The articles in this issue describe various tools and techniques
for detecting whether your system has been cracked, and if so, what
to do. A common thread throughout these articles is that much can
be learned from analyzing the features of these attacks.
One of the articles in particular ("Administering a Distributed
Intrusion Detection System" by Johannes B. Ullrich and Wayne
Larmon) describes the efforts of Dshield.org (http://www.dshield.org),
an organization that assembles and analyzes detection log data from
networks all over the world. Dshield.org then studies this data
for unusual activity in an attempt to identify sites that may be
participating in Internet attacks.
Another security organization, the Honeynet Project, is taking
a different approach to analyzing attacks. After one of its own
Honeynet systems was compromised, the Honeynet Project issued a
public challenge to examine the binary that had been installed.
According to the Web site, the goal of this "Reverse Challenge",
which was issued in May, is "to allow incident handlers around
the world to all look at the same binary -- a unique tool captured
in the wild -- and to see who can dig the most out of the tool
and communicate what they've found in a concise manner."
The mission for participants is to identify the purpose of the tool,
describe how it works, and to show their methods of analysis. The
results of the challenge were not available at press time, but can
be found at http://project.honeynet.org/.
Honeynets in general are systems set up specifically in the hope
that "blackhats" will attempt to crack them so that security
experts can then observe the crackers' methods. According to
the Honeynet Project's Web site, the goals of this volunteer-based
organization are to raise awareness of threats and vulnerabilities
that exist in the Internet today, to provide information to better
secure and defend resources, and to teach and provide the technology
and methods of information gathering. Some of the methods and technology
that have been learned through the Project's efforts can be
found in the book Know Your Enemy: Revealing the Security Tools,
Tactics, and Motives of the Blackhat Community by The Honeynet
Project (Addison-Wesley, 2001). Lance Spitzner, one of the book's
co-authors and a Honeynet Project founder, has another book coming
out. It's called Honeypots: Tracking Hackers and will
be available in September from Addison-Wesley. Good luck keeping
those "blackhats" at bay.
Editor in Chief