Web-Security Stocks Rally, but Magic Bullet Isn't on Horizon

Still, security awareness is bound to be raised, observers say, in the wake of attacks on high-profile Web sites.

Though no one appears to have a magic bullet, business could improve for computer-security companies in the wake of the recent attacks on Yahoo! (YHOO), eBay (EBAY), Buy.com (BUYX) and other sites.

Computer security experts say there's little a site can do to prevent itself from falling victim to a similar scheme, but the incident will at least raise awareness about security issues among organizations that use computers.

On Wednesday, the third day of the attacks, shares in online security companies rose despite a broad market selloff late in the day. Shares in Axent Technologies (AXNT) rose 22%, and both ISS Group (ISSX) and Check Point Software Technologies (CHKP) were trading higher.

Benefits Analysis

Just as the "Michelangelo" virus scare of 1992 heightened awareness of virus-protection software, the site outages of recent days will likely heighten awareness of, and demand for, other security measures. "In general, any security company benefits from this kind of stuff because usually people don't care about security," says Jeffrey Schiller, the network manager at the Massachusetts Institute of Technology.

Defending against the scheme used to temporarily cripple the sites -- known as distributed denial of service, or DDOS -- is no simple matter, say experts. That's because the attack can't be prevented by security precautions at the target site; rather, it takes advantage of lax security at unrelated machines operated by third parties on the Internet. And because there are millions of computers permanently connected to the Internet -- operated by organizations without infinite time, money or other resources to devote to security -- hackers theoretically have numerous opportunities to bring down any site they choose to target.

"There is not a lot that can be done here by the victims to protect themselves," says Eugene Spafford, a professor of computer sciences at Purdue University and director of a research center devoted to computer and network security.

What Happens

Most security experts think attackers hijack other computers around the Internet and instruct them to flood the target Web site with requests for information. The server of the target Web site cannot process the deluge of requests at once, so the time to download a Web page slows to the point that the page becomes inaccessible.

Hackers launching DDOS attacks take advantage of weak Internet security in different ways, say administrators of computer networks.

Prior to their planned attacks, they deposit rogue software on unsecured machines, explains Randy Marchany, a system administrator at Virginia Tech and a faculty member of the SANS Institute, a cooperative group that educates computer professionals about network security. That rogue software transforms these machines into either "client" machines that directly attack the target site, or "master" machines that direct the clients, Marchany says. "It's literally, the client machines are soldiers, the masters are sergeants ... and the hacker is the commander," he says.

Another element of the attack is that the messages sent to the target site usually have forged return addresses, making it difficult for targets to trace the true source of the attack, says Schiller, who manages MIT's computer network. That complication can be prevented by companies and Internet service providers making sure that they don't pass on Internet traffic with faked addresses, Schiller says. "Most end-users don't know how, and most ISPs don't bother because it doesn't help them," he says. Such a precaution would make it easier to find perpetrators, making DDOS riskier and deterring future attacks.
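The precaution Schiller describes, refusing to pass on traffic whose source address does not belong to the sending network, is sketched below as an added example that is not part of the original article. The prefixes, interface names and packet list are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the address blocks assigned to this site. These are
# documentation ranges chosen for the example, not real allocations.
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed sample: (LAN-side interface, source address, destination)
# for packets about to leave the site through its border router.
SAMPLE_OUTBOUND = [
    ("lan0", "192.0.2.17", "198.51.100.5"),
    ("lan0", "203.0.113.9", "198.51.100.5"),       # source is not ours
    ("lan1", "10.1.2.3", "198.51.100.5"),          # private address leaking out
    ("lan1", "2001:db8:10::25", "2001:db8:ffff::1"),
    ("lan1", "203.0.113.77", "198.51.100.5"),      # source is not ours
]


def source_is_ours(src, prefixes=SITE_PREFIXES):
    """True only if src parses as an address inside one of our prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: never forward
    return any(addr.version == net.version and addr in net
               for net in prefixes)


def egress_filter(packets, prefixes=SITE_PREFIXES):
    """Split outbound packets into forwarded and dropped.

    Also counts drops per LAN-side interface, which tells the operator
    which segment holds a machine emitting forged traffic.
    """
    forwarded, dropped, drops_by_iface = [], [], Counter()
    for iface, src, dst in packets:
        if source_is_ours(src, prefixes):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops_by_iface[iface] += 1
    return forwarded, dropped, drops_by_iface


if __name__ == "__main__":
    fwd, drop, by_iface = egress_filter(SAMPLE_OUTBOUND)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for iface, n in by_iface.most_common():
        print(f"{iface}: {n} packets with a source outside the site's prefixes")
```

The per-interface drop count is what turns the filter into a lead: a segment that keeps emitting packets with foreign source addresses is where to look for a hijacked machine.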

Multi-tasking

Software and security services from a variety of sources, says Schiller, could prevent hackers from hijacking an organization's machine to go after another site. (He says MIT itself doesn't rely on outside security vendors. "We roll everything ourselves," he says.)

Because of the decentralized nature of the Internet, a Net-wide solution to prevent DDOS isn't easy to craft, says Spafford. Even if someone came up with a solution tomorrow, it might take years to implement, he says. A legal approach, he suggests, might be to hold companies responsible, at least in civil court, for damage caused by people who used their unsecured computers for an attack -- sort of how a homeowner might be liable for an injury at his pool if he didn't put a fence around it.

In the end, it's a community effort. "Everybody depends on each other. And that's the thing a lot of people haven't realized yet," Marchany says. "My security depends on your security. We all have a responsibility."