Honeypots mailing list archives
Re: deceptive content on honeypots
From: Jeremy Bennett <jeremy_f_bennett () yahoo com>
Date: Mon, 31 Mar 2003 16:53:08 -0800 (PST)
Deceptive content is a broad topic. Roughly I'd say that topic includes the following:

* Distributing falsified or deceptive content through valid channels.
* Tagging content with tracers (i.e. HoneyTokens)
* Populating honeypots with believable content

Or any combination of the above.

The first has been done for thousands of years and is really not all that new even in computer security. We've seen fake vulnerabilities published. We've seen fake products advertised. We've seen fake features of real products publicized. This tactic, though, is mostly appropriate when you are planning for the long term. In order to set the field correctly you want to control perceptions.

The second has been discussed for many years as well. It was tagged with the term HoneyTokens on this list a while back. If you've ever had to deal with identity theft you've probably had your credit card numbers put on a watch list. This is a list of numbers that the CC companies maintain. When a card on the list is used alarms go off and an investigation is started even if one normally would not have been based on other factors.

The final one is the one I think is most interesting to this discussion. The idea is to provide content in the honeypot to engage attackers and/or to attract a higher quality set of attackers. If you just plug an unpatched RedHat 7.0 box into the network you'll invariably get a barrage of kiddies. On the other hand if you put up a fully patched Solaris 8 box with very few services running but interesting content you may attract a real hacker. What that interesting content is is the hard part. It is very dependent on what the attacker expects to see. Attacking a CC company you'd expect to find a DB of credit cards. If you're attacking an auto company you expect to find CAD drawings of new cars, etc. For companies deploying high interaction honeypots the best content is probably some derivative of the very content they are trying to protect.
For researchers that content can be anything but must be consistent with the rest of the honeynet. I seem to recall the South Florida HoneyNet was doing some interesting stuff in this area: http://www.sfhn.net. Richard La Bella did a presentation at the Las Vegas HoneyPots conference that detailed a project for a 'Covert Honeynet.' That is a simulated corporation built of many different honeypots containing believable data. I'd be interested to hear if they've developed any tools or techniques to help in this effort.

-J

--- Richard Stevens <mail () richardstevens de> wrote:
>> Hi,
>> I'm researching deception in computer security, and would be
>> delighted to discuss deceptive content-- here or off-line: jjyuill () eos ncsu edu
>
> I would be very interested in discussing that topic, too, so please if there are
> no objections by other list members or Lance, please discuss it openly.
>
> Thanks,
> Richard
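The watch-list mechanism Jeremy describes for tagged content (a HoneyToken card number that trips an alarm the moment it is used anywhere) in working code, as an added example that is not from the original post or from any of the projects mentioned in it. Assumptions made here: honeytokens are Luhn-valid card numbers with a chosen prefix so they pass the same validation a real number would; the watch list holds SHA-256 fingerprints rather than the plaintext numbers so it can be handed to log processors without revealing which records are bait; and the log lines are constructed for the example.

```python
"""Honeytoken card numbers: generate, register on a watch list, and
detect their use in log lines.

Added example, not from the mailing-list post. Token format, watch-list
layout and the sample log lines below are assumptions made for the demo.
"""
import hashlib
import re
import secrets

# Candidate card numbers: either 4x4 groups separated by space/dash, or a
# plain run of 13-19 digits. Anchored on word boundaries so a timestamp or
# an adjacent number does not get glued onto a PAN.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,19}\b")


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string without one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:           # rightmost body digit is doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the full number (with check digit) passes Luhn."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_check_digit(pan[:-1]) == pan[-1]


def generate_honeytoken(prefix: str = "4539", length: int = 16) -> str:
    """Mint a random Luhn-valid bait number with the given issuer prefix (assumed)."""
    body_len = length - len(prefix) - 1
    body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    partial = prefix + body
    return partial + luhn_check_digit(partial)


def fingerprint(pan: str) -> str:
    """Watch-list entry: the hash, not the number, is what log processors hold."""
    return hashlib.sha256(pan.encode()).hexdigest()


def make_watchlist(tokens) -> set:
    return {fingerprint(t) for t in tokens}


def mask(pan: str) -> str:
    """First six and last four digits only, for the alert record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines, watchlist) -> list:
    """Return (line_number, masked_pan) for every honeytoken seen in the log."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(pan):      # cheap filter before hashing
                continue
            if fingerprint(pan) in watchlist:
                alerts.append((lineno, mask(pan)))
    return alerts


# A fixed bait number so the run is reproducible; production would use
# generate_honeytoken() and seed the result into the honeypot's records.
HONEYTOKEN = "453957876362148" + luhn_check_digit("453957876362148")
WATCHLIST = make_watchlist([HONEYTOKEN])

# Constructed log lines: a legitimate-looking test number, the bait number
# in grouped form as a gateway might log it, and a line with no PAN.
SAMPLE_LOG = [
    "2003-03-31 16:10:02 app GET /account?pan=4111111111111111 200",
    "2003-03-31 16:12:44 gw AUTH pan="
    + " ".join(HONEYTOKEN[i:i + 4] for i in range(0, 16, 4))
    + " amt=240.00 DECLINED",
    "2003-03-31 16:13:01 db SELECT * FROM customers WHERE id=1017",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG, WATCHLIST):
        print(f"ALERT: honeytoken {masked} used, log line {lineno}")
```

Only the bait number raises an alert; the Visa-style test number on line 1 is Luhn-valid but not on the watch list, so it is ignored. Because the watch list stores fingerprints, the same set can be distributed to every log pipeline without telling an insider which customer rows are the decoys.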
Current thread:
- Re: deceptive content on honeypots Jeremy Bennett (Mar 31)
- <Possible follow-ups>
- RE: deceptive content on honeypots Richard La Bella (Florida Honeynet) (Apr 01)
- Re: deceptive content on honeypots Jim Yuill (Apr 02)
- Re: deceptive content on honeypots Jim Yuill (Apr 08)
- Re: deceptive content on honeypots Jeremy Bennett (Apr 10)