Since this week in class we are talking about software as a service and web-services, I think it’s appropriate for me to talk about the security implications and how they will affect business. To recap, the logic is that businesses spend a lot of money on redundant services that are common to everyone, so rather than paying large sums of money developing and maintaining systems, why not outsource it to a web provider who has a competency in the service you need while gaining the flexibility and omnipresence of the web? The most important threat to Web-services is the ability to halt the services it hopes to provide. What I’m talking about is referred to as DoS in the security world (also DDoS if it’s distributed).
What is DoS?
No, I’m not talking about the software that turned a computer nerd Harvard drop-out into a billionaire… it stands for Denial-of-Service. There are many forms of Denial-of-Service attacks, so for brevity I’ll only talk about one form of it, so you can understand how it works. Much of the web is about conventions and handshakes, for example when you want to connect to Google your computer sends out a packet of data that in simplified terms says, “Hey Google, I want to connect to you!” Google’s servers receive the message and the servers send a packet back saying, “Ok, I see that you want to connect to me, so let me allocate the resources, so you can download my webpage.” Your computer responds by saying, “Ok, since I know you are there, I’ll allocate the resources to receive.” The connection is then established and data can flow. But what if, after the second step we don’t respond, what does Google do? Having already allocated the resources to communicate, Google waits and periodically says, “I’m ready to send, are you there... are you there?” (For an excellent but fully technical explanation see here). The resources Google has allocated for one connection is miniscule, but now string along thousands or millions of computers that all yell at once and Google will come to its knees. This is what is known as a SYN flooding. According to this article the nation with the most zombie servers (23%) in the world is
Don’t piss off a good hacker … or run a super sale?
So how does Google defend? Well as my friend Peter points out here, one part of the equation is that big companies such as banks and Google are adopting the latest core processors and grid computing to expand their resource capacity. It’s just a numbers game… if enough hackers get together they can still bring any website down. Playing the devil’s advocate, let’s say Google builds up massive defenses, so they say to hackers “anything you can throw at me I can handle.” Google and many other websites are still vulnerable because hackers also go after the DNS servers. Domain name servers are the servers which translate the URLs you type into numeric Web addresses that link surfers to company sites (You can be proud to know that USC’s ISI is a player in the IANA). One notable DNS attack in 2004 brought down Apple, Google, Microsoft, Yahoo, and many more all at once! (see article here).
Hackers get all the bad rap for DoS, but you can bring a website down too. On Black Friday last year, Amazon offered the Xbox 360 for half of retail price. Users from around the world flocked to Amazon in hopes of getting in on this super deal, but ended up with white screens as this intense legitimate traffic brought the website down for 10 minutes (see article here).
Implications for Business
The scenario involving Amazon was not the first time the website was brought down by excessive users, and it won’t be the last. Even if we discount the hackers, web services are still prone to DoS in the same way. For example, let’s say it’s Dec. 31 (the end of the fiscal year) and the web server handling your outsourced accounting functions is being bombarded by other companies who have the same fiscal year end date. Frustrated because a report needs to be presented to management tomorrow, you (along with all the other companies who use this service) sit refreshing your pages hoping to get through. Therefore, unless the conventions which govern the web are redesigned, the Web and all Web-services will always be susceptible to DoS. This leads me to two reasons why all of your company’s IT will not be moving to the Web:
1. Control – When you keep your IT in-house you can dictate what happens on those systems and can shield yourself from the web by not having a physical connection.
2. Security – with laws such as HIPAA and the steep penalties for leaked data, sensitive information such as patient records won’t be moving to the web. Laws aside, what if your web services host becomes compromised due to social engineering or a curious web host wants to know if he/she should liquidate their stock based on your financials? Are you going to let your company and your information be subject to risks outside your control?
Don’t get me wrong, web services are great for all sizes of business, but the annoying guys in IT will always be around (sad isn't it... although there may be fewer of them, but being paid alot more). Although there is solid economic logic to support Web-services, there are many more factors and reasons why a company may not want to move its systems to the web, and I’m tired of writing, so let’s discuss them!
4 comments:
As you pointed out, those annoying IT guys will always be out there. So how concerned should we be. You're black Friday is a perfect example of what I mean. Denial-of Service is not always triggered by hackers. And even when it is there are ways to prevent it.(http://www.informationweek.com/showArticle.jhtml;jsessionid=NAXYK1Q0ANCZQQSNDLRCKHSCJUNN2JVN?articleID=197004237&queryText=DoS. So how much of a security issue is this really or is it merely annoying?
Reading your article reminds me of Winter Olympic in 2004 (I think.. not this past one but the one before).
The story goes like this...
In men's speed skating (where South Koreans sweep gold every winter olympics) brave young skater from U.S. names Apollo Anton Ono supposedly "stole" the gold medal from South Korea. What happened was that the South Korean passed Ono in the last lap to win the gold, but as Ono saw that he was being passed, Ono put on a little act where it seemed as if the Korean had pushed him when passing by. Therefore, the Korean got disqualified and Ono got the gold medal. Why am I telling this story? Right after the officials ruled South Korea as DQ, literally every household from South Korea (and some from outside of Korea, like me)tried to access the Winter Olympic website to dispute the decision. This is where DoS comes in. Well, sort of DoS, since the Olympic Website actually crashed due to traffic and amount of emails pouring in.
This was a pretty big story, and the world knew about the obnoxious Korean "Netizens", as they call themselves.
In 2006 World Cup, however, it was a definate case of DoS. Korea is also pretty soccer crazy,(http://mingalaronline.net/story/world_cup2006_korea_fans.jpg) and when there was a bit of controversy in the Swiss vs South Korea match, Koreans did the what they did best: went online to complain.
However, this time, people in Korea noticed that they couldn't access the website. Why? FIFA actually blocked all IP addresses coming from Korea. Of course I had the luxury of going on FIFA website to complain, since my IP address was from the US.
So I guess this is a case where DoS is not triggered by hackers, nor the sheer amount of users, but from the website itself.
Is this illegal? maybe, since it might be a denial of service to a specific group of people. However, it takes a crazy group of people (Koreans) to create such a case; therefore, I do not know if it is actually worthy of contemplating, yet.
Just to let you know, the story didn't end there. Some people found out about this phenomena, and the information that FIFA was purposely blocking Korean IP addresses became prevalent amongst Koreans. Of course, infuriated Koreans uploaded a way to fake, or actually deny the website to look at, your origin.
The results? FIFA website went down two days later.
In Summary, I guess this was a case where the website created a DoS of its own to prevent the possible DoS that would result from angry Koreans accessing the website.
Wow, I like your Google example. It makes more sense to me to understand DoS than the technical version. LoL.
Well, we seriously can't stop those annoying IT guys. They never stop hacking. It seems like when you upgrade your security level, they attempt hacks again, and maybe the more successful/satisfied they feel. I'm not saying those hackers are reckless or so because successful hacking means there are flaws in the security systems, but in some sense, I feel they have some kind of psychological issues. They like to hack popular sites or government sites. Probably because they like those challenges and they really want to be famous.
So the challenge is perhaps how can companies hire hackers to do good by figuring out a flawless security system before the rest successfully hack a site. Those hackers can probably do all the hack attempts in-house without affecting a wide range of people.
And yes, these security issues is definitely a concern for Web Services, so as the network speed and/or network reliability.
Regarding Brian's comment, actually people can use Proxy to access the internet to hide their real IPs, and there are sites that provide those anonymous IPs and how they can do it. So blocking IPs from regions may not be an ideal solution.
Well, IT is definitely a double-edged sword in this situation. On the one hand, it makes our life convenient and easy. On the other hand, we are becoming too dependent on it. Over dependence is never a good thing especially with all the dangers of IT. Hackers and downtime will always be a problem no matter how secure and properly maintained our systems are.
One good example will be the recent release of Apple TV. As Peony has pointed out in her Apple TV blog here. Just merely days after its release, people are already hacking away. The point here is that we, as humans, are never satisfied with anything.
IT just becomes a victim to our greed and unsatisfaction.
Software as a service or web-services is truly a good step towards a more inter-connected world. However, will all companies trust each other enough for this to happen?
Post a Comment