To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned. (About the Honeynet Project)
Lance Spitzner is considered the leading light in the field of honeypot research. He is the founder of the Honeynet Project, which currently consists of 15 organizations spread throughout the world. The Honeynet Project's goal is to capture information on threats, analyze them and publish the findings. Recognizing the importance of this project, the US Government awarded him a grant that allows him and a small team to focus exclusively on the project.
I had an opportunity to chat with Lance about his perspective on the current security landscape.
What are the biggest changes you have seen over the last couple of years?
Years ago it was hackers who were doing it for the bragging rights; now it's criminals. The motivation has changed: hacking is now profitable and there's so much money to be made with very little risk to the actual hackers.
Interestingly enough, IRC (Internet Relay Chat) is still being utilized to start attacks and for communications amongst the bad guys. There are more secure means of communication available, but they are still using IRC. They are not worried about being caught; they are blatantly doing these things out in the open. Though the good ones are communicating less, which makes it harder to track them. Their focus has shifted to making money, in which case they naturally don't want to make a name for themselves, so there's less bragging involved, less communication.
Over the past year or two we have seen a tremendous acceleration of adaptability on the part of the hackers: the minute there's a new security tool out there, the bad guys find a way around it. Spam is a good example; nobody has been able to stop it. Recently you see spam that comes in the form of distorted or disguised images, so it's even harder to filter it. It's amazing how fast the bad guys are staying ahead of us.
And then there is the issue of catching the bad guys. There are a lot of good guys in law enforcement, but even if you track down a guy somewhere on the other side of the globe, you then need to find a prosecutor who is willing to go forward. And sometimes that's not a high priority for them.
Even with better technology, better OS security, stronger passwords and better policies, it just makes it more difficult and time consuming for the bad guys, but they can spend all the time they want since there is no fear of prosecution. So much profit for so little risk.
Hacking is just a tool for extortion, fraud, identity theft, things that have been happening for a long time. If we want to make it more difficult for them, we have to bump up the risk as a deterrent.
Are you doing any research based on specific industry threats?
We are starting to do research on financial threats since there’s a lot of activity there.
Which countries have most of the hacking activity?
Hacking is getting more global, but for some reason we are still seeing a lot of activity coming out of Romania.
What about botnets?
Our German team is doing a lot of research there. In general, botnets are basically business infrastructure for the bad guys; they can change their attack behavior to whatever their "customers" demand: DDoS (extortion), spam, phishing. They have flexibility. The whole thing is a business now.
Do attackers know when they are in a honeypot?
They could potentially reverse engineer our tools and find out, but in general they are not looking. In reality, they don't have any fear of being caught.
Automated vs. Manual Attacks
My assumption is that almost everything is automated now. However, there might be script kiddies and some elite hackers that do their own special thing, but that's a very small percentage. Most activity is automated; it's simply ROI for them, that's the way to make money.
How much can technology help to stop threats?
Technology will only go so far. The vendors put a lot of time and effort into making the operating systems more secure. They have finally gotten there; it's much more difficult now to breach a default system. However, what took us 5 years to figure out and implement has taken the bad guys 5 minutes to figure out how to get around, which is to go after the human.
Do you have any data on whether actual attacks increased or decreased?
I don't have exact numbers, but I have a feeling that the number of attacks peaked about a year ago. There are still a lot of attacks, but there's also a lot of other stuff like phishing going on. I wouldn't be surprised if the number of attacks has either plateaued or is even going down. The bad guys had to first compromise the operating systems to build the botnets. Also, there are constantly new devices that get connected to the Internet, BlackBerrys, handhelds and things like that; these are just new markets for the bad guys to make money with.
Recourse Technologies (which was later acquired by Symantec) had one of the first commercial honeypot solutions. Do you see a market for such products?
No. Since most of the data is used for research, the main consumers of the data are government, law enforcement and educational institutions and, to some extent, security vendors themselves.
If someone wants to learn more about the Honeynet Project, what should they do?
The best way to start is with our website, www.honeynet.org; it contains all the information and how to get in touch with us.
Update: Article on Slashdot http://it.slashdot.org/article.pl?sid=06/11/29/1521237