As electronic sieges go, the so-called Slammer worm that attacked the Internet last weekend fell short of calamitous.
Although the rogue program hit tens of thousands of computers and clogged parts of the network all over the world, Slammer paled in comparison with Code Red, the worm that attacked the White House Web site in 2001. By Monday, most of the patching of systems had been accomplished and few traces of Slammer remained.
Yet some companies were hit worse than others, notably Bank of America, which discovered that thousands of its ATMs could not dispense cash. And when bank officials disclosed hours later on Saturday that Slammer had created the problem, it highlighted an old debate in the world of computer crime: to tell or not to tell.
If your local ATM fails to dispense cash, is the computer simply down, or has a malicious bit of code been set loose on the computer network to which the cash machine is linked? Unless the reason is publicized as widely as Slammer's attack was, chances are you will never know.
Bank of America, as it turned out, went public with the reason for its problems after receiving inquiries from news organizations. "We disclosed it when asked about it," said Juliet Don, a spokeswoman for the bank. "We explained as far as we knew everything that was happening."
But to many consumer advocates, full disclosure should be the only option, especially when it comes to companies that deal with personal finances. "Companies should always err on the side of a fuller disclosure," said Linda Sherry, a spokeswoman for Consumer Action, a national watchdog group based in San Francisco that specializes in personal finance issues.
"People need to be kept informed so they can make decisions about their finances and their banking," Sherry said. "Customers have a right to know whether the electronic network of the bank they're working with is safe and secure."
In reality, few computer attacks are ever reported, and the ones that are made known tend to be those that affect thousands of computers.
Consumers often find out about breaches to computers that contain their credit card numbers, their credit history or their Social Security numbers only if the problem is so widespread that there is no way to keep it under the radar. There is a loose threshold -- in terms of numbers of computers attacked, whether consumers were affected and the extent of financial damage -- above which an incident becomes public.
A random rampage
The Slammer worm did not go hunting for personal information like credit card numbers. It was set on a random rampage throughout the Internet looking for unlocked doors, and had no instructions to steal data. Still, the extent of the break-in was enough to put consumers on alert to the precariousness of their personal information.
For as long as computers have been subject to attacks, the victims have more often than not preferred to remain relatively silent, adhering to the principle that no publicity is the best publicity of all. This is especially true when the victim of the attack is a corporation or, more specifically, a financial institution.
And it remains true even as the number of computer crimes reported to the CERT Coordination Center, a federally financed information clearinghouse for computer security, has risen sharply -- to more than 82,000 last year from six in 1988. Yet they constitute a small fraction of the total incidents.
"We know we're getting just a very tiny percentage of the incident reports," said Roman Danyliw, an Internet security analyst with the CERT Coordination Center. "Optimistically, it's in the single digits, maybe 5 percent."
Symantec's DeepSight Threat Management System monitors intrusion detection systems around the globe. "In the last seven days, we've seen 52 million security events," said Alfred Huger, a senior director of engineering at Symantec Security Response. While most of these might be only an unsuccessful if malicious knock on a computer's door, the numbers suggest the breadth of the problem. "How many of those attacks will ever be reported?" Huger said.
No customer records at Bank of America are said to have been compromised, and no money was reported stolen. The worm simply exploited a buffer-overflow hole in the Resolution Service of SQL Server 2000, a Microsoft database program, and by firing copies of itself at randomly chosen addresses clogged the bank's network to the point of inoperation. And among companies catering to consumers, Bank of America was not alone.
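The "clogging" described above has a recognizable shape in network telemetry: an infected host emits a flood of single-datagram UDP flows to port 1434 (the SQL Server 2000 Resolution Service), each roughly 400 bytes on the wire, aimed at unrelated destinations. The following is an added example, not code from the article or from any of the companies it names, that flags that pattern in flow records. The flow line format, the sample records and the thresholds (`min_targets`, `max_flow_bytes`) are constructed assumptions for the illustration, not real telemetry.

```python
"""Flag Slammer-style UDP/1434 spray in flow records (added example).

Assumption: each flow line is 'src dst proto dport packets bytes'.  Real
collectors differ, so parse_flow is the only piece to adapt.
"""
from collections import defaultdict
from dataclasses import dataclass

SQL_RESOLUTION_PORT = 1434  # UDP service Slammer targeted on SQL Server 2000 / MSDE 2000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'src dst proto dport packets bytes'."""
    src, dst, proto, dport, packets, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(packets), int(nbytes))


def slammer_suspects(lines, min_targets=20, max_flow_bytes=500):
    """Return {src: distinct_destinations} for sources that send many tiny,
    single-packet UDP flows to port 1434 across distinct hosts.

    A legitimate client resolves one instance and moves on; a worm sprays
    hundreds of random addresses, so the distinct-destination count per
    source separates the two.  Thresholds are assumptions, tune per site.
    """
    targets = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if (f.proto == "udp" and f.dport == SQL_RESOLUTION_PORT
                and f.packets == 1 and f.nbytes <= max_flow_bytes):
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in sorted(targets.items()) if len(d) >= min_targets}


# --- constructed sample flow records (not real telemetry) ---
def _spray(src, n):
    # n single-datagram UDP/1434 flows of ~404 bytes to unrelated addresses
    return [f"{src} {198 + i % 3}.51.{i}.{(i * 37) % 250 + 1} udp 1434 1 404"
            for i in range(1, n + 1)]


SAMPLE_LINES = (
    ["# src dst proto dport packets bytes"]
    + _spray("10.0.5.17", 30)                                   # infected host
    + ["10.0.5.20 10.0.9.4 udp 1434 1 60",                       # one legitimate lookup
       "10.0.5.20 10.0.9.4 tcp 1433 45 9120"]                    # the SQL session that followed
    + [f"10.0.5.21 10.0.9.{i} tcp 1433 1 60" for i in range(1, 31)]  # TCP sweep, not this pattern
)

if __name__ == "__main__":
    for src, n in slammer_suspects(SAMPLE_LINES).items():
        print(f"{src}: single-packet UDP/1434 flows to {n} distinct hosts")
```

Running the block reports only 10.0.5.17; the host that did one real lookup and the host sweeping TCP 1433 are left alone, which is the point of keying on distinct destinations per source rather than on port 1434 alone.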
The Associated Press reported that the Web site for the Countrywide Financial Corp, a residential mortgage firm, was still inaccessible to customers on Monday, and that for certain periods over the weekend, American Express customers were unable to reach the American Express Web site to check credit statements and account balances. Continental Airlines was also reported to have been affected.
The impact was worse overseas, with major problems reported in South Korea and Japan. In Finland, the telephone system was affected.
In the US, the attack cast a harsh light nonetheless on precisely the vulnerabilities that many corporations, especially those catering to consumers, do not want to advertise.
"One of the reasons is the fear of, `What's going to happen to my reputation?'" Danyliw said. A corporation's officials may reason, "`If I report my incident and that information gets published, what does that mean in reference to my competitors?'" he said.
This tends to hold true, Danyliw said, even though CERT acts as a "trusted reporter," keeping confidential the names of those who report security breaches.
The fear of publicity similarly deters companies from reporting computer crimes to law enforcement officials, Danyliw said. Even if the information is taken in confidence, companies fear that it will surface as a result of, say, a Freedom of Information Act request by a news organization.
Peter G. Neumann, principal scientist at SRI International in Menlo Park, California, who has been in the thick of computer security discussions for nearly three decades, said that when it came to pointing out security risks, he often felt like King Canute, raising his fist in vain against the incoming tide.
"The increasing number of incidents and dependence on the Internet, and the number of patches one has to deal with for the known bugs is amazing," Neumann said. "Things are getting worse rather than better."
The same, he said, is true of the general disinclination to disclose breaches. "Companies are trying desperately to hide the fact that there are things that aren't going right," he said. "The idea that you keep it secret is ridiculous. It's an absurd situation."
Harvard men
Among the new voices in the debate are two researchers at Harvard who argue that it is in the victim's interest to make its vulnerabilities public. The disclosure itself acts as a fortification of sorts, they suggest.
In a paper presented at a cryptography conference this week, Michael Smith, a computer science professor, and Stuart Schechter, a doctoral candidate in computer science, argued that organizations or individuals that share information about computer break-ins are less attractive targets for malicious hackers.
If an organization tells others about its security holes and the fixes it has made to them, the two explained, then others have the opportunity to make the same changes and spread the word. Ultimately, a company that clearly reports the details of a break-in and whether the perpetrator was caught reduces the chances that someone else will attempt to use the same path into a secured system. Hackers would prefer a company that has not reported news of a break-in to one that has. Schechter and Smith's theory applies more to attacks with specific targets than to random ones like the Slammer worm.
An automatic program like the Slammer worm is far less risky for a hacker to deploy than an attack on a specific victim. Attacking a target requires far more effort and carries a higher level of risk for the would-be perpetrator, and he is thus less likely to attack a computer that is known to be sharing security information with others, the researchers' report said.
Scott Wimer, chief executive officer of Cylant, a computer security concern in Moscow, Idaho, said that potential thieves size up well-fortified companies the way a mugger might assess passers-by.
"Football players don't get mugged," Wimer said.
But the Schechter-Smith paper has already stirred some dissent.
"I hate to nay-say people from Harvard," said Huger of Symantec Security Response, "but I'd have to say, at least from my personal experience, that if I'm a malicious user or hacker and I'm looking for targets, am I going to take a shot at one I know nothing about?"
Challenging the football player analogy, Huger said that even with its focus on security, Symantec is a favorite among would-be intruders. "We're a football player in terms of security and they don't give us any breaks," he said. "We have something like 3,000 or 4,000 people a day trying to break in."
"A lot of hacking, even the targeted stuff, is trophy hunting," he added. "We know for certain that's why people take a go at us, because there's value in breaking into our Web site."