Interesting People mailing list archives
IP: re: DoS technology apparently lesser-known fifth horseman of the apocalypse
From: Dave Farber <farber () cis upenn edu>
Date: Fri, 25 Feb 2000 15:14:06 -0500
----- Original Message -----
From: "Ezor, Jonathan (Legal)" <jezor () mimeo com>
To: <farber () cis upenn edu>
Sent: Friday, February 25, 2000 12:27 PM
Subject: RE: DoS technology apparently lesser-known fifth horseman of the apocalypse

Dave,

As an IP subscriber, I thought you might find interesting the article on dealing with DOS and other attacks which I just published in the newsletter for my book, "Clicking Through: A Survival Guide for Bringing Your Company Online" (Bloomberg Press 1999). I've reproduced it below. Thanks for all the useful information!

{Jonathan}

Jonathan I. Ezor, Esq. <author () clickingthrough com>
Dir. of Legal Affairs, Mimeo.com <http://www.mimeo.com>
Author, "CLICKING THROUGH: A Survival Guide for Bringing Your Company Online" (Bloomberg Press: 1999)
Info. and free Internet business law e-mail newsletter: <http://www.clickingthrough.com>

BLUNTING THE STING OF CYBERVANDALISM
by Jonathan Ezor
Director of Legal Affairs, Mimeo.com <http://www.mimeo.com>
From ClickingThroughList 1.4
(Copyright 2000 Jonathan Ezor; all rights reserved)

A recent series of attacks on major Web sites such as eBay, CNN, E*Trade and Yahoo! has captured the attention of both the technology and business press. These attacks, commonly known as Denial of Service (or "DOS", which has nothing to do with disk operating systems) attacks, utilize previously-invaded computers attached to the Internet to bombard a targeted site with huge numbers of simultaneous information requests. The servers become so busy responding to all the spurious queries that they cannot provide content to legitimate users, much as a lone salesclerk in a toy store on that "last shopping day" has too many customers screaming for answers to give quality time to a single legitimate purchaser. The result is that the sites are essentially shut down.

DOS attacks are not new; they have been part of the arsenal of malicious hackers (also known as "crackers") for years. Because the recent attacks were so widespread, were apparently carefully coordinated by multiple crackers, and were aimed at some of the most used and highest profile sites, though, DOS is suddenly part of the vocabulary of even the casual Internet user.

The DOS attacks have been particularly worrisome, coming as they did on the heels of revelations in January by online vendor CD Universe that its internal credit card and user records were compromised and ransomed back to them by a cybervandal. It's critical to remember that no credit card information was intercepted in transit; that is, no one was able to snag a credit card number as the user was sending it to CD Universe to make a purchase. Rather, the cracker attacked the stored files of past transactions and, utilizing previously-publicized weaknesses, copied the credit card information. Regardless of the method, though, the result was troubling to say the least.

Web site owners need to be concerned about DOS and these other malicious attacks on their sites, in the same way that a real-world storeowner must contend with the threat of burglary and vandalism. Most site owners, though, don't manage their own connection, security and storage arrangements, choosing instead to work with third-party hosting companies to handle the day-to-day operations of the site. How can these siteowners protect themselves, and their customers, from inconvenience or theft?

The short answer is by due diligence and proper contracts with the hosting company, communication with users, and insurance. Chapter 1 of "Clicking Through" details many of the questions and concerns that businesspeople should raise with hosting providers, but these recent events provide some additional guidance and raise new questions as well.

You must remember to investigate the host's sophistication in dealing with computer security issues. Ask questions such as:

· On which operating system does the server run? The possible answers could include Windows NT/2000, some variant of Unix (such as Linux), or even MacOS. While each OS has security issues, some are more secure than others.
· Have all upgrades and patches (both for security and stability) been installed?
· What third-party software and hardware does the hosting company use to increase its security?
· What physical security does the facility have?
· Does the hosting company receive CERT risk and intrusion bulletins?
· How quickly are CERT recommendations implemented?
· Does the host have redundant connections in case one comes under cyberattack?
· What is the provider's history regarding previous cyberattacks? How have they been handled?
· What is the procedure to notify your company in the event your site or the hosting facility itself suffers a DOS attack or similar outage?

Similar questions should be asked of any transaction processing facility, if financial information is kept off the actual host server. In doing this research, you may wish to speak to the employee in charge of data security, rather than a sales representative who may not have updated or correct data. Remember to get as many of these answers as possible into your contract as affirmative commitments of the host and/or transaction processor.

Even if the hosting company or transaction processor is taking all reasonable precautions against cybervandalism, problems may still arise. In such event, you need to determine (and your contract needs to state) who bears the responsibility for outages, delays and loss caused by crackers and cybervandalism. Your contract should require the other party to indemnify you for damages for its negligence and failure to take proper precautions at the very least, and you may even be able to negotiate credits against fees or reimbursement from a hosting facility if your site goes down for technical reasons for more than a minimal amount of time.

On the user side, you'll need to balance customer expectations with the possibility of cybervandalism. Make sure the terms and conditions of use of your site expressly state that you cannot guarantee your site will always be operating, and try to have alternate means (such as telephone access, or even fax) for your users who need to reach you when your site may not be fully functional. (This is of greater importance to sites offering time-sensitive commerce, such as auctions or brokerages). You should also anticipate some angry calls from users complaining of site outages when the problems are actually on the user end -- make sure your customer service personnel know how to diagnose and help a user understand the cause of such problems. (A developer at an early online stock brokerage once stated that something like 70% of their customer support calls had nothing to do with their site, but were general Internet use questions.)

Finally, examine your business interruption liability insurance, and make sure your policies cover cybervandalism as well as more common situations.

Just as you can't absolutely prevent fires or earthquakes or vandalism from disrupting your brick-and-mortar business, cybervandalism such as DOS attacks is likely to be a fact of Internet business life for some time to come. The best approach is to share the risk with your hosting company, insurance carrier and other providers, and keep your customers informed when problems do arise.