Honeypots mailing list archives
RE: Heisenberg in the honeypot
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 21 Jun 2004 11:22:59 -0700 (PDT)
Chuck,
Since I'm not well versed on the Principle, I'd have to say the application is flawed.
Okay, fair enough.
As far as lab testing, this may work if you're a security tester in a large corporation who has everything they need in the lab to test it. But what about the guy with no lab?
That's where I can see your point...that someone found something, and tests/hones it on the Internet b/c he/she doesn't have any other means of doing so.
People scan all the time. When a Honeypot responds to a scan favorably to a cracker, then he just found his target to test it on (along with a number of people who don't keep their servers patched). To the Cracker, it all looks the same. It won't be until he's poked around in the box that he may be able to figure out it's a honeypot.
True, but scanning and exploiting unpatched systems doesn't exactly qualify as zero-day. And my point isn't knowing that a box is a honeypot or not, but instead targeting networks where I know there are no honeypots. For example, if I meet someone online or in a bar and find out they're a sysadmin, I can get to know them, chat w/ them, develop an understanding of their technical abilities...then mention honeypots. If they tell me, "yeah, but we don't have any" or simply don't know what I'm talking about...
With Honeypots being used to keep exploits withheld from large scale use... I think it's just the opposite. It's honeypots that are first in finding many of the 0 day exploits.
Two things really quick...as I may agree with your comments. First is, I'm not saying that honeypots are keeping exploits withheld so much as I'm suggesting that b/c honeypots are out there, the folks w/ the 0-days may be more careful in targeting...the distinction may be subtle. The second thing is...I'm not familiar w/ any sites that are providing information on 0-days discovered w/ honeypots. Do you have any sites you can provide, aside from the ubiquitous Google? I am familiar w/ the HoneyNet project, as well, and I have even participated (been a while) in analysis of information, but to be honest, there wasn't anything 0-day about what I saw.