

The Internet

The Honeypot Project

Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite a while ago. Actually it's an interesting article. I'd like to say pretend that when I got 0wn23d that it was really just my HoneyPot fooling them.


  • I like this idea. Study the ways of your adversary. The US spies on other countries 24/7/365. Why can't we monitor our own networks and learn to protect them to the best of our abilities? Some people might say that this is deception and just a corporate scheme to get some kids arrested. If I owned a high profile, or even low profile, network, I would want someone protecting my network at all times. And this may mean hiring another person to figure out why my network is getting cracked/hacked.

    If a kid walks into a store, steals a candy bar, and is caught on video tape, then he deserves to be punished/arrested. If a kid breaks into my website, defames it, steals information, and causes damage to my systems, then he/she deserves to be arrested.


    Being aware of your surroundings can help protect yourself.

  • I was about to give up, but I'm feeling masochistic tonight, so let me give it one more shot.

    I understand the overall point of his post. However, I focused on one somewhat tangential implication that he was making, namely, that there exist "white hat crackers" that are morally different from "black hat crackers", and thus they should be treated differently, in case the managers of the honey pots intended to prosecute break-ins (which personally I think is a good idea).

    That's the point I took issue with. I don't think there is any difference between white/black hat hackers, except for motivation, and I don't care about motivation.

    To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.

    A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it.

    By the way, the purpose of a "honey pot" is not to be broken into, any more than a canary's purpose is to die in a coal mine. They're just indicators of a problem. Obviously it's bad when it gets broken into, because that indicates you have a security problem.


  • Blocking "known" attackers sounds like a great idea...at first. And then you remember that many people are on a modem with a dynamic IP, and that most attacks are executed from previously hacked boxes. This is why counter-attacks are almost never a good idea; you generally end up attacking someone who's in your position, and then they mistake you for the real attacker, and you end up with a nice pretty lawsuit.

    And the whole time the real attacker sits back and laughs his butt off.
  • And for those who are even more adventuresome, reactive honeypots can be configured to flood the intruder's IP...

    There was a case quite a while ago about whether "hacking back" was legal or not. I don't really remember the details, but I think someone hacked into a company's servers, and the IT staff at the company saw this and "hacked back" (maybe they just DoS'd the attacker).

    The one thing I still remember from this is the line (to paraphrase, most likely) "Not only did they do something illegal; they issued a press release bragging to the world that they did it."

    The bottom line - think twice about this. Even if you are 100% sure that the IP you're about to flood is the IP of someone who's trying to bring down your system. I don't know the laws, but I don't think the same kind of "personal defense" laws apply here. (I could be wrong.)

  • The one thing I'd like to stress is this - poking around isn't necessarily wrong.

    Sure, if I randomly decided to "poke around" at guessing the root password on the company's main server, I could understand being fired. But finding a new server on the network and seeing if your account works should not be something you challenge - provided that they only try their account.

    BTW, people who try to crack the desktop of a security professional should be put on record as having been fired for both attempting to breach system security and for stupidity. ("Oh, let's go hack the IT security guy's desktop. Bet he'll never figure it out!" Duh...)

  • Then my question still stands, whatever happened to that box? Did it get cracked?

  • Some people might say that this is... just a corporate scheme to get some kids arrested.

    You're absolutely right, but this is an outrageous idea. There was a huge discussion over whether or not this was "entrapment" (which only the FBI can do, or something like that). You're catching them in the act. Your example of a video camera is good. You are not really doing anything different (by running a honeypot), except it can deny them access to your network. But if you see the person who stole the candy bar trying to come into your store, and you tell him to stay out, is this entrapment? I think not!

  • The problem with "White Hat Hackers" is how do you tell the difference? Chances are very good you can't tell the difference until it's too late. If I were a "Black Hat Hacker", one of the things I'd probably do is try to develop a relationship with the System Administrator by letting him know about one or two holes, make him think I'm on his side. Social Engineering is a skill most Hackers pick up pretty early on. The safest thing to do is don't trust anyone who is not a legal user of your system, assume anyone breaking into your system intends to harm it and act accordingly.

    Jesus died for somebody's sins, but not mine.

  • If you don't have the key it's your problem.
    Your car can be used to commit a crime, even a murder.
    Locking your car is a good thing for the society even if it's a bad thing for you.
  • by LameBrain ( 213401 ) on Tuesday December 19, 2000 @01:48PM (#547809) Homepage
    The door was unlocked because the lock is broken and now it's going to cost me $100 bucks to get a locksmith out here and I'll have to wait an hour for him to get here.

    Just leave it alone. If my battery goes dead enough times then I'll learn my lesson.

    You are not entitled to screw around with other people's property just because you think you know what's best for them. Feel free to voice your opinion but keep your hands off. Thank you very much. I don't think that's an unreasonable request.
  • Just set up your router to allow incoming connections but not outgoing. Then if they get in they don't go anywhere.

    That's not enough to forestall all types of attacks. Ping flooding, which doesn't require a connection, for example.
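The "incoming yes, outgoing no" idea above, plus the rebuttal that ping floods need no connection, is what honeynet operators later called data control. The following is an added example, not code from this thread: it models the stateful filter a honeypot sits behind on a constructed packet list (inbound anything accepted, outbound TCP/UDP accepted only as a reply to a flow seen inbound, outbound ICMP rate-limited rather than connection-matched) and prints the equivalent iptables rules. The interface name `hp0`, the addresses and the traffic are all assumptions.

```python
"""Honeypot data control: let attackers in, keep the honeypot from attacking out.

Added example, not code from the Slashdot thread. Models the stateful filter
in front of a honeypot on constructed traffic. Interface name "hp0" and all
addresses are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float            # seconds
    direction: str      # "in" = toward the honeypot, "out" = from the honeypot
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int          # 0 for icmp
    dst: str
    dport: int          # 0 for icmp


class DataControl:
    def __init__(self, icmp_per_minute: int = 5):
        self.icmp_per_minute = icmp_per_minute
        self.flows = set()        # 5-tuples of flows first seen inbound
        self.icmp_times = []      # timestamps of outbound ICMP we let through

    def verdict(self, p: Packet) -> str:
        if p.direction == "in":
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"       # everything inbound is welcome, that is the point
        if p.proto in ("tcp", "udp"):
            # outbound is only a reply if the reversed tuple was seen inbound
            reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "ACCEPT" if reply_of in self.flows else "DROP"
        if p.proto == "icmp":
            # no connection to track: sliding one-minute window instead
            recent = [t for t in self.icmp_times if t > p.t - 60.0]
            if len(recent) < self.icmp_per_minute:
                recent.append(p.t)
                self.icmp_times = recent
                return "ACCEPT"
            self.icmp_times = recent
            return "DROP"
        return "DROP"             # anything else leaving the honeypot


def iptables_equivalent(iface: str = "hp0", icmp_per_minute: int = 5) -> list[str]:
    """The same policy as iptables commands on a gateway that forwards to the
    honeypot (modern syntax; the 2000-era equivalent was ipchains)."""
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -o {iface} -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -p icmp -m limit --limit {icmp_per_minute}/minute -j ACCEPT",
        f"iptables -A FORWARD -i {iface} -j LOG --log-prefix 'HP-EGRESS '",
        f"iptables -A FORWARD -i {iface} -j DROP",
    ]


# Constructed traffic: an attacker's inbound telnet, the honeypot's reply,
# then the compromised honeypot trying to telnet onward and to ping-flood.
SAMPLE_TRAFFIC = [
    Packet(0.0, "in", "tcp", "203.0.113.7", 40000, "198.51.100.20", 23),
    Packet(0.1, "out", "tcp", "198.51.100.20", 23, "203.0.113.7", 40000),
    Packet(5.0, "out", "tcp", "198.51.100.20", 40001, "192.0.2.9", 23),
] + [Packet(10.0 + i, "out", "icmp", "198.51.100.20", 0, "192.0.2.9", 0) for i in range(7)]


def run(traffic: list[Packet] = SAMPLE_TRAFFIC) -> list[str]:
    """Verdict per packet, in order."""
    dc = DataControl()
    return [dc.verdict(p) for p in traffic]


if __name__ == "__main__":
    for p, v in zip(SAMPLE_TRAFFIC, run()):
        print(f"{p.direction:>3} {p.proto:<4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
    print("\n".join(iptables_equivalent()))
```

The simulator puts every outbound ICMP packet through the rate limit; the real rule set would let an echo reply to an inbound ping through as ESTABLISHED first. The LOG rule before the final DROP is the part worth keeping: a honeypot that suddenly wants to talk outbound is the signal you set it up to get.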

  • It's quite old news, please go to The Motives and Psychology of Black-hats in RootPrompt [rootprompt.org] for details.

    Reading the IRC logs in the article you will find that there's one Pakistani hacker D1ck who got caught in the honeypot; I suspect 'a group of suspected Pakistani hackers' is an overstatement, because the rest of the hackers are Americans, say j4n3.

    D1ck did say his main target was Indian websites, but he did also initiate DDoS attacks on some US websites, with the help of other US hackers.

    From my point of view, it's more accurate to say "a group of US hackers and a Pakistani hacker".

    The ZDNet article does not mention how to build a honeypot; read Build a Honeypot [rootprompt.org] for a hint.

  • Who do you think made the tools that the script kiddies use? Obviously, not stupid people ... at least people smart enough to know that if made readily available, the software could and would be used maliciously.

  • I meant that you could run several honeypots on a single machine. It would look like a full network of boxes. You could "rebuild" a rooted system by making a backup of a single file (the loop'ed fs) and restoring it. You could refresh a system in 30 seconds.
  • Wouldn't it be embarrassing to break into one of those? It's like breaking into a police station WHILE EVERYONE IS THERE! hehe
  • I've always been for putting a spare computer/box/whatever for use as honeypot. Not only can you learn a little (after weeding out script kiddie traffic) about what tactics are most widespread but you can also learn VERY valuable information from mistakes you leave (intentionally or unintentionally) on the honeypot before it gets to the network you are trying to protect. I know a lot of people consider these just stomping grounds for computer crime but I feel that while that could be and is partially true the potential benefit from having such things outweighs the presumed negative effects.
    aim: bagel is back | icq: 158450
  • Milne would also cry that, as two of us are parents, we SLAUGHTERED his name... E, A, they're both vowels, right?

    that's what I get for typing faster than I think...

  • I'd like to, say, pretend that when I got owned, that it was really just my HoneyPot fooling them.


  • I've done something similar in a very minor sense. When I was a big MUD admin, I'd startup a mud with the general codebase, and invite a buncha hackers into it to crash it and exploit any bug or cheat. Logged everyone, plugged all the holes, and it still runs without a player caused crash since the public opening.
    But always remember that you can never be 100% secure, because crackers will always find another hole, no matter how tight the security.

  • Was there any outcome to that entire thing? I believe you are referring to the "crack this box" site that Microsoft put up with a near final version of Windows 2000.

  • To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.

    Oh. Then ignorance is the source of our problem, as I suspected.

    You see, there is in fact an entity known in security circles as the "white hat". The "white hat" is the security expert that is on your side -- the white hat is the one who, once a security hole is discovered, will tell you about it, or hack the code themselves to fix it. As opposed to the black hat who tries to break in to whatever he can, take whatever he can, and not tell anyone so he can do it again.

    A true white hat wouldn't try to break into your honey pot unless he knew it was a honey pot, and he knew it was OK for him to try (either by being told, asking, or seeing a public announcement). If he succeeded, he'd make sure you knew exactly what he did. The white hat wouldn't try to break into your main system at all, unless you contracted him to. In short, he wouldn't do things that piss you off.

    So there is a big difference in action, not just motivation.

    The original poster didn't make this distinction clear. In answer to his question, someone who breaks in and 'fixes things' without permission isn't a white hat. But it is there.

    Obviously it's bad when it gets broken into, because that indicates you have a security problem.

    Heh. Right. And since there are no elephants around, that means my elephant repellent works perfectly, right?

    Actually, it's good when your honey pot gets broken into, and your main machines don't. You've realized there is a hole, and because the honey pot is not connected to anything important, the break-in didn't cost you anything, and you can fix the vulnerability before you lose 10,000 of your customers' credit cards.

    The assumption is that you have security holes you don't know about, and letting the "black hats" tell you about them by exploiting them in a safe way is the point.

    A honey pot that doesn't get cracked proves very little, and shouldn't make you feel much safer.
  • There is also the frustration of the sys admin saying "This is not a secure way of doing this" and someone higher up saying "Yes, but your proposed way is more difficult. Let's do it the easy way."

    "Gee...let's just let anyone telnet into the system from anywhere because if we require ssh, then what if they don't have access?"

    Well, anyone can sniff across that wire and capture the passwords.

    "Well, then put ssh on the machine, but also leave telnet open. That should help."

    Okay...by the way - can I put you down as a reference?
  • I think it would be embarrassing to break into one of these. That is a good analogy. -- ibjhb
  • If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.

    This white hat cracker discussion reminds me of a sting the police conducted here a few Christmases ago. They put a new television in the back seat of a car and parked it unlocked in a shopping center lot. They were unsuccessful because passersby kept noticing the situation and would lock the car door. People will attempt to do good deeds, even if, as in your case and theirs, it's unwanted.

  • You're the F***ing troll, you imposter.
  • by tiny69 ( 34486 ) on Tuesday December 19, 2000 @06:28PM (#547825) Homepage Journal
    Spotting a Honeypot is fairly easy. The first thing you do when you gain access to a computer is ask yourself one simple question,

    What is this computer used for?

    Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty or the webpage is the default one installed with the OS, then something is up.

    Check for user activity. Are there any users? Go to ~/.netscape (if the machine is unix). What are the timestamps on the files? Does the user have any email? By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitely wrong!!

    Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.

    One last check before getting the hell out of dodge, sniff the network. Who else is on it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), you've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....

    do a quick `rm -rf /` and never go back.

  • From what I've seen, the "dotcom shakeout" had little to do with the competency of the people working in the server room, and everything to do with the flawed business practices of the suits out in the front office.

    If you don't have a valid plan for making profits, it doesn't matter how much you're paying your system administrators, or how clueless they are.
  • I have not locked the doors to my Jeep once in three years, and nobody has ever locked it for me.
  • Sure, they crave attention -- but not from the admins of the boxes they break into. Social engineering [securify.com] is probably the most effective, amusing, and easiest method of cr/hacking. Misrepresentation is the key, so of course they'll say, "why yes, I am a white hat cracker". Please.

    Later they'll go back to irc and brag to their friends, especially about any social engineering hacks. That's how they "get the chicks" (uhhh, right)

    Frankly, in this day and age social engineering takes more ingenuity and originality than any insipid root kit or named exploit (imho, of course). Firewalls, honeypots, and NIDSes can't compete against a single gullible sysadmin and a phone.


  • Remember the lesson that Winnie the Pooh taught us. If you try to disguise yourself as a little black rain cloud you can still get stung by the bees.
  • by Samrobb ( 12731 ) on Tuesday December 19, 2000 @06:55PM (#547830) Homepage Journal
    A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot.

    Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...

    Then you fire them?

    You really shouldn't have to. Any decent IS staffer subjected to this kind of treatment should give you exactly what you deserve - a rude gesture - and walk out.

  • I think you have to be invited to be considered a "White Hat" -- if you do nice things without an invitation, that makes you a "Gray Hat", and if you do bad things that makes you a "Black Hat". -Alec
  • Apparently you aren't exactly clued in as to what a "honey pot" is. It's a machine put on the 'net for the express purpose of (bold and italics, so maybe it sinks in) letting it be cracked. If you don't want anyone on your system, obviously you wouldn't be running a honey pot.

    Also, for your continued enlightenment, in security parlance the "white hats" are the guys on your side -- they are trying to help you, by discovering exploits, going over code, etc and reporting what they find, so people's security can be increased. They aren't attempting cracks on unsuspecting people's boxes. But a honey pot (see above) would be fair game, no?
  • Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?

    There's no such thing as a "white hat cracker". Quite frankly, I don't care if you find a vulnerability in my system. STAY THE HELL OUT OF MY SYSTEM. Send me an e-mail, fine, thank you. But I don't need roving bands of do-gooders changing my system (and more than likely screwing it up in the process).

    Put it this way: If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.


  • I have this great idea for a honeypot, although it might seem a little futuristic.

    Picture this: we create a series of directories that contain apparently classified military information. We'll call it something obscure, some sort of acronym, like SDINet, for example . . . I bet that would keep a dedicated hacker occupied for hours, especially if you mixed in some binary files so they had to check each one before trying to view it on the server.

    I know it seems bizarre, but I think it actually might work! And the best part is I don't think anyone [berkeley.edu] has ever come up with anything like this before!

    Let me know if you think it would work.


  • by Anonymous Coward
    Just set up your router to allow incoming connections but not outgoing. Then if they get in they don't go anywhere.
  • Recourse Technologies [recourse.com]
    Commercial honeypots like these prolly are a bit more sticky than handcrafted ones.
    /*shameless plug*/
    Honestly though it's much better to know where people are and what they are doing, than wondering where they are and what they are doing.
  • by Anonymous Coward
    Hey this was in the Wall Street Journal this morning, then on Wired, or wherever else it might be.

    Are we getting spammed? Or would this be like a DoS, DoI (Denial of Information/Intelligence)? Much better than a DuI.

    I think it's a coordinated press assault. They are forcing news on us no matter how many times they have to say it.

    Long live the Conspiracy Theories!

    This message was brought to you by the letter B.

  • If I leave my garden hose outside, and then somebody strangles somebody with it, am I liable?

    My point is -- we know guns are made to shoot things, computers are *not* made to attack other systems. "Computers don't attack people, people attack people." :)
  • RealityMaster101 claims, "There's no such thing as a 'white hat cracker.'" However I believe I was such a creature (I am now mostly retired). Back in the days of BBSes I used to send electronic mail to various sysops stating my intent to attempt to compromise their BBS. I said that if I did I would tell them how I did it, possibly suggest a fix, and not tell anyone else. I would then await a response; usually I got a go-ahead. I would then crack the system, or try to, then send in my results to the sysop.

    So, RealityMaster101, I ask, do you consider my actions "White Hat Cracker" actions or "Black Hat"? Or something completely different?

    BTW I realize that what I did is not what most people who claim the title "White Hat Cracker" do, and I do not mean to imply that they do or do not deserve their claimed title.
  • Black hats are entirely too proud of their blackhat status and will flaunt it at every opportunity -- calling themselves a white hat would be counter to their mission in life of instilling fear.

    Those are just the dumbass ones. Like someone who robs a bank and buys drinks for everyone at the local bar the next night, bragging about their big score. Those are probably the ones to be the least concerned about. They are at the low end with the ones you never hear from at the top.

  • And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.
    Sounds like a bad idea to me... most attacks are launched from previously 0wned boxes.
  • Which is why, while I distrust the government to an extent, I distrust corporations far more.
  • Possibly a lack of commas, more likely Taco failing to decide between 'say' or 'pretend'. Particularly in light of the fact that he typo'd on 0wn3d too.

    More evidence of the downward spiral of editorial quality here.
  • by istartedi ( 132515 ) on Tuesday December 19, 2000 @12:42PM (#547851) Journal

    If the honeypot is intentionally more vulnerable than the real server, then you are just demonstrating known exploits.

    If the honeypot is *more* secure than the real server, why did you waste time securing the honeypot that could have been spent securing the real server?

    Finally, if the honeypot is equal in security to the real server, you are cutting the odds of a real server being hacked to:


    In most large organizations honeypots will be a very small number compared to reals. In small organizations you could make a difference, but how many small orgs can afford an extra server or two?

    The idea that you can learn about the attacker while watching him closely is intriguing, but while you're watching the honeypot, who's watching the reals?

    My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...

  • by Chuck Flynn ( 265247 ) on Tuesday December 19, 2000 @12:46PM (#547852)
    There are two types of honeypots -- the passive kind and the reactive kind. The former merely sits there and alerts you when someone enters your system. The latter actually responds to the attack by reconfiguring your system to deny access to the intruder. The latter is a far better implementation.

    The way reactive honey pots work is to tell the firewall to block access from the intruder's address, temporarily or even permanently. Linux really shines here, since the firewall code in the kernel is particularly well suited to this sort of solution, though you can accomplish the same effect with most any operating system. And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.

    Passive honeypots are good as an information-gathering tool for measuring your visibility on the net and the current state of script-kiddy activity, but reactive honeypots are definitely the way to go. They're the proactive solution to a chronic problem.
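The blocking half of a reactive honeypot is small enough to show in full. What follows is an added example, not code from this thread or from any product it mentions: it reads a constructed honeypot connection log, counts hits per source, skips an allowlist of your own monitoring hosts, and emits temporary iptables DROP rules with an expiry. The log format, addresses, chain name and TTL are all assumptions. Blocks are deliberately temporary, for the reason other posters give: most attacks arrive from previously compromised or dynamically addressed hosts, so a permanent block mostly hits whoever holds that address next. The flood-back variant is left out for the same reason.

```python
"""Reactive honeypot: turn honeypot hits into temporary firewall blocks.

Added example, not code from the Slashdot thread or any product it names.
Assumptions (all constructed): the honeypot logs one accepted connection
per line as "<unix_time> <source_ip> <destination_port>", and rules are
emitted as iptables command strings rather than applied.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample log: repeated hits from one host, one hit from a
# monitoring host inside our own allowlisted range.
SAMPLE_LOG = """\
977227200 203.0.113.7 23
977227205 203.0.113.7 21
977227260 198.51.100.9 22
977227300 192.0.2.44 80
"""

# Sources that must never be blocked: your own scanners and monitors (assumed range).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Block:
    ip: str
    first_seen: int
    last_seen: int
    hits: int
    expires: int


def parse_line(line: str) -> tuple[int, str, int] | None:
    """Return (time, source ip, port), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ipaddress.ip_address(parts[1])   # reject garbage before it can reach a firewall rule
        return int(parts[0]), parts[1], int(parts[2])
    except ValueError:
        return None


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def reactive_blocks(log_text: str, now: int, ttl: int = 3600,
                    min_hits: int = 1) -> dict[str, Block]:
    """Block table as of time `now`; each block lives `ttl` seconds past the last hit."""
    seen: dict[str, Block] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        t, ip, _port = rec
        if is_allowlisted(ip):
            continue
        b = seen.get(ip)
        if b is None:
            seen[ip] = Block(ip, t, t, 1, t + ttl)
        else:
            b.last_seen = max(b.last_seen, t)
            b.hits += 1
            b.expires = b.last_seen + ttl
    return {ip: b for ip, b in seen.items() if b.hits >= min_hits and b.expires > now}


def iptables_rules(blocks: dict[str, Block], chain: str = "HONEYPOT_BLOCK") -> list[str]:
    """Render the table as iptables commands. The chain is assumed to exist and
    to be jumped to from INPUT/FORWARD; a cron job re-renders it as blocks expire."""
    return [f"iptables -A {chain} -s {b.ip}/32 -j DROP  # expires {b.expires}, hits {b.hits}"
            for b in sorted(blocks.values(), key=lambda blk: blk.first_seen)]


if __name__ == "__main__":
    for rule in iptables_rules(reactive_blocks(SAMPLE_LOG, now=977227300)):
        print(rule)
```

Raising `min_hits` above 1 trades a little delay for fewer blocks triggered by a single stray probe; the allowlist keeps the reactive part from cutting off the very monitoring that tells you the honeypot was hit.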
  • by SirSlud ( 67381 ) on Tuesday December 19, 2000 @12:46PM (#547853) Homepage
    If Mitnick proved anything, it was that social engineering will always be a greater threat than the script kiddie thing. Attacks from 'within' are more dangerous, and often harder to detect than outside attacks. I still believe the best measure of your systems' vulnerability is the inside-facing attitude your team and co-workers have towards your security methodologies.

    Also, because the internet is as subject to fads and trends as any other social medium, I think you'll find 'script kiddy-ing' become less and less 'cool' over the days. There is always a renaissance towards the more hand-made, home-grown ways of doing something; in the case of hacking, this narrows the list of possible offenders considerably due to the increased need for talent and knowledge in such hacking styles.

  • much like the people who manufacture crowbars, boltcutters and powerdrills.

  • Lesson - Don't use ftp.

    anonymous file transfers? - use apache

    authenticated file transfers - use ssh+(scp/sftp)

    I mean, how the hell do you firewall a passive ftp server? or active for clients? add nat and things get screwed. Yes everything is possible, but why do it the hard and insecure way?

    Yes, lusers love ftp, but life is hard.
  • Look, a black hat isn't a script kiddie in IRC advertising how many boxes he's (I'm sure the women out there will forgive me for not using a gender-neutral pronoun in this case) owned. Not the guy who wrote the script-kiddie tools and bragged about those either.

    A black hat is a cracker with malicious intent. While this may mean kiddies, it also includes the people trying to grab a couple thousand credit cards so they can go on a shopping spree. It includes the cracker performing industrial espionage, so their employer can get a competitive advantage. It includes whoever would want your data, and sure as hell isn't going to brag about getting it on IRC.

    Script kiddies are annoying, but what makes them annoying is also what makes them the least of your concerns.
  • Oh, then why did the line you quoted include the line "honey pot"?

    As to missing the </b> tag, my excuse is sleep deprivation. What is your excuse for missing the word you yourself quoted?
  • A large hosting company I have worked with uses honeypots to divert crackers away from production machines. They name them enticing names like "finance.xyz.com" and "credit.xyz.com" to attract crackers. They run pretty much out-of-the-box (unpatched) installs of *BSD, Solaris, etc and just sit back and watch.
  • it refers to the "tewwetruggur" contingency... we collectively post under one ID... usually at least 3 of us conspire on the posts together. When I type "I", it is because one of us (me) does most of the actual posting. It's a bizarre experiment, but so far, damn interesting and entertaining.

  • I'd be scared to see what Winnie the Pooh would look like if it was e. e. milne... :-)

    ...actually, I tried to post what it would look like in e. e. cummings style, but CowboyNeal's lameness filter prevented me! Now *that's* funny...
  • by dave-fu ( 86011 ) on Tuesday December 19, 2000 @12:51PM (#547871) Homepage Journal
    I'm guessing that rfp said it best [neohapsis.com]...
    Yes, it's likely entrapment. No, no one's really sure whether it'll hold up in court. No, you don't know what you're hoping to accomplish. Yes, it's a really bad idea. Worry about getting your IDS and firewall rules up to date and your security policies and tripwires strictly monitored before you bother with nonsense like a honeypot.
  • Finally, if the honeypot is equal in security to the real server

    You could try out a new service that isn't put on the server yet. You could think of it as a testbench.
  • I wonder if Dick Clark would be interested in hosting a television program that shows server log messages?


    Capt. Ron

  • So, assuming script kiddies are such a big problem, what are the ethics of writing these scripts? Does that serve any purpose, other than weakening security?

    Just wondering what people think about this...
  • by MattW ( 97290 ) <matt@ender.com> on Tuesday December 19, 2000 @01:19PM (#547875) Homepage
    Recourse [recourse.com]'s first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.

    Honeypots are some of the fluffiest of security products, imo, far less useful that firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.

    Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live /proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.

    Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.

    It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have privileged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
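The Bugtraq observation above (kill signals reveal pids the cage hides) is also the cheapest acceptance test an operator can run on their own cage before putting it on the DMZ. The following is an added example, not code from this thread or from the Recourse product: run inside the cage, it compares the process view the cage presents with what `kill(pid, 0)` reports, and reports pids the kernel admits to but the cage omits. It assumes Linux (`/proc` for the visible view, POSIX `kill` as the probe); the pid sets in the self-test below are constructed.

```python
"""Honeypot cage self-test: does the kernel admit to processes the cage hides?

Added example, not code from the Slashdot thread or the Recourse product.
Run by the honeypot operator inside a chroot/cage to confirm that the process
view presented there matches what signal delivery reveals. Assumes Linux.
"""
from __future__ import annotations

import os
from typing import Callable, Iterable


def visible_pids(proc: str = "/proc") -> set[int]:
    """Every pid and thread id the cage shows. Thread ids matter: on Linux
    kill(tid, 0) succeeds for a thread, but threads are listed only under
    /proc/<pid>/task, so ignoring them produces false 'hidden' hits."""
    ids: set[int] = set()
    try:
        names = os.listdir(proc)
    except OSError:
        return ids
    for name in names:
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task") if t.isdigit())
        except OSError:
            pass                      # process exited while we looked
    return ids


def kernel_says_exists(pid: int) -> bool:
    """kill(pid, 0) delivers no signal but still answers the existence question:
    ESRCH -> no such process, EPERM -> exists but not ours, success -> exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(visible: set[int], probe: Callable[[int], bool],
                     candidates: Iterable[int]) -> list[int]:
    """Pids the probe reports as alive that the visible view omits."""
    return sorted(pid for pid in candidates if pid not in visible and probe(pid))


def pid_max(default: int = 32768) -> int:
    """Upper bound of the pid space (constructed fallback when /proc is absent)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default


def self_test() -> list[int]:
    """Live check. Two snapshots bracket the probe so processes that start
    during the scan are not reported as hidden."""
    before = visible_pids()
    hidden = find_hidden_pids(before, kernel_says_exists, range(1, pid_max() + 1))
    after = visible_pids()
    return [pid for pid in hidden if pid not in after]


if __name__ == "__main__":
    leaked = self_test()
    print("cage view is consistent" if not leaked else f"alive but hidden: {leaked}")
```

A non-empty result means the cage's fake process table is out of step with the real kernel, which is exactly the tell the Bugtraq post describes; the fix is on the cage side (consistent `/proc` emulation or a real VM), not in this script. On hosts with a large `pid_max` the full scan takes a while; narrowing `candidates` to the range the cage claims to use is fine for a quick check.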

  • by Samrobb
    Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...

    Then you fire them?

    Damn right - Bang! Gone.

    Mis-clicks are fine, we all do them. Even rattling the door-knob is kewl. But the minute you try to break in you're outta there. I run big networks, stuff comes & goes all of the time and a certain degree of interest is expected (& welcomed.)

    This does not extend to trying to break into boxes that aren't yours.

    I don't care if it's called "Hax0rs l00t" once you've determined the front door is closed then pass it onto the right folks & move on. Raise the alarm, stick your head into the Net Security Admin's office, ask them for follow-ups, bring it up at a Change Control meeting, whatever but breaking into something that isn't yours & you haven't the authority to access is grounds for (immediate) termination.

    No apologies, no excuses.

    Again, we have folks in charge of keeping the network organized, they should know about anything new or different on the network, ask or tell them. We have folks in charge of security, they should be notified about any concerns you have. Unless your job-description specifically includes it and you've got written permission from someone above you so empowered you do not go breaking into things - I don't care how justified you think you are or how suspicious (or innocuous) it looks. If you haven't the brains to do this then good riddance.

    I've had boxes on my networks that did everything from SEC compliance monitoring to transferring billions of dollars of bonds daily to running high-power X-ray machines treating live humans in real-time. Your fucking around could harm any one of those - at that point not only would I fire your ass but I'd see that charges were pressed against you (in addition to those from next-of-kin of the person whose radiation therapy you just screwed.)

    I work in the real world where boxes are doing important things and no Lone Ranger can be expected to track everything themselves. We've got ways things are done & they're there precisely so things don't slip through the cracks, don't become security issues and some kid who can't keep his fingers out of things doesn't break something important.

    To paraphrase (and reinterpret) your closing line:

    Any decent IS staffer respects the environment they work in & works with their team. If they can't do that then they get what they deserve - a final paycheck & a walk to the door.

  • Yeah, I know, I was shooting for maybe a (+1, Funny) on that post, but it looks like most people are missing the joke. It's basically exactly what Cliff Stoll did in his book back then. The link on "anyone" goes to his homepage.

    Ah, you young Slashdotters disappoint me. Such quality reading material [amazon.com] out there that you seem to have missed . . . :-)


  • Again, rattling the doorknob is fine. I expect the night-watchman to wander through the building and make sure doors are closed and the appropriate ones are locked; This is reasonable for an IS staffer to do also.

    However, this does not extend to trying to break into something.

    If you suspect a problem go talk to the folks who would know about it, or tell security. Hell, my pager number is pasted on my office door flag me! DON'T go breaking into stuff blindly.

    I've said this more thoroughly in another thread but yes, you're right, there is an acceptable level of "Huh? What're you doing here?" and then there's going beyond one's authority. If someone can't appreciate the difference between these two then their judgement is so poor I don't want them no matter how tight the job market.

    Marlo Thomas - Free To Be ... You And Me (1972 Television Cast) "There's some kinds of help that are the kind of help we can all do without."

  • Oh, then why did the line you quoted include the line "honey pot"?

    OK, let's take this slowly. The original poster's comment that I quoted was:

    Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?

    The key concept that I pulled out is the implication that we shouldn't care if "white hat crackers" break into systems and "plug all the holes". Whether it's a honey pot system or not is irrelevant; the point is that he implies that we should look favorably upon people who break into systems with goodness and purity in their heart in order to fix them.


  • It seemed funny and innocent enough at the time. I mean, a pot of honey is a good thing, right? And it sounds kind of humorous, right?

    I wish to hell that I'd looked up the technical definition of "honeypot" before I registered honeypot.net. You wouldn't believe the amount of crap my firewall picks up. I can't count the number of Windows-specific trojans I get scanned for on a daily basis. Yeah, I try to report as many as possible, but it's pretty much a losing battle.

    A hint to l33t skr1pt k1dd13z: if a box has "honeypot" in the name, then it's probably not really a honeypot. Just leave it alone, would ya?

  • Thus, as script kiddies and other interested parties invade the vulnerable cell, the detection and prevention abilities of the immune system improve.

    Gee, wonder where they got their inspiration...


  • That's fine if all they do is knock on the door. The white hat cracker however is like a missionary who comes in without an invitation. And not only that but if the front door is locked he'll walk around the house and try the windows, the basement door, and the back door. If it is a particularly vigorous white hat cracker he'll even climb up a ladder and try the upstairs windows. And once he gets in how do I know he didn't make a copy of the key that was lying on my dresser so he can get back in any time?

    In an ideal world this wouldn't be an issue, but this isn't an ideal world. How do we know that a "white hat" isn't a black hat pretending to be a white hat? He'll point out the obvious holes in your box, and leave a way that only he knows about to get in. Then six months later when you've forgotten about it you find out your network that he has systematically infiltrated is being used to coordinate a DDOS attack against somebody like the FBI.

    I don't have a problem with scans. I don't have a problem with someone saying "I saw that the version of bind that you are running is out of date, there are security holes in it." But when someone uses that vulnerability to break into my system it becomes a whole new ball game.
  • You think you're joking [vnunet.com]...
  • In several companies I've consulted for we've put honeypots (decoys) on the corporate network. Generally they've been end-of-life boxes stuck in a closet & intentionally locked out of the rest of the network (sometimes down to the router level.)

    Generally we give them names of interest to tech-types but nothing the general user community, sometimes just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.

    Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or lose their job. Occasionally where they were using tools or other more-than-casual attempts we'd just fire them on the spot.

    A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.

    IS folks with that poor judgement and too easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another company's accounting system.

    Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)

    Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.

    -- Michael

    Then there's that contractor I discovered trying to crack my personal desktop box...

  • Your reasoning is so ridiculous, it is traumatic. He's not a black hat, because he says he's not. Truly amazing logic there. Flabbergasting

    Besides, if you can't trust people on the net where stuff doesn't really matter, then where can you trust them? Astounding. Just astounding. I'm glad credit cards don't really matter, because I just noticed a bunch of charges on my card that don't belong to me.
  • How about...

    The honeypot is far more vulnerable than the reals. Whenever someone breaks into the honeypot (using a known exploit)..or hell, even connects to the honeypot at all, that IP is denied access to the rest of the network.
  • by GlobalEcho ( 26240 ) on Tuesday December 19, 2000 @01:29PM (#547899)
    Right at the very end of the article is the most important point of general corporate security. Namely, that by far the biggest threats are from within, by employees or other authorized users. It's certainly more sensational to be cracked, but it's a lot more damaging to be scammed by somebody who knows exactly where you keep the crown jewels.
  • C'mon now .. its more the other way .. hacks that 'come from the outside', but are really someone you know and trust. Or someone who has gained valuable information from someone you know and trust. It's the same in all walks of life: abuse, murder .. why stop at hacking? I'm not saying that there is /no/ hacking from cold-callers .. I'm just saying that the number pales in comparison to those you'd least suspect.

    People who wish to steal or break in usually do so only because they know what the value of what's inside ....

  • Actually I lead an indecently wonderful life.

    I have a wonderful lover, a challenging job that pays remarkably well yet allows me to take off very long periods of time, live in a great city with a vibrant nightlife & fantastic cuisine. I've marvellous friends who I value deeply & they seem to do the same in return, and parents I've become good friends with.

    Back to the original point (& before your own emotional projection) I've hacked & cracked systems. The difference was that I was clever about it & had permission.

    Fer instance I used to contract then work for a well-known publisher/financial services company. It was a great place but IS was a complete mess. Nobody stayed for more than a year, oftentimes it was only a few days, and the standard means of resignation was to leave one's keycard on the desk & simply never return.

    This of course meant that we regularly had boxes on the network that nobody had any idea what they were. Since I was invariably the one they called ("It looks like one of your boxes & you run most of the boxes anyway") I soon became adept at getting permission to break in & find out what the damn thing was doing.

    The clever part was I did my homework & got permission FIRST. I'd see if there was any traffic to the box, if so from where and what sort? Could I identify any of its users and then what did they know about it? Heck, I'd even call Purchasing and see if anyone had bought one of these recently. This generally took only a few minutes and the assistance of folks whose job it was anyway. The result was I knew what I was going into before I did it, and no big screw ups.

    In your world expecting this kind of professionalism may be the sign of a prick - in mine it's called someone you want on your team.

    I'm glad you're happy with your expectations because I'm quite happy with mine & their results. It is a good life.

  • by billybob2001 ( 234675 ) on Tuesday December 19, 2000 @10:25AM (#547904)
    Micro$oft did this months ago!
  • The article doesn't seem to mention prosecution. Do the people running the honey pots just sit back and watch what the script kiddies are doing, plug the holes, and forget about it? Or are they filing in court? Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
  • Whether it's a honey pot system or not is irrelevent

    Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.

    He was asking if you would prosecute someone who broke into your honey pot (a ridiculous question if you take out the word honey pot, eh?), and if you would be pissed if someone plugged up the holes in said honeypot.

    Why you decided this meant systems in general is beyond me. Which is why I put that in bold, since you seemed to have missed some key info.

    And lastly, asking "would you care if..." is not the same as "you shouldn't care if...", and the latter wasn't what the poster said either.
  • I'm not sure I understand what you're trying to say. Did you mean that telling them to look elsewhere is more likely to make them want to attack the system?

    Possibly, but this quickly becomes similar to the poison-drinking scene in "The Princess Bride".

    BTW, who said anything about being a l33t webmaster-d00d? I needed a domain name for the computer on my LAN, and I wanted it to be publicly addressable, so I bought a domain. I didn't serve web pages until a year or so later.

  • by bluelip ( 123578 ) on Tuesday December 19, 2000 @10:30AM (#547916) Homepage Journal
    I forgot to mention that to say getting prior approval is a necessity is an understatement. It is a CYA statement. Imagine how fast your job will go down the tubes when the Big Boss realizes that the major security breach that was highly publicized came from someone getting out of your toy honeypot. Not that they wouldn't try something if you got the approval anyhow, but it's usually best to lean towards the cautious side.
  • Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.

    You insist on trying to tell me what my point is. I don't care whether his point was about honey pots or not, my point is that I'm taking issue with the whole question of whether a "white hat cracker" is good or not.

    If it makes you happy, then feel free to limit my point to saying that yes, a white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one. But my point is broader than that.


  • by chazR ( 41002 ) on Tuesday December 19, 2000 @03:41PM (#547920) Homepage
    My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...

    Damn straight you're not a security expert. (And I think you meant OpenBSD). Nobody is a security "expert". Some of us are older, wiser, and bear a lot more scars than others, but *none* of us are experts.

    Until you have had a system properly fucked over, you know *nothing* about security.

    There are a surprising number of companies saying "We are InfoSec Experts" out there who leave their own internal systems open to flagrant abuse. Like leaving certain ports (137, 139 etc) open to the Internet, and then give the receptionist a domain account. How hard is *that* to crack? ("Hello, I'm from the auditors. What name do you type in to the computer in the morning? Good, that sounds right. Now, just let me check. What do you type in the other box? Thank you. That's the right answer!")

    Back on topic: Honeypots are tremendously valuable if, and only if, they are well run.

    In the ongoing battle between the infosec "good guys" (mostly sysadmins) and the infosec "bad guys" (mostly l33t k1dd13s, but with a peppering of serious, professional criminals) the good guys are at a crippling disadvantage. We have to get every single thing right all the time. The bad guys only need to find one single, trivial mistake, and then it's w00t! r00tkit!

    These nasty little untalented, bored, socially malformed little twerps have all the cards; That wouldn't be so bad, but they freely give these cards to anyone. Nothing wrong with that. Except that some of the recipients (OK, a small number, but it only takes one) are working for serious, professional blow-your-brains-out-and-cover-you-in-concrete professionals.

    Honeypots are one of the few tools that let us monitor, study and comprehend what's going on. (That, and assiduous reading of alt.2600 etc.)

    We, the responsible victims of attacks, choose to monitor the attackers in any way we can. We do this because we want the Internet to be a useful place. And we are happy to forward information gained to law-enforcement types.

    If script kiddies don't like this then, hey! Build your own sodding network. When you get 100 million people connected, I'll come and look.
  • Do the people running the honey pots just sit back and watch what the script kiddies are doing, plug the holes, and forget about it? Or are they filing in court?

    In Australia, the Attorney-General recently determined (and did not announce) that evidence from honeypot machines can't be used in prosecuting offenders unless there's a wiretap order (warrant) for that system. The reasoning was that creating a system that is "intended to be broken into" is sort of like giving permission to the intruder and likely to jeopardise a case.

  • Interesting how much emphasis the security people place on script kiddies. I guess the most dangerous invaders are the bored and clueless. Are these the same people who put so much effort into getting FIRST POST?


  • It's only entrapment if the police (or another government agency) does it, and then prosecutes.

    Why do people continue to believe that the protections we have against the government (Bill of Rights, etc) apply to people who aren't the government at all?

    -- Fester
  • by Anonymous Coward
    yeah, you're an idiot. There is such a thing as white hat crackers, sorry. Since your analogy was poor, I'll provide a poor one as well. I walk past your car in a parking lot and notice that your lights are on, after looking around and calling a little bit, no one comes, since of course I don't know who to call because your name isn't written on the car. I reach in, shut the light off and lock the doors.
  • The problem with that is that the IP might be dynamically assigned from an ISP. OTOH, reporting the IP and the time to the ISP is a good idea, so that they can check logs and LART 'em.
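
    The auto-deny idea proposed earlier in the thread ("whenever someone connects to the honeypot, that IP is denied access to the rest of the network"), together with the dynamic-IP objection just raised, can be sketched as follows. This is an added example, not code from any poster or from the product in the article. It assumes a constructed honeypot connection log format (timestamp, source address, destination port, event kind) and a constructed trusted-network list; it produces deny entries that expire, so that a dynamically reassigned address is not blocked forever, and it never blocks addresses from the organisation's own ranges, so an admin who merely "rattles the doorknob" does not lock themselves out.

```python
"""
Added example (not from the thread): turn honeypot contact events into
time-limited deny entries for the rest of the network.

Assumptions (all constructed for this example):
  * the honeypot writes one line per inbound connection, of the form
        <ISO-8601 timestamp> <src_ip> <dst_port> <event>
    where <event> is CONNECT (any contact) or LOGIN_OK (got a shell);
  * the deny list is handed to an external enforcement point (firewall,
    router ACL); emitting it in that device's syntax is out of scope.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: two hits from one host (one of them a
# successful login), one stray hit, one internal host, one garbage line.
SAMPLE_LOG = """\
2000-12-19T10:30:00Z 198.51.100.23 23 CONNECT
2000-12-19T10:30:05Z 198.51.100.23 23 LOGIN_OK
2000-12-19T10:31:00Z 203.0.113.7 80 CONNECT
2000-12-19T10:31:02Z 10.0.0.5 80 CONNECT
2000-12-19T10:31:03Z not-an-ip 80 CONNECT
"""

# Internal ranges that must never be auto-blocked (assumed for the example).
DEFAULT_TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
# A mere connection gets a short block; an actual login a much longer one.
CONNECT_TTL = timedelta(hours=1)
LOGIN_TTL = timedelta(hours=24)


@dataclass(frozen=True)
class Event:
    when: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    kind: str


@dataclass
class DenyEntry:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    reason: str
    expires: datetime


def _parse_ts(ts: str) -> datetime:
    # Accept a trailing 'Z' on all supported Python versions.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_line(line: str) -> Event | None:
    """Parse one honeypot log line; malformed lines yield None rather than an exception."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, port, kind = parts
    try:
        return Event(_parse_ts(ts), ipaddress.ip_address(src), int(port), kind)
    except ValueError:
        return None


def build_deny_list(lines, *, trusted_nets=DEFAULT_TRUSTED,
                    connect_ttl=CONNECT_TTL, login_ttl=LOGIN_TTL) -> dict[str, DenyEntry]:
    """Fold log lines into one deny entry per source, keeping the latest expiry."""
    deny: dict[str, DenyEntry] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        # Never auto-block our own hosts: monitoring, admins poking around, scanners.
        if any(ev.src in net for net in trusted_nets):
            continue
        ttl = login_ttl if ev.kind == "LOGIN_OK" else connect_ttl
        expires = ev.when + ttl
        key = str(ev.src)
        current = deny.get(key)
        if current is None or expires > current.expires:
            deny[key] = DenyEntry(ev.src, ev.kind, expires)
    return deny


def active_entries(deny: dict[str, DenyEntry], now: datetime) -> dict[str, DenyEntry]:
    """Entries still in force at `now`; expired ones drop out automatically."""
    return {k: v for k, v in deny.items() if v.expires > now}


def blocked_at(log_text: str, now_iso: str) -> list[str]:
    """Convenience wrapper: sorted addresses still denied at `now_iso` under the default policy."""
    deny = build_deny_list(log_text.splitlines())
    return sorted(active_entries(deny, _parse_ts(now_iso)))


if __name__ == "__main__":
    for t in ("2000-12-19T11:00:00Z", "2000-12-19T12:00:00Z", "2000-12-21T00:00:00Z"):
        print(t, blocked_at(SAMPLE_LOG, t))
```

    Run against the sample lines, the stray CONNECT from 203.0.113.7 drops off the list after an hour while the host that actually logged in stays blocked for a day; the internal 10.0.0.5 contact is recorded by the honeypot but never turned into a block. The expiry is the concession to the dynamic-IP point: the address is still worth reporting to the ISP with its timestamp, but it is not treated as a permanent identity.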

  • How do you attract people to your honeypot system if it's configured just like your other systems, as the article said?

    I've read of configurations with all traffic to unsupported ports redirected to a honeypot system: "someone trying to telnet/ftp to my web server? I'll send you to my honeypot for observation instead."

    But if you're running a standard, normally configured system as the article mentioned, this doesn't make sense anymore. How's this work?

  • by flynt ( 248848 ) on Tuesday December 19, 2000 @10:31AM (#547935)
    From the people I know who do this, they never report it to authorities, but rather to CERT's and the like. The goal is to learn new cracker techniques and watch behavior once they break into the system. A lot of DDOS tools get found this way, because crackers will upload them to machines they have broken into. The goal is to then share this information with the security community, not just to bust a couple unsuspecting people.
  • by Anonymous Coward on Tuesday December 19, 2000 @10:32AM (#547939)
    "Oh, bother." -- Winnie the Cracker
  • I first came across this idea while reading "The Cuckoo's Egg" in junior high school. I'd like to say that I thought it was an excellent book, the entire story was very exciting to me. I enjoyed the cloak and dagger scenario placed in the computer world.

    Not much to really say, but that the book grabs you (or me at least) and is a quick read. Very enthralling, just watching the cat and mouse game play out between the cracker and the other guy.

    ...and I'm not sure we should trust this Kyle Sagan either.
  • by S. Allen ( 5756 ) on Tuesday December 19, 2000 @10:33AM (#547941)
    This is a perfect application for user-mode-linux. You can set up and run any number of complete virtual linux systems on a single box without compromising the integrity of the host system.
  • by nicholasperez ( 249531 ) on Tuesday December 19, 2000 @10:34AM (#547943)
    I would just like to say to the "script kiddies" of the world--YOU SUCK. God, it took me 4 hours to fix my damn system. Using pitiful log cleaners and then leaving a paper trail as long as the Nile, my old FTP server was exploited. It was sad. I caught them within 4 hours of being rooted. I quickly patched the hole (sometimes I wonder if I am an idiot) and quickly started on a firewall project, which I finished later that night. For all the other people that have been rooted, I feel for you. And my advice to sys admins, watch your systems, little things like load averages can point to a break in.

    I don't care what it looks like, it WORKS doesn't it!?!
  • by hectorh ( 113198 ) on Tuesday December 19, 2000 @10:34AM (#547944) Homepage
    If my honeypot is hacked into and then it is used to launch an attack against another system, am I liable for intentionally leaving an unsecured server on the internet?

    Is this similar to leaving a gun rack unlocked, then somebody takes one of the guns and commits a crime with it?
  • You insist on trying to tell me what my point is.

    Not at all. You must not get my point.

    You said you don't want anyone cracking your box, and this was abundantly clear. However it was also abundantly clear that the original poster was talking about honey pots, not machines in general. So your response made no sense -- I figured you must have missed a word or two. I guess not.

    I don't care whether his point was about honey pots or not

    But then why were you going on about "context" and "the key point I extracted"? Apparently the poster's context didn't mean anything to you.

    So you don't want people breaking into your box for any reason-- well no shit. As I already pointed out, you are not the kind of person who'd be running a honey pot, so what purpose did your post serve?

    white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one.

    A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it. That you feel it would be bad means you wouldn't be running a honey pot. This is why I responded in the first place -- it seemed you must not know what a honey pot is.

    But my point is broader than that.

    Who cares? Your "broader point" is that you don't want white hats breaking into your box. But since you wouldn't be running a honey pot anyway, your "point" can only apply to the very machines about which the poster was specifically not asking. So much for "context".

    So instead of thinking you missed information (sorry about that), I'm instead thinking "why the hell did he reply to a post with the exact opposite of what the post asked about?"
  • Hey, I'm forming an idea here...

    Set up a system that is rather easy to crack, but will take a good amount of time to crack. Then whip up a small script that will - the second *anyone* successfully logs in - shutdown the server.

    I would pay money to see the look on the cracker's face as they see this:

    Welcome... (MOTD)
    [root@firewall /root]#
    Message from root:
    This system is going down NOW!

    It would be nice to turn the tables around and, for once, make the script kiddy the one who gets ticked off...

  • by B.D.Mills ( 18626 ) on Tuesday December 19, 2000 @01:42PM (#547955)
    The other Slashdot article has a link to an article (http://rootprompt.org/article.php3?article=210 [rootprompt.org]) describing how honeypots are configured. Often they go through a firewall that allows anything in, but restricts traffic out. In this case, the firewall is protecting the Internet from the menace of the honeypot, rather than firewalling the honeypot from the menace of the Internet.

  • by winter fantom ( 182140 ) on Tuesday December 19, 2000 @10:34AM (#547957)
    I think this is a great idea, and I don't know why this kind of thing wasn't implemented earlier. The so-called "hackers" that this targets are the ones that won't know the difference between a honeypot and won't care. If these jerks know that there is a possibility of them being set up, I don't think they will be so ready to go randomly try to screw people over.

    It's really interesting, because I used to be the type of person that would not necessarily approve of such a trap in the name of protecting the curious individual who wanted to see what was out there. But the fact is, the people doing these things are becoming too big of a problem. And it seems that the whole purpose of snooping around has been sort of eliminated with the open source movement and Linux. Why snoop around when you can have your own *nix box with just about anything available at your fingertips, for free?

  • typically the honey pot will be on a subnet with just itself, with far too many services running than necessary but not so many that it seems obvious. Then it is heavily logged not to prosecute people but to find out how they are trying and make sure their real servers can't be cracked in this way. But if they do break into a real server then you can see how they did it and possibly be able to find them.
  • by tewwetruggur ( 253319 ) on Tuesday December 19, 2000 @10:36AM (#547959) Homepage
    my god! I've been 0wn3d by P00h B3ar! E.E.Milne would cry...

  • Even though they often are technological neophytes, script kiddies pose a big threat to corporate security. While "people laugh at them," says Spitzner, "they've compromised an awful lot of corporate sites."

    And this, my comrades, is EXACTLY why the "dotcom shakeout" happened. When Job Admin can't keep a 10-year-old from breaking into his site using a script, which by the way takes advantage of a 3 month old exploit and the kid barely understands, how can one expect that site to make a profit.

  • by BMIComp ( 87596 ) on Tuesday December 19, 2000 @11:05AM (#547961)
    I'd love to have a honeypot, and I'm sure it would be fun to play around with them.. but this reminds me about the true nature of many network administrators.

    The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality.. which isn't really effective since people scan blocks of IP addresses at a time.

    Hopefully some administrators will get their acts together after reading about honeypots.

    "War is hell" -- General Sherman Tecumseh
