HoneyNet – Getting back to basics
Dublin, Ireland, Tuesday, 20 December 2005… The Irish Honeynet gets back to basics this month and investigates common-or-garden hacks and spyware. Following a request from this year’s Make IT Secure campaign (www.makeitsecure.ie) to provide some simple statistics that will help highlight the importance of home computer security in the modern networked world, the Irish Honeynet Project went back to basics.
Home bandwidth
A standard Windows XP SP2 desktop computer (configured with anti-virus and Microsoft Windows Automatic Updates enabled) was placed on the end of a standard broadband connection. It was left running for a total of 14 days. The PC was behind a Generation III Honeynet configuration, and all traffic to and from the XP desktop machine was logged and recorded for analysis. Further details on the technology used can be found at http://www.honeynet.org.
The PC was not advertised in any way so all traffic to and from the PC was suspicious in nature. We did nothing to entice or lure connections to the PC. It replicates a typical home user (or home office) scenario.
Our observations were as follows:
* During a two-week period from Oct 24th to Nov 7th, our research showed that a sample broadband-connected computer located in Ireland was attacked 3119 times.
* 46% of these attacks came from computers in Europe, 35.4% from computers in Asia, 12.5% from computers in North America, 3% from Australasia and 3.1% from the rest of the world.
* The two countries that generated the most attacks in Europe were Germany and the United Kingdom, with 31% and 12.1% of the total European attackers respectively.
* An overwhelming 84% of the attacks targeted Windows machines, while only 2.5% were aimed at *NIX machines (including Linux). The remaining 14% were aimed at non-specific OS types.
So not much has changed. The attacks were relentless, but thankfully all were targeting known vulnerabilities, for which patches and updates are freely available. Interestingly, only a single attack originated from within Ireland. So we are right up there with the Palestinian Territory, from which there was also one attack logged. China, Germany, the UK, the US, and the United Arab Emirates were the main culprits, together accounting for well over half the attacks.
Focus on Spyware
In an attempt to qualify some of the much-publicised hype surrounding the problem with spyware, the Irish Honeynet Project configured four Windows XP laptops to continuously browse the web over a 7-day period. Using HoneyClient technology, the laptops logged and recorded each time a spyware infection occurred. More details of the technology used can be found at http://www.honeyclient.org/. Collectively, the four web browsers visited a total of 192,309 unique web pages in the 7-day period.
Espion analysed the results, which indicate that the average user can expect at least one infection in a 21-hour browsing period. Or, to put it another way: if an average user spends 3 hours browsing each day, they can expect at least one spyware infection in each week of browsing.
Interestingly, one Laptop, User4, was configured to browse a large number of websites containing adult content. This user was infected with significantly more spyware than any other user. This user was infected 14 times in the 7-day period.
Adult Sites
Although our research was limited, we can assume that a user who spends time browsing adult-oriented web sites can expect nearly twice (1.75 times) as many spyware infections as the average user. Interesting indeed.
Worth noting is that all of the spyware infections on our laptops would generally be classed as a Minor Threat: the spyware transmits information of commercial value that it has gathered about the end user’s browsing habits. This includes keywords used in search engines, browsing habits and ratings of frequently visited websites, shopping reports etc.
The Irish Honeynet, set up by Espion, Deloitte, and Data Electronics, operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.
For more information please send an email to honeynet@espion.ie
About Espion
Espion is a leading Irish IT security company providing leading-edge IT security services, including vulnerability assessment and penetration testing for networks & applications, IT infrastructure review and audit, and security policy & procedure review.
Espion is also the leading expert in computer forensic technology, offering a full range of forensic investigation services and Incident Response.
Based on a number of high-profile incidents, Espion has developed “Security Education & Awareness Programmes for senior management”, “ethical hacking” courses, and other critical security-related courses.
In 2002, Espion co-founded the Irish Honeynet, with a view to researching hacking and attack behaviour in the Irish arena. Espion publishes this research on a monthly basis but also incorporates this research into the services it provides, thereby allowing Espion to remain “the expert” in the field of IT Security.
Established in 2001, Espion’s management team has more than 25 years’ experience in all aspects of the IT security field, from engineering, project management and security architecture design to security sales.