The Honeypot Project
Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite a while ago. Actually it's an interesting article. I'd like to say pretend that when I got 0wn23d that it was really just my HoneyPot fooling them.
Sure, if I randomly decided to "poke around" at guessing the root password on the company's main server, I could understand being fired. But finding a new server on the network and seeing if your account works should not be something you challenge - provided that they only try their account.
BTW, people who try to crack the desktop of a security professional should be put on record as having been fired for both attempting to breach system security and for stupidity. ("Oh, let's go hack the IT security guy's desktop. Bet he'll never figure it out!" Duh...)
________________________________________________
suwain_2
Then my question still stands, whatever happened to that box? Did it get cracked?
The door was unlocked because the lock is broken, and now it's going to cost me $100 to get a locksmith out here, and I'll have to wait an hour for him to get here.
Just leave it alone. If my battery goes dead enough times then I'll learn my lesson.
You are not entitled to screw around with other people's property just because you think you know what's best for them. Feel free to voice your opinion but keep your hands off. Thank you very much. I don't think that's an unreasonable request.
I meant that you could run several honeypots on a single machine. It would look like a full network of boxes. You could "rebuild" a rooted system by making a backup of a single file (the loop'ed fs) and restoring it. You could refresh a system in 30 seconds.
Wouldn't it be embarrassing to break into one of those? It's like breaking into a police station WHILE EVERYONE IS THERE! hehe
I've always been for putting a spare computer/box/whatever for use as a honeypot. Not only can you learn a little (after weeding out script kiddie traffic) about what tactics are most widespread, but you can also learn VERY valuable information from mistakes you leave (intentionally or unintentionally) on the honeypot before it gets to the network you are trying to protect. I know a lot of people consider these just stomping grounds for computer crime, but I feel that while that could be and is partially true, the potential benefit from having such things outweighs the presumed negative effects.
.--bagel--.---------------.
| aim: | bagel is back |
| icq: | 158450 |
( o ) one could say I'm rather baked
Was there any outcome to that entire thing? I believe you are referring to the "crack this box" site that Microsoft put up with a near final version of Windows 2000.
To summarize -- my point is about black hat hackers versus white hat hackers, and the fact that I don't recognize the distinction. That point is independent of any honey pot issues.
Oh. Then ignorance is the source of our problem, as I suspected.
You see, there is in fact an entity known in security circles as the "white hat". The "white hat" is the security expert that is on your side -- the white hat is the one who will, once a security hole is discovered, tell you about it, or hack the code themselves to fix it. As opposed to the black hat who tries to break in to whatever he can, take whatever he can, and not tell anyone so he can do it again.
A true white hat wouldn't try to break into your honey pot unless he knew it was a honey pot, and he knew it was OK for him to try (either by being told, asking, or seeing a public announcement). If he succeeded, he'd make sure you knew exactly what he did. The white hat wouldn't try to break into your main system at all, unless you contracted him to. In short, he wouldn't do things that piss you off.
So there is a big difference in action, not just motivation.
The original poster didn't make this distinction clear. In answer to his question, someone who breaks in and 'fixes things' without permission isn't a white hat. But it is there.
Obviously it's bad when it gets broken into, because that indicates you have a security problem.
Heh. Right. And since there are no elephants around, that means my elephant repellent works perfectly, right?
Actually, it's good when your honey pot gets broken into, and your main machines don't. You've realized there is a hole, and because the honey pot is not connected to anything important, the break-in didn't cost you anything, and you can fix the vulnerability before you lose 10,000 of your customers' credit cards.
The assumption is that you have security holes you don't know about, and letting the "black hats" tell you about them by exploiting them in a safe way is the point.
A honey pot that doesn't get cracked proves very little, and shouldn't make you feel much safer.
The enemies of Democracy are
What is this computer used for?
Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty, or the webpage is the default one installed with the OS, then something is up.
Check for user activity. Are there any users? Go to ~/.netscape (if the machine is unix). What are the timestamps on the files? Does the user have any email? By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitely wrong!!
Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.
One last check before getting the hell out of dodge: sniff the network. Who else is on it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), you've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....
do a quick `rm -rf /` and never go back.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
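The filesystem half of the sweep described in the post above, as an added example that is not the poster's code. It walks a root directory (a live box or a copied tree) and reports the same tells: no users, no file touched in the last seven days, no mail, an empty anonymous ftp area, the vendor's default web page, and syslog shipping everything to another host. The paths (/home, /var/mail, /var/ftp/pub, /var/www/html/index.html, /etc/syslog.conf), the default-page strings and the seven-day threshold are assumptions; the network sniffing and subnet ping steps are not included because they need a live wire. The two sample trees it builds are constructed in a temp directory, not real hosts.

```python
"""Honeypot tells from the filesystem. Added example; paths and thresholds are assumptions."""
import os
import tempfile
import time

DAY = 86400
# Strings the stock web page of the era contained; assumed, adjust per vendor.
DEFAULT_INDEX_MARKERS = (b"It Worked!", b"Test Page for Apache")


def recent_files(path, now, days=7):
    """Same idea as `find PATH -mtime -7`: files modified within the last DAYS days."""
    hits = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            if now - os.stat(full).st_mtime < days * DAY:
                hits.append(full)
    return hits


def honeypot_tells(root, now=None):
    """Return the tells found under ROOT; an empty list means the box looks lived-in.

    Each check mirrors one step of the post: users, recent activity, mail,
    an empty ftp area, the default web page, and logs shipped off-box.
    """
    now = time.time() if now is None else now
    tells = []
    home = os.path.join(root, "home")
    users = sorted(os.listdir(home)) if os.path.isdir(home) else []
    if not users:
        tells.append("no user home directories")
    else:
        if not any(recent_files(os.path.join(home, u), now) for u in users):
            tells.append("no user file touched in the last 7 days")
        mail = os.path.join(root, "var", "mail")
        if not any(os.path.getsize(os.path.join(mail, u)) > 0
                   for u in users if os.path.exists(os.path.join(mail, u))):
            tells.append("no user has any mail")
    ftp_pub = os.path.join(root, "var", "ftp", "pub")
    if os.path.isdir(ftp_pub) and not os.listdir(ftp_pub):
        tells.append("ftp is served but the public directory is empty")
    index = os.path.join(root, "var", "www", "html", "index.html")
    if os.path.exists(index):
        with open(index, "rb") as fh:
            if any(m in fh.read() for m in DEFAULT_INDEX_MARKERS):
                tells.append("web server still shows the vendor default page")
    syslog = os.path.join(root, "etc", "syslog.conf")
    if os.path.exists(syslog):
        with open(syslog) as fh:
            # A syslog.conf action beginning with "@" forwards to another host.
            remote = [l for l in fh if l.strip() and not l.startswith("#") and "@" in l]
        if remote:
            tells.append("%d syslog rules ship logs to another host" % len(remote))
    return tells


def _touch(path, mtime, data=b""):
    """Create PATH with DATA and force its modification time to MTIME."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))


def build_sample(kind, now):
    """Constructed sample trees (not real hosts): 'lived_in' or 'bare'."""
    root = tempfile.mkdtemp(prefix="hp_%s_" % kind)
    old, fresh = now - 30 * DAY, now - 1 * DAY
    os.makedirs(os.path.join(root, "var", "ftp", "pub"))
    if kind == "lived_in":
        _touch(os.path.join(root, "home", "alice", ".netscape", "history.dat"), fresh, b"x")
        _touch(os.path.join(root, "var", "mail", "alice"), fresh, b"From bob\n")
        _touch(os.path.join(root, "var", "ftp", "pub", "README"), old, b"hi")
        _touch(os.path.join(root, "var", "www", "html", "index.html"), old, b"<h1>Acme Intranet</h1>")
        _touch(os.path.join(root, "etc", "syslog.conf"), old, b"*.info\t/var/log/messages\n")
    else:
        _touch(os.path.join(root, "var", "www", "html", "index.html"), old, b"<h1>It Worked!</h1>")
        _touch(os.path.join(root, "etc", "syslog.conf"), old,
               b"*.*\t@loghost\nauth.*\t@10.0.0.5\n")
    return root


if __name__ == "__main__":
    now = time.time()
    for kind in ("lived_in", "bare"):
        print(kind, honeypot_tells(build_sample(kind, now), now))
```

Pointed at a real root it needs read access to the home directories and mail spool; a box that passes every check can of course still be a honeypot whose operator took the trouble to fake a user, which is exactly the point of the post's last step.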
From what I've seen, the ``dotcom shakeout'' had little to do with the competency of the people working in the server room, and everything to do with the flawed business practices of the suits out in the front office.
If you don't have a valid plan for making profits, it doesn't matter how much you're paying your system administrators, or how clueless they are.
Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...
Then you fire them?
You really shouldn't have to. Any decent IS staffer subjected to this kind of treatment should give you exactly what you deserve - a rude gesture - and walk out.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
I think you have to be invited to be considered a "White Hat" -- if you do nice things without an invitation, that makes you a "Gray Hat", and if you do bad things that makes you a "Black Hat". -Alec
Apparently you aren't exactly clued in as to what a "honey pot" is. It's a machine put on the 'net for the express purpose of (bold and italics, so maybe it sinks in) letting it be cracked. If you don't want anyone on your system, obviously you wouldn't be running a honey pot.
Also, for your continued enlightenment, in security parlance the "white hats" are the guys on your side -- they are trying to help you, by discovering exploits, going over code, etc and reporting what they find, so people's security can be increased. They aren't attempting cracks on unsuspecting people's boxes. But a honey pot (see above) would be fair game, no?
Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
There's no such thing as a "white hat cracker". Quite frankly, I don't care if you find a vulnerability in my system. STAY THE HELL OUT OF MY SYSTEM. Send me an e-mail, fine, thank you. But I don't need roving bands of do-gooders changing my system (and more than likely screwing it up in the process).
Put it this way: If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.
--
Sometimes it's best to just let stupid people be stupid.
I have this great idea for a honeypot, although it might seem a little futuristic.
Picture this: we create a series of directories that contain apparently classified military information. We'll call it something obscure, some sort of acronym, like SDINet, for example . . . I bet that would keep a dedicated hacker occupied for hours, especially if you mixed in some binary files so they had to check each one before trying to view it on the server.
I know it seems bizarre, but I think it actually might work! And the best part is I don't think anyone has ever come up with anything like this before!
Let me know if you think it would work?
--
Rob Carlson
Just set up your router to allow incoming connections but not outgoing. Then if they get in they don't go anywhere.
If I leave my garden hose outside, and then somebody strangles somebody with it, am I liable?
:)
My point is -- we know guns are made to shoot things, computers are *not* made to attack other systems. "Computers don't attack people, people attack people."
Never underestimate the bandwidth of a 747 filled with CD-ROMs.
Those are just the dumbass ones. Like someone who robs a bank and buys drinks for everyone at the local bar the next night, bragging about their big score. Those are probably the ones to be the least concerned about. They are at the low end with the ones you never hear from at the top.
"When it rains, it pours." --Morton's Salt
Which is why, while I distrust the government to an extent, I distrust corporations far more.
Possibly a lack of commas, more likely Taco failing to decide between 'say' or 'pretend'. Particularly in light of the fact that he typo'd on 0wn3d too.
More evidence of the downward spiral of editorial quality here.
If the honeypot is intentionally more vulnerable than the real server, then you are just demonstrating known exploits.
If the honeypot is *more* secure than the real server, why did you waste time securing the honeypot that could have been spent securing the real server?
Finally, if the honeypot is equal in security to the real server, you are cutting the odds of a real server being hacked to:
reals/(honeypots+reals)
In most large organizations honeypots will be a very small number compared to reals. In small organizations you could make a difference, but how many small orgs can afford an extra server or two?
The idea that you can learn about the attacker while watching him closely is intriguing, but while you're watching the honeypot, who's watching the reals?
My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
There are two types of honeypots -- the passive kind and the reactive kind. The former merely sits there and alerts you when someone enters your system. The latter actually responds to the attack by reconfiguring your system to deny access to the intruder. The latter is a far better implementation.
The way reactive honey pots work is to tell the firewall to block access from the intruder's address, temporarily or even permanently. Linux really shines here, since the firewall code in the kernel is particularly well suited to this sort of solution, though you can accomplish the same effect with most any operating system. And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.
Passive honeypots are good as an information-gathering tool for measuring your visibility on the net and the current state of script-kiddy activity, but reactive honeypots are definitely the way to go. They're the proactive solution to a chronic problem.
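The decision half of the reactive honeypot described above, as an added example that is not the poster's code. Honeypot connection logs go in; what comes out is the list of sources to block, each with an expiry, rendered as iptables commands that are returned for review rather than executed. Two caveats a practitioner would want are built in: the source address of a SYN is trivially spoofed, so anything that automatically feeds a firewall from a honeypot needs a never-block list (your own nets, resolver, upstream router) or an attacker can make the honeypot cut you off from yourself; and blocks expire, because a dial-up or NAT address belongs to someone else tomorrow. The log format, the two-hit threshold, the window and TTL, and the never-block ranges are all assumptions, and the sample log is constructed, not a capture.

```python
"""Reactive honeypot: from honeypot log lines to (reviewable) firewall rules.
Added example; log format, thresholds and never-block list are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Assumed honeypot log format: "<unix time> <service>: connect from <ipv4>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<service>\S+): connect from (?P<ip>[\d.]+)$")

# Addresses the honeypot must never hand to the firewall, whatever it sees.
# SYN source addresses are spoofable, so an attacker who knows you auto-block
# can otherwise make you block your own resolver or upstream. (Assumed ranges.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
1000000000 ftpd: connect from 198.51.100.7
1000000030 sshd: connect from 198.51.100.7
1000000035 telnetd: connect from 198.51.100.7
1000000100 httpd: connect from 203.0.113.9
1000000200 sshd: connect from 10.0.0.5
1000000210 sshd: connect from 10.0.0.5
this line is noise and must be ignored
""".splitlines()


def parse(lines):
    """Yield (timestamp, service, ip) for every well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield int(m["ts"]), m["service"], ipaddress.ip_address(m["ip"])


def decide_blocks(lines, threshold=2, window=600, ttl=3600):
    """Return sorted [(ip, blocked_at, unblock_at)].

    A source is blocked once it has touched the honeypot THRESHOLD times
    within WINDOW seconds: nobody legitimate should touch it at all, but a
    second hit rules out a stray mis-click. Blocks carry a TTL rather than
    being permanent.
    """
    seen = defaultdict(list)
    for ts, _service, ip in parse(lines):
        seen[ip].append(ts)
    blocks = []
    for ip, stamps in seen.items():
        if any(ip in net for net in NEVER_BLOCK):
            continue
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            last = stamps[i + threshold - 1]
            if last - stamps[i] <= window:
                blocks.append((str(ip), last, last + ttl))
                break
    return sorted(blocks)


def block_commands(blocks):
    """iptables rules to install, returned as strings for review, not executed."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip, _at, _until in blocks]


def unblock_commands(blocks, now):
    """Matching rules to remove for every block that has expired by time NOW."""
    return ["iptables -D INPUT -s %s -j DROP" % ip
            for ip, _at, until in blocks if now >= until]


if __name__ == "__main__":
    blocks = decide_blocks(SAMPLE_LOG)
    for cmd in block_commands(blocks):
        print(cmd)
    for cmd in unblock_commands(blocks, now=1000003700):
        print(cmd)
```

On the sample log the 10.0.0.5 source is ignored by the never-block list, 203.0.113.9 is a single hit and is left alone, and 198.51.100.7 is dropped for an hour from its second connection. The flood-the-intruder option the post mentions is deliberately absent: with spoofed sources it attacks whoever the attacker names.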
If Mitnick proved anything, it was that social engineering will always be a greater threat than the script kiddie thing. Attacks from 'within' are more dangerous, and often harder to detect than outside attacks. I still believe the best measure of your systems' vulnerability is the inside-facing attitude your team and co-workers have towards your security methodologies.
Also, because the internet is as subject to fads and trends as any other social medium, I think you'll find 'script kiddy-ing' become less and less 'cool' over the days. There is always a renaissance towards the more hand-made, home-grown ways of doing something; in the case of hacking, this narrows the list of possible offenders considerably due to the increased need for talent and knowledge in such hacking styles.
http://www.mp3.com/subatomicacorn
"Old man yells at systemd"
much like the people who manufacture crowbars, boltcutters and powerdrills.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Lesson - Dont use ftp.
anonymous file transfers? - use apache
authenticated file transfers - use ssh+(scp/sftp)
I mean, how the hell do you firewall a passive ftp server? Or active for clients? Add NAT and things get screwed. Yes, everything is possible, but why do it the hard and insecure way?
Yes, lusers love ftp, but life is hard.
signatures pending - ansa@kos.to - (dont mail there)
Look, a black hat isn't a script kiddie in IRC advertising how many boxes he's (I'm sure the women out there will forgive me for not using a gender-neutral pronoun in this case) owned. Not the guy who wrote the script-kiddie tools and bragged about those either.
A black hat is a cracker with malicious intent. While this may mean kiddies, it also includes the people trying to grab a couple thousand credit cards so they can go on a shopping spree. It includes the cracker performing industrial espionage, so their employer can get a competitive advantage. It includes whoever would want your data, and sure as hell isn't going to brag about getting it on IRC.
Script kiddies are annoying, but what makes them annoying is also what makes them the least of your concerns.
Oh, then why did the line you quoted include the line "honey pot"?
As to missing the </b> tag, my excuse is sleep deprivation. What is your excuse for missing the word you yourself quoted?
A large hosting company I have worked with uses honeypots to divert crackers away from production machines. They name them enticing names like "finance.xyz.com" and "credit.xyz.com" to attract crackers. They run pretty much out-of-the-box (unpatched) installs of *BSD, Solaris, etc. and just sit back and watch.
Hi! This is the Sig, blatantly attached to the end of this comment.
I'd be scared to see what Winnie the Pooh would look like if it was e. e. milne... :-)
...actually, I tried to post what it would look like in e. e. cummings style, but CowboyNeal's lameness filter prevented me! Now *that's* funny...
I'm guessing that rfp said it best...
Yes, it's likely entrapment. No, no one's really sure whether it'll hold up in court. No, you don't know what you're hoping to accomplish. Yes, it's a really bad idea. Worry about getting your IDS and firewall rules up to date and your security policies and tripwires strictly monitored before you bother with nonsense like a honeypot.
Easy does it!
This comment has been submitted already, 276865 hours, 59 minutes ago. No need to try again.
;-)
Capt. Ron
crazy dynamite monkey
So, assuming script kiddies are such a big problem, what are the ethics of writing these scripts? Does that serve any purpose, other than weakening security?
Just wondering what people think about this...
Recourse's first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.
Honeypots are some of the fluffiest of security products, imo, far less useful than firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.
Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live /proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.
Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.
It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have privileged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
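The /proc-versus-kill test the post above describes, as an added example that is neither the poster's code nor anything from Recourse. A cage can serve a trimmed or simulated /proc, but the null signal (`kill(pid, 0)`) is answered by the real kernel: ESRCH means no such process in your PID namespace, while success or EPERM means it exists. Any PID the kernel admits to but /proc will not list is a hole in the picture you are being shown. One caveat is handled: Linux only enumerates thread-group leaders in /proc, but `/proc/<tid>` still resolves for a thread, so such IDs are unlisted rather than hidden and are filtered out. The /proc layout and the fallback PID ceiling are assumptions.

```python
"""Detect an edited process table: PIDs the kernel knows but /proc won't list.
Added example; assumes a Linux-style /proc and a fallback pid ceiling."""
import os


def visible_pids(proc="/proc"):
    """PIDs that the (possibly cooked) /proc is willing to enumerate."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pid(pid):
    """Ask the kernel with the null signal; the answer does not come from /proc.

    'alive'          kill succeeded: the PID exists and we may signal it
    'alive-not-ours' EPERM: the PID exists but belongs to someone else
    'absent'         ESRCH: no such process in our PID namespace
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return "absent"
    except PermissionError:
        return "alive-not-ours"
    return "alive"


def pid_ceiling(default=32768):
    """Highest PID the kernel hands out (Linux exposes it; otherwise assume DEFAULT)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return default


def is_thread_id(pid, proc="/proc"):
    """Linux lists only thread-group leaders, but /proc/<tid> still resolves for a
    thread; such IDs are unlisted, not hidden. A cage faking /proc could of course
    resolve them too, so treat this as a filter, not proof."""
    return os.path.isdir(os.path.join(proc, str(pid)))


def hidden_pids(proc="/proc", max_pid=None):
    """PIDs the kernel admits exist but PROC neither lists nor resolves.

    A non-empty result means the process table you see is edited: you are in
    a cage, or something is hiding processes from you. Processes spawned
    between the listing and the probe would show up too, so each hit is
    probed a second time before being reported.
    """
    shown = visible_pids(proc)
    top = max_pid or pid_ceiling()
    suspects = [pid for pid in range(1, top + 1)
                if pid not in shown and probe_pid(pid) != "absent"
                and not is_thread_id(pid, proc)]
    return [pid for pid in suspects if probe_pid(pid) != "absent"]


def self_check(proc="/proc"):
    """Sanity run on an honest system: we and pid 1 exist, and we are listed."""
    me = os.getpid()
    ok = probe_pid(me) == "alive" and probe_pid(1) != "absent"
    if os.path.isdir(proc):
        ok = ok and me in visible_pids(proc) and me not in hidden_pids(proc, max_pid=me)
    return ok


if __name__ == "__main__":
    print("pid 1 is", probe_pid(1))
    hidden = hidden_pids()
    print("hidden pids:", hidden or "none, /proc agrees with the kernel")
```

Run as an unprivileged user on a normal box, pid 1 answers EPERM and the hidden list is empty; inside a cage whose /proc only shows the cage's processes, every PID of the real host that the kernel still answers for lands in the list. The same probe from the defender's side is a cheap check for process-hiding rootkits on a production host.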
Damn right - Bang! Gone.
Mis-clicks are fine, we all do them. Even rattling the door-knob is kewl. But the minute you try to break in you're outta there. I run big networks, stuff comes & goes all of the time and a certain degree of interest is expected (& welcomed.)
This does not extend to trying to break into boxes that aren't yours.
I don't care if it's called "Hax0rs l00t" once you've determined the front door is closed then pass it onto the right folks & move on. Raise the alarm, stick your head into the Net Security Admin's office, ask them for follow-ups, bring it up at a Change Control meeting, whatever but breaking into something that isn't yours & you haven't the authority to access is grounds for (immediate) termination.
No apologies, no excuses.
Again, we have folks in charge of keeping the network organized, they should know about anything new or different on the network, ask or tell them. We have folks in charge of security, they should be notified about any concerns you have. Unless your job-description specifically includes it and you've got written permission from someone above you so empowered you do not go breaking into things - I don't care how justified you think you are or how suspicious (or innocuous) it looks. If you haven't the brains to do this then good riddance.
I've had boxes on my networks that did everything from SEC compliance monitoring to transferring billions of dollars of bonds daily to running high-power X-ray machines treating live humans in real-time. Your fucking around could harm any one of those - at that point not only would I fire your ass but I'd see that charges were pressed against you (in addition to those from next-of-kin of the person whose radiation therapy you just screwed.)
I work in the real world where boxes are doing important things and no Lone Ranger can be expected to track everything themselves. We've got ways things are done & they're there precisely so things don't slip through the cracks, don't become security issues and some kid who can't keep his fingers out of things doesn't break something important.
To paraphrase (and reinterpret) your closing line:
Any decent IS staffer respects the environment they work in & works with their team. If they can't do that then they get what they deserve - a final paycheck & a walk to the door.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Yeah, I know, I was shooting for maybe a (+1, Funny) on that post, but it looks like most people are missing the joke. It's basically exactly what Cliff Stoll did in his book back then. The link on "anyone" goes to his homepage.
Ah, you young Slashdotters disappoint me. Such quality reading material out there that you seem to have missed . . . :-)
However, this does not extend to trying to break into something.
If you suspect a problem go talk to the folks who would know about it, or tell security. Hell, my pager number is pasted on my office door flag me! DON'T go breaking into stuff blindly.
I've said this more thoroughly in another thread but yes, you're right, there is an acceptable level of "Huh? What're you doing here?" and then there's going beyond one's authority. If someone can't appreciate the difference between these two then their judgement is so poor I don't want them no matter how tight the job market.
Marlo Thomas - Free To Be ... You And Me (1972 Television Cast) "There's some kinds of help that are the kind of help we can all do without."
Oh, then why did the line you quoted include the line "honey pot"?
OK, let's take this slowly. The original poster's comment that I quoted was:
The key concept that I pulled out is the implication that we shouldn't care if "white hat crackers" break into systems and "plug all the holes". Whether it's a honey pot system or not is irrelevant; the point is that he implies that we should look favorably upon people who break into systems with goodness and purity in their heart in order to fix them.
It seemed funny and innocent enough at the time. I mean, a pot of honey is a good thing, right? And it sounds kind of humorous, right?
I wish to hell that I'd looked up the technical definition of "honeypot" before I registered honeypot.net. You wouldn't believe the amount of crap my firewall picks up. I can't count the number of Windows-specific trojans I get scanned for on a daily basis. Yeah, I try to report as many as possible, but it's pretty much a losing battle.
A hint to l33t skr1pt k1dd13z: if a box has "honeypot" in the name, then it's probably not really a honeypot. Just leave it alone, would ya?
Dewey, what part of this looks like authorities should be involved?
Gee, wonder where they got their inspiration...
--
A feeling of having made the same mistake before: Deja Foobar
That's fine if all they do is knock on the door. The white hat cracker however is like a missionary who comes in without an invitation. And not only that, but if the front door is locked he'll walk around the house and try the windows, the basement door, and the back door. If it is a particularly vigorous white hat cracker he'll even climb up a ladder and try the upstairs windows. And once he gets in, how do I know he didn't make a copy of the key that was lying on my dresser so he can get back in any time?
In an ideal world this wouldn't be an issue, but this isn't an ideal world. How do we know that a "white hat" isn't a black hat pretending to be a white hat? He'll point out the obvious holes in your box, and leave a way that only he knows about to get in. Then six months later when you've forgotten about it you find out your network that he has systematically infiltrated is being used to coordinate a DDOS attack against somebody like the FBI.
I don't have a problem with scans. I don't have a problem with someone saying "I saw that the version of bind that you are running is out of date, there are security holes in it." But when someone uses that vulnerability to break into my system it becomes a whole new ball game.
"You can't fight in here! This is the war room" --Dr. Stra
You think you're joking...
Generally we give them names of interest to tech-types but nothing to the general user community, sometimes just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.
Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or lose their job. Occasionally where they were using tools or other more-than-casual attempts we'd just fire them on the spot.
A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.
IS folks with that poor judgement and too easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another company's accounting system.
Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)
Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.
-- Michael
Then there's that contractor I discovered trying to crack my personal desktop box...
Your reasoning is so ridiculous, it is traumatic. He's not a black hat, because he says he's not. Truly amazing logic there. Flabbergasting
Besides, if you can't trust people on the net where stuff doesn't really matter, then where can you trust them? Astounding. Just astounding. I'm glad credit cards don't really matter, because I just noticed a bunch of charges on my card that don't belong to me.
Right at the very end of the article is the most important point of general corporate security. Namely, that by far the biggest threats are from within, by employees or other authorized users. It's certainly more sensational to be cracked, but it's a lot more damaging to be scammed by somebody who knows exactly where you keep the crown jewels.
C'mon now .. its more the other way .. hacks that 'come from the outside', but are really someone you know and trust. Or someone who has gained valuable information from someone you know and trust. It's the same in all walks of life: abuse, murder .. why stop at hacking? I'm not saying that there is /no/ hacking from cold-callers .. I'm just saying that the number pales in comparison to those you'd least suspect.
....
People who wish to steal or break in usually do so only because they know the value of what's inside
Micro$oft did this months ago!
The article doesn't seem to mention prosecution. Do the people running the honey pots just sit back and watch what the script kiddies are doing, plug the holes, and forget about it? Or are they filing in court? Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?
Whether it's a honey pot system or not is irrelevent
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
He was asking if you would prosecute someone who broke into your honey pot (a ridiculous question if you take out the word honey pot, eh?), and if you would be pissed if someone plugged up the holes in said honeypot.
Why you decided this meant systems in general is beyond me. Which is why I put that in bold, since you seemed to have missed some key info.
And lastly, asking "would you care if..." is not the same as "you shouldn't care if...", and the latter wasn't what the poster said either.
I forgot to mention that getting prior approval is a necessity is an understatement. It is a CYA statement. Imagine how fast your job will go down the tubes when the Big Boss realizes that the major security breach that was highly publicized came from someone getting out of your toy honeypot. Not that they wouldn't try something if you got the approval anyhow, but it's usually best to lean towards the cautious side.
Yep, I never spell check.
More incorrect spellings can be found he
Maybe to you, but I don't think that was the original poster's intent. That's why he said "honey pot", not something else. As I said, what you quoted contradicts your claim that he wasn't talking about honey pots.
You insist on trying to tell me what my point is. I don't care whether his point was about honey pots or not, my point is that I'm taking issue with the whole question of whether a "white hat cracker" is good or not.
If it makes you happy, then feel free to limit my point to saying that yes, a white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one. But my point is broader than that.
--
Sometimes it's best to just let stupid people be stupid.
My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...
Damn straight you're not a security expert. (And I think you meant OpenBSD). Nobody is a security "expert". Some of us are older, wiser, and bear a lot more scars than others, but *none* of us are experts.
Until you have had a system properly fucked over, you know *nothing* about security.
There are a surprising number of companies saying "We are InfoSec Experts" out there who leave their own internal systems open to flagrant abuse. Like leaving certain ports (137, 139 etc) open to the Internet, and then giving the receptionist a domain account. How hard is *that* to crack? ("Hello, I'm from the auditors. What name do you type in to the computer in the morning? Good, that sounds right. Now, just let me check. What do you type in the other box? Thank you. That's the right answer!")
Back on topic: Honeypots are tremendously valuable if, and only if, they are well run.
In the ongoing battle between the infosec "good guys" (mostly sysadmins) and the infosec "bad guys" (mostly l33t k1dd13s, but with a peppering of serious, professional criminals) the good guys are at a crippling disadvantage. We have to get every single thing right all the time. The bad guys only need to find one single, trivial mistake, and then it's w00t! r00tkit!
These nasty little untalented, bored, socially malformed little twerps have all the cards; That wouldn't be so bad, but they freely give these cards to anyone. Nothing wrong with that. Except that some of the recipients (OK, a small number, but it only takes one) are working for serious, professional blow-your-brains-out-and-cover-you-in-concrete professionals.
Honeypots are one of the few tools that let us monitor, study and comprehend what's going on. (That, and assiduous reading of alt.2600 etc.)
We, the responsible victims of attacks, choose to monitor the attackers in any way we can. We do this because we want the Internet to be a useful place. And we are happy to forward information gained to law-enforcement types.
If script kiddies don't like this then, hey! Build your own sodding network. When you get 100 million people connected, I'll come and look.
In Australia, the Attorney-General recently determined (and did not announce) that evidence from honeypot machines can't be used in prosecuting offenders unless there's a wiretap order (warrant) for that system. The reasoning was that creating a system that is "intended to be broken into" is sort of like giving permission to the intruder and likely to jeopardise a case.
__________________
yeah, you're an idiot. There is such a thing as white hat crackers, sorry. Since your analogy was poor, I'll provide a poor one as well. I walk past your car in a parking lot and notice that your lights are on; after looking around and calling a little bit, no one comes, since of course I don't know who to call because your name isn't written on the car. I reach in, shut the lights off and lock the doors.
How do you attract people to your honeypot system if it's configured just like your other systems, as the article said?
I've read of configurations with all traffic to unsupported ports redirected to a honeypot system: "someone trying to telnet/ftp to my web server? I'll send you to my honeypot for observation instead."
But if you're running a standard, normally configured system as the article mentioned, this doesn't make sense anymore. How's this work?
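Added example, not from the article or from any poster above: one way the "send unsupported ports to a honeypot for observation" setup mentioned above can be built. The iptables rule (assumed syntax; port list and interface name are placeholders) redirects every TCP port the host does not really serve to a local listener, and the listener below accepts anything, hands out a fake banner, and records who connected and the first bytes they sent, which is exactly the kind of record you would forward to a CERT. If the honeypot is a separate box, the REDIRECT target would be replaced with DNAT to its address.

```python
import json
import socket
import threading
import time


def redirect_rule(honeypot_port, served_ports=(80, 443), iface="eth0"):
    """Build the iptables command that sends every TCP port except the ones
    this host really serves to the honeypot listener on the same machine.
    Assumption: this is one plausible way to do the redirect, not a recipe
    from the article. Port list and interface are placeholders."""
    keep = ",".join(str(p) for p in sorted(served_ports))
    return (f"iptables -t nat -A PREROUTING -i {iface} -p tcp "
            f"-m multiport ! --dports {keep} -j REDIRECT --to-ports {honeypot_port}")


class ObservationHoneypot:
    """Low-interaction listener: accept any TCP connection, send a fake
    banner, record the peer and whatever it sends first, then close."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"220 ftp ready\r\n", timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = let the OS pick one
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.timeout = timeout
        self.records = []                     # one dict per connection
        self._lock = threading.Lock()
        self._stop = threading.Event()

    def _handle(self, conn, addr):
        conn.settimeout(self.timeout)
        try:
            conn.sendall(self.banner)
            data = conn.recv(1024)            # b"" if the peer only scanned
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()
        rec = {"ts": time.time(), "src": addr[0], "sport": addr[1],
               "dport": self.port, "first_bytes": data[:256].hex()}
        with self._lock:
            self.records.append(rec)

    def _serve(self):
        self.sock.settimeout(0.2)             # so stop() is noticed promptly
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:                   # listening socket was closed
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def start(self):
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self.sock.close()

    def wait_for_records(self, n, timeout=3.0):
        """Block until n connections have been recorded (or timeout)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= n:
                    return list(self.records)
            time.sleep(0.02)
        with self._lock:
            return list(self.records)

    def dump_jsonl(self):
        """Records as JSON lines, the form you would hand to a CERT."""
        with self._lock:
            return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def probe(port, payload, host="127.0.0.1"):
    """Constructed stand-in for a script kiddie's client: read the banner,
    send one command, hang up. Returns the banner it saw."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = ObservationHoneypot().start()
    print(redirect_rule(hp.port))
    print(probe(hp.port, b"USER anonymous\r\n"))
    hp.wait_for_records(1)
    print(hp.dump_jsonl())
    hp.stop()
```

The listener deliberately never interprets what it receives; it only logs, so an attacker gets nothing back but a banner and a closed socket, and the analysis happens offline on the JSON records.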
From the people I know who do this, they never report it to authorities, but rather to CERTs and the like. The goal is to learn new cracker techniques and watch behavior once they break into the system. A lot of DDOS tools get found this way, because crackers will upload them to machines they have broken into. The goal is to then share this information with the security community, not just to bust a couple of unsuspecting people.
"Oh, bother." -- Winnie the Cracker
I first came across this idea while reading "The Cuckoo's Egg" in junior high school. I'd like to say that I thought it was an excellent book; the entire story was very exciting to me. I enjoyed the cloak and dagger scenario placed in the computer world.
...and I'm not sure we should trust this Kyle Sagan either.
Not much to really say, but that the book grabs you (or me at least) and is a quick read. Very enthralling, just watching the cat and mouse game play out between the cracker and the other guy.
This is a perfect application for user-mode-linux. You can set up and run any number of complete virtual linux systems on a single box without compromising the integrity of the host system.
I would just like to say to the "script kiddies" of the world--YOU SUCK. God, it took me 4 hours to fix my damn system. Using pitiful log cleaners and then leaving a paper trail as long as the Nile, my old FTP server was exploited. It was sad. I caught them within 4 hours of being rooted. I quickly patched the hole (sometimes I wonder if I am an idiot) and quickly started on a firewall project, which I finished later that night. For all the other people that have been rooted, I feel for you. And my advice to sys admins: watch your systems; little things like load averages can point to a break-in.
___________
I don't care what it looks like, it WORKS doesn't it!?!
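Added example, mine rather than the poster's: the "watch your load averages" advice above turned into a small check. It parses a constructed log (what a five-minute cron job writing the date, the three load averages and a process count might leave behind; the line format and the numbers are made up), builds a robust baseline from the first samples using median and MAD, and flags later samples whose 1-minute load or process count jump well above it. A rooted box running a DDoS tool or a password cracker shows up exactly this way.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample log, not real data. Format assumed:
#   <iso timestamp> load: <1min> <5min> <15min> procs: <count>
SAMPLE_LOG = """\
2001-03-12T02:00:00Z load: 0.12 0.10 0.08 procs: 61
2001-03-12T02:05:00Z load: 0.15 0.11 0.09 procs: 62
2001-03-12T02:10:00Z load: 0.08 0.10 0.09 procs: 61
2001-03-12T02:15:00Z load: 0.20 0.14 0.10 procs: 63
2001-03-12T02:20:00Z load: 0.11 0.12 0.10 procs: 61
2001-03-12T02:25:00Z load: 0.09 0.11 0.10 procs: 62
2001-03-12T02:30:00Z load: 0.14 0.12 0.10 procs: 61
2001-03-12T02:35:00Z load: 0.10 0.11 0.10 procs: 62
2001-03-12T02:40:00Z load: 3.85 1.40 0.55 procs: 97
2001-03-12T02:45:00Z load: 4.10 2.90 1.30 procs: 104
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) load: (?P<l1>[\d.]+) (?P<l5>[\d.]+) (?P<l15>[\d.]+) procs: (?P<procs>\d+)$"
)


@dataclass
class Sample:
    ts: str
    load1: float
    load5: float
    load15: float
    procs: int


def parse_log(text):
    """Parse the log into Samples; lines in any other format are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        samples.append(Sample(m["ts"], float(m["l1"]), float(m["l5"]),
                              float(m["l15"]), int(m["procs"])))
    return samples


def robust_threshold(values, k=6.0, floor=0.5):
    """median + k * scaled MAD, but never less than median + floor, so a
    perfectly flat baseline does not produce a threshold of zero width."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return max(med + k * 1.4826 * mad, med + floor)


def detect_anomalies(samples, baseline_n=8, k=6.0):
    """Baseline on the first baseline_n samples, then flag later samples
    whose 1-minute load or process count exceeds the robust threshold.
    Returns a list of (timestamp, [reasons])."""
    base = samples[:baseline_n]
    if len(base) < 3:
        raise ValueError("need at least 3 baseline samples")
    load_thr = robust_threshold([s.load1 for s in base], k=k, floor=0.5)
    proc_thr = robust_threshold([s.procs for s in base], k=k, floor=10)
    alerts = []
    for s in samples[baseline_n:]:
        reasons = []
        if s.load1 > load_thr:
            reasons.append(f"load1 {s.load1:.2f} > {load_thr:.2f}")
        if s.procs > proc_thr:
            reasons.append(f"procs {s.procs} > {proc_thr:.1f}")
        if reasons:
            alerts.append((s.ts, reasons))
    return alerts


if __name__ == "__main__":
    for ts, reasons in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(ts, "; ".join(reasons))
```

The thresholds are deliberately wide (six scaled MADs, with a floor) so that a normal busy period does not page you; a box that has been turned into a DDoS node blows past them by an order of magnitude, as the last two constructed samples do.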
If my honeypot is hacked into and then it is used to launch an attack against another system, am I liable for intentionally leaving an unsecured server on the internet?
Is this similar to leaving a gun rack unlocked, then somebody takes one of the guns and commits a crime with it?
You insist on trying to tell me what my point is.
Not at all. You must not get my point.
You said you don't want anyone cracking your box, and this was abundantly clear. However it was also abundantly clear that the original poster was talking about honey pots, not machines in general. So your response made no sense -- I figured you must have missed a word or two. I guess not.
I don't care whether his point was about honey pots or not
But then why were you going on about "context" and "the key point I extracted"? Apparently the poster's context didn't mean anything to you.
So you don't want people breaking into your box for any reason-- well no shit. As I already pointed out, you are not the kind of person who'd be running a honey pot, so what purpose did your post serve?
white hat cracker breaking into a honey pot is just as bad as a black hat cracker breaking into one.
A honey pot is a machine that is intended to be broken into -- thus a black hat cracker breaking into one isn't bad at all, so long as you can log what he does and analyze it. That you feel it would be bad means you wouldn't be running a honey pot. This is why I responded in the first place -- it seemed you must not know what a honey pot is.
But my point is broader than that.
Who cares? Your "broader point" is that you don't want white hats breaking into your box. But since you wouldn't be running a honey pot anyway, your "point" can only apply to the very machines about which the poster was specifically not asking. So much for "context".
So instead of thinking you missed information (sorry about that), I'm instead thinking "why the hell did he reply to a post with the exact opposite of what the post asked about?"
The enemies of Democracy are
Set up a system that is rather easy to crack, but will take a good amount of time to crack. Then whip up a small script that will - the second *anyone* successfully logs in - shutdown the server.
I would pay money to see the look on the crackers face as they see this:
Welcome... (MOTD)
[root@firewall /root]#
Message from root:
This system is going down NOW!
It would be nice to turn the tables around and, for once, make the script kiddy the one who gets ticked off...
________________________________________________
suwain_2
It's really interesting, because I used to be the type of person that would not necessarily approve of such a trap in the name of protecting the curious individual who wanted to see what was out there. But the fact is, the people doing these things are becoming too big of a problem. And it seems that the whole purpose of snooping around has been sort of eliminated with the open source movement and Linux. Why snoop around when you can have your own *nix box with just about anything available at your fingertips, for free?
-winter fantom
Hi! This is the Sig, blatantly attached to the end of this comment.
And this, my comrades, is EXACTLY why the "dotcom shakeout" happened. When Job Admin can't keep a 10 year old from breaking into his site using a script, which by the way takes advantage of a 3 month old exploit and the kid barely understands, how can one expect that site to make a profit?
Burn Hollywood Burn
I'd love to have a honeypot, and I'm sure it would be fun to play around with them.. but this reminds me about the true nature of many network administrators.
The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality.. which isn't really effective since people scan blocks of IP addresses at a time.
Hopefully some administrators will get their acts together after reading about honeypots.
"War is hell" -- General Sherman Tecumseh