Lance Spitzner is doing what most CIOs and CSOs can’t afford to do. As the founder of the Honeynet Project, a three-year-old nonprofit research group, he is sitting back and watching the hackers, just to see what they’ll dream up next.
The latest? Automated credit card fraud. The bad guys — that’s Spitzner’s technical term — can go to an automated network of e-commerce sites controlled by hackers and punch in a stolen credit card number. If the number has been used on any of the hacked sites, the network automatically retrieves the name, address and purchase history of the unlucky credit card holder, making it easier to commit further fraud.
Spitzner, whose day job is with Sun Microsystems, knows this is happening because one of the Windows 2000 computers that make up the Honeynet Project was used for this very purpose by a hacker who had access to more than 15,000 computers. But aside from alerting the CERT Coordination Center, the industry group that tracks such things, researchers at the Honeynet Project just observed the hacker’s exploits. That’s the idea behind the project: to set up a network of what are known as honeypots, bogus computers that don’t need to be defended, so that security experts can study how the hacking community operates if left unchecked.
“With honeypots, there’s no production activity or authorised action, so if anybody interacts, you know they’re being naughty,” Spitzner says, using another technical term. “It’s one of the very few cases where you can take an offensive approach.”
The idea of going on the offensive against hackers is not entirely new, but these days it seems to be gaining some momentum. In fact, the latest buzzword in information security is “intrusion prevention,” which vendors are positioning as a replacement for intrusion detection systems. The idea behind an intrusion prevention system (IPS) is to stop an attack — not just detect it. (Sounds a bit like what firewalls were supposed to do, huh?) “If two guys showed up in masks and with guns, you wouldn’t just record them on a videotape,” points out Ken Tyminski, vice president and CISO of Prudential Financial, who is currently deploying a system from Information Security Systems.
Not that long ago, the idea of an offensive defence seemed, well, offensive. Tim Mullen, CIO of the security software vendor AnchorIS, was lambasted last winter for presenting a paper about how companies might disable computers that launch malicious code. This is a highly controversial tactic, because of the very real possibility of attacking a computer system whose owners are themselves the victims of a hacker. But even as the hate mail subsided, Mullen was quietly working on a product, now in demo, that allows companies to strike back against computers on their own networks that have been infected with malicious code. “Now with the Enforcer product that you deploy within your own network, you can do whatever you want, knowing that you own that asset,” Mullen explains.
Spitzner, for one, has a simpler idea. He suggests that CIOs and CSOs think about deploying what he calls “honey tokens.” These might be phony patient records at a hospital, or even simply a word processing file named “HR-salaries” that’s stored in a restricted part of the network. Because no legitimate work ever touches such a file, any access to it is itself the signal: if anyone opens it, the security team knows the person is up to no good — ideally, long before the trespasser does any real damage.
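The honey token idea in code, as an added example that is not from the column, from Spitzner or from the Honeynet Project: a small detector that reads file-access log lines, looks up each touched path in an inventory of decoy files, and raises an alert for every access that did not come from the account that deploys and verifies the decoys. The decoy paths, the log line format, the host and account names and the sample log are all constructed for this example.

```python
"""Honey token access detection over file-access log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical honey token inventory: decoy files that no legitimate job ever reads.
# Keys are lowercased so that Windows-style, case-insensitive paths match reliably.
HONEYTOKENS = {
    path.lower(): label
    for path, label in {
        r"\\fileserver\restricted\HR-salaries.doc": "HR salary decoy document",
        r"\\fileserver\restricted\patients-2002.csv": "decoy patient records",
    }.items()
}

# The only account allowed to touch the decoys: the job that deploys and
# periodically verifies them. Constructed name for this example.
EXEMPT_ACCOUNTS = {"svc-honeytoken"}

# Constructed log format:
#   <timestamp> user=<name> host=<host> op=<READ|WRITE|DELETE> path=<path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"op=(?P<op>READ|WRITE|DELETE) path=(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    host: str
    op: str
    path: str
    label: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line is malformed."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Flag every access to a honey token by a non-exempt account.

    Malformed lines are skipped rather than raising, so one bad record cannot
    stop the rest of the log from being examined.
    """
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        label = HONEYTOKENS.get(fields["path"].lower())
        if label is None or fields["user"] in EXEMPT_ACCOUNTS:
            continue
        alerts.append(Alert(fields["ts"], fields["user"], fields["host"],
                            fields["op"], fields["path"], label))
    return alerts


def users_to_investigate(alerts: Iterable[Alert]) -> List[str]:
    """Distinct accounts that touched a decoy, in order of first appearance."""
    seen: List[str] = []
    for alert in alerts:
        if alert.user not in seen:
            seen.append(alert.user)
    return seen


# Constructed sample log: ordinary activity, the verification job, one late-night
# visitor to the restricted share, and a malformed record.
SAMPLE_LOG = [
    r"2002-11-07T09:14:02 user=jdoe host=ws-114 op=READ path=\\fileserver\shared\meeting-notes.doc",
    r"2002-11-07T09:15:40 user=svc-honeytoken host=srv-01 op=READ path=\\fileserver\restricted\HR-salaries.doc",
    r"2002-11-07T23:41:09 user=mlee host=ws-230 op=READ path=\\fileserver\restricted\hr-salaries.doc",
    r"2002-11-07T23:41:31 user=mlee host=ws-230 op=WRITE path=\\fileserver\restricted\patients-2002.csv",
    "this line is not a log record",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} {alert.user}@{alert.host} {alert.op} {alert.label}: {alert.path}")
    print("investigate:", users_to_investigate(detect(SAMPLE_LOG)))
```

The design point is that the rule needs no signature and no baseline of normal behaviour: the inventory of decoys and the short list of accounts allowed to verify them are the whole policy, which is what makes the alert so cheap to tune and so hard to dismiss.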
In other words, the best defence really might be better offence. Who knew?
“Alarmed” is a biweekly column about security and privacy. Look for a new version every other Thursday.