Tracking Hackers
The structure of the book differs from that of "Know Your Enemy": Lance starts from the very beginning, namely his first honeypot penetration experience, and then goes on to cover all aspects of honeypots. In-depth and structured background on honeypot technology is provided. Honeypots are sorted by the level of interaction they are able to offer the attacker.
In addition, the book covers the business benefits of using honeypots. By classifying the value of honeypots into prevention, detection and response (exactly as done in the Honeynet Project white papers), Lance Spitzner analyzes the contributions of honeypot technology to an overall security posture. The book also describes the differences between research and production honeypots and demonstrates the benefits of both for various deployment scenarios.
A good part of the book is devoted to particular honeypot solutions: 'honeyd' by Niels Provos and several commercial honeypots, with detailed explanations of how they work. For example, there is a clear description of ARP spoofing and how it is used by the 'honeyd' honeypot daemon. An interesting chapter on "homegrown" honeypot solutions (such as the ones used to capture the popular worms of 2001) sheds some light on the simplest honeypots that can be built for specific purposes, such as capturing a popular attack by means of a simple port listener. Use of the UNIX chroot() jail environment for honeypots is also analyzed.
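As an added illustration of the "simple port listener" honeypot the chapter describes (example code written for this page, not code from the book or from honeyd), here is a minimal Python listener that serves nothing, records the first bytes of every connection, and a summary function that groups repeated probes by source and payload. The capture records below are constructed, one of them shaped like a Code Red style HTTP probe; the port, timeout and byte limits are assumptions.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records in the shape the listener writes:
# (timestamp, peer_ip, local_port, first_bytes). Addresses are from
# documentation ranges; the first payload mimics a Code Red style probe.
SAMPLE_EVENTS = [
    ("2002-09-01T10:00:01Z", "192.0.2.10", 80, b"GET /default.ida?XXXXXXXX"),
    ("2002-09-01T10:00:05Z", "192.0.2.10", 80, b"GET /default.ida?XXXXXXXX"),
    ("2002-09-01T10:01:00Z", "198.51.100.7", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("2002-09-01T10:02:00Z", "203.0.113.4", 1433, b""),
]

def handle_client(conn, addr, port, events, max_bytes=256):
    """Read the first bytes a client sends, record them, close. Nothing is served."""
    conn.settimeout(3.0)
    try:
        data = conn.recv(max_bytes)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    events.append((ts, addr[0], port, data))

def serve(port, events, bind="0.0.0.0"):
    """Listen on an otherwise unused port; any connection to it is suspicious by definition."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client, args=(conn, addr, port, events), daemon=True).start()

def summarize(events, min_hits=2):
    """Group captured events by (source, port, payload prefix) so repeated probes stand out.
    Returns (ip, port, prefix, count) tuples, most frequent first."""
    counts = Counter((ip, port, data[:32]) for _, ip, port, data in events)
    return [(ip, port, prefix, n) for (ip, port, prefix), n in counts.most_common() if n >= min_hits]

if __name__ == "__main__":
    captured = []
    serve(8080, captured)  # assumed port; run, then call summarize(captured) from another thread
```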
Of course, a special chapter is devoted to honeynets, the Honeynet Project's primary weapon in the war against malicious hackers. The Generation II (GenII) honeynet technology is introduced in a book for the first time. The chapter not only lists honeynet deployment and maintenance suggestions, but also discusses the risks of honeynets.
Another great feature of the book is a chapter on honeypot implementation strategies and methods, such as using NAT to forward traffic to a honeypot and installing a honeypot in a DMZ. The information is then demonstrated further using two full honeypot case studies, from planning to operation.
Even more importantly, maintaining the honeypot architecture is covered in a separate chapter. Honeypots are a challenge to run, mainly because no 'lock it down and maintain state' approach is possible. One has to constantly build defenses and hide from and dodge attacks that cannot be defended against.
"Tracking Hackers" also has a "Legal Issues" chapter, written with a lot of feedback from a DoJ official. It dispels some of the misconceptions about honeypots, such as the "entrapment" issue, and summarizes wiretap laws and related data capture problems.
The book describes the near-cutting edge of honeypot research and technology. To truly get the cutting edge and to learn about the Honeynet Project's latest activities in detail, wait for the second edition of "Know Your Enemy" (coming out next year). In "Tracking Hackers" Lance makes some predictions about honeypots in the "Future of Honeypots" chapter. Honeypot-based early warning systems and distributed deployments, analysis of new threats and expanding research applications, and making honeypots easier to deploy and maintain are all in this chapter.
To conclude, Marcus Ranum's enthusiastic preface is not an overstatement; it is indeed a great book for both security professionals and others interested in this exciting technology. While I was already familiar with most of the information in the book, it was a fascinating read! This is the kind of book you don't want to, or even cannot, put down until the last page is turned.
Anton Chuvakin, Ph.D., GCIA (http://www.chuvakin.org) is a Senior Security Analyst with a major security company.
You can purchase Honeypots: Tracking Hackers from bn.com.
I don't understand why everybody suddenly wants to have a honeypot. You are not a fed and you won't mail them "Look, there is an ssh scanner poking my network, go arrest them, oh brave ones". Stick to snort with decent rulesets and be set. Add kernel patches and protect your butt from exploits. Honeypots seem to be overhyped.
Lone Gunmen crew.
There's a tendency in what passes for a computer security community today to focus on the most numerous threats, rather than the most effective one. Maybe there's only one hit a month from the guy who's breaking in and reading your credit card number file, but that's the person you need to find.
Personally, his books are very interesting. His in-depth look at, and maybe slight obsession with, hackers and such is captivating. I am looking forward to reading this next book.
Any documented cases of ill-designed honeypots that ended up as staging platforms of network attack?
honeypot penetration experience
*sigh* I remember mine fondly too...
The structure of the book is different from the "Know Your Enemy": Lance starts from the very beginning - namely, his first honeypot penetration experience and then goes on to talk about all aspects of honeypots.
:)
yow. interesting topic to start off a book on hackers.
Cretin - a powerful and flexible CD reencoder
I wish slashdot would clearly mark availability of books reviewed/previewed. Given the number of times publication has been delayed on books reviewed here, this would be a valuable add-on category for the review.
...misconceptions about the honeypots such as the "entrapment" issue...
:)
You mean Pooh never really got his head stuck in one of those things?
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
Get it right. Crackers are the criminals. Hackers are law abiding citizens who are also computer experts.
UNIX/Linux Consulting
"This is the kind of book you don't want..."
If I don't want it, why is your review so enthusiastic?
Tracking a hacker is extremely difficult without becoming one yourself. Most of the time any hacker hacks from another hacked machine. 90% of the time, these machines are ones owned by people who have no clue how to use them, and whose response to being hacked is a fresh default install. So unless you speak Chinese, you're probably not going to have a whole lot of luck, unless the hacker is either stupid, or just really screws up.
Cliff Stoll set up a honeypot when he was tracking the German hackers.
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
Honeypots are very interesting for educational purposes. If you're a security professional (or want to become one), then using a honeypot can provide 'real-world' experience with dealing with crackers, analyzing logs, studying behavior etc. This way if you end up with a job in computer security you won't have to look at your boss after a security breach and shrug "I dunno, I've never actually seen this before". There is a difference between reading and doing. You can learn a lot from reading about something, but you'll learn it in a different way when your fingers are actually on the keyboard and it is actually happening.
The guy was in such a hurry to post it that he even misspelled "crackers".
Once again a corporate stooge spews FUD in the interest of profits. If he was really an expert he would not use the term "Hacker". Misusing terminology, though irritating, is understandable from the stupid media, but unacceptable from so called experts. It appears that these "Security" companies are attempting to create an environment of fear in order to increase business.
I have just discovered my home server has been used to host a load of PS2 software. D'oh
Word to the wise, don't overlook the allow anonymous logons in IIS / FTP. Better pay more attention to the setup in future!
Do honeypots have any value for teaching security experts? Could the study of crackers and cracking techniques ever belong outside the Sociology Dept. at a university?
I can certainly envision course projects surrounding the analysis of a real honeypot or perhaps a system that has been compromised by the teacher. But would this actually help the students or would they be better off learning in a more theoretical fashion? (Because cracking is too variable and changes too quickly for the study of specific techniques to be of value.)
Although the review seems pretty interesting, don't you think that it might be a little biased? He is doing a talk at a conference led by Lance Spitzner pretty soon. (Look for COUNTER-INTELLIGENCE IN INTERNET SECURITY: HONEYPOT BEST PRACTICES)
I want to know how many kneecappings and crushed hands have resulted from skript kiddiez going after the wrong targets.
Teach the ankle-biters to steer clear of networks owned (in all senses of the word) by Guido and "doze computer-talking guys dat be wit us, watchacall'em, geeks or sumthin? fuggetabout'it."
Hit count takes on a whole new meaning in this context,
Capice?
Disclaimer IANAMM (I am not a made man, but my brother-in-law was, at least until they found him stuffed in the trunk of his caddy)
would you trust someone who got owned?
the hacker who does not take credit is who survives, not some of those self-proclaimed security "experts".
just find any of us and hand him or her a mirror
--fetch daddy's blue fright wig, i must be handsome when i release my rage
Detectives study the behavior of criminals, the FBI studies the behavior of terrorists, ROTC students study the behavior of attacking armies, and network security analysts study the behavior of crackers.
Not every cop is a "Criminologist", not every sysadmin needs to be a "Security Analyst".
I do not deploy Linux. Ever.
My employer is hosting an extremely intricate and rather sizeable home-grown honeypot solution.
It was supposed to be our corporate web server, but our sysadmin is a dolt.
You have to place an advance order and wait a month and a bit till it comes out.
Amazon.com has a cheaper price ($31.49) and an early release date (Sept 20th) than Barnes&Noble.com ($35.99, release Sept 27th).
Looking forward to reading it :-)
Opensource=Openmind=Freedom
My handle may not mean anything to you, but I'm well known in the l337 hax0r circles. I started hacking in the early 80s when I acquired an old 80486 computer. Within months I made my way into the inner circle by filling my tiny by today's standards hard-drive with over 3 giga-bytes of 0 day warez. Later I installed FreeBSD (Linux wasn't available back in the 80s) and j00wned hundreds of machines without ever getting caught. The 3l337 is out there. Phear me.
Down with Crapitali$m. Anarchy NOW!
What entrapment issue? Entrapment only happens when a person is convinced by a law enforcement official to do something that they wouldn't ordinarily do.
If someone gets stuck in a honeypot, he ordinarily would've been attempting to scan my system...
- In Capitalist America, law violates YOU!
for a hippy/hacker band.
Ladies and gentlemen, please welcome the Honeypot Penetration Experience!
Who put this thing together? Me, that's who.
Google should.
Every so often we hear of a book such as "Hacking Exposed", "Learn how to Hack!" and other sensationalist titles to increase sales.
Typically these aren't what they masquerade as since if they did it
...wouldn't get published?
So, can anyone tell me where I might find a published book telling people how to hack maliciously with little intent on how to prevent it.
Perhaps there's some old ones available that got published before people realised what hacking is?
I'd find it amusing to get a book like it from the library.
In fact, I'd love to find a "Banned Books" second hand book store, that could be a laugh.
I expect I may have to come from a country with more / different approach to freedom of speech such as around asia, Russia, Central-Americas.
A blog I run for the wealth