Text of "Tech computer authority pursues varied excellence" by Ernest Holsendolph.

Mac hacker warning issued - by Michael E. Kanell

Computer experts warned Tuesday that hackers may be planning an attack that would clog selected high-speed lines by enlisting the help of hundreds - or thousands - of unsuspecting users of new Apple computers.

Tipped off by Georgia Tech professor John Copeland, the Computer Emergency Response Team Coordination Center in Pittsburgh has issued an alert to managers of corporate and government Web sites that someone in the "intruder community" means to flood their lines with data. The result could be a costly nuisance, a public relations embarrassment or, perhaps, something worse.

After the CERT advisory, Apple offered a solution via the Internet, saying that Macintosh owners need not worry if they download the "open transport update" from the Internet (asu.info.apple.com/swupdates.nsf/artnum/n11559). Apple said in a statement, "Apple is aware of the CERT advisory and has taken steps to address it."

The story started when Copeland noticed someone "probing" his home computer with odd bursts of data. First, he was puzzled, then concerned.

Copeland is not the average Macintosh user, not even an average techie. A professor of electrical engineering at Tech, he is a veteran of Bell Labs and director of a center that studies high-speed data transmission.

He traced the probes. He tracked several back toward their sources, using techniques that show the paths they took by listing the equipment that passed them along.

The tracks led first to Virginia, then to New York City before jumping across the Atlantic. They ended in the United Arab Emirates and Saudi Arabia. Another came from Italy, another from Duke University, but Copeland is convinced that the scan started in the Middle East.

In fact, hackers are adept at disguising their locations. Even the results produced in the other tracking efforts may be false sources, but Copeland said he believes the Middle East addresses are not "spoofed," or adulterated.

He discounts the notion that repeated scans of his computer could be the work of just another researcher.

Then something else clicked for him. The latest operating system from Apple - Macintosh OS 9 - has a feature that could be misused. A Mac running OS 9 can be used as a "data amplifier." An OS 9 machine will respond to a certain kind of data packet or message that triggers it to send a much larger, 1.5 megabit, packet of its own to wherever it is told to send it.

Copeland realized that a hacker who contacted a large number of OS 9 machines connected to the Internet could tell them all to send huge packets of data to one address, flooding its lines and rendering them useless.

The target could be a government agency, a news organization, or a global company. Once the target's lines are overloaded, they are blocked until either the offending Macs are turned off or the target's Internet address is changed - which can take several days.

Copeland mentally made the connection between this oddity in the OS 9 system and the probing of his own computer. To test his theory, Copeland duplicated the technique. He made "slaves" of three other Macs and caused them to send packets of data to an address.

"This is a scary thing," he said. "Right now, I have software that could shut down any Internet site."

He contacted CERT, Apple and the National Infrastructure Protection Center at the FBI.

The FBI does not comment on active cases, and the bureau has no jurisdiction outside the United States, said spokeswoman Debbie Weierman. "What we would do is contact the law enforcement officials, the government entities of the country involved and elicit their help." Will hackers use the technique to make mischief with Web sites in the United States? No one knows.

However, a successful attack could be aggravating and costly, virtually shutting down victims' Web access, said Shawn Hernan, vulnerability-handling team leader at CERT. "This is not Net-threatening, but it probably is a threat to some individual [Web] sites. You may have no recourse other than to go find those computers that are bombarding you and get them to stop."

And doing that would be time-consuming at best because the owners of those computers won't know their machines are the culprits. Tempering that warning is uncertainty about the intentions of the hackers. They could - at least conceivably - be playing or testing. If they are maliciously minded, their plan does seem to depend on a small number of vulnerable Macintosh computers. Moreover, some networks have engineered limits on how much data computers can transmit.

Finally, the conspiracy - if that is what it is - would be utterly squashed if vulnerable Macs were simply turned off or Apple's software fix downloaded.

Yet the danger is real, since attackers need only enlist a relatively few unwitting "slaves" to do some damage, said Copeland.

Just 40 computers manipulated by a hacker could produce enough data to swamp a DS-3 line, a broadband "pipe" that can carry about 45 megabits of data into an organization's network, he said. "It's like the rays from a spyglass. You could focus a few Macs on the connection and knock out the e-mail and Web connections to, say, the (Atlanta-based) Centers for Disease Control."

A hacker intent on mischief would need only expertise, a computer, the appropriate software and a connection to the global Internet, Copeland said. "You don't have to buy 40 computers, and you don't have to break into 40 computers. The reason we haven't seen any attempts thus far is that I think the people who are doing this are saving it for New Year's Eve."

Whoever might be planning the attack would hope to remain anonymous, since the flood of data would come from many computers on which the hackers would hope to leave no cyber-fingerprints. And the hacker could do it from anywhere.

Today's global Net - and the millions of computers connected to it - permits long-distance contact and often surveillance as well. A hacker with the right software can probe a computer for clues about its vulnerability to intrusion or manipulation.

Hackers steal information, they alter Web sites. They crash computers or jam networks. They do it for fun, for profit or to make a political statement. They have done it often enough - and the stakes have grown so high - that an industry of computer security has grown up to protect the machines and the networks.

But in this case, hackers seem uninterested in information - other than the whereabouts of vulnerable computers to be used in clogging other lines.

So traditional defenses, the "firewalls" commonly used to surround corporate and governmental networks, are relatively useless. First, the hackers are aiming at Macs, commonly found in homes. And a firewall will not afford protection if the attack comes and the flood of data chokes the lines before they get to the firewall itself.

For hackers, the strategy is not new. What is new is Macintosh OS 9.

So the number of computers that could be exploited remains relatively small. Apple represents something less than 10 percent of the desktop machines sold, and only a minority of installed machines are likely to be running OS 9, which only came out this fall.

Moreover, the machines most susceptible to the hackers would have cable modem or DSL connections and that too, represents only a small minority of users.

Unlike a standard dial-up modem, which links the user to the Net only while he or she is actively Web surfing, the connection of DSL or cable modem is always on. A talented scanner can gather information at his or her convenience, and then go back to manipulate the machine later. Somewhat similar attacks, variously called "denial of service," "flooding," or a "Smurf attack," have been seen - and often defeated - by those who run Internet networks. There are various defenses. For example, engineers can limit the rate of data spewed by any one computer served by a high-speed provider like a cable or telephone company. One network with that protection is Cox Communications, one of the nation's largest providers of high-speed access, which has faced a number of similar attacks.
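The provider-side check described above can go beyond a blunt rate limit: a host that receives a few tiny packets and answers with large bursts aimed at a third party is behaving as the "data amplifier" the article describes, and several such hosts converging on one outside address mark the "spyglass" focus. The following is an added example, not code from the article, CERT or Apple; the flow records, the 10.0.0.0/8 subscriber range and all addresses in it are constructed, and the 187,500-byte burst is the article's 1.5 megabit packet expressed in bytes.

```python
"""Heuristic for spotting subscriber hosts acting as traffic amplifiers."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/8")  # constructed: the provider's subscriber range

# Constructed flow records: (source, destination, bytes transferred).
FLOWS = [
    ("203.0.113.9", "10.0.0.5", 64),        # tiny trigger packet to host A
    ("10.0.0.5", "198.51.100.1", 187_500),  # A answers with a 1.5 Mbit burst to victim
    ("203.0.113.9", "10.0.0.6", 64),        # tiny trigger packet to host B
    ("10.0.0.6", "198.51.100.1", 187_500),  # B floods the same victim
    ("10.0.0.7", "192.0.2.20", 2_048),      # ordinary Web request from host C
    ("192.0.2.20", "10.0.0.7", 60_000),     # ordinary reply to C (more in than out)
    ("10.0.0.8", "198.51.100.1", 500),      # small outbound flow, not amplified
]


def find_amplifiers(flows, local_net=LOCAL_NET, min_ratio=100, min_bytes=100_000):
    """Return {local_host: {external_dst: bytes}} for subscriber hosts whose
    outbound volume dwarfs what they received (out / in >= min_ratio) and
    exceeds min_bytes, the signature of a reflector answering trigger packets."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if d in local_net and s not in local_net:
            bytes_in[dst] += nbytes
        elif s in local_net and d not in local_net:
            bytes_out[src][dst] += nbytes
    flagged = {}
    for host, dests in bytes_out.items():
        total_out = sum(dests.values())
        received = max(bytes_in[host], 1)  # avoid division by zero
        if total_out >= min_bytes and total_out / received >= min_ratio:
            flagged[host] = dict(dests)
    return flagged


def likely_victims(flagged, min_sources=2):
    """External addresses hit by several flagged hosts at once are the
    probable targets; report each with the number of amplifiers aimed at it."""
    hits = defaultdict(set)
    for host, dests in flagged.items():
        for dst in dests:
            hits[dst].add(host)
    return {dst: len(hosts) for dst, hosts in hits.items() if len(hosts) >= min_sources}
```

On the constructed records, hosts 10.0.0.5 and 10.0.0.6 are flagged and 198.51.100.1 is reported as the address they are both focused on, which is the information a provider would need to contact the owners or notify the target.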

"We don't share the same degree of concern that [Copeland] does," said Alex Best, senior vice president for engineering at Cox Communications, which is majority-owned by the same company that owns the Journal-Constitution. "But having said all that, I'll keep my fingers crossed on New Year's Eve, for a lot of reasons."

However, Hernan said CERT views that protection as little help to the intended victims. "Limiting traffic internally is only an internal solution."


"Tech computer authority pursues varied excellence" by Ernest Holsendolph.

Georgia Tech professor John A. Copeland is an authority on computer networking, an ardent supporter of business formation, and a research scholar who finds time to teach. It is a combination that has made him a hero to many in the academic and research community.

His background and credentials uniquely suited him to be the one who made the connection between a flaw in Macintosh OS 9's security and the possibility that an intruder could use it to attack computer networks. Copeland has been awarded some 37 patents, and his publications are familiar to the technology research community.

He holds the John H. Weitnauer, Jr. chair in studies regarding technology transfer and was for several years the director of the Georgia Center for Advanced Telecommunications and Technology. Copeland was one of the first university researchers to be designated an Eminent Scholar in the state's jointly supported program to marry academic excellence and entrepreneurial energy.

Though he works in his offices high atop the GCATT he is familiar on campus to graduate students in computer sciences at Georgia Tech. "John has that nice balance - a fine person, and an expert who is respected around the world for his knowledge in the electrical engineering and computer field," said Bill Todd, president of the Georgia Research Alliance.

He holds a bachelor's, master's and doctorate in physics from Georgia Tech, and he has been a researcher in semiconductor, microwave and millimeter-wave devices at Bell Labs. He has spent productive years in private industry at Sangamo Weston and Hayes Microcomputer Products. Regarding his days at the now-defunct Hayes, from 1985 to 1993, when the company was a pioneer in modem communication, Copeland said jocularly: "When I was there they made a lot of money ... it wasn't until I left that they went bankrupt."

Asked if he learned something from his Hayes experience, he was quick to answer. "I learned that if you are a technology company, and that's what made you successful then you keep emphasizing technological advances. It simply won't do to turn and resort to buying technology, relying on marketing for success."

Copeland said he thinks Georgia's best hope to become more prominent in high-tech enterprises is to keep pushing technological advances in all areas, from electronics to biology, in order to achieve national leadership. Along those lines, Copeland said he enjoyed, though found challenging, his several years as director of GCATT. He described it as "a 60 hour per week part-time job for which there was no pay." Shortly after his tenure ended in 1996, he helped to reshape the job into one directed by a paid professional.

Despite working hard to keep his finger on the pulse of changes in computer networking and directing various research projects, Copeland said he enjoys teaching a course every semester for 100 students on data communication networks and acting as adviser to 15 students on their doctorates.

An Atlantan who graduated from the former Northside High School and attended Georgia Tech, Copeland said he enjoyed his challenging work at Bell Labs but was glad to return to Atlanta for his work at Hayes. There he focused on the development of modems with data compression and error control and represented the company on various panels that established the standards for modems.

Asked if he had any time for anything nonscientific, Copeland said that, like many Atlantans, he is immersed in golf. He plays at Dunwoody Country Club, which is near his house. "I'm not the kind to go out there hacking every day, but I do play weekends," said Copeland.

As if to underline his belief in balance between work and leisure, Copeland states his vision: "An economy which is so efficient that everyone has time to pursue intellectual, social and recreational activities without feeling pressure to work long hours at unchallenging tasks just to survive."

And regarding freedom: "[I look to] a society where people can spread out over the countryside but feel even closer to family, friends and colleagues due to enhanced telecommunications."