Security-Why Not Watch The Crackers?
An Anonymous Coward asks: "Over the years I have heard the idea of luring Crackers into a honeypot, so you can watch them and see what they are doing. It has always seemed to me to be a better idea to keep the Crackers completely away with a low profile and a firewall. What do you think?" This is an interesting approach to security and one I have also thought about from time to time... assuming you can build a convincing enough trap so you can learn how they work. "Forewarned is forearmed", especially when it comes to Cracking. How likely is it that such traps would fool really good crackers? Update: 04/07 03:09 by CT: originally this story misused 'hacker' quite offensively. I corrected it.
Well, I've found leaving a locked-down machine (running nothing other than a decent "PING" responder) with an attractive hostname (gateway, firewall, doorway, secure) around that does nothing tends to keep people away from the "real" machines sitting next to it... The nice thing is any old computer can be used as a decoy, including an old 386 laptop nobody wants to use. It does nothing to keep the pros out, but the script kiddies will pound on it all day long... helps keep those DoS attacks from the clueless from affecting anything of importance (until they manage to saturate bandwidth).
"Flame away, I wear asbestos underwear"
Depends. Considering 80% of your intrusions won't come from hackers, but from disgruntled employees, maybe the better question should be "Have I kept my mouth shut when talking to my peers about this?" Script kiddie attempts do little damage to a prepared system administrator - a good backup, a contingency plan, and knowledge can take care of everything up to, and including, the little DDoS that happened to yahoo.com, ebay.com, and the other "dot coms". There was no reason Yahoo should have been down more than about 30 minutes - they had the equipment to handle the attacks... but it was sitting in a storage closet unplugged. So stop worrying about outside attacks, and be more cost effective: put a firewall between Finance/HR and the rest of the organization. You DID install managed switches, didn't you?
Oh balls. Editorial discretion in any kind of publication allows for all kinds of corrections, from terminology to spelling and grammar. I guarantee the majority of letters to the editor you read in the paper are not printed verbatim. Just about the only ones who get through unedited are syndicated columnists, and that's because they have their own editor who makes technical corrections before it's submitted.
It is, however, highly unprofessional to make public this correction. A private note to the submitter regarding the change would have been more than sufficient. I've submitted all of one story to slashdot (rejected, possibly on procedure grounds for choosing the wrong category). I'll think twice before submitting again.
I've finally had it: until slashdot gets article moderation, I am not coming back.
I enjoyed this quote from the first link you provided...
"UNIX design flaws: There are number of inherent flaws in the UNIX operating system that frequently lead to intrusions. The chief problem is the access control system, where only 'root' is granted administrative rights. As a result,"
That's it. Seriously, the page had no more to say and seemed to end mid-sentence. Hrm. Very interesting, some l33t h4x0r must have deleted the text to cover his tracks while compromising the server.
Bad Mojo
"If you can't win by reason, go for volume." -- Calvin
I know I was unable to write any programs before the word *hacker* was corrected to cracker.
Of course, in the future, in order to not offend anyone, I expect that M$/Microshaft/Microsleuth/Micro$soft etc. be changed to Microsoft Inc.
Slovaris be changed to Solaris (SunOS 6-> is also acceptable).
Linux will be changed to GNU/Linux or Linux/GNU in all text.
RMS will be changed to ESR. Linus Thorvald will be changed to Richard M. Stallman.
EvilHat, the Next M$, whatever people want to call RedHat, to RedHat.
Also, while we are at it, I find any mention of GNOME being better than KDE also highly offensive. Please substitute all GNOME articles with KDE articles.
I'm glad these features have been implemented, BECAUSE OTHERWISE I WOULD BE SO OFFENDED.
I don't speak French.
Sounds a lot like An Evening with Berferd.
Sorry for the hyperlinked version, there's a PS file out there that makes for better reading IMHO.
-- What you do today will cost you a day of your life.
If the AC who submitted the story used the word "hacker", then in the part where he quotes the AC, he should use the word "hacker." I agree that changing someone else's words is a Bad Thing, even if those words are incorrect.
But in the headline and CT's own comments ("This is an interesting approach .. when it comes to cracking"), he should use real language. In spite of the submitter's linguistic error, the actual subject matter of the story is not about using honeypots to catch hackers; it's about using honeypots to catch crackers. For the headline, it is appropriate to "translate" their meaning into our terminology. Thus, the usage of "hacker" in the headline was misleading and inaccurate, and CT was right in correcting it.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Building a honeypot isn't hard. Any box that you don't care about getting broken into will do.
Properly watching a honeypot can be challenging. You don't need one if you're not going to pay close attention to it. You also need to be concerned that ownership of the honeypot doesn't jeopardize any real systems, either due to network trust, or increased ability to do traffic monitoring. You also have to consider that you'll be a danger to other sites on the net. At least one poster to our Incidents forum claimed that when he contacted the admin of a box that was being used to attack him, the admin knew it was 0wned, and refused to take it down because he was monitoring the attacker.
You need to consider why you want a honeypot. It's probably an easy choice to put one up if you're in the business of watching crackers. If not, some folks think they want one to distract or act as early warning. What do you do when you catch a cracker? Unless you've got a clear trail back to the attacker in the same country as you, not much. You can notify his admin, which has mixed results. You can try law enforcement, which also has mixed results, especially when you're talking about a honeypot and can't really place a dollar value on "damages".
Consider whether you want to take a chance on pissing off a cracker. Lots of crackers are untouchable from where they are. Unless you already piss off the crackers by your very existence (MS, Antionline...), most people don't want to be targeted by a cracker with no fear of being punished.
Most security folks believe that the intersection of sets of people who break into systems and people who are good hackers is small. That means that chances are small that you'll see some unknown attack against your particular honeypot. You can certainly set one up with the common holes, but then you'll be tracking common crackers.
The Berferd story was interesting because they caught a semi-skillful attacker. Stoll's case was interesting for much the same reason. In neither case did they start out with a honeypot. They built a jail for Berferd. In Stoll's case, he used production systems for his "honeypots". This was back in an age when these sorts of things were much less common, and you didn't have hundreds of script kiddies scanning the entire Internet looking for machines to own. The owning has even become much less interesting, due to the DDoS tools the crackers now want to install and move on.
If you want the excitement of an evening with Berferd on your system, don't run a honeypot. Watch your real systems very carefully, and polish your tools for tracking him when he shows up.
If you dangle it as bait trying to catch a cracker...
That's totally irrelevant. By this logic, it's not your fault for stealing from the grocery store's cash register if the clerk is so silly as to turn away while the tray was open. It's not your fault for stealing from the shelves if the grocery store was so silly as to leave the merchandise out in plain sight and reach.
Either you're an adult able to control yourself when confronted with such temptations, or you're a legal infant unable to do so and not entitled to any of the rights of an adult - you can't vote, you can't drive (can't risk you deciding to run a red light because the city hasn't installed physical barriers to stop you!), you sure as hell can't own a gun, etc.
The *ONLY* issue with entrapment (vs. stings) is whether the cops somehow enticed the person to do something they wouldn't normally do. In countless cases the courts have held that merely presenting an *opportunity* to commit an illegal act is not, in itself, entrapment. There must be some overt act encouraging the criminal acts. E.g., an underage agent offering a citizen $20 to buy a six-pack of beer... and telling them they'll get to keep the change.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
There was an episode of 60 Minutes about 10 years ago where Diane Sawyer went to a market where there were gypsy pickpockets. She had a bunch of stuff in her purse and pockets that she didn't mind losing, and had a good inventory. However, she also had her keys, stashed as far down in her purse as possible, in a little pocket in the very bottom.
She lost a bunch of trivial stuff, and proved her point. However, somebody also got the keys from the bottom of her purse - the one thing that she really didn't want to lose.
The moral of the story - if you are doing this to acknowledge the fact that there really are crackers, purely for educational purposes, then you might learn something. If you are doing it because you think it will distract anyone from the stuff you really don't want to lose, you are probably sorely mistaken. It might even give you a false sense of security, which is a bad thing.
--- "So THAT's what an invisible barrier looks like!" - Time Bandits
Shafik wrote:
Unless you are in law enforcement it can not be considered entrapment. This has been discussed on Bugtraq and many other lists. www.securityfocus.com, go to forums and then bugtraq; I don't remember the title of the discussion, though, but it was within the last month or so.
A bit of an oversimplification. In most states, it also is entrapment if you are acting as an agent of law enforcement (i.e. Police, District Attorneys, FBI, and a number of Federal, State and Local Government agencies). Basically, if the law gets involved, or if you have any special arrangements with a law enforcement agency, take down any uncompromised honeypots or they might get in the way of apprehending or prosecuting the invader. If you don't care about apprehending or prosecuting the invader, honeypots don't cause any problems here.
Although you might be liable if they use your machine as a jump point to launch more attacks.
I am not a lawyer, but I'd say you probably would be held liable if it could be shown that you deliberately allowed the unauthorized user access to your system.
----
Open mind, insert foot.
If you set up a simulated environment, e.g. The Matrix, and someone notices, they are likely to do their damndest to get out of the honeypot, then f**k up the rest of your system.
Additionally, two points spring to mind:
1. Define 'hacker'. As a slashdot editor, you should know better.
2. Isn't a honeypot considered entrapment?
Building a honey pot, no matter how good a security expert you think you are, is a bad idea.
That, my friend, depends on what your goals are. There are several good reasons to build honeypots.
First off, if you are pretty sure about your network, and you are an idealist -- creating a honeypot lets you see where scans originate from. After that, you can contact the admin of the machine it originated from -- and tell him that he has probably been cracked. You've made a friend.
Secondly, if you don't have important data on your network, and just want to catch some fish and watch the ruckus -- I'm sure it can be great fun.
In other words, it depends on your goals, what kind of person you are, and so forth.
Nevermind the fact that you have intentionally left an easily crackable machine on the internet, from which crackers can launch other attacks.
That depends on what you leave on the machine. It also depends on the firewall rules. Not to forget, if you monitor the machine, you may see what he attacks from the machine -- and thereby alert the new machine he just cracked into. Someone would've found that other vulnerable machine in time anyway -- so I don't see the damage.
And, if your firewall denies outgoing ICMPs (in heavy quota, and with spoofed IPs...) it may not be used in a smurf attack. Furthermore, if the firewall says "no more than 10 outgoing SYN requests per 5 seconds" we can forget about SYN flooding too :)
I personally don't know who has the time to set up decoy machines, when it's difficult enough keeping servers patched in a 24x7 production environment.
Not everybody who builds a honeypot is a security professional with little time on his hands to secure a large company's network. I totally agree with you if that is the case. Building honeypots on large companies' networks is a Bad Thing (imho).
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
Check your local laws.
Honeypots can be a form of entrapment.
Also, one might argue:
1) A bad honeypot can be detrimental (i.e. if the user really does have control over the system)
2) Honeypots encourage the hacker, while a closed door might frustrate them and they'd go away.
Anyway- just some things to keep in mind.
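Point 1 above (a decoy the intruder really controls) is exactly what Rune Viken's earlier reply addresses with firewall rules: drop outgoing ICMP that is spoofed or over quota, and allow no more than 10 outgoing SYNs per 5 seconds. The following is an added example of that containment logic, not code from any poster in this thread. The packet summaries, addresses and thresholds are constructed assumptions; in a real deployment the same limits belong in the firewall in front of the decoy, not in a Python process, but the script shows what the rules do and do not stop.

```python
"""Egress policy for a honeypot's outbound traffic (added example).

Outbound ICMP is dropped when its source is not the honeypot's own
address (spoofed, as a smurf amplifier would send) or when it exceeds a
quota; outbound TCP SYNs are capped at N per sliding window. Everything
below is constructed for illustration; nothing comes from the thread.
"""
from collections import Counter, deque


class EgressPolicy:
    def __init__(self, honeypot_ip, syn_limit=10, syn_window=5.0,
                 icmp_limit=20, icmp_window=5.0):
        self.honeypot_ip = honeypot_ip
        self.syn_limit, self.syn_window = syn_limit, syn_window
        self.icmp_limit, self.icmp_window = icmp_limit, icmp_window
        self._syn_times = deque()   # timestamps of accepted outbound SYNs
        self._icmp_times = deque()  # timestamps of accepted outbound ICMP

    @staticmethod
    def _admit(times, now, window, limit):
        """Sliding-window quota: True if one more packet fits right now.

        Dropped packets are not recorded, so once a flood slows down it
        is admitted again (the same shape as a token bucket in a firewall).
        """
        while times and now - times[0] > window:
            times.popleft()
        if len(times) >= limit:
            return False
        times.append(now)
        return True

    def decide(self, pkt):
        """Return (verdict, reason) for one outbound packet summary.

        pkt: {"ts": float, "src": str, "dst": str,
              "proto": "tcp" | "udp" | "icmp",
              "flags": TCP flag letters such as "S" or "SA"}
        """
        if pkt["src"] != self.honeypot_ip:
            return "DROP", "spoofed source %s" % pkt["src"]
        if pkt["proto"] == "icmp":
            if not self._admit(self._icmp_times, pkt["ts"],
                               self.icmp_window, self.icmp_limit):
                return "DROP", "icmp quota exceeded"
            return "ACCEPT", "icmp within quota"
        if pkt["proto"] == "tcp" and "S" in pkt["flags"] and "A" not in pkt["flags"]:
            # A bare SYN is a connection the decoy itself initiates; a SYN/ACK
            # is only the reply to someone connecting in, so it is not counted.
            if not self._admit(self._syn_times, pkt["ts"],
                               self.syn_window, self.syn_limit):
                return "DROP", "outbound SYN rate exceeded"
            return "ACCEPT", "new outbound connection within quota"
        return "ACCEPT", "not rate-limited"


def evaluate(policy, packets):
    """Run packets through the policy in order; returns (pkt, verdict, reason)."""
    return [(p,) + policy.decide(p) for p in packets]


def summary(results):
    """Count verdicts. Any DROP is itself the alert: it means the decoy is
    being used as a launch point, which is the thing to go and look at."""
    return Counter(verdict for _, verdict, _ in results)


# Constructed sample (assumed addresses): the decoy at 10.0.0.5 has been
# taken over and starts a telnet scan of a neighbour, then emits a spoofed
# ICMP echo to a broadcast address, then does an ordinary DNS lookup, then
# opens one more connection after the window has passed, then answers an
# inbound connection with a SYN/ACK.
HONEYPOT = "10.0.0.5"
SAMPLE_PACKETS = (
    [{"ts": 0.1 * i, "src": HONEYPOT, "dst": "10.0.0.99", "proto": "tcp", "flags": "S"}
     for i in range(12)]
    + [{"ts": 1.5, "src": "192.0.2.1", "dst": "203.0.113.255", "proto": "icmp", "flags": ""}]
    + [{"ts": 1.6, "src": HONEYPOT, "dst": "10.0.0.1", "proto": "udp", "flags": ""}]
    + [{"ts": 6.0, "src": HONEYPOT, "dst": "10.0.0.77", "proto": "tcp", "flags": "S"}]
    + [{"ts": 6.1, "src": HONEYPOT, "dst": "198.51.100.7", "proto": "tcp", "flags": "SA"}]
)

if __name__ == "__main__":
    results = evaluate(EgressPolicy(HONEYPOT), SAMPLE_PACKETS)
    for pkt, verdict, reason in results:
        print("%5.1f %-6s %s -> %s  %s" % (pkt["ts"], verdict, pkt["src"], pkt["dst"], reason))
    print(dict(summary(results)))
```

With the constructed sample, the first ten SYNs pass, the eleventh and twelfth are dropped, the spoofed echo is dropped, and the lookup, the later SYN and the SYN/ACK all pass. Note what the rules do not do: ten new connections every five seconds is still plenty for a slow scan, so the DROP log, not the rate limit, is the real control here.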
First of all, it's no problem to make a honeypot. You install a buggy system, and watch what happens.
.. are you a likely target for someone older than a 15 year old scriptkiddie who "rules on IRC"? Probably not. Most cracked sites get cracked by scriptkiddies who want a box to install an eggie on, so that they can join it into their IRC botnet.
The problem is
But, back to the question. A good honeypot would be a system that didn't get cracked, but where you created an environment that - for the cracker - seemed to be a normal unix system. First off, you need to create the programs that listen on different ports. You probably want to listen on port 21, 23, 25, 53, 80, 110, 6000, and probably a couple more -- so that it seems to be a regular system. You should also scan a redhat 5.2 box (or something) and find the exact banners they show. You need to recreate *Exactly* what happens when someone executes "the" buffer overflow that usually happens, and so forth.
The question "will it fool good hackers" or whatever the question was - is quite void in my eyes. Good crackers won't scan enormous subnets for crackable hosts. It's the script kiddies that do that kind of thing. And yes -- you will catch them. You will catch hundreds of them. The problem is - the scans and breakins will originate either from wingates - or from other cracked hosts. Sure, it's a nice gesture to notify them -- but you probably won't catch any fish.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
"Rune Kristian Viken" - http://www.nwo.no - arca
99.9% of the people who consider putting honeypots on their networks should instead spend that time securing their vulnerable networks, checking for and applying the latest patches, and reading up on security trends and issues.
that said, honeypots are a really cool concept, nevertheless. but a network or security admin needs to focus on more fundamental security issues though. those NT network admins, for instance, should be deploying a second, or third, or fourth firewall on BSDi or Linux, instead of wasting time and compromising their security with a misconfigured NT honeypot. honeypots are best left for IT security research environments, or for people who have too much time to waste.
a notable exception is NAI's Cybercop Sting. Sting emulates Cisco IOS 11.2, Solaris 2.6, and WinNT 4, running common services. with Sting, you can pipe all of your legitimate traffic through Sting, and utilize the excellent logging capabilities of Sting for an added layer of security. additionally, Sting can be, should be, and often is utilized to monitor employees (i.e. internal hacking/cracking attempts). since most of the security incidents will be from internal sources, honeypots are an excellent way to monitor for suspicious LAN activity.
there was an excellent discussion recently of the honeypot concept, with a wide range of opinions and views from all sectors of the Net population, on the Security Focus Incidents mailing list. the thread was entitled "Cracked; rootkit - entrapment question?", and was back in late February and early March.
for those who have more interest in honeypots, check out the following:
To Build a Honeypot - article by Lance Spitzner
CyberCop Sting - product by NAI
dtk - Fred Cohen's Deception Toolkit
NFR's BackOfficer Friendly - product by Marcus Ranum and L0pht
and finally, a cool new product that i saw at RSA2000
ManTrap - product by Recourse Technologies that is based on Solaris 7
-- ken williams
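The products listed above (DTK, Sting, BackOfficer Friendly) package the approach Rune Viken's reply describes: fake listeners on the usual ports, banners copied from the system being imitated, and a log of what the visitor types. The following is an added example of that low-interaction style, not code from any poster or from any of those products. The banners are approximate reconstructions, the host name decoy.example.net and the log path are assumptions, the canned replies only cover the first few commands an automated scanner sends, and binding ports below 1024 needs root.

```python
"""Low-interaction honeypot: fake service banners plus a structured log.

Added example; banners and replies are constructed approximations of a
late-1990s Linux box, not captures. A convincing decoy copies them
byte-for-byte from the real daemons with a packet capture instead.
"""
import json
import socketserver
import threading
import time

# Constructed greeting banners, one per fake service (assumed, not captured).
BANNERS = {
    21: b"220 decoy.example.net FTP server (Version wu-2.4.2-academ[BETA-18](1)) ready.\r\n",
    23: b"\r\nRed Hat Linux release 5.2 (Apollo)\r\nKernel 2.0.36 on an i586\r\nlogin: ",
    25: b"220 decoy.example.net ESMTP Sendmail 8.9.3/8.9.3; Mon, 3 Apr 2000 10:00:00 -0400\r\n",
    80: b"",  # HTTP speaks only after the request line
    110: b"+OK POP3 decoy.example.net v4.47 server ready\r\n",
}
LONG_LINE = 512       # input longer than this is logged as a probable overflow attempt
MAX_LINES = 50        # cap per session so a flood cannot fill the log
LOG_PATH = "honeypot.log"  # assumed location

def banner_for(port):
    return BANNERS.get(port, b"")

def reply_for(port, line, n=0):
    """Return (reply, close_after) for the n-th client line on a fake service."""
    words = line.split()
    cmd = words[0].upper() if words else b""
    if port == 21:
        if cmd == b"USER": return b"331 Password required.\r\n", False
        if cmd == b"PASS": return b"530 Login incorrect.\r\n", False
        if cmd == b"QUIT": return b"221 Goodbye.\r\n", True
        return b"500 '" + cmd + b"': command not understood.\r\n", False
    if port == 23:
        # even lines are usernames, odd lines passwords; nobody ever gets in
        if n % 2 == 0: return b"Password: ", False
        return b"\r\nLogin incorrect\r\n\r\nlogin: ", False
    if port == 25:
        if cmd in (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"RSET", b"NOOP"): return b"250 OK\r\n", False
        if cmd == b"QUIT": return b"221 decoy.example.net closing connection\r\n", True
        return b"500 Command unrecognized\r\n", False
    if port == 80:
        return (b"HTTP/1.0 404 Not Found\r\nServer: Apache/1.3.9 (Unix)\r\n"
                b"Content-Type: text/html\r\n\r\n<h1>Not Found</h1>\r\n"), True
    if port == 110:
        if cmd == b"USER": return b"+OK\r\n", False
        if cmd == b"PASS": return b"-ERR invalid password\r\n", False
        if cmd == b"QUIT": return b"+OK bye\r\n", True
        return b"-ERR unknown command\r\n", False
    return b"", True

def make_record(port, peer, n, line, reply):
    """One log record per client line; oversized input gets an alert field."""
    rec = {"ts": time.time(), "peer": peer, "port": port, "line": n,
           "len": len(line), "data": line[:200].decode("latin-1"),
           "reply": reply[:60].decode("latin-1")}
    if len(line) > LONG_LINE:
        rec["alert"] = "oversized input; possible buffer overflow attempt"
    return rec

def run_session(port, peer, lines):
    """Offline session engine: feed client lines, get the log records back.

    Mirrors the socket handler below, so a new banner or reply set can be
    checked before the box is exposed. Stops after the line that closes.
    """
    events = []
    for n, raw in enumerate(lines[:MAX_LINES]):
        line = raw.rstrip(b"\r\n")
        reply, close = reply_for(port, line, n)
        events.append(make_record(port, peer, n, line, reply))
        if close:
            break
    return events

class Decoy(socketserver.StreamRequestHandler):
    def handle(self):
        port = self.server.server_address[1]
        peer = "%s:%d" % self.client_address[:2]
        self.wfile.write(banner_for(port))
        for n in range(MAX_LINES):
            raw = self.rfile.readline(4096)
            if not raw:
                break
            line = raw.rstrip(b"\r\n")
            reply, close = reply_for(port, line, n)
            with open(LOG_PATH, "a") as f:
                f.write(json.dumps(make_record(port, peer, n, line, reply)) + "\n")
            self.wfile.write(reply)
            if close:
                break

class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def serve(ports=tuple(BANNERS), bind="0.0.0.0"):
    """Start one listener per fake service, each in a background thread."""
    servers = []
    for p in ports:
        s = Server((bind, p), Decoy)
        threading.Thread(target=s.serve_forever, daemon=True).start()
        servers.append(s)
    return servers

if __name__ == "__main__":
    serve()
    while True:
        time.sleep(60)
```

Two things this shows that the prose does not: the decoy never needs a real daemon behind any port, so there is nothing on it to actually overflow, and the interesting signal is in the log, where an oversized line on port 21 or 110 is flagged rather than executed. The machine still has to sit behind the kind of egress filtering discussed earlier in the thread; emulation keeps the services from being exploited, not the host from being misused if something else on it is.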
"Update: 04/07 03:09 by CT: originally this story misused 'hacker' quite offensively. I corrected it."
I must object, and I hope that many people object as well. You bring news to us, and you should bring it the way it came, raw and original, irrespective of whether it is offensive to you or not. "hacker" used for a computer cracker might be an offensive term to you, but what about me? I work in the computer security industry, so have you more credits to tell me what to refer a computer criminal as? I call them hackers, why? because that is what it means now, till the media comes up with a new term, the original old term is lost, and you can't do shit about it. But I digress, I do not care what you call them or what anyone calls them, I call them "script kiddies", "computer criminals or intruders", but back to the gist of my post. You should never never ever modify a post! I hope this is the last we see this on slashdot, because this is misinformation. I saw a comment by someone thinking that this guy had a clue because he referred to computer intruders as crackers; if only you had left the post as the original, the owner of the comment might have thought twice. What next? tomorrow andovernet will ask you to edit a news item because it is offensive? You committed a big boo boo, but it is okay, we all make mistakes once, but I really hope that this doesn't happen again!!!
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind