Honeynet Founder Lance Spitzner: “Hackers not afraid of being caught”
November 28th, 2006
To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned. (About the Honeynet Project)
Lance Spitzner is considered the leading light in the field of honeypot research. He is the founder of the Honeynet Project, which currently consists of 15 organizations spread throughout the world. The Honeynet Project’s goal is to capture information on threats, analyze them and publish the findings. Realizing the importance of this project, the US Government awarded him a grant that allows him and a small team to focus exclusively on the project.
I had an opportunity to chat with Lance about his perspective on the current security landscape.

His love for tactics began in the Army: Lance Spitzner
What are the biggest changes you have seen over the last couple of years?
Years ago it was hackers who were doing it for the bragging rights, now it’s criminals. The motivation has changed, hacking is now profitable and there’s so much money to be made with very little risk to the actual hackers.
Interestingly enough, IRC (Internet Relay Chat) is still being utilized to start attacks and for communications amongst the bad guys. There are more secure means of communications available but they are still using IRC. They are not worried about being caught; they are blatantly doing these things out in the open. Though the good ones are communicating less, which makes it harder to track them. Their focus has shifted to making money, in which case they naturally don’t want to make a name for themselves, so there’s less bragging involved, less communication.
Over the past year or two we have seen a tremendous amount of acceleration of adaptability on the part of the hackers; the minute there’s a new security tool out there, the bad guys find a way around it. Spam is a good example, nobody has been able to stop it. Recently you see spam that comes in the form of distorted or disguised images, so it’s even harder to filter it. It’s amazing how fast the bad guys are staying ahead of us.
And then there is the issue of catching the bad guys. There are a lot of good guys in law enforcement, but even if you track down a guy somewhere on the other side of the globe, you then need to find a prosecutor who is willing to go forward. And sometimes that’s not a high priority for them.
Even with better technology, better OS security, stronger passwords, better policies it just makes it more difficult and time consuming for the bad guys but they can spend all the time since there is no fear of prosecution. So much profit for so little risk.
Hacking is just a tool for extortion, fraud, identity theft, things that have been happening for a long time. If we want to make it more difficult for them we have to bump up the risk as a deterrence.
Are you doing any research based on specific industry threats?
We are starting to do research on financial threats since there’s a lot of activity there.

Honeynet Founder: Lance Spitzner
Which countries have most of the hacking activity?
Hacking is getting more global but for some reason we are still seeing a lot of activity coming out of Romania.
What about botnets?
Our German team is doing a lot of research there. In general botnets are basically business infrastructure for the bad guys, they can change their attack behavior to whatever their “customers” demand: DDoS (extortion), spam, phishing. They have flexibility. The whole thing is a business now.
Do attackers know when they are in a honeypot?
They could potentially reverse engineer our tools and find out, but in general they are not looking. In reality they don’t have any fear of being caught.
Automated vs. Manual Attacks
My assumption is that almost everything is automated now, however there might be script kiddies and some elite hackers that do their own special thing but that’s a very small percentage. Most activity is automated, it’s simply ROI for them, that’s the way to make money.
How much can technology help to stop threats?
Technology will only go so far, the vendors put a lot of time and effort in making the operating systems more secure. They have finally gotten there, it’s much more difficult now to breach a default system. However what took us 5 years to figure out and implement has taken the bad guys 5 minutes to figure out to get around - which is to go after the human.
Do you have any data on whether actual attacks increased or decreased?
I don’t have exact numbers but I have a feeling that the number of attacks peaked about a year ago. There are still a lot of attacks but there’s also a lot of other stuff like phishing going on. I wouldn’t be surprised if the number of attacks either plateaued or is even going down. The bad guys first had to compromise the operating systems to build the botnets. Also there are constantly new devices that get connected to the Internet, BlackBerrys, handhelds and things like that; these are just new markets for the bad guys to make money with.
Recourse Technologies (which was later acquired by Symantec) had one of the first commercial honeypot solutions, do you see a market for such products?
No. Since most of the data is used for research, the main consumers of the data are government, law enforcement and educational institutions and to some extent security vendors themselves.
If someone wants to learn more about the Honeynet Project, what should they do?
The best way to start is with our website, www.honeynet.org. It contains all the information and how to get in touch with us.
Update: Article on Slashdot http://it.slashdot.org/article.pl?sid=06/11/29/1521237
53 Comments
"Do attackers know when they are in a honeypot? ... they are not looking ... they don’t have any fear of being caught."
Wow. I am SO in the wrong field.
Totally.
I was thinking about learning how to develop PHP apps, but screw that! I'm writing rootkits and selling botnets!
"Hacking is just a tool for extortion, fraud, identity theft, things that have been happening for a long time."
What an incredibly biased and poorly thought out statement. Maybe you and I have a different definition of hacking, but I don't know a programmer who isn't also a hacker.
hack·er1 (hăk'ər)
n. Informal.
1. One who is proficient at using or programming a computer; a computer buff.
2. One who uses programming skills to gain illegal access to a computer network or file.
"I was thinking about learning how to develop PHP apps, but screw that! I'm writing rootkits and selling botnets!"
And I'll be right there waiting for you.
"Hacking is just a tool for extortion, fraud, identity theft, things that have been happening for a long time."
Since when is hacking a tool? Hacking is a skill, an art, and a lifestyle. Hackers are getting a bad rep because people like Lance Spitzner make a profit from scaring the general public. The more people fear hackers the more his budget goes up.
I hate to disappoint, but "phising" attacks have been around for years. Hackers making money from hacking has been around for years.
I found it easier to switch from hack/phreak to security geek than continue bothering to break systems, and this was over 12 years ago.
I also believe that most corporate targeted security products are snake-oil, and that society is being sold these horror stories to make the industry even more profitable. It's a con. It's been a con for years and will remain a con. Attack the people. Hell, that's been happening forever. The public don't need more security tools, the public need real education.
The issue with the hacking/cracking terminology has been around as long as I can remember. After so many times trying to explain to someone the difference - you eventually give up. I know a lot of people who consider themselves hackers but would never do anything illegally.
I agree with Martin Hack here. Hacking was coined in the golden age of the Altair and Unix. MIT and UC Berkeley all had "hackers" working and attending college there. Well, I am going to avoid starting a nine-hour argument that will never die. I will say this and only this: without the hackers the internet would not be here, so be happy it's here. The more policing of the net the worse the hackers will get, it is the nature of the beast. They will always be around and reinventing the way technology works.
Is this really news to anyone? IRC botnets have been around for years and have been used for stealing for profit equally as long. Common sense tells you that you don't fear something that cannot induce consequences. Case in point, how are you going to press a guy in the middle of the Congo for scamming you? U.S. domestic law?
How about we talk about how this has already been taken to the next level by hiring professional programmers who now offer encryption to hide the activity and a "be your own criminal" software package. In Russia, right now, you can buy a toolkit from the criminals that walks you through the setup of your very own criminal enterprise. For those interested, it's called, "WebAttacker ToolKit"
[...] The Hack Report has an interview with Honeynet Founder Lance Spitzner where he gets to re-hash what we know about the bad guys: yes they are after your computer, they are in it for the money now and no, there’s nothing law enforcement can do. [...]
People... hackers will stop getting a bad rap when the people who are building botnets for criminal purposes call THEMSELVES hackers. This debate is the deadest of dead horses. Got a problem with the misuse of the term "hacker?" Blame the criminals who REFER TO THEMSELVES as hackers. Leave good guys like Lance Spitzner alone and stop with this ages-old whine.
Why do you guys cry about the negative use of the name 'hacker' in these articles? You purists fighting for the name lost that battle decades ago.
Why not just make up a new name for yourselves? The term 'hacker' is not as cool or as 'respectable' as you might think...
I there was a name. I thought it was White Hats and BlackHats. With white being good and black being the latter.
Yet again we see Lance riding someone else's coat-tails to fame.
Reading the above interview we don't find a single original comment or thought, but we do find several pieces of utter rubbish.
"Since most of the data is used for research, the main consumers of the data are government, law enforcement and educational institutions and to some extent security vendors themselves."
I got in to a fight with Lance many, many years ago over this exact point. Lance formed the Honeynet project with the express purpose of trying to make money out of the Honeypot project. He was trying to flog Honeypots to every network in the world. The others who worked on the Honeypot project didn't like this and quit the project. Well, being thankful for small things, at least he worked this one out, eventually.
It's nice to see they're "starting" to research attacks against the finance industry. It's not like the finance industry hasn't been one of the main victims for the past 20 years.
Lance, do us all a favour. When you have something new to contribute, some radical finding that we don't already know, then write a white paper and get yourself interviewed. In the meantime stop this shameless self promoting, ego-pump using other people's thoughts and common knowledge as if it's your own brilliance.
Most of the people commenting here are complaining. I think that people should just take the information in total. Don't worry about who said it or why. Most of the information in the report is fairly accurate. I think a lot of the people who left negative comments misinterpreted the text.
An example is the part about the attacks being targeted towards people not the machines. I think this is a very accurate idea. Most of the problems that people have with spam and viruses come from ignorant use of the internet. Being fooled into downloading or viewing content that is malicious. And there was never any insinuation that people need more security tools, in fact that very statement suggests that more security tools won't make a difference. Because it's not the computer that is being targeted. No matter how good a security tool is, the user can probably circumvent it in order to infect their own machine. Which is most often the case.
Has a government or credit card society ever used honey-identities? If they caught someone using one of these and publicly pulled their toes off (or some sort of more humane punishment), wouldn't that raise the risk of the botnetter's products?
What a dumbass... talking about "bad guys" when he was in the military. How does stealing a few bucks w/ spam compare to being a murderer for hire? Typical clueless computer geek trying to suck up to the whoever is in charge...losing sleep over the *poor* credit card companies making slightly less money. wake up people, spammers and phishers aren't the real problem.
PURE TRUTH!! THIS comment was perfect truth:
What a dumbass... talking about "bad guys" when he was in the military. How does stealing a few bucks w/ spam compare to being a murderer for hire? Typical clueless computer geek trying to suck up to the whoever is in charge...losing sleep over the *poor* credit card companies making slightly less money. wake up people, spammers and phishers aren't the real problem.
TRUTH TRUTH TRUTH
I could not possibly agree more. The financial institutions are irresponsible and will gladly sht all over the customers to make that extra buck. They could have done things correctly but it would have cut their PROFITS so the proliferating gluttons just plowed forward, "damn the consumer let them suffer!"
Ever had money pulled out of your account and had to call the bank and try to get your money back? They treat you like a goddamn criminal. The banks don't care one bit about the customer they care about the almighty dollar. SICKENING.
There's three types of hackers... or three shades, rather.
White Hats - The Good Guys
Black Hats - The Bad Guys
Gray Hats - Somewhere in between
Don't fret over the negative usage of the word, the context is obvious enough for someone to understand that Spitzner is talking about the Bad Guys.
I'm hiding in c:\windogs. 8D That's the way it is done, do you not think so?
"losing sleep over the *poor* credit card companies making slightly less money. wake up people, spammers and phishers aren't the real problem."
When your checking account gets cleared out while you're overseas on vacation because your bank has lousy security you won't be thinking that.
I also lol at the military service == murder for hire assertion. You know what I call people like you? Cowards. Little script kiddies hiding in mommy's basement stuffing down Cheetos and wondering why you suffer from chest pains at the age of 24 when whacking off with your tux plushie. Hey, we can all make blanket generalizations here, right? Have you discovered deodorant yet, or what that spigot that shoots water out of the ceiling in the bathroom is for?
I agree with
*The more policing of the net the worse the hackers will get, it is the nature of the beast. They will always be around and reinventing the way technology works.*
People can't honestly think that bad guys are not afraid of getting caught. I mean, of course IRC is being used, but talking about something isn't committing a crime, and let's face it, anyone who is not just running canned exploits knows to use more sophisticated means of concealing the acts themselves.
I respect what the Honeynet project is trying to do but I do not hold much stock in its results; most of its analysis and statistics must be based on the activities of skiddies and so doesn't do much to profile the work of the 2-5 percent of people who actually know what they are doing.
Articles like this just seem to me to be another way to spread FUD among the non-technical majority of internet users.
While I think this project has good intentions, I don't think it'll be very efficient at stopping/catching hackers. There's just simply too many of them, and they're not weighed down by a bureaucracy like the guys trying to catch them.
It's almost impossible to stop these guys. I just co-wrote a book called "Identity Theft Incorporated" with Glenn Hastings, the world's premier (retired) identity thief, and what he did with his hacking partners to steal millions from banks and credit card companies defies all defense. You can see some of this on my website
www.richardmarcusbooks.com
easy to criticize lance. it's all the fashion to bash on the honeypots, etc but there has been value found. if you are so much brighter than lance, all you whining fux, then get out there and do your own thing better and stop attacking.
I know nothing about computers. This article was sent to me by a friend. That being said, given the comments listed; military, non-military, political, non-political. You're all pretty much the same. All the have-nots want what the have's have and no one wants to work for it.
[...] Hackers Criminals are now increasingly targeting identity data. They are shifting their attacks almost exclusively towards theft and exploitation of personal information such as SSN’s, credit card and other private data. Keeping systems up-to-date and the use of the latest system and network security technology can decrease the chances of hackers gaining access to sensitive information. [...]
[...] View: Full Story News source: Hack Report [...]
[...] Lance Spitzner: Self-confessed computer geek and former U.S. Army officer Lance Spitzner is perhaps most famous for creating the The Honeynet Project, a nonprofit research alliance that is “dedicated to improving the security of the Internet at no cost to the public,” according to the organization’s website. Spitzner’s heart of gold has earned him a top spot on my list. Check out this article from the Hack Report to learn more about his work with the Honeynet Project. [...]
Ok Norton AV is the most scaring institution of all.
Mr Lance is trying. If he is making a profit so what.
At least the honeynet project is likely to have an effect in the future. At least it scares the top level crackers that they MAY be monitored.
No firewall, no IDS, NOTHING will ever stop us. Not even honey pots.


We will not tire.
We will not falter.
And we will not fail.
Like my new BMW?
So much for cheetos in mothers basement.
I LIKE RIBEYES
And I dropped out in the 6th.....
GO FIGURE.
The Romania hackers are the elite
How do you know we do not snoop on your honeypots or flood them garbage?
See you in a network near you,
Cheers fanceylancey!
RE:
Comment by haden_fox on November 30, 2006 12:46 am:
"but talking about something isn't committing a crime,"
Um, yes it is, it's called conspiracy.
I got hacked. Could you please track down whoever hacked me? My character's name is XxxwindragonxxX. Please, just find them, because I worked hard for it. Please look for it in Flyff Online. Thank you.
I really enjoy it, thanks for sharing.