Saturday, July 18, 2009

Internet’s Anonymity Makes Cyberattack Hard to Trace

(NYTimes) It is an axiom that “on the Internet nobody knows that you are a dog.”

By the same token, it is all but impossible to know whether you are from North Korea or South Korea.

That puzzle is plaguing law enforcement investigators in several nations who are now hunting for the authors of a small but highly publicized Internet denial-of-service attack that briefly knocked offline the Web sites of some United States and South Korean government agencies and companies.

The attack, which began over the Fourth of July weekend and continued into the next week, led to South Korean accusations that the attack had been conducted by North Korean military or intelligence agents, possibly in retaliation for new United Nations sanctions. American officials quickly cautioned that despite sensational news media coverage, the attacks were no different from similar challenges government agencies face on a daily basis.

Cyberwarfare specialists cautioned this week that the Internet was effectively a “wilderness of mirrors,” and that attributing the source of cyberattacks and other kinds of exploitation is difficult at best and sometimes impossible. Despite the initial assertions and rumors that North Korea was behind the attacks and slight evidence that the programmer had some familiarity with South Korean software, the consensus of most computer security specialists is that the attackers could be located anywhere in the world.

“It would be incredibly difficult to prove that North Korea was involved in this,” said Amrit Williams, chief technology officer for Bigfix, a computer security management firm. “There are no geographic borders for the Internet. I can reach out and touch people everywhere.”

But researchers said that law enforcement investigators were likely to be aided in their pursuit by a second computer security truism — that the only ones who get caught are dumb, unsophisticated or both.

For starters, the attacking system, which cannibalized more than 50,000 computers and which is known as a botnet, was actually small, computer researchers said, compared with similar computer malware programs that are now routinely used by members of the computer underground.

Moreover, independent researchers, who have examined the programmer’s instructions used to lash together the tens of thousands of computers, said that it showed that the program, known as a D.D.O.S., or a distributed denial of service attack, revealed a high degree of amateurism.

That fact suggested that the authors, who hid themselves by masking their actions behind an international trail of Internet-connected computers, might have left telltale fingerprints that will ultimately be their undoing.

Last week, investigators quickly located computers that were involved with the control of the botnet in Britain and several other countries. However, the Internet service provider whose systems were implicated in the attack quickly issued a news release stating that the attack was actually coming from Miami. The company said that it was cooperating with the Serious Organized Crime Agency, a law enforcement agency that is part of the British government.

But independent investigators who have tracked the botnet cautioned against placing reliance on the locations for the command-and-control computers that have been publicly identified.

“We’re still looking for the initial infection vector,” said Jose Nazario, a network security researcher at Arbor Networks, a computer security provider for large network systems.

Several researchers recalled a similar incident in 2000, when a series of high-profile denial of service attacks were conducted against companies including Yahoo!, Amazon.com, Dell, ETrade, eBay and CNN. The culprit proved to be a 15-year-old Canadian high school student who was identified as a suspect only after publicly bragging about the attacks in an online forum.

Finding attackers who have no desire to reveal their locations — even amateurs — may be far more vexing.

“The truth is, we may never know the true origin of the attack unless the attacker made some colossal blunder,” said Joe Stewart, a director in the Counter Threat Unit at SecureWorks, a computer security consulting organization.

Some experts pointed to an entirely different origin for the attacks, or at least the attention paid to them. Cyberwarfare has become a hot topic in Washington this year, with the Obama administration undertaking a detailed review of the nation’s computer security preparedness.

“There is a U.S. political debate going on right now with high stakes and big payoffs,” said Ronald J. Deibert, director of the Citizen Lab at the Munk Center for International Studies at the University of Toronto. “With the administration cyberreview there are many government agencies orbiting around the policy debate that have an interest in pointing to this incident as evidence with obvious implications.”

No comments: