Information Security News mailing list archives

Scientists and students at the Naval Postgraduate School develop the Therminator to protect computers from hackers


From: InfoSec News <isn () c4i org>
Date: Tue, 26 Mar 2002 02:37:59 -0600 (CST)

http://www.miami.com/mld/miamiherald/2002/03/25/business/2917190.htm

BY KEVIN HOWE
Knight Ridder News Service
Mar. 25, 2002

The Internet is a world of its own, and some people who live in it are
building unseen empires of master computers that can subvert, suborn
and enslave other computers without their owners ever being aware of
it.

These Genghis Khans of cyberspace have governments and the military
worried because they are capable of using their armies of slave
computers to attack government and civilian computer networks.

But now, scientists and students at Monterey, California's Naval
Postgraduate School have developed a new defense -- the Therminator.

An electronic empire-builder shut down the eBay and Yahoo online
networks last year by launching a denial-of-service attack, said John
McEachen, assistant professor of electrical and computer engineering
at the naval school.

The lone hacker wrote a program that scanned computers hooked to the
Net, injected its own directives in them to obey his master computer's
commands and then ordered thousands of these "slaves" to contact
eBay and Yahoo!, drowning those computers with online chatter.

No similar attacks have been traced to terrorists, but the potential
is there, said McEachen, who mentioned that some hackers have tried
similar assaults on military computer networks, apparently just for
fun.

Until now, most computer network security systems have alerted their
owners only after the system has been attacked. The alert is triggered
by systems that identify patterns of programs used for intrusion.

"The problem is that you have to have seen a pattern in the past in
order to be able to detect it again and identify an attack," McEachen
said.

But today's sophisticated hackers don't make the mistake of repeating
themselves. When they attack, they come from a new direction with new
methods.

"Most of these people are clever enough to do the unusual."

The response developed at the Naval Postgraduate School by scientists
and students is Therminator, a computer program that patrols the
boundaries of a network and reports back when potential Internet
hackers appear to be probing it for a possible assault.

Two of the students, Navy Lt. Stephen Donald and Marine Corps Capt.
Robert McMillen, tried out the Therminator system at the U.S. Pacific
Command in Hawaii on Jan. 5, 2001.

Within a half hour, McEachen said, the two had discovered a major
intrusion into the Pacific Command's network.

Therminator looks for anomalies in systems, rather than repeated
patterns, and displays them in three-dimensional graphics that show
patterns of usual daily activity and spikes of unusual activity -- the
sudden appearance of new computer traffic and "packages" entering
the system.

The system is based on mathematics developed by David Ford at the
National Security Agency and Stephen Northcutt, founder of the SANS
Institute computer security company.

It requires "a tremendous amount of processing power," McEachen
said. The one at the Naval Postgraduate School uses a $50,000 Sun
Blade processor.

Therminator can -- and should -- be used in tandem with normal
firewalls designed to protect systems, intrusion detectors and routers
to provide in-depth defense, he said. It provides continuous
monitoring of a network's health while serving as a checkpoint for
entering computer messages and information packages.

After its debut at Pacific Command, the Army and Air Force got
interested, setting up Therminator at Fort Belvoir, Va.; Fort
Huachuca, Ariz.; and San Antonio.

Automated computer systems constantly scan the Internet, McEachen
said, most of them as tools to seek out commercial customers -- the
major source of spam advertising messages.

Similar automated scanning systems are used by hackers who look for
other broadband, sophisticated systems on the Internet that can be
recruited as slaves, he said.

Sometimes owners are enticed by offers of free software, movies or
music albums that contain an enslaving code that recruits their
computers when downloaded.

But the computers don't even have to be turned on, McEachen said. By
simply being hooked up to an Internet modem, they are vulnerable to
such probes.

Therminator is part of a larger program at the Naval Postgraduate
School called RIDLR -- Reconfigurable Intrusion Detection Laboratory
Research. Within minutes of turning on that network for the very first
time, McEachen said, even without an identifying website and using a
name made up of random numbers, it was inundated with "a constant
flow of packages -- probes to see what we have."

Within 15 days, the researchers detected an attack launched from four
sites in Canada and the United States, all by the same person.

McEachen said he is convinced that the hacker who set it in motion had
not written the code himself.

"He got it off a chat room. The original writer is probably sending
that out to get more 'slaves' for a 'grandmaster computer.'"

The integration of military electronic sensor, guidance and targeting
systems makes them increasingly vulnerable to attack and misuse by
hackers, McEachen said. The questions that concern computer security
specialists are: Who's doing it, and why?

"In an industrial nation state, there are a lot of really good
hackers to whom this is just a way of living," McEachen said.

Economic motives might be part of it, since some hackers live on
credit-card-number theft from databases, and ego also comes into play.

"There's a whole socioeconomic segment of society out there doing
it."

The Navy is in the process of applying for a patent for Therminator
and plans to release it to the civilian community for use in
protecting industrial, financial and infrastructure systems, McEachen
said.



-
ISN is currently hosted by Attrition.org
