Honeypots mailing list archives

Re: deceptive content on honeypots


From: Jeremy Bennett <jeremy_f_bennett () yahoo com>
Date: Mon, 31 Mar 2003 16:53:08 -0800 (PST)

Deceptive content is a broad topic. Roughly I'd say that topic includes
the following:
* Distributing falsified or deceptive content through valid channels.
* Tagging content with tracers (i.e. HoneyTokens)
* Populating honeypots with believable content

Or any combination of the above. 
The first has been done for thousands of years and is really not all
that new even in computer security. We've seen fake vulnerabilities
published. We've seen fake products advertised. We've seen fake
features of real products publicized. This tactic, though, is mostly
appropriate when you are planning for the long term. In order to set
the field correctly you want to control perceptions. 

The second has been discussed for many years as well. It was tagged
with the term HoneyTokens on this list a while back. If you've ever had
to deal with identity theft you've probably had your credit card
numbers put on a watch list. This is a list of numbers that the CC
companies maintain. When a card on the list is used alarms go off and
an investigation is started even if one normally would not have been
based on other factors.

The final one is the one I think is most interesting to this
discussion. The idea is to provide content in the honeypot to engage
attackers and/or to attract a higher quality set of attackers. If you
just plug an unpatched RedHat 7.0 box into the network you'll
invariably get a barrage of kiddies. On the other hand, if you put up a
fully patched Solaris 8 box with very few services running but
interesting content you may attract a real hacker. What that
interesting content is is the hard part. It is very dependent on what
the attacker expects to see. Attacking a CC company you'd expect to
find a DB of credit cards. If you're attacking an auto company you
expect to find CAD drawings of new cars, etc. 
For companies deploying high interaction honeypots the best content is
probably some derivative of the very content they are trying to
protect. For researchers that content can be anything but must be
consistent with the rest of the honeynet. I seem to recall the South
Florida HoneyNet was doing some interesting stuff in this area:
http://www.sfhn.net. 
Richard La Bella did a presentation at the Las Vegas HoneyPots
conference that detailed a project for a 'Covert Honeynet.' That is a
simulated corporation built of many different honeypots containing
believable data. 
I'd be interested to hear if they've developed any tools or techniques
to help in this effort.

-J
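The second category above (tagging content with tracers and watching for them to surface) is the one that is easiest to show in code. The following is an added example and not code from the original post or from the list: it generates Luhn-valid decoy card numbers to plant in a honeypot's "customer database", keeps only keyed fingerprints of them in a watch list (so the list is not itself a usable set of numbers), and scans constructed log lines for any planted token. The log format, the card-number prefix and the HMAC key are all placeholders chosen for the example.

```python
"""Honeytoken watch list: plant Luhn-valid decoy card numbers in content you
expect to be stolen, keep only keyed fingerprints of them, and raise an alert
when one surfaces in a log.  Added example; not from the original post."""
import hashlib
import hmac
import random
import re


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of the partial is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the string passes the Luhn checksum (structure only, not an account)."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def make_honey_card(prefix="4539", length=16, rng=None) -> str:
    """Generate a decoy card number that looks real to an attacker's filters.
    The prefix is an assumption for the example; a real deployment would pick
    an issuer range that can never be assigned to a live account."""
    rng = rng or random.SystemRandom()
    body = prefix + "".join(str(rng.randrange(10))
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


class WatchList:
    """Store HMAC fingerprints of tokens, so the list is not a shopping list."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens = {}  # fingerprint -> label describing where it was planted

    def _fp(self, value: str) -> str:
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def add(self, value: str, label: str) -> None:
        self._tokens[self._fp(value)] = label

    def lookup(self, value: str):
        return self._tokens.get(self._fp(value))


# 13-19 digit runs not embedded in a longer digit string.
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_log(lines, watch: WatchList):
    """Return (line_no, label, token) for every planted token seen in lines."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for m in CARD_RE.finditer(line):
            label = watch.lookup(m.group(0))
            if label is not None:
                alerts.append((n, label, m.group(0)))
    return alerts


# Constructed sample data: a placeholder key, one planted token (4111... is a
# well-known Luhn-valid test number) and one unplanted but valid-looking number.
SAMPLE_KEY = b"placeholder-key-rotate-in-production"
SAMPLE_LOG = [
    "2003-03-31T16:53:08 checkout user=alice card=4111111111111111 amount=19.99",
    "2003-03-31T16:54:12 checkout user=bob card=5555555555554444 amount=120.00",
    "2003-03-31T16:55:01 export.sh read /srv/data/customers.csv rows=1400",
]


def find_honeytoken_hits():
    """Plant one token, then scan the constructed log for it."""
    watch = WatchList(SAMPLE_KEY)
    watch.add("4111111111111111", "customers.csv row 17 (decoy)")
    return scan_log(SAMPLE_LOG, watch)


if __name__ == "__main__":
    for alert in find_honeytoken_hits():
        print("HONEYTOKEN HIT line %d: %s via %s" % alert)
```

Only the planted number fires; the unplanted 5555... number passes Luhn but is not in the watch list, which is the point of a tracer as opposed to a generic card-number detector. Because the watch list holds HMAC fingerprints rather than the numbers themselves, an attacker who steals the list cannot use it to learn which entries in the decoy data are the tripwires.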

--- Richard Stevens <mail () richardstevens de> wrote:
Hi,

I'm researching deception in computer security, and would be delighted to
discuss deceptive content-- here or off-line:  jjyuill () eos ncsu edu

I would be very interested in discussing that topic, too, so if there
are no objections by other list members or Lance, please discuss it
openly.

Thanks,

Richard

