Subject: IP: re: DoS technology apparently lesser-known fifth horseman of the apocalypse
----- Original Message -----
From: "Ezor, Jonathan (Legal)" <jezor@mimeo.com>
To: <farber@cis.upenn.edu>
Sent: Friday, February 25, 2000 12:27 PM
Subject: RE: DoS technology apparently lesser-known fifth horseman of the apocalypse
> Dave,
>
> As an IP subscriber, I thought you might find interesting the article on
> dealing with DOS and other attacks which I just published in the newsletter
> for my book, "Clicking Through: A Survival Guide for Bringing Your Company
> Online" (Bloomberg Press 1999). I've reproduced it below. Thanks for all
> the useful information! {Jonathan}
>
> Jonathan I. Ezor, Esq. <author@clickingthrough.com>
> Dir. of Legal Affairs, Mimeo.com <http://www.mimeo.com>
> Author, "CLICKING THROUGH: A Survival Guide for Bringing
> Your Company Online" (Bloomberg Press: 1999)
> Info. and free Internet business law e-mail newsletter:
> <http://www.clickingthrough.com>
>
>
> BLUNTING THE STING OF CYBERVANDALISM
> by Jonathan Ezor
> Director of Legal Affairs, Mimeo.com <http://www.mimeo.com>
> From ClickingThroughList 1.4
> (Copyright 2000 Jonathan Ezor; all rights reserved)
>
> A recent series of attacks on major Web sites such as eBay, CNN, E*Trade
> and Yahoo! has captured the attention of both the technology and business
> press. These attacks, commonly known as Denial of Service (or "DOS", which
> has nothing to do with disk operating systems) attacks, utilize
> previously-invaded computers attached to the Internet to bombard a targeted
> site with huge numbers of simultaneous information requests. The servers
> become so busy responding to all the spurious queries that they cannot
> provide content to legitimate users, much as a lone salesclerk in a toy
> store on that "last shopping day" has too many customers screaming for
> answers to give quality time to a single legitimate purchaser. The result
> is that the sites are essentially shut down. DOS attacks are not new; they
> have been part of the arsenal of malicious hackers (also known as
> "crackers") for years. Because the recent attacks were so widespread, were
> apparently carefully coordinated by multiple crackers, and were aimed at
> some of the most used and highest profile sites, though, DOS is suddenly
> part of the vocabulary of even the casual Internet user.
>
> The DOS attacks have been particularly worrisome, coming as they did on
> the heels of revelations in January by online vendor CD Universe that its
> internal credit card and user records were compromised and ransomed back to
> them by a cybervandal. It's critical to remember that no credit card
> information was intercepted in transit; that is, no one was able to snag a
> credit card number as the user was sending it to CD Universe to make a
> purchase. Rather, the cracker attacked the stored files of past
> transactions and, utilizing previously-publicized weaknesses, copied the
> credit card information. Regardless of the method, though, the result was
> troubling to say the least.
>
> Web site owners need to be concerned about DOS and these other malicious
> attacks on their sites, in the same way that a real-world store owner must
> contend with the threat of burglary and vandalism. Most site owners,
> though, don't manage their own connection, security and storage
> arrangements, choosing instead to work with third-party hosting companies
> to handle the day-to-day operations of the site. How can these site owners
> protect themselves, and their customers, from inconvenience or theft? The
> short answer is by due diligence and proper contracts with the hosting
> company, communication with users, and insurance.
>
> Chapter 1 of "Clicking Through" details many of the questions and concerns
> that businesspeople should raise with hosting providers, but these recent
> events provide some additional guidance and raise new questions as well.
> You must remember to investigate the host's sophistication in dealing with
> computer security issues. Ask questions such as:
>
> · On which operating system does the server run? The possible answers could
> include Windows NT/2000, some variant of Unix (such as Linux), or even
> MacOS. While each OS has security issues, some are more secure than others.
> · Have all upgrades and patches (both for security and stability) been
> installed?
> · What third-party software and hardware does the hosting company use to
> increase its security?
> · What physical security does the facility have?
> · Does the hosting company receive CERT risk and intrusion bulletins?
> · How quickly are CERT recommendations implemented?
> · Does the host have redundant connections in case one comes under
> cyberattack?
> · What is the provider's history regarding previous cyberattacks? How have
> they been handled?
> · What is the procedure to notify your company in the event your site or the
> hosting facility itself suffers a DOS attack or similar outage?
>
> Similar questions should be asked of any transaction processing facility, if
> financial information is kept off the actual host server. In doing this
> research, you may wish to speak to the employee in charge of data security,
> rather than a sales representative who may not have updated or correct data.
> Remember to get as many of these answers as possible into your contract as
> affirmative commitments of the host and/or transaction processor.
>
> Even if the hosting company or transaction processor is taking all
> reasonable precautions against cybervandalism, problems may still arise. In
> such an event, you need to determine (and your contract needs to state) who
> bears the responsibility for outages, delays and loss caused by crackers and
> cybervandalism. Your contract should require the other party to indemnify
> you for damages for its negligence and failure to take proper precautions at
> the very least, and you may even be able to negotiate credits against fees
> or reimbursement from a hosting facility if your site goes down for
> technical reasons for more than a minimal amount of time.
>
> On the user side, you'll need to balance customer expectations with the
> possibility of cybervandalism. Make sure the terms and conditions of use of
> your site expressly state that you cannot guarantee your site will always be
> operating, and try to have alternate means (such as telephone access, e-mail
> or even fax) for your users who need to reach you when your site may not be
> fully functional. (This is of greater importance to sites offering
> time-sensitive commerce, such as auctions or brokerages.) You should also
> anticipate some angry calls from users complaining of site outages when the
> problems are actually on the user end; make sure your customer service
> personnel know how to diagnose and help a user understand the cause of such
> problems. (A developer at an early online stock brokerage once stated that
> something like 70% of their customer support calls had nothing to do with
> their site, but were general Internet use questions.) Finally, examine your
> business interruption liability insurance, and make sure your policies cover
> cybervandalism as well as more common situations.
>
> Just as you can't absolutely prevent fires or earthquakes or vandalism from
> disrupting your brick-and-mortar business, cybervandalism such as DOS
> attacks is likely to be a fact of Internet business life for some time to
> come. The best approach is to share the risk with your hosting company,
> insurance carrier and other providers, and keep your customers informed when
> problems do arise.
>