Bruce Schneier on Wed, 27 Jun 2001 05:56:25 +0200 (CEST)



[Nettime-bold] Honeypots and the Honeynet Project


[via: Felix Stalder <stalder@fis.utoronto.ca>]

CRYPTO-GRAM June 15, 2001
Back issues are available at
<http://www.counterpane.com/crypto-gram.html>.

<...>

       Honeypots and the Honeynet Project

In warfare, information is power. The better you understand your enemy,
the more able you are to defeat him. In the war against malicious hackers,
network intruders, and the other black-hat denizens of cyberspace, the good
guys have surprisingly little information. Most security professionals, even
those designing security products, are ignorant of the tools, tactics, and
motivations of the enemy. And this state of affairs is to the enemy's
advantage.

The Honeynet Project was initiated to shine a light into this darkness.
This team of researchers has built an entire computer network and
completely wired it with sensors. Then it put the network up on the
Internet, giving it a suitably enticing name and content, and recorded what
happened. (The actual IP address is not published, and changes regularly.)
Hackers' actions are recorded as they happen: how they try to break in,
when they are successful, what they do when they succeed.

The results are fascinating. A random computer on the Internet is scanned
dozens of times a day. The life expectancy of a default installation of Red
Hat 6.2 server, or the time before someone successfully hacks it, is less
than 72 hours. A common home user setup, with Windows 98 and file sharing
enabled, was hacked five times in four days. Systems are subjected to
NetBIOS scans an average of 17 times a day. And the fastest time for a
server being hacked: 15 minutes after plugging it into the network.

The moral of all of this is that there are a staggering number of people
out there trying to break into *your* computer network, every day of the
year, and that they succeed surprisingly often. It's a hostile jungle out
there, and network administrators that don't take drastic measures to
protect themselves are toast.

The Honeynet Project is more than a decoy network of computers; it is an
ongoing research project into the modus operandi of predatory hackers. The
project currently has about half a dozen honeynets in operation. Want to
try this in your own network? Several companies sell commercial versions,
much simpler, of what the Honeynet Project is doing. Called "honeypots,"
they are designed to be installed on an organization's network as a decoy.
In theory, hackers find the honeypot and waste their time with it, leaving
the real network alone.
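The principle behind both a honeynet sensor and a commercial decoy is simple: the machine offers no real service, so every connection it receives is unsolicited and worth recording. The following is an added illustration of that idea, written for this page; it is not code from Crypto-Gram or from the Honeynet Project. It is a minimal low-interaction TCP sensor that sends a fake banner, logs who connected and what they sent first, and then aggregates the log into the kind of figures the essay quotes (touches per day, touches per source). The banner text, the port 2525 and the sample log lines are constructed for the example.

```python
"""Minimal low-interaction honeypot sensor (added example, not Honeynet
Project code).  A decoy runs no real service, so every touch is suspicious
by construction; the sensor's job is simply to record it faithfully."""
import json
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Banner the decoy sends; hypothetical, chosen to look like an SMTP service.
BANNER = b"220 mail.example.net ESMTP ready\r\n"


def handle_connection(conn, addr, sink, banner=BANNER):
    """Record one touch of the decoy.

    Sends a banner, captures whatever the peer sends first, closes the
    socket, and hands one JSON log line to `sink`.  Returns the event dict.
    """
    ts = datetime.now(timezone.utc).isoformat()
    data = b""
    try:
        conn.settimeout(5)
        conn.sendall(banner)
        data = conn.recv(256)
    except (OSError, socket.timeout):
        pass  # a bare TCP probe that disconnects at once is still worth logging
    finally:
        conn.close()
    event = {
        "ts": ts,
        "src": addr[0],
        "sport": addr[1],
        "first_bytes": data[:64].hex(),  # hex keeps binary payloads log-safe
    }
    sink(json.dumps(event))
    return event


def serve(host, port, sink, stop_event):
    """Accept connections on the decoy port until stop_event is set."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.5)  # wake up periodically to check stop_event
    try:
        while not stop_event.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(
                target=handle_connection, args=(conn, addr, sink), daemon=True
            ).start()
    finally:
        srv.close()


def summarize(log_lines):
    """Aggregate JSON log lines into touches per calendar day, touches per
    source address, and the daily average."""
    per_day = Counter()
    per_src = Counter()
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        per_day[ev["ts"][:10]] += 1  # ISO timestamp: first 10 chars are the date
        per_src[ev["src"]] += 1
    total = sum(per_day.values())
    return {
        "per_day": dict(per_day),
        "per_src": dict(per_src),
        "avg_per_day": total / len(per_day) if per_day else 0.0,
    }


# Constructed sample log lines (not real Honeynet Project data); the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '{"ts": "2001-06-01T03:12:44+00:00", "src": "203.0.113.7", "sport": 40001, "first_bytes": "45484c4f"}',
    '{"ts": "2001-06-01T09:40:02+00:00", "src": "198.51.100.23", "sport": 51234, "first_bytes": ""}',
    '{"ts": "2001-06-01T22:05:19+00:00", "src": "203.0.113.7", "sport": 40102, "first_bytes": "48454c4f"}',
    '{"ts": "2001-06-02T01:57:31+00:00", "src": "192.0.2.200", "sport": 3345, "first_bytes": ""}',
]


if __name__ == "__main__":
    # Stand-alone use: listen on an unprivileged decoy port and append one
    # JSON line per connection to honeypot.log until interrupted.
    stop = threading.Event()
    with open("honeypot.log", "a") as fh:
        def sink(line):
            fh.write(line + "\n")
            fh.flush()
        try:
            serve("127.0.0.1", 2525, sink, stop)
        except KeyboardInterrupt:
            stop.set()
```

Run as a script it listens on 127.0.0.1:2525 and appends one JSON line per connection to honeypot.log; feeding that file's lines to summarize() gives per-day and per-source counts. The sensor never interprets what it receives, which is the point of a low-interaction decoy: it exposes no real code path for a visitor to exercise, and anything that touches it is by definition not legitimate traffic, so the log needs no filtering before it is useful.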

I am not sold on this as a commercial product. Honeynets and honeypots need
to be tended; they're not the kind of product you can expect to work out of
the box. Commercial honeypots only mimic an operating system or computer
network; they're hard to install correctly and much easier to detect than
the Honeynet Project's creations. And what's the point? You'd be smarter to
monitor activity on your real network and leave off the honeypot. If you're
interested in learning about hackers and how they work, by all means
purchase a honeypot and take the time to use it properly. But if you're
just interested in protecting your own network, you'd be better off
spending the time on other things.

The Honeynet Project, on the other hand, is pure research. And I am a major
fan. The stuff they produce is invaluable, and there's no other practical
way to get it. When an airplane falls out of the sky, everyone knows about
it. There is a very public investigation, and any airline manufacturer can
visit the National Traffic Safety Board and read the multi-hundred-page
reports on all recent airline crashes. And any airline can use that
information to design better aircraft. When a network is hacked, it almost
always remains a secret. More often than not, the victim has no idea he's
been hacked. If he does know, there is enormous market pressure on him not
to go public with the fact. And if he does go public, he almost never
releases detailed information about how the hack happened and what the
results were.

This paucity of real information makes it much harder to design good
security products. The Honeynet Project team is working to change that. I
urge everyone involved in computer security to visit their Web site. Great
stuff, and it's all real.

<http://project.honeynet.org>

The "Know Your Enemy" series of essays:
<http://project.honeynet.org/papers/>

Articles:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html>
<http://news.cnet.com/news/0-1014-201-5784065-0.html>
<http://www.linuxsecurity.com/feature_stories/feature_story-84.html>
<http://www.computerworld.com/rckey73/story/0,1199,NAV63_STO59072,00.html>


** *** ***** ******* *********** *************

<....>

Copyright (c) 2001 by Counterpane Internet Security, Inc.


