www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 April 2007  
Humour

Entrapment on the Net

T A Balasubramanian on honeypots for hackers.

“Well, now that you have officially launched OUCH, the Organisation of Unstoppable CTO Hackers, the new green hats who will join up, exactly like the millions of monkey hackers out there who attack them, to counter-attack, let me tell you something more about the evil ways of the black hat fraternity,” says Gene Hackman, CEO of Virus Busters.

He is directing his remarks, of course at your humanoid CTO, Danny DeVito, who is presently by your side, on an educative visit to the Techno Over-exposition of Geeks and Gizmos for Lazy Enterprises (TOGGLE). You, Papyrus Bytewala, CIO of Baffle, are trying hard to make sense of the events unfolding at the Hacker’s Gold Mine Meet, or HGMM, part of the sprawling trade show.

“As I was saying,” resumes Hackman, “the honeypot that we set up—codenamed Allure with Passion—was irresistible to the bots—those charming autonomous code runners that the black hats let loose on the Net. They were attacked, on average, 2,244 times a day—or once every 39 seconds.”

DeVito lets out a whistle, and steps backward, startled.

“That’s right. Staggering, huh? Once a nasty black hat gets access to a computer through a bot, even a simple PC becomes useful. Quite often, there is a neat ‘back door’—an undetected entrance—that is set up so they can create whatever later on. During our study, there were quite a few hackers who went through the most common sequence of actions: check the hijacked machine’s software configuration, maybe change the password, check the hardware and software configuration again, download a file that gives them control, install their own favourite code, and then run it.”

“What are the bots trying to accomplish?” you ask.

“Well, it depends on what their masters are planning next. First, like good kidnappers, they swiftly act to determine whether the hostage could be of use to them. The bots return a list of ‘most likely prospects’—or ‘softest victims’—to the hacker, who then attempts to access and herd as many as possible into what we call the botnet,” says Hackman, weaving his fingers together to illustrate. “A botnet, as you can imagine, is simply a large number of hijacked sitting duck PCs under the remote control of a black hat.”

“What does one do with the botnet?” you ask, fascinated.

“Depends on how dark your designs are. A botnet can easily be scaled to immense size—millions of hijacked monkey machines can be herded together—to make a virtual Godzilla size system—posing a big lumbering, almost invisible threat to the entire net community.”

“The more bots you add on, the bigger the gorilla you can make, eh?” says DeVito.

“That’s right, Danny. Except that nobody except the creator knows the real size of the gorilla. The other reason why botnets are tremendously popular with alpha hackers is because it gives them godlike powers of omnipotence and omnipresence. The bots are like an army of obedient slaves that can be trotted off to do many different —and nefarious—deeds. They are like the gangster mafia—great to perpetrate fraud or identity theft, disrupt other networks, and damage computer files, among other things. Maybe the slave bots in a botnet can be used to send out spam or phishing e-mails. They can be made to spawn other bots—botlets—that can swarm out and recruit more soft victims. They can become the seeding network for a new virus outbreak or act as a distributed data storage system for all kinds of illegal data. Spammers, phishing gangs and others often rent a botnet from a black hat owner to use for their own ends. All this, with control from a single desktop in any remote corner of the world. It’s the perfect setting for megalomania and hubris.”

“No wonder black hats are so attached to their passion,” you observe. “So what can OUCH do against such odds? Your honeypot would be the first step, Gene, but it seems too puny a defence, even if it has enticing names like Allure and Passion.”

“That’s only one honeypot, Danny. Remember what Chubby Goldfinger, the guy yammering away at the podium there, said a while ago?”

“That the only long-term way to get back at hackers is to show the same persistence, smartness and vigilance that they demonstrate?” says Danny, instantly.

“That’s right,” says Gene, startled, “How did you recall that so fast?”

“Ah, Danny’s just a good listener,” you interject quickly. It would not do to have any human outside Baffle’s mafia inner circle start getting curious about DeVito’s occasional flashes of humanoid prowess, which, as you have noted, include a near-perfect memory.

“So if we were to extend the notion of honeypots from one lonesome Allure and Passion to match the power of botnets, what would that notion be?”

“Honeynets?” you say, smartly.

“Precisely, Papyrus,” says Hackman, beaming as though you have just handed him a trophy. “With the help of honeynets, or a string of honeypots similar in concept to the botnets, we can observe, in intimate detail, the workings of the minds of those meddling monkeys who run botnets - a task that is virtually impossible using other techniques.”

“So what can OUCH do with a honeynet?” you ask, preferring to get your information in small, pint-size doses.

“Well, the CTOs have always been using defensive actions to protect their goodies from black hats. Firewalls, intrusion detection systems, encryption and so on. They detect any intruders only after the walls have been breached. This is still no better than being a sitting duck. The enemy out there has the initiative. Honeynets can change all that by getting actively into cyberspace to gather information on threats—all the nasty things the black hats have been up to. What makes a honeynet different from most honeypots is that it is a network of what appears to a passing intruder as real computers. These victim systems—honeypots within the honeynet—can be any type of system, service, or information you want to provide as a convincing decoy.”

“What makes the honeynet different from the plain vanilla network?”

“Passivity, or sheer inertia. Since honeypots are just sitting around and not doing any useful work other than being observant ducks, the honeynet itself has no real activity, no real services. So any interaction happening at all inside a honeynet tells you that a malicious or nasty outsider is busy sniffing around where he has no right to be. A connection that is started by an incoming bot on your honeynet is most likely a probe, scan, or attack. An outgoing connection from your honeynet means, clearly, that some black hat is now sitting with your honeypot and has initiated outbound activity, much like a hotel guest might use the hotel’s room service—without paying for it.”

“So, if the strings on the honeynet vibrate, there’s an intruder in your home?”

“Exactly, Papyrus. This makes it simple to notice the arrival of the evil ones,” says Hackman, ponderously. “In the usual mass of connections on a common network, it is the classic needle in the haystack problem, as you try to find the critical incident amongst gigantic reams of undifferentiated information. But a honeynet gathers only activity that is clearly malicious. All you are doing is capturing needles. Now it is up to you to decide which of those needles have the greatest nuisance value, then bite into them to see what makes them pointy and mean.”
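The inbound/outbound rule Hackman describes, turned into triage logic over a handful of flow records, as an added example that is not part of the column: the honeynet range, the source and destination addresses, and the ports are constructed documentation values, and the record layout is an assumption.

```python
import ipaddress
from collections import Counter, defaultdict

# Hypothetical decoy range: a honeynet has no legitimate users, so every flow
# that touches it is a "needle" rather than haystack noise.
HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records: (timestamp, src, dst, dst_port, proto)
SAMPLE_FLOWS = [
    ("2007-04-02T10:00:01Z", "198.51.100.7", "192.0.2.15", 445, "tcp"),
    ("2007-04-02T10:00:02Z", "198.51.100.7", "192.0.2.16", 445, "tcp"),
    ("2007-04-02T10:00:03Z", "198.51.100.7", "192.0.2.17", 445, "tcp"),
    ("2007-04-02T10:00:40Z", "203.0.113.9", "192.0.2.15", 22, "tcp"),
    ("2007-04-02T10:05:12Z", "192.0.2.15", "203.0.113.200", 6667, "tcp"),
    ("2007-04-02T10:05:13Z", "192.0.2.15", "203.0.113.200", 6667, "tcp"),
    ("2007-04-02T10:06:00Z", "192.0.2.15", "192.0.2.16", 445, "tcp"),
    ("2007-04-02T10:07:00Z", "10.0.0.5", "10.0.0.6", 80, "tcp"),  # production, ignored
]

def classify(flow):
    """Label one flow by the honeynet rule: anything in is a probe, anything out is a takeover."""
    _, src, dst, _, _ = flow
    src_in = ipaddress.ip_address(src) in HONEYNET
    dst_in = ipaddress.ip_address(dst) in HONEYNET
    if src_in and not dst_in:
        return "outbound"    # a honeypot started talking: someone is sitting on it
    if src_in and dst_in:
        return "lateral"     # honeypot to honeypot: the intruder is moving inside the decoy
    if dst_in:
        return "inbound"     # anything arriving is a probe, scan or attack
    return "ignore"          # not a honeynet flow, stays in the haystack

def triage(flows):
    """Keep only the needles and rank them by nuisance value."""
    compromised = defaultdict(set)   # honeypot -> external peers it contacted
    probers = Counter()              # source -> number of probing flows
    ports = Counter()                # services being hit inside the decoy
    for flow in flows:
        label = classify(flow)
        _, src, dst, port, _ = flow
        if label == "outbound":
            compromised[src].add(dst)
        elif label in ("inbound", "lateral"):
            probers[src] += 1
            ports[port] += 1
    return {
        "compromised": {h: sorted(p) for h, p in compromised.items()},
        "top_probers": probers.most_common(3),
        "top_ports": ports.most_common(3),
    }
```

Outbound flows go to the top of the report because they are the clearest signal: a decoy that initiates traffic has already been taken over, and the peer it contacts is the next thing to look at.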

“OUCH would have a smoking gun,” says DeVito, admiringly. “And we CTOs will have the evidence to track down the scum of the cyber universe.”

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.