Honypots are legal

[bballad]

Ok we hashed this out last month, but I feel this article answered a lot of the questions that we never fully agreed on.
http://www.securityfocus.com/infocus/1703

He has a wonderful description of entrapment for those of you that still think a honey pot causes you to commit entrapment.

Now perhaps the guy who wrote honyd will stop acting like a child and repost his work.

[Lv4]

what bballad is refering to is this thread that was posted back in the middle of April. It has/had some interesting debate in it, and some interesting points brought up by the article linked in that thread.

I'll go tool around the securityfocus site and read that article in a bit. Thanks for the update and link bballad.

[Lv4]

I just finished reading the article in my spare time here at work, and to me it's still rather nebulous.

There still stands the possibility that using a honeypot could be considered illegal. If it's not being used to secure an organization from unauthorized access then you could very well be in violation of either the Federal Wiretap Act, the Electronic Communication Privacy Act or various different state privacy acts.

This guy raises some very good points, but still there are parts that are left open. Like he said here:

At times, honeypots are used for research purposes, to better understand who the threat is and how they operate. Such honeypots do not directly secure an organization, instead the information they collect is indirectly used to help defend against threats. The less the honeypot is being used to protect your organization, the less likely it falls under exemption of Service Provider Protection

I'm sure that this is going to go to court at some point in the near to mid future. I'm also pretty sure that most of the lower courts will refuse to rule on this and it's going to have to go to one of the big federal courts or perhaps even the supreme court to be heard.

Also his discussion on bannering is right on target. You HAVE to have bannering up that says that any unauthorized access is prohibited, and that by logging in you are consenting to everything you do being logged and disseminated to others. A company I worked for a few years back got bit by that very thing. Someone hacked their network, there was nothing telling this person that it was illegal, and after going to court over it the "hacker" was freed. I started working for that organization as the court case was just wrapping up.

[bballad]

Originally posted here by Lv4
I just finished reading the article in my spare time here at work, and to me it's still rather nebulous.

There still stands the possibility that using a honeypot could be considered illegal. If it's not being used to secure an organization from unauthorized access then you could very well be in violation of either the Federal Wiretap Act, the Electronic Communication Privacy Act or various different state privacy acts.

This guy raises some very good points, but still there are parts that are left open. Like he said here:




I'm sure that this is going to go to court at some point in the near to mid future. I'm also pretty sure that most of the lower courts will refuse to rule on this and it's going to have to go to one of the big federal courts or perhaps even the supreme court to be heard.

Also his discussion on bannering is right on target. You HAVE to have bannering up that says that any unauthorized access is prohibited, and that by logging in you are consenting to everything you do being logged and disseminated to others. A company I worked for a few years back got bit by that very thing. Someone hacked their network, there was nothing telling this person that it was illegal, and after going to court over it the "hacker" was freed. I started working for that organization as the court case was just wrapping up.

Correct if you are useing a hony pot for reasearch it would be a good idea to put a banner on the most commen ports saying "this is a privet machine and all activity may be logged". If it is part of your security infustructure it is exempt form the privacy laws.

[mohaughn]

But if the attacker gains access to your system in such a way that they never see the banner, is it still ok to monitor them. I believe that was one of the other major issues raised by the previous article.

[Tedob1]

Lv4 if im not mistaken their were a couple cases like the one you spoke of but they all involved anonymous logon which was allowed by oversight. Which is why the DoD recommends a banner be displayed stating that the site is for use by authorized personal only. This does not apply to buffer overruns and other means of entry where no intended entrance exists.

An ao member was prosecuted for going a level higher on an ftp server than he was authorized to go using a double dot. No notice of un-authorized entry was shown and he reported this to the isp. He wound up in very deep ****.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

ELECTRONIC COMMUNICATIONS PRIVACY ACT

UNITED STATES CODE


TITLE 18. CRIMES AND CRIMINAL PROCEDURE
PART I--CRIMES
CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND
INTERCEPTION OF ORAL COMMUNICATIONS

(4) "intercept" means the aural or other acquisition of the
contents of any wire, electronic, or oral communication through
the use of any electronic, mechanical, or other device;

(5) "electronic, mechanical, or other device" means any
device or apparatus which can be used to intercept a wire, oral,
or electronic communication other than--

(a) any telephone or telegraph instrument, equipment or
facility, or any component thereof, (I) furnished to the
subscriber or user by a provider of wire or electronic
communication service in the ordinary course of its business and
being used by the subscriber or user in the ordinary course of
its business or furnished by such subscriber or user for
connection to the facilities of such service and used in the
ordinary course of its business; or (ii) being used by a
provider of wire or electronic communication service in the
ordinary course of its business, or by an investigative or law
enforcement officer in the ordinary course of his duties;

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

A security officer is an investigative officer and running a honeypot IS part of the ordinary course of his duties.

The Wiretap Act protects against unauthorized interception of electronic communications. If the communication is to/with my computer I have every right to monitor all activities on it. There’s no interception going on at all. I (my computer) am the intended recipient.

[bballad]

Originally posted here by mohaughn
But if the attacker gains access to your system in such a way that they never see the banner, is it still ok to monitor them. I believe that was one of the other major issues raised by the previous article.

Irelivant, as long as the banner is on the FTP, Telnet and SSH ports you have done your due diligance. THose are the expected entry points, if they come in some other way its not your fault that they didn't see the banner

[Lv4]

Tedob1 - well to be honest that case was about 6 or 7 years ago. It didn't involve an anonymous user at all, but it did involve a teen hacking in to the system and basically brute forcing his way on a username that was non-admin. He was pretty sloppy when he did it, but it was suprising about his defense.

I would rather not publically name the organization, but if you are interested in who it was feel free to PM me about it.