[ISN] Honeynet traps the unwary

InfoSec News isn at c4i.org
Wed May 25 03:38:42 EDT 2005


By Patrick Gray
May 24, 2005

Some people just won't learn, according to the University of
Washington's David Dittrich, a speaker at this week's AusCERT security
conference on the Gold Coast.

In his 15 years with the university, Mr Dittrich has had a lot of
experience with security incidents but didn't expect computer users to
be so reluctant to learn about the dark side of computing.

"Still people don't understand the power of the computers they have
when they're taken over by someone else," Mr Dittrich says. "I thought
the education process would happen faster."

Mr Dittrich, 43, started work at the University of Washington in an
administration role, maintaining Unix machines and coding MS-DOS based
applications that controlled nuclear magnetic resonance equipment.  
Before long, Mr Dittrich moved into Unix support and eventually
security administration.

Since then he's cemented a reputation as an expert on Distributed
Denial of Service (DDoS) attack tools and honeynet research.

A honeynet is a computer, or group of computers, designed to be
attacked for research and attack detection purposes.

During his time in the field, he's seen things change.

"In 1996 and 1997 the number of Unix intrusions was going through the
roof and Windows wasn't really a problem at that point," he says.

That all changed when Microsoft decided to build internet protocol
support into its operating system in the mid-'90s.

By 1999, the number of attacks had seemingly doubled and attackers
weren't just hitting Unix systems.

Scores of the university's 60,000 computers were breached every day.

These days, Mr Dittrich is a senior security engineer and staff
researcher at the university. He has also helped to develop course
material taught across all faculties.

Under a National Security Agency (NSA) approved program, the
University of Washington now teaches non-IT students about the
importance of data security.

"The NSA definitely has it right when they're trying to convince
people to get this education across every program," Mr Dittrich says.  
"Unless you have everyone up to speed and adequately paranoid, you're
not going to have a secure system."

And, according to Mr Dittrich, we have plenty to be paranoid about.
Automated tools that made the wholesale compromise of thousands of
systems possible first appeared in about 2000, he says, but they're
still getting better.

"I'm seeing a definite trend in increased sophistication in automation
on everything to do with intrusion," Mr Dittrich says.

More complicated and harder to detect tools are available to
miscreants, he says, and "it's going to make it harder to deal with
advanced attacks".

In some ways, that's why Mr Dittrich believes in his honeynet
research. While aspects of the research are increasingly geared
towards forensic analysis, the honeynet can still be a valuable
"canary in the coal mine": a decoy system that, when broken into,
should set alarm bells ringing.

That hasn't stopped some security industry commentators from
questioning the usefulness of honeynets in recent times.

Greg Shipley, CTO of Chicago-based IT security consultancy Neohapsis,
once described honeynets as "the IT security guy's pet rock".

While he takes that one on the chin, Mr Dittrich admits honeynets are
of limited use for most. But for others, they offer a way to augment
an existing security set-up, and the spin-off tools with applications
in forensics have been a welcome side-effect.

However, Mr Dittrich argues that the answer lies in education and
co-operation, not in a specific technology. In response to the next
generation of threats, the security industry will have to work more
effectively with the security research community, and everyone will
have to communicate better with upper management, Mr Dittrich
says. "That's been changing a lot but there's still a big gap," he

The fourth annual AusCERT IT security conference started on the Gold
Coast on Saturday. It ends on Thursday.
