| Nettime-l on Wed, 27 Jun 2001 20:10:08 +0200 (CEST) |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| [Nettime-bold] Re: <nettime> Honeypots and the Honeynet Project |
You wrote: >[via: Felix Stalder <felix@openflows.org>] > > >From: Bruce Schneier <schneier@counterpane.com> >CRYPTO-GRAM June 15, 2001 >Back issues are available at ><http://www.counterpane.com/crypto-gram.html>. > ><...> > > Honeypots and the Honeynet Project > > In warfare, information is power. The better you understand your enemy, >the more able you are to defeat him. In the war against malicious hackers, >network intruders, and the other black-hat denizens of cyberspace, the >good guys have suprisingly little information. Most security >professionals, even those designing security products, are ignorant of the >tools, tactics, and motivations of the enemy. And this state of affairs is >to the enemy's advantage. > >The Honeynet Project was initiated to shine a light into this darkness. >This team of researchers has built an entire computer network and >completely wired it with sensors. Then it put the network up on the >Internet, giving it a suitably enticing name and content, and recorded >what happened. (The actual IP address is not published, and changes >regularly.) Hackers' actions are recorded as they happen: how they try to >break in, when they are successful, what they do when they succeed. > >The results are fascinating. A random computer on the Internet is scanned >dozens of times a day. The life expectancy of a default installation of >Red Hat 6.2 server, or the time before someone successfully hacks it, is >less than 72 hours. A common home user setup, with Windows 98 and file >sharing enabled, was hacked five times in four days. Systems are subjected >to NetBIOS scans an average of 17 times a day. And the fastest time for a >server being hacked: 15 minutes after plugging it into the network. > >The moral of all of this is that there are a staggering number of people >out there trying to break into *your* computer network, every day of the >year, and that they succeed surprisingly often. It's a hostile jungle out >there, and network administrators that don't take drastic measures to >protect themselves are toast. > >The Honeynet Project is more than a decoy network of computers; it is an >ongoing research project into the modus operandi of predatory hackers. The >project currently has about half a dozen honeynets in operation. Want to >try this in your own network? Several companies sell commercial versions, >much simpler, of what the Honeynet Project is doing. Called "honeypots," >they are designed to be installed on an organization's network as a decoy. >In theory, hackers find the honeypot and waste their time with it, leaving >the real network alone. > >I am not sold on this as a commercial product. Honeynets and honeypots >need to be tended; they're not the kind of product you can expect to work >out of the box. Commercial honeypots only mimic an operating system or >computer network; they're hard to install correctly and much easier to >detect than the Honeynet Project's creations. And what's the point? You'd >be smarter to monitor activity on your real network and leave off the >honeypot. If you're interested in learning about hackers and how they >work, by all means purchase a honeypot and take the time to use it >properly. But if you're just interested in protecting your own network, >you'd be better off spending the time on other things. > >The Honeynet Project, on the other hand, is pure research. And I am a >major fan. The stuff they produce is invaluable, and there's no other >practical way to get it. When an airplane falls out of the sky, everyone >knows about it. There is a very public investigation, and any airline >manufacturer can visit the National Traffic Safety Board and read the >multi-hundred-page reports on all recent airline crashes. And any airline >can use that information to design better aircraft. When a network is >hacked, it almost always remains a secret. More often than not, the victim >has no idea he's been hacked. If he does know, there is enormous market >pressure on him not to go public with the fact. And if he does go public, >he almost never releases detailed information about how the hack happened >and what the results were. > >This paucity of real information makes it much harder to design good >security products. The Honeynet Project team is working to change that. I >urge everyone involved in computer security to visit their Web site. Great >stuff, and it's all real. > ><http://project.honeynet.org> > >The "Know Your Enemy" series of essays: ><http://project.honeynet.org/papers/> > >Articles: ><http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html> ><http://news.cnet.com/news/0-1014-201-5784065-0.html> ><http://www.linuxsecurity.com/feature_stories/feature_story-84.html> ><http://www.computerworld.com/rckey73/story/0,1199,NAV63_STO59072,00.html> > > >** *** ***** ******* *********** ************* > ><....> > >Copyright (c) 2001 by Counterpane Internet Security, Inc. > > > > > ># distributed via <nettime>: no commercial use without permission ># <nettime> is a moderated mailing list for net criticism, ># collaborative text filtering and cultural politics of the nets ># more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body ># archive: http://www.nettime.org contact: nettime@bbs.thing.net > _______________________________________________ Nettime-bold mailing list Nettime-bold@nettime.org http://www.nettime.org/cgi-bin/mailman/listinfo/nettime-bold