Honeypots mailing list archives

Re: Jail Time for Honeypots?


From: "Bernie, CTA" <cta () hcsin net>
Date: Sun, 20 Apr 2003 16:46:38 -0400

Bernie CTA>>>
I do not believe a honeypot operator would be in violation of 
any law if one deploys a honeypot connected to a public IP 
address / block assigned to them (statically or dynamically) by 
their upstream provider, as a security measure and practice, 
given that any traffic sent to any of the IP address(es) assigned 
to the honeypot could be inspected, recorded and interacted 
with, as the operator could establish "reasonable evidence" that 
"it" was the intended recipient. I therefore see no evidence of 
any illegal interception or reason why the operator of the 
honeypot (operator) could not legitimately analyze the 
information (activity) recorded to develop and enhance security 
safeguards for their systems, and otherwise disclose any 
discovered vulnerabilities, threats and attack profiles to any 
interested party.
 
This in my opinion is analogous to using a Telephone 
answering machine on your home phone as a security 
measure to screen calls and protect your privacy. You may 
alert your friends to a caller who is trying to invade your 
privacy, or better yet, report them to the FTC for violation of the 
new Telemarketing Sales Rule (TSR).  

On the other hand, unlike most home telephone systems the 
attacker may be able to compromise the honeypot and use it to 
facilitate an attack upon "private systems" i.e., systems outside 
of the operator's control or authority. If the operator cannot 
establish that a "good faith effort" was made to install industry 
recognized safeguards to prevent such abuse, then I would 
tend to believe that the operator could have civil and possibly 
criminal liability. 

Here is another interesting dilemma for honeypot deployments. 
If we restrict the "output" of the honeypot in order to prevent an 
attacker from using it to facilitate an attack on another "private 
system" could we truly obtain quantifiable intelligence of 
attackers who pose the greatest threat/risk to system security? 
I would have to believe that most if not all seasoned hackers, 
crackers and phrackers could easily discover the prophylactic 
and move on to another target without leaving much of a 
fingerprint. Then again, I am sure we could catch a bunch of script 
kiddies. But how quantifiable would that intelligence "noise" be 
if we were to compare the resources consumed to deploy and 
analyze the honeypot and its "noise" to the risks associated 
with the unidentified but known threats?
My suggestion is to deploy honeypots "intelligently". That is, 
design the honeypot as an interactive threat mitigation and 
analysis component of your security topology. Instead of 
planting honeypots to catch and respond to random noise, 
deploy the honeypot in countermeasure topology to actively 
intercept and respond to security triggers/traps generated from 
production systems. In addition, define the use of honeypots in 
your Systems Security Policy as one of the security threat 
mitigation and analysis components of your topology. Be sure 
to include some language about your procedures/practices for 
handling of information, incidents and testing of safeguards to 
prevent compromise and control attacker egress activity. 

While I do not believe current honeypot designs significantly 
help in identifying attackers who could do the most damage and 
pose the greatest risk, I do feel that there is a benefit if 
properly deployed and managed. Besides, the script kiddies 
need a place to take their noise and play.

bhh<<<


On 19 Apr 2003, at 22:59, George Chamales wrote:

Eko,

I sincerely thank you for bringing the securityfocus article to
the group's attention.  I read my email much more than I read
securityfocus and the article may otherwise have slipped by me. 
I think the article itself is an extremely good read and
represents a refreshingly level-headed approach to the legal
issues that may (someday) affect honeynets. I feel that the 
blurb taken from broadbandreports.com is inflammatory FUD. 
Richard Salgado's very reasonable quotes are taken out of context
and I believe the broadbandreports.com summary does not do the
article justice.

george

Eko Sulistyo said:
When I browse around I find this interesting
http://www.broadbandreports.com/shownews/27605

A Justice Department attorney warned this week that
using a honeypot, or "wireless mousetrap" for research
or otherwise could put you on the wrong side of the
law. According to this Security Focus article, using
honeypots could backfire by allowing the person you
monitor to launch a lawsuit, as well as run afoul of
federal wiretapping laws. "There are some legal issues
here, and they are not necessarily trivial, and
they're not necessarily easy," says Richard Salgado,
attorney for the Department of Justice's computer
crime unit. Honeypots could be considered as
"interception of communications," a felony that
carries up to five years in prison.

For full story :
http://www.securityfocus.com/news/4004

Wow, I'm shocked. And all this time I thought we are
the good guys....
That makes me wonder. It seems we have to change the
color of our hat to gray, or even worse, black. ^_^

****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
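The post above argues two things about egress: that a honeypot's outbound traffic must be throttled so a compromised box cannot be turned against third parties, and that throttling it too hard tells a skilled attacker the box is a trap. The following is an added example, not code from the thread or from any honeypot project, showing the kind of outbound connection limiter (per-protocol connections per hour plus a short always-blocked port list, in the style of the Honeynet Project's Honeywall rules) that reconciles the two by letting a bounded number of connections through. The protocol limits, the blocked-port set and the connection records are constructed for illustration.

```python
"""Outbound-connection limiting for a honeypot egress path (constructed example)."""
from collections import deque

# Hypothetical policy: allowed outbound connections per protocol per window,
# and ports that are never allowed out (no mail relay from the honeypot).
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
BLOCKED_PORTS = {25}
WINDOW_SECONDS = 3600


class EgressLimiter:
    """Sliding-window limiter keyed on (honeypot source IP, protocol)."""

    def __init__(self, limits=None, blocked_ports=None, window=WINDOW_SECONDS):
        self.limits = dict(limits or DEFAULT_LIMITS)
        self.blocked_ports = set(blocked_ports or BLOCKED_PORTS)
        self.window = window
        # (src, proto) -> timestamps of connections that were allowed
        self._history = {}

    def decide(self, ts, src, proto, dport=None):
        """Return (verdict, reason) for one new outbound connection attempt."""
        proto = proto.lower()
        if dport is not None and dport in self.blocked_ports:
            return ("DROP", f"outbound port {dport} is always blocked")
        limit = self.limits.get(proto)
        if limit is None:
            return ("DROP", f"unknown protocol {proto}")
        q = self._history.setdefault((src, proto), deque())
        # expire allowed connections that have fallen out of the window
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return ("DROP", f"{proto} limit {limit} per {self.window}s exceeded")
        q.append(ts)
        return ("ALLOW", f"{len(q)}/{limit} used in window")


def apply_policy(records, limiter=None):
    """Run (ts, src, proto, dst, dport) records through the limiter in order."""
    limiter = limiter or EgressLimiter()
    decisions = []
    for ts, src, proto, dst, dport in records:
        verdict, reason = limiter.decide(ts, src, proto, dport)
        decisions.append((ts, src, proto, dst, dport, verdict, reason))
    return decisions


def summarize(decisions):
    """Count ALLOW/DROP verdicts."""
    counts = {}
    for d in decisions:
        counts[d[5]] = counts.get(d[5], 0) + 1
    return counts


# Constructed sample: honeypot 10.0.0.5 is compromised around t=100 and the
# attacker starts an SMB sweep, tries to relay mail, does a DNS lookup, and
# comes back an hour later. Fields: (unix_ts, src, proto, dst, dport).
SAMPLE_RECORDS = (
    [(100 + i, "10.0.0.5", "tcp", f"192.0.2.{i}", 445) for i in range(20)]
    + [(150, "10.0.0.5", "tcp", "192.0.2.200", 25)]
    + [(200, "10.0.0.5", "udp", "192.0.2.53", 53)]
    + [(3800, "10.0.0.5", "tcp", "192.0.2.100", 80)]  # window has slid past t=100..114
)

if __name__ == "__main__":
    decisions = apply_policy(SAMPLE_RECORDS)
    for d in decisions:
        print(*d)
    print(summarize(decisions))
```

The first fifteen SMB connections are allowed, so the attacker sees the sweep partly succeed and has less reason to suspect a trap; the remaining five, and the mail relay attempt, are dropped; an hour later the window has emptied and outbound is permitted again. Whether fifteen is the right number is exactly the trade-off the post describes, and it belongs in the security policy the post says should document the egress controls.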

