
Attacks Test Firms' Internet Defenses


err0r


The computer attacks against Visa Inc., PayPal and other companies that cut off ties with WikiLeaks are testing businesses' digital preparedness for what has become a high-stakes cyber war.

 

Moments after a manifesto saying "PayPal is the enemy" surfaced Sunday on blogs, PayPal's chief information security officer, Michael Barrett, moved his team "into red alert status," including at the company's operations nerve center in San Jose, Calif.

 

What ensued was a week-long chess game between hackers and PayPal engineers in some nine locations around the world. The attackers tried to flood PayPal.com and other sites with a surge of Internet traffic meant to overwhelm their server systems and make their websites inaccessible.

 

"A good chess player will typically go several half-moves ahead," Mr. Barrett said in an interview Friday. "We have counter-measures and counter-counter-measures," he said, such as shifting server resources from one part of the site to another. Amid the assault, PayPal's site has occasionally slowed down, but hasn't crashed.

 

By contrast, MasterCard Inc. and Visa both suffered website outages on Wednesday. The companies don't conduct business on those sites, which act as electronic brochures. Both firms said sensitive customer information and transaction processing networks were unaffected.

 

The attacks by a loose-knit collective known as "Anonymous" weren't a good measure of what the world's hackers can mete out on corporate sites. The attacks appear to be classic distributed denial-of-service (DDoS) assaults of a type that has plagued sites since almost the first days of the Web. The attacks were relatively unsophisticated.

 

Yet the fact that financial companies like MasterCard and Visa have left part of their operations vulnerable raises questions of whether businesses are using every tool available to them to gird for attacks from a more-sophisticated cyber army.

 

The cyber attacks were ongoing Friday. A prosecutor's office in the Netherlands said its website had been disrupted by a denial-of-service attack, Reuters reported, a day after a teenager suspected of involvement in the attacks was arrested in the country.

 

On Friday, some "Anonymous" members put out an announcement saying they were shifting their strategies from attacking websites to flooding news sites and forums with interesting bits from the exposed WikiLeaks documents.

 

"We do not want to steal your personal information or credit card numbers. We also do not seek to attack critical infrastructure of companies such as MasterCard, Visa, PayPal or Amazon," they wrote in a statement posted online. "Our current goal is to raise awareness about WikiLeaks and the underhanded methods employed by the above companies to impair WikiLeaks' ability to function."

 

U.S. authorities say there are multiple probes into various aspects of the WikiLeaks case, including people responsible for leaking the documents and the recent Internet-based attacks, according to people familiar with the matter.

 

The Justice Department has used a grand jury in Alexandria, Va., which has jurisdiction over criminal cases involving the Pentagon, to conduct aspects of the investigations, according to people familiar with the matter. It couldn't be learned what aspects of the investigation have been presented to the grand jury or whether prosecutors are moving close to making arrests.

 

The Federal Bureau of Investigation has investigators embedded in several police agencies around the world that are probing the cyber attacks, officials said. The FBI's role generally consists of providing Internet service provider information and other data from companies attacked. FBI investigators provided assistance in Wednesday's arrest of the Dutch teenager, the officials said.

 

"It is a scary reality of putting your business online that it is relatively cheap and relatively easy to mount a major attack from around the world," said Shawn White, the senior director of external operations at mobile and Internet performance monitoring firm Keynote Systems Inc.

 

The Web industry offers an arsenal of weapons against denial-of-service attacks, often selling them as services to corporations that can't afford to set up those technologies in-house.

 

Such services are often used to market the "cloud computing" industry, which urges corporations to move many of their computing tasks online to services that distribute the load across many servers, often in multiple locations.

 

Denial-of-service attacks are "the kind of thing that will never go away," says Rich Mogull, an analyst at research and consulting firm Securosis. But the more bandwidth a business has the less likely an attack is to succeed. Bringing down a large website like Amazon.com or PayPal isn't easy because such sites are used to dealing with large volumes of traffic.

 

But any slowdown risks hurting PayPal's business. On Wednesday the graphic design website 99designs.com experienced a 15-to-20-minute outage in PayPal's payment service and had difficulty accepting payments via PayPal for several more hours, says its chief technology officer, Lachlan Donald.

 

While 99designs also accepts credit card payments, the company plans to add an additional payment option in order to buffer itself against possible future PayPal outages.

 

In PayPal's network operation center, charts showing total payments processed per minute and total traffic to the site, along with other data, are projected on a large, curved wall in front of around 20 workstations, each holding three to five computer monitors.

 

After the attacks began Monday, the line graph showing payments processed each minute dipped slightly as PayPal came under siege, signaling the website was slowing, while the neon green bar graph showing traffic to the website spiked, said Mr. Barrett.

 

PayPal, which is owned by and shares resources with e-commerce giant eBay Inc., was prepared. "We have made more changes in the last week than I can remember ever, simply to ensure the site is as robust as possible," said Mr. Barrett, the chief information security officer. Those include "hotwiring" the defensive layers that might get stressed. For example, the company re-purposed server resources that might normally be used to redirect people who type in the company's Web address without the needed "www" at the beginning.

 

PayPal's information security teams work on a global basis, handing off tasks between places as far apart as Tokyo and Dublin. "We made some changes last night that didn't work as we wanted," said Mr. Barrett. "The team in Chennai was able to fix them," while teams in the U.S. focused on other issues, he said.

 

On Friday morning, even as the attacks continued, the key charts had returned to their typical levels, signaling that PayPal's defensive layers were successfully deflecting unwanted traffic, said Mr. Barrett, who has been working 18 to 20 hours a day this week.

 

Both Visa and MasterCard were skittish about saying why the attacks hobbled their sites more than PayPal and Amazon, or what they are doing now to prevent such a disruption from occurring again.

 

"We're not commenting on technology questions," said a MasterCard spokesman. Visa declined to comment.

 

Raj Chaudhary, who leads the security and privacy practice at consulting firm Crowe Horwath LLP, said the unknown question about Visa and MasterCard is whether they had plans in place to thwart an attack. Most companies, he added, still have not constructed adequate defenses even after a decade of intermittent disruptions to Internet commerce.

 

The events of the last week have prompted new requests from clients to put together a new defense. Mr. Chaudhary said companies want to know, "How can I assure I don't become Visa?"

 

Source: Geoffrey Fowler
