thick gaps
Cathal Garvey
cathalgarvey at cathalgarvey.me
Wed Feb 4 00:15:09 PST 2015
Proven tradition out in the wild. I gather there are SSH honeypots that
allow logins with trivial attempts (pi/raspberry, admin/admin...), then
simply record which commands the attacker runs first. Usually they'll be
scripted commands to scope out the compromised system, and if it passes
muster it dials home.

I don't think those honeypots are designed to make much of a human
attacker, but they allow rapid identification and classification of
who's attacking and offer some scope for countermeasures.

For example, if your attacker is running a certain command and capturing
a certain form of expected output, what happens if your honeypot gives
it too much, or a different kind of output? :)

Is your automated attacker using SQL to store attack data? I hope it's
escaping input... Is your attacker using stars in any commands ('grep
foobar *')? Did you know you can have filenames that look like shell
command flags and bash will uncritically pass them as arguments?
On 03/02/15 18:55, Natanael wrote:
> On 3 Feb 2015 19:19, "coderman" <coderman at gmail.com> wrote:
> >
> > On 2/3/15, dan at geer.org <dan at geer.org> wrote:
> > > ...
> > > John, you know this I'm sure, but for the record the highest
> > > security places use sacrificial machines to receive e-mail and
> > > the like, to print said transmissions to paper, and then those
> > > (sacrificial) machines are sacrificed, which is to say they
> > > are reloaded/rebooted. Per message. The printed forms then
> > > cross an air gap and those are scanned before transmission to
> > > a final destination on networks of a highly controlled sort.
> > > I suspect, but do not know, that the sacrificial machines are
> > > thoroughly instrumented in the countermeasure sense.
> >
> > this is defense to depths layered through hard experience lessons ;)
> >
> >
> >
> > > ... For the
> > > entities of which I speak, the avoidance of silent failure is
> > > taken seriously -- which brings us 'round to your (and my)
> > > core belief: The sine qua non goal of security engineering is
> > > "No Silent Failure."
> >
> > there was an interesting thread here last year on instrumenting
> > runtimes to appear stock (vulnerable) but which fail in obvious ways
> > when subversion is attempted. (after all, being able to observe an
> > attack is the first step in defending against such a class...)
> >
> > "hack it first yourself, before your attacker does..."
>
> Canary bugs / honeypot bugs?
>
--
Scientific Director, IndieBio Irish Programme
Got a biology-inspired business idea that $50,000 -
& 3 months in a well equipped lab could accelerate?
Apply for the Summer programme in Ireland:
http://indie.bio/apply-to-ireland
Twitter: @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey
More information about the cypherpunks mailing list
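The flag-in-a-filename trick Cathal describes ('grep foobar *' with a file whose name looks like an option), as an added shell example that is not part of the original post. The scratch directory, its contents and the file name "-l" are constructed for the demonstration; the behaviour shown assumes GNU grep, which accepts options anywhere on the command line, so the position of the expanded "-l" does not matter.

```shell
#!/bin/sh
# Added example (not from the original post): a file named like a flag is
# handed to grep as an option once the shell expands '*', so an attacker's
# scripted 'grep foobar *' on a honeypot gets output of a different shape.

# Build a scratch directory (constructed for this demo): one real file that
# contains the pattern, plus an empty file literally named "-l".
setup_dir() {
    scratch=$(mktemp -d)
    printf 'foobar\n' > "$scratch/a.txt"
    : > "$scratch/-l"
    echo "$scratch"
}

# What an automated attacker's script does: 'grep foobar *'.
# '*' expands to '-l a.txt'; GNU grep takes '-l' as its "print matching
# file names only" option, so the result is 'a.txt', not the matching line.
naive_grep() {
    ( cd "$1" && grep foobar * ) 2>/dev/null
}

# Hardened form: '--' ends option parsing, so '-l' is just a (empty,
# non-matching) file name and the output keeps the usual 'file:line' shape.
safe_grep() {
    ( cd "$1" && grep foobar -- * ) 2>/dev/null
}

demo=$(setup_dir)
echo "naive: $(naive_grep "$demo")"
echo "safe:  $(safe_grep "$demo")"
rm -rf "$demo"
```

The same defence applies to any command fed by a glob (rm, chmod, tar ...): terminate the options with `--`, or expand as `./*` so every argument starts with `./` and can never be parsed as a flag. A honeypot that plants such names in the directories an attacker's script is known to sweep is a cheap way to make that script misbehave visibly.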