[ISN] Honeynet looks to sting hackers

From: InfoSec News (isnat_private)
Date: Tue Apr 23 2002 - 22:51:59 PDT


    Forwarded from: William Knowles <wkat_private>
    By Ellen Messmer
    Network World, 04/22/02

    A group of 30 computer security researchers who set up inexpensive
    "fake" networks to observe how hackers behave as they break into them
    are finding out about new software vulnerabilities and warning the

    The security professionals, calling themselves The Honeynet Project,
    quietly maintain a distributed network of Windows NT, Linux, Sun Sparc
    servers and desktops accessible via the Internet to monitor how
    hackers go after various operating systems. As research volunteers
    operating on a shoestring, they've collected a wealth of data - and at
    times found out about new attack tools and exploits of the "blackhat"
    underworld of hackers.

    In January, for instance, the Honeynet Project discovered hackers
    could use a management feature called the CDE Subprocess Control
    Service to take root control of Solaris.

    The Honeynet Project shared that insight with the CERT Coordination
    Center, which determined the matter was serious enough to issue
    security alerts advising Solaris users to turn off CDE until the
    buffer-overflow vulnerability was patched.

    But most days, according to Jed Haile, project engineer at Nitro Data
    Systems and volunteer hacker-watcher, the Honeynet records hacker
    activity that is of less scientific interest but is astonishing in its
    intensity and criminality.

    Hackers that fall into the Honeynet are seen to swap stolen telephone
    and credit card numbers, try to break into other possibly more "real"
    networks and even discuss using the Internet for terrorist attacks.

    In general, experience shows that hackers frequently operate as gangs
    - and they love to talk.

    "The 'blackhats' have a compulsive need to chat on IRC [Internet Relay
    Chat software]," says Haile, who spoke about the two-year experience
    of The Honeynet Project at the recent InfoSec conference. "The first
    thing they'll do on a hacked box is set up IRC and invite their
    buddies over." Then they set up an encrypted route back to another
    compromised server elsewhere on the Internet.

    The goal of the Honeynet Project, started by Sun engineer Lance
    Spitzner, is not to capture hackers, but to observe their actions and
    find out about new tools they use.

    "A lot of these hackers are not gurus who know everything about
    computers," Haile says. "They have very good tools. And they talk
    about doing this for money. There's definitely a market for hired
    hacking out there."

    The Honeynet Project's undisclosed number of servers and desktops,
    maintained at diverse locations with a minimum of publicity, spans the
    country. Each server typically gets 20 or more unique scans per day,
    and the hackers don't have too hard a time breaking into any operating
    system that isn't up to date on its patches, although they may find
    new vulnerabilities, too.

    As a scientific effort, one of the Honeynet Project's goals is to
    analyze the collected data to develop software that can detect the
    probability of a successful attack. The Honeynet Project also would
    like to be able to pinpoint those who make these hacker tools.

    Even as it learned a lot about hackers, the Honeynet Project
    discovered there are practical obstacles in operating a honeynet,
    especially in making sure a hacker doesn't use the honeypot as a
    springboard to break into other systems.

    "Suppose hackers break into a honeynet during the weekend and they
    take down the White House?" Haile says. "There's a tremendous legal
    liability in all this." If an attacker makes more than five or six
    outbound attempts at attacks, the honeynet shuts him off. Haile says
    no company should set up a honeynet of its own before discussing it
    with its legal department.

    The Honeynet Project has designed a second-generation honeynet that
    will include an extensive "production-looking" intranet to keep
    hackers intrigued with trying to break in further. But it will block
    outbound scanning.
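
The outbound-limit rule Haile describes (shut the attacker off after five or six outbound attack attempts) and the second-generation goal of blocking outbound scanning amount to a small data-control filter sitting between the honeypots and the Internet. The Python below is an added illustration written for this archive page, not code from The Honeynet Project or from the article; the log format, the addresses, the fabricated log lines and the threshold of five are all constructed assumptions.

```python
"""Outbound data control for a honeynet, written as an added example.

Assumption (constructed for this example): each log line records one new
outbound connection attempt from a honeypot, in the made-up format

    <timestamp> <honeypot_ip> -> <dst_ip>:<dst_port> <proto>

The addresses below are documentation/private ranges and the log is
fabricated; nothing here is captured Honeynet Project data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Threshold is an assumption based on the article's "five or six" attempts.
OUTBOUND_LIMIT = 5

# Constructed sample: honeypot 10.1.1.5 joins an IRC server, then tries to
# reach port 22 on seven different hosts; honeypot 10.1.1.6 makes two
# ordinary web connections and stays under the limit.
SAMPLE_LOG = """\
2002-04-20T02:11:03 10.1.1.5 -> 198.51.100.7:6667 tcp
2002-04-20T02:11:09 10.1.1.5 -> 203.0.113.10:22 tcp
2002-04-20T02:11:10 10.1.1.6 -> 198.51.100.20:80 tcp
2002-04-20T02:11:11 10.1.1.5 -> 203.0.113.11:22 tcp
2002-04-20T02:11:12 10.1.1.5 -> 203.0.113.12:22 tcp
2002-04-20T02:11:13 10.1.1.5 -> 203.0.113.13:22 tcp
2002-04-20T02:11:14 10.1.1.6 -> 198.51.100.21:80 tcp
2002-04-20T02:11:15 10.1.1.5 -> 203.0.113.14:22 tcp
2002-04-20T02:11:16 10.1.1.5 -> 203.0.113.15:22 tcp
2002-04-20T02:11:17 10.1.1.5 -> 203.0.113.16:22 tcp
"""


@dataclass
class HoneypotState:
    """Per-honeypot counters kept by the data-control layer."""
    attempts: int = 0                       # outbound attempts counted so far
    destinations: set = field(default_factory=set)  # (dst_ip, dst_port) seen
    blocked: bool = False                   # True once the limit is exceeded


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dst_port), proto


def apply_data_control(log_text, limit=OUTBOUND_LIMIT):
    """Replay the log and decide, per attempt, whether it would be let out.

    Returns (decisions, states): decisions is a list of
    (timestamp, honeypot, "dst_ip:port", "allow" | "drop"); states maps each
    honeypot to its HoneypotState. Once a honeypot exceeds `limit` attempts
    it stays blocked for the rest of the replay, mirroring the article's
    "shuts him off" rule.
    """
    states = defaultdict(HoneypotState)
    decisions = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst_ip, dst_port, _proto = parse_line(raw)
        st = states[src]
        target = f"{dst_ip}:{dst_port}"
        if st.blocked:
            decisions.append((ts, src, target, "drop"))
            continue
        st.attempts += 1
        st.destinations.add((dst_ip, dst_port))
        if st.attempts > limit:
            st.blocked = True               # shut this honeypot off
            decisions.append((ts, src, target, "drop"))
        else:
            decisions.append((ts, src, target, "allow"))
    return decisions, dict(states)


def looks_like_scan(state, min_targets=3):
    """Heuristic for the outbound scanning the second-generation design blocks:
    the same destination port tried against `min_targets` or more hosts."""
    hosts_per_port = defaultdict(set)
    for dst_ip, dst_port in state.destinations:
        hosts_per_port[dst_port].add(dst_ip)
    return any(len(hosts) >= min_targets for hosts in hosts_per_port.values())


if __name__ == "__main__":
    decisions, states = apply_data_control(SAMPLE_LOG)
    for ts, src, target, action in decisions:
        print(f"{ts} {src} -> {target:<20} {action}")
    for src, st in sorted(states.items()):
        print(f"{src}: attempts={st.attempts} blocked={st.blocked} "
              f"scan={looks_like_scan(st)}")
```

Replaying the constructed log lets the first five attempts from 10.1.1.5 out (including its IRC session), drops the sixth and everything after it, and leaves 10.1.1.6 untouched; the per-port host count then flags 10.1.1.5 as scanning, the kind of activity the second-generation design blocks outright. In a real deployment the same counters would drive firewall rules rather than a replay, but the decision logic is unchanged.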

    Hackers tend to be an angry lot, particularly when they figure out
    they are being watched in a honeynet, Haile says. "Hackers will
    undertake every effort to destroy a honeypot when they find it."

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Apr 24 2002 - 01:40:48 PDT