[ISN] Global Hack Attack

From: mea culpa (jerichoat_private)
Date: Sun Jan 10 1999 - 00:39:45 PST

    Forwarded From: hippyman <hippymanat_private>
    (IDG) -- U.S. Department of Defense (DOD) security experts on Friday
    warned that hackers have a new weapon in their arsenal -- coordinated
    attacks on government and private networks from multiple locations around
    the world.
    Discovered just this month by the Navy, the attacks are hard to detect
    since they involve sending two to three malicious data packets among
    millions of friendly packets from multiple Internet locations around the
    globe simultaneously in an effort to intrude into a network.
    Multiple attackers can farm part of the attack to one Internet address and
    part of the attack to another, making it hard for existing
    intrusion-monitoring systems to identify the packets as part of a
    coordinated attack.
    "What is clear is that the attacks are coordinated," said Stephen
    Northcutt, head of the intrusion center at the U.S. Naval Surface Warfare
    Center, in Virginia. "But exactly how many people are driving it is not
    At times, as many as 15 different hackers appeared to be involved in the
    attacks, but it is not clear how many people are actually behind such
    coordinated attacks, Northcutt said. So far the attacks were directed at
    nonclassified networks at the DOD and at least at one private, corporate
    Although no known damage has been caused by the coordinated attacks yet,
    Northcutt and his colleagues issued a security alert Friday in order to
    make network administrators aware of the new attack mechanisms.
    "We are talking about how hackers are using a weapon, not about a new
    weapon itself," said Tim Aldrich, another U.S. Navy Surface Warfare Center
    security analyst.
    It has been common for a single attacker to target multiple sites, but now
    multiple attackers are working together to target either single sites or
    multiple sites, Aldrich said.
    Aldrich and his colleagues assume that the new techniques will be widely
    used and that it is imperative that intrusion-detection tools, techniques,
    and tracking databases be developed or modified to detect and respond to
    this new threat.
    For sites with properly engineered Internet security, the new attack
    mechanism is no more effective than the previous generation of attacks.
    But sites that are not as secure and have routers with knowledge of an
    internal network sitting outside a firewall are especially vulnerable,
    Northcutt said.
    The Navy's Shadow (Secondary Heuristic Analysis for Defensive Online
    Warfare) Intrusion Detection team has developed a new and freely available
    detection technique to track this new hacking activity. The information
    can be found at http://www.nswc.navy.mil/ISSEC/CID.
    The new hacker technique requires security experts to rethink some of
    their defense methods, which so far have focused on attacks from one
    hacker. In a coordinated attack, however, one attacker can do the
    reconnaissance, while another follows up with the exploit. Detecting
    attacks requires correlating attack packets with each other, which is
    difficult if a small number of them are sent from many locations at the
    same time, Northcutt said.
    The Shadow team is asking anyone who has detected similar patterns of
    coordinated hacking to share information about them by sending information
    to shadowat_private
    Northcutt and other intrusion-detection researchers will gather in San
    Diego for the SANS Institute's Intrusion Detection and Response Workshop.
    The SANS Institute is a network security cooperative research and
    education organization made up of more than 62,000 system administrators,
    security professionals, and network administrators.
    Subscribe: mail majordomoat_private with "subscribe isn".
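
The correlation problem the article describes, as an added example that is not part of the original post and is not the Shadow team's technique: a per-source threshold stays silent when each source sends only a packet or two, while grouping the same events by target and time surfaces the burst. The event tuple layout, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample alerts: (epoch_seconds, source, target, dest_port, label).
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
EVENTS = [
    (1000, "198.51.100.7", "192.0.2.10", 53, "probe"),
    (1004, "203.0.113.21", "192.0.2.10", 111, "probe"),
    (1009, "198.51.100.88", "192.0.2.10", 143, "probe"),
    (1015, "203.0.113.40", "192.0.2.10", 143, "exploit-attempt"),
    (1020, "198.51.100.7", "192.0.2.55", 80, "probe"),
    (5000, "203.0.113.99", "192.0.2.10", 25, "probe"),
]

def per_source_alerts(events, threshold=3):
    """Single-attacker view: flag a source once it sends `threshold` suspicious packets."""
    counts = defaultdict(int)
    for _, src, *_ in events:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= threshold)

def coordinated_alerts(events, gap=60, min_sources=3):
    """Target-centric view: split each target's hits into bursts (consecutive hits
    no more than `gap` seconds apart) and flag bursts fed by many distinct sources."""
    by_target = defaultdict(list)
    for ev in sorted(events):
        by_target[ev[2]].append(ev)
    alerts = []
    for target, hits in sorted(by_target.items()):
        burst = [hits[0]]
        for ev in hits[1:] + [None]:  # None is a sentinel that flushes the last burst
            if ev is not None and ev[0] - burst[-1][0] <= gap:
                burst.append(ev)
                continue
            sources = sorted({e[1] for e in burst})
            if len(sources) >= min_sources:
                alerts.append({
                    "target": target,
                    "first": burst[0][0],
                    "last": burst[-1][0],
                    "sources": sources,
                    "ports": sorted({e[3] for e in burst}),
                    "labels": sorted({e[4] for e in burst}),
                })
            burst = [ev]
    return alerts

if __name__ == "__main__":
    print("per-source:", per_source_alerts(EVENTS))
    for alert in coordinated_alerts(EVENTS):
        print("coordinated:", alert)
```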