Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.wired.com/news/print_version/technology/story/18219.html?wnpg=all
[Wired.com] (3.3.99) With awe and alarm, security analysts have observed
the capabilities of Nmap, a network-scanning program that crackers are now
using to plot increasingly cunning attacks.
"Just before Christmas, we detected a new [network] scanning pattern we'd
never seen before," said John Green, a security expert on the "Shadow"
intrusion-detection team at the US Navy's Naval Surface Warfare Center.
"Other sites have seen the same activity. The problem was, no one knew
what was causing it."
Green made the remarks Tuesday in an online briefing hosted by the SANS
Institute, a nonprofit network-security research and education
organization. The group held the briefing to alert network administrators
of the alarming increase in the strategies of network attacks.
The culprit software prowling outside the doors of networks participating
in the study is Nmap, an existing software utility used by administrators
to analyze networks. In the hands of intruders, security analysts
discovered, Nmap is a potent tool for sniffing out holes and network
services that are ripe for attack.
The analysts didn't look for actual damage that was carried out. Instead,
they silently watched as various networks were scanned by untraceable Nmap
users.
"The intelligence that can be garnered using Nmap is extensive," Green
said. "Everything that the wily hacker needs to know about your system is
there."
Rather than feel in the dark to penetrate network "ports" at random, Nmap
allows intruders to perform much more precise assaults. The implications
are a bit unnerving for the network community. The tool makes planning
network intrusions more effective, while simultaneously bringing this
sophistication to a wider audience of hackers.
"It takes a lot of the brute force out of hacking," said Green. "It allows
[intruders] to map hosts and target systems that might be vulnerable."
And that should result in a higher success rate for attempted intrusions.
"I think we're going to see more coordinated attacks. You can slowly map
an entire network, while not setting off your detection system," said
software developer H. D. Moore, who debriefed network analysts at the
conference.
But Moore is part of the solution. He authored Nlog, software that
automatically logs activity at a network's ports and parlays it to a
database. Weekly checks of the database enable the user to tell if someone
is performing an Nmap analysis.
Nlog serves as a companion tool to Nmap. Just like intruders,
administrators can use Nmap to detect their own network weaknesses, then
plug the holes.
Prevention is the only defense, Green and Moore said. There is no other
known way to combat an Nmap-planned network attack.
"Right now it's basically a suffer-along scenario," Green said. But, at
least, Nmap lets administrators "know what the hackers know about you."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:29:56 1999