Author: James Hurff
Author: Mayank Sharma
A honeypot is software that attracts hostile activity by masquerading as a vulnerable system. While it’s running, the honeypot gathers information about attackers and their techniques and patterns. Honeypots distract crackers from more valuable machines on a network, and provide early warning about attacks and exploitation trends.
LaBrea was conceived in the aftermath of the Code Red worm attack in July 2001, when software developer Tom Liston posted an idea on the INTRUSIONS list at incidents.org for a means of combating the constant scanning of his IP addresses and ports. A port scan is a technique crackers use to learn which TCP or UDP ports on a networked system are open or in use: a scanning tool sends a probe to each port in turn and, from the response (or the lack of one), classifies the port as open or closed. The cracker then concentrates on exploiting weaknesses in the services behind the open ports.
Liston’s idea got a positive response from Mihnea Stoenescu, who used a modified version of a comprehensive security program called Couic. Tom hacked Couic for his purpose and called it CodeRedneck. He further improved CodeRedneck to fake machines with fake vulnerabilities — in essence creating the honeypot which he now called LaBrea.
LaBrea watches for signs that someone is probing for unused IP addresses on your network. It monitors address resolution protocol (ARP) requests: when a request for an IP address goes unanswered, no host owns that address. LaBrea treats such requests as a sign that a cracker is scanning your network, and answers the request itself with an ARP reply carrying a bogus MAC address. From then on the requester sends all traffic for that IP address to the bogus MAC, which lets LaBrea see the scanner's own IP address.
LaBrea then listens for all incoming traffic addressed to the bogus MAC it just invented. To convince the attacker that a real machine is answering, LaBrea accepts TCP connection attempts: the cracker sends a SYN (synchronize) packet, and LaBrea answers it with a SYN/ACK (synchronize/acknowledge). It does the same for every port, so the scanner sees a live host, and the connections it opens are then left to stall rather than complete (the tarpit behaviour from which the tool takes its name). You can configure LaBrea to write its activity to a log file or display it on your screen.
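The ARP-capture and SYN/ACK behaviour just described, as an added example in Python that is not LaBrea's own code: it simulates the tarpit's decision logic over a constructed timeline of ARP and TCP events and builds the bogus ARP reply frame byte for byte, so the wire format can be inspected. The 3-second timeout, the bogus MAC value, the addresses, the event timeline and all function names are assumptions chosen for this example; the real program reads and writes frames on the interface rather than consuming a list of events.

```python
# Added example (not LaBrea code): simulation of unanswered-ARP capture and
# the SYN -> SYN/ACK answer of a tarpit. Timeout, MACs, IPs and events are
# all constructed for this demonstration.
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BOGUS_MAC = "00:00:0f:ff:ff:ff"   # MAC the tarpit claims for unused IPs (assumed value)
TCP_SYN, TCP_ACK = 0x02, 0x10


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply: 14-byte header + 28-byte ARP body (42 bytes)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields of a frame built by build_arp_reply (used for checking)."""
    return {"op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": _fmt_mac(frame[22:28]), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": _fmt_mac(frame[32:38]), "target_ip": ".".join(map(str, frame[38:42]))}


@dataclass
class Tarpit:
    timeout: float = 3.0                                  # seconds an ARP request may go unanswered
    pending: Dict[str, Tuple[float, str, str]] = field(default_factory=dict)  # ip -> (t, req_mac, req_ip)
    claimed: Set[str] = field(default_factory=set)       # unused IPs we now answer for
    scanners: Set[str] = field(default_factory=set)      # source IPs seen talking to the bogus MAC
    log: List[str] = field(default_factory=list)

    def on_arp_request(self, t: float, src_mac: str, src_ip: str, target_ip: str) -> None:
        # Remember the first unanswered request for each target IP.
        if target_ip not in self.pending and target_ip not in self.claimed:
            self.pending[target_ip] = (t, src_mac, src_ip)

    def on_arp_reply(self, t: float, sender_ip: str) -> None:
        # A real host answered, so the address is in use: forget it.
        self.pending.pop(sender_ip, None)

    def tick(self, now: float) -> List[bytes]:
        # Emit a bogus reply for every request unanswered longer than the timeout.
        frames = []
        for ip, (t0, req_mac, req_ip) in list(self.pending.items()):
            if now - t0 >= self.timeout:
                frames.append(build_arp_reply(BOGUS_MAC, ip, req_mac, req_ip))
                self.claimed.add(ip)
                del self.pending[ip]
                self.log.append(f"{now:.1f}s claimed {ip} for requester {req_ip}")
        return frames

    def on_tcp(self, dst_mac: str, src_ip: str, dst_ip: str, flags: int) -> str:
        # Only traffic to the bogus MAC is ours; answer a bare SYN with SYN/ACK, hold the rest.
        if dst_mac != BOGUS_MAC:
            return "ignored"
        self.scanners.add(src_ip)
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.log.append(f"SYN from {src_ip} to {dst_ip} -> SYN/ACK")
            return "SYN/ACK"
        return "hold"


def run_demo() -> dict:
    """Constructed timeline: one live host (10.0.0.5) and one unused address (10.0.0.77)."""
    tp = Tarpit(timeout=3.0)
    scanner_mac, scanner_ip = "00:11:22:33:44:55", "10.0.0.9"
    tp.on_arp_request(0.0, scanner_mac, scanner_ip, "10.0.0.5")
    tp.on_arp_reply(0.1, "10.0.0.5")                     # real host answers: not claimed
    tp.on_arp_request(0.0, scanner_mac, scanner_ip, "10.0.0.77")
    early = tp.tick(1.0)                                 # still inside the timeout: nothing
    frames = tp.tick(3.5)                                # unanswered for 3.5s: claim 10.0.0.77
    syn_reply = tp.on_tcp(BOGUS_MAC, scanner_ip, "10.0.0.77", TCP_SYN)
    real_host = tp.on_tcp("aa:bb:cc:dd:ee:ff", scanner_ip, "10.0.0.5", TCP_SYN)
    return {"early": early, "frames": frames, "syn_reply": syn_reply,
            "real_host_reply": real_host, "scanners": tp.scanners,
            "claimed": tp.claimed, "log": tp.log}


if __name__ == "__main__":
    result = run_demo()
    print(parse_arp(result["frames"][0]))
    print("\n".join(result["log"]))
```

The check that matters in practice is the one in `on_arp_reply`: an address that any real host answers for must never be claimed, or the tarpit would start answering for a legitimate machine and break its connectivity.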
Please note that using a honeypot has legal implications in some countries. For instance, some countries have laws against wiretapping, and recording an attacker's traffic on a honeypot can be seen as a violation of such laws.
Setting it up
As root, first install the libdnet RPM:
rpm -i libdnet-1.7-0.1.fc2.dag.i386.rpm
Next extract the LaBrea tarball and install it:
tar -zxvf labrea-2.5-stable-1.tar.gz
cd labrea
./configure --with-libdnet=/usr
make
make install
LaBrea also needs to be run as root.
LaBrea has many command-line switches, and choosing the right ones matters. For instance:
labrea -i eth1 -o -v -z
This runs LaBrea in verbose mode (-v), sends all log output to stdout (standard output) instead of syslog (-o), listens on the interface named by the -i switch (here eth1), and, with -z, turns off the nag messages about features that your LAN card might not support.
Testing the setup
To test your new software, find a machine on your network and try to ping an unused local IP address. After three ‘Request timed out’ messages you should start getting a response. You can increase or decrease the time period that LaBrea takes to respond using the
In LaBrea's output on the machine you just set up, you'll see the IP address of the machine from which the ping originated.
Now for the real stuff. Run Nessus against a free IP address: it will report the address as a live host. On my network it reported security holes and security warnings on my unoccupied IP! Nmap showed more than 2,000 open ports and the services supposedly running on the virtual machine. Neither finding means anything is really there: because LaBrea answers every SYN, a scanner sees every probed port as open and names services by port number alone.
A honeypot like LaBrea is a useful security tool that complements intrusion detection systems and firewalls.
Mayank Sharma is a freelance technology writer and FLOSS migration consultant in New Delhi, India.
Author: Chris Preimesberger
In fact, DaimlerChrysler proved that it had complied with the original contract by certifying its use of Unix System V code to SCO Group on April 6, 2004, 11 weeks before Michigan Judge Rae Lee Chabot dismissed most of the case on July 21. DaimlerChrysler IT manager Norman Powell did this by attesting that no SCO-owned code had been used in DaimlerChrysler's shop for more than seven years, so there were no CPUs to be counted. (With thanks to Pam Jones at Groklaw; see DaimlerChrysler's Motion for Summary Dismissal, dated April 15, 2004.)
DaimlerChrysler: Full compliance with agreement
“DaimlerChrysler has provided SCO with a certification that complies with the express requirements of Section 2.05 (of the original contract with AT&T Information Systems),” the company said on Page 24 of its 54-page Motion for Summary Dismissal. “Specifically, the DaimlerChrysler letter provides SCO with the required information about Designated CPUs (explaining that none are in use); certifies that an authorized person reviewed DaimlerChrysler's use; and states that no software product licensed under the subject agreement is being used or has been used in more than seven years, and as a result, there is full compliance with the provisions of the subject agreement,” DaimlerChrysler said.
SCO Group then accepted DaimlerChrysler's certification response, company spokesman Blake Stowell told NewsForge. In effect, an out-of-court agreement was reached, although it was not made public. At this point, SCO Group could have dropped the litigation, but its counsel elected not to do so.
“We're satisfied that DaimlerChrysler did finally certify their compliance with the existing software agreement,” Stowell said.
Then why didn’t SCO Group drop the suit, after its customer (DaimlerChrysler) offered its explanation of compliance on April 6?
“One of the reasons our lawyers decided to pursue the case is that I think they wanted to investigate further whether DaimlerChrysler had any possible misuse of our code within Linux in their systems,” Stowell said on Monday.
However, the SCO lawyers’ plan backfired when Judge Chabot stuck to the letter of the contract, which dealt strictly with certification of Unix System V code usage. As it turned out, DaimlerChrysler “was not obligated to tell us anything about their use of Linux,” Stowell said.
More litigation to come?
Will SCO Group continue its investigation into whether DaimlerChrysler is somehow misusing proprietary Unix code in its Linux systems?
“I don’t know,” Stowell said. “I can’t answer that. It’s up to our lawyers.”
For this particular case, SCO Group retained the Southfield, Mich., firm of Seyburn, Kahn, Ginn, Bess and Serlin. A call to case lead attorney Joel Serlin Monday afternoon was not returned to NewsForge.
Detroit-based DaimlerChrysler spokeswoman Mary Gauthier, who did not return calls requesting comment today, told ComputerWorld on July 21 — the day of the judgment — that “we are pleased with the judge’s ruling, and we look forward to finally resolving the one open issue.”
Stowell said he does not believe SCO Group will pursue the final point in the Michigan case that is still open — that SCO Group wants to know why DaimlerChrysler didn’t respond to the certification request in a reasonable amount of time.
In fact, DaimlerChrysler responded to SCO on April 6, about a month after the lawsuit was filed, explained its legal point of view, and offered certification information. All of this is included in the motion filed on April 15. That means DaimlerChrysler took about three and a half months to respond to SCO's first letter, dated Dec. 18, 2003, requesting an accounting of its Unix System V code.
Author: JT Smith
“Back in December iCanProgram.com announced that it would be offering its online “Introduction to Linux Programming” courses without fees in return for a voluntary donation to Cancer Research by the participants. These donations were made in memory of one of our founding partners who lost her own battle with Cancer last summer.
This “learning for charity” formula has been a success far beyond our expectations. We have now offered our courses under this format to over 350 students worldwide.
For those of you who missed out the first time round there are still openings in the 2 remaining courses that will be offered in the 2002 spring session.
The 02 Apr edition of the Introduction to Linux Programming course has room.
The 02 Apr edition of our newest advanced Linux Programming course, titled Linux Programming the SIMPL way, has room as well.
Thanks once again to all those who have participated so far and given so generously to the cause of fighting Cancer.”
Author: JT Smith
“This article is a followup to an article entitled The Myth of Open Source Security Revisited. The original article tackled the common misconception amongst users of Open Source Software (OSS) that OSS is a panacea when it comes to creating secure software. The article presented anecdotal evidence taken from an article written by John Viega, the original author of GNU Mailman, to illustrate its point. This article follows up the anecdotal evidence presented in the original paper by providing an analysis of similar software applications, their development methodology and the frequency of the discovery of security vulnerabilities.”