That’s more or less Lance Spitzner’s message to the blackhats–vile
hackers who probe computer networks and systems. He lures blackhats to hack into
his systems and, unlike the spider, he does not ambush them. Instead, like an
ardent Discovery Channel viewer who watches a gazelle being slaughtered by a
carnivore without batting an eyelid, he observes every move the hacker makes.
That's because the system the blackhat is hacking into is a dud, a system of no
real worth, popularly known as a honeypot.
Of honey, pots & nets
A honeypot is a system whose value lies in being probed, attacked or
compromised, usually for the purpose of detecting or alerting on blackhat
activity. Where traditional security tools like firewalls and Intrusion
Detection Systems (IDS) are designed to ward off blackhats and limit the damage
they cause, a honeypot aims to get a hacker to attack and compromise a system.
Typically, honeypots have been systems that emulate other systems or known
vulnerabilities. Now, why on earth would anyone want to do that? To watch, says
Spitzner, and to learn. A former tank officer with the US Army turned security
expert on the net, Spitzner says the main utility of honeypots lies in the
significant insight they offer into hacker behavior.
Such insights can be used to create strategies and tools to combat security
threats. Based on what he has learned from such voyeurism, for instance,
Spitzner has been able to armor common operating systems like Linux and Solaris
against most hacker attacks. Sometimes, when blackhats look like they are on the
verge of launching a major attack (see box), Spitzner uses the information to
warn off the hackers themselves, or to alert the relevant security authorities.
The honeypot, however, has a couple of drawbacks. The trap is sometimes too
obvious, and a veteran blackhat who detects it leaves in a hurry, so the
watchers do not get as much data on hacker behavior as they would like. The
watchers are therefore trying to evolve almost as fast as the hackers. Lance,
along with several other security professionals, has evolved a more complex
version of the honeypot called the honeynet. "It is different from a
traditional honeypot. One, it is not a single system but a network of multiple
systems which sits behind an access control device where all inbound and
outbound data is controlled and captured," says Spitzner.
The other main difference is that, unlike traditional honeypots, which emulate
weaknesses or even entire systems and operating systems, all systems placed
within the honeynet are real, standard production systems. "In a honeynet, all
the systems and applications are real. Nothing is emulated nor is anything done
to make the systems less secure," adds Spitzner.
How honeynets work
The greatest problem any security professional faces is information overload.
The challenge for most is determining, from extensive amounts of information,
what is standard production traffic and what is blackhat activity. Tools such
as network IDS, host-based forensics and system log analysis try to solve this
by using a database of known signatures, or algorithms, to differentiate
between production traffic and malicious activity.
But the sheer amount of data generated, data pollution, and false positives and
false negatives make such analysis exceedingly painful.
A false positive occurs when the IDS raises an alarm on normal user activity
such as production traffic. A false negative occurs when the network is
attacked and the IDS fails to alarm even though it is supposed to. Like all
honeypots, the honeynet sidesteps this problem of data overload by design: the
question is not which traffic is malicious, but whether there is any traffic at
all.
"A honeynet is a network designed to be compromised, not to be used for
production traffic. By definition, any traffic entering or leaving the network
is suspicious. Any connection initiated from the honeynet to an outside network
indicates that a bad guy is prowling around," says Spitzner.
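The rule Spitzner states above needs no signature database: a honeynet carries no production traffic, so the direction of a connection relative to the honeynet decides what it means. The following script is an added illustration of that rule, written for this page; it is not code from the article or from the Honeynet Project. It assumes a honeynet in the documentation range 192.0.2.0/24, a sensor that logs one line per new connection as "timestamp proto src:sport -> dst:dport", and an arbitrary cap of ten outbound connections per honeypot per day standing in for the "data control" a real gateway would enforce. The sample log lines are constructed for the example.

```python
"""Added example: direction-based alerting over a honeynet's connection log.
Assumptions (not from the article): the honeynet is 192.0.2.0/24, sensor lines
look like "<ISO timestamp> <proto> <src>:<sport> -> <dst>:<dport>", and the
outbound cap of 10 per honeypot per day is an illustrative data-control limit."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

HONEYNET = ipaddress.ip_network("192.0.2.0/24")   # assumed honeynet range
OUTBOUND_CAP = 10                                  # assumed per-host daily limit
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass
class Alert:
    ts: str
    kind: str        # probe | lateral | outbound | outbound_blocked
    honeypot: str    # the honeynet address involved
    peer: str        # the other end of the connection
    dport: int

def parse(line):
    """Fields of one sensor line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Direction of a connection relative to the honeynet; no signatures involved."""
    src_in = ipaddress.ip_address(rec["src"]) in HONEYNET
    dst_in = ipaddress.ip_address(rec["dst"]) in HONEYNET
    if src_in and dst_in:
        return "lateral"      # one compromised honeypot attacking another
    if dst_in:
        return "inbound"      # somebody is probing or attacking the honeynet
    if src_in:
        return "outbound"     # a honeypot calling out: almost certainly compromised
    return "unrelated"        # should not occur on a sensor that sees only the honeynet

def analyze(lines):
    """Turn sensor lines into alerts, capping outbound connections per host and day."""
    alerts = []
    outbound_seen = defaultdict(int)          # (honeypot, day) -> connections so far
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                          # malformed line, skip it
        kind = classify(rec)
        dport = int(rec["dport"])
        if kind == "inbound":
            alerts.append(Alert(rec["ts"], "probe", rec["dst"], rec["src"], dport))
        elif kind == "lateral":
            alerts.append(Alert(rec["ts"], "lateral", rec["src"], rec["dst"], dport))
        elif kind == "outbound":
            key = (rec["src"], rec["ts"][:10])   # ISO date prefix identifies the day
            outbound_seen[key] += 1
            # Within the cap the connection is let through (so the intruder keeps
            # working) and logged; beyond it a real gateway would drop the packets.
            # This script only changes the label.
            label = "outbound" if outbound_seen[key] <= OUTBOUND_CAP else "outbound_blocked"
            alerts.append(Alert(rec["ts"], label, rec["src"], rec["dst"], dport))
    return alerts

def summarize(alerts):
    """Alert counts by kind."""
    return dict(Counter(a.kind for a in alerts))

# Constructed sample log: a scan of two honeypots, then 192.0.2.17 fetching tools
# over FTP, joining IRC, poking at its neighbour, and finally a burst of
# connections that looks like the start of a flood against an outside host.
SAMPLE_LINES = [
    "2000-06-09T02:11:03 tcp 203.0.113.45:33412 -> 192.0.2.17:111",
    "2000-06-09T02:11:04 tcp 203.0.113.45:33413 -> 192.0.2.17:22",
    "2000-06-09T02:11:04 tcp 203.0.113.45:33414 -> 192.0.2.18:111",
    "# sensor restarted",                                      # malformed, skipped
    "2000-06-09T02:14:51 tcp 192.0.2.17:1025 -> 203.0.113.45:21",
    "2000-06-09T02:15:07 tcp 192.0.2.17:1026 -> 198.51.100.9:6667",
    "2000-06-09T02:16:00 tcp 192.0.2.17:1027 -> 192.0.2.18:23",
] + [
    f"2000-06-09T02:20:{i:02d} tcp 192.0.2.17:{1100 + i} -> 198.51.100.200:80"
    for i in range(12)
]

def demo():
    """Run the constructed sample through the analyzer and return the counts."""
    return summarize(analyze(SAMPLE_LINES))

if __name__ == "__main__":
    for a in analyze(SAMPLE_LINES):
        print(f"{a.ts} {a.kind:16} honeypot={a.honeypot} peer={a.peer} dport={a.dport}")
    print(demo())
```

Every line that touches the honeynet produces an alert, which is the point of the passage above: the three inbound connections are probes, the honeypot-to-honeypot connection is lateral movement, and every outbound connection is evidence of compromise. The cap is what keeps a compromised honeypot from being turned into a launch pad for attacks on third parties; the question of whether to block at all, and at what count, is a policy decision the article leaves to the operator.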
Should I get some honey?
Despite being the driving force behind the honeynet project, Lance is not
quick to recommend honeynets for most organizations.
"I wouldn’t recommend deploying honeynets for commercial
organizations. It really does not protect their resources. On the other hand, it
may consume a lot of their resources. However, some of the lower interaction
honeypots are very secure and help in intrusion detection and organizations
could benefit from them," says Spitzner.
Honeynets are better suited to "information sensitive" organizations like the
government, the military and research institutes like universities, which can
afford to invest the resources. For instance, the United States government
deploys a honeynet to monitor malicious attacks on its sites. Among other
things, its operators warn site administrators whose sites are likely to be
attacked, and they often work with the FBI to deal with any legal issues arising
out of the surveillance.
In conclusion
Honeypots, including honeynets, are at the moment fringe technology as far as
the security industry is concerned. Awareness is not high, the value of
deploying them commercially is not clear, and they are expensive, requiring
among other things round-the-clock monitoring and maintenance.
"We are right now where firewalls were 8-9 years ago. But as they gain
acceptance, people should not forget that honeypots and honeynets will do very
little to keep out the bad guys. That will have to be taken care of by
procedures like virus scanning, installing patches, and disabling unnecessary
services, the boring stuff. Honeypots are at best complementary to firewalls
and IDSs. I hope people and organizations keep this in mind," says
Spitzner.
Whether honeypots will ever be mainstream security technology is something
only time will tell. But the idea of tracking hackers will continue to excite
many in this world where hats and morality are in two distinct colors–black
and white.
A Honey Potter’s Diary
As Lance Spitzner watched, a few blackhat hackers discussed how to launch a
denial of service (DoS) attack against India in June 2000, a few months after
the Kargil war. What the hackers got in the process was access to ISP and credit
card accounts and passwords. Here is Spitzner's diary for the first 14 days
that he watched these people.
It is a summary of the chat sessions of the blackhat community, specifically of
two individuals, whom Spitzner called D1ck and J4n3, planning to launch a DoS
attack against India… (Note: Internet Relay Chat channels, nicks, system names
and IP addresses have been sanitized. More detail is available at http://www.project.honeynet.org/papers/motives/)
Day 1, June 4: Our chat sessions begin with the discussion of building an
exploit archive and the sharing of exploits to be used against potential
targets.
Day 2, June 5: Today D1ck and J4n3 share exploits and Denial of Service
attacks. Notice how they brag about how many blists (broadcast amplifier
networks) they have for the attacks. Looks like one of them is gunning for Linux
boxes in .edu land.
They also discussed using new rootkits for Linux and sparc.
Day 3, June 6: D1ck and J4n3 brag about the systems they have launched Denial
of Service attacks against. Later on D1ck teaches J4n3 how to mount a drive.
Then they discuss sniffit (how to use it) and last, D1ck desperately looks for
an Irix exploit and rootkit.
Day 4, June 7: D1ck and J4n3 decided they want to take out India with Denial
of Service attacks and bind exploits. Later on, they DoS other IRC members who
irritate them.
Day 5, June 8: D1ck asks J4n3 to take out three systems for him. D1ck and his
elite buddy Sp07 try to figure out how a sniffer works "umm doesn’t it
have to be the same network?"
Day 6, June 9: Our wonder team has been busy; it looks like D1ck rooted over 40
systems. If they scan enough systems, they can and will gain root.
Day 7, June 10: Not an exciting day. D1ck teaches a new k1dd13 how to use the
sadmind exploit. We are not sure if D1ck even knows how to use it himself.
Day 8, June 11: D1ck and J4n3 discuss systems they own and people they want
to DoS. D1ck discovers Ping of Death and thinks he is very k3wl.
Day 9, June 12: Looks like D1ck strikes it big, he finds an ISP and gains
access to their billing and over 5,000 user accounts. Now they have to figure
out how to crack them.
Day 10, June 13: Sp07 joins the gang today. Not the friendliest individual
for the Internet community. Seems to have taken a wee bit of a dislike to India
also.
Day 11, June 14: They start cracking user passwords and access personal
accounts.
Day 12, June 15: D1ck and J4n3 try to find credit card numbers on a Credit Card
channel so they can buy some domain names.
Day 13, June 16: D1ck and J4n3 still hang out on the Credit Card channel.
Members swap credit cards, shell accounts, and porn sites. At the end of the
chat session, D1ck and J4n3 focus on their website.
Day 14, June 17: D1ck and J4n3 cover how to gain accounts on a Linux box, talk
more about Credit Cards and continue building a website.
‘Watching the Bad Guys’
Lance Spitzner is unusual, even by geeky standards. His sentences, like
online data, come in small packets and often come to an abrupt end. Spitzner's
world is divided into two halves: the bad guys (read blackhats) and the others.
Not once does he refer to them as 'black hats'. To him, it's personal and
all about "watching 'em". He spoke to Dataquest about honeypots, hackers
and his choice of hats…
What is the honeynet project all about?
The honeynet project is a non-profit, all volunteer security research
project made up of security professionals across the world. The mission of the
project is to learn about the bad guys and we share everything we learn. We
deploy networks around the world to be hacked into and when the bad guys hack
‘em, we watch ‘em.
Did the stint in the US army help you in tackling security issues?
Technically, it did not help because I rode around in tanks. But the
concepts of military tactics and intelligence apply very well to information
security. And in both cases we fight the bad guys.
What has been the biggest learning for you from the Honeynet project?
The biggest learning is how incredibly active the bad guys are. The common
perception is that if you deploy a system with no value, which nobody knows
about, on the Internet, it would not be probed or attacked. In fact, the exact
opposite is true.
A system we put on the Internet is probed 20-30 times a day. And if you put a
system on the net at home, it is likely to be probed 5-10 times a day.
How do you prevent a honeynet from being misused, say, by contraband being
dropped on to it, or the network being used to launch attacks on other
systems? After all, hackers keep dropping in and out of honeynets…
There can be a lot of activity going on that can be illegal in many ways.
First of all, we’ve almost perfected a technology called data control that
allows the bad guys to hack our system but makes sure that they can’t hack
other systems using the honeynet.
Every time something happens in a honeynet, it's a unique situation and we're
not sure whether it's legal or illegal. So if somebody drops contraband (from
bots, to credit card and ISP accounts picked up in an earlier hacker attack), we
get in touch with legal authorities and inform them. In fact, we have somebody
from the US Department of Justice assigned to our project.
Can you generalize the way hackers behave? In your book on honeypots, you
have classified hackers into two categories, the script kiddies and the
advanced hackers. How do they differ in their behavior?
There are two general categories out there–the first is the script kiddie.
About 90% of the bad guys out there are script kiddies. They don’t care who
they hack as long as they keep hacking as many systems as possible. The other
category is the advanced hacker who wants to hack into systems that have a high
value.
Are script kiddies capable of extensive damage?
Oh Yes! It is very much possible. What we have to keep in mind is that, over
the years, the bad guys have not got better but their tools have. The tools have
become more automated and more effective.
What are your favorite movies?
The Matrix, Star Wars...
Is there a temptation to cross over to the dark side of the force?
No…not at all…never. I have a background that is very different. I spent
seven years in the Army. In fact, one of the key factors that motivated me to
build honeynets was to take on the bad guys. I consider honeynets as an
opportunity to help people.
TV Mahalingam