Setting Out The Snares For Hackers
By Jennifer Lee, The New York Times, 9/6/2001
THE break-in came on June 4, 2000, at 11:37 a.m. The target was a Sun
Sparc5 computer sitting in the spare bedroom of a suburban Chicago
The perpetrator probed the computer's operating system for a well-known
vulnerability. When he found it, he attacked by sending a small piece of
code that exploited the weakness and opened a backdoor to the system's
most sensitive areas.
The attacker set up shop inside the computer, reprogramming the machine
to lie to the owner. He installed a program that would allow him to
control the computer remotely, and he fixed the holes in the computer's
security to secure it against other intruders. He then tried to cover up
his tracks, erasing any record of his having broken in. But it was too
late: the computer was equipped with sensors, the digital equivalent of
a burglar alarm. An e-mail message went out to 20 computer professionals
around the globe alerting them to the attack.
They didn't move to stop the intrusion or defend the computer, however.
They simply sat back and observed.
The marauding intruder had wandered into what is known as a honeypot, a
computer that is designed to be attacked. While most such machines are
lures to keep attackers away from important computer systems, this one
was part of a nonprofit research effort known as the Honeynet Project.
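The "burglar alarm" idea described above, as an added example that is not the Honeynet Project's own code: a minimal low-interaction honeypot listener that serves nothing, so any inbound connection is recorded and turned into an alert. The `probe` helper and the 127.0.0.1 address are assumptions used only to generate constructed local test traffic.

```python
# Added example, not Honeynet Project code: a minimal low-interaction
# honeypot sensor. The decoy runs no real service, so every inbound
# connection is suspicious; it is recorded and turned into an alert.
import socket
import threading
import time

class HoneypotSensor:
    def __init__(self, host="127.0.0.1"):
        self.host, self.port = host, 0      # port 0: the OS picks a free one
        self.events = []                    # (epoch_ts, src_ip, src_port, first_bytes)
        self.alerts = []                    # stands in for the alert e-mail
        self._sock = None

    def start(self) -> int:                 # bind the decoy, accept in background
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self._sock.accept()
            except OSError:
                return                      # listener was closed by stop()
            conn.settimeout(0.5)            # don't hang on a silent scanner
            try:
                data = conn.recv(256)       # first bytes the probe sends, if any
            except OSError:                 # socket.timeout is an OSError
                data = b""
            conn.close()
            self.events.append((time.time(), ip, port, data))
            self.alerts.append(f"honeypot touched from {ip}:{port}, {len(data)} bytes")

    def wait_for(self, n: int, timeout: float = 3.0) -> bool:
        deadline = time.time() + timeout    # sync a caller with the accept thread
        while len(self.events) < n and time.time() < deadline:
            time.sleep(0.02)
        return len(self.events) >= n

    def stop(self):
        self._sock.close()

def probe(port: int, payload: bytes = b"") -> None:
    """Constructed test traffic: one TCP connection to the decoy, scanner-style."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        if payload:
            c.sendall(payload)
```

Because the decoy has no legitimate users, there is no need to distinguish good traffic from bad: the alert list is the whole detection logic.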
Relying partly on criminal psychology and partly on computer security,
the Honeynet Project enlists experts to lay traps to examine the modus
operandi of predatory hackers, or "black hat" hackers.
The project started out as a hobby for Lance Spitzner, a security
engineer for Sun Microsystems who became curious about some suspicious
activity he saw on his computer logs at home. When he put a computer
online to test for hackers in February 1999, it was attacked within 15
minutes by an automated program that was scanning the Internet for
It was his first exposure to how aggressive and systematic the black hat
hackers are: not only corporate systems, but even nondescript home
computers have value to them. Security through obscurity is not a viable
Through his requests for help and word-of-mouth communication, the
project has mushroomed into a team of 30 respected programmers,
psychologists, reformed and semi-reformed hackers, and former military
officers from the United States to Israel to India who volunteer their
spare time. Team members rarely meet face to face, instead dissecting
information individually and communicating with one another by e-mail.
But in July about 15 of them met in Las Vegas to do a presentation at
the Black Hat computer security conference, with some of them seeing
each other for the first time.
If nothing else, the project has demonstrated that computers on the
Internet are vulnerable. It estimates that between April and December of
last year, nine of its 12 computer systems were hacked, some of them
multiple times. One Windows 98 system was compromised five times in four
In an unusual move for the opaque world of computer security, the
Honeynet Project has been sharing its research publicly, first through a
series of papers released on the Internet and next through a book called
"Know Your Enemy," to be published by Addison-Wesley with an
accompanying CD-ROM this month. The project hopes to raise awareness of
the risks posed by black hat hackers, even to home computers. Through a
step-by-step analysis of how black hats disguise their attacks, they
hope to learn how to prevent one.
The Honeynet Project grew out of Mr. Spitzner's surprise and
disappointment over how little information on black hat hackers was
available to security professionals, in contrast to the detailed enemy
profiles he relied on during four years as an Army tank commander in the
military's Rapid Deployment Force after the Persian Gulf War.
In warfare, he said, knowing the enemy's motivations, techniques and
weapons is critical. "In the military you are given intelligence on your
enemy," said Mr. Spitzner, who crawled around the inside of a Russian
T-72 tank as part of his training. "In the security community, there is
very little information on the enemy -- what they do, how they attack."
The project first documents the frequency of attacks on a target. In one
30-day period, the "honeynet" -- typically, three or more computers set
out as bait -- was scanned an average of 17 times a day. The team
estimates that the computer system most vulnerable to hackers is the
default installation of a Red Hat 6.2 server, which they say is usually
compromised within 72 hours. (Although a patch is available, users often
neglect to install it.)
Roger Schermerhorn, a senior manager with the Andersen consulting firm
who was among several hundred computer security professionals at the
Honeynet presentation in Las Vegas, said he was impressed by the
statistics. "It's quantifiable measurements and data," he said. "That's
extremely rare to find."
The project's analysis is psychological as well as statistical. Some of
the most intriguing information involved the attack on the Sun Sparc5 in
June 2000, which the project analyzed in a paper posted at project
Honeynet reported that the computer had been attacked by an
international gang of computer hackers, most of them based in Pakistan,
who had taken over hundreds of computers around the world with the goal
of using them as launching pads for other attacks.
The group, which calls itself K1dd13 (pronounced kiddie), was not
technically savvy. In the online chats, one member asked how to mount a
drive in the Unix operating system, which for a hacker would be as
rudimentary as knowing how to insert a CD-ROM into a PC. Even so, the
Honeynet Project says, the group has invaded computers operated by NASA
and the United States Navy. "It says something about us as security
professionals that people who are this incompetent can cause this much
damage," Mr. Spitzner said.
By monitoring the hackers' online conversations, which shifted from
English to Romanian to a dialect of Urdu, Pakistan's national language,
the security professionals were able to piece together profiles of the
hackers and produce a case study of the sociology of hacking.
They believe that the leader is a 17-year-old youth in Karachi,
Pakistan, who says his activities are motivated by a desire to draw
attention in cyberspace to violence against Muslims in Kashmir, the
disputed territory bordering India and Pakistan. Other members of the
group seemed motivated less by politics than by an urge to do damage.
The proliferation of automated hacking tools, which systematically scan
large numbers of computers on the Internet and exploit their weaknesses,
has made attacking accessible to "script kiddies," hackers who have
relatively little technical knowledge.
"They were not very skilled," said Saumil Shah, a Honeynet Project
member who translated much of the online dialogue from Urdu. "They were
just fumbling around."
The hackers' personalities proved more interesting than their
techniques. Analyzing the K1dd13 conversations, the Honeynet Project
psychologist, Max Kilger, described a complex hierarchy based on
technical prowess in which rivalry plays a big role. Dr. Kilger, who
works for a market research firm, noted the extent of bragging and
denigration of other members' skills, a practice that apparently extends
to much of the black hat community.
In one conversation, the leader bragged about the speed with which he
attacked 40 computers. "I owned and trojaned 40 servers of Linux in 3
hours," he said. Prestige within the group is partly determined by the
number and the prestige of the computers and domain names controlled.
Rivalries among groups of black hats also lead them to attack one
another's systems for sport. Hackers also often update the security in
their victims' computers to fortify their targets against attacks by
other groups. One popular method is to use the occupied computer to
launch a denial-of-service attack, which involves overwhelming a
computer's capacity with a deluge of requests, on other potential
hackers. "He went down for 7 hours," boasted one K1dd13 member who
"dossed" a rival computer.
The Honeynet Project estimates that 60 percent to 80 percent of hackers
break into computer systems to gain bragging status and that 10 percent
to 20 percent attack systems for financial gain.
"Those are the scary ones," Mr. Spitzner said of the latter. For those
hackers, accounts become a form of currency. The K1dd13 members bartered
online with other black hats, exchanging credit card numbers for
computer user accounts and passwords. One non-K1dd13 hacker offered to
trade 14 unused Visa and Mastercard numbers, or "virgin credit cards,"
for access to computer accounts. Another was looking specifically for a
compromised America Online account.
Most members of the Honeynet Project are white hats, people who use
their knowledge or networks to improve security. Marty Roesch, for
example, created a free intrusion-detection system called Snort.
But in computer security, such things are not always black and white.
Some of the Honeynet Project's biggest contributors are "gray hats" who
are well known for creating some of the invasive tools that people must
defend their computers against.
One Honeynet member from the Chicago area who goes by the online
nickname Rain Forest Puppy is known for discovering high-profile
security flaws in software like that used by Microsoft's Web server and
then distributing programs that take advantage of them. "I'm not in it
to catch hackers," he said in an interview in Las Vegas. "I'm in it to
develop security research."
The Honeynet Project is beginning to gather institutional partners to
speed its research and collection of data. Both the University of
Pennsylvania and the Naval Postgraduate School in Monterey, Calif., have
set up honeynet systems.
In the meantime, members are witnessing how rapidly the black hat
community learns of their progress. After the Honeynet Project posted
its K1dd13 paper on the Internet, for example, it took just four hours
for the hacker group to identify the computer in question and pull out
of the honeypot. "They left a very nasty message behind," Mr. Spitzner
said. "Definitely not printable in a newspaper."
http://www.nytimes.com
GRAPHIC: Photos: Lance Spitzner, who leads the Honeynet Project. (Associated Press) (pg. G1)
LURING PREDATORS: A diagram of Honeynet Project computers, top, and an online conversation between boastful hackers that it monitored. (Associated Press) (pg. G6)