
Forum Moderators: Ocean10000 & incrediBILL


Honeynets: Trapping attackers and naming names

     
2:25 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Administrator brett_tabke



[security.itworld.com...]

The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF, have decided to launch web application honeynets with a new twist. The twist is, they plan to name not only the attack details, as is usual, but also to divulge the IP addresses and other tracking information about the attackers themselves.

See Also:

2:38 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



Interesting closure and reference.

"Note: In the interest of full disclosure, my company, MicroSolved, Inc. (http://www.microsolved.com/) sells a honeypot solution that we have created for organizations of various sizes.
Brent Huston is president and CEO of MicroSolved Inc., a systems and network security-consulting service for Fortune 500 companies and government facilities. He has 15 years of professional experience in cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, incident response, forensic computing and hacker techniques. He also served as co-author and technical editor of Hack Proofing Your E-Commerce Site (http://www.amazon.com/Hack-Proofing-Your-Ecommerce-Site/dp/192899427X)."

3:15 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Administrator brett_tabke



That is why I included more references at the end - because it doesn't change the article. That is the only place I could find the story reported. If you have another source - feel free to list it.

Anyway, I think it is finally time to pull out the checkbook and make a donation to honeynet.

5:16 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



Hey Brett,
I wasn't prodding, just thought it was a bit funny that commercial links were included.

A google on "Web Honeynet Project" returns many interesting reads.
[google.com...]

The very first return from google actually lists IP ranges.
CONTINUED
then scroll down on second page.

5:27 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Listing those IP addresses could get them into trouble...

6:30 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Are IP addresses considered copyright infringement or something? Or protected assets?

7:20 pm on Jan 27, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



Listing those IP addresses could get them into trouble...

Dan,
As you are well aware, there are many open logs viewable by doing web searches on IPs or UAs.
The only difference I see is that rather than providing a full-log entry, somebody has provided analysis of the activity.

Are IP addresses considered copyright infringement or something? Or protected assets?

Hardly!
They are openly accessible through ARIN, RIPE, APNIC or any of the others.
However, copying the registrar's data and then presenting in a similar fashion might be considered infringement.
There are web sites and companies that have accumulated the data and present the entire data set by countries of origin.

4:54 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Administrator brett_tabke



Posting an IP address has yet to be an issue tested in court. Some consider it akin to posting someone's personal information (name, address, etc). Either way, sounds like the honeynet project is going to test the waters.

5:30 pm on Jan 28, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



Brett and carguy,
I neglected to mention (in regard to IPs) previously, the possibility of litigation that may result in presenting a statement that another's IP range was doing this or doing that, sending this or sending that.

Either instance would certainly be a possibility for litigation.

However, as previously stated, just providing a range of IPs should really NOT present any issues.

Don

2:18 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander.

3:36 am on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander

Aye, I agree!

Thus if the IP and Whois were submitted with a complete log entry and no statement accompanied either document (EX: "heads up"), then how might it possibly be construed as libel/slander?

Now here comes another user and says "Oh yeah that harvester was at my site", however doesn't quote or provide the original Whois or log entry?
Then what actually is the 2nd party libel for? ;)

Of course, it's hypothetical hodge podge.

3:17 pm on Jan 29, 2007 (gmt 0)

10+ Year Member



The article mentions ITOSF. Anyone know what this is? I couldn't find it anywhere.

6:56 pm on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



--- IP address along with a claim that they are attacking computers ---

I would gladly provide a list of 75-100 IPs along with the data they are trying to post to our guest book form on a daily basis

For Free

9:33 pm on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The reason I brought it up is that posting somebody's IP address along with a claim that they are attacking computers could be seen as libel/slander.

It's only libel (libel is written, slander is oral) if you knowingly post false information with malicious intent. If the information is correct what's there to worry about?

10:16 pm on Jan 29, 2007 (gmt 0)

WebmasterWorld Senior Member wilderness



If the information is correct what's there to worry about?

Many litigations and their outcomes are not solved immediately.
Long awaited and/or delayed trial dates may actually benefit the wrong person.
In the end, it all may boil down to who either desires or has the capabilities to finance continuous filing of documentation that the court may require or the wrongful party may file.

Many people (especially with lesser means) have just been known to throw in the towel because the potential expense is beyond their capabilities.

12:51 am on Jan 30, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If the information is correct what's there to worry about?

That reminds me of a story...

A guy and his friend are sitting in his living room talking when all of a sudden a commotion breaks out in the street in front of the house. Two robbers are having a gun battle with police and bullets are flying everywhere. One guy lays on the floor behind the couch and the other stands up to see what's going on.

"What in heaven's name are you doing?", said the man on the floor, "Do you want to get killed?"

"Why should I worry?" said the man who was standing, "I didn't do anything wrong."

My point is... why make yourself a target?

8:39 pm on Jan 30, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



why make yourself a target?

I suppose the same question could be asked of the RDNS blacklists, or the people who distribute .htaccess files, or browscap/browsercaps files. The best answer I can give you is sometimes the risk of being a target is outweighed by the potential good you can do as a target.

2:25 am on Jan 31, 2007 (gmt 0)

WebmasterWorld Administrator incredibill



Guess I really don't see the difference between a botnet IP list and a list of spammers as long as you don't accuse any PERSON of doing the crime, just that some activity has been associated with the IP address.

Maybe the IP address was spoofed, maybe it's in a DHCP pool used by more than one machine, who knows what human is associated with the action, but the FACT remains that the activity was tracked and associated with the IP address and it's recorded in your server log.

As long as you're sticking to facts and not falsehoods you're usually in good shape.

There's also a big difference between claiming ThePlanet appears to have a botnet running in their network vs. claiming ThePlanet is actually running the botnet. We all know servers get compromised, and home PCs, it's just a way of life, a fact. Now the only real problem I see is once the problem has been corrected, how do the victims get off the list, bad PR removed from search engines, etc.?

Guess I don't see how saying "0.0.0.0 is involved in a botnet" is accusing any specific human or company, it's just reporting activity, not making accusations. No worse IMO than saying I heard gunshots in the vicinity of 1300 Block of Mockingbird Lane.

If this were a real problem all the RBLs, DNSBLs and such would cease to exist. There is also a fine line drawn in how you label your list. Calling it a "blacklist" which has a very negative connotation to anyone in the list vs. a "blocklist" which sounds more like a security or policy thing.

Also, reasons for IPs to exist on the list need to follow a clearly written policy of how IPs are selected for the list, otherwise you could end up in an ORBS-like situation (sued) if you're peddling a list filled with falsehoods.

[edited by: incrediBILL at 2:29 am (utc) on Jan. 31, 2007]
