Stopping Hackers

To help identify potential hackers, many system administrators rely on a special program called a honeypot, which acts like a trap to snare hackers. A honeypot creates an entirely phony part of a computer network and loads it with tempting but fake data, such as blueprints for a new weapon, a list of Social Security numbers, or usernames and passwords of nonexistent employees. No authorized user would ever need to browse through the fake files of a honeypot, because authorized users don't even know the honeypot exists. The moment anyone accesses the phony honeypot files, the IDS (intrusion detection system) can positively identify that user as an intruder. A honeypot isolates an intruder in a fictional part of the computer network where he (or she) can't cause any damage.

However, after a hacker has accessed a computer network, system administrators have two problems. One, they have to find a way to keep the intruder out. Two, they need to make sure the intruder can never get back in.

Rootkit detectors

After breaking into a computer network, the hacker's first goal is to plant a rootkit. A rootkit provides tools for covering the hacker's tracks to avoid detection, along with tools for punching holes in the computer network's defenses from the inside. By installing a rootkit on a computer network, hackers ensure that if one way into the network gets discovered, they still have half a dozen other ways to get right back into that same network. Even if a honeypot isolates a hacker from sensitive areas of a network, the mere presence of a hacker means that some part of the network's defenses has been breached. To ensure that hackers can't get back into a computer, system administrators need to rely on rootkit removal programs. Rootkit removal programs simply automate the process a computer expert would follow to look for and remove a rootkit from a network.
Unfortunately, hackers develop new rootkits all the time, and one rootkit might hide in a different way than another. Rather than rely on a single rootkit removal program, system administrators often have to create custom rootkit removal programs. An IDS can find a hacker, and a rootkit removal program can detect and wipe out a rootkit from a network. For many companies, those two tasks alone are enough to keep an army of programmers busy. But if a company wants to take legal action against a hacker, it needs to provide evidence of the hacker's activities, and gathering that evidence falls under the category of forensics.
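The honeypot rule described above (any access to the decoy files marks the accessor as an intruder), as an added example that is not from the book: a small detector run over a constructed access log. The decoy paths, the log format and the log lines are all made up for illustration.

```python
# Added example (not from the book): flag any access to honeypot decoy files in
# an access log. Decoy paths, log format and log lines are all constructed.
import re
from collections import defaultdict

# Files no legitimate user ever needs; any touch is an intrusion signal.
DECOY_PATHS = {
    "/shared/finance/payroll_backup.xls",
    "/shared/engineering/weapon_blueprints.pdf",
    "/shared/hr/employee_ssn_list.txt",
}

# Constructed lines of the form "<timestamp> <user> <source-ip> <action> <path>".
SAMPLE_LOG = """\
2024-03-01T09:12:04 alice 10.0.0.12 READ /shared/engineering/roadmap.docx
2024-03-01T09:13:55 bob 10.0.0.31 WRITE /shared/finance/q1_report.xlsx
2024-03-01T22:41:07 jsmith 203.0.113.77 READ /shared/hr/employee_ssn_list.txt
2024-03-01T22:41:09 jsmith 203.0.113.77 READ /shared/engineering/weapon_blueprints.pdf
2024-03-01T22:43:30 jsmith 203.0.113.77 COPY /shared/finance/payroll_backup.xls
2024-03-02T08:02:11 alice 10.0.0.12 READ /shared/engineering/roadmap.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (timestamp, user, ip, action, path), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def find_honeypot_hits(log_text):
    """Collect every decoy access, grouped by (user, source ip)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or malformed line: skip it rather than crash
        ts, user, ip, action, path = rec
        if path in DECOY_PATHS:
            hits[(user, ip)].append((ts, action, path))
    return dict(hits)

def first_detection(log_text):
    """Earliest decoy access as (timestamp, user, ip, path); ISO timestamps sort as text."""
    earliest = None
    for (user, ip), events in find_honeypot_hits(log_text).items():
        ts, _action, path = min(events)
        if earliest is None or ts < earliest[0]:
            earliest = (ts, user, ip, path)
    return earliest
```

Because legitimate users never have a reason to open the decoy files, a single hit is enough to raise an alert; the grouping by user and source address gives the administrator the trail to follow.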
Forensics

If you've ever accidentally deleted a file and then recovered it, you've practiced a simple form of forensics. Basically, forensics is about finding and restoring deleted data. When hackers break into a computer network, the network often keeps track of all activity on the computer in a special file, called a log. To cover their tracks, hackers often modify this log to erase all traces of their activities on the network. Of course, anything deleted on a computer can always be recovered again, so computer forensics captures and restores this information. Such computer forensics evidence can pinpoint exactly what day and time a hacker entered a computer network, what the hacker did while on the network, and which computer the hacker used to access the network. This pile of evidence can pinpoint the hacker's physical location, which the police can use to find and arrest the hacker.

Computer forensics has another use: supporting criminal cases unrelated to computer hacking. Many Internet predators store e-mail and photographs of their contact with their victims, but if they suspect the police might be watching them, they erase this incriminating evidence from their hard disk. To recover this evidence, the police can turn to computer forensics to retrieve the missing e-mails and photographs.

Finally, computer forensics can come in handy if a hacker or malware wipes out an entire hard disk loaded with valuable files. Forensics can simply recover these files as if they were never wiped out at all.

The art of computer forensics involves low-level access to computer hardware, which means forensic practitioners are often skilled in assembly language and C programming. If the idea of combining detective work with mysteries and computer programming sounds appealing, computer forensics and computer security might be the field for you.
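The recovery of deleted data that forensics relies on, as an added example that is not from the book: a minimal file carver that scans a constructed disk image for PNG and JPEG headers and trailers, the way forensic tools recover files whose directory entries are gone but whose data blocks have not yet been reused. The image bytes and the simplified PNG and JPEG structures are constructed, and the signature table is limited to those two formats.

```python
# Added example (not from the book): a minimal file carver. Deleting a file
# normally removes only its directory entry; the data blocks stay on disk until
# reused, so scanning the raw disk for known headers and trailers recovers the
# file without any file system help. The disk image below is constructed.

# Signature table: kind -> (header, trailer, bytes that follow the trailer).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),  # IEND chunk carries a 4-byte CRC
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),  # SOI marker ... EOI marker
}

def carve(image, max_size=1 << 20):
    """Return sorted (offset, kind, data) tuples for every complete file found."""
    found = []
    for kind, (header, trailer, tail) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            start = pos + len(header)
            end = image.find(trailer, start, pos + max_size)
            if end == -1:
                # Header with no trailer in range: blocks already reused or file
                # truncated, so nothing reliable to recover here; keep scanning.
                pos = image.find(header, start)
                continue
            stop = end + len(trailer) + tail
            found.append((pos, kind, image[pos:stop]))
            pos = image.find(header, stop)
    return sorted(found)

def filler(n):
    """Deterministic junk standing in for unrelated disk blocks (never 0xff)."""
    return bytes((i * 37) % 251 for i in range(n))

def build_sample_image():
    """Construct a fake disk image and return it with the two files it hides."""
    # Simplified PNG: signature, IHDR chunk, IEND chunk with CRC (45 bytes).
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    # Simplified JPEG: SOI, APP0 marker and payload, EOI (41 bytes).
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x10" * 30 + b"\xff\xd9"
    # A PNG whose tail was overwritten: header only, so it must not be "recovered".
    truncated_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 10
    image = filler(64) + png + filler(100) + jpeg + filler(50) + truncated_png
    return image, png, jpeg

if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, kind, data in carve(image):
        print(f"{kind} at offset {offset}: {len(data)} bytes recovered")
```

The truncated PNG at the end of the image shows the limit of the technique: once the blocks holding the rest of a file have been reused, the header alone is not enough to bring it back.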
Book VII Chapter 3 Computer Security

Secure Computing

Most computer security revolves around preventing intrusions and fixing any problems that occur because of an intrusion. Such a reactive approach is fine, but for a proactive approach that stops malware and hackers from attacking at all, programmers are learning a new field — secure computing. The idea behind secure computing is to design computer programs with security in mind right from the start. This might seem logical until you realize that nearly all software has been developed without thinking of security at all. If anything, security has always been considered a distant afterthought.