Devil's Advocate: Digital doomsday just round the corner?

We are not as prepared as we should be...

By Martin Brampton, 8 February 2005 07:00

COMMENT With hackers developing new methods of targeting us as quickly as - or perhaps more quickly than - we can come up with defences, Martin Brampton wonders just how fragile our wired economy is.

It was quite a minor hack but losing my website recently certainly got me thinking. We know about the various kinds of digital attack. Mostly, though, we just imagine problems happening to other people. If the digital world is to prosper, we will need to think differently.

For some reason, I looked at my website one evening and was shocked to find the usual home page had been replaced by a message from a Russian hacking group. Soon afterwards somebody wrote to me, pointing out the problem. Links to any part of my site simply brought up the hacker's message.

Contacting the hosting company resulted in an immediate change to my password and the suggestion that the usual cause was out-of-date software. Not knowing the route used by the hacker, I spent quite some time checking the core software was completely up-to-date. My efforts were actually in vain but that was revealed later.

The web page left by the hacker gave a reference to a website and even left an email address. Mainly out of curiosity, I wrote to ask why the site had been hacked. A couple of days later, I was surprised to get a reply, apologising for the delay and pointing out exactly what weakness had been exploited.

It turned out to be in an add-on component called Remository that provides for file downloads. No doubt I should have been aware of the issue sooner, since a search of the web quickly gave further information on the software dating from last September. But the patch proposed at that time did not actually cover the hack to my site and further patches were needed.

Remository is open source software and its author has abandoned it to deal with other pressures of life. I had to figure out the patches myself, which was not too difficult. Being reluctant to abandon a good piece of software, I finally decided to take over responsibility for the further development of Remository. After all, the spirit of open source includes the principle that if you want a job done, you can consider doing it yourself.

Problems caused by users finding ways to break systems started occurring long before the internet age. But the combination of far greater exposure and a culture of rapid development has caused an increase in vulnerability.

Testing is all too easily confined to checking that simple cases work correctly. This does not prove that wildly inappropriate data or deliberately damaging data fall foul of validation checks.

And not all hackers will be so obliging as to install their own code only after renaming the official code so as to preserve it. Indeed, if I were a banking site one might suppose the consequences of a hack could have been very much more severe.

We are ill-prepared to face some of the worst possibilities online. Large numbers of internet-connected computers have been subverted and many are made available to rent for practically untraceable attacks of one kind or another. It is also believed that as many as one-third of legitimate credit card numbers are known to criminals.

For the most part, fraudulent use of cards is marginal and, although banks fight it, some losses are simply counted as a cost of doing business. The countermeasures rely on picking up unusual transaction patterns, making checks and ultimately blocking cards. However, it has been suggested this leaves the possibility of a doomsday scenario.

A sudden, massive surge of fraudulent transactions would overwhelm the standard countermeasures, leading either to huge losses or to vast numbers of cards being disabled. The result would be a severe loss in consumer confidence and perhaps large financial losses.

Maybe that cannot happen or maybe the banks have an effective response ready. But unless we can think up possibilities of that kind faster than they can be deployed, there is a risk that our wired economy is excessively fragile. I can cope with my website disappearing but I would be very unhappy if my online bank disappeared.

Comments


  1. Richard

    Take it as flattery!

    Under circumstances which are still not clear, one of my web sites was hacked during "The Great Cable & Wireless Hack" of 1998?

    (Long before hackers started using Google to locate vulnerable sites.)

    Although obviously concerned about possible damage to my reputation, I tried to take it as flattery that someone actually singled out my site amongst the 150,000 others hosted by that ISP!
