RealTime IT News

U.S., South Korea Under Cyber Attack

Key Web sites in the U.S. and South Korea have been under attack for several days according to reports that indicate government, financial, and media sites are being targeted. Although there's been speculation that North Korea was the culprit, perhaps because of that nation's continued belligerent behavior, there was no proof. Today, North Korea sentenced two female U.S. journalists to 12 years of hard labor.

"The Department of Homeland Security (DHS) is aware of the DDOS attacks on federal and private sector public-facing websites and as of last night, all federal web sites were back up and running. The department's US-Computer Emergency Response Team issued a notice to federal departments and agencies, as well as other partner organizations, on this activity and advised them of steps to take to help mitigate against such attacks," Amy Kudwa, DHS deputy press secretary, told InternetNews.com in an e-mail.

"We see attacks on federal networks every single day, and measures in place have minimized the impact to federal websites. US-CERT will continue to work with its federal partners and the private sector to address this activity," she added.

One of those partners is Symantec. "Symantec is working with our partners and with the government," Dean Turner, Symantec Security Response director, told InternetNews.com.

Turner said that the initial attack consisted of over 50,000 machines, but said that the security community is still learning about what happened. He echoed the DHS' Kudwa in pointing out the government sites are under constant attack.

"The baseline of attacks against these sites is high, at a level not widely known outside the security community," Chad Loeven, Sunbelt Software vice president of business development, told InternetNews.com.

Primitive attacks

The attacks consisted of what appeared to be a SYN flood denial of service (DoS) attack , which got the headlines, and a malware attack, according to Turner. Even the malware was primitive, he said. It included such malware as myDoom, which was the top Internet threat in early 2004. Reports said that the malware contained programming errors.

But agencies need to beware of targeted attacks, according to Loeven. "I cannot speak to these recent attacks, but in general these targeted attacks are using a combination of social engineering plus a logical inference of the target's potential weaknesses," he said.

"For example, one government agency came to us with a situation where their own downloadable forms had been submitted back to them with malware embedded," he added.

"They can bypass basically all security with that method," he said.

He added that the motives for attacks on government sites are usually clear. Attackers are usually either after valuable information or they have political motives for shutting down key sources of information.

The threat cannot be ignored. "There are persistent, well-organized, well-funded groups attacking our infrastructure," Loeven said.

Although the attacks are low tech, they are also likely difficult or impossible to trace. Loeven explained that because they were launched from compromised machines, anyone tracing the attacks would have to trace the source of infection, which might in turn be another compromised machine.

"It's like a game of Snakes and Ladders where we're working backwards up to the source," he said.

"Because the traffic is coming from a particular location doesn't mean that's the origin of the attack," said Symantec's Turner. "The attack isn't from one location in the world. There's no evidence to indicate that the attack is from North Korea."

To help stop this DDoS, Symantec said it encourages all computer users to update their security software with the latest definitions, keep their computer systems clean and continue to use general best practices for staying safe online.