
The Honeypot Project
Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite a while ago. Actually it's an interesting article. I'd like to pretend that when I got 0wn23d it was really just my HoneyPot fooling them.
Cool (Score:1)
If a kid walks into a store, steals a candybar, and is caught on video tape, then he deserves to be punished/arrested. If a kid breaks into my website, defames it, steal information, and causes damage to my systems, then he/she deserves to be arrested.
Amigori
------------
Being aware of your surroundings can help protect yourself.
Re:OK. But what about . . . (Score:1)
I was about to give up, but I'm feeling masochistic tonight, so let me give it one more shot.
I understand the overall point of his post. However, I focused on one somewhat tangential implication that he was making, namely, that there exist "white hat crackers" that are morally different from "black hat crackers", and thus they should be treated differently, in case the managers of the honey pots intended to prosecute break-ins (which personally I think is a good idea).
That's the point I took issue with. I don't think there is any difference between white/black hat hackers, except for motivation, and I don't care about motivation.
To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.
A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it.
By the way, the purpose of a "honey pot" is not to be broken into, any more than a canary's purpose is to die in a coal mine. They're just indicators of a problem. Obviously it's bad when it gets broken into, because that indicates you have a security problem.
--
Re:Reactive honeypots are key (Score:1)
And the whole time the real attacker sits back and laughs his butt off.
Re:Reactive honeypots are key (Score:1)
There was a case quite a while ago about whether "hacking back" was legal or not. I don't really remember the details, but I think someone hacked into a company's servers, and the IT staff at the company saw this and "hacked back" (maybe they just DoS'd the attacker).
The one thing I still remember from this is the line (to paraphrase, most likely) "Not only did they do something illegal; they issued a press release bragging to the world that they did it."
The bottom line - think twice about this. Even if you are 100% sure that the IP you're about to flood is the IP of someone who's trying to bring down your system. I don't know the laws, but I don't think the same kind of "personal defense" laws apply here. (I could be wrong.)
Re:Honeypots inside the firewall (Score:2)
Sure, if I randomly decided to "poke around" at guessing the root password on the company's main server, I could understand being fired. But finding a new server on the network and seeing if your account works should not be something you challenge - provided that they only try their account.
BTW, people who try to crack the desktop of a security professional should be put on record as having been fired for both attempting to breach system security and for stupidity. ("Oh, let's go hack the IT security guy's desktop. Bet he'll never figure it out!" Duh...)
Re:Hang on... (Score:2)
Re:Cool (Score:1)
You're absolutely right, but this is an outrageous idea. There was a huge discussion over whether or not this was "entrapment" (which only the FBI can do, or something like that). You're catching them in the act. Your example of a video camera is good. You are not really doing anything different (by running a honeypot), except it can deny them access to your network. But if you see the person who stole the candy bar trying to come into your store, and you tell him to stay out, is this entrapment? I think not!
Re:OK. But what about . . . (Score:1)
The problem with "White Hat Hackers" is how do you tell the difference? Chances are very good you can't tell the difference until it's too late. If I were a "Black Hat Hacker", one of the things I'd probably do is try to develop a relationship with the System Administrator by letting him know about one or two holes, make him think I'm on his side. Social Engineering is a skill most Hackers pick up pretty early on. The safest thing to do is don't trust anyone who is not a legal user of your system; assume anyone breaking into your system intends to harm it and act accordingly.
Jesus died for somebody's sins, but not mine.
Keep your car locked. (Score:1)
Your car can be used to commit a crime, even a murder.
Locking your car is a good thing for the society even if it's a bad thing for you.
Thanks for locking me out of my car (Score:4)
just leave it alone. if my battery goes dead enough times then i'll learn my lesson.
you are not entitled to screw around with other people's property just because you think you know what's best for them. feel free to voice your opinion but keep your hands off. thank you very much. i don't think that's an unreasonable request.
Re:Legal risks of a honeypot? (Score:1)
That's not enough to forestall all types of attacks. Ping flooding, which doesn't require a connection, for example.
ZDNet posted quite an old news (Score:1)
It's quite old news; please go to The Motives and Psychology of Black-hats in RootPrompt [rootprompt.org] for details.
Reading the IRC logs in the article you will find that there's one Pakistani hacker, D1ck, who got caught in the honeypot. I suspect 'a group of suspected Pakistani hackers' is an overstatement, because the rest of the hackers are Americans, say j4n3.
D1ck did say his main target was Indian websites, but he did also initiate DDoS attacks on some US websites, with the help of other US hackers.
From my point of view, it's more accurate to say "a group of US hackers and a Pakistani hacker".
The ZDNet article does not mention how to build a honeypot; read Build a Honeypot [rootprompt.org] for a hint.
Is it really the script kiddies? (Score:1)
Re:perfect application for user-mode linux (Score:2)
Erm... (Score:2)
Honeypots, etc. (Score:2)
Re:Beware of the Pooh... (Score:1)
that's what I get for typing faster than I think...
Re:what the... (Score:1)
I've done something similar (Score:1)
But always remember that you can never be 100% secure, because crackers will always find another hole, no matter how tight the security.
Re:Hang on... (Score:2)
Re:OK. But what about . . . (Score:2)
Oh. Then ignorance is the source of our problem, as I suspected.
You see, there is in fact an entity known in security circles as the "white hat". The "white hat" is the security expert that is on your side -- the white hat is the one who, once a security hole is discovered, will tell you about it, or hack the code themselves to fix it. As opposed to the black hat who tries to break in to whatever he can, take whatever he can, and not tell anyone so he can do it again.
A true white hat wouldn't try to break into your honey pot unless he knew it was a honey pot, and he knew it was OK for him to try (either by being told, asking, or seeing a public announcement). If he succeeded, he'd make sure you knew exactly what he did. The white hat wouldn't try to break into your main system at all, unless you contracted him to. In short, he wouldn't do things that piss you off.
So there is a big difference in action, not just motivation.
The original poster didn't make this distinction clear. In answer to his question, someone who breaks in and 'fixes things' without permission isn't a white hat. But it is there.
Obviously it's bad when it gets broken into, because that indicates you have a security problem.
Heh. Right. And since there are no elephants around, that means my elephant repellent works perfectly, right?
Actually, it's good when your honey pot gets broken into, and your main machines don't. You've realized there is a hole, and because the honey pot is not connected to anything important, the break-in didn't cost you anything, and you can fix the vulnerability before you lose 10,000 of your customers' credit cards.
The assumption is that you have security holes you don't know about, and letting the "black hats" tell you about them by exploiting them in a safe way is the point.
A honey pot that doesn't get cracked proves very little, and shouldn't make you feel much safer.
Re:Admins (Score:1)
Boss:
"Gee...let's just let anyone telnet into the system from anywhere because if we require ssh, then what if they don't have access?"
Admin:
Well, anyone can sniff across that wire and capture the passwords.
Boss:
"Well, then put ssh on the machine, but also leave telnet open. That should help."
Admin:
Okay...by the way - can I put you down as a reference?
Re:Erm... (Score:1)
White hat crackers == human nature (Score:1)
This white hat cracker discussion reminds me of a sting the police conducted here a few Christmases ago. They put a new television in the back seat of a car and parked it unlocked in a shopping center lot. They were unsuccessful because passersby kept noticing the situation and would lock the car door. People will attempt to do good deeds, even if, as in your case and theirs, it's unwanted.
Re:honeypot (Score:1)
Re:honeypots, dangers, products (Score:4)
What is this computer used for?
Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty, or the webpage is the default one installed with the OS, then something is up.
Check for user activity. Are there any users? Go to ~/.netscape (if the machine is unix). What are the timestamps on the files? Does the user have any email? By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitely wrong!!
Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.
One last check before getting the hell out of dodge: sniff the network. Who else is on it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), you've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....
do a quick `rm -rf /` and never go back.
Re:Interesting (Score:2)
If you don't have a valid plan for making profits, it doesn't matter how much you're paying your system administrators, or how clueless they are.
Re:Yeah, and if I find the 'good samaratian' that' (Score:1)
It's all about "social engineering" (Score:1)
Later they'll go back to irc and brag to their friends, especially about any social engineering hacks. That's how they "get the chicks" (uhhh, right)
Frankly, in this day and age social engineering takes more ingenuity and originality than any insipid root kit or named exploit (imho, of course). Firewalls, honeypots, and NIDSes can't compete against a single gullible sysadmin and a phone.
Even Pooh got stung trying to get the honey pot (Score:1)
Re:Honeypots inside the firewall (Score:3)
Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...
Then you fire them?
You really shouldn't have to. Any decent IS staffer subjected to this kind of treatment should give you exactly what you deserve - a rude gesture - and walk out.
Re:OK. But what about . . . (Score:2)
Re:OK. But what about . . . (Score:2)
Also, for your continued enlightenment, in security parlance the "white hats" are the guys on your side -- they are trying to help you, by discovering exploits, going over code, etc and reporting what they find, so people's security can be increased. They aren't attempting cracks on unsuspecting people's boxes. But a honey pot (see above) would be fair game, no?
Re:OK. But what about . . . (Score:4)
Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
There's no such thing as a "white hat cracker". Quite frankly, I don't care if you find a vulnerability in my system. STAY THE HELL OUT OF MY SYSTEM. Send me an e-mail, fine, thank you. But I don't need roving bands of do-gooders changing my system (and more than likely screwing it up in the process).
Put it this way: If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.
How about faking a super-secret military project? (Score:2)
I have this great idea for a honeypot, although it might seem a little futuristic.
Picture this: we create a series of directories that contain apparently classified military information. We'll call it something obscure, some sort of acronym, like SDINet, for example . . . I bet that would keep a dedicated hacker occupied for hours, especially if you mixed in some binary files so they had to check each one before trying to view it on the server.
I know it seems bizarre, but I think it actually might work! And the best part is I don't think anyone [berkeley.edu] has ever come up with anything like this before!
Let me know if you think it would work.
Re:Legal risks of a honeypot? (Score:2)
Commercial Honeypots (Score:1)
Commercial honeypots like these prolly are a bit more sticky than handcrafted ones.
Honestly though it's much better to know where people are and what they are doing, than wondering where they are and what they are doing.
WSJ (Score:1)
Are we getting spammed? Or would this be like a DoS, DoI (Denial of Information/Intelligence)? Much better than a DuI.
I think it's a coordinated press assault. They are forcing news on us no matter how many times they have to say it.
Long live the Conspiracy Theories!
This message was brought to you by the letter B.
Re:Legal risks of a honeypot? (Score:2)
My point is -- we know guns are made to shoot things, computers are *not* made to attack other systems. "Computers don't attack people, people attack people."
Re:OK. But what about . . . (Score:1)
So, RealityMaster101, I ask, do you consider my actions "White Hat Cracker" actions or "Black Hat?" Or something completely different?
BTW I realize that what I did is not what most people who claim the title "White Hat Cracker" do, and I do not mean to imply that they do or do not deserve their claimed title.
Re:Isn't that a bit extreme? (Score:2)
Those are just the dumbass ones. Like someone who robs a bank and buys drinks for everyone at the local bar the next night, bragging about their big score. Those are probably the ones to be the least concerned about. They are at the low end with the ones you never hear from at the top.
Re:Reactive honeypots are key (Score:2)
Re:Entrapment, plain and simple. (Score:2)
Re:what the... (Score:2)
More evidence of the downward spiral of editorial quality here.
Honeypot Logic? (Score:4)
If the honeypot is intentionally more vulnerable than the real server, then you are just demonstrating known exploits.
If the honeypot is *more* secure than the real server, why did you waste time securing the honeypot that could have been spent securing the real server?
Finally, if the honeypot is equal in security to the real server, you are cutting the odds of a real server being hacked to:
reals/(honeypots+reals)
In most large organizations honeypots will be a very small number compared to reals. In small organizations you could make a difference, but how many small orgs can afford an extra server or two?
The idea that you can learn about the attacker while watching him closely is intriguing, but while you're watching the honeypot, who's watching the reals?
My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...
Reactive honeypots are key (Score:3)
The way reactive honey pots work is to tell the firewall to block access from the intruder's address, temporarily or even permanently. Linux really shines here, since the firewall code in the kernel is particularly well suited to this sort of solution, though you can accomplish the same effect with most any operating system. And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.
Passive honeypots are good as an information-gathering tool for measuring your visibility on the net and the current state of script-kiddy activity, but reactive honeypots are definitely the way to go. They're the proactive solution to a chronic problem.
Again, social engineering will always beat hacking (Score:4)
Also, because the internet is as subject to fads and trends as any other social medium, I think you'll find 'script kiddy-ing' become less and less 'cool' over the days. There is always a renaissance towards the more hand-made, home-grown ways of doing something; in the case of hacking, this narrows the list of possible offenders considerably due to the increased need for talent and knowledge in such hacking styles.
http://www.mp3.com/subatomicacorn
Re:Is it really the script kiddies? (Score:2)
//rdj
Re:Being Rooted Sucks (Score:2)
anonymous file transfers? - use apache
authenticated file transfers - use ssh+(scp/sftp)
I mean, how the hell do you firewall a passive ftp server? or active for clients? add nat and things get screwed. Yes everything is possible, but why do it the hard and insecure way?
Yes, lusers love ftp, but life is hard.
Which culture are you talking about? (Score:2)
A black hat is a cracker with malicious intent. While this may mean kiddies, it also includes the people trying to grab a couple thousand credit cards so they can go on a shopping spree. It includes the cracker performing industrial espionage, so their employer can get a competitive advantage. It includes whoever would want your data, and sure as hell isn't going to brag about getting it on IRC.
Script kiddies are annoying, but what makes them annoying is also what makes them the least of your concerns.
Re:OK. But what about . . . (Score:2)
As to missing the </b> tag, my excuse is sleep deprivation. What is your excuse for missing the word you yourself quoted?
Re:Attracting to the honeypot - how? (Score:2)
Re:Beware of the Pooh... (Score:2)
Re:Beware of the Pooh... (Score:2)
...actually, I tried to post what it would look like in e. e. cummings style, but CowboyNeal's lameness filter prevented me! Now *that's* funny...
Entrapment, plain and simple. (Score:3)
Yes, it's likely entrapment. No, no one's really sure whether it'll hold up in court. No, you don't know what you're hoping to accomplish. Yes, it's a really bad idea. Worry about getting your IDS and firewall rules up to date and your security policies and tripwires strictly monitored before you bother with nonsense like a honeypot.
Re:Honeypot Logic? (Score:2)
You could try out a new service that isn't put on the server yet. You could think of it as a testbench.
Smile! You're on Candid Server! (Score:2)
;-)
Capt. Ron
Script Ethics (Score:2)
Just wondering what people think about this...
honeypots, dangers, products (Score:5)
Honeypots are some of the fluffiest of security products, imo, far less useful than firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.
Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live
Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.
It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have privileged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
Re:Honeypots inside the firewall (Score:3)
Damn right - Bang! Gone.
Mis-clicks are fine, we all do them. Even rattling the door-knob is kewl. But the minute you try to break in you're outta there. I run big networks, stuff comes & goes all of the time and a certain degree of interest is expected (& welcomed.)
This does not extend to trying to break into boxes that aren't yours.
I don't care if it's called "Hax0rs l00t"; once you've determined the front door is closed then pass it on to the right folks & move on. Raise the alarm, stick your head into the Net Security Admin's office, ask them for follow-ups, bring it up at a Change Control meeting, whatever, but breaking into something that isn't yours & you haven't the authority to access is grounds for (immediate) termination.
No apologies, no excuses.
Again, we have folks in charge of keeping the network organized, they should know about anything new or different on the network, ask or tell them. We have folks in charge of security, they should be notified about any concerns you have. Unless your job-description specifically includes it and you've got written permission from someone above you so empowered you do not go breaking into things - I don't care how justified you think you are or how suspicious (or innocuous) it looks. If you haven't the brains to do this then good riddance.
I've had boxes on my networks that did everything from SEC compliance monitoring to transferring billions of dollars of bonds daily to running high-power X-ray machines treating live humans in real-time. Your fucking around could harm any one of those - at that point not only would I fire your ass but I'd see that charges were pressed against you (in addition to those from next-of-kin of the person whose radiation therapy you just screwed.)
I work in the real world where boxes are doing important things and no Lone Ranger can be expected to track everything themselves. We've got ways things are done & they're there precisely so things don't slip through the cracks, don't become security issues and some kid who can't keep his fingers out of things doesn't break something important.
To paraphrase (and reinterpret) your closing line:
Any decent IS staffer respects the environment they work in & works with their team. If they can't do that then they get what they deserve - a final paycheck & a walk to the door.
Re:How about faking a super-secret military project (Score:2)
Yeah, I know, I was shooting for maybe a (+1, Funny) on that post, but it looks like most people are missing the joke. It's basically exactly what Cliff Stoll did in his book back then. The link on "anyone" goes to his homepage.
Ah, you young Slashdotters disappoint me. Such quality reading material [amazon.com] out there that you seem to have missed . . . :-)
Re:Honeypots inside the firewall (Score:2)
However, this does not extend to trying to break into something.
If you suspect a problem go talk to the folks who would know about it, or tell security. Hell, my pager number is pasted on my office door, flag me! DON'T go breaking into stuff blindly.
I've said this more thoroughly in another thread but yes, you're right, there is an acceptable level of "Huh? What're you doing here?" and then there's going beyond one's authority. If someone can't appreciate the difference between these two then their judgement is so poor I don't want them no matter how tight the job market.
Marlo Thomas - Free To Be ... You And Me (1972 Television Cast) "There's some kinds of help that are the kind of help we can all do without."
Re:OK. But what about . . . (Score:2)
Oh, then why did the line you quoted include the line "honey pot"?
OK, let's take this slowly. The original poster's comment that I quoted was:
The key concept that I pulled out is the implication that we shouldn't care if "white hat crackers" break into systems and "plug all the holes". Whether it's a honey pot system or not is irrelevant; the point is that he implies that we should look favorably upon people who break into systems with goodness and purity in their heart in order to fix them.
Dammit - why did I register honeypot.net? (Score:2)
It seemed funny and innocent enough at the time. I mean, a pot of honey is a good thing, right? And it sounds kind of humorous, right?
I wish to hell that I'd looked up the technical definition of "honeypot" before I registered honeypot.net. You wouldn't believe the amount of crap my firewall picks up. I can't count the number of Windows-specific trojans I get scanned for on a daily basis. Yeah, I try to report as many as possible, but it's pretty much a losing battle.
A hint to l33t skr1pt k1dd13z: if a box has "honeypot" in the name, then it's probably not really a honeypot. Just leave it alone, would ya?
Evolution of Security (Score:2)
Gee, wonder where they got their inspiration...
Re:Isn't that a bit extreme? (Score:2)
In an ideal world this wouldn't be an issue, but this isn't an ideal world. How do we know that a "white hat" isn't a black hat pretending to be a white hat? He'll point out the obvious holes in your box, and leave a way that only he knows about to get in. Then six months later when you've forgotten about it you find out your network that he has systematically infiltrated is being used to coordinate a DDOS attack against somebody like the FBI.
I don't have a problem with scans. I don't have a problem with someone saying "I saw that the version of bind that you are running is out of date, there are security holes in it." But when someone uses that vulnerability to break into my system it becomes a whole new ball game.
Re:Hang on... (Score:2)
Honeypots inside the firewall (Score:5)
Generally we give them names of interest to tech-types but nothing to the general user community; sometimes we just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.
Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or lose their job. Occasionally where they were using tools or other more-than-casual attempts we'd just fire them on the spot.
A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.
IS folks with that poor judgement and too-easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another company's accounting system.
Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)
Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.
-- Michael
Then there's that contractor I discovered trying to crack my personal desktop box...
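As an added example (not code from this thread or from any poster), here is how the internal decoys described in this post and the reactive honeypot from the "Reactive honeypots are key" post could work together: every touch on a decoy host is recorded, a lone mis-click is only logged, a source that rattles several doors earns a temporary firewall block, and a source that hits many ports within seconds (tooling) earns a permanent one. The decoy names, the log format, the thresholds and the iptables rule form are all assumptions.

```python
# Reactive internal-decoy monitor (added example; all names and values are assumptions).
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed decoy inventory (assumption): internal boxes nobody has a reason to touch.
DECOYS = {"payroll": "10.10.5.20", "srv-eng-04": "10.10.5.21"}

# Constructed firewall log (assumption): "<iso time> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2001-03-05T09:12:01 10.10.7.44 10.10.5.20 445 accept
2001-03-05T09:40:10 10.10.7.51 10.10.5.20 80 accept
2001-03-05T09:40:10 10.10.7.51 10.10.5.20 445 accept
2001-03-05T09:40:11 10.10.7.51 10.10.5.20 139 accept
2001-03-05T09:40:11 10.10.7.51 10.10.5.21 22 accept
2001-03-05T09:40:12 10.10.7.51 10.10.5.21 23 accept
2001-03-05T09:40:12 10.10.7.51 10.10.5.21 21 accept
2001-03-05T09:40:13 10.10.7.51 10.10.5.21 135 accept
2001-03-05T10:02:33 10.10.9.3 10.10.5.21 22 accept
2001-03-05T10:06:12 10.10.9.3 10.10.5.21 23 accept
2001-03-05T10:09:00 10.10.9.3 10.10.5.21 80 accept
2001-03-05T11:00:00 10.10.7.44 10.10.8.9 80 accept
"""

TOOL_PORTS = 6                        # distinct (host, port) touches inside one window => tooling
TOOL_WINDOW = timedelta(seconds=60)
TEMP_BLOCK = timedelta(hours=1)       # "poking" earns a temporary block, "tooling" a permanent one


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    label: str                                   # "mistake" | "poking" | "tooling"
    touches: Set[Tuple[str, int]] = field(default_factory=set)
    block_until: Optional[datetime] = None       # set for temporary blocks
    permanent: bool = False                      # set for permanent blocks


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def _max_touches_in_window(evts: List[Event]) -> int:
    """Largest number of distinct (host, port) touches by one source inside TOOL_WINDOW.
    Many ports within seconds is the signature of a tool, not of a curious click."""
    evts = sorted(evts, key=lambda e: e.ts)
    best = 0
    for i, start in enumerate(evts):
        seen = set()
        for e in evts[i:]:
            if e.ts - start.ts > TOOL_WINDOW:
                break
            seen.add((e.dst, e.dport))
        best = max(best, len(seen))
    return best


def assess(events: List[Event], decoys: Dict[str, str] = DECOYS) -> Dict[str, Verdict]:
    """Classify every source that touched a decoy and decide whether to block it."""
    decoy_ips = set(decoys.values())
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.dst in decoy_ips:
            by_src[e.src].append(e)
    verdicts = {}
    for src, evts in by_src.items():
        v = Verdict(label="mistake", touches={(e.dst, e.dport) for e in evts})
        if _max_touches_in_window(evts) >= TOOL_PORTS:
            v.label, v.permanent = "tooling", True
        elif len(v.touches) > 1:                 # more than one door rattled
            v.label = "poking"
            v.block_until = max(e.ts for e in evts) + TEMP_BLOCK
        verdicts[src] = v
    return verdicts


def firewall_rules(verdicts: Dict[str, Verdict]) -> List[str]:
    """Render block decisions as iptables commands. Rendering only: applying them,
    and expiring the temporary ones, is the deployment's job."""
    rules = []
    for src, v in sorted(verdicts.items()):
        if v.permanent:
            rules.append(f"iptables -I INPUT -s {src} -j DROP  # permanent ({v.label})")
        elif v.block_until is not None:
            rules.append(f"iptables -I INPUT -s {src} -j DROP  # until {v.block_until.isoformat()} ({v.label})")
    return rules


if __name__ == "__main__":
    verdicts = assess(parse_log(SAMPLE_LOG))
    for src, v in sorted(verdicts.items()):
        print(f"{src:12} {v.label:8} touches={len(v.touches)}")
    print("\n".join(firewall_rules(verdicts)))
```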
Re:Isn't that a bit extreme? (Score:2)
Besides, if you can't trust people on the net where stuff doesn't really matter, then where can you trust them? Astounding. Just astounding. I'm glad credit cards don't really matter, because I just noticed a bunch of charges on my card that don't belong to me.
Re:Honeypot Logic? (Score:2)
The honeypot is far more vulnerable than the reals. Whenever someone breaks into the honeypot (using a known exploit)..or hell, even connects to the honeypot at all, that IP is denied access to the rest of the network.
Almost Buried the Most Important Point (Score:3)
Re:Again, social engineering will always beat hack (Score:2)
People who wish to steal or break in usually do so only because they know the value of what's inside.
Re:Honeypots inside the firewall (Score:2)
I have a wonderful lover, a challenging job that pays remarkably well yet allows me to take off very long periods of time, live in a great city with a vibrant nightlife & fantastic cuisine. I've marvellous friends who I value deeply & they seem to do the same in return, and parents I've become good friends with.
Back to the original point (& before your own emotional projection) I've hacked & cracked systems. The difference was that I was clever about it & had permission.
Fer instance I used to contract then work for a well-known publisher/financial services company. It was a great place but IS was a complete mess. Nobody stayed for more than a year, oftentimes it was only a few days, and the standard means of resignation was to leave one's keycard on the desk & simply never return.
This of course meant that we regularly had boxes on the network that nobody had any idea what they were. Since I was invariably the one they called ("It looks like one of your boxes & you run most of the boxes anyway") I soon became adept at getting permission to break in & find out what the damn thing was doing.
The clever part was I did my homework & got permission FIRST. I'd see if there was any traffic to the box, if so from where and what sort? Could I identify any of its users and then what did they know about it? Heck, I'd even call Purchasing and see if anyone had bought one of these recently. This generally took only a few minutes and the assistance of folks whose job it was anyway. The result was I knew what I was going into before I did it, and no big screw-ups.
In your world expecting this kind of professionalism may be the sign of a prick - in mine it's called someone you want on your team.
I'm glad you're happy with your expectations because I'm quite happy with mine & their results. It is a good life.
Hang on... (Score:5)
OK. But what about . . . (Score:2)
Re:OK. But what about . . . (Score:2)
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
He was asking if you would prosecute someone who broke into your honey pot (a ridiculous question if you take out the word honey pot, eh?), and if you would be pissed if someone plugged up the holes in said honeypot.
Why you decided this meant systems in general is beyond me. Which is why I put that in bold, since you seemed to have missed some key info.
And lastly, asking "would you care if..." is not the same as "you shouldn't care if...", and the latter wasn't what the poster said either.
Re:Dammit - why did I register honeypot.net? (Score:2)
I'm not sure I understand what you're trying to say. Did you mean that telling them to look elsewhere is more likely to make them want to attack the system?
Possibly, but this quickly becomes similar to the poison-drinking scene in "The Princess Bride".
BTW, who said anything about being a l33t webmaster-d00d? I needed a domain name for the computer on my LAN, and I wanted it to be publicly addressable, so I bought a domain. I didn't serve web pages until a year or so later.
OH yeah, get approval first (Score:3)
Re:OK. But what about . . . (Score:2)
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
You insist on trying to tell me what my point is. I don't care whether his point was about honey pots or not, my point is that I'm taking issue with the whole question of whether a "white hat cracker" is good or not.
If it makes you happy, then feel free to limit my point to saying that yes, a white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one. But my point is broader than that.
Correct. You're not an expert. (Score:3)
Damn straight you're not a security expert. (And I think you meant OpenBSD). Nobody is a security "expert". Some of us are older, wiser, and bear a lot more scars than others, but *none* of us are experts.
Until you have had a system properly fucked over, you know *nothing* about security.
There are a surprising number of companies saying "We are InfoSec Experts" out there who leave their own internal systems open to flagrant abuse. Like leaving certain ports (137, 139 etc) open to the Internet, and then giving the receptionist a domain account. How hard is *that* to crack? ("Hello, I'm from the auditors. What name do you type in to the computer in the morning? Good, that sounds right. Now, just let me check. What do you type in the other box? Thank you. That's the right answer!")
Back on topic: Honeypots are tremendously valuable if, and only if, they are well run.
In the ongoing battle between the infosec "good guys" (mostly sysadmins) and the infosec "bad guys" (mostly l33t k1dd13s, but with a peppering of serious, professional criminals) the good guys are at a crippling disadvantage. We have to get every single thing right all the time. The bad guys only need to find one single, trivial mistake, and then it's w00t! r00tkit!
These nasty little untalented, bored, socially malformed little twerps have all the cards; That wouldn't be so bad, but they freely give these cards to anyone. Nothing wrong with that. Except that some of the recipients (OK, a small number, but it only takes one) are working for serious, professional blow-your-brains-out-and-cover-you-in-concrete professionals.
Honeypots are one of the few tools that let us monitor, study and comprehend what's going on. (That, and assiduous reading of alt.2600 etc.)
We, the responsible victims of attacks, choose to monitor the attackers in any way we can. We do this because we want the Internet to be a useful place. And we are happy to forward information gained to law-enforcement types.
If script kiddies don't like this then, hey! Build your own sodding network. When you get 100 million people connected, I'll come and look.
Re:OK. But what about . . . (Score:2)
In Australia, the Attorney-General recently determined (and did not announce) that evidence from honeypot machines can't be used in prosecuting offenders unless there's a wiretap order (warrant) for that system. The reasoning was that creating a system that is "intended to be broken into" is sort of like giving permission to the intruder and likely to jeopardise a case.
Script Kiddies (Score:2)
Re:Entrapment, plain and simple. (Score:2)
Why do people continue to believe the the protections we have against the government (Bill of Rights, etc) apply to people who aren't the government at all?
-- Fester
Idiot (Score:2)
Re:Honeypot Logic? (Score:2)
The problem with that is that the IP might be dynamically assigned from an ISP. OTOH, reporting the IP and the time to the ISP is a good idea, so that they can check logs and LART 'em.
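The "deny anything that touches the honeypot" policy from the parent post, with the dynamic-IP caveat from this reply folded in, as an added example that is not code from anyone in the thread: blocklist entries expire after a TTL so a later lessee of the address is not punished, and every contact is recorded as an (IP, time, port) tuple for an ISP abuse report. The log format and the sample lines are constructed for the example.

```python
"""Honeypot-touch blocklist with expiring entries (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical honeypot listener.
SAMPLE_LOG = """\
2001-03-14T02:11:07Z honeypot connect src=203.0.113.45 dport=23
2001-03-14T02:11:09Z honeypot connect src=203.0.113.45 dport=21
2001-03-14T02:40:51Z honeypot connect src=198.51.100.7 dport=80
2001-03-14T03:05:13Z honeypot connect src=192.0.2.9 dport=22
garbage line that must be ignored
"""

TS_FMT = "%Y-%m-%dT%H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z honeypot connect "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Yield (timestamp, src_ip, dport) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["src"], int(m["dport"])


def build_blocklist(text, block_ttl=timedelta(hours=24)):
    """Return ({src_ip: expiry_datetime}, [abuse report records]).

    Any contact at all puts the source on the list (the parent post's policy);
    the expiry is refreshed on every contact, so a persistent scanner stays
    blocked while a reassigned dynamic address ages out (the reply's caveat).
    """
    expiry, reports = {}, []
    for ts, src, dport in parse_events(text):
        expiry[src] = ts + block_ttl
        reports.append({"ip": src, "time": ts.strftime(TS_FMT) + "Z", "port": dport})
    return expiry, reports


def is_blocked(expiry, src_ip, now_iso):
    """True while the entry for src_ip has not expired at the given time."""
    until = expiry.get(src_ip)
    return until is not None and datetime.strptime(now_iso, TS_FMT) < until
```

The `reports` list is what you would hand to the ISP, since an address alone says nothing once it has been reassigned.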
Attracting to the honeypot - how? (Score:2)
How do you attract people to your honeypot system if it's configured just like your other systems, as the article said?
I've read of configurations with all traffic to unsupported ports redirected to a honeypot system: "someone trying to telnet/ftp to my web server? I'll send you to my honeypot for observation instead."
But if you're running a standard, normally configured system as the article mentioned, this doesn't make sense anymore. How's this work?
Re:OK. But what about . . . (Score:4)
Honeypots? (Score:3)
Cuckoo's Egg (Score:2)
Not much to really say, but that the book grabs you (or me at least) and is a quick read. Very enthralling, just watching the cat and mouse game play out between the cracker and the other guy.
perfect application for user-mode linux (Score:4)
Being Rooted Sucks (Score:3)
I don't care what it looks like, it WORKS doesn't it!?!
Legal risks of a honeypot? (Score:4)
Is this similar to leaving a gun rack unlocked, then somebody takes one of the guns and commits a crime with it?
Re:OK. But what about . . . (Score:2)
Not at all. You must not get my point.
You said you don't want anyone cracking your box, and this was abundantly clear. However it was also abundantly clear that the original poster was talking about honey pots, not machines in general. So your response made no sense -- I figured you must have missed a word or two. I guess not.
I don't care whether his point was about honey pots or not
But then why were you going on about "context" and "the key point I extracted"? Apparently the poster's context didn't mean anything to you.
So you don't want people breaking into your box for any reason-- well no shit. As I already pointed out, you are not the kind of person who'd be running a honey pot, so what purpose did your post serve?
white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one.
A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it. That you feel it would be bad means you wouldn't be running a honey pot. This is why I responded in the first place -- it seemed you must not know what a honey pot is.
But my point is broader than that.
Who cares? Your "broader point" is that you don't want white hats breaking into your box. But since you wouldn't be running a honey pot anyway, your "point" can only apply to the very machines about which the poster was specifically not asking. So much for "context".
So instead of thinking you missed information (sorry about that), I'm instead thinking "why the hell did he reply to a post with the exact opposite of what the post asked about?"
Re:Pure Entertainment (Score:2)
Set up a system that is rather easy to crack, but will take a good amount of time to crack. Then whip up a small script that will - the second *anyone* successfully logs in - shut down the server.
I would pay money to see the look on the cracker's face as they see this:
Welcome... (MOTD)
[root@firewall /root]#
Message from root:
This system is going down NOW!
It would be nice to turn the tables around and, for once, make the script kiddy the one who gets ticked off...
Re:Legal risks of a honeypot? (Score:4)
This idea... (Score:3)
It's really interesting, because I used to be the type of person that would not necessarily approve of such a trap in the name of protecting the curious individual who wanted to see what was out there. But the fact is, the people doing these things are becoming too big of a problem. And it seems that the whole purpose of snooping around has been sort of eliminated with the open source movement and Linux. Why snoop around when you can have your own *nix box with just about anything available at your fingertips, for free?
Re:Attracting to the honeypot - how? (Score:2)
Beware of the Pooh... (Score:5)
Interesting (Score:2)
And this, my comrades, is EXACTLY why the "dotcom shakeout" happened. When Joe Admin can't keep a 10 year old from breaking into his site using a script, which by the way takes advantage of a 3-month-old exploit and the kid barely understands, how can one expect that site to make a profit?
Admins (Score:5)
The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality, which isn't really effective since people scan blocks of IP addresses at a time.
Hopefully some administrators will get their acts together after reading about honeypots.
"War is hell" -- General Sherman Tecumseh