[ISN] Sandia Labs studies phony computer network for hackers
From: InfoSec News (isn@c4i.org)
Date: Fri Nov 21 2003 - 01:14:37 CST
By Ian Hoffman
November 19, 2003
Instead of merely fending off thousands of daily computer attacks,
federal researchers are trying a new tack: Create a meaningless
digital universe to bog down hackers and study their tactics.
It's called a "honeynet," and while the idea isn't exactly new,
branches of the U.S. defense community are starting to embrace the
"If I can detect and delay someone until I can get a (law-enforcement)
response to where they are, then I don't need to build four-foot-thick
bunkers to keep them out," said Barry V. Hess, co-manager of
cybersecurity for Sandia National Laboratories.
Network-security experts at Sandia's California campus in Livermore
are experimenting with such a mirage this week in Phoenix.
Their charge is protecting a supercomputing conference touted as the
most data-rich public gathering in the world, handling the wired and
wireless equivalent of more than 30,000 cable modems -- all without a
It adds up to a vigorous road test for Sandia's honeynet, especially
with new breeds of supercomputers and video-conferencing systems tying
online almost every day of the conference.
"The door is wide open," said Tim Toole, a Sandia network architect
working security for SC2003. "If someone wants to, they can knock at
the door of Booth 31's supercomputer and they can walk right in."
First an attacker has to identify the target machine. Automated worms
and viruses get screened by the virtual network. Human attackers probe
deeper and find an improbably large universe of computers.
Unlike honeypots -- machines or software mimicking a vulnerable
computer operating system -- a honeynet is a bogus network, a
cyber-verse that has no purpose except to distract hackers from a real
network and record their actions in a system where they can't do much
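The article describes the honeynet's two jobs: screen out automated worms, and record what the human attackers who probe deeper actually do, so defenders gain time before a real system is touched. As an added illustration (not code from the article, Sandia, or the Honeynet Project), here is a small Python triage script over constructed connection-log lines of the kind a low-interaction honeynet might emit. The address ranges, the log format and the classification thresholds are all assumptions for the example; it labels each source as automated (one payload signature sprayed across many decoy hosts) or interactive (repeated, varied probing of a few hosts) and reports how much warning the decoys bought before that source reached a real host.

```python
"""Honeynet event triage: classify sources seen on a decoy network.

Added example, not from the article or any named project. Assumed inputs:
one connection attempt per line, 'TIMESTAMP key=value ...', with a 'sig'
field holding a payload signature ('none' when nothing matched).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

DECOY_NET = ip_network("10.9.0.0/24")   # assumed: the honeynet's bogus address range
REAL_NET = ip_network("10.1.0.0/24")    # assumed: addresses of production systems

# Constructed sample log (not real traffic): a worm spraying five decoy hosts
# in one second, then a person working two decoys before reaching a real host.
SAMPLE_LOG = """\
2003-11-19T09:00:00 src=203.0.113.7 dst=10.9.0.12 dport=445 sig=worm_a
2003-11-19T09:00:00 src=203.0.113.7 dst=10.9.0.13 dport=445 sig=worm_a
2003-11-19T09:00:00 src=203.0.113.7 dst=10.9.0.14 dport=445 sig=worm_a
2003-11-19T09:00:00 src=203.0.113.7 dst=10.9.0.15 dport=445 sig=worm_a
2003-11-19T09:00:00 src=203.0.113.7 dst=10.9.0.16 dport=445 sig=worm_a
2003-11-19T09:05:10 src=198.51.100.9 dst=10.9.0.40 dport=22 sig=none
2003-11-19T09:06:00 src=198.51.100.9 dst=10.9.0.40 dport=80 sig=none
2003-11-19T09:07:30 src=198.51.100.9 dst=10.9.0.40 dport=8080 sig=none
2003-11-19T09:09:00 src=198.51.100.9 dst=10.9.0.41 dport=22 sig=none
2003-11-19T09:20:00 src=198.51.100.9 dst=10.1.0.5 dport=22 sig=none
"""


def parse_event(line):
    """Turn one log line into a dict with a datetime 'ts' and int 'dport'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev["dport"])
    return ev


def load_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def classify_source(events):
    """Classify one source's events (sorted by time) and measure warning time."""
    decoy_events = [e for e in events if ip_address(e["dst"]) in DECOY_NET]
    real_hits = [e for e in events if ip_address(e["dst"]) in REAL_NET]
    decoy_hosts = {e["dst"] for e in decoy_events}
    sigs = {e["sig"] for e in events}
    ports = {e["dport"] for e in events}
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds()

    # Assumed thresholds: a single known signature across >= 4 decoy hosts
    # looks automated; varied ports or a long dwell time looks like a person.
    if len(decoy_hosts) >= 4 and len(sigs) == 1 and "none" not in sigs:
        kind = "automated"
    elif len(ports) >= 3 or span > 120:
        kind = "interactive"
    else:
        kind = "unknown"

    # Warning time: seconds between first decoy contact and first real-host contact.
    warning = None
    if decoy_events and real_hits:
        warning = (real_hits[0]["ts"] - decoy_events[0]["ts"]).total_seconds()

    return {
        "kind": kind,
        "decoy_hosts": len(decoy_hosts),
        "ports": sorted(ports),
        "real_hits": len(real_hits),
        "warning_seconds": warning,
    }


def triage(text):
    """Group log lines by source address and classify each source."""
    by_src = defaultdict(list)
    for e in load_events(text):
        by_src[e["src"]].append(e)
    return {
        src: classify_source(sorted(evs, key=lambda e: e["ts"]))
        for src, evs in by_src.items()
    }


if __name__ == "__main__":
    for src, report in triage(SAMPLE_LOG).items():
        print(src, report)
```

On the constructed log, the worm source is reported as automated with five decoy hosts touched and no real-host contact, while the second source is reported as interactive with 890 seconds of warning between its first decoy probe and its first contact with a production address; that warning window is the "detect and delay" time the article's sources describe.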
That's the fascination of honeypots and honeynets, said honeypot
builder Niels Provos, a security researcher for Google and member of
the Honeynet Project, a loose-knit group of security experts looking
at the technology.
"You'd like people who are in the business of attacking networks to
tell you their knowledge," Provos said. "So you put honeypots out
Honeypots already have fingered computer vulnerabilities, helped trace
the black market in credit-card numbers and shown promise at filtering
spam. Honeynets give researchers a glimpse at the vast flow of pings,
probes and illicit traffic.
In a typical day, for example, Sandia-California's unclassified
computer network is hit by roughly 100,000 worms and 100 to 200 attack
attempts. The lab's classified computer network, which contains
nuclear weapons data, defense and intelligence information, is
considered relatively secure.
By law, it is "air-gapped" from outside connections, except for a
limited number of government links protected by encryption approved by
the National Security Agency. But the unclassified network still
contains proprietary business and personnel information worth
"The ultimate goal is to deter them from your real computer system and
delay them on a fictitious system so you have more time to figure out
who they are and what they're after," Toole said. "We can feed them a
little good information, a little bad information. We can use it as an
educational tool to figure out their mentality. We want to see if we
can go after the black hats."
Experts say the growing federal interest in honeynets doesn't presage
the end of firewalls, intrusion-detection systems and other
"It's not a silver bullet, and it certainly doesn't replace the need
for other forms of computer security," said Dorothy Denning, a
professor of defense analysis at the Naval Postgraduate School's
Center for Terrorism and Irregular Warfare in Monterey.
ISN is currently hosted by Attrition.org