Cyberspace is difficult terrain for FBI
Although the FBI has vowed to track down those responsible for this week's cyber attacks, security experts say they will have a tough time.
But even as she spoke, security experts interviewed by CNET News.com questioned the FBI's prowess in this arena, noting that sleuthing in cyberspace is far different from hunting down a band of drug smugglers in South Florida. Confronted with so many ways to cover tracks on the Internet, even the most nimble technological experts would have a difficult time finding the perpetrators.
The type of denial of service attack being launched at Web sites such as Yahoo and eBay this week is distributed across numerous systems and
networks. That means the assault--essentially made up of repetitive streams of information sent to clog or disable a particular computer--is executed using a variety of unknowing computer systems housed at various locations on multiple networks.
"There's a very good chance that they'll never know who did some of these attacks," said Avi Rubin, an Internet security expert at AT&T Labs and author of the "Web Security Sourcebook." "The odds are reduced with every indirection."
Compounding such doubts, FBI officials were caught off guard with some basic questions today. For example, federal investigators told reporters that they had not heard of any attacks, even though several had occurred before the afternoon press briefing.
FBI officials could not say whether the attacks were coming from inside or outside the United States, or both. They had no answers when asked whether one group might be responsible, if copycats might be involved, or what type of computers were used in the attacks.
"It's too early in the investigation," said Ron Dick, chief of the Investigations and Operations section for the National Infrastructure Protection Center, appearing alongside Reno at the J. Edgar Hoover Building here.
Others noted that the individuals or groups attacking the popular Web sites could be located anywhere, reaching far beyond the jurisdictional boundaries of the FBI.
"If they're hopping through several Unix (systems) boxes in several countries and erase their tracks, it could be a very long process," said Christopher Klaus, founder of network security software and consulting firm Internet Security Systems.
Tracing the attacks requires a high level of cooperation between companies, such as the various ISPs used by the hackers to access the Net. This is where some hold hope for the FBI.
"They are the only group with the authority to force ISPs to turn over information that they might otherwise not make available," Russ Cooper, editor of NTBugtraq, an Internet discussion forum about security issues, said in an email interview.
"However, the FBI does not have the ability to put together the logs from a variety of backbone providers in order to trace back an attack to its real origin," he continued. "This must be done by cooperating between, possibly, many different ISPs."
The Net companies and the firms that in turn host their Web sites have rallied around the unified cause of stopping the attacks by working with each other. Most affected Web sites have confirmed that they are speaking with the FBI but have offered scant details about the probe.
"Security on the Internet is a community effort," Dick said. "It's not something that is done by any one organization, any one federal agency or the government itself. It is a partnership between all of us--and the most important partner is the private sector itself."
Yahoo plans to work with law enforcement officials and other Web competitors that also were attacked this week, a spokeswoman said. Yahoo executives declined to give specifics but expect to turn over a variety of data that was generated by the attack.
"We are cooperating fully with the FBI's investigation," said Amazon.com spokeswoman Patty Smith. "The thing about security is once you start talking about it, that's when it becomes degraded."
Added eBay in a posting on its Web site: "We are taking multiple measures to fight this, including working with local and federal authorities, (Internet service providers) including Sprint, UUNet and AboveNet, our vendors including Cisco Systems, our partners, and other Internet sites that have recently been attacked in the same way."
Major Web hosting firms, such as Exodus Communications and GlobalCenter, the hosting division of international communications carrier Global Crossing, are also taking the unusual step of working together to solve the riddle.
"Right now they're looking for patterns and trends and fingerprints," said Laurie Priddy, executive vice president of systems and applications at GlobalCenter. "For the time being it's just data collection. Internally, we're strategizing to figure out what we can put in place to help if it happens again."
The time-consuming process is like searching for the proverbial needle in the haystack, disheartening some insiders.
"We're looking, but we're not really expecting to find anything because (the attackers) attempted to cover their tracks," Priddy said. "I'm not sure that people are really optimistic (about catching the perpetrators)."
Using the "hopping" techniques, the hackers have made it difficult for any investigation to be fruitful, according to some.
"They've used multiple levels of misdirection," said Bill Wilson, director of security services for Exodus. "This is a very difficult process of putting the pieces together, but law enforcement also is becoming increasingly sophisticated. As a result, there is a reasonable chance that the source of this will ultimately be known."
Dick and other authorities have called on the private sector to strengthen their security, but he acknowledged the difficulties in guarding against these assaults.
"The intruder community is actively developing tools by which to circumvent any of these security measures to take advantage of government systems, as well as those involved in commerce," he said. With tools freely distributed over the Web, Dick added, even "an unsophisticated intruder or an unsophisticated computer user" can become a cyber criminal.
For this reason, some remain skeptical that investigators will find those responsible. Rather, the perpetrators, as in other non-computer crimes, are more likely to finger themselves by boasting about the successful attacks.
"The attackers they catch are the ones that aren't very careful," Rubin said, suggesting the attackers could be turned in after telling a friend or spouting off in a chat room, for example. "It's really not all that different from the way crimes are solved outside the Internet in the physical world."
Security experts warn that the hopping methods of the hackers could also prove to be a legal hornets' nest. The owners of many computers involved in coordinated, distributed attacks on Web sites such as Yahoo may not even know their machines are being co-opted and utilized by a renegade hacker, they say.
"When it is a distributed liability, what is the responsibility of these parties?" asked Klaus, of Internet Security Systems. "Who's ultimately responsible?"
So what legal remedies are there if the hackers are caught? Although there are gray areas in the relatively immature specialty of Net law, legal experts say there are a handful of laws on the books and legal precedents that govern so-called cyber crimes.
In 1996 Congress updated the Computer Fraud and Abuse Act, which protects against many computer crimes. The law affects "anything that knowingly causes the transmission of a program, information, code or command and as a result intentionally causes damage." Penalties under the law include restitution and up to 10 years in prison, or up to 20 years if the perpetrator was previously convicted for a similar offense, according to legal experts.
The statute was applied in the cases involving noted hacker Kevin Mitnick and Melissa virus author David Smith. Wire fraud laws also were applied in Mitnick's case. And federal investigators said they could prosecute a hacker from another country if they used a computer based in the United States.
Nevertheless, jailing a hacker is of little benefit to the affected company in civil litigation. A company that may have lost millions in revenue or suffered from a damaged reputation often is lucky to collect any restitution.
"The problem in all of these cases...is the hacker doesn't have any resources. There's no money to recover," said Daniel Harris, a partner at Brobeck, Phelger & Harrison, a San Francisco-based law firm with offices nationwide.
Harris, who practices intellectual property law, said the best most companies can hope for is to get a criminal conviction before even considering civil remedies. A variety of civil laws, such as those against fraud and trespassing, can be applied in cyber crime cases, he said.
"For the company, they're better off letting the federal prosecutors pursue the case because if there's any money to recover, they'll get it," Harris said. "It's much easier to sue for civil damages once the criminal case has been completed."
Corey Grice and Ben Heskett reported from San Francisco, and Joe Wilcox reported from Washington. News.com's Troy Wolverton contributed to this report.