The project, known as HackerWatch.org, is an ambitious attempt by McAfee, a division of Network Associates best known for its antivirus products, to create an interactive anti-hacker community online. But will it make a difference?
Sam Curry, who has overseen firewall development at McAfee for some time, said HackerWatch is intended "not to start any witch hunts, but to get good quality information" from its users. To help it reach that goal, McAfee recently merged with NeoWorx, a company best known for NeoTrace, a product used by law enforcement to trace malicious users.
HOW DOES IT WORK? Using the Internet tools whois and ping, NeoTrace tracks the origin of any malicious user who attempts to intrude on your system. Since the McAfee merger, the product has been renamed McAfee Visual Trace. The program shows you the routes by which the malicious user contacted your computer graphically, as nodes displayed on a world map. The nodes are color-coded to represent the speed of the signal--red for slow and green for fast. McAfee Visual Trace is able to look up the registered owners of the originating address, and if the malicious user's location falls within the United States, it can even display the hacker's street address.
Along with NeoTrace, NeoWorx also makes a firewall product called NeoWatch, an intrusion detector which is known for its friendly GUI. The latest release of McAfee's Personal Firewall, version 3.0, fuses NeoWatch's interface with earlier versions of McAfee's Personal Firewall. With version 3.0, whenever the McAfee firewall stops an intrusion, anyone subscribed to the HackerWatch service will be able to receive details about the intruder.
If HackerWatch identifies your event as malicious or suspicious, Curry said, you have the opportunity to volunteer information about your break-in to the pool of data being collected by HackerWatch. You also have the option to forward the info to the malicious user's ISP, and perhaps put pressure on the ISP to refuse him or her service. Certain events, such as distributed denial-of-service attacks, can even be sent to local law enforcement.
THE GOOD NEWS IS that reporting any hacking attempt on your system is completely up to you; HackerWatch will not send the information it gathers to ISPs or law enforcement. Furthermore, your ISP and timestamp information will be removed from any reports. As Curry explained it, "that information can later be supplied with a subpoena, if needed."
At present, only certain events will be flagged as suspicious--for example, when there's a lot of activity from a single IP address or heavy activity on a particular TCP/IP port. In the future, HackerWatch hopes to be able to distinguish suspicious content within data packets being sent across the Internet.
Within the next six months, Curry said McAfee plans to make more of the HackerWatch.org site public by including Internet alerts from CERT Coordination Center and the SANS Institute. The site will also provide its own HackerWatch-based alerts, as McAfee moves toward a unified hacker/virus rating system. "HackerWatch.org will be parallel to our virus coverage," said Curry. "The [McAfee] Visual Trace information on the site will be analogous to McAfee's Virus Map."
In theory, HackerWatch.org is great idea. In practice, it'll depend on how many of you use McAfee's products and report your findings to HackerWatch--as well as to ISPs and law enforcement. According to Curry, there are about 200,000 HackerWatch subscribers, with about 55 to 60 percent of those located inside the U.S. That is a tiny fraction of the worldwide Internet community. But you have to start somewhere, so I wish McAfee good luck.