Slashdot Mirror
The Honeypot Project
Wallahalla writes "Interesting article on ZDNet about HoneyPots (intentionally vulnerable computers placed on the net in hopes of attracting hackers). Security professionals, programmers and psychologists are all working together to try to enhance network security in the face of increasing attacks by the hordes of script kiddies running the net today." We mentioned these quite awhile ago. Actually its an interesting article. I'd like to say pretend that when I got 0wn23d that it was really just my HoneyPot fooling them.
Recourse's first product was a honeypot. They have a remarkable technical team, which, commercially, makes them the one to watch in this space.
/proc fs within the cage). Other tipoffs include memory locations, pids for processes like init, etc.
Honeypots are some of the fluffiest of security products, imo, far less useful that firewalls, integrity verification software, etc. But having a cage environment to examine the activities and practices of a cracker can be useful in determining how to post-mortem a bad situation, as well as help gather evidence to get law enforcement involved.
Honeypots that want to provide maximum auditing and usefulness tend to try to run a virtual machine -- either by virtue of chroot'd cages, or virtual machines. The problem is keeping a sophisticated attacker in the cage. As was pointed out on Bugtraq, it is fairly easy, owing to kernel behavior, to detect that one is in a cage. You can send kill signals to pids that aren't in your visible process list, and the kernel responses will tip you off that you are only being shown part of the process table (the Recourse product simulates a live
Nonetheless, my real-world experience tells me that your greatest risk is an attack from the script kiddies, with the fresh d/l from bugtraq or the like, or even unreleased exploits, not sophisticated crackers seeking entry into specific boxes. In this case, the honeypot can be very valuable -- first as an easily-cleaned distraction (a good honeypot LOOKS like it is a machine at work, but isn't) -- then as a trace of activities, so you can prevent further incidents. Properly placed, it can help lure in attacks first, providing a warning that can be responded to before other real product boxes get compromised.
It has been pointed out, and bears repeating, that the right place for a honeypot is on a DMZ, where it does not have priveleged access to protected hosts. People have put honeypots behind firewalls in protected nets, and then had them be used as jump-off points for much more serious compromises.
Generally we give them names of interest to tech-types but nothing the general user community, sometimes just make 'em look like standard workstations, occasionally we called them things like "payroll" or other tempting titles. We then track all traffic to & from these boxes identifying the source & their intentions. Generally we'd get a few mistake-hits or just-clicking-around ones a week but often enough we'd find someone with some intent trying to get onto them.
Generally it was a semi-knowledgeable employee just poking around & seeing what they could get into. We'd usually then track their other activities closely in order to make sure they hadn't gotten into anyplace they ought not have. After we'd assured ourselves they weren't nefarious we'd usually call them in, put a scare to them with the records of their exploits & warn them to cut it out or loose their job. Occasionally where they were using tools or other more-then-casual attempts we'd just fire them on the spot.
A few times it was IS staffers. Then we'd follow the same drill, try to determine what they were doing & why, then when called in if they couldn't give a good accounting of themselves cut them loose, again on the spot. Actually we'd usually delay them with paperwork & other excuses while we ran a complete lock-out and performed fast reviews of any systems they could have compromised. In one case where the fellow wanted to storm out a fast-thinking HR staffer got someone to 'accidentally' block their car & wait a half hour while we found the 'bad-parker'.
IS folks with that poor judgement and too easy access were just asking for future trouble & they aren't worth it. Of the few that I've fired this way over the years at least two later came to bad ends, including one who diddled with another companies accounting system.
Needless to say none of this was ever advertised within the company, particularly with IS. It was all on a strictly need-to-know basis & only done in-person, nothing emailed or electronically documented (wow - a reason for interoffice mail!) Oftentimes we'd hire a trusted outside firm to install the systems & track the activity (had one guy come in for years as a "special cleaner" specializing in electrical closets!)
Firewalls and elaborate outside security are great things but most serious damage comes from folks inside. Keeping a check with decoys and other measures is only prudent.
-- Michael
Then there's that contractor I discovered trying to crack my personal desktop box...
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
Micro$oft did this months ago!
Hi! This is the Sig, blatantly attached to the end of this comment.
I'd love to have a honeypot, and I'm sure it would be fun to play around with them.. but this reminds me about the true nature of many network adminstrators.
The reality is that most administrators know about most vulnerabilities, but a large number of them are too lazy or busy to fix them. A lot of them have the "nobody cares enough to hack me" mentality.. which isn't really effective since people scan blocks of IP addresses at a time.
Hopefully some adminstrators will get their acts together after reading about honeypots.
"War is hell" -- General Sherman Techumseh