Caution: Honey Pot
A honey pot machine is a trap for intruders. In "An Evening with Berferd," Bill Cheswick describes how he and his colleagues set up their jail machine, also known as the "roach motel." They monitored an intruder in an environment where he could do no harm and, at the same time, lured him away from more precious resources.
In The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (Pocket Books, 2000, ISBN 0743411463), Cliff Stoll describes how he invented an entire fictitious government project, complete with realistic-looking documents and memoranda. The intruder(s) spent long hours examining and downloading the information, giving Cliff plenty of time for his tracing efforts.
The machine that features in this article is part of Lance Spitzner's Honeynet project (http://project.honeynet.org/). While we examined the data that he kindly made available to us, we could not fail to notice how tricky it can be to operate a honey pot. We point out here the real or potential pitfalls that were most obvious to us.
- Downstream liability. It may be exciting to lure an intruder into your honey pot, but other people will be less amused when they find out that you are providing the intruder with a launchpad for attacks on their systems. Unless you have the resources to watch your honey pot around the clock in real time, you have to severely limit its ability to connect to other systems.
- History keeps coming back. As we discussed in previous articles, computer systems can be like the tar pits of old, with the bones, carcasses, and fossilized remains of the past in the unallocated storage areas. We found files from several operating systems that were installed previously, including firewall configuration information and other items that could be of interest to an intruder. With a network honey pot machine, erasing past history is simply a matter of writing zeros over the entire disk before installing the operating system, and then verifying that the wipe really covered the whole disk. This also has the benefit that disk image copies compress better, and that deleted files are easier to find: anything non-zero in unallocated space must have been written after the installation.
- Information leaks. A less obvious pitfall is using the honey pot machine for real work. Even a remote login from the honey pot into a sensitive machine can be enough to expose information to intruders, since an intruder who controls the honey pot can watch everything that is typed on it. If you let sensitive information into the honey pot by whatever means, it may stick forever in unallocated storage space or in swap space until you explicitly erase it.
- False evidence. It can be really tempting to use the honey pot machine for your own break-ins and other security exercises. After all, the machine exists solely for the purpose of being broken into. The problem with using a honey pot machine for target practice is that you are shooting yourself in the foot by producing large amounts of false evidence. It quickly becomes difficult to distinguish between the acts of random (or not-so-random) intruders and the acts of your own personnel.
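The downstream liability point above calls for a concrete egress policy. The script below is an added example written for this page, not the Honeynet project's configuration nor code from the article: it installs Linux iptables rules on the gateway that forwards traffic between the honey pot and the outside world (not on the honey pot itself, where an intruder with root could simply remove them). Everything that comes in to the honey pot is accepted, replies to those connections are let back out, and connections that the honey pot itself initiates are capped at a small number per hour, with the overflow logged and dropped. The interface names, the per-hour budget and the log prefix are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added example (not from the original article): egress control for a honey pot
# that sits behind a Linux gateway. Assumptions: the honey pot hangs off
# $HONEY_IF, the Internet is reached via $OUTSIDE_IF, and this box forwards
# between the two. Interface names and the connection budget are illustrative.
set -eu

HONEY_IF=${HONEY_IF:-eth1}          # assumption: honey pot side of the gateway
OUTSIDE_IF=${OUTSIDE_IF:-eth0}      # assumption: Internet side of the gateway
NEW_PER_HOUR=${NEW_PER_HOUR:-10}    # assumption: outbound connections allowed per hour
IPTABLES=${IPTABLES:-iptables}      # set IPTABLES=echo to print the rules instead

honeypot_egress_rules() {
    # Anything the outside world sends to the honey pot is welcome; that is the
    # activity we want to observe.
    $IPTABLES -A FORWARD -i "$OUTSIDE_IF" -o "$HONEY_IF" -j ACCEPT
    # Replies from the honey pot to connections that came in are allowed, so an
    # intruder's session keeps working.
    $IPTABLES -A FORWARD -i "$HONEY_IF" -o "$OUTSIDE_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Connections the honey pot initiates are rate limited. The first
    # $NEW_PER_HOUR go through (enough for an intruder to fetch a toolkit and
    # reveal where it lives); after that the budget refills at the same rate.
    $IPTABLES -A FORWARD -i "$HONEY_IF" -o "$OUTSIDE_IF" \
        -m conntrack --ctstate NEW \
        -m limit --limit "${NEW_PER_HOUR}/hour" --limit-burst "$NEW_PER_HOUR" \
        -j ACCEPT
    # Everything over budget is logged (itself rate limited, so the intruder
    # cannot flood the log) and dropped: no launchpad for attacks on others.
    $IPTABLES -A FORWARD -i "$HONEY_IF" -o "$OUTSIDE_IF" \
        -m conntrack --ctstate NEW \
        -m limit --limit 1/minute -j LOG --log-prefix "HONEYPOT-EGRESS-DROP: "
    $IPTABLES -A FORWARD -i "$HONEY_IF" -o "$OUTSIDE_IF" -j DROP
}

# Rules are only applied when explicitly asked for, so the file can be sourced
# or dry-run (IPTABLES=echo) without touching the live firewall.
if [ "${1:-}" = "apply" ]; then
    $IPTABLES -P FORWARD DROP
    honeypot_egress_rules
fi
```

Run it as `IPTABLES=echo sh egress.sh apply` to review the rules before committing them, and as root with `sh egress.sh apply` on the gateway. The budget of ten new connections per hour is deliberately tight: it is enough to watch an intruder download tools, but not enough to scan or attack anyone else while you are asleep.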
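Zeroing the disk before installation, as recommended under "History keeps coming back," is only half the job; the other half is checking that nothing survived. The script below is an added example written for this page, not code from the article or from the Honeynet project. It overwrites a target with zeros using dd, then proves the wipe by counting the non-zero bytes left on the raw device and by searching it for a tell-tale string such as a leftover firewall rule; a before/after gzip size shows the compression benefit the text mentions. The target defaults to a constructed image file that stands in for a previously used disk, so the script can be tried without a spare drive; for a real disk set DEV=/dev/sdX and run as root. The file name, sizes and the planted string are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): zero a honey pot disk, or an
# image file standing in for one, before installing the operating system, and
# verify that the old contents are really gone. Assumptions: the target is a
# regular file or a block device whose size is a multiple of 512 bytes, and
# dd, tr, wc, grep and gzip are available. On a real disk run this as root.
set -eu

DEV=${DEV:-./honeypot-disk.img}     # assumption: image file used for the demo

# Size of the target in bytes: block device via blockdev, image file via wc.
target_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

# Overwrite the whole target with zeros. Whole mebibytes are written with a
# large block size for speed, the remainder in 512-byte sectors. conv=notrunc
# keeps an image file at its original size instead of truncating it first.
wipe_zero() {
    bytes=$(( $(target_bytes "$1") ))
    mib=$(( bytes / 1048576 ))
    rest=$(( bytes % 1048576 ))
    dd if=/dev/zero of="$1" bs=1048576 count="$mib" conv=notrunc 2>/dev/null
    [ "$rest" -eq 0 ] || dd if=/dev/zero of="$1" bs=512 seek=$(( mib * 2048 )) \
        count=$(( rest / 512 )) conv=notrunc 2>/dev/null
}

# Verify the wipe: delete every NUL byte and count what is left. Zero means the
# disk is clean; anything else is leftover history or a write that did not land.
nonzero_bytes() {
    echo $(( $(tr -d '\000' < "$1" | wc -c) ))
}

# Count "lines" of the raw device containing a tell-tale string (an old firewall
# rule, a host name). grep -a treats the binary as text; LC_ALL=C avoids
# multibyte surprises; grep exits 1 on zero matches, hence the || true.
leftover_count() {
    LC_ALL=C grep -a -c -- "$2" "$1" || true
}

# Compressed size of the target: all-zero disks compress to almost nothing.
gz_size() {
    echo $(( $(gzip -c "$1" | wc -c) ))
}

# Constructed demo input: a 4 MiB image of random filler with a planted
# fragment of an "old" firewall configuration at sector 1000.
make_used_image() {
    dd if=/dev/urandom of="$1" bs=1048576 count=4 2>/dev/null
    printf 'iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT\n' |
        dd of="$1" bs=512 seek=1000 conv=notrunc 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    make_used_image "$DEV"
    echo "before: leftovers=$(leftover_count "$DEV" 'iptables -A INPUT') gzip=$(gz_size "$DEV")"
    wipe_zero "$DEV"
    echo "after:  nonzero=$(nonzero_bytes "$DEV") leftovers=$(leftover_count "$DEV" 'iptables -A INPUT') gzip=$(gz_size "$DEV")"
    rm -f "$DEV"
elif [ "${1:-}" = "wipe" ]; then
    # Real use: DEV=/dev/sdX sh wipe.sh wipe (as root, before the OS install).
    wipe_zero "$DEV"
    [ "$(nonzero_bytes "$DEV")" -eq 0 ] && echo "$DEV is clean"
fi
```

`sh wipe.sh demo` plants the string, wipes, and reports zero leftovers and a compressed size that drops from about four megabytes to a few kilobytes. Reading the entire device back through tr is slow on a large disk, but it is the only way to know the wipe covered everything, including sectors a quick sampling would miss.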
D.F. and W.V.