[ISN] Honeypots get stickier for hackers

From: InfoSec News (isnat_private)
Date: Mon Apr 14 2003 - 01:01:14 PDT


    http://news.com.com/2100-1009-996574.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    April 11, 2003
    
    VANCOUVER, British Columbia -- If Lance Spitzner has his way, network
    defenders will get sweeter on the "honeypot"--a traditional method of
    detecting online intruders.
    
    Spitzner and two dozen members of the Honeynet Project hope new
    changes to the group's open-source honeypot technology will help the
    method become much more popular among security companies and others.  
    The technology is designed to help users forge their own
    honeypots--faked computers and networks that serve as decoys for
    discovering online miscreants.
    
    The changes, to be outlined in a paper that will be published online
    Monday, were described in a speech Spitzner gave here at the
    CanSecWest security show. The new features will help honeypots become
    harder for intruders to detect and easier to deploy for companies and
    even home users.
    
    "It's an arms race," said Spitzner, founder of the Honeynet Project.  
    "We are coming up with new stuff, and the bad guys will look at it. We
    are staying ahead of 99 percent of the crowd."
    
    Honeypots solve a major problem of intrusion-detection systems, which
    frequently flag innocuous network traffic as a potential attack. These
    "false positives," as they're called, make the systems difficult to
    manage. They also create a "crying wolf" situation, in which genuine
    threats can be overlooked.
    
    Honeypots can solve the problem because they only detect data sent to
    a specific server--one that, because it's fake, shouldn't have any
    data sent to it at all.
    
    "Honeypots have no authorized activity, so if anyone interacts with
    (one) then you know (the interaction) is most likely malicious," said
    Spitzner, adding that such considerations make the warnings generated
    by honeypots very valuable.
    
    That value was demonstrated recently when security company Digital
    Defense caught an attacker trying to compromise a system that was
    essentially a honeypot, said HD Moore, a security consultant for the
    company. The system had been set up for a single purpose, and when an
    online intruder started sending other commands to it, Moore knew
    something was up.
    
    By observing the attack, the security consultant discovered that the
    intruder had gotten access to the system by way of a previously
    unknown flaw in Samba, a widely used open-source program for sharing
    Windows files between Unix and Linux systems.
    
    "As long as the honeypot looks like a target that is interesting,
    (attackers) will use a zero-day exploit to get access," Moore said. A
    zero-day exploit is a program that takes advantage of a flaw that
    hasn't yet been uncovered by developers, security professionals or
    others. Honeypots can thus help uncover such flaws before they're used
    to do any real damage.
    
    The changes to the Honeynet Project's honeypot system make it easier
    to manage and harder to detect.
    
    Because attackers generally encrypt their communications with a
    compromised server after successfully breaking in, the group has
    modified the operating system used with its system--currently
    Linux--to enable it to parrot the commands back to the administrator.  
    Essentially a wiretap, the function lets administrators see any
    commands the operating system receives, regardless of whether the
    network connection carrying them was encrypted.
    
    "Bad guys are all using encryption now," said Spitzner. "Even if you
    don't have encryption on your system, the bad guys will install it for
    you."
    
    Moreover, the technology has been tweaked to prevent intruders from
    using the honeypot itself as a platform of attack. Any attacks sent
    out by the honeypot system to other computers will have a single byte
    modified to break the attack.
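A toy model of the two controls the article describes: inbound contact with a decoy is always an alert (there is no authorized activity), and outbound traffic from the decoy that matches an attack pattern has exactly one byte altered so the attack fails while the session otherwise looks normal to the intruder. This is an added example, not Honeynet Project code; the decoy addresses, the signatures and the flow records are constructed stand-ins.

```python
"""Constructed model of honeypot alerting and outbound data control."""
import re

HONEYPOTS = {"10.0.0.5", "10.0.0.6"}  # constructed decoy addresses

# Constructed stand-in patterns; not real IDS rules.
OUTBOUND_SIGNATURES = {
    "fake-shell": re.compile(rb"/bin/sh"),
    "fake-cmd":   re.compile(rb"cmd\.exe"),
}


def classify_inbound(dst_ip, src_ip, payload):
    """A decoy has no legitimate users, so any inbound contact is an alert."""
    if dst_ip in HONEYPOTS:
        return {"alert": True, "src": src_ip, "dst": dst_ip,
                "reason": "unsolicited contact with decoy",
                "bytes": len(payload)}
    return {"alert": False}


def neutralize_outbound(src_ip, payload):
    """Break an outbound attack from a decoy by changing a single byte.

    Returns (payload_to_forward, signature_name). The byte in the middle
    of the matched region is XORed with 0x01, so length and framing are
    unchanged and only one byte differs from the original.
    """
    if src_ip not in HONEYPOTS:
        return payload, None
    for name, pattern in OUTBOUND_SIGNATURES.items():
        m = pattern.search(payload)
        if m:
            buf = bytearray(payload)
            idx = m.start() + (m.end() - m.start()) // 2
            buf[idx] ^= 0x01
            return bytes(buf), name
    return payload, None


def process_flows(flows):
    """Run both controls over constructed (src, dst, payload) records."""
    events = []
    for src, dst, payload in flows:
        inbound = classify_inbound(dst, src, payload)
        if inbound["alert"]:
            events.append(("inbound-alert", src, dst))
        forwarded, sig = neutralize_outbound(src, payload)
        if sig is not None:
            events.append(("outbound-neutralized", src, dst, sig, forwarded))
    return events
```

In the project's actual setup this role was played by an inline packet filter in front of the honeynet; the functions here only show the decision logic.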
    
    The honeypot setup also includes software to spoof responses back to
    commonly used mapping software, so that the decoy system can pretend
    to be anything from a single system to a large network.
    
    In addition, a new utility called Honey Inspector, set to be released
    in a few weeks, allows honeypots to be managed and analyzed through a
    graphical user interface. Finally, in three to six months, the
    Honeynet Project expects to release a bootable CD-ROM that will make
    installing its version of a honeypot easy.
    
    Spitzner also said more features are under development.
    
    "Honeypots are really at the beginning, there are a lot more advances
    coming," Spitzner said, likening the current stage of honeypot
    evolution to that of the firewall of five years ago.
    
    Today, even personal computer users run their own firewalls to keep
    out attackers. Soon, online intruders may also have to get by the
    additional confusion sown by honeypots.
    
    


