By John Jaser
Our perceptions of the Internet change all too quickly. Four years ago, spam morphed from a brand of processed meat into e-mail solicitations for Canadian pharmaceuticals. Two years ago, spam changed again from a potpourri of sexual enhancement offers to a launch vehicle for computer viruses. Now, spam has changed again – this time to a vehicle for death threats.
The FBI has reported threatening e-mails throughout the United States with a common, chilling subject line: “Someone you call your friend wants you dead.” The victim is asked to pay $20,000 for the “evidence of the person that wants you dead.” When the tape arrives, the victim then must pay an additional $80,000 to stop the sender from fulfilling his assignment – which is to kill the victim.
“Now, do you want to live or die?” the threatening e-mail asks. “It is up to you.”
Most consumers have the good sense to delete the message, figuring that it’s no more personal than an advertisement for Cialis. But a variant of death threat spam may not be so simple for companies, particularly banks, to ignore.
The bank variety is actually targeted to bank presidents and other officers. The subject of these e-mails is highly specific, and the body contains frightening details, such as the officer’s home address. If you’ve been wondering why few bank Web sites display their officers’ names and photographs anymore, now you know.
Another form of targeted attack is denial of service, known as DoS in our acronym-filled world. DoS attacks prevent legitimate users from accessing a Web site because it’s been flooded with bogus requests for information.
DoS attacks have disabled institutions of all stripes. Last year, a 20-year-old Estonian used his home PC to disable the main Web site for the prime minister’s political party. Last week, hackers shut down Radio Free Europe. Over the Memorial Day weekend, an American company called Revision3 alleges it was disabled by another company’s “automatic retaliation” DoS attack because it had closed a security hole that was being exploited. At its height, Revision3 says it received 8,000 packets of information per second.
What’s the motive for these attacks? Some are political, others financial, but far more involve retaliation. A bank that disabled a phishing attack was hit by a DoS attack an hour later. To stop the attack, the bank temporarily shut down its Web site. The attack stopped, the Web site went back online and then the hackers hit it again. In all, the bank was attacked more than a dozen times before the hackers moved to different prey.
But what if they hadn’t? Could a flood of Web site hits block everyone from reaching your bank’s Web site?
A good Web hosting service can determine the source of a DoS attack and prevent attack messages from hitting your site. Of course, the hackers know this and have developed an alternative attack called distributed denial of service (DDoS), where the flood of Web site requests is launched from hijacked computers all over the world.
In the case of a DDoS attack, the hosting service could hold off the onslaught with high-capacity routers and switches capable of filtering the thousands of messages per second, based on unusual connection behavior. Beyond that, a request to Web backbone services such as AT&T can stop a bombardment that originates from several ranges of Internet addresses.
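The sketch below is an added illustration, not code from the article or from any hosting provider. It shows why counting requests per address finds the source of a DoS flood but misses a DDoS, where each hijacked computer stays under the limit, and how grouping by address range exposes it. The window size, limits, function names and sample traffic are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 10        # sliding window in seconds (assumed value)
HOST_LIMIT = 50    # max requests per window from one address (assumed value)
RANGE_LIMIT = 200  # max requests per window from one /24 range (assumed value)

def peak_counts(events, key):
    """Map key(ip) to the highest request count seen in any WINDOW-second span."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, ip in sorted(events):
        k = key(ip)
        q = recent[k]
        q.append(ts)
        while q[0] <= ts - WINDOW:  # drop requests that have aged out
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return dict(peak)

def net24(ip):
    """Return the /24 range containing an IPv4 address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def classify(events):
    """Return (flooding single addresses, flooding ranges) for (timestamp, ip) events."""
    hosts = {ip for ip, n in peak_counts(events, lambda ip: ip).items() if n > HOST_LIMIT}
    # Ignore already-flagged hosts so one loud machine does not condemn its whole range.
    rest = [(ts, ip) for ts, ip in events if ip not in hosts]
    ranges = {net for net, n in peak_counts(rest, net24).items() if n > RANGE_LIMIT}
    return hosts, ranges

def sample_events():
    """Constructed traffic using documentation addresses, not real log data."""
    normal = [(float(t), "192.0.2.10") for t in range(0, 60, 2)]   # 5 per window
    single = [(i * 0.05, "198.51.100.7") for i in range(200)]      # 200 in 10 s
    spread = [(i / 3, f"203.0.113.{h}")                            # 30 per host,
              for h in range(1, 101) for i in range(30)]           # 100 hosts
    return normal + single + spread

if __name__ == "__main__":
    hosts, ranges = classify(sample_events())
    print("block addresses:", sorted(hosts))
    print("block ranges:", sorted(ranges))
```

On the constructed traffic, the ordinary visitor is left alone, the single flooding address is flagged on its own, and the 100 low-rate hosts are caught only at the range level.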
Prevention of all these attacks begins with prompt reporting. The FBI recommends that anyone who receives a death threat via e-mail should report it immediately to www.ic3.gov. In the case of DoS and DDoS attacks, a quick call to your bank’s Web hosting service should start the recovery process.
A good Web hosting service should have technicians available to answer your phone calls around the clock, seven days a week. Better yet, the Web host should detect the attack automatically and have remedies ready to go. If your Web hosting service fumbles its answers about combating DoS and DDoS attacks, you might seriously consider looking for an alternate provider.
This is not the way your bank should lose the battle for Internet security.
John Jaser is an Internet security manager at Avon, Conn.-based COCC Inc. (www.cocc.com), a 41-year-old firm specializing in outsourced information technology and support. “Guarding the Gate” is a regular feature in Banking New York focusing on banking technology and security trends.