Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 22 Jun 2004 09:58:31 -0700 (PDT)


> Maybe I'm entirely missing the point of honeypots/honeynets, but isn't
> a successful implementation meant to be transparent to an outside hacker?

You're right...that's the case.  However, there are
advertised honeypots...many folks are aware of the
HoneyNet project.  Also, I've received more than one
email (directly, not to the list) from individuals
stating that they have honeypots that (essentially)
aren't configured properly.  Meant to be transparent,
yes...but firewalls, IDS, and anti-virus software are
meant to do certain things, too...things they can't do
if they're not configured and maintained properly.

> If this is the case, in truth any hacker could never possibly
> know if he/she/it is in a honeypot or on a legitimate business host.

At this point, I really think we're getting into
semantics, which is something I want to avoid. 
Suffice to say, if I were to discover a unique exploit
or technique, and I had malicious intent, I would
avoid using that technique on networks/targets that I
was not relatively sure did NOT have well-managed and
well-maintained honeypots.  

> While it's true that no security system can ever truly be complete,
> honeypots present for beleaguered system administrators an opportunity
> to witness attack vectors in situ and allow them the ability to
> recognize these attacks

Again, we're getting into semantics, but I have to
ask...if the sysadmin is "beleaguered" as you
describe, then how can that sysadmin be expected to
properly manage a honeypot, and then understand what
it's telling him?  To me, "beleaguered" refers to
over-tasked, under-trained admins who can't monitor
even just their critical systems on a regular basis,
let alone set up and manage an entirely new system.

> It seems, to me at least, that while observation may in fact
> change the event in some way, it is no less worthwhile to witness the
> methods that attackers may use to infiltrate personal or company
> systems so as to be better prepared to deal with those attacks should
> they come.

I agree with you, to some extent.  However, I'm not
entirely sure I see how useful a honeypot is if admins
don't know (for example) what failed login attempts
look like in the Windows Security Event Log.  

But that's not really my point.  What I'm asking
pertains more to zero-days...I've got something
entirely new, not just a variation on something that's
already been done.  If I truly intend to target an
organization with the intent of using my exploit to
gain access to information, I (personally) would want
to do so with some reasonable assurance I wouldn't get
caught...reduce the risk.  

A disgruntled employee might use a 0-day against a
former employer...having knowledge of the
infrastructure.  

There are plenty of non-technical means of getting
information that would lead you to believe (with a
reasonable level of certainty) what the level of
security (devices in place, knowledge level of the
staff, etc) of the target. 

Another way of putting it is this...we see widespread
attacks by automated worms all the time, right?  A
vulnerability is announced/described and at some
point, a worm (or some other exploit) appears...right?
By definition, that's not a zero-day...the
vulnerability has already been announced, and in many
cases, a patch (or some other mitigation mechanism)
has already been provided.  In a lot of cases, we'll
see announcements of new worms, but that new worm
takes advantage of already-patched vulnerabilities
(Code Red, etc.).

Now, go back to my original post..."what kind of
things are we really seeing in the honeypots?"  Are
0-days being detected?  
