Security Incidents mailing list archives

Re: Cracked; rootkit - entrapment question?


From: leer2 () OGN AF MIL (1Lt Rob Lee)
Date: Tue, 7 Mar 2000 08:40:55 -0500


On whether Honeypots are legal or not?

From TITLE 18 CRIMES AND CRIMINAL PROCEDURES

CHAPTER 119.    WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND
INTERCEPTION OF ORAL COMMUNICATIONS

(2) (a) (i) It shall not be unlawful under this chapter [18 USCS §§ 2510 et
seq.] for an operator of a switchboard, or an officer, employee, or agent of
a provider of wire or electronic communication service, whose facilities are
used in the transmission of a wire or electronic communication, to
intercept, disclose, or use that communication in the normal course of his
employment while engaged in any activity which is a necessary incident to
the rendition of his service or to the protection of the rights or property
of the provider of that service, except that a provider of wire
communication service to the public shall not utilize service observing or
random monitoring except for mechanical or service quality control checks.

I'm not sure of the exact nature of how system administrators can monitor
systems or a specific individual.  It is definitely still a gray area and
the best thing to do would be to contact the local authorities for guidance.
I know it is fine to use Intrusion Detection Systems and other logging
mechanisms to monitor for people doing BAD things on your network.
However, if you read the last part of the statement, you can see how setting
up a honey pot is not exactly protecting your network.  You are only allowed
to monitor to ensure that you can PROTECT your systems.  Once you discover a
bad guy, all you can really do is use the information to stop the compromise.
If you set up extra monitoring, placing traps, fish-bowling, or monitoring a
specific IP or network, it becomes GREY as to whether you are really
protecting your systems or conducting an illegal wiretap.  Just be cautious
is all I say.  If it were me, I would just rebuild, set up the system again
with appropriate patches, and ensure that my systems are protected.
"Watching" a hacker via a honey pot is not exactly protecting a system.
(But even THAT can be argued, I know..)

For officially sanctioned CONSENSUAL wiretaps for evidence gathering on
behalf of law enforcement and approved by law, banners are necessary.

It works like this.

1.  You can watch for ANY IP coming in on a bannered port
2.  You can watch for ANY PORT from a specific IP once it can be proven that
that SUBJECT has seen the banner (e.g. Banner sent to his system)

Ports can be bannered using TCP-WRAPPERS or PORT-SENTRY for example.

The problem there is what do you do about ICMP, UDP, and TCP traffic that
does not have bannering support with it?  Not much.  You hope you can catch
the SUBJECT seeing a banner.   Sooner or later the SUBJECT would have to
move a file from one system to another, either through secure copy or FTP,
either of which could be bannered.   Then, once it is proven that the SUBJECT
has seen that banner, you can open up the wiretap to watch all traffic between
the source IP and the VICTIM machine.

TITLE 3 Wiretaps do not need banners since they are "non-consensual"
wiretaps.  Yet obtaining these is VERY rare and it takes a lot of time.

Hope this helps...

Lt Rob Lee

____________________________________________________
Rob T. Lee, 1LT, USAF
Chief, Intrusion and Monitoring Team
Air Force Office of Special Investigations
Email:           leer2 () ogn af mil
____________________________________________________
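The two monitoring-scope rules in the post above (watch any source on a bannered port; watch every port from a source once a banner has demonstrably been delivered to it, which also covers the ICMP/UDP traffic that cannot carry a banner) can be expressed as a small stateful filter over a connection log. The following is an added example, not code from the original post or from any tool it names; the log format, the sample lines and the choice of bannered ports (21, 22, 23) are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample connection log (not real data), one event per line:
#   <timestamp> <proto> <src> -> <dst>:<dport> <kind>
# "banner_sent" marks the sensor's own record that a login banner was
# transmitted to the source on that connection.
SAMPLE_LOG = """\
2000-03-07T08:00:01 tcp 10.0.0.5 -> 192.168.1.10:53 data
2000-03-07T08:00:02 icmp 10.0.0.5 -> 192.168.1.10:0 data
2000-03-07T08:00:03 tcp 10.0.0.5 -> 192.168.1.10:21 banner_sent
2000-03-07T08:00:04 udp 10.0.0.5 -> 192.168.1.10:53 data
2000-03-07T08:00:05 tcp 10.0.0.9 -> 192.168.1.10:23 data
2000-03-07T08:00:06 udp 10.0.0.9 -> 192.168.1.10:123 data
"""

# Assumed set of services that present a banner (ftp, ssh, telnet).
BANNERED_PORTS = {21, 22, 23}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp|icmp) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<kind>data|banner_sent)$"
)


@dataclass(frozen=True)
class Event:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int
    kind: str


def parse_event(line: str) -> Event:
    """Parse one log line of the constructed format into an Event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return Event(m["ts"], m["proto"], m["src"], m["dst"],
                 int(m["dport"]), m["kind"])


def classify(lines: Iterable[str],
             bannered_ports=BANNERED_PORTS) -> List[Tuple[Event, bool, str]]:
    """Apply the two rules in order and return (event, in_scope, reason).

    Rule 1: any source hitting a bannered TCP port may be watched there.
    Rule 2: once a banner has been delivered to a source, all of that
            source's later traffic (any port, any protocol) may be watched.
    Everything else is out of scope for consensual monitoring.
    """
    consented = set()  # sources that have demonstrably received a banner
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.kind == "banner_sent" and ev.dport in bannered_ports:
            consented.add(ev.src)
            results.append((ev, True, "bannered port; banner delivered to source"))
        elif ev.src in consented:
            results.append((ev, True, "source previously received banner"))
        elif ev.proto == "tcp" and ev.dport in bannered_ports:
            results.append((ev, True, "bannered port"))
        else:
            results.append((ev, False, "no banner covers this traffic"))
    return results


def in_scope_count(lines: Iterable[str]) -> int:
    """Number of events the filter considers eligible for monitoring."""
    return sum(1 for _, ok, _ in classify(lines) if ok)


if __name__ == "__main__":
    for ev, ok, why in classify(SAMPLE_LOG.splitlines()):
        flag = "WATCH" if ok else "skip "
        print(f"{flag} {ev.ts} {ev.proto:4} {ev.src} -> :{ev.dport:<5} {why}")
```

Note the ordering in the sample: the first two events from 10.0.0.5 (DNS and ICMP) are out of scope, the FTP connection delivers the banner, and only the UDP traffic after that point becomes eligible. The filter records the banner transmission itself as the evidence, which is the "proven seen" condition the post describes; it does not attempt to judge whether a person actually read it.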