Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: PCSage Information Services <info () pcsage biz>
Date: Tue, 22 Jun 2004 10:53:48 -0400

Maybe I'm entirely missing the point of honeypots/honeynets, but isn't a successful implementation meant to be transparent to an outside hacker? If this is the case, in truth any hacker could never possibly know if he/she/it is in a honeypot or on a legitimate business host. While it's true that no security system can ever truly be complete, honeypots present beleaguered system administrators with an opportunity to witness attack vectors in situ and give them the ability to recognize these attacks if they happen against legitimate business hosts. It seems, to me at least, that while observation may in fact change the event in some way, it is no less worthwhile to witness the methods that attackers may use to infiltrate personal or company systems so as to be better prepared to deal with those attacks should they come. A good analogy may be this: I have a shed, I store some of my valuable property in it, and although I know that there are bolt cutters in the world, it doesn't make it useless for me to put a hasp and padlock on it, as I have at least put due diligence into securing my property. Nor is it useless for me to implement video surveillance of my shed should I wish to be able to later identify the person who thinks to use his/her/its bolt cutters on my fine lock. HUP or no, honeypots are an excellent method to learn about exploits as they are developed or perpetrated on hosts.

Just my two cents on Heisenberg,

Sean Swayze
swayze AT pcsage DOT biz

On 22-Jun-04, at 6:44 AM, Harlan Carvey wrote:

> > HUP applies to quantum physics
> 
> Yes, I'm aware of that.
> 
> > - there is no reason why observing a
> > honeypot has to change the behaviour of the person
> > who is using it.
> 
> I never said anything about observing a honeypot.
> What I'm referring to is using honeypots as a
> mechanism to observe the behaviour of attackers.
> 
> > I've seen a spectacularly inept cracker forget to
> > remove the install
> > files for one of his/her root kits - stored in /rk
> > no less - so it's
> > entirely possible a given attacker won't know it's a
> > honeypot.
> 
> I'm sure...but again, you've completely missed the
> point.
> 
> What I'm looking at is this...if attackers with 0-day
> exploits know that honeypots are out there (being used
> to observe them and their techniques), then would they
> (the attackers) be more likely to target systems and
> networks where they know for sure there are no honeypots,
> for fear that their exploits/techniques would be
> disassembled, examined, explained, and protected
> against?
> 
> Perhaps another way of putting it...say I have a brand
> spanking new exploit (not blocked by firewalls, and no
> IDS rules exist for it), something no one has ever
> even considered.  Let's say that I'm particularly
> nefarious, and intend to use this exploit for
> malicious purposes.  Now, do you think I would run
> this exploit against arbitrary targets, knowing that
> somewhere out there, a honeypot would collect the data
> and someone might figure out what I was doing?  Or do
> you think I would do a little recon (even of a
> physical nature) first, to ensure that I've got a
> really juicy, easy to access target...with NO
> honeypots?
