
No Subject




Navy fights new hack method

http://www.abcnews.com/sections/tech/CNET/cnet_navyhack980925.html

Tim Clark
CNET NEWS.COM
Hackers are banding together across the globe to mount low-visibility
attacks in an effort to sneak under the radar of security specialists and
intrusion detection software, a U.S. Navy network security team said today. 

Coordinated attacks from up to 15 different locations on several continents
have been detected, and Navy experts believe that the attackers garner
information by probing Navy Web sites and then share it among themselves. 

"These new patterns are really hard to decipher--you need expert forensics
to get the smoking gun," said Stephen Northcutt, head of the Shadow
intrusion detection team at the Naval Surface Warfare Center. "To know
what's really happening will require law enforcement to get hold of the
hackers' code so we can disassemble it." 

The new method involves sending as few as two suspicious probes per hour to
a host computer, a level of interest that usually won't be detected by
standard countermeasures. But by pooling information learned from those
probes, hackers can garner considerable knowledge about a site. 

Northcutt said the new technique for attacks was discovered only this month
and has been detected at Defense Department facilities as well as in
private sector sites, including some outside the United States. 

The Shadow group has posted descriptions of the attacks and
countermeasures, and the information has been forwarded to CERT, which
investigates security attacks. 

"Most intrusion detection systems have a threshold, a radar. These attacks
are intentionally sliding under that threshold so normal intrusion
detection tools will not detect them," said Tim Aldrich, principal analyst
at the Navy facility. 

The Shadow team said that although the new method is harder to detect, it
should not affect sites that are well-secured. But the technique puts sites
with weak security at greater risk. 

The attacks do not involve a new hacker tool or new kind of attack, but
rather represent a low-visibility technique for perpetrating attacks. For
example, one coordinated attack that involved at least 14 locations simply
probed a Web site for security weaknesses without mounting a break-in. 

The Shadow Intrusion Detection team said it cannot determine how many
people might be involved in the attacks--hackers frequently use many
different machines to launch their attacks. But the number of individuals
involved is less important than the technique itself, Northcutt said. 

The technique could be used to scan or mount attacks from more than 100
Internet addresses. The security experts also suggested that makers of
commercial intrusion detection software need to counter the new method. 

"This stealthy probing enables large amounts of parallel firepower, which
means many attack attempts [from many sites] over a short time frame," said
a note distributed by the System Administration Networking and Security
(SANS) Institute. 

Going public with news of new hacker techniques is somewhat unusual in
the secretive network security community, which often fears that
publicizing attacks before countermeasures are known will tip off attackers
to vulnerabilities. 

"We went public in hopes of raising awareness," Northcutt said. "You're
only going to be able to find stealthy stuff by looking for stealthy stuff." 

But before publicizing the new hacker technique, he added, the Shadow team
had checked to be certain it would not jeopardize any official actions
against the attackers. He also thinks that users of the attack may be caught. 

"If they're working together, it ought to be easier to track them down
because they leave more of a trail," he said.
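
The article describes sources that each send as few as two probes per hour, with results pooled across up to 15 locations, so a per-source threshold never fires. The sketch below is an added example, not code from the article or the Shadow team; it contrasts that threshold rule with per-target correlation over the whole capture. The event format (timestamp in seconds, source, target, already flagged as a probe by a sensor), the thresholds and the documentation-range addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

HOUR = 3600

def per_source_alerts(events, threshold=10, window=HOUR):
    """Classic threshold rule: alert when one source sends more than
    `threshold` probes to one target inside a fixed `window`-second bucket."""
    counts = defaultdict(int)
    for ts, src, dst in events:
        counts[(src, dst, ts // window)] += 1
    return {(src, dst) for (src, dst, _), n in counts.items() if n > threshold}

def coordinated_slow_alerts(events, threshold=10, window=HOUR, min_sources=5):
    """Per-target correlation over the whole capture: keep the sources that
    never crossed the per-source threshold, and alert when at least
    `min_sources` of them converge on the same target."""
    loud = per_source_alerts(events, threshold, window)
    quiet = defaultdict(set)
    for ts, src, dst in events:
        if (src, dst) not in loud:
            quiet[dst].add(src)
    return {dst: sorted(s) for dst, s in quiet.items() if len(s) >= min_sources}

def build_sample():
    """Constructed probe log: 14 slow sources, one noisy scanner, background."""
    events = []
    for i in range(14):                      # 14 locations, 2 probes/hour each
        src = f"198.51.100.{i + 1}"
        for hour in range(6):
            events.append((hour * HOUR + 60 * i, src, "192.0.2.10"))
            events.append((hour * HOUR + 1800 + 60 * i, src, "192.0.2.10"))
    for k in range(50):                      # one scanner, 50 probes in an hour
        events.append((k * 30, "203.0.113.7", "192.0.2.20"))
    events += [(100, "203.0.113.50", "192.0.2.30"), (7000, "203.0.113.51", "192.0.2.30")]
    return sorted(events)

if __name__ == "__main__":
    sample = build_sample()
    print("threshold rule:", per_source_alerts(sample))
    print("per-target correlation:", coordinated_slow_alerts(sample))
```

The threshold rule sees only the noisy scanner, while the per-target view surfaces the host being probed by 14 quiet sources.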