SCHOOL SECURITY
Solutions For Protecting Your Schools

Summer Hack Attacks

What a summer it has been. As I sit here on my first day back from a vacation camping in the Adirondacks with the feeling of well-being that being away from phones, faxes, and computers for two weeks brings, I am quickly drawn back to the intensity of life in the Lower Hudson Regional Information Center. The subtleties of the mountains in the midst of summer have been replaced with the stark reality of the news that our web server was hacked into for the first time in six years. My initial reaction is that I'm surprised it hasn't happened sooner given the number of students in the region whose school computer boots up to our homepage. After a few moments, however, my focus turns to, "Who did it and how?"

Somehow, someone had gotten full rights to our web server and vandalized the page to read "Ramapo HS class of 2001 rules". The hacker published a few similar "graffiti" type statements on the page and disappeared into cyberspace. Our staff discovered the attack at about 7:00am, immediately took the server off-line and put our mirror server on-line. To the outside world nothing had happened; behind the scenes things were hopping.

Our staff checks the web file server's log files to see who the hacker was and how he achieved control. We find no clues there because the hacker has cleverly deleted the log files, thus covering his tracks. We check the log files on the firewall and determine that the attack probably happened at 3:00am in the morning. We begin tracing the hacker's tracks from that point and find that he had dialed in from home to an ISP. In order to get the name and address of the owner of the account from the ISP, however, we have to provide a subpoena.

We call the local police and the Westchester DA's office and report the crime. A local detective travels to our site to collect statements and evidence. Each of our staff members involved in any aspect of the incident is required to keep close track of their time so that we can use the information in determining the extent of damages we have incurred. We intend to prosecute the individual fully. What a welcome back from the world of canoeing, hiking, and kayaking.

Within an hour of the news of the web server attack I am informed that during my vacation a computer worm attacked the White House web server. Although the White House was not affected, the "Code Red" worm ripped through Internet servers like no other previously unleashed piece of malicious code. Based on reports, Code Red has infected over 225,000 servers. The Regional Information Center was a victim. We were down for about six hours before we patched the server and applied security patches to the other vulnerable school servers in our region.

Later in the morning I turn to my e-mail that I deliberately ignored during my Adirondack vacation. In my in-box were warnings regarding two e-mail-borne viruses, "Snow White and the Seven Dwarfs" and "Hi! How are you?" Both had plagued the Internet during my two weeks away from the office. One of the consequences of the "Hi! How are you?" virus is that it sends files in your My Documents folder to e-mail addresses throughout the Internet. That's a pretty nasty consequence for innocently opening an infected e-mail attachment. Fortunately, our staff received early warnings regarding these viruses and dodged the bullet in both cases.

Given it's my first day back from vacation, and the nighttime call of the loon at Buck Pond and the sounds of evening breezes washing through oceans of white pine are still fresh memories, I hope I can be forgiven for wondering whether our technology has blessed or cursed us.

Pete

PS: It's now two weeks since I've been back and Code Red has returned again. We were spared any disruption but an article in a security magazine predicts that Code Red is tame compared to new "polymorphic worms" that will be attacking the Internet this fall and winter. These worms transform themselves every time they replicate so that they can't be detected by standard patches and intrusion detection systems. They will be horribly disruptive. More on this in the coming months.


Site Last Updated: October 30, 2001.
© Copyright Lower Hudson Regional Information Center (LHRIC).