Loading ...
Sorry, an error occurred while loading the content.


Expand Messages
  • Fred Cohen
    Setting Out The Snares For Hackers By Jennifer Lee, The New York Times, 9/6/2001 www.nytimes.com THE break-in came on June 4, 2000, at 11:37 a.m. The target
    Message 1 of 1 , Sep 7, 2001
      Setting Out The Snares For Hackers
      By Jennifer Lee, The New York Times, 9/6/2001
      THE break-in came on June 4, 2000, at 11:37 a.m. The target was a Sun
      Sparc5 computer sitting in the spare bedroom of a suburban Chicago
      The perpetrator probed the computer's operating system for a well-known
      vulnerability. When he found it, he attacked by sending a small piece of
      code that exploited the weakness and opened a backdoor to the system's
      most sensitive areas.
      The attacker set up shop inside the computer, reprogramming the machine
      to lie to the owner. He installed a program that would allow him to
      control the computer remotely, and he fixed the holes in the computer's
      security to secure it against other intruders. He then tried to cover up
      his tracks, erasing any record of his having broken in. But it was too
      late: the computer was equipped with sensors, the digital equivalent of
      a burglar alarm. An e-mail message went out to 20 computer professionals
      around the globe alerting them to the attack.
      They didn't move to stop the intrusion or defend the computer, however.
      They simply sat back and observed.
      The marauding intruder had wandered into what is known as a honeypot, a
      computer that is designed to be attacked. While most such machines are
      lures to keep attackers away from important computer systems, this one
      was part of a nonprofit research effort known as the Honeynet Project.
      Relying partly on criminal psychology and partly on computer security,
      the Honeynet Project enlists experts to lay traps to examine the modus
      operandi of predatory hackers, or "black hat" hackers.
      The project started out as a hobby for Lance Spitzner, a security
      engineer for Sun Microsystems who became curious about some suspicious
      activity he saw on his computer logs at home. When he put a computer
      online to test for hackers in February 1999, it was attacked within 15
      minutes by an automated program that was scanning the Internet for
      vulnerable systems.
      It was his first exposure to how aggressive and systematic the black hat
      hackers are: not only corporate systems, but even nondescript home
      computers have value to them. Security through obscurity is not a viable
      Through his requests for help and word-of-mouth communication, the
      project has mushroomed into a team of 30 respected programmers,
      psychologists, reformed and semi-reformed hackers, and former military
      officers from the United States to Israel to India who volunteer their
      spare time. Team members rarely meet face to face, instead dissecting
      information individually and communicating with one another by e-mail.
      But in July about 15 of them met in Las Vegas to do a presentation at
      the Black Hat computer security conference, with some of them seeing
      each other for the first time.
      If nothing else, the project has demonstrated that computers on the
      Internet are vulnerable. It estimates that between April and December of
      last year, nine of its 12 computer systems were hacked, some of them
      multiple times. One Windows 98 system was compromised five times in four
      In an unusual move for the opaque world of computer security, the
      Honeynet Project has been sharing its research publicly, first through a
      series of papers released on the Internet and next through a book called
      "Know Your Enemy," to be published by Addison-Wesley with an
      accompanying CD-ROM this month. The project hopes to raise awareness of
      the risks posed by black hat hackers, even to home computers. Through a
      step-by-step analysis of how black hats disguise their attacks, they
      hope to learn how to prevent one.
      The Honeynet Project grew out of Mr. Spitzner's surprise and
      disappointment over how little information on black hat hackers was
      available to security professionals, in contrast to the detailed enemy
      profiles he relied on during four years as an Army tank commander in the
      military's Rapid Deployment Force after the Persian Gulf War.
      In warfare, he said, knowing the enemy's motivations, techniques and
      weapons is critical. "In the military you are given intelligence on your
      enemy," said Mr. Spitzner, who crawled around the inside of a Russian
      T-72 tank as part of his training. "In the security community, there is
      very little information on the enemy -- what they do, how they attack."
      The project first documents the frequency of attacks on a target. In one
      30-day period, the "honeynet" -- typically, three or more computers set
      out as bait -- was scanned an average of 17 times a day. The team
      estimates that the computer system most vulnerable to hackers is the
      default installation of a Red Hat 6.2 server, which they say is usually
      compromised within 72 hours. (Although a patch is available, users often
      neglect to install it.)
      Roger Schermerhorn, a senior manager with the Andersen consulting firm
      who was among several hundred computer security professionals at the
      Honeynet presentation in Las Vegas, said he was impressed by the
      statistics. "It's quantifiable measurements and data," he said. "That's
      extremely rare to find."
      The project's analysis is psychological as well as statistical. Some of
      the most intriguing information involved the attack on the Sun Sparc5 in
      June 2000, which the project analyzed in a paper posted at project
      Honeynet reported that the computer had been attacked by an
      international gang of computer hackers, most of them based in Pakistan,
      who had taken over hundreds of computers around the world with the goal
      of using them as launching pads for other attacks.
      The group, which calls itself K1dd13 (pronounced kiddie), was not
      technically savvy. In the online chats, one member asked how to mount a
      drive in the Unix operating system, which for a hacker would be as
      rudimentary as knowing how to insert a CD-ROM into a PC. Even so, the
      Honeynet Project says, the group has invaded computers operated by NASA
      and the the United States Navy. "It says something about us as security
      professionals that people who are this incompetent can cause this much
      damage," Mr. Spitzner said.
      By monitoring the hackers' online conversations, which shifted from
      English to Romanian to a dialect of Urdu, Pakistan's national language,
      the security professionals were able to piece together profiles of the
      hackers and produce a case study of the sociology of hacking.
      They believe that the leader is a 17-year-old youth in Karachi,
      Pakistan, who says his activities are motivated by a desire to draw
      attention in cyberspace to violence against Muslims in Kashmir, the
      disputed territory bordering India and Pakistan. Other members of the
      group seemed motivated less by politics than by an urge to do damage.
      The proliferation of automated hacking tools, which systematically scan
      large numbers of computers on the Internet and exploit their weaknesses,
      has made attacking accessible to "script kiddies," hackers who have
      relatively little technical knowledge.
      "They were not very skilled," said Saumil Shah, a Honeynet Project
      member who translated much of the online dialogue from Urdu. "They were
      just fumbling around."
      The hackers' personalities proved more interesting than their
      techniques. Analyzing the K1dd13 conversations, the Honeynet Project
      psychologist, Max Kilger, described a complex hierarchy based on
      technical prowess in which rivalry plays a big role. Dr. Kilger, who
      works for a market research firm, noted the extent of bragging and
      denigration of other members' skills, a practice that apparently extends
      to much of the black hat community.
      In one conversation, the leader bragged about the speed with which he
      attacked 40 computers. "I owned and trojaned 40 servers of Linux in 3
      hours," he said. Prestige within the group is partly determined by the
      number and the prestige of the computers and domain names controlled.
      Rivalries among groups of black hats also lead them to attack one
      another's systems for sport. Hackers also often update the security in
      their victims' computers to fortify their targets against attacks by
      other groups. One popular method is to use the occupied computer to
      launch a denial-of-service attack, which involves overwhelming a
      computer's capacity with a deluge of requests, on other potential
      hackers. "He went down for 7 hours," boasted one K1dd13 member who
      "dossed" a rival computer.
      The Honeynet Project estimates that 60 percent to 80 percent of hackers
      break into computer systems to gain bragging status and that 10 percent
      to 20 percent attack systems for financial gain.
      "Those are the scary ones," Mr. Spitzner said of the latter. For those
      hackers, accounts become a form of currency. The K1dd13 members bartered
      online with other black hats, exchanging credit card numbers for
      computer user accounts and passwords. One non-K1dd13 hacker offered to
      trade 14 unused Visa and Mastercard numbers, or "virgin credit cards,"
      for access to computer accounts. Another was looking specifically for a
      compromised America Online account.
      Most members of the Honeynet Project are white hats, people who use
      their knowledge or networks to improve security. Marty Roesch, for
      example, created a free intrusion-detection system called Snort.
      But in computer security, such things are not always black and white.
      Some of the Honeynet Project's biggest contributors are "gray hats" who
      are well known for creating some of the invasive tools that people must
      defend their computers against.
      One Honeynet member from the Chicago area who goes by the online
      nickname Rain Forest Puppy is known for discovering high-profile
      security flaws in software like that used by Microsoft's Web server and
      then distributing programs that take advantage of them. "I'm not in it
      to catch hackers," he said in an interview in Las Vegas. "I'm in it to
      develop security research."
      The Honeynet Project is beginning to gather institutional partners to
      speed its research and collection of data. Both the University of
      Pennsylvania and the Naval Postgraduate School in Monterey, Calif., have
      set up honeynet systems.
      In the meantime, members are witnessing how rapidly the black hat
      community learns of their progress. After the Honeynet Project posted
      its K1dd13 paper on the Internet, for example, it took just four hours
      for the hacker group to identify the computer in question and pull out
      of the honeypot. "They left a very nasty message behind," Mr. Spitzner
      said. "Definitely not printable in a newspaper." <a href="http://www.nytimes.com">http://www.nytimes.com</a>
      GRAPHIC: Photos: Lance Spitzner, who leads the Honeynet Project.
      (Associated Press)(pg. G1); LURING PREDATORS -- A diagram of Honeynet
      Project computers, top, and an online conversation between boastful
      hackers that it monitored. (Associated Press)(pg. G6)
    Your message has been successfully submitted and would be delivered to recipients shortly.