Information Security News mailing list archives

Hackers caught in security 'honeypot'


From: InfoSec News <isn () C4I ORG>
Date: Wed, 20 Dec 2000 01:23:08 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html?chkpt=zdhpnews01

By Keith Johnson, WSJ Interactive Edition
December 19, 2000 6:01 AM PT

When a group of suspected Pakistani hackers broke into a U.S.-based
computer system in June, they thought they had found a vulnerable
network to use as an anonymous launching pad to attack Web sites
across India.

But what they had done was walk right into a trap known as a honeypot
-- a specially equipped system deployed by security professionals to
lure hackers and track their every move. For a month, every keystroke
they made, every tool they used, every word of their online chat
sessions was recorded and studied. The honeypot administrators learned
how the hackers chose their targets, what level of expertise they had,
what their favorite kinds of attacks were, and how they went about
trying to cover their tracks so that they could nest on compromised
systems.

Lance Spitzner, the honeypot's creator, is a self-confessed computer
geek, but he's more likely to quote Sun Tzu's "The Art of War" than
the latest guide to Unix. A security consultant with Sun Microsystems
Inc. in Chicago, Spitzner says he is applying the tactics and
techniques he learned as a tank commander in the U.S. army to the
cloak-and-dagger world of Internet security.

"I used to have to crawl around inside Soviet T-72 tanks to get an
idea what the enemy was doing, what they had to work with," the
31-year-old says. "Now, I'm doing the same thing, just with different
tools."

To be sure, Spitzner's HoneyNet Project -- which includes some 30
security professionals, programmers and psychologists, all working on
the project in their spare time -- isn't the first time honeypots have
been used to gather intelligence on the Internet underground. The
concept, if not the term, goes back to Clifford Stoll's groundbreaking
account of hacker tracking, "The Cuckoo's Egg," and experts have used
decoy computer systems for years to lure hackers and study their
moves.

But unlike earlier honeypots, which were baited with known
vulnerabilities and merely mimicked various kinds of computers,
Spitzner's team puts unmodified production systems online -- networks
with the same specifications, operating systems and security as those
used by many companies, so the attacks it records are the ones such
companies actually face. And this project isn't a hush-hush, internal
corporate operation like previous honeypots: Spitzner posts all of his
findings on the Internet for the security community to see at
project.honeynet.org.

That approach scores big points with many security professionals, who
say it makes their job easier by raising awareness of the threats
posed by even inexpert hackers. "Some 95 percent of a security
practitioner's job is convincing people to take [these threats]
seriously," says Marcus Ranum, chief technology officer for NFR
Security Inc., of Rockville, Md., who says the availability of the
information gathered by the HoneyNet Project is one of its biggest
virtues. Spitzner's work "has been a terrific resource for me to be
able to say to people, 'Go see what the hackers are up to, if you
don't believe this stuff is real,'" Ranum says.

Trailing the kiddies

Spitzner says a four-year stint in the U.S. army's rapid-deployment
force after the Persian Gulf War taught him how valuable reliable
information on the enemy could be. But there wasn't much available
when he joined Sun two years ago as a consultant advising corporate
clients on security issues. "There was very little information out
there on just who these hackers were, on what was motivating them, on
how they operated," he says.

Curious, he built his first honeypot in a spare bedroom early last
year. Within 15 minutes, it was scanned by a hacker looking for easy
prey. For about 18 months, the HoneyNet Project -- which mushroomed as
word of the project spread through the security community -- has
focused on the kinds of random attacks carried out by so-called script
kiddies, who use ready-made software to attack vulnerable systems. The
temporary shutdowns of Amazon.com, eBay and Yahoo! this year were
blamed on script kiddies armed with software they downloaded from the
Internet.

Even though they often are technological neophytes, script kiddies
pose a big threat to corporate security. While "people laugh at them,"
says Spitzner, "they've compromised an awful lot of corporate sites."
Security experts attribute that in part to the proliferation of Web
sites where hacking software is made available to the public,
allegedly for educational purposes. NFR's Ranum says the combination
of easily available software and greater numbers of would-be hackers
has "hugely increased the threat" to corporate security.

And no one is safe from random attacks targeting any system with a
connection to the Internet, says Eric Cole, a member of the HoneyNet
Project who teaches courses for the SANS Institute, an industry
training and research organization. "It doesn't matter if you're a
Fortune 500 company or a small start-up," he says, "hackers will probe
you and try to get in."

The script kiddies don't just find tools to scan the Internet for
vulnerable systems; dozens of point-and-click applications are
available to let them cover their tracks once on board, editing or
wiping the logs that record who has done what on the system. In
response, security professionals have come up with programs that
monitor network traffic (an intruder's actions still cross the wire
even after the host's own logs have been cleaned) or detect any
changes to key files within the system, leading to an elaborate game
of hide-and-seek.
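The "detect any changes to key files" approach described above, as an added example that is not code from the HoneyNet Project or from any product named in the article: a baseline of SHA-256 digests over a directory tree, rechecked after a constructed intrusion in which the log is wiped, a system binary is replaced and a sniffer is dropped. The directory layout, file contents and log lines are constructed for the demonstration.

```python
"""Minimal file-integrity checker: baseline the hashes of key files, then
re-check and report what changed. Added example; not Honeynet Project code."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest
    and size. In real use the baseline must live off-box or on read-only
    media: an intruder with root can otherwise just regenerate it."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline. A file that changed AND shrank
    is flagged separately: that is the usual footprint of a log cleaner."""
    current = build_baseline(root)
    report = {"modified": [], "truncated": [], "deleted": [], "added": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["deleted"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            if new["size"] < old["size"]:
                report["truncated"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): baseline a fake
    system tree, then simulate a log cleaner and a rootkit installer."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps binary\n")
        (root / "var" / "log" / "messages").write_text(
            "Jun  4 02:11:07 honeypot sshd[812]: Accepted password for root from 203.0.113.7\n"
            "Jun  4 02:11:09 honeypot su[819]: root on pts/1\n")
        baseline = build_baseline(root)

        # Intruder: wipe the incriminating log, swap in a trojaned ps that hides
        # attacker processes, and drop a sniffer binary.
        (root / "var" / "log" / "messages").write_text("")
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps hides attacker processes\n")
        (root / "bin" / "sniffer").write_bytes(b"\x7fELF sniffer\n")
        return check(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

The report distinguishes a shrunken log from an ordinary modification because legitimate logs only grow between checks; a size drop on a file under var/log is worth an alert on its own, even before anyone reads the surviving entries.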

In one of his first honeypot episodes, early last year, Spitzner spent
four days following a script kiddie around his honeypot, watching as
the hacker used ready-made programs to cover his tracks and gain
control of the system. Spitzner, wary of scaring away the hacker, had
to tread carefully, making sure to leave no trace as he in turn
explored the system's logs. Based on what he learned, Spitzner was
able to armor common operating systems like Linux and Solaris against
most script kiddie attacks.

The real challenge, says free-lance security consultant Martin Roesch,
is "keeping up with the hacker arms race." A member of the HoneyNet
Project since its inception, Roesch created Snort, a program that
allows the team to eavesdrop on network traffic into the honeypot. He
has spent two years fine-tuning the program "as part of the constant
cycle of measure/countermeasure" that pits security pros against the
script kiddies armed with increasingly sophisticated software.
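One turn of the measure/countermeasure cycle the paragraph describes, as an added example that is not Snort's code: a Snort-style content rule applied to constructed HTTP requests, an attacker's cheap evasion (percent-encoding and path padding in the URI) that slips past a literal match, and the normalization step that restores the match. The rule IDs, messages and request payloads are hypothetical and constructed for the demonstration.

```python
"""Snort-style content matching plus one evasion/countermeasure round.
Added example, not Snort's own code; rules and packets are constructed."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Rule:
    sid: int          # hypothetical rule id
    msg: str
    dport: int        # only inspect traffic to this destination port
    content: bytes    # byte pattern searched in the payload, like Snort's content:


RULES = [
    Rule(1001, "WEB-CGI phf access attempt", 80, b"/cgi-bin/phf"),
    Rule(1002, "shell path in HTTP request", 80, b"/bin/sh"),
]


def naive_match(dport: int, payload: bytes, rules=RULES) -> list:
    """Measure: a literal substring search, as early signature engines did."""
    return [r.sid for r in rules if r.dport == dport and r.content in payload]


def normalize_http(payload: bytes) -> bytes:
    """Countermeasure: undo the obfuscations an attack tool applies to a URI
    (percent-encoding, /./ and // padding) so the rule is matched against the
    request the web server will actually act on."""
    p = unquote_to_bytes(payload)
    while b"/./" in p:
        p = p.replace(b"/./", b"/")
    while b"//" in p:
        p = p.replace(b"//", b"/")
    return p


def detect(dport: int, payload: bytes, rules=RULES) -> list:
    """Match the rules against the normalized payload."""
    return naive_match(dport, normalize_http(payload), rules)


# Constructed sample requests, not captured traffic.
PLAIN = b"GET /cgi-bin/phf?Qalias=x%0a/bin/sh HTTP/1.0\r\n\r\n"
# The same attack with the URI padded and percent-encoded.
EVADED = b"GET /cgi-bin/./phf?Qalias=x%0a%2fbin%2fsh HTTP/1.0\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"


def demo() -> dict:
    return {
        "plain_naive": naive_match(80, PLAIN),
        "evaded_naive": naive_match(80, EVADED),   # literal signature bypassed
        "evaded_normalized": detect(80, EVADED),   # normalization restores the hit
        "benign": detect(80, BENIGN),
        "wrong_port": detect(8080, PLAIN),         # port-bound rules miss this
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:18s} -> {hits}")
```

The last case is the flip side of the arms race: a rule pinned to port 80 says nothing about the same request sent to a web server on another port, so the sensor's rule set has to track where services actually listen as well as how attackers encode their requests.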

The next step, due to be initiated in January, is to sweeten the
honeypot by building a transactional system that looks like an
electronic-commerce site. The intent is to make the honeypot
irresistible to the more-skilled hackers, dubbed blackhats, who are
looking to steal credit-card numbers rather than just vandalize Web
sites.

Max Kilger, a team member and Stanford-educated psychologist, says
that could be the ideal opportunity to take the offensive and begin
developing pre-emptive security countermeasures based on what the
project learns about the psychology of these hackers. Since the
blackhat community has rigidly defined social structures like any
other group -- a strict meritocracy that breeds fierce competition and
rivalry -- Kilger thinks in-depth knowledge of their habits also could
help security professionals bring hackers in from the cold. And just
having honeypots operational, he adds, can serve as an effective
deterrent -- virtual land mines to protect corporate networks from
prying eyes.

There are, though, still plenty of questions and criticism about the
HoneyNet Project and honeypots in general. For starters, although the
project has helped show many in the security community the nuts and
bolts of investigating a break-in, it is unlikely to shine a light on
any of the cutting-edge tools used by hackers. "The project is
ground-breaking in the sense that they're being so helpful and open
about it," says Ranum. "But technologically, what they're doing isn't
rocket science."

And while honeypots are a great training environment for security
professionals, says Elias Levy, chief technology officer at
Securityfocus.com, a leading online source of security information and
discussion, "they won't fulfill their promise unless you have the time
to administer them correctly." Companies concerned about security
threats are "better off using an intrusion-detection system" if they
don't have a dedicated team of highly trained administrators, he says.

Many security chiefs could use the training. According to the SANS
Institute, putting unqualified administrators in charge of security is
one of the biggest mistakes companies make.

But many administrators, torn by budget constraints and the need to
find quick-fix solutions to get critical systems back online, often
are in no position to probe hacker attacks, says Frank Prince, an
electronic-security analyst with Forrester Research in Cambridge,
Mass. Honeypots or other projects that offer the detailed,
behind-the-scenes forensics of hacker tracking often end up being as
useful as "metallurgy for the guy tightening the lug nuts," Prince
says.

What's more, in dollar terms the most damaging attacks come from
inside companies, not from hackers, he says. While honeypots can help
compile information on people breaking into the system, they do little
to combat sabotage from within.

ISN is hosted by SecurityFocus.com