Illegal Internet

John Collins 

7. The Costs and Effects of Hacking on Business

The effect on e-commerce of hackers exploits is very real, with the negative publicity generated undermining consumer confidence in particular companies security. Often these attacks may start out as pranks, but unfortunately they can cause real harm through companies losing customers, which jeopardises their future and that of their employees.

For the purpose of this section on the costs of hacking to business, I will look at five case studies separately:

Case 1: Burger King

In March 2001 a hacker replaced the home page of the Burger King UK site with a parody of their arch rival McDonald's site, stating "Eat our food, we want your money" and suggesting to visitors that they should go to McDonalds instead! The site was running on Windows NT4 using Microsoft's Internet Information Server (IIS), and its thought the group of hackers called Dreamscape2K exploited security holes in the system to redirect the URL to the defaced page.

It is unlikely that this attack caused any financial damage (Burger King refused to release any figures), but it did make the company look really foolish, and hurt their reputation.

Case 2: Cert.org

The University of California estimate that about 4,000 Denial of Service (DoS) attacks happen every week. Cert.org, the site of the Computer Emergency Response Team set up to investigate computer and Internet security issues, fell foul to such an attack in May of 2001. The site was flooded with requests for information for two days which made it impossible for users to gain access to the site for more than 24 hours.

The Cert.org site was down for 24 hours, which does not do anything for the reputation of this government funded research facility by showing that it can be taken down this easily. The problem is that it is virtually impossible to prevent these kind of attacks, the servers simply cannot cope with these large surges in traffic. Furthermore, it is very difficult to track down the perpetrators of these attacks.

Case 3: The FBI and SirCam

The SirCam worm infected thousands on online companies, but few are willing to go public with their stories. In July 2001, the FBI was forced to admit that it infected it's own machines with the virus, allowing the bug to forward confidential files to outsiders. The virus was released accidentally by an FBI anti-virus researcher in the National Infrastructure Protection Centre (www.mipc.gov) which is the FBI's online security division.

Analysts Computer Economics believe SirCam did around $1.035 billion worth of damage across the world and infected an estimated, yet staggering, 2,300,000 computers. It certainly did nothing to improve the reputation of the FBI's fight against Internet crime.

Case 4: NetNames and Osama Bin Laden

In September of 2001, thousands of customers of the domain name registrars NetNames (www.netnames.co.uk) were affected by an attack from a hacker group calling itself Fluffi Bunni. Traffic to thousands of customer's web sites was redirected to a page containing a picture of a pink rabbit propped up against a keyboard with the message: "If you want to see the Internet again, give us Mr. Bin Laden and $5 million in a brown paper bag. Love Fluffi B." The text then went into a rant against religion and the US. The attack hit over 10,000 sites that use NetNames domain name servers.

NetNames shut down the servers half an hour after discovering the attack and their systems were back up within an hour. Even so, many customers lost fate in NetNames, with many security experts pointing the finger of blame at them. Although it is difficult to quantify the actual financial damage caused to the company, it is undoubtedly an incident that may overshadow their reputation for many years to come.

Case 5: Adobe and Dmitry Sklyarov

In July of 2001, Russian software programmer Dmitry Sklyarov found himself in a US prison cell after presenting a paper on the encryption methods used to protect electronic books at the Def Con hacker conference in Las Vegas. Sklyarov had written software that enabled people using Adobe's eBook reader software to get around any copyright protection codes and to print digital books at will.

Sklyarov became the first person to go to court under the 1998 Digital Millennium Copyright Act (DMCA), which prohibits anybody from selling technology that breaks copyright protection. Adobe's actions prompted a backlash from the hacker community, who pointed out that Sklyarov was doing the company a favour by pointing out the weaknesses in the eBook encryption system.

Online book stores such as Barnes & Noble, pulled the eBook format from their web sites until security issues were resolved. Adobe lost face within the industry and generated a lot of bad feeling in the tech community. Overall, the whole incident dented the publishing industry's confidence in the eBook format, while the US Department of Justice is to go ahead with the prosecution of Dmitry Sklyarov, so this affair is unlikely to go away for Adobe.