Information Security News mailing list archives
Hackers caught in security 'honeypot'
From: InfoSec News <isn () C4I ORG>
Date: Wed, 20 Dec 2000 01:23:08 -0600
http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html?chkpt=zdhpnews01 By Keith Johnson, WSJ Interactive Edition December 19, 2000 6:01 AM PT When a group of suspected Pakistani hackers broke into a U.S.-based computer system in June, they thought they had found a vulnerable network to use as an anonymous launching pad to attack Web sites across India. But what they had done was walk right into a trap known as a honeypot -- a specially equipped system deployed by security professionals to lure hackers and track their every move. For a month, every keystroke they made, every tool they used, every word of their online chat sessions was recorded and studied. The honeypot administrators learned how the hackers chose their targets, what level of expertise they had, what their favorite kinds of attacks were, and how they went about trying to cover their tracks so that they could nest on compromised systems. Lance Spitzner, the honeypot's creator, is a self-confessed computer geek, but he's more likely to quote Sun Tzu's "The Art of War" than the latest guide to Unix. A security consultant with Sun Microsystems Inc. in Chicago, Spitzner says he is applying the tactics and techniques he learned as a tank commander in the U.S. army to the cloak-and-dagger world of Internet security. "I used to have to crawl around inside Soviet T-72 tanks to get an idea what the enemy was doing, what they had to work with," the 31-year-old says. "Now, I'm doing the same thing, just with different tools." To be sure, Spitzner's HoneyNet Project -- which includes some 30 security professionals, programmers and psychologists, all working on the project in their spare time -- isn't the first time honeypots have been used to gather intelligence on the Internet underground. The concept, if not the term, was coined by Clifford Stoll in his groundbreaking "Cuckoo's Egg" story of hacker tracking, and experts have used decoy computer systems for years to lure hackers and study their moves. But unlike previous honeypots, which were baited with known vulnerabilities designed to mimic various computers, Spitzner's team puts unmodified production systems online -- networks with the same specifications, operating systems and security as those used by many companies. And this project isn't a hush-hush, internal corporate operation like previous honeypots: Spitzner posts all of his findings on the Internet for the security community to see at project.honeynet.org. That approach scores big points with many security professionals, who say it makes their job easier by raising awareness of the threats posed by even inexpert hackers. "Some 95 percent of a security practitioner's job is convincing people to take [these threats] seriously," says Marcus Ranum, chief technology officer for NFR Security Inc., of Rockville, Md., who says the availability of the information gathered by the HoneyNet Project is one of its biggest virtues. Spitzner's work "has been a terrific resource for me to be able to say to people, 'Go see what the hackers are up to, if you don't believe this stuff is real," Ranum says. Trailing the kiddies Spitzner says a four-year stint in the U.S. army's rapid-deployment force after the Persian Gulf War taught him how valuable reliable information on the enemy could be. But there wasn't much available when he joined Sun two years ago as a consultant advising corporate clients on security issues. "There was very little information out there on just who these hackers were, on what was motivating them, on how they operated," he says. Curious, he built his first honeypot in a spare bedroom early last year. Within 15 minutes, it was scanned by a hacker looking for easy prey. For about 18 months, the HoneyNet Project -- which mushroomed as word of the project spread through the security community -- has focused on the kinds of random attacks carried out by so-called script kiddies, who use ready-made software to attack vulnerable systems. The temporary shutdowns of Amazon.com, eBay and Yahoo! this year were blamed on script kiddies armed with software they downloaded from the Internet. Even though they often are technological neophytes, script kiddies pose a big threat to corporate security. While "people laugh at them," says Spitzner, "they've compromised an awful lot of corporate sites." Security experts attribute that in part to the proliferation of Web sites where hacking software is made available to the public, allegedly for educational purposes. NFR's Ranum says the combination of easily available software and greater numbers of would-be hackers has "hugely increased the threat" to corporate security. And no one is safe from random attacks targeting any system with a connection to the Internet, says Eric Cole, a member of the HoneyNet Project who teaches courses for the Security Administration and Network Security Institute, an industry think tank. "It doesn't matter if you're a Fortune 500 company or a small start-up," he says, "hackers will probe you and try to get in." The script kiddies don't just find tools to scan the Internet for vulnerable systems; dozens of point-and-click applications are available to let them cover their tracks once on board, rewriting the logs that keep track of who has done what on the system. In response, security professionals have come up with programs that track network traffic or detect any changes to key files within the system, leading to an elaborate game of hide-and-seek. In one of his first honeypot episodes, early last year, Spitzner spent four days following a script kiddie around his honeypot, watching as the hacker used ready-made programs to cover his tracks and gain control of the system. Mr. Spitzner, wary of scaring away the hacker, had to tread carefully, making sure to leave no trace as he in turn explored the system's logs. Based on what he learned, Spitzner was able to armor common operating systems like Linux and Solaris against most script kiddie attacks. The real challenge, says free-lance security consultant Martin Roesch, is "keeping up with the hacker arms race." A member of the HoneyNet Project since its inception, Roesch created Snort, a program that allows the team to eavesdrop on network traffic into the honeypot. He has spent two years fine-tuning the program "as part of the constant cycle of measure/countermeasure" that pits security pros against the script kiddies armed with increasingly sophisticated software. The next step, due to be initiated in January, is to sweeten the honeypot by building a transactional system that looks like an electronic-commerce site. The intent is to make the honeypot irresistible to the more-skilled hackers, dubbed blackhats, who are looking to steal credit-card numbers rather than just vandalize Web sites. Max Kilger, a team member and Stanford-educated psychologist, says that could be the ideal opportunity to take the offensive and begin developing pre-emptive security countermeasures based on what the project learns about the psychology of these hackers. Since the blackhat community has rigidly defined social structures like any other group -- a strict meritocracy that breeds fierce competition and rivalry -- Kilger thinks in-depth knowledge of their habits also could help security professionals bring hackers in from the cold. And just having honeypots operational, he adds, can serve as an effective deterrent -- virtual land mines to protect corporate networks from prying eyes. There are, though, still plenty of questions and criticism about the HoneyNet Project and honeypots in general. For starters, although the project has helped show many in the security community the nuts and bolts of investigating a break-in, it is unlikely to shine a light on any of the cutting-edge tools used by hackers. "The project is ground-breaking in the sense that they're being so helpful and open about it," says Ranum. "But technologically, what they're doing isn't rocket science." And while honeypots are a great training environment for security professionals, says Elias Levy, chief technology officer at Securityfocus.com, a leading online source of security information and discussion, "they won't fulfill their promise unless you have the time to administer them correctly." Companies concerned about security threats are "better off using an intrusion-detection system" if they don't have a dedicated team of highly trained administrators, he says. Many security chiefs could use the training. According to the Security Administration and Network Security Institute, putting unqualified administrators in charge of security is one of the biggest mistakes companies make. But many administrators, torn by budget constraints and the need to find quick-fix solutions to get critical systems back online, often are in no position to probe hacker attacks, says Frank Prince, an electronic-security analyst with Forrester Research in Cambridge, Mass. Honeypots or other projects that offer the detailed, behind-the-scenes forensics of hacker tracking often end up being as useful as "metallurgy for the guy tightening the lug nuts," Prince says. What's more, in dollar terms the most damaging attacks come from inside companies, not from hackers, he says. While honeypots can help compile information on people breaking into the system, they do little to combat sabotage from within. ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Hackers caught in security 'honeypot' InfoSec News (Dec 20)