Honeynet looks to sting hackers

A group of 30 computer security researchers who set up inexpensive "fake" networks to observe how hackers behave as they break into them are finding out about new software vulnerabilities and warning the public.

The security professionals, calling themselves The Honeynet Project, quietly maintain a distributed network of Windows NT, Linux and Sun SPARC servers and desktops accessible via the Internet to monitor how hackers go after various operating systems. As research volunteers operating on a shoestring, they've collected a wealth of data - and at times found out about new attack tools and exploits from the "blackhat" underworld of hackers.

In January, for instance, the Honeynet Project discovered hackers could use a management feature called the CDE Subprocess Control Service to take root control of Solaris.

The Honeynet Project shared that insight with the CERT Coordination Center, which determined the matter was serious enough to issue security alerts advising Solaris users to turn off CDE until the buffer-overflow vulnerability was patched.

But most days, according to Jed Haile, project engineer at Nitro Data Systems and volunteer hacker-watcher, the Honeynet records hacker activity that is of less scientific interest but is astonishing in its intensity and criminality.

Hackers that fall into the Honeynet are seen to swap stolen telephone and credit card numbers, try to break into other possibly more "real" networks and even discuss using the Internet for terrorist attacks.

In general, experience shows that hackers frequently operate as gangs - and they love to talk.

"The 'blackhats' have a compulsive need to chat on IRC [Internet Relay Chat software]," says Haile, who spoke about the two-year experience of The Honeynet Project at the recent InfoSec conference. "The first thing they'll do on a hacked box is set up IRC and invite their buddies over." Then they set up an encrypted route back to another compromised server elsewhere on the Internet.

The goal of the Honeynet Project, started by Sun engineer Lance Spitzner, is not to capture hackers, but to observe their actions and find out about the new tools they use.

"A lot of these hackers are not gurus who know everything about computers," Haile says. "They have very good tools. And they talk about doing this for money. There's definitely a market for hired hacking out there."

The Honeynet Project's undisclosed number of servers and desktops, maintained at diverse locations with a minimum of publicity, spans the country. Each server typically gets 20 or more unique scans per day, and the hackers don't have too hard a time breaking into any operating system that isn't up to date on its patches, although they may find new vulnerabilities, too.

As a scientific effort, one of the Honeynet Project's goals is to analyze the collected data to develop software that can estimate the probability of a successful attack. The Honeynet Project also would like to be able to pinpoint those who make these hacker tools.

Not so sweet honey
The Honeynet Project was set up to trap, monitor and record hackers. Also known as deception systems or honeypots, such networks are designed to look like real networks with real resources to attack. The driving ideas behind honeypots are:
Help other users and the industry with early warning and prediction data.
Identify new hacking tools and tactics.
Provide forensic evidence to post-attack investigators.

Even as it learned a lot about hackers, the Honeynet Project discovered there are practical obstacles in operating a honeynet, especially in making sure a hacker doesn't use the honeypot as a springboard to break into other systems.

"Suppose hackers break into a honeynet during the weekend and they take down the White House?" Haile says. "There's a tremendous legal liability in all this." If an attacker makes more than five or six outbound attempts at attacks, the honeynet shuts him off. Haile says no company should set up a honeynet of its own before discussing it with its legal department.

The Honeynet Project has designed a second-generation honeynet that will include an extensive "production-looking" intranet to keep hackers intrigued with trying to break in further. But it will block outbound scanning.
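As an added illustration, not the Honeynet Project's own code: a small Python simulation of the data-control rule described above, in which a honeypot is never expected to open outbound connections, an outbound IRC connection is flagged as the compromise indicator the article describes, and the host is cut off once it exceeds the "five or six" outbound attempts the article mentions. The honeypot addresses, IRC ports and flow records are constructed assumptions.

```python
"""Honeynet data-control simulation (constructed example).
A honeypot should never initiate connections, so every outbound flow is
suspicious, and after a small number of outbound attempts the host is cut off."""
from collections import defaultdict

HONEYPOTS = {"10.0.0.5", "10.0.0.6"}   # assumed honeypot addresses
IRC_PORTS = {6667, 6697}                 # common IRC ports (assumption)
OUTBOUND_LIMIT = 5                       # article: "five or six" outbound attempts

# Constructed flow log: (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("12:00:01", "203.0.113.9", "10.0.0.5", 22),     # inbound scan: allowed
    ("12:00:09", "203.0.113.9", "10.0.0.5", 6112),   # inbound: allowed
    ("12:05:00", "10.0.0.5", "198.51.100.2", 6667),  # outbound IRC: alert
    ("12:05:10", "10.0.0.5", "198.51.100.3", 80),
    ("12:05:11", "10.0.0.5", "198.51.100.4", 80),
    ("12:05:12", "10.0.0.5", "198.51.100.5", 80),
    ("12:05:13", "10.0.0.5", "198.51.100.6", 80),    # 5th outbound: last allowed
    ("12:05:14", "10.0.0.5", "198.51.100.7", 80),    # 6th outbound: blocked
    ("12:05:15", "10.0.0.5", "198.51.100.8", 80),    # still blocked
    ("12:06:00", "10.0.0.6", "198.51.100.9", 443),   # other honeypot, 1st outbound
]

def data_control(flows, limit=OUTBOUND_LIMIT):
    """Return (decisions, alerts): one "allow"/"block" per flow, plus findings."""
    outbound = defaultdict(int)
    decisions, alerts = [], []
    for ts, src, dst, port in flows:
        if src not in HONEYPOTS:
            decisions.append("allow")      # inbound traffic: let attackers in
            continue
        outbound[src] += 1
        if outbound[src] == 1:
            alerts.append(f"{ts} {src} first outbound connection: likely compromised")
        if port in IRC_PORTS:
            alerts.append(f"{ts} {src} outbound IRC to {dst}:{port}")
        if outbound[src] > limit:
            decisions.append("block")
            if outbound[src] == limit + 1:
                alerts.append(f"{ts} {src} exceeded {limit} outbound attempts: cut off")
        else:
            decisions.append("allow")
    return decisions, alerts

if __name__ == "__main__":
    for line in data_control(FLOWS)[1]:
        print(line)
```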

Hackers tend to be an angry lot, particularly when they figure out they are being watched in a honeynet, Haile says. "Hackers will undertake every effort to destroy a honeypot when they find it."

Contact Senior Editor Ellen Messmer