Interview with Lance Spitzner @ BlackHat Europe 2003 - May 14th, 2003
Daniele Muscetta

(This is the RAW transcript of our conversation. The interview has been published (an Italian translation of it) on "IT Virtual Community": http://www.itvirtualcommunity.net/blackhat03/spitzner.asp)

Daniele> First of all, I am interested in this: you said several times that there are different kinds of honeypots, such as low interaction, high interaction, besides several choices between commercial products, freeware, open source; the landscape is quite big. I want to understand the reasons - why these things differentiate from each other: in particular, for research purposes you are mainly interested in HIGH interaction honeypots, while companies usually go for low interaction honeypots, because those give them just a basic DETECTION capability. Why do you think it is not possible (better: how do you think it IS possible) to have a little SHIFT in culture about honeypots? Organizations are mainly searching for stuff that's easy, something you just plug in and it works... they are not usually interested in research themselves, which would be a step further.... And also, what is the reason that you like what you like, so research and HIGH interaction honeypots?

Lance> I like to learn. I am not out to protect anything, I just want to LEARN, so I like the HIGH interaction honeypots because they teach me much. For the corporations, they don't want to learn. They don't care. They just want to keep the bad guys out, or DETECT the bad guys when they're being bad. So the high interaction honeypots can do everything that low interaction honeypots do, but they're much more work AND much more risk. So the low interaction honeypots are probably what's better for commercial organizations.

Daniele> Yes, but even with low interaction there are a lot of misconceptions around... I mean, many companies are just scared of approaching this technology. I see a lot of doubts, fear, sometimes people look really scared.

Lance> There's a lot of misconception about honeypots. They have sometimes gotten a bad reputation because people think that they do different things, like deception, or things like that, so people need to understand that honeypots are just another very flexible tool.

Daniele> But... is that also triggered by the name of one of the first honeypots... "the Deception Toolkit"?

Lance> Exactly. People are having a hard time understanding their value. Well, honeypots can be very good at detection. They work in encrypted environments, they work in IPv6 if you want, they can detect new attacks, they really reduce false positives! So there are a lot of advantages to this technology that people are starting NOW to understand.

Daniele> How much time will be needed, in your opinion?

Lance> It is already happening, but it's happening more for research honeypots: like universities, governments, military organizations, security companies, like ISS or SecurityFocus. For commercial organizations, it's happening, but slowly. It'll probably take more than three years.

Daniele> I see there are technical guys who look at them, but the information does not yet arrive properly to the managers.

Lance> Keep in mind, the other thing with honeypots is: the bad guys know what honeypots are; they can avoid them, and the honeypot would have no value...

Daniele> ...or they can fill (flood) them with lots of false attacks, to deceive us...

Lance> Exactly, so if an organization has honeypots deployed, they don't want anybody to know. So this happens a lot of times if a big organization HAS honeypots... I mean: I KNOW very large financial organizations, manufacturing, that do have them deployed.

Daniele> Could we take as an example the honeypot of ISS compromised a couple of days ago?
http://www.zone-h.org/en/news/read/id=2657/
http://www.zone-h.org/en/news/read/id=2663/
http://xfiw.iss.net/

Lance> Yes, ISS.... Yes, it's kept very quiet. Especially because sometimes they just don't want other parts of the community to know.

Daniele> In many other cases organizations just can't be bothered with learning; they would rather have an outsourced solution, they just don't want to know, they're not interested in getting more knowledge: they want the system to work, without having to care about it!

Lance> A lot of the time they just want a big, pretty, commercially supported solution. And there are only a couple of commercial honeypots right now. We'll see more. It's just like with firewalls seven years ago... it takes a couple of years.

Daniele> Another issue, concerning legal issues: [...] Lately, they're not discussing anymore the issues about "entrapment" which you talk about in your book (http://www.tracking-hackers.com/book/), but rather...

Lance> "Privacy" and "Liability"! I have written another paper on the legal issues of honeypots on SecurityFocus; it should be out in a couple of weeks.

Daniele> Yes, privacy, concerning "interception of communications".... in the case where on your honeypot the hacker is chatting with someone else, and you're recording that.... this sort of thing. There was an article, someone said "honeypots are dangerous, you can go to prison!" and you replied on the SANS mailing list...

Lance> Ah! Yeah, that was the SecurityFocus article by Kevin Poulsen ("Use a Honeypot, Go to Prison?" - http://www.securityfocus.com/news/4004). That was really sensationalized! And keep in mind: me and you are sitting here talking about privacy issues: but for what country? Brazil? Italy? Australia? Different hackers in different countries have different legal issues.

Daniele> In some cases, we hear that really good/skilled/let's-say-dangerous hackers won't be trapped into our honeypot/honeynet.... and that the risk is of studying just a bunch of script kiddies. Who's going to study the really bad guys? Don't you think that we have a SOCIAL problem, and that with the current direction/trend of paranoia of the security market we are risking sending to jail a bunch of stupid kids (whose issue would be mainly to teach them not to play with fire - but who are maybe not a big threat) rather than the REAL criminals? Could we do something at the educational level?

Lance> Maybe, but maybe not. Most of it is really criminally motivated activity. For example, the more economically depressed a country is, the more hacking you see coming from it, like Romania. The vast majority of hacking comes from Romania, because they are so economically depressed. I mean, hacking is just another form of crime.

Daniele> It is, but in some cases there could be different motivations: some people might be hacking for pure curiosity and research, some others might really want to steal things.

Lance> Most of them are out to steal things. Most of them are criminally motivated.

Daniele> I mean that there are also just a bunch of kids that do it for the challenge or the thrill of it, but of course they can still do damage.

Lance> Exactly, but they are not an issue. I believe the vast majority are criminals. They want to steal money, to steal credit cards.

Daniele> In some cases you see a lot of silly things happening, even watching the logs of my firewall: even little systems are constantly probed for things that everybody who knows a tiny bit would keep closed and secured.

Lance> Where there is anything with an IP stack, a lot of people will attack it.

Daniele> Is the situation going to be much worse with IPv6, with the coverage it will have?

Lance> That's true. More IPs to be attacked. More IPs for all the devices of every person.

Daniele> I mean your toaster can be attacked, or your fridge, and so on.

Lance> Exactly.

Daniele> Last question, a naughty one: ~el8 - Project Mayhem? Last summer we saw these people trying to make you and other security professionals look ridiculous, to take the mickey out of you... what has happened lately? Have these people been caught? How has the issue impacted your projects? Do you think they might be really dangerous (their "declaration of war against the security community/industry") or is it not something to worry about? What happened lately?

Lance> Not much, we don't pay them much attention. They were just making a lot of noise. We have better things to do. They were out to make as much noise as possible. The people that concern me are the people you don't hear about, the quiet ones. Those are the scary guys.

Daniele> What is the possible evolution of research in that sense: how are you trying to focus more on those quiet ones that are so difficult to catch?

Lance> Yes, we are trying to focus more on those, by deploying systems of high value, systems that will trap them.

Daniele> Like the automatic redirection to the honeypot IN CASE the firewall detects an attack on the real system?

Lance> Yes. They maybe have a high value mail server, or eCommerce server that gets HIGH profile attacks. A real production system. When the attacks are detected they are redirected to the honeypot.