Re: honeypot in conjunction with pen test?
From: Bennett Todd (bet@rahul.net)
Date: 06/06/02
Date: Thu, 6 Jun 2002 10:22:30 -0400
From: Bennett Todd <bet@rahul.net>
To: pen-test@securityfocus.com

I've gotten a lot of thoughtful feedback on my proposal; I think
there's a lot of agreement that it's either a purely bad idea (a
possibility I don't reject out of hand :-), or else if it is to be
done, extreme care must be taken to tune the honeypot so that
excessive resources aren't wasted by the pen-testers.

So we shouldn't have things that tempt the pen-testers to waste a
lot of time trying to break in, and whatever the honeypot offers it
shouldn't be so easy and obvious as to look out of place, nor so
obscure that it cannot be found, nor so serious that they feel they
have to make an emergency report.

So far one idea has occurred to me; toss a sacrificial box out
there, run BIND on it, but don't have NS records pointing to it in
public DNS. BIND is a security catastrophe, so just make sure the
version is one down-rev so there are known security problems, and
see if they find it.

-Bennett