Nettime-l on Wed, 27 Jun 2001 20:10:08 +0200 (CEST)


[Nettime-bold] Re: <nettime> Honeypots and the Honeynet Project

You wrote:

>[via: Felix Stalder <>]
>From: Bruce Schneier <>
>CRYPTO-GRAM June 15, 2001
>Back issues are available at
>       Honeypots and the Honeynet Project
>
>In warfare, information is power. The better you understand your enemy,
>the more able you are to defeat him. In the war against malicious hackers,
>network intruders, and the other black-hat denizens of cyberspace, the
>good guys have surprisingly little information. Most security
>professionals, even those designing security products, are ignorant of the
>tools, tactics, and motivations of the enemy. And this state of affairs is
>to the enemy's advantage.
>
>The Honeynet Project was initiated to shine a light into this darkness.
>This team of researchers has built an entire computer network and
>completely wired it with sensors. Then it put the network up on the
>Internet, giving it a suitably enticing name and content, and recorded
>what happened. (The actual IP address is not published, and changes
>regularly.) Hackers' actions are recorded as they happen: how they try to
>break in, when they are successful, what they do when they succeed.
>
>The results are fascinating. A random computer on the Internet is scanned
>dozens of times a day. The life expectancy of a default installation of
>Red Hat 6.2 server, or the time before someone successfully hacks it, is
>less than 72 hours. A common home user setup, with Windows 98 and file
>sharing enabled, was hacked five times in four days. Systems are subjected
>to NetBIOS scans an average of 17 times a day. And the fastest time for a
>server being hacked: 15 minutes after plugging it into the network.
>
>The moral of all of this is that there are a staggering number of people
>out there trying to break into *your* computer network, every day of the
>year, and that they succeed surprisingly often. It's a hostile jungle out
>there, and network administrators that don't take drastic measures to
>protect themselves are toast.
>
>The Honeynet Project is more than a decoy network of computers; it is an
>ongoing research project into the modus operandi of predatory hackers. The
>project currently has about half a dozen honeynets in operation. Want to
>try this in your own network? Several companies sell commercial versions,
>much simpler, of what the Honeynet Project is doing. Called "honeypots,"
>they are designed to be installed on an organization's network as a decoy.
>In theory, hackers find the honeypot and waste their time with it, leaving
>the real network alone.
>
>I am not sold on this as a commercial product. Honeynets and honeypots
>need to be tended; they're not the kind of product you can expect to work
>out of the box. Commercial honeypots only mimic an operating system or
>computer network; they're hard to install correctly and much easier to
>detect than the Honeynet Project's creations. And what's the point? You'd
>be smarter to monitor activity on your real network and leave off the
>honeypot. If you're interested in learning about hackers and how they
>work, by all means purchase a honeypot and take the time to use it
>properly. But if you're just interested in protecting your own network,
>you'd be better off spending the time on other things.
>
>The Honeynet Project, on the other hand, is pure research. And I am a
>major fan. The stuff they produce is invaluable, and there's no other
>practical way to get it. When an airplane falls out of the sky, everyone
>knows about it. There is a very public investigation, and any airline
>manufacturer can visit the National Traffic Safety Board and read the
>multi-hundred-page reports on all recent airline crashes. And any airline
>can use that information to design better aircraft. When a network is
>hacked, it almost always remains a secret. More often than not, the victim
>has no idea he's been hacked. If he does know, there is enormous market
>pressure on him not to go public with the fact. And if he does go public,
>he almost never releases detailed information about how the hack happened
>and what the results were.
>
>This paucity of real information makes it much harder to design good
>security products. The Honeynet Project team is working to change that. I
>urge everyone involved in computer security to visit their Web site. Great
>stuff, and it's all real.
>
>The "Know Your Enemy" series of essays:
>** *** ***** ******* *********** *************
>Copyright (c) 2001 by Counterpane Internet Security, Inc.
>#  distributed via <nettime>: no commercial use without permission
>#  <nettime> is a moderated mailing list for net criticism,
>#  collaborative text filtering and cultural politics of the nets
>#  more info: and "info nettime-l" in the msg body
>#  archive: contact:

Nettime-bold mailing list
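Added example, not part of the quoted essay or of the Honeynet Project's own tooling: a minimal honeypot sensor of the kind the essay describes, one that accepts connections on a decoy port, records who connected and what they sent without ever answering, and then turns the records into the per-day scan rate the essay quotes (its "NetBIOS scans an average of 17 times a day"). The choice of decoy ports, the record layout and the two days of sample records are constructed assumptions for this example.

```python
import socket
from collections import Counter
from datetime import datetime, timezone

# Decoy services to expose. Port 139 (NetBIOS session) is the scan type the
# essay counts; adding telnet on 23 is an assumption for this example.
DECOY_PORTS = {139: "netbios-ssn", 23: "telnet"}

def record_event(port, src_ip, first_bytes, ts):
    """One sensor record: when, from where, which decoy service, what was sent."""
    return {"day": ts.date().isoformat(), "ts": ts.isoformat(), "src": src_ip,
            "port": port, "service": DECOY_PORTS.get(port, "unknown"),
            "probe": first_bytes[:64].hex()}  # keep only a prefix of the payload

def handle(conn, addr, port, sink):
    """Capture the first bytes of one connection, log it, close. Never answer."""
    conn.settimeout(3)
    try:
        data = conn.recv(512)
    except OSError:  # socket.timeout is a subclass of OSError
        data = b""
    finally:
        conn.close()
    sink.append(record_event(port, addr[0], data, datetime.now(timezone.utc)))

def serve(port, sink, bind="0.0.0.0"):
    """Listen on one decoy port and log every connection into sink (a list)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        handle(conn, addr, port, sink)

def daily_scan_rate(records):
    """Average probes per calendar day for each decoy service."""
    days = {r["day"] for r in records}
    totals = Counter(r["service"] for r in records)
    return {svc: n / len(days) for svc, n in totals.items()}

def sample_records():
    """Constructed sensor output covering two days; not real Honeynet data."""
    day1 = datetime(2001, 6, 1, tzinfo=timezone.utc)
    day2 = datetime(2001, 6, 2, tzinfo=timezone.utc)
    recs = [record_event(139, f"192.0.2.{i}", b"\x81\x00\x00D", day1) for i in range(20)]
    recs += [record_event(139, f"198.51.100.{i}", b"", day2) for i in range(14)]
    recs += [record_event(23, "203.0.113.7", b"\xff\xfd\x01", day1) for _ in range(4)]
    return recs
```

Binding port 139 needs privileges and should only be done on a sacrificial host that is watched, which is the "tending" the essay says honeypots require; `daily_scan_rate(sample_records())` returns `{"netbios-ssn": 17.0, "telnet": 2.0}`.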