As electronic sieges go, the so-called Slammer worm that attacked the Internet last weekend fell short of calamitous.
Although the rogue program hit tens of thousands of computers and clogged parts of the network all over the world, Slammer paled in comparison with Code Red, the worm that attacked the White House Web site in 2001. By Monday, most of the patching of systems had been accomplished and few traces of Slammer remained.
Yet some companies were hit worse than others, notably Bank of America, which discovered that thousands of its ATMs could not dispense cash. And when bank officials disclosed hours later on Saturday that Slammer had created the problem, it highlighted an old debate in the world of computer crime: to tell or not to tell.
If your local ATM fails to dispense cash, is the computer simply down, or has a malicious bit of code been set loose on the computer network to which the cash machine is linked? Unless the reason is publicized as widely as Slammer's attack was, chances are you will never know.
Bank of America, as it turned out, went public with the reason for its problems after receiving inquiries from news organizations. "We disclosed it when asked about it," said Juliet Don, a spokeswoman for the bank. "We explained as far as we knew everything that was happening."
But to many consumer advocates, full disclosure should be the only option, especially when it comes to companies that deal with personal finances. "Companies should always err on the side of a fuller disclosure," said Linda Sherry, a spokeswoman for Consumer Action, a national watchdog group based in San Francisco that specializes in personal finance issues.
"People need to be kept informed so they can make decisions about their finances and their banking," Sherry said. "Customers have a right to know whether the electronic network of the bank they're working with is safe and secure."
In reality, few computer attacks are ever reported, and the ones that are made known tend to be those that affect thousands of computers.
Consumers often find out about breaches to computers that contain their credit card numbers, their credit history or their Social Security numbers only if the problem is so widespread that there is no way to keep it under the radar. There is a loose threshold -- in terms of numbers of computers attacked, whether consumers were affected and the extent of financial damage -- above which an incident becomes public.
A random rampage
The Slammer worm did not go hunting for personal information like credit card numbers. It was set on a random rampage throughout the Internet looking for unlocked doors, and had no instructions to steal data. Still, the extent of the break-in was enough to put consumers on alert to the precariousness of their personal information.
For as long as computers have been subject to attacks, the victims have more often than not preferred to remain relatively silent, adhering to the principle that no publicity is the best publicity of all. This is especially true when the victim of the attack is a corporation or, more specifically, a financial institution.
And it remains true even as the number of computer crimes reported to the CERT Coordination Center, a federally financed information clearinghouse for computer security, has risen sharply -- to more than 82,000 last year from six in 1988. Yet they constitute a small fraction of the total incidents.
"We know we're getting just a very tiny percentage of the incident reports," said Roman Danyliw, an Internet security analyst with the CERT Coordination Center. "Optimistically, it's in the single digits, maybe 5 percent."
Symantec's DeepSight Threat Management System monitors intrusion detection systems around the globe. "In the last seven days, we've seen 52 million security events," said Alfred Huger, a senior director of engineering at Symantec Security Response. While most of these might be only an unsuccessful if malicious knock on a computer's door, the numbers suggest the breadth of the problem. "How many of those attacks will ever be reported?" Huger said.
No customer records at Bank of America are said to have been compromised, and no money was reported stolen. The worm simply exploited a security hole in SQL Server 2000, a Microsoft database program, and clogged the bank's network to the point of inoperation. And among companies catering to consumers, Bank of America was not alone.
The Associated Press reported that the Web site for the Countrywide Financial Corp, a residential mortgage firm, was still inaccessible to customers on Monday, and that for certain periods over the weekend, American Express customers were unable to reach the American Express Web site to check credit statements and account balances. Continental Airlines was also reported to have been affected.
The impact was worse overseas, with major problems reported in South Korea and Japan. In Finland, the telephone system was affected.
In the US, the attack cast a harsh light nonetheless on precisely the vulnerabilities that many corporations, especially those catering to consumers, do not want to advertise.
"One of the reasons is the fear of, 'What's going to happen to my reputation?'" Danyliw said. A corporation's officials may reason, "'If I report my incident and that information gets published, what does that mean in reference to my competitors?'" he said.
This tends to hold true, Danyliw said, even though CERT acts as a "trusted reporter," keeping confidential the names of those who report security breaches.
The fear of publicity similarly deters companies from reporting computer crimes to law enforcement officials, Danyliw said. Even if the information is taken in confidence, companies fear that it will surface as a result of, say, a Freedom of Information Act request by a news organization.
Peter G. Neumann, principal scientist at SRI International in Menlo Park, California, who has been in the thick of computer security discussions for nearly three decades, said that when it came to pointing out security risks, he often felt like King Canute, raising his fist in vain against the incoming tide.
"The increasing number of incidents and dependence on the Internet, and the number of patches one has to deal with for the known bugs is amazing," Neumann said. "Things are getting worse rather than better."
The same, he said, is true of the general disinclination to disclose breaches. "Companies are trying desperately to hide the fact that there are things that aren't going right," he said. "The idea that you keep it secret is ridiculous. It's an absurd situation."
Harvard men
Among the new voices in the debate are two researchers at Harvard who argue that it is in the victim's interest to make its vulnerabilities public. The disclosure itself acts as a fortification of sorts, they suggest.
In a paper presented at a cryptography conference this week, Michael Smith, a computer science professor, and Stuart Schechter, a doctoral candidate in computer science, argued that organizations or individuals that share information about computer break-ins are less attractive targets for malicious hackers.
If an organization tells others about its security holes and the fixes it has made to them, the two explained, then others have the opportunity to make the same changes and spread the word. Ultimately, a company that clearly reports the details of a break-in and whether the perpetrator was caught reduces the chances that someone else will attempt to use the same path into a secured system. Hackers would prefer a company that has not reported news of a break-in to one that has. Schechter and Smith's theory applies more to attacks with specific targets than to random ones like the Slammer worm.
An automatic program like the Slammer worm is far less risky for a hacker to deploy than an attack on a specific victim. Attacking a target requires far more effort and carries a higher level of risk for the would-be perpetrator, and he is thus less likely to attack a computer that is known to be sharing security information with others, the researchers' report said.
Scott Wimer, chief executive officer of Cylant, a computer security concern in Moscow, Idaho, said that potential thieves size up well-fortified companies the way a mugger might assess passers-by.
"Football players don't get mugged," Wimer said.
But the Schechter-Smith paper has already stirred some dissent.
"I hate to nay-say people from Harvard," said Huger of Symantec Security Response, "but I'd have to say, at least from my personal experience, that if I'm a malicious user or hacker and I'm looking for targets, am I going to take a shot at one I know nothing about?"
Challenging the football player analogy, Huger said that even with its focus on security, Symantec is a favorite among would-be intruders. "We're a football player in terms of security and they don't give us any breaks," he said. "We have something like 3,000 or 4,000 people a day trying to break in."
"A lot of hacking, even the targeted stuff, is trophy hunting," he added. "We know for certain that's why people take a go at us, because there's value in breaking into our Web site."