August 13, 2010
Turning the Honeypot
I'm reading a govt. security manual this weekend, because ... well, doesn't everyone?
To give it some grounding, I'm building up a cross-reference against my work at the CA. I expected it to remain rather dry until the very end, but I've just tripped up on this Risk in the section on detecting incidents:
2.5.7. An agency constructs a honeypot or honeynet to assist in capturing intrusion attempts, resulting in legal action being taken against the agency for breach of privacy.
Posted by iang at August 13, 2010 08:06 PM
Yeah, it's highly moronic, but when the Government does something like that, it's considered an illegal wiretap and/or a violation of the Privacy Act of 1974. It goes back to Watergate and the findings of the Church Commission where it was discovered that the Government was spying on US citizens.
So yeah, doesn't make too much sense tactically, but strategically it does.
Highly politicized environments place all sorts of restrictions on the actions an information security team can perform. Prohibiting honeypots sounds reasonable when one considers that some decisions affecting one's security posture are much more ridiculous: blocking an entire country's IP address range is frowned upon in some environments (they're afraid of causing an international incident). If one cannot block a country's IP range here or there, even on a temporary basis, it's like having your hands tied. One may as well go ahead and publish the firewalls' configuration on the entity homepage.
What if, in designing the honeypot, they revealed a flaw that proved to be a significant point from which to leverage the rest of the system? It would stand to reason that honeypot design must be highly specialized.
Aside from some odd wire tap laws there is also FOI and other information legislation to be considered.
If a Federal organisation has information stored in a database of any form (paper in a filing cabinet to computer log files) you can, if it is not specifically exempted, request it, as it is public (paid for) information...
Thus it is possible to consider that the log files on a Honeynet could be requested and used to start legal action for a number of reasons...
Another issue is "standard design" documents. Most US Gov agencies have "quality of staff" issues when it comes to ICT, thus any Honeypot/net setups are likely to be based on a "standard design" template. Guess what, the template etc. are taxpayer paid for and thus subject to FOI etc. as well...
All of that aside have you considered how you can find a Honeynet without revealing anything of real use to it?
And even how you find it and enumerate it all without setting off its alarms?
It's actually not that difficult for many Honeynets, which kind of obviates their purpose...