A New Way to Catch a Hacker

[InfoSec News <isn () c4i org>]

http://www.nytimes.com/2003/04/28/technology/28NECO.html

By NICHOLAS THOMPSON
April 28, 2003   
 
For a computer security professional, Lance Spitzner has an unusual
goal: He wants ill-intentioned hackers to steal more Social Security
numbers and medical records.

Mr. Spitzner, a former Army officer, spends his days working at Sun
Microsystems and his evenings running the volunteer Honeynet Project,
a group of security professionals working to track hackers. Until
recently, the four-year-old nonprofit effort focused on building and
monitoring honeypots — computer systems designed to be easily
penetrated so that Honeynet volunteers can covertly scrutinize
hackers' tricks when they break into the systems.

Now Mr. Spitzner, 32, is focusing his efforts on a different type of
defense based on the insertion of "honeytokens" into real databases
and systems.

Honeytokens are pieces of seemingly enticing information that have no
useful value. Embedded in ways so that no innocent person should
accidentally stumble upon them, honeytokens trigger alarms when
viewed, grabbed or downloaded. For example, a bank could insert a fake
credit card number into its files and then set up a program called a
"sniffer" on the network that would send out an alarm if anyone
touched that particular number.

The term "honeytokens" was coined on Feb. 21 by a programmer named
Augusto Paes de Barros who used it in an e-mail message to a list of
security professionals. But the idea is not new.

It dates back in computing at least to 1986, when Clifford Stoll, a
programmer at Lawrence Berkeley National Laboratory in California,
buried fake records for an organization called the Strategic Defense
Initiative Network deep in his server. When intruders started
downloading the records, and then someone sent a letter to Mr. Stoll
about the phony organization, he and federal investigators traced the
intruders to East German and Soviet intelligence agencies.

Today, the use of honeytokens is not uncommon. For example, ForeScout
Technologies, based in San Mateo, Calif., has built a commercial
software program that tracks incidents of surreptitious
reconnaissance, like port scans — the computer equivalent of someone
turning your doorknob to see if it is unlocked. The program will
announce a false message of vulnerability to the scanner in the form
of a honeytoken. It then breaks the connection if the hacker follows
up with an attack.

Honeytokens, like their cousins the honeypots, are based on the notion
that if you build it, they will come. Mr. Spitzner became intrigued by
the idea of honeypots after putting a new computer online at home and
watching it get attacked within 15 minutes by an automatic program
scanning the Internet for vulnerable prey.

Many computer criminals break into systems simply for the fun and
challenge. Others are looking to take over vulnerable systems in order
to use them as safe houses for setting off further, more serious,
attacks. Others want to mine credit card addresses or steal corporate
secrets. According to a 2002 report by the Computer Security
Institute, 90 percent of the 500 corporations, government agencies,
financial institutions, medical institutions and universities surveyed
detected security breaches during the previous year.

Honeytokens could also be useful for national security purposes.  
Michael Vatis, director of the Institute for Security Technology
Studies at Dartmouth University, said that the Defense Department
could use them to snare people seeking unauthorized information on
weapons systems. For example, a honeytoken could be designed so that
if it were downloaded and then taken to a different system, it would
be able to contact its original server each time it was accessed. One
way to do this would be to include code in the honeytoken that would
automatically try to fetch a tiny image or some other file based on
the home server, making the honeytoken "phone home" whenever it is
opened.

Honeytokens also can be used to track attacks from within a company by
people who have passwords to enter the system legitimately. Pete
Herzog, managing director of the Institute for Security and Open
Methodologies, says that he has used honeytokens to detect when
employees illicitly download forbidden material. For example, he has
entered corporate memos with particular typos into private databases
and then monitored company networks to see where those typos show up.  
Tracing these honeytokens, he says, often leads to caches of illegal
materials stored on the network.

No one believes that honeytokens can stop all cybercrime. But they
could offer an upgrade in protection.

Honeytokens offer another advantage: They help reduce the number of
false positives in other cyberdefense systems. Like car alarms,
intrusion detection systems can go off so frequently because of
accidental trespassing that many security administrators ignore the
warnings. Honeytokens, if designed correctly, should trigger alarms
only if there is a malicious attack.

Hackers, however, are not impressed. Adrian Lamo, who gained notoriety
last year when he claimed to have broken into the systems of a number
of companies, including Yahoo, says he is not worried. "It's a form of
old-school security," he says. "It will work on the people who have
been to the old schools."

Mr. Lamo says that he only goes after information that he knows other
people frequently seek access to and that he runs credit checks to
ensure that information he uncovers, like Social Security numbers, are
real. Mr. Spitzner contends that it should not matter whether a hacker
bothers to run a credit check because the alarm should ring any time
the decoy record is accessed.

Hackers can also evade honeytokens by compressing and
password-protecting the information they steal, thereby changing or
hiding the data, like fake Social Security numbers or typos, in memos
that the sniffers are searching for. And "phone home" honeytokens
designed to trace users could be thwarted if opened only on computers
disconnected from the Internet.

Some experts are also worried about the possibility that using
honeytokens could violate the federal Wiretap Act, which places limits
on intercepting and monitoring electronic communications. Richard
Salgado, senior counsel for the Justice Department's computer crime
and intellectual property unit, has said that very little law governs
this new area and that security technicians should consult first their
lawyers.

Mr. Spitzner said that he was less worried about the law than about
smart hackers. Honeytokens cannot solve all problems, he said. "But
they can make a very simple and powerful tool in a security arsenal."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.