Truth About Computer Security Hysteria
Service provider attacks (SPAs)
Monday, 10 December 2001
VIRUS PIONEER FRED Cohen and Vmyths columnist Lewis Z. Koch suffered a horrifying denial-of-service (DoS) attack last week. It also happened to antivirus alumni Aryeh Goretsky, and to my brother Terry, and to my relatives Ed & Vera, and to my wife's friend Steve, and to my friend Carla.
The vicious attack knocked more than a million computers off the Internet and destroyed at least four million email addresses. Almost one million victims flooded the Internet with messages to tens of millions of users, urging them to update their address books. Many other victims — some of them businessmen who lost their advertised email addresses — scrambled to find an unaffected Internet connection so they could set up new email accounts.
The atrocity isolated school computer networks around the country. Many businesses must print reams of new stationary because of the attack. Heaven help us: the amount of global negative productivity might add up to billions of dollars.
Incredibly, the attack didn't come at the hands of a deadly computer virus. Nor did it come at the hands of a deranged 14yr-old hacker wannabee. No, I'm talking about the "@Home AT&T" controversy. Millions of customers woke up one morning to find their Internet service taken away from them by force. Those AT&T maniacs blew up the Internet!
I coined a new acronym to describe it — "SPA," short for "service provider attack."
The @Home SPA came at exactly the wrong time for Koch, who needed to make an important change to a column he posted. He ended up calling me by phone because he couldn't email me. Ironically, I'll bet a donut Koch selected AT&T as his default long distance carrier. Ha!
"With the pending (midnight) possible shutdown of all 4.1 Million @home customers, the largest Internet outage of all time is about to take place," Cohen moaned in a public email. "Whether and to what extent this will impact the rest of the global information infrastructure is yet to be seen. I for one may well be off the net for quite some time — anyone know of a good dial-in access point?" Mind you, Koch & Cohen & millions of others paid their attacker for this privilege.
Even more incredibly, FBI NIPC did not issue a warning despite having plenty of advance notice. Sadly, the feds were too busy writing yet another silly cyber-terrorism report — this one about a deadly über-hacker who calls himself "Fluffi Bunni." Oh, which reminds me. Memo to Fluffi: congrats on your SecurityFocus pseudohack! Truly elegant. Let's talk by phone at my expense. Don't worry: I guarantee your anonymity.
Most incredibly of all — reporters don't seem very concerned by the tragic losses of this attack. If a computer virus did this, you know full well the media would go ballistic. And you know full well Computer Economics, Inc. would declare a gazillion-point-three-five-one price tag for it. Why, why, why does this double standard exist?
Virus pioneer Fred Cohen warned "the largest Internet outage of all time is about to take place." Did he discover a horrifying new virus? A deadly new hacking technique, perhaps?
Nope — he was talking about the @Home AT&T controversy. "I for one may well be off the net for quite some time," Cohen wailed...
IN OTHER NEWS, Attrition.org announced their ISP viciously attacked them for more than a week and would probably continue to attack them in the near future.
"Our ISP (Inficad) was recently purchased by Getnet," Attrition.org explained. "For some bizarre reason, they decided to try to redo the entire network a day before the Thanksgiving holiday. As you can guess, this was not the best idea and led to half of our downtime. Getnet was also nice enough not to trust the key Inficad admins with router passwords, essentially cutting them off from doing their job. This led to even more down time..."
If you listened to media reports last year — and if you listen to computer security lecturers these days — you'd think Mafiaboy waged a horrifying attack against Amazon.com. Quite the contrary! A company official privately admitted his firm worries more about an SPA than a DoS. I believe Amazon.com let the FBI scream about the Mafiaboy attack because they reaped more in free publicity than they lost in downtime.
SPAs come from places you might not expect. Take antivirus firm MessageLabs, for example. A Vmyths reader who requested anonymity claims "five people at my location opened the Goner Virus yesterday. (Not me, I have more sense). This morning, each and every one of them has had over 600 identical emails from firstname.lastname@example.org telling them they've sent out a potentially harmful message and what they should do about it.. They're still coming. So — as if the virus wasn't bad enough, our servers are still struggling to cope with thousands of useless [MessageLabs] emails..."
(A MessageLabs spokesman admits his firm attacks customers with mailbombs. Client-victims can't opt out of these attacks, but things may change for the better "in the first quarter 2002.")
Oh, which reminds me. MessageLabs screamed "industry set to lose virus battle in 2001" in a press release dated eight months ago. Yes, we lost the high-tech war to a company that floods its own customers' email servers. We surrender to MessageLabs. We surrender right now, completely and unconditionally. And we're not kidding. Please stop killing us softly with your SPAs.
[Credit where due: I swiped the "killing us softly" line from Roberta Flack. You know, a parody of her ballad would almost write itself. "Scanning my mail with your servers, pinging your virus heuristics, killing me softly with your spam..." Ha!]
I should note Vmyths saw its share of SPAs in 2001. Our upstream provider committed numerous atrocities with their DNS machines, forcing us to establish our own DNS at great expense. Mind you, we paid our attacker for this privilege. Ironically, Vmyths still relied on our attacker the last time I asked our patron saint about it. "Yeah, I know they attack without warning, but they're a business..." Ah, of course. So why not just hire Mafiaboy to whack Vmyths? He'll do the same thing for half price and we can milk it for free publicity!
Seriously, folks — a DoS is like an SPA with a built-in RoI...
I coined a new acronym — "SPA," short for "service provider attack."
Reporters don't seem very concerned by the tragic losses of this SPA. If a computer virus did it, you know full well the media would go ballistic...