A chat about Internet Security and Denial of Service attacks
(CNN) -- Avi Rubin, Principal Technical Staff Member at AT&T Labs and Adjunct Professor of Computer Science at New York University, joined the CNN.com chat room on February 10, 2000, to discuss Internet security and a series of attacks on popular computer Web sites. Rubin joined the chat from New Jersey. The following is an edited transcript of the chat.
Chat Moderator: Welcome to CNN's Technology Chat, Avi Rubin.
Avi Rubin: Hi everyone.
Chat Moderator: In the past few days, several sites have suffered denial of service attacks. How sophisticated is this type of attack, and is it traceable?
Avi Rubin: The attack is quite sophisticated. However, automated tools out there make it very easy for anyone to download them and run the attack. So, in that sense, the attack is very simple. Right now, it is very difficult to trace anything back to the attackers. I should however warn you that the penalties of being caught will be quite severe, as this has already gotten the attention of government at the highest level. So, don't try it!
Question from Candyce: How can I protect myself from being used as an unsuspecting "agent?"
Avi Rubin: Very good question. The basic thing to do is practice the standard computer security philosophy. Use off the shelf security products or hire a consulting company to do it for you. If you are an individual user, then make sure your Internet service provider is up to speed. Virus checkers are a must, as are intrusion detection tools and firewalls.
Question from Haley: Mr. Rubin, it appears that most of us in the USA immediately concluded that this week's "hacking" originated on American soil. My question is this: What if it wasn't? What if the action was from a different shore?
Avi Rubin: I was thinking the same thing myself. In fact, there is no way to know that the attack originated in the US. If it originated in a country where the laws are different, and we have no agreement with them, then there is little that could be done to prosecute them.
Question from Jason: What exactly is a DOS attack?
Avi Rubin: A Denial of service attack is when a malicious adversary floods a network with fake traffic so that legitimate traffic cannot pass. Imagine if 100 people in your neighborhood ordered Domino's pizzas at the same time, when they did not intend on eating them. People that really wanted pizza would be out of luck.
Chat Moderator: What do you think are the reasons for these attacks?
Avi Rubin: I think that these attacks have been inevitable. The Internet is totally vulnerable to this kind of thing. It was just a matter of time before the automated attacking tools became so easy and widespread that everyone started using them.
Chat Moderator: Should the FBI enlist the help of people such as Kevin Mitnick and Kevin Poulsen to help find the hackers responsible for these recent attacks?
Avi Rubin: No, I don't think so. First of all, there are plenty of people on the "good" side who know how to deal with these problems as well as those guys. Secondly, I am against rewarding people, by putting them in an important visible position, for actions such as hacking.
Question from Jimmy: Why can't we let Microsoft and Netscape fix the issue of ping flooding with a patch? Java leaves everyone’s system wide open as well.
Avi Rubin: Unfortunately, ping flooding is only the tip of the iceberg. The attacks we experienced this week could not have been solved by either of these companies, as they had to do more with web servers running UNIX operating systems. I agree that Java has created its own security problems, but in this case, it is not related to Denial of Service attacks.
Chat Moderator: Is it possible for the United States or individual businesses to create a successful counter cyberterrorism strategy?
Avi Rubin: Yes, I think that there are many things that can be done. In fact, in about an hour, I am going to attend a meeting and a conference call with all of the AT&T security people to discuss this very thing.
Question from Candyce: I believe I've read that you've called this an "arms race" between attackers and security folks. Can you explain that a little?
Avi Rubin: Yes, thanks for asking. In an arms race, there are two sides. Each side is constantly building up its forces to try to outdo the other side. We typically see this with the nuclear capabilities of various countries. On the Internet, there is a similar situation. The attackers move several steps forward by coming up with new ways of penetrating systems, and the protectors come up with new things, such as firewalls, to counter that. Unlike a typical arms race, however, the security specialists can only respond to the new attacks. There is very little we can do proactively.
Chat Moderator: Why don't more network administrators install available fixes and patches on their system?
Avi Rubin: That is the million-dollar question. I guess they haven't felt the pressing need for this until now. My guess is that they will start to change that habit.
Question from Medic: And what things (aside from the obvious - firewalls and networking essentials) are important to someone looking to enter into the field on the "good side?"
Avi Rubin: There are several books that one can read. For example, Garfinkel and Spafford have a wonderful book on UNIX security. Just go to your favorite online bookstore and type in the words computer or Internet security, and you will see a ton of them. There are also conferences and workshops on this topic. It is best to start by studying the tools that are available and getting caught up on the literature. Another thing that works well is to walk into your system administrator’s office and have a talk with him/her. These guys are usually the most knowledgeable about this topic within any organization.
Question from CMG63: Isn't there a way to disregard message traffic fr?
Avi Rubin: Yes, there is. The problem is that it is difficult to selectively disregard traffic. If you disregard all traffic, then you lose, because you are effectively isolated from the network.
Question from SusieSouth: Should individuals be concerned about these attacks? How should we protect ourselves?
Avi Rubin: Unless you are a computer system administrator, or in charge of one, there is very little you can do about the attacks. However, if you are an individual, it is unlikely that you will be the target of an attack, unless attacks are generated that are directed at everyone. In which case we are all in the same boat. The biggest concern I would have as an individual is if a lot of my day to day activities, such as day trading or shopping are done on the web, and I can't live without them. I think we are going to see a lot more of what happened the last few days.
Question from Candyce: These denial of service attacks are pretty crude and simple in their design...what kinds of weapons do you see in the future?
Avi Rubin: I think we are going to see attack scripts that are much more automated and distributed in binary form. I wouldn't be surprised if a virus/worm such as Melissa were used to distribute these kinds of daemon programs to people's home PCs. I also think that the tools are going to be harder and harder to detect and that their internal communication is going to be encrypted. Actually, we are already starting to see that.
Question from KDawg: In your opinion has the hacker community actually helped network administrators fix their security holes?
Avi Rubin: That is like asking if the burglar community has helped people secure their homes. If people weren't doing these kinds of things, then there wouldn't be a need for security. On the other hand, if networks were designed with more security in mind in the first place, a lot of these attacks wouldn't be possible. I am reluctant to give the hacker community any credit for anything good that has happened.
Question from CMG63: Assuming someone is caught, would a severe sentence in a conviction reduce the numbers of attacks?
Avi Rubin: I sure hope so. I have no way of knowing this, but perhaps many of the teenagers who are now tempted to try out these easy attacks will think twice before launching one if they see someone get 10 years in jail.
Question from StankyMan: Are there really cases of credit card numbers being stolen from packet sniffing? Isn't the whole SSL thing overrated? There are bigger problems to deal with, IMO.
Avi Rubin: Good question. I know of several cases of credit card numbers being stolen by people breaking into back end servers. However, I believe that without SSL, the problem would be a lot worse. While SSL is no silver bullet, it does solve some real problems. Now that we have SSL, it is true that there are much bigger problems.
Question from Foghorn: Do you see a trend in which companies are selected for attacks?
Avi Rubin: It appears that the biggest, most visible companies are being hit. Obviously, someone wanted some press coverage. Boy did they get it.
Question from Gumball_SanDiego: Are there any plans to make the "tracking" process better and faster to find these people?
Avi Rubin: Yes, we are working on it, but it is a very hard problem.
Question from Candyce: Could there come a time when hostile governments could attack countries in a significant way by targeting e-commerce?
Avi Rubin: Absolutely. In fact, there is no way of telling that this isn't what happened this week. Could this have been Saddam Hussein's test run? There is no way to know. I think it is pretty scary.
Chat Moderator: Do you have any final thoughts for our audience?
Avi Rubin: I think that we are finally seeing what computer security experts have been preaching about for some time now. The Internet is very vulnerable to this kind of attack, and it is going to take a concerted effort to prevent widescale abuse. History was made this week, and I doubt there is any going back.
Chat Moderator: Thank you for talking with us today, Avi Rubin.
Avi Rubin: Thank you everyone and goodbye.
© 2001 Cable News Network. All Rights Reserved.