By putting out honeypots — easily compromised computers designed to trap attackers — four volunteer researchers in New Zealand are trying to find out what makes cyber-criminals tick.
The researchers, based at Victoria University and the University of Auckland, are members of the global, non-profit Honeynet Project, a research organisation dedicated to improving the security of the internet at no cost to the public.
The New Zealand Honeynet Project is run by Christian Seifert, a PhD student at Victoria University.
“Primarily, we are trying to find out how the bad guys work,” says Seifert. “We look at their attacks, methods, motives and tools, and with that knowledge we can make recommendations [to the public] on how to protect [yourself] against them.”
The local team sets up designated honeypot-machines, connects them to the network and waits for them to be attacked, says Seifert. The closely monitored machines let the researchers observe how the attackers get into the machines and, once in the machines, what the attackers do with them, he says.
“We can see [for example] whether the attacker serves up malicious content via a web server he sets up, or whether [the attacker] goes out and attacks other computers,” says Seifert.
Last year, Seifert set up a “simple Linux machine” with an exposed SSH (secure shell) service. It had a weak username-password combination, and an attacker managed to guess the combination quite quickly. The attacker then placed the computer in a botnet and went on to attack other machines, using a tool to scan the network for computers that have an SSH service running, says Seifert. This particular attacker had control over several hundred machines.
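The SSH incident above is exactly the kind of event a honeypot's authentication log records: a burst of failed logins for guessable usernames, followed by an accepted password. The following is an added illustration, not code from the New Zealand Honeynet Project or the article; it runs over constructed OpenSSH-style `auth.log` lines (the hostnames, addresses and timestamps are invented) and flags a source address that exceeds a chosen number of failures inside a time window, noting whether a login succeeded afterwards. The threshold, window and assumed log year are parameters of this example, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log style; not real honeypot data.
SAMPLE_LOG = """\
Mar 12 04:01:02 honeypot sshd[2101]: Failed password for root from 198.51.100.7 port 40210 ssh2
Mar 12 04:01:03 honeypot sshd[2101]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar 12 04:01:04 honeypot sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Mar 12 04:01:05 honeypot sshd[2101]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
Mar 12 04:01:06 honeypot sshd[2101]: Failed password for invalid user oracle from 198.51.100.7 port 40214 ssh2
Mar 12 04:01:07 honeypot sshd[2101]: Accepted password for test from 198.51.100.7 port 40215 ssh2
Mar 12 04:03:10 honeypot sshd[2140]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Mar 12 04:03:40 honeypot sshd[2141]: Accepted publickey for alice from 203.0.113.9 port 50111 ssh2
"""

# Matches the standard sshd "Accepted ..." / "Failed ..." lines, including the
# "invalid user" variant emitted when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2007):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so the year is an assumed parameter."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source that produced at least `threshold`
    failed logins within any `window_seconds` span. Each finding lists the
    usernames tried and any account that was later logged into from that
    address, which is the 'weak password guessed' outcome the article describes."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over failure timestamps (events are in log order).
        burst = False
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0]["ts"]
        later_success = [e for e in evs if e["result"] == "Accepted" and e["ts"] > first_fail]
        findings[ip] = {
            "failures": len(fails),
            "usernames": sorted({e["user"] for e in fails}),
            "compromised_as": [e["user"] for e in later_success],
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 198.51.100.7 is reported: five failures in four seconds against root, admin, test and oracle, then an accepted password for `test`. The single failure from 203.0.113.9 followed by a key-based login is the normal typo-then-retry pattern and stays below the threshold, which is the distinction a honeypot analyst wants before treating an address as hostile.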
If you connect a machine that exposes this kind of service to the network, you will see an attack within minutes, he says.
Seifert’s PhD research is around client honeypots, which initiate connections to a server. These honeypots are designed to identify and capture information relating to threats to client-based applications, such as browsers or email. He is especially interested in examining the techniques attackers use to hide attacks from traditional tools, like intrusion-detection systems.
“We are looking at countering the obfuscation attempts they use,” he says.
Seifert recently took over running the local Honeynet project from Jamie Riden, an IT security expert who has now moved to the UK.
Riden got involved in the project in March 2006, when he chatted to a French member, Laurent Oudot, about some attacks he was seeing against one of the servers he was looking after. Oudot encouraged Riden to become a member, which led to Riden starting up the New Zealand chapter of the Honeynet Project.
In collaboration with American and German researchers, Riden recently published a paper about web server security called “Know Your Enemy: Web Application Threats”. The researchers found that web servers have a high risk of being hacked, mainly because of poor-quality code, PHP and shell-script attacks, and the emergence of search engines as hacking tools.
“We are always looking for people that are interested in honeypots to join [the project] and collaborate with us,” says Seifert.
Around 20 organisations globally are members of the Honeynet Alliance, he says.
All the results of the organisation’s work are released, as it is firmly committed to the ideals of open source, says the Honeynet Project website.