Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: leer2 () OGN AF MIL (1Lt Rob Lee)
Date: Tue, 7 Mar 2000 08:40:55 -0500
On whether Honeypots are legal or not?
From TITLE 18 CRIMES AND CRIMINAL PROCEDURES

CHAPTER 119. WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND INTERCEPTION OF ORAL COMMUNICATIONS

(2) (a) (i) It shall not be unlawful under this chapter [18 USCS §§ 2510 et seq.] for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.

I'm not sure of the exact nature of how system administrators can monitor systems or a specific individual. It is definitely still a gray area, and the best thing to do would be to contact the local authorities for guidance. I know it is fine to use Intrusion Detection Systems and other logging mechanisms to monitor people to keep them from doing BAD things on your network. However, if you read the last part of the statement, you can see how setting up a honey pot is not exactly protecting your network. You are only allowed to monitor to ensure that you can PROTECT your systems. Once you discover a bad guy, all you can really do is use the information to stop the compromise. If you set up extra monitoring, placing traps, fish-bowling, or monitoring a specific IP or network, it becomes GREY as to whether you are really protecting your systems or conducting an illegal wiretap. Just be cautious is all I say. If it were me, I would just rebuild, set up the system again with appropriate patches, and ensure that my systems are protected. "Watching" a hacker via a honey pot is not exactly protecting a system. (But even THAT can be argued, I know..)
For officially sanctioned CONSENSUAL wiretaps for evidence gathering on behalf of law enforcement and approved by law, banners are necessary. It works like this:

1. You can watch for ANY IP coming in on a bannered port.
2. You can watch for ANY PORT from a specific IP once it can be proven that that SUBJECT has seen the banner (e.g. banner sent to his system).

Ports can be bannered using TCP-WRAPPERS or PORT-SENTRY, for example. The problem there is what do you do about ICMP, UDP, and TCP traffic that does not have bannering support with it? Not much. You hope you can catch the SUBJECT seeing a banner. Sooner or later the SUBJECT would have to move a file from one system to another, either through secure copy or FTP, either of which could be bannered. Then, once it is proven that the SUBJECT has seen that banner, you can open up the wiretap to watch all traffic between the source IP and the VICTIM machine.

TITLE 3 Wiretaps do not need banners since they are "non-consensual" wiretaps. Yet obtaining these is VERY rare and it takes a lot of time.

Hope this helps...

Lt Rob Lee
____________________________________________________
Rob T. Lee, 1LT, USAF
Chief, Intrusion and Monitoring Team
Air Force Office of Special Investigations
Email: leer2 () ogn af mil
____________________________________________________
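As an added illustration of the "bannered port" step described in the post above (this is editorial example configuration, not part of Lt Lee's message), here is how TCP Wrappers (tcpd) delivers a per-service banner before the wrapped daemon runs and logs the connection it was delivered on. The directory /etc/banners and the name <ORGANISATION> are placeholders; only TCP services started through tcpd are covered, so UDP and ICMP traffic never sees a banner, exactly the gap the post points out.

```text
# /etc/hosts.allow -- tcpd/libwrap extended option syntax, see hosts_options(5).
# Assumed placeholder directory: /etc/banners.
# For each wrapped TCP daemon, tcpd looks for /etc/banners/<daemon name>,
# sends that file to the client before handing the connection to the
# daemon, and logs the connection (daemon name, client host) via syslog.
# That syslog line together with the banner file is the record that the
# banner was delivered to the source address.
in.ftpd    : ALL : banners /etc/banners
in.telnetd : ALL : banners /etc/banners

# /etc/hosts.deny -- anything not matched in hosts.allow is refused.
ALL : ALL

# /etc/banners/in.telnetd -- plain text; %d and %a are expanded by tcpd
# to the daemon name and the client address (see hosts_access(5)).
This system (%d service) is the property of <ORGANISATION>.
Use of this system constitutes consent to monitoring and recording
of all activity on it. Your connection from %a has been logged.

# /etc/banners/in.ftpd -- same text, but every line carries the FTP
# multi-line reply prefix "220-" so the client treats it as part of the
# server greeting rather than a protocol error (the tcp_wrappers
# Banners.Makefile generates the per-daemon files this way).
220-This system (%d service) is the property of <ORGANISATION>.
220-Use of this system constitutes consent to monitoring and recording
220-of all activity on it. Your connection from %a has been logged.
```

The banners option is only processed when tcpd was built with PROCESS_OPTIONS, so check the wrapper build before relying on the log entries as evidence of banner delivery.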