washingtonpost.com
Under Siege in Dulles By New-Generation Hackers

By Leslie Walker
Thursday, August 4, 2005

Sometime last year, the cat and mouse switched places on the Internet.

The hackers used to be the little guys, scampering around unleashing viruses and furtive attacks against Web sites. It was a nuisance, but big government and commercial sites generally could chase them away.

"We used to feel like the cat playing with the mouse," recalled Aristotle Balogh, senior vice president at VeriSign Inc., a company that oversees some of the Internet's critical functions. "Now we feel more like the mouse, trying to be fast enough because the attackers are becoming much more like the cat."

Balogh provided a gloomy account of the hacker wars two weeks ago when I visited VeriSign's global network operations center in Dulles. VeriSign considers 2004 "the turning point" in the conflict, Balogh explained, because the bad guys exhibited such dramatic leaps in creativity, sophistication and focus.

His assessment was underscored Tuesday when International Business Machines Corp. released a report saying "criminal-driven security attacks" jumped 50 percent in the first half of this year compared with last year. IBM's global security intelligence team detected more than 237 million security attacks worldwide in the first six months, including 54 million against governments, 36 million against manufacturers and 34 million against financial services.

To keep criminal hackers at bay, VeriSign, keeper of the master Internet address book, has been throwing mind-boggling amounts of money and computing firepower at security.

Gone are the days when reporters like me routinely were allowed to inspect the VeriSign computer housing the Internet's "A" root server, the top-level address book for matching domain names such as Google.com with the numeric addresses of the computers hosting them. Now the "A" root directory is replicated on multiple computers around the world. And to be extra safe, VeriSign keeps the main "A" root computer in an undisclosed location known to only a few employees -- a list that does not include chief executive Stratton Sclavos or other top officials.

"I don't know where it is, and I run the business," said Mark McLaughlin, the VeriSign senior vice president who supervises the registry for .com and .net domain names.

IBM's report also highlighted a sharp rise in "customized" attacks, those targeting specific companies and individuals, rather than involving random distribution of viruses, worms and malicious e-mail.

That confirmed a new expertise that Balogh said VeriSign first detected during a particular attack last year, one it found alarming because the attack changed every five to 10 minutes. "They did something, we mitigated it; they did something different and we mitigated; and then they did something different again," he said. "We played this cat and mouse game for three hours. We had never seen that level of sophistication. They were using tools to monitor the impact of what they were doing on the infrastructure and then immediately changing the vector of attack. This was an engineered attack."

New variations on old tricks have been appearing this year, some quite clever. In January alone, IBM detected a tenfold increase in "spear phishing," the latest flavor of "phishing" e-mails sent to entice people to bogus Web sites where they unwittingly reveal personal information.

"Spear phishing" messages have a similar goal, but go to fewer than 100 employees inside one company and typically arrive under the guise of a bogus company document.

Another emerging threat IBM cited is one in which hackers alter address records stored on domain-name computers run by Internet service providers. Web users trying to reach those sites are unwittingly redirected to bogus sites, where they get a malicious file dropped on their computer that steals personal data, often so hackers can sell it online.

"There has been a huge organizational shift in the way the miscreant Internet underground works," said Jeremy Kelley, senior threat assessment analyst for IBM. "It used to be virus writers who were huge annoyances. Now the criminal element is heavily involved in the miscreant underground . . . and it is all about profit-making."

VeriSign has an unusual vantage point on this escalating criminal activity, not only because it operates some core Internet infrastructure. The Mountain View, Calif., firm also runs security and networking services for many large companies, along with a payment-processing service that handles an estimated 37 percent of all e-commerce credit card transactions in North America. Both give it an early look at hacking trends.

On the bright side, Balogh said changes to the Internet domain system are underway that will make it harder for hackers to alter address records stored by Internet service providers.

But he also cited several worrisome trends, including hackers increasingly issuing blackmail demands for money to stop attacks on commercial Web services. Another is an increase in "zero-day exploits," attacks taking advantage of software vulnerabilities the same day they are publicized.

Perhaps scariest is the growing use of "zombie botnets," networks of compromised home computers that criminals lease to one another for as little as $300 an hour for as many as 10,000 infected machines.

"It keeps me up at night with all that's going on these days," Balogh said. "The online world is turning into such a war zone."

VeriSign's network handles between 12 billion and 20 billion look-ups for Internet addresses daily, a number that doubles every 12 to 18 months.

The company has added extra computing capacity and other precautions to thwart hackers trying to disable the address system by overwhelming it with bogus traffic requests known as "distributed denial of service" attacks. The most famous was launched against the domain system in October 2002, briefly bringing down more than half of the 13 master address directories, excluding the two run by VeriSign. Balogh said a second, unpublicized attack occurred later that night, which he would not describe but characterized as "five times worse."

But it's getting harder to outrun the hackers. VeriSign thinks time cycles are shortening between threats, including those its engineers regularly try to imagine coming down the pike. What might those be?

"There are like a million cell phones with Internet access today,'' Balogh said, citing one scenario he expects to unfold by 2009. "Just wait until 100 million have Internet access. . . . We know there is going to be a distributed denial of service attack where you are going to have literally 50 million cell phones coming at you."

Leslie Walker's e-mail address iswalkerl@washpost.com.

© 2005 The Washington Post Company