Honeypots: Building the Better Hacker
Honeypots are usually programs that emulate services on a designated port, but once successfully cracked, offer no real power to the attacker. The honeypot program will then alert the admin that an attack is in progress, and will allow the admin to track the attacker's every move. Honeypots will also show the methods the attacker is using to gain entry, and what methods the attacker is using to cover his or her tracks. In this article, I will show how honeypots work, why honeypots are not generally practical for most security situations, and how honeypots are breeding both smarter crackers and dumber admins.
How Honeypots Work
Honeypots are designed to operate on many levels. They increase the time an attacker will spend cracking because the honeypot makes it unclear which attacks work and which ones don't. They let the admin know what method an attacker is using before they succeeds - such as port scanning, brute forcing a password, or a Sendmail attack. Once honeypots are widely implemented, crackers will be forced to spend more time in a system that may be closely watched, and will eventually be scared off. Also, once xy63r n1nja the script kiddie stops going anywhere near the system, admins can focus all their attention on fending off people with actual skill.
In one of the honeypot advertisements I read, port 365 was being used as the honeypot port. This means that a scan that returns port 365 as active will make the would-be attacker turn and run off, and that systems that are not running the honeypot can use port 365 as a bluff, so that when xy36r n1nja the script kiddie sees it and the system looks sexy, he will be less inclined to go in because he thinks that the vulnerabilities he sees are a deception. According to SecTech systems administrator Dan Adams, honeypots are: "Like opening a fake store, loading it with cool stuff, and sitting back hoping someone will break into it."
Honeypots are catching allot of pretty serious heat from the legal and ethical community. Some critics are calling honeypots entrapment. Let me clear this up for you. Entrapment occurs when a person is coerced to commit a crime that they would not under normal circumstances engage in. It's going to be next to impossible for poor xy63r n1nja to use an entrapment defense in court, because by the time po po shows up, it will be obvious he was lame-assing around of his own accord. However, if a crafty admin goes on IRC and tells everyone that his honeypot is actually the fabled government computer that holds the truth about the Kennedy assassination, Area 51, and ancient methods of dolphin flogging and people hack him, then an entrapment defense would stand a chance. The reason is that the admin could never prove that xy63r n1nja and his crew were going to hack his system without being enticed. Other critics say that honeypots are akin to electronic wiretapping. This I can agree with. Since there is not much legal regulation of honeypot technology, and the closest legal procedures are loose at best, some very scary things could happen.
Other companies could expand the basic thrust of the technology, perhaps into the P2P networks. At that point it would be us, the hacker community, that stands up and tells the world that this is a gross invasion of privacy. Then, pretty much just like the MPAA did to us, all they would conceivably have to say is: "Consider the source your honor. Hackers want this technology stopped. Hackers are criminals. You don't want to side with criminals do you? We are here to protect the American people from hackers, and we need you to be brave and give us the power to shut these nasty people down." Then in all likelihood, the corporations would roll right over us again. I don't think it takes a major leap of logic to see that this is where honeypot technology, or more specifically, technology that clearly violates people's rights under the guise of protection, could be headed. Also, I don't trust the "good guys" any farther than I can throw them. We need to put a handle on the situation before the "security community" gets any ideas on how to further expand their powers past our rights on the backs of the hacker community they demonize to get their way.
Why Honeypots are Not Practical for Everyone
The good news is that honeypots are not a true "solution." Using a honeypot to fish for crackers isn't where the power of the honeypot is. The best application for a honeypot is to track an intruder that has already made a home in the system. The most noteworthy case of this happening was documented by Clifford Stoll in his book The Cuckoo's Egg." Stoll was an admin at Berkeley when he found an intruder using his system to steal secrets. But only an admin who has been around the block a few times and watches his system often can make full use of honeypots. Apart from that, over 90% of attacks against a system come from inside, and there is nothing a honeypot can do to stop someone who has internal access from running amok.For the average company, the extent of a honeypot's effectiveness is to keep xy63r n1nja and the rest of the script kiddies away, and to show that there is a real threat of people breaking into the system. It is almost unheard of, that a honeypot traps someone with real skill because it is designed to keep the kiddies at bay.
Better Crackers/Dumber Admins
In the digital arms race that is crackers vs. admins, tightening the existing security holes will only force the crackers to get better, while the admins get complacent. Most admins are only slightly better than good 'ole xy63r n1nja in the first place - they get the latest and greatest piece of ready-made software and call themselves experts. What is bound to happen in the majority of the situations is that a company sets up a honeypot and never bothers to spend the time it takes to maximize its effectiveness. Of course, the true answer is for admins and software programmers to actually take a little pride in their work and do their jobs properly. Also, it would help if software companies would take some responsibility when they find security holes in their product and to update accordingly. System admins should also feel obligated to keep their software current, and to make sure nobody within their company is given more access than they need.
Shout outs: stankdawg, grifter, debug, project honeynet, and an apology if anybody actually uses the name xy63r n1nja.