Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: jpr5 () BOS BINDVIEW COM (Jordan Ritter)
Date: Fri, 3 Mar 2000 18:23:33 -0500


On Thu, 2 Mar 2000, rain forest puppy wrote:

# Just my $.02 on the subject, but I think administrators are using the
# concept of a honeypot as some personal vindictive revenge tool.
#
# It is not.
#
# For those of you who think honeypots are there to 'lure' hackers, and
# to 'learn their attack tactics' by 'enticing them to log in', you've
# been watching too many Bond flicks.  Maybe it's the inner hacker
# within you trying to get out, but, um, NO.  You have so many
# entrapment legalities to deal with, and arguably you won't learn
# anything.

I agree that the average System Administrator's understanding of the
purpose of a honeypot is misguided and wrong.  They generally don't have
the time to be playing cat and mouse games with crackers anyway; their job
is to run networks, and make sure they stay running.  While some can argue
it's an unfortunate consequence of this day and age that sysadmins often
have to play the role of security analyst, it doesn't mean that, on
average, they'll be able to do it well, or even at all.  Perhaps honeypots
don't really belong in the system administrator's vocabulary -- the
concept is more for a dedicated security analyst or consultant.  It's
useful as an early warning detection system, but the concepts involved,
the understanding required, well, it's just not in your average sysadmin's
job description.

So, for the admin, yes, it's ludicrous for him to think that he will have
the time to properly set up, maintain, and monitor a honeypot for the sole
purposes of luring hackers and learning their attack tactics.  That is
rather movie-ish, and is, as you described, a lot of overhead for little
to no return.

But, let's not completely downplay this particular role of our honeypot!
Early warning detection is good, but it's also useful to a security
analyst for the purposes of luring that cracker, for seeing what he's
doing.  Crackers generally have enormous egos, and luring one in,
especially if you have some idea of who you're trying to get, is not
nearly as hard as you think.

# The best one I hear is 'entice him with juicy, but fake, data'.  Um,
# how the hell is he supposed to know what data is on the box without
# breaking in?  Therefore, where is the enticement?

I think the key to a good honeypot is to make it look interesting.  Not
entirely out of place, but if you're going to lure someone (versus using
your honeypot as an early warning detection system), you have to make it,
well, interesting.  Pique your cracker's curiosity, maybe make your
honeypot look legitimately/commonly misconfigured.  Sometimes you have to
sacrifice some real data, but most times not.  You just keep high in mind
and to your advantage the fact that you know what's going on, and the
cracker probably doesn't.

A cracker's worst nightmare is that his actions were recorded in a
traceable and reproducible manner.  He believes, blindly, that he is
untouchable.  Touch him, and his world changes.

While legal recourse is almost always the official "corporate" goal,
really what you want is to make them go away.  Armed with that log, you
control their destiny, legal or not.  One phone call to their place of
residence, a little Indian "tag you're it", and your problem will, 9 times
out of 10, go away.

Jordan Ritter
RAZOR Security
BindView Corporation
