Zombie Attack: Hackers use denial of service attacks to take down Web sites and drag unsuspecting companies into their crimes.
Hackers take down Web sites and drag unsuspecting companies into their crimes.
August 31, 2009 at 08:00 PM
6 minute read
—
For several days this summer beginning July 4, international hackers targeted and disabled a variety of Web sites in the U.S. and South Korea. The Web sites belonged to the Department of Homeland Security, Federal Aviation Administration, Federal Trade Commission, The Washington Post, New York Stock Exchange and the office of South Korea's president, among others. Some South Korean reports named North Korea as a suspect. Whoever it was, the culprit apparently carried out the attacks using a simple technique called distributed denial of service (DDoS).
“Cyber-attacks like [the one in July] are being recognized as yet another means available to governments to cause harm to opponents,” says Michael Overly, a partner in Foley & Lardner's IT privacy, security and information management practice. But more often, independent hackers launch these types of DDoS attacks just to cause chaos. And corporations are common victims.
DDoS attacks occur when hackers infect thousands of computers across the world–often within business networks–with a virus that turns those networks into “zombies.” The zombies send many simple requests to a targeted Web site, overloading server capacities and causing the Web site to shut down. It's an expanded version of denial-of-service attacks, which spawn from a more limited number of computers. Neither technology is complicated, but DDoS attacks can be extremely difficult to trace back to an original source. And they're happening more often.
In one recent example, Gawker Media, an online blog network, was brought down by DDoS for a weekend in early August.
And in late July, a Texas grand jury indicted a 25-year-old security guard for breaking into the HVAC system and planning a DDoS attack at the Dallas orthopedic health clinic where he worked. The man solicited help for the DDoS from other hackers by posting videos online. His plan shows how easy the attacks can be, and how even smaller companies are at risk.
“If the stock exchange can be hacked, if the government of South Korea can be hacked and if the Department of Defense can be hacked–no company can be absolutely secure,” Overly says.
Moreover, cyber-attacks can be quite simple to carry out, and they create several layers of risk for companies with an online presence. Those that engage in e-commerce, buying or selling products online, face the most glaring problem. Jim Butterworth, director of cybersecurity at Guidance Software, says companies with online storefronts, such as Amazon.com or eBay, are the most likely targets of DDoS attacks, and Guidance Vice President and Deputy General Counsel Patrick Zeller agrees.
“If your public-facing site is taken down, your business is going to stop,” Zeller says.
Simple but Dangerous
Beyond the loss of sales, companies that host content for their clients online–such as an e-discovery vendor or a simple Web site-hosting service–must be wary of DDoS because they likely have service agreements they must uphold. If their servers go down and consequently knock out their clients' ability to function, Butterworth says these content hosts may face liability for breach of contract.
As bad as it might be to deal with a downed Web site, in the worst case scenario the DDoS might be an early warning sign of a bigger attack or more serious data breach. During a DDoS, the hacker bombards the company's system with thousands upon thousands of useless pieces of information. In the midst of this, there's the potential for a hidden motive: that the hacker is trying to slip malicious code past digital security while the system is overwhelmed with extraneous data. Such malware could lead to a data breach and stolen confidential data.
Victim and Villain
In addition to being targets of these attacks, companies also face legal liability as unwilling participants. If a company does not have adequate IT security measures, hackers can turn company computers into zombies to use in the attack. Then the company can get sued for negligence.
“It's coming up more and more,” Zeller says. Trying to sue hackers rarely produces productive financial results, not only because they are hard to find, but also because they don't have much money, he adds.
Consequently, attack victims look for financial liability not with the actual perpetrator but with deep-pocketed companies that inadvertently became part of the crime. Overly has seen a situation where someone stole thousands of Social Security numbers and hid them on an unsuspecting company's network. At the very least, that type of incident would lead to some unpleasant public relations. Regardless of whether litigation ensues, disclosure of a company's accidental complicity in an attack could impact a company's business reputation and stock price.
Overly gives another example of a bank: Someone breaks into its network and doesn't steal any personal consumer data. But the criminal uses that access to attack another company. In this situation, which could happen to any company with frequent customer interactions, there might be no actual damage to the bank's customers, Overly explains, but there could be damage to its reputation.
Enemy at the Gates
However, companies can prevent hackers from using their networks in attacks. The defense starts with a concise policy that employees understand and follow and that management enforces.
“[Successful] companies boil this down to a few pages of very clearly written text,” Overly says. “Then [they] follow up on a quarterly basis by emphasizing a single point in the policy and giving examples of what the problem is and what the company is trying to address.”
Policies should bar employees from downloading applications at work, such as peer-to-peer software. The company should encourage workers to report any computer aberrations–such as a strangely slow computer or e-mails asking for personal information–to IT security immediately, even though most questions will probably end up being benign.
The legal department also should be an integral part of the cybersecurity process, especially after a company identifies an attack and law enforcement may become involved. On a more routine basis, Overly says counsel should ensure that contracts with third-party vendors guarantee appropriate security measures. Also, in-house attorneys should make sure independent validation of a company's security setup is a priority, instead of only relying on internal IT staff.
Butterworth emphasizes that corporate executives cannot measure protecting the network in terms of merely complying with rules or checking items off a list.
Corporate cybersecurity is a never-ending process in a constantly changing environment, so in-house counsel should focus on awareness and education, as opposed to simply following minimum–and often static–standards.
“It's about knowing what's going on instead of trying to [do well on] some sort of report card using standards that are five to 10 years old,” Butterworth says.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFinancial Watchdog Alleges Walmart Forced Army of Gig-Worker Drivers to Receive Pay Through High-Fee Accounts
GC Pleads Guilty to Embezzling $7.4 Million From 3 Banks
In Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
6 minute readGC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readTrending Stories
- 1Decision of the Day: Administrative Court Finds Prevailing Wage Law Applies to Workers Who Cleaned NYC Subways During Pandemic
- 2Trailblazing Broward Judge Retires; Legacy Includes Bush v. Gore
- 3Federal Judge Named in Lawsuit Over Underage Drinking Party at His California Home
- 4'Almost an Arms Race': California Law Firms Scooped Up Lateral Talent by the Handful in 2024
- 5Pittsburgh Judge Rules Loan Company's Online Arbitration Agreement Unenforceable
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250