Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tracking Hackers

Posted by michael on from the nyah-nyah-can't-catch-me dept.

Anton Chuvakin submitted this review of Lance Spitzner's Honeypots: Tracking Hackers. Spitzner has previously contributed to a book and many online documents about the Honeynet Project. Chuvakin starts off, "If you liked "Know Your Enemy" by the Honeynet Project, you will undoubtedly like Lance Spitzner's (the Honeynet Project founder) new book "Tracking Hackers" much more. In fact, even if you did not quite like "Know Your Enemy", you will likely be deeply impressed with the new book on honeypots and their use for tracking hackers." "Honeypots: Tracking Hackers" author Lance Spitzner pages 480 publisher AWL rating 5/5 reviewer Anton Chuvakin, Ph.D, GCIA ISBN 0321108957 summary using honeypots to track electronic intruders

The structure of the book is different from the "Know Your Enemy": Lance starts from the very beginning - namely, his first honeypot penetration experience and then goes on to talk about all aspects of honeypots. In-depth and structured background on honeypot technology is provided. Honeypots are sorted by the level of interaction with attacker they are able to provide.

In addition, the book covers the business benefits of using honeypots. By classifying the value of honeypots into prevention, detection and response (exactly as done in Honeynet Project white papers) Lance Spitzner analyzes the honeypot technology contributions to an overall security posture. Also, the book describes the differences between the research and production honeypots and demonstrates the benefits of both for various deployment scenarios.

A good part of the book is devoted to particular honeypot solutions: 'honeyd' by Niels Provos and several commercial honeypots with detailed explanation of how they work. For example, there is a clear description of ARP spoofing and how it is used by the 'honeyd' honeypot daemon. An interesting chapter on "homegrown" honeypot solutions (such as the ones used to capture popular worms of 2001) sheds some light on the simplest honeypots that can be built for specific purposes, such as to capture a popular attack by means of a simple port listener. Use of UNIX chroot() jail environment for honeypots is also analyzed.

Of course, a special chapter is devoted to honeynets - Project's primary weapon in a war against malicious hackers. The Generation II (GenII) honeynet technology is first introduced in a book. The chapter not only lists honeynet deployment and maintenance suggestions, but also talks about the risks of honeynets.

Another great feature of the book is a chapter on honeypot implementation strategies and methods, such as using NAT to forward traffic to a honeypot and DMZ honeypot installation. The information is then further demonstrated using the two full honeypot case studies, from planning to operation.

What is even more important, maintaining the honeypot architecture is covered in a separate chapter. Honeypots are a challenge to run, mainly since no 'lock it down and maintain state' is possible. One has to constantly build defenses and hide and dodge attacks that cannot be defended against.

"Tracking hackers" also has a "Legal Issues" chapter, written with a lot of feedback from the DoJ official. It dispels some of the misconceptions about the honeypots such as the "entrapment" issue, summarizes wiretap laws and related data capture problems.

The book describes an almost cutting edge of the honeypot research and technology. To truly get the cutting edge and to know about the Honeynet Project latest activities in detail, wait for the second edition of "Know Your Enemy" (coming out next year). In "Tracking Hackers" Lance makes some predictions about honeypots in "Future of Honeypots" chapter. Honeypot-based early warning system and distributed deployments, analysis of new threats and expanding research applications, making honeypots easier to deploy and maintain are all in this chapter.

To conclude, Marcus Ranum's enthusiastic preface is not an overstatement, it is indeed a great book for both security professionals and others interested in this exciting technology. While I was already familiar with most of the information in the book, it was a fascinating read! This is the kind of book you don't want or even cannot put down until the last page is turned.

Anton Chuvakin, Ph.D., GCIA (http://www.chuvakin.org) is a Senior Security Analyst with a major security company.

You can purchase Honeypots: Tracking Hackers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

8 of 87 comments (clear)

  1. Use of honeypots by TrueKonrads · · Score: 4, Insightful

    I don't understand why everybody suddenly wants to have a honeypot? You are not a fed and you won't mail them "Look there is a ssh scanner poking my network, go arrest them, oh brave ones". Stick to snort with decent rulesets and be set. Add kernel patches and protect your butt from exploits. Honeypots seem to be overhyped.

    --
    Lone Gunmen crew.
    1. Re:Use of honeypots by Hayzeus · · Score: 2, Insightful
      Good point. I suppose a honeypot might be a useful tool for organizations like banks and other places that might be targets for organized attempts at breakins-for-profit. In such a situation, a honeypot might provide both a good early warning system and keep the intruders around long enough for the feds or whomever to do something useful.

      Or maybe not. Otherwise, I pretty much agree with your post. Not only does this seem like an expensive waste of time, but potentially dangerous if some idiot comes along and misconfigures the honeypot (or if an idiot put it up in the first place). Unless your workplace is idiot-free. Then it would be OK.

      --

      Roving Web-Teleoperated Robot
    2. Re:Use of honeypots by kasperd · · Score: 2, Insightful

      potentially dangerous if some idiot comes along and misconfigures the honeypot

      This is all about where you place the honeypot. Place the honeypot where it has no more access to your important network than a random computer on the internet would have had. In that case your network is no more vulnurable with the honeypot than without.

      Placing the honeypot in an important network behind your firewall is plain stupid. Placing the honeypot outside the firewall is acceptable. Placing the honeypot in a DMZ zone with nothing else is also acceptable, if the firewall is configured correctly. If the extra leg on the firewall causes more bugs in the setup, two independend firewalls would have been better.

      --

      Do you care about the security of your wireless mouse?
  2. How many arrests? by Animats · · Score: 4, Insightful
    Is this actually leading to arrests? If so, we need more honeypots; if not, it's a waste of time.

    There's a tendency in what passes for a computer security community today to focus on the most numerous threats, rather than the most effective one. Maybe there's only one hit a month from the guy who's breaking in and reading your credit card number file, but that's the person you need to find.

    1. Re:How many arrests? by freuddot · · Score: 5, Insightful

      Is this actually leading to arrests? If so, we need more honeypots; if not, it's a waste of time

      This is Soooo Year 2002 thinking.

      How 'bout
      Is this actually leading to less cracked systems? If so, we need more honeypots; if not, it's a waste of time

      Guys, wake up, the whole point is not to arrest people doing bad things. The points is stopping those bad things from happening.

    2. Re:How many arrests? by bourne · · Score: 4, Insightful

      Is this actually leading to arrests? If so, we need more honeypots; if not, it's a waste of time.

      Honeypots provide a way for people to learn how to deal with an incident on the real servers they protect. Just like emergency personnel hold disaster preparedness drills, just as the US Military stages large red team exercises in the desert, just as medical students use cadavers to learn what they're doing before they cut into a live patient.

      Let's face it - when your database server gets compromised, do you want the guy responding to thrash around, destroy evidence and erase tracks, and generally screw up the response? Or do you want him to do a careful, correct job?

      Honeypots are where admins learn NOT to run around like a chicken with their head cut off.

  3. That's CRAKCERS not HACKERS by Neil+Watson · · Score: 4, Insightful

    Get it right. Crackers are the criminals. Hackers are law abiding citizens who are also computer experts.

    --
    UNIX/Linux Consulting
  4. Re:Use of honeypots - for educational purposes by Anonymous Coward · · Score: 2, Insightful

    Honeypots are very interesting for educational purposes. If you're a security professional (or want to become one), then using a honeypot can provide 'real-world' experience with dealing with crackers, analyzing logs, studying behavior etc. This way if you end up with a job in computer security you won't have to look at your boss after a security breach and shrug "I dunno, I've never actually seen this before". There is a difference between reading and doing. You can learn a lot from reading about something, but you'll learn it in a different way when your fingers are actually on the keyboard and it is actually happening.