Barbed wire vs the Honey-pot: methods of tracing and deterring hackers
While tracking hackers back to their bedrooms has largely been removed from the job description of security staff and cybernarks, there is at least one technique that aims to follow the movements of unwelcome visitors.
A honey-pot is a server or system designed to bait unwary hackers into what appears to be an "easy target". As the system is designed simply to attract would-be hackers, any connection to the server triggers an alarm and allows security experts to follow the intruder's movement through the site, looking for idiosyncrasies. On the one hand the intruder wastes valuable time breaking into what is essentially an empty safe, and on the other security staff are able to use the information they gather to shore up their other charges.
As senior security consultant with eSec and coordinator of the Foundstone Ultimate guide to Hacking course, Jeff Paine keeps a close eye on developments in the complex world of cyber security.
Paine points out that the honey-pot server approach forms part of a wider movement in cybercrime prevention by the name of Honeynet.
"Honeynet is a worldwide program, which induces hackers to break into machines, just to watch what they do once they are in there," Paine explained. "It is a way to study the methods and the motives of hackers."
According to Paine, the Honeynet project also allows cybercrime fighters to take a "footprint" of different hackers and monitor for their reappearance.
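The alarm-on-any-connection and "footprint" ideas described above, sketched as an added example (not code from the Honeynet project or eSec): a decoy listener that treats every connection as an alert and hashes the command sequence a visitor sends, so the same sequence arriving later is flagged as a reappearance. The `Honeypot` class, the `footprint` function and the choice of a command-sequence hash as the footprint are assumptions made for illustration.

```python
import hashlib
import socket
from datetime import datetime, timezone


def footprint(commands):
    """Digest of a visitor's command sequence; None if nothing was typed."""
    cleaned = [" ".join(c.split()) for c in commands if c.strip()]
    if not cleaned:
        return None
    return hashlib.sha256("\n".join(cleaned).encode()).hexdigest()[:16]


class Honeypot:
    """Decoy with no legitimate users, so every connection is an alert."""

    def __init__(self):
        self.alerts = []   # one entry per connection, never filtered
        self.seen = {}     # footprint -> source addresses that produced it

    def record(self, src_ip, commands):
        fp = footprint(commands)
        earlier = list(self.seen.get(fp, [])) if fp else []
        if fp:
            self.seen.setdefault(fp, []).append(src_ip)
        alert = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src": src_ip,
            "commands": len(commands),
            "footprint": fp,
            "seen_before_from": earlier,  # non-empty means a returning visitor
        }
        self.alerts.append(alert)
        return alert

    def serve_once(self, listener, limit=4096):
        """Accept one connection, capture what is sent, and raise the alert."""
        conn, (src_ip, _port) = listener.accept()
        data = b""
        with conn:
            conn.settimeout(2.0)
            try:
                while len(data) < limit:
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # a silent visitor still counts as a connection
        return self.record(src_ip, data.decode("latin-1").splitlines())
```

`serve_once` expects an already bound and listening socket; a visitor who changes address but repeats the same commands still matches on the footprint.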
"We know from the Honeynet project that some hackers simply want to break in and take control of the system," Paine said. "Others are looking for specific information, and then there are those that want to use the servers as zombies to attack other servers, or launch pads out to other servers."
However, Paine says that some of the most noxious attacks come from the least expected corners. While the zombie servers that grab the headlines are those used to launch high-profile denial of service attacks, Paine has recently come across cases where spam was being illicitly redirected through an unknowing server.
"We are getting to the point where servers are compromised so soon after they are up and running that the owners simply assume the extra bandwidth costs reflect their own usage," Paine said. "Whereas they are really paying to send out thousands upon thousands of spam e-mails they don't even see."
To a certain degree Paine believes the lack of interest in tracking hackers can be attributed to the prevalence of such attacks. He believes network administrators assume attacks will ultimately aim for other targets.
"The current attitude on security reflects the belief that hackers are generally looking for a launch pad to break into other systems," Paine said.
As their own data is not under threat in the wake of a clandestine visitor, many network administrators are only really interested in locking the hackers out, to protect their bandwidth and processing resources.
Tim Smith, security CTO for network integrators Dimension Data, says most organisations lack the computer forensics skills to appropriately track and prosecute malevolent hackers.
"Unless they are outsourcing their security to a third party it is often very difficult to track down an attacker," Smith said. "To actually get a prosecution you need an intimate knowledge of computer forensics, it is really easy for people who don't know what they are doing to destroy the relevant data."













