Information Security News mailing list archives

Security experts: Denial-of-service attacks still a big threat


From: William Knowles <wk () C4I ORG>
Date: Fri, 20 Oct 2000 18:21:13 -0500

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO52633,00.html

By PATRICK THIBODEAU
October 20, 2000

BALTIMORE -- The types of massive distributed denial-of-service (DDOS)
attacks that knocked several big e-commerce Web sites out of action
earlier this year remain a viable threat that could grow even more
sophisticated, according to experts at this week's
government-sponsored National Information Systems Security Conference
here.

DDOS attacks entered the public consciousness last February, when
commercial sites belonging to eBay Inc., Buy.com Inc. and other
companies were attacked with an overwhelming flood of network traffic.
At this week's conference, Tom Longstaff, manager of research and
development at Carnegie Mellon University's CERT Coordination Center
security advisory service in Pittsburgh, said such attacks haven't
disappeared, and he warned that their severity could increase.

In a DDOS attack, an intruder breaks into a system and turns it into a
"zombie," then uses that machine to target Web servers run by other
companies. There are now indications that worm programs are being used
to automatically propagate large numbers of zombies, Longstaff warned.
A DDOS attack utilizing a worm will spread "much more quickly, and it
is much more difficult to trace back to the intruder," he said.

Longstaff and other experts at the conference -- which was sponsored
by the National Institute of Standards and Technology (NIST) and the
National Security Agency's National Computer Security Center -- said
there currently are no adequate mechanisms for stopping DDOS attacks.

But the major concern among some attendees of the annual event
remained not the criminal hacker from outside a company or government
agency, but the "insider" threat from disgruntled employees. All the
attention being given to external threats may be affecting the ability
of some agencies to respond to ones from insiders, according to Lee
Brandt, a network security officer at the Washington-based Federal
Railroad Administration.

"The internal threat is still the big threat," Brandt said. But he
added that Congress "unfortunately is concentrating on the external
threat." Brandt said he worries that funding to address internal
security matters will be de-emphasized by policy makers as a result.

The biggest threats to corporate systems are from other countries,
competitors or insiders, said Jeff Moss, a security consultant and the
founder and organizer of Def Con, the annual underground convention
attended by hackers, security experts and law enforcement officials.

"You can't be a lone computer hacker and try to fence stolen
information," Moss said. "Hackers are great at technology; they're not
great at being criminals."

But information technology managers also share some of the blame for
the risks their companies face, security experts said.

"The No. 1 problem in security today is still [IT staffs] that do not
keep their systems up to date," said Michel Kabay, a computer security
expert at consulting firm Atomic Tangerine Inc. in Menlo Park, Calif.
"Most [security] exploits use known vulnerabilities, and most known
vulnerabilities have known fixes, and they are free. The problem lies
in organizations where security is not yet assigned a high priority."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com