Honeypots

Last update on March 10, 2009 10:40 AM by deri58
Published by deri58

In January 2004, forecasts by American analysts pointed to a surge in cybercrime and cyber-terrorism, and experts were alarmed by the increasing sophistication of computer crime.
In an attempt to identify the threat from the inside and to study the activities of these hackers, the computer security community continues to deploy a new concept: the honeypot.

A "potpourri" concept that combines various state-of-the-art anti-intrusion techniques: in general, it consists in setting up deliberately vulnerable systems, that is, systems designed to be scanned, attacked and compromised, either to observe attackers' behaviour and learn their tools and attack methods (research honeypots) or to contribute directly to an organization's security policy (production honeypots). A colourful concept at the forefront of the fight against cybercrime, but one that quickly runs into serious legal issues.

Honeypots, the "hacker trap": Myths and Reality


The term honeypot evokes an idea whose primary aim is to attract and trap hackers by deception. Such a definition suggests that we very quickly find ourselves on ground close to incitement to commit crimes and offences.

This association of ideas may partly explain the low adoption rate of honeypots in production environments: uncertainty about the legal risks attached to this security mechanism tends to hold organizations back from deploying such a system.

But according to Lance Spitzner, a founder of the much-publicized "Honeynet Project" (see NOTE), this image of a "hacker trap" that amounts to provocation is misleading and quickly dispelled, which can win over users who are skeptical about the usefulness of honeypots.

NOTE: A project founded in June 2000 that brings together security professionals; it consists in deploying networks to be cracked in various places around the world, with a primarily educational goal (learning the techniques, strategies and motivations of hackers in order to better protect sensitive information and to share the findings). The Honeynet Project: http://www.honeynet.org/

Operating Principle


Honeypots are security systems that have no production value. Accordingly, no user and no other resource should in principle have any reason to communicate with one. Since the expected activity or traffic on the honeypot is zero to begin with, we deduce conversely that any activity recorded by this resource is suspicious by nature.

Thus all traffic, i.e. any data stream sent to a honeypot, is most likely a probe, a scan or an attack. All traffic initiated by a honeypot is to be interpreted as a probable compromise of the system, meaning that the attacker is using it as a pivot to connect onward to other systems.

Generally, a honeypot behaves like a black box, passively recording all activity and all traffic that passes through it.

It is very important to bear in mind that the use made of this data will be decisive in determining the legal implications of honeypots.

Honeypots, tracking hackers: what are the limits on capturing data and monitoring the attackers' activity?


You should know that the traffic received by honeypots is both small in volume (a microscope effect) and suspicious by nature. Event log files are therefore less bulky, and malicious activity is easier to identify. Depending on the nature of the data collected, we can accurately track flows by:
provenance,
activity,
date,
duration,
volume ... and even
the content of the data exchanged (keystrokes, IRC messages for example).
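The two observations above (any inbound flow to a decoy is a probe and any flow the decoy initiates is a probable compromise, and the provenance, activity, date, duration and volume fields that a honeypot log lets you track) can be turned into a small triage routine. The following is an added example, not code from the original article or from the Honeynet Project; the flow-record format, the decoy address 10.0.0.5 and the sample records are all constructed for illustration, and the example deliberately covers only connection metadata, not the content of exchanged data, since content capture is what raises the legal questions discussed further on.

```python
from dataclasses import dataclass
from datetime import datetime

HONEYPOT_IP = "10.0.0.5"  # constructed address of the decoy host (assumption)

# Constructed sample records in a made-up format (not any real tool's output):
#   <ISO timestamp> <in|out> <src_ip:port> <dst_ip:port> <bytes>
SAMPLE_LOG = """\
2009-03-10T09:00:01 in 203.0.113.7:51234 10.0.0.5:22 512
2009-03-10T09:00:02 in 203.0.113.7:51235 10.0.0.5:80 64
2009-03-10T09:00:03 in 203.0.113.7:51236 10.0.0.5:443 64
2009-03-10T09:05:10 in 198.51.100.2:40000 10.0.0.5:22 20480
2009-03-10T09:07:45 out 10.0.0.5:33001 192.0.2.9:6667 1024
"""


@dataclass
class Flow:
    ts: datetime
    direction: str   # "in" = towards the honeypot, "out" = initiated by it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_line(line: str) -> Flow:
    """Parse one record of the constructed format above."""
    ts, direction, src, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), direction, src_ip, int(src_port),
                dst_ip, int(dst_port), int(nbytes))


def parse_log(text: str) -> list[Flow]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def classify(flow: Flow) -> str:
    """The decoy has no production value, so every inbound flow is a
    probe/scan/attack and every flow the decoy itself initiates signals a
    probable compromise (the attacker pivoting through it)."""
    if flow.direction == "out" and flow.src_ip == HONEYPOT_IP:
        return "compromise"
    if flow.direction == "in" and flow.dst_ip == HONEYPOT_IP:
        return "probe"
    return "unexpected"   # traffic that does not involve the decoy at all


def summarize(flows: list[Flow]) -> dict[str, dict]:
    """Per-source view of the trackable fields: provenance (source IP),
    activity (ports touched), date (first/last seen), duration, volume."""
    by_src: dict[str, dict] = {}
    for f in flows:
        if classify(f) != "probe":
            continue
        s = by_src.setdefault(f.src_ip, {"first": f.ts, "last": f.ts,
                                        "ports": set(), "bytes": 0, "flows": 0})
        s["first"] = min(s["first"], f.ts)
        s["last"] = max(s["last"], f.ts)
        s["ports"].add(f.dst_port)
        s["bytes"] += f.nbytes
        s["flows"] += 1
    for s in by_src.values():
        s["duration_s"] = int((s["last"] - s["first"]).total_seconds())
    return by_src


def alerts(flows: list[Flow]) -> list[str]:
    """Outbound flows from the decoy are the events to escalate first."""
    return [f"{f.ts.isoformat()} honeypot connected out to {f.dst_ip}:{f.dst_port}"
            for f in flows if classify(f) == "compromise"]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for src, s in summarize(flows).items():
        print(src, sorted(s["ports"]), s["duration_s"], "s", s["bytes"], "bytes")
    for a in alerts(flows):
        print("ALERT:", a)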


However, the capture of such data requires to ask the right questions:
What is the nature of the data collected and the legal regime applicable? (applicability of legislation on the protection of personal data)
What are the limits to monitoring the activity of the in ¬ trus (problem of "attacks") and means used to capture such data (keystrokes, chat interception)?