Decoy PCs trick hackers into teaching security

For the best security, hack the hackers, suggest security experts who have spent several months watching malicious intruders break into disguised decoy systems on the Internet.

The informal study found it was only two to four days before hackers attacked an unprotected Windows 98 system with its file sharing enabled. Hackers attacked one such system four times in a five-day period. The fastest takeover was 15 minutes, when a hacker broke into a PC running Red Hat Linux 6.2.

This informal research, known as the Honeynet Project, may grow into an ongoing organization. Security researchers created a network of PCs they dubbed honeypots, named for the attractive but troublesome favorite treat of children’s book character Winnie the Pooh. In this case, the group placed PCs on the Internet in various states of security, designed to attract hackers, says Lance Spitzner, who described the experiment on the final day of the annual Black Hat Briefings security conference this week in Las Vegas.

Some of the computers ran with the default installations of their operating systems, while team members patched others with the latest security fixes. Then they placed the PCs on the Internet in such a way that Honeynet Project members could closely observe the systems without being noticed by hackers. They recorded the exact methods hackers used to break into those and other systems, and even recorded the text conversations of a notorious group of Web page defacement hackers known as GForce Pakistan.
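The observation setup the article describes, reduced to its essentials, as an added example (this is not the Honeynet Project's own code): a low-interaction honeypot that listens on a few decoy ports, never answers, records who connected and what they sent, and reports the kind of numbers quoted above, such as the time a decoy sat untouched before its first probe and which ports and sources hit it. The ports, source addresses (from the documentation-only 203.0.113.0/24 and 198.51.100.0/24 ranges), timestamps and payload bytes in `demo_honeypot` are constructed for illustration.

```python
"""Minimal low-interaction honeypot: log every contact on decoy ports and
summarize time-to-first-contact, per-port and per-source counts.
Added example; the listener is optional, the analysis runs offline."""
import socket
import threading
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    when: datetime      # time the connection was accepted (UTC)
    port: int           # decoy port that was hit
    src: str            # source address of the connection
    peek: bytes         # first bytes the client sent, if any


class Honeypot:
    """Listens on decoy ports, never replies, and records every contact."""

    def __init__(self, ports, deployed_at=None):
        self.ports = list(ports)
        self.deployed_at = deployed_at or datetime.now(timezone.utc)
        self.events = []
        self._lock = threading.Lock()

    def record(self, port, src, data=b"", when=None):
        """Append one contact; pure bookkeeping, so it can be fed offline too."""
        ev = Event(when or datetime.now(timezone.utc), port, src, bytes(data[:64]))
        with self._lock:
            self.events.append(ev)
        return ev

    def _serve(self, port):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, (src, _) = srv.accept()
            conn.settimeout(2.0)
            try:
                data = conn.recv(64)   # peek at the client's opening bytes
            except OSError:            # timeout or reset: log the contact anyway
                data = b""
            finally:
                conn.close()
            self.record(port, src, data)

    def start(self):
        """Run one accept loop per decoy port in the background."""
        for port in self.ports:
            threading.Thread(target=self._serve, args=(port,), daemon=True).start()


def time_to_first_contact(hp):
    """How long the decoy sat untouched; None if nothing has hit it yet."""
    if not hp.events:
        return None
    return min(e.when for e in hp.events) - hp.deployed_at


def summarize(hp):
    """Time-to-first-contact in hours plus counts per decoy port and per source."""
    ttfc = time_to_first_contact(hp)
    return {
        "first_contact_hours": None if ttfc is None else ttfc.total_seconds() / 3600,
        "by_port": dict(Counter(e.port for e in hp.events)),
        "by_source": dict(Counter(e.src for e in hp.events)),
    }


def demo_honeypot():
    """Constructed sample: decoy deployed at noon, first probed about two days later."""
    t0 = datetime(2000, 7, 24, 12, 0, tzinfo=timezone.utc)
    hp = Honeypot(ports=[139, 23], deployed_at=t0)   # constructed decoy ports
    hp.record(139, "203.0.113.7", b"\x81\x00\x00D", when=t0 + timedelta(days=2, hours=3))
    hp.record(139, "203.0.113.7", b"", when=t0 + timedelta(days=2, hours=3, minutes=1))
    hp.record(23, "198.51.100.22", b"root\r\n", when=t0 + timedelta(days=4))
    return hp


if __name__ == "__main__":
    print(summarize(demo_honeypot()))
    # To run the listener for real on an unprivileged port:
    # hp = Honeypot(ports=[2323]); hp.start(); ... then summarize(hp) later.
```

The listener deliberately sends nothing back: a decoy that answers nothing still records the connection attempt and the first bytes, which is enough to measure exposure and to see which services draw attention, without the honeypot itself offering any service an attacker could use.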

“Even though the technical proficiency of the [GForce Pakistan] hackers was pretty low, they were able to cause a lot of damage,” says security consultant George Kurtz, also a speaker.

Gathering intelligence

The honeynet served as an intelligence gathering system, says Spitzner, a former Army officer who worked in a tank rapid deployment force.

“It’s about teaching people how the attacks spread to other systems,” Kurtz says. “You would never find a for-profit company that would say, ‘hey, we’ve been hacked, want to take a look at what they did?’”

Commercial intrusion detection systems can sometimes let you know if you’re being hacked, Kurtz adds. But simple detection can’t tell you “the mindset or motivations of the hacker.”

Honeynet Project participants encouraged Black Hat attendees to set up honeypots on their own networks, and to share their findings with the Honeynet Project.

If more honeypots are in place, hackers might think twice before trying to break into a particular network, the speakers suggest. It could be the Internet version of the deterrence that security cameras provide to potential bank robbers.

“If we can make [the hackers] have to keep looking over their shoulders, so much the better,” adds group member Edward Skoudis. “A presumption of surveillance goes a long way in preventing hack attacks in the first place.”

The Honeynet founding group, composed of security and network information specialists from many of the largest computer networking products companies, plans to continue operations as a nonprofit organization.

Their efforts are just another front in the cyberwar on hackers, a recurring theme of the Black Hat event.

Legal weapons

In fact, international laws of conflict apply even in cyberspace, says Walter Gary Sharp Sr., a former military legal counsel. He spoke on “Key Legal Implications of the Computer Network Defense,” addressing a crowd that included people who may have considered defending their networks by hacking the hackers.

The rules of the Geneva Conventions and the United Nations charter apply to international hacker attacks as well, Sharp says. Those rules differ depending on whether the hacker’s nation of origin is at peace or in armed conflict with the nation where the targeted system resides.

Lawmakers and international agencies are clearly concerned about computer security issues, the speakers suggest. One, cryptographic analyst Bruce Schneier, says he is testifying next week before a U.S. Senate panel on the status of computer security and proposed improvements.

“Security in the real world is all about risk management,” Schneier says. He suggests the insurance industry might have a useful role.

“The insurance industry drives security in the real world,” he says. “They write policies based on the countermeasures you have in place to protect yourself.”

If companies who use software could buy “anti-hacking insurance,” software quality might improve, Schneier says.

“Right now, Microsoft has no financial incentive to make Windows secure,” Schneier says.

But if customers held insurance policies against security problems in programs, software developers would need to rapidly plug holes and repair weaknesses in their products – or face ever-higher insurance premiums.