Cybervandalism Is Tough to Thwart

Federal law-enforcement authorities say they're doing all they can to combat the ongoing attacks on popular Web sites, but experts warn little can prevent the onslaught.

"Internet protocols are not designed to protect against these types of attacks," says Michael Lyle, security expert with Recourse Technologies.

The spate of attacks began Monday with a cyberassault on the Yahoo portal that paralyzed the site for three hours. Subsequent attacks have targeted retailers Amazon.com, Buy.com, and auction giant eBay. Online news site CNN.com was attacked Tuesday; and on Wednesday, E-Trade and ZDNet were battered.

They comprise a growing list of major Web sites temporarily shut down by what are called "denial of service" attacks. Basically, the attackers bombard a site with a huge number of demands for information, slowing or halting its processing. Anyone trying to access a Web site under attack receives an error message denying Web access to the site.

Camouflaged Sources

Third-party sites are unknowingly setting off the assaults, says Ronald Dick, a cybersecurity expert at the FBI, speaking at a press conference on Wednesday. "The tools ... to launch these attacks have been placed there without their knowledge, and someone at a remote location is controlling those tools to launch attacks against the victims," he says.

The deception technique is called "spoofing," Dick adds. The hackers "falsify where they're coming from" to hide their identities. The FBI would not comment about who the third parties are or how many have been hit. However, no government computers have been identified as gates for the spoofed attacks, says Tom Burke, assistant commissioner of information security at the General Services Administration.

No hackers or groups have claimed responsibility for the infiltration. While the intruders remain unknown, Dick recognizes the possibility of an international presence in the scheme. "Historically, it's not just a U.S. issue. We inevitably end up overseas."

The FBI's National Infrastructure Protection Center, which investigates threats and attacks against telecommunication infrastructures, is working closely with the victim companies and with local law enforcement authorities, says U.S. Attorney General Janet Reno. Webmasters should promptly report any acts of "cybervandalism," Reno urged on Wednesday.

Malicious hackers could face a maximum penalty of between five and ten years in jail and up to a $250,000 fine, Dick says. In some cases hackers could face "twice the gross loss to the victim."