Information Security News mailing list archives

Honeypots: Bait for the Cracker


From: InfoSec News <isn () C4I ORG>
Date: Wed, 7 Mar 2001 17:33:04 -0600

http://www.wired.com/news/culture/0,1284,42233,00.html

by Michelle Delio
2:00 a.m. Mar. 7, 2001 PST

Set up a server and fill it with tempting files. Make it hard but not
impossible to break into. Then sit back and wait for the crackers to
show up.

Observe them as they cavort around in the server. Log their
conversations with each other. Study them like you'd watch insects
under a magnifying glass.

That's the basic concept behind honeypots and honeynets, systems that
are set up specifically so that security experts can secretly observe
crackers in their natural habitats.

The Honeynet Project team, an invitation-only security group, has been
running the project, a network that exists only so the team can watch
who cracks it, in order to determine what crackers do and why they do
it. The team will soon publish a paper on their research.

But some say that honeynets and honeypots, single servers used for
cracker observation, are really nothing more than electronic
wiretapping and entrapment and charge that the systems are unethical
and possibly illegal.

London SecTech systems administrator Dan Adams, who is following the
project closely, said that honeynets are ethically similar to
installing electronic surveillance equipment in a nursery school.

Honeynets give crackers a large space in which to roam. They present
obstacles that are challenging enough to engage them but not difficult
enough to frustrate them completely, Adams said.

"They get to play with stuff, and they chatter excitedly among
themselves about all the 'kewl warez' they are finding, while the
security people who set it up are watching their every move with
amusement," Adams said. "Frankly, I have mixed emotions about spying
on people, even if they aren't nice people."

Adams also feels that honeypots and honeynets come close to
entrapment.

"It's like opening a fake store, loading it with cool stuff, and
sitting back hoping someone will break into it," he said.

But since entrapment involves coercing someone to commit a crime they
would not otherwise have committed, attorney Jason Wilson said that
the typical honeynet or honeypot would not be considered entrapment
under United States law.

"If you, for example, asked the team members to anonymously spread the
word around the hacker corners of the Net that there was an
unprotected network chock full of goodies, then there could be an
argument made for entrapment," Wilson said.

Honeynet team member Saumil Shah said that nothing special is done to
attract crackers to the honeynet.

"The honeynet systems got hacked within just a week of being deployed.
The first attack occurred on June 4, 2000," Shah said. "There was no
publicity of the honeynet being live, the systems contained absolutely
no information of any value, yet they were hacked."

Shah said the team has learned about the tools that attackers use. But
perhaps more importantly, they have also learned about crackers'
motives for attacking systems: Many don't crack a system because they
want to access information, they crack it simply because they can.

The crackers also use systems to launch attacks on other networks or
to run private chat systems.

Since most crackers quickly set up private Internet Relay Chat proxy
servers on any system they can access, honeynet or honeypot observers
are often able to capture logs of the crackers' conversations.

The ability to monitor private conversations is one of the reasons
that some have ethical problems with honeynets.

One of the original honeynet team members, J.D. Glaser, director of
engineering at security firm Foundstone, recently resigned from the
project. He hopes it won't continue to grow.

Glaser said that he has become increasingly convinced that electronic
wiretapping is wrong, even when it's used for research.

He also feels that creating an enticing hazard in order to study
criminal behavior is wrong and may actually promote criminal behavior.

"Expanding the honeypot seems dangerously close to tramping on others'
rights, even criminals' rights," Glaser said. "There are not many laws
or precedence yet set in this area, and I think the success or failure
of honeypots will soon be a factor in determining new laws or
justifications for government activity.

"And it would be hypocritical for me to be against the government
doing it, but somehow find a way to justify my own reasons."

Glaser also believes that it's unfair to watch and not get involved in
situations where the team has knowledge that crackers they are
watching are also compromising other systems.

"If you monitor something, you are obligated to report what you learn,
both to (the person) who is getting robbed and to the authorities. You
cannot just watch and not get involved. In my mind it makes you part
of the act."

But Glaser also added that when the team did report the problems to
systems owners, "They were actually pissed at us. Out of about 125
people we contacted, only one was thankful. The others were very not
happy and looked at us as the bad guys."

The honeynet first went live in the last week of May. It started as a
homegrown project by Lance Spitzner, who is a part of Sun
Microsystems' GESS Global Security Team. The honeynet network is based
out of Lance's extra bedroom.

The honeynet is a standard production system, running real server
software and applications. Nothing is emulated, nor is anything done
to make the system more insecure.

And like virtually all other networks, a honeynet is protected by a
firewall that screens and filters inbound and outbound data. The risks
and vulnerabilities discovered within a honeynet are the same that
exist in many organizations today.
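The article notes that a honeynet's firewall filters outbound as well as inbound traffic, and that crackers use compromised honeypots to attack other networks and to run IRC proxies. The following added example (not from the article or the Honeynet Project) shows the defender's side of that control: it reads constructed iptables-style log lines, counts new connections leaving the honeynet per honeypot host, and flags hosts that exceed an assumed per-host limit, labelling any connection to the classic IRC port. The address range, limit, and log format are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("192.0.2.0/24")  # assumed honeynet range (TEST-NET-1, constructed)
OUTBOUND_LIMIT = 3                     # assumed per-host cap on new outbound connections
IRC_PORTS = {6667}                     # classic IRC port, used only to label a finding

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
                     r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?(?P<flags>.*)$")

# Constructed iptables-style LOG lines: an inbound scan, one honeypot opening several outbound connections (one to IRC), a DNS lookup, intra-honeynet traffic.
SAMPLE_LOG = """\
Mar  7 02:00:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21 SYN
Mar  7 02:00:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1031 DPT=6667 SYN
Mar  7 02:00:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 PROTO=TCP SPT=1032 DPT=22 SYN
Mar  7 02:00:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.21 PROTO=TCP SPT=1033 DPT=22 SYN
Mar  7 02:00:14 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.22 PROTO=TCP SPT=1034 DPT=22 SYN
Mar  7 02:00:20 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.9 PROTO=UDP SPT=1035 DPT=53
Mar  7 02:00:31 fw kernel: IN=eth1 OUT=eth1 SRC=192.0.2.11 DST=192.0.2.10 PROTO=TCP SPT=1036 DPT=80 SYN
"""

def parse_line(line):
    """Return (src, dst, dpt, is_new_connection) or None for an unparsable line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # A TCP SYN without ACK starts a connection; every UDP datagram is treated as one.
    new = m["proto"] == "UDP" or ("SYN" in m["flags"] and "ACK" not in m["flags"])
    return ip_address(m["src"]), ip_address(m["dst"]), int(m["dpt"] or 0), new

def outbound_summary(log_text):
    """Per-honeypot count of new connections leaving the honeynet, plus IRC-port destinations."""
    counts, irc_dests = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dpt, new = rec
        if not new or src not in HONEYNET or dst in HONEYNET:
            continue  # ignore inbound traffic, intra-honeynet traffic and non-initial packets
        counts[str(src)] += 1
        if dpt in IRC_PORTS:
            irc_dests.setdefault(str(src), []).append(str(dst))
    return counts, irc_dests

def hosts_over_limit(log_text, limit=OUTBOUND_LIMIT):
    """Honeypot hosts whose outbound connection count exceeds the limit, sorted."""
    counts, _ = outbound_summary(log_text)
    return sorted((host, n) for host, n in counts.items() if n > limit)
```

In a live deployment the same counting would drive a firewall rule that blocks or rate-limits further outbound connections from the flagged host, which is the control that keeps a compromised honeypot from being used against third parties.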

But the Honeynet Project does not focus on prosecution.

They do share all the information they gather on their website and
with security programs such as CERT and the SANS GIAC (System
Administration, Networking, and Security Institute). But they won't go
to any great lengths to track the crackers down.

Most security experts think that honeynets and honeypots are best used
to track, trap and trace crackers who have already entered a
particular system. The most famous honeypot of this type was devised
by Clifford Stoll and documented in his book Cuckoo's Egg.

Stoll was an astronomer who became a systems manager. When working in
the Lawrence Berkeley Lab, he noticed an intruder who was using the
lab as a launching board to crack into U.S. government networks, in
order to steal and sell military and intelligence information.

Stoll set up a honeypot and began to spy on the spy. A year later, his
honeypot had resulted in an international investigation of KGB cracker
Markus Hess.

Stoll's success aside, some security experts feel that honeynets and
honeypots, at best, provide little more than amusement for observers.

"You rarely hear about any really elite hackers falling into a
honeypot. They seem to draw in moderately skilled people, at best,"
said Adams.

"Honeypots and nets strike me as an interesting sociopolitical
experiment, and a great way to confirm what we already know -- that
systems are under constant attack. But I haven't learned anything that
I didn't already know."

ISN is hosted by SecurityFocus.com