Lying to hackers is okay by me by Winn Schwartau

Network World Fusion Focus on Security, 06/16/99


Intro:

"All warfare is based on deception."
-- Sun Tzu

"In war (conflict), truth is so precious, it must be protected by a bodyguard of lies."
-- Winston Churchill

"Make a noise in the East and attack in the West."
-- Anonymous Chinese

I believe in lying. Sort of. Let me explain. The bad guys will do anything they can to get you. You know that and it doesn't seem quite fair. They get to cheat, and you, as a network or systems administrator working for a real company, have to play by the rules.

The bad guys can lie. They can use verbal social engineering or hard copy social engineering or pull any sort of nasty trick they want to break into your networks or otherwise try to make your life miserable.

But there are some innovative means to defend our networks, if we just apply some common sense.

  • Your goal is to reduce the amount of time the bad guys have to attack you.
  • You want your detection and reaction mechanisms to be as fast as possible.
  • You may choose to invite the attacker to stay around for a longer period of time to give you more opportunity to collect forensic evidence and/or identify him.

All I'm saying is that we should create an even playing field. "Do unto others as they do unto you," and in cyberspace and infowar, such logic makes impeccable defensive common sense. If the hacker lies to you, why shouldn't you lie right back?

There is a way. It is your right and defensive duty to:

  • Lie to your adversary.
  • Deceive him in any way possible.
  • Force him to waste time/resources.
  • Make his attacks a much riskier proposition.
  • Protect your assets by the same means he attacks yours.
  • Use automatic responses and hands-off management.
  • Apply time-based security concepts.
  • Use Deception.

The Military View:

The world is currently full of nations that are militarily weak, but ruled by despots who do not lack for cleverness or the willingness to use deception to maintain and expand their power.

Winn's Translations for Networks:

The Internet is currently full of hackers, punks and goofballs that are morally handicapped, ethically weak, but who do not lack for cleverness or the willingness to use deception to maintain, project and expand their power.

and...
The Internet is currently full of networks that are defensively weak, but ruled by the technically and financially challenged who only need the willingness to use deception to maintain their systems' integrity and expand their power.

The main goal of your network defense is to keep your company functioning, keep the business process intact and maintain day-to-day integrity so that there are no interruptions.

There is another tool that can create victory without battle and impose your will on your network.

That technique is deception…lying. If you think about it and ask your legal counsel, there is no law against lying…especially to the bad guys.

Deception has been used throughout the history of warfare, from ancient times to today. Certainly the Trojan Horse fits the definition. Military leaders such as Philip of Macedonia, Alexander the Great, Hannibal, Julius Caesar, William of Hastings and yes, Saddam Hussein, have successfully used deception to gain military advantage.

When undersized armies took on a larger force, their horses pulled weighty logs behind them over dusty roads to give the impression that more manpower was coming to battle. Small armies would light thousands of fires at night to give opposing forces a false impression of size.

Psychological operations fit right into the deception mode with the philosophy: "It doesn't hurt if your enemy thinks he's smarter or tougher than you." Think about that. Playing it stupid is good?

During World War II, D-Day planners convinced the Germans that the invasion would not be at Normandy, but some distance to the northeast.

And when the Allies captured a German Enigma encoding machine, we figured out how to decode high-level German transmissions. But we never let the Germans know that we could read their private mail, even if it meant sacrificing civilian targets to keep the secret. Thus, Churchill allowed Coventry to be bombed without air-raid notice to the population.

In modern warfare, electronic chaff is tossed from airplanes to confuse enemy radar. The Soviets poured thousands of electronic diodes into the concrete construction when a new American embassy was being built in Moscow some years ago. The intent was to confuse American counter-surveillance devices that can't tell the difference between the nonlinear junctions of the diodes and those in a real eavesdropping transmitter. Problem was, the Soviets overdid it; we found what they did early in the construction process, and we canned the new embassy.

Some experts maintain that the Star Wars program initiated during the Reagan years was nothing more than an elaborate public relations hoax of the first order that sought to convince the Soviets that we were willing to spend a gazillion dollars on space-based defense. In other words, Star Wars was a deception.

And then there was the Gulf War. Did the Patriot missile system work as well as was claimed? Probably not, but the media and folks at home ate it up. Saddam Hussein's grand deception scheme kept us shooting our smart bombs at Scud launchers that were nothing more than cardboard facades or shells of real ones.

Deception clearly works.

Use Deception to Thwart Hackers:

Now, let's figure out how to apply deception to network security. It's time to even the odds! It is legally arguable to aggressively go after the bad guys. Corporate vigilantism is still only mentioned and knowingly approved of by law enforcement in dark corners. Law enforcement officials can't openly sanction the good guys to break the law to nab the bad guys; but the desire is certainly there. Nonetheless, an active defense is absolutely called for.

Scanning tools are a common means that the bad guys use to attack networks. Whether it's a purloined legal scanner from a real company, or an underground tool, attackers seek to understand and map out their victims' sites before entering.

So what happens? You spend hours and weeks scanning your own networks, and fix as many vulnerabilities as you can. But there are always a few left. You can't remove all functionality in the name of security.

And then, after you've done your best, the bad guys come along with their scanning tools, and your defensive efforts now tell them exactly where to attack. They won't go after the things you have fixed; they'll go after the open electronic doors and windows, which their scanners point out to them. Your best protective security efforts are now working against you! You've reduced your target suite and told them exactly where to attack. Counterproductive, don't you think?

So try using some deception against them! Some of the benefits are obvious:

  • Works against insiders and outsiders
  • Applies tried and true techniques
  • Masks the leftover holes
  • Multiplies target suite
  • Ambushes the attacker
  • Makes attacks riskier propositions
  • Creates an automatic hands-off management detection/response

And what are some secondary benefits? Scanners, legal or not, suddenly become useless. The deception can include entire suites to thwart scanning, such as:

  • Showing network vulnerabilities by the hundreds
  • Telnet open
  • Default passwords are in effect

Of course, it makes sense to reconfigure deception periodically so no one catches on to what you are doing. On the other hand, you might choose to announce deception at logon to scare off would-be attackers. The use of deception mechanisms to keep attackers online for extended periods of time is another ruse to assist in identifying them.
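A decoy of the "Telnet open, default passwords in effect" kind can be as small as the sketch below, which is an added example and not code from the article: a listener that shows a login prompt, never grants access, slows each attempt down, and records who tried what. The banner text, port 2323 and the log file name are assumptions chosen for illustration.

```python
import json
import socket
import time
MAX_TRIES = 3   # login prompts offered before the decoy hangs up
DELAY_S = 2.0   # pause after each "failure"; costs the client time

def _readline(conn, limit=128):
    """Read one line, capped so a client cannot exhaust memory."""
    buf = b""
    while len(buf) < limit:
        ch = conn.recv(1)
        if not ch or ch == b"\n":
            break
        buf += ch
    return buf.strip().decode("ascii", "replace")

def handle_session(conn, peer, log, delay=DELAY_S):
    """Play the fake login dialogue. No input ever succeeds."""
    rec = {"peer": peer, "start": time.time(), "attempts": []}
    try:
        conn.settimeout(30)
        conn.sendall(b"\r\nlegacy-gw maintenance port\r\n")  # constructed banner
        for _ in range(MAX_TRIES):
            conn.sendall(b"login: ")
            user = _readline(conn)
            conn.sendall(b"Password: ")
            password = _readline(conn)
            if not user and not password:   # client went away
                break
            rec["attempts"].append({"user": user, "password": password})
            time.sleep(delay)
            conn.sendall(b"Login incorrect\r\n")
    except OSError:                         # timeout or reset: keep what we have
        pass
    finally:
        conn.close()
    rec["duration"] = round(time.time() - rec["start"], 3)
    log.write(json.dumps(rec) + "\n")
    return rec

def serve(host="127.0.0.1", port=2323, logfile="decoy.jsonl"):
    with socket.create_server((host, port)) as srv, open(logfile, "a") as log:
        while True:
            conn, addr = srv.accept()
            handle_session(conn, addr[0], log)
            log.flush()

if __name__ == "__main__":
    serve()
```

The listener handles one client at a time, so a slow visitor holds the port; the per-session `duration` field is the time-on-target figure the article's time-based argument cares about.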

Deception comes in many guises:

There isn't any one action against deception that is right for every individual or every situation. Deception offers an entire suite of capabilities that should be picked judiciously in any application. The following is a useful deception taxonomy based upon military experiences and history.

Concealment:
Physical: Hiding through the use of natural cover, obstacles or great distance. Trees, branches; Terrain; Mountain Passes; Valleys.

Virtual: Use best defensive practices for 'real' network services: Patches, Service Packs, Policy, Configuration. The object is to properly use and manage those basic security services that come with protective products and general applications.

Camouflage:
Physical: Hiding movements and defensive postures (troops) behind natural camouflage.

Virtual: Hide the vulnerable points with network access rights, archiving, etc.

False/Planted Information:
Physical: Letting opposition have the information you want them to have. Planting information you choose: False radio broadcasts, morphed pictures, videos and other misleading information aimed at enemies, leadership and general populations.

Virtual: Broadcast false network information from servers that are being scanned. Use the wrong IP address and the right IP address and other conflicting information to confuse your network adversary.

Ruses:

Physical: Where equipment and procedures are used to deceive the enemy; carry their flag/colors; march troops in the same formations; use the same uniforms and adversary radio frequencies (false orders). Initiate cries of help as if from the enemy troops.

Virtual: Tell the attacking scanner that a legitimate scan is being conducted. Reinforce to the attacker that he is safely doing what he is doing. Pretend to be another hacker working on the same system. Again, one goal is to keep the hacker there for longer periods of time to gather forensic information.

Displays:
Physical: Make the enemy see (or think he sees) what isn't really there. Horses pulling logs, thousands of campfires, fake artillery, rubber tanks, dummy airfields.

Virtual: Tell the attacker you are calling the IP police; create a fake CERT alert; tell them you are 'tracing' them; show fake firewalls and IP barriers.

Demonstrations:
Physical: Make a move that suggests imminent action, such as moving troops to the left, when you really are preparing to attack on the right; move troops constantly back and forth.

Virtual: Create an automatic defender that seems to follow the attacker; create a daemon that appears to launch a log/sniffer action or a trace.

Feints:
Physical: Demonstrate an attack. Use false attacks as a means of covering up the real mission/movements. Use false retreats to encourage chase by the other side.

Virtual: Appear to be only looking at the attacker, when you're really switching defense modes. Appear to be helpless and defenseless when launching other means. Start an automatic response, then stop and seem to try something else, but really maintain the first one. Be loud about all moves by telling your adversary, or appearing to be so stupid that he thinks he's listening to your moves without you knowing it.

The Many Faces of Deception:

Physical Lies: Lie to the enemy in any way that suits your needs. Use the media to lie. Use perception management to get the attacker to believe what you want him to believe. Initiate protracted but futile negotiations. Circulate false reports on the 'Net. Fabricate treasonable letters.

Virtual: Use electronic lying in the same way. Let the system tell the attacker anything that furthers your goals. Use creative perception management. Initiate protracted, but futile, negotiations. Circulate false reports on the 'Net. Fabricate treasonable letters.

Insight

Physical: Out-think one's adversary. Study the opposition's past engagements and learn from their mistakes. Know your enemy better than he knows you. Stay one step ahead. It's a chess game: predict your opponent's moves.

Virtual: Understand his motivation. Learn the techniques. Collect logs of previous activities. Recognize the different types of attacks - ankle-biters, serious or professional. Research is currently being done to understand hacker motivations -- map those against technical skills and techniques and then develop predictive models based upon early attack detections.

Honey Pots

Physical: Make a target so attractive that your enemy comes running into a trap. Think sneak attack/ambushes.

Virtual: Clifford Stoll placed seemingly valuable national secrets on his computer to draw in the attackers. Create files with attractive information, for example: Come and get it! Privacy Violations: medical, salary, etc.; Rich intellectual property; Corporate secrets; New products; Classified military information; Secrets of Saddam. Then trap, track & trace.

In Closing:

Anything goes with deception!

Lies are good when it concerns thwarting hackers, so use them. The construction of custom deception suites is an attractive means for specific applications and industries that want to use deception:

  • Suck the attacker into a mirror of your Web banking applications to get the bad guys into a harmless area where you can watch, collect information and trace. The main Web banking application remains uncorrupted and functional.
  • Brokerage firms can honey-pot the attackers into private information files/directories, which are really meaningless. Suck them in with "private, confidential investment information."
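The "trap, track & trace" step for decoy files and directories, described under Honey Pots and in the two cases above, comes down to watching for any access to paths that nothing legitimate ever touches. The following is an added example, not code from the article: it scans web access log lines for decoy hits and summarizes each source. The decoy paths and the log lines are constructed for illustration.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import unquote, urlsplit

# Hypothetical decoy locations: no real page links to them or reads them.
DECOYS = ("/private/confidential-investments/", "/hr/salary-review.xls")

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def canonical(target):
    """Decode %xx and collapse ./.. so disguised requests still match."""
    path = unquote(urlsplit(target).path)
    norm = posixpath.normpath(path)
    return norm + "/" if path.endswith("/") and norm != "/" else norm

def is_decoy(path):
    return any(path.rstrip("/") == d.rstrip("/") or
               (d.endswith("/") and path.startswith(d)) for d in DECOYS)

def trace(lines):
    """Return {ip: first/last seen, hit count, decoy paths} for decoy touches."""
    seen = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not an access-log line
        path = canonical(m["target"])
        if not is_decoy(path):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e = seen.setdefault(m["ip"], {"first": ts, "last": ts,
                                      "hits": 0, "paths": set()})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["hits"] += 1
        e["paths"].add(path)
    return seen

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    '198.51.100.7 - - [16/Jun/1999:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.9 - - [16/Jun/1999:10:02:11 +0000] "GET /private/confidential-investments/ HTTP/1.0" 200 512',
    '203.0.113.9 - - [16/Jun/1999:10:09:40 +0000] "GET /public/../hr/salary%2Dreview.xls HTTP/1.0" 200 2048',
    '198.51.100.7 - - [16/Jun/1999:10:10:00 +0000] "GET /private/ HTTP/1.0" 403 0',
]
```

Because a decoy has no legitimate users, every entry `trace(SAMPLE)` returns is worth a look, and the gap between `first` and `last` shows how long the visitor stayed inside the harmless area.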

Law enforcement, military and government sites will be using the same approaches by picking and developing appropriate deception suites that meet their specific goals. I would recommend that you speak with legal counsel who have real cyber-knowledge about the proper means to collect forensic information that can be used in subsequent prosecutions.

Deception is simple to use as long as you understand some of the fundamental rules.

  • Hide your moves from your opponent.
  • Never let your opponent see you as you are.
  • It's all about time. Waste the hacker's time by presenting scenarios for useless attacks, and keep the hacker around long enough so that you can trace them.
  • Announce your deceptive existence to scare them away in short order.

Remember:
"There can never be enough deception."
- Sun Tzu


Winn Schwartau is a security maven, writer and speaker. His recent book "Time Based Security" creates a new paradigm for measuring and quantifying security in any network. His hit books include "Information Warfare" in all three editions. He owns http://www.infowar.com, the world's biggest site for security and information warfare. His team provides extensive security consulting on three continents. In addition, he is a popular, inventive and exciting speaker, a boon to any event. Winn can be reached at winn@infowar.com or (727) 393-6600.

 

Copyright  2000 NoDeception.com All rights reserved