WebmasterWorld
Moderators: Ocean10000 & incrediBILL

Search Engine Spider and User Agent Identification Forum

    
Honeynets: Trapping attackers and naming names
Brett_Tabke




msg:3233954
 2:25 pm on Jan 27, 2007 (gmt 0)

[security.itworld.com...]

The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, have decided to launch web application honeynets with a new twist. The twist is, they plan to name not only the attack details, as is usual, but also to divulge the IP addresses and other tracking information about the attackers themselves.

See Also:


 

wilderness




msg:3233961
 2:38 pm on Jan 27, 2007 (gmt 0)

Interesting closure and reference.

"Note: In the interest of full disclosure, my company, MicroSolved, Inc. (http://www.microsolved.com/) sells a honeypot solution that we have created for organizations of various sizes.
Brent Huston is president and CEO of MicroSolved Inc., a systems and network security-consulting service for Fortune 500 companies and government facilities. He has 15 years of professional experience in cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing and hacker techniques. He also served as co-author and technical editor of Hack Proofing Your E-Commerce Site (http://www.amazon.com/Hack-Proofing-Your-Ecommerce-Site/dp/192899427X)."

Brett_Tabke




msg:3233977
 3:15 pm on Jan 27, 2007 (gmt 0)

That is why I included more references at the end - because it doesn't change the article. That is the only place I could find the story reported. If you have another source - feel free to list it.

Anyway, I think it is finally time to pull out the checkbook and make a donation to honeynet.

wilderness




msg:3234073
 5:16 pm on Jan 27, 2007 (gmt 0)

Hey Brett,
I wasn't prodding, just thought it was a bit funny that commercial links were included.

A google on "Web Honeynet Project" returns many interesting reads.
[google.com...]

The very first return from google actually lists IP ranges.
CONTINUED
then scroll down on second page.

volatilegx




msg:3234093
 5:27 pm on Jan 27, 2007 (gmt 0)

Listing those IP addresses could get them into trouble...

carguy84




msg:3234164
 6:30 pm on Jan 27, 2007 (gmt 0)

Are IP addresses considered copyright infringement or something? Or protected assets?

wilderness




msg:3234225
 7:20 pm on Jan 27, 2007 (gmt 0)

Listing those IP addresses could get them into trouble...

Dan,
As you are well aware, there are many open logs viewable by doing web searches on IPs or UAs.
The only difference I see is that rather than providing a full-log entry, somebody has provided analysis of the activity.

Are IP addresses considered copyright infringement or something? Or protected assets?

Hardly!
They are openly accessible through ARIN, RIPE, APNIC or any of the others.
However, copying the registrar's data and then presenting it in a similar fashion might be considered infringement.
There are web sites and companies that have accumulated the data and present the entire data set by countries of origin.

Brett_Tabke




msg:3234901
 4:54 pm on Jan 28, 2007 (gmt 0)

Posting an IP address has yet to be an issue tested in court. Some consider it akin to posting someone's personal information (name, address, etc). Either way, sounds like the honeynet project is going to test the waters.

wilderness




msg:3234933
 5:30 pm on Jan 28, 2007 (gmt 0)

Brett and carguy,
I neglected to mention (in regard to IPs) previously, the possibility of litigation that may result in presenting a statement that another's IP range was doing this or doing that, sending this or sending that.

Either instance would certainly be a possibility for litigation.

However as previously stated, just providing a range of IP's should really NOT present any issues.

Don

volatilegx




msg:3235354
 2:18 am on Jan 29, 2007 (gmt 0)

The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander.

wilderness




msg:3235387
 3:36 am on Jan 29, 2007 (gmt 0)

The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander

Aye, I agree!

Thus if the IP and Whois were submitted with a complete log entry and no statement accompanied either document (EX: "heads up"), then how might it possibly be construed as libel/slander?

Now here comes another user and says "Oh yeah that harvester was at my site", however doesn't quote or provide the original Whois or log entry?
Then what actually is the 2nd party libel for? ;)

Of course, it's hypothetical hodge podge.

acronym




msg:3235866
 3:17 pm on Jan 29, 2007 (gmt 0)

The article mentions ITOSF. Anyone know what this is? I couldn't find it anywhere.

blend27




msg:3236211
 6:56 pm on Jan 29, 2007 (gmt 0)

--- IP address along with a claim that they are attacking computers ---

I would gladly provide a list of 75-100 IPs along with the data they are trying to post to our Guest Book form on a daily basis

For Free

GaryK




msg:3236405
 9:33 pm on Jan 29, 2007 (gmt 0)

The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander.

It's only libel (libel is written, slander is oral) if you knowingly post false information with malicious intent. If the information is correct what's there to worry about?

wilderness




msg:3236464
 10:16 pm on Jan 29, 2007 (gmt 0)

If the information is correct what's there to worry about?

Many litigations and their outcomes are not solved immediately.
Long awaited and/or delayed trial dates may actually benefit the wrong person.
In the end, it all may boil down to who either desires or has the capabilities to finance continuous filing of documentation that the court may require or the wrongful party may file.

Many people (especially with lesser means) have just been known to throw in the towel because the potential expense is beyond their capabilities.

volatilegx




msg:3236622
 12:51 am on Jan 30, 2007 (gmt 0)

If the information is correct what's there to worry about?

That reminds me of a story...

A guy and his friend are sitting in his living room talking when all of a sudden a commotion breaks out in the street in front of the house. Two robbers are having a gun battle with police and bullets are flying everywhere. One guy lays on the floor behind the couch and the other stands up to see what's going on.

"What in heaven's name are you doing?", said the man on the floor, "Do you want to get killed?"

"Why should I worry?" said the man who was standing, "I didn't do anything wrong."

My point is... why make yourself a target?

GaryK




msg:3237589
 8:39 pm on Jan 30, 2007 (gmt 0)

why make yourself a target?

I suppose the same question could be asked of the RDNS blacklists, or the people who distribute .htaccess files, or browscap/browsercaps files. The best answer I can give you is sometimes the risk of being a target is outweighed by the potential good you can do as a target.

incrediBILL




msg:3237855
 2:25 am on Jan 31, 2007 (gmt 0)

Guess I really don't see the difference between a botnet IP list and a list of spammers as long as you don't accuse any PERSON of doing the crime, just that some activity has been associated with the IP address.

Maybe the IP address was spoofed, maybe it's in a DHCP pool used by more than one machine, who knows what human is associated with the action, but the FACT remains that the activity was tracked and associated with the IP address and it's recorded in your server log.

As long as you're sticking to facts and not falsehoods you're usually in good shape.

There's also a big difference between claiming ThePlanet appears to have a botnet running in their network vs. claiming ThePlanet is actually running the botnet. We all know servers get compromised, and home PCs, it's just a way of life, a fact. Now the only real problem I see is once the problem has been corrected, how do the victims get off the list, bad PR removed from search engines, etc.?

Guess I don't see how saying "0.0.0.0 is involved in a botnet" is accusing any specific human or company, it's just reporting activity, not making accusations. No worse IMO than saying I heard gunshots in the vicinity of 1300 Block of Mockingbird Lane.

If this were a real problem all the RBL's, DNSBL's and such would cease to exist. There is also a fine line drawn in how you label your list. Calling it a "blacklist" which has a very negative connotation to anyone in the list vs. a "blocklist" which sounds more like a security or policy thing.

Also, reasons for IPs to exist on the list need to follow a clearly written policy of how IPs are selected for the list, otherwise you could end up in an ORBS-like situation (sued) if you're peddling a list filled with falsehoods.

[edited by: incrediBILL at 2:29 am (utc) on Jan. 31, 2007]
