Interesting reading
Andre Kesteloot
andre.kesteloot@ieee.org
Fri, 15 Jun 2001 11:12:48 -0400
Hello Tacoistas,
An excerpt from an interesting Crypto-Gram.
Andre'
***********************************
CRYPTO-GRAM, June 15, 2001
Date: Fri, 15 Jun 2001 00:56:08 -0500
From: Bruce Schneier <schneier@counterpane.com>
To: crypto-gram@chaparraltree.com
CRYPTO-GRAM
June 15, 2001
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
<http://www.counterpane.com>
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at
<http://www.counterpane.com/crypto-gram.html>. To subscribe or
unsubscribe, see below.
Copyright (c) 2001 by Counterpane Internet Security, Inc.
** *** ***** ******* *********** *************
Honeypots and the Honeynet Project
In warfare, information is power. The better you understand your enemy, the more able you are to defeat him. In the war against malicious hackers, network intruders, and the other black-hat denizens of cyberspace, the good guys have surprisingly little information. Most security professionals, even those designing security products, are ignorant of the tools, tactics, and motivations of the enemy. And this state of affairs is to the enemy's advantage.
The Honeynet Project was initiated to shine a light into this darkness. This team of researchers has built an entire computer network and completely wired it with sensors. Then it put the network up on the Internet, giving it a suitably enticing name and content, and recorded what happened. (The actual IP address is not published, and changes regularly.) Hackers' actions are recorded as they happen: how they try to break in, when they are successful, what they do when they succeed.
The results are fascinating. A random computer on the Internet is scanned dozens of times a day. The life expectancy of a default installation of Red Hat 6.2 server, or the time before someone successfully hacks it, is less than 72 hours. A common home user setup, with Windows 98 and file sharing enabled, was hacked five times in four days. Systems are subjected to NetBIOS scans an average of 17 times a day. And the fastest time for a server being hacked: 15 minutes after plugging it into the network.
The moral of all of this is that there are a staggering number of people out there trying to break into *your* computer network, every day of the year, and that they succeed surprisingly often. It's a hostile jungle out there, and network administrators that don't take drastic measures to protect themselves are toast.
The Honeynet Project is more than a decoy network of computers; it is an ongoing research project into the modus operandi of predatory hackers. The project currently has about half a dozen honeynets in operation. Want to try this in your own network? Several companies sell commercial versions, much simpler, of what the Honeynet Project is doing. Called "honeypots," they are designed to be installed on an organization's network as a decoy. In theory, hackers find the honeypot and waste their time with it, leaving the real network alone.
I am not sold on this as a commercial product. Honeynets and honeypots need to be tended; they're not the kind of product you can expect to work out of the box. Commercial honeypots only mimic an operating system or computer network; they're hard to install correctly and much easier to detect than the Honeynet Project's creations. And what's the point? You'd be smarter to monitor activity on your real network and leave off the honeypot. If you're interested in learning about hackers and how they work, by all means purchase a honeypot and take the time to use it properly. But if you're just interested in protecting your own network, you'd be better off spending the time on other things.
The Honeynet Project, on the other hand, is pure research. And I am a major fan. The stuff they produce is invaluable, and there's no other practical way to get it. When an airplane falls out of the sky, everyone knows about it. There is a very public investigation, and any airline manufacturer can visit the National Traffic Safety Board and read the multi-hundred-page reports on all recent airline crashes. And any airline can use that information to design better aircraft. When a network is hacked, it almost always remains a secret. More often than not, the victim has no idea he's been hacked. If he does know, there is enormous market pressure on him not to go public with the fact. And if he does go public, he almost never releases detailed information about how the hack happened and what the results were.
This paucity of real information makes it much harder to design good security products. The Honeynet Project team is working to change that. I urge everyone involved in computer security to visit their Web site. Great stuff, and it's all real.
<http://project.honeynet.org>
The "Know Your Enemy" series of essays:
<http://project.honeynet.org/papers/>
Articles:
<http://www.zdnet.com/zdnn/stories/news/0,4586,2666273,00.html>
<http://news.cnet.com/news/0-1014-201-5784065-0.html>
<http://www.linuxsecurity.com/feature_stories/feature_story-84.html>
<http://www.computerworld.com/rckey73/story/0,1199,NAV63_STO59072,00.html>