[ISN] Payback time! How to catch a hacker

From: InfoSec News (isnat_private)
Date: Thu Jan 31 2002 - 02:08:43 PST

    Forwarded from: security curmudgeon <jerichoat_private>
    
    
     I'm sure everyone will remember hackerwatch.org from last year, when they
     were the victim of an embarrassing defacement. Commentary:
    
     http://www.attrition.org/security/commentary/hackerwatch.html
    
     Mirror of the defacement:
    
     http://defaced.alldas.de/mirror/2001/06/18/www.hackerwatch.org/
    
    				- security curmudgeon
    --
    
    Payback time! How to catch a hacker
    By Robert Vamosi	   
    January 30, 2002, 5:10 AM PT
    http://zdnet.com.com/2100-1107-825844.html
    
    COMMENTARY--A new service from McAfee will soon let you discover whether
    anyone is hacking into your system, and if so, let you submit that
    information to the malicious user's ISP or local law enforcement
    officials. 
    
    The project, known as HackerWatch.org, is an ambitious attempt by McAfee,
    a division of Network Associates best known for its antivirus products, to
    create an interactive anti-hacker community online.  But will it make a
    difference? 
    
    Sam Curry, who has overseen firewall development at McAfee for some time,
    said HackerWatch is intended "not to start any witch hunts, but to get
    good quality information" from its users.  To help it reach that goal,
    McAfee recently merged with NeoWorx, a company best known for NeoTrace, a
    product used by law enforcement to trace malicious users. 
    
    HOW DOES IT WORK? Using the Internet tools whois and ping, NeoTrace tracks
    the origin of any malicious user who attempts to intrude on your system. 
    Since the McAfee merger, the product has been renamed McAfee Visual Trace. 
    The program shows you the routes by which the malicious user contacted
    your computer graphically, as nodes displayed on a world map. The nodes
    are color-coded to represent the speed of the signal--red for slow and
    green for fast. McAfee Visual Trace is able to look up the registered
    owners of the originating address, and if the malicious user's location
    falls within the United States, it can even display the hacker's street
    address.
    
    Along with NeoTrace, NeoWorx also makes a firewall product called
    NeoWatch, an intrusion detector which is known for its friendly GUI.  The
    latest release of McAfee's Personal Firewall, version 3.0, fuses
    NeoWatch's interface with earlier versions of McAfee's Personal Firewall. 
    With version 3.0, whenever the McAfee firewall stops an intrusion, anyone
    subscribed to the HackerWatch service will be able to receive details
    about the intruder. 
    
    If HackerWatch identifies your event as malicious or suspicious, Curry
    said, you have the opportunity to volunteer information about your
    break-in to the pool of data being collected by HackerWatch.  You also
    have the option to forward the info to the malicious user's ISP, and
    perhaps put pressure on the ISP to refuse him or her service. Certain
    events, such as distributed denial-of-service attacks, can even be sent to
    local law enforcement. 
    
    THE GOOD NEWS IS that reporting any hacking attempt on your system is
    completely up to you; HackerWatch will not send the information it gathers
    to ISPs or law enforcement. Furthermore, your ISP and timestamp
    information will be removed from any reports.  As Curry explained it,
    "that information can later be supplied with a subpoena, if needed."  At
    present, only certain events will be flagged as suspicious--for example,
    when there's a lot of activity from a single IP address or heavy activity
    on a particular TCP/IP port. In the future, HackerWatch hopes to be able
    to distinguish suspicious content within data packets being sent across
    the Internet. 
    
    Within the next six months, Curry said McAfee plans to make more of the
    HackerWatch.org site public by including Internet alerts from CERT
    Coordination Center and the SANS Institute. The site will also provide its
    own HackerWatch-based alerts, as McAfee moves toward a unified
    hacker/virus rating system. "HackerWatch.org will be parallel to our virus
    coverage," said Curry.  "The [McAfee] Visual Trace information on the site
    will be analogous to McAfee's Virus Map."
    
    In theory, HackerWatch.org is a great idea.  In practice, it'll depend on
    how many of you use McAfee's products and report your findings to
    HackerWatch--as well as to ISPs and law enforcement.  According to Curry,
    there are about 200,000 HackerWatch subscribers, with about 55 to 60
    percent of those located inside the U.S.  That is a tiny fraction of the
    worldwide Internet community.  But you have to start somewhere, so I wish
    McAfee good luck.
    
    
    