Digital sleuthing uncovers hacking costs

Intruders can get in in next to no time - yet it will cost you thousands of pounds and long hours to find out exactly what happened

It took the intruder less than a minute to break into the university's computer via the Internet, and he stayed less than a half an hour. Yet finding out what he did in that time took researchers, on average, more than 34 hours each.

That inequity -- highlighted during the Forensic Challenge, a contest of digital-sleuthing skills whose results were announced this week -- underscores the costs of cleaning up after an intruder compromises a network, said David Dittrich, senior security engineer at the University of Washington and the lead judge in the contest.

"This guy can do all that damage in a half an hour," he said. Dittrich estimated that those 34 hours would cost a company about $2,000 (£1,408.50) if the investigation was handled internally and more than $22,000 (£15,493) if a consultant was called in. "Those are conservative estimates, as well," he said.

On Monday, Dittrich, and other members of a loose group of security experts known as the Honeynet Project, announced the winner of the Forensic Challenge. The contest pitted the reports of 13 amateur and professional cybersleuths against one another.

Each digital detective used decompilers, data recovery programs and other forensic tools to uncover as much information as possible. The entries consisted of a memo to fictional upper management, a security advisory, and an in-depth analysis of the evidence uncovered by the contestant's digital detective work.

The contest was made more interesting by the fact that the attack was a real one, captured by one of the several "honeypots" -- vulnerable computers connected to the Net and surreptitiously watched -- run by the Honeynet Project.

In fact, the detectives produced several leads to the identity of the culprit. Lance Spitzner, the founder of the Honeynet Project, said they would not prosecute the person responsible. Such online vandals are extremely common, he said.

"I would say this guy represents a very large and common percentage of the black-hat community -- it's a threat that we all face," he said, estimating that 70 to 80 percent of, so-called, black-hat hackers -- those that break into computers illegally -- have comparable skills to the attacker who breeched the computer.

The contest also helps illuminate why securing a computer is more cost effective than hiring consultants to come in and do the detective work afterwards, said Fred Cohen, director of the online investigations program for the University of New Haven, Connecticut, in the US.

"It is a fairly extensive process to take what amounts to a bunch of garbage and build a comprehensive picture of what happened," he said. The costs of such investigations can easily amount to $20,000 per computer, he said.

Cohen, who both teaches forensics and works on actual cases, stressed that companies need to understand the difficulty, and costs, involved. "Companies tend to balk at agreeing to that kind of expense when there is no guaranteed payoff."

Dittrich also hoped that the contest would open the eyes of corporate execs who -- all too often -- want a quick fix.

"If you just reinstall the system, do you know if you have plugged the hole that allowed the attacker to get in?" he asked. Most of the time, such quick fixes just mean the attacker gets another shot at the system. Some computers at the University of Washington have been compromised five times, he said.

"Multiple intrusions are occurring all over the place," he said.

The Honeynet Project plans to do another contest, said Dittrich, but it's a question of time. "I probably spent easily over 100 hours on this," he said. "There was a lot of work that was done just in the judging."

The next project would also focus on either a Solaris or a Windows NT/2000 computer, he said. Getting one would not be a problem, however.

Systems placed on the Internet don't last that long, Dittrich explained.

"If we really wanted to get another system, it would take less than a week. We are being scanned constantly. We could get the data ready rather quickly," he said.

Take me to Hackers

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read what others have said.