Information Security News mailing list archives

Honeynet looks to sting hackers


From: InfoSec News <isn () c4i org>
Date: Wed, 24 Apr 2002 00:51:59 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.nwfusion.com/news/2002/0422apps.html

By Ellen Messmer
Network World, 04/22/02

A group of 30 computer security researchers who set up inexpensive
"fake" networks to observe how hackers behave as they break into them
are finding out about new software vulnerabilities and warning the
public.

The security professionals, calling themselves The Honeynet Project,
quietly maintain a distributed network of Windows NT, Linux, Sun Sparc
servers and desktops accessible via the Internet to monitor how
hackers go after various operating systems. As research volunteers
operating on a shoestring, they've collected a wealth of data - and at
times found out about new attack tools and exploits of the "blackhat"
underworld of hackers.

In January, for instance, the Honeynet Project discovered hackers
could use a management feature called the CDE Subprocess Control
Service to take root control of Solaris.

The Honeynet Project shared that insight with the CERT Coordination
Center, which determined the matter was serious enough to issue
security alerts advising Solaris users to turn off CDE until the
buffer-overflow vulnerability was patched.

But most days, according to Jed Haile, project engineer at Nitro Data
Systems and volunteer hacker-watcher, the Honeynet records hacker
activity that is of less scientific interest but is astonishing in its
intensity and criminality.

Hackers that fall into the Honeynet are seen to swap stolen telephone
and credit card numbers, try to break into other possibly more "real"
networks and even discuss using the Internet for terrorist attacks.

In general, experience shows that hackers frequently operate as gangs
- and they love to talk.

"The 'blackhats' have a compulsive need to chat on IRC [Internet Relay
Chat software]," says Haile, who spoke about the two-year experience
of The Honeynet Project at the recent InfoSec conference. "The first
thing they'll do on a hacked box is set up IRC and invite their
buddies over." Then they set up an encrypted route back to another
compromised server elsewhere on the Internet.

The goal of the Honeynet Project, started by Sun engineer Lance
Spitzner, is not to capture hackers, but to observe their actions and
find out about new tools they use.

"A lot of these hackers are not gurus who know everything about
computers," Haile says. "They have very good tools. And they talk
about doing this for money. There's definitely a market for hired
hacking out there."

The Honeynet Project's undisclosed number of servers and desktops,
maintained at diverse locations with a minimum of publicity, spans the
country. Each server typically gets 20 or more unique scans per day,
and the hackers don't have too hard a time breaking into any operating
system that isn't up to date on its patches, although they may find
new vulnerabilities, too.

As a scientific effort, one of the Honeynet Project's goals is to
analyze the collected data to develop software that can detect the
probability of a successful attack. The Honeynet Project also would
like to be able to pinpoint those who make these hacker tools.

Even as it learned a lot about hackers, the Honeynet Project
discovered there are practical obstacles in operating a honeynet,
especially in making sure a hacker doesn't use the honeypot as a
springboard to break into other systems.

"Suppose hackers break into a honeynet during the weekend and they
take down the White House?" Haile says. "There's a tremendous legal
liability in all this." If an attacker makes more than five or six
outbound attempts at attacks, the honeynet shuts him off. Haile says
no company should set up a honeynet of its own before discussing it
with its legal department.

The Honeynet Project has designed a second-generation honeynet that
will include an extensive "production-looking" intranet to keep
hackers intrigued with trying to break in further. But it will block
outbound scanning.
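The outbound-attempt limit Haile describes is a data-control rule: watch everything coming in, but cut a compromised honeypot off once it tries to attack out. The following is an added illustration of that rule, not code from the Honeynet Project; the honeypot address range, the limit of five, the log format and the log lines are all constructed for the example.

```python
"""Outbound connection limiting for a honeynet (illustrative, not the
Honeynet Project's own code). Range, limit, log format and sample
lines are assumptions constructed for this example."""
import ipaddress
from collections import Counter

HONEYNET = ipaddress.ip_network("10.0.0.0/24")  # assumed honeypot range
OUTBOUND_LIMIT = 5                               # article: "five or six"

def parse_flow(line):
    """Constructed format: '<time> <src> <dst>:<port>'."""
    ts, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def is_outbound(src, dst):
    # A flow leaving the honeynet toward any outside host is outbound.
    return src in HONEYNET and dst not in HONEYNET

def apply_data_control(lines, limit=OUTBOUND_LIMIT):
    """Return (allowed_lines, blocked_hosts). Inbound and internal
    traffic is always permitted so the attacker can be observed; each
    honeypot's outbound attempts are counted and, once the limit is
    exceeded, that honeypot is shut off for the rest of the log."""
    outbound, blocked, allowed = Counter(), set(), []
    for line in lines:
        _, src, dst, _ = parse_flow(line)
        if not is_outbound(src, dst):
            allowed.append(line)           # inbound / internal: permit
            continue
        if src in blocked:
            continue                       # already cut off: drop silently
        outbound[src] += 1
        if outbound[src] > limit:
            blocked.add(src)               # shut the honeypot off
            continue
        allowed.append(line)
    return allowed, blocked

SAMPLE_LOG = [  # constructed: attacker breaks in, joins IRC, then scans out
    "02:14:05 203.0.113.9 10.0.0.7:22",
    "02:15:10 10.0.0.7 198.51.100.1:6667",
] + [f"02:16:{i:02d} 10.0.0.7 192.0.2.{i}:22" for i in range(10, 20)]

if __name__ == "__main__":
    allowed, blocked = apply_data_control(SAMPLE_LOG)
    print(f"{len(allowed)} flows permitted; cut off: {sorted(map(str, blocked))}")
```

With the sample log, the inbound SSH login and the first five outbound flows pass, the sixth outbound attempt trips the limit and 10.0.0.7 is cut off for the remainder.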

Hackers tend to be an angry lot, particularly when they figure out
they are being watched in a honeynet, Haile says. "Hackers will
undertake every effort to destroy a honeypot when they find it."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org
