Domain: recourse.com
Stories and comments across the archive that link to recourse.com.
Comments · 6
-
Symantec also bought Riptech and Recourse!
No kidding! Here's Riptech's press release and Recourse's news. This follows the purchase of MountainWave earlier this month.
Helevius
-
Re:Nothing really new...
Note that this sort of thing has already been done. Recourse Technologies already makes something that does this, but it's a pretty business oriented sort of thing.
Basically made for ISP's and large companies. The companies can set priorities and trust relationships to make sure things get blocked that need blocked. Plus their technology can actually scan a gig link which is a requirement for the larger companies. -
Honeypots and Law
Note that these machines are still considered part of the network, and are usually priced ~$3000 as at this price mark they will enter a different bracket of penalties for the hacker.
Also note the honeynet does not use sensors within the network to collect data, but relies upon the firewall to gather data. Anyone can pretty much do this with most any firewall.
Recourse's Mantrap documents everything on a per machine basis (incl. keystroke logging). This unfortunately is designed more for corperate use than for my home :/ -
honeypots, dangers, products
Recourse's first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.
Honeypots are some of the fluffiest of security products, imo, far less useful that firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.
Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live /proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.
Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.
It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have priveleged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
-
Commerical Honeypots
Recourse Technologies
Commercial honeypots like these prolly are a bit more sticky than handcrafted ones. /*shameless plug*/
Honestly though it's much better to know where people are and what they are doing, than wondering where they are and what they are doing. -
Re:Tidbits about this "icee" character.
One more tidbit; the homepage for this Recourse Technologies he works at is at http://www.recourse.com/, just in case anybody cares or couldn't figure it out on your own. In case your wondering, yes, this is the same company; look at the logo on Icee's shirt in the picture on his homepage and the logo on Recourse's homepage. They're the same