[ISN] Honeynet Founder Lance Spitzner: "Hackers not afraid of being caught"

From: InfoSec News (alerts@private)
Date: Tue Nov 28 2006 - 01:36:31 PST


http://hackreport.net/2006/11/28/honeynet-founder-lance-spitzner-hackers-not-afraid-of-being-caught/

By Martin Hack 
November 28th, 2006

Lance Spitzner is considered the leading light in the field of honeypot 
research. He is the founder of the Honeynet Project which currently 
consists of 15 organizations spread throughout the world. The Honeynet
Project's goal is to capture information on threats, analyze them and
publish the findings. Realizing the importance of this project, the US
Government awarded him a grant that allows him and a small team to
focus exclusively on the project.

I had an opportunity to chat with Lance about his perspective on the 
current security landscape.

What are the biggest changes you have seen over the last couple of 
years?

Years ago it was hackers who were doing it for the bragging rights, now
it's criminals. The motivation has changed, hacking is now profitable and
there's so much money to be made with very little risk to the actual
hackers.

Interestingly enough IRC (Internet Relay Chat) is still being utilized 
to start attacks and for communications amongst the bad guys. There are 
more secure means of communications available but they are still using 
IRC. They are not worried about being caught; they are blatantly doing
these things out in the open. Though the good ones are communicating
less, which makes it harder to track them. Their focus has shifted to
making money, in which case they naturally don't want to make a name for
themselves, so there's less bragging involved, less communication.

Over the past year or two we have seen a tremendous amount of
acceleration of adaptability on the part of the hackers, the minute
there's a new security tool out there, the bad guys find a way around it.
Spam is a good example, nobody has been able to stop it. Recently you
see spam that comes in the form of distorted or disguised images, so it's
even harder to filter it. It's amazing how fast the bad guys are staying
ahead of us.

And then there is the issue of catching the bad guys. There are a lot of
good guys in law enforcement, but even if you track down a guy somewhere
on the other side of the globe, you then need to find a prosecutor who
is willing to go forward. And sometimes that's not a high priority for
them.

Even with better technology, better OS security, stronger passwords, 
better policies it just makes it more difficult and time consuming for 
the bad guys but they can spend all the time since there is no fear of 
prosecution. So much profit for so little risk.

Hacking is just a tool for extortion, fraud, identity theft, things that 
have been happening for a long time. If we want to make it more 
difficult for them we have to bump up the risk as a deterrence.


Are you doing any research based on specific industry threats?

We are starting to do research on financial threats since there's a lot
of activity there.


Which countries have most of the hacking activity?

Hacking is getting more global but for some reason we are still seeing a 
lot of activity coming out of Romania.


What about botnets?

Our German team is doing a lot of research there. In general botnets are
basically business infrastructure for the bad guys, they can change
their attack behavior to whatever their customers demand, DDOS
(extortion), spam, phishing, they have flexibility. The whole thing is a
business now.


Do attackers know when they are in a honeypot?

They could potentially reverse engineer our tools and find out, but in
general they are not looking. In reality they don't have any fear of
being caught.


Automated vs. Manual Attacks

My assumption is that almost everything is automated now, however there
might be script kiddies and some elite hackers that do their own special
thing but that's a very small percentage. Most activity is automated, it's
simply ROI for them, that's the way to make money.


How much can technology help to stop threats?

Technology will only go so far, the vendors put a lot of time and effort
in making the operating systems more secure. They have finally gotten
there, it's much more difficult now to breach a default system. However
what took us 5 years to figure out and implement has taken the bad guys
5 minutes to figure out to get around - which is to go after the human.


Do you have any data on whether actual attacks increased or decreased?

I don't have exact numbers but I have a feeling that the number of
attacks peaked about a year ago. There are still a lot of attacks but
there's also a lot of other stuff like phishing going on. I wouldn't be
surprised if the number of attacks either plateaued or are even going
down. The bad guys had first to compromise the operating systems to
build the botnets. Also there are constantly new devices that get
connected to the Internet, BlackBerrys, handhelds and things like that,
these are just new markets for the bad guys to make money with.


Recourse Technologies (which was later acquired by Symantec) had one of 
the first commercial honeypot solutions, do you see a market for such 
products?

No. Since most of the data is used for research, the main consumers of 
the data are government, law enforcement and educational institutions 
and to some extent security vendors themselves.


If someone wants to learn more about the Honeynet Project, what should 
they do?

The best way to start is with our website, www.honeynet.org. It contains
all the information and how to get in touch with us.

