[ISN] A New Way to Catch a Hacker

From: InfoSec News (isnat_private)
Date: Tue Apr 29 2003 - 00:25:56 PDT


    http://www.nytimes.com/2003/04/28/technology/28NECO.html
    
    By NICHOLAS THOMPSON
    April 28, 2003
     
    For a computer security professional, Lance Spitzner has an unusual
    goal: He wants ill-intentioned hackers to steal more Social Security
    numbers and medical records.
    
    Mr. Spitzner, a former Army officer, spends his days working at Sun
    Microsystems and his evenings running the volunteer Honeynet Project,
    a group of security professionals working to track hackers. Until
    recently, the four-year-old nonprofit effort focused on building and
    monitoring honeypots — computer systems designed to be easily
    penetrated so that Honeynet volunteers can covertly scrutinize
    hackers' tricks when they break into the systems.
    
    Now Mr. Spitzner, 32, is focusing his efforts on a different type of
    defense based on the insertion of "honeytokens" into real databases
    and systems.
    
    Honeytokens are pieces of seemingly enticing information that have no
    useful value. Embedded in ways so that no innocent person should
    accidentally stumble upon them, honeytokens trigger alarms when
    viewed, grabbed or downloaded. For example, a bank could insert a fake
    credit card number into its files and then set up a program called a
    "sniffer" on the network that would send out an alarm if anyone
    touched that particular number.
    
    The term "honeytokens" was coined on Feb. 21 by a programmer named
    Augusto Paes de Barros who used it in an e-mail message to a list of
    security professionals. But the idea is not new.
    
    It dates back in computing at least to 1986, when Clifford Stoll, a
    programmer at Lawrence Berkeley National Laboratory in California,
    buried fake records for an organization called the Strategic Defense
    Initiative Network deep in his server. When intruders started
    downloading the records, and then someone sent a letter to Mr. Stoll
    about the phony organization, he and federal investigators traced the
    intruders to East German and Soviet intelligence agencies.
    
    Today, the use of honeytokens is not uncommon. For example, ForeScout
    Technologies, based in San Mateo, Calif., has built a commercial
    software program that tracks incidents of surreptitious
    reconnaissance, like port scans — the computer equivalent of someone
    turning your doorknob to see if it is unlocked. The program will
    announce a false message of vulnerability to the scanner in the form
    of a honeytoken. It then breaks the connection if the hacker follows
    up with an attack.
    
    Honeytokens, like their cousins the honeypots, are based on the notion
    that if you build it, they will come. Mr. Spitzner became intrigued by
    the idea of honeypots after putting a new computer online at home and
    watching it get attacked within 15 minutes by an automatic program
    scanning the Internet for vulnerable prey.
    
    Many computer criminals break into systems simply for the fun and
    challenge. Others are looking to take over vulnerable systems in order
    to use them as safe houses for setting off further, more serious,
    attacks. Others want to mine credit card addresses or steal corporate
    secrets. According to a 2002 report by the Computer Security
    Institute, 90 percent of the 500 corporations, government agencies,
    financial institutions, medical institutions and universities surveyed
    detected security breaches during the previous year.
    
    Honeytokens could also be useful for national security purposes.  
    Michael Vatis, director of the Institute for Security Technology
    Studies at Dartmouth University, said that the Defense Department
    could use them to snare people seeking unauthorized information on
    weapons systems. For example, a honeytoken could be designed so that
    if it were downloaded and then taken to a different system, it would
    be able to contact its original server each time it was accessed. One
    way to do this would be to include code in the honeytoken that would
    automatically try to fetch a tiny image or some other file based on
    the home server, making the honeytoken "phone home" whenever it is
    opened.
    
    Honeytokens also can be used to track attacks from within a company by
    people who have passwords to enter the system legitimately. Pete
    Herzog, managing director of the Institute for Security and Open
    Methodologies, says that he has used honeytokens to detect when
    employees illicitly download forbidden material. For example, he has
    entered corporate memos with particular typos into private databases
    and then monitored company networks to see where those typos show up.  
    Tracing these honeytokens, he says, often leads to caches of illegal
    materials stored on the network.
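    The detection side of the two uses described above (the fake credit card
    number watched by a network sniffer, and the memo typos traced across the
    network), as an added example that is not part of the article: a small
    Python scanner that holds constructed decoy values and raises an alert
    whenever one of them appears in sniffed or proxied content. All token
    values, addresses and traffic lines are made up for the example.

```python
import re

# Constructed decoy values for this example; none is a real identifier.
HONEYTOKENS = {
    "decoy-card-01": "5555000011112222",          # fake card number seeded in a ledger
    "decoy-ssn-01": "987-65-4320",                # fake SSN seeded in a patient record
    "memo-typo-01": "quarterly revenu forecast",  # misspelled phrase seeded in a memo
}

def token_pattern(value):
    """Matcher that tolerates cosmetic reformatting: digit tokens may gain or
    lose separators, phrase tokens match case-insensitively across whitespace."""
    digits = value.replace("-", "")
    if digits.isdigit():
        body = r"[ -]?".join(re.escape(d) for d in digits)
        return re.compile(r"(?<!\d)" + body + r"(?!\d)")   # no digit on either side
    return re.compile(r"\s+".join(re.escape(w) for w in value.split()), re.IGNORECASE)

def scan(lines, tokens=HONEYTOKENS):
    """Return (token_id, source, payload) for every sniffed line carrying a decoy.
    Each line is '<source> <payload>', as a sniffer or proxy might log it."""
    patterns = {tid: token_pattern(v) for tid, v in tokens.items()}
    alerts = []
    for line in lines:
        source, _, payload = line.partition(" ")
        for tid, pat in patterns.items():
            if pat.search(payload):
                alerts.append((tid, source, payload))
    return alerts

# Constructed traffic: three touches of decoys, one innocent lookup of a
# similar-looking number, and one password-protected archive the sniffer
# cannot see inside (the evasion the article describes).
SAMPLE_TRAFFIC = [
    "10.0.0.7 GET /export/ledger.csv?row=5555 0000 1111 2222",
    "10.0.0.7 GET /patients?ssn=987654320",
    "10.0.0.5 SMB write /fileserver/share/memo.txt 'Quarterly revenu forecast attached'",
    "10.0.0.3 GET /orders?id=9876543200",
    "10.0.0.7 POST /upload body=<password-protected zip, 4 KB>",
]

if __name__ == "__main__":
    for tid, source, payload in scan(SAMPLE_TRAFFIC):
        print(f"ALERT {tid} from {source}: {payload}")
```

    The archive line produces no alert, which is why content sniffing needs to be
    paired with access logging at the data source itself.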
    
    No one believes that honeytokens can stop all cybercrime. But they
    could offer an upgrade in protection.
    
    Honeytokens offer another advantage: They help reduce the number of
    false positives in other cyberdefense systems. Like car alarms,
    intrusion detection systems can go off so frequently because of
    accidental trespassing that many security administrators ignore the
    warnings. Honeytokens, if designed correctly, should trigger alarms
    only if there is a malicious attack.
    
    Hackers, however, are not impressed. Adrian Lamo, who gained notoriety
    last year when he claimed to have broken into the systems of a number
    of companies, including Yahoo, says he is not worried. "It's a form of
    old-school security," he says. "It will work on the people who have
    been to the old schools."
    
    Mr. Lamo says that he only goes after information that he knows other
    people frequently seek access to and that he runs credit checks to
    ensure that information he uncovers, like Social Security numbers, is
    real. Mr. Spitzner contends that it should not matter whether a hacker
    bothers to run a credit check because the alarm should ring any time
    the decoy record is accessed.
    
    Hackers can also evade honeytokens by compressing and
    password-protecting the information they steal, thereby changing or
    hiding the data, like fake Social Security numbers or typos, in memos
    that the sniffers are searching for. And "phone home" honeytokens
    designed to trace users could be thwarted if opened only on computers
    disconnected from the Internet.
    
    Some experts are also worried about the possibility that using
    honeytokens could violate the federal Wiretap Act, which places limits
    on intercepting and monitoring electronic communications. Richard
    Salgado, senior counsel for the Justice Department's computer crime
    and intellectual property unit, has said that very little law governs
    this new area and that security technicians should first consult their
    lawyers.
    
    Mr. Spitzner said that he was less worried about the law than about
    smart hackers. Honeytokens cannot solve all problems, he said. "But
    they can make a very simple and powerful tool in a security arsenal."
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 02:35:21 PDT