ISP hackers likely to evade justice

Not only can malicious hackers force an ISP out of business, it appears they can get away with it as well
Written by Graeme Wearden, Contributor

The hackers that brought down UK Internet Service Provider (ISP) Cloud Nine look almost certain to avoid prosecution.

Cloud Nine's chief executive, Emeric Miszti, has told ZDNet UK News that whoever carried out January's attacks managed to cover their tracks by deleting data that could have been used to trace them. This, according to Miszti, makes it very unlikely that those responsible will be found.

"The problem is that the hackers managed to delete the Web logs that would have recorded exactly what happened during the attacks," Miszti said. "Without that information, it's impossible to show that someone carried out a particular act and caused specific damage, and that's what the police tell us we need to be able to prove," he explained.

Previous reports suggested that Cloud Nine was brought down just by a distributed denial-of-service (DDoS) attack -- something that security experts found unlikely. It appears, though, that the ISP was hit by a combined hacking and DDoS attack.

"The hack attack targeted the most vulnerable point of our network -- the Web servers -- and through this door they were able to obtain information about our key internal servers. In effect, they mapped our network to enable them to better attack us," explained Miszti.

Following the attack, Cloud Nine's management assessed the cost of attempting to improve the ISP's security, and realised that they could not afford the extra investment required, and the loss of income while the work was carried out, said Miszti. They were forced to close, and sold their assets to fellow ISP ZetNet shortly after the attack.

"We would have had to have key parts of the network down for between one and two weeks, and this would have been unacceptable to many of our clients, whilst we rebuilt servers that we couldn't be sure were not compromised. We would also have had to rewrite most of our automation software for setting up new accounts and restructure our working practices from a stronger security viewpoint," said Miszti.

According to Miszti, Cloud Nine had recently completed new investments in hardware, ADSL and a remote facility at Redbus that had not yet become revenue generating -- meaning they didn't have the financial resources to cope with a wholesale rebuilding of their system.

To launch a DDoS attack, a hacker must have already secretly installed code on many third-party computers. These machines are then used to flood a target Web server with data requests, making it impossible for the server to function normally.

Companies who suffer a DDoS attack can attempt to repel the assault by identifying the IP addresses of the computers involved and blocking any traffic from them. Hackers can find a way around this, but even then a targeted server can be taken offline by its owners.

Miszti believes that Cloud Nine's attackers may have taken control of Cloud Nine's own internal remote control systems. "When the attacks came they were both internal and external and targeted at key servers such as DNS, email servers, Web servers," he explained.

Miszti is currently writing up a full account of the DDoS attacks so that other ISPs can learn from Cloud Nine's experience.

See the Net Crime News Section for the latest on fraud, crime, child protection and related issues.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.

Editorial standards