Slashdot Mirror


Security-Why Not Watch The Crackers?

An Anonymous Coward asks: "Over the years I have heard the idea of luring Crackers into a honeypot, so you can watch them and see what they are doing. It has always seemed to me to be a better idea to keep the Crackers completely away with a low profile and a firewall. What do you think?" This is an interesting approach to security and one I have also thought about from time to time...assuming you can build a convincing enough trap so you can learn how they work. "Forewarned is forearmed", especially when it comes to Cracking. How likely is it that such traps would fool really good crackers? Update: 04/07 03:09 by CT : originally this story misused 'hacker' quite offensively. I corrected it.

185 comments

  1. Re:Hackers, Hackers, Hakcers!!! by Anonymous Coward · · Score: 1

    The word hacker for programmers has been DISCONTINUED. When will you get this through your heads????

  2. Re:Fooling? by Anonymous Coward · · Score: 1

    Signal 11 has a good point. Fortunately, his hair covers it.

  3. Building a _hornets_ nest by Anonymous Coward · · Score: 1

    Building a honey pot, no matter how good a security expert you think you are, is a bad idea. Nevermind the fact that you have intentionally left an easily crackable machine on the internet, from which crackers can launch other attacks. Are you going to monitor the system 24x7? Deny access from that machine to outside and inside subnets? The cracker will catch on, and what's worse, if the cracker thinks they've found a decoy machine, they may become malicious in an attempt to save their skin.

    So you have this honey pot that you've built, you are entertained by watching script kiddies crack the machine left and right. Meanwhile the time (and money) you should've spent hardening the rest of your network ends up getting breached. I personally don't know who has the time to set up decoy machines, when it's difficult enough keeping servers patched in a 24x7 production environment.

    If you are looking for trouble then by all means build yourself a honey pot. Fix the bugs one by one so you can _learn_ how the cracker works. Just don't be surprised when your honey pot of a machine bites you in the ass.


    Bob Tribit

    1. Re:Building a _hornets_ nest by Spirilis · · Score: 1

      An echo-request packet *is* a standard ping packet, isn't it?

      --
      the real at&t mix
    2. Re:Building a _hornets_ nest by kcarnold · · Score: 1
      And, if your firewall denies outgoing ICMPs (in heavy quota, and with spoofed IPs...), it may not be used in smurf attacks. Furthermore, if the firewall says "no more than 10 outgoing SYN requests per 5 seconds" we can forget about synflooding too:)

      Even simpler: set up the firewall to only allow outgoing connections to the originating client and its subnet. Sure this could be easily noticed (when Mr. H4cx0r does 'ping slashdot.org' ... then okay allow all ICMP, but rewrite all ICMP echo-request packets to be standard ping; this might be complicated though), but it would allow the hacker to connect to whatever he wants on his own system (well if you log the connections, you can connect there too :-).

      Of course this would need some tweaking to make it totally transparent.

      Ken

    3. Re:Building a _hornets_ nest by kcarnold · · Score: 1

      I meant the ones with > 56 data bytes, malformed packets, etc.

    4. Re:Building a _hornets_ nest by Abigail-II · · Score: 2
      The funny thing is, all the points you bring up are addressed in the article. Which makes me wonder whether you read the article.

      -- Abigail

    5. Re:Building a _hornets_ nest by arcade · · Score: 4

      Building a honey pot no matter how good a security expert you think you are, is a bad idea.

      That, my friend, depends on what your goals are. There are several good reasons to build honeypots.

      First off, if you are pretty sure about your network, and you are an idealist -- creating a honeypot lets you see where scans originate from. After that, you can contact the admin of the machine it originated from -- and tell him that he probably is cracked. You've made a friend.

      Secondly, if you don't have important data on your network, and just want to catch some fish and watch the ruckus -- I'm sure it can be great fun.

      In other words, it depends on your goals, what kind of person you are, and so forth.

      Nevermind the fact that you have intentionally left an easily crackable machine on the internet, from which crackers can launch other attacks.

      That depends on what you leave on the machine. It also depends on the firewall rules. Not to forget, if you monitor the machine, you may see what he attacks from the machine -- and thereby alert the new machine he just cracked into. Someone would've found that other vulnerable machine in time anyway -- so I don't see the damage.

      And, if your firewall denies outgoing ICMPs (in heavy quota, and with spoofed IPs...), it may not be used in smurf attacks. Furthermore, if the firewall says "no more than 10 outgoing SYN requests per 5 seconds" we can forget about synflooding too:)

      I personally don't know who has the time to set up decoy machines, when it's difficult enough keeping servers patched in a 24x7 production environment.

      Not everybody who builds a honeypot is a security professional with little time on his hands to secure a large company's network. I totally agree with you if that is the case. Building honeypots on large companies' networks is a Bad Thing (imho).


      --
      "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
  4. Re:Simulated environment is not a good idea by Anonymous Coward · · Score: 1

    It matters not you buttwipe. The word is popularly used in literature, periodicals and other forms of mass media to describe the mythical, dressed-all-in-black computer whizzes that are forced to destroy websites by renaming index.html to index2.html in fits of boredom. This is now a definition of the word. This is how languages evolve. You're going to have to deal with it. A word can have multiple meanings. A hacker can be a machete-wielding mass murderer, a sucky golfer, a programming whiz, or my aforementioned script-kiddie monster. You're just going to have to sort out the meaning from context. Like every other word in the English language. If you can't deal with that, come up with your own language. One where words cannot take on new meanings. You can use the same 50 Phonics we have in English. Good luck.

    Oh yeah, and Shut Your Mouth.

  5. Re:Honeypots can be illegal by Anonymous Coward · · Score: 1

    I guess it's too much to ask to read the article before posting, huh?

    It can't be entrapment if you are not interested in prosecuting. This guy is talking about setting up a system that looks attractive to crackers that is set up similar to his real hosts so he can find out what methods are being used to probe and crack so he can better protect his real hosts.

    He puts the honeypot behind a firewall with rules set to deny outgoing connections that the cracker might use to attack other hosts. He keeps a close eye on it and kicks the cracker off and fixes the holes used to a) keep him from using it to stage attacks on other networks b) keep him busy trying to get back in rather than having time to launch attacks c) find out what other vulnerabilities this guy knows about and will try next.

    >Honeypots encourage the hacker, while a closed door might frustrate them and they'd go away.

    Read the article, please.

  6. Re:chroot jail ?? by Anonymous Coward · · Score: 1
    You must keep in mind that root is never "jailed" by chroot since he can chroot back out.

    What? How do you chroot back further than what the current / is? chroot / /bin/sh would be redundant, and I highly doubt chroot ../../ /bin/sh would work. Granted, as root you can get whatever you want done (i.e. write a program to read data by sector), but I still think it's impossible to chroot below the current root in a chrooted environment.

      • Word to your mother, nigger.

      • .
        ..
  7. Re:Simulated environment is not a good idea by Anonymous Coward · · Score: 1

    GIVE IT UP AND GET OVER IT!
    "hacker" is as dead a word for programmers as "gay" is a word for describing happiness.

  8. Deception Toolkit by Anonymous Coward · · Score: 1
    As mentioned in the article, put the Deception Toolkit on an old machine in the DMZ. The DTK is a bunch of scripts which let crackers waste time without giving them real programs with real bugs to attack. And make all your machines label themselves as running the DTK, whether they are or not.

    The DTK is for poisoning the well. If you really have the time to watch what a cracker is doing, by all means put in a honeypot. But then you have to monitor it, figure out what is happening, and apply similar fixes to your production machines.

    No matter what you do, you should have a firewall or two anyway. The main firewall should block everything that you don't need to let through. There can also be a DMZ firewall between your Internet server machines and the Internet which has weaker limitations, if needed by your services. (The standard configuration is a separate DMZ net for your Internet servers and a net for your internal company LAN, with a very strict firewall/proxy between the LAN and the Internet).

  9. Solution: two firewalls by shaldannon · · Score: 1

    The author of the article referenced indicates that for this very reason he put the honeypot on a dedicated firewall which allowed access ONLY to the honeypot. He also set it up so that it would allow almost all incoming and limited outgoing traffic (he said basically the reverse of what a firewall is designed for). This means that all traffic on the firewall is suspicious (pull out your camera, Bob, we got a snooper).

    He also points out that he wants to make the honeypot irresistible, so he names it something tantalizing like ns1.domain.com or mail.domain.com. Finally, he uses reboot (WALL "routine Maintenance") to kick the cracker off so he can examine the logs and fix the holes and modifications.

    As one earlier poster said, the author tosses this off like it's all in a day's work, while it leaves me shaking my head in impressed amazement. You really should read the article... it's quite informative.


    Who am I?
    Why am here?
    Where is the chocolate?

    --
    What is your Slash Rating?
  10. Re:Wild Weasel Facts by sighup · · Score: 1
    I wasn't really going to post on this thread, but your message reminded me of The Deception Toolkit available at http://all.net/dtk/.

    The Deception Toolkit is a tool for building honeypots, but with a twist. It listens at port 365 and just says something like "Smile, you're on candid camera". The idea being, that if enough DTK boxes are out there, if someone sees a port open at 365 they will aim their scripts elsewhere.

    Ain't decoys grand?

  11. Two types of honeypots? by Storm · · Score: 1
    In my way of viewing things, there are two types of honeypots. The first is the "dedicated" honeypot, which is what everyone seems to be discussing. It's a box that is pulled out of service, given seemingly gaping holes and dangled out in front of the wolves. Personally, I don't think these are terribly effective, for many of the reasons stated by other posters. (e.g. possible entrapment, enticing people to hack, most of the takers will be scriptkiddies.) I am not saying this type of honeypot is completely useless. It all boils down to who you are trying to attract and what you are trying to protect.

    If you are looking for scriptkiddies, this type of honeypot is perfect for you. Scriptkiddies look for the easy kill, the box that shows the listening port that they can try the newest 'sploit on. However, the "professional" cracker generally has a specific target in mind, goes for that target and nothing else. The other thing is that he gets in, gets what he wants and gets out, and nobody is the wiser.

    The other question that should drive your decision to deploy a dedicated honeypot (and your entire security policy) is what you are trying to protect. Are you using the honeypot for learning purposes? Then this is probably the type of 'pot for you. If you are setting it up as a tripwire or trigger to watch for untoward activities, then you might consider setting up something a little different. You should also consider what type of network you are setting this up on, and what the cracker stands to gain if he owns that particular box.

    The second type of honeypot involves setting up scripts and whatnot on existing machines. It falls as much into the range of Intrusion Detection as it does Deception.

    This method uses scripts which listen on common unused ports. Not running pop3? Set up a perl script on port 110 that logs activity occurring on it. As Lance Spitzner says in his whitepaper To Build A Honeypot, don't get too fancy, or you're setting yourself up for a DoS attack.

    While I am not saying honeypots are inherently bad, I am saying some forethought can save you considerable work. Figure out what you want to do and whether a honeypot is your best solution.

    --
    --Storm
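
A minimal listener of the kind Storm describes (a fake POP3 on port 110 that only logs), as an added example; this is not code from the post or from Spitzner's paper, and it is in Python rather than Perl. The port, banner, per-connection byte cap, timeout and concurrency cap are assumptions, chosen so the listener itself cannot be used to exhaust the box, which is the DoS caveat above.

```python
import socket
import threading
import time
from collections import deque

# Settings are deliberately tight so that a flood of connections cannot tie up
# the box (the "don't get too fancy" caveat). All values are assumptions.
LISTEN_PORT = 110                      # POP3, which this host does not really run
BANNER = b"+OK POP3 server ready\r\n"  # plausible greeting; nothing behind it
MAX_BYTES = 256                        # capture at most this much per connection
CLIENT_TIMEOUT = 5.0                   # seconds before a slow client is dropped
MAX_CONCURRENT = 16                    # handlers at once; extra connections are closed
LOG_MAXLEN = 10000                     # bounded in-memory log (ship it elsewhere)


def record_probe(addr, data, log, now=None):
    """Append one probe to `log` as a single text line; return the record."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ",
                       time.gmtime(time.time() if now is None else now))
    shown = data.decode("ascii", "replace").replace("\r", "\\r").replace("\n", "\\n")
    src = f"{addr[0]}:{addr[1]}"
    rec = {"ts": ts, "src": src, "data": data,
           "line": f"{ts} probe from {src} port={LISTEN_PORT} data={shown}"}
    log.append(rec["line"])
    return rec


def handle_client(conn, addr, log, now=None):
    """Send the fake banner, capture up to MAX_BYTES (or one line), log, close.
    The input is never interpreted, so there is no parser here to attack."""
    data = b""
    try:
        conn.settimeout(CLIENT_TIMEOUT)
        conn.sendall(BANNER)
        while len(data) < MAX_BYTES:
            chunk = conn.recv(MAX_BYTES - len(data))
            if not chunk:
                break                       # client went away
            data += chunk
            if b"\n" in chunk:
                break                       # one command line is plenty
    except (socket.timeout, OSError):
        pass                                # slow or abusive client: keep what we have
    finally:
        conn.close()
    return record_probe(addr, data, log, now)


def serve(port=LISTEN_PORT, log=None):
    """Accept loop with a hard cap on concurrent handlers."""
    log = deque(maxlen=LOG_MAXLEN) if log is None else log
    slots = threading.BoundedSemaphore(MAX_CONCURRENT)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(64)
    while True:
        conn, addr = srv.accept()
        if not slots.acquire(blocking=False):
            conn.close()                    # over capacity: drop, never queue
            continue

        def run(c=conn, a=addr):
            try:
                handle_client(c, a, log)
            finally:
                slots.release()

        threading.Thread(target=run, daemon=True).start()


def simulate_probe(payload, addr=("10.0.0.5", 4321), now=0):
    """Offline demo: drive handle_client over a socketpair with a constructed
    client address and payload; returns (record, banner the client received)."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(payload)
    client_side.shutdown(socket.SHUT_WR)    # client is done talking
    log = []
    rec = handle_client(server_side, addr, log, now)
    banner = client_side.recv(len(BANNER))
    client_side.close()
    return rec, banner


if __name__ == "__main__":
    serve()
```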
  12. Oh. by Mr.+Neutron · · Score: 1
    Sorry, but I took one look at the story title, and I pictured all of these security experts watching Penn Gillette navigate through a three-dimensional filesystem interface while "Zero Cool" and Lara Croft and Emmanuel Goldstein uploaded the "Donnetello Virus" onto his system.

    --
    dinner: it's what's for beer
  13. Re:Fooling? by Peter+La+Casse · · Score: 1
    If you kill ALL the bandwidth - with packets, then there is nothing the target can do. NOTHING. Nothing whatsoever.

    I disagree. The target can have their upstream provider figure out where the majority of the flooding packets are coming from and filter that half of the country, etc.

    In order to get around this defensive tactic, the attacker would essentially have to flood the entire internet, DOS'ing everybody. At that point it would be more practical to simply use real weapons (or a backhoe) and blow up network infrastructure.

  14. Re: definitely not entrapment by Ricdude · · Score: 1
    walk down the street in a crime-ridden neighborhood looking like an easy target, then [...] pulling out a gun and holding them until the police arrived

    I assume you are doing this in a state where you are not violating any concealed carry laws in doing so. =) Statistically, concealed carry laws have the effect of lowering such crime rates, specifically because criminals are much more careful if they don't know whether or not a target is armed. But that's another matter. If you park a car in a "bad" neighborhood (or a "good" neighborhood, for that matter), and forget to lock your car door, can someone claim entrapment if they get caught stealing it? I think not. Besides, all that is required to get around the entrapment clause is that different officers make the arrest and set the trap. In this particular case, unauthorized use of my/my company's computing resources is still unauthorized use, regardless of whether I have left a diversion out there to attract the gullible.

    --
    How's my programming? Call 1-800-DEV-NULL
  15. The Best Honeypot by ink · · Score: 1
    The best honeypot isn't a honeypot at all. Take an old machine; install Linux on it and throw all the ports open. If someone is targeting your network, it'll be the first machine that comes to mind. Do all your news, irc, and everything from that box.

    It works great :)

    --
    The wheel is turning, but the hamster is dead.
  16. Re:You need Gooood skills to make a goood honeypot by thulldud · · Score: 1

    Yup, that's what I meant.

  17. Re:You need Gooood skills to make a goood honeypot by thulldud · · Score: 1

    I wouldn't call that a "honeypot"; I would call it a "Wild Weasel" box. But it would be a Wild Weasel using remote-controlled, unmanned flight hardware. A much more career-friendly implementation than its Vietnam-era namesake. Not a bad idea at all....

  18. Re:This is very wrong!!!! by dvdeug · · Score: 1

    It couldn't be anonymous, because it was up with the "hacker" terminology first. It would be obvious to some that it had changed, and confusing to others when they read the comments complaining about the "hacker" terminology. Why not post it there - it's already public, this just makes it clear.

  19. Re:A better solution by unitron · · Score: 1

    "why not ban kids from owning a network-capable PC before they are 18?"
    Could Slashdot survive with its audience reduced to only about 100 users?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  20. Re:Fooling? by Signal+11 · · Score: 1
    If you kill ALL the bandwidth - with packets, then there is nothing the target can do. NOTHING. Nothing whatsoever.

    If. If your ISP has more bandwidth than the attack and you set the border routers to drop the traffic, you should survive. Yahoo had enough bandwidth... they just hadn't configured their routers correctly. :(

    As to the 'net being more fragile... well, yes.. a few bad BGP advertisements would take care of the whole eastern seaboard. Your point?

  21. No worries, You already have a HoneyPot. by BrookHarty · · Score: 1
    I've noticed that people are so busy buying/merging networks, trying to get projects in on time, keeping Manglerment happy, that you don't see the HoneyPot sitting right in front of you..

    -IronWolve
    That and hire another NetAdmin we would have 2.

  22. Re:Honey Pot by scrytch · · Score: 1

    > I guess that is why we get married. Guaranteed access to the honeypot.

    Yer in for a world of disappointment in a few years, boy. :-/

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  23. Re:Hacker != Cracker [OT] by JamesKPolk · · Score: 1

    Well.. if the story submission has errors, don't quote it!

    But, whatever is done, mis-representing what is sent, to me seems far worse than anything else, for a "news" site.

  24. Political Correctness hits Slashdot by JamesKPolk · · Score: 1

    I have to say, I'm offended by the sudden editing out of the word Hacker.

    Note that the entire post was edited, *including* the original AC submission!

    Is Hacker to be to slashdot readers, what Nigger is to some other people? Is it to be a word that is "offensive" when others use it, but OK to use to each other?

  25. Re:M*tnick got caught in one of these. -True story by Sloppy · · Score: 1

    they set up a single 386 on the dialin network he was exploiting to look like an entire network filled with great goodies.

    Hey, I think I just figured out a reason why someone would want to run 41000 instances of Linux on a mainframe!


    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  26. Re:A friend did something like this by Crambone · · Score: 1

    On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator etc). Anyone know of something like this?

    This can be done with Internet Security System's RealSecure.

    http://www.iss.net/securing_e-business/security_products/intrusion_detection/realsecure_engine/

    --
    c7five
  27. Cheswick & Bellovin did just that ... by Ricochet · · Score: 1

    Check out "Firewalls and Internet Security: Repelling the Wily Hacker" (ISBN 0-201-63357-4). There is a chapter called "An Evening with Berferd" where they did just that.

    I would warn you that special precautions are necessary, this is something you should think very carefully about before attempting.

  28. Am I missing something here? by CodeShark · · Score: 1
    Isn't the idea of a "honeypot" to invite cracking attempts?

    It seems like the whole point is to find out how the cracking attempt is being done, so it makes sense to me to do what others have done, which is to have cracking contests with tangible rewards, and then progressively harden the target machine to repel the attacks. As soon as someone cracks the machine, they get the reward/recognition, etc.

    Of course, if the right company/person were in charge of the targeted machine, they would be able to advise Apache, RH, M$, etc. of how the crack was done, and give the coders a jump on blocking the crack before restarting the whole process with the newly hardened target.

    Hell, if I were in charge of one of the big OS/Software companies, I'd probably try to set something like this up just for that purpose. Cheaper than finding out about an exploit just after you received your new order of 10,000 CD-ROMS, don't you think?

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  29. Terminology by forcer · · Score: 1

    It's cracker not hacker, in this case. I always thought slashdot gets this distinction right quite well. :)

  30. Re:A friend did something like this by cowbutt · · Score: 1
    On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator etc). Anyone know of something like this?

    Whilst this sounds like a good idea, and can be done using most IDS/firewall combos (e.g. RealSecure from ISS or NFR from... er... NFR), in practice most admins shy away from using it for fear of it being turned against them and their networks (think spoofed attacks that appear to be from the "victim's" business partners).

  31. Re:Simulated environment is not a good idea by Kaa · · Score: 1

    Isn't a honeypot considered entrapment?

    No, especially if it's not a publicly accessible system.

    If I have a fake safe at home to distract the thieves from a real one, that's not entrapment.

    Kaa

    --
    Kaa's Law: In any sufficiently large group of people most are idiots.
  32. Honeypots by Metameme · · Score: 1

    One problem with a honeypot. If you allow crackers to telnet (or otherwise network) to the outside world through the system, you may be liable for aiding a breakin if they use the box for a "jumping-off point" to mount attacks on other systems. This is especially true if you set up a honeypot and watch the people, knowing perfectly well what their intentions are and that they are using your computer resources to work towards that goal.

    If you don't allow access outside, it makes the system look kind of suspicious. And if they find out you've set them up, they will be determined to return.

  33. Crackers, Crackers, Crakcers!!! by Crutcher · · Score: 1

    This is probably a redundant post, but I have to put it up.

    Shame, Shame on Cliff for letting this through, shame, shame on the AC for posting this to slashdot.

    It is "Cracker" not "Hacker" in this context, and for this nonsense to show up on slashdot, I suggest we do what we have been told to do over the years: send esr's letter, available from here, to slashdot.

    --

    -- Crutcher --
    #include <disclaimer.h>
  34. Check out the Deception Toolkit by gdon · · Score: 1

    The Deception Toolkit might be something you'll find useful for your honeypot.

    --
    gdon
  35. Re:Honeypots can be illegal by sporty · · Score: 1

    In defense of my poor sig...it's from a song. Poetry, which lyrics might be considered as, is usually separated by commas. I don't want a vertical .sig, so it's totally horizontal. I should have probably used /'s, but I didn't. As for the final period, poetic license. Then again, it might have been gobbled up by slashdot.org

    --
    ping -f 255.255.255.255 # if only

  36. Re:Monitoring employees by Ken+Williams · · Score: 1

    do you want your employers/coworkers/underlings to live in fear that they will get caught if they attempt to find security holes? i'd much prefer that they be encouraged to look for holes and report them, so that they won't be exploited maliciously.

    in corporate environments, the only employees who should be doing vulnerability assessments are those contracted specifically to do so, or those (network and security admins) who have this duty listed specifically in their job descriptions.

    anybody who trips my honeypot sensors is obviously snooping around where they are not supposed to be - they have no valid reason to be hitting the honeypot. furthermore, they are most likely not doing the tasks/jobs that they were assigned to do.

    when you get out into a large corporate environment, you'll quickly learn that the network admins do not want you to be snooping around, and probably that you don't have the time to snoop around anyway.

    i do vulnerability assessments and security audits for a living, but if i contact one of the network admins here and tell him that i found a security hole, the first thing he'll ask is why the heck i was poking around HIS servers without HIS expressed, written, contracted permission in the first place. my poking around has created more work for him, and for the other ppl who check those logs, respond to the alarms, etc.

    i personally found a security hole once in the censorware running in the media center of my school library. i informed the librarian of the hole and was promptly banned from the library for the rest of the year. not having read the library's computer use policy, i didn't realize until years later that the policy specifically said to report any security holes found.

    corporate life is very different. when you are working on a $500 million project, and the network admin notices that you're poking around in an R&D database that you're supposed to have only limited access to, or no access to at all, you'll be hung, drawn, and quartered, because you are now one of the zillions of people suspected every year of stealing and selling corporate secrets, or of sabotaging the company for whatever reason. after you die, they'll ask your next-of-kin why you were poking around that server in the first place.

    if you work someplace where they actually pay you to perform random security audits whenever you get the urge to nmap or smurf all of your corporate nodes, and want you to report your findings, then that's great. i really doubt that any Fortune 1000 (or virtually any) company encourages their employees to practice corporate security audits on the company LANs as a hobby though, especially while working.

    (posting anonymously because my employer has really bad security policies)

    after you're done packet-fragging the company's production web servers, feel free to contact me to help you develop a more reasonable security policy.

    [note: don't take the apparent harshness of my reply personally - i work _very_ long hours and weeks, and it's friday, so i'm using you as my venting scapegoat. i'll return to normal after my second cup of coffee monday morning. thanks for taking the time to comment on my post - you have raised thought-provoking, interesting points.]

    --
    -- ken williams
  37. Re:Honeypots can be illegal by Shafik · · Score: 1

    HoneyPots can be a form of entrapment


    Unless you are in law enforcement it cannot be considered entrapment. This has been discussed on Bugtraq and many other lists. www.securityfocus.com, go to forums and then bugtraq; I don't remember the title of the discussion, but it was within the last month or so.

    Although you might be liable if they use your machine as a jump point to launch more attacks.

  38. The military uses them... by starman97 · · Score: 1

    In one of my training classes in a previous life, we had a former DOD info security person, and the subject of crackers came up via discussing java class decompilers. He used to run a few systems in .mil that were connected to the Internet. They had systems with basic levels of security that were filtered mirrors of systems that had non-classified info. They used them to attract/eavesdrop on system crackers to learn their techniques. They logged all packets and system operations transparently to the cracker. What they really wanted was the cracking tools; they would let the system be compromised and 'owned' for a while in order to get the binaries to site cracking tools. They had the budget to write decompilers and object code identifiers that could examine a binary and determine what language and compiler revision had generated it. (I guess not many cracking tools are written in assembler.) He said they would decompile the tool, examine its code and after a while pull the system when nothing new had shown up, apply fixes to block the old tools, rename it, then wait to see what new attacks showed up. They used this only to gather info-war techniques, not to arrest crackers, although I'm sure they tried to identify them for future reference/surveillance. This was his team's only job; they would keep upping the bar to getting into the system, or leave the newest exploit open for a while to see how it was done.

    In all, it was a pretty interesting discussion we had after one of our class sessions...

    --
    Starman97@Gmail.com (bring it on spammers)
  39. Honeypot by ajakk · · Score: 1

    The best thing to do with a honeypot is to have it set up behind your firewall. If someone breaks through your firewall and scans your internal network, they will be attracted to your honeypot first. This will probably give you enough time to see the intrusion taking place and take appropriate measures. Check out the Deception Toolkit for a decent program to handle the honeypot.

    Before you even begin to work on setting up a honeypot, you should first secure your network as well as you can. The honeypot should only be used as a second(or third) line of defense.

  40. it's called iplog and a perl script by aithien · · Score: 1

    On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator etc). Anyone know of something like this?

    Run iplog to stdout and use a perl script as a "wrapper", then manipulate your firewall rules based on the output.
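
An added example of the "iplog to stdout, script as a wrapper" idea, written in Python rather than Perl and not code from the post or from iplog itself: it reads connection-attempt lines, flags a source that touches ten distinct ports within five seconds, and emits (does not run) an iptables rule, lifting it again after a TTL. The log line format, the thresholds, the never-block networks and the iptables commands are all assumptions; the never-block list is there because an auto-blocker fed spoofed sources can be turned against you, as cowbutt notes in comment 30.

```python
import ipaddress
import re
from collections import defaultdict, deque
from typing import NamedTuple, Optional

# Constructed stand-in for one line of connection-attempt logging; this is NOT
# iplog's real output format. Adjust LINE_RE to whatever your logger prints:
#   "<epoch seconds> <TCP|UDP> port <dport> from <source ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>TCP|UDP) port (?P<port>\d+) from (?P<src>[\d.]+)$"
)

WINDOW = 5.0        # seconds of history kept per source (assumed tuning)
THRESHOLD = 10      # distinct ports within WINDOW that count as a scan
BLOCK_TTL = 3600.0  # seconds a block stays in place before it is lifted

# Sources that are alerted on but never blocked: your own nets, monitoring
# hosts, business partners. Constructed values; a spoofed packet claiming one
# of these addresses must not be able to cut you off from it.
NEVER_BLOCK = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]


class Alert(NamedTuple):
    src: str
    ports: tuple            # distinct ports touched inside the window
    action: str             # "block" or "alert-only"
    command: Optional[str]  # firewall command to run, if any


def block_cmd(src: str) -> str:
    # Returned as a string; whether to execute it is the wrapper's decision.
    return f"iptables -I INPUT -s {src} -j DROP"


def unblock_cmd(src: str) -> str:
    return f"iptables -D INPUT -s {src} -j DROP"


def is_exempt(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in NEVER_BLOCK)


class ScanDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD, ttl=BLOCK_TTL):
        self.window, self.threshold, self.ttl = window, threshold, ttl
        self.history = defaultdict(deque)   # src -> deque of (ts, port)
        self.blocked = {}                   # src -> ts when blocked
        self.noted = set()                  # sources already reported
        # Note: history grows with the number of distinct sources seen; in
        # production bound it (e.g. drop idle sources) so spoofed floods
        # cannot exhaust memory.

    def feed(self, line: str) -> Optional[Alert]:
        """Consume one log line; return an Alert when a source crosses the
        threshold, otherwise None. Lines that do not parse are ignored."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, port, src = float(m["ts"]), int(m["port"]), m["src"]
        hist = self.history[src]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()                  # forget hits older than the window
        ports = tuple(sorted({p for _, p in hist}))
        if len(ports) < self.threshold or src in self.noted:
            return None
        self.noted.add(src)
        if is_exempt(src):
            return Alert(src, ports, "alert-only", None)
        self.blocked[src] = ts
        return Alert(src, ports, "block", block_cmd(src))

    def expire(self, now: float) -> list:
        """Lift blocks older than ttl; return the commands that undo them."""
        stale = [s for s, t in self.blocked.items() if now - t >= self.ttl]
        for s in stale:
            del self.blocked[s]
            self.noted.discard(s)           # eligible for detection again
        return [unblock_cmd(s) for s in stale]


if __name__ == "__main__":
    import sys
    det = ScanDetector()                    # e.g.  iplog ... | python3 this.py
    for raw in sys.stdin:
        alert = det.feed(raw)
        if alert:
            print(f"{alert.action}: {alert.src} ports={alert.ports} cmd={alert.command}")
```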

  41. BackOfficer Friendly by nutsy · · Score: 1

    MS-Windows version is cashware, UNIX version is downloadable after you fill in a nosy marketing survey ... I mean registration.

  42. Re:An Evening with Berferd by Pelerin · · Score: 1

    The PostScript version of this paper can be found here

  43. Re:Honeypots can be illegal by Mignon · · Score: 1
    Like putting a larger fake diamond in front of your more valuable, more hidden valuables.

    I once heard someone say they would leave a $100 bill lying around in an obvious place in their house. Their idea was that encountering a burglar was potentially worse than actually being robbed. Their hope was that a burglar would take the easy reward and split, rather than linger, looking for the better (but harder to carry) goods, or risk encountering the resident.

  44. Re:Honeypots, entrapment, and you by Mignon · · Score: 1
    3. They send their logs to another system for 'safe keeping'; a sniffer will see this traffic.

    Can you send the logs through a direct serial connection to help prevent a sniffer from detecting it?

  45. Re:Simulated environment is not a good idea by zztong · · Score: 1

    I don't believe it is entrapment for two reasons...

    1. There's a crime already in progress.

    2. Entrapment is when a law enforcement official tempts you into committing a crime, or something like that.

    ... of course I'm not a lawyer and this is just how I understand things to be.

  46. Example of a Honeypot from SDSC by paul930 · · Score: 1
    Off a link from the cryptogram newsletter at counterpane.com

    Note that they did not publicize it in any way. They just set up the system and left. Not exactly entrapment.

    SDSC honeypot Paul

  47. Re:Honeypots can be illegal by PinkPanther · · Score: 1
    It can only be entrapment if you are trying to prosecute them. If the point is to simply watch them and better understand their tactics, then the only issue IMO is moral, not legal.

    I think the point to the honeypot is to encourage hackers to come in. You are trying to get them to come so that you can monitor them (at least that's how I read the original question).

    Besides, closed doors don't frustrate hackers...it simply forces them to look harder for ways in.

    --
    It's a simple matter of complex programming.
  48. Re:Dumb idea by Alanzilla · · Score: 1

    "But I'm not suave and sophisticated... I mean, I'm not no Charles Bronson!" - Nick, on Family Ties

  49. Re:Dumb idea by paRcat · · Score: 1

    um, as many have pointed out, this isn't entrapment. Your 'firm' could even be a law enforcement agency and the cracker STILL couldn't claim entrapment. The reason being: you aren't openly trying to get anyone to break the law. Your server is there, it's the cracker's choice whether to target it or not.

  50. This is NOT Entrapment by CentrX · · Score: 1
    A honeypot is not entrapment. The legal definition of entrapment is a situation whereby law enforcement officers encourage somebody to commit a crime that they were not already disposed to do. The American Heritage Dictionary of the English Language, Third Edition defines "entrapment" as the noun for the verb "entrap," which means "To lure into performing a previously or otherwise uncontemplated illegal act."

    By the legal definition, if you are not a law enforcement officer, you cannot entrap. By both the legal definition and the dictionary definition, a honeypot is also not entrapment. A hacker who cracks the honeypot system is doing it of his own volition, without outside enticement. It is not a previously uncontemplated act, nor is the hacker not otherwise disposed to do it. The person who sets up the honeypot is not going out and telling everyone about the system. So, in order for it to be found vulnerable, the person has to specifically find the vulnerable system, which is just one of many which the person scans, looking for systems to crack. If the person who sets up the honeypot system "advertised" the system and presented some sort of bounty for a successful penetration, it would fall into the dictionary definition and part of the legal definition. As the person is not a law enforcement officer, it does not fulfill the legal definition. Also, the article states that the goal is not to capture the cracker, but rather to monitor what they do.

    And consider this: what about those groups such as LinuxPPC that specifically request someone to crack the system for a prize. Is this illegal? No. They are not law enforcement officers, nor is the goal to capture and punish the intruder(s).

    Chris Hagar

    --

    "The price of freedom is eternal vigilance." - Thomas Jefferson
  51. Re:"Cuckoo's Egg" by LostOne · · Score: 1

    Yup, that's exactly what Cliff Stoll did. However, it took him many months of time and considerable resources to do the watching (not to mention the admins of sites that were getting broken into were unresponsive, "My site is impenetrable..."). I wouldn't think it would be very useful for the average sysadmin who is under pressure from "management" to "cut costs" and "keep the system working at peak efficiency" and all those "buzzwords".

    Then again, "The Cuckoo's Egg" should be required reading for anyone who plans to do system administration.

    --

    If it works in theory, try something else in practice.
  52. I agree - some thoughts by Delusion_ · · Score: 1

    I love the Jargon File, and I've contributed to it. To me, the "cracker vs hacker" is its primary weakness.

    Rather than being language lawyers and trying to call a spade a club, we as geeks need to get used to the fact that English is a much looser language than C.

    It's about context. "Hacker" is like any word that has different meanings in different contexts. Demanding we call people who call themselves hackers "crackers" doesn't make them look any worse, it makes us look uninformed and petty.

    Hacker also means a (good?) golfer. When I saw a shop called "The Hacker's Hole", I didn't march into the store and demand they change the word "hacker" to "golfer".

  53. Hackers vs crackers by spinkham · · Score: 1

    This is a dumb debate. The "crackers" that I know, both "white hat" and "black hat" call themselves hackers.
    To coders, a hacker is one who can make computer do cool things.
    To security people, a hacker is someone who breaks into systems.
    To Engineers, a hacker is one who does shoddy work.
    ESR is a rather smart guy, but enforcing his terminology on everyone else is just dumb.

    --
    Blessed are the pessimists, for they have made backups.
  54. Re:Honeypots can be illegal by AndrewHowe · · Score: 1

    So the distinction is between passive and active? So if you are passive it's OK, but if you perform some act to encourage the bad guy, then that's entrapment.
    I can see that point of view, but it seems to me that the question then becomes, "how active is this honeypot"? It doesn't seem 100% passive to me. Surely you are by definition inducing them "to perform an illegal action that they would not have otherwise performed."
    Otherwise, why did you bother with the honeypot?
    Is it OK to instrument your system so you can watch anyone who turns up, but you're not particularly bothered whether they do or not?

  55. Re:What, no pedantism? by babbage · · Score: 1

    whatever



  56. Re:What, no pedantism? by babbage · · Score: 1

    s/pedantism/pedantry/, no?



  57. the most useful thing in the article by tackle · · Score: 1

    The linux repair disks mentioned in the article are the coolest and most useful Tech helper I have come across in a long time.
    This is the one mentioned in the article it works great.

    tomsrtbt

  58. Re:Simulated environment is not a good idea by punkass · · Score: 1

    That said, it's time you got yourself a new sig. Thank you.

    Just so you know, your sig is a waste of space. Telling people in your sig (or at least the last line of every message) the exact same thing in the exact same way every time will belittle people's feeling and make them feel like you aren't giving them enough personal attention. How do we know that you aren't a person, but actually a bot configured to attack and respond to specific sigs? Besides, the repetition might lead people to believe that you're a (sakes-alive!) troll.

    That said, it's time you got yourself a new sig. Thank you.

    --
    "Nobody owns the fucking words man." - James Dean
  59. a trolling ask slashdot question... by matman · · Score: 1

    If you ask me, i'd say that this is a pretty low quality ask slashdot question. Read pretty much ANY security book and they'll cover honeypots. It's like me doing an ask slashdot asking "Does X4 support truetype fonts?".

    Mat.

  60. Re:a reference for previous work by heliocentric · · Score: 1

    I personally loved that book and would like to add that it's not only up to date enough to be useful, it's entertaining.

    If you are an admin concerned in the least with security, don't buy into the recent hype about supposed security books that just republish commonly known things (like don't use password for your password).

    --
    Wheeeee
  61. {h|cr}acker issue by rlowe69 · · Score: 1

    I'm a bit surprised that the lead article didn't split hairs about the whole {h|cr}acker thing.

    I'm not.

    The days of (hack == good) are over. More and more people are associating the term with the negative stigma the computer ignorant media has given it. Techs don't want to use this term because they may be risking offending an ignorant party (like their bosses).

    We tried "cracker" out on the media, but it just didn't take. "Hacker" has a better ring to it; with that attack-with-an-axe connotation that makes people shiver just at the sound of the word in a newspaper headline.

    Although it's unfortunate these people are unaware of the origins of it, we just have to accept that and move on. The definition of a word is usually the one which is most commonly used, not necessarily the correct one.

    Of course, we'll still use it in our circles. It'll be our little "joke". :)

    --
    ----- rL
  62. whoa! by mattr · · Score: 1

    Slashdotted already! Keerist!

  63. Re:Simulated environment is not a good idea by Eil · · Score: 1



    This is exactly the point I was trying to prove, except I wasn't quite as... er... ya know. And also the guy (Shane) that replied to this post with his definitions of various groups has it right on the money. I just didn't have the time earlier today to go through all that. Had a point and I stated it.

  64. Re:Simulated environment is not a good idea by Eil · · Score: 1

    The AC who submitted the above comment gets a hearty handshake from me. And here's why.

    I, for one, am thoroughly sick of the *NIX, OSS, programming, etc communities on a mad rampage about the definition of a single word. I mean, waltzing around going "Oh, you must mean 'cracker,' because a 'hacker' is just another name for a programmer." So based on that statement, it would make perfect sense for a university to offer a class called "Object Oriented Hacking using C++"? Get serious.

    Bottom line, if hackers themselves want to be known as hackers and you want to change their label (what they are known as), that seems to me to be worse than any sin the open-source software community exists to rebel against.
    Cases in point:
    • 2600: The Hacker's Quarterly.
    • PHRACK (combo of phreak and hack)
    It seems to be that some are just irate that the word "hack" has two different definitions: one which applies to two separate groups of people, and one definition that applies only to a certain group. And they can't deal with the fact that the audience might have to use their brain to figure out the correct definition based on context.

    </END RANT>
  65. Rules of entrapment by DebtAngel · · Score: 1

    There is one major rule to entrapment that makes the honeypot legal. In order to claim entrapment, the defendant has to prove the police/corporation/whatever made you commit a crime that you would not have normally done. In the classic example, if you fence some goods to a cop, there is no entrapment. But, if the cop bullied you into robbing a place and then fencing the goods to him, there is obvious entrapment.

    Entrapment would only apply in this area if you did something like set up a cracking contest, and then charged the winner of the contest for cracking the system.

    --

    Is this post not nifty? Sluggy Freelance. Worshi

  66. Hacker / Cracker Give it up already by Tweezer · · Score: 1

    Is anyone besides me just sick of people trying to make this distinction? Talk about a total waste of time. Let's face the music on this one folks, the war is over and we lost. The use of the term "hacker" media has caused the definition of the word to change and nothing can be done about it. Now let us get over it and move onto something else. Someone please come up with a new word we can use and everything will be fine.
    Feel free to moderate this as flamebait or off topic, but I just couldn't take it anymore.

  67. Done by spuk · · Score: 1

    There is a document about something like this entitled 'An Evening with Berferd - A cracker from Norway is "lured, endured, and studied."' on the Documentation section of rootshell. Here is the link:
    http://rootshell.com/docs/berferd_cheswick.ps.gz
    Check it out.

    --

    "Video bona proboque; deteriora sequor." -- Ovid
  68. Re:Honeypots can be illegal by B1 · · Score: 1

    Surely you are by definition inducing them "to perform an illegal action that they would not have otherwise performed." Otherwise, why did you bother with the honeypot?

    I see your point. I'm not sure where you draw *that* line. Maybe there's a difference between encouraging an intruder to stay logged in, vs. encouraging him to break in in the first place? It's probably a good idea to involve law enforcement if you're looking to prosecute using evidence obtained from a honeypot system, so they can help you avoid entrapment.

    Personally, I think you're OK if you don't make special efforts to bring intruders to your system. In other words, if you set one up, don't go and announce it on #scriptkiddies to draw visitors--that's probably entrapment.

    If they find your system on their own, decide to break in (again, on their own), and then make obvious attempts to damage it (on their own), then your case is much stronger.

    The one thing I'm not sure about is whether you can prosecute, if they only get into your honeypot. Even if somebody breaks in and tries to wipe it out, you might have a tough time proving actual damage--after all, you *probably* didn't have anything valuable on it to begin with.

    Clifford Stoll wrote "The Cuckoo's Egg", which is based on a true story. If you're at all interested in computer security, I highly recommend it--he does a good job of writing for the average reader, while not dumbing it down too much for the rest of us :)

  69. Re:Honeypots can be illegal by B1 · · Score: 1

    As far as I know (and I'm not a lawyer), you have to induce somebody to perform an illegal action that they would not have otherwise performed.

    A well-planned sting operation is legal, but you have to set it up so that the suspect commits the illegal act on their own. An undercover cop posing as a drug dealer is fine, provided the customers initiate the deal of their own intent.
    Approaching a stranger, trying to get him to buy drugs, then arresting him when he does, is entrapment.

    In the case of a honeypot, they've already decided to break into your system. The idea isn't so much to see what kind of damage they intended to do (though that would probably support a case against them as far as showing malice). The idea behind a honeypot is to keep them busy long enough that you can log them, and maybe trace the attack back to the source.

  70. Re:Simulated environment is not a good idea by S_hane · · Score: 1

    For the sake of this argument, let me define the following four groups:

    Group A: People who attempt to gain illegal access to machines on the internet for the 'fun' of it, but with no malicious intent.

    Group B: People who attempt to gain illegal access to machines on the internet WITH malicious intent.

    Group C: People who are adept at writing C/C++ code very quickly to do a specific thing (or similar)

    Group D: Everybody else (esp. mainstream media).

    Right.

    Group A call themselves "Hackers".
    Group A call Group B "Crackers".
    Group B usually call themselves 31337 H4x0r5
    Group B usually try to lump group A in with themselves.

    Group C call themselves "Hackers".
    Group C also call Group A "Hackers".
    Many people in Group A are also in Group C.
    Most people (but not all) in Group B are NOT in Group C.

    Group D hasn't got a f**king clue, and calls them all the same thing - "hackers". The hasn't got a f**king clue bit is fairly immaterial in this case, as they all call each other "hackers" anyway...

    Basically, I think that the following naming scheme is appropriate:

    Group A: Hacker
    Group B: Cracker
    Group C: Hacker (as well. Use context.)
    Group D: Morons

    -Shane Stephens

  71. Re:Hacker != Cracker [OT] by RollingThunder · · Score: 1

    Why?

    Because there's a huge contingent of clueless idjits reading here that think that the stuff in italics is written by the Slashdot team, rather than being whatever the submitter wrote, accurate or not.

    If you're going to get blamed for it (and you can see that people were blaming them for it), then you might as well edit it... especially if you're an editor, rather than a moderator. I am of two minds on it, I'd like the CT and the rest to correct blatant errors, but the setup isn't exactly reporter -> editor.

  72. Re:Fooling? by gid-foo · · Score: 1

    That's a great idea, except it seems to only weed out the spoofed ips with no real identity behind it (i.e. source x spoofing as y where y doesn't exist). But in the event you can get a valid connection to the remote host...
    The goal is to shut out real ips not made up ones. Therefore, you could start at any point in the ip address range (preferably one you know is valid) and march through subnets. The NIDS tries doing a backwards syn/ack. The invalid ips will get dropped but the valid ones will be banned? Hmmmm this syn/ack methodology doesn't appear to solve anything.

  73. Re:You need Gooood skills to make a goood honeypot by gid-foo · · Score: 1

    Actually, that's one great use for Honeypots. Get the source for the latest and greatest root kits and other tools. There's a great example of this at (I think) the UC Davis security page. If you check over at security focus you can find some links re: honeypots. Honeypots are useful for documenting current best practices in use by illicit hackers (and crackers).
    sorry for the lack of real links, I'm still finishing my coffee, even typing this is a great strain.

  74. Re:Fooling? by gid-foo · · Score: 1

    This then becomes the DOS. If you're a site which wants to have the general public show up shutting out large portions of the net doesn't work. That's the problem with NIDS that auto link to your firewall/router and start denying access to unfriendly networks. Anyone can spoof ips and by doing so in an organized way a decent attack could shut down your site by using the "advanced" capabilities of your IDS.
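
An editorial addition that ties comment 40 (iplog piped through a wrapper script that rewrites firewall rules) to the objection in comments 72 and 74 (anyone can spoof source addresses, so an auto-blocker can be turned into a denial of service). This is not code from any poster: it is an added Python example using a constructed log line format rather than iplog's real output. The wrapper counts distinct destination ports per source inside a sliding window, never blocks sources inside the networks you list as protected (it only alerts on those), and gives every block an expiry so a spoofed burst costs a bounded outage. The iptables command strings it renders are a modern stand-in for the ipchains rules this thread would have used.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example; real iplog output looks different.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) TCP: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line, year=2000):
    """Return (timestamp, source_ip, destination_port), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dport"])


class ScanDetector:
    """Flag a source that touches many distinct ports within a short window."""

    def __init__(self, port_threshold=6, window_seconds=30, block_ttl=600, never_block=()):
        self.threshold = port_threshold
        self.window = timedelta(seconds=window_seconds)
        self.ttl = timedelta(seconds=block_ttl)
        # Your own networks, DNS, upstream routers: addresses a spoofer could
        # impersonate to make the auto-blocker cut you off from yourself.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.hits = defaultdict(deque)   # src -> deque of (timestamp, dport)
        self.blocked = {}                # src -> expiry timestamp
        self.alerted = set()             # protected sources already reported

    def _protected(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.never_block)

    def feed(self, ts, src, dport):
        # Blocks expire, so a spoofed burst only costs a bounded outage per address.
        for ip, expiry in list(self.blocked.items()):
            if expiry <= ts:
                del self.blocked[ip]
        if src in self.blocked or src in self.alerted:
            return None
        q = self.hits[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - self.window:   # drop hits outside the window
            q.popleft()
        if len({p for _, p in q}) < self.threshold:
            return None
        if self._protected(src):
            self.alerted.add(src)
            return ("alert-only", src)
        self.blocked[src] = ts + self.ttl
        return ("block", src)


def process(lines, **detector_args):
    """Feed log lines through a fresh detector; returns (decisions, detector)."""
    det = ScanDetector(**detector_args)
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            decision = det.feed(*rec)
            if decision:
                decisions.append(decision)
    return decisions, det


def render_rules(det):
    """Commands the wrapper would hand to the firewall (iptables syntax; ipchains in 2000)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(det.blocked)]


# Constructed sample: one scanner, one protected monitoring host, one normal client.
SAMPLE_LOG = """\
Apr  7 03:09:01 TCP: 198.51.100.77:40001 -> 198.51.100.4:80
Apr  7 03:09:02 TCP: 203.0.113.9:51000 -> 198.51.100.4:21
Apr  7 03:09:02 TCP: 203.0.113.9:51001 -> 198.51.100.4:22
Apr  7 03:09:03 TCP: 203.0.113.9:51002 -> 198.51.100.4:23
Apr  7 03:09:03 TCP: 198.51.100.77:40002 -> 198.51.100.4:443
Apr  7 03:09:04 TCP: 203.0.113.9:51003 -> 198.51.100.4:25
Apr  7 03:09:04 TCP: 203.0.113.9:51004 -> 198.51.100.4:80
Apr  7 03:09:05 TCP: 203.0.113.9:51005 -> 198.51.100.4:110
Apr  7 03:09:06 TCP: 203.0.113.9:51006 -> 198.51.100.4:143
Apr  7 03:09:10 TCP: 192.168.1.20:33000 -> 198.51.100.4:22
Apr  7 03:09:10 TCP: 192.168.1.20:33001 -> 198.51.100.4:25
Apr  7 03:09:11 TCP: 192.168.1.20:33002 -> 198.51.100.4:80
Apr  7 03:09:11 TCP: 192.168.1.20:33003 -> 198.51.100.4:443
Apr  7 03:09:12 TCP: 192.168.1.20:33004 -> 198.51.100.4:8080
Apr  7 03:09:12 TCP: 192.168.1.20:33005 -> 198.51.100.4:3306
Apr  7 03:09:20 TCP: 198.51.100.77:40003 -> 198.51.100.4:80
"""

if __name__ == "__main__":
    decisions, det = process(SAMPLE_LOG.splitlines(), never_block=("192.168.0.0/16",))
    print(decisions)
    print(render_rules(det))
```

Run against the sample, the scanner is blocked on its sixth distinct port and the monitoring host in 192.168.0.0/16 only raises an alert; leave never_block empty and the same input blocks both, which is exactly the self-inflicted outage comment 74 warns about. A real wrapper would read iplog's stream instead of SAMPLE_LOG and apply the rendered rules, removing them when the expiry passes.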

  75. Re:Detection by gid-foo · · Score: 1

    Oops I meant Cheswick and Bellovin.

  76. Re:You need Gooood skills to make a goood honeypot by AndyL · · Score: 1

    A primitive version of what you suggest is "BackOfficer Friendly". It's great fun. When a skript kiddy port scans you it reports that a bunch of your ports are open. And it reports that you're running Back Orifice. Then you can sit back and watch as they try to be 31337 hackers.

    Unfortunately it only carries the illusion so far. There are no files to be FTPed and no matter what login/password combo they try they can't log in through telnet. It'd be cool to have a program that carries this to the next level.

    BOF can be found here. Although It doesn't seem to be shareware anymore. At least I can't find the download.

  77. Re:Honeypots can be illegal by Dazed&Confused · · Score: 1

    The subject on this mail is actually quite deceiving. Entrapment is not illegal; rather it makes it difficult if not impossible to prosecute the perpetrator. If all you are considering is that you want to have a place to keep the script-kiddies busy, then have a good time. Otherwise, I would suggest trying to keep your box as secure as possible so that you never have to question how experienced your hacker really is.

  78. This is good, real good... by MicroBerto · · Score: 1
    This guy knows his stuff well, and from what I'm reading, I'm saying "easier said than done!"

    He has many steps, taken here:

    Firewall that's logging stuff and can give reports/alerts.

    Logging local stuff on a remote server so that if the honeypot's logs are destroyed, they're still really around..

    Then run a sniffer, capturing, like the first 300 bytes of each packet, checking for evil words (kinda like the USA CIA captures certain words if you're on the phone with someone... there's like a list of 500 no-no words on the phone).

    Then he runs tripwire to see if any binaries have been changed.

    When a cracker gets root, he monitors it and sees what he does. This is VERY important, because you must know your enemy, and then for future reference, secure anything that he would want to touch.

    And then he's like "that's it", and brushes it off his shoulder. Were I to do much of this, I'd have lots of learning to do!

    Mike Roberto (roberto@soul.apk.net) - AOL IM: MicroBerto

    --
    Berto
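
The tripwire step in the list above, as an added Python example (an editorial addition, not the article's tool and not this poster's code): a minimal integrity checker that baselines every regular file under a directory and reports additions, removals, and any change in hash, size, mode or ownership. The directory tree, file contents and the "after" changes are all constructed for the demo. The comment's point about keeping logs off the honeypot applies to the baseline as well, which is why the demo serialises it before the changes and diffs against the stored copy rather than against anything still on the box.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a replaced binary usually changes."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size, "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(root) -> dict:
    """Relative path -> fingerprint for every regular (non-symlink) file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose recorded attributes differ from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diffs:
            changed[name] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Baseline a constructed tree, apply the kinds of change a compromise leaves, diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary (constructed)")
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)

        # The baseline must leave the box: serialise it and store it with the remote
        # logs, because a database the intruder can edit proves nothing.
        stored = json.dumps(build_baseline(root))

        # Constructed changes: a binary replaced by one of identical size (only the
        # hash differs), a tool deleted, a permission change, and a new hidden file.
        (root / "bin" / "login").write_bytes(b"replaced login binary (constructed)")
        (root / "bin" / "ls").unlink()
        os.chmod(root / "etc" / "passwd", 0o600)
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"dropped file (constructed)")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size replacement is the case worth noticing: a checker that compares only size and mtime misses it, which is why the hash is in the fingerprint. On a real honeypot you would baseline the system binaries and configuration directories right after install, compare from a clean host against the stored copy, and treat the checker's own binary and database as part of what must live off the box.
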
  79. Re:Simulated environment IS a good idea by kbh3rd · · Score: 1
    Didn't Computer Associates or some such actually create a system for this purpose? I even recall that it could simulate an entire network.

    NAI has CyberCop Sting. It's supposed to simulate an entire subnet with various boxes on it, all simulated in software on one machine. I'm sure you can read about it on NAI's site. Sounds like fun. Whether it's wise in a given situation is a question I'll leave to others.

    --
    "Ideosyncratically euphistic eccentricities promulgate triturable obfuscation."
  80. Honeypots ARE useful by MattW · · Score: 1

    Honeypots can be useful, but you need to maintain control over the system. The ideal honeypot runs its external services in a chrooted cage, and has an administrative access that isn't apparent from the outside (say, ssh on a high filtered port that to most ips will seem like there's no service there). Under such circumstances, crackers can reveal their MO, helping to keep an eye on other machines, or even upload their tools. I've seen cases where this has been incredibly useful. Moreover, it may be possible to track them while connected and distracted, but primarily, powerful logging will give you a much better idea of who's doing the dirty deeds and why. Getting a copy of a modified sshd the intruder is installing on vulnerable boxes, for example, might yield the secret backdoor password and make it easier to check for other compromised boxes, etc. It's irresponsible to give them a box on a platter that isn't in a cage. (even though it may be possible to escape it, history has shown most crackers don't notice until it's too late)

  81. CIA by bobv-pillars-net · · Score: 1
    I've heard that the CIA does this. A friend of mine tells the story that he and some buddies broke into a government computer system while they were in high school. Slowly, they burrowed through layer upon layer of security checks. And when they finally got to the bottom, they found a note congratulating them on their efforts and giving them the choice of joining the CIA or going to jail.

    Actually, only the ringleader got the "jail" alternative. The others got an offer of employment, plus the warning that they'd be watched from now on.

    To this day, the guy is paranoid about computer security. His email bounces through a dozen more-or-less anonymous remailers before he gets it, and he's got at least three pseudonyms on the net, none of them related to his real name.

    --
    The Web is like Usenet, but
    the elephants are untrained.
  82. Re:Fooling? by gordzilla · · Score: 1

    There may indeed be a way of thwarting a DDoS attack. Check out this article...

    http://rootprompt.org/article.php3?article=297

  83. Typical Security Move by Life+Blood · · Score: 1

    This sounds a lot like current security methods for secure installations like large banks. The basic idea is that someone will be able to get into your secure site if they're determined enough. There is always a security hole somewhere so getting in is the (relatively) easy part. You break in, you snoop, you go for the goodies. But you can't get out. Secure installations are designed to prevent crooks from leaving not from entering. They are traps. According to security individuals this is a much more efficient method of security because once you catch the crook you can find out how he got in and fix/monitor the hole.

    Is this "entrapment"? Not in the legal sense. Legal entrapment would be hiring the "hacker" to break into your honeypot. Or saying, "I bet you can't break into this box" or such. This is not the case, though. If you simply have a honeypot and the "hacker" is breaking in uninvited this is not entrapment in the legal sense.

    The problem is that this technique won't work as well online. The "hacker" can always just hang up and he's gone no matter how tight your e-trap. It may, however, allow you to flag hackers and find security holes much more quickly, so it's still worth a try.

    --

    So far I've gotten all my Karma from telling people they are wrong... :)

  84. cheswickian ideas by thelaw · · Score: 1

    it's a tough decision to make. on one hand, observing a honeypot machine carefully could be very valuable for finding out how a cracker works. this might even yield good findings on new exploits, etc.

    on the other hand, if they compromise the machine with your knowledge and start attacking other sites with it because you were too busy to shut it down, then there are definitely cases where you might be liable. an easy way around this would be to use ipchains or a firewall to block outgoing connections from that machine.

    another consideration: does the machine go inside or outside of your firewall? if inside, you've just given 31337 h4x0r prime access to your network (even if it's a switched ethernet). if outside, you can't keep control of the honeypot's network usage.

    probably the best setup for a honeypot is that described in cheswick/bellovin (1994), firewalls and internet security. they implemented their honeypot as a chroot jail on the outside gateway. they set up a "callsucker" that would snag outside connections, relay them to the inside gateway, log the traffic, relay the connection back to the outside gateway (i haven't figured that one out yet) and then to the chroot "jail." from here they were able to log all access to the jail and monitor berferd's activities.

    still, they trod in dubious legal territory by allowing berferd to attack outside sites with their full knowledge.

    it's a tough call.

    jon

    --
    -- http://www.cerastes.org
  85. Re:"Cuckoo's Egg" by thelaw · · Score: 1

    what stoll describes is a real-machine-turned-honeypot. AC was suggesting a machine dedicated to monitoring activities, so no important accounts or information could be compromised. stoll's compromised box was still being used for departmental affairs (an odd choice) but monitored. in this case, the admins would not allow anything important to get on the honeypot.

    jon

    --
    -- http://www.cerastes.org
  86. simply for education by StanSmith · · Score: 1
    It's my feeling that a honeypot is a great tool if you're interested in learning the behavior of crackers, but not a good tool for increasing your network security.

    They're used to attract, and attracting attention is not really what you're after. Simply having a network connected to the internet is honey enough to keep any number of security people busy.

    Save the honeypots for people conducting research, and then just learn from the risks they took.

  87. Re:Crackers? What term is this? Doofy MCSE's?? by Caspuh · · Score: 1

    does this mean that just because someone is a criminal, they aren't a hacker?

  88. i remember a honeypot by Jeep+Bastard · · Score: 1

    I remember this time Southwestern bell made a honeypot to catch me. It was a VAX running VMS offa their x.25 subnetwork for their internals. They had noticed us because of a slip up of my friend in patching Sys V login that was already modified for special logins for CAT terms. They sweetened the pot by dumping a bunch of Bellcore Hacker warning digests. these digest basically outlined what attacks people were using and who the government was monitoring and what hacker hang outs (chats and bbses) they were logging and stuff. It was VERY interesting. One problem was we had downloaded them all already (thanks ameritech!) , so it didn't work. Isn't it great that hackers don't have access to Telco internals anymore? The world is a better place!

    http://www.iretro.com

    --

    http://www.iretro.com
    Empeg Kicks Ass
  89. Making a GOOD honeypot. by Jeep+Bastard · · Score: 1

    I think just making a system with holes in it is not enough. If there is nothing to hack there , you won't get a chance to see any good skills.

    The best way to make a honeypot is probably make it a nice machine in your network that somehow forgot to be put behind the firewall. Name it something nice too. Like secure.domainname.com
    or communications.domainname.com . Something more esoteric will do too. Something that will raise curiosity.

    The machine should have obvious things blocked so you can see the real toys come out. The machine should also give a message on connect that's quite interesting and then disconnect

    *************************
    * this system is for *
    * authorized users only *
    * super.domain.com *
    * cell phone database *
    *************************

    guys will try all day long with the big guns! probably pass it to a dude who knows what he is doing.

    remember.. this is entrapment. You wanna see the big guns though? do it right. You might get more than you bargained for.


    http://www.iretro.com

    --

    http://www.iretro.com
    Empeg Kicks Ass
  90. Good article on honeypots by cutshade · · Score: 1

    I found this article on honeypots to be quite interesting and informative. Gives examples of how to track people and prevent them from getting any further than the honey pot.

  91. Hacker != Cracker by Dman33 · · Score: 1

    I think it was edited because the word hacker is too broad of a term for this context. In other words, a cracker can be a subset of a hacker, but a hacker is not a cracker.

    The context in this story is of one who cracks into computers/networks. This is a cracker. Whether this cracker is also a hacker is not proven in this context, so using the term hacker is completely inaccurate.

    Hacker == one who uses unconventional tactics to solve a given problem.
    Cracker == one who uses known security flaws to gain access to a computer (or program) that they do not have rights to access.
    Are all crackers hackers? no.
    Are all hackers crackers? no.
    Can a hacker be a cracker? yes.
    Should the two terms be used synonymously? no.
    Is this story about crackers? yes.
    Is this story about hackers? no.

    I am sure that this misunderstanding will never go away..

    1. Re:Hacker != Cracker by JamesKPolk · · Score: 2

      How does any argument about definitions justify CT editing the text of an article submission?

      CT should have just eliminated the AC quote, if he wanted to remove the word Hacker.

      Misrepresentations are no fun. What if it had been a registered user's submission, instead of an AC's?

  92. Better than a honeypot... by rjwoodhead · · Score: 1

    For some time, I've been considering creating a site that had an open invitation for cracking attempts, and offered prizes to those who (a) managed to get in and (b) documented their exploit and provided the information needed to seal the hole. Just haven't had the time to get around to it, alas (blame the wife and kids, they chew up altogether too much prime hacking time!) The true hacker ethic, as I learned it back in the dark ages, is that hackers BUILD; never destroy. Thus, a true hacker, assuming he is bored and has absolutely nothing better to do than break into other people's computers, documents the exploit, scrupulously avoids any damage or interference with the target, and informs them of not only the vulnerability but also the solution. It's far more emotionally gratifying. Teaching ethical behavior to the younger generation is an obligation those of us old enough to remember when "hacker" was a badge of honor ought to take very seriously.

    --
    "World Domination - a fun, family activity"
  93. Re:A better solution by DrEldarion · · Score: 1

    Yes! They could be sent down to an office to wait in insanely long lines, only to be given a 10 minute test.

    Successfully passing this test would allow you to stand in even MORE long lines so you can get your picture for your "Surfing License".

    And, yes, of course this sounds great... only to us people over 18, though.... think about all the people who are younger than us getting violent upon reading these posts...

    -- Dr. Eldarion --

  94. Distract them, not attract them by ltcordelia · · Score: 1
    A very good use for a honeypot is as a distraction machine - but rather than having an "open" machine, have it running nicely locked down services. I've run a "portchaffer" on my home firewall before - it listens to all of the ports in /etc/services (which has been mod'ed to include some "hacker" ports), allows connections to be made, and terminates the connection after about five seconds. You'd be amazed at how long antagonists will spend trying to figure out how to get into the system.

    And while those script kiddies/hackers/crackers are hammering away at that illusion, they aren't off hammering away at my neighbors' computers.

    Everyone should run a honeypot. Create an environment so rich in targets that the bad guys won't know who to attack.

    --
    Information wants to be free
    So what? Guns want to kill, but we have laws against that.
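
The "portchaffer" described in the post above, reimplemented as an added example (ltcordelia's own script was never posted, so this is not it): bind a set of TCP ports, accept every connection, hold it silently for a few seconds and close it without sending a single byte back. Reading the port list from /etc/services-style text, the five-second hold, the loopback bind address and the HTTP probe in demo() are assumptions made for this example. Binding the real low ports needs root; demo() uses two ephemeral ports so it runs unprivileged.

```python
import selectors
import socket
import threading
import time


def parse_services(text):
    """Sorted, de-duplicated TCP ports from /etc/services-style text
    ("ftp  21/tcp  # comment"). UDP entries and comments are skipped."""
    ports = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto.lower() == "tcp" and port.isdigit():
            ports.add(int(port))
    return sorted(ports)


class PortChaffer:
    """Accept on every bound port, hold each connection silently for
    hold_seconds, then close it. Nothing is ever sent, so the client
    learns nothing about what (if anything) is behind the port."""

    def __init__(self, ports, hold_seconds=5.0, host="127.0.0.1"):
        self.hold = hold_seconds
        self.sel = selectors.DefaultSelector()
        self.listeners, self.bound_ports, self.log = [], [], []
        self.held = {}                     # conn -> (deadline, peer, local port)
        self._stop = threading.Event()
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                s.bind((host, port))       # port 0 = any free port (demo only)
            except OSError:
                s.close()                  # busy or privileged port: skip it
                continue
            s.listen(16)
            s.setblocking(False)
            self.listeners.append(s)
            self.bound_ports.append(s.getsockname()[1])
            self.sel.register(s, selectors.EVENT_READ)

    def serve(self):
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.05):
                try:
                    conn, peer = key.fileobj.accept()
                except OSError:
                    continue
                conn.setblocking(False)
                lport = key.fileobj.getsockname()[1]
                self.held[conn] = (time.monotonic() + self.hold, peer, lport)
                self.log.append((peer[0], lport, "connect"))
            now = time.monotonic()
            for conn in [c for c, (dl, _, _) in self.held.items() if dl <= now]:
                _, peer, lport = self.held.pop(conn)
                try:                       # drain and discard what the client sent
                    while conn.recv(4096):  # so close() sends FIN, not RST
                        pass
                except OSError:
                    pass
                conn.close()
                self.log.append((peer[0], lport, "dropped"))
        for conn in self.held:
            conn.close()
        for s in self.listeners:
            self.sel.unregister(s)
            s.close()

    def stop(self):
        self._stop.set()


def demo(hold_seconds=0.3):
    """Run a chaffer on two ephemeral loopback ports, connect to one with a
    constructed HTTP probe, and report what the client observes."""
    pc = PortChaffer([0, 0], hold_seconds=hold_seconds)
    worker = threading.Thread(target=pc.serve, daemon=True)
    worker.start()
    port = pc.bound_ports[0]
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    client.settimeout(5)
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed probe, never answered
    started = time.monotonic()
    reply = client.recv(1024)                   # b"" once the chaffer closes
    held_for = time.monotonic() - started
    client.close()
    pc.stop()
    worker.join(timeout=2)
    return {"ports": len(pc.bound_ports), "port": port, "reply": reply,
            "held_for": held_for, "log": list(pc.log)}


if __name__ == "__main__":
    print(demo())
```

Draining the receive buffer before closing matters: closing a socket with unread data makes Linux send a RST instead of a FIN, and that difference tells a scanner that nothing real was ever listening. Every held connection also costs a file descriptor for the hold period, so a flood of connects is the obvious way to exhaust the chaffer itself.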
  95. no honey by MonkeyMagic · · Score: 1

    ...assuming you can build a convincing enough trap so you can learn how they work.

    Possibly this is a way to do it, but surely the time would be better spent on the more mundane sysadmin task of securing your system.

  96. Necessary Redundancy Here... by phossie · · Score: 1

    Read The Article!

    He is discussing the honeypot idea as a way to learn about the existing vulnerabilities in his production systems. The article has nearly nothing to do with any kind of legal action. He wants to make his production systems more secure, so he's basically allowing others to analyze the security of his real systems without putting them in danger.

    The only legal issue is whether his honeypot can be used to exploit external systems.

    --

    [|]
  97. Make it a _very_ good honeypot... by CaptJay · · Score: 1

    If you were to set up a complete virtual environment with say a copy of the original files on your system and let the hacker in there, you could probably fool more than a few script kiddies. However such a trap would have to be very well thought out, so that the cracker's interactions with it seem to have a real effect on the environment. For example, if the cracker kills a process, it should at least pretend to die ;)

    On the other hand, fooling a very experienced cracker into thinking he is really on your system is probably a lot harder than keeping him out (which is a large enough problem by itself).

    --
    "I remember Y1K, every abacus had to get another bead"
  98. Re:Simulated environment is not a good idea by jbarnett · · Score: 1


    True. You don't go onto IRC and say "Hey will someone help me crack this machine?" err excuse me, I mean "hELp hAx0r thA MAcHInE @ 192.168.17.0"

    You setup the machine on the network, don't advertise it to be cracked and put a warning message in the MOTD or something like that, that says "Do not access this machine without permission or you will be punished under law XYZ of the USA"

    If you park your car and leave the doors unlocked in a public place and go inside and film it with a camera, if someone breaks in, they broke in, you didn't "fool" them into taking your car, you just made it a little easier for them to take it.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  99. Re: definitely not entrapment by jbarnett · · Score: 1

    Claim the machine is a "test bed" for new software and services that you wish to test out on a non-production machine before you slap version "0.0.0.1 ALPHA root admin made easy" on your high profile web server. It is a test system and it is being re-installed all the time, to try new OSes and new versions of software, so you can avoid installing a new version of XYZ software that hasn't been thoroughly tested with your setup.

    Since it is always being (re)installed with new software/OSes, just claim security was "laid back", because it wasn't meant to be a high profile server, but an internal test bed, and due to this a lot of security was "forgotten about" since it wasn't a mission critical server.

    At home I have an old 486, and I try a lot of new software on there; in the last six months it has had about 5 different OSes on it, just to test them out, and a ton of different software that I didn't want to put on my workstation till I knew it was bug-free and didn't pose a risk to my workstation (since it has all my documents stored locally). If someone cracked this machine, I wouldn't care, and wouldn't really be surprised.

    --

    "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
  100. Re:Simulated environment is not a good idea by Sheldo · · Score: 1

    Well, if you could outplay the "hackers" maybe. Engage them with the CyberPatrol brag of having strong anti-hacker measures and you're begging on bended knee for the (well-deserved) shaft. It seems more likely that the "hackers" could pour the honeypot of hot grits down the pants of the supposed ambushers.

  101. Re:chroot jail ?? by Nate+Eldredge · · Score: 1

    # mknod hda b 3 1
    # mount ./hda /foo
    # chroot /foo /bin/sh

  102. It's not the good ones to worry about ... by Hephaestus_Lee · · Score: 1

    Most of the people who know what they are doing do not try to illegally access computers. As for the others, 90%+ are script kiddies so we already know how they operate ... SATAN.

    --
    Hephaestus_Lee

    --
    "[Y]our wise men don't know how it feels to be thick as a brick." -- Ian Anderson
  103. On A Serious Note: Portsentry by Tildedot · · Score: 1
    Portsentry does just what you want: watches for a portscan in progress and blocks/drops route to that IP. It's slick, and runs very stealthily.

    It's been running on my box for months now, and I get about 4 hits a week, usually from some compromised box in .cz or .ru

    Get it at freshmeat, you won't regret it.

    Note: No electrons were harmed during the sending of this message.

  104. Re:Dumb idea by JWRose · · Score: 1
    I think you have the wrong idea of what the honeypots purpose is. From my understanding, the purpose is to find vulnerabilities in your system and then repair them. It is not to capture crackers. As others have pointed, that could be considered entrapment.

    Nothing exists except atoms and empty space; everything else is opinion.

    --

    blah blah blah....
  105. Re:Honeypots, entrapment, and you by steelwraith · · Score: 1

    I would have, but they decided to send it over the network anyway, through a SSH session (which would make me suspicious).

  106. Re:This is very wrong!!!! by aclaudet · · Score: 1

    I agree. That was a very, very big no-no. It's on the level of what Censorware and all those other "Your Rights Online" subjects do.

  107. Potential Security Risk by Lizard_King · · Score: 1

    The idea of setting up a honeypot to study "hacker" (r u sure this is the correct word?) activity is a questionable idea.

    This is not a recommended approach for any but the most experienced and knowledgeable sysadmins. Setting up a honeypot in some system can do much more damage than good if set up improperly (read insecurely). I am not confident that the general sysadmin population (here come the flames ;]) is competent enough to create realistic, secure, safe honey-pot environments.

    --
    "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  108. Honeypots are NOT illegal... by nick_danger · · Score: 1
    ...if all you want to do with them is learn about system weaknesses by observing hackers in action (which is my read on the original post).

    If you dangle it as bait trying to catch a cracker, that is another matter altogether.

    1. Re:Honeypots are NOT illegal... by coyote-san · · Score: 3

      If you dangle it as bait trying to catch a cracker...

      That's totally irrelevant. By this logic, it's not your fault for stealing from the grocery store's cash register if the clerk is so silly as to turn away while the tray was open. It's not your fault for stealing from the shelves if the grocery store was so silly as to leave the merchandise out in plain sight and reach.

      Either you're an adult able to control yourself when confronted with such temptations, or you're a legal infant unable to do so and not entitled to any of the rights of an adult - you can't vote, you can't drive (can't risk you deciding to run a red light because the city hasn't installed physical barriers to stop you!), you sure as hell can't own a gun, etc.

      The *ONLY* issue with entrapment (vs. stings) is whether the cops somehow enticed the person to do something they wouldn't normally do. In countless cases the courts have held that merely presenting an *opportunity* to commit an illegal act is not, in itself, entrapment. There must be some overt act encouraging the criminal acts. E.g., an underage agent offering a citizen $20 to buy a six-pack of beer... and telling them they'll get to keep the change.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  109. Re:Simulated environment is not a good idea by Fishstick · · Score: 1

    >2. Isn't a honeypot considered entrapment?

    If he was using it to attempt to catch and prosecute, yeah. He is using it to learn. His approach is to make the system nondescript, watch what goes on, take notes and pull the plug before the cracker realizes what is going on.

    I would think setting out bait and then attempting to bust the cracker would be a rather bad idea. He says he's trying to improve his knowledge and better protect his network by setting up a box apart from the rest of his network and then just keeping a close eye on what goes on.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  110. Re:You need Gooood skills to make a goood honeypot by Fishstick · · Score: 1

    >but you probably won't catch any fishes.

    The point of the article seems to learn what the crackers do to probe and compromise your system, rather than to bust anyone.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  111. Re:You need Gooood skills to make a goood honeypot by Fishstick · · Score: 1

    >Thank you for leading me onto that thought-path. :)

    Er, you're welcome. I guess. :|

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  112. Re:You need Gooood skills to make a goood honeypot by Fishstick · · Score: 1

    Isn't Wild Weasel the Air Force name for the air defense suppression mission profile? I thought I remembered seeing this on the Discovery Channel or something, where they sweep in ahead of the bombers with drones that simulate the radar signature of a bomber, with the F-4s trailing a bit behind. Then when the SAM site starts to paint the drone, the F-4s pop up and launch HARMs or Shrikes which home in on the SAM's radar and knock it out in advance of the bomber strike.

    Is that what you mean when you call it a wild weasel box? You put that out there as a decoy to lure crackers into tipping their hand, then you ruin their day before they have a chance to do any damage to any of your real hardware?

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  113. Additional login - wizard-code by jfwcc · · Score: 1

    Here, you can "only" use telnet or ftp to get ON the machine.
    I've not concentrated on ftp yet,
    but I think an additional login-layer will help.

    I use a root only executable (a script), that runs and prompts you for an additional "password".
    It's not killable, since trapped by "trap 'exit 1' 1 2 3 9 15".
    /etc/profile exits, if you kill this wizardcode-prompt, or if you give the wrong answer.

    To get rid of that, you first have to be ON the system, to kill it.
    There's only LUCK to get thru this additional door.
    Script on request.

  114. We regret to inform you.... by Bastiaan · · Score: 1

    You failed the test for your internet license. Please disconnect and format your hard disk!

    Regards,

    Your examinator.

    PS You flunked your public telephone usage test too.

  115. Re:Simulated environment is not a good idea by bluebomber · · Score: 1
    a 'hacker' is just another name for a programmer.

    I call myself a "hacker" when I'm going golfing.

    I call myself an "engineer" when I'm working (i.e. writing software). Engineers write code, programmers blow PALs... ;)

    (Yes, I guess you could call this a troll. Deal with it.)

  116. Re:Honeypots can be illegal by EfromVT · · Score: 1

    I don't think he mentioned anywhere catching the black hat and having them arrested. He just wanted to see how they got into the system so he could fix the problem so it wouldn't happen on the real server.

    No arrest. No entrapment.

    Eric

    --
    Where am I going and how did I get in this handbasket?
  117. Detection by scott-thomason · · Score: 1

    This brings up a subject I have been trying (unsuccessfully!) to get posted for days--in the Linux arena, what are the favorite intrusion detection packages, techniques, and tricks for you among the Slashdot community? I recently got DSL (yea!) and am setting up a server for some pet projects. I've "hardened" a copy of RH62, got my firewall in place, but there are so many choices for IDS...

    1. Re:Detection by sammy+baby · · Score: 2

      Spafford and Garfinkel wrote "Practical Unix and Internet Security," also a recommended read.

    2. Re:Detection by gid-foo · · Score: 2

      Get a copy of tripwire. On an at-home system I can't see much more than that being required as far as ID goes. Run nmap against your system to see what's open and make sure it's what you expect (are you running apache, etc). Read bugtraq and keep on top of patches for whatever binaries you're running.
      And you could read the Spafford and Garfinkel book on Internet Security.
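
The advice above amounts to Tripwire plus nmap plus bugtraq. As an added example (not Tripwire's code), here is the core of what a file-integrity checker like Tripwire does: baseline each file's mode, owner, size and content hash, store that baseline under a MAC so a root-level intruder cannot quietly edit the database to hide their changes, then diff it against a fresh walk. The directory tree, the simulated intrusion and the key in demo() are constructed for this example; in real use the key and the sealed baseline belong on read-only or removable media, not on the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_record(path):
    """Mode, owner, size and SHA-256 of a file (link target for symlinks)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root):
    """Record every file under root, keyed by path relative to root."""
    base = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = file_record(full)
    return base


def seal(baseline, key):
    """Serialise the baseline and MAC it with a key kept off the host, so an
    intruder with root cannot rewrite the database to match their changes."""
    payload = json.dumps(baseline, sort_keys=True)
    mac = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return {"db": payload, "mac": mac}


def unseal(sealed, key):
    expected = hmac.new(key, sealed["db"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline database failed integrity check")
    return json.loads(sealed["db"])


def compare(baseline, current):
    """{relpath: 'added' | 'removed' | 'modified:<changed fields>'}."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report[rel] = "added"
        elif new is None:
            report[rel] = "removed"
        elif old != new:
            fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            report[rel] = "modified:" + ",".join(fields)
    return report


def demo():
    """Baseline a constructed tree, then simulate an intrusion: a same-size
    swap of a 'binary' (size alone would miss it), a dropped shell, a deleted
    log and a loosened permission. Also show the sealed database rejecting a
    tampered copy."""
    key = b"offline-key-kept-on-removable-media"    # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF original binary")
        with open(os.path.join(root, "log", "messages"), "wb") as f:
            f.write(b"Apr  7 03:09:01 host login: ROOT LOGIN on tty1\n")
        with open(os.path.join(root, "etc_passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "etc_passwd"), 0o644)
        sealed = seal(build_baseline(root), key)

        # Constructed intruder activity:
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF trojaned binary")          # same length as the original
        with open(os.path.join(root, "bin", ".sh"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.remove(os.path.join(root, "log", "messages"))
        os.chmod(os.path.join(root, "etc_passwd"), 0o666)

        report = compare(unseal(sealed, key), build_baseline(root))

        tampered = dict(sealed, db=sealed["db"].replace("bin/ls", "bin/l5", 1))
        try:
            unseal(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The same-size swap is the case worth noticing: size and timestamps are trivially preserved by an intruder, a content hash is not. The checker itself and the baseline are only trustworthy if they are run from media the intruder could not alter, which is why the MAC key is kept off the host.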

  118. Re:Honeypots can be illegal by MaxGrant · · Score: 1

    If we follow this line of reasoning too far, then system logs would be considered legal. A honeypot can be either a system to figure out what the hacker is doing, or a decoy to keep him away from your real stuff. In any case, it's more like having a video camera in your convenience store. The installer of the honeypot does not explicitly invite hackers into his system. He simply puts it up there to see what happens. He's entitled to that -- it's _his_ system, after all.

  119. Is it worth the effort? by jayhawk88 · · Score: 1

    If one has the skill and expertise to create a "honeypot" capable of fooling, say, 60% of hackers/crackers/script kiddies/whatever, wouldn't that person's time and effort be better spent properly securing a network? Something like this might be interesting from a purely academic standpoint, but in practice not worth it. Especially when you consider how quickly tools and techniques change; any information would be outdated very quickly.

  120. For certain things, Honeypots could work. by babykong · · Score: 1

    Given the recent spate of ddos attacks, honeypots could help stop an attack before it takes place or at least give a heads up.

    This however requires a cooperative effort at security by the community. If an agent such as trinoo is left on a honeypot, it is being left not to attack the owner of the honeypot but someone else.

    If that agent is then analyzed to get a knowledge of what configurable options are being used, a suitable defense may be grafted (i.e. the sending of shutdown signals to other agents during an attack, provided they can be weeded out of all the spoofed addresses.)

    If the honeypot is being monitored at the time the agent is planted, it may be possible to find or at least get closer to the source.

    This of course is all useless if everyone is only out to protect themselves.

    --
    Question Reality
  121. Re:Dumb idea by JordanArendt · · Score: 1
    I don't understand all of this talk about entrapment. If you have a "Beware of Dog" sign on your door and a burglar breaks into YOUR house, and gets attacked by your pitbull, how is that entrapment? You didn't ask him to break in! You warned him.

    Your analogy is no good. As system administrators, we are not asking for people to break into our systems. They come and deliberately try to break in.

    Now, entrapment would be if you started publishing the IP of the honeypot on IRC and Usenet. The same way as putting ads in the paper that your house has no security and you don't have a dog.

  122. Disadvantages? by trafalmadore · · Score: 1
    Having an open system inside your network is generally plain stupid.

    Would you feel safe in an environment which could always turn out to be working more against you than you might have expected (which it would as soon as any experienced people were to enter your very kingdom)?

    Hell, there's so many things one could do. Random DoS inside that network could actually slightly slow your net down. And if they only broadcast enough stuff, at least the segment that machine is into would suffer from it.

    Sniffing? Now what's that! That guy is behaving no good, he actually abuses the resources we just gave away freely. ICMP Redirects? ARP Spoofing? Anything.

    The funny thing is that any control and log mechanisms would be the ones to be replaced first.

    What do you wanna do? Build a perfectly emulated environment? Chroot and the like can easily be circumvented, but why not do an environment where even all the socket calls are just fake? Would certainly rule, but I'd like to see that one first.

    --
    Sunshine in Tokio 69
  123. Re:CR4CK3RZ N0t H4X0RZ by xenon54 · · Score: 1

    Learning about computer security is great, as long as you don't compromise someone else's security in the process. Why do so many /.ers support breaking into other systems? If someone broke into my house and walked around I would be rather ticked off, even if they didn't actually steal anything. The same thing goes for my computer systems. The only way to get people to stop referring to programmers as "hackers" is to stop acting like we think we own the world and to start respecting other people's property.

  124. Re:I'm going to do this by mattypants · · Score: 1

    Why bother? The only advantage to yourself is to enrage the cracker community. They *enjoy* having that knowledge to themselves. When it is discovered, it is usually by someone in the security industry having that same intuitive leap that the cracker has already had... automating the process of discovering vulnerabilities only reduces the thrill of the chase and the craft of the detection. Jobs depend on it!

  125. Watching the Hackers by herwin · · Score: 1

    Yes, some people set up honeypots (see Amoroso's and Bace's books on intrusion detection). I also suspect some folks have developed trap systems that actively counterattack attempted intrusions, even if launched through innocent third parties. I have even heard there is a phone company in Southern California that uses these approaches for revenue enhancement--if they catch you, they bill you. I can't say any of these approaches are particularly good ideas. The back-fire potential appears to be high. Of course, I might be an old fogy...

  126. definition is incorrect by smack_attack · · Score: 1

    I define a black-hat as anyone who is attempting unauthorized access to a system. This could be a 15-year-old kid from Seattle, or a 45-year-old company employee in accounting. Also, I refer to our black-hat as a he; however, we have no idea what the true gender of the black-hat is.

    This statement is absolutely false... Everyone knows that people in accounting don't know how to use their computers.

  127. whiners by magnum32 · · Score: 1

    What is wrong with honeypots? Doing a simple scan with nmap, one can usually tell (even most novices) that something is wrong, especially when almost every port on the server is wide open. Only losers fall for honeypots, so that pretty much excludes anyone here on Slashdot, so we have not a DAMN thing to worry about.

  128. Deception Toolkit: check it out by Jonnie · · Score: 1
    A flexible toolkit already exists for putting together honeypots and distributing honeypot-ish services through a cluster of servers. I use it and have had some success with it, and not just script kiddies wind up on the other side of the Fickle Finger of Fate. The bottom line is that a honeypot is part of an overall security strategy, not a replacement for good firewall policies and other access controls. Like any tool, they must be wielded competently to avoid doing harm. That being said, I won't often recommend them to clients unless they have a pretty savvy staff.

    One other point is that honeypots are not 'lightning rods,' but are part of your last line of defense. Like Tripwire and other intrusion detection systems, they exist to let you know the game is going badly after your other countermeasures have failed. Certainly the majority of a security effort should be spent on making sure no one gets past security controls in the first place, but if they did you'd like to know about it, wouldn't you?

    Hit http://all.net/dtk for the goodies.

    -- Jonnie

  129. When I registered honeypot.net... by Just+Some+Guy · · Score: 2

    ...I was completely unfamiliar with this usage of the term. Imagine my surprise one morning at finding the reason behind a million would-be haxx0r d00ds doing their damnedest to get past my firewall. Suddenly it all became clear.

    Oh, and don't bother trying to get there right now. A router flash upgrade left my connection utterly dead, and I'm waiting for the replacement to arrive. FreeBSD has made for zero downtime, except for that which I've managed to cause along the way.

    --
    Dewey, what part of this looks like authorities should be involved?
  130. A friend did something like this by tilly · · Score: 2

    He wrote a simple server that pretended to be an ftp server. It wasn't, of course. But if the same IP address tried to log into it somewhere between 5-10 times in a row, then bingo! You are in!

    You see a small directory with interesting looking files. (eg passwords.gz).

    So go to download and it goes ssslllooowwwlllyyy. (You aren't getting anything meaningful, just 100 bytes/second or so to make you go away and shut up.)

    Worked quite well...

    On a more serious note, what would be nice is if there was a set-up that noticed a portscan in progress and blocked that IP (plus notified the administrator etc). Anyone know of something like this?

    Cheers,
    Ben

    --
    My usual seat in the cluetrain is at http://pub4.ezboard.com/biwethey.ht
    1. Re:A friend did something like this by orangecat · · Score: 2

      Portsentry does this. The monitoring/blocking portion, anyways - when it detects a portscan, it adds the hosts to hosts.deny and sets a firewall rule to deny all further packets from that host. And, IIRC, you can set it up to take some action (such as notifying the administrator), as well as logging everything, though that may be in conjunction with one of their other products, logcheck.
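
The scan-then-block behaviour tilly asks for, and orangecat attributes to Portsentry, as an added example (not Portsentry's code): count the distinct destination ports each source touches inside a time window, and once a source crosses a threshold emit the two actions the reply describes, a hosts.deny entry and a firewall rule. The connection-log format, the sample log (addresses from the documentation ranges), the threshold and window, and the iptables command string are all assumptions for this example; the detector returns the commands rather than running them.

```python
import re
from collections import defaultdict, deque

# Constructed connection log, one attempt per line: "<epoch> <src ip> <dst port>/tcp"
SAMPLE_LOG = """\
954990541 198.51.100.7 21/tcp
954990541 198.51.100.7 23/tcp
954990542 198.51.100.7 25/tcp
954990542 198.51.100.7 79/tcp
954990543 198.51.100.7 110/tcp
954990543 198.51.100.7 111/tcp
954990550 203.0.113.9 80/tcp
954990560 203.0.113.9 80/tcp
954990570 203.0.113.9 443/tcp
954990600 192.0.2.1 22/tcp
954990601 192.0.2.1 23/tcp
954990602 192.0.2.1 25/tcp
954990603 192.0.2.1 53/tcp
954990604 192.0.2.1 79/tcp
954990605 192.0.2.1 111/tcp
954990700 198.51.100.7 143/tcp
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})/tcp\s*$")


def parse_line(line):
    """(timestamp, source ip, destination port) or None for junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


class ScanDetector:
    """Flag a source that touches at least `threshold` distinct ports within
    `window` seconds. Sources in ignore_hosts (your own nets, your DNS
    servers, the upstream gateway) are never blocked: SYNs carry whatever
    source an attacker writes in them, so an auto-blocker that trusts the
    source address can be made to cut you off from hosts you depend on."""

    def __init__(self, threshold=5, window=60, ignore_hosts=()):
        self.threshold, self.window = threshold, window
        self.ignore = set(ignore_hosts)
        self.recent = defaultdict(deque)       # src -> deque of (ts, port)
        self.blocked = {}                      # src -> ts of detection
        self.actions = []                      # commands an operator would run

    def feed(self, ts, src, dport):
        """Record one connection attempt; return src if it just got blocked."""
        if src in self.ignore or src in self.blocked:
            return None
        q = self.recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:  # slide the window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.blocked[src] = ts
            # The two steps the reply above describes; the iptables form is
            # illustrative, adapt it to the packet filter you actually run.
            self.actions.append(f"echo 'ALL: {src}' >> /etc/hosts.deny")
            self.actions.append(f"iptables -I INPUT -s {src} -j DROP")
            return src
        return None


def detect(log_text, **kwargs):
    """Run the detector over a whole log and return it for inspection."""
    det = ScanDetector(**kwargs)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            det.feed(*parsed)
    return det


if __name__ == "__main__":
    d = detect(SAMPLE_LOG, ignore_hosts={"192.0.2.1"})
    print(sorted(d.blocked), d.actions)
```

In the sample, 198.51.100.7 walks six ports in three seconds and is blocked on its fifth; 203.0.113.9 hits only 80 and 443 and is left alone; 192.0.2.1 would be blocked on the same pattern unless it is on the ignore list. The ignore list is the caveat to take seriously with any auto-blocker of this kind, since a forged scan from a trusted address is a cheap way to have you blackhole your own name server.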

  131. Re:Fooling? by arcade · · Score: 2

    Signal11. You should know better than saying that you can prepare for DDoS attacks. Nobody can survive a properly executed DDoS attack. Not yahoo.com, not ebay, nobody.

    If you kill ALL the bandwidth - with packets, then there is nothing the target can do. NOTHING. Nothing whatsoever.

    All it takes, is enough clients to smurf, SYNflood and so forth. The bandwidth will be saturated, and nothing can stop it.

    The Net is obviously more fragile than you realize.


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

  132. Re:You need Gooood skills to make a goood honeypot by arcade · · Score: 2

    Well, I don't think you'll learn anything by setting up a honeypot. To set up a honeypot you already need to know MUCH more than the average scriptkiddie. And, I'm pretty sure that you'll get 100 scriptkiddies -- or probably even more -- before you catch a SINGLE new and revolutionary cracker.

    The best defence against crackers is to follow bugtraq and other security mailinglists. Closely.

    otoh, I think it might be useful to set up honeypots VERY FAST after a new type of major bug is found. For example -- if you had set up some honeypots with exploitable BIND daemons just after the vulnerability was released -- my guess would be that you would catch the 'new and C00l' tools for breaking into bind faster.

    That actually was a great idea. Next time there is a major Linux bug, i think i'll use a spare machine, install the buggy software on it, and monitor it CLOSELY. That was actually a swell idea. Thank you for leading me onto that thought-path. :)


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

  133. Re:Fooling? by arcade · · Score: 2

    That is a good tactic against a DoS attack. Not against a DDoS attack. A properly executed DDoS attack includes thousands of machines from all over the world. It is impossible to find a solution to the problem at the moment. If you have enough time on your hands, there's no problem involved in scanning millions of IP addresses and finding thousands of vulnerable boxes. With that many boxes under your command, a DDoS attack is a piece of cake to execute.

    There is no way to stop it. Your upstream will have to filter out everything - since the SYNpackets will be spoofed. They cannot know the difference between a forged SYN and a legitimate one. As for ICMP's, they can be filtered.


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

  134. Re:Fooling? by arcade · · Score: 2

    If you check out the slashdot thread with that article as a subject, you can read my article (and other) which rebuffed the theory. It is not a good theory. in short - it sucked. :)


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

  135. Re:Taking the TIME by Abigail-II · · Score: 2
    Do you have the TIME it takes to dedicate to the honeypot?

    Some people do. It just depends how important you find it to secure your network. Some companies employ people whose only task is network security.

    A possible way to run the honeypot: Use VMware/Virtual PC/bochs and have it run the honeypot environment. The honeypot then has the ports open to the outside world. To fix the pot, a simple file copy.

    Not good for 2 reasons. First, it takes more work to set up, second, it doesn't resemble the way you have your other machines run, and that was the point. The point is to find out whether your own machines are secure. Having a honeypot that is configured differently doesn't help. If you're a sysadmin in a larger company, it shouldn't take much time to do a standard install of your machines; in my previous company we had it down to about 5 minutes of sysadmin work.

    About all you may be able to add to the world of computer security is YOU might be lucky to report the 1st break-in of type X, or help trace back someone. But, most likely, any traceback will dead-end with people who don't want to take the time to care, and they will use a known hole you should know about via bugtraq/cert.

    It's easy to say you should have known about holes via bugtraq/cert, but there's a difference between theory and practise. If you take a machine configured identically to your important machines, make it reachable for crackers, and monitor their success, you will find out whether your installation indeed doesn't have any known holes, or whether you've forgotten something.

    -- Abigail

  136. M*tnick got caught in one of these. -True story. by brad.hill · · Score: 2
    This is not really a new idea, and yes it can catch the best of them.

    Back about ten years ago, a certain K**** M*tnick was hacking into the systems of a certain small California company that sells Un*x for x86 boxen.

    They realized that they had an intruder, but couldn't catch him, so they set up a single 386 on the dialin network he was exploiting to look like an entire network filled with great goodies. They watched him enter the system and start poking around the "virtual network" while they traced the call and sent the police to arrest him. They caught him logged in, "red handed" at his girlfriend's place.

    I don't think charges were ever pressed because said company was embarrassed about being hacked, but the honeypot certainly got its fly.

  137. Its Fixed, and fast too. by Crutcher · · Score: 2

    Glad to see CmdrTaco on the ball looking for stuff like this. It felt odd sending "the letter" to slashdot.

    --

    -- Crutcher --
    #include <disclaimer.h>
  138. I am not a Troll by Crutcher · · Score: 2

    I have to put this in, cause I ain't no troll. I sent a letter (the letter) to Rob, and he fixed the article, and that's how it should be. And then some boob comes along that didn't pay attention to the first posting of the Article (which referred to "crackers" as "hackers") and marked me as a Troll.

    I am offended.

    Just setting the record less crooked.

    --

    -- Crutcher --
    #include <disclaimer.h>
  139. Re:Honeypots can be illegal by sporty · · Score: 2

    I thought the point of honeypots was to divert hackers from getting to more ...valuable machines. Like putting a larger fake diamond in front of your more valuable, more hidden valuables.
    Besides, if a hacker went through THAT much trouble to break into a system, which should be somewhat secure, what would have stopped them from hacking a different machine?

    ---

    --

    -
    ping -f 255.255.255.255 # if only

  140. Words and meaning by extrasolar · · Score: 2

    I wonder what real difference is there in what words we use.

    It doesn't matter in the abstract, except that words convey meaning.

    If you use the word cracker rather than hacker, what difference does it make? If we use the word hacker to denote crackers, what word would we use to denote hacker? Or if we do as we on Slashdot often do now and denote hacker as hacker and cracker as cracker, then what word do we use to replace the old meaning cracker -- the food. Perhaps someone can open up a dictionary and find a suitable word to use for "clever programmer".

    Oh well.

    But remember that English would be a far different language if it was governed chiefly by common usage.

    If the above paragraph seems

  141. Re:Honeypots can be illegal by ryanr · · Score: 2
    Actually, it was our Incidents list:


    Re: Cracked; rootkit - entrapment question?


    There was no real final resolution to the entrapment question. There's some good argument for both sides, though.

  142. Re:Dumb idea by ryanr · · Score: 2
    A real life example would be to walk down the street in a crime-ridden neighborhood looking like an easy target, then when you get mugged, shouting "I got you!" "I got you!" and pulling out a gun and holding them until the police arrived.

    Hey, it works for Charles Bronson.

  143. Simulated environment IS a good idea by Izaak · · Score: 2
    I've seen this discussed before... only it was called a Sacrificial Goat. The idea is that if your network attracts cracker attacks anyway, why not at least draw them off onto a harmless system. Put a non-critical system outside your firewall to occupy the time of the crackers. It will at least give you some early warning when an attack occurs.

    Didn't Computer Associates or some such actually create a system for this purpose? I even recall that it could simulate an entire network. Personally, I think it is more useful to use an actual server to learn the real exploits that are being put in use. Just make sure you have a good firewall between the fake system and the real network.

    Later,

    Thad

    1. Re:Simulated environment IS a good idea by Mignon · · Score: 2
      I even recall that it could simulate an entire network.

      This sounds like a good job for one of those old mainframes running 41,000 copies of Linux. Just set it up as a chain of virtual networks: that is, the first VM sees the internet and the second VM; the second VM sees the first VM and the third VM; etc.

      By the time someone makes it to the 41,000'th VM, you'll have time to decide how to deal with them...

    2. Re:Simulated environment IS a good idea by barleyguy · · Score: 3

      There was an episode of 60 Minutes about 10 years ago where Diane Sawyer went to a market where there were gypsy pickpockets. She had a bunch of stuff in her purse and pockets that she didn't mind losing, and had a good inventory. However, she also had her keys, stashed as far down in her purse as possible, in a little pocket in the very bottom.

      She lost a bunch of trivial stuff, and proved her point. However, somebody also got the keys from the bottom of her purse - the one thing that she really didn't want to lose.

      The moral of the story - if you are doing this to acknowledge the fact that there really are crackers, purely for educational purposes, then you might learn something. If you are doing it because you think it will distract anyone from the stuff you really don't want to lose, you are probably sorely mistaken. It might even give you a false sense of security, which is a bad thing.

      --
      --- "So THAT's what an invisible barrier looks like!" - Time Bandits
  144. honeytrap werks as much as hewked en fonikz by segmond · · Score: 2

    Yeah, it does work!!!

    1 finger
    2 date
    3 dir
    4 help
    5 d
    6 list
    7 ls
    8 ls /p
    9 ftp ftp.rootshell.com
    10 pkunzip rootkit.tgz
    11 tar -zxvf rootkit.tgz
    12 gcc bda.c
    13 gcc bad.c
    14 edit
    15 edit bad.c
    16 edit.com
    17 pico bad.c
    18 gcc bad.c
    19 a.out
    20 a.exe
    21 a.out -help
    22 ./.aout
    23 ./a.out
    24 dir
    25 shit@##$@#
    26 ls
    27 ./a.out -hlocalhost
    28 md ...
    29 mkdir ...
    30 cp ./a.out ...
    31 finger
    32 cd \etc
    33 cd /etc
    34 edit motd
    35 pico motd
    36 quit
    37 exit

    If the above log is how you are going to learn how hackers operate, then go ahead and setup a honeypot. You will only attract script kiddies, we call them that for a reason. They can barely gcc and ./a.out. The only dangerous thing about them is that they have no fucking clue what they are doing. The real "hackers/crackers", the ones with a fucking clue, do not go out probing systems cuz they are bored. If anything, they have their own network which they hack and figure out; when they go out to attack, they have a motive, they have a reason, they know what they want. Anyone with a little clue will realise that something is wrong if they log into the kind of honeypot described by this guy. If you do a last command, you will notice no one uses the system. If you do a process listing, you will notice that there is no interesting process running, so what the hell is the server for? The script kiddies with a clue will not really care much about hacking it, they will just try to use it to stash their warez, porn and IRC.

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
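
    As an added example (not part of segmond's post, and not any tool the thread mentions), here is a small Python triage script that runs over exactly the kind of numbered shell history quoted above and scores it for the things a honeypot watcher actually cares about: a fetch / unpack / compile / run chain, a hidden "..." directory, edits to /etc/motd, and the DOS-isms that mark an operator who does not know Unix. The indicator categories, the regexes and the thresholds are my assumptions; the sample history is re-typed from the post with the profanity line replaced.

```python
"""Triage a honeypot shell history for intrusion indicators.

Added example, not code from the thread.  The input format (a numbered
`history` dump) and the indicator categories below are assumptions chosen
to fit the log quoted in the post above.
"""
import re
from collections import Counter

# Sample input, constructed from the history quoted in the post (line 25 replaced).
SAMPLE_HISTORY = """\
1 finger
2 date
3 dir
4 help
5 d
6 list
7 ls
8 ls /p
9 ftp ftp.rootshell.com
10 pkunzip rootkit.tgz
11 tar -zxvf rootkit.tgz
12 gcc bda.c
13 gcc bad.c
14 edit
15 edit bad.c
16 edit.com
17 pico bad.c
18 gcc bad.c
19 a.out
20 a.exe
21 a.out -help
22 ./.aout
23 ./a.out
24 dir
25 (garbage)
26 ls
27 ./a.out -hlocalhost
28 md ...
29 mkdir ...
30 cp ./a.out ...
31 finger
32 cd \\etc
33 cd /etc
34 edit motd
35 pico motd
36 quit
37 exit
"""

# Indicator name -> regex tested against each command (assumed categories).
INDICATORS = {name: re.compile(rx) for name, rx in {
    "remote_fetch": r"^(ftp|tftp|wget|curl|lynx)\b",          # pulling tools in
    "unpack_build": r"^(tar|gunzip|unzip|pkunzip|gcc|cc|make)\b",
    "run_unknown":  r"^(\./)?a\.out\b|^\./\.?\S+",             # running what they built
    "hidden_dir":   r"^(mkdir|md|cd|cp)\b.*(\s|/)\.{3}(\s|$)",  # the classic '...' stash
    "system_file":  r"^(pico|vi|edit|nano)\s+(/etc/)?motd\b|^cd\s+/etc\b",
    "recon":        r"^(finger|w|who|last|ps|uname|id)\b",
    "dos_ism":      r"^(dir|md|edit|a\.exe|ls\s+/p|quit)\b|\\",  # DOS habits on a Unix box
}.items()}

LINE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_history(text):
    """Yield (index, command) pairs from a numbered history dump."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and m.group(2).strip():
            yield int(m.group(1)), m.group(2).strip()


def score_history(text):
    """Return (Counter of indicator hits, list of (index, indicator, command))."""
    counts, hits = Counter(), []
    for idx, cmd in parse_history(text):
        for name, rx in INDICATORS.items():
            if rx.search(cmd):
                counts[name] += 1
                hits.append((idx, name, cmd))
    return counts, hits


def verdict(counts):
    """Crude triage.  A fetch -> build -> run chain plus a hidden directory or
    a motd edit is the textbook rootkit install; a pile of DOS-isms says the
    operator is guessing at a shell they do not know."""
    chain = all(counts[k] for k in ("remote_fetch", "unpack_build", "run_unknown"))
    persist = bool(counts["hidden_dir"] or counts["system_file"])
    if chain and persist:
        kind = "rootkit-install pattern"
    elif chain:
        kind = "fetch/build/run without persistence"
    else:
        kind = "no complete attack chain"
    skill = "script kiddie (DOS-isms)" if counts["dos_ism"] >= 3 else "unix-literate"
    return kind, skill


if __name__ == "__main__":
    counts, hits = score_history(SAMPLE_HISTORY)
    for idx, name, cmd in hits:
        print(f"{idx:3d} {name:13s} {cmd}")
    print(dict(counts), verdict(counts))
```

    Run against the sample, it reports a rootkit-install pattern from a DOS-habituated operator, which is the same reading the post gives in prose. The point of scripting it is that a honeypot that sees hundreds of these a week needs the chain-and-persistence test automated; a human only needs to read the transcripts the script does not classify as "script kiddie".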
  145. Some info by NME · · Score: 2

    http://rootshell.com/docs/berferd_cheswick.ps.gz
    I'd recommend reading the above for a good write up of this sort of situation. I think it illustrates some of the difficulties in keeping up this charade quite nicely.
    Notice that the author knows his stuff extremely well, and remember that when you start thinking about doing this yourself.

    -nme!

  146. Wild Weasel Facts by _Sprocket_ · · Score: 2
    Some good shots and basic history of the Wild Weasel mission (especially the F4-G) can be found at:

    http://www.wpafb.af.mil/museum/annex/an10a.htm

    I have fond memories of the F-4G having spent a handful of years working on and/or around the aircraft (Electronic Warfare - specifically the AN/APR-47 RHAW system, AN/ALE-40 Flare/Chaff, and AN/ALQ-131 or AN/ALQ-184 ECM Pods).

    Interesting mission. There's a few bits of lore that aren't mentioned by the above resources that might be applied to this discussion (decoy / defensive hosts).

    Wild Weasel aircraft didn't need a drone to be useful. Quite often they flew in hunter/killer pairs with other airframes (the last teams to fly were F-16 and F-4G teams). This meant the Wild Weasel aircraft themselves were often the target for ground weapons systems. The first Electronic Warfare Officer who was approached during Vietnam with the mission replied (forgive me if I murder the quote):

    "You want me to sit behind a stick jockey who thinks he's invincible, flying in an aircraft to hunt weapons systems designed to shoot down aircraft? You've GOT to be shitting me!"
    The first Wild Weasel patches have a picture of a weasel with a shocked expression and the letters YGTBSM.

    This quote seems to fit in with the question of how wise it is to deploy decoys in your environment.

    However, there's also another interesting tidbit out of Wild Weasel history. At the beginning of hostilities during the Gulf War, Wild Weasel aircraft escorted most missions and decimated Iraqi air defence systems. This defense led to a high demand for Wild Weasel escorts - more demand than available aircraft.

    Commanders took a gamble. It was noted that enemy SAM and AAA sites would shut down immediately on discovering F-4 radar signatures in the area. So some missions got F-4C (unarmed reconnaissance aircraft) escorts. Since the F-4Cs were indistinguishable from their deadly F-4G cousins, F-4Cs were able to effectively suppress enemy weapons systems by their mere presence.

    I suppose you could propose the question - if enough decoy systems show up in the environment, would it make potential attackers a bit jumpy if they couldn't tell the real from the decoys?

  147. What, no pedantism? by babbage · · Score: 2

    I'm a bit surprised that the lead article didn't split hairs about the whole {h|cr}acker thing. Are we growing up and learning to cut a little slack? Nah, this is Slashdot -- probably just an oversight...



  148. Re:Fooling? by strombrg · · Score: 2
    I don't buy for a second that 80% of intrusions are internal in origin. I've seen this many times, and I think it's getting to be past time that people questioned this.

    I work as a sysad at a university campus. We get portscanned at -least- a few times a week, and deal with breakins a couple of times a month.

    So far, I have not been made aware of a single internal breakin. Every one I've gotten involved with has been external. Ok, except that student who forged a faculty member's e-mail recently, but that doesn't count as a breakin by a long shot.

    The only way most breakins are internal (for us, and probably for you too), is if we've had a lot of internal crackers breaking into remote machines, and from there breaking back into internal machines.

    I mean think about it: if you're on the internet, just how much huger is the internet than the population of your business or government agency or university?

    Once, in a fit of pique about this oft-quoted bit of unlikely "wisdom", I did a survey. The number of respondents was small, but it did show that most respondents had suffered more external breakins than internal.

  149. Solution: Hire a Hacker by Sienne · · Score: 2
    At least that's what we've done.

    A few other people have posted the idea that most of the people who actually know what they're doing aren't spending their time intruding into our systems. I believe this. Case in point is one of my co-workers, a truly brilliant hacker (and yes, I'm going to use this word as it was originally intended,) whose calling is in security. Yes, he roots our boxes on a regular basis. Yes, he tells us that he did so, and how. And then he helps us plug the holes. He has had me watch as he gets my password off what I thought was a secure system, (result: we got one that IS secure.) He also helps us find the holes in our new products, and is teaching the rest of us to do the same, (our work is in the early development stages, so we're in a perfect position to find and fix the flaws.) I should probably add that I knew him before he worked here and had a good idea of his character before recruiting him.

    The script kiddies grow up, and some of them do continue to learn. Those that do can be your greatest security asset. Why lure in the bad eggs and criminalize them, when there are so many out there who actually want to be legitimized?

  150. a reference for previous work by Mike+Connell · · Score: 2

    "Firewalls and Internet Security", by William R Cheswick and Steven M. Bellovin. Addison-Wesley 1994, ISBN 0-201-63357-4.

    Has a chapter about a breakin where they construct a faked environment to observe the behaviour of the hacker.

    Perhaps a little out of date now, but generally still interesting (both the chapter, and the rest of the book).

    Mike

  151. Taking the TIME by mr · · Score: 2

    Do you have the TIME it takes to dedicate to the honeypot?

    Most sysadmin jobs have 10 hours of work each day to fit into 8 hours. So sysadminning becomes more like triage, or the gerbil on the exercise wheel. If you run fast or go slow, you end up in the same place at the end of a day of running. And some days, some jerk comes into your cage, rattles it or, while you are on the wheel running your little heart out for that paycheck, they jam something in the wheel to make it stop suddenly.

    A possible way to run the honeypot:
    Use VMware/Virtual PC/bochs and have it run the honeypot environment. The honeypot then has the ports open to the outside world. To fix the pot, a simple file copy.

    Will this help? Depends on if you have the time to drop EVERYTHING to watch the box when something happens. Me personally, I watched some dud break into my box. (It alerted me at the point of the break-in.) At the point when s/he started deleting files, I typed in halt. About all I learned is they were using 2 porn sites and one at MIT. They used a known issue with BIND. (Bad me, I didn't upgrade BIND.) Had I been busy/at a client site, they would have been able to poke around on the box. This particular attack showed me I had a problem with BIND. (Big whoop. I KNEW that, and chose to ignore it.) And the ISPs who were used in the attack? One was rude "who the hell are you to call me that I have problems with my systems, I can't control the internet" and the other was "they are not affecting production, so I don't want to disturb them".

    And, had they been GOOD, they would have not set off my alert system. But, they weren't GOOD enough. So, depending on how you work your system, they might just be better than you, and your honeypot becomes a host to launch the next attack from. The truly skilled break-in artist is nearly impossible to detect.

    About all you may be able to add to the world of computer security is YOU might be lucky to report the 1st break-in of type X, or help trace back someone. But, most likely, any traceback will dead-end with people who don't want to take the time to care, and they will use a known hole you should know about via bugtraq/cert.

    Lance Spitzner wrote some articles.
    http://rootprompt.org/article.php3?article=159 is the start of his series

    --
    If it was said on slashdot, it MUST be true!
  152. "Cuckoo's Egg" by xTown · · Score: 2

    Maybe I'm missing something, but isn't this exactly what Cliff Stoll describes in "The Cuckoo's Egg"? Seems to me it worked pretty well there. However, I would imagine that that is only a good idea if you know you have intruders and want to see what they're doing and keep them coming back. If you're thinking more of getting people who otherwise wouldn't touch your system, then that can be a problem, as others have said, with entrapment.

  153. Dumb idea by 348 · · Score: 2
    Plain and simple, I think this is a dumb idea. Odd twist being 180 degrees out from security through obscurity, but still off the mark. A real life example would be to walk down the street in a crime-ridden neighborhood looking like an easy target, then when you get mugged, shouting "I got you" "I got you!" and pulling out a gun and holding them until the police arrived.

    Wouldn't a better approach be, if you had to be in the neighborhood, pick a route that provides the path of least resistance? Then go through the neighborhood in a car, with a couple of people with you etc.

    Entrapment is entrapment, frankly I wouldn't want to put my firm through the headaches in the first place.

    --

    More race stuff in one place,
    than any one place on the net.

  154. HoneyPots? Auditing? The key is resources. by RedPhoenix · · Score: 2
    My last employer was a high security government organisation that had a real focus on IT - so much so, that we had 6 dedicated operational IT security staff - a number which far outweighs the number normally available in other Australian government departments. (I mean dedicated in both senses of the word - committed, and ONLY working on IT Security)

    During a period of increased threat, our primary internet web server effectively became a honey-pot without our consent. There was a great deal of activity in the media surrounding the department in question, and a heck of a lot of interest from the public about the organisation. As such, we believed that the web server would be the subject of significantly more attacks than normal.

    We effectively halved our security section during the period of heightened activity - 3 were responsible for the normal IT security tasks, the other three were allocated full time to the task of securing and monitoring the system. We instituted significantly increased network and host auditing (pushing the data out via a one-way data diode to an auditing server, and then onto CD), and put a 'revolving checksum' alert on all web pages (again, sent out via the one-way comms circuit). Any modifications to the checksum, or any cessation of the 'heartbeat' through the data diode, would set off an alarm in our communications centre, and an operator would literally pull the plug at our firewall to the internet, and call one of the security people. There were also a fair number of host security features enabled on the system - one of which was full C2-level auditing (with about 10,000 lines of perl to provide an intrusion detection facility for the logs).

    Sure enough, the level of attacks on our server increased approximately 5 fold. Our logs by the end of 2 weeks were in the multi-gigabyte range, we'd had a couple of false alarms, but no intrusions. We'd provided management with analysis / summary reports for all attacks on the server, including graphical summaries.

    So lets just review what it takes to effectively actively monitor a high-threat, high-risk system like the one I've described above:
    * 3 experienced security staff, normal working hours - conducting audit analysis, extrapolation.
    * A 24x7 monitoring cell
    * 1 experienced security staffer, on call 24x7
    * Custom development of intrusion detection code (about 4 months worth).

    Now I'm not saying that every honey-pot is going to take these sort of resources. But if you want to make effective use of the tool, then you have to be prepared to put the time in.
    * If you're putting in something someone else has developed, then are you sure there's no EXTRA risk to your system by installing it? (Remember FakeBO?)
    * Do you have the time to analyse the results of the honey-pot logs?
    * Is the information going to be of any use to anyone?
    * Sure you may learn a few tricks here and there, but a majority of your probes are likely to be traditional nmap/satan/nessus probes, or script-kiddies with the latest cgi scanner. Can the time that you have spent setting up the system be better spent on setting up a small test network, and playing with a few exploit scripts yourself?

    There are several grades of security that you need to choose from based on the resources that you have available - and I'd put honeypots right at the end (ie: Security value per resource availability):
    1) Patch / monitor security updates.
    2) Patch + a network intrusion detection system.
    3) Patch + NIDS + firewall log analysis
    4) Patch + NIDS + firewall log analysis + host audit.
    5) Patch + NIDS + firewall log analysis + host audit + honeypot.

    The question that you need to ask yourself is: Am I getting value out of the tool, for the resources I'm putting in. If in your case, the answer is 'yes!', then go for it. But be sure that you know what you want to get out of it first.

    Red.
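
    The checksum-plus-heartbeat alarm described in this post is worth seeing in code, so here is an added Python sketch of it (my example, not RedPhoenix's system). The sender walks the web tree and emits a numbered beat carrying a digest of every page; the monitor never updates its baseline, raises an alarm on any digest change or sequence gap, and, on a timer, raises a separate alarm when beats stop arriving, which is what a pulled plug or a dead diode looks like from the far side. Sender and monitor are simulated in one process here; the file layout, the 60-second interval and the record field names are my assumptions.

```python
"""File-integrity heartbeat in the spirit of the 'revolving checksum' alert in
the post above.  Added example, not the poster's code.  Sender and monitor are
simulated in one process; in the deployment described they sit on opposite
sides of a one-way link.  Field names, interval and file layout are assumptions."""
import hashlib
import json
import os
import tempfile


def digest_tree(root):
    """Return {relative path: sha256 hex} for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def make_beat(root, seq, ts):
    """Sender side: one heartbeat record carrying a digest of the whole web tree."""
    per_file = digest_tree(root)
    summary = hashlib.sha256(json.dumps(per_file, sort_keys=True).encode()).hexdigest()
    return {"seq": seq, "ts": ts, "digest": summary, "files": per_file}


class Monitor:
    """Receiver side.  Never updates its baseline: any change is an alarm, and
    the operator decides whether to pull the plug or re-baseline."""

    def __init__(self, baseline, max_gap):
        self.files = baseline["files"]
        self.digest = baseline["digest"]
        self.last_seq = baseline["seq"]
        self.last_ts = baseline["ts"]
        self.max_gap = max_gap

    def ingest(self, beat):
        """Return the list of alarms raised by one received beat."""
        alarms = []
        if beat["seq"] != self.last_seq + 1:             # a beat was lost on the link
            alarms.append(f"sequence gap: expected {self.last_seq + 1}, got {beat['seq']}")
        if beat["digest"] != self.digest:                 # some page changed
            changed = sorted(p for p in set(self.files) | set(beat["files"])
                             if self.files.get(p) != beat["files"].get(p))
            alarms.append("content changed: " + ", ".join(changed))
        self.last_seq, self.last_ts = beat["seq"], beat["ts"]
        return alarms

    def check_silence(self, now):
        """Timer-driven check: a missing beat is an alarm in its own right."""
        if now - self.last_ts > self.max_gap:
            return f"heartbeat lost: last beat at t={self.last_ts}, now t={now}"
        return None


def demo():
    """Constructed scenario: a clean beat, a defaced page, then a silent link."""
    root = tempfile.mkdtemp()
    page = os.path.join(root, "index.html")
    with open(page, "w") as f:
        f.write("<h1>Welcome</h1>\n")
    mon = Monitor(make_beat(root, 1, 0), max_gap=60)
    clean = mon.ingest(make_beat(root, 2, 30))
    with open(page, "w") as f:
        f.write("<h1>0wned</h1>\n")
    defaced = mon.ingest(make_beat(root, 3, 60))
    silence = mon.check_silence(now=200)
    return clean, defaced, silence


if __name__ == "__main__":
    print(demo())
```

    Two design points carry over to any real deployment of this: the sequence number is what turns a lossy one-way link into something you can reason about (a silent gap and a dropped beat are different events), and shipping the per-file digests inside the beat lets the monitor name the defaced file without ever reaching back across the diode to look.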

  155. is not about keeping them out by henninrp420 · · Score: 2

    although most would like to keep crackers out of their systems completely, the type of person who becomes a system administrator is generally one that thirsts for knowledge and others' outlooks to problem solving. if watching someone who has illegally obtained access to your system will help you to prevent these types of access in the future, then by all means, do it. it may sound like strange logic, but watching the activity of someone attempting to crack your system is _fun_! ...and just may open your eyes to a security hole that _you_ forgot to close.

    --
    -rich henning -linux 2.2.x
  156. Honeypots, entrapment, and you by steelwraith · · Score: 2
    Honeypots have already been created that mirror not only the environment of one system, but a whole subnet. They are convincing up to a point, but do have some flaws:
    1. If someone scans the box they will find the false subnet; if they run a sniffer on the subnet they won't see any traffic.
    2. They're very hardware intensive.
    3. They send their logs to another system for 'safe keeping'; a sniffer will see this traffic.

    Basically a careful and methodical cracker (read PARANOID) will notice something fishy and bail due to the way the network is responding (or not responding) to various tools and commands - it'll just be 'too good' and way too open. Script kiddies will just punch along and not do any real damage.

    As for entrapment - for systems in the U.S. government, they are supposed to place a warning banner on all possible services that can be used to access the system warning you that: 'You are entering a government computer blah blah blah'.

    So you know that you're not supposed to be there, that you are subject to monitoring if you choose to access the system, and that you will be prosecuted to the full extent of the law if you do something malicious. You were warned and are responsible for your actions after that point.

    If the site doesn't have a warning then it's time for dueling lawyers, depending on what they try to tag you with. If it's a gov site without the banner they can't try to bury you for electronic B&E on a gov site (which is a federal offense), just electronic B&E in general (which can still just ruin your day).

    If you're going to crack you can't whine about entrapment; John V. isn't holding a gun to your head and making you punch keys.

  157. I'm going to do this by foofc7ca · · Score: 2
    When my new machine arrives, I'm putting the old workstation/Linux box off the switch as a honeypot.
    Here's the idea:
    Since this is a switch, I'll just hang it off directly

    It will have a different IP block range from the other internal LAN machines

    The router machine (running *bsd) will be changed so the input rules redirect everything except a couple of services (DNS and SMTP) to the honeypot box

    Other ipfw rules will drop any packets from that box to any other internal machine (ie, don't kill my soft internal machines)

    Finally, If I'm really mean, I'll deny all SYN packets to "well known TCP scanning targets" so that scanning is tougher.


    The goal is to record everything going to the honeypot machine.. unpublished exploits suddenly make their way unto Bugtraq, certain file caches get exposed and looted, other compromised systems are revealed.

    Plus it's nice wholesome fun for the whole family! grin

  158. Decoy... by Spectre · · Score: 3

    Well, I've found leaving a locked down machine(running nothing other than a decent "PING" responder) with an attractive hostname (gateway, firewall, doorway, secure) around that does nothing tends to keep people away from the "real" machines sitting next to it... The nice thing is any old computer can be used as a decoy, including an old 386 laptop nobody wants to use. It does nothing to keep the pros out, but the script kiddies will pound on it all day long... helps keep those DOS attacks from the clueless from affecting anything of importance (until they manage to saturate bandwidth).

    --
    "Flame away, I wear asbestos underwear"
  159. Fooling? by Signal+11 · · Score: 3

    Depends. Considering 80% of your intrusions won't come from hackers, but disgruntled employees, maybe the better question should be "Have I kept my mouth shut when talking to my peers about this?" Script kiddie attempts do little damage for a prepared system administrator - a good backup, a contingency plan, and knowledge can take care of everything up to, and including, the little DDoS that happened to yahoo.com, ebay.com, and the other "dot coms". There was no reason Yahoo should have been down more than about 30 minutes - they had the equipment to handle the attacks.. but it was sitting in a storage closet unplugged. So stop worrying about outside attacks, and be more cost effective: put a firewall between Finances/HR and the rest of the organization. You DID install managed switches, didn't you?

  160. Re:This is very wrong!!!! by scrytch · · Score: 3

    Oh balls. Editorial discretion in any kind of publication allows for all kinds of corrections, from terminology to spelling and grammar. I guarantee the majority of letters to the editor you read in the paper are not printed verbatim. Just about the only ones who get through unedited are syndicated columnists, and that's because they have their own editor who makes technical corrections before it's submitted.

    It is, however, highly unprofessional to make public this correction. A private note to the submitter regarding the change would have been more than sufficient. I've submitted all of one story to slashdot (rejected, possibly on procedure grounds for choosing the wrong category). I'll think twice before submitting again.

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  161. Re:Simulated environment is not a good idea by Bad+Mojo · · Score: 3

    I enjoyed this quote from the first link you provided...

    "UNIX design flaws: There are number of inherent flaws in the UNIX operating system that frequently lead to intrusions. The chief problem is the access control system, where only 'root' is granted administrative rights. As a result,"

    That's it. Seriously, the page had no more to say and seemed to end mid-sentence. Hrm. Very interesting, some l33t h4x0r must have deleted the text to cover his tracks while compromising the server.

    Bad Mojo

    --
    Bad Mojo
    "If you can't win by reason, go for volume." -- Calvin
  162. Thank you Slashdot by Dionysus · · Score: 3

    I know I was unable to write any programs before the word *hacker* was corrected to cracker.

    Of course, in the future, in order to not offend anyone, I expect that M$/Microshaft/Microsleuth/Micro$soft etc. be changed to Microsoft Inc.

    Slovaris be changed to Solaris (SunOS 6-> is also acceptable).

    Linux will be changed to GNU/Linux or Linux/GNU in all text.

    RMS will be changed ESR. Linus Thorvald will be changed to Richard M. Stallman.

    EvilHat, the Next M$, whatever people wants to call RedHat, to RedHat.

    Also, while we are at it, I find any mention of GNOME being better than KDE also highly offensive. Please substitute all GNOME articles with KDE articles.

    I'm glad these features have been implemented, BECAUSE OTHERWISE I WOULD BE SO OFFENDED.

    --
    Je ne parle pas francais.
  163. An Evening with Berferd by jabber · · Score: 3

    Sounds a lot like An Evening with Berferd.

    Sorry for the hyperlinked version, there's a PS file out there that makes for better reading IMHO.

    --

    -- What you do today will cost you a day of your life.
  164. This is half wrong by Sloppy · · Score: 3

    If the AC who submitted the story used the word "hacker", then in the part where he quotes the AC, he should use the word "hacker." I agree that changing someone else's words is a Bad Thing, even if those words are incorrect.

    But in the headline and CT's own comments ("This is an interesting approach .. when it comes to cracking"), he should use real language. In spite of the submitter's linguistic error, the actual subject matter of the story is not about using honeypots to catch hackers; it's about using honeypots to catch crackers. For the headline, it is appropriate to "translate" their meaning into our terminology. Thus, the usage of "hacker" in the headline was misleading and inaccurate, and CT was right in correcting it.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  165. Honeypot issues by ryanr · · Score: 3

    Building a honeypot isn't hard. Any box that you don't care about getting broken into will do.

    Properly watching a honeypot can be challenging. You don't need one if you're not going to pay close attention to it. You also need to be concerned that ownership of the honeypot doesn't jeopardize any real systems, either due to network trust, or increased ability to do traffic monitoring. You also have to consider that you'll be a danger to other sites on the net. At least one poster to our Incidents forum claimed that when he contacted the admin of a box that was being used to attack him, the admin knew it was 0wned, and refused to take it down because he was monitoring the attacker.

    You need to consider why you want a honeypot. It's probably an easy choice to put one up if you're in the business of watching crackers. If not, some folks think they want one to distract or act as early warning. What do you do when you catch a cracker? Unless you've got a clear trail back to the attacker in the same country as you, not much. You can notify his admin, which has mixed results. You can try law enforcement, which also has mixed results.. especially when you're talking about a honeypot, and can't really place a dollar value on "damages".

    Consider whether you want to take a chance on pissing off a cracker. Lots of crackers are untouchable from where they are. Unless you already piss off the crackers by your very existence (MS, Antionline..) Most people don't want to be targeted by a cracker with no fear of being punished.

    Most security folks believe that the intersection of sets of people who break into systems and people who are good hackers is small. That means that chances are small that you'll see some unknown attack against your particular honeypot. You can certainly set one up with the common holes, but then you'll be tracking common crackers.

    The Berferd story was interesting because they caught a semi-skillful attacker. Stoll's case was interesting for much the same reason. In neither case did they start out with a honeypot. They built a jail for Berferd. In Stoll's case, he used production systems for his "honeypots". This was back in an age when these sorts of things were much less common, and you didn't have hundreds of script kiddies scanning the entire Internet looking for machines to own. The owning has even become much less interesting, due to the DDoS tools the crackers now want to install and move on..

    If you want the excitement of an evening with Berferd on your system, don't run a honeypot. Watch your real systems very carefully, and polish your tools for tracking him when he shows up.

  166. Re:Honeypots can be illegal by Gleef · · Score: 4

    Shafik wrote:

    Unless you are in law enforcement it can not be considered entrapment. This has been discussed on Bugtraq and many other lists. www.securityfocus.com, goto forums and then bugtraq, I don't remember the title of the discussion though but it was within the last month or so.

    A bit of an oversimplification. In most states, it also is entrapment if you are acting as an agent of law enforcement (i.e. Police, District Attorneys, FBI, and a number of Federal, State and Local Government agencies). Basically, if the law gets involved, or if you have any special arrangements with a law enforcement agency, take down any uncompromised honeypots or they might get in the way of apprehending or prosecuting the invader. If you don't care about apprehending or prosecuting the invader, honeypots don't cause any problems here.

    Although you might be liable if they use your machine as a jump point to launch more attacks.

    I am not a lawyer, but I'd say you probably would be held liable if it could be shown that you deliberately allowed the unauthorized user access to your system.

    ----

    --

    ----
    Open mind, insert foot.
  167. Simulated environment is not a good idea by stx23 · · Score: 4

    If you set up a simulated environment, e.g. The Matrix, and someone notices, they are likely to do their damndest to get out of the honeypot, then f**k up the rest of your system.
    Additionally, two points spring to mind:-
    1. Define 'hacker'. As a slashdot editor, you should know better.
    2. Isn't a honeypot considered entrapment?

    1. Re:Simulated environment is not a good idea by tiny69 · · Score: 5
      2. Isn't a honeypot considered entrapment?

      No. Here is a good explanation.

      Some good links on the subject:

      http://www.robertgraham.com/pubs/network-intrusion-detection.html#11

      http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

      --
      Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  168. Honeypots can be illegal by SWroclawski · · Score: 4

    Check your local laws.

    Honeypots can be a form of entrapment.

    Also, one might argue:

    1) A bad honeypot can be detrimental (ie if the user really does have control over the system)

    2) Honeypots encourage the hacker, while a closed door might frustrate them and they'd go away.

    Anyway- just some things to keep in mind.

    1. Re:Honeypots can be illegal by Battra · · Score: 5

      There was a huge thread about this on one of the security mailing lists recently. There was a lot of debate about whether or not a honeypot was entrapment. The short answer is maybe. In some areas, and for some agencies (like the US military) honeypots are considered an illegal form of entrapment. If you are thinking at all about implementing one, check with your local authorities first.

      You also need to take a good look at your security policy and determine what your security goals are. For most businesses, trying to catch the person who rooted your box is a secondary goal at best. The most important thing is to get the systems back on line and minimize the downtime. A honeypot only makes sense if you are trying to gather information that you will use to try to prosecute the attacker.

      Getting decent evidence that will be admissible in court is extremely difficult, so many people don't really try. For more information on gathering forensic evidence, check out this PDF from a recent SANS conference.

      http://www.sans.org/TALKS/KRUSE.PDF

      YMMV, but in my own opinion, the time and effort you put into a honeypot would be better spent securing your actual boxes.

  169. You need Gooood skills to make a goood honeypot. by arcade · · Score: 5

    First of all, it's no problem to make a honeypot. You install a buggy system, and watch what happens.

    The problem is .. are you a likely target for someone older than a 15 year old scriptkiddie who "rules on IRC"? Probably not. Most cracked sites get cracked by scriptkiddies who want a box to install an eggie on, so that they can join it into their IRC botnet.

    But, back to the question. A good honeypot would be a system that didn't get cracked, but where you created an environment that - for the cracker - seemed to be a normal unix system. First off, you need to create the programs that listen on different ports. You probably want to listen on ports 21, 23, 25, 53, 80, 110, 6000, and probably a couple more -- so that it seems to be a regular system. You should also scan a redhat 5.2 box (or something) and find the exact banners they show. You need to recreate *exactly* what happens when someone executes "the" buffer overflow that usually happens, and so forth.

    The question "will it fool good hackers" or whatever the question was - is quite void in my eyes. Good crackers won't scan enormous subnets for crackable hosts. It's the scriptkiddies that do that kind of thing. And yes -- you will catch them. You will catch hundreds of them. The problem is - the scans and breakins will originate either from wingates - or from other cracked hosts. Sure, it's a nice gesture to notify them -- but you probably won't catch any fishes.


    --
    "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

    --
    "Rune Kristian Viken" - http://www.nwo.no - arca
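    The listener arcade describes above (fake banners on the usual ports, recording whatever the client sends) is the core of what is now called a low-interaction honeypot. The following is an added example, not code from this thread or from any of the products mentioned in it: a small Python listener that sends a constructed banner, captures the client's first bytes, and writes one JSON line per connection with a few cheap detection signals (first request line, longest repeated-byte run, hex prefix). The banners, host names, the loopback bind address and the +10000 port offset are all assumptions for a local demo run.

```python
"""Low-interaction honeypot listener (constructed example).

Sends a fake service banner, records what the client sends, and writes one
JSON record per connection so the capture can be grepped or fed to a SIEM.
"""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed placeholder banners (assumption: not copied from any real host).
# Real deployments copy the exact banner of the system they want to resemble.
BANNERS = {
    21: b"220 ftp.honeypot.invalid FTP server ready.\r\n",
    23: b"\r\nlogin: ",
    25: b"220 mail.honeypot.invalid ESMTP ready\r\n",
    80: b"",  # HTTP servers speak only after the client does, so no banner
    110: b"+OK POP3 server ready\r\n",
}


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte.

    Long runs of a single byte are a cheap signal of padding in automated
    exploit attempts, which is the kind of traffic a honeypot mostly sees.
    """
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def summarize_probe(port: int, peer: str, data: bytes) -> dict:
    """Turn one captured payload into a log record that is safe to store.

    Non-printable bytes are replaced with '.' so the log itself never carries
    raw control characters; the hex prefix keeps the exact bytes for analysis.
    """
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in first_line[:200])
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "port": port,
        "peer": peer,
        "bytes": len(data),
        "first_line": printable,
        "longest_run": longest_byte_run(data),
        "hex_head": data[:32].hex(),
    }


def handle(conn: socket.socket, addr, port: int, log) -> None:
    """Serve one connection: banner out, bytes in (bounded), record written."""
    data = b""
    try:
        conn.settimeout(5)
        conn.sendall(BANNERS.get(port, b""))
        while len(data) < 65536:  # cap what one client can make us buffer
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    finally:
        conn.close()
    log.write(json.dumps(summarize_probe(port, addr[0], data)) + "\n")
    log.flush()


def listen(port: int, log, bind: str = "127.0.0.1") -> int:
    """Accept connections on one port in a background thread; returns the
    port actually bound (so port 0 can be requested in tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    bound = srv.getsockname()[1]

    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr, bound, log),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return bound


if __name__ == "__main__":
    import sys
    # Demo: unprivileged ports on loopback; a real deployment binds the real
    # ports on an isolated host with egress blocked at the firewall.
    for p in BANNERS:
        listen(p + 10000, sys.stdout)
    threading.Event().wait()
```

    Run it, then `telnet 127.0.0.1 10021` and type something: one JSON line appears per connection. The point the listener makes is arcade's: it is trivially cheap to catch automated scanners this way, and the record it produces (port, first line, padding run, hex prefix) is exactly what you would want to alert on, but the box still needs an egress filter so it cannot be used as a jump point.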
  170. don't waste your time on honeypots by Ken+Williams · · Score: 5

    99.9% of the people who consider putting honeypots on their networks should instead spend that time securing their vulnerable networks, checking for and applying the latest patches, and reading up on security trends and issues.

    that said, honeypots are a really cool concept, nevertheless. but a network or security admin needs to focus on more fundamental security issues though. those NT network admins, for instance, should be deploying a second, or third, or fourth firewall on BSDi or Linux, instead of wasting time and compromising their security with a misconfigured NT honeypot. honeypots are best left for IT security research environments, or for people who have too much time to waste.

    a notable exception is NAI's Cybercop Sting. Sting emulates Cisco IOS 11.2, Solaris 2.6, and WinNT 4, running common services. with Sting, you can pipe all of your legitimate traffic through Sting, and utilize the excellent logging capabilities of Sting for an added layer of security. additionally, Sting can be, should be, and often is utilized to monitor employees (i.e. internal hacking/cracking attempts). since most of the security incidents will be from internal sources, honeypots are an excellent way to monitor for suspicious LAN activity.

    there was an excellent discussion recently of the honeypot concept, with a wide range of opinions and views from all sectors of the Net population, on the Security Focus Incidents mailing list. the thread was entitled "Cracked; rootkit - entrapment question?", and was back in late February and early March.

    for those who have more interest in honeypots, check out the following:

    To Build a Honeypot - article by Lance Spitzner

    CyberCop Sting - product by NAI

    dtk - Fred Cohen's Deception Toolkit

    NFR's Back Officer Friendly - product by Marcus Ranum and L0pht

    and finally, a cool new product that i saw at RSA2000
    ManTrap - product by Recourse Technologies that is based on Solaris 7

    --
    -- ken williams
  171. This is very wrong!!!! by segmond · · Score: 5

    "Update: 04/07 03:09 by CT: originally this story misused 'hacker' quite offensively. I corrected it."

    I must object, and I hope that many people object as well. You bring news to us, and you should bring it the way it came, raw and original, regardless of whether it is offensive to you or not. "hacker" used for a computer cracker might be an offensive term to you, but what about me? I work in the computer security industry, so have you more credits to tell me what to refer to a computer criminal as? I call them hackers. Why? Because that is what it means now; till the media comes up with a new term, the original old term is lost, and you can't do shit about it. But I digress, I do not care what you call them or what anyone calls them; I call them "script kiddies", "computer criminals or intruders", but back to the gist of my post. You should never, never, ever modify a post! I hope this is the last we see of this on slashdot, because this is misinformation. I saw a comment by someone thinking that this guy had a clue because he referred to computer intruders as crackers; if only you had left the post as the original, the owner of the comment might have thought twice. What next? Tomorrow andovernet will ask you to edit a news story because it is offensive? You committed a big boo boo, but it is okay, we all make mistakes once, but I really hope that this doesn't happen again!!!

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind