BBC News
Last Updated: Thursday, 5 October 2006, 10:27 GMT 11:27 UK
Spinning a web to catch a hacker
By Mark Ward
Technology Correspondent, BBC News website

[Image: T-72 tanks, AP] Mr Spitzner took lessons of war into the fight against hackers

When Lance Spitzner was a tank commander in the US Army's Rapid Reaction Force the importance of intelligence about the enemy was drilled into him on a regular basis.

He knew that only once he had a deep understanding of the command structure, motives and tactics of Soviet T72 tank commanders would he be able to meet them on equal terms on the battlefield.

Back in civvy street and on getting a job overseeing computer security for a small consultancy he was shocked that so little was known about the people mounting attacks on networks and machines.

He admits that in 1998, when he got this job, no one cared about computer security, which is perhaps why he got it.

"When I transferred into information security my job was to defend against threats but I knew nothing about them," he says.

As the new hire at the small consultancy, fresh out of graduate school, he was the perfect candidate for the security post, largely because, he says: "no one else wanted to do it so they stuck me in charge of it".

But the nagging sense that he should know more about the attacks that were hitting the network and the computers on it drove him to set up his own crude honeypot.

The first one was a PC running the open source Red Hat Linux 5.0, set up on his dining table and complete with a firewall that let attacks in but not out again.

"Sure enough it got hacked," he says, and it helped him to learn a little more about what hackers do, how they do it and why.

At that time, he says, he was one of the few people he knew of gathering intelligence about cyber threats and unique in using a honeypot to do it.

Back then, says Mr Spitzner, it was hackers hacking computers out of curiosity and for bragging rights rather than for material gain.

[Image: Palyh virus in e-mail inbox, BBC] Honeypots help to catch new versions of malicious programs

Little surprise that as the Honeynet Project, which Mr Spitzner founded in 1999, started to set up the fake networks to gather data about attackers, few were interested in or knew what to do with the data being gathered.

"When we first started offering the data in 99/00," he says, "no one wanted it or trusted us."

He adds: "In some cases when we told them they had been compromised and needed to clean up their systems they just turned around and sent their lawyers after us."

But as the project has grown and refined its methods and created new tools, respect for what it does has grown too. This has also been helped by the rise of hackers who hack for cash rather than curiosity and the growing interest of criminal gangs in the returns that technology can give them.

Now honeypots are a standard tool in the arsenal of almost all computer security firms - many use them to find out which attacks are proving successful and popular and to keep one step ahead of the next big vulnerability.

The Honeynet Project itself has many sister organisations around the world and all are staffed by volunteers.

"The value of the honeypot is to provide information," says Mr Spitzner, "we publish that information so people can better understand these threats and do something about them."

What the Honeynet Project does not do is shut down any of the criminal activity it identifies. The reasons for this, says Mr Spitzner, are two-fold.

Firstly, if the Honeynet Project were to become an agency of law enforcement its procedures would be subject to so many rules and regulations it would become almost impossible to operate.

[Image: Magnifying glass and fingerprint, BBC] Honeypots give intelligence about hackers and their methods

Secondly, it is very difficult to enforce a solid "chain of custody" between the honeynet gathering data and the point at which it is passed on to law enforcement agencies and used to prosecute. In the hands of a good defence lawyer this electronic evidence could be made to look very shaky.

But the Honeynets around the world operated by the Project do pass on useful information to law enforcement agencies and to official computer emergency response teams to help combat the bad guys.

Unfortunately, says Mr Spitzner, at the moment the advantage is with the hackers.

"The arms race is in the bad guys' favour and they are investing a lot of money in this," he says. The risks of being caught are very low and the returns are "incredibly good".

As technology gets better at stopping attacks, the bad guys are refining their methods to focus on people, who are always going to be the weak link, he says.

"They are very sophisticated and getting better at personalising attacks," he told the BBC News website, "I would be shocked if they did not have their own research and development organisations."

Tackling the huge growth in hi-tech crime is not going to be easy, says Mr Spitzner. No one thinks it is going to be eradicated but more could be done to increase the risks and put some people off pursuing a life of cyber crime.
