
Hack Attack

How to protect your e-commerce site from hackers
June 1, 2000

In February, an unknown hacker typed in a command that caused a harem of slave computers called zombies to begin what is known as a distributed denial of service (DDoS) attack. Their target was giant portal site Yahoo!. The secret army of computers flooded Yahoo! servers with repeated requests for data, keeping almost all legitimate visitors from reaching the site for three hours. In the days that followed, copycat hackers had their way with some of the biggest and busiest e-commerce and portal sites on the Internet. Microsoft, eBay, and were just a few of the Goliaths knocked down, allegedly by the likes of a few David-sized teen hackers.

Though one arrest has been made (a 15-year-old has been charged with disabling), the DDoS attacks are still being seen as "victorious," and hordes of curious techno-wizards are nosing around in cyberspace right now, sniffing out unsecured servers on which to display their criminal prowess. And just in case you were feeling left out, rest assured: The big sites aren't the only ones at risk. Smaller sites may be just as vulnerable to hacking, whether from unknown pranksters, thieves seeking your customers' financial information or saboteurs in search of company secrets. But don't shut down your e-shop yet.

While every computer connected to the Internet is exposed to the prying eyes of the world, there are steps you can take to evaluate and eliminate potential security risks. The first step is to be aware of the ways high-tech criminals attempt to compromise network security. Read on to educate yourself about common hacking methods and how to reduce your risks.

Tina Gasperson writes about technology, business and the Internet. Her articles and columns have been published at,, and many other publications. Visit her Web site at

The Trojan Horse

Trojans are evil programs that hackers either secretly install on your system or trick you into installing yourself by disguising them as good programs. These programs enable hackers to access your network remotely, gain complete control and perform any number of dirty deeds, including making your computer into a zombie and using it to perform DDoS attacks.

The Numbers Game

Many hackers simply want access to private information, like databases filled with credit card numbers and sensitive company data. All they have to do is figure out your administrator password. Many times they'll attempt to grab it through "social engineering": calling or e-mailing you or an employee, claiming to be a technical support person. Then they'll go to work on schmoozing you out of your password. Hackers may also try to "crack" your password, choosing from a variety of password dictionaries, which automatically try thousands of word/letter combinations. Take the following measures to avoid this scam:
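One concrete measure is a policy check that refuses any administrator password a dictionary attack of the kind described above would recover quickly. The following is an added example, not code from the article; its word list is a small constructed sample, and the mutation rules it undoes (case changes, "leet" substitutions, trailing digits or symbols, reversal) are assumptions modelled on what such dictionaries typically try.

```python
"""Defender-side password policy check: reject administrator passwords
that a dictionary attack would derive from a common word plus simple
mutations.  Added example; word list and mutation rules are assumptions."""
import re

# Constructed sample of a password dictionary; a real check would load
# a list of thousands of words from a file.
SAMPLE_DICTIONARY = {"password", "admin", "secret", "welcome",
                     "letmein", "ecommerce"}

# Letter/digit substitutions crackers apply to dictionary words, reversed
# here so a candidate is compared in plain spelling (p@ssw0rd -> password).
LEET_TO_LETTER = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                  "0": "o", "$": "s", "5": "s"}

# Up to four trailing digits/symbols, e.g. "Secret99" or "Adm1n!".
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*._-]{0,4}$")

def dictionary_base(candidate: str, dictionary=SAMPLE_DICTIONARY):
    """Return the dictionary word a cracker's mutation rules would derive
    `candidate` from, or None if no simple mutation matches."""
    core = TRAILING_JUNK.sub("", candidate.lower())
    plain = "".join(LEET_TO_LETTER.get(ch, ch) for ch in core)
    for word in (plain, plain[::-1]):       # also catch reversed words
        if word in dictionary:
            return word
    return None

def check_admin_password(candidate: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for p in classes if re.search(p, candidate)) < 3:
        problems.append("uses fewer than three character classes")
    base = dictionary_base(candidate)
    if base:
        problems.append(f"derived from dictionary word '{base}'")
    return problems

if __name__ == "__main__":
    for pw in ("p@ssw0rd", "Secret99", "Adm1n!", "terces", "Xq7!vLm2#pRw"):
        print(pw, "->", check_admin_password(pw) or "ok")
```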

The Inside Job

The worst threat against your computer files and databases may be an employee or contractor with legitimate access. It's a lot easier for someone on the inside to copy sensitive information to a disk than it is to penetrate a firewall. Use these precautions with everyone from clients and employees to contractors:

Greg Gilliom, president and CEO of NetworkICE, the company that created BlackICE, says of the software, "If you have any valuable information on your server and someone tries to break in and get it, you'll know about it and BlackICE blocks the attempt." The program runs in the background, logging intrusion attempts along with identification information, while providing a customizable firewall for sites that allow database information retrieval by site visitors. By setting the software to a "paranoid" access level, for instance, all attempts to access the server that don't fit into a predetermined range are rejected. This allows your customers to spend money freely but keeps nosy crooks out.

After Rockliffe began running the product on its server, the hacker made another attack on the system. This time, the company was able to track the identity of the hacker, contact his Internet service provider and have his account closed. Probably the work of a stranger, right? Not according to Rockliffe owner John Davies. "We linked the hacker's domain name to his customer record in our database. I guess he really liked our software. He was trying to see if he could find any license keys."

Asking The Experts

Once you've learned to think like a hacker, consider enlisting the services of an expert. "Security can get so complex so quickly, that even major corporations will hire security experts. Chances are, unless you're an expert in the area, you're not going to know enough," Sherman says. IBM Global Services provides "Ethical Hacking," an alternative to hiring a full-time security guru. For between $15,000 and $40,000, a team of expert hackers performs a thorough review of your overall network design. Then they'll attempt to gain unauthorized access to your server and you'll get a complete report, along with recommendations for immediate and long-term security improvements.

What can you do if your budget isn't big enough to hire a team of white-hatted hackers or a security genius? Move the whole thing offsite, like Rockliffe Software did shortly after the hacking incident. "Running a server locally can be problematic, especially if your Internet connection goes down. To be honest, I wouldn't recommend it to anybody," Davies says.

"People who have servers in their homes have a lot of challenges because they have to manage the software and the traffic and they have to be on call 24 hours a day," says Laura Zung, vice president of product management for Verio Inc., a Web hosting company that offers secure e-commerce packages with built-in encryption. "The very best option for home-based entrepreneurs is a hosting account and e-commerce software. It gives the best price-performance and is very secure." With equipment in your home, you're responsible for your customers' security. If you sign up for a remotely hosted Web site, then the ball is in the provider's court. A Web host also absorbs most of the overhead and setup costs, creating an inexpensive, virtually hack-free solution.

Extra Protection

Whether you keep your server at home or farm it out to a Web host, you can insure yourself against electronic attacks. offers policies that cover breach of computer security, computer theft, damage to data and software, and loss of business income due to illegitimate use or a denial of service attack. Marsh Inc. provides a "Net Secure" policy that covers security breaches, information theft and denial of service attacks.