Posted by: Not a TS Newshound
E-Mail: notwrittenbya@journalist.com
Date Posted: March 03, 2000 at 02:23 MST
OMINOUS CHANGE IN HACKER ATTACKS ON WEB SITES
03/02/2000
From the Associated Press.
Indianapolis, IN. - In an incident that authorities believe documents
increasing perils to companies and organizations operating Internet web
sites, computer hackers last night disabled the web site of Resort Condominiums
International (RCI), a company that operates an on-line service that allows
its members to trade weeks at timeshare resorts around the world. RCI is
a subsidiary of Cendant Corporation, a travel and leisure services company
that also franchises numerous hotel chains and also owns Avis Rent a Car.
Authorities are worried that this attack shows that computer hackers
are expanding their attacks to include lower profile companies. Many hackers
are apparently making this shift in response to security enhancements adopted
by the more highly visible and prominent web based companies, such as Yahoo
and eBay, which hackers have targeted in previous attacks.
Indicating the seriousness of this attack, US Attorney General Janet
Reno announced at a news conference this morning that the US Department
of Justice Internet Strike Force is taking the lead in investigating this
case. "For some time we have been concerned that hackers might expand their
efforts to disrupt web operations. Our undercover agents and informants
in anarchist groups have informed us that many of these groups were planning
to expand their operations to include disrupting the web sites of companies
whose activities they did not agree with. After the WTO demonstrations
in Seattle, we noticed a large increase in their efforts to implement these
plans. Thus, it is critical that we act quickly and decisively to ensure
that the web remains free and open to all users."
Felicia Ramsey, Head of the Department of Justice Internet Strike Task
Force, later told reporters that, with the assistance of RCI, they have
already determined that the attacks originated from a hacker group known
as the TUGs. The members of this group are believed to have adopted this
name as a variation of THUGs, believing that they would arouse less suspicion
with the new name. As with most hacker groups, they are a loosely affiliated
organization of individuals that communicate with each other primarily
over the Internet. Many of them also disguise their real names with screen
names, such as Fletch, MNdee, Shaggy, Travelnut, Makai Guy and Wonka.
Unlike other hacker groups, however, the TUGs operate a highly visible
web site and even have their own web domain, www.tug2.net. Ramsey is very
concerned about this, because she believes it indicates increasing brazenness
in the hacker community after their recent successes in crippling the large
e-commerce sites. "Now we see a hacker group that isn’t even bothering
to maintain a low profile; it’s like they’re sticking their tongues out
at us and daring us to stop them. My orders from Ms. Reno are clear that
we are to do everything we can to put a stop to groups such as this."
Indianapolis Police are working closely with Justice’s Internet Task
Force on this case. When contacted about the case, Chief Jerry Barker said
the Police Department’s white-collar detectives were working with RCI
to collect more detailed information on the attack. Barker added that the
Department believes the attack was also triggered by the opposition of
some TUGs to changes that RCI is making in its operations.
Contacted later, Ron Jackson, President of RCI, concurred with Barker’s
assessment, stating his belief that "the perpetrators of this attack are
people who naively oppose changes we are making to our exchange program
that will greatly enhance the benefits and flexibility of interval ownership."
Jackson added that RCI has previously announced their plans to introduce
their revamped program this April at a meeting of the American Resort Development
Association, and stated that he believed that this attack was timed to
discredit RCI just before they made this important announcement.
The investigators believe they have determined the techniques used by
the TUGs to disable RCI’s web site. In what is now a standard method of
attacking web companies, the hackers overwhelmed the RCI servers by flooding
them with data requests.
The attack appears to have started when several TUGs posted messages
on the TUG BBS on Tuesday indicating that new condominiums often became
available during the middle of the night, and therefore TUGs should log
in to the RCI site early in the morning. This post triggered a first round
of heavy traffic to the RCI site. Then later in the day another message
was posted stating that popular resorts in Puerto Vallarta and Hawaii had
made a significant number of their condominiums available for trading.
This second post was apparently made after the TUG leaders realized that
the RCI server was still functioning despite the increased traffic triggered
by the first post.
Jackson reported that early in the morning RCI’s servers received five
requests for information on possible trades in less than two minutes. "Although
our servers and our Internet connections were not designed to handle such
a large volume of data, we managed to get through this first phase of the
attack with only minimal disruptions to service. The real problem came
later in the day after the post about the availability of the condominiums
in Hawaii and Puerto Vallarta, when people began to log on to our site
at a rate of one person every two to three minutes," Jackson said. "Although
we recently redesigned our software to use the latest Java scripting, there
is no way we could survive such a concerted attack. We also believe that
the hackers somehow obtained information on our vulnerability to such massive
information requests and used this information to paralyze our operations."
Jackson also said that RCI made changes to its software this afternoon
to improve its ability to remain operational. "Now if the system becomes
overloaded users will simply get a message that says (ECI_ERR_NO_SESSIONS,
-17). While this is not totally satisfactory, we believe site users will
be happier receiving this message rather than simply not knowing why our
site isn't responding."