[H-GEN] RE: [SAGE-AU] Security Tool (fwd)
Raymond Smith
raymonds at uq.net.au
Fri May 4 02:26:14 EDT 2001
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
My apologies to sagers who have already seen this.
I was talking to someone about honeypots at a previous HUMBUG meeting.
This is an interesting post arguing against honeypots. The original poster
wanted a program that pretends to be standard internet services, with the
purpose of entrapping crackers.
(A honeypot is jargon for a system set up for the purpose of allowing
crackers to break in. You might then try to entrap them, or whatever.)
---
raymond at humbug.org.au
All that we see, or seem,
Is but a dream, within a dream.
-- Edgar Allan Poe
---------- Forwarded message ----------
Date: Fri, 4 May 2001 02:05:00 +1000
From: Andrew van der Stock <ajv at greebo.net>
To: Travers <mailreader at optushome.com.au>
Cc: sage-au at sage-au.org.au
Subject: RE: [SAGE-AU] Security Tool
Resent-Date: Fri, 4 May 2001 15:49:21 +1000
Resent-From: raymond.smith at iona.com
Resent-To: raymond at humbug.org.au
It's called the Deception Toolkit, and the purpose is flawed. Please, I beg
you, do not install this on a machine out on the Internet.
http://all.net/dtk/dtk.html
Honey pots, such as this toolkit, or the Honeynet project do not serve any
known useful purpose, and have many bad outcomes. There are enough real
systems with real problems without encouraging the little $#&*s.
In my opinion, honeypots have the following problems:
1. they attract idiots like flies to infrastructure that, itself, likely has
flaws. The flawed infrastructure will most likely not be your
infrastructure, which is where the problem lies.
2. once they realise they've been had, the little $&#!s usually recriminate
strongly
- DoS attacks are the least offensive thing they do, and it's a WAFTAM for
you, your ISP and all your ISP's customers, and the ISP's backbone
provider(s), and the pacific link (the morons are very occasionally
Australian), and a host of vulnerable system owners whose systems they've
cracked between you and them.
3. honeypots don't teach you anything new: they emulate known
vulnerabilities.
4. Legally, honeypots are akin to setting a mantrap behind an unlocked balsa
door you've installed, painted with a bright yellow sign saying you'll be
back at 5 pm. I would not like your chances of getting indemnity insurance
against litigation from a big player like most backbone providers if they
can prove (easily) that you installed something very bloody stupid on your
host with a sole aim: to attract attackers. You are getting indemnity
insurance, and the permission of your upstream ISP and their upstream ISP
(ad nauseam) and notifying the Federal Police and AusCERT you intend to do
this, aren't you? The last two are optional, but if the attacker goes on a
rampage and does real damage, it's nice to shortcut investigations to the
responsible party within easy jurisdictional reach.
If you want to learn something useful about security, learn how problems
occur and maybe join a security audit team. Fixing problems is a far better
way to reduce the risk for everyone of unauthorized intrusion.
If you want to learn about a particular crack, download the crack from
packetstorm and install the vulnerable software on another host you own, and
do it to yourself on your machines *off* *the* *Internet*. You'll learn more
that way than from *any* honey pot.
If you're doing this as a litmus box behind a firewall or DMZ to test the
firewall's effectiveness, I suggest putting in an OpenBSD box with IP Filter
set to log all incoming packets. Extremely sensitive (including IP options
(URG etc), sequence numbers, etc), excellent logging, immediate scriptable
escalation and best yet, few remote vulnerabilities. Install tripwire and
back up regularly in case something bad happens. Make sure it's a really
recent IP filter; there are some problems with the state engine that have
only recently been fixed. Make sure the surrounding firewall rules do not
allow this host to go *anywhere* by itself. No outbound connections beyond
escalation should be allowed.
Andrew
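As an added example, not part of Andrew's message or anything the thread itself supplied, here is an IP Filter ruleset in the spirit of the litmus-box setup he describes: every inbound packet is logged and dropped, and the box is not allowed to originate traffic except for its own log/escalation channel. The interface name fxp0, the box address 192.0.2.10 and the log collector at 192.0.2.1 (syslog on UDP 514) are assumptions chosen for the example.

```ipf
# /etc/ipf.rules -- constructed example for a passive "litmus" host.
# Assumed: external interface fxp0, host address 192.0.2.10,
# log collector / escalation host 192.0.2.1 (syslog, UDP 514).

# Loopback traffic is always fine.
pass in  quick on lo0 all
pass out quick on lo0 all

# Weak setting (do NOT use): the host may reach out anywhere, so if it is
# ever compromised it becomes a launch point against third parties.
#   pass out quick on fxp0 all keep state

# Corrected: the only traffic allowed to leave the box is the syslog
# channel carrying ipmon's output to the collector. Everything else
# outbound is blocked and logged, so an unexpected outbound attempt is
# itself an escalation signal.
block out log on fxp0 all
pass  out quick on fxp0 proto udp from 192.0.2.10 to 192.0.2.1 port = 514

# Inbound: log everything and drop it. "log body" records the start of
# the packet payload; "with ipopts" and "with short" single out packets
# carrying IP options or truncated headers, which ipmon(8) then reports
# as distinct rule hits so a script can escalate on them immediately.
block in log body quick on fxp0 all with ipopts
block in log body quick on fxp0 all with short
block in log body on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and run `ipmon -s` so the log lines go to syslogd, which forwards them to the collector; the escalation script watches the collector, not the litmus box. The outbound restriction must also be enforced on the surrounding firewall, as Andrew says, since a host that has been broken into cannot be trusted to enforce its own ruleset.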
-----Original Message-----
From: sage-au-admin at sage-au.org.au
[mailto:sage-au-admin at sage-au.org.au] On Behalf Of Travers
Sent: Friday, 4 May 2001 12:41 AM
To: sage-au at sage-au.org.au
Subject: [SAGE-AU] Security Tool
Hi,
A few years ago I had a security tool that would imitate services
such as telnet, sendmail, named, ftp, basically all common
intrusion services on Linux. It would reply with what you would
normally expect the service to, the whole time not doing anything
but logging the person's commands and IP and spitting out dummy
replies to their commands.
My problem is I have forgotten what this software was, has anyone
heard of this and remember what it was called?
I will summarise to the list.
Travers