To Catch a Hacker

The traditional defense against hackers has been to block their entry and hope they move on to another site. Sometimes that works, but sometimes the hackers find alternate routes into a network. The latest influx of intrusion detection products is designed to be more proactive, and some even help companies catch hackers red-handed.

When Dan Arndt, vice president of operations at Rockliffe Systems Inc. (www.rockliffe.com), noticed a hacker was causing problems with his Internet Information Server (IIS) 4.0 Web Server, he upgraded to IIS Service Pack 4 (SP4). When the problems persisted he upgraded to SP5. That still didn’t work for Arndt.

The hacker was locking up IIS: When customers tried to order Rockliffe’s product via the Web site, the entire system was brought to its knees.

Arndt speculates that the hacker’s motive was not to attack his company, but rather to penetrate Rockliffe’s network to gain access to either temporary or permanent authentication keys for the software Rockliffe sells.

The hacker, in fact, was evaluating Rockliffe’s Mail Site, a mailing list server. Unbeknownst to the company at the time, the hacker was registered in Rockliffe’s database as an evaluator.

John Davies, the company’s president, came across BlackICE, an intrusion detection software product from Network ICE Corp. (www.networkice.com) that is designed to track hackers down. Davies agreed to enter the company in the beta-testing phase of BlackICE with the hope of catching the hacker.

BlackICE can be used to detect hack attempts, block attacks and identify intruders for future prosecution.

"I was able to track this guy down in about four hours," Arndt says.

To catch the hacker, Arndt used three network lookup commands available on Windows NT: whois, traceroute and nslookup. From these commands, he determined who was hosting the hacker’s IP address. He then went to his own database of evaluators and found the serial number corresponding to the hacker.
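The triage step the article describes, pulling the offending client address out of the Web server's logs and then running the three lookups against it, can be scripted. The following is an added example and is not code from the article, from Rockliffe or from Network ICE; the IIS-style W3C log lines are constructed (the `/order.asp` path, the 5xx statuses and the hung `time-taken` values are assumptions standing in for the "locked up" ordering page), and the `whois`, `traceroute` and `nslookup` binaries are assumed to be on the path of the machine it runs on.

```python
"""Triage constructed IIS-style W3C log lines to find the client that is
hammering the order page, then run the attribution lookups the article names
(reverse DNS, whois, traceroute).  Added example; the sample log is constructed."""
import re
import socket
import subprocess
from collections import Counter

# Constructed sample in W3C extended log format.  time-taken is in milliseconds,
# as IIS logs it; the long values are the requests that never completed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
1999-06-01 10:00:01 192.0.2.7 GET /default.htm 200 15
1999-06-01 10:00:02 203.0.113.9 POST /order.asp 500 30010
1999-06-01 10:00:03 203.0.113.9 POST /order.asp 500 30005
1999-06-01 10:00:04 192.0.2.8 GET /products.htm 200 22
1999-06-01 10:00:05 203.0.113.9 POST /order.asp 500 30012
1999-06-01 10:00:06 198.51.100.4 POST /order.asp 200 120
"""

FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status", "time-taken"]


def parse_w3c(text):
    """Yield one dict per log record, skipping '#' directive lines and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than abort the whole triage
        yield dict(zip(FIELDS, parts))


def suspects(text, uri="/order.asp", slow_ms=10000):
    """Count, per client IP, the requests to `uri` that failed (5xx) or hung."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"] != uri:
            continue
        if int(rec["sc-status"]) >= 500 or int(rec["time-taken"]) >= slow_ms:
            counts[rec["c-ip"]] += 1
    return counts


def top_suspect(text):
    """Return (ip, count) for the noisiest client, or None if nothing matched."""
    counts = suspects(text)
    return counts.most_common(1)[0] if counts else None


def reverse_dns(ip):
    """Reverse lookup (what `nslookup <ip>` does); None when offline or no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def attribution_commands(ip):
    """The three lookups from the article as argv lists (no shell, so no quoting issues)."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        raise ValueError("refusing to build commands from a non-IPv4 token: %r" % ip)
    return {
        "whois": ["whois", ip],
        "traceroute": ["traceroute", "-n", ip],  # 'tracert' on Windows NT
        "nslookup": ["nslookup", ip],
    }


def run_attribution(ip):
    """Run each lookup, tolerating a missing binary or a hung traceroute."""
    results = {}
    for name, argv in attribution_commands(ip).items():
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
            results[name] = proc.stdout
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            results[name] = "unavailable: %s" % exc
    return results


if __name__ == "__main__":
    hit = top_suspect(SAMPLE_LOG)
    if hit:
        ip, n = hit
        print("suspect %s: %d failed/hung requests to /order.asp" % (ip, n))
        print("PTR:", reverse_dns(ip))
        for name, out in run_attribution(ip).items():
            print("== %s ==\n%s" % (name, out))
```

The parsing and counting run entirely offline; only `reverse_dns` and `run_attribution` touch the network, and both degrade to a `None` or an "unavailable" entry instead of failing, so the script still produces the suspect address on an isolated analysis box. Whois output is the piece that names the hosting provider, which is the lead the article's next step (contacting the upstream provider) depends on.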

"He was running an evaluation of our product in his production environment, and had generated the maximum number of evaluation keys," Arndt says.

Arndt then went to the hacker’s upstream provider, Global1.net and requested more information on the hacker.

"They were very cooperative. I showed them the trace and the log, and they said they were more than willing to cancel the hacker’s account," Arndt says. "But they couldn’t give me all the information they had on the guy."

Arndt learned from the provider that the hacker lives in Brazil, and he is identified as Marco Jr.

Since the hacker resides in Brazil, he is not under the jurisdiction of the United States.

"Each country’s laws are different, and some countries don’t even have laws on the books about hacking," says Mike Flynn, the manager of international and Internet anti-piracy at the Software Publishers Association (SPA, www.spa.org).

Flynn says the SPA has taken an interest in the Rockliffe case, due to both the threat that hackers pose and the fact that this is an international case.

"Hacking really can create a major disruption that can cripple a nation-state if hackers target a financial market, or the communications and transportation infrastructures," he says.

Although the damage in this case was not devastating, Flynn says the difficulty in prosecuting Marco Jr. poses a threat because hackers from countries without stringent laws are essentially safe from prosecution.

If Marco Jr. were in the United States, Rockliffe would have been granted access to more personal information under the Digital Millennium Act of 1998. ISPs are required by law to remove infringing material once it has been brought to the ISP's attention that the material is infringing.

Under the act, Arndt would have been granted an administrative subpoena to see the service provider’s records on Marco Jr.

"If the hacker were in America, a case like this could easily ride to the Federal level; Marco Jr. would spend some time in jail and lose his equipment," Flynn says.

BlackICE is not the only product on the market that has helped companies catch hackers. A company [which co.?] spokeswoman says RealSecure from Internet Security Systems Inc. (ISS, www.iss.net) has been used to catch several hackers, though none of the companies using the product were available for comment. Axent Technologies Inc. (www.axent.com) offers a slew of intrusion detection products and services. Startup company Recourse Technologies Inc. (www.resourcetechnologies.com) recently released ManTrap, software that records hackers' activities and traces intruders back across the Internet.

"Obviously, there is no small pill for security," says Drew Williams, Axent’s manager of e-security services and a co-founder of the company’s information security team. "But security products are becoming enablers as well as defense mechanisms."