Domain: honeynet.org
Stories and comments across the archive that link to honeynet.org.
Comments · 115
-
Re:honeynet project challenges
And the honeynet project's new website with the newest challenges is at http://www.honeynet.org/. Strange that they have an old and a new site, with no links from the old site going to the new site... but an excellent project anyway! Everyone should go enter their new challenges.
-
honeynet project challenges
The excellent honeynet project has some exciting challenges - examples of viruses and hacking in the wild, well packaged. The old 'Forensic challenge' is perhaps the most exciting for students to do: http://old.honeynet.org/challenge/index.html
-
Re:MS is more clever?
But you don't. A critical part of the server is the private key. Without the private key any server you may have created is worthless.
THUMP. THUMP.
That's my forehead on the desk. You're right, the good guys don't have access to the real C&C server. Therefore, the command signing process can't be spied on. Therefore, there's no way to spoof valid signed commands.
I lost track of the "not owning the real server" issue. That's what happens when you fall in love with an idea; love is blind.
So, lacking any weaknesses in any client bot you can get hold of, the best you can probably do is to note clients as they try to contact the spoofed server and get notification out to the owner of the botted machine. For a quarter-million nodes, that's a lot of work.
UPDATE: Looks like honeynet.org thinks there is an unspecified weakness in Waledac's crypto methodology, and payloads can be decrypted. I don't know if that's enough to step into the place of the real C&C network, though.
-
Re:They can't be stupid.
Actually, there is a chance that if someone breaks into your machine and you log their activities, they can hit you with the wiretapping act. Which is why the MOTD is usually something along the lines of "authorized access only blah blah", which will help your case. http://www.honeynet.org/book/Chp8.pdf (page 4)
-
The Honeynet Project
did something like this in 2000. See p. 15 of this 3 MB zipped Powerpoint.
See also P-p-p-Powerbook! for a possible laugh. -
Re:looking for details on storm botnet control
OK, so why are they not focusing on these "nodes"?
As I understand it, they are also using fast flux DNS to move these nodes around on a regular basis. By the time you track one down, it is no longer a node in the network, just another compromised system. -
Re:Who are the stormbot people?
The group running the system is taking precautions to avoid detection, such as using Fast Flux. Also, it is speculated that they are in a former Soviet bloc country, which tends to have very poor laws and few resources to go after such people.
-
Know Your Enemy paper on Fast Flux just out
Has a lot more detail: http://www.honeynet.org/papers/ff/fast-flux.html
-
Linux bots, seldom seen.
Irritating Windoze defender, Macthorpe, pretends there's a GNU/Linux botnet problem:
Have you ever heard of Q8bot or kaiten? Probably not, but they're Unix/Linux flavoured bots. So much for your 'all botnets are Windoze' FUD.
Well, no, I had not heard of such things. Ever helpful Macthorpe even offered a link to tell me why I don't hear about such things. They are listed under this heading:
Besides these three types of bots which we find on a nearly daily basis, there are also other bots that we see more seldom. Some of these bots offer "nice" features and are worth mentioning here:
In the description, they note they have yet to find the mechanism of spread. A reasonable person will conclude that Botnets are a Windoze created problem and not something to worry about. After all, study after study shows the average time it takes to break a Windoze box is on the order of minutes, but a GNU/Linux box will last for months out of the box. A paranoid person will wonder if M$ has not honeynetted honeynet themselves with bogus infected GNU/Linux machines.
-
Re:getting a clue.
You are a busy bunny! I'd believe you if you were running some other software to monitor your network activity, but that's beside the point.
Nice assumption, but the parent didn't say he wasn't running a network monitor. Considering I trust dedazo's opinion more than your clueless rantings, I would assume he is.
I think they have vastly underestimated the problem, that botnets are entirely Windoze driven and that most of the steps taken by people like you are ineffective
Have you ever heard of Q8bot or kaiten? Probably not, but they're Unix/Linux flavoured bots. So much for your 'all botnets are Windoze' FUD.
None of these things is really effective
Even though two of them are labeled as "Excellent anti-leak protection", and Comodo managed to pass every single test they tried? Where did you pull that 'fact' from?
using Microsoft's auto-update is the surest way to have your computer broken.
More Grade A bullshit. Auto-Update has not broken or even affected any of the machines that I have built for various friends, family and others. None of them.
Free software welcomes the people you and M$ despise
It's only ever you that talks about 'hatred' and 'despising' users. Something you want to share?
-
It's good to see the FBI getting a clue.
That they are looking into the problem is a good start. G-men reading are advised to consult with the Honeynet Project and regard vector vendor "help" with suspicion. It would also be nice to see them call a spade a spade and abandon the false OS neutrality that keeps them from doing so. This is a Windows problem and the relative risks should be published. Otherwise they are lying to us and keeping information we can all use locked away. Most importantly, though, they need to clean their own house.
-
Got done....
I got done reading this, and it's pretty dumb.
"If you're a big company, you already have a security team. If not, hire one." DOH!
That smacks me of the same kind of response from Slashdot about legal advice... "I'm being sued by the RIAA, should I ignore it?"
Still, why not gander around and see what the real security experts and such say about such matters:
The Coroners Toolkit Tools for Unix
Nagios detection suite
Honeypots for 'sticking hackers'
And there's the wonderful tools in the Linux kernel for bridges and such that can be made to monitor data as if there was no computer there at all. Also, PF in FreeBSD can route and filter based on much more criteria than Linux netfilter can (like via OS).
You should have a secure layout of your network along with a respectable sensor network. The Sensornet should be separate from the general network.
If you already work in IT, these things should be obvious, as it is the similar measures required for data recovery on non-hack problems. -
Survival Time Studies.
A more accurate measurement might be: average time to system compromise / number of attacks.
Any real world test would be better than this silly patch counting, but the number usually reported is time to ownership. People don't really care about how many attempts it takes to break a system as much as they care about how often they need to do things. It might take an attacker 100,000 tries to brute force a password, what matters is how long it took. The trick is to make sure your network looks like a typical network and to describe those conditions so others can compare.
The usual result of tests like that is that Windoze machines are taken down in as little as four minutes with a half life of 12 minutes. Red Hat, out of the box, takes three or four months.
The Honeynet Project has all sorts of studies to further enlighten you. The bottom line is the result: More than 25% of Windoze computers are part of a bot net that's screwing everyone. It happens faster than you can download patches that won't really do you any good anyway.
-
Re:Simple solution: Ban Windows
Reference here for upstream bandwidth:
http://www.honeynet.org/papers/bots/
and here for the amount of bugfixes since XP rollout:
http://www.washingtonpost.com/wp-dyn/content/article/2006/09/23/AR2006092300510.html/
EVERY Home PC that runs Windows XP needs updates, to remain stable and sane. How many home users run P2P? Very tiny fraction, IMO.
Amazing... my rectum's got more wisdom than your brain, perhaps. -
Duh
Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge. Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.
You've got to be kidding.
What's the methodology for this profile? Googling the word "hacker"? Please. Tell me something I didn't know years ago. (For example, MEECES.)
Seriously, these guys sound like they have a seriously flawed survey methodology, in that all they are doing is self-selecting their sample and parroting the results. Moreover, I don't see how they plan to create anything useful out of the forensic data they expect everyone to send them. In that regard, I see little difference between what they say they are going to do and what the Honeynet Project has been doing for years. -
Re:Not Chinese
If the boxes were so secure, how did they get in there? Why were the Windows boxes having "logs" of where the data was sent and so on. What kind of trojan would log their own activity on the compromised machine?
This kind
And the million dollar question is: how the f*ck did they tie the Chinese *GOVERNMENT* to a Chinese *HACKER*... In fact, the first thought to occur to a government trying to hack into the US's servers would be to hire hackers from another country to do it.
Not believing that the US and every other government in the world has a blackhat hacker team is pretty ignorant and naive. Believing that you're actually hacking a government computer and not a honeypot is equally dumb.
Add to this the constant FUD that US spread that Lenovo puts spying chips in ThinkPads and similar conspiracy theories. It's apparent US find China a convenient target to blame, just the way they did with Iraq after 9/11.
This apple is more retarded than that orange. -
Re:Another such course in Operating Systems...
Would appreciate any comments on whether such efforts are useful to the larger community
HELL YES!!!!
I plan on downloading this as soon as I get back to work. This is ALMOST exactly what I need for some professional development.
Now - if you'd do a similar course on analysing network protocols using ethereal - something that would bring me from basic networking through to being able to take part in various honeypot challenges then I would be a happy happy man.
p.s. by "basic level" I mean someone who has studied Tanenbaum in knowledge, and is around CCNA level in implementation skills.
-
Don't kid yourself. Security needs some paranoia!
A bit of googling finds a comment attributed to David Taylor at http://blog.washingtonpost.com/securityfix/2005/10/it_must_be_zombie_season.html. It spreads by making use of a PHP vulnerability, so may be harmful to OSX systems too.
This blog post identifies a bot called Q8 for Linux/Unix systems. Honeynet's paper on bots (http://www.honeynet.org/papers/bots/) says: Q8bot is a very small bot, consisting of only 926 lines of C-code. And it has one additional noteworthiness: it's written for Unix/Linux systems. It implements all common features of a bot: dynamic updating via HTTP-downloads, various DDoS-attacks (e.g. SYN-flood and UDP-flood), execution of arbitrary commands, and many more. In the version we have captured, spreaders are missing. But presumably versions of this bot exist which also include spreaders.
-
Well, it's their own way...
How is this fighting this in their own way? Don't lots of other orgs do this same thing...?
Well, it's their own way in that other organizations are not so irresponsible as to allow the machine to send 18 million &#$% spam messages while they ooh and aahh over their creation. Microsoft "embraces and extends" yet again...
From The Fine Article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.
How nice: they allowed 18M junk messages to go through, but could be bothered to look at only 10% of the data. Unbelievable.
-
So why is the FCC working with THEM...
... rather than the honeynet project who have better tools, and far more experience at this sort of thing?
-
Related Links
Related links:
Digital Forensic Tool Testing Images
Brian's Tools - Includes links to SleuthKit and Autopsy
Forensic Tool Kit free trial
FTK is a nice tool to play around with for Windows users, especially with the testing images. The free trial does have a limit of 5,000 files per image, so if you create or work on testing images you may have to get rid of extraneous junk and leave the good stuff. SleuthKit and Autopsy are great for the *nix environment. After you get those tools working you might give Scan of the Month challenges 24 and 26 from The Honeynet Project a shot. They're both pretty fun and challenging. Don't worry if you don't know what you're doing. Both of the challenges have writeups done on how to accomplish the tasks and what tools were used if you need guidance. -
Re:It's a start...
I've got to agree with this. Reverse engineering an obfuscated binary may seem like a very daunting task at first, but it certainly can be done. Take a look at the Honeynet Project's Scan of the Month 33, for example; reading the answers is quite interesting, even for someone who (like me) otherwise has no practical knowledge regarding reverse engineering.
:) -
Re:Ofcourse..
Horseshit.
http://www.honeynet.org/papers/trends/life-linux.pdf
Read that. And that was only December 2004 findings.
5 Redhat 7.3 == 3 compromised after 3 months
8 Redhat 9 == 1 compromised after 3 months
2 FC 1 == 0 compromised
Windows ... well here:
"This life expectancy is all the more surprising when compared to vulnerable Win32 systems. Data from the Symantec Deepsight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours. The limited number of Win32 honeypots we have deployed support this, several being compromised in mere minutes. However, we did have two Win32 honeypots in Brazil online for several months before being compromised by worms."
I can easily see that the timeframes are getting smaller across the board. The majority of the Linux assaults succeeded with SHTTP exploits. I am unsure as of this moment if that is still the case or not. Apparently RH9 may have been a turning point (maybe sooner) for many, but I ain't gonna bet on that for a moment. The lesson here isn't that the machines can break -- but that carelessness (READ - plugged into LAN at install time, before AV/AntiSpyware/Firewall are all set up) kills you. Linux isn't the target much right now. Windows is. Don't believe me -- RTFA and the link I posted and see for yourself. -
Beats this article by far...
You should know your enemy. http://honeynet.org/papers/phishing/
-
Now if only I could get my people to use Firefox
Use the same tactics as the Phishers to dupe your fellow employees to use Firefox:
1. Remove the IE shortcut from the desktop
2. Add a Firefox shortcut to the desktop
3. Rename said shortcut "Internet Explorer"
4. Change icon of said shortcut to the blue "E"
5. Download and install a Firefox theme which emulates the look and feel of IE.
And there you have it! You have adapted the malicious tactics of Phishers to keep your people safe from Phishers.
-
Kernel .config file
They did release the .config file used to build their kernel. If you don't want to download their whole "fLinux" source tree just to look at it, I put it up on my web space. Give it a look-over; I imagine this would be the easiest component of the device to replace. Modify the kernel with e.g. Sebek and you should be able to get a good idea of what's going on under the hood.
Also, the GNU_Source_Code.zip includes fLinux.tar.gz and games.tar.gz, so if you get the zip file the other two are redundant. -
Re:It's called a hardware NAT router
Hear Hear!
cynical side notes:
There is no technical reason why I should not be able to walk into CompUSA, ask for a computer that by design doesn't "get viruses" and not get laughed at. The Orange Book described what a secure computer system should look like, Multics shows what a secure OS and computer system look like in reality... and they did so thirty f$%#ing years ago! (Also the Morris worm was in '88.) There is only one conclusion possible: everyone who can fix these problems once and for all has been abducted by aliens for twenty years now and no one noticed... or whatever. Their excuse better be good! The fact that no one goes into CompUSA to ask for a computer that does not spend most of its time spreading worms and DDoS might also be a small factor. This is of course not going to change until the reporting on computer security moves on from spreading Symantec FUD to doing real reviews of the stuff on the market. This would interfere with the megahurts/marchitecture "benchmarks" though...
To be fair, this report isn't all bad. It has the usual vaguely defined growing graphs, percentages only, no absolute numbers and everything "Source: Symantec Corporation". You won't find those in Honeynet and SANS data and analysis. Being duct tape salesmen, the Symantecs of this world need their FUD...
However, towards the end the report has some real data from what looks like an impressive honeynet. You will have to go through the usual "number of reported vulnerabilities" graphs comparing Mozilla and Internet Explorer first though.
-
Um... this was reported like 2 days ago....
http://it.slashdot.org/article.pl?sid=05/03/15/1341203&tid=172&tid=1
RTFA!
I am pretty sure the BBC news post is just a dumbed down version of this report:
http://www.honeynet.org/papers/bots/
So it begs the question: why is this news? Does /. think we didn't RTFA in the first place or are too dumb to understand it... We needed the diluted version I guess.... or maybe Zonk and Commander Taco don't compare notes... who knows. Either way, same story twice in 3 days = yuck.
out
DarthVain -
Re:Why aren't governments proacting against these n
From honeypot FAQ:
8. Do you prosecute the people that compromise systems within the Honeynet? No. The prime directive of the Honeynet Project is research and to share those lessons learned. It is not our goal to catch and prosecute blackhats. We do forward information about compromised systems to CERT so CERT can notify admins of compromised systems. We limit our contact with authorities to only when the Project feels there is a critical need. If we were to become involved in a major legal case every time a system was compromised, we would not have time for research, let alone our real jobs.
Read more about honeypots here. It seems they probably could, but are not going to. -
Zombie PCs being sent to steal IDs
While I was going to submit this as a story, it would seem more appropriate as a link from this one.
News.com has an interesting article talking about how botnets have migrated mainly from DoS to widespread spying. A growing number of botnets have been used to gather sensitive identity information and install adware and spyware. The Honeynet Project estimates that some of the networks are made up of more than 50,000 computers. -
Re:Apples/Oranges
From here: http://www.honeynet.org/papers/trends/life-linux.pdf: Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. This means that an unpatched Linux system with commonly used configurations (such as server builds of RedHat 9.0 or Suse 6.2) has an online mean life expectancy of 3 months before being successfully compromised.
Compared to unpatched Windows boxes with life expectancies of minutes. -
Re:Responsibility
The poster which I replied to explained the need for a dedicated firewall computer/router with personal responsibility and "precautions against evil" which are political (in the old Greek sense) terms. I tried to point out what a responsible individual could do instead.
You are opening a technical discourse again.
Last a checked a default fedora installation still took about 30 mins to be owned which is still a lot better than the 3 minutes it used to take.
I would like to see a reference for those time figures. (This study talks about 2 or 3 months.) And where did I say anything about not updating systems?
Are you seriously blind enough to think that you should rely on one level of security? That's insane, if you are a network engineer I suggest you quit your job to make room for someone capable of securing anything.
Nice attack. I did not claim that one level of security is enough. I argued against the general necessity of a dedicated firewall device for home usage. What security does a firewall provide against a buffer overflow or other vulnerability over a port it is not blocking? None. The purpose of a firewall is to be an additional, port-based security layer. Whether this firewall runs on dedicated hardware plays no role in a home environment. More important would be to ensure that the installed system only runs the necessary services. Introducing "magic security" in the form of a hardware box can even be harmful for security awareness in that respect.
No OS is perfect so you might as well take steps to minimize risk rather than complaining.
I did not claim that Linux is perfect - but it's better than Windows in security terms. Windows comes with applications (Internet Explorer e.g.) that are a further security risk not present to such a degree on Linux. I especially talked about personal responsibility, which in my eyes does not stop at ensuring system security.
Seriously, even in a home environment a personal firewall like a Linksys ain't a bad idea, it allows any device to hop on the net, my parents don't use it for security, they use it because it makes having a laptop and a desktop on the net easy. So now you've just eliminated the OS variable altogether for $60. I fail to see what is wrong with that.
Personally I use a cheapish DSL router, too. (Mainly because I have two computers which need internet access and I didn't want to require one machine to always run for internet access.) "Wrong" with it is that it introduces an embedded closed-source system into my LAN whose correctness I cannot determine. Embedded systems can be hacked, too.
Wrong is to see that $60 gadget as a necessary step in connecting a home computer to the internet. -
Microsoft MythSpinning
The article refers to another vunet article, Linux Fights Off Hackers by Iain Thomson, which refers a whitepaper published by the Honeynet Project. It really looks as though McGrath is claiming that the Honeynet Project's data has been falsified.
From the Honeynet white paper,
"By combining the data from all of the Linux systems deployed, we see a mean life expectancy of 3.0 months for systems that were compromised. For systems still uncompromised, we see a mean of 4.46 months. Finally, for the entire population of machines, we see a mean time of survival, including those still uncompromised: 4.1 months. The longest surviving Linux honeypot was an unpatched Red Hat 7.3 system that was online (and never compromised) for over 9 months. This is a dramatic increase from the life expectancy for default Linux systems of 72 hours seen in 2001/2002.",
as well as
"This life expectancy is all the more surprising when compared to vulnerable Win32 systems. Data from the Symantec Deepsight Threat Management System indicates a vulnerable Win32 system has life expectancy not measured in months, but merely hours. The limited number of Win32 honeypots we have deployed support this, several being compromised in mere minutes. However, we did have two Win32 honeypots in Brazil online for several months before being compromised by worms."
and
"Meanwhile, the time to live for unpatched Win32 systems appears to continue to decrease. Such observations have been reported by various organizations, including Symantec [1], Internet Storm Center [2] and even USAToday [3]."
-
Re:WTF?
I seem to remember a study that said otherwise. Do you have a source?
I thought it was Honeynet but that is quite old, and only talks about RH6.2. Do you have a source for a more up to date study?
Thanks for the info on other distributions. FYI, we use Debian primarily for intranet servers but occasionally for day-to-day development. I'm a developer not a sysadmin, so I don't have the time to stay up to date on anything we don't actually run. We looked at RHEL primarily for the support but were unimpressed to the point of standardising on Debian.
Jon.
-
Re:How does it compare
How does it compare to the bible of all IDS analysts, Network Intrusion Detection by Stephen Northcutt & Judy Novak
That's a really good question. To me the bible is Stevens' TCP/IP Illustrated Vol I. While Northcutt's book is a great introduction to IDS and analysis for beginners, I think Rich's book goes beyond that (as evident in reviews from respected members in the community like Lance Spitzner from the Honey Net Project). To quote Ron Gula from the foreword of Richard's book: If you've learned the basics of TCP/IP protocols and run an open source or commercial intrusion detection system, you may be asking, "What's next?" If so, this book is for you.
You can also read a couple of sample chapters from the book.
Of course, I am a little biased. Rich is a great friend, but I truly think he did an awesome job of creating something that should be required reading for anyone involved in network security.
Bammkkkk -
What so special
Network throttling is nothing new; the honeynet project has been doing this for years. http://project.honeynet.org/tools/index.html
Now they are using Inline Snort (Snort + IPtables) to make a signature-based firewall. Essentially a layer 7 firewall, but with the cool feature to modify packets and not just block them. -
Re:I want a honeypot-on-a-disc
Try the honeynet project: http://www.honeynet.org/tools/cdrom/
-
Re:The new differentiating factor
QUOTE
# PURPOSE
# To deploy Data Control requirements for a Honeynet deployment.
# This script uses IPTables to create a gateway that counts inbound
# and outbound connections and blocks connections once a limit
# has been met. Also has the capability to work with Snort-Inline.
# Script can work in either GenI(routing) or GenII(bridging) mode.
# For more about Honeynets, refer to
#
# http://www.honeynet.org/papers/honeynet/
UNQUOTE
link
More than just a switch :)
CC. -
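The Data Control idea the quoted script header describes (let attackers in, but count outbound connections from the honeynet and block once a limit is met) as a small script of my own. This is an added example, not the Honeynet Project's rc.firewall; the honeypot subnet, the per-hour quotas and the use of the iptables "limit" match are constructed assumptions, and the script only echoes the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example of honeynet Data Control, not the Honeynet Project's own
# rc.firewall. Outbound connections from the honeypots are capped per
# protocol with the iptables "limit" match; inbound traffic to the honeypots
# is left untouched so attackers can still reach them. All addresses and
# limits are constructed assumptions.
set -u

IPT="${IPT:-echo iptables}"          # dry run by default; IPT=iptables to apply for real
HONEYNET="${HONEYNET:-10.0.0.0/24}"  # honeypot subnet (constructed)
TCP_LIMIT="${TCP_LIMIT:-15}"         # new outbound TCP connections allowed per hour
UDP_LIMIT="${UDP_LIMIT:-20}"         # same for UDP
ICMP_LIMIT="${ICMP_LIMIT:-50}"       # same for ICMP
OTHER_LIMIT="${OTHER_LIMIT:-15}"     # catch-all for any other protocol

# limit_rules PROTO PER_HOUR
# Emits three FORWARD rules for outbound traffic from the honeynet: accept up
# to PER_HOUR new connections of PROTO per hour (burst equal to the hourly
# quota), then log and drop anything beyond that. PROTO "all" omits -p so the
# rules act as a catch-all; place it after the specific protocols.
limit_rules() {
    proto="$1"
    rate="$2"
    if [ "$proto" = all ]; then
        match="-m state --state NEW"
    else
        match="-p $proto -m state --state NEW"
    fi
    $IPT -A FORWARD -s "$HONEYNET" $match \
        -m limit --limit "${rate}/hour" --limit-burst "$rate" -j ACCEPT
    $IPT -A FORWARD -s "$HONEYNET" $match \
        -j LOG --log-prefix "HONEYNET-LIMIT-${proto}: "
    $IPT -A FORWARD -s "$HONEYNET" $match -j DROP
}

# apply_data_control
# Full rule set: established traffic flows freely in both directions,
# anything inbound to the honeypots is accepted, outbound is rate-limited
# per protocol with the catch-all last.
apply_data_control() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -d "$HONEYNET" -j ACCEPT
    limit_rules tcp "$TCP_LIMIT"
    limit_rules udp "$UDP_LIMIT"
    limit_rules icmp "$ICMP_LIMIT"
    limit_rules all "$OTHER_LIMIT"
}

apply_data_control
```

Once the hourly burst is spent, further new outbound connections hit the LOG and DROP rules, so a compromised honeypot shows up in the kernel log with the HONEYNET-LIMIT prefix instead of attacking third parties.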
Follow the link, read the excerpts
The link provided (http://www.honeynet.org/book/) gives two chapters of the book in PDF form. They are both well worth the read. Especially chapter 16 on profiling. WARNING: Like all works of sociology, it will make you realize that we are just monkeys.
Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...
One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."
The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic." (emphasis mine) -
Re:Fun and games with statistics
The study chose to disregard "automated" attacks. A standard Windows system can be compromised within minutes of being connected to the Internet by such attacks so ignoring them means that only secured Windows systems are included. This makes the research unbalanced since it fails to apply a similar filter to Linux systems. Malware is not simply a UI/social problem - the Blaster worm and its variants needed no inside assistance.
In addition the study only covered successful attacks. How many unsuccessful ones were there? The measure of vulnerability should surely be the ratio of successful/failed attacks, not just a raw number.
Finally how were these attack figures reached? Were these based on government/company IT figures? (in which case factor in maturity of systems/staff and how much easier breaches can be discovered in Linux using free tools like Tripwire) Or packet sniffing of certain domains? (Linux is used by more domains, some of which are set up deliberately to be hacked).
The only conclusion that can be safely drawn is that Linux appears to be a more popular target for manual attack - whether by necessity (automated attacks being far harder), desire (more of a challenge) or familiarity (easier to learn the internals of a free system, especially if you lack the money/connections needed for commercial counterparts). And security is hardly ignored on Linux either - with tools like ipfilters, tcpwrappers and Bastille, admins have little excuse for running a non-secure system.
-
The world needs hackers
Something that very many of you seem to be missing is the fact that the world needs hackers. While I don't condone the release of a virus (that is actually executing it in the wild) I think that it's absolutely necessary for them to exist. The guys who do this sort of coding set the standards for the industry. If nobody ever pointed out the flaws in microsoft's code, then it would never be fixed. If you all are going to sit here and point fingers at people who write exploits, I'd hope you stop and think first about the contributions that hackers have made to the infosec industry. RainForestPuppy, K2, Solar Designer, and these kinds of people are there on some middle ground doing things that we need to have done. These kids writing exploit code for the windows flaws are just doing their part. While there is a fine ethical line that need not be crossed when writing viruses (that line being somewhere around the 'releasing them into the wild' step) the flaws and exploits serve a very real purpose that people (whiners) need to acknowledge. A good example of hackers for the benefit of society: the honeynet project. Just because it can be dangerous to flirt with the dark side of computing, doesn't mean we ought not to ever go there. The virus writers and code exploiters do very similar things that our so-called 'real world' medical doctors do -- after all, wouldn't it be really easy for genetic engineers to design a killer bacterium that could wipe out half of the planet? Do you contend that we cease all research in the field because it could possibly be put to some malicious use? That's like saying that we shouldn't work on AI because you may end up with 'the Matrix,' and come on, that's really immature.
-
Re:In a nutshell - somehow
What I'm interested in is was it possible to do forensics before the box was switched off, and was there an IDS (such as Snort) installed and positioned in such a place as to be useful? If so then hopefully the attacker may have been logged by the IDS which may leave some vital clues as to the methodology the hacker used, and may even have logged the root exploit's raw packets.
For anyone that's curious I'd recommend a look at the Honeynet Project's Challenges page, esp. the Scan of the Month sample incident and submitted answers from the community - very good for learning how to perform an analysis.
-
Re:Hypocrites.
He was probably referring to setting up a NAT based router in front of the windows box. They are cheap (a 386 will do), and they are fairly easy to set up using rc.firewall.
It's worked well for me for years now. That's not to say it's the only option, but it's a good one. -
Honeynet
Set up a Honeynet. Nothing more insightful than watching real attackers trying to do their thing, without having to worry about getting them off your production systems ASAP.
It is a much better way to learn about the real security risks than trying to come up with a network secured against threats learned from books only.
Another good idea to enlighten your students is to have them install one redhat 6.0 box, and a current one. Likely, the 6.0 box will be rooted in a matter of hours, or, if you are lucky, days. Then, use the slashdot search engine to compare the number of posts claiming that Linux is inherently secure when RH6.0 was current vs. today - likely, you'll find that they are the same. Lesson learned: No matter what people tell you, all software sucks. The best thing to know as someone dealing with security.