Slashdot Mirror


The Honeypot Project

Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite a while ago. Actually it's an interesting article. I'd like to pretend that when I got 0wn23d it was really just my HoneyPot fooling them.

24 of 162 comments

  1. Thanks for locking me out of my car by LameBrain · · Score: 4

    the door was unlocked because the lock is broken and now it's going to cost me $100 bucks to get a locksmith out here and I'll have to wait an hour for him to get here.

    just leave it alone. if my battery goes dead enough times then I'll learn my lesson.

    you are not entitled to screw around with other people's property just because you think you know what's best for them. feel free to voice your opinion but keep your hands off. thank you very much. I don't think that's an unreasonable request.

  2. Re:honeypots, dangers, products by tiny69 · · Score: 4
    Spotting a Honeypot is fairly easy. The first thing you do when you gain access to a computer is ask yourself one simple question,

    What is this computer used for?

    Then try to answer that question. People don't attach computers to the internet for no reason. What services is it running? If it's an ftp server, what files are available? Is it a webserver? Look at the webpage. If ftp services are being provided but the ftp directory is empty or the webpage is the default one installed with the OS, then something is up.

    Check for user activity. Are there any users? Go to ~/.netscape (if the machine is unix). What are the timestamps on the files? Does the user have any email? By looking at the appropriate files (depending on OS) you can tell when it was installed. Has anything changed since then? Do a find on files changed over the last seven days. If there is no user activity, something is definitely wrong!!

    Check for changes made to configuration files. Check the files that a sysadmin would most likely change. If you can't find any changes (other than LOTS of logging - another Red Flag!), check to see if the system looks like a default install (if you are into this, you should know what default installs look like/the common security holes the vendor leaves open/etc.). If it is a default install and the install is older than a week, congratulations, you've found a Honey Pot.

    One last check before getting the hell out of dodge, sniff the network. Who else is on it? Honey Pots tend to be isolated. If the only activity you see is yourself (unless you are connected at midnight, but then you deserve to get caught) or the only other traffic is logging activity (from the one you are on to somewhere else), You've been had!! Just for shits and grins, ping the subnet you are on. People and companies don't waste network equipment as it is fairly expensive. If the machine you are on is the only one on that subnet....

    do a quick `rm -rf /` and never go back.

    --
    Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
  3. Re:Honeypots inside the firewall by Samrobb · · Score: 3
    A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot.

    Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...

    Then you fire them?

    You really shouldn't have to. Any decent IS staffer subjected to this kind of treatment should give you exactly what you deserve - a rude gesture - and walk out.

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  4. Re:OK. But what about . . . by Reality+Master+101 · · Score: 4

    Also, suppose you had a white hat cracker. Would anyone running a honey pot care if the cracker broke in and plugged all the holes to prevent the kiddies from doing some real damage?

    There's no such thing as a "white hat cracker". Quite frankly, I don't care if you find a vulnerability in my system. STAY THE HELL OUT OF MY SYSTEM. Send me an e-mail, fine, thank you. But I don't need roving bands of do-gooders changing my system (and more than likely screwing it up in the process).

    Put it this way: If I happen to leave the windows open in my house, I do not want strangers "for my own good" climbing in the window, poking around, checking the locks, and then "fixing" anything they find. I'm going to throw their butt in jail just like any other criminal.


    --
    Sometimes it's best to just let stupid people be stupid.
  5. Honeypot Logic? by istartedi · · Score: 4

    If the honeypot is intentionally more vulnerable than the real server, then you are just demonstrating known exploits.

    If the honeypot is *more* secure than the real server, why did you waste time securing the honeypot that could have been spent securing the real server?

    Finally, if the honeypot is equal in security to the real server, you are cutting the odds of a real server being hacked to:

    reals/(honeypots+reals)

    In most large organizations honeypots will be a very small number compared to reals. In small organizations you could make a difference, but how many small orgs can afford an extra server or two?

    The idea that you can learn about the attacker while watching him closely is intriguing, but while you're watching the honeypot, who's watching the reals?

    My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  6. Reactive honeypots are key by Chuck+Flynn · · Score: 3

    There are two types of honeypots -- the passive kind and the reactive kind. The former merely sits there and alerts you when someone enters your system. The latter actually responds to the attack by reconfiguring your system to deny access to the intruder. The latter is a far better implementation.

    The way reactive honey pots work is to tell the firewall to block access from the intruder's address, temporarily or even permanently. Linux really shines here, since the firewall code in the kernel is particularly well suited to this sort of solution, though you can accomplish the same effect with most any operating system. And for those who are even more adventuresome, reactive honey pots can be configured to flood the intruder's IP, denying access not only to your own machine but to all potential victims.

    Passive honeypots are good as an information-gathering tool for measuring your visibility on the net and the current state of script-kiddy activity, but reactive honeypots are definitely the way to go. They're the proactive solution to a chronic problem.
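The reactive scheme the comment describes, as an added example that is not code from the original post: connection records from a decoy host are turned into firewall block/unblock actions. The log format, the exempt network and the expiry window are assumptions of this example; the two safety properties (never block your own monitoring nets, always expire blocks) are what keeps a spoofed source from locking you out of your own firewall.

```python
"""Reactive honeypot: turn connection attempts against a decoy host into
temporary block actions for the production packet filter."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines; the record format is an assumption of this example.
SAMPLE_LOG = """\
2001-03-12T02:14:07 CONNECT src=203.0.113.45 dport=21
2001-03-12T02:14:09 CONNECT src=203.0.113.45 dport=23
2001-03-12T02:15:30 CONNECT src=10.0.0.5 dport=22
2001-03-12T02:16:02 CONNECT src=198.51.100.7 dport=80
2001-03-12T03:20:00 CONNECT src=203.0.113.45 dport=21
"""

LINE_RE = re.compile(r"^(\S+) CONNECT src=(\S+) dport=(\d+)$")


class ReactiveHoneypot:
    """Tracks which sources touched the decoy and what the firewall should do.

    * Sources inside the exempt (monitoring/admin) networks are never blocked,
      so a scan from your own NOC, or a spoofed packet claiming to be from it,
      cannot lock you out.
    * Every block carries an expiry, so the rule set cannot grow without bound
      and a mistaken block heals itself.
    """

    def __init__(self, exempt_nets, block_minutes=60):
        self.exempt_nets = [ipaddress.ip_network(n) for n in exempt_nets]
        self.block_for = timedelta(minutes=block_minutes)
        self.blocked = {}   # src address -> expiry time
        self.actions = []   # ("block", src, expiry) or ("unblock", src)

    def is_exempt(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.exempt_nets)

    def expire(self, now):
        """Lift blocks whose expiry has passed (run on every event)."""
        for src, exp in list(self.blocked.items()):
            if exp <= now:
                del self.blocked[src]
                self.actions.append(("unblock", src))

    def handle(self, line):
        m = LINE_RE.match(line.strip())
        if not m:
            return None                     # not a connection record
        now = datetime.fromisoformat(m.group(1))
        src = m.group(2)
        self.expire(now)
        if self.is_exempt(src) or src in self.blocked:
            return None                     # nothing new for the firewall
        expiry = now + self.block_for
        self.blocked[src] = expiry
        action = ("block", src, expiry)
        self.actions.append(action)
        return action

    def replay(self, text):
        for line in text.splitlines():
            self.handle(line)
        return self.actions


def firewall_actions(text, exempt_nets=("10.0.0.0/8",), block_minutes=60):
    """Return the ordered block/unblock actions for a whole log."""
    return ReactiveHoneypot(exempt_nets, block_minutes).replay(text)


if __name__ == "__main__":
    for act in firewall_actions(SAMPLE_LOG):
        print(act)
```

Feeding the actions to a real packet filter is deliberately left out; the point is the decision logic, and in particular that the 03:20 entry first lifts the two expired blocks before re-blocking the returning source.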

  7. Again, social engineering will always beat hacking by SirSlud · · Score: 4

    If Mitnick proved anything, it was that social engineering will always be a greater threat than the script kiddie thing. Attacks from 'within' are more dangerous, and often harder to detect than outside attacks. I still believe the best measure of your systems' vulnerability is the inside-facing attitude your team and co-workers have towards your security methodologies.

    Also, because the internet is as subject to fads and trends as any other social medium, I think you'll find 'script kiddy-ing' become less and less 'cool' over the days. There is always a renaissance towards the more hand-made, home-grown ways of doing something; in the case of hacking, this narrows the list of possible offenders considerably due to the increased need for talent and knowledge in such hacking styles.

    http://www.mp3.com/subatomicacorn

    --
    "Old man yells at systemd"
  8. Entrapment, plain and simple. by dave-fu · · Score: 3

    I'm guessing that rfp said it best...
    Yes, it's likely entrapment. No, no one's really sure whether it'll hold up in court. No, you don't know what you're hoping to accomplish. Yes, it's a really bad idea. Worry about getting your IDS and firewall rules up to date and your security policies and tripwires strictly monitored before you bother with nonsense like a honeypot.

    --
    Easy does it!
  9. honeypots, dangers, products by MattW · · Score: 5

    Recourse's first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.

    Honeypots are some of the fluffiest of security products, imo, far less useful than firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.

    Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live /proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.

    Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.

    It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have privileged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.

  10. Re:Honeypots inside the firewall by maggard · · Score: 3
    by Samrobb
    Let me get this straight... you dump a box onto some internal network; and then when an IS staffer says to him/herself "What the frick is that thing? It wasn't there yesterday..." and tries to figure out what your admittedly suspicious looking box is doing on the network they're responsible for...

    Then you fire them?

    Damn right - Bang! Gone.

    Mis-clicks are fine, we all do them. Even rattling the door-knob is kewl. But the minute you try to break in you're outta there. I run big networks, stuff comes & goes all of the time and a certain degree of interest is expected (& welcomed.)

    This does not extend to trying to break into boxes that aren't yours.

    I don't care if it's called "Hax0rs l00t" once you've determined the front door is closed then pass it onto the right folks & move on. Raise the alarm, stick your head into the Net Security Admin's office, ask them for follow-ups, bring it up at a Change Control meeting, whatever but breaking into something that isn't yours & you haven't the authority to access is grounds for (immediate) termination.

    No apologies, no excuses.

    Again, we have folks in charge of keeping the network organized, they should know about anything new or different on the network, ask or tell them. We have folks in charge of security, they should be notified about any concerns you have. Unless your job-description specifically includes it and you've got written permission from someone above you so empowered you do not go breaking into things - I don't care how justified you think you are or how suspicious (or innocuous) it looks. If you haven't the brains to do this then good riddance.

    I've had boxes on my networks that did everything from SEC compliance monitoring to transferring billions of dollars of bonds daily to running high-power X-ray machines treating live humans in real-time. Your fucking around could harm any one of those - at that point not only would I fire your ass but I'd see that charges were pressed against you (in addition to those from next-of-kin of the person whose radiation therapy you just screwed.)

    I work in the real world where boxes are doing important things and no Lone Ranger can be expected to track everything themselves. We've got ways things are done & they're there precisely so things don't slip through the cracks, don't become security issues and some kid who can't keep his fingers out of things doesn't break something important.

    To paraphrase (and reinterpret) your closing line:

    Any decent IS staffer respects the environment they work in & works with their team. If they can't do that then they get what they deserve - a final paycheck & a walk to the door.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  11. Honeypots inside the firewall by maggard · · Score: 5
    In several companies I've consulted for we've put honeypots (decoys) on the corporate network. Generally they've been end-of-life boxes stuck in a closet & intentionally locked out of the rest of the network (sometimes down to the router level.)

    Generally we give them names of interest to tech-types but nothing the general user community, sometimes just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.

    Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or lose their job. Occasionally where they were using tools or other more-than-casual attempts we'd just fire them on the spot.

    A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.

    IS folks with that poor judgement and too easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another company's accounting system.

    Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)

    Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.

    -- Michael

    Then there's that contractor I discovered trying to crack my personal desktop box...

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  12. Almost Buried the Most Important Point by GlobalEcho · · Score: 3

    Right at the very end of the article is the most important point of general corporate security. Namely, that by far the biggest threats are from within, by employees or other authorized users. It's certainly more sensational to be cracked, but it's a lot more damaging to be scammed by somebody who knows exactly where you keep the crown jewels.

  13. Hang on... by billybob2001 · · Score: 5

    Micro$oft did this months ago!

  14. OH yeah, get approval first by bluelip · · Score: 3

    I forgot to mention that to say getting prior approval is a necessity is an understatement. It is a CYA statement. Imagine how fast your job will go down the tubes when the Big Boss realizes that the major security breach that was highly publicized came from someone getting out of your toy honeypot. Not that they wouldn't try something if you got the approval anyhow, but it's usually best to lean towards the cautious side.

    --

    Yep, I never spell check.
    More incorrect spellings can be found he
  15. Correct. You're not an expert. by chazR · · Score: 3

    My gut tells me that money would be better spent helping NetBSD and others with code audits. Of course IANASecurity Expert, so what do I know...

    Damn straight you're not a security expert. (And I think you meant OpenBSD). Nobody is a security "expert". Some of us are older, wiser, and bear a lot more scars than others, but *none* of us are experts.

    Until you have had a system properly fucked over, you know *nothing* about security.

    There are a surprising number of companies saying "We are InfoSec Experts" out there who leave their own internal systems open to flagrant abuse. Like leaving certain ports (137, 139 etc) open to the Internet, and then give the receptionist a domain account. How hard is *that* to crack? ("Hello, I'm from the auditors. What name do you type in to the computer in the morning? Good, that sounds right. Now, just let me check. What do you type in the other box? Thank you. That's the right answer!)

    Back on topic: Honeypots are tremendously valuable if, and only if, they are well run.

    In the ongoing battle between the infosec "good guys" (mostly sysadmins) and the infosec "bad guys" (mostly l33t k1dd13s, but with a peppering of serious, professional criminals) the good guys are at a crippling disadvantage. We have to get every single thing right all the time. The bad guys only need to find one single, trivial mistake, and then it's w00t! r00tkit!

    These nasty little untalented, bored, socially malformed little twerps have all the cards. That wouldn't be so bad, but they freely give these cards to anyone. Nothing wrong with that. Except that some of the recipients (OK, a small number, but it only takes one) are working for serious, professional blow-your-brains-out-and-cover-you-in-concrete professionals.

    Honeypots are one of the few tools that let us monitor, study and comprehend what's going on. (That, and assiduous reading of alt.2600 etc.)

    We, the responsible victims of attacks, choose to monitor the attackers in any way we can. We do this because we want the Internet to be a useful place. And we are happy to forward information gained to law-enforcement types.

    If script kiddies don't like this then, hey! Build your own sodding network. When you get 100 million people connected, I'll come and look.

  16. Re:OK. But what about . . . by flynt · · Score: 4

    From the people I know who do this, they never report it to authorities, but rather to CERTs and the like. The goal is to learn new cracker techniques and watch behavior once they break into the system. A lot of DDOS tools get found this way, because crackers will upload them to machines they have broken into. The goal is to then share this information with the security community, not just to bust a couple unsuspecting people.

  17. Honeypots? by Anonymous Coward · · Score: 3

    "Oh, bother." -- Winnie the Cracker

  18. perfect application for user-mode linux by S.+Allen · · Score: 4

    This is a perfect application for user-mode-linux. You can set up and run any number of complete virtual linux systems on a single box without compromising the integrity of the host system.

  19. Being Rooted Sucks by nicholasperez · · Score: 3

    I would just like to say to the "script kiddies" of the world--YOU SUCK. God, it took me 4 hours to fix my damn system. Using pitiful log cleaners and then leaving a paper trail as long as the Nile, my old FTP server was exploited. It was sad. I caught them within 4 hours of being rooted. I quickly patched the hole (sometimes I wonder if I am an idiot) and quickly started on a firewall project, which I finished later that night. For all the other people that have been rooted, I feel for you. And my advice to sys admins, watch your systems, little things like load averages can point to a break in.

    ___________
    I don't care what it looks like, it WORKS doesn't it!?!

  20. Legal risks of a honeypot? by hectorh · · Score: 4

    If my honeypot is hacked into and then it is used to launch an attack against another system, am I liable for intentionally leaving an unsecured server on the internet?

    Is this similar to leaving a gun rack unlocked, then somebody takes one of the guns and commits a crime with it?

    1. Re:Legal risks of a honeypot? by B.D.Mills · · Score: 4

      The other Slashdot article has a link to an article (http://rootprompt.org/article.php3?article=210) describing how honeypots are configured. Often they go through a firewall that allows anything in, but restricts traffic out. In this case, the firewall is protecting the Internet from the menace of the honeypot, rather than firewalling the honeypot from the menace of the Internet.

      --

      The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
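The "anything in, restricted out" arrangement the reply describes, as an added example that is not from the linked article or the original post: a small model of the decision a packet filter in front of a decoy host makes for each new connection. The addresses, the protected range and the per-window outbound quota are assumptions of this example; the quota is one way to "restrict traffic out" while still letting an intruder's tooling reveal itself.

```python
"""Policy model for a firewall in front of a honeypot: accept every inbound
connection to the decoy, never let the decoy reach protected hosts, and cap
how many new outbound connections the decoy may open per time window."""
import ipaddress
from collections import defaultdict

HONEYPOT = ipaddress.ip_address("192.0.2.10")     # decoy, documentation range
PROTECTED = ipaddress.ip_network("10.0.0.0/8")    # hosts the decoy must never reach
OUTBOUND_QUOTA = 2                                 # new outbound flows per window


class HoneypotFilter:
    def __init__(self, quota=OUTBOUND_QUOTA):
        self.quota = quota
        self.opened = defaultdict(int)   # window id -> outbound flows allowed
        self.log = []                    # (verdict, reason, flow) for the analyst
        self.alerts = []                 # flows that hit the outbound cap

    def decide(self, flow):
        """flow: dict(window, src, dst, dport) describing one new connection.
        Returns 'accept' or 'drop' and records the reason."""
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        if dst == HONEYPOT:
            verdict, reason = "accept", "inbound to decoy: let it in and record it"
        elif src == HONEYPOT and dst in PROTECTED:
            verdict, reason = "drop", "decoy must not be a jump-off point"
        elif src == HONEYPOT:
            window = flow["window"]
            if self.opened[window] < self.quota:
                self.opened[window] += 1
                verdict, reason = "accept", "outbound within quota"
            else:
                verdict, reason = "drop", "outbound quota exceeded"
                self.alerts.append(flow)   # the decoy is being used to attack others
        else:
            verdict, reason = "drop", "not the decoy's traffic; handled elsewhere"
        self.log.append((verdict, reason, flow))
        return verdict


# Constructed sample of new connections seen by the filter in one window.
SAMPLE_FLOWS = [
    {"window": 1, "src": "203.0.113.45", "dst": "192.0.2.10", "dport": 21},
    {"window": 1, "src": "192.0.2.10", "dst": "10.0.0.7", "dport": 445},
    {"window": 1, "src": "192.0.2.10", "dst": "198.51.100.7", "dport": 6667},
    {"window": 1, "src": "192.0.2.10", "dst": "198.51.100.8", "dport": 6667},
    {"window": 1, "src": "192.0.2.10", "dst": "198.51.100.9", "dport": 6667},
    {"window": 1, "src": "203.0.113.45", "dst": "10.0.0.7", "dport": 445},
]


def apply_policy(flows, quota=OUTBOUND_QUOTA):
    """Run the filter over a list of flows; return (verdicts, alert count)."""
    f = HoneypotFilter(quota)
    verdicts = [f.decide(flow) for flow in flows]
    return verdicts, len(f.alerts)


if __name__ == "__main__":
    verdicts, alerts = apply_policy(SAMPLE_FLOWS)
    for v, flow in zip(verdicts, SAMPLE_FLOWS):
        print(v, flow["src"], "->", flow["dst"], flow["dport"])
    print("outbound-cap alerts:", alerts)
```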
  21. This idea... by winter+fantom · · Score: 3
    I think this is a great idea, and I don't know why this kind of thing wasn't implemented earlier. The so-called "hackers" that this targets are the ones that won't know the difference between a honeypot and won't care. If these jerks know that there is a possibility of them being set up, I don't think they will be so ready to go randomly try to screw people over.

    It's really interesting, because I used to be the type of person that would not necessarily approve of such a trap in the name of protecting the curious individual who wanted to see what was out there. But the fact is, the people doing these things are becoming too big of a problem. And it seems that the whole purpose of snooping around has been sort of eliminated with the open source movement and Linux. Why snoop around when you can have your own *nix box with just about anything available at your fingertips, for free?

    --
    -winter fantom
  22. Beware of the Pooh... by tewwetruggur · · Score: 5
    my god! I've been 0wn3d by P00h B3ar! E.E.Milne would cry...

    --
    Hi! This is the Sig, blatantly attached to the end of this comment.
  23. Admins by BMIComp · · Score: 5

    I'd love to have a honeypot, and I'm sure it would be fun to play around with them.. but this reminds me about the true nature of many network administrators.

    The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality.. which isn't really effective since people scan blocks of IP addresses at a time.

    Hopefully some administrators will get their acts together after reading about honeypots.

    "War is hell" -- General Sherman Techumseh