Digital sleuthing uncovers hacking costs

[InfoSec News <isn () C4I ORG>]

http://news.cnet.com/news/0-1005-200-5217277.html?tag=tp_pr

By Robert Lemos
Special to CNET News.com
March 22, 2001, 5:05 a.m. PT

It took the intruder less than a minute to break into the university's
computer via the Internet, and he stayed less than a half an hour. Yet
finding out what he did in that time took researchers, on average,
more than 34 hours each.

That inequity--highlighted during the Forensic Challenge, a contest of
digital-sleuthing skills whose results were announced this
week--underscores the costs of cleaning up after an intruder
compromises a network, said David Dittrich, senior security engineer
at the University of Washington and the lead judge in the contest.

"This guy can do all that damage in a half an hour," he said. Dittrich
estimated that those 34 hours would cost a company about $2,000 if the
investigation was handled internally and more than $22,000 if a
consultant was called in.

"Those are conservative estimates, as well," he said.

On Monday, Dittrich, and other members of a loose group of security
experts known as the Honeynet Project, announced the winner of the
Forensic Challenge. The contest pitted the reports of 13 amateur and
professional cybersleuths against one another.

Each digital detective used decompilers, data recovery programs and
other forensic tools to uncover as much information as possible. The
entries consisted of a memo to fictional upper management, a security
advisory, and an in-depth analysis of the evidence uncovered by the
contestant's digital detective work.

The contest was made more interesting by the fact that the attack was
a real one, captured by one of the several "honeypots"--vulnerable
computers connected to the Net and surreptitiously watched--run by the
Honeynet Project.

In fact, the detectives produced several leads to the identity of the
culprit. Lance Spitzner, the founder of the Honeynet Project, said
they would not prosecute the person responsible. Such online vandals
are extremely common, he said.

"I would say this guy represents a very large and common percentage of
the black-hat community--it's a threat that we all face," he said,
estimating that 70 to 80 percent of, so-called, black-hat
hackers--those that break into computers illegally--have comparable
skills to the attacker who breeched the computer.

The contest also helps illuminate why securing a computer is more cost
effective than hiring consultants to come in and do the detective work
afterwards, said Fred Cohen, director of the online investigations
program for the University of New Haven, Conn.

"It is a fairly extensive process to take what amounts to a bunch of
garbage and build a comprehensive picture of what happened," he said.
The costs of such investigations can easily amount to $20,000 per
computer, he said.

Cohen, who both teaches forensics and works on actual cases, stressed
that companies need to understand the difficulty, and costs, involved.
"Companies tend to balk at agreeing to that kind of expense when there
is no guaranteed payoff."

Dittrich also hoped that the contest would open the eyes of corporate
execs who--all too often--want a quick fix.

"If you just reinstall the system, do you know if you have plugged the
hole that allowed the attacker to get in?" he asked. Most of the time,
such quick fixes just mean the attacker gets another shot at the
system. Some computers at the University of Washington have been
compromised five times, he said.

"Multiple intrusions are occurring all over the place," he said.

The Honeynet Project plans to do another contest, said Dittrich, but
it's a question of time. "I probably spent easily over 100 hours on
this," he said. "There was a lot of work that was done just in the
judging."

The next project would also focus on either a Solaris or a Windows
NT/2000 computer, he said. Getting one would not be a problem,
however.

Systems placed on the Internet don't last that long, Dittrich
explained.

"If we really wanted to get another system, it would take less than a
week. We are being scanned constantly. We could get the data ready
rather quickly," he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".