Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: sysadmin () SASSPRODUCTIONS COM (Seth Georgion)
Date: Sun, 12 Mar 2000 00:41:15 -0500


I keep reading various news articles that indicate that federal law
currently states that the FBI is not allowed to investigate if they believe
that the damage is under 5,000 dollars per computer and if they find out,
during the course of the investigation, that the damages are less they must
stop. I've seen a couple of articles on this on MSNBC, Yahoo and HNN over
the past weeks with the DoS happening and all. They seem to all indicate it
is part of Title 80 law, but if so I ask this of the group, then: Why is it
that everyone talks about getting the authorities involved when almost all
computer crime occurs state to state rather than intrastate? Doesn't a honey
pot, by nature, eliminate the damage factor? Maybe all of these articles are
completely bogus but I saw a quote from Janet Reno where she was urging the
5,000 dollar rule to be dismissed and most experts will tell you that the
FBI will not investigate if the damage is under 10,000. So what's the deal?
All I hear about is trapping someone for the authorities and "I always
alert the Authorities!" and "It's a wiretap! be careful if you want a
conviction!" Is this all a load of crap from people who don't have a clue or
are all these stories and quotes BS?

By the way our company investigated pursuing damages once, just for kicks,
and our legal representatives informed us that damage can only be calculated
as loss of critical business and whatever the dollar amount per hour of the
employees involved amounts to. This would only include time spent fixing it,
not time BSing and investigating and stopping work just because you'd like
to verify that all 24,000 company computers weren't subject to attack.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On
Behalf Of Craig H. Rowland
Sent: Thursday, March 09, 2000 8:25 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Cracked; rootkit - entrapment question?

Hi Lamont

On Fri, 3 Mar 2000 lamont () icopyright com wrote:

> On Thu, 2 Mar 2000, Craig H. Rowland wrote:
> > If you are facing a serious compromise situation where an attacker has
> > gained full internal access, and you want to contain and analyze the
> > damage, you may wish to deploy a honey pot. For most cases though I think
> > running a honey pot on your external border is not a good idea.
>
> I've pretty much shared your opinion about honey pots, but one idea I've
> been toying with recently is deploying "canary" systems internally so that
> if someone smarter than me does get through the perimeter, if they hit the
> canary system it'll alert me. I'd probably use just a default redhat 6.0
> install (got enough root holes there to make it easy), call it something
> tempting like "cybercash" and then modify sh/bash and csh/tcsh to e-mail a
> warning anytime they are run (and turn off cron jobs to eliminate the
> false positives).

I know several people who do this, but they generally make the systems
hard to crack and just put up a boatload of port monitoring
software/sniffers to detect the probes. It seems to be a little more sane
than leaving a vulnerable system hanging around.

I just get edgy when people want to coax another person into performing a
particular type of action. Unfortunately you just can't rule out the
attacker doing something to surprise you that falls outside of the planned
response that may have been established. Humans have a way of being
unpredictable at times (or lucky -- as the case may have it).

As I posted in a previous message and on my website, I think putting up
honey pots before doing other tangible security measures (filters,
patches, etc.) is just not a good plan of attack. Besides giving an
attacker a potential toe-hold onto your network, you provide the positive
feedback necessary to encourage them into looking further.

The one key item I've found that differentiates a successful attacker from
an unsuccessful one is time. The shorter amount of time you give an
attacker to look/poke/prod your network the less chance they have to find
success. Unfortunately, leaving a vulnerable system around affords an
attacker more time. Not a good thing -- IMHO.

-- Craig
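The "canary" shell idea in Lamont's quoted message above, worked out as an added example that is not code from anyone in this thread: a wrapper installed in place of the login shell that records who invoked it, raises an alert for interactive or remote invocations, and then hands over to the real shell. The /bin/bash.real path, the log path and the alert address are assumptions.

```shell
#!/bin/sh
# Canary shell wrapper: installed in place of a login shell on a canary host,
# it records who invoked a shell, raises an alert, then hands over to the real
# shell. Paths and the alert address below are assumptions, not thread values.
REAL_SHELL="${CANARY_REAL_SHELL:-/bin/bash.real}"      # real shell, moved aside
ALERT_TO="${CANARY_ALERT_TO:-secops@example.invalid}"  # placeholder address
LOG="${CANARY_LOG:-/var/log/canary.log}"

# Format one record: UTC timestamp, uid, tty, SSH_CLIENT (or "none"), parent pid.
canary_record() {
    printf '%s uid=%s tty=%s ssh_client=%s ppid=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "${3:-none}" "$4"
}

# Alert on interactive (has a tty) or remote (SSH_CLIENT set) invocations only;
# with cron disabled on the canary, anything else is rare and is just logged.
canary_should_alert() {
    [ "$1" != "none" ] || [ -n "$2" ]
}

# Deliver the record: append to the local log, and mail it if a mailer exists.
canary_alert() {
    printf '%s\n' "$1" >>"$LOG" 2>/dev/null
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$1" | mail -s "CANARY shell on $(hostname)" "$ALERT_TO"
    fi
}

canary_main() {
    if [ -t 0 ]; then tty_name="$(tty)"; else tty_name=none; fi
    rec="$(canary_record "$(id -u)" "$tty_name" "${SSH_CLIENT:-}" "$PPID")"
    if canary_should_alert "$tty_name" "${SSH_CLIENT:-}"; then
        canary_alert "$rec"
    else
        printf '%s\n' "$rec" >>"$LOG" 2>/dev/null
    fi
    # Hand control to the real shell so the session behaves normally.
    exec "$REAL_SHELL" "$@"
}

# Only act when the real shell is in place; otherwise the functions are just
# defined, which also lets the file be sourced for testing.
[ -x "$REAL_SHELL" ] && canary_main "$@"
```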
