Return-Path: <sentto-279987-1713-999869362-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Fri, 07 Sep 2001 06:31:28 -0700 (PDT) Received: (qmail 22669 invoked by uid 510); 7 Sep 2001 13:29:33 -0000 Received: from n33.groups.yahoo.com (216.115.96.83) by 204.181.12.215 with SMTP; 7 Sep 2001 13:29:33 -0000 X-eGroups-Return: sentto-279987-1713-999869362-fc=all.net@returns.onelist.com Received: from [10.1.4.52] by ei.egroups.com with NNFMP; 07 Sep 2001 13:29:23 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_3_2_1); 7 Sep 2001 13:29:22 -0000 Received: (qmail 63533 invoked from network); 7 Sep 2001 13:29:02 -0000 Received: from unknown (10.1.10.27) by m8.onelist.org with QMQP; 7 Sep 2001 13:29:02 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 7 Sep 2001 13:24:47 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id GAA06793 for iwar@onelist.com; Fri, 7 Sep 2001 06:24:47 -0700 Message-Id: <200109071324.GAA06793@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Fri, 7 Sep 2001 06:24:47 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Honeynet-in-the-news] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Setting Out The Snares For Hackers By Jennifer Lee, The New York Times, 9/6/2001 www.nytimes.com THE break-in came on June 4, 2000, at 11:37 a.m. The target was a Sun Sparc5 computer sitting in the spare bedroom of a suburban Chicago house. The perpetrator probed the computer's operating system for a well-known vulnerability. When he found it, he attacked by sending a small piece of code that exploited the weakness and opened a backdoor to the system's most sensitive areas. The attacker set up shop inside the computer, reprogramming the machine to lie to the owner. He installed a program that would allow him to control the computer remotely, and he fixed the holes in the computer's security to secure it against other intruders. He then tried to cover up his tracks, erasing any record of his having broken in. But it was too late: the computer was equipped with sensors, the digital equivalent of a burglar alarm. An e-mail message went out to 20 computer professionals around the globe alerting them to the attack. They didn't move to stop the intrusion or defend the computer, however. They simply sat back and observed. The marauding intruder had wandered into what is known as a honeypot, a computer that is designed to be attacked. While most such machines are lures to keep attackers away from important computer systems, this one was part of a nonprofit research effort known as the Honeynet Project. Relying partly on criminal psychology and partly on computer security, the Honeynet Project enlists experts to lay traps to examine the modus operandi of predatory hackers, or "black hat" hackers. The project started out as a hobby for Lance Spitzner, a security engineer for Sun Microsystems who became curious about some suspicious activity he saw on his computer logs at home. When he put a computer online to test for hackers in February 1999, it was attacked within 15 minutes by an automated program that was scanning the Internet for vulnerable systems. It was his first exposure to how aggressive and systematic the black hat hackers are: not only corporate systems, but even nondescript home computers have value to them. Security through obscurity is not a viable strategy. Through his requests for help and word-of-mouth communication, the project has mushroomed into a team of 30 respected programmers, psychologists, reformed and semi-reformed hackers, and former military officers from the United States to Israel to India who volunteer their spare time. Team members rarely meet face to face, instead dissecting information individually and communicating with one another by e-mail. But in July about 15 of them met in Las Vegas to do a presentation at the Black Hat computer security conference, with some of them seeing each other for the first time. If nothing else, the project has demonstrated that computers on the Internet are vulnerable. It estimates that between April and December of last year, nine of its 12 computer systems were hacked, some of them multiple times. One Windows 98 system was compromised five times in four days. In an unusual move for the opaque world of computer security, the Honeynet Project has been sharing its research publicly, first through a series of papers released on the Internet and next through a book called "Know Your Enemy," to be published by Addison-Wesley with an accompanying CD-ROM this month. The project hopes to raise awareness of the risks posed by black hat hackers, even to home computers. Through a step-by-step analysis of how black hats disguise their attacks, they hope to learn how to prevent one. The Honeynet Project grew out of Mr. Spitzner's surprise and disappointment over how little information on black hat hackers was available to security professionals, in contrast to the detailed enemy profiles he relied on during four years as an Army tank commander in the military's Rapid Deployment Force after the Persian Gulf War. In warfare, he said, knowing the enemy's motivations, techniques and weapons is critical. "In the military you are given intelligence on your enemy," said Mr. Spitzner, who crawled around the inside of a Russian T-72 tank as part of his training. "In the security community, there is very little information on the enemy -- what they do, how they attack." The project first documents the frequency of attacks on a target. In one 30-day period, the "honeynet" -- typically, three or more computers set out as bait -- was scanned an average of 17 times a day. The team estimates that the computer system most vulnerable to hackers is the default installation of a Red Hat 6.2 server, which they say is usually compromised within 72 hours. (Although a patch is available, users often neglect to install it.) Roger Schermerhorn, a senior manager with the Andersen consulting firm who was among several hundred computer security professionals at the Honeynet presentation in Las Vegas, said he was impressed by the statistics. "It's quantifiable measurements and data," he said. "That's extremely rare to find." The project's analysis is psychological as well as statistical. Some of the most intriguing information involved the attack on the Sun Sparc5 in June 2000, which the project analyzed in a paper posted at project .honeynet.org/papers/motives/. Honeynet reported that the computer had been attacked by an international gang of computer hackers, most of them based in Pakistan, who had taken over hundreds of computers around the world with the goal of using them as launching pads for other attacks. The group, which calls itself K1dd13 (pronounced kiddie), was not technically savvy. In the online chats, one member asked how to mount a drive in the Unix operating system, which for a hacker would be as rudimentary as knowing how to insert a CD-ROM into a PC. Even so, the Honeynet Project says, the group has invaded computers operated by NASA and the the United States Navy. "It says something about us as security professionals that people who are this incompetent can cause this much damage," Mr. Spitzner said. By monitoring the hackers' online conversations, which shifted from English to Romanian to a dialect of Urdu, Pakistan's national language, the security professionals were able to piece together profiles of the hackers and produce a case study of the sociology of hacking. They believe that the leader is a 17-year-old youth in Karachi, Pakistan, who says his activities are motivated by a desire to draw attention in cyberspace to violence against Muslims in Kashmir, the disputed territory bordering India and Pakistan. Other members of the group seemed motivated less by politics than by an urge to do damage. The proliferation of automated hacking tools, which systematically scan large numbers of computers on the Internet and exploit their weaknesses, has made attacking accessible to "script kiddies," hackers who have relatively little technical knowledge. "They were not very skilled," said Saumil Shah, a Honeynet Project member who translated much of the online dialogue from Urdu. "They were just fumbling around." The hackers' personalities proved more interesting than their techniques. Analyzing the K1dd13 conversations, the Honeynet Project psychologist, Max Kilger, described a complex hierarchy based on technical prowess in which rivalry plays a big role. Dr. Kilger, who works for a market research firm, noted the extent of bragging and denigration of other members' skills, a practice that apparently extends to much of the black hat community. In one conversation, the leader bragged about the speed with which he attacked 40 computers. "I owned and trojaned 40 servers of Linux in 3 hours," he said. Prestige within the group is partly determined by the number and the prestige of the computers and domain names controlled. Rivalries among groups of black hats also lead them to attack one another's systems for sport. Hackers also often update the security in their victims' computers to fortify their targets against attacks by other groups. One popular method is to use the occupied computer to launch a denial-of-service attack, which involves overwhelming a computer's capacity with a deluge of requests, on other potential hackers. "He went down for 7 hours," boasted one K1dd13 member who "dossed" a rival computer. The Honeynet Project estimates that 60 percent to 80 percent of hackers break into computer systems to gain bragging status and that 10 percent to 20 percent attack systems for financial gain. "Those are the scary ones," Mr. Spitzner said of the latter. For those hackers, accounts become a form of currency. The K1dd13 members bartered online with other black hats, exchanging credit card numbers for computer user accounts and passwords. One non-K1dd13 hacker offered to trade 14 unused Visa and Mastercard numbers, or "virgin credit cards," for access to computer accounts. Another was looking specifically for a compromised America Online account. Most members of the Honeynet Project are white hats, people who use their knowledge or networks to improve security. Marty Roesch, for example, created a free intrusion-detection system called Snort. But in computer security, such things are not always black and white. Some of the Honeynet Project's biggest contributors are "gray hats" who are well known for creating some of the invasive tools that people must defend their computers against. One Honeynet member from the Chicago area who goes by the online nickname Rain Forest Puppy is known for discovering high-profile security flaws in software like that used by Microsoft's Web server and then distributing programs that take advantage of them. "I'm not in it to catch hackers," he said in an interview in Las Vegas. "I'm in it to develop security research." The Honeynet Project is beginning to gather institutional partners to speed its research and collection of data. Both the University of Pennsylvania and the Naval Postgraduate School in Monterey, Calif., have set up honeynet systems. In the meantime, members are witnessing how rapidly the black hat community learns of their progress. After the Honeynet Project posted its K1dd13 paper on the Internet, for example, it took just four hours for the hacker group to identify the computer in question and pull out of the honeypot. "They left a very nasty message behind," Mr. Spitzner said. "Definitely not printable in a newspaper." http://www.nytimes.com GRAPHIC: Photos: Lance Spitzner, who leads the Honeynet Project. (Associated Press)(pg. G1); LURING PREDATORS -- A diagram of Honeynet Project computers, top, and an online conversation between boastful hackers that it monitored. (Associated Press)(pg. G6) ------------------------ Yahoo! Groups Sponsor ---------------------~--> Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide: "Securing Your Web Site for Business." Get it Now! http://us.click.yahoo.com/n7RbFC/zhwCAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:40 PDT