SANS Institute 2007, As part of the Information Security Reading Room Author retains full rights.
CyberLaw 101: A primer on US laws related to honeypot deployments
GSEC Gold Certification
Author: Jerome Radcliffe, jay.radcliffe@gmail.com
Adviser: Jim Purcell
Accepted: February 1, 2007
Outline
1. Introduction
2. Honeypot Background
3. Privacy and the ECPA
4. Consent
5. Entrapment
6. Checklist of protectionary measures
7. Conclusion
8. References
1. Introduction
A honeypot is defined as an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system [1]. These devices have created a confusing interaction of legal and cyber issues: discussions of such devices are typically accompanied by a legal disclaimer, yet the legal issues themselves are not typically discussed, due to time constraints or lack of experience in legal matters. At a recent SANS conference a lawyer in the group, when the topic came up, lectured for five minutes on the need to consult a legal team before deploying or using honeypots, and pointed out the many tricky legal issues surrounding such devices. Yet the same lawyer was not able to specify the legal issues, nor was he able to make suggestions on how to handle them. This legal gray area presents two interesting issues. First, honeypots are one of the more esoteric issues that a corporate counsel would have to address and, it is very possible, a corporate legal team might not have the required knowledge to answer questions on honeypot issues. Second, not all IT professionals have access to corporate counsel, and hiring a lawyer for advice on this specific issue is often not cost effective, again due to the esoteric nature of the issue.
The goal of this paper is to provide a general primer on two legal issues related to honeypots, privacy rights and entrapment, and to provide practical advice regarding prudent actions to take for legal due diligence. By no means should this paper serve as a replacement for legal advice from informed legal counsel. Instead this paper is meant to serve as a bridge between the legal and technical worlds on the honeypot issue.

Honeypot Background
The world of honeypots can be very complicated, as they are designed neither to prevent attacks nor to detect attacks, which separates them from traditional Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls (references) [2]. These devices are exceptionally useful tools for the computer security professional as they allow for a full end-to-end analysis of an attack, including all of the details that surround the attack. Through analysis of the log files it is easy to identify the pre-attack and post-attack actions that were taken by the intruder. This would include new rootkits or different payloads that are installed after the box has been compromised. In many cases this is how new exploits are found in the field.

Honeypots are often used in the process of catching and
prosecuting cyber criminals. This criminal aspect of honeypots has led to scrutiny of the legal issues related to honeypot use in the IT field. The complexity of the law prevents many people from using honeypots. One of the legal complications is that the law applies differently depending on who is acting (in this case, who has actually established and monitored the honeypot) [3]. To understand the legal debate three distinct groups need to be noted: first, those acting on behalf of the government; second, non-governmentally funded groups; and third, individuals. Those acting from a governmental perspective include law enforcement, governmental agencies, or any federal or state funded group, such as the local police setting up a website targeted at online child predators. The second group includes groups that are not governmentally funded, such as corporations or private research groups. An example of that second category would be Joe Smith, senior system administrator for Acme Oil, setting up a honeypot on the company network. The third group applies to individuals, such as a person who has set up a honeypot on their personal Internet connection (DSL, cable, etc.). In each of these groups the law applies differently.

There are, however, some disadvantages to honeypots. Primarily, they are very time consuming to set up and maintain. When a honeypot is deployed properly, it attracts intruders quickly and plentifully.
These intruders and their actions can produce a mountain of data to be analyzed and dissected. One can easily spend days digesting the data that is produced by a single honeypot. As they are designed to be broken into, honeypots are often victims of Denial of Service (DoS) attacks as well as other attacks that will require hands-on administration. This can often lead to insufficient resources to maintain the production IT activities, or possibly distract staff from performing their primary tasks.

Privacy and the ECPA
The first legal topic that comes up in regard to honeypots is privacy. Privacy has a controversial history in US law. Compared to other issues in law, though, privacy is a new concept. Privacy law itself did not become codified until the 1960s [4]. The groundbreaking Supreme Court case Katz vs. U.S., 389 U.S. 347, 350 (1967), started the judicial system's wave of rulings on privacy rights. With honeypots, the privacy concern comes from the fact that a honeypot is recording all the activity that is occurring on that device. At first glance one might argue that this is very similar to the act of wiretapping, but this comparison would not be legally accurate. US federal law distinctly separates spoken communications from electronic communications [5]. The set of laws that defines these types
of communications is commonly referred to as the Electronic Communications Privacy Act or ECPA [6]. The ECPA outlines all of the details related to the interception and recording of electronic communications. To better understand these concepts it is necessary to define the agents involved in basic communications. First, there have to be a minimum of two agents involved in the communication (agents A and B). In this case it does not matter whether A or B initiated the communication. This communication is conducted over a given method, which can take many different forms, and the details of that method can have an effect on the interpretation of the law. There can also be a third party that is not directly involved in the communication, referred to as agent X. Agent X may or may not be known to either A or B. The diagram below illustrates this arrangement.

Applying this diagram to a typical single-device honeypot where
A is the honeypot and B is the accessing user, the controlling party of A can be categorized into one of two groups under the ECPA: a person acting under the color of the law [7], and a person not acting under the color of the law [8]. In either case, because the honeypot is owned and operated by A, they are considered a party involved in the communication. According to the ECPA it is legal to intercept and monitor such communications, with an exception: if those communications are intercepted for the purpose of committing a crime (for example, harvesting credit card numbers to perform fraudulent charges) then that action would not be legal.

Any parties that are not directly involved in the communication would be represented in the diagram as X. There are two circumstances under the ECPA when it would be legal for an X party to intercept communications between A and B. The first legal circumstance is referred to as the Provider Exception of the ECPA; in this circumstance X can intercept communications when X owns the infrastructure, such as an ISP. In such a circumstance, the company would have a legal right to intercept the communications for the purpose of protecting the ISP's service, and to allow companies providing service(s) to the public to monitor their systems for potential failures or quality issues. The second circumstance by which one could gain legal status to intercept communications from a
non-party agent is through consent.

An additional factor in the legal ability to intercept a communication is the method by which the communication takes place. Wireless communication has become a popular method of networking, both in work and home environments. As these forms of wireless communications can be recorded and monitored with RF monitoring devices, they are legal to intercept and monitor [9]. The exception to this is the use of any type of encryption with a wireless communication (such as WEP). The use of scrambled or encrypted radio communication [10] changes the communication to become "not readily accessible to the general public" [11] and, thus, not legal to intercept. Monitoring a neighbor's wireless activity, if they are transmitting unencrypted, is perfectly legal under the ECPA. If the neighbor's wireless AP is using WEP, monitoring that network is a violation of the ECPA. The action of capturing the transmission is the interception, so the use of tools to determine the WEP key via packet analysis is also, arguably, in violation of the ECPA. These, however, are very gray areas of the law and there are no established court rulings with which to clarify these murky areas. Authors such as Orin Kerr have argued that there should be no reasonable expectation of privacy in the actual encrypted data (or ciphertext) [12], because it is just plaintext characters. The knowledge
that any encryption is breakable via brute-force attack is enough of a vulnerability to establish that someone might be able to translate the encrypted data into the original message, thereby making it less private. The ECPA, however, specifically states that encrypted or scrambled transmissions are protected from interception.

Consent
Consent is defined as a voluntary agreement to another's proposition [13]. This becomes an exceptionally difficult topic due to the number of different services that run on any given computer system. On most systems there are interactive services like telnet, SSH, and terminal services. It is fairly simple to create viewable consent messages pre- and post-login for these interactive services. On a UNIX-based device, a consent message in /etc/banner for pre-login and /etc/motd for post-login could cover the legal requirements of consent. This consent banner tells the user that, by logging into the computer system, they are consenting to the recording and monitoring of all communications sent and received by that user. Entering their password to gain system access is an acceptance of the terms given in the banner message. To reinforce the agreement further, the post-login message alerting the user to monitoring and recording is given before the user is allowed to interact
with the system. On a Windows-based system, one can present the same pre-login banner message. It is a little more complicated, as it requires manual changes to the registry, but there are directions located at Microsoft's website [14] and other widely available websites with similar information.

This issue of consent becomes more complicated with services that are not as straightforward as authenticated services. With a web server, for example, it is very simple to add a link to the bottom of every page published that points the user to the consent warning. The problem is that there is no assurance that the user saw that link or that consent page. This problem has no simple solution. There is a discussion about this topic here (http://www.webdeveloper.com/forum/showthread.php?t=12057) that suggests several technology-based solutions to the link-based consent issue. An even more complicated situation comes from services that run behind the scenes, where direct user contact should never occur. An example would be SMTP services: when a user sends an e-mail out, there is no interaction with the actual user in the process of delivering that mail. There is no method of delivering a consent warning in this type of situation. Another condition where a consent warning cannot be delivered is to unauthorized backdoor services, such as Sub-Seven or Back Orifice 2000. In the world of
computer security there are always ways of getting onto a system that bypass the authentication method and thereby avoid the consent banner. In this case there is usually a persuasive argument that, in the process of bypassing the standard method of entry, the user is knowingly breaking the law and forfeits their privacy protection. In many cases the act of implementing banners on all banner-able services is enough to legally carry over to the banner-less services.

Just adding the consent banners to servers is not enough. A time might come when evidence of the installation of consent banners is needed. There are several steps that should be taken to address this issue. First, good documentation of build procedures for servers is needed to provide a clear baseline of what a server looked like when it was built. A legal team can use that documentation as proof that consent banners were in place. The documentation can be very simple; an example would be using comments in kickstart or hardening scripts used for automated build procedures. Adding the comment "Installing Consent Warning in pre and post login files for SSH" right before creating the banners, or copying them from another server, is often all that is needed. Be sure that the build procedures are being followed. If the documentation for the build procedure is in a binder on a shelf, then it is going to become out of date very quickly. Policies that are not followed are useless, and even
damaging, in a legal environment. A second banner verification method is a full system backup; this is read-only and dated, and can also be used in a legal environment to verify that the consent warnings were in place.

The next question is what exactly one should put in the consent message. This is where the consultation of legal counsel is needed. As an example, here is a consent banner from a Department of Defense website:
This is a Department of Defense computer system. This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized U.S. Government use. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal, or other adverse action. Use of this system constitutes consent to monitoring for these purposes.
http://cap.public.msg.wpafb.af.mil/ncbanner.htm

This sample banner is a good place to start. While it is very long, it is likely that the DoD legal team has covered all the bases, and it provides a sound basis for building a consent message.
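The banner-and-documentation procedure above (install pre- and post-login banners, document the step in the build script, keep dated evidence that can be re-verified), as an added shell example that is not part of the paper. It assumes the pre-login file is /etc/banner as the paper names it, that sshd_config's Banner directive points at that file (the script does not edit sshd_config), and it lets the root directory be overridden so the functions can be exercised against a scratch directory; the banner wording is a placeholder.

```shell
#!/bin/sh
# Added example (not from the paper): install pre- and post-login consent
# banners on a UNIX host and record dated, hash-checked evidence that they
# were installed. ROOT defaults to "/" but can be overridden (assumption:
# sshd_config has "Banner /etc/banner"; this script does not change sshd).
set -eu

# Placeholder text: replace with wording approved by your legal counsel.
CONSENT_TEXT='NOTICE: This system is monitored. All connections and activity
may be recorded and disclosed to authorized personnel. Use of this system,
authorized or unauthorized, constitutes consent to monitoring.'

# SHA-256 of a file: coreutils sha256sum on Linux, shasum on BSD/macOS.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Installing Consent Warning in pre and post login files for SSH.
# (This comment is the build-script documentation the paper recommends.)
install_consent_banners() {
    root="${1:-/}"
    mkdir -p "$root/etc"
    printf '%s\n' "$CONSENT_TEXT" > "$root/etc/banner"   # pre-login (sshd Banner)
    printf '%s\n' "$CONSENT_TEXT" > "$root/etc/motd"     # post-login
    chmod 0644 "$root/etc/banner" "$root/etc/motd"
    write_manifest "$root"
}

# Evidence record: who installed what, when, and the file digests. Kept
# read-only so a later copy (or a dated backup) can be compared against it.
write_manifest() {
    root="${1:-/}"
    manifest="$root/etc/consent-banner.manifest"
    rm -f "$manifest"
    {
        echo "installed_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "installed_by=$(id -un)"
        echo "host=$(uname -n)"
        echo "banner_sha256=$(digest "$root/etc/banner")"
        echo "motd_sha256=$(digest "$root/etc/motd")"
    } > "$manifest"
    chmod 0444 "$manifest"
}

# Re-check later (for example before a legal review): returns 0 if both
# files still match the digests in the manifest, 1 if either was changed
# or removed.
verify_consent_banners() {
    root="${1:-/}"
    manifest="$root/etc/consent-banner.manifest"
    [ -f "$manifest" ] || return 1
    want_banner=$(sed -n 's/^banner_sha256=//p' "$manifest")
    want_motd=$(sed -n 's/^motd_sha256=//p' "$manifest")
    [ -f "$root/etc/banner" ] && [ -f "$root/etc/motd" ] || return 1
    [ "$(digest "$root/etc/banner")" = "$want_banner" ] || return 1
    [ "$(digest "$root/etc/motd")" = "$want_motd" ] || return 1
}

# Only act when invoked explicitly, e.g.:  sh consent-banner.sh install /
case "${1:-}" in
    install) install_consent_banners "${2:-/}" ;;
    verify)  verify_consent_banners "${2:-/}" ;;
esac
```

The manifest is the lightweight counterpart of the dated full backup the paper describes; keep a copy of it off the host together with the build documentation.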
Entrapment
Entrapment is defined as the act of law enforcement officers or government agents inducing or encouraging a person to commit a crime when the potential criminal expresses a desire not to go ahead [15]. This legal gray area of entrapment is often misunderstood and can be a confusing area of law. The first area of confusion relates to the fact that entrapment is only a legal defense and not something that you can sue someone for. This means that the concept of entrapment is used by the accused (AKA the defendant) to avoid conviction. The US legal system's presumption, or X, sides with the prosecution, meaning that the court assumes that the accused was not entrapped into the action of which they are accused. This is an important fact, as presumption is difficult to overcome and, most of the time, the accused has the benefit of presumption in all other arenas. Further, entrapment is a very narrowly defined circumstance. To prove entrapment as a defense one needs to prove that the accused would not have taken the criminal action without the influence of the agent
acting under the color of law. Here are two examples:

Scenario One: Jake (a fictional skilled computer administrator) goes to a 2600 meeting and there he meets Judy and her friends. Judy and her friends are talking about hacking into Acme Inc.'s web server. Judy asks Jake if he wants to take a try at hacking into the server, and Jake politely declines. Judy pesters Jake, calling into question his skillz and general manliness. Jake accepts the offer and proceeds to hack into Acme's web server and starts monitoring its traffic. Little does Jake know that Judy is working as an undercover agent.

Scenario Two: Matt (also a fictional computer administrator) goes to a computer security convention and meets Tom at one of the courses. Tom mentions to Matt that he is going to hack into Acme's web server and he needs Matt's help. Matt says he doesn't do that sort of thing. After quite a bit of prodding and insulting, Matt still insists that he uses his skills only for good. Tom then takes out a pistol and threatens Matt's life unless he helps Tom. Matt concedes and hacks into Acme's web server. Tom is also an undercover agent.

Both Jake and Matt are charged with various computer crimes and go to trial. The question at hand is whether either Jake or Matt has a strong entrapment defense. Jake's entrapment argument is going to be
very weak, as it did not take much to get Jake to change his mind and commit a criminal act. If Jake had chosen not to commit a criminal action there would have been minimal consequences, other than a bruised ego. Matt, on the other hand, felt that his life was in danger and that the only alternative he had was to commit the criminal action to escape the threat. What makes entrapment such a difficult defense is that it is impossible to determine whether the accused is predisposed to commit the crime in question.

The entrapment issue arises with honeypots because the intention of a honeypot is to attract intruders. This is similar to law enforcement using undercover agents masquerading as drug dealers to attract drug users. There are some significant differences, though. There is no recruitment of people to interact with the honeypot, nor is there any interaction with the users that are interacting with the honeypot. As there are no interactions with people, the defense of entrapment is exceptionally difficult to establish. What is important, in terms of entrapment, is any communication regarding the existence of the honeypot. If a message was posted on several Internet message boards, as an anonymous user, exposing your honeypot and encouraging others to hack into it, that action, i.e. making the honeypot known, increases the ability of the accused to use an entrapment defense in the event of a criminal case. There is a direct
relationship between the amount of communication with the accused and their ability to use an entrapment defense. Ideally one would want to limit the amount of communication about the honeypot.

The purpose of a honeypot might not be catching criminals. Honeypots are often used to learn from in a research setting, but the setting does not change how the entrapment issue is approached. There are many different scenarios in which a research-intended honeypot is deployed and then a criminal case is forced upon the operator of the honeypot. One example would be the case of child pornography. There are several jurisdictions where, in the event that an individual witnesses child pornography, it is a criminal offense NOT to report it. Even though the intent of the honeypot was purely educational, a lack of adherence to good practice might diminish the chances of prosecuting the criminal. Another possibility is that the honeypot might be used in attacking other computers outside of the honeypot network. This is another scenario where one's procedures and systems will result in possible court involvement. There are a number of other reasons that the honeypot might be used in court that are beyond the scope of this discussion, many of which are civil lawsuits.

Checklist of Protectionary Measures
There are four steps that should be taken to cover the issues of due diligence in the event of a legal situation: document, add banners, consult acceptable use policies and, finally, containment. In the documentation step there are many things to consider. A short checklist of items to document includes: a network diagram that is accurate at the time the honeypot was deployed, any communications regarding the honeypot with management, a full backup of the honeypot at the time of deployment, a copy of the Access Control List (ACL) and firewall rules at the time of deployment, and an attempt should be made to document the intent and purpose of deploying the honeypot. Other items that could be useful to document would be the current policies that might apply to computer usage, or anything that might change on a frequent basis related to computer use. Legal proceedings can often occur long after the honeypot has been taken out of commission, and there might be a legal need to recall what the policy was four years in the past, at the time of deployment. The second step that should be taken is the installation of warning and consent banners on systems wherever applicable. This step helps ensure that there is a legal right to record and intercept traffic related to that device. Be sure to include the banner in your documentation. The third step, closely tied to the second step, is a review of Acceptable Use Policies and Terms of Service. These
S
A
N
S
I
n
s
t
i
t
u
t
e
2
0
0
7
,
A
u
t
h
o
r
r
e
t
a
i
n
s
f
u
l
l
r
i
g
h
t
s
.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
SANS Institute 2007, As part of the Information Security Reading Room Author retains full rights.
|y|.lu 101` ! .1m. on |S 1u: .1ud o honyo d1oymn:
kudc11LL, ].om` 19
pol i ci es al so hel p ensur e t he l egal r i ght t o r ecor d and i nt er cept
t r af f i c as wel l as def i ni ng t he pol i cy f or enf or ci ng t hose t hat
vi ol at e t he pol i cy t hat t he honeypot mi ght det ect . Si nce t hese
document s change f r equent l y t he Accept abl e use Pol i cy and Ter ms of
Ser vi ces shoul d be document ed at t he t i me of depl oyment . The f i nal
st ep i s t o empl oy some f or mof cont ai nment f or t he honeypot . The
cont ai nment of i nt r uder s i nt o t he honeypot wi l l hel p st op any at t acks
t hat t hose i nt r uder s mi ght l aunch f r omyour net wor k. Cr eat i ng
f i r ewal l r ul es t hat l i mi t out bound access i s a si mpl e and ef f ect i ve
st r at egy f or cont ai nment . Fi r ewal l s r ul es ar e al so easy t o document
and ver i f y.
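As an added example, not code from the paper, the following script implements the containment and documentation steps above for a Linux honeypot host. It generates an iptables-restore ruleset that leaves inbound connections open but blocks the host from originating new outbound connections (logging the dropped attempts), writes a deployment record holding the ruleset hash, the banner text and the deployment time, and can later verify that the ruleset in force still matches what was documented. The banner wording, the file paths and the `deploy` argument are constructed assumptions; loading the rules requires root and iptables-restore on the host.

```shell
#!/bin/sh
# Added example, not code from the paper. Egress containment plus a deployment
# record for a Linux honeypot host, following the checklist's "document" and
# "containment" steps. Banner text and file names are constructed placeholders.

# Emit an iptables-restore ruleset for the honeypot host itself. Inbound stays
# open (that is what the honeypot is for) and replies on those sessions are
# allowed, but the host may not originate new outbound connections, so an
# intruder cannot use it to attack other systems. Dropped attempts are logged
# (rate-limited) so they remain as evidence of post-compromise activity.
gen_egress_rules() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "HONEYPOT-EGRESS-DROP "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Constructed sample of the consent banner the checklist asks to install and
# record; the wording used on a real system comes from that deployment's own
# acceptable use policy.
sample_banner() {
  cat <<'EOF'
WARNING: This system is for authorized use only. All activity on this system
is monitored and recorded. Use of this system constitutes consent to monitoring.
EOF
}

# Portable SHA-256 of stdin: coreutils sha256sum, BSD shasum, or openssl.
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.* //'
  fi
}

# Write the deployment record: when, on which host, the hash of the firewall
# ruleset in force, and the banner text as shown to users.
# $1 = ruleset file, $2 = banner file, $3 = record file to write
write_deploy_record() {
  {
    printf 'deployed_at: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'host: %s\n' "$(uname -n)"
    printf 'ruleset_sha256: %s\n' "$(sha256_stdin < "$1")"
    printf 'banner_sha256: %s\n' "$(sha256_stdin < "$2")"
    printf 'banner_text:\n'
    sed 's/^/  /' "$2"
  } > "$3"
}

# Check that a ruleset file still matches the hash recorded at deployment.
# Returns 0 when unchanged, 1 when it has drifted or the record lacks a hash.
# $1 = record file, $2 = ruleset file to check
verify_ruleset() {
  want=$(sed -n 's/^ruleset_sha256: //p' "$1")
  have=$(sha256_stdin < "$2")
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Deployment on the honeypot host (root and iptables-restore required):
# write the documentation artifacts first, then load the rules.
if [ "${1:-}" = "deploy" ]; then
  gen_egress_rules > /etc/honeypot-egress.v4
  sample_banner > /etc/issue.net
  write_deploy_record /etc/honeypot-egress.v4 /etc/issue.net /root/honeypot-deploy-record.txt
  iptables-restore < /etc/honeypot-egress.v4
fi
```

Run with the `deploy` argument on the honeypot host; the record file it writes belongs in the same documentation folder as the network diagram, the ACL snapshot and the management correspondence, and `verify_ruleset` run against a later `iptables-save` export shows whether the containment rules were still those documented at deployment.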
7. Conclusion
The unknown legal implications should not be a deterrent to the use of honeypot technology in your computer security toolset. The two major legal issues that we are aware of with the use of honeypots are privacy and entrapment. Both issues have significance in relation to honeypots. As with all legal situations, there is safety in the form of documentation. By providing documentation, you are providing the tools that the legal system needs to defend your actions.