LIFE AFTER THE HACKS: Networks worry about security - and wonder if it's possible

The three-day hacking spree earlier this month is teaching ISPs and infrastructure companies - which tout about one-hop accessibility and reliable interconnection - the language of network security. And they're speaking it with a touch of fear, worried that they can do little to avert such attacks.

From Feb. 7 to Feb. 9, hackers immobilized some of the Web's most popular sites, including Yahoo!, eBay and Amazon.com. Rather than invading the sites, the hackers kept would-be users out by a "denial of service" attack.

"The good news is that attacks like that in the end are not harmful to data. The bigger concern is that as people begin looking at the Web as a serious, viable way to conduct business, they will expect it to have a security level that can't be compromised," said Laurie Priddy, executive vice president of systems and applications for GlobalCenter, the division of Global Crossing that hosts Yahoo!

"The bottom line is, if you're an infrastructure company, you probably need to spend more money on security," Priddy said. "You're going to have to make cost decisions that, in the past, I don't think you wanted to make."

GlobalCenter learned that hackers shut down Yahoo! with a "smurf attack," in which an attacker impersonates the IP address of a server and sends out "pings," or calls, asking for a response from all computers on that network. This flood of pings immobilizes the server.

GlobalCenter took several hours to install rate limiters in its routers, cutting off the number of pings permitted per site and letting the server recover.

But the hard fact is that the hackers" - who still were being sought at press time - played off the same mesh architecture that has made the Internet well-suited for communication and e-commerce. They used highjacked third-party computers, implanting code that made the computers take instruction without the knowledge of their owners-in hackerspeak, "zombies."

These attacks are made easier by new hacking programs that include wizards and graphical user interfaces. The software lets almost anyone above the novice level coordinate an attack on a Web site.

What's more, the software takes advantage of what has been the Internet's strength - the ease with which it connects a large network of users. "We've pushed the Internet as the ultimate connection machine," says Earl Cutting, a technology analyst with Humphreys Associates. "After the events of Feb. 7, connectivity doesn't look quite so good if being highly connected means that someone can insert code into your computer without your knowledge."

"We need to improve computer security in a sense that guarantees that each individual owner of a computer has control of that computer," said Sun Microsystems security engineer Whitfield Diffie. That task will be made easier by January's relaxation of U.S. export restrictions on security hardware and software. "For the first time, the U.S. has a vested interest in the security of computers worldwide," he said.

Another vested interest comes from Internet retailers and the networks that serve them. The Web's apparent vulnerability to anyone outside a site blocking off traffic is not reassuring. Research conducted last week by PC Data reported that 45% of Internet users would be less likely to give out credit card numbers over the Web after these hacks. About 37% said the attacks changed their opinion about Internet security in general, and 50% said the hacks affected their opinion about the specific Web sites involved.

"This hits the Web where it really lives - in the pocketbook," said senior analyst David Marthens of Tel-Data. "Consumers are already skittish about shopping online. But when sites get blitzed so that those consumers who do want to shop can't get in, that starts e-tailers worrying, too. All of a sudden, maintaining a bombproof Web site looks as important as how quickly it loads. That's tough for service providers because there is no such thing."