[ISN] Interview with Lance Spitzner

From: InfoSec News (isnat_private)
Date: Mon Nov 25 2002 - 00:00:52 PST


    http://www.net-security.org/article.php?id=267
    
    by Mirko Zorz 
    19 November 2002
    
    Lance Spitzner is a geek who constantly plays with computers,
    especially network security.
    
    His passion is researching honeypot technologies and using them to
    learn more about the enemy.
    
    He is the founder of the Honeynet Project, moderator of the honeypot
    mailing list, co-author of "Know Your Enemy", author of "Honeypots:  
    Tracking Hackers" and also author of several whitepapers. He works as
    a senior security architect for Sun Microsystems, Inc.
    
    
    How did you gain interest in honeypots?
    
    My lack of understanding about bad guys. I had no idea how they broke
    into computers, what they did afterwards, or even 'who' they were.
    Honeypots were a great way to learn. Also, honeypots are very exciting
    because it's a new field. I don't deal well with having to follow lots
    of rules. With honeypots, I get to make things up as I go, which I
    find to be lots of fun.
    
    
    What was it like writing "Honeypots: Tracking Hackers"? Any major
    difficulties?
    
    The book was actually a lot of fun to write. It was something I really
    wanted to do, as it is the very first book out on honeypots. It also
    gave me the opportunity to put all my thoughts together. I learned a
    great deal from that book. The hardest part was making sure I was
    technically correct with all the different honeypots. The technology
    is changing so fast, such as with ManTrap and Honeyd, that I was
    having to learn some of the new features as I wrote the book.
    
    
    What security tools do you use on a daily basis?
    
    Firewalls and virus scanners. I have both network and host based
    firewalls, and everything is virus scanned on my PCs. Also, I REALLY
    like the automatic patching facilities that come with Windows XP and
    Red Hat Linux. Keeps systems current. Last, I'm always attempting to
    minimize and harden my systems.
    
    
    In your opinion what are the most important things an administrator
    has to do in order to keep a network secure?
    
    If you don't need it, remove it. If you do need it, patch it. The vast
    majority of attacks are for known vulnerable services. If the service
    is not there, they can't hack it. If the service is patched, they will
    have a damn hard time hacking it.
    
    
    What's the most amusing thing you ever saw someone do on a honeypot?
    
    Oh, good grief, there are so many. Not knowing the tools they are using
    (4 times to figure out how to untar a file). Accidentally DoSing
    themselves, getting excited about Ping of Death, preferring to launch
    DoS attacks from Windows, announcing they like to smoke weed, etc.
    However, I have also learned some very useful Unix commands from
    watching them, such as grepping for specific network connections.
    
    
    What's the longest an attacker has been on one of your honeypots?
    
    Three weeks. After that amount of time, there is little you can learn,
    with only increased risk of something going wrong.
    
    
    Recently the Honeypot Best Practices security conference took place,
    are you satisfied with the outcome?
    
    It was a great start, as it was the first honeypot conference.
    However, I would like to see one that is more technical, covering a
    great spectrum of technologies (similar to my book). I'm currently
    teaching a 3-day honeypot class that is very similar to this. You may
    also see some more exciting events next year :)
    
    
    What books, whitepapers, websites would you recommend to people that
    are starting to learn about computer security?
    
    Oh boy, that depends. Beginner worrying about securing their XP box at
    home, security engineer securing their network at work? For the common
    user, I just recommend getting a firewall and a virus scanner; that
    works for most. For the security professional, start with the basics.
    For me, that was Stevens' TCP/IP Illustrated Volume I. That has become
    my networking bible. The other most valuable thing for me has been a
    home lab. Build yourself a network of computers (old 486 systems are
    fine), and test everything you are learning in that environment
    (minimization, network sniffing, firewalls, attacks, etc). That hands-on
    experience has proven invaluable to me.
    
    
    What are your future plans? Any exciting new projects?
    
    One of the most exciting things the Honeynet Project is now working on
    is a bootable CDROM. We want to take our newly developed GenII
    technologies and build them into a bootable CDROM. This way if any
    organizations want to deploy a Honeynet (or multiple Honeynets), they
    simply boot off a CDROM and they have their Honeynet. All that is left
    is populating the network with target victims.
    
    
    
    


