HoneyPots


allan
04-12-03, 07:26 PM
The HoneyNet project has been getting a lot of publicity lately, does anyone here run a HoneyPot on their network:

http://www.honeynet.org/

If you do, what type of success have you had with it?

no1v2
04-20-03, 12:57 PM
I can't disclose that kind of information about what's actually in use at work, but from what I've heard elsewhere they're definitely useful for large networks. If I ever have the equipment to spare I might try setting up a basic one at home. (Spare computers? Ha!)

interactive
04-20-03, 01:16 PM
I've seen honeypot before but never understood what it was? Anyone shed some light please?

allan
04-20-03, 01:22 PM
A honeypot is a decoy :). It is a server set up on a protected network, that is left deceptively vulnerable. The idea is to allow an attacker to break into the server. An administrator then collects the logs and other data from the attack and uses that information to better secure the rest of the network.

no1v2
04-20-03, 01:24 PM
Just Google it (http://www.google.com/search?q=honeypots) :)

interactive
04-20-03, 02:34 PM
That's kewl. So then the "HoneyPot" community exchanges it with each other?

allan
04-20-03, 02:41 PM
Originally posted by interactive:

That's kewl. So then the "HoneyPot" community exchanges it with each other?

Sometimes, some security admins keep the information to themselves, but many do work with others in the security community to share information.

adminME
04-20-03, 02:50 PM
Originally posted by allan:

A honeypot is a decoy :). It is a server set up on a protected network, that is left deceptively vulnerable. The idea is to allow an attacker to break into the server. An administrator then collects the logs and other data from the attack and uses that information to better secure the rest of the network.

Ahh now I see :banana:

interactive
04-20-03, 03:05 PM
I found an interesting article about HoneyPots over at SecurityFocus:
http://www.securityfocus.com/news/4004

I think that a hacker would have a very hard time trying to convince a judge that someone attempting to hack one of your systems, would be your fault.

no1v2
04-20-03, 03:18 PM
I was just thinking about that article.
That leaves a third "provider exemption" as the most promising for honeypot fans. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. But even that exemption probably wouldn't apply to a system that's designed to be hacked, Salgado said. "The very purpose of your honeypot is to be attacked... so it's a little odd to say we're doing our monitoring of this computer to prevent it from being attacked."

Either the author of the article didn't explain the third exemption well or Salgado didn't think about it much there. According to the article you may use the exemption to protect your "property or services," not just the property (in this case, the honeypot) that was already hacked.

interactive
04-20-03, 03:25 PM
From what I understand though, is if the law is passed, you'll just have to have your honeypot close to your production server. Which really wouldn't be that hard. Salgado just looks like a lawyer looking for business IMHO.

kunal
04-22-03, 07:44 AM
Ok, here is my dilemma... can I be arrested if I break into a honeypot?

kunal

allan
04-22-03, 08:48 AM
Originally posted by kunal:

Ok, here is my dilemma... can I be arrested if I break into a honeypot?

kunal

Of course... it is still considered illegal activity. Just like if you go looking for a prostitute and she (or he, depending on your preference) turns out to be a cop, you can still be arrested for solicitation.

kunal
04-22-03, 03:58 PM
Hmm... but that isn't fair, is it? Since the reason the honey pot exists is for people to come and poke around. How can you tempt them and then blame them for giving in to their temptation that was purposely created by you? Isn't that entrapment?

kunal

allan
04-22-03, 04:11 PM
Originally posted by kunal:

Hmm... but that isn't fair, is it? Since the reason the honey pot exists is for people to come and poke around. How can you tempt them and then blame them for giving in to their temptation that was purposely created by you? Isn't that entrapment?


No, entrapment would be if you put a server on the Internet and said, "come attack me", then arrested the people who did so. Simply putting a vulnerable server on the Internet is not entrapment, since people should not be trying to break into other people's servers.

kunal
04-23-03, 05:58 AM
Originally posted by allan:

No, entrapment would be if you put a server on the Internet and said, "come attack me", then arrested the people who did so. Simply putting a vulnerable server on the Internet is not entrapment, since people should not be trying to break into other people's servers.


Hmm... good point, but aren't you putting a "honey-pot" online for the sole purpose of getting hacked so that you can monitor a hacker's movement?

kunal

DizixCom
04-23-03, 07:05 AM
If a hacker asks "Is this a honeypot?" and you deliberately say "No it is not", that would be entrapment. Ignore them or answer truthfully and when they break in they're busted.

kunal
04-25-03, 07:06 AM
Ah... oh ok... but I yet find it unfair... putting something out there just so that it can be broken into... and then arresting the person for breaking into it is completely wrong.

kunal

allan
04-25-03, 07:28 AM
Originally posted by kunal:

Ah... oh ok... but I yet find it unfair... putting something out there just so that it can be broken into... and then arresting the person for breaking into it is completely wrong.


I'm sure the company that loses thousands of dollars because someone broke into their network would say that trying to break into the network in the first place was wrong.

kunal
04-25-03, 07:34 AM
Originally posted by allan:

I'm sure the company that loses thousands of dollars because someone broke into their network would say that trying to break into the network in the first place was wrong.


Agreed, but not if the machine that was broken into was a honey pot, whose sole purpose is to attract attacks.

kunal

DizixCom
04-25-03, 08:40 AM
I think the purpose of the honey pot is to learn about potential exploits in the network, not necessarily entrap and torture (though that would be fun) the would-be intruder. Since it's a crime to knowingly break into a computer system, simply conspiring to do such an act is reason enough for prosecution. Actually executing the break-in and then whining about it being a trap probably wouldn't be much of a defense.

Remember, the purpose is to attract the attacks to learn from them, not simply to catch as many rodents as you can. Setting an example of the intruders by prosecuting them to whatever extent you can is just a happy side effect. I think.

no1v2
04-26-03, 11:27 AM
Originally posted by kunal:

Agreed, but not if the machine that was broken into was a honey pot, whose sole purpose is to attract attacks.

kunal

I don't understand what the problem is... are you implying that they would lose money if their honeypots got broken into?

interactive
04-26-03, 07:26 PM
Originally posted by kunal:

Ah... oh ok... but I yet find it unfair... putting something out there just so that it can be broken into... and then arresting the person for breaking into it is completely wrong.

kunal

I don't see how it's unfair? In the USA police in big cities set up cars, leave them unlocked in busy parking lots, and have a security system (where they can remotely lock and shut off the car) installed. Someone steals the car, drives about 10 miles, they lock the doors and shut it off. Then nab the person. I remember when they first started doing it where I live, and people freaked out to begin with. I don't think it's really unfair. But then again that's just my opinion.

kunal
04-26-03, 10:21 PM
Originally posted by no1v2:

I don't understand what the problem is... are you implying that they would lose money if their honeypots got broken into?

I am not saying any such thing. All I am saying is that the whole purpose of the honey pot is to attract an attacker and study how he attacks the system. The honey pot is so called because it tempts a person to break in.

DizixCom, from what you're saying, if a security consultant broke into a client's network, could he be prosecuted? Also, I agree it's not necessary to entrap them BUT that is one of the by-products of the entire outcome?

Robert, I think that is unfair and simply illegal. You can not tempt someone and then blame them for falling prey to temptation.

Think about this scenario. You are a doctor. You have a patient who is very diabetic. You hand him a lollipop which could kill him. He opens it and eats it. Then you yell at him, because he ate it. Do you think that the yelling is ok?

kunal

DizixCom
04-27-03, 06:50 AM
DizixCom, from what you're saying, if a security consultant broke into a client's network, could he be prosecuted? Also, I agree it's not necessary to entrap them BUT that is one of the by-products of the entire outcome?

Absolutely she should be held accountable. Unless this consultant was contracted to breach security, they have no business breaking into their client's network. I'd be more leery of a consultant breaking into my network than anyone else because they will likely have more sinister reasons. Industrial espionage comes to mind...

On the other hand, if you've contracted the consultant specifically to break into your network then you've given them permission and there is no reason to even want to prosecute.