By Martin Hack
November 28th, 2006
Lance Spitzner is considered the leading light in the field of honeypot
research. He is the founder of the Honeynet Project, which currently
consists of 15 organizations spread throughout the world. The Honeynet
Project's goal is to capture information on threats, analyze them and
publish the findings. Realizing the importance of this project, the US
Government awarded him a grant that allows him and a small team to
focus exclusively on the project.
I had an opportunity to chat with Lance about his perspective on the
current security landscape.
What are the biggest changes you have seen over the last couple of
Years ago it was hackers who were doing it for the bragging rights, now
it's criminals. The motivation has changed, hacking is now profitable and
there's so much money to be made with very little risk to the actual
Interestingly enough, IRC (Internet Relay Chat) is still being utilized
to start attacks and for communications amongst the bad guys. There are
more secure means of communication available, but they are still using
IRC. They are not worried about being caught; they are blatantly doing
these things out in the open. Though the good ones are communicating
less, which makes it harder to track them. Their focus has shifted to
making money, in which case they naturally don't want to make a name for
themselves, so there's less bragging involved, less communication.
Over the past year or two we have seen a tremendous amount of
acceleration of adaptability on the part of the hackers; the minute
there's a new security tool out there, the bad guys find a way around it.
Spam is a good example, nobody has been able to stop it. Recently you
see spam that comes in the form of distorted or disguised images, so it's
even harder to filter it. It's amazing how fast the bad guys are staying
ahead of us.
And then there is the issue of catching the bad guys. There are a lot of
good guys in law enforcement, but even if you track down a guy somewhere
on the other side of the globe, you then need to find a prosecutor who
is willing to go forward. And sometimes that's not a high priority for
Even with better technology, better OS security, stronger passwords,
better policies, it just makes it more difficult and time consuming for
the bad guys, but they can spend all the time since there is no fear of
prosecution. So much profit for so little risk.
Hacking is just a tool for extortion, fraud, identity theft, things that
have been happening for a long time. If we want to make it more
difficult for them we have to bump up the risk as a deterrent.
Are you doing any research based on specific industry threats?
We are starting to do research on financial threats since there's a lot
of activity there.
Which countries have most of the hacking activity?
Hacking is getting more global but for some reason we are still seeing a
lot of activity coming out of Romania.
What about botnets?
Our German team is doing a lot of research there. In general botnets are
basically business infrastructure for the bad guys; they can change
their attack behavior to whatever their customers demand, DDoS
(extortion), spam, phishing, they have flexibility. The whole thing is a
Do attackers know when they are in a honeypot?
They could potentially reverse engineer our tools and find out, but in
general they are not looking. In reality they don't have any fear of
Automated vs. Manual Attacks
My assumption is that almost everything is automated now, however there
might be script kiddies and some elite hackers that do their own special
thing, but that's a very small percentage. Most activity is automated, it's
simply ROI for them, that's the way to make money.
How much can technology help to stop threats?
Technology will only go so far; the vendors put a lot of time and effort
into making the operating systems more secure. They have finally gotten
there, it's much more difficult now to breach a default system. However,
what took us 5 years to figure out and implement has taken the bad guys
5 minutes to figure out how to get around, which is to go after the human.
Do you have any data on whether actual attacks increased or decreased?
I don't have exact numbers but I have a feeling that the number of
attacks peaked about a year ago. There are still a lot of attacks but
there's also a lot of other stuff like phishing going on. I wouldn't be
surprised if the number of attacks has either plateaued or is even going
down. The bad guys had first to compromise the operating systems to
build the botnets. Also there are constantly new devices that get
connected to the Internet, BlackBerrys, handhelds and things like that;
these are just new markets for the bad guys to make money with.
Recourse Technologies (which was later acquired by Symantec) had one of
the first commercial honeypot solutions, do you see a market for such
No. Since most of the data is used for research, the main consumers of
the data are government, law enforcement and educational institutions
and to some extent security vendors themselves.
If someone wants to learn more about the Honeynet Project, what should
The best way to start is with our website, www.honeynet.org; it contains
all the information and how to get in touch with us.