Slashdot Mirror


Know Your Enemy, 2nd Edition

Ben Rothke writes "Within law enforcement, establishing a modus operandi is one of the crucial things that can make the difference between finding a criminal and not. For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch. While both victims are equally dead, the manner of their deaths is radically different. So too with computer crime; knowing the modus operandi of the attacker can mean the difference between finding the perpetrator and not. In Know Your Enemy: Learning about Security Threats, the members of the Honeynet Project have written an excellent security reference that can enable one to begin to understand the motives of those who are attacking and compromising their systems." Read on for the rest of Rothke's review.

Know Your Enemy: Learning about Security Threats (2nd Edition)
  author: The Honeynet Project
  pages: 742
  publisher: Pearson Education
  rating: 8
  reviewer: Ben Rothke
  ISBN: 0321166469
  summary: Observe intruders without putting your data at risk by building a tempting honeynet.

KYE was not written by a single author, rather by The Honeynet Project. They are a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.

The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored, and with analysis can be understood.

The book's premise is that it is not simply enough to know you have enemies; you need to understand what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that it is best using its resources to defend against and defeat its enemy.

This is the second edition of KYE, and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book go into what exactly a honeynet is, and then explain the differences between first- and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.

The opening chapters also go into detail about the specific value of honeynets. Those who entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.

Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take these legal issues to heart can change a honeynet from an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.

Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.

Data analysis and forensics are crucial in that they are the only way to interpret the various types of data involved. The key for those involved is extracting the different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.

While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.

Know Your Enemy is a unique book in that it details not simply how to install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take an offensive approach to computer security and understand the mindset of the attacker. That is something not easily found in other books.

The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.

Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.

The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.

Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on securing hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.

You can purchase Know Your Enemy: Learning about Security Threats (2nd Edition) from bn.com.

103 comments

  1. Not to be confused with "No, Your Enemy" by Anonymous Coward · · Score: 3, Funny

    My dating guide for single guys.

    1. Re:Not to be confused with "No, Your Enemy" by Jacer · · Score: 4, Funny

      If you could write a book "Know your enemy" intended to help single guys better understand women that actually had substance, you'd probably have a best seller on your hands.

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
    2. Re:Not to be confused with "No, Your Enemy" by MarsDefenseMinister · · Score: 0, Offtopic

      You just killed my erection. Thanks.

      --
      No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
    3. Re:Not to be confused with "No, Your Enemy" by gurps_npc · · Score: 1, Offtopic
      No it would be too small.

      The basics are fairly obvious, the complex stuff varies so much it is not helpful to print:

      1)There is little if any difference between women and men, except that generated by cultural differences.

      2) The major cultural differences are: a) women are expected to take care of any children they have, so b) they have a more reasonable fear of sex, c) men pursue the women, d) the women make themselves more attractive via make-up, etc., e) the women insist on cash for taking care of the child, f) they insist that there are huge cultural differences between men and women (because everything above is to their advantage now that abortion is legal) in order to maintain the current status quo, and g) some men subconsciously/consciously understand the situation, so some of them act to preserve the few benefits men have (pay inequalities for example) or develop criminal rage (rape, etc.) towards the women.

      Cynical? Maybe. But let's face it, if men had the kind of cultural power that women had we would abuse it the same way women do. If I could get a date simply by losing weight and dressing skimpily, I would probably insist that she buy me dinner too.

      --
      excitingthingstodo.blogspot.com
    4. Re:Not to be confused with "No, Your Enemy" by Anonymous Coward · · Score: 0

      The (false) premise here is that they CAN be understood.

    5. Re:Not to be confused with "No, Your Enemy" by Jacer · · Score: 1

      If I could get a date simply by losing weight and dressing skimpily, I would probably insist that she buy me dinner too. That's the best quote. EVER.

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
    6. Re:Not to be confused with "No, Your Enemy" by MarsDefenseMinister · · Score: 0, Offtopic

      I haven't been this disappointed since a MS-DOS compiler told me that it was out of stack space. 64K stack? Not stacked NEARLY enough.

      --
      No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
    7. Re:Not to be confused with "No, Your Enemy" by johnnyb · · Score: 1

      "1)There is little if any difference between women and men, except that generated by cultural differences."

      That's completely wrong. We are biochemically and physically very different. If you don't think that affects your personality, you should see how much food affects your behavior, disposition, and outlook. And food is pretty minor compared to the biological differences between men and women.

      Honestly, there's a lot of difference between woman A and woman A (yes, I _meant_ to type that). When a woman gives birth to her first child, she changes. This is not a result of society, but rather a result of the biochemical and physical changes that happen in childbirth. Women's bone placement changes, their biochemistry changes, a _lot_ of things change before, during, and after pregnancy. Women are almost literally not the same person. My wife, for example, even has different allergies now than she had before she was pregnant.

      Your examples are amusing, and probably true to some degree. But the differences between men and women are real. I would venture to guess that many of the societal differences between men and women came about _because_ of the physical differences as well.

      To sum it up - women _are_ very different from men.

    8. Re:Not to be confused with "No, Your Enemy" by antic · · Score: 2, Informative
      I think this is what you're looking for:

      Book For Geeks
      Getting a Girl

      --
      'Thats they exact same thing a banana wrench monkey.'
    9. Re:Not to be confused with "No, Your Enemy" by garote · · Score: 1

      Actually what I think the poster meant was, "The differences between individual people are far greater, and far more important, than any generalized differences between men and women."

    10. Re:Not to be confused with "No, Your Enemy" by nacturation · · Score: 1

      No, my enemy? I don't get it. Sheesh... at least get the grammar correct. You mean "No, You're Enemy". You're == You Are.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    11. Re:Not to be confused with "No, Your Enemy" by Anonymous Coward · · Score: 0
      There is little if any difference between women and men

      Except for my wang. That's a huge different.

      Note to self: Don't post to ./ while drunk..

    12. Re:Not to be confused with "No, Your Enemy" by dnahelix · · Score: 1

      more like,
      "NO!" - Your Enemy

      --
      Slashdot Eds Link Anonymous Posts With Logged Posts
      They Are Vermin Feeding On Each Other's Feces.
      I Hate \.
    13. Re:Not to be confused with "No, Your Enemy" by gurps_npc · · Score: 1
      I of course realize there are physical differences. The question is are there mental differences.

      And for that, your argument fails.

      Mentally, the so-called "differences" between men and women are practically non-existent, except for the cultural ones, at least as compared to the mental differences between say a white Jewish guy and a black atheist guy.

      The question here was what can we tell men about how women think differently from men, and the answer is basically, they think the same way men would if men were in the position of growing up worrying about getting pregnant, trying to convince a woman to pursue them, and trying to get the women to support them and/or any children they might have.

      --
      excitingthingstodo.blogspot.com
  2. before you know it.... by Crzysdrs · · Score: 5, Funny

    We will be getting arrested on code profiling!

    Programmer: I swear I didn't do it.
    FBI: Well, you have a different style of formatting your code, we know it was you.

    1. Re:before you know it.... by ackthpt · · Score: 1
      We will be getting arrested on code profiling!

      Maybe. Or maybe we'll just send these people around to pay you a visit.

      --
      A feeling of having made the same mistake before: Deja Foobar
    2. Re:before you know it.... by mikeage · · Score: 2, Funny

      Just remember, the real Sal Wise programs in italics

      --
      -- Is "Sig" copyrighted by www.sig.com?
  3. Hope its better than the first. by j_kenpo · · Score: 5, Insightful

    I remember the first KYE, and I remember the most annoying thing was the last section was a huge dump of IRC logs from a bunch of script kiddies. While it wasn't a bad thing to get to know the enemy, I don't think it warrants the whole last 1/3 of the book being dedicated to it, maybe as an appendix. From the author's description it sounds more like this book is geared towards the wonders of the Honeynet.

    1. Re:Hope its better than the first. by Anonymous Coward · · Score: 0

      I really hope it's better than the first edition. The first edition was one of the worst books I've ever read on information security topics; filled with repetitions ("remember that..."), lacking technical details on the attacks (although that's not the main focus of the book). The analysis of the IRC logs is a waste of space. Nothing can really be learned from the first edition and it's not even a fun read.

  4. Simulation... by Short+Circuit · · Score: 2, Interesting

    Has anyone ever made a door game that simulates hacking into a network? It'd make for an entertaining addition to a BBS.

    The other alternative could be to set up a honeynet behind a firewall, either using VMWare or old hardware, and give users access to (some) of the systems.

    1. Re:Simulation... by mike_stay · · Score: 4, Interesting

      Yeah, there's lots of them. here here here and here.

    2. Re:Simulation... by Jeremi · · Score: 1
      Has anyone ever made a door game that simulates hacking into a network?
      Never mind that, the real question is: have any of these games ever done the "Ender's Game" trick and set up one of the levels to be a proxy server forwarding to the real world? (say, to SCO's legal department's file server?)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
  5. Could someone elaborate on legal issues? by Tibor+the+Hun · · Score: 5, Interesting

    While "Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet." is legally a terrific summary, could someone (legally) elaborate on the illegalities of honeypots and nets?

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Could someone elaborate on legal issues? by stratjakt · · Score: 5, Informative

      Look up the wiretapping laws in your state/jurisdiction. It varies from place to place. In some states it's legal to tape your phone calls, in some it requires that both parties agree to the recording. (i.e., Linda Tripp running afoul of MD's wiretapping laws when she taped Lewinsky)

      Same types of things apply to the internet.

      You think you have some hacker dead to rights, and wind up being sued. You know, those "rights to privacy" slashdotters are always on about - other people have those too.

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:Could someone elaborate on legal issues? by plcurechax · · Score: 3, Informative

      could someone (legally) elaborate on the illegalities of honeypots and nets?

      The main issue is for government (and perhaps government contractors) running honeypots/honeynets and the legal definition of entrapment.

      The rest is mainly a risk-taking or risk-aversion decision. At the very least a criminal caught using evidence from a honeypot/net may launch a lawsuit.

    3. Re:Could someone elaborate on legal issues? by ewhac · · Score: 4, Interesting

      Others have already pointed out the wiretapping statutes you can run afoul of, but there are other concerns as well.

      For example: you deploy a honeynet for forensic analysis. A blackhat enters your network and, as you watch it happen, sets up a child porn server.

      What is your liability in this case? Aiding and abetting? Accessory? Heck, it doesn't even need to be as heinous as child porn -- it could simply be a w4r3z repository, in which case you could face contributory infringement charges.

      Schwab

    4. Re:Could someone elaborate on legal issues? by nlawalker · · Score: 4, Informative
      IANAL, and I may be completely wrong here, but I'm just kind of curious. Parent brings forward a good topic for discussion.

      How are wiretapping or entrapment even applicable? If a honeynet is a secure network (in this case, very light security) and is broken into by a cracker, snooped around in, and exited, is this not synonymous to someone breaking and entering your home and leaving evidence at the crime scene? No one says that the network has to have a big sign over it that says "Honeynet - Hack here and you'll be caught!" For all anyone knows, it really could be a protected resource, so it's not like you're luring that burglar into the house and having the cops wait for him. As for wiretapping laws, the cracker has illegitimately accessed your system, and any information he leaves behind now exists on your storage property. Who's to say you can't use that information?

    5. Re:Could someone elaborate on legal issues? by wayward · · Score: 1

      The chapter mentioned child porn, and suggested that the administrators should quickly contact law enforcement if they find this on the network.

    6. Re:Could someone elaborate on legal issues? by afay · · Score: 4, Informative

      As far as I can tell, entrapment would not apply at all in this case. Entrapment actually has a fairly strict legal definition. Giving someone the opportunity to commit a crime is not enough. The crime must have been suggested by government agents (police, FBI, whatever) and the person must have been unwilling to commit the crime before the agents talked to him/her (they had to convince him).

      A good example of entrapment might be someone who had a regular job, but was very short on money. If the police approached him to make a quick drug sell and earn an easy $5000 and the individual wouldn't have considered selling drugs before the police approached him (upstanding citizen, etc.), then that would be entrapment. Honeypots/nets are only providing an opportunity to commit a crime and don't fit the other two conditions of entrapment.

      --
      Best slashdot comment
    7. Re:Could someone elaborate on legal issues? by John+M+Ford · · Score: 1

      Wow. Just... wow.

      I could not imagine calling the police and actually telling them that there is illegal material on my network. And even if I did, I would fully expect them to look at me as the main "person of interest."

      There is no way I'd be that trusting. But that's just me.

      John

      --
      I may disagree with what you have to say, but I shall defend, to the death, your right to say it. jya.com/ap.htm
    8. Re:Could someone elaborate on legal issues? by Anonymous Coward · · Score: 0

      One legal quagmire that might arise is if a hacker breaks into your honeynet and then uses it to launch subsequent attacks on other servers (belonging to companies other than yourself). Since you have setup your honeynet for this express purpose, and you are monitoring and have knowledge of these activities, you may be legally bound to prevent them from continuing and/or have liability in regards to any damage done by the hacker to other people's servers.

      I'm sure if competitor X traced their network intrusions back to competitor Y that they would be pissed. Call it a honeynet, call it whatever, just be sure to not fall into the category of aiding and abetting.

    9. Re:Could someone elaborate on legal issues? by gcaseye6677 · · Score: 1

      At the very least a criminal caught using evident from a honeypot/net may launch a lawsuit.

      If I were a corporate IT director, I would absolutely not be concerned about this. As other posters have explained, it is not entrapment. A criminal has no reasonable expectation of privacy on someone else's property. If the intruder sued, the corporate lawyers would use every stonewalling tactic in the book, then launch a counter-suit for the intrusion. In the United States anyway, the one with the better lawyer wins. Since most hackers have little money to spend on lawyers, I don't believe I need to spell out the result of the lawsuits. This is a non-issue.

    10. Re:Could someone elaborate on legal issues? by 0racle · · Score: 1

      It's not so much whether they have an expectation of privacy, but whether you have a right to record it; just like was already mentioned, in some states you can't tape a call you receive. On top of that, never underestimate the litigious nature of the United States and a felon winning a case because his 'rights' to commit a felony were infringed upon.

      --
      "I use a Mac because I'm just better than you are."
    11. Re:Could someone elaborate on legal issues? by plcurechax · · Score: 1

      If the intruder sued, the corporate lawyers...

      Sorry I wasn't clear, regardless of whether the lawsuit has merit it does tie up employee time, gathering and presenting evidence, and spends corporate dollars rather than contributing to profitable activities like developing and selling products.

      A risk-averse organization will avoid this expense, whereas a larger organization that determines it stands to gain from understanding its attackers may consider it a justifiable expense.

    12. Re:Could someone elaborate on legal issues? by carnivore302 · · Score: 1

      I think Kevin Mitnick can :-) At least he had the time to think about it...

      I have also read The art of deception by Mitnick. I think people enjoying KYE will enjoy Mitnicks book as well.

      ---- Friendly request to visit this site if you're interested in elliott waves.

      --
      Please login to access my lawn
    13. Re:Could someone elaborate on legal issues? by MadRocketScientist · · Score: 1

      If a honeynet is a secure network (in this case, very light security)
      If you deliberately deploy a less secure network (one that you designed to raise flags on automated scanning tools), then that could be viewed as the legal equivalent to leaving an open window in your house in front of a table with a pile of cash on it. You're inviting a potential criminal to pursue the "low hanging fruit".

    14. Re:Could someone elaborate on legal issues? by rebel47 · · Score: 1

      I don't think that wiretap laws come into this at all. Let's just remember the recent case where a provider of an email service opened and read email messages sent by users of his service. If I remember correctly, the judge found in favor of this creep. His reasoning was that wiretapping laws covered messages being 'transmitted'. As the emails were on the server and read from what was stored, not what was being transmitted, there was no breach of the wiretap laws. Think the same thing would apply in this case.

      --
      One day I woke up and saw all my rights had disappeared, that's the day I knew the terrorists had won.
  6. Honeypot/Honeynet? by grunt107 · · Score: 4, Funny

    So... my #1 suspected enemy is Winnie the Pooh!!!

    1. Re:Honeypot/Honeynet? by Anonymous Coward · · Score: 0

      Pooh's usual trick to getting "Hunny" is to disguise himself as a raincloud so he can trick the bees out of it! Not sure what that looks like on a packet dump though...

    2. Re:Honeypot/Honeynet? by GMFTatsujin · · Score: 5, Funny

      0h, b07h3r.

  7. Definition by nlawalker · · Score: 4, Funny

    Honeynet (noun): 1. Used to replace another noun indicating a network resource that has been Slashdotted in order to indicate slowness. Syn. Molassesnet, Ketchupnet. Ant. Local Area Network. Usage: "Fsking Slashdot! This place is a honeynet now."

  8. How does it compare? by plcurechax · · Score: 3, Interesting
    Is it worth / recommended for the owner of the first edition to buy/read the 2nd edition?

    How does it compare to the "additional material" originally presented in Honeypots: Tracking Hackers by Lance Spitzner (member of Honeynet Project) which was to address the growing and changing nature of honeypots and the early evolution of honeynets?

    1. Re:How does it compare? by Anonymous Coward · · Score: 0

      RTF writeup, christ, you don't even need to RTFA

  9. I enjoyed Cuckoos Egg years ago.. by dan+dan+the+dna+man · · Score: 4, Interesting

    but I wouldn't use it as a textbook on "knowing the enemy" in a modern network environment. Your comparison worries me enough to warrant me not buying the book you're reviewing..

    --
    I don't read your sig, why do you read mine?
    1. Re:I enjoyed Cuckoos Egg years ago.. by DAldredge · · Score: 1

      Why does it worry you so?

    2. Re:I enjoyed Cuckoos Egg years ago.. by dan+dan+the+dna+man · · Score: 4, Insightful

      Because Cuckoos Egg is light on technical details, and is really throwaway, populist fluff. It wasn't written for a technical audience, just a curious one.
      If I want a book to tell me about network security I don't want it written in layman's language - I want it written in a language a competent systems administrator appreciates. It's not about NAT'ing your home system, it's about protecting a network...
      It's a bad parallel to draw as far as I'm concerned. Cuckoos Egg was a great book compared to some of the other books on "Hacking" that proliferated in the early 1990's, but it was never a manual on keeping your systems secured. The internet was a very different beast when that book was written.

      --
      I don't read your sig, why do you read mine?
    3. Re:I enjoyed Cuckoos Egg years ago.. by iamcf13 · · Score: 1

      If I remember correctly, I read that entire book in one long session--it was that *good!*

      I found it a fascinating account of Cliff Stoll's efforts to nab the patient, methodical computer cracker who was halfway around the world in another country with only a small, overlookable anomaly as the only clue that starts the pursuit in full swing.

      I should still have it lying around somewhere (along with Steve Levy's Hackers) so that I could re-read it(them) someday....

      Bryan Taylor
      iamcf13@hotpop.com
      SpamByte code: 7
      (see http://www.cf13.com/game-over-spammers.htm )
      All email containing unwanted content will be summarily deleted or reported as spam.

  10. Know your enemy by Anne_Nonymous · · Score: 0, Flamebait

    I'm pretty sure that in this day and age law enforcement is the enemy.

  11. Metaphors be with you by Anonymous Coward · · Score: 0

    Thank you for the enlightening comparison of a subject in which I am sort-of-maybe competent (computer security), to one in which I am functionally impotent (field forensics).

  12. Honeynet and Hacker Psychology by cbelt3 · · Score: 5, Interesting
    Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. "

    Reminds me of what happened to Gene Hackman's character in The Conversation . I personally think that it's more of a challenge / territorial thing- that once hacked, you become motivated to try again without getting caught. Kind of like a Respawn... I agree with the article that the primary purpose is not to 'catch' the hamsters, but to learn their patterns as they race around in their safe little wheels.

    As far as organizing the system, why not set it up like George Carlin's old joke - When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other ?

    1. Re:Honeynet and Hacker Psychology by kfg · · Score: 2, Funny

      When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other ?

      And charge them $4.95/minute.

      KFG

    2. Re:Honeynet and Hacker Psychology by JAD+lifter · · Score: 1

      For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge

      I'd strongly disagree with that. I think that most hackers would place getting caught as being the pinnacle of bad things that can happen as a result of hacking.

    3. Re:Honeynet and Hacker Psychology by minas-beede · · Score: 3, Interesting

      Interesting note in the article : "For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do. " Agreed. On a volume basis it's likely that most abuse is committed by spammers. They've survived for years precisely because they have not been watched in any manner (at the abuse level - all the attention is focused at and after the destination server.) Do even the crudest honeypot you can think of as an anti-spammer tool and you very likely will succeed in gathering information the spammer would rather you not have. Set up an MTA that doesn't ever deliver anything - you'll trap the test messages sent by spammers (mostly in China, Taiwan, and Korea now.) (Guess how I know.) What the heck, here's one: the spammer sends his test messages to a231.b233@msa.hinet.net. A US spammer has sent tests to smtps1@transedge.com, another to meristar1@cox.net. A more complete open relay honeypot can collect spam evidence as well. All the spam that comes to the honeypot is spam that doesn't get delivered independently of whether the intended victim has any protection mechanisms in place or not. Then there are open proxy honeypots. A few people have done honeypot-like things with spam zombie servers. It's still a field in which very useful things can be done...
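
      The "MTA that doesn't ever deliver anything" described in the comment above, written out as an added example; this is not code from the Honeynet Project or from the commenter. It is a small SMTP state machine that answers a probing client the way an open relay would, records every envelope, forwards nothing, and then lists the out-of-domain recipients, which is where a spammer's relay-test messages would have gone. The hostname trap.example.invalid, the addresses, and the scripted session are constructed placeholders, not values from the page.

```python
"""Spam-trap MTA logic: look like an open relay, deliver nothing, keep the envelope.
Added example, not code from the Honeynet Project or the comment it follows.
All hostnames and addresses are constructed placeholders."""
import re
from dataclasses import dataclass, field

LOCAL_DOMAIN = "trap.example.invalid"   # assumed: the domain the sink claims to serve


@dataclass
class Envelope:
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    body: str = ""


class SinkSMTP:
    """SMTP state machine for a honeypot MTA.

    Every command a relay would honour gets the reply a relay would give, so
    the client believes its message was queued. Nothing is ever forwarded:
    the completed envelope is appended to `captured` and dropped.
    """

    def __init__(self, hostname=LOCAL_DOMAIN):
        self.hostname = hostname
        self.captured = []
        self._env = Envelope()
        self._in_data = False
        self._lines = []

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        """Process one client line; return the server reply (None while reading DATA)."""
        if self._in_data:
            if line == ".":                      # end of message body
                self._env.body = "\n".join(self._lines)
                self.captured.append(self._env)  # kept as evidence, never relayed
                self._env, self._lines, self._in_data = Envelope(), [], False
                return "250 OK: queued"          # deliberately false: nothing is queued
            # RFC 5321 dot-stuffing: a leading ".." stands for a literal "."
            self._lines.append(line[1:] if line.startswith("..") else line)
            return None

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._env.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:\s*<([^>]*)>.*", arg, re.IGNORECASE)
            if not m:
                return "501 syntax error"
            self._env.mail_from = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            m = re.fullmatch(r"TO:\s*<([^>]*)>.*", arg, re.IGNORECASE)
            if not m:
                return "501 syntax error"
            # Accept any recipient, including foreign domains: that is what
            # makes the sink look like an open relay to a probing spammer.
            self._env.rcpt_to.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self._env.rcpt_to:
                return "503 need RCPT first"
            self._in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._env, self._lines = Envelope(), []
            return "250 OK"
        if verb == "NOOP":
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 command not recognised"


def run_session(client_lines, hostname=LOCAL_DOMAIN):
    """Drive the sink with a scripted client; return (transcript, captured envelopes)."""
    server = SinkSMTP(hostname)
    transcript = [("S", server.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, server.captured


def relay_test_targets(envelopes, local_domain=LOCAL_DOMAIN):
    """Recipients outside our own domain: the mailboxes a spammer watches to
    see whether the relay test got through, i.e. the evidence worth keeping."""
    targets = set()
    for env in envelopes:
        for rcpt in env.rcpt_to:
            _, _, domain = rcpt.rpartition("@")
            if domain.lower() != local_domain.lower():
                targets.add(rcpt)
    return sorted(targets)


# Constructed relay-test session, modelled on the behaviour the comment describes.
SAMPLE_SESSION = [
    "EHLO probe.spammer.invalid",
    "MAIL FROM:<probe@spammer.invalid>",
    "RCPT TO:<check-relay@mailbox.invalid>",   # foreign mailbox the spammer controls
    "DATA",
    "Subject: relay test 7f3a",
    "",
    "..hidden dot line",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, captured = run_session(SAMPLE_SESSION)
    for who, text in transcript:
        print(f"{who}: {text}")
    print("captured:", len(captured), "relay-test targets:", relay_test_targets(captured))
```

      Running the block prints both sides of the exchange and then the one foreign recipient the session tried to reach. The "250 OK: queued" reply is the whole trick: the client sees a successful relay, but the message only ever lands in `captured`, so nothing the trap receives is passed on to anyone, whatever the intended victim's own filtering looks like.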

  13. Honeynets are good for learning by Anonymous Coward · · Score: 0

    like this one:

    node10.bluenotch.net
    node11.bluenotch.net
    node 12.bluenotch.net
    node13.bluenotch.net
    node14.blu enotch.net

  14. Call me silly... by Anonymous Coward · · Score: 0

    ...but if I'm going to kill people, I don't stick to the same method each time; I choose whatever method is the simplest, safest and least likely to leave anything around for someone to catch me.

    1. Re:Call me silly... by Floody · · Score: 2, Insightful

      ...but if I'm going to kill people, I don't stick to the same method each time; I choose whatever method is the simplest, safest and least likely to leave anything around for someone to catch me.

      Sure, that makes reasonable sense. You forget, however, that the hardest killers to catch (those who kill strangers) aren't motivated by reason, but rather by a psychosexual urge for gratification. This means they tend to kill in whatever way best gratifies them, and that makes them profilable.

      I imagine this doesn't apply to "hackers." God, at least I hope not. ;)

  15. Differences by errxn · · Score: 5, Funny

    For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

    Perhaps, if you happen to be a crime scene investigator and are used to this. For me, both of the above items would fit quite nicely into the "Jesus Christ on a Popsicle Stick, I Just Found a Dead Body, HolyShitHolyShitHolyShit!" category.

    --
    In Soviet Russia, Chuck Norris will still kick your ass.
  16. What gentle prose... by ryanvm · · Score: 4, Funny

    For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

    Yikes - I hope you don't write the church newsletter.

    1. Re:What gentle prose... by ultramk · · Score: 1

      For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

      So... It's like the difference between UT2k4 and Doom3?

      What does that have to do with anything? Am I missing the point?

      m-

      --
      You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
    2. Re:What gentle prose... by Rob+Carr · · Score: 4, Funny
      For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.

      Yikes - I hope you don't write the church newsletter.

      You're right. The church newsletter needs to be clear. The above example mixes elements of MO and signature. Signature is born of the fantasy life of the criminal - it's the sorts of things that don't need to be done to accomplish the crime.

      An MO might be using a 22 to the back of the skull - simple, effective, and it's not likely to leave a lot of blood spatter. This demonstrates criminal sophistication and planning.

The MO of the body in the ditch would depend on the cause of death, but clearly the homicide is a case of overkill. One does not need to decapitate someone to kill them - severing the carotid arteries is sufficient, if a bit messy and more likely to create blood spatter and other forensic evidence. That would indicate a lack of sophistication. The mutilation and decapitation indicate rage and some of the fantasy aspects of the criminal, and are part of the signature. The presence of the body in the ditch might simply be convenience, but it suggests an attempt to further degrade the victim. Victimology might give us further insight into the criminal's thoughts. Is the victim the primary target, or is the victim standing in for someone else?

      A great book on this topic is the Crime Classification Manual. It covers this in depth.

      Funny you should mention the church newsletter. I no longer write ours. Perhaps I wasn't clear enough.

      --
      This sig seemed like a good idea at the time....
    3. Re:What gentle prose... by alkali · · Score: 1

      I second the recommendation of the Crime Classification Manual, which was written by the guy at the FBI who is known for "profiling" serial killers. Suffice it to say that "profiling" criminals does not involve pseudo-ESP insights into the minds of the deranged, but instead involves the application of some common sense insights derived from large aggregations of data -- which is actually more interesting.

      By way of example, there are about 5 reasons someone commits arson: vandalism, thrill-seeking/perversion, revenge, concealing a crime, or profit (e.g., insurance fraud). If the target is a school, the reason for the arson is almost certainly vandalism, and the wrongdoer is almost certainly a teenaged male. If the target is a warehouse in an industrial area, the reason for the arson is almost certainly either revenge or profit, in which case you are looking at the insured or (less likely) one of his enemies. Etc., etc. It's an interesting book.

    4. Re:What gentle prose... by Jonah+Hex · · Score: 1
      there are about 5 reasons someone commits arson
      Forgot about tradition, as in our local, quaint yearly celebration of Devil's Night here in Detroit. ;)

      Jonah Hex
    5. Re:What gentle prose... by DNS-and-BIND · · Score: 1
      Isn't that known as "profiling"? I thought that was illegal.

      Let's get this straight - school burns down, it's OK to say it's a teenage male. Bank of New York explodes, it's not OK to say it's a middle eastern man aged 18-34?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    6. Re:What gentle prose... by MikeBabcock · · Score: 1

      Profiling is a very well-used tool in law enforcement. Profiling is only illegal when it involves race and other naughty issues.

As a person who doesn't "get" racism at all, I believe that if, say, 80% of Uzi shootings in Toronto are done by black males, 18-25 and 75% of 30-30 shootings are done by white males, 35-50 then when someone is shot with an Uzi, they might want to check the local black male population.

Racial profiling can also be bad of course, and one must always remember the other 20/25% (in my made-up numbers that have no resemblance to reality whatsoever). That said, you don't look for the shooter to be a two-year-old at a local grade school when the weapon was a PSG-1 either, but is that age discrimination?

      --
      - Michael T. Babcock (Yes, I blog)
  17. Soda profiling. by mikeophile · · Score: 4, Funny

    1) Set up soda machine in office.
    2) Track Mountain Dew purchases.
    3) Use data to identify potential "troublemakers".

    1. Re:Soda profiling. by Anonymous Coward · · Score: 0

      4) ???
      5) Profit!

    2. Re:Soda profiling. by tidepool · · Score: 1

      haha. "Dude, let's go get some FUCKING Mt. Dew" Too funny.

  18. Bad reference by Anonymous Coward · · Score: 0

    > Just as Clarice Starling in The Silence of the Lambs was able to profile

One does not refer to fictitious plot-lines / stories when discussing real-world topics.

  19. Honeynets and Privacy by wayward · · Score: 1

    I looked at the PDF of Chapter 8, and it seemed a little vague. It stated that intruders do not have a reasonable expectation of privacy and owners have a right to monitor their networks, but that there could still be some issues, especially on government-owned networks. They recommended a banner saying that by logging on, the user consented to monitoring. It was still a little confusing; I would have liked to see an example of a court case that found in favor of the intruder.

  20. Financial Motivations by wayward · · Score: 1

    The authors also point out that in countries with weak economies, e.g. Romania, hackers are often interested in financial gain. Not too surprising. If the computer-related job market keeps getting worse, I wonder if there will be an increase in hacking for money.

  21. Follow the link, read the excerpts by tsm_sf · · Score: 4, Informative

    The link provided (http://www.honeynet.org/book/) gives two chapters of the book in PDF form. They are both well worth the read. Especially chapter 16 on profiling. WARNING: Like all works of sociology, it will make you realize that we are just monkeys.


    Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...

    One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."

    The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic."
    (emphasis mine)

    --
    Literalism isn't a form of humor, it's you being irritating.
    1. Re:Follow the link, read the excerpts by TyrranzzX · · Score: 1

      Magic is also what hackers refer to when they don't want you to know how they do something, just like ordinary tricksters.

      Guy1: Hey, Jacktl, how'd you get the admin cg on my server?!

      JackTl: Majik

      Guy1: Arr, I don't like that.

Me: We should enjoy Jack's capacity for mischief and making pretty things on other people's servers.

      JackTL: Yeah

      Guy1: Put the CG away or I'll kick you.

      Jack: Ok....[jack now goes limp for about 5 minutes]

*all of a sudden, about 20 small tanks descend upon guy1 with pull lasers and targeting lasers. He gets carried off while being pointed at. Guy1 then tries to ban jacktl, and instead bans and kicks himself because he reversed the GUIDs*

      Me: How?

      JackTL: Majik

Unfortunately, I think the guy who wrote that book has had the wool pulled over his head "magically", to put it in the proper terminology.

    2. Re:Follow the link, read the excerpts by tsm_sf · · Score: 1

Unfortunately, I think the guy who wrote that book has had the wool pulled over his head "magically", to put it in the proper terminology.

      Proving only that you didn't follow the link and read the chapter. That quote was included just because I thought it was neat.

      --
      Literalism isn't a form of humor, it's you being irritating.
    3. Re:Follow the link, read the excerpts by TyrranzzX · · Score: 2, Informative

I'll come out and say it, just from reading that paragraph I can tell this book is a big read for idiots who can't/don't understand the IT culture. About 99% of the IT culture can be inferred from reading, writing, and talking with people who are in the culture, and when people don't make the effort to understand that culture by at least trying to grasp some of the simpler concepts, they make themselves out to be a village idiot.

Really, I think that most of this book stems from bosses not understanding how the culture of IT people differs from that of the rest of the work force or corporate culture. It's nice that they don't want to offend IT people, as most people go out of their way to do so, but frankly, I think that most bosses don't understand precisely how their businesses work anymore and when their technicians know more about it than they do, they get insecure and feel inferior to the technicians who have to know how all parts of the business work or else they can't do their jobs. This is amplified, of course, when bosses come to rely on their IT staff for many of their decisions. When the bosses make decisions nowadays, they often have to do so taking advice from IT people, and if they don't follow what the IT people say, who are often right, then their business often takes a big punishment. They desperately want to be on par but don't understand how to because they come from a culture, the corporate culture, which disables them from doing so.

If bosses really want to understand the IT Culture, they should start by asking questions to their IT staff and taking notes, not by reading books that take something that can be inferred in about 10 seconds by a regular IT person and turn it into an incorrect 3 paragraph essay. If normal people really want to get on the good side of the culture, they should start with the words "thank you" and end with an apology for being dumb if they keep on having to ask stupid or similar questions over and over.

    4. Re:Follow the link, read the excerpts by tsm_sf · · Score: 1

      Sweet Jesus. I totally regret including that blurb now.

      You wrote THREE paragraphs that have NOTHING to do with either my post, the chapter I linked to, or the original article.

      However, I'm starting to see that simply mentioning the Jargon File is something of a troll. I apologize for my naivete. Truly, I must be new here.

      --
      Literalism isn't a form of humor, it's you being irritating.
    5. Re:Follow the link, read the excerpts by TyrranzzX · · Score: 1

      so what the heck were you saying then?

    6. Re:Follow the link, read the excerpts by tsm_sf · · Score: 1

      basically that one of the chapters is really interesting.

      Btw, I kind of flew off the handle there... sorry about that. Time to cut back on the coffee, i guess =p

      --
      Literalism isn't a form of humor, it's you being irritating.
    7. Re:Follow the link, read the excerpts by TyrranzzX · · Score: 1

And I was making a joke that the guys who wrote the book are morons for taking a relatively simple idea and writing 3 paragraphs on it.

Don't drink coffee. It's a bad solution for not having energy. Read this

      http://www.ideatown.com/ntxa/index.html

I had really bad aggression problems until I started staying off that stuff. Eat fruit salad for breakfast after a good night's rest and if you really need it, take an energy drink instead of coffee since it's more powerful and they usually use a combo cocktail of herbs to get you going instead of just caffeine and sugar.

  22. Re:What's the point ? by minas-beede · · Score: 3, Informative

    I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)

    I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.

I don't think entrapment applies (not even for law enforcement): the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.

    P.S. I think that, many years ago, I saw that policewoman. Seriously.

  23. Foreward? by DrVomact · · Score: 1
    I note that the web site claims to provide a downloadable "Foreward" for the book. Yaaaaagh! This is one of the word abuses that makes me think Western civilization is circling the drain. It's Foreword dammit!

    I wouldn't be so sensitive about this if I didn't occasionally see "Foreward" and "Forward" in actual books. Really! I don't know about you, but when I am contradicted by real, bound paper books, it sometimes makes me momentarily doubt myself. (Nothing I read online ever has this effect on me). What's next--admitting I could be wrong ? Hah!

    Happily, my infallibility is not threatened by this book--I downloaded the "Foreward" and was relieved to see that it's only a harmless "Foreword" after all.

    --
    Great men are almost always bad men--Lord Acton's Corollary
  24. hacker/cracker and the jargon file by ldanna · · Score: 2, Informative

These fools did a detailed analysis of the jargon file. The jargon file explicitly states that it's about "perl hackers" and such as opposed to "l33t h4xors" and such. It would prefer you to call the latter "crackers" and not taint the word "hacker" with their association at all. At the very most, the cracker culture is a subculture of the hacker culture that the jargon file describes. This is a pretty obvious distinction that someone writing a book on the subject really shouldn't have missed.

  25. Know Ben Rothke by Anonymous Coward · · Score: 0

    Ben's quite infamous around eWEEK.

    He's the guy who wrote a provocative editorial claiming Big Brother cannot happen in the US.

    We need less of Ben Rothke.

  26. I have had my time wasted; someone must pay. by Anonymous Coward · · Score: 0

Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter... Hey, hold up there... Agent Starling wasn't able to do any such thing. It was Dr. Lecter who had the brilliant profiling ability, and Starling was ordered to take advantage of it. I mention that not to reaffirm a gratuitous point of pop culture, but because the author's value as a book reviewer is defined by his heedlessness. It's one thing to remember wrongly or to misinterpret, but that wasn't even wrong. It was just... arbitrary; an unconsidered, vaguely appropriate reference to fill the blank space between related yet unconnected sentences. I finished the piece with the feeling I'd get a more substantial and accurate sense of the book's content by reading the dust jacket.

  27. Hmm by Anonymous Coward · · Score: 0

    All very interesting, but who outside of law enforcement and The Honeynet Project and maybe academia is actually ever going to produce a honeynet? It's a lot of money for no real purpose. Good luck selling this book!

  28. "motives" by alex_tibbles · · Score: 2, Informative

"Modus operandi" means "means of operation", not motives. Understanding the means by which an attacker compromised a system is useful information but tells you next to nothing about why the attacker did it. Of course, a honeynet can tell you something about motives, perhaps.

29. Just another increment in security by essreenim · · Score: 1

    you need to understanding what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives.
Many hackers will buy this book. They will analyse the structure of the honeypot and honey net used to detect them. They will alter their strategy so as to counter this. They will use new tools so as to minimize detection and make it harder for analysts to profile. Though their objectives will not change their methods will, and many will mask their behaviour so as not to appear to have the objectives you think they have. Finally, this book is in the public domain, and many analysts will generally stick with the guidelines of books like these, whereas the hackers, generally being more creative, will not stick to guidelines. The best ones will always be one step ahead of this. Many can even now detect when they are penetrating a honey net or honey pot and will no doubt continue to do so.