A New Way to Catch a Hacker

R. A. Hettinga rah at shipwright.com
Mon Apr 28 13:55:21 EDT 2003


The New York Times

April 28, 2003 

A New Way to Catch a Hacker 

For a computer security professional, Lance Spitzner has an unusual goal: He wants ill-intentioned hackers to steal more Social Security numbers and medical records. 

Mr. Spitzner, a former Army officer, spends his days working at Sun Microsystems and his evenings running the volunteer Honeynet Project, a group of security professionals working to track hackers. Until recently, the four-year-old nonprofit effort focused on building and monitoring honeypots -- computer systems designed to be easily penetrated so that Honeynet volunteers can covertly scrutinize hackers' tricks when they break into the systems.

Now Mr. Spitzner, 32, is focusing his efforts on a different type of defense based on the insertion of "honeytokens" into real databases and systems. 

Honeytokens are pieces of seemingly enticing information that have no useful value. Embedded in ways so that no innocent person should accidentally stumble upon them, honeytokens trigger alarms when viewed, grabbed or downloaded. For example, a bank could insert a fake credit card number into its files and then set up a program called a "sniffer" on the network that would send out an alarm if anyone touched that particular number. 

The term "honeytokens" was coined on Feb. 21 by a programmer named Augusto Paes de Barros who used it in an e-mail message to a list of security professionals. But the idea is not new. 

In computing, the idea dates back at least to 1986, when Clifford Stoll, a programmer at Lawrence Berkeley National Laboratory in California, buried fake records for an organization called the Strategic Defense Initiative Network deep in his server. When intruders started downloading the records, and then someone sent a letter to Mr. Stoll about the phony organization, he and federal investigators traced the intruders to East German and Soviet intelligence agencies.

Today, the use of honeytokens is not uncommon. For example, ForeScout Technologies, based in San Mateo, Calif., has built a commercial software program that tracks incidents of surreptitious reconnaissance, like port scans -- the computer equivalent of someone turning your doorknob to see if it is unlocked. The program will announce a false message of vulnerability to the scanner in the form of a honeytoken. It then breaks the connection if the hacker follows up with an attack.

Honeytokens, like their cousins the honeypots, are based on the notion that if you build it, they will come. Mr. Spitzner became intrigued by the idea of honeypots after putting a new computer online at home and watching it get attacked within 15 minutes by an automatic program scanning the Internet for vulnerable prey. 

Many computer criminals break into systems simply for the fun and challenge. Others are looking to take over vulnerable systems in order to use them as safe houses for setting off further, more serious, attacks. Others want to mine credit card addresses or steal corporate secrets. According to a 2002 report by the Computer Security Institute, 90 percent of the 500 corporations, government agencies, financial institutions, medical institutions and universities surveyed detected security breaches during the previous year. 

Honeytokens could also be useful for national security purposes. Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth University, said that the Defense Department could use them to snare people seeking unauthorized information on weapons systems. For example, a honeytoken could be designed so that if it were downloaded and then taken to a different system, it would be able to contact its original server each time it was accessed. One way to do this would be to include code in the honeytoken that would automatically try to fetch a tiny image or some other file based on the home server, making the honeytoken "phone home" whenever it is opened. 

Honeytokens also can be used to track attacks from within a company by people who have passwords to enter the system legitimately. Pete Herzog, managing director of the Institute for Security and Open Methodologies, says that he has used honeytokens to detect when employees illicitly download forbidden material. For example, he has entered corporate memos with particular typos into private databases and then monitored company networks to see where those typos show up. Tracing these honeytokens, he says, often leads to caches of illegal materials stored on the network. 
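The bank's "sniffer" described earlier and Mr. Herzog's typo-seeded memos both amount to the same detection logic: a registry of planted decoy values, a list of the hosts that legitimately hold each one, and a monitor that raises an alarm whenever a decoy shows up in traffic to or from anywhere else. The example below is added here and is not code from the article or from the Honeynet Project; the hostnames, log format and decoy values are constructed, and it generalizes slightly by normalizing spacing and hyphens so a reformatted card number still matches.

```python
import re
from dataclasses import dataclass

@dataclass
class Honeytoken:
    value: str          # the decoy string planted in the real data set
    description: str    # what it was planted as (used in the alert)
    allowed_hosts: set  # hosts that legitimately hold or back up the token

def normalize(text: str) -> str:
    """Strip spaces and hyphens and lowercase, so '4111-1111 ...' still matches."""
    return re.sub(r"[\s-]", "", text).lower()

# Constructed registry: made-up decoys, not real data.
TOKENS = [
    Honeytoken("4111 1111 1111 1234", "decoy card number in billing DB", {"db01", "backup01"}),
    Honeytoken("Regards, the Finanse Team", "memo with deliberate typo", {"docstore"}),
]

# Constructed capture summaries in the form "src -> dst payload".
SAMPLE_CAPTURE = [
    "db01 -> backup01 nightly dump row 8812: 4111 1111 1111 1234",
    "ws-17 -> mail.example.net subject: Q2 numbers ... Regards, the Finanse Team",
    "db01 -> ws-42 SELECT result: 4111-1111-1111-1234",
    "ws-09 -> intranet GET /news/today",
]

LOG_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<payload>.*)$")

def scan(lines, tokens=TOKENS):
    """Return (src, dst, description) for every line in which a honeytoken
    travels to or from a host that is not in its allowed set. Traffic purely
    between allowed hosts (e.g. the nightly backup) is expected and ignored,
    which is what keeps the alarm free of false positives."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.group("src", "dst", "payload")
        norm_payload = normalize(payload)
        for tok in tokens:
            if normalize(tok.value) in norm_payload and not {src, dst} <= tok.allowed_hosts:
                alerts.append((src, dst, tok.description))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print("ALARM: %s -> %s carried %s" % alert)
```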

No one believes that honeytokens can stop all cybercrime. But they could offer an upgrade in protection. 

Honeytokens offer another advantage: They help reduce the number of false positives in other cyberdefense systems. Like car alarms, intrusion detection systems can go off so frequently because of accidental trespassing that many security administrators ignore the warnings. Honeytokens, if designed correctly, should trigger alarms only if there is a malicious attack. 

Hackers, however, are not impressed. Adrian Lamo, who gained notoriety last year when he claimed to have broken into the systems of a number of companies, including Yahoo, says he is not worried. "It's a form of old-school security," he says. "It will work on the people who have been to the old schools."

Mr. Lamo says that he only goes after information that he knows other people frequently seek access to and that he runs credit checks to ensure that information he uncovers, like Social Security numbers, is real. Mr. Spitzner contends that it should not matter whether a hacker bothers to run a credit check because the alarm should ring any time the decoy record is accessed.

Hackers can also evade honeytokens by compressing and password-protecting the information they steal, thereby changing or hiding the data, like fake Social Security numbers or typos, in memos that the sniffers are searching for. And "phone home" honeytokens designed to trace users could be thwarted if opened only on computers disconnected from the Internet. 

Some experts are also worried about the possibility that using honeytokens could violate the federal Wiretap Act, which places limits on intercepting and monitoring electronic communications. Richard Salgado, senior counsel for the Justice Department's computer crime and intellectual property unit, has said that very little law governs this new area and that security technicians should consult their lawyers first.

Mr. Spitzner said that he was less worried about the law than about smart hackers. Honeytokens cannot solve all problems, he said. "But they can make a very simple and powerful tool in a security arsenal." 

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List