Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: PCSage Information Services <info () pcsage biz>
Date: Tue, 22 Jun 2004 10:53:48 -0400
Maybe I'm entirely missing the point of honeypots/honeynets, but isn't a successful implementation meant to be transparent to an outside hacker? If this is the case, in truth any hacker could never possibly know if he/she/it is in a honeypot or on a legitimate business host.

While it's true that no security system can ever truly be complete, honeypots present for beleaguered system administrators an opportunity to witness attack vectors in situ and allow them the ability to recognize these attacks if they happen against legitimate business hosts. It seems, to me at least, that while observation may in fact change the event in some way, it is no less worthwhile to witness the methods that attackers may use to infiltrate personal or company systems so as to be better prepared to deal with those attacks should they come.

A good analogy may be this: I have a shed, I store some of my valuable property in it and although I know that there are bolt cutters in the world, it doesn't make it useless for me to put a hasp and padlock on it, as I have at least put due diligence into securing my property. It is neither useless for me to implement video surveillance of my shed should I wish to be able to later identify the person who thinks to use his/her/its bolt-cutters on my fine lock.

HUP or no, honeypots are an excellent method to learn about exploits as they are developed or perpetrated on hosts.
Just my two cents on Heisenberg,

Sean Swayze
swayze AT pcsage DOT biz

On 22-Jun-04, at 6:44 AM, Harlan Carvey wrote:
> > HUP applies to quantum physics
>
> Yes, I'm aware of that.
>
> > - there is no reason why observing a honeypot has to change the behaviour of the person who is using it.
>
> I never said anything about observing a honeypot. What I'm referring to is using honeypots as a mechanism to observe the behaviour of attackers.
>
> > I've seen a spectacularly inept cracker forget to remove the install files for one of his/her root kits - stored in /rk no less - so it's entirely possible a given attacker won't know it's a honeypot.
>
> I'm sure...but again, you've completely missed the point. What I'm looking at is this...if attackers with 0-day exploits know that honeypots are out there (being used to observe them and their techniques), then would they (the attackers) be more likely to target systems and networks where they know for sure there are no honeypots, for fear that their exploits/techniques would be disassembled, examined, explained, and protected against?
>
> Perhaps another way of putting it...say I have a brand spanking new exploit (not blocked by firewalls, and no IDS rules exist for it), something no one has ever even considered. Let's say that I'm particularly nefarious, and intend to use this exploit for malicious purposes. Now, do you think I would run this exploit against arbitrary targets, knowing that somewhere out there, a honeypot would collect the data and someone might figure out what I was doing? Or do you think I would do a little recon (even of a physical nature) first, to ensure that I've got a really juicy, easy to access target...with NO honeypots?