[ISN] How to Foil Data Thieves, Hackers

From: InfoSec News (isnat_private)
Date: Mon Jan 20 2003 - 22:55:36 PST

Associated Press
January 20, 2003

A suspected crooked insider at a New York software company sells
consumer credit reports to identity thieves, at roughly $30 a pop, in
a high-tech scam that prosecutors say victimizes thousands.

An unemployed British computer administrator fights extradition to
face federal charges in Virginia and New Jersey that he hacked into 92
separate U.S. military and government networks, often getting past
easy-to-guess passwords to download sensitive data.

These and other recent data intrusions, whose authors are typically
intent on theft, sabotage or cyberterrorism, have given rise to a
promising profiling-and-reasoning strategy aimed at preventing online
break-ins as they happen.

Just as authorities use profiling to guard against criminals at ports
and borders, researchers at the State University of New York at
Buffalo are developing software that can generate highly personalized
profiles of network users by analyzing the sequences of commands
entered at each computer terminal.

The system -- a prototype is likely to be ready for intensive testing
this summer -- could provide a high-grade layer of protection for
military installations and government agencies as well as banking or
other commercial networks that require especially tight monitoring.

The "user-level anomaly detection" software draws up regularly updated
profiles by closely tracking over time how each person performs an
array of routine tasks, such as opening files, sending e-mail or
searching archives.

Designed to tell if someone has strayed into an unauthorized zone or
is masquerading as an employee using a stolen password, the program
keeps watch for even subtle deviations in behavior. Alerted to
anomalies, network administrators then begin monitoring more
aggressively to assess whether pilferage is in progress.

"The ultimate goal is to detect intrusions or violations occurring on
the fly," said chief researcher Shambhu Upadhyaya, a SUNY Buffalo
computer science professor. "There are systems that try to do this in
real time, but the problem is it results in too many false alarms."

Keeping false alarms to a manageable minimum is key, but extremely
difficult to achieve, said Bruce Schneier, a network security and
cryptography expert and author of Secrets & Lies: Digital Security in
a Networked World.

"These systems live and die on false alarms," said Schneier. "You see
this problem in facial recognition, trying to catch terrorists by
recognizing faces in airports. All those trials failed miserably."

The Buffalo school is one of 36 research and teaching centers
designated by the National Security Agency since 1998 to help
safeguard America's information technology systems.

Aided by doctoral student Ramkumar Chinchani and Kevin Kwiat of the
Air Force Research Laboratory in Rome, New York, Upadhyaya began
examining in 1999 whether monitoring simple user commands instead of
network traffic might produce faster, more effective monitoring.

Some computer-security products that feature user profiling seek out
deviations on the basis of huge amounts of data flowing through entire
networks. They're typically 60 percent to 80 percent reliable, whereas
simulation tests indicated the new software would be up to 94 percent
reliable, Upadhyaya said.

The software borrows from risk-analysis economic models, drawing on
dynamic reasoning and engineering methodologies. And even if it proves
successful, the software would be just one tool in a computer-security
arena that requires multilayered defenses, Upadhyaya said.

"Hackers are a step ahead of you always," he explained, noting that
the military "is especially worried about the insider who's been there
a long time and learned all the loopholes."

Mike Kurdziel, an information security specialist at Harris, which
makes tactical military radios, thinks Upadhyaya has "constrained the
problem" by installing various thresholds to curtail false alarms.
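The article describes the approach only in outline: per-user profiles built from command sequences, alerts on deviation, and thresholds tuned against false alarms. The following is an added illustration of that idea, not code from the SUNY Buffalo project; the command sessions are constructed, and the bigram profile, novelty score and threshold are assumed design choices.

```python
from collections import Counter

# Constructed training data: command sequences from one user's past
# sessions (hypothetical, for illustration only).
TRAINING_SESSIONS = {
    "alice": [
        ["ls", "cd", "vim", "make", "make", "git", "ls"],
        ["cd", "ls", "vim", "vim", "make", "git", "git"],
        ["ls", "vim", "make", "git", "cd", "ls", "vim"],
        ["cd", "vim", "make", "git", "ls"],
    ],
}

def bigrams(session):
    """Consecutive command pairs, the unit the profile is built from."""
    return list(zip(session, session[1:]))

def build_profile(sessions):
    """Per-user profile: how often each command pair has been seen."""
    profile = Counter()
    for session in sessions:
        profile.update(bigrams(session))
    return profile

def novelty_score(profile, session):
    """Fraction of the session's command pairs never seen in the profile (0.0..1.0)."""
    pairs = bigrams(session)
    if not pairs:
        return 0.0
    unseen = sum(1 for p in pairs if p not in profile)
    return unseen / len(pairs)

def is_anomalous(profile, session, threshold):
    """Raise an alert only when novelty exceeds the operator-chosen threshold."""
    return novelty_score(profile, session) > threshold

def false_alarm_rate(profile, legit_sessions, threshold):
    """Share of known-legitimate sessions that would trip the alert at this threshold."""
    alarms = sum(is_anomalous(profile, s, threshold) for s in legit_sessions)
    return alarms / len(legit_sessions)

PROFILE = build_profile(TRAINING_SESSIONS["alice"])
# Constructed held-out sessions: the same user on later days (one with slight drift).
LEGIT_SESSIONS = [
    ["ls", "vim", "make", "git", "ls", "cd", "vim"],
    ["cd", "ls", "vim", "make", "git", "git", "cd"],
    ["cd", "vim", "make", "git", "ls", "ls"],
]
# Constructed session from someone using the same account but behaving differently.
MASQUERADE_SESSION = ["find", "grep", "tar", "find", "grep"]
```

Lowering the threshold from 0.3 to 0.1 flags the masquerade session either way but also starts alarming on the user's own drifting session, which is the trade-off the article's experts describe.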
"Other intrusion techniques require something like looking at audit
logs after the damage has already occurred," Kurdziel said. "The
advantage offered by this approach is that an intruder with malicious
intent can be identified very early and a system operator can contain
the damage, repair it in real time and shut out the intruder.

"This really is an advance," he said. "This means that systems that
have been attacked by an intruder maliciously might not necessarily be
brought down."

ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 03:20:42 PST