Honeypots mailing list archives
Re: Jail Time for Honeypots?
From: "Bernie, CTA" <cta () hcsin net>
Date: Sun, 20 Apr 2003 16:46:38 -0400
Bernie CTA>>>

I do not believe a honeypot operator would be in violation of any law if one deploys a honeypot connected to a public IP address / block assigned to them (statically or dynamically) by their upstream provider, as a security measure and practice. Given that any traffic sent to any of the IP address(s) assigned to the honeypot could be inspected, recorded and interacted with, as the operator could establish "reasonable evidence" that "it" was the intended recipient. I therefore see no evidence of any illegal interception or reason why the operator of the honeypot (operator) could not legitimately analyze the information (activity) recorded to develop and enhance security safeguards for their systems, and otherwise disclose any discovered vulnerabilities, threats and attack profiles to any interested party.

This in my opinion is analogous to using a Telephone answering machine on your home phone as a security measure to screen calls and protect your privacy. You may alert your friends to a caller who is trying to invade your privacy, or better yet, report them to the FTC for violation of the new Telemarketing Sales Rule (TSR).

On the other hand, unlike most home telephone systems the attacker may be able to compromise the honeypot and use it to facilitate an attack upon "private systems" i.e., systems outside of the operator's control or authority. If the operator cannot establish that a "good faith effort" was made to install industry recognized safeguards to prevent such abuse, then I would tend to believe that the operator could have civil and possibly criminal liability.

Here is another interesting dilemma for honeypot deployments. If we restrict the "output" of the honeypot in order to prevent an attacker from using it to facilitate an attack on another "private system" could we truly obtain quantifiable intelligence of attackers who pose the greatest threat/risk to system security?

I would have to believe that most if not all seasoned hackers, crackers and phrackers could easily discover the prophylactic and move on to another target without leaving much of a fingerprint. Then again, I am sure we could catch a bunch of script kiddies. But how quantifiable would that intelligence "noise" be if we were to compare the resources consumed to deploy and analyze the honeypot and its "noise" to the risks associated with the unidentified but known threats?

My suggestion is to deploy honeypots "intelligently". That is, design the honeypot as an interactive threat mitigation and analysis component of your security topology. Instead of planting honeypots to catch and respond to random noise, deploy the honeypot in countermeasure topology to actively intercept and respond to security triggers/traps generated from production systems.

In addition, define the use of honeypots in your Systems Security Policy as one of the security threat mitigation and analysis components of your topology. Be sure to include some language about your procedures/practices for handling of information, incidents and testing of safeguards to prevent compromise and control attacker egress activity.

While I do not believe current honeypot designs significantly help in identifying attackers who could do the most damage and pose the greatest risk, I do feel that there is a benefit if properly deployed and managed. Besides, the script kiddies need a place to take their noise and play.

bhh<<<

On 19 Apr 2003, at 22:59, George Chamales wrote:
Eko,

I sincerely thank you for bringing the securityfocus article to the group's attention. I read my email much more than I read securityfocus and the article may otherwise have slipped by me.

I think the article itself is an extremely good read and represents a refreshingly level-headed approach to the legal issues that may (someday) affect honeynets. I feel that the blurb taken from broadbandreports.com is inflammatory FUD. Richard Salgado's very reasonable quotes are taken out of context and I believe the broadbandreports.com summary does not do the article justice.

george

Eko Sulistyo said:

When I browse around I find this interesting
http://www.broadbandreports.com/shownews/27605

A Justice Department attorney warned this week that using a honeypot, or "wireless mousetrap" for research or otherwise could put you on the wrong side of the law. According to this Security Focus article, using honeypots could backfire by allowing the person you monitor to launch a lawsuit, as well as run afoul of federal wiretapping laws. "There are some legal issues here, and they are not necessarily trivial, and they're not necessarily easy," says Richard Salgado, attorney for the Department of Justice's computer crime unit. Honeypots could be considered as "interception of communications," a felony that carries up to five years in prison.

For full story: http://www.securityfocus.com/news/4004

Wow, I'm shocked. And all this time I thought we are the good guys.... That makes me wonder. It seems we have to change the color of our hat to gray, or even worse, black. ^_^
- -
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************