Proven tradition out in the wild. I gather there are SSH honeypots that allow logins with trivial attempts (pi/raspberry, admin/admin..), then simply record which commands the attacker runs first. Usually they'll be scripted commands to scope out the compromised system, and if it passes muster it dials home. I don't think those honeypots are designed to make much of a human attacker, but they allow rapid identification and classification of who's attacking and offer some scope for countermeasures.

For example, if your attacker is running a certain command and capturing a certain form of expected output, what happens if your honeypot gives it too much, or a different kind of output? :) Is your automated attacker using SQL to store attack data? I hope it's escaping input.. Is your attacker using stars in any commands ('grep foobar *')? Did you know you can have filenames that look like shell command flags and bash will uncritically pass them as arguments?

On 03/02/15 18:55, Natanael wrote:
> On 3 Feb 2015 19:19, "coderman" <coderman@gmail.com> wrote:
>
> > On 2/3/15, dan@geer.org <dan@geer.org> wrote:
> >
> > > ... John, you know this I'm sure, but for the record the highest security places use sacrificial machines to receive e-mail and the like, to print said transmissions to paper, and then those (sacrificial) machines are sacrificed, which is to say they are reloaded/rebooted. Per message. The printed forms then cross an air gap and those are scanned before transmission to a final destination on networks of a highly controlled sort. I suspect, but do not know, that the sacrificial machines are thoroughly instrumented in the countermeasure sense.
> >
> > this is defense to depths layered through hard experience lessons ;)
> >
> > > ... For the entities of which I speak, the avoidance of silent failure is taken seriously -- which brings us 'round to your (and my) core belief: The sine qua non goal of security engineering is "No Silent Failure."
> >
> > there was an interesting thread here last year on instrumenting runtimes to appear stock (vulnerable) but which fail in obvious ways when subversion is attempted. (after all, being able to observe an attack is the first step in defending against such a class...)
> >
> > "hack it first yourself, before your attacker does..."
>
> Canary bugs / honeypot bugs?
-- 
Scientific Director, IndieBio Irish Programme
Got a biology-inspired business idea that $50,000 & 3 months in a well-equipped lab could accelerate? Apply for the Summer programme in Ireland: http://indie.bio/apply-to-ireland
Twitter: @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey
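The glob trick mentioned in the reply above ('grep foobar *' meeting a filename that looks like a flag), as an added shell example that is not part of the original message or thread. The directory, its three files and the function names are constructed for this demo; a file named "-l" is planted so that an unquoted `*` hands grep the --files-with-matches option, and the hardened form shows the `--` end-of-options marker that defeats it.

```shell
#!/bin/sh
# Added example (not from the original message): a filename that looks like an
# option is expanded by an unquoted glob and parsed by grep as a flag.
# Directory contents below are constructed for the demo.

# Build a scratch directory holding two ordinary files and one file named "-l".
# Prints the directory path so callers can reuse it.
make_demo_dir() {
  demo_dir=$(mktemp -d)
  printf 'foobar here\n' > "$demo_dir/notes.txt"
  printf 'nothing\n'     > "$demo_dir/other.txt"
  # An empty file whose name is grep's --files-with-matches flag.
  : > "$demo_dir/-l"
  printf '%s\n' "$demo_dir"
}

# What an automated attacker (or a careless script) types. In the scratch
# directory the glob expands to "-l notes.txt other.txt", so grep silently
# switches to filename-only output instead of printing the matching line.
naive_grep() {
  (cd "$1" && grep foobar *)
}

# Hardened form: "--" ends option parsing, so "-l" is searched as a file.
# Prefixing the glob as ./* has the same effect.
safe_grep() {
  (cd "$1" && grep foobar -- *)
}

demo=$(make_demo_dir)
echo "naive: $(naive_grep "$demo")"   # → notes.txt
echo "safe:  $(safe_grep "$demo")"    # → notes.txt:foobar here
rm -rf "$demo"
```

The same planted-filename trick applies to any tool that takes options and a file list (rm, tar, chown, rsync), which is why `--` or a `./` prefix belongs in every script that globs over a directory an attacker can write to, a honeypot's home directory included.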