3.4.3  Honey Pots

Honey Pot Projects

Entire Internet projects such as Lance Spitzner’s Honeynet Project [341] revolve around using honey pots to study black hats in their native habitat (out in what looks like “the wild”).

For more information about the Honeynet Project, including accounts of some attacks staged against it and how the Honeynet team reacted to them, see Know Your Enemy [342], by The Honeynet Project.

Honey Pot Thoughts

In an email exchange with Tcat, Fred Cohen was asked about his honey pot, the Deception Tool Kit (DTK). The following is reprinted with Mr. Cohen’s permission:

“I will share some of mine...

I am amazed that the bad guys have not come up with some DTK detector.

There are thousands of folks using the same DTK that came out 3+ years ago - me included - and I am flabbergasted at how many things it catches considering how simple and basic it is. I cannot believe how many people end up trying things 5 or 6 times before moving along. I figured it would be a program I would have to update constantly, but it turns out that it's not necessary in order to do its present function.

I am interested in what people think the next generation should be. I am working on several related things and am looking for any burning desires from the readership.

FC”


While most honey pots, including those at the Honeynet Project, have traditionally been UNIX-based, there are also tools for setting up honey pots on Windows systems. These even include decoy servers such as the free-for-personal-use BackOfficer Friendly from NFR [343], which simulates popular Trojan servers like BackOrifice but logs their requests instead of acting on them.
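To make the log-instead-of-act idea concrete, here is an added example (not code from DTK, NFR, or this guide) of a minimal low-interaction honey pot in Python: it answers every connection with a constructed fake banner, never acts on the request, and counts attempts per source address so the repeated probing Cohen describes shows up in the log. The port, banner, and log fields are assumptions.

```python
import datetime
import json
import socketserver

# Hypothetical decoy service (added example, not DTK or BackOfficer Friendly).
# It never acts on what it receives: every request is logged and answered
# with the same canned banner, so the sender learns nothing about the host.
FAKE_BANNER = b"220 decoy service ready\r\n"  # constructed, not a real product banner
event_log = []          # in-memory record of observed requests
attempts_by_peer = {}   # requests seen per source address


def handle_request(peer_ip, data, now=None):
    """Log one request from peer_ip and return the canned reply (bytes)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    attempts_by_peer[peer_ip] = attempts_by_peer.get(peer_ip, 0) + 1
    event = {
        "time": now.isoformat(),
        "src": peer_ip,
        "attempt": attempts_by_peer[peer_ip],
        # keep a bounded, printable copy of the payload; it is treated as data only
        "request": data[:128].decode("ascii", "replace"),
    }
    event_log.append(event)
    return FAKE_BANNER


def repeat_offenders(min_attempts=2):
    """Sources that came back more than once, as Cohen observed they often do."""
    return sorted(ip for ip, n in attempts_by_peer.items() if n >= min_attempts)


class DecoyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data = self.request.recv(1024)  # read at most one small request
        self.request.sendall(handle_request(self.client_address[0], data))
        print(json.dumps(event_log[-1]))  # one JSON line per event for a log collector


def serve(port=2121):
    """Listen on a port no legitimate client uses: any hit is worth reviewing."""
    with socketserver.TCPServer(("0.0.0.0", port), DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Because nothing legitimate should ever talk to the decoy, every logged event is a candidate alert rather than noise to be filtered.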

Legal Issues Around Honey Pots

“Luring? Deliberately going out of your way to create a target to attract ne’er-do-wells? What’s our legal department going to say?” The only answer we can give is: we don’t know. Some have claimed that honey pots are a form of entrapment. Others have pointed out that entrapment can only be committed by law enforcement, so random net administrators and security researchers aren’t affected by that regulation.

Additionally, if your honey pot is compromised, and the attacker does make off with information you wish he hadn’t… what do you do then? Does the fact that you set the honey pot up specifically for use by such individuals imply that they might have been (in some legally-defensible way) authorized users of that system and thus broke no privacy rules? It’s tough to say, since we’re still in the early stages of legal precedents in this area. There are enough questions here that, before you set up a honey pot of your own, you would be wise to confer with your legal counsel to determine potential legal ramifications [344].

For more information on honey pots, check the paper by Lance Spitzner mentioned in the footnotes, as well as the http://www.honeynet.org site.


 __________________

[341] http://www.honeynet.org

[342] The Honeynet Project, Know Your Enemy, Addison-Wesley, September 2001, http://www.nerdbooks.com/item.html?id=0201746131

[343] http://www.nfr.net/products/bof

[344] Spitzner, Lance, “Honeypots: Definitions and Value of Honeypots”, http://www.enteract.com/~lspitz/honeypot.html


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.