Information Security News mailing list archives

Counterspy


From: InfoSec News <isn () C4I ORG>
Date: Wed, 24 Jan 2001 02:01:43 -0600

http://www.forbes.com/forbes/2001/0205/130.html

Srikumar S. Rao
Forbes Magazine
02.05.01

Michael Lyle has no problem stooping to the hacker's level in the
information war. During one of his frequent 3 a.m. prowls on Internet
Relay Chat, the 21-year-old chief technology officer of Recourse
Technologies came across a braggart who claimed to have shut down a
site. The hacker spoke of a tool called Mstream that bombards servers
with junk data from many different sources. Posing as a hacker named
Icee, Lyle swapped some code for a copy of Mstream. Within a week he
had reverse-engineered it, and sent out a warning to his colleagues in
the security community.

Such countertactics are in demand as companies realize the passive
approach to cyberwar -- firewalls, intrusion detection systems -- is getting
them nowhere. More than 30,000 "how to hack" Web sites provide tools
to would-be interlopers. Providing tools to take back the night is big
business. "Sooner or later, companies' defenses will get busted. Now
they can fight back," says Frank Huerta, president of Recourse
Technologies in Palo Alto, Calif., one of the leading arms merchants.

Firms responding to the latest Computer Security Institute/FBI study
claim that costs from security breaches doubled in 2000. Security
software firm McAfee estimates that cybertheft and vandalism cost the
economy $20 billion a year. No wonder companies want to take the
offensive, arming themselves with potent software.

Two hot new weapons are "honey pots" and tracers. A honey pot is a
fake server set up to trap the unwitting intruder. Once inside, an
alarm is tripped and the hacker's every keystroke, method of entry and
manner of attack is covertly scrutinized. Tracers are surveillance
algorithms powerful enough to follow a hacker's tangled itinerary back
to its origin, whether an Internet service provider or a specific
Internet Protocol address.

The notion of honey pots has been around for decades but never caught
on because a good decoy server was too labor-intensive to set up, and
the information in it quickly became stale. An alert hacker would
quickly smell a ruse.

Recourse was founded in 1999 by two colleagues at the Web-hosting firm
Exodus Communications -- Huerta, a former marketer, and Lyle, a top
security expert. Their plan was to come up with a better honey pot.
Its ManTrap product, released in October 1999, can automatically and
easily simulate a credible environment and continuously updates it. "A
hacker can read e-mails calling for a marketing meeting or a
back-office tryst. When he comes back the next day he will find
minutes of the meeting and a love note on how good the tryst was,"
says Huerta.

Eugene Schultz, research director at security consulting firm
Predictive Systems, tested ManTrap at Purdue University and found that
hackers stayed 30% longer and came back more times than with rival
product Deception Tool Kit from Fred Cohen Associates.

ManTrap's honey pot can be so realistic that, on one occasion, a
Recourse programmer inadvertently entered one and made changes without
realizing he was in the wrong server. ManTrap, which costs $25,000 for
four "cages," protects against inside jobs, too. Within weeks of
installing ManTrap, a large telecommunications company caught two
employees trying to access confidential salary and personnel
information. "We intend to set up another honey pot. There's no
telling how many bad apples we have," says the firm's chief security
officer.

Tracing cybervandals back to their lairs is a harder task. Good
hackers will disguise their origins by sending packets from multiple
locations on the Net to more accurately map an entire system.
Recourse's just-released tracer, ManHunt, can correlate this isolated
data-gathering and recognize it as a prelude to an attack.

When it encounters suspect network data traffic, ManHunt quickly maps
the affected area and assigns probabilities to possible paths used by
the hackers to get in. It then checks and eliminates these paths one
by one, using something called Dijkstra's algorithm to find the most
likely route from systems administrator to point of entry.

Chasing a hacker's Internet Protocol address across the network
presents some murky legal issues. Technically, you could be charged
with trespassing if you track through the private servers of, say, an
Internet service provider, without its permission. If a provider isn't
already a ManHunt customer, Recourse will try to get rights of way by
sharing information about the hacker's behavior. ManHunt, which costs
$170,000 to run on one server with four microprocessors, is still
working on getting its first dozen customers.

Recourse's next product, TipOff, will tell a company if its network
has been hacked and check network integrity. The better it works, the
more it will push customers to buy ManTrap or ManHunt. Not a bad
strategy.

Srikumar S. Rao is Louis and Johanna Vorzimer Professor of Marketing
at New York's Long Island University.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
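
Added example, not part of the Forbes article and not Recourse's code: the article says ManHunt assigns probabilities to candidate paths and uses Dijkstra's algorithm to find the most likely route. One standard way to do that is to weight each link by -log(p), so the shortest path is the one with the highest product of probabilities. The node names, the probabilities and the -log weighting are assumptions made for illustration.

```python
import heapq
import math

# Constructed sample topology: each edge carries an assumed probability that
# the suspect traffic crossed that link (hypothetical values, not ManHunt data).
LINK_PROB = {
    ("admin-console", "core-switch"): 0.9,
    ("core-switch", "dmz-fw"): 0.6,
    ("core-switch", "vpn-gw"): 0.3,
    ("dmz-fw", "web-01"): 0.5,
    ("dmz-fw", "border-router"): 0.4,
    ("vpn-gw", "border-router"): 0.9,
    ("web-01", "border-router"): 0.95,
}

def most_likely_path(link_prob, source, target):
    """Return (probability, path) of the most probable route, or (0.0, [])."""
    graph = {}
    for (a, b), p in link_prob.items():
        if not 0.0 < p <= 1.0:
            continue  # a link with probability 0 has been eliminated
        w = -math.log(p)  # product of probabilities becomes a sum of weights >= 0
        graph.setdefault(a, []).append((b, w))
        graph.setdefault(b, []).append((a, w))  # links are treated as bidirectional
    dist = {source: 0.0}
    prev = {}
    heap = [(0.0, source)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue  # stale heap entry
        done.add(node)
        if node == target:
            break
        for nxt, w in graph.get(node, []):
            nd = d + w
            if nd < dist.get(nxt, math.inf):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    if target not in done:
        return 0.0, []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    path.reverse()
    return math.exp(-dist[target]), path
```

On the sample data the four-hop route through web-01 outranks both three-hop routes; setting a link's probability to 0 and rerunning models checking and eliminating a path.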

