Information Security News mailing list archives
Counterspy
From: InfoSec News <isn () C4I ORG>
Date: Wed, 24 Jan 2001 02:01:43 -0600
http://www.forbes.com/forbes/2001/0205/130.html

Srikumar S. Rao
Forbes Magazine
02.05.01

Michael Lyle has no problem stooping to the hacker's level in the information war. During one of his frequent 3 a.m. prowls on Internet Relay Chat, the 21-year-old chief technology officer of Recourse Technologies came across a braggart who claimed to have shut down a site. The hacker spoke of a tool called Mstream that bombards servers with junk data from many different sources. Posing as a hacker named Icee, Lyle swapped some code for a copy of Mstream. Within a week he had reverse-engineered it, and sent out a warning to his colleagues in the security community.

Such countertactics are in demand as companies realize the passive approach to cyberwar -- firewalls, intrusion detection systems -- is getting them nowhere. More than 30,000 "how to hack" Web sites provide tools to would-be interlopers. Providing tools to take back the night is big business. "Sooner or later, companies' defenses will get busted. Now they can fight back," says Frank Huerta, president of Recourse Technologies in Palo Alto, Calif., one of the leading arms merchants.

Firms responding to the latest Computer Security Institute/FBI study claim that costs from security breaches doubled in 2000. Security software firm McAfee estimates that cybertheft and vandalism cost the economy $20 billion a year. No wonder companies want to take the offensive, arming themselves with potent software.

Two hot new weapons are "honey pots" and tracers. A honey pot is a fake server set up to trap the unwitting intruder. Once inside, an alarm is tripped and the hacker's every keystroke, method of entry and manner of attack is covertly scrutinized. Tracers are surveillance algorithms powerful enough to follow a hacker's tangled itinerary back to its origin, whether an Internet service provider or a specific Internet Protocol address.

The notion of honey pots has been around for decades but never caught on because a good decoy server was too labor-intensive to set up, and the information in it quickly became stale. An alert hacker would quickly smell a ruse.

Recourse was founded in 1999 by two colleagues at the Web-hosting firm Exodus Communications -- Huerta, a former marketer, and Lyle, a top security expert. Their plan was to come up with a better honey pot. Its ManTrap product, released in October 1999, can automatically and easily simulate a credible environment and continuously updates it. "A hacker can read e-mails calling for a marketing meeting or a back-office tryst. When he comes back the next day he will find minutes of the meeting and a love note on how good the tryst was," says Huerta.

Eugene Schultz, research director at security consulting firm Predictive Systems, tested ManTrap at Purdue University and found that hackers stayed 30% longer and came back more times than with rival product Deception Tool Kit from Fred Cohen Associates. ManTrap's honey pot can be so realistic that, on one occasion, a Recourse programmer inadvertently entered one and made changes without realizing he was in the wrong server.

ManTrap, which costs $25,000 for four "cages," protects against inside jobs, too. Within weeks of installing ManTrap, a large telecommunications company caught two employees trying to access confidential salary and personnel information. "We intend to set up another honey pot. There's no telling how many bad apples we have," says the firm's chief security officer.

Tracing cybervandals back to their lairs is a harder task. Good hackers will disguise their origins by sending packets from multiple locations on the Net to more accurately map an entire system. Recourse's just-released tracer, ManHunt, can correlate this isolated data-gathering and recognize it as a prelude to an attack.

When it encounters suspect network data traffic, ManHunt quickly maps the affected area and assigns probabilities to possible paths used by the hackers to get in. It then checks and eliminates these paths one by one, using something called Dijkstra's algorithm to find the most likely route from systems administrator to point of entry.

Chasing a hacker's Internet Protocol address across the network presents some murky legal issues. Technically, you could be charged with trespassing if you track through the private servers of, say, an Internet service provider, without its permission. If a provider isn't already a ManHunt customer, Recourse will try to get rights of way by sharing information about the hacker's behavior.

ManHunt, which costs $170,000 to run on one server with four microprocessors, is still working on getting its first dozen customers. Recourse's next product, TipOff, will tell a company if its network has been hacked and check network integrity. The better it works, the more it will push customers to buy ManTrap or ManHunt. Not a bad strategy.

Srikumar S. Rao is Louis and Johanna Vorzimer Professor of Marketing at New York's Long Island University.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".