SECURITY gurus study hackers with 'honeypot' computers

Sunday, July 29th 2001, 12:00 am
By: News On 6

SAN JOSE, Calif. (AP) _ As a tank officer in the U.S. Army, Lance Spitzner carefully studied the range of Soviet tanks, their speed and rate of fire. He read about the history of threats and motivations for attacks.

It's called getting to know the enemy.

Later, as a computer security consultant, Spitzner was surprised at the sorry state of intelligence gathering on people who break into computers, steal information, erase data and launch attacks.

Some companies infiltrate hacker groups and hire hackers as consultants. But in this ever-escalating war, little was being gathered about their methods until after the damage was done.

From his worries, the Honeynet Project was born. It's an attempt to uncover the latest and greatest hacking techniques, motivations and targets by setting up a network of systems dubbed ``honeypots,'' solely to watch them being hacked.

``Everything in security has been about prevention, protection and reaction,'' Spitzner said. ``The bad guys have the initiative. We want to take the initiative and gain intelligence on the bad guys and counter that before they attack.''

The Honeynet consists of ordinary computers and software with one difference: The system seamlessly and quietly records every bit of information that passes through, including keystrokes.

In Honeynet's two years of operation, the half-dozen machines locked away in the spare bedroom of Spitzner's suburban Chicago home hosted everything from malicious, virus-like worms to a group of Pakistani hackers intent on stealing credit card numbers and defacing Web sites.

At first Spitzner relied on an informal group of colleagues to help solve the problems his computers recorded. Now, the team is 30 strong and includes computer gurus, forensic experts, statisticians and psychologists _ all volunteers.

The cost was low: Nobody was paid, and all equipment came out of Spitzner's closet.

Team members have called the FBI when it appeared laws were about to be broken, but their main purpose was to collect data for research, not prosecution. The hackers are rarely even identified.

And when it appears a hacker is about to divert a Honeynet computer to launch an attack against other systems, the honeypot is cut off to avoid liability.

The Honeynet Project aims to raise awareness and educate other professionals about security risks through papers and the group's book, ``Know Your Enemy,'' soon to be published by Addison-Wesley.

The group also hopes to predict how quickly machines are likely to be violated after hackers begin scanning their targets.

``The fastest one of our honeypots has ever been hacked is 15 minutes,'' Spitzner said. ``This should scare the hell out of you. We do nothing to advertise. We just put the systems out there. This is my ISDN line in my home bedroom. It's not IBM or something like that.''

The team turned off the original network earlier this year and started planning ``Operation Poohbear,'' which will be funded through book sales and grants. More than one Honeynet will be built, and they will be much more complex in hopes of attracting more experienced hackers of the blackhat, or unethical, variety.

Spitzner's group also works with other organizations, including the Naval Postgraduate Program and the University of Pennsylvania, to develop next-generation honeynets.

Unethical and illegal hacking is a growing problem. Honeynet's intrusion detection system, for instance, issued 157 alerts in May 2000. By February, alerts increased nearly nine times to 1,357.

Last year, 85 percent of 538 companies, universities and agencies responding to a questionnaire said their networks were breached, according to the Computer Security Institute and the FBI. The 186 respondents who quantified damages put losses at $378 million, up from $266 million a year ago.

Just recently, the ``Code Red'' worm infected more than 225,000 servers around the world and could have spelled disaster for the White House Web site had preventative action not been taken.

``A Honeynet potentially could have detected the attack and captured the worm much quicker for warning and analysis,'' Spitzner said.

Unlike traditional honeypots, which have been used for at least a decade, the Honeynet Project's systems are not emulations but real machines that operate as they would in a home or business.

``The work that they've done putting systems up and seeing how long they last is quite a valuable service,'' said Stephen Northcutt of the SANS Institute, a computer security research and education organization. ``You can point it out to people who don't want to be concerned about security and show them in gory detail that you have to be concerned.''

This is not the kind of thing most businesses or individuals should try doing themselves, security experts say, citing potential liabilities and the effort it takes.

``You're better off spending your resources training your people and putting in place processes for monitoring your systems instead of spending it on a honeypot,'' said Elias Levy, chief technology officer of San Mateo-based SecurityFocus.

Spitzner, who also is a consultant for Sun Microsystems Inc., learned firsthand about the difficulty and risk of honeypots when he built his first in early 1999.

Within 15 minutes, the computer was hacked _ and his hard drive erased after the hacker realized he was being watched.

The next system was set up to mask the monitoring and appear to be just another network of computers somewhere on the Internet.

``Every packet (of data) entering or leaving our network is captured and analyzed,'' Spitzner said. ``Any packet that's entering our network is most likely someone probing us. Any packet that initiates from the Honeynet means something's been compromised.''

The group installed alarm systems that automatically e-mail Spitzner and other team members, who spent hours analyzing the captured information.

So far, the longest any group has stayed on a machine has been three weeks.

It turned out to be a Pakistani group bent on stealing credit card numbers and defacing U.S. government Web sites. The group used the honeypot to run a chat service. Honeynet captured every word and alerted the FBI.

The conversations, translated by a team member fluent in Urdu, indicated the group consisted mainly of young hackers who used programs that automatically break into systems. One wrote about smoking marijuana after his father left for work; others seemed perplexed about mounting a hard drive in Unix and other simple tasks.

``It says something about us in the security community when individuals this incompetent are doing that much damage,'' Spitzner said. ``Just imagine if they were competent.''