[ISN] Security 'Honey Pots' May Snare Private Details

InfoSec News isn at c4i.org
Wed Dec 8 02:59:26 EST 2004


By Michael Myser 
December 7, 2004 

Though some legal issues still surround "honey pots," their use within
the security industry is fairly common and is considered a critical
weapon in fighting malicious hackers and viruses.

"They're an incredibly valuable tool," said Rich Mogull, research
director at analyst firm Gartner Inc. of Stamford, Conn. "You can't
really know what's happening without monitoring what's going on in the
world. Honey pots and honey nets do a good job of this."

Setting up an unprotected server or network invites attackers to
infect or examine the system. The honey pots are then used to track
the hackers and collect data on the way the intruders operate.  
Information collected in honey pots is typically used to power early
warning and prediction systems.

"It's not something every organization needs, but I expect all
security vendors to do be doing something [like this]," Mogull said.  
"That's how you're going to find out what the new threats are, without
compromising your real systems."

IMlogic Inc. of Waltham, Mass., told eWEEK.com it would use IM honey
pots to drive its Threat Center initiative, which will warn vendors of
new spam and malware attacks.

Though Gartner's Mogull wasn't at all surprised that IMlogic would
employ this technique, legal issues still can arise from honey pots if
security vendors and enterprises aren't careful.

For one, enterprises could be found liable if hackers were to use
honey pots as a launching pad to harm another entity.

"If you've created a dangerous, open resource, you've created a tool
for hackers to use," said Benjamin Wright, an attorney and instructor
at the SANS Institute. "You need to avoid anything that encourages
damage to a third party."

One way to avoid that, he said, is to label the honey pot as off
limits, or a resource that is private property, which outsiders are
not authorized to use. Such labeling also would help ward off the
common defense tactic of citing "entrapment" in the case of

"Entrapment is when somebody induces the criminal to do something he
was not otherwise imposed to do," Wright said. He explained that it's
a common misconception that organizations can be sued for entrapment,
when in reality, it's used only to defend the accused and should not
be a concern for enterprises.

Lance Spitzner, founder of the nonprofit security organization
Honeynet Project, agreed, saying that neither liability nor entrapment
has been an issue, but that privacy is a concern.

"From a privacy perspective, you need to consider what you capture,
how you capture it, and what you use it for," Spitzner said. He said
the main concern surrounds violating the federal Wiretap Act, which
prohibits intercepting the content of communications.

"Are you getting the conversations themselves?" he asked. "The more
data you're pulling, the more potential privacy issues there are."

If a firm is capturing transactional information such as IP addresses,
or examining malware contained in the communications, there likely is
little to be concerned about. IMlogic told eWEEK.com its honey pots
would likely only receive spam or malware, so conversations wouldn't
be an issue.

But there are still no hard and fast answers to some of these legal

"There is no absolute authority, because there are so many variables
involved and no precedents," Spitzner said. The Honeynet Project
recently published a book [1] on honey pots, which includes a chapter
(here in PDF form) [2] on legal concerns by Richard Salgado of the
Department of Justice.

Security firm Sophos, based in the United Kingdom, isn't much
concerned with the legal aspects of honey pots and is one of many
vendors using various types to develop cyber-defenses.

"We receive millions of spam messages into our traps from around the
world," said Gregg Mastoras, senior security analyst at Sophos. "We
take those messages, dissect them, try to understand them, where
they're coming from, and build protection around it for our clients."

Because it's a closed system—the spam and viruses the company receives
don't get distributed from the Sophos system—and the company isn't
building legal cases against spammers, there aren't legal implications
for its spam traps.

"Most of the security research companies use honey pots to get
information on bad guys, malware, viruses and things like that,"  
Honeynet's Spitzner said. "Honey pots are also becoming more commonly
accepted, so they're being used for marketing purposes by security

"If you're going to develop products and services to defeat these,
you've got to understand the basics of what they're delivering by
actually getting some of them yourself," Sophos' Mastoras said.

[1] http://www.amazon.com/exec/obidos/ASIN/0321166469/c4iorg
[2] http://www.honeynet.org/book/Chp8.pdf

More information about the ISN mailing list