April 11, 2003 1:04 PM PDT
Honeypots get stickier for hackers
Spitzner and two dozen members of the Honeynet Project hope new changes to the group's open-source honeypot technology will help the method become much more popular among security companies and others. The technology is designed to help users forge their own honeypots--faked computers and networks that serve as decoys for discovering online miscreants.
The changes, to be outlined in a paper that will be published online Monday, were described in a speech Spitzner gave here at the CanSecWest security show. The new features will help honeypots become harder for intruders to detect and easier to deploy for companies and even home users.
"It's an arms race," said Spitzner, founder of the Honeynet Project. "We are coming up with new stuff, and the bad guys will look at it. We are staying ahead of 99 percent of the crowd."
Honeypots solve a major problem of intrusion-detection systems, which frequently flag innocuous network traffic as a potential attack. These "false positives," as they're called, make the systems difficult to manage. They also create a "crying wolf" situation, in which genuine threats can be overlooked.
Honeypots can solve the problem because they only detect data sent to a specific server--one that, because it's fake, shouldn't have any data sent to it at all.
"Honeypots have no authorized activity, so if anyone interacts with (one) then you know (the interaction) is most likely malicious," said Spitzner, adding that such considerations make the warnings generated by honeypots very valuable.
That value was demonstrated recently when security company Digital Defense caught an attacker trying to compromise a system that was essentially a honeypot, said HD Moore, a security consultant for the company. The system had been set up for a single purpose, and when an online intruder started sending other commands to it, Moore knew something was up.
By observing the attack, the security consultant discovered that the intruder had gotten access to the system by way of a previously unknown flaw in Samba, a widely used open-source program for sharing Windows files between Unix and Linux systems.
"As long as the honeypot looks like a target that is interesting, (attackers) will use a zero-day exploit to get access," Moore said. A zero-day exploit is a program the takes advantage of a flaw that hasn't yet been uncovered by developers, security professionals or others. Honeypots can thus help uncover such flaws before they're used to do any real damage.
The changes to the Honeynet Project's honeypot system make it easier to manage and harder to detect.Because attackers generally encrypt their communications with a compromised server after successfully breaking in, the group has modified the operating system used with its system--currently Linux--to enable it to parrot the commands back to the administrator. Essentially a wiretap, the function lets administrators see any commands that are being seen by the operating system.
"Bad guys are all using encryption now," said Spitzner. "Even if you don't have encryption on your system, the bad guys will install it for you."
Moreover, the technology has been tweaked to prevent intruders from using the honeypot itself as a platform of attack. Any attacks sent out by the honeypot system to other computers will have a single byte modified to break the attack.
The honeypot setup also includes software to spoof responses back to commonly used mapping software, so that the decoy system can pretend to be anything from a single system to a large network.
In addition, a new utility called Honey Inspector, set to be released in a few weeks, allows honeypots to be managed and analyzed through a graphical user interface. Finally, in three to six months, the Honeynet Project expects to release a bootable CD-ROM that will make installing its version of a honeypot easy.
Spitzner also said more features are under development.
"Honeypots are really at the beginning, there are a lot more advances coming," Spitzner said, likening the current stage of honeypot evolution to that of the firewall of five years ago.
Today, even personal computer users run their own firewalls to keep out attackers. Soon, online intruders may also have to get by the additional confusion sown by honeypots.