[ From http://www.computerworld.com/home/print.nsf/all/99031596AA ] [ ComputerWorld 3/15/99 ]

New Generation of Scanning Tools Mask Source of Attack

Espionage has 'never been so easy'

By Ann Harrison
03/15/99

For several weeks, television networks have aired dramatic stories of international attacks on Pentagon computers. But security analysts said last week that those attacks are more likely the work of a new generation of automated scanning and attack tools that simulate coordinated, multinational probes.

John Hamre, deputy secretary of defense, told congressional subcommittees last month that unidentified crackers have been launching attacks from as many as 15 locations worldwide. The U.S. Department of Defense insisted the attacks haven't breached classified networks but declined to confirm details.

However, a bulletin released last week by the CIO Institute (www.cio.org), a private organization of federal government CIOs, suggested a different scenario. It said that, just before Christmas, experts began noticing widespread use of sophisticated scanning tools that mask their activities in a barrage of what appear to be multinational attacks.

Malignant Tools

"Military and commercial espionage has never been so easy," the bulletin said. It added that the new tools are more malignant than their predecessors because they can spread out an attack so that it stays below the monitoring thresholds of audit trails and intrusion-detection software.

"We should be worried about automated attacks. The tools have never been this good," said Alan Paller, director of research at SANS Institute, a Bethesda, Md.-based research and educational organization for systems administrators, security and networking professionals.

By embedding those tools in Perl scripts, crackers can automate the entire process of identifying computer systems, locating known vulnerabilities and exploiting those holes to gain root access.

For example, software called Nmap performs decoy scans using any selection of IP addresses as apparent sources. Nmap allows a relatively unsophisticated cracker, located in the same city as the target network, to mimic a coordinated group of international cyberattackers.

Paller said the Pentagon attack didn't have the correct signature for Nmap, but he noted there are several other tools with similar capabilities. But Rob Clyde, security expert at Axent Technologies Inc. in Rockville, Md., said he believes Nmap does fit the profile of the Pentagon attacks.

"Nmap is not new. It's just this version has come out with the capability of setting things up as a decoy of where the scan is coming from," Clyde said.

What to Do to Prevent Attack
03/22/99

Most network managers try to detect network attacks after the fact by searching logs from firewalls, routers and hosts for the telltale signs of an attack. By that time, it's often too late.

Network managers should instead use cutting-edge tools that analyze the data gathered by scanners such as Nmap, said David Remnitz, managing partner at computer security firm IFsec in New York. Those tools analyze attack patterns and build databases of possible areas of vulnerability, thus helping network managers repel attacks.

Remnitz recommended tools such as Network Flight Recorder, created by a Washington-based company of the same name, which tracks and analyzes data packets sent from and received by a network server. Software developer H.D. Moore has created a series of shareware Perl scripts called Nlog that build a flat-file database from Nmap log files and generate reports (www.nlog.ings.com).

But Karen Evans, a security manager in the Office of Justice Programs at the Department of Justice, noted that it's not easy to find analysts who can accurately evaluate Nmap scans. Of course, the combination of Nmap and Nlog also provides all the information necessary for a well-informed, precise assault on a network or host.

"Using Nmap and Nlog in concert creates extensive maps of networks that can be stored ahead of time," said Stephen Northcutt, a computer security consultant who spoke with members of the Naval Surface Warfare Center's Shadow intrusion-detection team at a recent briefing. "As new exploits are discovered, the hacker can simply get a listing of the systems that are vulnerable and then go to work."

The key is to use those network maps to find and fix those weak spots before a cracker finds them.
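The bulletin's point that a decoy scan spreads its probes across many apparent sources so that each stays under a per-source threshold, and the sidebar's advice to analyze firewall and host logs for attack patterns, as an added example that is not from the article or from any tool it names: a small Python detector run over constructed firewall-log lines. Counting ports per source (the classic rule) sees nothing; counting ports per target catches the sweep and reports how many addresses it was spread across. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the article): a six-port sweep of
# 192.0.2.10 spread over three source addresses, two probes each, plus one
# unrelated connection later.  No single source crosses a per-source threshold.
SAMPLE_LOG = """\
1999-03-15 10:00:01 DENY TCP 198.51.100.11:40001 -> 192.0.2.10:21
1999-03-15 10:00:01 DENY TCP 198.51.100.11:40002 -> 192.0.2.10:22
1999-03-15 10:00:02 DENY TCP 203.0.113.5:40003 -> 192.0.2.10:23
1999-03-15 10:00:02 DENY TCP 203.0.113.5:40004 -> 192.0.2.10:25
1999-03-15 10:00:03 DENY TCP 192.0.2.77:40005 -> 192.0.2.10:80
1999-03-15 10:00:03 DENY TCP 192.0.2.77:40006 -> 192.0.2.10:110
1999-03-15 10:30:00 DENY TCP 198.51.100.11:40007 -> 192.0.2.20:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) DENY TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
FIELD = {"src": 1, "dst": 2}  # index of the grouping key inside an event tuple

def parse(log_text):
    """Return (timestamp, src, dst, dport) tuples; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(dport)))
    return events

def sweeps(events, by="dst", min_ports=5, window_s=60):
    """Group events by source ("src", the classic rule) or by target ("dst", the
    decoy-aware rule) and report groups where >= min_ports distinct ports were
    hit within any window_s-second window, plus how many sources took part."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[FIELD[by]]].append(ev)
    hits = {}
    for key, evs in sorted(groups.items()):
        evs.sort()  # chronological; events are (timestamp, ...) tuples
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            ports = {e[3] for e in window}
            if len(ports) >= min_ports:
                hits[key] = {"ports": len(ports), "sources": len({e[1] for e in window})}
                break
    return hits
```

With the sample data, `sweeps(parse(SAMPLE_LOG), by="src")` is empty while `sweeps(parse(SAMPLE_LOG), by="dst")` flags 192.0.2.10 with 6 ports from 3 sources; the real per-target threshold has to be tuned against legitimate traffic to the host in question.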