Hackers at the gate
By DAVE GUSSOW
© St. Petersburg Times, published October 9, 2000
You've turned off filesharing and printsharing, just as the experts recommend, and you've spent good money on firewall software to block intruders.
Still, the hackers and thieves bombard your computer with pings and probes, seeking an unguarded entry into your hard drive. You know they're trying because the firewall software shows the attacks, and sometimes they come in bunches.
At first, you're jolted at the thought of someone trying to invade your computer, a creepy feeling that you're being invaded. Then it turns to anger as the attacks continue.
Some users of cable modems and digital subscriber lines, or DSL, get fed up enough to complain to their Internet providers. And some end up feeling doubly abused. They say the ISPs, particularly Time Warner's Road Runner service, don't do enough to protect them or to track down the culprits, even when they provide information that seems to identify the hackers.
If it were only that easy, Time Warner and others say. Hunting hackers is not as simple as it appears. The anonymity of the Internet, where people can mask identities and fake origination points, can make it a fruitless chase. And, they say, if hackers could easily be found, more people would have been arrested or kicked off systems.
Despite advances in security technology, hackers seem to be at least one step ahead of businesses as well as home users. Consider incidents such as the "denial of service" attacks that closed down major Web sites this year. It's thought hackers planted some of the software used in the attacks in home PCs left unprotected, and Web sites were caught unprepared for the electronic assault.
And there is a veil of secrecy involved in such investigations. Consider:
A 16-year-old broke into NASA's computer system, downloaded $1.6-million worth of software used for the International Space Station and forced the agency to shut down its system for 21 days and spend $41,000 to fix it.
He also broke into a Department of Defense computer system, intercepting 3,300 e-mail messages and stealing passwords. He'll spend six months in jail for his efforts, unusual because it's the first time a juvenile has received such a sentence, said Assistant U.S. Attorney Richard Boscovich in Miami.
Even when a case is prosecuted, however, it doesn't guarantee publicity. In the NASA case, the teenager agreed to allow the government to give out general background of the case, Boscovich said. If the teen had not approved, the government's public comments on the case would have been limited because it involved a juvenile.
The case also is unusual because the teen got caught. Such well-publicized cases represent a tiny fraction of the number of people who try to invade others' computers. And there's this reality: Law enforcement and ISPs have limited resources to chase hackers and other cybercrime. Bigger cases get priority.
While reports occasionally surface of home users losing data, hackers have less to gain, in terms of publicity and financially, from those systems. Much of the probing of home systems likely comes from teenagers exploring with tools available on the Internet, experts say. And because these high-speed cable modem and DSL connections are always on, they are easier to probe. (Tech Times, Dec. 6)
Still, some Road Runner customers say they have complained about the problem but have not received a response. Particularly galling to these users is that some of the attacks seem to be coming from other Road Runner subscribers.
Road Runner has one full-time staffer working on security issues in the Tampa Bay area and hopes to add a second before the end of the year, according to Mark Bailey, vice president of Time Warner's Road Runner Online Services in the area. He says users should receive a response acknowledging the complaint, usually within 24 hours. If a response isn't sent, Bailey said, "We all screw up sometime."
But Bailey says the company is concerned about security and tries to be responsive. "As Road Runner customers, they do have access to us," Bailey said. "Our procedures are pretty ironclad. This is a very competitive space and we can't afford not to be."
Road Runner can't say what happens after a complaint is filed and investigated for two reasons, Bailey says: Some are turned over to law enforcement, such as the FBI, for criminal investigation. Or, if Road Runner identifies the would-be hacker, privacy laws prohibit it from telling the person who complained about the outcome.
Additionally, if the intrusion is identified as originating through another Internet service provider, Road Runner will notify the customer where to complain. Sometimes, the intruders "mask" their identity and where the attack originated, making tracking more difficult.
On average, Road Runner kicks 10 people a week off its system for violating its policies, said Ruben Bazarte, the company's operations director. The company has a rating scale for violations such as spam and pornography.
"We pretty much give everybody one shot from a spam point of view," he said, referring to unsolicited commercial e-mail. But hacking, "We take very, very seriously."
Road Runner has two e-mail addresses where people can send complaints: firstname.lastname@example.org goes to the company's national desk, which copies it to the local service; e-mail sent to email@example.com is handled here.
Road Runner installers are supposed to tell new subscribers about security issues, such as turning off Windows file- and printsharing, Bailey said. It also will talk about firewall software such as BlackICE Defender (www.networkice.com) that many people use to block intruders. Security also is mentioned on the Road Runner Web site (www.rr.com).
As for theories that Road Runner probes users' systems, Bailey gave an emphatic "absolutely not" response. The company does "ping" modems, but only to check its system, not users' systems.
For those with fast phone connections, Verizon warns DSL subscribers about Internet security issues, as well as the increased risks for hacking posed by DSL connections, Tampa spokesman Bob Elek said. Verizon also has a section about privacy and protection on its Web site (www.gte.com/dsl/personalFirewall.html).
Reporting back to customers who complain is not an issue solely for Road Runner. I filed several spam complaints with America Online and didn't receive an acknowledgement, much less an update on what happened.
Most complaints to ISPs involve spam, not hacking, said Joseph Marion, executive director of the Federation of Internet Solutions Providers Associations (formerly the Florida Internet Service Providers Association), because most users have dial-up connections that are harder to hack.
While Marion says ISPs have no written guidelines on handling hackers, they should at least exchange information when problems arise. Better, "they should be contacting law enforcement" so they can work with authorities to get enough information to prosecute offenders. And, in criminal investigations, information is not usually released publicly unless the case is resolved.
That leaves much of the burden for protecting a computer on the owner. But while it seems ever more difficult to protect computers, it seems to get ever easier for hackers.
"In the past, if you wanted to mount an attack on someone's computer, you had to be a good programmer or know another hacker who could help you," said John Myung, an official with Network ICE, maker of Black Ice Defender firewall software. "But today, the destructive tools needed by hackers are easy to find on the Internet, and they're free. There may be millions of people using these tools."
That doesn't mean we're defenseless, says Winn Schwartau, a nationally known expert on high-tech security from Seminole. But it is an advantage for the hackers.
"The good guys have to lock every single door to their electronic house," Schwartau said in an e-mail. "The bad guys only have to find one loose hinge."
- Information from Times wires was used in this report.
© 2006 • All Rights Reserved • Tampa Bay Times
490 First Avenue South St. Petersburg, FL 33701 727-893-8111