Wednesday, 12 December 2007

When a Honeynet is not so Sweet.

Or the law of going to far.

HoneyPots are a passive means of drawing or redirecting attacks onto safe systems. These systems have several advantages including the capture of hackers’ methods, tools, or worm code for later analysis and possible prosecution. Since HoneyPots are completely passive and there should be no legitimate connections to them, any connection is highly suspect. This reduces the number of false positives to near zero.”

Andrew Ingle, “The new breed of cracker, verse the next generation of defences,” April 22, 2004, © SANS Institute 2004.

This works well until the administrator decides to go that little bit further, they divert from a passive HoneyPots to hacking back, or active counter hacking.

This is when you start with the real legal issues. HoneyPots have the issue that you may face civil liability if the attacker can attack from the Honeypot, but attack back and then it is a felony.

Most security practitioners have ached to retaliate rather then just applying an added patch and turning doing little more then watching. I admit that I have felt this way myself.
Further, software such as Enforcer and Simbiot has been developed with the capability to present this facility. The argument is along the lines “that a static defence is insufficient to defeat a determined and knowledgeable attacker, and the strike back features offer a deterrence or threat elimination capability that is otherwise absent”.

The issue is that you are ultimately responsible for what you configure. These software vendors may at worst face civil penalties, or even be held jointly responsible in some possible cases, but they are not criminally liable. They can not express intent. So when you decide that you will set a host to attack back, just remember how many hospitals have insecure networks. Remember how many have been targets of zombies and worms. Remember that attacking these could be an attack that endangers human life.

Or you may spend a long time in prison.

No comments: