http://www.washingtonpost.com/wp-dyn/articles/A28625-2003Jan8.html By Leslie Walker walkerlat_private Thursday, January 9, 2003 An ordinary office building on Route 1 in Alexandria offers a rare window into the Internet hacker wars and a few clues to why Uncle Sam wants more monitoring capabilities in cyberspace. Inside a cavernous room on the first floor there, security analysts for Symantec sit in long, curved rows 24 hours a day, working on computers and facing a wall of theater-size screens. Information displayed on the screens helps them keep tabs on whether any attacks are underway at any of the company's more than 600 corporate clients. Every five minutes or so, a giant, illuminated globe appears on the central screen and starts to rotate, displaying the locations worldwide where hackers are launching the most attacks. Symantec uses special technology to monitor a huge chunk of the public Internet along with the internal nooks and crannies of its clients' private networks, looking for telltale signs of computer break-ins. Its software constantly compares current hacker activity with a database of prior attacks, then displays in red the names of countries where an unusual amount of malicious Internet activity is originating that day. The rotating globe also displays the number of attempted break-ins against Symantec clients over the past 24 hours in the 10 most active countries. On a recent Friday, the globe showed more than 16,000 attempted break-ins originating from the United States, which often ranks as the world's top launching pad for computer hackers. Brazil ranked No. 4 with 722 attacks. South Korea, Japan, Germany and Taiwan also frequently appear on Symantec's top 10 list for malicious computer activity. Big numbers are par for the course at the Alexandria center, where analysts detect more than 15,000 discrete "security events" against Symantec's clients every day. About 4,000 are deemed real hacker attacks after further analysis, company officials said. "You can tell from these statistics that it's the Wild West out there on the Internet," said Grant Geyer, who supervises the 12,000-square-foot facility. "Companies need to do whatever they can to protect themselves." The four-year-old operation, which includes special monitoring and "data mining" technology, was created by a local start-up called Riptech. Last year, California-based Symantec paid about $350 million to buy Riptech and three other electronic-security firms (Recourse Technologies, SecurityFocus and Mountain Wave) that had developed proprietary anti-hacker technology. Symantec merged Riptech's operations with its own and now has four similar centers -- in Britain, Japan, Germany and San Antonio. Symantec is known as the maker of the Norton anti-virus software that runs on many home computers. But like competitor Network Associates, it has been diversifying its security arsenal in an attempt to be at the forefront of an emerging industry -- managing cybersecurity on behalf of companies and governments. Mid-size companies typically pay Symantec $1,000 to $2,000 a month to monitor their networks. The firm has big clients, too -- including 55 of the Fortune 500 companies -- and does work for several federal agencies. The managed-security industry is complex and growing fast, especially as companies awake to the difficulties of interpreting the deluge of data on their computer networks. Not only is it hard to make sense of who's doing what on a firm's network, Web sites and wireless devices, but almost no company can see what is happening on other computer networks. One advantage managed-security firms have is a global view that lets them detect patterns. The Alexandria facility is a private, miniature version of the kind of public Internet-monitoring capability the Bush administration wants the federal government to develop to protect the nation's electronic infrastructure. The administration is readying for release in a few weeks a final draft of its national strategy for bolstering cybersecurity. Hacking -- unauthorized break-ins on private computers and networks -- is increasing dramatically as more computers connect to the Internet. So, too, is the distribution of computer "viruses" and "worms" that travel the globe via images, documents and plain-text e-mail messages. Riptech, one of the few companies that monitored global hacking, detected a rise in malicious computer traffic during the first half of last year amounting to an annual rate of 65 percent. One reason for the jump was the explosive growth in the distribution of point-and-click hacking tools online. At the same time, more critical commercial and government operations are moving online, presenting a greater number of tempting targets to cyber-crooks. The United States and other countries have passed laws criminalizing certain forms of electronic break-ins, but detection and prosecution remain a challenge because it's so easy to hide tracks in cyberspace. Even in Alexandria, Symantec's job isn't to catch the bad guys, nor to report them to law enforcement -- it's to thwart attacks and notify companies of problems. Natalie Smishko, 25, is typical of the analysts. Sitting in a raised, rotating cubicle with built-in computer monitors and its own heat and light controls, Smishko pores over logs in an attempt to separate real attacks from false positives. Symantec's software automatically collates data from multiple sources -- all the software programs and hardware devices that companies use to monitor their networks -- and presents it in a unified format. "In this case, an attack was launched against one of our clients and you can see where they scanned our protected network," said Smishko, pointing to a list of network locations that allowed her to click on any single address to get more details. Another view showed her all the computer ports the interloper had scanned to see if they were open. Drilling deeper, she could see where, if at all, the interloper entered the client's network. If data is transmitted, she can see that, too -- and not only when it is moved by outsiders. Symantec has caught insiders improperly sending pre-merger details and pre-earnings data and has reported those findings to the employees' bosses. In addition, Smishko can probe Symantec's database history to see if a hacker's style of attack -- the reconnaissance probes he runs, software he uses, ports he tries to enter and originating Internet addresses -- matches prior attacks. Spotting repeat offenders helps Symantec anticipate what might come next, as with attacks that happened on the financial sector last summer. During that time, analysts in Alexandria saw Bulgaria's name suddenly go red on their giant globe as the hacking activity originating there increased over a three-week period. The analysts determined that unidentified cyber-baddies were launching what appeared to be coordinated attacks against many of the largest financial institutions in the United States, several of which are monitored by Symantec. "We immediately gave a whole block of IP addresses [numerical addresses of specific machines hooked up to the Internet] to our clients and told them to block all traffic originating from those addresses," Geyer recalled. That doesn't mean the perpetrators were actually in Bulgaria. Serious attacks often are launched through "bot-nets," slang for networks of robots, typically compromised machines in the homes of unsuspecting PC users. Hackers take these computers over from afar and turn them into "zombies" that they control remotely and use to launch coordinated attacks. "It's not unusual for us to see a single home computer launch attacks against 200 of our clients on the same day," Geyer said. It's anybody's guess, of course, who will win this escalating global arms race between hackers and anti-hackers. But it's a sure bet that 2003 will see plenty of new resources pour into the coffers of cybersecurity firms, bulking up the fledgling anti-hacking industry. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 00:49:08 PST