honeynet.org

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

honeynet.org

#1 Post by prehistoric »

This is a request for feedback from people with relevant experience. I just became aware of honeynet.org when I did a search while explaining some problems of Internet security and spam email to a naive user.

This sounds like something I wanted to do back around 2010. It is also dealing with a shift in tactics I've been following. While there are still plenty of poorly-configured servers out there, I am seeing more client-side exploits. These can take place either while targets are browsing the web, or while they are reading HTML email, and assuming they aren't really at risk because they are using a service they consider secure. ("See, it even says HTTPS.")

A couple of tools discussed include Thug and Rumal.

This also suggests a use for the legions of old computers we collect which aren't up to running the latest bloatware. Configure these as honeypots and plug them in when you leave the keyboard to get some sleep.

I've been wasting way too much time dealing with the consequences of malware and spam. I feel it's well past time to start shooting back. :P

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

Could you include a synopsis of what they do, how they work?

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#3 Post by prehistoric »

@Flash

If you are asking about the organization, that is what I'm asking others to tell me. All I can say is what their stated aims are. I'm just starting to read material about them, so my understanding is not reliable.

If you're asking about the two tools I linked: thug behaves like a browser, as seen from the Internet, and collects information about what happens when it visits a site. This material is quite complicated, so Rumal displays the data as a web page to help people analyze that data.

The two together yield information about suspect web sites, given only the URL to start with.

This would have saved a great deal of time when BarryK and others were being hit with attacks defacing their sites with pornography; underneath there were redirects to university sites with poisoned SEO caches that sent people to sites selling V*i*a*g*r*a, while the real purpose was to redirect people into drive-by downloads of malware. We had to follow quite a long trail to get to the source.

These are just two open-source tools that happened to catch my eye.

I'm very discouraged about the ability of major companies selling programs said to control a problem which provides them a steady revenue stream. M$ sells an OS with serious deficiencies which invite attacks; Symantec sells security software to sort of patch the problem; when security fails, victims suffer from ID theft for which Lifelock sells solutions. M$ owns Symantec which now owns Lifelock. Don't expect the problem to go away as a result of anything this commercial combination does.

I've been surprised at how long it took for DDoS attacks to bring down major businesses, as in the Dyn attack. I know damn well that companies and governments will sit on information they have, leaving the public at risk. The answer seems to me to be a distributed response, making major attacks a losing proposition. You don't have to have perfect security, you just need to cost exploiters money.

If the only effect of running traps is to get yourself blacklisted by spammers, that is still worth something.

An example which I was explaining to a naive user will help to motivate this. I've attached a file of text from a spam email. There is no executable code. The text was actually not visible to the recipient because of cascading style sheets. Because I don't run HTML email it was easy for me to find this text.

Does anyone think it takes advanced AI to tell that a message containing this is spam? What else would you expect to find at URLs included in the message?
Attachment: clickbait.txt.gz (7.27 KiB) - keywords "salting" an email message to get past spam filters
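Two things in this post lend themselves to a worked example: what a honeyclient like thug records when it "visits" a page given only a URL (the redirect trail described above), and the trick in the attached spam, where keyword salt is kept in the message body but hidden from the reader by CSS. The script below is an added illustration written for this page; it is not code from the thread, from thug, or from Rumal. It parses a constructed sample message (not the attachment) with Python's standard-library HTML parser, separates text the recipient would see from text hidden by `display:none`, `visibility:hidden`, `font-size:0` or `opacity:0` (set inline or through a `<style>` class), and lists every URL the page would pull in or jump to: meta refresh, links, iframes, and simple `location` assignments found in script text. The hiding rules and the regex-based script scan are assumptions chosen for the example; it does not execute JavaScript or compute colors, so a real honeyclient, which renders the page, would catch obfuscated redirects this misses.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not the attachment from the thread): a spam-style HTML
# mail with a visible pitch, two blocks of CSS-hidden keyword salt, and the
# kinds of navigation a honeyclient would record when it "visits" the page.
SAMPLE_HTML = """<html><head>
<style>
  .pitch { font-family: Arial; }
  .salt  { display: none; }
</style>
<meta http-equiv="refresh" content="5; url=http://example.invalid/landing">
</head><body>
<p class="pitch">Your account statement is ready.
  <a href="http://example.invalid/login">View it now.</a></p>
<div class="salt">tax refund lottery winner cheap pills</div>
<span style="font-size:0px">recipe garden weather football</span>
<iframe src="http://example.invalid/frame" width="1" height="1"></iframe>
<script>window.location.replace("http://example.invalid/drive-by");</script>
</body></html>"""

# Elements that never get an end tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Declarations (an assumed list) that leave text in the body for the spam
# filter to read while making it invisible to the recipient.
HIDING_DECLARATIONS = [
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I),
    re.compile(r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|!|$)", re.I),
]
CSS_CLASS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)
SCRIPT_REDIRECTS = [  # plain, unobfuscated forms only
    re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"),
    re.compile(r"location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]"),
]


def is_hiding(style: str) -> bool:
    """True if a CSS declaration block makes the element's text invisible."""
    return any(p.search(style) for p in HIDING_DECLARATIONS)


class MailInspector(HTMLParser):
    """One pass over the HTML: tracks whether the current element is hidden
    by CSS and collects every URL the page would fetch or navigate to."""

    def __init__(self):
        super().__init__()
        self.hidden_classes = set()  # classes a <style> block hides
        self.stack = []              # one bool per open element: hidden?
        self.hidden_text, self.visible_text = [], []
        self.urls = []               # (kind, url) in document order
        self.cdata = None            # "style"/"script" while inside them

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        hidden = is_hiding(a.get("style") or "") or bool(classes & self.hidden_classes)
        if tag not in VOID_TAGS:
            self.stack.append(hidden)
        if tag in ("style", "script"):
            self.cdata = tag
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content") or "")
            if m:
                self.urls.append(("meta-refresh", m.group(1).strip()))
        elif tag in ("iframe", "frame") and a.get("src"):
            self.urls.append(("iframe", a["src"]))
        elif tag == "a" and a.get("href"):
            self.urls.append(("link", a["href"]))

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self.cdata = None
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.cdata == "style":
            for cls, decls in CSS_CLASS_RULE.findall(data):
                if is_hiding(decls):
                    self.hidden_classes.add(cls)
        elif self.cdata == "script":
            for pat in SCRIPT_REDIRECTS:
                for url in pat.findall(data):
                    self.urls.append(("script-redirect", url))
        else:
            text = " ".join(data.split())
            if text:
                (self.hidden_text if any(self.stack) else self.visible_text).append(text)


def inspect_message(html: str) -> dict:
    p = MailInspector()
    p.feed(html)
    p.close()
    return {"visible_text": p.visible_text, "hidden_text": p.hidden_text, "urls": p.urls}


def word_counts(report: dict) -> tuple:
    """(hidden_words, visible_words): salt that outweighs the visible pitch
    is the signal the post is pointing at."""
    hidden = sum(len(t.split()) for t in report["hidden_text"])
    visible = sum(len(t.split()) for t in report["visible_text"])
    return hidden, visible


if __name__ == "__main__":
    report = inspect_message(SAMPLE_HTML)
    hidden, visible = word_counts(report)
    print(f"hidden words: {hidden}, visible words: {visible}")
    for text in report["hidden_text"]:
        print("  hidden:", text)
    for kind, url in report["urls"]:
        print(f"  {kind:16} {url}")
```

Run against the sample, it reports 10 hidden words against 8 visible ones and four URLs (the meta refresh, the link, the 1x1 iframe and the script redirect), which is the list a honeyclient would go on to visit in turn. The stack-of-hidden-flags approach also means nested content inherits hiding from an ancestor, the same way a renderer would treat it.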
