http://www.miami.com/mld/miamiherald/2002/03/25/business/2917190.htm

BY KEVIN HOWE
Knight Ridder News Service
Mar. 25, 2002

The Internet is a world of its own, and some people who live in it are building unseen empires of master computers that can subvert, suborn and enslave other computers without their owners ever being aware of it.

These Genghis Khans of cyberspace have governments and the military worried because they are capable of using their armies of slave computers to attack government and civilian computer networks. But now, scientists and students at Monterey, California's Naval Postgraduate School have developed a new defense -- the Therminator.

An electronic empire-builder shut down the eBay and Yahoo online networks last year by launching a denial-of-service attack, said John McEachen, assistant professor of electrical and computer engineering at the naval school. The lone hacker wrote a program that scanned computers hooked to the Net, injected its own directives in them to obey his master computer's commands and then ordered thousands of these "slaves" to contact eBay and Yahoo!, drowning those computers with online chatter.

No similar attacks have been traced to terrorists, but the potential is there, said McEachen, who mentioned that some hackers have tried similar assaults on military computer networks, apparently just for fun.

Until now, most computer network security systems have alerted their owners only after the system has been attacked. The alert is triggered by systems that identify patterns of programs used for intrusion.

"The problem is that you have to have seen a pattern in the past in order to be able to detect it again and identify an attack," McEachen said.

But today's sophisticated hackers don't make the mistake of repeating themselves. When they attack, they come from a new direction with new methods.
"Most of these people are clever enough to do the unusual."

The response developed at the Naval Postgraduate School by scientists and students is Therminator, a computer program that patrols the boundaries of a network and reports back when potential Internet hackers appear to be probing it for a possible assault.

Two of the students, Navy Lt. Stephen Donald and Marine Corps Capt. Robert McMillen, tried out the Therminator system at the U.S. Pacific Command in Hawaii on Jan. 5, 2001. Within a half hour, McEachen said, the two had discovered a major intrusion into the Pacific Command's network.

Therminator looks for anomalies in systems, rather than repeated patterns, and displays them in three-dimensional graphics that show patterns of usual daily activity and spikes of unusual activity -- the sudden appearance of new computer traffic and "packages" entering the system.

The system is based on mathematics developed by David Ford at the National Security Agency and Stephen Northcutt, founder of the SANS Institute computer security company.

It requires "a tremendous amount of processing power," McEachen said. The one at the Naval Postgraduate School uses a $50,000 Sun Blade processor.

Therminator can -- and should -- be used in tandem with normal firewalls designed to protect systems, intrusion detectors and routers to provide in-depth defense, he said. It provides continuous monitoring of a network's health while serving as a checkpoint for entering computer messages and information packages.

After its debut at Pacific Command, the Army and Air Force got interested, setting up Therminator at Fort Belvoir, Va.; Fort Huachuca, Ariz.; and San Antonio.

Automated computer systems constantly scan the Internet, McEachen said, most of them as tools to seek out commercial customers -- the major source of spam advertising messages.
Similar automated scanning systems are used by hackers who look for other broadband, sophisticated systems on the Internet that can be recruited as slaves, he said. Sometimes owners are enticed by offers of free software, movies or music albums that contain an enslaving code that recruits their computers when downloaded.

But the computers don't even have to be turned on, McEachen said. By simply being hooked up to an Internet modem, they are vulnerable to such probes.

Therminator is part of a larger program at the Naval Postgraduate School called RIDLR -- Reconfigurable Intrusion Detection Laboratory Research.

Within minutes of turning on that network for the very first time, McEachen said, even without an identifying website and using a name made up of random numbers, it was inundated with "a constant flow of packages -- probes to see what we have."

Within 15 days, the researchers detected an attack launched from four sites in Canada and the United States, all by the same person. McEachen said he is convinced that the hacker who set it in motion had not written the code himself.

"He got it off a chat room. The original writer is probably sending that out to get more 'slaves' for a 'grandmaster computer.'"

The integration of military electronic sensor, guidance and targeting systems makes them increasingly vulnerable to attack and misuse by hackers, McEachen said.

Questions that concern computer security specialists are: Who's doing it and why?

"In an industrial nation state, there are a lot of really good hackers to whom this is just a way of living," McEachen said.

Economic motives might be part of it, since some hackers live on credit-card-number theft from databases, and ego also comes into play.
"There's a whole socioeconomic segment of society out there doing it."

The Navy is in the process of applying for a patent for Therminator and plans to release it to the civilian community for use in protecting industrial, financial and infrastructure systems, McEachen said.