Open proxy honeypots
Results 1 to 8 of 8

Thread: Open proxy honeypots

  1. #1

    Open proxy honeypots



    I'm planning on setting up something like these links describe:

    http://www.webappsec.org/projects/honeypots/
    http://honeypots.sourceforge.net/ope..._honeypots.pdf

    Some things I need:

    -Proxy software (free please)
    -Various sniffing software (ethereal tcpdump cain are on the list...)
    -Legal advice (disclaimers, cautions, anyone w/ experience)

    Hopefully this will be my sunday project. Anyone care to help out with the above? I have no clue where to start choosing a proxy.

    http://www.securityfocus.com/news/4004
    But that monitoring is what federal criminal law calls "interception of communications," said Salgado, a felony that carries up to five years in prison. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could be applied to some honeypot configurations, but they still leave many hacker traps in a legal danger zone
    Thanks!

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Honeypots are tricky business, especially if you raise the stakes and host them on your corp/Govt. network.

    The issues are, as you have already seen, that the law is cloudy in some areas. This leaves argumentive opportunity for lawyers. This translates into criminal charges and/or damage payouts to the "victim". We setup a small farm of honeypots about 2 years ago and our legal team quickly had us shut them down. The things that caused concern were:

    1) No disclaimer about monitoring (this defeats the purpose of having a honeypot)
    2) Entrapment (leaving a temptation that is too great for them to pass up) In our case, we left a bogus credit card number database vulnerable to attack.
    3) Liability from collateral networks. We couldn't overlock the boxes otherwise we'd tip off those with talent. This meant that these people could use our hosts to attack other networks and we could be held liable.

    These were the major concerns. We sat down and tried to mitigate the issues but the solutions would defeat the purpose of having the honeypots to begin with. Of course the chances of you getting pressed for using a honeypot are slim, our lawyers never leave a single opportunity for litigation if they can help it. In this case, it was easy for them to cry wolf and shut us down.

    Be careful, you may get more honey than you expect.

    We have one option available to us that you may not have. Since we're still very interested in research, we can kick up scenarios to Federal agency labs and then get the results handed back to us. While this isn't ideal, it still works for us.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    1) No disclaimer about monitoring (this defeats the purpose of having a honeypot)
    Without this wouldn't it make it more evident that it is a honeypot? Particularly if all your other systems have these warnings? If the honeypot is supposed to be a realistic mimic of a real server, why not have the disclaimers? (an attacker will still attack much like a thief will still break in even if you have "No Trespassing" and "Attack Cat on Duty" signs).


    2) Entrapment (leaving a temptation that is too great for them to pass up) In our case, we left a bogus credit card number database vulnerable to attack.
    Isn't this only relavent if you work in law enforcement or represent law enforcement? I thought that was one of the issues that Lance Spitzner had brought up.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    On the first example, yes, your standard "punishable by law..." statement will be there, however, it's not a "factually true" disclaimer and you're not telling people you're running a honeypot, therefore the poor criminal may find his rights violated or he may not understand what the system is really there for. Don't get me started...

    On the second, yes, and that is my case as you already are well aware of.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Hrmm.. has any honeypot been challenged in court? AFAIK, I haven't seen any save for those setup by Cliff Stoll (and that was many moons ago and in a time far, far away). I don't think I've heard of recent cases, or any case for that matter, that have been challenged in court.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    Soda_Popinsky why dont you just buy the book Know Your Enemy 2nd Edition ? It contains an entire chapter for
    Legal advice (disclaimers, cautions, anyone w/ experience)
    ... Heck you can even download the chapter here Chapter 8 Know Your Enemy 2nd Edition

    As for your other questions just flip around The Honeynet Project pages and you might find what you need ...

    Hope that helps ....
    Operation Cyberslam
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  7. #7
    1. This isn't a project I'm doing at work
    2. I don't plan to prosecute / tattletale / hack back anyone. I would like to believe that this would mean being accused of entrapment is not possible. The dollar on a string trick isn't illegal, is it?

    When I say "open proxy honeypot", I basically mean I'm going to monitor the traffic passing through the proxy, and that's it. Finding ways to attract more malicious users is valuable here.

    Hi Agent Steal-

    I've had all both those books for a looong time . This is a scenario that isn't covered though, I have to allow outbound traffic for this to be worth anything. This leaves the gaping possibility that I could be liable for an attack. Plus I don't want to take any chances with the law.

    also...

    I still have no clue what software I could use for a proxy. I've looked at these so far:

    http://tinyproxy.sourceforge.net/
    http://www.squid-cache.org/

    Suggestions would help, easier is better. Thanks!

  8. #8
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    I still have no clue what software I could use for a proxy.
    I did a little more searching for you and I ran into these links [Hope they help] :

    [1] Exposing The Underground : Adventures Of An Open Proxy
    [2] GIAC Certified Intrusion Anylyst [GIAC] Practical Assignment Version 3.4 Open Proxy Honeypot
    [3] ProxyPot

    I've had all both those books for a looong time
    Oops my bad...
    Operation Cyberslam
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides