Pacific Connection (English)

Do Hackers Undermine Trust in the Internet?

Estimated reading time: about 12 minutes

One day last February, I clicked on my browser's bookmark to log onto the Yahoo! website. Nothing happened. I tried again. Still nothing, except a notice that the site was unavailable. In my experience, that seemed odd. I had been accessing Yahoo!, one of the Web's most popular destinations and arguably the very embodiment of a "portal" site, for several years now, and it had always been there. I clicked again. Yahoo! was missing in action.

Clicking on Yahoo! has become so routine in my life that I've learned to take it for granted. I like its highly organized search engine, with items sorted by category, a technique that makes ever more sense as the Web grows ever larger. (For example: "Regional > Countries > Japan > Prefectures > Tokyo > Education > College and University > University of Tokyo".) Yahoo programmers are a clever bunch. From one site, you can pull up television listings, check local weather and movie theater listings, look at your stock portfolio, search for a business or person's telephone number, play games, participate in auctions, compare online shopping prices, and upload files, 15 MB worth, via a personal "briefcase" that can then be accessed from anywhere. Throughout, Yahoo's user interface is remarkably straightforward, and its spare use of graphics makes the services fast even on a slow dialup connection. In short, Yahoo! is the kind of service people are likely to make a part of their lives. That is, until it is gone.

And where did Yahoo! go? A quick check of another useful site, CNET's News.com, provided the answer. Yahoo! was the victim of a "denial of service" (DoS) attack, the equivalent of watering a small garden with a firehose: a torrent of packets, often numbering in the millions, is directed at a single website until it can no longer answer legitimate requests. In the variant discussed below, the packets are ICMP (Internet Control Message Protocol) echo requests. Sent legitimately, an echo request asks a host to send back a reply, a practice known as "pinging," and a single request and reply are harmless. But throw enough of them at a hapless Web server, or at the network link in front of it, and the beast goes down like a lily in a flood. In a so-called "smurf" attack, the packets don't even come from the attacker's own machine. The attacker sends echo requests to the broadcast address of one or more intermediary networks, with a forged ("spoofed") source address: the address of the targeted machine. Every host on the intermediary network dutifully answers, and because the replies are addressed to the forged source, they all converge on the victim. One spoofed request thus produces as many replies as the intermediary network has hosts, resulting in severe overload of the victim's network.

Yahoo! proved to be the first of several sites to get hit. Others included eBay, CNN, Amazon, and Expedia. The National Discount Brokers Group, which serves 20,000 customers, was shut down for more than an hour after it was flooded by information requests from two Internet addresses. The University of California at Santa Barbara was shut down, as was the Federal Bureau of Investigation's site.

As all these organizations learned, defense is difficult. A report from Carnegie Mellon University's Computer Emergency Response Team (CERT) says that there is no easy solution for victims. "ICMP echo reply traffic (the traffic from the intermediary) could be blocked at the victim's router; however, that will not necessarily prevent congestion that occurs between the victim's router and the victim's Internet service provider." In other words, a filter at the victim's edge discards the packets only after they have already crossed the upstream link, and it is that link that fills up; relief has to come from the provider or from the intermediary networks that are doing the amplifying. Tracking down the perpetrator has also proved difficult. And months after this latest attack, the stunt could be repeated. And so the question is: could DoS attacks, and other assaults on the Web infrastructure, undermine user confidence in the Web?
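The smurf pattern described above, as it looks from the victim's side, can be picked out of a packet capture mechanically: a burst of ICMP echo replies that no local host ever solicited, arriving from many distinct addresses on the same network. The following detector is an added example written for this page, not code from CERT or from any of the sites named in the article. It assumes tcpdump-style summary lines in the format shown in the comment, and the capture it runs on is constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# tcpdump-style ICMP summary line (format assumed for this example):
#   "100.020000 IP 198.51.100.1 > 192.0.2.10: ICMP echo reply, id 1, seq 1"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_lines(lines):
    """Yield (ts, src, dst, kind, id, seq) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (float(m["ts"]), m["src"], m["dst"], m["kind"],
                   int(m["id"]), int(m["seq"]))


def detect_smurf(lines, local_net, window=1.0, reply_threshold=20, min_sources=5):
    """Flag hosts in local_net that receive a burst of echo replies they never asked for.

    A reply counts as solicited only if the same local host sent an echo request to
    that peer with the same id/seq earlier in the capture. Unsolicited replies from
    many distinct sources inside the same /24, all arriving within a short window,
    are the smurf signature: the sources are the intermediary network's hosts,
    answering a broadcast ping whose forged source address was the victim.
    """
    local = ip_network(local_net)
    sent = set()                     # (local_host, peer, id, seq) we originated
    unsolicited = defaultdict(list)  # victim -> [(ts, src), ...]

    for ts, src, dst, kind, ident, seq in parse_lines(lines):
        if kind == "request" and ip_address(src) in local:
            sent.add((src, dst, ident, seq))
        elif kind == "reply" and ip_address(dst) in local:
            if (dst, src, ident, seq) not in sent:
                unsolicited[dst].append((ts, src))

    reports = {}
    for victim, events in unsolicited.items():
        events.sort()
        # Peak number of unsolicited replies inside any `window`-second interval.
        peak, j = 0, 0
        for i in range(len(events)):
            while events[i][0] - events[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        sources = {src for _, src in events}
        amplifier_nets = sorted({str(ip_network(f"{s}/24", strict=False)) for s in sources})
        if peak >= reply_threshold and len(sources) >= min_sources:
            reports[victim] = {
                "total": len(events),
                "peak_per_window": peak,
                "sources": len(sources),
                "amplifier_nets": amplifier_nets,
            }
    return reports


def sample_capture():
    """Constructed capture: one legitimate ping exchange, one reply to a host outside
    our network, then 30 echo replies from a /24 we never pinged, all aimed at
    192.0.2.10 within a third of a second."""
    lines = [
        "100.000000 IP 192.0.2.10 > 198.51.100.1: ICMP echo request, id 1, seq 1",
        "100.020000 IP 198.51.100.1 > 192.0.2.10: ICMP echo reply, id 1, seq 1",
        "100.030000 IP 198.51.100.2 > 198.51.100.9: ICMP echo reply, id 5, seq 1",
    ]
    for i in range(1, 31):
        lines.append(f"{100.1 + i * 0.01:.6f} IP 203.0.113.{i} > 192.0.2.10: "
                     f"ICMP echo reply, id 77, seq 1")
    return lines


if __name__ == "__main__":
    for victim, report in detect_smurf(sample_capture(), "192.0.2.0/24").items():
        print(victim, report)
```

The `amplifier_nets` field is the useful output: as the CERT report notes, dropping the replies at the victim's own router does nothing for the saturated upstream link, so the practical next step is to hand those networks to the provider and to the intermediary's administrators, who can stop answering directed broadcasts. Thresholds are deliberately low for the constructed sample; on a real link they would be tuned to the normal reply rate.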

People are asking that, but despite all the alarms going off last February, user confidence seems about the same as it's ever been. Yahoo! is back online. Amazon is still selling books. CNN is still serving news. eBay is still selling Star Wars memorabilia. Unless these services are knocked out for days, people may grumble, but life will go on, because none of these sites, Yahoo! included, provides services so time-dependent that their absence is cause for alarm. The consequences for online brokers are more severe. Among the victims last February was E*Trade, one of the best known of the online discount securities firms. Traders expect that when they want to buy or sell a stock, they can place the order immediately.

As more serious business is conducted online, one can imagine a denial of service attack having more severe consequences. Last March, for example, the state of Arizona conducted America's first election in which voters could optionally vote online. The election, which covered just the Democratic presidential primary (Albert Gore versus Bill Bradley), drew almost 40,000 online voters, each of whom logged onto a website and entered identification numbers up to four days before the election. The trial election went smoothly, but concerns over manipulation are real. Reportedly, a journalist from one magazine actually hired a California hacker to try to mess with the system, without success, as it turned out. But imagine now an election five years hence conducted chiefly over the Internet, where a DoS attack effectively shuts down all polling booths. Suddenly, what was once an inconvenience is now a threat to democracy.

Context counts

In considering the consequences of DoS attacks, context counts. The difference between aggravation and crisis depends on how time-dependent and critical the interrupted activity is. That's true of other kinds of hacker pranks as well. These threats aren't going away soon, and so it is important to distinguish between those that truly undermine confidence and those that are merely annoying.

Defenders of Kevin Mitnick, one of the world's best known computer hackers, try to make that point. Mitnick, who was released from jail early this year, contends that his acts and life have been misrepresented by the media since he was 17. He said that he was simply curious, wanting to know as much as he could about how phone networks worked. He has said that "there is no evidence in this case whatsoever and certainly no intent on my part at any time to defraud anyone of anything."

Mitnick first came to light when he was arrested in Los Angeles for stealing computer manuals from a switching center at Pacific Bell, the local telephone carrier. The next year he was jailed for six months for breaking into computers at the University of Southern California, and was later treated in a program similar to those given to alcoholics and drug addicts. Mitnick went underground in 1992 and stayed there until three years later, when he tampered with computer files belonging to researcher Tsutomu Shimomura.

Some argue that Mitnick's fame may have wound up attracting new hackers who are far more menacing. His attorney has said that the government made a mistake in that it didn't distinguish between a computer prankster like Mitnick and a computer terrorist, who does actual harm. "He never deprived owners of their unfettered use of their computers. He just peeked at it. Prosecutors couldn't admit they were pursuing a peeker: they had to go after the myth they created."

But if Mitnick could be construed as a clever but harmless prankster, the same could not be said for the people who posted fake announcements of mergers on the sites of two companies. In the case of Aastrom Biosciences, the stock rose 30 percent before the company could deny the information, leaving the door open for the perpetrator to sell high. A similar attack hit PairGain Technologies, a DSL supplier, and the false news pushed the stock from $8 to $12. In that case, a new employee eventually pleaded guilty and was given a stiff fine and a five-year probation sentence.

Both harmed the Web by undermining its credibility. If you can't believe an announced merger on a corporate website, why should you believe any other corporate announcement? And what if you bought a stock on the basis of its expected valuation, only to learn that an insider who faked the information was selling his shares at an inflated price? In the age of the Internet, you can be swindled out of thousands of dollars from the comfort of your computer chair.

Credit Card Theft: Even Bill Gates Isn't Safe

Trust is also the first order of business for anyone transacting business on the Web. That's why credit card theft, the latest problem to befall e-commerce, is arguably a bigger problem than an interruption of service: it undermines consumers' confidence while potentially costing merchants millions of dollars. Customers have traditionally been reluctant to enter their credit card information online, and merchants have bent over backwards to assure them that such transactions are no riskier than comparable ordering by telephone. Indeed, the escalation of browser encryption to 128-bit keys has largely been about giving customers a sense of well-being. While the earlier 40-bit export-grade ciphers were cracked by teams setting out to do exactly that, there is little evidence that card numbers have been stolen in transit by breaking the encryption.

As it turns out, the weak link is not the transmission of sensitive information but how that data is stored once the merchant has it. A vivid example emerged last March, when police in Wales accused two teenagers of stealing data on more than 26,000 credit card accounts, including that of Bill Gates, and posting the information on the Web. The breached sites were varied, ranging from the American Society of Clinical Pathologists to SalesGate.com. Ironically, the attacks reportedly took advantage of a security hole in Microsoft software, and the information was posted by a hacker known as Curador. Microsoft had actually patched the hole in 1998, but not all customers had applied the fix.

A message from the hacker said, "I would like to thank all the nice people in ALL the Sites I Cracked for having left their entire sales database, readable & writable, for anyone who bothered to check their site out. Maybe one day people will set up their site properly before they start trading because otherwise this won't be the last page I post to the NET." He continued, "Also Greetz [greetings] to my friend Bill Gates, I think that any guy who sells Products Like SQL Server, with default world readable permissions can't be all BAD." SalesGate reported it would now move from NT to Linux. In a separate incident, about 350,000 credit card numbers taken from CD Universe, a music site, were posted on the Web after a hacker with the alias "Maxus" said he had tried to extort $100,000 from the company.
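Curador's complaint, stripped of the bravado, is a configuration audit: a sales database full of card numbers, sitting under the document root with permissions that let anyone read it. A merchant can run that audit on its own server before someone else does. The script below is an added example written for this page, not SalesGate's, Microsoft's or CyberSource's code. It walks a directory tree, finds files whose contents contain Luhn-valid 13- to 16-digit card numbers, and rates each by whether the file is world-readable and whether it sits under the web root. The permission bits are POSIX (the original incident was on NT, where the check would be against the file's ACL instead), and the shop layout it scans is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Runs of 13 to 16 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run. Every hit is then checked against the Luhn checksum.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation, the checksum every major card brand uses."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the distinct Luhn-valid card numbers in text, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def audit_tree(root, web_root):
    """Rate every file under root that holds plaintext card numbers.

    critical: readable by everyone AND under the web root (anyone can fetch it)
    high:     readable or writable by everyone, but outside the web tree
    medium:   plaintext card numbers at rest at all
    """
    findings = []
    web_root = os.path.abspath(web_root)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue
            if not pans:
                continue
            world_r = bool(mode & stat.S_IROTH)
            world_w = bool(mode & stat.S_IWOTH)
            under_web = os.path.commonpath([os.path.abspath(path), web_root]) == web_root
            if under_web and world_r:
                severity = "critical"
            elif world_r or world_w:
                severity = "high"
            else:
                severity = "medium"
            findings.append({"name": name, "path": path, "severity": severity,
                             "pan_count": len(pans), "world_readable": world_r,
                             "world_writable": world_w, "under_web_root": under_web})
    return findings


def build_sample_root():
    """Constructed shop layout: a world-readable sales export left under the document
    root, an innocuous page, and an archive kept outside the web tree. The card
    numbers are brand test numbers; the third one in orders.csv fails Luhn."""
    root = tempfile.mkdtemp(prefix="shop-")
    web = os.path.join(root, "htdocs")
    samples = {
        "htdocs/data/orders.csv": (0o644, "id,name,card\n1,A. Jones,4111 1111 1111 1111\n"
                                          "2,B. Lee,5500-0000-0000-0004\n3,C. Ng,4111111111111112\n"),
        "htdocs/index.html": (0o644, "<h1>Welcome</h1> order #12345\n"),
        "private/cards.txt": (0o600, "archived 4111111111111111\n"),
    }
    for rel, (mode, body) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root, web


if __name__ == "__main__":
    sample_root, sample_web = build_sample_root()
    for finding in audit_tree(sample_root, sample_web):
        print(finding["severity"], finding["path"], finding["pan_count"])
```

Even the "medium" finding is worth acting on: Visa's advice later in this article is that cardholder data should not be on the Web-connected server at all, and a file the audit can read in plaintext is a file an intruder can read in plaintext.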

Both incidents illustrate how the forecasts of "digital cash" made in the mid 1990s have turned out to be wrong. At least so far, the familiar credit card has become the universal method for payment over the Internet. E-commerce merchants have argued that online transactions are at least as safe as their telephone counterparts. But the stolen credit card numbers, Mr. Gates' included, would seem to undermine that argument. If I think that the site I post my credit card number and address to will inadvertently make that information available to others, that will make me hesitate.

In the U.S., at least, having your credit card information stolen online is inconvenient, but not costly. That's because of the laws governing the "card-not-present" transactions that take place over the Web and telephone in ordering everything from airline tickets to Mother's Day flowers. The real financial risk is borne not by customers but by the merchants themselves. Credit card rules in the U.S. generally provide that the issuing bank absorbs fraudulent transactions when the merchant had the card in hand. But in card-not-present transactions, the merchant takes the risk. How large that risk is, nobody knows for certain. Expedia, Microsoft's online travel agency, for example, said it would reduce its earnings by $4 million to $6 million to cover fraudulent transactions on its website using stolen credit cards. Other companies have listed credit card fraud in their financial disclosures as a potential drain on profits.

The problem affects not just small companies. Even a large, sophisticated company like Casio is vulnerable. In late 1998, the company learned that forged and stolen credit cards had been used to order products like handheld computers and digital cameras. The police, as is often the case, were no help here, and ultimately, Casio paid for the loss itself.

After being accused of ignoring the problem, credit card companies are finally starting to fight back. Visa, for example, is issuing a guide for online merchants that, for the first time, will help companies steer clear of trouble. In the past, the firm has provided comparable information for catalog companies. "Internet merchants haven't always come out of the old catalog business, and sometimes they have little experience in business," said Dave Richey, vice president for card operations at Visa, in an interview with CNET News.com. "They're often new and often focused on IPOs and other stuff. Communication between merchant and cardholder is key in avoiding misunderstandings."

Visa U.S.A. says that overall card fraud losses have dropped to an all-time low of 0.06% of total transaction volume, down from 0.07% in 1998 and 0.18% in 1992. The company uses artificial intelligence to detect potential fraudulent transactions.

Visa U.S.A.'s online commerce unit, e-Visa, also recently rolled out advanced fraud-screen technology tailored for online merchants. The technology uses artificial intelligence and a Visa database to flag potentially fraudulent transactions made over the Internet. "We look for unusual patterns," says Casey Watson, a spokeswoman for Visa International. "For example, if a merchant is getting hit with a hundred transactions from the same card or a lot of inquiries from Eastern Europe at 3 AM, the software raises a flag that human intervention is needed."

The case of the posted credit card information, though, is a different kind of problem. Watson was reluctant to talk about the specific incident in Wales, saying it is still under investigation. But she did note that the practice among some merchants of keeping sensitive cardholder information on a Web-connected server is a problem. "Merchants may need to rethink where they store this data. Perhaps that data should be offline or at least behind additional firewalls." She said that Visa may eventually mandate stronger security guidelines. "If merchants don't put into place security standards to protect cardholder data, then they may not be a player on the Internet, because customers will shun their sites." The bigger problem, she acknowledges, is that some customers won't make the distinction between secure and insecure sites. They won't shop online, period.

An interview with Brian Burns, general manager, Asia Pacific, CyberSource Corporation, Mountain View, California

Last March, the Silicon Valley-based CyberSource Corporation announced a partnership with Marubeni Corporation and Trans-Cosmos, Inc. ("TCI") to establish CyberSource Kabushiki Kaisha ("CyberSource K.K."), which will market CyberSource's software---including its Internet fraud detection program---in Japan. CyberSource's chief Japanese representative is Brian Burns, who came to CyberSource via Microsoft. Burns has lived in Japan and other parts of Asia for the last 15 years, visits the country monthly, and speaks and reads the language---it was his undergraduate minor at the University of California at Berkeley.

What's propelling demand for your fraud detection software in Japan?
There's a huge amount of interest because there are even higher levels of anxiety than in America among consumers and merchants over Internet fraud.
Is that because, unlike here, consumers in Japan are responsible for fraud?
There is probably more liability on the consumer side than there is in the U.S., although the merchant still bears a considerable load.
At one time Japan wasn't a big user of credit cards. Is that changing?
Credit card penetration in Japan is very high, but usage is significantly lower than in the United States. One reason is that revolving credit isn't as available as it is in the U.S. That's changing, and we see credit card usage increasing.
Is the Internet driving that?
Commerce on the Internet in Japan is in its nascent stage. Many users don't feel that it's secure to use a credit card on the web, even though it's probably safer to use a credit card on the Internet than it is to give it to anyone in a store. So partly this is a matter of education.
One concern is the stealing and posting of credit card information. Does your software help prevent that?
Yes. We provide 'multi-level security' from end to end, and each level is different. Between the consumer and the merchant, we use the strongest encryption available: 128-bit. Between the merchant and our data center, we offer our Simple Commerce Messaging Protocol (SCMP). So the data travels securely from the user to the merchant, then on to us, and we pass it on to the banks or the credit card network. SCMP is very secure and fast. We've been able to create it because of a very tight relationship between us and the merchants. One of our strongest selling points in partnering with financial institutions---banks, credit card companies, processors---is the security we have developed for our own internal systems, using a combination of industry standards and proprietary solutions to protect the user data in our own internal databases.
And that's where the weak link has been in terms of credit card identification theft?
Yes, from both external and internal attacks. Our CTO, Tom Arnold, likes to say that even he couldn't get Bill Gates' credit card number, even if he wanted to.
In trying to sell the Japanese public on the safety of using credit cards on the Web, are you considering some kind of an online branding program?
That's in the works. We have the "protected by CyberSource" campaign in the U.S. In truth, the protection is needed more by the merchant than the customer. However, once a customer does put their credit card into that website, our security will protect that information from ever leaking out.
How does fraud detection work?
It's based on artificial intelligence and heuristic algorithms that look at many different factors. We do about 150 different tests to look at all of the patterns we've identified that have any correlation with the probability of fraud. So if we see a customer in Texas with a credit card number registered to someone in North Carolina, with an IP address saying he's in Malaysia, there might be something wrong here. That doesn't necessarily say that this guy will not be able to make a purchase. But we provide a score, and the merchant makes a decision based on that score. We also consider the time of day. A transaction taking place in Singapore at 3:30AM local time has a higher probability of fraud, and that bumps up the score. We look at all kinds of behavior patterns, like velocity. We monitor how frequently a card is being used. And if a card is being used one time with one name and five minutes later it's using another address, we can detect that.
You mentioned the reluctance of Japanese consumers to use credit cards on the Web. What about Japanese merchants on the web?
There's reluctance here, as well. For example, the merchant discount rate---what the merchant pays the credit card network to process the transaction---is higher in Japan: six to seven percent, versus about three percent in the U.S. So merchants have less incentive. But many people think that rate will eventually drop.
How fast is e-commerce taking hold in Japan?
According to the Cyber Social Infrastructure Research Center, the Internet population in Japan in 1999 was estimated to be over 14 million and the number of eCommerce sites at more than 13,000. We expect these numbers to rise dramatically as problems are solved. For example, Japan, like the United States, has had to solve the problem of 45-second response times to process a credit card. Another issue, as I've mentioned, is the reticence to use cards over the Web.
Japan is ahead of us in terms of wireless Internet access. Will the adoption of smart phones that can display Web content help spur e-commerce growth?
Many people think these devices could spur growth. But it remains to be seen how big an effect they will have. The browsers themselves are still rather clumsy. Buying a pair of baseball tickets with your browser might take you longer than it would to call. On the other hand, the average Japanese person in a metropolitan area spends over two hours a day on the train. You can't talk on the phone while on a train; it's not socially acceptable. But you could plug away at the keys for the entire trip.
Can you really interact in Kanji over the Web using a cellphone?
You'd be surprised how fast a 14-year old high school girl can pull up the Kanji for her name and address using what would appear to be the most clumsy of user interfaces.
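Both Casey Watson of Visa (a hundred transactions from one card, inquiries from an unexpected region at 3 AM) and Brian Burns above (a Texas customer, a North Carolina card, a Malaysian IP address; odd local hours; card velocity; a different name on the same card minutes later) describe fraud screening as a score assembled from many independent signals, with the merchant deciding what to do with the score. The following is an added example written for this page that reduces those descriptions to a small rule set; it is not Visa's or CyberSource's software, and the weights, thresholds, the merchant-configured watchlist (here the placeholder country code "ZZ") and the transactions it scores are all assumptions constructed for the example. A real system would use many more rules and learn its weights from labelled history.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    id: str
    ts: float          # seconds on a constructed clock
    card: str          # opaque card token; the scorer never needs the PAN itself
    amount: float
    name: str
    bill_country: str  # country of the card's billing address
    ship_country: str  # where the goods are going
    ip_country: str    # country geolocated from the customer's IP address
    local_hour: int    # hour of day at the customer's location

# Rule weights are assumptions for this example, not a vendor's real model.
W_BILL_IP = 30    # billing country differs from IP country
W_SHIP = 15       # shipping country differs from billing country
W_WATCH = 20      # IP country on the merchant's watchlist
W_NIGHT = 10      # transaction placed between midnight and 6 AM local time
W_VELOCITY = 25   # too many uses of one card inside the window
W_NAME = 25       # same card, different customer name inside the window


def score_transaction(txn, history, watchlist=frozenset(), window=600, velocity=3):
    """Return (score 0-100, reasons) for txn given the earlier transactions in history."""
    score, reasons = 0, []
    if txn.ip_country != txn.bill_country:
        score += W_BILL_IP
        reasons.append(f"ip country {txn.ip_country} != billing {txn.bill_country}")
    if txn.ship_country != txn.bill_country:
        score += W_SHIP
        reasons.append(f"ships to {txn.ship_country}, billed in {txn.bill_country}")
    if txn.ip_country in watchlist:
        score += W_WATCH
        reasons.append(f"ip country {txn.ip_country} on watchlist")
    if 0 <= txn.local_hour < 6:
        score += W_NIGHT
        reasons.append(f"placed at {txn.local_hour:02d}:00 local time")
    # Velocity: prior uses of this card token inside the window.
    recent = [h for h in history if h.card == txn.card and 0 <= txn.ts - h.ts <= window]
    if len(recent) >= velocity:
        score += W_VELOCITY
        reasons.append(f"{len(recent)} earlier uses within {window}s")
    if any(h.name != txn.name for h in recent):
        score += W_NAME
        reasons.append("card recently used under a different name")
    return min(score, 100), reasons


def run_batch(txns, watchlist=frozenset(), review_at=40, reject_at=70):
    """Score transactions in time order; the merchant sets the two cut-offs."""
    history, results = [], {}
    for t in sorted(txns, key=lambda t: t.ts):
        s, reasons = score_transaction(t, history, watchlist)
        decision = "reject" if s >= reject_at else "review" if s >= review_at else "accept"
        results[t.id] = (s, decision, reasons)
        history.append(t)
    return results


# Constructed sample: a normal order, a Malaysian IP on a US card at 3 AM,
# one card hammered six times in three minutes with a name change halfway,
# and an order with every signal firing at once.
SAMPLE_TXNS = [
    Txn("t1", 1000.0, "tok_a", 49.99, "A. Jones", "US", "US", "US", 14),
    Txn("t2", 1060.0, "tok_a", 899.00, "A. Jones", "US", "US", "MY", 3),
    Txn("t3", 2000.0, "tok_b", 20.00, "B. Lee", "US", "US", "US", 11),
    Txn("t4", 2030.0, "tok_b", 20.00, "B. Lee", "US", "US", "US", 11),
    Txn("t5", 2060.0, "tok_b", 20.00, "B. Lee", "US", "US", "US", 11),
    Txn("t6", 2090.0, "tok_b", 20.00, "B. Lee", "US", "US", "US", 11),
    Txn("t7", 2120.0, "tok_b", 20.00, "C. Ng", "US", "US", "US", 11),
    Txn("t8", 2150.0, "tok_b", 20.00, "B. Lee", "US", "US", "US", 11),
    Txn("t9", 3000.0, "tok_c", 1200.00, "D. Roe", "US", "FR", "ZZ", 2),
]

if __name__ == "__main__":
    for txn_id, (score, decision, reasons) in run_batch(SAMPLE_TXNS, frozenset({"ZZ"})).items():
        print(txn_id, score, decision, "; ".join(reasons))
```

Note what the score is not: as Burns says, a high score does not by itself refuse the sale. The merchant chooses the review and reject cut-offs, and the reasons list is there so that a human reviewer can see which signals fired rather than just a number.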

Author profile

Bart Eisenberg

Bart Eisenberg's articles on the trends and technologies of the American computer industry have appeared in Gijutsu-Hyoron publications since the late 1980s. He has covered and consulted for both startups and the major corporations that make up the Silicon Valley. A native of Los Angeles and a self-confessed gadget freak, he lives with his wife Susan in Marin County, north of San Francisco. When not there, he can sometimes be found hiking with a GPS in the Sierra, traveling in India, driving his Toyota subcompact down the California coast, or on the streets of New York and Tokyo.

(Japanese translation of the above profile)

Since the late 1980s he has written reports on the trends and technologies of the American computer industry for magazines such as Software Design and Web Site Expert. In Silicon Valley he has consulted for companies ranging from startups to large corporations.

Born in Los Angeles, he is a self-confessed gadget freak. He currently lives with his wife Susan in Marin County, north of San Francisco. He also hikes in the Sierra with a GPS, travels in India, drives the California coast, and walks the streets of New York and Tokyo.
