We have met the enemy and he is us

For the second time this year, script kiddies using old tactics are bolstering their egos in the name of their countries. While Israeli and Palestinian hackers continue to duke it out in cyberspace, a new war between Chinese and American crackers is now under way.

The score as of last Monday: China, 1,031; America, 750. That's the number of compromised Web sites each side claims to have defaced with its patriotic messages or forced off the Net altogether.

Everyone knows these strikes are fairly inconsequential instances of Web graffiti and minor denial-of-service attacks by a bunch of script kiddies. But this little hacker war could escalate into full-scale distributed denial-of-service (DDOS) attacks against bigger businesses with better security. And it could also draw U.S. law enforcement authorities into international investigations that they want nothing to do with.

Let's start with the downstream effect on U.S. businesses: On May 5, the National Infrastructure Protection Center (NIPC), a reporting partnership between the U.S. Federal Bureau of Investigation and the private sector, posted a new warning of a sharp increase in scans against Port 80 (the port every public Web server must keep open for HTTP traffic). Attackers are using Web server holes reachable over that port to install DDOS agents.

You remember those pesky little DDOS agents secretly planted over the Net in small businesses and colleges, then remotely commanded to attack Amazon.com Inc., Yahoo Inc., eBay Inc. and others last year? Then, as now, the agents were installed in organizations with weak or no information security.

While the NIPC wouldn't connect this to the Chinese/ American cracking, intelligence from the private sector reveals that these DDOS agents are being installed on machines the Chinese crackers claim to have compromised.

"We contacted the victims on the Chinese lists, and we've recovered a few tools placed on the victim machines: DDOS tools and a Perl exploit used to break into Windows NT Web servers through Port 80," says Ryan Russell, an incident analyst at SecurityFocus.com, a security intelligence firm in San Mateo, Calif.

Because DDOS attacks are so difficult to prevent, even U.S. businesses with more security protection than most are now at risk of losing online business the way Amazon, ZDNet and others did last year.

Now for the problems facing law enforcement. No way does the FBI want to escalate this script kiddie war into an international cyberconflict, contends Winn Schwartau, a well-known writer and lecturer on information warfare. Which explains why neither the NIPC nor the presidentially directed Critical Infrastructure Assurance Office in Washington would comment on the Chinese/American hacks.

"This is all new ground. There's no way to know if this script-kiddie war even fits into the spectrum of conflict, which in a precyberworld followed a natural path between diplomacy and kinetic conflict," Schwartau says. "Besides, law enforcement would have to track these things down to see who's at the end of them. And I can tell you, that's very difficult when the anonymity factor is maintained and the attackers are offshore."

Attackers from each country are covering their tracks by bouncing their attacks through servers in Korea, Russia and elsewhere to make finding them and retaliating nearly impossible.

About the only thing that can be done at this point is for businesses and other organizations to beef up their perimeter security, starting in particular with the Web sites of smaller companies and the .edu sites that are being defaced through an easy, year-old, patchable exploit called the Unicode hole, according to Russell. The hole is a directory traversal flaw in Microsoft's IIS Web server (patched in October 2000, bulletin MS00-078). The Unicode exploit lets crackers deeper into a Web site by inserting the malformed sequence %c1%1c (or %c0%af) between two dots in the requested URL path: IIS checked the raw path for ".." escapes first and only then decoded the sequence to a backslash or slash, so "..%c1%1c.." became "..\.." and the request climbed out of the Web root, typically to run cmd.exe.
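The following is an added example, not code from the Computerworld article or from SecurityFocus: a simplified Python model of the Unicode hole. It shows why checking the raw path before decoding is bypassed, and how a hardened check (strict decoding first, canonicalization second) rejects the same requests. The request lines are constructed for illustration; the lenient decoder is a model of the bug, not IIS source.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths (not captured traffic).
SAMPLE_REQUESTS = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",   # %c1%1c -> backslash
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",   # %c0%af -> slash
    "/scripts/../../winnt/system32/cmd.exe?/c+dir",        # plain traversal
    "/index.html",
    "/images/logo.gif",
]


def lenient_utf8_decode(data: bytes) -> str:
    """Model of the buggy decoder: for a two-byte lead (0xC0-0xDF) it takes the
    low six bits of the next byte even when that byte is not a continuation
    byte, and it accepts overlong encodings. A strict decoder rejects both."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def escapes_root(path: str) -> bool:
    """Canonicalize the path and report whether any '..' climbs above the root."""
    depth = 0
    for seg in re.split(r"[\\/]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def audit(request: str) -> str:
    """Classify a request against the flawed order of operations:
    'blocked-by-raw-check'  : the raw path already contains a '..' escape
    'bypasses-raw-check'    : raw path looks safe, decoded path escapes the root
    'clean'                 : neither form escapes the root"""
    path = request.split("?", 1)[0]
    if escapes_root(path):
        return "blocked-by-raw-check"
    decoded = lenient_utf8_decode(unquote_to_bytes(path))
    if escapes_root(decoded):
        return "bypasses-raw-check"
    return "clean"


def hardened_reject(request: str) -> bool:
    """Hardened check: strictly decode first, then canonicalize. Malformed or
    overlong UTF-8 is rejected outright instead of being guessed at."""
    raw = unquote_to_bytes(request.split("?", 1)[0])
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return escapes_root(decoded)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{audit(req):22} hardened_reject={hardened_reject(req)!s:5} {req}")
```

The first two requests pass a check run on the raw path because "..%c1%1c.." is a single, harmless-looking path segment; only after decoding does it become "..\..". Doing the decode (strictly) before the canonicalization, as hardened_reject does, closes the gap, and the same two-stage logic works as a log filter for spotting these scans in Web server logs.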

Those companies that are already on top of patches and filters should batten down their hatches in anticipation of DDOS attacks. Check your fail-over mechanisms and the IP blocking and rerouting features of your firewalls and routers, and make sure your upstream provider knows whom to call when the traffic arrives.

And by all means, crackers, chill out before this escalates into something bigger. The Chinese hackers claim more sites, but the U.S. hackers have hit much higher-profile government, entertainment and telecommunications sites in China. So call it even, will ya?

This story, "We have met the enemy and he is us" was originally published by Computerworld.
