Domain: honeynet.org
Stories and comments across the archive that link to honeynet.org.
Stories · 42
Honeynet Project Researchers Build Publicly Available ICS Honeynet
msm1267 writes "Conpot, short for Control Honeypot, is one of the first publicly available honeypots for industrial control systems (ICS) and SCADA gear. Built by two researchers from the Honeynet Project, the hope is that others will take what they started, deploy it on their own critical infrastructure networks and share the findings. 'The main goal is to make this kind of technology available for a general audience,' said Lukas Rist, one of the developers. 'Not just for security researchers, but also for people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger.'" Unlike previous ICS honeypots, this one simulates the control systems rather than requiring that you happen to own an actual industrial control system.
Real-Time Cyber-Attack Map
First time accepted submitter anavictoriasaavedra writes "In October, two German computer security researchers created a map that allows you to see a picture of online cyber-attacks as they happen. The map isn't out of a techno-thriller, tracking the location of some hacker in a basement trying to steal government secrets. Instead, it's built around a worldwide project designed to study online intruders. The data comes from honeypots. When the bots go after a honeypot, however, they're really hacking into a virtual machine inside a secure computer. The attack is broadcast on the map—and the researchers behind the project have a picture of how a virus works that they can use to prevent similar attacks or prepare new defenses."
Diagnose Conficker With Web-Based Eye Chart
thomsomc writes "Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular anti-virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free. According to Honeynet, 'This detection method should be more reliable than network scanning based tests. Happy scanning!'" Related: Tech Fragments notes in passing that nothing much seems to have come of Conficker's dreaded April 1 deadline.
Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, nCircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Virtual Honeypots
rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extend our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, especially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kinds of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Author: Niels Provos and Thorsten Holz
Pages: 440
Publisher: Addison-Wesley Professional
Rating: THE current reference about honeynet technologies and solutions.
Reviewer: Raul Siles
ISBN: 0321336321
Summary: Improve your capabilities with easy to deploy virtual honeypot solutions
The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light tips and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.
The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the two main honeypot types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some of the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you a lot of ideas for new deployments.
The whole book has been cooked with a how-to mentality, and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors' experience. However, the how-to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step-by-step guides are very useful as a general setup reference.
From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Thorsten Holz, are the lead developers/architects for honeyd (chapters 4 and 5) and nepenthes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).
The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you an idea of where these technologies are evolving to and the major challenges we are facing now. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learning how to deal with intrusions.
Finally, one of the main expansion areas we are involved in today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you add all this knowledge to your incident handling and response capabilities.
Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how, using VMware, you can build up a virtual Honeywall (just slightly mentioned in chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup on the Honeynet Project mailing lists, because all the previous whitepapers are obsolete now. I've been deploying this type of solution for fun and professionally during the last few years and I strongly recommend you start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.
If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, this book is definitely for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.
I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project in 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, it has definitely been replaced by this book, written by two project members.
You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Honeynet Delineates Web Application Threats
An anonymous reader sends us to a technical white paper written by the Honeynet Project & Research Alliance: Know Your Enemy: Web Application Threats. Based on analysis of malware collected by the project, the paper outlines a number of HTTP-based attacks against web applications and some ways of protecting Web servers. Included are code injection, remote code-inclusion, SQL injection, cross-site scripting, and exploitation of the PHPShell application.
Honeynet Revealing Actual Phishing Techniques
edsonie writes "CircleID is reporting on the recent Honeynet Project paper, 'Know your Enemy: Phishing', aimed at discovering practical information on the practice of phishing. The study reports on a number of real world examples of phishing attacks and the typical activities performed by attackers during the full lifecycle of such incidents. The research also suggests that phishing attacks "are becoming more widespread and well organized". Also with regards to the speed of such attacks, "phishing attacks can occur very rapidly, with only limited elapsed time between the initial system intrusion and a phishing web site going online with supporting spam messages to advertise the web site, and that this speed can make such attacks hard to track and prevent." Check out the full report here presenting actual techniques and tools used by phishers."
Microsoft's "Honeymonkey" Project
g0bshiTe writes "Ever hear the saying, 'given enough time a room full of monkeys could type out Shakespeare'? Well Microsoft seems to be taking this saying to heart, and taking a cue from the Honeynet project, they have created what they have dubbed 'honeymonkeys.' Security Focus has an article which describes this honeymonkey network, which is little more than a network of virtual Windows XP boxes in various patch states. These boxes are set up to crawl the seedier side of the web in search of vulnerabilities not being reported, and are being actively exploited in an attempt to further secure their product. Sounds like a decent idea from the Redmond crew to me."
Observing Botnets with Honeynets
Susan Saradon writes "The Honeynet Project has released a new paper which deals with the observation of botnets. "Know Your Enemy: Tracking Botnets" discusses what botnets are, who is using them, how, and why. It also introduces the tools "mwcollect" and "drone" which can be used for collecting and tracking botnet activity. Nice to read and looking forward to the release of these tools."
Linux Getting Harder To Crack
AlanS2002 points out today's article from Iain Thomson on vnu.net, which says that "Linux systems are getting tougher for hackers to crack, security experts have reported today," summarizing "A study conducted by the Honeynet Project has found that it takes about 3 months before an unpatched Linux machine will be owned, compared with about 72 hours in the past. According to a report on the study, default installations are now more secure with fewer services enabled by default; added to this is newer versions of software such as OpenSSH being more secure. Interestingly, Solaris 8 and 9 did not fare so well."
Unpatched Linux Lives 3 Months on Internet
Allnighterking writes "The Honeypot project Honeynet.org has released their study on the expected lifetime of an unpatched default Linux install. If some of you remember, AvanteGarde recently did a study of its own with several versions of Windows products and found that the average lifetime was about four minutes. Internet Week has an article on the study and the PDF with the full details of the study is available on Honeynet.org. Needless to say, from my viewpoint this is a good reason to limit Windows installations in IT that any PHB and/or Smiling Man can understand. Have them put it into a spreadsheet and see what this kind of security means to their bottom line."
Survival Time for Unpatched Systems Cut by Half
UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (Windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."
Know Your Enemy, 2nd Edition
Ben Rothke writes "Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not. In Know Your Enemy: Learning about Security Threats, the members of the Honeynet Project have written an excellent security reference that can enable one to begin to understand the motives of those who are attacking and compromising their systems." Read on for the rest of Rothke's review.
Know Your Enemy: Learning about Security Threats (2nd Edition)
Author: The Honeynet Project
Pages: 742
Publisher: Pearson Education
Rating: 8
Reviewer: Ben Rothke
ISBN: 0321166469
Summary: Observe intruders without putting your data at risk by building a tempting honeynet.
KYE was not written by a single author, rather by The Honeynet Project. They are a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.
The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored, and with analysis can be understood.
The book's premise is that it is not simply enough to know you have enemies; you need to understand what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that they are best using their resources to defend and defeat their enemy.
This is the second edition of KYE, and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book go into what exactly a honeynet is, and then explain the differences between first- and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.
The opening chapters also go into details about the specific value of honeynets. For those that entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick, they will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.
Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take these legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.
Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.
Data analysis and forensics are crucial in that it is the only way to interpret the various types of data involved. The key for those involved is turnout and extracting different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.
While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.
Know Your Enemy is a unique book in that it details how not to simply install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and to understand the mindset of the attacker. That is something not easily found in other books.
The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.
Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.
The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.
Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on securing hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.
You can purchase Know Your Enemy: Learning about Security Threats (2nd Edition) from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page. -
Using Honeypots to Fight Worms
scubacuda writes "Laurent Oudot, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)" -
Ask Fyodor Your Network Security Questions
Fyodor is the driving force behind Insecure.org and the top-rated Nmap network exploration and security auditing tool. He's also involved in The Honeynet Project (and is a coauthor of the project's book, Honeynet: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community). One question per post, please. We'll run Fyodor's answers to 10 of the highest-moderated questions as soon as he gets them back to us. -
Help Perfect The Cracker Antfarm With honeyd
Niels Provos would like you to help create the perfect lure for crackers. In the style of similar challenges presented by the Honeynet Project, Provos, a doctoral candidate at CITI (a research institute at the University of Michigan) has announced a public competition for contributions to his honeyd project, which the project page describes as "a small daemon that creates virtual hosts on a network." Honeyd does more than that terse description implies, though: read on to see how you can contribute to creative cracker snaring.
Behind door number three ...
Rather than wait for production systems to be cracked, honeypot makers arrange sting operations: they set up as traps intentionally tempting target machines loaded with tools to observe any break-ins. Though the projects' names (and their rosters of hackers) are confusingly similar, honeyd is distinct from the Honeynet Project. Both are concerned with watching intruders' behavior for analysis and, in the long run, preventing their exploits, but the projects vary in their scope. Honeyd offers specific software tools to effect the appearance of a crackable box (and can simulate thousands of crackable machines at once); the Honeynet Project is broader, and uses honeyd within its larger framework of studying cracker attacks.
"Honeyd creates virtual honeypots that simulate operating system characteristics to such a degree that it fools fingerprinting tools like nmap or xprobe," says Provos. "As such it is a virtual honeypot that may be used for all kinds of purposes -- network sensors, decoys, et cetera. As the Honeynet project investigates interesting honeypot technologies, Honeyd got me involved with the [Honeynet Project] and is my contribution."
The competition Provos is organizing is in turn a chance for others to contribute to his honeypot tool; a variety of prizes (including a trip to CanSecWest/core03) will go to the programmers who provide the best improvements to the current version (0.5) of honeyd. He's hoping to field contributions to upgrade the user interface, better analyze information captured as intruders try to break in, provide simulated P2P programs, and more. Though there's a list of suggestions on the site, anything to more effectively mimic genuine target machines is welcome.
License requirements are friendly to open source programmers: "Source code features to be integrated into Honeyd need to be covered by a BSD-like license. Service emulations and graphical user interface [submissions] may be either BSD-like or GPL."
Though the honeynet.org page says that Provos is sponsoring the challenge, he says others (like Honeynet Project lead Lance Spitzner) have put up the prizes. "As I am still a poor student, I anticipate that my only financial expenses are going to be shipping costs."
What inspired the idea of a contest, rather than simply waiting for code to roll in from interested hackers? "The Honeynet project has held very successful challenges in the past," says Provos. "Additionally, Lance Spitzner and Marcus Ranum have been giving tutorials on honeypots and noticed that all the participants really enjoyed working with Honeyd. As a result, Lance encouraged me to hold this challenge."
What's in it for them? Spitzner, one of the challenge judges, lists a few things he'd like to see come out of this contest. "All the plumbing and features are there for developing your own honeypots. I would love to see these capabilities extended and making it easier to use. For example, it would be great [to see] new emulated services added, a port to Windows, and a GUI to make it easier to use." Spitzner has recently published a book about honeynets as well, so he has a good reason to want some attention focused on this sort of calculated intruder watching.
"I am most interested in the balance of getting realism with as little risk of abuse," says Job de Haas, another judge for the competition and CEO of security consulting firm ITSX. "The idea is to build simulated services, but you want to end the realism where it starts to undermine the security of the system beyond control." De Haas says that one of the system's weak points right now is that it's simply difficult for new users to know where to begin. "Hopefully lots of useful examples will come out of the challenge, to make it easier to get started."
I send you this file to ask your advice about breaking in.
Code submissions from hundreds of contributors (all of them savvy enough about cracking to contribute in the first place) raise the prospect of at least a few of them trying to sneak in their own malware to subvert the competition, but the organizers discount the possibility of a backdoor or other crack being submitted.
While it's unlikely that malicious code would make it far, Provos says that to be on the safe side (and make sure it doesn't hurt his working environment), "Personally, I run all new code under a systrace sandbox, and before new code gets integrated into the official honeyd source code it has to pass a source code audit."
Similarly, De Haas says that he's not worried about malicious code, but is "alert that someone might try. Generally we're quite used to dealing with untrusted code. On the other hand I don't consider myself unhackable, it can always happen. You mostly try to minimize the damage it can do."
"Generally the community is very good about this," says Spitzner. "While I doubt this would happen, you do have to be concerned about it. Fortunately, the judges we have (except for me :) are outstanding at code review."
Further reading: We've mentioned the Honeynet Project a few times before -- here's one story from July 2001 and other from July 2002; a search on "honeynet" will yield several more. -
Building Open Source Network Security Tools
Mike Clark writes "There are many security books on the shelves today. Most of them describe the same hacker tools and methods. They don't get very technical and once you've read one, you've read them all. Building Open Source Network Security Tools is a different breed of security book." Read on for the rest of Mike's review.
Building Open Source Network Security Tools
author: Mike D. Schiffman
pages: 424
publisher: John Wiley & Sons
rating: 9
reviewer: Mike Clark
ISBN: 0471205443
summary: How to use open source libraries, such as libpcap and libdnet, to build network security tools.
Building Open Source Network Security Tools, just as the name suggests, is about how to build network security tools. This is a technical book, so you are going to need a little knowledge of C and your networking principles. This is definitely not a manager's book.
First the book describes some basic principles in developing security software. This is a quick primer in case you have never been involved in software development. Next the book goes on to describe several commonly used libraries like libnet and libpcap. For each library, the structures and functions are explained, then there is sample code. I have written programs using libpcap and libnet before, and I still learned something. There is even a section on OpenSSL programming. OpenSSL is a rather large and cryptic, no pun intended, library (in my experience anyways). This book sheds some light on it! These chapters are a great reference to have when making a new security tool.
The author then goes on to explain the several techniques like attack and penetration and active reconnaissance. Not only does the author tell you how they would in a technical sense, he provides code that does it, and explains each piece. This is very useful since most tools in the wild aren't very well commented ;) There is also a chapter on buffer overflows and format string vulnerabilities. These chapters are very well done and do a good job in explaining how they work and how to write code to use them. It may sound like this is an offensive hacker book, but it also gives examples on how to write defensive programs, like a port scan detection tool. At the end of the book the author ties it all together with a large program that utilizes many of the techniques mentioned in the book.
I found this book to be very refreshing. I had been waiting for a good security programming reference, and this is it. As a part of the Honeynet Project, I have seen a large number of compromises and tools, and one thing I've found is that in order to truly know who your enemy is, and how they operate, you need to know how their tools work. I wish this book had been released years ago when I first became interested in network security. It would have saved me from stumbling around old web pages and dead links. If you're an information security professional, this book is a must have for your library.
You can purchase Building Open Source Network Security Tools from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Tracking Hackers
Anton Chuvakin submitted this review of Lance Spitzner's Honeypots: Tracking Hackers. Spitzner has previously contributed to a book and many online documents about the Honeynet Project. Chuvakin starts off, "If you liked 'Know Your Enemy' by the Honeynet Project, you will undoubtedly like Lance Spitzner's (the Honeynet Project founder) new book 'Tracking Hackers' much more. In fact, even if you did not quite like 'Know Your Enemy', you will likely be deeply impressed with the new book on honeypots and their use for tracking hackers."
Honeypots: Tracking Hackers
author: Lance Spitzner
pages: 480
publisher: AWL
rating: 5/5
reviewer: Anton Chuvakin, Ph.D, GCIA
ISBN: 0321108957
summary: Using honeypots to track electronic intruders.
The structure of the book is different from "Know Your Enemy": Lance starts from the very beginning - namely, his first honeypot penetration experience - and then goes on to talk about all aspects of honeypots. In-depth and structured background on honeypot technology is provided. Honeypots are sorted by the level of interaction with the attacker they are able to provide.
In addition, the book covers the business benefits of using honeypots. By classifying the value of honeypots into prevention, detection and response (exactly as done in Honeynet Project white papers) Lance Spitzner analyzes the honeypot technology contributions to an overall security posture. Also, the book describes the differences between the research and production honeypots and demonstrates the benefits of both for various deployment scenarios.
A good part of the book is devoted to particular honeypot solutions: 'honeyd' by Niels Provos and several commercial honeypots with detailed explanation of how they work. For example, there is a clear description of ARP spoofing and how it is used by the 'honeyd' honeypot daemon. An interesting chapter on "homegrown" honeypot solutions (such as the ones used to capture popular worms of 2001) sheds some light on the simplest honeypots that can be built for specific purposes, such as to capture a popular attack by means of a simple port listener. Use of UNIX chroot() jail environment for honeypots is also analyzed.
Of course, a special chapter is devoted to honeynets - the Project's primary weapon in a war against malicious hackers. The Generation II (GenII) honeynet technology is first introduced in a book. The chapter not only lists honeynet deployment and maintenance suggestions, but also talks about the risks of honeynets.
Another great feature of the book is a chapter on honeypot implementation strategies and methods, such as using NAT to forward traffic to a honeypot and DMZ honeypot installation. The information is then further demonstrated using the two full honeypot case studies, from planning to operation.
What is even more important, maintaining the honeypot architecture is covered in a separate chapter. Honeypots are a challenge to run, mainly since no 'lock it down and maintain state' is possible. One has to constantly build defenses and hide and dodge attacks that cannot be defended against.
"Tracking hackers" also has a "Legal Issues" chapter, written with a lot of feedback from the DoJ official. It dispels some of the misconceptions about the honeypots such as the "entrapment" issue, summarizes wiretap laws and related data capture problems.
The book describes an almost cutting edge of the honeypot research and technology. To truly get the cutting edge and to know about the Honeynet Project latest activities in detail, wait for the second edition of "Know Your Enemy" (coming out next year). In "Tracking Hackers" Lance makes some predictions about honeypots in "Future of Honeypots" chapter. Honeypot-based early warning system and distributed deployments, analysis of new threats and expanding research applications, making honeypots easier to deploy and maintain are all in this chapter.
To conclude, Marcus Ranum's enthusiastic preface is not an overstatement, it is indeed a great book for both security professionals and others interested in this exciting technology. While I was already familiar with most of the information in the book, it was a fascinating read! This is the kind of book you don't want or even cannot put down until the last page is turned.
Anton Chuvakin, Ph.D., GCIA (http://www.chuvakin.org) is a Senior Security Analyst with a major security company.
You can purchase Honeypots: Tracking Hackers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
The Reverse Challenge: Winners Announced
asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols." -
'Think Tank' Issues Microsoft-Funded Troll
dlur (among many others) writes: "According to this ZDNet article, a Washington think tank known as the Alexis de Tocqueville Institution is soon to release a study stating that Open Source Software allows terrorists an easy time hacking into our systems. It's little surprise that this group takes money from Microsoft." The Register's story is good too. All the whoring reports in the world won't make open source any less secure. This same institute backed destabilizing, unworkable '80s missile defense and thinks Alexis de Tocqueville would have wanted the V-22 Osprey deathplane. Also, see what their coin-operated policy dispenser spat out for internet privacy (eat what you're fed) and antitrust (advantage of Microsoft monopoly: "manufacturers of computer hardware need to provide only one driver"). We weren't going to run this, but there were a lot of submissions, so ... -
A New Challenge from Honeynet
cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list." In a later note, he points out that the announcement has finally made it to the Bugtraq archive page. (And that URL is active now.) -
Honeynet Project: Blackhat Attack Stats
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: 'We are psyched to announce our newest paper, Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.'" -
Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here. -
The Honeynet Project Has A Winner
AltGrendel writes with a welcome followup: "The Honeynet Project has announced a winner. OK, actually they announced the three winners and have posted the results here. Details as to how all this was accomplished will be posted through the next few weeks. Congratulations to all finalists!" This project has been mentioned a few times before; if you thought running Linux made you obscure enough to largely escape the attention of random and non-random malice, this is a thorough (if depressing) reason to think otherwise. Hats off to the Honeynet Project and participants for putting this labor-intensive analysis together. -
Cracking All The Live Long Day & RH6/7 Worms
BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet RH6.2/7 crack, there's a story on C|Net concerning the "worm" that's a new popular exploit set with the script kiddies on RH 6/7 servers.