Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?

From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Thu, 9 Mar 2000 19:24:45 -0600


Hi Lamont

On Fri, 3 Mar 2000 lamont () icopyright com wrote:

On Thu, 2 Mar 2000, Craig H. Rowland wrote:

If you are facing a serious compromise situation where an attacker has
gained full internal access, and you want to contain and analyze the
damage, you may wish to deploy a honey pot. For most cases though I think
running a honey pot on your external border is not a good idea.


I've pretty much shared your opinion about honey pots, but one idea I've
been toying with recently is deploying "canary" systems internally so that
if someone smarter than me does get through the perimeter, if they hit the
canary system it'll alert me.  I'd probably use just a default redhat 6.0
install (got enough root holes there to make it east), call it something
tempting like "cybercash" and then modify sh/bash and csh/tcsh to e-mail a
warning anytime they are run (and turn off cron jobs to eliminate the
false positives).


I know several people who do this, but they generally make the systems
hard to crack and just put up a boatload of port monitoring
software/sniffers to detect the probes. It seems to be a little more sane
than leaving a vulnerable system hanging around.

I just get edgy when people want to coax another person into performing a
particular type of action. Unfortunately you just can't rule out the
attacker doing something to surprise you that falls outside of the planned
response that may have been established. Humans have a way of being
unpredictable at times (or lucky -- as the case may have it).

As I posted in a previous message and on my website, I think putting up
honey pots before doing other tangible security measures (filters,
patches, etc.) is just not a good plan of attack. Besides giving an
attacker a potential toe-hold onto your network, you provide the positive
feedback necessary to encourage them into looking further.

The one key item I've found that differentiates a successful attacker from
an unsuccessful one is time. The shorter amount of time you give an
attacker to look/poke/prod your network the less chance they have to find
success.  Unfortunately, leaving a vulnerable system around affords an
attacker more time. Not a good thing -- IMHO.

-- Craig

Current thread:

Re: Cracked; rootkit - entrapment question?, (continued)
- Re: Cracked; rootkit - entrapment question? rain forest puppy (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Jordan Ritter (Mar 03)
- Re: Cracked; rootkit - entrapment question? CL: Nelson, Jeff (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Jon Lewis (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 02)
    - Re: Cracked; rootkit - entrapment question? Granquist, Lamont (Mar 03)
    - Re: Cracked; rootkit - entrapment question? 1Lt Rob Lee (Mar 07)
    - Mail Server attack Joel Michael (Mar 07)
    - Re: Mail Server attack Omachonu Ogali (Mar 08)
    - Re: Mail Server attack Joel Michael (Mar 08)
    - Re: Cracked; rootkit - entrapment question? Craig H. Rowland (Mar 09)
    - Re: Cracked; rootkit - entrapment question? Seth Georgion (Mar 11)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 02)
- Re: Cracked; rootkit - entrapment question? Adam Pendleton (Mar 02)
- Re: Cracked; rootkit - entrapment question? Jason Lewis (Mar 02)
- Re: Cracked; rootkit - entrapment question? Roy Wilson (Mar 02)
  - Re: Cracked; rootkit - entrapment question? Filip M. Gieszczykiewicz (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 03)
- Re: Cracked; rootkit - entrapment question? Lison, Nathan (Mar 03)
- Re: Cracked; rootkit - entrapment question? Chuck Phillips (Mar 04)

(Thread continues...)