Taking a new tack on network attacks

Zephon: A Mass. company's security software opts for tagging digital desperadoes once they've committed the breach.

March 04, 2004 | By Hiawatha Bray, New York Times News Service

Peiter Mudge Zatko is giving up.

Zatko is the legendary computer cracker who cofounded L0pht Heavy Industries, a Boston hacker collective that proudly shattered computer security systems and then announced its achievements to the world.

Long ago, Zatko went straight, using his skills to build digital moats and barricades around corporate and government computer systems. The work is interesting, and the pay is good. And yet Zatko's efforts have achieved little: No matter how good the defenses he builds are, the bad guys find a way in.

That's why Intrusic Inc., the Waltham, Mass., company where Zatko works as chief scientist, has abandoned the old concept of keeping intruders out, to focus on detecting them once they're inside.

It's a last-ditch approach, but these days, it's easy to leap over the first couple of ditches, thanks to millions of insecure home computers with broadband links to the Net.

Hackers can use those computers to launch ever more sophisticated attacks. But years of experience taught Zatko that once the bad guys are inside a network, they carry out a limited, predictable set of acts.

"This is still the same stuff from 1996," Zatko said. "I got tired of cleaning up the same mess over and over again."

So Zatko started doing his homework. He found that any properly configured network will do certain things in certain ways. You can codify the process with Newtonian precision.

"You ended up getting the same things as laws, the laws of physics," Zatko said.

Say you have a corporate server loaded with information about customers. There are certain things this machine should never do, actions that violate the physics of the network.

For instance, if this computer asks for data from a Web site located on the other side of the world, something's wrong. A server isn't supposed to do that. But it might if some hacker were running it by remote control.

Intrusic's software - named Zephon, after an angel in Milton's Paradise Lost - sits on the network, collecting and analyzing every data packet. Whenever a machine on the network does something that seems to violate the laws of network physics, Zephon starts watching more closely. If there are enough such violations, it flags corporate security.

In addition, because the Intrusic system has retained a copy of all of the network data, the specialists can quickly see whether the bad guys have used the computer to get into other parts of the system.
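The "laws of network physics" idea above, reduced to code as an added illustration (this is not Intrusic's or Zephon's software): each host is assigned a role that fixes where it may initiate connections, any flow outside that profile is a violation, and a host is flagged once it accumulates enough of them. The roles, addresses, ports, thresholds and the flow log are all constructed for the example.

```python
# Added illustration of the approach described in the article, not Intrusic/Zephon
# code. Each host gets a role that fixes where it may initiate connections; flows
# outside the profile are violations, and a host is flagged once enough accumulate.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

INTERNAL = ip_network("10.0.0.0/8")   # constructed corporate address range
ANYWHERE = ip_network("0.0.0.0/0")

class Role(NamedTuple):
    dst_nets: tuple       # networks the host may initiate flows to
    dst_ports: frozenset  # destination ports it may use
    threshold: int        # violations before the host is flagged

ROLES = {
    # A customer database talks only to a few internal services; it never fetches
    # web pages, least of all from the other side of the world.
    "customer-db": Role((INTERNAL,), frozenset({53, 389}), 2),
    # A workstation legitimately browses external web sites.
    "workstation": Role((ANYWHERE,), frozenset({53, 80, 443, 445}), 5),
}
HOST_ROLES = {"10.0.1.10": "customer-db", "10.0.5.23": "workstation"}

def is_violation(role: Role, dst: str, dport: int) -> bool:
    """True if the destination or port lies outside the role's profile."""
    addr = ip_address(dst)
    return not (any(addr in net for net in role.dst_nets) and dport in role.dst_ports)

def analyze(flows):
    """flows: (src, dst, dport) tuples for connections initiated by src.
    Returns (violation count per host, set of flagged hosts)."""
    counts, flagged = defaultdict(int), set()
    for src, dst, dport in flows:
        role = ROLES.get(HOST_ROLES.get(src))
        if role is None:
            continue                      # unprofiled host: out of scope here
        if is_violation(role, dst, dport):
            counts[src] += 1
            if counts[src] >= role.threshold:
                flagged.add(src)
    return dict(counts), flagged

# Constructed flow log; 203.0.113.0/24 is a documentation range standing in for a distant web server.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.0.2", 53),       # DNS lookup: normal
    ("10.0.1.10", "10.0.0.9", 389),      # LDAP to internal directory: normal
    ("10.0.1.10", "203.0.113.77", 80),   # database fetching a web page: violation
    ("10.0.1.10", "203.0.113.77", 443),  # second violation: host is flagged
    ("10.0.5.23", "198.51.100.5", 443),  # workstation browsing: normal
]
```

Running `analyze(SAMPLE_FLOWS)` flags only the database host; the same outbound HTTPS flow from the workstation is within its profile and passes, which is the point of per-role rather than per-packet rules.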

Caritas Christi Health Care of Boston, the Mohegan Sun Casino in Connecticut and the Home Depot home improvement chain have all bought into the Intrusic system.

It might work, but there's a whiff of despair about the concept. The Zephon approach assumes the impossibility of preventing people from raiding computer networks.

"There are thousands of new ways to attack every week," said cofounder Justin Bingham. "It's like an arms race. You really can't keep up."

The biggest reason is broadband-connected home PCs. One Intrusic executive calls them "the black hole" of computer security. It's well known that many home machines are wide open to attack by computer vandals armed with e-mail worms and other ugly tools. Infected machines are routinely used to relay spam e-mails or carry out denial-of-service attacks that overwhelm targeted sites.

But a nastier problem lurks. Many of us use our home machines to plug into company networks. It seems safe enough; we use so-called tunneling software that encrypts transactions and protects corporate secrets.

But if such a computer is taken over by a bad guy, the digital tunnel just makes his life easier. As far as the network is concerned, the vandal isn't an intruder, because he came in through the tunnel. So standard firewalls and intrusion detection methods are worthless.

For years to come, home computers will be easy pickings for hackers, and those that link to corporate networks will be the favorite targets of digital crooks.

No wonder Zatko has abandoned all hope of building an uncrackable network. Anti-intrusion gear is still valuable; it keeps out the riffraff. But the seriously bad boys will get in, even if they have to use a shortcut through somebody's living room.

Baltimore Sun Articles