January 30, 2003
In Net Attacks, Defining the Right to Know
As electronic sieges go, the so-called Slammer worm that attacked the Internet last weekend fell short of calamitous.
Although the rogue program hit tens of thousands of computers and clogged parts of the network all over the world, Slammer paled in comparison with Code Red, the worm that attacked the White House Web site in 2001. By Monday, most of the patching of systems had been accomplished and few traces of Slammer remained.
Yet some companies were hit worse than others, notably Bank of America, which discovered that thousands of its ATM's could not dispense cash. And when bank officials disclosed hours later on Saturday that Slammer had created the problem, it highlighted an old debate in the world of computer crime: to tell or not to tell.
If your local ATM fails to dispense cash, is the computer simply down, or has a malicious bit of code been set loose on the computer network to which the cash machine is linked? Unless the reason is publicized as widely as Slammer's attack was last weekend, chances are you will never know.
Bank of America, as it turned out, went public with the reason for its problems after receiving inquiries from news organizations. "We disclosed it when asked about it," said Juliet Don, a spokeswoman for the bank. "We explained as far as we knew everything that was happening."
But to many consumer advocates, full disclosure should be the only option, especially when it comes to companies that deal with personal finances. "Companies should always err on the side of a fuller disclosure," said Linda Sherry, a spokeswoman for Consumer Action, a national watchdog group based in San Francisco that specializes in personal finance issues.
"People need to be kept informed so they can make decisions about their finances and their banking," Ms. Sherry said. "Customers have a right to know whether the electronic network of the bank they're working with is safe and secure."
In reality, few computer attacks are ever reported, and the ones that are made known tend to be those that affect thousands of computers.
Consumers often find out about breaches to computers that contain their credit card numbers, their credit history or their Social Security numbers only if the problem is so widespread that there is no way to keep it under the radar. There is a loose threshold - in terms of numbers of computers attacked, whether consumers were affected and the extent of financial damage - above which an incident becomes public.
The Slammer worm did not go hunting for personal information like credit card numbers. It was set on a random rampage throughout the Internet looking for unlocked doors, and had no instructions to steal data. Still, the extent of the break-ins was enough to put consumers on alert to the precariousness of their personal information.
For as long as computers have been subject to attacks, the victims have more often than not preferred to remain relatively silent, adhering to the principle that no publicity is the best publicity of all. This is especially true when the victim of the attack is a corporation or, more specifically, a financial institution.
And it remains true even as the number of computer crimes reported to the CERT Coordination Center, a federally financed information clearinghouse for computer security, has risen sharply - to more than 82,000 last year from six in 1988. Yet they constitute a small fraction of the total incidents.
"We know we're getting just a very tiny percentage of the incident reports," said Roman Danyliw, an Internet security analyst with the CERT Coordination Center. "Optimistically, it's in the single digits, maybe 5 percent."
Symantec's DeepSight Threat Management System monitors intrusion detection systems around the globe. "In the last seven days, we've seen 52 million security events," said Alfred Huger, a senior director of engineering at Symantec Security Response. While most of these might be only an unsuccessful if malicious knock on a computer's door, the numbers suggest the breadth of the problem. "How many of those attacks will ever be reported?" Mr. Huger said.
No customer records at Bank of America are said to have been compromised, and no money was reported stolen. The worm simply exploited a security hole in SQL Server 2000, a Microsoft database program, and clogged the bank's network to the point of inoperation. And among companies catering to consumers, Bank of America was not alone.
The Associated Press reported that the Web site for the Countrywide Financial Corporation, a residential mortgage firm, was still inaccessible to customers on Monday, and that for certain periods over the weekend, American Express customers were unable to reach the American Express Web site to check credit statements and account balances. Continental Airlines was also reported to have been affected.
The impact was worse overseas, with major problems reported in South Korea and Japan. In Finland, the telephone system was affected.
In the United States, the attack cast a harsh light nonetheless on precisely the vulnerabilities that many corporations, especially those catering to consumers, do not want to advertise.
"One of the reasons is the fear of, 'What's going to happen to my reputation?'" Mr. Danyliw said. A corporation's officials may reason, "'If I report my incident and that information gets published, what does that mean in reference to my competitors?'" he explained.
This tends to hold true, Mr. Danyliw said, even though CERT acts as a "trusted reporter," keeping confidential the names of those who report security breaches.
The fear of publicity similarly deters companies from reporting computer crimes to law enforcement officials, Mr. Danyliw said. Even if the information is taken in confidence, companies fear that it will surface as a result of, say, a Freedom of Information Act request by a news organization.
Peter G. Neumann, principal scientist at SRI International in Menlo Park, Calif., who has been in the thick of computer security discussions for nearly three decades, said that when it came to pointing out security risks, he often felt like King Canute, raising his fist in vain against the incoming tide.
"The increasing number of incidents and dependence on the Internet, and the number of patches one has to deal with for the known bugs is amazing," Mr. Neumann said. "Things are getting worse rather than better."
The same, he said, is true of the general disinclination to disclose breaches. "Companies are trying desperately to hide the fact that there are things that aren't going right," he said. "The idea that you keep it secret is ridiculous. It's an absurd situation."
Among the new voices in the debate are two researchers at Harvard who argue that it is in the victim's interest to make its vulnerabilities public. The disclosure itself acts as a fortification of sorts, they suggest.
In a paper presented at a cryptography conference this week, Michael Smith, a computer science professor, and Stuart Schechter, a doctoral candidate in computer science, argued that organizations or individuals that share information about computer break-ins are less attractive targets for malicious hackers.
If an organization tells others about its security holes and the fixes it has made to them, the two researchers say, then others have the opportunity to make the same changes and spread the word. Ultimately, a company that clearly reports the details of a break-in and whether the perpetrator was caught reduces the chances that someone else will attempt to use the same path into a secured system. Hackers would prefer a company that has not reported news of a break-in to one that has.
Mr. Schechter and Dr. Smith's theory applies more to attacks with specific targets than to random ones like the Slammer worm.
An automatic program like the Slammer worm is far less risky for a hacker to deploy than an attack on a specific victim. Attacking a target requires far more effort and carries a higher level of risk for the would-be perpetrator, and he is thus less likely to attack a computer that is known to be sharing security information with others, the researchers' report said.
Scott Wimer, chief executive officer of Cylant, a computer security concern in Moscow, Idaho, said that potential thieves size up well-fortified companies the way a mugger might assess passers-by.
"Football players don't get mugged," Mr. Wimer said.
But the Schechter-Smith paper has already stirred some dissent.
"I hate to nay-say people from Harvard," said Mr. Huger of Symantec Security Response, "but I'd have to say, at least from my personal experience, that if I'm a malicious user or a hacker and I'm looking for targets, am I going to take a shot at one I know nothing about?"
Challenging the football player analogy, Mr. Huger said that even with its focus on security, Symantec is a favorite among would-be intruders. "We're a football player in terms of security and they don't give us any breaks," he said. "We have something like 3,000 or 4,000 people a day trying to break in."
"A lot of hacking, even the targeted stuff, is trophy hunting," he added. "We know for certain that's why people take a go at us, because there's value in breaking into our Web site."
In the Slammer attack last weekend, a lack of preventive care played at least some role in creating vulnerability. System administrators were remiss about installing a security patch to the Microsoft SQL Server 2000 software, even though the patch had been available since last summer.
When neglect is the cause, it reinforces a reluctance to go public.
"It points to a larger vulnerability," Mr. Huger said, "that they can't patch something even when they've had the patch for six months." Even Microsoft had not installed the patch on some of its machines, a slip-up that caused a significant slowdown on its Microsoft Network service.
In Bank of America's case, said Ms. Don, the spokeswoman, system administrators had installed the patch when it was sent out but "unfortunately, it was either ineffective or we missed some of the servers," she said. She said that the bank was treating the incident as a "lesson learned."
Some security experts are meanwhile beginning to call for government regulations that would require institutions to disclose security breaches, particularly those that directly affect consumers.
The Harvard researchers' paper, presented at the Financial Cryptography Conference in Gosier, Guadeloupe, agrees with proposals made last September by the President's Critical Infrastructure Protection Board in its draft of the National Strategy to Secure Cyberspace.
The board proposed that private companies and federal agencies use a centralized, nationwide online system to share information about security breaches.
The board has yet to decide whether to make the reporting system a federal requirement.
"This is again one of the things that we've talked about as a recommendation, something that could be useful for the private sector," said Tiffany Olson, deputy chief of staff for the board. "There is no time frame on an ultimate decision."
In California, a law requiring companies to notify their customers of computer security breaches will go into effect on July 1. Intended to combat identity theft, the law covers breaches that put certain information at risk, specifically credit card numbers, Social Security numbers, driver's license information and bank account numbers.
Mr. Schechter, one of the Harvard researchers, said that insurance companies should reduce premiums for companies that share information because the sharing reduces their risk.
Yet the sharing of information can go only so far in preventing breaches, he warned. The onus is on the user to act on security advice.
"People need to actually patch their systems when flaws are found," Mr. Schechter said. "Until then, attacking systems will be as easy as figuring out which known vulnerabilities haven't been patched, then exploiting them."
That was certainly proven last weekend.