Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Thu, 2 Mar 2000 15:54:21 -0600
I am in the process of doing the same thing. I am setting up a shadow intrusion detection system. I am also going to set up several dummy systems. Right now, I have some things wide open in an attempt to catch some people that have been poking around where they ought not to be. The 'wide-open' is heavily monitored and very restricted in reality. However, the perp coming in is not aware of this.
Generally honey pots are a horrible idea for most people. There are a variety of reasons for this. The main reason is that most people don't have the time to adequately manage the task. Also, you are making yourself open to big-time problems if you aren't careful and you end up irritating the attacker or they find another way in. I won't go into all my reasons here, but I actually touched on this some in a presentation I gave. Here is the link on my thought-process:

http://www.psionic.com/papers/present/defcon7/sld022.htm

Of course opinions are cheap, but network downtime is not. My core piece of advice is that you should make the attacker move on to your neighbor. A selfish stance, but necessary in the Internet environment.

The reality is that no matter what evidence you collect, law enforcement is almost always incapable of doing anything. This is not an attack on law enforcement; it is just an opinion I hold as to the *current* state of law enforcement capabilities and strategies. It is a manpower and education issue that has been ignored for so long that most agencies are simply not prepared to deal with the threat. To squelch the flames before they start, my degree is in Criminology and Criminal Justice, so I do have more than just a surface insight into this area.

If you are facing a serious compromise situation where an attacker has gained full internal access, and you want to contain and analyze the damage, you may wish to deploy a honey pot. For most cases though, I think running a honey pot on your external border is not a good idea.

-- Craig
http://www.psionic.com