Thread: Open proxy honeypots

  1. #1

    Open proxy honeypots



    I'm planning on setting up something like these links describe:

    http://www.webappsec.org/projects/honeypots/
    http://honeypots.sourceforge.net/ope..._honeypots.pdf

    Some things I need:

    -Proxy software (free please)
    -Various sniffing software (ethereal, tcpdump, cain are on the list...)
    -Legal advice (disclaimers, cautions, anyone w/ experience)

    Hopefully this will be my Sunday project. Anyone care to help out with the above? I have no clue where to start choosing a proxy.

    http://www.securityfocus.com/news/4004
    But that monitoring is what federal criminal law calls "interception of communications," said Salgado, a felony that carries up to five years in prison. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone
    Thanks!

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885

    Honeypots are tricky business, especially if you raise the stakes and host them on your corp/Govt. network.

    The issues are, as you have already seen, that the law is cloudy in some areas. This leaves argumentative opportunity for lawyers. This translates into criminal charges and/or damage payouts to the "victim". We set up a small farm of honeypots about 2 years ago and our legal team quickly had us shut them down. The things that caused concern were:

    1) No disclaimer about monitoring (this defeats the purpose of having a honeypot)
    2) Entrapment (leaving a temptation that is too great for them to pass up) In our case, we left a bogus credit card number database vulnerable to attack.
    3) Liability from collateral networks. We couldn't overlock the boxes otherwise we'd tip off those with talent. This meant that these people could use our hosts to attack other networks and we could be held liable.

    These were the major concerns. We sat down and tried to mitigate the issues but the solutions would defeat the purpose of having the honeypots to begin with. Of course the chances of you getting pressed for using a honeypot are slim; our lawyers never leave a single opportunity for litigation if they can help it. In this case, it was easy for them to cry wolf and shut us down.

    Be careful, you may get more honey than you expect.

    We have one option available to us that you may not have. Since we're still very interested in research, we can kick up scenarios to Federal agency labs and then get the results handed back to us. While this isn't ideal, it still works for us.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323

    "1) No disclaimer about monitoring (this defeats the purpose of having a honeypot)"
    Without this wouldn't it make it more evident that it is a honeypot? Particularly if all your other systems have these warnings? If the honeypot is supposed to be a realistic mimic of a real server, why not have the disclaimers? (an attacker will still attack much like a thief will still break in even if you have "No Trespassing" and "Attack Cat on Duty" signs).


    "2) Entrapment (leaving a temptation that is too great for them to pass up) In our case, we left a bogus credit card number database vulnerable to attack."
    Isn't this only relevant if you work in law enforcement or represent law enforcement? I thought that was one of the issues that Lance Spitzner had brought up.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885

    On the first example, yes, your standard "punishable by law..." statement will be there, however, it's not a "factually true" disclaimer and you're not telling people you're running a honeypot, therefore the poor criminal may find his rights violated or he may not understand what the system is really there for. Don't get me started...

    On the second, yes, and that is my case as you already are well aware of.

  5. #5
    MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323

    Hrmm.. has any honeypot been challenged in court? AFAIK, I haven't seen any save for those set up by Cliff Stoll (and that was many moons ago and in a time far, far away). I don't think I've heard of recent cases, or any case for that matter, that have been challenged in court.

  6. #6
    Senior Member | Join Date: Oct 2003 | Posts: 707

    Soda_Popinsky why don't you just buy the book Know Your Enemy 2nd Edition? It contains an entire chapter for "Legal advice (disclaimers, cautions, anyone w/ experience)" ... Heck you can even download the chapter here: Chapter 8 Know Your Enemy 2nd Edition

    As for your other questions just flip around The Honeynet Project pages and you might find what you need ...

    Hope that helps ....
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  7. #7
    1. This isn't a project I'm doing at work
    2. I don't plan to prosecute / tattletale / hack back anyone. I would like to believe that this would mean being accused of entrapment is not possible. The dollar on a string trick isn't illegal, is it?

    When I say "open proxy honeypot", I basically mean I'm going to monitor the traffic passing through the proxy, and that's it. Finding ways to attract more malicious users is valuable here.

    Hi Agent Steal-

    I've had all both those books for a looong time. This is a scenario that isn't covered though, I have to allow outbound traffic for this to be worth anything. This leaves the gaping possibility that I could be liable for an attack. Plus I don't want to take any chances with the law.

    also...

    I still have no clue what software I could use for a proxy. I've looked at these so far:

    http://tinyproxy.sourceforge.net/
    http://www.squid-cache.org/

    Suggestions would help, easier is better. Thanks!

  8. #8
    Senior Member | Join Date: Oct 2003 | Posts: 707

    "I still have no clue what software I could use for a proxy."
    I did a little more searching for you and I ran into these links [Hope they help] :

    [1] Exposing The Underground : Adventures Of An Open Proxy
    [2] GIAC Certified Intrusion Analyst [GIAC] Practical Assignment Version 3.4 Open Proxy Honeypot
    [3] ProxyPot

    "I've had all both those books for a looong time"
    Oops my bad...
