Operation: Capture the hackers

We are all aware of very destructive hackers roaming the Internet. The Honeypot Project has stepped up the fight against hackers by setting traps to learn more about the bad guys.

The project began in 1999 as an informal mailing list of a small group of individuals. The group soon realized that no single person had all the experience necessary to analyze the information collected from attacks. Thus, an organization formed with an aim to build online traps designed to catch and research how hackers, crackers and black hats do their dirty work. The project is key to understanding how hackers operate.

Honeynet Project founder Lance Spitzner is a senior security architect for Sun Microsystems and a faculty member of the SANS Institute. His love for tactics first began in the Army, where he served in the Rapid Deployment Force. Following the military, he received his MBA and became involved in the world of information security and exchanged his live ammunition for the honeypot, a decoy computer. He is also the author of “Honeypots: Tracking Hackers.”

Lance took some time out to explain “The HoneyNet Project.”

DANA GREENLEE: What really is the Honeynet Project and how does it work?

SPITZNER: A honeynet is nothing more than one type of honeypot. A honeypot is a security tool that we use to learn about the bad guys. Basically, a honeypot is a computer that has no value. Nobody should be talking to it. If anybody is talking to it, it’s most likely unauthorized activity.

GREENLEE: Let’s clarify what a “bad guy” is. There are hackers and crackers, right?

SPITZNER: I don’t like getting caught up in the terminology of hacker or cracker. For me, I prefer the term “blackhat.” A blackhat is anyone who is being malicious or unauthorized. That could be an insider, an employee, a kid in fourth grade, a KGB agent. Quite often people get caught up in what hackers and crackers are: some think the hacker is the good guy because all he is doing is tinkering whereas the cracker is the bad guy because he’s trying to break into systems. I try not to get caught up in that argument and try to just focus on security.

GREENLEE: What is involved in putting together a project with honeypots and honeynets?

SPITZNER: The organization called The Honeynet Project is a nonprofit, all volunteer organization. It’s made up of volunteers from around the world who learn about the bad guys and share everything we learn. How we do that is by deploying networks around the world to be broken into. Then we watch and learn everything the blackhat is doing. We call these networks honeynets.

GREENLEEE: Let’s talk about bait. Does a hacker come to the computer just because he can, or is there something on it that he wants?

SPITZNER: That’s one of the amazing things. If you put the computer out there with no perceived value, it will probably get scanned 10 – 20 times a day. This is any system. I’m not talking about corporations. Even a home system on cable, DSL or ISDN – a dedicated connection – they are also getting scanned 10 – 20 times a day. The hackers are getting very active because it’s very simple to hack. You just download the tool and run the tool.

GREENLEEE: Why do they do this? Don’t these guys have jobs?

SPITZNER: That’s one of the interesting things we’ve learned. Because of these honeynets, we see what these guys do afterwards so we can monitor their motives. There is a misconception that people think these attackers are misguided youths exploring the Internet. The reality is that the vast majority of these individuals have criminal intent. They are out to make money. We see people hacking into systems, scanning for stolen credit cards or launching attacks against other organizations and potentially getting paid for it. Or they are dealing in stolen music, videos or licensed software called “warez.” People scour the Internet for e-mail addresses to build databases of stolen e-mail to sell to spammers. Stolen PayPal accounts or stolen eBay accounts – there is a tremendous amount of criminal activity going on. It’s extremely hostile.

GREENLEE: How many people are doing this?

SPITZNER: It’s very, very hard to determine. I can’t tell you the actual number, but they are very active. For example, if you put a system on the Internet and I say it’s been scanned 10 — 20 times per day, that’s just being conservative. I see my systems get scanned 40 – 50 times per day.

GREEENLEE: Is there any correlation between how visible your server is to being more vulnerable versus a Web site that just sits in the background?

SPITZNER: Definitely. But keep in mind a large percentage of the bad guys really don’t care what system they break into. They simply download an automated tool that will literally scan 16 million computers in a night. If any one of those 16 million computers are vulnerable, the program will break into it.

GREENLEE: How are you using the information about blackhats that you gather from these honeynets?

SPITZNER: Information has different value to different people. For example, we in the security community are into discovering a new attack or a new tool the bad guy is using. Credit card companies are interested in how the bad guys are capturing and dealing in stolen credit cards. All that information is on our Web site (http://www.honeynet.org) because everything we learn we share with the public.

More information about The Honeynets Project is at http://www.honeynet.org.

Dana Greenlee is co-host, producer and engineer of the WebTalkGuys Radio Show, a Tacoma-based radio and webcast show featuring technology news and interviews.