Subject: Re: Cracked; rootkit - entrapment question?
From: Lison, Nathan (Nathan.Lison@FORTJAMESMAIL.COM)
Date: Fri Mar 03 2000 - 15:08:10 CST
Jason, I agree totally with you. Everyone is talking about honeypots but
aren't trying to fix the problem. I would think it takes more time to set up
a honeypot than to go over your system with some known exploits and make
sure you are secure. I would think at least putting up a firewall would
stop some of the hacking. The police would not help you anyway. What, are you
going to dial "911" and tell them someone just hacked your box and they need
to bust them even though the hacker originates from the other side of the
United States? The FBI would help if it was a government issue or a major
company, but a tiny local business isn't going to get help from the feds.
Just take a look at www.attrition.org and check how many pages have been
hacked. Probably only a tiny few of the hackers were ever busted for their
"crime" of renaming your index.html page and putting up a different one. I
hate all the crying over this "hacker" defaced my page. Put some time into
security and maybe you won't have to worry as much.
Nathan Lison
Fort James Corporation
Transportation
Phone: (920) 438-2952
nathan.lison@fortjamesmail.com
-----Original Message-----
From: Jason Lewis [mailto:jlewis@JASONLEWIS.NET]
Sent: Thursday, March 02, 2000 6:51 PM
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Re: Cracked; rootkit - entrapment question?
Drew Smith wrote:
> I'd like to create a honeypot of sorts; a chroot environment that looks
> and feels like the machine, and that allows the cracker to do everything
> he normally would want to from the shell. I'd like to log everything to
> another machine, and get the police in on it.
<snip>
Why go through all the time and effort to create a honeypot? Why don't
you concentrate on securing the systems they have and putting up some
kind of firewall. Are you getting paid to exact revenge for someone
exploiting a lack of security? Will you leave that machine sitting
forever waiting for the attacker to come back? Don't you think you will
be doing your client more of a service by wiping the machine, starting
from scratch and making sure it is secure when you leave?
I may be naive, but it seems like calling in the FBI is like trying to
kill a housefly with an elephant gun. Don't they have enough to do
without worrying about every insecure machine on the Internet that has
been compromised? I am still waiting to hear who is responsible for the
DoS attacks. I don't think they will ever find the culprit. Since when
did the FBI become the Internet police? I log several attacks a day,
mostly from out of the country. Do I call the FBI for every attack?
Instead of trying to have the attackers (who are probably under 18)
jailed, why don't we work towards making sure people are aware of the
problem and have tools available to help secure their machines. It
seems the common answer is to throw everyone in jail, when we should be
concentrating on educating people.
Jason
http://www.jasonlewis.net