Information Security News mailing list archives

Honeypots get stickier for hackers


From: InfoSec News <isn () c4i org>
Date: Mon, 14 Apr 2003 03:01:14 -0500 (CDT)

http://news.com.com/2100-1009-996574.html

By Robert Lemos 
Staff Writer, CNET News.com
April 11, 2003

VANCOUVER, British Columbia -- If Lance Spitzner has his way, network
defenders will get sweeter on the "honeypot"--a traditional method of
detecting online intruders.

Spitzner and two dozen members of the Honeynet Project hope new
changes to the group's open-source honeypot technology will help the
method become much more popular among security companies and others.  
The technology is designed to help users forge their own
honeypots--faked computers and networks that serve as decoys for
discovering online miscreants.

The changes, to be outlined in a paper that will be published online
Monday, were described in a speech Spitzner gave here at the
CanSecWest security show. The new features will help honeypots become
harder for intruders to detect and easier to deploy for companies and
even home users.

"It's an arms race," said Spitzner, founder of the Honeynet Project.  
"We are coming up with new stuff, and the bad guys will look at it. We
are staying ahead of 99 percent of the crowd."

Honeypots solve a major problem of intrusion-detection systems, which
frequently flag innocuous network traffic as a potential attack. These
"false positives," as they're called, make the systems difficult to
manage. They also create a "crying wolf" situation, in which genuine
threats can be overlooked.

Honeypots can solve the problem because they only detect data sent to
a specific server--one that, because it's fake, shouldn't have any
data sent to it at all.

"Honeypots have no authorized activity, so if anyone interacts with
(one) then you know (the interaction) is most likely malicious," said
Spitzner, adding that such considerations make the warnings generated
by honeypots very valuable.

That value was demonstrated recently when security company Digital
Defense caught an attacker trying to compromise a system that was
essentially a honeypot, said HD Moore, a security consultant for the
company. The system had been set up for a single purpose, and when an
online intruder started sending other commands to it, Moore knew
something was up.

By observing the attack, the security consultant discovered that the
intruder had gotten access to the system by way of a previously
unknown flaw in Samba, a widely used open-source program for sharing
Windows files between Unix and Linux systems.

"As long as the honeypot looks like a target that is interesting,
(attackers) will use a zero-day exploit to get access," Moore said. A
zero-day exploit is a program that takes advantage of a flaw that
hasn't yet been uncovered by developers, security professionals or
others. Honeypots can thus help uncover such flaws before they're used
to do any real damage.

The changes to the Honeynet Project's honeypot system make it easier
to manage and harder to detect.

Because attackers generally encrypt their communications with a
compromised server after successfully breaking in, the group has
modified the operating system used with its system--currently
Linux--to enable it to parrot the commands back to the administrator.  
Essentially a wiretap, the function lets administrators see any
commands that are being seen by the operating system.

"Bad guys are all using encryption now," said Spitzner. "Even if you
don't have encryption on your system, the bad guys will install it for
you."

Moreover, the technology has been tweaked to prevent intruders from
using the honeypot itself as a platform of attack. Any attacks sent
out by the honeypot system to other computers will have a single byte
modified to break the attack.
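The two detection rules the article describes are simple enough to write down: nothing legitimate ever connects to a decoy, so any inbound connection is an alert, and a decoy never initiates connections, so any outbound connection means it has been compromised and must be contained before it can be used as a platform. The following is an added example, not code from the Honeynet Project or from CNET; it assumes a constructed decoy address (10.0.0.50), a constructed monitoring host (10.0.0.1) that is the only machine allowed to talk to the decoy, and constructed flow records in a plain comma-separated form.

```python
"""Flow triage for a honeypot: added example, not the Honeynet Project's code.

Assumptions (all constructed for this example):
  - the decoy listens on 10.0.0.50;
  - 10.0.0.1 is the administrator's console, the only host allowed to
    exchange traffic with the decoy;
  - flow records look like "timestamp,src_ip,src_port,dst_ip,dst_port,proto".
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

HONEYPOT_IPS = {ipaddress.ip_address("10.0.0.50")}  # constructed decoy address
MONITOR_IPS = {ipaddress.ip_address("10.0.0.1")}    # constructed admin console


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow."""
    ts, src, sport, dst, dport, proto = [f.strip() for f in line.split(",")]
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())


def classify(flow: Flow) -> str | None:
    """Return the event kind for a flow, or None if the decoy is not involved."""
    if flow.src in HONEYPOT_IPS and flow.dst not in MONITOR_IPS:
        # The decoy never initiates traffic: an outbound connection means it
        # has been compromised and is being used against someone else, so the
        # operator must contain it (the article's "single byte" rule is one
        # way to neutralise such traffic at the gateway).
        return "outbound-from-honeypot"
    if flow.dst in HONEYPOT_IPS and flow.src not in MONITOR_IPS:
        # Nothing legitimate addresses the decoy, so any inbound connection
        # is a probe or attack. No signature is needed, which is why this
        # rule does not suffer the IDS false-positive problem.
        return "inbound-to-honeypot"
    return None


def triage(lines: list[str]) -> list[dict]:
    """Run classify() over flow records, skipping blanks and '#' comments."""
    events = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        kind = classify(flow)
        if kind is not None:
            events.append({"kind": kind, "ts": flow.ts, "src": str(flow.src),
                           "dst": str(flow.dst), "dport": flow.dport,
                           "proto": flow.proto})
    return events


def summarize(events: list[dict]) -> dict:
    """Count events per kind and per remote address for an operator's view."""
    by_kind = Counter(e["kind"] for e in events)
    # The "remote" side is the source for inbound probes and the
    # destination for outbound (post-compromise) connections.
    remotes = Counter(e["src"] if e["kind"] == "inbound-to-honeypot" else e["dst"]
                      for e in events)
    return {"by_kind": dict(by_kind), "remotes": dict(remotes)}


# Constructed sample records (documentation addresses only).
SAMPLE_FLOWS = [
    "# ts,src,sport,dst,dport,proto",
    "2003-04-11T10:00:01,192.0.2.7,43122,10.0.0.50,445,tcp",   # inbound probe
    "2003-04-11T10:00:05,192.0.2.7,43123,10.0.0.50,139,tcp",   # inbound probe
    "2003-04-11T10:01:00,10.0.0.1,50000,10.0.0.50,22,tcp",     # admin console, allowed
    "2003-04-11T10:02:30,10.0.0.50,51000,198.51.100.9,445,tcp",  # decoy calling out: contain
    "2003-04-11T10:03:00,192.0.2.7,43200,10.0.0.20,80,tcp",    # production host, not our concern here
]

if __name__ == "__main__":
    found = triage(SAMPLE_FLOWS)
    for event in found:
        print(event)
    print(summarize(found))
```

The two rules are deliberately asymmetric in what they tell the operator: an inbound event is intelligence to record, while an outbound event is a containment decision, since by then the decoy is no longer under the defender's control.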

The honeypot setup also includes software to spoof responses back to
commonly used mapping software, so that the decoy system can pretend
to be anything from a single system to a large network.

In addition, a new utility called Honey Inspector, set to be released
in a few weeks, allows honeypots to be managed and analyzed through a
graphical user interface. Finally, in three to six months, the
Honeynet Project expects to release a bootable CD-ROM that will make
installing its version of a honeypot easy.

Spitzner also said more features are under development.

"Honeypots are really at the beginning, there are a lot more advances
coming," Spitzner said, likening the current stage of honeypot
evolution to that of the firewall of five years ago.

Today, even personal computer users run their own firewalls to keep
out attackers. Soon, online intruders may also have to get by the
additional confusion sown by honeypots.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

