How to catch hackers--and make them pay
Catching hackers is tricky. Even if you find out they broke into your system, what next?
By Robert Vamosi
A new service from McAfee will soon let you discover whether anyone is hacking into your system and, if so, let you submit that information to the malicious user's ISP or local law enforcement officials. The project, known as HackerWatch.org, is an ambitious attempt by McAfee, a division of Network Associates best known for its antivirus products, to create an interactive antihacker community online. But will it make a difference?
|HackerWatch is intended "not to start any witch hunts, but to get good quality information" from its users.|
How does it work?
Using the Internet tools Whois and ping, NeoTrace tracks the origin of any malicious user who attempts to intrude on your system. Since the McAfee merger, the product has been renamed McAfee Visual Trace. The program shows you the routes by which the malicious user contacted your computer graphically, as nodes displayed on a world map. The nodes are color-coded to represent the speed of the signal--red for slow and green for fast. McAfee Visual Trace is able to look up the registered owners of the originating address, and, if the malicious user's location falls within the United States, it can even display the hacker's street address.
In addition to NeoTrace, NeoWorx makes a firewall product called NeoWatch, an intrusion detector that is known for its friendly GUI. The latest release of McAfee's Personal Firewall, version 3.0, fuses NeoWatch's interface with earlier versions of McAfee's Personal Firewall. With version 3.0, whenever the McAfee firewall stops an intrusion, anyone subscribed to the HackerWatch service will be able to receive details about the intruder.
If HackerWatch identifies your event as malicious or suspicious, Curry said, you have the opportunity to volunteer information about your break-in to the pool of data being collected by HackerWatch. You also have the option to forward the info to the malicious user's ISP, perhaps putting pressure on the ISP to refuse him or her service. Certain events, such as distributed denial of service attacks, can even be sent to local law enforcement.
|Certain events, such as distributed denial of service attacks, can even be sent to local law enforcement.|
The good news
Reporting any hacking attempt on your system is completely up to you; HackerWatch will not send the information it gathers to ISPs or law enforcement officials. Furthermore, your ISP and time-stamp information will be removed from any reports. As Curry explained it, "That information can later be supplied with a subpoena, if needed."
At present, only certain events will be flagged as suspicious--for example, when there's a lot of activity from a single IP address or heavy activity on a particular TCP/IP port. In the future, HackerWatch hopes to be able to distinguish suspicious content within data packets being sent across the Internet.
Within the next six months, Curry said McAfee plans to make more of the HackerWatch.org site public by including Internet alerts from the CERT Coordination Center and the SANS Institute. The site will also provide its own HackerWatch-based alerts as McAfee moves toward a unified hacker/virus rating system. "HackerWatch.org will be parallel to our virus coverage," said Curry. "The [McAfee] Visual Trace information on the site will be analogous to McAfee's Virus Map."
In theory, HackerWatch.org is a great idea. In practice, it will depend on how many of you use McAfee's products and report your findings to HackerWatch--as well as to ISPs and the law. According to Curry, there are about 200,000 HackerWatch subscribers, and 55 to 60 percent of them are located inside the United States. That's a tiny fraction of the worldwide Internet community. But you have to start somewhere, so I wish McAfee good luck.
Will HackerWatch make the Net more secure? Let us know what you think!