thick gaps

Cathal Garvey cathalgarvey at cathalgarvey.me
Wed Feb 4 00:15:09 PST 2015


Proven tradition out in the wild. I gather there are SSH honeypots that 
allow logins with trivial attempts (pi/raspberry, admin/admin..), then 
simply record which commands the attacker runs first. Usually they'll be 
scripted commands to scope out the compromised system, and if it passes 
muster it dials home.

I don't think those honeypots are designed to make much of a human 
attacker, but they allow rapid identification and classification of 
who's attacking and offer some scope for countermeasures.

For example, if your attacker is running a certain command and capturing 
a certain form of expected output, what happens if your honeypot gives 
it too much, or a different kind of output? :)
Is your automated attacker using SQL to store attack data? I hope it's 
escaping input.. Is your attacker using stars in any commands ('grep 
foobar *')? Did you know you can have filenames that look like shell 
command flags and bash will uncritically pass them as arguments?

On 03/02/15 18:55, Natanael wrote:
> On 3 Feb 2015 19:19, "coderman" <coderman at gmail.com> wrote:
>  >
>  > On 2/3/15, dan at geer.org <dan at geer.org> wrote:
>  > > ...
>  > > John, you know this I'm sure, but for the record the highest
>  > > security places use sacrificial machines to receive e-mail and
>  > > the like, to print said transmissions to paper, and then those
>  > > (sacrificial) machines are sacrificed, which is to say they
>  > > are reloaded/rebooted.  Per message.  The printed forms then
>  > > cross an air gap and those are scanned before transmission to
>  > > a final destination on networks of a highly controlled sort.
>  > > I suspect, but do not know, that the sacrificial machines are
>  > > thoroughly instrumented in the countermeasure sense.
>  >
>  > this is defense to depths layered through hard experience lessons ;)
>  >
>  >
>  >
>  > > ...  For the
>  > > entities of which I speak, the avoidance of silent failure is
>  > > taken seriously -- which brings us 'round to your (and my)
>  > > core belief: The sine qua non goal of security engineering is
>  > > "No Silent Failure."
>  >
>  > there was an interesting thread here last year on instrumenting
>  > runtimes to appear stock (vulnerable) but which fail in obvious ways
>  > when subversion is attempted. (after all, being able to observe an
>  > attack is the first step in defending against such a class...)
>  >
>  > "hack it first yourself, before your attacker does..."
>
> Canary bugs / honeypot bugs?
>

-- 
Scientific Director, IndieBio Irish Programme
  Got a biology-inspired business idea that $50,000 -
  & 3 months in a well equipped lab could accelerate?
  Apply for the Summer programme in Ireland:
  http://indie.bio/apply-to-ireland
Twitter:  @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey
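The "record the first commands, then classify who is attacking" step above, as an added example that is not code from this post or from any honeypot project. It assumes a constructed log in the form `timestamp session-id command` and a hypothetical list of scope-out commands; a burst of such commands within seconds of login is labelled scripted.

```python
"""Classify SSH honeypot sessions as scripted vs. interactive from the
first commands each login runs (constructed sample log, not real data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per command, "ISO-timestamp session-id command".
SAMPLE_LOG = """\
2015-02-04T00:15:09 s1 uname -a
2015-02-04T00:15:09 s1 cat /proc/cpuinfo
2015-02-04T00:15:09 s1 free -m
2015-02-04T00:15:10 s1 ls -la /home
2015-02-04T00:15:10 s1 w
2015-02-04T00:16:02 s2 ls
2015-02-04T00:16:41 s2 cat /etc/motd
2015-02-04T00:17:30 s2 whoami
"""

# Hypothetical list of "scope out the box" commands automated logins tend to run
# first; in practice this list is built from what the honeypot has already seen.
RECON_COMMANDS = {"uname -a", "cat /proc/cpuinfo", "free -m", "w", "id",
                  "nproc", "ls -la /home"}

def parse_log(text):
    """Group commands by session id, keeping (timestamp, command) in order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, cmd = line.split(" ", 2)
        sessions[sid].append((datetime.fromisoformat(ts), cmd))
    return sessions

def session_features(events):
    """Return (command count, seconds from first to last command, recon fraction)."""
    times = [t for t, _ in events]
    span = (max(times) - min(times)).total_seconds()
    recon = sum(1 for _, c in events if " ".join(c.split()) in RECON_COMMANDS)
    return len(events), span, recon / len(events)

def classify(events, max_span=5.0, min_recon=0.6):
    """Scripted: several recon commands fired within a few seconds of login."""
    n, span, recon_frac = session_features(events)
    if n >= 3 and span <= max_span and recon_frac >= min_recon:
        return "scripted"
    return "interactive"

def classify_log(text):
    """Map each session id in the log to its label."""
    return {sid: classify(ev) for sid, ev in parse_log(text).items()}

if __name__ == "__main__":
    for sid, label in classify_log(SAMPLE_LOG).items():
        print(sid, label)
```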