Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: jpr5 () BOS BINDVIEW COM (Jordan Ritter)
Date: Fri, 3 Mar 2000 18:23:33 -0500
On Thu, 2 Mar 2000, rain forest puppy wrote:

# Just my $.02 on the subject, but I think administrators are using the
# concept of a honeypot as some personal vindictive revenge tool.
#
# It is not.
#
# For those of you who think honeypots are there to 'lure' hackers, and
# to 'learn their attack tactics' by 'enticing them to log in', you've
# been watching too many Bond flicks. Maybe it's the inner hacker
# within you trying to get out, but, um, NO. You have so many
# entrapment legalities to deal with, and arguably you won't learn
# anything.

I agree that the average System Administrator's understanding of the purpose of a honeypot is misguided and wrong. They generally don't have the time to be playing cat and mouse games with crackers anyway; their job is to run networks, and make sure they stay running. While some can argue it's an unfortunate consequence of this day and age that sysadmins often have to play the role of security analyst, it doesn't mean that, on average, they'll be able to do it well, or even at all.

Perhaps honeypots don't really belong in the system administrator's vocabulary -- the concept is more for a dedicated security analyst or consultant. It's useful as an early warning detection system, but the concepts involved, the understanding required, well, it's just not in your average sysadmin's job description.

So, for the admin, yes, it's ludicrous for him to think that he will have the time to properly set up, maintain, and monitor a honeypot for the sole purposes of luring hackers and learning their attack tactics. That is rather movie-ish, and is, as you described, a lot of overhead for little to no return.

But, let's not completely downplay this particular role of our honeypot! Early warning detection is good, but it's also useful to a security analyst for the purposes of luring that cracker, for seeing what he's doing. Crackers generally have enormous egos, and luring one in, especially if you have some idea of who you're trying to get, is not nearly as hard as you think.

# The best one I hear is 'entice him with juicy, but fake, data'. Um,
# how the hell is he supposed to know what data is on the box without
# breaking in? Therefore, where is the enticement?

I think the key to a good honeypot is to make it look interesting. Not entirely out of place, but if you're going to lure someone (versus using your honeypot as an early warning detection system), you have to make it, well, interesting. Pique your cracker's curiosity, maybe make your honeypot look legitimately/commonly misconfigured. Sometimes you have to sacrifice some real data, but most times not. You just keep high in mind and to your advantage the fact that you know what's going on, and the cracker probably doesn't.

A cracker's worst nightmare is that his actions were recorded in a traceable and reproducible manner. He believes, blindly, that he is untouchable. Touch him, and his world changes. While legal recourse is almost always the official "corporate" goal, really what you want is to make them go away. Armed with that log, you control their destiny, legal or not. One phone call to their place of residence, a little Indian "tag you're it", and your problem will, 9 times out of 10, go away.

Jordan Ritter
RAZOR Security
BindView Corporation
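The message above makes two points about a honeypot: it is useful as an early warning system (any contact with a box nothing legitimate should touch is a signal), and its value to the analyst lies in recording what happens "in a traceable and reproducible manner". The following is an added example, not code from Jordan Ritter's message or from the thread: a minimal fake-login listener whose every connection is appended to a hash-chained log, so that a later reader can verify no entry was altered or dropped. The class and function names, the port, the banner and the sample events are all assumptions constructed for the illustration.

```python
"""Minimal early-warning honeypot logger (added example, not from the thread).

Every connection to the listener is recorded as one entry whose hash covers the
previous entry's hash, so the record is tamper-evident: editing or removing an
entry breaks the chain at that point.
"""
import hashlib
import json
import socket
import time
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass
class HoneypotLog:
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS

    def record(self, peer, port, payload, ts=None):
        """Append one event; `payload` is the raw bytes the peer sent."""
        entry = {
            "ts": ts if ts is not None else time.time(),
            "peer": peer,
            "port": port,
            "payload": payload.hex(),  # hex keeps arbitrary bytes JSON-safe
            "prev": self.last_hash,
        }
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(canonical).hexdigest()
        self.entries.append(entry)
        self.last_hash = entry["hash"]
        return entry


def verify_chain(entries):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev:
            return i
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True).encode()
        if hashlib.sha256(canonical).hexdigest() != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def summarize(entries):
    """Early-warning view: number of touches per source address."""
    counts = {}
    for entry in entries:
        counts[entry["peer"]] = counts.get(entry["peer"], 0) + 1
    return counts


def serve(log, host="127.0.0.1", port=2323, banner=b"login: "):
    """Accept connections, show a fake prompt, log whatever arrives.

    The port and banner are assumptions for the example; the point is that
    nothing legitimate ever connects here, so every entry is a signal.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        conn.settimeout(5)
        try:
            conn.sendall(banner)
            data = conn.recv(1024)
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()
        entry = log.record(addr[0], port, data)
        print(json.dumps(entry))  # stream to the analyst's collector


if __name__ == "__main__":
    serve(HoneypotLog())
```

Run the module to listen on localhost; each connection prints one JSON line. Keep the log off the honeypot itself (ship the lines elsewhere), since the chain proves integrity only if an intruder on the box cannot quietly rewrite the whole file from the genesis hash onward.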