Hacker Covered Tracks in Web Onslaught
FBI Examining Computer Logs, Intelligence in Search for Culprit

Feb. 10, 2000 APBNews.com:

By James Gordon Meek

WASHINGTON (APBnews.com) -- The hacker or hackers responsible for launching the attacks that temporarily disabled top Web sites this week masked some of the electronic fingerprints that might have helped identify their origin, a senior FBI official said today.

The official, who spoke on condition of anonymity, told APBnews.com that whoever shut down sites such as eBay, CNN.com, ZDNet, E*Trade and others was sophisticated enough to "spoof" some of the raw data used to overwhelm targeted computers, making it look as if the flood of communications originated from the victim sites themselves.

The hacker is believed to have planted remote software "agents" inside large third-party "host" computers that forced the machines to unwittingly blast Web servers of a half-dozen news and e-commerce sites with junk data.

That barrage could have originated from as few as 20 or 30 separate machines, but another deception may have been that the data appeared as if it came from thousands of computers, said Pat Fisher, president of the computer security firm Janus Associates in Stamford, Conn.
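The two deceptions described above (source addresses forged so the flood appears to come from the victim itself, and a few dozen machines presenting as thousands of sources) both leave traces in router flow logs that a defender can check. This is an added example, not code from the article or from any firm it quotes; the site prefix, the log format and the sample records are constructed:

```python
# Added example (not from the article or any firm it quotes): two checks for the
# deceptions described above, run over constructed flow records.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the defended site owns this prefix (a constructed documentation range).
OWN_PREFIX = ip_network("198.51.100.0/24")

# Constructed "timestamp src dst bytes" records from the Internet-facing side of an
# edge router. Seconds 10-11 are normal traffic; at 12-13 a burst arrives from many
# addresses, some forged to look like they come from the site's own prefix.
SAMPLE_FLOWS = """\
10 203.0.113.7 198.51.100.10 1500
10 203.0.113.8 198.51.100.10 1500
11 203.0.113.7 198.51.100.10 1500
12 192.0.2.1 198.51.100.10 40
12 192.0.2.2 198.51.100.10 40
12 192.0.2.3 198.51.100.10 40
12 192.0.2.4 198.51.100.10 40
12 192.0.2.5 198.51.100.10 40
12 198.51.100.10 198.51.100.10 40
12 198.51.100.11 198.51.100.10 40
13 198.51.100.10 198.51.100.10 40
13 192.0.2.6 198.51.100.10 40
"""

def parse_flows(text):
    """Parse records into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        flows.append((int(ts), ip_address(src), ip_address(dst), int(size)))
    return flows

def spoofed_own_source(flows):
    """Inbound flows claiming a source inside our own prefix; legitimate traffic
    from outside cannot carry such an address, so every hit is forged."""
    return [f for f in flows if f[1] in OWN_PREFIX]

def distinct_sources(flows, window=1):
    """Count distinct apparent source addresses per time window."""
    seen = defaultdict(set)
    for ts, src, _dst, _size in flows:
        seen[ts // window].add(src)
    return {w: len(s) for w, s in seen.items()}

def flood_windows(flows, threshold, window=1):
    """Windows whose apparent source count exceeds the normal baseline."""
    return sorted(w for w, n in distinct_sources(flows, window).items() if n > threshold)
```

On the sample, the own-prefix check flags three forged records and the source-count check singles out second 12, where seven apparent sources appear against a baseline of one or two; the same two checks apply to the thousands-of-sources case with a larger window and threshold.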

To catch the mastermind who launched the attacks, said the FBI official, investigators are tapping into the U.S. intelligence base and using traditional investigative techniques, gathering "tremendous information" as a result.

The source said the FBI has no reason to believe the hacker is overseas, but said it is too early in the investigation to tell where the attacks originated.

'It could take forever'

Short of a hot tip about the hacker's identity, the FBI faces what some experts say could be a long, tedious effort at tracing the path of a cyber-intruder who may have hacked through untold numbers of machines and Internet service providers (ISPs) in the United States and abroad to cover their tracks.

Ray Kaplan, senior computer security consultant at Secure Computing Corp. in St. Paul, Minn., said the process of tracing the attack back to its originating machine could be painstaking.

"You have to start with the attacked site and pick your way back to see where the [malicious] traffic originated," Kaplan said. "If the person who put the remote agent software on the remote host is really good, then [the FBI] won't find any tracks."

Kaplan said examining the hacker's path could take weeks or months if the FBI has nothing else to go on. "It could take forever. In fact, it may never get done."

Traffic to be analyzed

Another potential problem is the traffic logs the FBI will need to analyze, which are stored at victim sites, at ISPs, or on the third-party computers at universities and corporations that were used in the attacks, said John Pike, a security expert at the Federation of American Scientists in Washington.

"The FBI can be quite clever when they have the data to work with, but I'm not going to assume they have enough information in this case," Pike told APBnews.com.

Whether the logs are complete or not, the process of analyzing such data is typically arduous, time-consuming and resource-intensive, the FBI official said.

The so-called "denial-of-service" attacks, in which Web sites are flooded with data to create a traffic bottleneck, began Monday with an assault on Yahoo. Amazon.com, Buy.com, eBay, E*Trade and CNN.com were targeted Tuesday and Wednesday.

No new attacks were reported today.

Challenge lies in recruiting experts

In the past year, the FBI's National Infrastructure Protection Center (NIPC) -- leading the probe of the latest big hacking event -- has lost 14 special agents assigned to investigating computer crimes and cyberterrorism.

The Justice Department budget proposed by President Clinton this week contains $37 million for fighting child pornography and other initiatives, but offers no additional funding for the NIPC, which would like to double its staff to 400 investigators, the FBI official said.

Pike said the bigger challenge for the government is recruiting computer security experts. Capable professionals with the skills and savvy to catch hackers are unlikely "to take a vow of poverty" to work for the government when lucrative private sector contracts await them.

Companies turn to private firms

While the FBI continues to encourage Web site administrators to contact the bureau as soon as an attack is detected, many are looking elsewhere for protection.

Fisher said she is hearing from an increasing number of e-commerce companies interested in the security services Janus offers for computer networks.

"People are really nervous," she said. "Whether that turns into new business, we'll have to see."

James Gordon Meek is an APBnews.com staff writer in Washington (james.meek@apbnews.com).
© Copyright 2000 APB Multimedia Inc. All rights reserved.