In-Depth

Can the hackers be stopped?

In April 2001, Frank Cilluffo, director of the Information Warfare Taskforce at the Center for Strategic and International Studies said, ''By 2002, 19 million people will have the skills to hack.'' That prediction has been published far and wide ever since.

On the Web, you see it mainly on hacker-oriented sites, where it is splashed across the pages almost gleefully, and on security vendor sites, where it crouches or looms (depending on the font) like a rabid dog dripping foamy danger.

It is 2002, and although no one can say for sure whether the ranks of hackers have swelled to meet Cilluffo's 19 million, there are a lot of people exploiting network vulnerabilities for profit, politics and fun. Recently appointed U.S. cybersecurity czar Richard Clarke has pegged the damage caused last year by malicious hacking at about $12 billion. The NIMDA virus alone, which struck last November, cost firms more than $2 billion by Clarke's estimates. He expects that figure to reach $18 billion this year if the growth and sophistication of viruses continue at their current rate.

And in an increasingly Web-centric world, the risk that your network will be compromised is growing. Companies are providing more and more internal network access to customers, partners and suppliers. And each access created for a legitimate user provides another possible point of attack for a hacker. The nascent systems based on XML Web services are leaving the doggie door open, while an enterprise's risk issues are buried under piles of emerging standards and interoperability issues.

''More and more people are online for longer periods of time,'' said Brad Powell, senior security architect at Sun Microsystems. ''The exponential growth of the Internet means exponential growth of risks. And money is being exchanged on the Internet, which makes it attractive to the bad guys.''

Last year's attacks on the World Trade Center and the Pentagon appear to have fostered a new sense of vulnerability in business organizations. While we have not seen a real spike in security spending just yet, anecdotally at least, wallets are opening up.

''What used to be back burner issues have definitely been brought to the forefront since 9-11,'' said Stuart McClure, president and CTO at Foundstone, a security assessment company based in Mission Viejo, Calif. ''I've had clients come to me and say, 'Just give me a number, because everything is getting pushed through.' The interest has definitely been heightened.''

Of course, IT managers did not need Osama Bin Laden's gang to get them interested in network security, but the attacks probably cranked up the volume in most organizations.

''Everyone knew before 9-11 that they could be attacked,'' noted Chris Wraight, a consultant at Sophos Inc., a U.K.-based antivirus vendor. ''The difference is that now they understand an attack can come from a completely unexpected source, in a completely unexpected way.''

Hacker intel
Cyber czar Clarke has only added to the general anxiety with his warnings about the possibility of a ''digital Pearl Harbor'' in which a cyberterrorist attack would paralyze computers, electrical grids and other key infrastructure.

But is it really digital kamikazes IT managers should be guarding their networks against, or is it socially challenged teenage boys living in their parents' basements? Is it outsiders or insiders? What about the tactics they employ? And why are they hacking the network in the first place?

Those were some of the questions Lance Spitzner, a former U.S. Army tank officer turned security architect for Sun Microsystems, set out to answer in the late 1990s when he set up the first of what would become a network of computers designed to be compromised by hackers.

''I believed then, and I think history has proven me right, that to understand your threats and to effectively protect against them, you have to understand the bad guys,'' Spitzner said. ''You need to understand how they attack and hack into systems, why they do it, how they do it and what they do once they do it. In other words, you have to know your enemy.''

Serving in the Army's rapid deployment force in the early 1990s, Spitzner always knew his enemy. ''They train you a lot on the enemy,'' he said. ''I was required to climb around inside enemy tanks to better understand their weapons, how they attack, why they attack, things like that. They taught us that to defeat your enemy, you need to understand how they fight, why they fight, and how they operate and communicate.''

But in the civilian world of information security, Spitzner found this kind of clear definition sorely lacking. ''I didn't know whom I was defending against,'' he noted. ''I didn't know why they attacked the systems. I didn't know the tools they used.''

To gather the intel he needed, Spitzner started building ''honeypots'' -- standalone computers designed to serve as hacker targets. ''The problem was how do you learn about the bad guys?'' he said. ''This seemed like a logical solution. I would watch [the honeypots] and learn, but I couldn't understand a lot of what they did, so I started asking friends for help. We all started sharing information and the project informally grew.''

As the number of boxes in his network of honeypots grew, so did the number of security pros watching and learning from them. Eventually, the informal group coalesced into The Honeynet Project, a nonprofit research organization of 30 security professionals who volunteer their time and resources to researching cyberthreats.

''Instead of trying to guess who the enemy is and develop theories on how blackhats think and operate,'' said Spitzner, who serves as the group's coordinator, ''we have them teach us their tools, tactics and motives. When the bad guys probe, attack and compromise our systems, we watch and learn from their every step.''

The group's mission is to learn the tools, tactics and motives of the so-called ''blackhat'' community, and to share the lessons they have learned. The group publishes its findings on its Web site (http://project.honeynet.org/) and earlier this year consolidated its papers and conclusions into its first book, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community (Boston: Addison-Wesley, 2001).

''That's what I think makes us different,'' said Spitzner. ''Everything we do we give to the public because we want [them] to learn and become aware of just how aggressive and real this threat is.''

Blackhats and whitehats
According to Sun's Powell, one of the first Honeynet Project members, who describes himself as ''a digital forensics guy,'' a blackhat, not surprisingly, is an attacker. The term generally refers to someone attempting unauthorized access to, or activity on, a closed computer system, and The Honeynet Project uses the term in lieu of the better-known ''hacker'' or ''cracker.'' True hackers do not consider themselves to be criminal, and they never penetrate a system with the intent to cause harm. They are after knowledge, information and the refinement of skills. The preferred term for a criminal hacker is cracker. Crackers destroy data, hack for money or just generally hack with illegal intent. Anyone who knows a hacker knows how seriously he or she takes these labels.

''I used to be adamant about using 'cracker,''' Powell said, ''but the news media is going to use 'hacker' no matter what we say. So we use 'criminal hacker' or blackhat to describe someone who has engaged in criminal activity.''

In Honeynet Speak, the ''whitehats'' are hackers who use their powers only for good. And there are plenty of grayhats out in the industry, noted Powell. ''These are people who started out as foolish kids who did something criminal with their hacking skills, but learned the error of their ways or they've just grown up,'' he said. ''They have this talent, but they don't feel right about breaking into sites criminally. They become the next generation of security experts.''

The Honeynet Project membership includes whitehats, grayhats and people with ties to the blackhat community. The group's eclectic membership roster, which is limited to 30 members for logistical reasons, with no more than two members from any one firm, also includes a social psychologist and a Naval intelligence officer with top-secret clearance.

Unsweetened honey
Whether their hats are white, black or gray, one thing these intruders seem to have in common is their apparently indefatigable desire to penetrate closed systems. ''Their motives do vary,'' said Sun's Spitzner. ''One guy wants to do it to brag about his elite skills. Another wants to use the machines to strike a network with a denial of service attack. And another wants to steal credit card numbers. At the end of the day, they all have the same basic goal: To hack into as many computers as possible.''

And hack they do. According to the group's most recent numbers, Honeynet receives an average of 150 scans per day and experiences an average of five attacks per week from distinct individuals.

Perhaps most surprising, Spitzner and company claim to do nothing whatsoever to ''sweeten'' their network to make it more appealing or to lure crackers.

''That's a popular misconception,'' Spitzner said. ''We do nothing to lure the bad guys. We do nothing to sweeten the honeypots. We do nothing to advertise their existence. We merely install the default operating system and connect them to the Internet. Nothing has to be done to sweeten them because the bad guys are out there hammering away, scanning millions upon millions of systems every day.''

The group uses a combination of firewalls and the network intrusion detection system Snort to control and monitor incoming and outgoing traffic, while keystroke logging records everything an intruder types on a compromised honeypot.

''We've talked about creating sites in the next generation that actually have some products and content that might be interesting to blackhats,'' added Sun's Powell. ''But we haven't had to do anything but put it out there and wait for it to get attacked.''

''Keep in mind,'' noted Spitzner, ''that the whole Internet is scanned on a daily basis by thousands of people, and they're trading that information. I think most people are aware the threats are out there, but they don't realize they are a target. People think the bad guys hit only targets of high value. That's one of the myths our organization debunks.''

These kiddies aren't kidding
One of the most common threats studied by The Honeynet Project is known as the ''script kiddie.'' Although the term is commonly understood to refer to an amateur hacker with few skills who uses existing tools to search for and take the path of least resistance, Spitzner and his colleagues use it to refer to a penetration methodology.

Blackhats employing a strategy of ''probing for the easy kill'' are not searching for specific information or targeting a specific company, Spitzner explained. Their goal is to ''gain root'' -- control of a computer -- in the easiest way possible. These types of intruders focus on a small number of exploits and then search the entire Internet for systems vulnerable to them.

''Some of them are actually advanced users who develop their own tools and leave behind sophisticated back doors,'' Spitzner said. ''Others have no idea what they're doing and only know how to type 'go' at the command prompt.''

Do not let the name fool you; the script kiddie methodology in the right hands can and has caused some real damage. Spitzner said it is the very randomness of the target selection process they use that makes the script kiddie such a dangerous threat. ''Sooner or later,'' he noted, ''your systems and networks will be probed.''

Most script kiddie tools are automated, Spitzner said. Users simply launch them and come back later to see what they have found. Although he said no two script kiddie tools are alike, they tend to employ the same approach: Develop a database of IP addresses that can be scanned, and then scan them for specific vulnerabilities. Once a system has been exploited, they use it as a launching pad from which they can scan the entire Internet, as Spitzner puts it, ''without fear of retribution.'' If any of their scans are detected, the blame falls on the compromised system's administrator.

Spitzner said the results of these scans are often archived, and script kiddies share or even buy databases of vulnerable systems from each other. These databases make it possible for an attacker to exploit a system without even scanning it. (Which is why, Spitzner said, the fact that you are not being scanned does not mean you are not being exploited.)

The more sophisticated blackhats install ''trojans'' and back doors once they compromise a system, he noted. Back doors allow easy and unnoticed access to the system whenever the intruder wants, and the trojans -- tampered replacements for system utilities -- hide the intruder's presence from the administrator.

''The intruder is building a safe and comfy little home right there on your system,'' Spitzner said. ''From there, they can brazenly scan the Internet to their heart's content.''

And because script kiddies employ automated tools, they can scan a system any time, night or day. System administrators who believe blackhats attack only late at night tend to miss scans when they search their log entries for probes the night before. ''They [script kiddies] are scanning 24 hours a day,'' Spitzner said.

Keeping the kiddies at bay
To protect against intrusion from script kiddies, Spitzner advises the following:

Be aware of common exploits. Script kiddies are looking for an easy way in. Make sure your systems and networks are not vulnerable to commonly known exploits. (For more on common exploits, go to the CERT Coordination Center Web site at www.cert.org, the Computer Incident Advisory Capability Web site at www.ciac.org/ciac, and the Bugtraq mailing list.)

Run only services you need. If you are not using it, turn it off. If you do need it, make sure it is the latest version.

Limit the systems that can conduct zone transfers from your name servers. Log any unauthorized zone transfers and follow up on them. (Spitzner recommends upgrading to the latest version of the Berkeley Internet Name Domain (BIND) software, the Domain Name System server software used on most name servers. Readers can find it on the Internet Software Consortium Web site at www.isc.org/bind.html.)

Watch out for probes. Tracking probes allows you to react to threats quickly and to gain a better understanding of the threats to your network.
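The four steps above, together with the scanning pattern described earlier (one exploit hunted across a database of addresses, around the clock), suggest a small probe tracker for the ''watch out for probes'' step. This is an added example, not Honeynet Project code; the firewall log format, the addresses and the thresholds are constructed for the demonstration.

```python
"""Probe tracker: flag log sources that sweep one port across many hosts (the
script-kiddie pattern described above) or walk many ports on one host, and
record the hours at which they did it so daytime scans are not overlooked.
Added example, not Honeynet Project code; the log format is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style log lines (not from the article). One source sweeps
# port 111 across six hosts in mid-afternoon, one walks five ports on a single
# host at 03:10, one line is ordinary traffic and one is unrelated kernel noise.
SAMPLE_LOG = """\
2002-03-14 14:02:07 DROP src=198.51.100.23 dst=192.0.2.1 dport=111
2002-03-14 14:02:08 DROP src=198.51.100.23 dst=192.0.2.2 dport=111
2002-03-14 14:02:08 DROP src=198.51.100.23 dst=192.0.2.3 dport=111
2002-03-14 14:02:09 DROP src=198.51.100.23 dst=192.0.2.4 dport=111
2002-03-14 14:02:09 DROP src=198.51.100.23 dst=192.0.2.5 dport=111
2002-03-14 14:02:10 DROP src=198.51.100.23 dst=192.0.2.6 dport=111
2002-03-14 03:10:41 DROP src=203.0.113.9 dst=192.0.2.10 dport=21
2002-03-14 03:10:41 DROP src=203.0.113.9 dst=192.0.2.10 dport=22
2002-03-14 03:10:42 DROP src=203.0.113.9 dst=192.0.2.10 dport=23
2002-03-14 03:10:42 DROP src=203.0.113.9 dst=192.0.2.10 dport=80
2002-03-14 03:10:43 DROP src=203.0.113.9 dst=192.0.2.10 dport=111
2002-03-14 14:05:00 DROP src=192.0.2.50 dst=192.0.2.10 dport=80
2002-03-14 14:05:01 kernel: eth0 link up
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(lines):
    """Return (timestamp, src, dst, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       src, dst, int(dport)))
    return events


def find_probes(events, host_threshold=5, port_threshold=5):
    """A source touching >= host_threshold distinct hosts on one port is a sweep
    (one exploit, many targets); >= port_threshold distinct ports on one host is
    a port scan. Hours are kept so the report shows when the source was active."""
    hosts_by_src_port = defaultdict(set)   # (src, dport) -> hosts touched
    ports_by_src_host = defaultdict(set)   # (src, dst)   -> ports touched
    hours_by_src = defaultdict(set)        # src -> hours of day seen
    for ts, src, dst, dport in events:
        hosts_by_src_port[(src, dport)].add(dst)
        ports_by_src_host[(src, dst)].add(dport)
        hours_by_src[src].add(ts.hour)
    findings = []
    for (src, dport), hosts in hosts_by_src_port.items():
        if len(hosts) >= host_threshold:
            findings.append({"kind": "sweep", "src": src, "port": dport,
                             "count": len(hosts), "hours": sorted(hours_by_src[src])})
    for (src, dst), ports in ports_by_src_host.items():
        if len(ports) >= port_threshold:
            findings.append({"kind": "portscan", "src": src, "target": dst,
                             "count": len(ports), "hours": sorted(hours_by_src[src])})
    return findings


if __name__ == "__main__":
    for finding in find_probes(parse(SAMPLE_LOG.splitlines())):
        print(finding)
```

Raising either threshold makes the tracker quieter; the thresholds are a starting point, and a real deployment would be tuned against the site's normal traffic.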

Foundstone's McClure, a columnist on security issues, co-author of the book Hacking Exposed: Network Security Secrets and Solutions (with Joel Scambray and George Kurtz, Osborne/McGraw-Hill, 2001), and a former member of the Honeynet team, warns against underestimating the potential threat of script kiddies. He cites a Pakistani hacker group The Honeynet Project tracked last year and eventually turned over to the authorities.

''The group not only attacked Lance [Spitzner]'s systems,'' McClure said, ''but used them as islands to attack more systems.''

The Honeynet team tracked the group's activities and discovered they had compromised more than 350 systems on the Internet and probably many more. They used well-known remote buffer-overflow exploits on Unix systems to gain instant access. On those violated systems, they installed Unix ''root kits,'' which they used to control systems remotely and launch additional attacks.

''This was a script kiddie bunch using publicly available exploit code to break into these systems, set up their root kits and further exploit systems,'' McClure explained. ''This island-hopping technique is widespread in the underground and is the most frequent means of elaborate attack. Imagine what they might have done if they hadn't been caught.''

In this instance, The Honeynet Project contacted the authorities to inform them of the Pakistani hackers' activities. In general, the group does not track crackers for the purposes of prosecution, but it does forward all information about compromised systems to CERT so the organization can notify administrators of compromised systems. On The Honeynet Project's Web site, the group writes that they limit their contact with authorities and contact them ''only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.''

Eavesdropping on IRC
One of the ways in which the Honeynet Project gathers its enemy intel is by monitoring chat sessions among blackhats after an exploit. For many blackhats, hacking and cracking are a way to achieve social status; hacking, Sun's Spitzner said, is a social activity. Hackers meet online to discuss the latest hacking tools, their hacking conquests and their personal lives. IT managers must become familiar with the social culture of hackers, he said, if they expect to provide effective security.

Spitzner said Internet Relay Chat (IRC) has replaced electronic bulletin boards as the social medium for Internet addicts, and there are dozens of IRC networks currently alive on the Internet. The most popular are DALnet, EFNet and Undernet, he noted. Each IRC network is composed of hundreds, and even thousands, of channels where individuals with similar interests can chat in real time. And these channels are dynamic; they are created the first time someone enters the chat session, and destroyed when the last person leaves.

''People try to impress each other with bigger and bigger exploits,'' Spitzner said. ''We see that all the time when we capture logs. Often, once a person has broken in, [they] set up an IRC server and start bragging about it. It's just one-upmanship, [for example,] 'I cracked 10,000 sites and you cracked only 9,000.' It's about who has the bigger body count.''

This is where having a psychologist in the group comes in handy, he explained. Honeynet Project member Dr. Max Kilger analyzes captured chat sessions, or any communication between individuals, and creates a profile of the people involved. ''He looks at why they do it,'' Spitzner said. ''What is their motivation? What can we learn from that? Is it part of a pattern? Is it a new phenomenon? Is it the equivalent of teenagers going out and spray painting their logos on storefronts, or is it someone who's more hardcore? We're looking for behavioral patterns.''

Blackhats' motives vary widely, and through its observations, the Honeynet group has uncovered many of them. Spitzner said he and his colleagues have seen intruders break into hundreds of sites just so they can break the next RSA key by marshalling other people's CPU power in a kind of grid-computing session. Of course, they have seen malicious hackers set up hundreds of thousands of machines to launch distributed denial-of-service (DDoS) attacks. Recently, he said, the group observed crackers from Korea utilize a large group of machines to launch mail bombs against the Winter Olympics Web site to protest that one of their skaters was disqualified. ''They intended to flood the site and bring it down,'' Spitzner explained.

''The reasons they attack run from the political to 'I bought your product and didn't like it and now I'm going to get all these machines to attack your machine and make you pay for it','' he said.

Changes in the blackhat community
The Honeynet Project has been tracking the activities of the blackhat community and monitoring its behavior for a few years now. Beyond their usual involvement with viruses, hacking, espionage and system misuse, the group has observed some new trends in the world of hackers, crackers and script kiddies.

One disturbing trend, said Sun's Powell, is the increasing number of sophisticated cracker groups who compromise computer systems specifically for illegal financial gain. Criminal hacking, he added, is becoming organized crime.

''We used to see random kids breaking into systems to steal credit card numbers and we still see them, but we're seeing things going a whole lot farther than that,'' he said. ''They're not just stealing those numbers, they're using them to set up their own Internet sites using stolen funds. They then advertise those sites, take orders from people who come to buy their products, and collect more and more credit card numbers in the process.''

As an example of the growing sophistication of criminal hackers, he cites a group of blackhats The Honeynet Project tracked as they set up a porn site. ''We wondered what they were up to,'' Powell said. ''We concluded that it was an extortion scheme. People would come to a site and give them their credit card information, and they would tag them for a hundred bucks a month. You're not likely to go to the police and tell them, 'Hey, someone stole my credit card information while I was visiting this site with kiddie porn on it.' If you do that to 1,000 people, that's a lot of money pouring in.''

And that is not the only thing that is changing. The typically white, male, upper-middle class, America-centric world of computer hacking is seeing a shift in gender, ethnicity and socio-economic aspects. ''Typically, it's been more of a male-oriented, upper-middle class, American thing,'' said Powell. ''But as computers get cheaper, and Internet access becomes more and more commonly available worldwide, that profile is definitely going to change, especially as it becomes cool to be a hacker or a cracker.''

In March, a hacker claiming to be a 17-year-old girl with the handle ''Gigabyte'' -- and said to have been moved by the sexism that permeates the male-dominated, virus-writer community -- created what might be the first-ever virus written in C#, the programming language that runs natively on Microsoft's .NET platforms. Sophos issued an advisory when Gigabyte sent the company an e-mail 'heads up' with a sample of the worm, dubbed the Sharp virus, attached.

''Apparently, she wrote the worm to make a social point,'' explained Sophos' Wraight. ''The typical profile of a virus writer is a teenage boy with more time than sense. It's unusual to find girls engaging in this kind of mischief, but it's sure not because they can't.''

One issue, however, seems to be unchanged when it comes to computer systems security. As Foundstone's McClure puts it, security is not a goal, but a process.

''Security is certainly something that can be achieved,'' McClure said, ''but it's also something you have to constantly strive for. If you want to be in shape, you have to work out. But once you're in shape, you can't just sit and watch TV. You have to keep working at it.''

IT managers should remember that security is not really a technical issue, he said. Firewalls, antivirus software and intrusion detection systems (IDS) are widely used tools, as well as very important parts of a secure system; but without the right people doing the right things, they will never be enough to provide true security.

''People have to understand how little the technologies they put in place really matter,'' McClure said. ''You have to build procedures and processes around it. The standard line is, 'people, processes and technology.' And it's true. I've seen freeware firewalls sustain very sophisticated attacks because some very good people manned the network. And I've seen firewalls that cost hundreds of thousands of dollars broken into on a regular basis.''

At its bottom, said Sun's Powell, computer system security is a risk assessment issue.

''I can take any machine and make it extremely secure,'' he said. ''I can probably make it hacker-proof. But you're not going to be able to do much with it, and it's going to be a lot harder to use. That's the tradeoff between the usability and security of computers. There's always going to be a risk. The challenge is to identify it and manage it, because you can't avoid it.''

Honeynet Research Alliance
Although The Honeynet Project's membership is limited, interested parties can become actively involved through the group's Honeynet Research Alliance.

''If someone wants to set up their own honeynet and share their research and findings with the group, we're all for it,'' said Sun's Spitzner.

The group's Web site lists the goal of the Alliance to develop ''a community of organizations actively researching, developing and deploying Honeynets and sharing the lessons learned.''

The Alliance is a closed group limited to organizations actively researching honeynets. Individuals merely interested in honeynet technologies are encouraged to join the public honeypot mail list.

The Honeynet Alliance lists six active member organizations: South Florida HoneyNet Project, Nodal Intrusion Forensics Technology Initiative, Incidents.org Virtual Honeynet Project, Neohapsis Honeynet Project, Paladion Networks Honeynet Project and the Internet Systematics Lab Honeynet Project. At press time, the Alliance had four Honeynets online: two are virtual, while two report to a centralized database.

For more information, see the related article 'Seven security basics.'