Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: crowland () PSIONIC COM (Craig H. Rowland)
Date: Thu, 2 Mar 2000 15:54:21 -0600


I am in the process of doing the same thing. I am setting up a shadow
intrusion detection system. I am also going to set up several dummy systems.
Right now, I have some things wide open in an attempt to catch some people
that have been poking around where they ought not to be. The 'wide-open' is
heavily monitored and very restricted in reality. However, the perp coming
in is not aware of this.

Generally honey pots are a horrible idea for most people. There are a
variety of reasons for this. The main reason being that most people don't
have the time to adequately manage the task. Also, you are making yourself
open to big-time problems if you aren't careful and you end up irritating
the attacker or they find another way in. I won't go into all my reasons
here, but I actually touched on this some in a presentation I gave. Here
is the link on my thought-process:

http://www.psionic.com/papers/present/defcon7/sld022.htm

Of course opinions are cheap, but network downtime is not. My core piece
of advice is that you should make the attacker move on to your neighbor. A
selfish stance, but necessary in the Internet environment. The reality is
that no matter what evidence you collect law enforcement is almost always
incapable of doing anything. This is not an attack on law enforcement,
it is just an opinion I hold as to the *current* state of law enforcement
capabilities and strategies. It is a manpower and education issue that has
been ignored for so long that most agencies are simply not prepared to
deal with the threat. To squelch the flames before they start, my degree
is in Criminology and Criminal Justice so I do have more than just a
surface insight into this area.

If you are facing a serious compromise situation where an attacker has
gained full internal access, and you want to contain and analyze the
damage, you may wish to deploy a honey pot. For most cases though I think
running a honey pot on your external border is not a good idea.

-- Craig

http://www.psionic.com
