Security-Why Not Watch The Crackers?

An Anonymous Coward asks: "Over the years I have heard the idea of luring in Crackers into a honeypot, so you can watch them and see what they are doing. It has always seemed to me to be a better idea to keep the Crackers completely away with a low profile and a firewall. What do you think?" This is an interesting approach to security and one I have also thought about from time to time...assuming you can build a convincing enough trap so you can learn how they work. "Forewarned is forearmed", especially when it comes to Cracking. How likely would such traps fool really good crackers? Update: 04/07 03:09 by CT : originally this story misused 'hacker' quite offensively. I corrected it.

Re:Honeypots can be illegal

[Gleef]

Shafik wrote:

Unless you are in law enforcement it can not be considered entrapment. This has been discussed on Bugtraq and many other lists. www.securityfocus.com, goto forums and then bugtraq, I don't remeber the title of the discussion though but it was within the last month or so.

A bit of an oversimplification. In most states, it also is entrapment if you are acting as an agent of law enforcement (i.e. Police, District Attorneys, FBI, and a number of Federal, State and Local Government agencies). Basically, if the law gets involved, or if you have any special arrangements with a law enforcement agency, take down any uncompromised honeypots or they might get in the way of apprehending or prosecuting the invader. If you don't care about apprehending or prosecuting the invader, honeypots don't cause any problems here.

Although you might be liable if they use your machine as a jump point to lauch more attacks.

I am not a lawyer, but I'd say you probably would be held liable if it could be shown that you deliberately allowed the unauthorized user access to your system.

----

Simulated environment is not a good idea

[stx23]

If you set up a simulated environment, e.g. The Matrix, and someone notices, they are likely to do their damndest to get out of the honeypot, then f**k up the rest of your system.
Additionally, two points spring to mind:-
1. Define 'hacker'. As a slashdot editor, you shuold know better. 2. Isn't a honeypot considered entrapment?

Re:Simulated environment is not a good idea

[tiny69]

2. Isn't a honeypot considered entrapment?

No. Here is a good explanation.

Some good links on the sublect:

http://www.robertgraham.com/pubs/network-intrusion -detection.html#11

http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ .htm

Re:Building a _hornets_ nest

[arcade]

Building a honey pot no matter how good a security expert you think you are, is a bad idea.

That, my friend, depends on what your goals are. There are several good reasons to build honeypots.

First of, if you are pretty sure about your network, and that you are an idealist -- creating a honeypot let you see where scans originate from. After that, you can contact the admin of the machine it originated from -- and tell him that he probably is cracked. You've made a friend.

Secondly, if you don't have important data on your network, and just want to catch some fish and watch the ruckus -- i'm sure it can be great fun.

In other words, it depends on your goals, what kind of person you are, and so forth.

Nevermind the fact that you have intentionally left an easily crackable machine on the internet, from which crackers can launch other attacks.

That depends on what you leave on the machine. It also depends on the firewall rules. Not to forget, if you monitor the machine, you may see what he attacks from the machine -- and thereby alert the machine new machine he just cracked into. Someone would've found that other vulnerable machine in time anyways -- so I don't see the damage.

And, if your firewall denies outgoing ICMP's (in heavy quata, and with spoofed ips..) it may not be used in a smurf attacks. Furthermore, if the firewall says "no more than 10 outgoing SYN requests per 5 seconds" we can forget about synflooding too:)

I personally don't know who has the time to set up decoy machines, when it's difficult enough keeping servers patched in a 24x7 production environment.

Not everybody who builds a honeypot is a security professional with little time on his hand to secure a large companys network. I totally agree with you if that is the case. Building honeypots on large companies networks is a Bad Thing (imho).


--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

Honeypots can be illegal

[SWroclawski]

Check your local laws.

Honeypots can be a form of entrapment.

Also, one might argue:

1) A bad honeypot can be detremental (ie if the user really does have control over the system)

2) Honeypots encourage the hacker, while a closed door might frustrate them and they'd go away.

Anyway- just some things to keep in mind.

Re:Honeypots can be illegal

[Battra]

There was a huge thread about this on one of the security mailing lists recently. There was a lot of debate about whether or not a honeypot was entrapment. The short answer is maybe. In some areas, and for some agencies (like the US military) honeypots are considered an illegal form of entrapment. If you are thinking at all about implementing one, check with you local authorities first.

You also need to take a good look at your security policy and determine what your security goals are. For most businesses, trying to catch the person who rooted your box is a secondary goal at best. The most important thing is to get the systems back on line and minimize the downtime. A honeypot only makes sense if you are trying to gather information that you will use to try to prosecute the attacker.

Getting decent evidence that will be admissable in court is extremely diffcult, so many people don't really try. For more information on gathering forensic evidence, check out this PDF from a recent SANS conference.

http://www.sans.org/TALKS/KRUSE.PDF

YMMV, but in my own opinion, the time and effort you put into a honeypot would be better spent securing your actual boxes.

You need Gooood skills to make a goood honeypot.

[arcade]

First of all, its no problem to make a honeypot. You install a buggy system, and watch what happens.

The problem is .. are you a likely target for someone older than a 15 year old scriptkiddie who "rules on IRC" ? Probably not. Most cracked sites get cracked by scriptkiddies who want a box to install a eggie on, so that they can join it into their IRC botnet.

But, back to the question. A good honeypot would be a system that didn't get cracked, but where you created an environment that - for the cracker - seemed to be a normal unix system. First of, you need to create the programs that listenes to different ports. You probably want to listen to port 21, 23, 25, 53, 80, 110, 6000, and probably a couple more -- so that it seems to be a regular system. You should also scan a redhat 5.2 box (or something) and find the exact banners they show. You need to recreate *Exactly* what happens, when someone executes "the" bufferoverflow that usually happens, and so forth.

The question "will it fool good hackers" or whatever the question was - is quite void in my eyes. Good crackers wont scan enourmous subnets for crackable hosts. Its the scriptkiddies that does that kind of thing. And yes -- you will catch them. You will catch hundreds of them. The problem is - the scans and breakins will originate either from wingates - or from other cracked hosts. Sure, its a nice gesture to notify them -- but you probably won't catch any fishes.


--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet

don't waste your time on honeypots

[Ken+Williams]

99.9% of the people who consider putting honeypots on their networks should instead spend that time securing their vunlerable networks, checking for and applying the latest patches, and reading up on security trends and issues.

that said, honeypots are a really cool concept, nevertheless. but a network or security admin needs to focus on more fundamental security issues though. those NT network admins, for instance, should be deploying a second, or third, or fourth firewall on BSDi or Linux, instead of wasting time and compromising their security with a misconfigured NT honeypot. honeypots are best left for IT security research environments, or for people who have too much time to waste.

a notable exception is NAI's Cybercop Sting. Sting emulates Cisco IOS 11.2, Solaris 2.6, and WinNT 4, running common services. with Sting, you can pipe all of your legitimate traffic thrugh Sting, and utilize the excellent logging capabilities of Sting for an added layer of security. additionally, Sting can be, should be, and often is utilized to monitor employees (i.e. internal hacking/cracking attempts). since most of the security incidents will be from internal sources, honeypots are an excellent way to monitor for suspicious LAN activity.

there was an excellent discussion recently of the honeypot concept, with a wide range of opinions and views from all sectors of the Net population, on the Security Focus Incidents mailing list. the thread was entitled "Cracked; rootkit - entrapment question?", and was back in late February and early March.

for those who have more interest in honeypots, check out the following:

To Build a Honeypot - article by Lanace Spitzner

CyberCop Sting - product by NAI

dtk - Fred Cohen's Deception Toolkit

NFR's BackOffice Friendly - product by Marcus Ranum and L0pht

and finally, a cool new product that i saw at RSA2000
ManTrap - product by Recourse Technologies that is based on Solaris 7

This is very wrong!!!!

[segmond]

"Update: 04/07 03:09 by CT: originally this story misused 'hacker' quite offensively. I corrected it."

I must object, and I hope that many people object as well, You bring news to us, and you should bring it the way it came, raw and original, irrelevant of it is offensive to you or not. "hacker" used for a computer cracker might be an offensive term to you, but what about me? I work in the computer security industry, so have you more credits to tell me what to refer a computer criminal as? I call them hackers, why? because that is what it means now, till the media comes up with a new term, the original old term is lost, and you can't do shit about it. But I digress, I do not care what you call them or what anyone call them, I call them "script kiddies", "computer criminals or intruders", but back to the gist of my post. You should never never ever modify a post! I hope this is the last we see this on slashdot, because this is misinformation. I saw a comment by someone thinking that this guy had a clue because he refered to computer intruders as crackers, if only you had left the post as the original, the owner of the comment might have thought twice. What next? tomorrow andovernet will ask you to edit a news because it is offensive? You commited a big boo boo, but it is okay, we all make mistakes once, but I really hope that this doesn't happen again!!!