[ISN] Sandia Labs studies phony computer network for hackers

From: InfoSec News (isn@private)
Date: Thu Nov 20 2003 - 23:14:37 PST

    http://www.oaklandtribune.com/Stories/0,1413,82~1865~1776530,00.html
    
    By Ian Hoffman
    STAFF WRITER
    November 19, 2003 
    
    Instead of merely fending off thousands of daily computer attacks,
    federal researchers are trying a new tack: Create a meaningless
    digital universe to bog down hackers and study their tactics.
    
    It's called a "honeynet," and while the idea isn't exactly new,
    branches of the U.S. defense community are starting to embrace the
    idea.
    
    "If I can detect and delay someone until I can get a (law-enforcement)  
    response to where they are, then I don't need to build four-foot-thick
    bunkers to keep them out," said Barry V. Hess, co-manager of
    cybersecurity for Sandia National Laboratories.
    
    Network-security experts at Sandia's California campus in Livermore
    are experimenting with such a mirage this week in Phoenix.
    
    Their charge is protecting a supercomputing conference touted as the
    most data-rich public gathering in the world, handling the wired and
    wireless equivalent of more than 30,000 cable modems -- all without a
    main firewall.
    
    It adds up to a vigorous road test for Sandia's honeynet, especially
    with new breeds of supercomputers and video-conferencing systems tying
    online almost every day of the conference.
    
    "The door is wide open," said Tim Toole, a Sandia network architect
    working security for SC2003. "If someone wants to, they can knock at
    the door of Booth 31's supercomputer and they can walk right in."
    
    First an attacker has to identify the target machine. Automated worms
    and viruses get screened by the virtual network. Human attackers probe
    deeper and find an improbably large universe of computers.
    
    Unlike honeypots -- machines or software mimicking a vulnerable
    computer operating system -- a honeynet is a bogus network, a
    cyber-verse that has no purpose except to distract hackers from a real
    network and record their actions in a system where they can't do much
    harm.
    
    That's the fascination of honeypots and honeynets, said honeypot
    builder Niels Provos, a security researcher for Google and member of
    the Honeynet Project, a loose-knit group of security experts looking
    at the technology.
    
    "You'd like people who are in the business of attacking networks to
    tell you their knowledge," Provos said. "So you put honeypots out
    there."
    
    Honeypots already have fingered computer vulnerabilities, helped trace
    the black market in credit-card numbers and shown promise at filtering
    spam. Honeynets give researchers a glimpse at the vast flow of pings,
    probes and illicit traffic.
    
    In a typical day, for example, Sandia-California's unclassified
    computer network is hit by roughly 100,000 worms and 100 to 200 attack
    attempts. The lab's classified computer network, which contains
    nuclear weapons data, defense and intelligence information, is
    considered relatively secure.
    
    By law, it is "air-gapped" from outside connections, except for a
    limited number of government links protected by encryption approved by
    the National Security Agency. But the unclassified network still
    contains proprietary business and personnel information worth
    protecting.
    
    "The ultimate goal is to deter them from your real computer system and
    delay them on a fictitious system so you have more time to figure out
    who they are and what they're after," Toole said. "We can feed them a
    little good information, a little bad information. We can use it as an
    educational tool to figure out their mentality. We want to see if we
    can go after the black hats."
    
    Experts say the growing federal interest in honeynets doesn't presage
    the end of firewalls, intrusion-detection systems and other
    cybersecurity tools.
    
    "It's not a silver bullet, and it certainly doesn't replace the need
    for other forms of computer security," said Dorothy Denning, a
    professor of defense analysis at the Naval Postgraduate School's
    Center for Terrorism and Irregular Warfare in Monterey.
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    