ADVANCED TRACKER HACKERS




As the number of computer crimes spirals, the skills of computer forensics experts (a rare breed of security pros) are getting ever more precious. These are the data detectives who search for digital clues remaining on computers after malicious (or black-hat) hackers have done their dirty deeds. Cyber sleuths analyze e-mail, Web site records, and hard drive data, looking for clues to the identity of criminals and crackers, much like gumshoes examine crime scenes for fingerprints and stray hairs.

It’s not only the number of crimes that’s fueling the need for these skills but also the increasing sophistication of criminals. The black-hat community is moving forward at a pace that outstrips the ability of the average system administrator or law enforcement agency to keep up. That means that both e-businesses and law enforcement agencies are paying plenty to find experts to sift through evidence left behind at digital crime scenes.

In other words, security consultants and auditors are well-compensated for their knowledge—especially since the 9-11 attacks. In a recent survey of more than 8,000 IT managers, security consultants, on average, make $27,000 more per year than network administrators. Overall, salaries for all positions grew 22.8% to an average of $80,341 in 2001.

Table 19.1: The salary protection racket.

Position                    Average salary    Increase from 2000
Security consultants        $98,450           +24%
Security auditors           $87,399           +22.4%
Security administrators     $78,035           +22.7%
System administrators       $75,080           +22.2%
Network administrators      $71,714           +22.8%

The need for computer forensics is growing exponentially. The need is particularly acute at local, state, federal, and military law enforcement agencies that host computer forensics divisions, which are looking for individuals adept at solving hacking and intellectual property cases. And an increasing number of corporations are using computer forensics to resolve internal matters such as fraud, violations of trade secrets, and inappropriate use of company computers.

The job is intense and tedious and requires nerves of steel. Most specialists have years of programming or computer-related experience, strong analytical skills, and the patience to invest days taking apart a computer in search of evidence. And if things keep going the way they are, it probably won’t hurt if these experts don’t mind overtime.

Other professional attributes needed to catch a thief are strong computer science fundamentals, a broad understanding of security vulnerabilities, and strong system administration skills. Cyber sleuths use these skills to gather the information needed to reconstruct how a system was hacked. The number and complexity of intrusions has increased at an alarming rate, and cyber sleuths have been forced to find ways to keep up with intruder tools as they have grown in sophistication.

Experts gather this data and create an audit trail for criminal prosecutions. They search for information that may be encrypted or hidden, including data in unallocated disk space. Most cunningly of all, they set traps using vulnerable computers to lure malicious hackers into giving away themselves and their techniques.

Computer forensics specialists must have strong analytic skills and excellent verbal and written communication skills. That’s because they’re required to document their findings in detail, and they often testify at criminal trials.

The demand is being answered by several educational facilities, including the University of Central Florida, in Orlando, which offers a graduate certificate degree in computer forensics. The International Association of Computer Investigative Specialists, based in Donahue, Iowa, offers certification for computer forensics examiners. Demand for such courses is so high that the association’s fall classes are already full. Such courses are helpful for those IT managers or individuals who lack computer programming experience, but who want to make the leap into computer forensics.

Computer forensics specialists caution that IT managers interested in pursuing computer forensics as a career shouldn’t expect that just by taking a few courses in the subject, they’ll be able to track some of the world’s slyest hackers (see sidebar, “The Costs of Tracking a Hacker”). The specialty is a tough discipline in a fast-moving industry that requires highly trained professionals dedicated to continued learning. That’s because there’s no way to stay ahead of the crooks. White-hat hackers at this point can only try to narrow the gap between themselves and the bad guys—and hope that the black-hat hackers don’t get too fastidious when it comes to leaving behind digital footprints.

start sidebar
The Costs Of Tracking A Hacker

It took the intruder less than a minute to break into the university’s computer via the Internet, and he stayed less than a half an hour. Yet finding out what he did in that time took researchers, on average, more than 34 hours each.

That inequity—highlighted during the Forensic Challenge, a contest of digital-sleuthing skills whose results were announced recently—underscores the costs of cleaning up after an intruder compromises a network. The damage done in half an hour would take a company an estimated 34 hours of investigative time and cost about $3,000 if the investigation was handled internally and more than $33,000 if a consultant was called in. And those are conservative estimates.

Eventually, the members of a loose group of security experts known as the Honeynet Project would announce the winner of the Forensic Challenge. The contest pitted the reports of 13 amateur and professional cyber sleuths against one another.

Each digital detective used decompilers, data recovery programs, and other forensic tools to uncover as much information as possible. The entries consisted of a memo to fictional upper management, a security advisory, and an in-depth analysis of the evidence uncovered by the contestant’s digital detective work. The winner of the contest, Thomas Roessler, a student in mathematics at the University of Bonn in Germany, had dabbled in, but not done, digital forensics work in the past.

Roessler indicated that it’s always amazing how much information you can get out of a system by using rather basic tools. You always miss something.

The contest was made more interesting by the fact that the attack was a real one, captured by one of the several “honeypots” (vulnerable computers connected to the Net and surreptitiously watched) run by the Honeynet Project. In fact, the detectives produced several leads to the identity of the culprit. However, the person responsible would not be prosecuted. Such on-line vandals are extremely common.

The perpetrator represents a very large and common percentage of the black-hat community. It’s a threat that everyone faces. Nevertheless, only about 70 to 80% of the so-called black-hat hackers (those who break into computers illegally) have comparable skills to the attacker who breached the computer.

The contest also helped illuminate why securing a computer is more cost effective than hiring consultants to come in and do the detective work afterward. It is a fairly extensive process to take what amounts to a bunch of garbage and build a comprehensive picture of what happened. The costs of such investigations can easily amount to $30,000 per computer.

Companies need to understand the difficulty, and costs, involved. Companies also tend to balk at agreeing to that kind of expense when there is no guaranteed payoff. Hopefully the contest opened the eyes of corporate executives, who all too often want a quick fix.

If you just reinstall the system, do you know if you have plugged the hole that allowed the attacker to get in? Most of the time, such quick fixes just mean the attacker gets another shot at the system. Some computers at the University of Washington have been compromised five times. Multiple intrusions are occurring all over the place.

end sidebar

The Honeynet Project plans to do another contest soon, but it’s a question of time. The next project would also focus on either a Solaris, Windows NT/2000, or XP computer. Getting one would not be a problem, however.

Anonymity in Retrieving System Logs

The 9-11 terrorist attacks have had numerous side effects on national security. One of these is legislation that increases the ability of federal agencies to intercept Internet traffic. Another apparent side effect was the loss of the well-known Web anonymity service hosted by ZeroKnowledge, although that turned out not to be related.

Web anonymizers allow people to visit Web sites without disclosing their identity to the owner of the Web site, or even to a local administrator who can log the URLs that a user visits. These tools work just as well for a terrorist who wishes to use the Web with anonymity, although using Internet access in a Web cafe, which one of the plane hijackers did, works well, too.

Anonymity has its place in a free society, and personal rights and freedoms shouldn’t be collateral victims of terrorist attacks. Interestingly, government agencies may also be important users of anonymizers. This part of the chapter explains how anonymization works on the Internet, and why this is important in the face of increasing privacy concerns.






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca