http://www.washingtonpost.com/wp-dyn/articles/A28625-2003Jan8.html

By Leslie Walker
walkerlwashpost.com
Thursday, January 9, 2003

An ordinary office building on Route 1 in Alexandria offers a rare
window into the Internet hacker wars and a few clues to why Uncle Sam
wants more monitoring capabilities in cyberspace.

Inside a cavernous room on the first floor there, security analysts
for Symantec sit in long, curved rows 24 hours a day, working on
computers and facing a wall of theater-size screens. Information
displayed on the screens helps them keep tabs on whether any attacks
are underway at any of the company's more than 600 corporate clients.

Every five minutes or so, a giant, illuminated globe appears on the
central screen and starts to rotate, displaying the locations
worldwide where hackers are launching the most attacks. Symantec uses
special technology to monitor a huge chunk of the public Internet
along with the internal nooks and crannies of its clients' private
networks, looking for telltale signs of computer break-ins.

Its software constantly compares current hacker activity with a
database of prior attacks, then displays in red the names of countries
where an unusual amount of malicious Internet activity is originating
that day. The rotating globe also displays the number of attempted
break-ins against Symantec clients over the past 24 hours in the 10
most active countries.

On a recent Friday, the globe showed more than 16,000 attempted
break-ins originating from the United States, which often ranks as the
world's top launching pad for computer hackers. Brazil ranked No. 4
with 722 attacks. South Korea, Japan, Germany and Taiwan also
frequently appear on Symantec's top 10 list for malicious computer
activity.

Big numbers are par for the course at the Alexandria center, where
analysts detect more than 15,000 discrete "security events" against
Symantec's clients every day. About 4,000 are deemed real hacker
attacks after further analysis, company officials said.

"You can tell from these statistics that it's the Wild West out there
on the Internet," said Grant Geyer, who supervises the
12,000-square-foot facility. "Companies need to do whatever they can
to protect themselves."

The four-year-old operation, which includes special monitoring and
"data mining" technology, was created by a local start-up called
Riptech. Last year, California-based Symantec paid about $350 million
to buy Riptech and three other electronic-security firms (Recourse
Technologies, SecurityFocus and Mountain Wave) that had developed
proprietary anti-hacker technology. Symantec merged Riptech's
operations with its own and now has four similar centers -- in
Britain, Japan, Germany and San Antonio.

Symantec is known as the maker of the Norton anti-virus software that
runs on many home computers. But like competitor Network Associates,
it has been diversifying its security arsenal in an attempt to be at
the forefront of an emerging industry -- managing cybersecurity on
behalf of companies and governments. Mid-size companies typically pay
Symantec $1,000 to $2,000 a month to monitor their networks. The firm
has big clients, too -- including 55 of the Fortune 500 companies --
and does work for several federal agencies.

The managed-security industry is complex and growing fast, especially
as companies awake to the difficulties of interpreting the deluge of
data on their computer networks. Not only is it hard to make sense of
who's doing what on a firm's network, Web sites and wireless devices,
but almost no company can see what is happening on other computer
networks. One advantage managed-security firms have is a global view
that lets them detect patterns.

The Alexandria facility is a private, miniature version of the kind of
public Internet-monitoring capability the Bush administration wants
the federal government to develop to protect the nation's electronic
infrastructure. The administration is readying for release in a few
weeks a final draft of its national strategy for bolstering
cybersecurity.

Hacking -- unauthorized break-ins on private computers and networks --
is increasing dramatically as more computers connect to the Internet.
So, too, is the distribution of computer "viruses" and "worms" that
travel the globe via images, documents and plain-text e-mail messages.
Riptech, one of the few companies that monitored global hacking,
detected a rise in malicious computer traffic during the first half of
last year amounting to an annual rate of 65 percent.

One reason for the jump was the explosive growth in the distribution
of point-and-click hacking tools online. At the same time, more
critical commercial and government operations are moving online,
presenting a greater number of tempting targets to cyber-crooks. The
United States and other countries have passed laws criminalizing
certain forms of electronic break-ins, but detection and prosecution
remain a challenge because it's so easy to hide tracks in cyberspace.
Even in Alexandria, Symantec's job isn't to catch the bad guys, nor to
report them to law enforcement -- it's to thwart attacks and notify
companies of problems.

Natalie Smishko, 25, is typical of the analysts. Sitting in a raised,
rotating cubicle with built-in computer monitors and its own heat and
light controls, Smishko pores over logs in an attempt to separate real
attacks from false positives. Symantec's software automatically
collates data from multiple sources -- all the software programs and
hardware devices that companies use to monitor their networks -- and
presents it in a unified format.

"In this case, an attack was launched against one of our clients and
you can see where they scanned our protected network," said Smishko,
pointing to a list of network locations that allowed her to click on
any single address to get more details.

Another view showed her all the computer ports the interloper had
scanned to see if they were open. Drilling deeper, she could see
where, if at all, the interloper entered the client's network. If data
is transmitted, she can see that, too -- and not only when it is moved
by outsiders. Symantec has caught insiders improperly sending
pre-merger details and pre-earnings data and has reported those
findings to the employees' bosses.

In addition, Smishko can probe Symantec's database history to see if a
hacker's style of attack -- the reconnaissance probes he runs,
software he uses, ports he tries to enter and originating Internet
addresses -- matches prior attacks. Spotting repeat offenders helps
Symantec anticipate what might come next, as with attacks that
happened on the financial sector last summer.

During that time, analysts in Alexandria saw Bulgaria's name suddenly
go red on their giant globe as the hacking activity originating there
increased over a three-week period. The analysts determined that
unidentified cyber-baddies were launching what appeared to be
coordinated attacks against many of the largest financial institutions
in the United States, several of which are monitored by Symantec.

"We immediately gave a whole block of IP addresses [numerical
addresses of specific machines hooked up to the Internet] to our
clients and told them to block all traffic originating from those
addresses," Geyer recalled.

That doesn't mean the perpetrators were actually in Bulgaria. Serious
attacks often are launched through "bot-nets," slang for networks of
robots, typically compromised machines in the homes of unsuspecting PC
users. Hackers take these computers over from afar and turn them into
"zombies" that they control remotely and use to launch coordinated
attacks.

"It's not unusual for us to see a single home computer launch attacks
against 200 of our clients on the same day," Geyer said.

It's anybody's guess, of course, who will win this escalating global
arms race between hackers and anti-hackers. But it's a sure bet that
2003 will see plenty of new resources pour into the coffers of
cybersecurity firms, bulking up the fledgling anti-hacking industry.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]