From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 14 Feb 2002 22:17:51 -0800 (PST)
Subject: [iwar] The Therminator
Message-Id: <200202150617.g1F6HpZ08936@red.all.net>
Reply-To: iwar@yahoogroups.com

http://www.montereyherald.com/mld/montereyherald/2662112.htm

Posted on Wed, Feb. 13, 2002

Therminator joins fight against military computer hackers
NPS scientists, students develop security program
By KEVIN HOWE
khowe@montereyherald.com

The Internet is a world of its own, and some people who live in it are building unseen empires of master computers that can subvert, suborn and enslave other computers without their owners ever being aware of it.

These Genghis Khans of cyberspace have governments and the military worried because they are capable of using their armies of slave computers to attack government and civilian computer networks.

But now, scientists and students at Monterey's Naval Postgraduate School have developed a new defense - the Therminator.

It was just such an electronic empire-builder who shut down the eBay and Yahoo online networks last year by launching a "service denial attack," said John McEachen, assistant professor of electrical and computer engineering at the naval school.

The lone hacker wrote a program that scanned computers hooked to the 'Net, injected its own directives in them to obey his master computer's commands and then ordered thousands of these "slaves" to contact eBay and Yahoo, drowning those computers with online chatter.

No similar attacks have been traced to terrorists, but the potential is there, said McEachen, who mentioned that some hackers have tried similar assaults on military computer networks, apparently just for fun.

Until now, most computer network security systems alert their owners only after the system has been attacked. The alert is triggered by systems that identify patterns of programs used for intrusion.

"The problem is that you have to have seen a pattern in the past in order to be able to detect it again and identify an attack," McEachen said.

But today's sophisticated hackers don't make the mistake of repeating themselves. When they attack, they come from a new direction with new methods. "Most of these people are clever enough to do the unusual."
The response developed at NPS by scientists and students is Therminator, a computer program that patrols the boundaries of a network and reports back when potential Internet hackers appear to be probing it for a possible assault.

Two of the students, Navy Lt. Stephen Donald and Marine Corps Capt. Robert McMillen, tried the system at the U.S. Pacific Command in Hawaii on Jan. 5, 2001. Within a half hour, McEachen said, the two had discovered a major intrusion into the Pacific Command's network.

Therminator looks for anomalies in systems, rather than repeated patterns, and displays them in three-dimensional graphics that show patterns of usual daily activity and spikes of unusual activity - the sudden appearance of new computer traffic and "packages" entering the system.

The system is based on mathematics developed by Dr. David Ford at the National Security Agency and SANS Institute computer security company founder Stephen Northcutt. It requires "a tremendous amount of processing power," McEachen said. The one at NPS uses a $50,000 Sun Blade processor.

Therminator can - and should - be used in tandem with normal "firewalls" designed to protect systems, intrusion detectors and routers to provide "a defense in depth," he said. It provides continuous monitoring of a network's health while serving as a checkpoint for entering computer messages and information packages.

After its debut at Pacific Command, the Army and Air Force got interested, setting up Therminator at Fort Belvoir, Va., Fort Huachuca, Ariz., and San Antonio, Texas.

Automated computer systems constantly scan the Internet, McEachen said, most of them as tools to seek out commercial customers - the major source of spam advertising messages. Similar automated scanning systems are used by hackers who look for other broad-band, sophisticated systems on the Internet that can be recruited as slaves, he said.
Sometimes owners are enticed by offers of free software, movies or music albums that contain an enslaving code that recruits their computers when downloaded. But the computers don't even have to be turned on, McEachen said. By simply being hooked up to an Internet modem, they are vulnerable to such probes.

Therminator is part of a larger program at NPS called RIDLR - Reconfigurable Intrusion Detection Laboratory Research. Within minutes of turning on that network for the first time, McEachen said, even without an identifying Web site and using a name made up of random numbers, it was inundated with "a constant flow of packages - probes to see what we have."

Within 15 days, the researchers detected an attack launched from four sites in Canada and the United States, all by the same person. McEachen said he is convinced that the hacker who set it in motion had not written the code himself. "He got it off a chat room. The original writer is probably sending that out to get more 'slaves' for a 'grandmaster' computer."

The integration of military electronic sensor, guidance and targeting systems make them increasingly vulnerable to attack and misuse by hackers, McEachen said.

Questions that concern computer security specialists are: Who's doing it and what are their reasons?

"In an industrial nation state there are a lot of really good hackers to whom this is just a way of living," McEachen said. Economic motives might be part of it, since some hackers live on credit-card-number theft from databases, and ego also comes into play. "There's a whole socioeconomic segment of society out there doing it."

The Navy is in the process of applying for a patent for Therminator and plans to release it to the civilian community for use in protecting industrial, financial and infrastructure systems, McEachen said.

Kevin Howe can be reached at 646-4416.

http://all.net/
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST