http://www.smh.com.au/news/Next/Honeynet-traps-the-unwary/2005/05/23/1116700623833.html By Patrick Gray May 24, 2005 Next Some people just won't learn, according to the University of Washington's David Dittrich, a speaker at this week's AusCERT security conference on the Gold Coast. In his 15 years with the university, Mr Dittrich has had a lot of experience with security incidents but didn't expect computer users to be so reticent to learn about the dark side of computing. "Still people don't understand the power of the computers they have when they're taken over by someone else," Mr Dittrich says. "I thought the education process would happen faster." Mr Dittrich, 43, started work at the University of Washington in an administration role, maintaining Unix machines and coding MS-DOS based applications that controlled nuclear magnetic resonance equipment. Before long, Mr Dittrich moved into Unix support and eventually security administration. Since then he's cemented a reputation as an expert on Distributed Denial of Service (DDoS) attack tools and honeynet research. A honeynet is a computer, or group of computers, designed to be attacked for research and attack detection purposes. During his time in the field, he's seen things change. "In 1996 and 1997 the number of Unix intrusions was going through the roof and Windows wasn't really a problem at that point," he says. That all changed when Microsoft decided to build internet protocol support into its operating system in the mid-'90s. By 1999, the number of attacks had seemingly doubled and attackers weren't just hitting Unix systems. Scores of the university's 60,000 computers were breached every day. These days, Mr Dittrich is a senior security engineer and staff researcher at the university. He has also helped to develop course material taught across all faculties. Under a National Security Agency (NSA) approved program, the University of Washington now teaches non-IT students about the importance of data security. "The NSA definitely has it right when they're trying to convince people to get this education across every program," Mr Dittrich says. "Unless you have everyone up to speed and adequately paranoid, you're not going to have a secure system." And, according to Mr Dittrich, we have plenty to be paranoid about. Automated tools that made the wholesale compromise of thousands of systems first appeared in about 2000, he says, but they're still getting better. "I'm seeing a definite trend in increased sophistication in automation on everything to do with intrusion," Mr Dittrich says. More complicated and harder to detect tools are available to miscreants, he says, and "it's going to make it harder to deal with advanced attacks". In some ways, that's why Mr Dittrich believes in his honeynet research. While aspects of the research are increasingly geared towards forensic analysis, the honeynet can still be a valuable "canary in the coal mine"; a decoy system, which, when hacked into, should set alarm bells ringing. That hasn't stopped some security industry commentators from questioning the usefulness of honeynets in recent times. Greg Shipley, CTO of Chicago-based IT security consultancy Neohapsis, once described honeynets as "the IT security guy's pet rock". While he takes that one on the chin, Mr Dittrich admits honeynets are of limited use for most. But for others, it gives them a way to augment their existing security set-up and spin-off tools with applications in forensics that have been a welcome side-effect. However, Mr Dittrich argues that the answer lies in education and co-operation, not in a specific technology. In response to the next generation of threats, the security industry will have to work more effectively with the security research community and everyone will have to communicate more suitably with upper management, Mr Dittrich says. "That's been changing a lot but there's still a big gap," he says. The fourth annual AusCERT IT security conference started on the Gold Coast on Saturday. It ends on Thursday. _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 12:10:45 PDT