In-Depth
Can the hackers be stopped?
- By John K. Waters
- June 3, 2002
In April 2001, Frank Cilluffo, director of the Information Warfare Taskforce
at the Center for Strategic and International Studies, said, ''By 2002, 19
million people will have the skills to hack.'' That prediction has been
published far and wide ever since.
On the Web, you see it mainly on hacker-oriented sites, where it is splashed
across the pages almost gleefully, and on security vendor sites, where it crouches
or looms (depending on the font) like a rabid dog dripping foamy danger.
It is 2002, and although no one can say for sure whether the ranks of hackers
have swelled to meet Cilluffo's 19 million, there are a lot of people exploiting
network vulnerabilities for profit, politics and fun. Recently appointed U.S.
cybersecurity czar Richard Clarke has pegged the damage caused last year by
malicious hacking at about $12 billion. The NIMDA virus alone, which struck
last November, cost firms more than $2 billion by Clarke's estimates. He expects
that figure to reach $18 billion this year if the growth and sophistication
of viruses continue at their current rate.
And in an increasingly Web-centric world, the risk that your network will be
compromised is growing. Companies are providing more and more internal network
access to customers, partners and suppliers. And each access created for a legitimate
user provides another possible point of attack for a hacker. The nascent systems
based on XML Web services are leaving the doggie door open, while an enterprise's
risk issues are buried under piles of emerging standards and interoperability
issues.
''More and more people are online for longer periods of time,'' said
Brad Powell, senior security architect at Sun Microsystems. ''The exponential
growth of the Internet means exponential growth of risks. And money is being
exchanged on the Internet, which makes it attractive to the bad guys.''
Last year's attacks on the World Trade Center and the Pentagon appear to have
fostered a new sense of vulnerability in business organizations. While we have
not seen a real spike in security spending just yet, anecdotally at least, wallets
are opening up.
''What used to be back burner issues have definitely been brought to the
forefront since 9-11,'' said Stuart McClure, president and CTO at Foundstone,
a security assessment company based in Mission Viejo, Calif. ''I've had
clients come to me and say, 'Just give me a number, because everything is getting
pushed through.' The interest has definitely been heightened.''
Of course, IT managers did not need Osama Bin Laden's gang to get them interested
in network security, but the attacks probably cranked up the volume in most
organizations.
''Everyone knew before 9-11 that they could be attacked,'' noted Chris
Wraight, a consultant at Sophos Inc., a U.K.-based antivirus vendor. ''The
difference is that now they understand an attack can come from a completely
unexpected source, in a completely unexpected way.''
Hacker intel
Cyber czar Clarke has only added to the general anxiety with his warnings about
the possibility of a ''digital Pearl Harbor'' in which a cyberterrorist
attack would paralyze computers, electrical grids and other key infrastructure.
But is it really digital kamikazes IT managers should be guarding their networks
against, or is it socially challenged teenage boys living in their parents'
basements? Is it outsiders or insiders? What about the tactics they employ?
And why are they hacking the network in the first place?
Those were some of the questions Lance Spitzner, a former U.S. Army tank officer
turned security architect for Sun Microsystems, set out to answer in the late
1990s when he set up the first of what would become a network of computers designed
to be compromised by hackers.
''I believed then, and I think history has proven me right, that to understand
your threats and to effectively protect against them, you have to understand
the bad guys,'' Spitzner said. ''You need to understand how they attack
and hack into systems, why they do it, how they do it and what they do once
they do it. In other words, you have to know your enemy.''
Serving in the Army's rapid deployment force in the early 1990s, Spitzner always
knew his enemy. ''They train you a lot on the enemy,'' he said. ''I
was required to climb around inside enemy tanks to better understand their weapons,
how they attack, why they attack, things like that. They taught us that to defeat
your enemy, you need to understand how they fight, why they fight, and how they
operate and communicate.''
But in the civilian world of information security, Spitzner found this kind
of clear definition sorely lacking. ''I didn't know whom I was defending
against,'' he noted. ''I didn't know why they attacked the systems.
I didn't know the tools they used.''
To gather the intel he needed, Spitzner started building ''honeypots''
-- standalone computers designed to serve as hacker targets. ''The problem
was how do you learn about the bad guys?'' he said. ''This seemed like
a logical solution. I would watch [the honeypots] and learn, but I couldn't
understand a lot of what they did, so I started asking friends for help. We
all started sharing information and the project informally grew.''
As the number of boxes in his network of honeypots grew, so did the number
of security pros watching and learning from them. Eventually, the informal group
coalesced into The Honeynet Project, a nonprofit research organization of 30
security professionals who volunteer their time and resources to researching
cyberthreats.
''Instead of trying to guess who the enemy is and develop theories on how
blackhats think and operate,'' said Spitzner, who serves as the group's
coordinator, ''we have them teach us their tools, tactics and motives. When
the bad guys probe, attack and compromise our systems, we watch and learn from
their every step.''
The group's mission is to learn the tools, tactics and motives of the so-called
''blackhat'' community, and to share the lessons they have learned.
The group publishes its findings on its Web site (http://project.honeynet.org/)
and earlier this year consolidated its papers and conclusions into its first
book, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives
of the Blackhat Community (Boston: Addison-Wesley, 2001).
''That's what I think makes us different,'' said Spitzner. ''Everything
we do we give to the public because we want [them] to learn and become aware
of just how aggressive and real this threat is.''
Blackhats and whitehats
According to Sun's Powell, one of the first Honeynet Project members, who describes
himself as ''a digital forensics guy,'' a blackhat, not surprisingly,
is an attacker. The term generally refers to someone attempting unauthorized
access to, or activity on, a closed computer system, and The Honeynet Project uses
the term in lieu of the better-known ''hacker'' or ''cracker.''
True hackers do not consider themselves to be criminal, and they never penetrate
a system with the intent to cause harm. They are after knowledge, information
and the refinement of skills. The preferred term for a criminal hacker is cracker.
Crackers destroy data, hack for money or just generally hack with illegal intent.
Anyone who knows a hacker knows how seriously he or she takes these labels.
''I used to be adamant about using 'cracker,''' Powell said, ''but
the news media is going to use 'hacker' no matter what we say. So we use 'criminal
hacker' or blackhat to describe someone who has engaged in criminal activity.''
In Honeynet Speak, the ''whitehats'' are hackers who use their powers
only for good. And there are plenty of grayhats out in the industry, noted Powell.
''These are people who started out as foolish kids who did something criminal
with their hacking skills, but learned the error of their ways or they've just
grown up,'' he said. ''They have this talent, but they don't feel right
about breaking into sites criminally. They become the next generation of security
experts.''
The Honeynet Project membership includes whitehats, grayhats and people with
ties to the blackhat community. The group's eclectic membership roster, which
is limited to 30 members for logistical reasons, with no more than two members
from any one firm, also includes a social psychologist and a Naval intelligence
officer with top-secret clearance.
Unsweetened honey
Whether their hats are white, black or gray, one thing these intruders seem
to have in common is their apparently indefatigable desire to penetrate closed
systems. ''Their motives do vary,'' said Sun's Spitzner. ''One guy
wants to do it to brag about his elite skills. Another wants to use the machines
to strike a network with a denial of service attack. And another wants to steal
credit card numbers. At the end of the day, they all have the same basic goal:
To hack into as many computers as possible.''
And hack they do. According to the group's most recent numbers, Honeynet receives
an average of 150 scans per day and experiences an average of five attacks per
week from distinct individuals.
Perhaps most surprising, Spitzner and company claim to do nothing whatsoever
to ''sweeten'' their network to make it more appealing or to lure crackers.
''That's a popular misconception,'' Spitzner said. ''We do nothing
to lure the bad guys. We do nothing to sweeten the honeypots. We do nothing
to advertise their existence. We merely install the default operating system
and connect them to the Internet. Nothing has to be done to sweeten them because
the bad guys are out there hammering away, scanning millions upon millions of
systems every day.''
The group uses a combination of firewalls and a network intrusion detection
system called Snort to control incoming and outgoing access while keeping watch on
everything that transpires with keystroke logging.
''We've talked about creating sites in the next generation that actually
have some products and content that might be interesting to blackhats,''
added Sun's Powell. ''But we haven't had to do anything but put it out there
and wait for it to get attacked.''
''Keep in mind,'' noted Spitzner, ''that the whole Internet is
scanned on a daily basis by thousands of people, and they're trading that information.
I think most people are aware the threats are out there, but they don't realize
they are a target. People think the bad guys hit only targets of high value.
That's one of the myths our organization debunks.''
These kiddies aren't kidding
One of the most common threats studied by The Honeynet Project is known as the
''script kiddie.'' Although the term is commonly understood to refer
to an amateur hacker with few skills and who uses existing tools to search for
and take the path of least resistance, Spitzner and his colleagues use it to
refer to a penetration methodology.
Blackhats employing a strategy of ''probing for the easy kill'' are
not searching for specific information or targeting a specific company, Spitzner
explained. Their goal is to ''gain root''-- control of a computer --
in the easiest way possible. These types of intruders focus on a small number
of exploits and then search the entire Internet for systems vulnerable to them.
''Some of them are actually advanced users who develop their own tools
and leave behind sophisticated back doors,'' Spitzner said. ''Others
have no idea what they're doing and only know how to type 'go' at the command
prompt.''
Do not let the name fool you; the script kiddie methodology in the right hands
can and has caused some real damage. Spitzner said it is the very randomness
of the target selection process they use that makes the script kiddie such a
dangerous threat. ''Sooner or later,'' he noted, ''your systems
and networks will be probed.''
Most script kiddie tools are automated, Spitzner said. Users simply launch
them and come back later to see what they have found. Although he said no two
script kiddie tools are alike, they tend to employ the same approach: Develop
a database of IP addresses that can be scanned, and then scan them for specific
vulnerabilities. Once a system has been exploited, they use it as a launching
pad from which they can scan the entire Internet, as Spitzner puts it, ''without
fear of retribution.'' If any of their scans are detected, the blame falls
to the compromised system's administrator.
Spitzner said the results of these scans are often archived, and script kiddies
share or even buy databases of vulnerable systems from each other. These databases
make it possible for an attacker to exploit a system without even scanning it.
(Which is why, Spitzner said, just because you are not being scanned, that does
not mean you are not being exploited.)
The more sophisticated blackhats install ''trojans'' and back doors
once they compromise a system, he noted. Back doors allow easy and unnoticed
access to the system whenever the intruder wants, and the trojans conceal the
intruder's presence from the system's administrator.
''The intruder is building a safe and comfy little home right there on
your system,'' Spitzner said. ''From there, they can brazenly scan the
Internet to their heart's content.''
And because script kiddies employ automated tools, they can scan a system any
time, night or day. System administrators who believe blackhats attack only
late at night tend to miss scans when they search their log entries for probes
the night before. ''They [script kiddies] are scanning 24 hours a day,''
Spitzner said.
Keeping the kiddies at bay
To protect against intrusion from script kiddies, Spitzner advises the following:
- Be aware of common exploits. Script kiddies are looking for an
easy way in. Make sure your systems and networks are not vulnerable to commonly
known exploits. (For more on common exploits, go to the CERT Coordination Center
Web site at www.cert.org, the Computer Incident
Advisory Capability Web site at www.ciac.org/ciac,
and the listserv bugtraq.)
- Run only services you need. If you are not using it, turn it
off. If you do need it, make sure it is the latest version.
- Limit the systems that can conduct zone transfers from your Name Servers.
Log any unauthorized zone transfers and follow up on them. (Spitzner recommends
upgrading to the latest version of the Berkeley Internet Name Domain (Bind),
software used for Domain Name Service. Readers can find it on the Internet Software
Consortium Web site at www.isc.org/bind.html.)
- Watch out for probes. Tracking probes allows you to react to
threats quickly and to gain a better understanding of the threats to your network.
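The probe-tracking advice above, and the earlier point that automated script kiddie tools scan round the clock rather than only at night, can be turned into a small detector. The following is an added example, not code from the article or from The Honeynet Project: it parses constructed, simplified iptables-style firewall log lines (format, addresses, window and threshold values are all assumptions) and flags a source that touches many distinct host/port targets within a short window, reporting the hours of day at which it was seen so daytime probes are not overlooked.

```python
"""Probe/scan detector over constructed firewall log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Simplified iptables-LOG style line (assumed format; real lines carry more fields).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP IN=\S+ "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+ DPT=(?P<dpt>\d+)"
)

# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_LOG = [
    # 198.51.100.23: vertical scan, six ports on one host within a minute, at night
    "Jun  3 02:14:07 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=21",
    "Jun  3 02:14:07 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jun  3 02:14:08 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=23",
    "Jun  3 02:14:08 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=25",
    "Jun  3 02:14:09 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jun  3 02:14:09 gw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP DPT=111",
    # 203.0.113.5: horizontal scan, one port across five hosts, in the afternoon
    "Jun  3 14:30:01 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=111",
    "Jun  3 14:30:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP DPT=111",
    "Jun  3 14:30:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP DPT=111",
    "Jun  3 14:30:03 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP DPT=111",
    "Jun  3 14:30:04 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP DPT=111",
    # 192.0.2.77: a benign retry against one port, should not be flagged
    "Jun  3 09:00:10 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jun  3 09:00:15 gw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jun  3 09:00:20 gw -- MARK --",  # unrelated syslog noise, ignored by the parser
]


def parse_line(line, year=2002):
    """Return {ts, src, dst, port} for a DROP line, or None for anything else.
    Syslog timestamps carry no year, so one is supplied (assumed 2002 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "port": int(m["dpt"])}


def detect_scans(lines, window=timedelta(minutes=10), min_targets=5):
    """Flag sources that hit at least `min_targets` distinct (dst, port) pairs
    within any `window`; this catches both vertical and horizontal scans.
    Returns {src: {"targets": peak distinct targets, "hours": hours seen}}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # multiset of targets inside the sliding window
        lo, peak = 0, 0
        for ev in evs:
            in_window[(ev["dst"], ev["port"])] += 1
            while ev["ts"] - evs[lo]["ts"] > window:  # expire old events
                old = (evs[lo]["dst"], evs[lo]["port"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            findings[src] = {"targets": peak, "hours": sorted({e["ts"].hour for e in evs})}
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets, active hours {info['hours']}")
```

Tune `window` and `min_targets` to the site's own traffic; a very slow scan spread over days will still escape a ten-minute window.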
Foundstone's McClure, a columnist on security issues, co-author of the book
Hacking Exposed: Network Security Secrets and Solutions (with Joel Scambray
and George Kurtz, Osborne/McGraw-Hill, 2001), and a former member of the Honeynet
team, warns against underestimating the potential threat of script kiddies.
He cites a Pakistani hacker group The Honeynet Project tracked last year and
eventually turned over to the authorities.
''The group not only attacked Lance [Spitzner]'s systems,'' McClure
said, ''but used them as islands to attack more systems.''
The Honeynet team tracked the group's activities and discovered they had compromised
more than 350 systems on the Internet and probably many more. They used well-known
remote buffer-overflow exploits on Unix systems to gain instant access. On those
violated systems, they installed Unix ''root kits,'' which they used
to control systems remotely and launch additional attacks.
''This was a script kiddie bunch using publicly available exploit code
to break into these systems, set up their root kits and further exploit systems,''
McClure explained. ''This island-hopping technique is widespread in the
underground and is the most frequent means of elaborate attack. Imagine what
they might have done if they hadn't been caught.''
In this instance, The Honeynet Project contacted the authorities to inform
them of the Pakistani hackers' activities. In general, the group does not track
crackers for the purposes of prosecution, but it does forward all information
about compromised systems to CERT so the organization can notify administrators
of compromised systems. On The Honeynet Project's Web site, the group writes
that they limit their contact with authorities and contact them ''only when
the Project feels there is a critical need. If we were to become involved in
a major legal case every time a system was compromised, we would not have time
for research, let alone our real jobs.''
Eavesdropping on IRC
One of the ways in which the Honeynet Project gathers its enemy intel is by
monitoring chat sessions among blackhats after an exploit. For many blackhats,
Sun's Spitzner said, hacking is a social activity and a way to achieve social
status. Hackers meet online to discuss the latest
hacking tools, their hacking conquests and their personal lives. IT managers
must become familiar with the social culture of hackers, he said, if they expect
to provide effective security.
Spitzner said Internet Relay Chat (IRC) has replaced electronic bulletin boards
as the social medium for Internet addicts, and there are dozens of IRC Networks
currently alive on the Internet. The most popular are DALnet, EFNet and Undernet,
he noted. Each IRC network is composed of hundreds, and even thousands, of channels
where individuals with similar interests can chat in real-time. And these channels
are dynamic; they are created the first time someone enters the chat session,
and destroyed when the last person leaves.
''People try to impress each other with bigger and bigger exploits,''
Spitzner said. ''We see that all the time when we capture logs. Often, once
a person has broken in, [they] set up an IRC server and start bragging about
it. It's just one-upmanship, [for example,] 'I cracked 10,000 sites and you
cracked only 9,000.' It's about who has the bigger body count.''
This is where having a psychologist in the group comes in handy, he explained.
Honeynet Project member Dr. Max Kilger analyzes captured chat sessions, or any
communication between individuals, and creates a profile of the people involved.
''He looks at why they do it,'' Spitzner said. ''What is their motivation?
What can we learn from that? Is it part of a pattern? Is it a new phenomenon?
Is it the equivalent of teenagers going out and spray painting their logos on
storefronts, or is it someone who's more hardcore? We're looking for behavioral
patterns.''
Blackhats' motives vary widely, and through its observations, the Honeynet group
has uncovered many of them. Spitzner said he and his colleagues have seen intruders
break into hundreds of sites just so they can break the next RSA key by marshalling
other people's CPU power in a kind of grid-computing session. Of course, they
have seen malicious hackers set up hundreds of thousands of machines to launch
distributed denial-of-service (DDoS) attacks. Recently, he said, the group
observed crackers from Korea use a large group of machines to launch mail
bombs against the Winter Olympics Web site to protest that one of their skaters
was disqualified. ''They intended to flood the site and bring it down,''
Spitzner explained.
''The reasons they attack run from the political to 'I bought your product
and didn't like it and now I'm going to get all these machines to attack your
machine and make you pay for it','' he said.
Changes in the blackhat community
The Honeynet Project has been tracking the activities of the blackhat community
and monitoring its behavior for a few years now. Beyond their usual involvement
with viruses, hacking, espionage and system misuse, the group has observed some
new trends in the world of hackers, crackers and script kiddies.
One disturbing trend, said Sun's Powell, is the increasing number of sophisticated
cracker groups who compromise computer systems specifically for illegal financial
gain. Criminal hacking, he added, is becoming an organized crime.
''We used to see random kids breaking into systems to steal credit card
numbers and we still see them, but we're seeing things going a whole lot farther
than that,'' he said. ''They're not just stealing those numbers, they're
using them to set up their own Internet sites using stolen funds. They then
advertise those sites, take orders from people who come to buy their products,
and collect more and more credit card numbers in the process.''
As an example of the growing sophistication of criminal hackers, he cites a
group of blackhats The Honeynet Project tracked as they set up a porn site.
''We wondered what they were up to,'' Powell said. ''We concluded
that it was an extortion scheme. People would come to a site and give them their
credit card information, and they would tag them for a hundred bucks a month.
You're not likely to go to the police and tell them, 'Hey, someone stole my
credit card information while I was visiting this site with kiddie porn on it.'
If you do that to 1,000 people, that's a lot of money pouring in.''
And that is not the only thing that is changing. The typically white, male,
upper-middle class, America-centric world of computer hacking is seeing a shift
in gender, ethnicity and socio-economic aspects. ''Typically, it's been
more of a male-oriented, upper-middle class, American thing,'' said Powell.
''But as computers get cheaper, and Internet access becomes more and more
commonly available worldwide, that profile is definitely going to change, especially
as it becomes cool to be a hacker or a cracker.''
In March, a hacker claiming to be a 17-year-old girl with the handle ''Gigabyte''
-- and said to have been moved by the sexism that permeates the male-dominated,
virus-writer community -- created what might be the first-ever virus written
in C#, the programming language that runs natively on Microsoft's .NET platforms.
Sophos issued an advisory when Gigabyte sent the company an e-mail 'heads
up' with a sample of the worm, dubbed the Sharp virus, attached.
''Apparently, she wrote the worm to make a social point,'' explained
Sophos' Wraight. ''The typical profile of a virus writer is a teenage boy
with more time than sense. It's unusual to find girls engaging in this kind
of mischief, but it's sure not because they can't.''
One issue, however, seems to be unchanged when it comes to computer systems
security. As Foundstone's McClure puts it, security is not a goal, but a process.
''Security is certainly something that can be achieved,'' McClure said,
''but it's also something you have to constantly strive for. If you want
to be in shape, you have to work out. But once you're in shape, you can't just
sit and watch TV. You have to keep working at it.''
IT managers should remember that security is not really a technical issue, he
said. Firewalls, antivirus software and intrusion detection systems (IDS) are
widely used tools, as well as very important parts of a secure system; but without
the right people doing the right things, they will never be enough to provide
true security.
''People have to understand how little the technologies they put in place
really matter,'' McClure said. ''You have to build procedures and processes
around it. The standard line is, 'people, processes and technology.' And it's
true. I've seen freeware firewalls sustain very sophisticated attacks because
some very good people manned the network. And I've seen firewalls that cost
hundreds of thousands of dollars broken into on a regular basis.''
At bottom, said Sun's Powell, computer system security is a risk assessment
issue.
''I can take any machine and make it extremely secure,'' he said. ''I
can probably make it hacker-proof. But you're not going to be able to do much
with it, and it's going to be a lot harder to use. That's the tradeoff between
the usability and security of computers. There's always going to be a risk.
The challenge is to identify it and manage it, because you can't avoid it.''
Honeynet Research Alliance
Although The Honeynet Project's membership is limited, interested parties can
become actively involved through the group's Honeynet Research Alliance.
''If someone wants to set up their own honeynet and share their research
and findings with the group, we're all for it,'' said Sun's Spitzner.
The group's Web site lists the goal of the Alliance to develop ''a community
of organizations actively researching, developing and deploying Honeynets and
sharing the lessons learned.''
The Alliance is a closed group limited to organizations actively researching
honeynets. Individuals merely interested in honeynet technologies are encouraged
to join the public honeypot mail list.
The Honeynet Alliance lists six active member organizations, including: South
Florida HoneyNet Project, Nodal Intrusion Forensics Technology Initiative, Incidents.org
Virtual Honeynet Project, Neohapsis Honeynet Project, Paladion Networks Honeynet
Project and the Internet Systematics Lab Honeynet Project. At press time, the
Alliance had four Honeynets online: two are virtual, while two report to a centralized
database.
For more information, see the related article 'Seven security
basics.'