US is hackers’ launch pad of choice
1 April 2005
The Irish Honeynet Project recorded a massive 597 Internet attacks in January 2003, paving the way for what is certainly set to be a busy time ahead for the country’s system and network administrators. Vulnerable web servers, anonymous FTP (File Transfer) servers and open mail relays were all fair game for the attackers of the world in months gone by, but it was a seven-month-old vulnerability in Microsoft SQL Server 2000 and products based on it that caused widespread panic as huge numbers of systems running the software were overwhelmed and ultimately disabled.
Once again, the United States featured heavily in January as hackers and crackers with source addresses in that country rampaged the Honeynet leaving no doubt that the US alone accounts for the biggest threat to Internet connected systems in Ireland. The US has consistently been the largest single source of attack accounting for a huge proportion of the traffic seen on a daily basis in the Honeynet, but it must be recognised that Europe, including Eastern Europe, is running at a close second.
While it is easy to jump to conclusions and deduce that attackers in the US seem to be consistently targeting computers in this country, it is not always as cut and dried as it may seem. A typical attacker will generally be skilled enough to understand that using their own personal computer, or computers belonging to their employer, for illegal purposes is an extremely risky business and is to be avoided at all costs. With advances being made in computer forensics, it is becoming easier to quickly and accurately determine whether a given computer system has been involved in illegal activity, be that hacking, virus and worm writing, industrial espionage, or any other electronic vice that may be the flavour of the month with the blackhats.
Hackers tend to route through several computers, usually located in multiple countries, and go to great lengths to avoid detection before launching the final onslaught. By using several systems in numerous jurisdictions an attacker can cloak the real source of the attack. Tracking the exact starting point of an attack can be a lengthy, time-consuming process and may require fluency in a myriad of languages and unlimited patience. If there is one lesson we can learn from the consistency and frequency of US attacks on the Irish Honeynet, it is simply that there appears to be no shortage of vulnerable systems in that country, and there is equally no shortage of malicious individuals who are intent on using them as the launch pad for attacks on the rest of the world.
The Sapphire Worm, aka SQL Slammer, first seen on January 24th, was an excellent example of a different kind of attack that showed no discrimination or preference for any one particular individual, organisation or country. Although only a small proportion of computer systems around the world were at risk (about 1%), this worm still managed to dramatically degrade the performance of the Internet as a whole and even had the effect of momentarily crippling one of the most wired countries in the world, South Korea. The attack had such an impact on the Irish Honeynet that it was necessary to shut down the operation for a couple of days. Although the Honeynet is intentionally left in a default, unpatched configuration, it was never envisaged that a single worm could generate such huge amounts of traffic so quickly.
It was the usual cry of complacency from system administrators against the software developers for their lack of secure code, a cry of complacency from the vendor against system administrators for failing to apply critical, and long available, patches to their systems, and general ill feeling all around. It is interesting to note that while the vendor, in this case Microsoft, was busy deflecting blame by claiming that they had released a patch more than six months previously, they were also busy chasing the worm around their own organisation in a rushed, and somewhat late, attempt to secure their own systems.
It seems everyone is complacent, but nobody is accountable for their actions, or lack thereof. Whether it is the vendor’s developed (or poorly developed) code, the lazy administrator, the incompetent security manager, or the high-level executive who refuses to provide the necessary resources, unless some kind of accountability is forced onto the stakeholders there will be no incentive for improvement, and incidents like this will become more and more commonplace. Unless a solution is forthcoming, be it from industry or government, our exposure to risk from Internet-borne attacks will only skyrocket. One small consolation was that the Honeynet provided us with an early warning that something unusual was occurring in cyberspace and armed us with the relevant information necessary to ensure our production systems remained unharmed.
The Irish Honeynet, set up by Espion, Deloitte & Touche and Data Electronics, operational since April 2002, is designed to imitate the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.
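The two ideas above, that every packet reaching an unadvertised honeynet is suspicious by definition and that a sudden burst of the same probe from many sources is an early warning, can be turned into a small detector. The following is an added example, not code from the Irish Honeynet Project or its sponsors; it assumes a hypothetical honeynet address block (203.0.113.0/24) and constructed flow records, and the UDP port 1434 used for the Slammer check is the worm's known propagation port, not a detail stated in the article.

```python
"""Flag honeynet hits in flow records and raise a Slammer-style early warning."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical address block of the unadvertised honeynet (assumption, not the real one).
HONEYNET = ip_network("203.0.113.0/24")
# SQL Slammer spread with a single UDP datagram to the SQL Server resolution port (known fact).
SLAMMER_PORT = 1434
BURST_THRESHOLD = 3  # distinct sources on UDP/1434 inside one window before we warn

# Constructed sample flow log: "epoch src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
1043366400 198.51.100.7 203.0.113.10 tcp 80
1043366401 198.51.100.9 203.0.113.11 tcp 21
1043366402 192.0.2.44 203.0.113.10 tcp 25
1043366403 192.0.2.44 198.51.100.200 tcp 80
1043366410 198.51.100.21 203.0.113.12 udp 1434
1043366411 192.0.2.77 203.0.113.12 udp 1434
1043366412 198.51.100.35 203.0.113.12 udp 1434
1043366413 198.51.100.35 203.0.113.13 udp 1434
"""

def parse_flows(text):
    """Turn the text log into (ts, src, dst, proto, dport) tuples."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        recs.append((int(ts), ip_address(src), ip_address(dst), proto, int(port)))
    return recs

def honeynet_hits(records):
    """Nothing legitimate is ever sent to the honeynet, so every inbound flow is suspicious."""
    return [r for r in records if r[2] in HONEYNET]

def top_sources(hits):
    """Rank attacking source addresses by number of honeynet flows, most active first."""
    return Counter(str(r[1]) for r in hits).most_common()

def slammer_warning(hits, window=60):
    """True when BURST_THRESHOLD or more distinct sources probe UDP/1434 within `window` seconds."""
    events = sorted((r[0], r[1]) for r in hits if r[3] == "udp" and r[4] == SLAMMER_PORT)
    for t0, _ in events:
        sources = {src for t, src in events if t0 <= t < t0 + window}
        if len(sources) >= BURST_THRESHOLD:
            return True
    return False

if __name__ == "__main__":
    hits = honeynet_hits(parse_flows(SAMPLE_FLOWS))
    print(len(hits), "suspicious flows;", "top sources:", top_sources(hits)[:3])
    print("Slammer-style burst:", slammer_warning(hits))
```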