THIS STORY HAS BEEN FORMATTED FOR EASY PRINTING

Hackers' attacks alarm Web

Damage slight, but analysts see need for tighter safeguards

Supporters of Julian Assange during a protest yesterday in front of the British embassy in Budapest. Supporters of Julian Assange during a protest yesterday in front of the British embassy in Budapest. (Bernadett Szabo/Reuters)
By Hiawatha Bray
Globe Staff / December 10, 2010

E-mail this article

Invalid E-mail address
Invalid E-mail address

Sending your article

Your article has been sent.

Text size +

While the coordinated hacking of companies that have cut ties to WikiLeaks has done relatively little damage to their businesses so far, it has nonetheless shown how easily sophisticated attackers can pierce at least the outer layer of online security defenses at major Internet operations.

Internet hackers sympathetic to WikiLeaks founder Julian Assange launched focused attacks on the websites of credit card companies Visa and MasterCard and the online payment processor PayPal.com.

An Internet activist group that calls itself Anonymous launched the attack on PayPal Wednesday after posting an online manifesto that declared, “PayPal is the enemy.’’

The attack on PayPal could have been the most serious, since online shoppers need access to the site to make payments to Internet retailers.

In a statement issued yesterday, a PayPal spokeswoman said “these attacks have at times slowed the website itself down, but have not significantly impacted payments.’’

Jose Nazario, senior manager of security research at Arbor Networks Inc., a computer security firm in Chelmsford, said activists were also mounting a more serious effort to hack PayPal servers that thousands of other Web-based businesses use to collect payments on their own websites.

A successful attack on this service could disrupt millions of retail transactions during the busiest shopping period of the year, but Nazario said he had seen no sign the attack was succeeding.

To some observers, the hackers were analogous to a mob that smashes the plate-glass front of a store but doesn’t go inside to loot the merchandise.

For example, Visa and MasterCard’s websites were knocked offline for several hours on Wednesday, but these were the online portals the companies use to provide information to the public. Visa and MasterCard’s core business computers, those that process millions of financial transactions and store personal information on cardholders, were not affected.

Messages posted on the social-networking site Twitter indicated the activists had planned to launch a major attack on the retailer Amazon.com yesterday. But according to a later announcement, the attack was abandoned because Amazon’s network was too secure to disrupt.

The hackers want revenge for Assange’s arrest following his controversial decision to post online US diplomatic cables that reveal frank, sometimes embarrassing assessments of other global leaders and sensitive international incidents. Assange is being held in England, wanted on rape charges in Sweden, and has become a global pariah for publishing the cables in the face of widespread condemnation from world leaders.

Amazon.com has stopped providing Web-hosting services to WikiLeaks, while MasterCard, Visa, and PayPal have stopped transmitting donations to WikiLeaks from supporters around the world.

The attackers used a crude but effective way to shut down a website, called a “distributed denial-of-service’’ or DDOS attack. In such an attack, computers are programmed to send constant requests for data to the targeted websites until the quantity of traffic overwhelms them.

“If you load a website and hit refresh a bunch of times, you are launching a basic distributed denial-of-service attack,’’ said Molly Sauter, research assistant at the Berkman Center for Internet & Society at Harvard University.

Internet vandals automate the process. They install DDOS software on hundreds or thousands of computers, all of which target a particular site.

“It’s a pure brute force attack,’’ Sauter said.

Security experts have dealt with DDOS attacks for years and have developed a number of defenses. But Beth Jones, senior threat researcher at the computer security firm Sophos Inc., of Burlington, said that computer security workers for the companies may have let their guard down, focusing instead on newer threats.

“They don’t think enough about some of these old attacks,’’ Jones said.

Meanwhile, a teenager was arrested in the Netherlands yesterday in connection with the attacks, the Dutch public prosecutor said in a statement on its website. The teen is suspected of being part of a larger group that sympathizes with the work of WikiLeaks.

Jones said US citizens involved in Internet attacks could find themselves under arrest, too.

Such attacks are illegal under US law, and Web providers who detect the use of attack software on their networks could pass along the information to law enforcement agencies.

Material from Globe wire services was used in this story. Hiawatha Bray can be reached at bray@globe.com.