The Security Problem

Any use of computer and network systems to cause fraudulent activities or disruption of normal operations is a form of attack. This kind of attack could succeed either because the system is not properly secured or the security has been somehow compromised. To gain more insight into the nature of such attacks and the damage caused, let us look at news reports, collected from various sources on the Internet at the time of writing this chapter (July-August, 2002) and presented in reverse-chronological order:

  1. July 12, 2002. Hackers broke into USA Today's website and replaced legitimate news stories with phony articles, lampooning newsmakers and religion and claiming that Israel was under missile attack.

  2. June 13, 2002. A Middleton, Massachusetts, woman was charged with hacking into her former boss's computer system and forwarding confidential e-mails to former coworkers.

  3. April 5, 2002. Computer hackers cracked into the California state personnel database and gained access to financial information, including Social Security numbers and payroll data, for all 265,000 state workers.

  4. First week of September 2001. CryptoLogic Inc., a Canadian software company that develops online casino games, said a hacker had cracked one of the firm's gaming servers, corrupting the play of craps and video slots so that players could not lose.

  5. August 25, 2000. Shares of computer network hardware manufacturer Emulex Corporation fell more than 60 percent after a fake press release styled to look as though it came from the company was posted to Internet Wire, an online news service.

  6. July 2000. Personal Computer software giant Microsoft's internal network was broken into for the second time in as many weeks by a hacker, defacing a number of its websites.

  7. June 16, 2000. It was reported and later confirmed by America Online that hackers compromised an undisclosed number of America Online member accounts by targeting key company employees with an e-mail virus.

  8. May 3, 2000. A computer virus known as the “Love Bug” infested computer networks throughout the world, shutting down major e-mail servers, including those belonging to the Pentagon, the British Parliament, NASA and a large number of businesses.

  9. April 27, 2000. It was reported that thousands of credit card numbers stored on e-commerce websites using Cart32 software from McMurtrey-Whitaker, a Missouri firm, were available to anyone who knew a backdoor password.

  10. February 7 and 8, 2000. A series of denial of service attacks left Web portal Yahoo!, Web retail giant Amazon.com, electronic auction house eBay, discount retailer Buy.com, and CNN Interactive sites unavailable to normal users.

This is only a small sample of security breaches taking place around us and is neither a comprehensive account of all types of computer attacks nor representative of problems that can be addressed using techniques discussed in this book. The only purpose of presenting this list is to familiarize you, the reader, with the ubiquity and seriousness of security breaches.

Case Studies

Further insight into the problem and modus operandi of attackers is gained by looking at the following three case studies. The first two were taken from US Department of Justice press releases and the third from a report at MSNBC.

Conspiracy by Two Computer Hackers

The following is a story of conspiracy, computer crime and fraud by two Russian computer hackers. The full story can be found on the US Department of Justice website at http://www.usdoj.gov/usao/waw/pr2001/oct/vasiliy.html:

Vasiliy Gorshkov of Chelyabinsk, Russia, working with Alexey Ivanov, also of Chelyabinsk, Russia, created large databases of credit card information stolen from Internet Service Providers like LightRealm of Kirkland, Washington. More than 56,000 credit card numbers and associated information were found on their computers in Russia. These computers also contained stolen bank account and other personal financial information of customers of online banking at Nara Bank and Central National Bank—Waco. The hackers had gained unauthorized control over numerous computers—including computers of a school district in St. Clair County, Michigan—and then used those compromised computers to commit a massive fraud involving PayPal and the online auction company eBay.

The fraud scheme consisted of using computer programs to establish thousands of anonymous e-mail accounts at e-mail websites like Hotmail, Yahoo!, and MyOwnEmail. The programs then created associated accounts at PayPal with random identities and stolen credit card numbers. Additional computer programs allowed the conspirators to control and manipulate eBay auctions so that they could act as both seller and winning bidder in the same auction and so, effectively pay themselves with stolen credit card accounts.

Both conspirators were eventually tracked down and arrested by the FBI through an undercover operation conducted during the summer and fall of 2000.

Many aspects of this story are striking. The hackers, in the relative safety of their country, were able to successfully break into many websites of US institutions and obtain confidential information such as credit card numbers, bank account details and other personal information of hapless victims. They used this information and the anonymity provided by the Internet to run a sophisticated crime ring and steal real money.

Wire Fraud by Accountants

The next case concerns two Cisco accountants who conspired to defraud their employer. The full story can be found at http://www.usdoj.gov/criminal/cybercrime/Osowski_TangSent.htm.

Between October 2000 and March 27, 2001, Geoffrey Osowski and Wilson Tang, then accountants at Cisco Systems, Inc., participated together in a scheme to defraud Cisco Systems in order to obtain Cisco stock to which they were not entitled. As part of the scheme, they exceeded their authorization in order to access a computer system used by the company to manage stock option disbursal, and used that access to identify the control numbers that tracked authorized stock option disbursals. They then created forged forms purporting to authorize disbursals of stock, faxed the forged requests to the company responsible for controlling and issuing shares of Cisco Systems, and directed that the stock, a total of 97,750 shares, be placed in their personal brokerage accounts.

This case illustrates fraud by insiders: employees who held legitimate access to certain computer systems, exceeded the privilege they had been granted, and misused that access for illegal financial gain.

Exploiting a Known Software Bug

The following is a story based on an MSNBC news report of May 17, 2001. You can find the full story at http://zdnet.com.com/2100-11-529760.html?legacy=zdnn.

In April 2001, PDG Software Inc. revealed that computer criminals had figured out a way to easily break into its software and raid customer accounts—the trick was pretty simple: it involved discovering only a single URL. The flaw was so severe that PDG went to the FBI, which issued an alert that “hackers are actively exploiting it” and “the vulnerability has already resulted in compromise and theft of important information, including consumer data.”

But SawyerDesign.com's operators, Regal Plastic Supply, missed the warning. Within a few days, and up until the time of the MSNBC report, computer criminals had a field day with the site, raiding its database liberally. The flaw was fixed only after MSNBC.com notified the company.

This case illustrates two failures: inadequate attention to security when the software was designed, and an operator who did not act on a published warning, leaving a known vulnerability open for crooks to exploit.

We see a common pattern here. Attackers discover new vulnerabilities or exploit the known ones to access confidential information and misuse it to their advantage. Careful attention to security issues at the design and development time could prevent many of these vulnerabilities.

However, it would be naïve to assume that all weaknesses can be plugged at design and implementation time. There will always be some that escape even the most watchful eyes. Also, no amount of barricading will ever make a system safe against all security attacks. Think of it in terms of security in the physical world. You could secure your house by putting locks on all the doors, closing the windows from inside and installing the latest anti-burglar systems. This will keep most of the casual burglars at bay but may not be able to stop a highly skilled and determined intruder.

What is needed is not only prevention through careful design and implementation, but also mechanisms for detecting a breach once security has been compromised, and for responding to it. There have to be procedures in place, either automated or manual, to monitor use of the system and flag suspicious activities. Once a breach has been detected, there should be a proper response: removing the weakness, and taking legal action against the perpetrator.

So, although this book is mostly about preventing security vulnerabilities at design and implementation time, you should keep in mind that such precautions address only one aspect of the overall security problem.

Survey Findings

A more comprehensive picture of the problem emerges from the key findings of the 2002 CSI/FBI Computer Crime and Security Survey:

  • Scale of security breaches. Out of 538 responses from US corporations, government agencies, financial institutions, medical institutions, and universities, 90% of respondents, primarily large corporations and government agencies, detected computer security breaches within the last 12 months, 80% acknowledged financial losses due to these breaches, and 44% quantified their combined losses as more than US$ 455 million.

  • Websites as attack targets. 98% of respondents reported having external websites and 52% used these to conduct e-commerce. 38% acknowledged unauthorized access to or attacks on their websites. Among those who acknowledged attacks, 39% reported 10 or more incidents; 70% reported vandalism (e.g., website defacements); 25% reported denial of service attacks and 6% reported financial fraud.

  • Origin of attacks. 74% of respondents cited their Internet connection as a frequent point of attack, whereas 34% cited their internal systems as a frequent point of attack.

  • Type of attacks. 85% of respondents detected computer viruses. 40% detected system penetration from outside, and an equal number detected denial of service attacks. 78% detected employee abuse of Internet access privileges.

A recurring theme among these findings and the previous news reports is that external websites are a frequent target of attacks. This is understandable. Websites, by their very nature, are accessible through the Internet and hence the basic connectivity is available to anyone connected to the Internet, which is pretty much everyone. Interactive websites run applications that connect back to internal networks, databases and other applications, thus providing connectivity to even more systems.

Website attacks are of particular interest to us as J2EE technology is often used to build the applications that provide interactivity to these websites and connectivity to databases and other internal applications. We talk more about the threats faced by a website later in this chapter. How to address these threats at the programming level is one of the main topics of this book.

Less talked about, but equally or even more significant, is the threat from internal people who have legitimate access to certain systems for certain purposes but end up misusing that privilege to perform unauthorized actions. Protecting against such users requires that a system restrict access according to security rules and provide the capability to audit actions so that potential breaches can be identified. As J2EE is often used to design and construct such internal applications, we look at these security issues and the mechanisms to address them later in the book.
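The following is an added example, not code from the book or from any J2EE API, that makes concrete two points raised above: the call for detection mechanisms that monitor use and flag suspicious activity, and the requirement that internal applications restrict access by security rules and audit what users do. It is a plain Java program modelled on the Cisco accountants case; the roles, actions, user names and record identifiers in it are hypothetical. An accountant may view option records but only an option administrator may authorize a disbursal, every attempt is written to an audit trail whether it is allowed or denied, and a per-user count of denied attempts is exposed as a simple detection signal.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

/**
 * Role-based access control with an audit trail for a hypothetical
 * stock-option disbursal system. Added example; not the book's code.
 */
public class DisbursalAccessControl {

    /** Operations on a disbursal record (hypothetical action names). */
    enum Action { VIEW, AUTHORIZE_DISBURSAL }

    /** Each role lists exactly the actions it may perform; anything not listed is denied. */
    enum Role {
        ACCOUNTANT(EnumSet.of(Action.VIEW)),
        OPTION_ADMINISTRATOR(EnumSet.of(Action.VIEW, Action.AUTHORIZE_DISBURSAL));

        private final Set<Action> permitted;
        Role(Set<Action> permitted) { this.permitted = permitted; }
        boolean permits(Action action) { return permitted.contains(action); }
    }

    /** An already authenticated user; in a J2EE application the container would supply this. */
    static final class User {
        final String name;
        final Role role;
        User(String name, Role role) { this.name = name; this.role = role; }
    }

    /** One audit record: who attempted what, on which record, when, and the outcome. */
    static final class AuditEntry {
        final Instant when;
        final String user;
        final Action action;
        final String recordId;
        final boolean allowed;

        AuditEntry(Instant when, String user, Action action, String recordId, boolean allowed) {
            this.when = when;
            this.user = user;
            this.action = action;
            this.recordId = recordId;
            this.allowed = allowed;
        }

        @Override
        public String toString() {
            return when + " user=" + user + " action=" + action
                    + " record=" + recordId + " result=" + (allowed ? "ALLOWED" : "DENIED");
        }
    }

    private final List<AuditEntry> auditLog = new ArrayList<>();

    /**
     * Single choke point for every access to a disbursal record. The decision comes
     * from the user's role, never from anything the caller supplies, and is recorded
     * whether it succeeds or fails: denied attempts are the evidence that someone is
     * probing beyond their privilege, so they must not be silently dropped.
     */
    boolean authorize(User user, Action action, String recordId) {
        boolean allowed = user.role.permits(action);
        auditLog.add(new AuditEntry(Instant.now(), user.name, action, recordId, allowed));
        return allowed;
    }

    /** Detection signal: how many denied attempts a given user has accumulated. */
    long deniedAttempts(String userName) {
        return auditLog.stream()
                .filter(e -> e.user.equals(userName) && !e.allowed)
                .count();
    }

    List<AuditEntry> auditLog() { return Collections.unmodifiableList(auditLog); }

    public static void main(String[] args) {
        DisbursalAccessControl ac = new DisbursalAccessControl();
        // Constructed sample users and record identifier, not real data.
        User accountant = new User("acct1", Role.ACCOUNTANT);
        User admin = new User("optadmin", Role.OPTION_ADMINISTRATOR);

        ac.authorize(accountant, Action.VIEW, "OPT-1001");                 // allowed
        ac.authorize(accountant, Action.AUTHORIZE_DISBURSAL, "OPT-1001"); // denied, but audited
        ac.authorize(admin, Action.AUTHORIZE_DISBURSAL, "OPT-1001");      // allowed

        for (AuditEntry entry : ac.auditLog()) {
            System.out.println(entry);
        }
        System.out.println("Denied attempts by acct1: " + ac.deniedAttempts("acct1"));
    }
}
```

The design points are the ones the chapter asks for: the rule table is deny-by-default, the check happens in one place that every code path must pass through, and the audit record captures the denied attempt along with the allowed ones, so that a reviewer, or an automated rule over the log, can see an accountant repeatedly trying to authorize disbursals before any forged form is faxed. In a real J2EE application the role membership would come from the container's security realm rather than a constructor argument, and the audit log would go to durable storage rather than an in-memory list.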

Other types of security attacks, those through computer viruses and distributed denial of service attacks, though very real and quite damaging, work at a different level and cannot be addressed by simply using security features of a software development technology like J2EE and hence, are not discussed in detail.
