Know Your Enemy: Honeynets

bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.
  • by Anonymous Coward
    So spoof from their nameservers. Spoof from any host they generate a significant amount of traffic to. Spoof from their database server. Etc.

    The fact is, it's unwise to implement a straight packet drop. Look below and you'll see that he actually is doing it cluefully, so the post is not valid in his particular instance, but valid in many others.

    regards.
  • by Anonymous Coward
    We are still getting restitution checks from the script kiddie we busted with our honeypot. Looks like the money will pay for the honeypot and our time invested in it, several times over.
  • Break in, patch it yourself? :-)
  • > So how exactly do you tell someone that
    > their server/network/etc has security problems
    > without opening yourself up for nasty things?

    I don't think you can. I had a friend in high school who was suspended for the same reason. He pointed out a security flaw that someone (not him) later exploited.

    My advice, unless you're being paid to audit someone's security, don't bother. It isn't worth it.

  • by garcia ( 6573 )
    I think that Christopher Robin and his hackers (Pooh, Eeyore, Piglet, etc) would all be willing to get into this l33t deal!
  • Do the "white-hat" car jackers open up the car, get the registration, move it to a safe place, and then contact you about your easily defeatable car locks? :)
  • I don't think that accidentally creating a crappy network is the same thing as having a honeynet...
  • So what do I do? I spoof a portscan from the last hop between you and me. Lo, you block that IP. Lo, you lose your entire upstream.

    Now you won't. You don't know what you're talking about. Yes, you're going to drop all packets FROM THAT SOURCE IP ADDRESS ONLY. Unfortunately, there are a few billion other IP addresses on the Internet that your firewall will be happy to accept packets from.

    Feel free to ipchain-away your own first hop out, and see if it affects your ability to load, say, www.yahoo.com. Of course it won't.

    You're not really as 3l33t a H4X0R as you think you are. Leave this kind of stuff to the professionals, please.

    ---

  • A network designed to be hacked, sounds like Microsoft's corporate network to me.

  • Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"

    The nice thing about portsentry is that you can have it issue a command in response to an attack. In this case instead of using the default portsentry settings, it executes a custom built script using the IP as an argument. If you trigger portsentry, you can still see port 80, and 443, but nothing else.

  • by Mr. Flibble ( 12943 ) on Monday April 23, 2001 @12:21PM (#270754) Homepage
    I get hit with about 10-15 of these a day:

    Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
    Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"


    I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.

    There are many more attacks coming in, this is just one example. Sure, I can read on how they are performed, but that only makes me book-smart. I need to be able to see in real-time (or playback) exactly what a black-hat is going to do with my systems.

    Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.

    Perhaps you should read this [rootprompt.org]. It shows you the "proper" way to set up a honeypot so that it cannot be used as a jump-point. I don't want to be just book-smart when it comes to my network. I want to know how they get in and what they do. Yes, I have secured my network (as best as you can, that is) but that is not the point. Eventually *SOMEONE* is going to get in, somehow. I am going to be the one picking up the pieces when it happens. I would love to say that I am "good enough" that no one will crack my network, but I don't believe anyone is.

    What I expect to learn from crackers hitting my honeypot is an overall "pattern". I expect to learn how to become a black hat, because it will make me a better white hat.

    How much more can we really learn from the drooling 13-year-old script kiddies of the world?

    Not all crackers fit that description I am guessing. Hopefully a honeypot will help me find this out for certain.
  • How is the honeynet system under more stress than the normal systems? Do you pay hackers to attack it in preference to your other systems? I don't see how that would work, since as soon as a hacker knows that this isn't a real box, they'll move on to more profitable and/or fun targets. If you incite hackers to attack it by making it an easy target, then you're not really testing what would happen to a real system, are you?

  • Just out of curiosity, how was a Welsh teenager arrested in Wales by the U.S. FBI? As Deng Xiaoping would say, "What about the U.K.'s sovereignty?".

  • That is a good reason, thanks for the explanation. I'm still not sure that it's the best use of resources, but it does sound like it provides some useful information.

  • I just thought it was interesting that it was reported as an FBI arrest, not a British arrest with FBI participation. If this keeps up, Jon Johanson may have something to fear from U.S. law enforcement after all...

  • I've been hearing about these for a while, but to be honest I don't see how a honeynet will really help your network.

    • If you want to monitor attacks against your network, you could just as easily do this on your real boxes and spend the extra time improving your tripwires, etc.
    • Another common reason for honeynets is "to observe hacking attempts in the wild", but I don't see how you can guarantee that the hacker with the new idea will attack your particular honeynet as opposed to your production machines or someone else's network entirely.
    • If someone else's honeynet is attacked, there's no way to be sure that they'll pass on the vulnerability information they've discovered about their own systems (although their vendor should let the world know once a patch is available).

    Maybe someone can explain the attraction to me, but it seems that although honeynets may observe a new attack technique every once in a while, on the whole they're not the most effective prevention method. The time would be better spent auditing the security level of your machines, improving your patch application time, analyzing log files from your production machines, etc.

  • You are apparently not familiar with portsentry, and have just parroted the most common misconception. Portsentry is configured by default to only block hosts when it is running in standard mode. In standard mode portsentry binds to each port it monitors and requires a host to complete a full TCP connection to the port before it will go off. On most modern operating systems it is nearly impossible to spoof a full TCP connection, since variables like the ISN are generated from the machine's random number generator.

    The portsentry documentation explicitly states that it isn't smart to do dynamic blocking on anything other than TCP connections. There also exists a whitelist file of IP addresses that will never be blocked, and you are encouraged to put the addresses of your critical internal machines and routers in it. According to the portsentry website they have not one confirmed report of someone baiting portsentry and having it DoS their own machine. Not that it can't happen, but you would have to make several specific misconfigurations that go directly against what is written in the manual.

  • That's exactly why honeypots suck. Network admins have too many other things to be doing/working on than setting up systems and trying to catch hackers/crackers. There's just not enough time.
  • Yeah, after I posted I noticed it called a custom script :)

    Still, most people use the default action of completely dropping the connection, and they should know it's unwise to do so....

    -gleam
  • by gleam ( 19528 ) on Monday April 23, 2001 @12:51PM (#270763) Homepage

    > I get hit with about 10-15 of these a day:
    >
    > Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
    > Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
    >
    > I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.


    Portsentry/ipchains is *not* a wonderful thing in that instance. It would be much wiser for you to at least implement a brief timeout on the drop.

    Here's a scenario:

    I know your box is up, because I can connect to you at port 80, or whatever. So I portscan you.

    And your box isn't up. EH? Oh! You must have some sort of portscan detector that automatically drops packets! Let's see if I can get to port 80!

    Nope! Hmmmmm.

    So what do I do? I spoof a portscan from the last hop between you and me. Lo, you block that IP. Lo, you lose your entire upstream.

    Lo, you're screwed. All because you let an imperfect program control your TCP/IP stack.

    Sure, blocking port scanners is OK. Just don't let them use it as an opportunity to launch a denial of service attack.

    Think it through.

    -gleam
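    The two safeguards argued over in this thread, a never-block whitelist (upstream router, nameservers) and a timeout on the dropped route, as a constructed PortSentry-style response hook invoked the way the log line shows (`script <ip> <port>`). This is an added example, not PortSentry's own code and not any poster's script; the file paths, variable names, default TTL and the `echo` stand-ins for the real firewall commands are assumptions.

```shell
#!/bin/sh
# Hypothetical PortSentry response hook (added example, not PortSentry's code).
# Invoked by PortSentry as:  portsentry.bash <source-ip> <port>
# Adds a never-block whitelist and an expiring block instead of a permanent drop.

WHITELIST="${PS_WHITELIST:-/tmp/portsentry.ignore}"   # assumed path; one IP per line
STATE="${PS_STATE:-/tmp/portsentry.blocked}"          # assumed path; "<ip> <expiry-epoch>" per line
BLOCK_TTL="${PS_BLOCK_TTL:-600}"                       # assumed default: blocks live 10 minutes
BLOCK_CMD="${PS_BLOCK_CMD:-echo BLOCK}"     # replace with the real firewall/route command
UNBLOCK_CMD="${PS_UNBLOCK_CMD:-echo UNBLOCK}"

# Return 0 only for a well-formed dotted-quad address, so junk in $1 never reaches the firewall.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Return 0 if the address is on the never-block list (fixed-string, whole-line match).
is_whitelisted() {
    [ -f "$WHITELIST" ] && grep -Fqx "$1" "$WHITELIST"
}

# Return 0 if the address currently has a recorded, unexpired block.
is_blocked() {
    [ -f "$STATE" ] && awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$STATE"
}

# Decide what to do with one alert; prints the decision and returns 0 only when a block is added.
handle_alert() {
    ip="$1"; port="$2"; now=$(date +%s)
    valid_ip "$ip" || { echo "ignore: malformed address '$ip'"; return 1; }
    if is_whitelisted "$ip"; then echo "ignore: $ip is whitelisted (port $port)"; return 1; fi
    if is_blocked "$ip"; then echo "ignore: $ip already blocked"; return 1; fi
    $BLOCK_CMD "$ip"
    echo "$ip $((now + BLOCK_TTL))" >> "$STATE"
    echo "blocked: $ip for ${BLOCK_TTL}s after probe of port $port"
}

# Lift blocks whose expiry has passed; meant to run from cron every minute.
expire_blocks() {
    [ -f "$STATE" ] || return 0
    now=$(date +%s); tmp="$STATE.tmp"; : > "$tmp"
    while read -r ip until; do
        if [ "$now" -ge "$until" ]; then $UNBLOCK_CMD "$ip"; else echo "$ip $until" >> "$tmp"; fi
    done < "$STATE"
    mv "$tmp" "$STATE"
}

# Act as the hook only when PortSentry passes arguments; sourcing the file does nothing.
if [ $# -ge 2 ]; then handle_alert "$1" "$2"; fi
```

    Because the whitelist is consulted before any firewall command runs, a scan spoofed from the first hop or a nameserver listed there is logged but never blocked, which is the failure mode the thread describes.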
  • It seems to me that this whole idea seems rather like the legal doctrine of entrapment, and also by non-law-enforcement types. Scary.
  • It's a game of social engineering. You can tell the whole department so that everyone knows there. Now you aren't solely to blame. Tell the whole university and then you are to blame for being an accomplice. Usually it's safe to keep your mouth shut until someone in authority learns their lesson -- the results though may not be favoured.

    ---
  • How do you tell someone that they are running a "Honeypot" server unintentionally?

    I answered this question in a previous article about Honeypots [slashdot.org]. Since the link to the individual post doesn't work, I'll repost it here:

    Re:honeypots, dangers, products (Score:4, Informative) by tiny69 on Tuesday December 19, @10:28PM EST (#225) (User #34486 Info) http://www.linuxdoc.org

    Spotting a Honeypot is fairly easy. The first thing you do when you gain access to a computer is ask yourself one simple question,

    What is this computer used for?

    Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty or the webpage is the default one installed with the OS, then something is up.

    Check for user activity. Are there any users? Go to ~/.netscape (if the machine is unix). What are the timestamps on the files? Does the user have any email? By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitely wrong!!

    Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.

    One last check before getting the hell out of dodge, sniff the network. Who else is on it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), You've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....

    do a quick `rm -rf /` and never go back.

    I just want to add a few things:

    One of the things the HoneyNet Project does and has hinted at in some of its documents is changing the location of the configuration file for syslogd. Unfortunately it doesn't seem to mention this in its new paper. But how do you check it?

    # strings /usr/sbin/syslogd | grep "/etc/syslog.conf"

    If you don't get a response, the configuration file is NOT /etc/syslog.conf. This a DEFINITE indication that you are on a Honeypot.

    # strings /usr/sbin/syslogd | grep "^/"

    One of those files is being used as the configuration file. They've also done this with Bash's history file:

    # strings /bin/bash | grep ".bash_history"

    Nothing there, look at one of these responses:

    # strings /bin/bash | grep "~"

    And since this is a Honeypot, some of the commands used to hide your tracks may be modified or removed. There are more than a dozen ways to erase a hard drive without using `rm -rf /`, get to know some of them.... And as was pointed out in the results of their recent challenge, removing a file doesn't necessarily mean that it has been erased. *grin*

  • Last time I looked the slashdot submission bin was not everything2.. we don't need 3 different links to the story, what we do need is a single link to this "next chapter" you speak of. I don't see anything there that I haven't read before.
  • I'll take a meatnet over the honeynet anyday.

    IANAV (vegetarian).
  • You did all that you could do in this case. It really is not your problem. If it is your problem, i.e. you work for the company or you are an admin but on a different project, etc., get the response in writing. Make sure that your warning is in writing too. That way, no one can blame you when some scanner out there smells a defective version of Bind and ends up owning your box.
  • by jonnythan ( 79727 ) on Monday April 23, 2001 @11:44AM (#270770)
    The other poster is absolutely right. It is not entrapment if the party in question was merely given the opportunity to commit a crime. It IS entrapment if the idea of committing the crime came from the entrapping party. So, if I leave my car door unlocked and booby trap it so that if someone enters, it locks them in, that's not entrapment. However, if I walk past a guy there and go "hey look at that car..it's open..wanna steal it?" and it's my car, that is entrapment.
  • Use anonymous email. It protects you and looks more like a threat. Just for good measure, send it to the SAs first, then to their non-techie PHBs if no action is taken.

    --
  • First and foremost, if you bring a problem to someone's attention you should offer a solution. Saying "patch it" is not a solution. Offer up some websites, details, etc. Look at it from their side - no matter what your intentions, if you simply bring them a problem and dump it in their lap you are a whiner.

    Second, if you really care about the data and the security of the network then you should volunteer to help patch it. You can't run to the professor's supervisor because you'll still end up looking like a whiner.

    Third, stay anonymous when you notice someone else isn't doing their job correctly. It's the only way to nudge someone into action in regards to their job duties but not embarrass them or break any trust/respect you have with them.

  • I think what he's trying to get at is that setting up a honeypot to deceive crackers from your real network is not a viable security action. I can see the managers now thinking "Hey, if we set up a place for the hacker dudes to play, then they'll leave our real network alone."

    I do agree with you, honeypots are great resources for studying crackers and their techniques, but they are no more a means to securing a network than giving druggies a "Drug Park" to shoot up in solves the drug problem.

  • Actually, I'd have to say it's more like leaving an exact duplicate of your home locked with a run of the mill lock and some video cameras running to analyse them later. Would you call it entrapment if someone broke into your house and you used a videotape to prosecute them? You didn't invite them in, you just didn't happen to have a security service around to watch the video stream while they were robbing the place.

    Same thing goes for this. If you set up a system to act as a honeynet, you can still go after the people who hacked it. You didn't invite them in, and you even used the security settings that a given distribution comes with. (Sure, any decent sysadmin would've made them better, but you could argue that you did leave the door locked.)

    Now, if you set up the honeynet and started a 'who can crack it deepest' contest, then you're generally waiving that right.

  • OK. So what do you do if you get a cracker? Do you prosecute or do you just record data? If you do prosecute, does it depend on intent (just port sniffing (and maybe letting the sysadmin know of a security flaw), attempted break-in, successful break-in, 0wn1n9 the box, etc.)? I personally think that white hat crackers (say, just portsniffing and letting the sysadmin know about security flaws) and some grey hats (maybe breaking in and then fixing some security flaws and then e-mailing the sysadmin) shouldn't be punished for just poking around (although the grey hat thing is iffy). Similarly, I think that black hats should be slapped down as quickly as possible. The best thing we can do is to stop the script kiddies as quickly as possible. If the honeynet data can be used for that, great. Otherwise, how is this any different than, say, reading a security bulletin?
  • Interesting but again.... this is not an attempt to prosecute people. It is watching them - the other part of entrapment is the goal - in entrapment the idea is to catch the criminal, here the goal is to "study the criminal in his natural habitat"... not to interfere, but to study (much like the discovery channel where cameras will follow wild animals and document their activities, not stopping them from being killed by the elements or predators, nor stopping them from killing other animals)

    It would be kind of like buying a car that's a common target, parking it in the good times parking lot (local place, more cars get stolen from that lot each week than the whole rest of the city combined - last I checked anyway), and then hiding cameras to watch it, and see how the thief gets in and takes it.

    Does he use a slim jim? How does he defeat the ignition lock? etc etc. Maybe we will catch something that we haven't seen before.

    Not a wholly bad example either. Evidently the "black hat" car stealing community has their own guide files and standard ways of teaching the trade, much like script kiddies. (saw a news show that interviewed an ex car thief and showed some of the manuals a while back)

    -Steve
  • Heh no. They sit around talking about how easy it would be for them to break into cars, if they wanted to, and go around giving people advice on how to not have their cars broken into :)

    -Steve
  • So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?

    It's a big problem ! My response is to either invoice them for the work, or ignore it as it's just not my problem. If they want to know about site issues, then it's (part of) what I do for a living.

    If they're not a client, then their site isn't any of my business. It's a big 'Net - at any time, most of it is broken in some way -- and I'm never going to fix it all myself. Nothing good will come of pointing out the glaring holes.

    If they can't afford me, then I might work for free -- but they're still a client, and there's a commercial relationship going on, even if no money changes hands. If we can't set this up right; i.e. they're going to listen to me, they're going to give me the authority to fix it properly, and they're not going to obstruct me doing it, then I can't work a proper client relationship and I'm best leaving it alone entirely.

    If they don't want to hear it, don't tell them.
    You wouldn't have got it fixed anyway, and their arrogance isn't worth involving yourself over.

    Someone else's bugs just aren't your problem. Even if this is "crashing airliner fault" territory, the current climate of legal, business, engineering and ethical practice just doesn't like whistleblowers -- messengers keep getting shot, because someone doesn't like their message.

  • Entrapment is creating a crime that wouldn't have otherwise occurred. It is NOT making oneself the preferential victim, or even being willing to assist in its planning/execution (once asked). My understanding of entrapment would be going to a 'criminal' and saying:
    "Hey, Mikey. I've got this huge stash of cocaine that I need to dump. I'll sell it to you for $25/ounce if you'll take it now."
    Goading him into buying it and then nailing him for possession, once he buys it. I think that it would still be entrapment if you nailed him for trying to sell the same cocaine on the streets, because you provided both the idea and the means to a crime that would otherwise have been a no-op.

    If, on the other hand, he came to me, and said

    "Hey sam: I hear you've got a line on some coke. If you cut me in, I'll give you a good price."
    Then it becomes much easier to prosecute -- especially if I hum and haw, and vaguely try and dissuade him before letting him twist my rubber arm.

    For another analogy, the honeypot is rather like a nice house with a cheap lock. No matter how cheap the lock, it's still illegal to break in. You breaking in is not likely to be entrapment unless I go to you and actually suggest that you break in -- or otherwise goad you into committing a crime which you might not arguably otherwise commit.

    IANAL I just like reading up on the law
    --

  • Somebody at our school tried to get the so-called "sysop" to fix a problem with the web-server: cgi-scripts were run as root and everybody could put cgi-scripts up on their personal webpages!

    The sysop didn't even respond to the third email containing detailed explanation on what to change in which files to correct the problem...

    To my knowledge the system was never fixed. We talked about making a web-page with one button: "don't push this!" causing a rm -Rf as root...

    and then mail the URL to the head of department!

    I wonder how many systems out there are as badly configured as this example?

  • "...'I think I might take a look at patching it sometime this summer...'...Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking 'Wait.. I remember someone who knew about this security problem..'"

    So, hack into it and patch it for the poor bastard. Never tell him. You'll be saving your own ass, saving the ass of the moron who can't find time to do his job, and you're preserving the University's security, all in one fell swoop.

    Or, just post the name of the University here on /., and I'm sure someone will help remind him of his gaping orifice.

    --SC

  • Hah,

    I recently set up a counter-strike server. I decided to install portsentry and a couple other detailed logging programs.

    I locked the machine down and hunted down every last bug that I had time for. Spent a couple of days hunting bugtraq etc.

    The sheer number of times I was portscanned was stupid. I had it set up to send me an email for each port scan. I now get 4 a day!

    That is ok. The email server is closed and doesn't actually let anyone but localhost send mail. I can't count how many times that was pried at.

    FTP services run, every time the same exploits are attempted.

    People trying weird shit with my php and perl scripts I wrote / had on my server. Trying to get freaky with my URL variables ;) Pass in RAW SQL etc.

    In short only one person got r00t ;) he had a shell account too. I instantly vaporized his ass. It's like a never ending battle. You can't hope to stop them all, just most of them.

    I think setting up a Honeynet would be kinda fun if I had time. I just don't really give a shit as long as no one is breaking my system down. Portscan all you want. Who cares. (Someone tried to flood ping me once.. too bad the machine is sitting on an OC-12, OC3 and redundant DS3's)

    You can't win. You can only hope to stay slightly ahead of the game.

    Jeremy

  • As with any criminal activity the person committing the crime will balance the risks of getting caught and the rewards of the crime. (Barring insanity; e.g. Mass murderers who eat people).

    If a system like this can analyze the patterns and signatures of the "blackhats" it provides part of the solution. If it is combined with the tracing abilities to determine where the hack came from (a script kiddie using a local ISP in Dallas, Texas or a hacker using a computer at his work)

    There is the distinct possibility that some people can get caught.

    Currently the only people being tracked and caught are the big news story ones, of credit card theft from Barnes and Noble etc. If we can empower people to present a threat back at these blackhats then we can work to prevent more of them. Eventually if these types of traps are set up and successful on a larger scale home users can implement a smaller honeynet to keep people out or track those who do the crimes.

    IMHO; computers will eventually be like Kwik-E-Marts or protective parents who video tape the baby sitter. All of the data will be tracked and stored and the analysis tools will be easy enough that the person committing the crime will have a good chance of being caught. This will become more and more important as everyone gets always-on broadband connections attached to their home computers.

  • Even if you _don't_ leave your door locked, if someone comes into your house and steals things, you can still charge them.

    What difference does it make how hard you try to keep them out? Burglary is still a crime.

  • Well, when I told my school about their security problems, not a great deal happened.

    Then I wrote a security analysis [wh3rd.net] paper, detailing how one would gather username and password pairs for virtually every student in the school.

    Then they started to listen ;)

  • I answered this question in a previous article about Honeypots. Since the link to the individual post doesn't work, I'll repost it here:

    You can link to an individual post in an old article; the comment number is an anchor in the HTML document. So, you'd want to do it like so:

    http://slashdot.org/articles/00/12/19/1820227.shtml#225 [slashdot.org]

    HTH.

    --

  • Understand: I am not a lawyer (though I play one on the Net) and a lawyer clueful in netlaw would be your best advisor. My understanding of The Way Things Work is that if you put a rig online, and are paying the costs of connection (rig itself, net feed, etc.) you have the final say on what goes on there, subject to your internet connection provider and local and national laws. (For instance, trading bomb recipes is ok, spam and kiddie porn are not.) If your ISP (or whoever) is OK with the honeypot/honeynet, and you declare open season on going in, then it should be as kosher as an orange. Of course, the responsibility will fall on you to prevent relay attacking (going from one telnet site to another to [somewhat] hide the attacker's origins) and spamming etc. (Jail sucks, from what I've been told ;) If you are good at what you're doing, and are 110% sure that no one can get out from your honey*, then go for it. The information gained from such a net is really useful. However, be forewarned.
    Windows.. Good for targeting rocks.
  • Yes,

    Was it necessary to include transcripts of an individual attack on a single system in order to illustrate the concept of honeynets?

    Would you rather it just say " we got cracked". If you don't like it you don't have to read it, but if you want to know then you got to read it to learn....


    ________


  • "All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure."

    In other words a Honeynet is the same as any other firewall protected intranet, with the possible exception that someone is actually paying attention to the logs, etc.

    I have this new idea for a vehicle I call a "Safety Mobile." It's identical to any other car, except the person driving is acting responsible and paying attention. Do I get kewl write-ups and Slashdot props?


  • "Well then, break into his account, and change the password to something secure! When he gets back, he'll go straight to you for the correct password, and you can assure him that at least his account was safe."

    Unfortunately, that kind of thing can get a person fired. When you're working with people of the mentality that anyone who warns them of security holes is likely to be the one who later exploits that same hole, you are working with unpredictable, dangerously stupid people. Technically, if you log in to an account that is not yours, even with the intent of being helpful, it's an unauthorized access. The fact that you were clearly being helpful will not be met with any more common sense this time than the last.

  • Reminds me of the time the brilliant sysadmin (read hobbyist) at a company I used to work for upgraded the Netware server and put a paper in everyone's mailbox (centrally located - mind you) telling everyone that their password would be changed to - you guessed it - "password" - over the weekend !

    When I informed a VP who was leaving on vacation for a week that he should have a trusted person change his password temporarily so it wouldn't be "password" for a whole week, you know what he said, right?

    "Oh .. if anyone breaks into my account, I'll know it was you!!!!!"

    I now work with much more competent people, thankfully, but that sure is a supporting anecdote for the theory that idiots rise to the top of the management hierarchy!

  • However, if I walk past a guy there and go "hey look at that car..it's open..wanna steal it?" and it's my car, that is entrapment.

    The key word here, the courts have found, is "predisposition." If I remember the article correctly, in Randy Weaver vs. the FBI the FBI had caught him in a sting operation selling a sawed off shotgun. However, the judge ruled in his favor because he was not predisposed to that type of crime. (This is separate from the whole standoff incident, BTW.)

    So even if a police or civilian group "entraps" you in a sting operation, you may still go to jail if you were criminally predisposed, and you may go free if you were not.

    (I wish I had some relevant links, but time is short.)
    --

  • by Lostman ( 172654 ) on Monday April 23, 2001 @11:24AM (#270793)
    How do you tell someone that they are running a "Honeypot" server unintentionally?

    I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...

    That was high school -- I learned to keep my mouth shut...

    About a month ago, when I first started reading about the honeypot project I noticed that my University's box was running a version of Linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (whom I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."

    Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."

    So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
  • Look, I am in High School currently:

    I'm known as the school's "hacker" (read: I can fix computers, not hack).

    What I did to insulate myself, once I learned that I was known as the hacker in my school, was to get to know the main computer teacher.

    Once he trusted me, I would mention that there were various holes in the school's server (Ex. the folder containing the school district's website was set to read/write over smb with no password) to the teacher and not the main network guy.

    That way I wasn't threatening the Guy In Charge but I was able to alert the proper folks without risking my neck. Though, I seem to get a lot of comments about how "It's good you're on our side."

    Moral of the Story: Don't tell the admin. Alert someone below the admin, who simply has to pass the message on.

    Kalrand

    -the voice of reason

  • Actually a virtual Honey Net implemented on a single machine which could deceive an intruder into thinking they were hopping from machine to machine.. with fake lag, etc. would be cool and much less expensive. Linux boxes masquerading as MVS or VAX VMS or old 3Com NetbuilderII's for that matter would all be neat fake-outs.
  • While this could be a great way to find out more information on the hackers' techniques, with an open door, and potentially hundreds of hackers kicking down the door, how can they accurately track who did what, where?

    Thinking back to city riots -- cars overturned, stores looted, signs destroyed... who got caught? (not a perfect analogy, but you get my drift)

  • Note that these machines are still considered part of the network, and are usually priced ~$3000 as at this price mark they will enter a different bracket of penalties for the hacker.

    Also note the honeynet does not use sensors within the network to collect data, but relies upon the firewall to gather data. Anyone can pretty much do this with most any firewall.

    Recourse [recourse.com]'s Mantrap documents everything on a per machine basis (incl. keystroke logging). This unfortunately is designed more for corporate use than for my home :/
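The point in the post above that a honeynet can be instrumented from the firewall alone is worth making concrete. The following is an added example, not code from the original thread or from the Honeynet Project: it parses constructed, iptables-style firewall log lines (the line format, the 10.0.1.0/24 honeynet subnet and the outbound limit are all assumptions for this example) and derives the two numbers a honeynet operator cares about from the firewall alone: inbound connection pressure per honeypot, and outbound connections from a honeypot, which are the strongest single indicator that it has been compromised and is being used as a launch point.

```python
"""Honeynet accounting from firewall logs only (no sensors on the honeypots).

Constructed example. The log format is a simplified, made-up iptables-style
line; the honeynet subnet and the outbound limit are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

HONEYNET = ipaddress.ip_network("10.0.1.0/24")  # assumed honeynet subnet
OUTBOUND_LIMIT = 5  # alert once a honeypot starts more than this many outbound connections

# Constructed sample log lines (invented for this example, not real traffic).
SAMPLE_LOG = """\
Apr 23 11:24:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=21 SYN
Apr 23 11:24:03 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=21 SYN
Apr 23 11:26:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.9 PROTO=TCP DPT=6667 SYN
Apr 23 11:26:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.9 PROTO=TCP DPT=6667 SYN
Apr 23 11:26:30 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Apr 23 11:26:41 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.11 PROTO=TCP DPT=21 SYN
Apr 23 11:26:45 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.12 PROTO=TCP DPT=22 SYN
Apr 23 11:26:50 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.13 PROTO=TCP DPT=22 SYN
Apr 23 11:26:55 fw kernel: IN=eth1 OUT=eth1 SRC=10.0.1.5 DST=10.0.1.6 PROTO=TCP DPT=139 SYN
Apr 23 11:27:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.1.6 DST=198.51.100.20 PROTO=TCP DPT=80 SYN
Apr 23 11:28:00 fw sshd[123]: Accepted publickey for admin from 192.0.2.4
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return a record for a firewall connection line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "ts": line[:15],  # syslog timestamp prefix, e.g. "Apr 23 11:26:10"
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def classify(rec):
    """Direction relative to the honeynet: inbound, outbound, or other (internal/unrelated)."""
    src_in, dst_in = rec["src"] in HONEYNET, rec["dst"] in HONEYNET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "other"


def summarize(log_text):
    """Per-honeypot inbound counts, outbound counts, and first outbound timestamp."""
    inbound = defaultdict(int)    # attack pressure on each honeypot
    outbound = defaultdict(int)   # connections a honeypot initiated: compromise indicator
    first_outbound = {}           # when each honeypot first reached out: timeline anchor
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        direction = classify(rec)
        if direction == "inbound":
            inbound[str(rec["dst"])] += 1
        elif direction == "outbound":
            host = str(rec["src"])
            outbound[host] += 1
            first_outbound.setdefault(host, rec["ts"])
    return dict(inbound), dict(outbound), first_outbound


def alerts(log_text, limit=OUTBOUND_LIMIT):
    """Honeypots whose outbound connection count exceeds the limit, sorted."""
    _, outbound, _ = summarize(log_text)
    return sorted(h for h, n in outbound.items() if n > limit)


if __name__ == "__main__":
    inb, outb, first = summarize(SAMPLE_LOG)
    for host in sorted(set(inb) | set(outb)):
        print(f"{host}: inbound={inb.get(host, 0)} outbound={outb.get(host, 0)} "
              f"first_outbound={first.get(host, '-')}")
    print("alert:", alerts(SAMPLE_LOG))
```

The outbound limit is the same idea the Honeynet papers describe as data control: a compromised honeypot must not become a platform for attacking third parties, so the firewall both records and caps what leaves. The first-outbound timestamp gives the point in the inbound record where the analyst should start reading.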
  • Probably due to the general "oh no! hackers!" scare, honeypots have recently become pretty popular security tactics. Unfortunately, they really do almost as much -- if not more -- harm than good.

    The problem with honeypots and honeynets is that, in the end, they end up simply encouraging crackers. When systems are put online for the specific purpose of being hacked, crackers are more than happy to oblige by compromising them. And the more boxes they can crack, the more likely they are to get caught up in the whole "blackhat" mythos. Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.

    Furthermore, putting a honeypot or honeynet up is almost asking for people to become blackhats. Most crackers / blackhats have huge egos, hence their need to deface web pages with their 1337 group names. These kinds of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?

    And of course, there's also the fact that a honeypot is a waste of resources. It seems pretty silly to set up a system specifically to be cracked. There are plenty of better uses for a spare box; why not set up a distributed-processing unit or an open-source FTP server if you don't know what else to do with an old computer?

    I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior. How much more can we really learn from the drooling 13-year-old script kiddies of the world?

  • Really only addressing your first point, but:

    If you're running a real production network, you probably already do monitor attacks as they happen (provided you have a clue). The difference is, if you register an attack on your production boxes, you want, and need, to shut it down immediately--block the attack, patch the hole, get control again. Almost by definition, you are only going to catch initial compromise attacks that way--until, of course, that one time you don't.

    The idea with a honeynet is that you don't have to worry about immediately responding and securing the system against the compromise--you can let the intruder wander around a bit and get a feel for what he's going to do once he's inside. What's the second step? How can you secure yourself against that? Because at some point, you're going to get someone who you can't catch at the first step. So in my mind, that's the attraction. How can you build a defense in depth if you don't ever see what a hacker can do once they get inside? If you've got a honeynet running, you can leave the front door unlocked and see what the guy does after he's in the house--and then you know what to lock up inside the house. The next guy might not come in through the front door, but you'll still be in good shape.

  • The primary purpose of a honeynet is to gather intelligence about the enemy, to learn the tools, tactics, and motives of the blackhat community.

    tools: exploits downloaded off the various security websites
    tactics: gcc exploit.c -o exploit; ./exploit
    motives: 3y3 y4m a l33t hax0r d00d!!
  • I've been hearing about these for a while, but to be honest I don't see how a honeynet will really help your network. -- ethereal

    Presumably, these would be helpful for specialists and researchers, not for Joe Average Netgeek. If you're studying security issues in a comprehensive way, it makes sense that a honeynet could be a useful tool. It would also be a good testbed for simulated attacks. I don't think the authors were advocating that the general population set these things up all over the place.

    This approach struck me as analogous to using a live stress test as part of a system deployment. There are some things you can only find out with real systems instead of emulators.

    I might agree that the paper treats this as a more significant idea that the rest of us may think. But you can't blame the guys for wanting to describe it well -- would we prefer if they learned to stammer? JMHO
  • I don't know how to say this, but reading this article gives me an uneasy feeling, and sets off my bullshit detector. Its excessive use of buzzwords (honeynet, blackhat, etc) and attempts at sounding important just don't jibe with what I know. Example: "We have even captured real time video shots of blackhats involved in the attacks on our systems. This gives us insight on how blackhats target and attack systems." How does this follow? You got some webcam video of some guy sitting in front of a PC, what insight is to be gained from that? Jeez. Another gem: "one of the primary sources of information a Honeynet can gather is communication amongst blackhats, such as IRC" WHOO BOY! You can sit on irc and watch script kiddies talk...this is one of the primary uses of a "Honeynet"? Computer security folks have a bad enough reputation as it is for being scam artists and buzzword propagators, and I think we can safely put the people referenced by this article into the "full of bullshit" file.
  • So, a honeynet is just like any other firewall protected network, except for the fact that people are actually paying attention to network security?

    While I don't think I agree with the effectiveness of a 'dedicated' honeynet over any other real network, this does bring to light the interesting effect this will have on network security in general. Right now, l33t k1dd3z have a 'you can't catch me' attitude. Witness the recent exploits of a Welsh hacker [wired.com] who thought that he was so far above the law that he could do what he wanted to any website he wanted in the name of his own little sense of morality.

    Most of these kids *know*, not just think, that they are never going to be caught.

    As more and more businesses and organizations employ honeypots and 'honeynets', trying to catch crackers before they crack, more and more cases of idiots like these are going to get in trouble for breaking the law. Rooting a server is going to be seen less and less like fairly innocent graffiti and more and more like knocking over a convenience store and beating up the clerk, and then walking out with only a slushee. People will still do it, but attacks will be fewer and further between, and the people who get cracked will be those who've invited it by not putting up the equivalents of bullet-proof glass and panic alarms.
  • Essentially, the FBI was along for the arrest because he would also be charged in the US. British police actually made the arrest. Given the "special relationship" that the US and UK have had since WWII (and earlier), this is not altogether surprising.
  • Well then, break into his account, and change the password to something secure! When he gets back, he'll go straight to you for the correct password, and you can assure him that at least his account was safe.

    -B

  • I pointed out a pathetic flaw at my school -- everyone has an account, but the default password is blank. The problem is, a lot of people don't know that they *have* an account... *Several* people have said, when I went to log off, "Oh, can you please just stay logged on? I don't have an account." I reply "Sure you do..." and help them, but, if I wanted to be malicious, I *could* just find their name, log into their account, and cause havoc...

    I told the system administrator -- as my school's computer policy *requires* me to. (I might add, however, that the policy says "the network... or the Internet... I could have some fun pointing out security flaws in a proxy server in Afghanistan...") I was told "Just for telling me that, I could suspend your account and ban you from the computer lab."

    I think the best approach is to just not help people unless they ask. Sure, it seems responsible to try to point out a security risk, but most network administrators seem to construe good-natured tips as being threats... The *real* ironic thing is that someone has been running a brute-force attempt to guess the admin's password for quite some time now; they're perfectly okay with this...
    ________________________________________________

  • It's pretty frankin' easy to avoid that scenario while automatically ignoring annoying hosts. You can automate stupidity, but you can also automate intelligence to a certain degree. Do I really need to state the ways to do this?
  • I've recently been involved in setting up a "honeynet" at a university who I do consultancy work for on their IT systems, including security. A major problem was the sheer number of times it was attacked by a large number of people at the university, often bouncing off external machines.

    I had expected them to catch a few people who had been virtually running wild on the network over the last year. As it turned out, there were too many attacks to be able to narrow it down or to follow up on every event logged.

    It made for a frightening reality as to the sheer volume of attacks that go on. A uni is obviously at more risk than most places due to the high volume of computer geeks with too much time to kill. Still, it's a real wakeup call to the scale of what goes on.
  • No, this is not like your so-called "safety mobile". This is more like an automotive crash test in which they get a production line car, ram it into a wall, and see how it breaks. Yeah, all the security studies in the world will "prove" that your network security tactics are up to snuff, but when it comes down to it, a semi-controlled test of situations closer to that found in the real world can teach you a lot more than having a good security policy.
  • RTA. The whole point of something like this is to see how real 31337 types act on real hardware, simply because you can have real lags without delay loops, etc, and to see if they exploit unknown/difficult to copy bugs.
  • I'm not saying that honeypot systems stress a network anymore or less than a standard system. All I'm saying is that a honeypot system is a more controlled environment in which to study a hacker "under glass", so to speak; perhaps using the honeypot to study a hacker so that the implementors of a honeypot are better prepared to protect the real network. A honeypot type system could also be used to experiment with rolling out new network security procedures and or computer systems, to see if the new procedures/systems are better suited to protecting your particular clients.
  • by Spamalamadingdong ( 323207 ) on Monday April 23, 2001 @11:25AM (#270812) Homepage Journal
    It's not entrapment if you aren't trying to prosecute anyone. It's more like videotaping a burglar's activities at your door to find out how burglars break in, and analyzing the tool marks to see how to make the door secure against other burglars.
    --
    spam spam spam spam spam spam
    No one expects the Spammish Repetition!
  • Be careful of your nation's laws. From the article:
    Until there are more clear judgments at the highest levels of the US Judicial system, we believe we are following the current laws and staying within the lines of propriety. (Those outside the US should consult your own legal agencies for guidance before implementing a Honeynet.)
  • by s20451 ( 410424 ) on Monday April 23, 2001 @11:32AM (#270814) Journal

    These kinds of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?

    For one thing, the study results are expressed in generalities in terms of hacker tactics. How excited can a person become about being a statistic? I can't see someone seeking attention by publicly defacing web sites becoming overly enamored with the idea of being treated as an anonymous lab rat.

    I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior.

    How else do you propose to discover new cracking techniques, or examine cracking tactics? It seems to me that honeynets are an excellent opportunity to both conduct reconnaissance on crackers and validate security models in a practical environment. As the article states, black hat ingenuity should never be underestimated, and I can't see what is to be gained by being complacent about security. According to your argument, if we ignore the problem, it will go away. Attention is not the only thing these guys are seeking; some of them mean to do real harm, and we can't tell the difference a priori.

  • Is it just me, or could this article have been shortened a bit, or at least presented as more of an outline? Was it necessary to include transcripts of an individual attack on a single system in order to illustrate the concept of honeynets? Way too long to read completely and thoroughly.

    Also, the content was kind of unrealistic, but I won't continue on that track. Karma's low enough without getting "redundant"-ed.

  • I dunno... if everyone set up a honeynet, cracking systems would become about the most frustrating thing ever. Since most of the time it would be 'fake'.
