Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Payback time! How to catch a hacker

From: InfoSec News <isn () c4i org>
Date: Thu, 31 Jan 2002 04:08:43 -0600 (CST)
Forwarded from: security curmudgeon <jericho () attrition org>


 I'm sure everyone will remember hackerwatch.org from last year, when they
 were the victim of an embarassing defacement. Commentary:

 http://www.attrition.org/security/commentary/hackerwatch.html

 Mirror of the defacement:

 http://defaced.alldas.de/mirror/2001/06/18/www.hackerwatch.org/

                                - security curmudgeon
--

Payback time! How to catch a hacker
By Robert Vamosi           
January 30, 2002, 5:10 AM PT
http://zdnet.com.com/2100-1107-825844.html

COMMENTARY--A new service from McAfee will soon let you discover whether
anyone is hacking into your system, and if so, let you submit that
information to the malicious user's ISP or local law enforcement
officials. 

The project, known as HackerWatch.org, is an ambitious attempt by McAfee,
a division of Network Associates best known for its antivirus products, to
create an interactive anti-hacker community online.  But will it make a
difference? 

Sam Curry, who has overseen firewall development at McAfee for some time,
said HackerWatch is intended "not to start any witch hunts, but to get
good quality information" from its users.  To help it reach that goal,
McAfee recently merged with NeoWorx, a company best known for NeoTrace, a
product used by law enforcement to trace malicious users. 

HOW DOES IT WORK? Using the Internet tools whois and ping, NeoTrace tracks
the origin of any malicious user who attempts to intrude on your system. 
Since the McAfee merger, the product has been renamed McAfee Visual Trace. 
The program shows you the routes by which the malicious user contacted
your computer graphically, as nodes displayed on a world map. The nodes
are color-coded to represent the speed of the signal--red for slow and
green for fast. McAfee Visual Trace is able to look up the registered
owners of the originating address, and if the malicious user's location
falls within the United States, it can even display the hacker's street
address.

Along with NeoTrace, NeoWorx also makes a firewall product called
NeoWatch, an intrusion detector which is known for its friendly GUI.  The
latest release of McAfee's Personal Firewall, version 3.0, fuses
NeoWatch's interface with earlier versions of McAfee's Personal Firewall. 
With version 3.0, whenever the McAfee firewall stops an intrusion, anyone
subscribed to the HackerWatch service will be able to receive details
about the intruder. 

If HackerWatch identifies your event as malicious or suspicious, Curry
said, you have the opportunity to volunteer information about your
break-in to the pool of data being collected by HackerWatch.  You also
have the option to forward the info to the malicious user's ISP, and
perhaps put pressure on the ISP to refuse him or her service. Certain
events, such as distributed denial-of-service attacks, can even be sent to
local law enforcement. 

THE GOOD NEWS IS that reporting any hacking attempt on your system is
completely up to you; HackerWatch will not send the information it gathers
to ISPs or law enforcement. Furthermore, your ISP and timestamp
information will be removed from any reports.  As Curry explained it,
"that information can later be supplied with a subpoena, if needed."  At
present, only certain events will be flagged as suspicious--for example,
when there's a lot of activity from a single IP address or heavy activity
on a particular TCP/IP port. In the future, HackerWatch hopes to be able
to distinguish suspicious content within data packets being sent across
the Internet. 

Within the next six months, Curry said McAfee plans to make more of the
HackerWatch.org site public by including Internet alerts from CERT
Coordination Center and the SANS Institute. The site will also provide its
own HackerWatch-based alerts, as McAfee moves toward a unified
hacker/virus rating system. "HackerWatch.org will be parallel to our virus
coverage," said Curry.  "The [McAfee] Visual Trace information on the site
will be analogous to McAfee's Virus Map."

In theory, HackerWatch.org is great idea.  In practice, it'll depend on
how many of you use McAfee's products and report your findings to
HackerWatch--as well as to ISPs and law enforcement.  According to Curry,
there are about 200,000 HackerWatch subscribers, with about 55 to 60
percent of those located inside the U.S.  That is a tiny fraction of the
worldwide Internet community.  But you have to start somewhere, so I wish
McAfee good luck.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: