| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
'Honey pot' network can gather evidence for catching and prosecuting hackers WE'RE FREQUENTLY ASKED, "Is the online security threat real? Is it as prevalent as some have postulated, or have the press and media exaggerated the problem by espousing security fears and doubts?" Well, we're here to tell you once and for all that the threat is real, and here's an example that we hope will convince you.
The hacker group had compromised more than 350 systems on the Internet, and those were only the ones they cared to share with their friends while logged in to the Honeynet systems. The complete number of compromised systems is anyone's guess. But how could they do this? These wily miscreants often defy tracking, dodging in and out of computer systems and leaving no more than a digital fingerprint. They used well-known remote buffer-overflow exploits on Unix systems to gain instant access. Then from those violated systems, they set up shop by installing Unix "root kits" (for remotely controlling systems) and launching additional attacks. The point of installing a honey pot system is to capture a malicious hacker's attempts to gain unauthorized access to a system. By setting up a honey pot network, such as the Honeynet project, you can track and learn an enormous amount about how these malicious hackers and script kiddies gain access to systems; communicate with each other; what tools they use once they get on, such as root kits; and where they attack after the current victim. This data lets the honest folks build countermeasures to their activities. A number of honey pot-like software products claim the ability to catch a thief, if you will. Such software is designed to record the activity of attackers and in some cases trap them into a corner, rendering their actions useless. But the Honeynet group has gone beyond that by setting up their own homegrown honey pot network. They use a combination of firewalls and a network and security product called snort to control incoming and outgoing access while at the same time watching everything that transpires with keystroke logging. A number of commercial products now have honey pot capabilities like those cooked up by Lance and his friends, but none come close to Honeynet's cost: free. Among the commercial tools worth taking a look at are those from Netfacade and Recourse Technologies. The hacker group's initial exploit was the Solaris ToolTalk Database (TTDB) vulnerability, which allows remote-command execution. The attack can be discovered with some intrusion detection systems, but a Unix system's syslog will also show the reaction to a successful attack. The following entries in syslog most likely mean an attack has occurred and has completed successfully: /usr/dt/bin/rpc.ttdbserverd: Segmentation Fault - core dumped /usr/dt/bin/rpc.ttdbserverd: Illegal Instruction - core dumped With TTDB the group was able to install their root kit and then create backdoors on the system by adding users such as "r" and "re" with a setUID parameter of 0 and their own passwords. Then they set up their own IRC (Internet Relay Chat) bots to tell the rest of the group about their exploits. The TTDB vulnerability is nothing new. You've seen it discussed here a number of times, but it is an incredibly effective attack. And Lance wanted it that way. He wanted to set up systems that mirror the majority of Internet computers. Doing so made the attack simple for the intruders. The hacker group was clearly a script kiddie bunch using publicly available exploit code to break into these systems, set up their root kits, and further exploit systems. This island-hopping technique is widespread in the underground and is the most frequent means of elaborate attack. But some say the insecurity identified by the project, although a realistic view of the threat on the Internet, doesn't truly address the most dangerous threat: those foreign countries, corporations, or international underground hackers that are too smart and stealthy to be caught. The Honeynet project has proven incredibly valuable for the security community. How else can the "white hats" learn about what the script kiddies are doing, the tools they are using, and the techniques they are deploying? Lance believes you can't get this valuable information just by attending hacker conferences, lurking in IRC sessions, or reading security mailing lists. And we agree. For more information about the Honeynet project, check out www.enteract.com/~lspitz/motives. How do you stay current with the happenings in the underground? Send your thoughts to security_watch@infoworld.com. Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone ( www.foundstone.com ).  RELATED SUBJECTS  SecurityMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
