Thursday 25 April 2013

No honeypot? Don't bother calling yourself a security pro


I'm constantly amazed by how many companies don't bother running honeypots, despite evidence that they're incredibly high-value, low-noise defense assets. A honeypot is a computer software or device that exists simply to be attacked. You can take any computer -- typically one you're getting ready to decommission because it's old and underpowered -- and use it as a honeypot. Because it's no longer a legitimate production asset, no person or service should be connecting to it. When something (such as a hacker or malware) connects to it, the honeypot sends an alert that can trigger an immediate incident response.

[ See Roger Grimes' comparative review: Intrusion detection honeypots simplify network security. ]

Honeypots are excellent early-warning systems. After a little fine-tuning, they're incredibly low noise, producing few false positives -- unlike firewalls or IDSes (intrusion detection systems). They can easily capture zero-day exploits, freshly minted malware, and roaming APT hackers. Honeypots are great at detecting malicious activity from both outsiders and insiders; they turn up rogue exploits the other tools miss. Best of all, they do it at very low cost with little ongoing maintenance.
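A minimal listener of the kind the column describes, added here as an illustration (it is not code from the column or from any honeypot product it names): every connection to the decommissioned box becomes an alert record, and a small allowlist is the "fine-tuning" that keeps it low noise. The allowlisted address and the port are constructed values.

```python
# Minimal TCP honeypot listener (added example, not the column's own code).
# Every connection is unexpected by definition, so each one becomes an alert;
# a small allowlist is the "fine-tuning" that keeps the alerts low noise.
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed value: an internal scanner that is allowed to touch the box.
ALLOWLIST = {"10.0.0.5"}

def build_alert(src_ip, src_port, dst_port, first_bytes, when=None):
    """Return an alert dict for a connection, or None if it is allowlisted."""
    if src_ip in ALLOWLIST:
        return None
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "src": f"{src_ip}:{src_port}",
        "dst_port": dst_port,
        # Short printable sample of what was sent, for triage only.
        "sample": first_bytes[:64].decode("ascii", "replace"),
        "severity": "high",
    }

def handle(conn, addr, dst_port, sink):
    """Read a few bytes, emit the alert and close; the box offers no service."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(64)
    except OSError:  # includes socket.timeout
        data = b""
    finally:
        conn.close()
    alert = build_alert(addr[0], addr[1], dst_port, data)
    if alert:
        sink(json.dumps(alert))

def serve(port, bind="0.0.0.0", sink=print):
    """Accept connections on one port, handling each in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, port, sink), daemon=True).start()
```

Run it unprivileged with `serve(2222)` and forward the real service port to it; replace the `print` sink with whatever feeds your incident-response queue.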

Sticky business: Honeypots compared

In preparing for a recent customer engagement, I had the opportunity to check out the latest honeypot technology and see how the players were doing. Unfortunately, no one appears to be getting rich developing honeypot software. Of the 30 or so projects listed by the Honeynet Project, perhaps 90 percent are dead or headed in that direction. That's the bad news. The good news is that great open source and commercial honeypot projects are alive and well.

Glastopf is a low-interaction, open source honeypot that emulates a vulnerable Web server. Running on Python, PHP, and MySQL, Glastopf can emulate literally thousands of vulnerabilities and is intended to be Web crawled, a recognition that today's attackers frequently use search engines to find innocent websites to infect. Glastopf has GUI management and reporting features, and it's actively maintained and updated. Specter, a commercial honeypot, hasn't been updated significantly in years, but it's still actively sold and supported. It's GUI-based and has a few interesting features (it updates its own content, has "marker" files that can be used to trace hackers, and more) that make it a honeypot to check out. I also like the free USB emulation honeypot known as Ghost USB. It mounts as a fake USB drive to enable easier capture and analysis of malware that uses USB drives to replicate. It could come in very handy during the next USB worm outbreak.

But my favorite commercial honeypot, KFSensor, still leads the way by a large margin. It's easily the most feature-rich and mature honeypot product out there. Its developer continues to add new features, and while this post isn't an official Test Center review, I can't find anything else that holds a candle to it. If you want a great commercial honeypot product with enterprise features, KFSensor is it.

Just deploy it

If you're not running a honeypot, now's the time. I can tell you from experience: They work. I've never installed a production honeypot that failed to catch some malicious behavior or software within a few days. If you're worried about zero days, APT hackers, or rogue insiders, you can't beat honeypots as a solid early-warning defense.

I don't care how well the malware is written or how good the hacker is -- a malicious actor moving laterally in a network is going to have to at least touch boxes. With a few honeypots deployed in strategic places, it's a lot easier to ferret out the bad guys and their rogue software. If you're not running one and you claim to care about security, what's your excuse?


Reuters editor charged with hacking: I was fired



SACRAMENTO, Calif. (AP) — A social media editor who has worked for two of the nation's largest news-gathering organizations is scheduled to appear in federal court Tuesday to face charges that he conspired with hackers to deface the website of the Los Angeles Times. The attorney for 26-year-old Matthew Keys said he will plead not guilty during the arraignment in Sacramento, his first court appearance since charges were filed last month. On Monday, Keys said via his Twitter account that he had been fired by his most recent employer, the Reuters news agency. The federal charges stem from an incident that occurred before he was employed by the company.

Keys is charged with giving the hacking group Anonymous the log-in credentials to the computer system of The Tribune Co., which owns the Los Angeles Times, Chicago Tribune, Baltimore Sun and other media properties. He was fired by a Sacramento television station owned by Tribune two months before the Times' website was hacked. The charging documents say a hacker identified as "Sharpie" used information Keys supplied in an Internet chat room to access the Times' web system and alter a headline on a December 2010 story. The headline was changed to read "Pressure builds in House to elect CHIPPY 1337," an apparent reference to another hacking group.

Keys, of Secaucus, N.J., said in a Facebook posting last month that he did not provide the log-in information. He "absolutely, 100 percent ... denies these allegations," said Keys' Ventura-based attorney, Jay Leiderman. He said his client is not talking to reporters. Prosecutors say Keys encouraged Anonymous members to hack into the Tribune's website and applauded their success. "Anyone can use any nickname in any chat room at any time," Leiderman said. "If in fact those things were said, they were not said by him."

Keys is charged with two counts that each carry a maximum penalty of 10 years in prison — transmitting and attempting to transmit information with the intent of damaging a protected computer. He faces a third count of conspiring to transmit that information, which carries a maximum sentence of five years. Legal experts say Keys likely would spend far less time in prison if convicted, especially if he has no prior criminal history. The indictment fed an ongoing debate over when an online prank becomes an Internet crime and whether the government is going too far in punishing the perpetrator.

The debate was sparked by the suicide in January of Aaron Swartz, a 26-year-old Internet activist who was found dead in his Brooklyn apartment as he awaited trial on allegations that he illegally downloaded millions of academic articles and helped post millions of court documents on the Internet. Tribune employees spent 333 hours responding to the 2010 hacking that Keys is charged with orchestrating, costing the company $17,650 in labor costs alone, according to an October 2012 search warrant affidavit filed by the FBI. The FBI searched Keys' three-bedroom, two-bathroom apartment looking for computer equipment. In the affidavit, FBI Special Agent Gabriel Andrews said there is probable cause to believe that Keys broke into the Tribune Media computer system after he was fired in October 2010 by the Tribune-owned FOX affiliate KTXL-TV in Sacramento. He stole an email list of FOX 40's customers, then "offered to sell this list to members of Anonymous," according to the affidavit.

"Keys also used this list to send spurious emails to FOX 40's customers and to disrupt the business operations of FOX 40," the affidavit said. Leiderman, his attorney, denied the allegations. The television station told the FBI that Keys also changed the passwords to the station's Twitter and Facebook accounts after he was fired. He deleted 6,000 followers from the station's Twitter account and posted news headlines from the station's competitors during the four days he had unauthorized control of the accounts, according to the affidavit. Leiderman said that involved "a dispute over ownership" of personal accounts Keys had been using on behalf of the station.

Keys was not charged with any of the alleged incidents involving FOX 40. The station referred requests for comment to Tribune Corp. spokesman Gary Weitman, who declined comment. Keys was working at Thomson Reuters Corp.'s New York office at the time the charges were announced and was suspended with pay. A company spokesman on Monday would not elaborate on why it no longer employed Keys, but the social media editor said in a Twitter posting that it was not because of the indictment. Rather, Keys tweeted a copy of a "final written warning" he said he received from Reuters in October, which admonished him for unprofessional behavior after he mocked a Google executive from a fake Twitter account. Keys said his union, the Newspaper Guild, would file a grievance on his behalf.

