[ISN] Scientists and students at the Naval Postgraduate School develop the Therminator to protect computers from hackers

From: InfoSec News (isnat_private)
Date: Tue Mar 26 2002 - 00:37:59 PST

    Knight Ridder News Service
    Mar. 25, 2002
    The Internet is a world of its own, and some people who live in it are
    building unseen empires of master computers that can subvert, suborn
    and enslave other computers without their owners ever being aware of
    These Genghis Khans of cyberspace have governments and the military
    worried because they are capable of using their armies of slave
    computers to attack government and civilian computer networks.
    But now, scientists and students at Monterey, California's Naval
    Postgraduate School have developed a new defense -- the Therminator.
    An electronic empire-builder shut down the eBay and Yahoo online
    networks last year by launching a denial-of-service attack, said John
    McEachen, assistant professor of electrical and computer engineering
    at the naval school.
    The lone hacker wrote a program that scanned computers hooked to the
    Net, injected its own directives in them to obey his master computer's
    commands and then ordered thousands of these "slaves" to contact
    eBay and Yahoo!, drowning those computers with online chatter.
    No similar attacks have been traced to terrorists, but the potential
    is there, said McEachen, who mentioned that some hackers have tried
    similar assaults on military computer networks, apparently just for
    Until now, most computer network security systems have alerted their
    owners only after the system has been attacked. The alert is triggered
    by systems that identify patterns of programs used for intrusion.
    "The problem is that you have to have seen a pattern in the past in
    order to be able to detect it again and identify an attack," McEachen
    But today's sophisticated hackers don't make the mistake of repeating
    themselves. When they attack, they come from a new direction with new
    "Most of these people are clever enough to do the unusual."
    The response developed at the Naval Postgraduate School by scientists
    and students is Therminator, a computer program that patrols the
    boundaries of a network and reports back when potential Internet
    hackers appear to be probing it for a possible assault.
    Two of the students, Navy Lt. Stephen Donald and Marine Corps Capt.  
    Robert McMillen, tried out the Therminator system at the U.S. Pacific
    Command in Hawaii on Jan. 5, 2001.
    Within a half hour, McEachen said, the two had discovered a major
    intrusion into the Pacific Command's network.
    Therminator looks for anomalies in systems, rather than repeated
    patterns, and displays them in three-dimensional graphics that show
    patterns of usual daily activity and spikes of unusual activity -- the
    sudden appearance of new computer traffic and "packages" entering
    the system.
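    The contrast the article draws above, between pattern matching that needs a
    previously seen signature and anomaly spotting that works from a baseline of
    usual activity, as an added toy illustration in Python. This is not code from
    the article or from the Therminator project, and it does not reproduce the
    mathematics the article attributes to Ford and Northcutt; the traffic windows,
    addresses and signature names are all constructed.

```python
from statistics import mean, pstdev

# Constructed sample data (not real traffic): twelve quiet 5-minute windows used
# as the baseline, two more quiet windows, then a three-window flood from many
# never-seen sources. Addresses come from the RFC 5737 documentation ranges.
BASELINE_COUNTS = [120, 135, 128, 142, 131, 125, 138, 133, 129, 140, 136, 127]
NORMAL_SRCS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}
KNOWN_SIGNATURES = {"sig-A", "sig-B"}  # placeholder names for the "seen before" list

def make_windows():
    quiet = lambda pkts: {"pkts": pkts, "srcs": set(NORMAL_SRCS), "fingerprint": None}
    windows = [quiet(c) for c in BASELINE_COUNTS] + [quiet(134), quiet(139)]
    for n, pkts in enumerate([2400, 2950, 3100]):
        flood = {f"203.0.113.{i}" for i in range(40 * n + 1, 40 * n + 41)}
        windows.append({"pkts": pkts, "srcs": NORMAL_SRCS | flood,
                        "fingerprint": "unlisted-tool"})  # a pattern nobody has catalogued
    return windows

def signature_alerts(windows, signatures=KNOWN_SIGNATURES):
    """Pattern matching: fires only when a window carries a fingerprint already on the list."""
    return [i for i, w in enumerate(windows) if w["fingerprint"] in signatures]

def anomaly_alerts(windows, learn=12, z_threshold=3.0, new_src_threshold=5):
    """Baseline deviation: learn mean/spread and the source population from the
    first `learn` windows, then flag later windows that spike in volume or bring
    in many sources never seen before. Flagged windows are not folded back into
    the baseline, so a flood cannot teach the detector that floods are normal."""
    base = windows[:learn]
    mu = mean(w["pkts"] for w in base)
    sigma = max(pstdev(w["pkts"] for w in base), 1.0)  # floor avoids divide-by-zero on a flat baseline
    known_srcs = set().union(*(w["srcs"] for w in base))
    alerts = []
    for i, w in enumerate(windows[learn:], start=learn):
        z = (w["pkts"] - mu) / sigma
        new_srcs = len(w["srcs"] - known_srcs)
        if z > z_threshold or new_srcs >= new_src_threshold:
            alerts.append((i, round(z, 1), new_srcs))
        else:
            known_srcs |= w["srcs"]  # only quiet windows extend the learned population
    return alerts

if __name__ == "__main__":
    data = make_windows()
    print("signature alerts:", signature_alerts(data))  # [] : the flood matches nothing known
    for i, z, new in anomaly_alerts(data):
        print(f"window {i}: z={z}, {new} never-seen sources")
```

    The signature detector stays silent because the flood is a pattern it has
    never been given, while the baseline detector flags all three flood windows.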
    The system is based on mathematics developed by David Ford at the
    National Security Agency and Stephen Northcutt, founder of the SANS
    Institute computer security company.
    It requires "a tremendous amount of processing power," McEachen
    said. The one at the Naval Postgraduate School uses a $50,000 Sun
    Blade processor.
    Therminator can -- and should -- be used in tandem with normal
    firewalls designed to protect systems, intrusion detectors and routers
    to provide in-depth defense, he said. It provides continuous
    monitoring of a network's health while serving as a checkpoint for
    entering computer messages and information packages.
    After its debut at Pacific Command, the Army and Air Force got
    interested, setting up Therminator at Fort Belvoir, Va.; Fort
    Huachuca, Ariz.; and San Antonio.
    Automated computer systems constantly scan the Internet, McEachen
    said, most of them as tools to seek out commercial customers -- the
    major source of spam advertising messages.
    Similar automated scanning systems are used by hackers who look for
    other broadband, sophisticated systems on the Internet that can be
    recruited as slaves, he said.
    Sometimes owners are enticed by offers of free software, movies or
    music albums that contain an enslaving code that recruits their
    computers when downloaded.
    But the computers don't even have to be turned on, McEachen said. By
    simply being hooked up to an Internet modem, they are vulnerable to
    such probes.
    Therminator is part of a larger program at the Naval Postgraduate
    School called RIDLR -- Reconfigurable Intrusion Detection Laboratory
    Research. Within minutes of turning on that network for the very first
    time, McEachen said, even without an identifying website and using a
    name made up of random numbers, it was inundated with "a constant
    flow of packages -- probes to see what we have."
    Within 15 days, the researchers detected an attack launched from four
    sites in Canada and the United States, all by the same person.
    McEachen said he is convinced that the hacker who set it in motion had
    not written the code himself.
    "He got it off a chat room. The original writer is probably sending
    that out to get more 'slaves' for a 'grandmaster computer.'"
    The integration of military electronic sensor, guidance and targeting
    systems makes them increasingly vulnerable to attack and misuse by
    hackers, McEachen said. Questions that concern computer security
    specialists are: Who's doing it and why?
    "In an industrial nation state, there are a lot of really good
    hackers to whom this is just a way of living," McEachen said.
    Economic motives might be part of it, since some hackers live on
    credit-card-number theft from databases, and ego also comes into play.
    "There's a whole socioeconomic segment of society out there doing
    The Navy is in the process of applying for a patent for Therminator
    and plans to release it to the civilian community for use in
    protecting industrial, financial and infrastructure systems, McEachen
