Tracking Hackers 87
"Honeypots: Tracking Hackers" | |
author | Lance Spitzner |
pages | 480 |
publisher | AWL |
rating | 5/5 |
reviewer | Anton Chuvakin, Ph.D, GCIA |
ISBN | 0321108957 |
summary | using honeypots to track electronic intruders |
The structure of the book is different from the "Know Your Enemy": Lance starts from the very beginning - namely, his first honeypot penetration experience and then goes on to talk about all aspects of honeypots. In-depth and structured background on honeypot technology is provided. Honeypots are sorted by the level of interaction with attacker they are able to provide.
In addition, the book covers the business benefits of using honeypots. By classifying the value of honeypots into prevention, detection and response (exactly as done in Honeynet Project white papers) Lance Spitzner analyzes the honeypot technology contributions to an overall security posture. Also, the book describes the differences between the research and production honeypots and demonstrates the benefits of both for various deployment scenarios.
A good part of the book is devoted to particular honeypot solutions: 'honeyd' by Niels Provos and several commercial honeypots with detailed explanation of how they work. For example, there is a clear description of ARP spoofing and how it is used by the 'honeyd' honeypot daemon. An interesting chapter on "homegrown" honeypot solutions (such as the ones used to capture popular worms of 2001) sheds some light on the simplest honeypots that can be built for specific purposes, such as to capture a popular attack by means of a simple port listener. Use of UNIX chroot() jail environment for honeypots is also analyzed.
Of course, a special chapter is devoted to honeynets - Project's primary weapon in a war against malicious hackers. The Generation II (GenII) honeynet technology is first introduced in a book. The chapter not only lists honeynet deployment and maintenance suggestions, but also talks about the risks of honeynets.
Another great feature of the book is a chapter on honeypot implementation strategies and methods, such as using NAT to forward traffic to a honeypot and DMZ honeypot installation. The information is then further demonstrated using the two full honeypot case studies, from planning to operation.
What is even more important, maintaining the honeypot architecture is covered in a separate chapter. Honeypots are a challenge to run, mainly since no 'lock it down and maintain state' is possible. One has to constantly build defenses and hide and dodge attacks that cannot be defended against.
"Tracking hackers" also has a "Legal Issues" chapter, written with a lot of feedback from the DoJ official. It dispels some of the misconceptions about the honeypots such as the "entrapment" issue, summarizes wiretap laws and related data capture problems.
The book describes an almost cutting edge of the honeypot research and technology. To truly get the cutting edge and to know about the Honeynet Project latest activities in detail, wait for the second edition of "Know Your Enemy" (coming out next year). In "Tracking Hackers" Lance makes some predictions about honeypots in "Future of Honeypots" chapter. Honeypot-based early warning system and distributed deployments, analysis of new threats and expanding research applications, making honeypots easier to deploy and maintain are all in this chapter.
To conclude, Marcus Ranum's enthusiastic preface is not an overstatement, it is indeed a great book for both security professionals and others interested in this exciting technology. While I was already familiar with most of the information in the book, it was a fascinating read! This is the kind of book you don't want or even cannot put down until the last page is turned.
Anton Chuvakin, Ph.D., GCIA (http://www.chuvakin.org) is a Senior Security Analyst with a major security company.
You can purchase Honeypots: Tracking Hackers from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Use of honeypots (Score:4, Insightful)
Re:Use of honeypots (Score:1, Informative)
Unless you are in the security software biz, honeynets are a complete waste of money.
Re:Use of honeypots (Score:2, Insightful)
Or maybe not. Otherwise, I pretty much agree with your post. Not only does this seem like an expensive waste of time, but potentially dangerous if some idiot comes along and misconfigures the honeypot (or if an idiot put it up in the first place). Unless your workplace is idiot-free. Then it would be OK.
Re:Use of honeypots (Score:1)
Re:Use of honeypots (Score:2, Insightful)
This is all about where you place the honeypot. Place the honeypot where it has no more access to your important network than a random computer on the internet would have had. In that case your network is no more vulnurable with the honeypot than without.
Placing the honeypot in an important network behind your firewall is plain stupid. Placing the honeypot outside the firewall is acceptable. Placing the honeypot in a DMZ zone with nothing else is also acceptable, if the firewall is configured correctly. If the extra leg on the firewall causes more bugs in the setup, two independend firewalls would have been better.
Re:Use of honeypots (Score:2, Funny)
Perhaps they just sound like really good idea on a lonely Saturday night.
Re:Use of honeypots (Score:1)
Re:Use of honeypots (Score:1)
Re:Use of honeypots - for educational purposes (Score:2, Insightful)
Re:Use of honeypots (Score:2)
As for using a honeypot with known vulns. I think it is an ok way to learn but a dangerous one. My honeypots only capture the exploit and then lock out the cracker.
How many arrests? (Score:4, Insightful)
There's a tendency in what passes for a computer security community today to focus on the most numerous threats, rather than the most effective one. Maybe there's only one hit a month from the guy who's breaking in and reading your credit card number file, but that's the person you need to find.
Re:How many arrests? (Score:1)
Re:How many arrests? (Score:3, Informative)
Perhaps a honeynet on it's own is not terribly useful to the general population. However, the documentation, case studies and other material provided by this SPECIFIC honeynet project has enormous value. Their whitepapers [honeynet.org] are a very thorough look at real life hacking situations. I could see university classes formed based upon the research and publishing they have done.
As everybody knows, theory is great but real world examples can be just as, if not more, valuable. And here we have a project that has provided those examples.
Re:How many arrests? (Score:5, Insightful)
This is Soooo Year 2002 thinking.
How 'bout
Is this actually leading to less cracked systems? If so, we need more honeypots; if not, it's a waste of time
Guys, wake up, the whole point is not to arrest people doing bad things. The points is stopping those bad things from happening.
Re:How many arrests? (Score:2)
More common than not is deploying the honeypot internally as something like "finance server 1" or something similarly obvious. Usually it's not someone breaking in to get the credit card file, it's someone already in who's digruntled, or perhaps a little too curious for their own good.
Re:How many arrests? (Score:4, Insightful)
Is this actually leading to arrests? If so, we need more honeypots; if not, it's a waste of time.
Honeypots provide a way for people to learn how to deal with an incident on the real servers they protect. Just like emergency personnel hold disaster preparedness drills, just as the US Military stages large red team exercises in the desert, just as medical students use cadavers to learn what they're doing before they cut into a live patient.
Let's face it - when your database server gets compromised, do you want the guy responding to thrash around, destroy evidence and erase tracks, and generally screw up the response? Or do you want him to do a careful, correct job?
Honeypots are where admins learn NOT to run around like a chicken with their head cut off.
Hit count, not arrest count. (Score:2, Funny)
I want to know how many kneecappings and crushed hands have resulted from skript kiddiez going after the wrong targets.
Teach the ankle-biters to steer clear of networks owned (in all senses of the word) by Guido and "doze computer-talking guys dat be wit us, watchacall'em, geeks or sumthin? fuggetabout'it."
Hit count takes on a whole new meaning in this context,
Capice?
Disclaimer IANAMM (I am not a made man, but my brother-in-law was, at least until they found him stuffed in the trunk of his caddy)
I love the books (Score:1)
"honeypot penetration experience" (Score:5, Funny)
honeypot penetration experience
*sigh* I remember mine fondly too...
Great Name.... (Score:1)
for a hippy/hacker band.
Ladies and gentlemen, please welcome the Honeypot Penetration Experience!
Didn't I read this on alt.sex.erotica? (Score:1, Redundant)
yow. interesting topic to start off a book on hackers.
not available yet (Score:1, Troll)
publication has been delayed on books reviewed here, this would be a valuable add-on category for the
review.
Silly ole' bear (Score:2, Funny)
You mean Pooh never really got his head stuck in one of those things?
That's CRAKCERS not HACKERS (Score:4, Insightful)
Get it right. Crackers are the criminals. Hackers are law abiding citizens who are also computer experts.
Re:That's CRAKCERS not HACKERS (Score:1)
Except amongst dog afficionados, i.e. professional dog breeders and those Westminster(sp?) Kennel Club types.
Allowing pop-culture language to take over the specialized vernacular of a special interest group is as foolish as to expect the general public to directly adopt the language of a special interest group. By muddying the meaning of the word "hacker" and letting "cracker" fall into obscurity, you're making efficient communication more difficult.
If Slashdot wants to be "corerct for nerds" the differences between hacker and cracker should stand. If just pop-culture is desired, hacker is good by itself.
Please don't feed trolls. (Score:1)
Re:That's CRAKCERS not HACKERS (Score:1)
Re:That's CRAKCERS not HACKERS (Score:1)
Hes ensuring accurate communication is conducted.
Hackers == Crackers only in pop-culture, and this is a nerd culture so the proper name for those people should be used. CRACKERS!
Re:That's CRAKCERS not HACKERS (Score:1)
Re:That's CRAKCERS not HACKERS (Score:2)
-my $.02
Re:That's CRAKCERS not HACKERS (Score:1)
So should we get it or not? (Score:1)
If I don't want it, why is your review so enthusiastic?
Re:So should we get it or not? (Score:1)
"This is the kind of book you don't want (...) to put down until the last page is read."
Not gunna happen. (Score:1)
Stoll did it too... (Score:1)
Well thats timely! (Score:1)
Word to the wise, dont over look the allow anonymous logons in IIS / FTP. Better pay more attention to the setup in future!
Re:Well thats timely! (Score:1)
If a children's toy (PS2 running Linux :) is more secure than your server (running a toy OS), you've got worse problems than a lack of attention!
Academic Value? (Score:2, Interesting)
Do honeypots have any value for teaching security experts? Could the study of crackers and cracking techniques ever belong outside the Sociology Dept. at a university?
I can certainly envision course projects surrounding the analysis of a real honeypot or perhaps a system that has been compramised by the teacher. But would this actually help the students or would they be better off learning in a more theoretical fashion? (Because cracking is too variable and changes too quickly for the study of specific techniques to be of value.)
Real world applications? (Was "Academic Value?") (Score:2)
Detectives study the behavior of criminals, The FBI studies the behavior of terrorists, ROTC students study the behavior of attacking armies, and network security analysts study the behavior of crackers.
Not every cop is a "Criminologist", not every sysadmin needs to be a "Security Analyst".
Re:Academic Value? (Score:1)
Use the kata system: have student set up a honeypot, updated and "secure".
Nugatory its security/function in some way, giving them concrete experience, have 'em set it up again, secure. Nugatory it in some different way. They're warned that it's going to be defeated, yet the experience of having to discover when/what/where/how it was defeated creates vigilance-meaningfulness in their mind. Book-knowing cannot do this. Ever.
( back to the kata-system ) When they've got the hang of dealing with one compromise at a time, hit 'em with a multi-compromise script using some group of problems that will test ( but not panic/break ) 'em. Do it again, using different combos, mixing 'em up, designing the choice-of-attacks so that they get to deal with as fundamentally diverse a group of attacks as possible ( rather than 20 variations of a single motif )
Book-knowing and theory don't deeply convince, and cannot convince, in ways that change living-expression ( compared with concrete experience -- just compare someone who's "read about" grief with someone who's embedded in it: one knowing doesn't change one's Mind, the other deeply/really does ).
Biased review? (Score:1)
Although the review seems pretty interesting, don't you think that it might be a little biased? He is doing a talk [frallc.com]on a conference lead by Lance Spitzner pretty soon. (Look for COUNTER-INTELLIGENCE IN INTERNET SECURITY: HONEYPOT BEST PRACTICES)
tracking hackers is easy for the slashdot crowd (Score:2)
Got one here (Score:5, Funny)
It was supposed to be our corporate web server, but our sysadmin is a dolt.
Pre-Order Only (Score:2, Informative)
You have to place an advance order and wait a month and a bit till it comes out.
Amazon.com has a cheaper price ($31.49) and an early release date (Sept 20th) than Barnes&Noble.com ($35.99, release Sept 27th).
Looking forward on reading it :-)
Re:Come and get me. (Score:1)
Entrapment Issue? (Score:2)
If someone gets stuck in a honeypot, he ordinarily would've been attempting to scan my system...