The Cuckoo’s Egg

Back in the mid-’80s and early ’90s, security was an afterthought when designing networks and computers. Many thought of it as just a roadblock to actually being able to use computing time. In fact, back then, most users thought it was perfectly fine to share credentials with others in case they were going on vacation. Reading this today is a bit eye-opening given how far we have come in educating users, even if reported breaches are constantly in the press.

The Cuckoo’s Egg focuses on one man’s mission to hunt down a hacker. What starts as a simple accounting error turns into one of the most interesting reads I have had in a while. Cliff Stoll documents how he tracks the attacker through actual printouts (literally, a printer printing the attacker’s commands onto paper), uses honeypots before they were called honeypots, and fights the apathy of America’s top agencies.

This book was amazing in its ability to show how some of the major techniques we use today evolved from their nascent origins. In the book, the simple idea of the honeypot, which today many have taken to labeling ‘Deception Technology’, was just stumbled upon by Cliff’s roommate. Using a cache of fake documents, Cliff and co. were able to attract the attention of the attacker. Funnily, this ended up creating much more work for Cliff, because they had to continually update the documents with new information and ‘correspondence’.

Today one of the challenges faced by security analysts and engineers is tuning and developing their toolkit. Cliff immediately caught onto the idea that the honeypot would need to be constantly updated and changed. A static cache of documents, emails, and memos would make the attacker suspicious. Lectures and conference talks all over the world today cover how important it is for detection technology to provide realistic targets. Don’t just create a single VM labeled ‘Credit Card Database’; create documents strewn throughout your environment with relevant names. Create VMs that look like test machines for production that got left on. Be proactive.
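The two points above, unique decoy documents that can be recognized the moment an intruder touches them, and decoys that must be refreshed so they stay believable, can be illustrated with a small script. This is an added example written for this review, not code from the book or from any deception product; the directory, the deployment secret, the document titles and the session log lines are all constructed for illustration.

```python
"""Decoy (honeytoken) inventory with staleness tracking and session-log scanning.

Added example, not from the book or the reviewer. Every path, secret and
log line below is constructed; nothing is taken from a real environment.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical per-deployment secret. In practice it is generated once and
# kept off the monitored host, so decoy names cannot be guessed from titles.
DEPLOYMENT_SECRET = b"example-secret-do-not-reuse"
# Hypothetical directory on the monitored host where decoys are planted.
DECOY_ROOT = "/home/research/projects"


@dataclass
class Decoy:
    path: str
    last_refreshed: datetime


def decoy_path(title: str) -> str:
    """Derive a unique, reproducible filename for a decoy.

    The suffix is an HMAC of the title under the deployment secret, so the
    defender can regenerate the name later but an outsider cannot predict it.
    """
    tag = hmac.new(DEPLOYMENT_SECRET, title.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{DECOY_ROOT}/{title}_{tag}.txt"


def make_decoys(titles, now):
    """Plant one decoy per title, all marked as freshly written."""
    return [Decoy(path=decoy_path(t), last_refreshed=now) for t in titles]


def stale_decoys(decoys, now, max_age=timedelta(days=14)):
    """Decoys that have not been updated recently enough to stay believable."""
    return [d for d in decoys if now - d.last_refreshed > max_age]


def refresh(decoy, now):
    """Record that a decoy's contents were rewritten (new memo, new correspondence)."""
    decoy.last_refreshed = now
    return decoy


def scan_session_log(lines, decoys):
    """Flag every logged command that names a decoy path.

    Because each decoy name is unique, a single substring match is an
    unambiguous signal that someone touched bait, not a legitimate file.
    Returns (line_number, decoy_path, command) tuples.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for d in decoys:
            if d.path in line:
                hits.append((n, d.path, line.rstrip()))
    return hits


def demo():
    """Run the whole flow on constructed data and return the findings."""
    start = datetime(1986, 9, 1)
    decoys = make_decoys(["budget_memo", "contractor_list", "network_diagram"], start)
    # Pretend one decoy was planted a month ago and never touched since.
    decoys[1].last_refreshed = start - timedelta(days=30)
    stale = stale_decoys(decoys, start)
    # Constructed session log: shell commands captured from a monitored account.
    log = [
        f"ls -la {DECOY_ROOT}",
        f"cat {decoys[0].path}",
        "who",
        f"cp {decoys[2].path} /tmp/x",
        "cat /etc/passwd",
    ]
    hits = scan_session_log(log, decoys)
    return {"stale": [d.path for d in stale], "hits": hits}


if __name__ == "__main__":
    result = demo()
    for path in result["stale"]:
        print(f"REFRESH NEEDED: {path}")
    for line_no, path, cmd in result["hits"]:
        print(f"DECOY ACCESS line {line_no}: {cmd}")
```

The staleness check is what turns Cliff's chore into a routine: run it on a schedule and rewrite whatever it reports, so the bait never looks abandoned. The log scan is the modern equivalent of watching the printer: it only needs the decoy names, not any knowledge of the intruder.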

Several times Cliff pointed out that he knew the attacker had ‘System’ permissions on his network and could destroy the entire thing without Cliff being able to stop him. What is amazing, and Cliff states this, is that his boss, and the Department of Energy (which funded the department he worked for) approved the ongoing surveillance. Today we are seeing rising reports of attackers covering their tracks by completely destroying the environment.

I highly recommend this book for any information security personnel. The beginnings of our entire field are neatly documented in this adventurous book. Even if you aren’t in the security field, give it a go; it’s entertaining enough for anyone!