SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
CyberLaw 101: A primer on US laws related to
honeypot deployments
The goal of this paper is to provide a general primer on two legal issues related to honeypots, privacy right
and entrapment, and to provide practical advice regarding prudent actions to take for legal due diligence. By
no means should this paper serve as a replacement for legal advice from informed legal counsel. Instead this
paper is meant to serve as a bridge between the legal and technical world on the honeypot issue.
Copyright SANS Institute
Author Retains Full Rights
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
SANS Institute 2007, As part of the Information Security Reading Room Author retains full rights.
CyberLaw 101: A primer on US laws related to honeypot deployments
GSEC Gold Certification
Author: Jerome Radcliffe, jay.radcliffe@gmail.com
Adviser: Jim Purcell

Accepted: February 1, 2007


Outline
1. Introduction
2. Honeypot Background
3. Privacy and the ECPA
4. Consent
5. Entrapment
6. Checklist of Protectionary Measures
7. Conclusion
8. References


1. Introduction
A honeypot is defined as an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system [1]. These devices have created a confusing interaction of legal and cyber issues: discussions of such devices are typically accompanied by a legal disclaimer, yet the legal issues themselves are not typically discussed, due to time constraints or a lack of experience in legal matters. At a recent SANS conference, when the topic came up, a lawyer in the group lectured for five minutes on the need to consult a legal team before deploying or using honeypots, and pointed out the many tricky legal issues surrounding such devices. Yet the same lawyer was not able to specify what those legal issues were, nor was he able to make suggestions on how to handle them. This legal gray area presents two interesting issues. First, honeypots are one of the more esoteric issues that a corporate counsel would have to address, and it is very possible that a corporate legal team might not have the required knowledge to answer questions on honeypot issues. Second, not all IT professionals have access to corporate counsel, and hiring a lawyer for advice on this specific issue is often not cost effective, again due to the esoteric nature of the issue.


The goal of this paper is to provide a general primer on two legal issues related to honeypots, privacy rights and entrapment, and to provide practical advice regarding prudent actions to take for legal due diligence. By no means should this paper serve as a replacement for legal advice from informed legal counsel. Instead, this paper is meant to serve as a bridge between the legal and technical worlds on the honeypot issue.

2. Honeypot Background
The world of honeypots can be very complicated, as honeypots are designed neither to prevent attacks nor to detect them, which separates them from traditional Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and firewalls [2]. These devices are exceptionally useful tools for the computer security professional, as they allow for a full end-to-end analysis of an attack, including all of the details that surround it. Through analysis of the log files it is easy to identify the pre-attack and post-attack actions taken by the intruder. This would include new rootkits or different payloads installed after the box has been compromised. In many cases this is how new exploits are found in the field.
Honeypots are often used in the process of catching and


prosecuting cyber criminals. This criminal aspect of honeypots has led to scrutiny of the legal issues related to honeypot use in the IT field. The complexity of the law prevents many people from using honeypots. One of the legal complications is that the law applies differently depending on who is acting (in this case, who has actually established and monitored the honeypot) [3]. To understand the legal debate, three distinct groups need to be noted: first, those acting on behalf of the government; second, non-governmentally funded groups; and third, individuals. Those acting from a governmental perspective include law enforcement, governmental agencies, or any federally or state funded group, such as the local police setting up a website targeted at online child predators. The second group includes groups that are not governmentally funded, such as corporations or private research groups. An example of that second category would be Joe Smith, senior system administrator for Acme Oil, setting up a honeypot on the company network. The third group applies to individuals, such as a person who has set up a honeypot on their personal Internet connection (DSL, cable, etc.). In each of these groups the law applies differently.
There are, however, some disadvantages to honeypots. Primarily, they are very time consuming to set up and maintain. When a honeypot is deployed properly, it attracts intruders quickly and plentifully.


These intruders and their actions can produce a mountain of data to be analyzed and dissected. One can easily spend days digesting the data produced by a single honeypot. As they are designed to be broken into, honeypots are often victims of Denial of Service (DoS) attacks as well as other attacks that require hands-on administration. This can often lead to insufficient resources to maintain production IT activities, or possibly distract staff from performing their primary tasks.

3. Privacy and the ECPA
The first legal topic that comes up in regard to honeypots is privacy. Privacy has a controversial history in US law. Compared to other issues in law, though, privacy is a new concept. Privacy law itself did not become codified until the 1960s [4]. The groundbreaking Supreme Court case Katz v. United States, 389 U.S. 347, 350 (1967), started the judicial system's wave of rulings on privacy rights. With honeypots, the privacy concern comes from the fact that a honeypot is recording all the activity occurring on that device. Upon first glance one might argue that this is very similar to wiretapping, but this comparison would not be legally accurate. US federal law distinctly separates spoken communications from electronic communications [5]. The set of laws that defines these types


of communications is commonly referred to as the Electronic Communications Privacy Act, or ECPA [6]. The ECPA outlines all of the details related to the interception and recording of electronic communications. To better understand these concepts it is necessary to define the agents involved in a basic communication. First, there have to be a minimum of two agents involved in the communication (agents A and B). In this case it does not matter whether A or B initiated the communication. This communication is conducted over a given method, which can take many different forms, and the details of that method can have an effect on the interpretation of the law. There can also be a third party that is not directly involved in the communication, referred to as agent X. Agent X may or may not be known to either A or B.
[Diagram (not reproduced here): agents A and B communicating, with X as a third party outside the communication.]

Applying this diagram to a typical single-device honeypot, where


A is the honeypot and B is the accessing user, the controlling party of A can be categorized into one of two groups under the ECPA: a person acting under color of law [7], and a person not acting under color of law [8]. In either case, because the honeypot is owned and operated by A, A is considered a party to the communication. According to the ECPA it is legal for a party to a communication to intercept and monitor that communication, with one exception: if the communication is intercepted for the purpose of committing a criminal or tortious act (for example, harvesting credit card numbers to perform fraudulent charges), then the interception is not legal. Note that this is the federal rule; several states have their own wiretap statutes, some of which require the consent of all parties to a communication, so state law should be checked as well.
Any party not directly involved in the communication is represented in the diagram as X. There are two circumstances under the ECPA in which it would be legal for an X party to intercept communications between A and B. The first is referred to as the provider exception of the ECPA: X may intercept communications when X owns the infrastructure, as an ISP does. In such a circumstance the company has a legal right to intercept communications for the purpose of protecting its service, which allows companies providing service(s) to the public to monitor their systems for potential failures or quality issues. The second circumstance by which one could gain legal status to intercept communications as a


non-party agent is through consent.
An additional factor in the legal ability to intercept a communication is the method by which the communication takes place. Wireless communication has become a popular method of networking, both in work and home environments. As these forms of wireless communication can be recorded and monitored with RF monitoring devices, the author's reading of the ECPA is that they are legal to intercept and monitor [9]. The exception to this is the use of any type of encryption with the wireless communication (such as WEP). The use of scrambled or encrypted radio communication [10] changes the communication so that it is no longer "readily accessible to the general public" [11] and, thus, not legal to intercept. On this reading, monitoring a neighbor's wireless activity, if they are transmitting unencrypted, is legal under the ECPA, while if the neighbor's wireless AP is using WEP, monitoring that network is a violation of the ECPA. The act of capturing the transmission is the interception, so the use of tools to determine the WEP key via packet analysis is also, arguably, in violation of the ECPA. These, however, are very gray areas of the law, and at the time of writing there were no established court rulings with which to clarify them. (This reading has since been rejected by at least one appellate court: in Joffe v. Google, Inc. (9th Cir. 2013) the court held that payload data on an unencrypted Wi-Fi network is not a "radio communication" readily accessible to the general public, so capturing a neighbor's unencrypted traffic can violate the Wiretap Act.) Authors such as Orin Kerr have argued that there should be no reasonable expectation of privacy in the encrypted data itself (the ciphertext) [12], because it is just plaintext characters. The knowledge


that any encryption is breakable via a brute-force attack is enough of a vulnerability to establish that someone might be able to translate the encrypted data back into the original message, thereby making it less private. The ECPA, however, specifically states that encrypted or scrambled transmissions are protected from interception.

4. Consent
Consent is defined as a voluntary agreement to another's proposition [13]. This becomes an exceptionally difficult topic due to the number of different services that run on any given computer system. On most systems there are interactive services like telnet, SSH, and terminal services. It is fairly simple to create viewable consent messages pre- and post-login for these interactive services. On a UNIX-based system, a pre-login consent message placed in /etc/issue (shown by getty on local consoles; for SSH, the Banner directive in sshd_config points at a file such as /etc/issue.net) and a post-login message in /etc/motd could cover the legal requirements of consent. The consent banner tells the user that, by logging into the computer system, they are consenting to the recording and monitoring of all communications sent and received by that user. Entering their password to gain system access is an acceptance of the terms given in the banner message. To reinforce the agreement further, the post-login monitoring and recording message is shown before the user is allowed to interact


with the system. On a Windows-based system one can display the same pre-login banner message. It is a little more complicated, as it requires changes to the registry (the LegalNoticeCaption and LegalNoticeText string values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which can also be set through the "Interactive logon" Group Policy settings), but there are directions on Microsoft's website [14] and on other widely available websites with similar information.
The issue of consent becomes more complicated with services that are not as straightforward as authenticated services. With a web server, for example, it is very simple to add a link at the bottom of every published page that points the user to the consent warning. The problem is that there is no assurance that the user saw that link or the consent page. This problem has no simple solution. There is a discussion of this topic at http://www.webdeveloper.com/forum/showthread.php?t=12057 that suggests several technology-based solutions to the link-based consent issue. An even more complicated situation comes from services that run behind the scenes, where direct user contact should never occur. An example would be SMTP: when a user sends an e-mail, there is no interaction with the actual user in the process of delivering that mail, so there is no method of delivering a consent warning in this type of situation. Another condition where a consent warning cannot be delivered is unauthorized backdoor services, such as Sub7 or Back Orifice 2000. In the world of


computer security there are always ways of getting onto a system that bypass the authentication method and thereby avoid the consent banner. In this case there is usually a persuasive argument that, in the process of bypassing the standard method of entry, the user is knowingly breaking the law and forfeits their privacy protection. In many cases the act of implementing banners on all banner-able services is enough to legally carry over to the banner-less services.
Just adding consent banners to servers is not enough. A time might come when evidence of the installation of the consent banners is needed. There are several steps that should be taken to address this issue. First, good documentation of build procedures for servers is needed to provide a clear baseline of what a server looked like when it was built. A legal team can use that documentation as proof that consent banners were in place. The documentation can be very simple; an example would be using comments in the kickstart or hardening scripts used for automated build procedures. Adding the comment "Installing Consent Warning in pre and post login files for SSH" right before creating the banners, or copying them from another server, is often all that is needed. Be sure that the build procedures are actually being followed. If the documentation for the build procedure is in a binder on a shelf, then it is going to become out of date very quickly. Policies that are not followed are useless, and even


damaging, in a legal environment. A second banner verification method is a full system backup; being read-only and dated, it can also be used in a legal environment to verify that the consent warnings were in place.
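The banner installation and the build-record evidence described above can be carried out by one small script. The following is an added example, not code from the paper or from any project it cites: it installs a placeholder banner as the pre-login message (/etc/issue for local consoles and /etc/issue.net for sshd, via the Banner directive) and as the post-login message (/etc/motd), then writes a dated SHA-256 manifest of those files so that their presence and exact wording on a given date can be shown later, and re-checks a host against that manifest. The banner wording, the evidence directory and the root-prefix argument (so the script can be dry-run in a scratch directory) are assumptions made for the example; the real text must come from legal counsel.

```shell
#!/bin/sh
# Added example (not from the paper): install pre-/post-login consent
# banners on a Linux host and record dated, hashed evidence that they were
# in place, so the build record itself can back up a later claim of consent.
# Assumptions: Linux with OpenSSH (sshd reads the Banner directive from
# /etc/ssh/sshd_config), sha256sum (GNU coreutils) or shasum for SHA-256,
# and a caller-chosen root prefix ("/" on a real host, a scratch directory
# for a dry run). The banner text is a placeholder pending counsel's review.

CONSENT_BANNER='NOTICE: This system is monitored. All activity, including
all data sent to or from it, may be recorded and examined. Use of this
system, authorized or unauthorized, constitutes consent to such monitoring.'

# Print SHA-256 manifest lines (or check a manifest with -c) using
# whichever hashing tool the host provides.
sha256_lines() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"
    fi
}

# Install the banner as the pre-login message for local consoles
# (/etc/issue) and network logins (/etc/issue.net, referenced by sshd),
# and as the post-login message (/etc/motd); then point sshd at it.
install_consent_banners() {
    root=${1:-/}
    mkdir -p "$root/etc/ssh"
    # Installing Consent Warning in pre and post login files for SSH
    printf '%s\n' "$CONSENT_BANNER" > "$root/etc/issue.net"
    printf '%s\n' "$CONSENT_BANNER" > "$root/etc/issue"
    printf '%s\n' "$CONSENT_BANNER" > "$root/etc/motd"
    cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || : > "$cfg"
    # sshd honours the first Banner directive it sees, so drop any existing
    # one (a stale "Banner none" would otherwise win) and put ours first,
    # ahead of any Match blocks. Re-running leaves exactly one directive.
    {
        printf 'Banner /etc/issue.net\n'
        grep -v '^[[:space:]]*Banner[[:space:]]' "$cfg" || true
    } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Record what was installed: a "sha256sum -c"-format manifest of the banner
# files and sshd config, a timestamp/host stamp (kept in a separate file so
# the manifest stays machine-checkable), and a verbatim copy of the banner.
record_banner_evidence() {
    root=$(cd "${1:-/}" && pwd)
    mkdir -p "$2"
    out=$(cd "$2" && pwd)
    ( cd "$root" && sha256_lines etc/issue etc/issue.net etc/motd etc/ssh/sshd_config ) \
        > "$out/banner-manifest.sha256"
    printf 'recorded_utc=%s\nhost=%s\nroot=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$root" \
        > "$out/banner-manifest.info"
    cp "$root/etc/issue.net" "$out/banner-text.txt"
    chmod 0444 "$out/banner-manifest.sha256" "$out/banner-manifest.info" "$out/banner-text.txt"
}

# Re-check a host against a recorded manifest; exit status is non-zero if
# any banner file or the sshd configuration changed since the record.
verify_banner_evidence() {
    root=$(cd "${1:-/}" && pwd)
    out=$(cd "$2" && pwd)
    ( cd "$root" && sha256_lines -c "$out/banner-manifest.sha256" ) >/dev/null 2>&1
}

# Usage (as root on the target host):
#   sh consent_banners.sh install /
#   sh consent_banners.sh record  / /var/lib/honeypot-evidence
#   sh consent_banners.sh verify  / /var/lib/honeypot-evidence
case "${1:-}" in
    install) install_consent_banners "${2:-/}" ;;
    record)  record_banner_evidence "${2:-/}" "$3" ;;
    verify)  verify_banner_evidence "${2:-/}" "$3" && echo "banners unchanged" ;;
esac
```

Keep the evidence directory (or at least the manifest and the banner copy) with the rest of the deployment documentation, and re-run verify after any configuration change; a non-zero exit status means the banner files no longer match what was recorded. The paper's suggested comment, "Installing Consent Warning in pre and post login files for SSH", is kept in the script for exactly the reason the text gives: the build record is the evidence.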
The next question is what exactly one should put in the consent message. This is where consultation with legal counsel is needed. As an example, here is a consent banner from a Department of Defense website:
This is a Department of Defense computer system. This computer system, including all related equipment, networks and network devices (specifically including Internet access), are provided only for authorized U.S. Government use. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal, or other adverse action. Use of this system constitutes consent to monitoring for these purposes.


(Source: http://cap.public.msg.wpafb.af.mil/ncbanner.htm)
This sample banner is a good place to start. While it is very long, it is likely that the DoD legal team has covered all the bases, and it provides a good foundation for building a consent message.
5. Entrapment
Entrapment is defined as the act of law enforcement officers or government agents inducing or encouraging a person to commit a crime when the potential criminal expresses a desire not to go ahead [15]. Because the definition requires inducement by government agents, the defense is only relevant to honeypots run by, or at the direction of, the first group described above (government actors); a purely private honeypot, with no government involvement, cannot entrap anyone in the legal sense. This legal gray area of entrapment is often misunderstood and can be a confusing area of law. The first area of confusion relates to the fact that entrapment is only a legal defense and not something that you can sue someone for. This means that the concept of entrapment is used by the accused (the defendant) to avoid conviction. The US legal system's presumption sides with the prosecution here, meaning that the court assumes that the accused was not entrapped into the action of which they are accused. This is an important fact, as a presumption is difficult to overcome and, most of the time, the accused has the benefit of the presumption in all other arenas. Further, entrapment is a very narrowly defined circumstance. To prove entrapment as a defense one needs to prove that the accused would not have taken the criminal action without the influence of the agent


acting under color of law. Here are two examples:
Scenario One: Jake (a fictional skilled computer administrator) goes to a 2600 meeting and there he meets Judy and her friends. Judy and her friends are talking about hacking into Acme Inc.'s web server. Judy asks Jake if he wants to take a try at hacking into the server, and Jake politely declines. Judy pesters Jake, calling into question his skillz and general manliness. Jake accepts the offer, proceeds to hack into Acme's web server and starts monitoring its traffic. Little does Jake know that Judy is working as an undercover agent.
Scenario Two: Matt (also a fictional computer administrator) goes to a computer security convention and meets Tom at one of the courses. Tom mentions to Matt that he is going to hack into Acme's web server and he needs Matt's help. Matt says he doesn't do that sort of thing. After quite a bit of prodding and insulting, Matt still insists that he uses his skills only for good. Tom then takes out a pistol and threatens Matt's life unless he helps Tom. Matt concedes and hacks into Acme's web server. Tom is also an undercover agent.
Both Jake and Matt are charged with various computer crimes and go to trial. The question at hand is whether either Jake or Matt has a strong entrapment defense. Jake's entrapment argument is going to be


very weak, as it did not take much to get Jake to change his mind and commit a criminal act. If Jake had chosen not to commit the criminal act there would have been minimal consequences, other than a bruised ego. Matt, on the other hand, felt that his life was in danger and that the only alternative he had was to commit the criminal act to escape the threat. What makes entrapment such a difficult defense is that it is extremely hard to determine whether the accused was predisposed to commit the crime in question.
The entrapment issue arises with honeypots because the intention of a honeypot is to attract intruders. This is similar to law enforcement using undercover agents masquerading as drug dealers to attract drug users. There are some significant differences, though. There is no recruitment of people to interact with the honeypot, nor is there any interaction with the users who are interacting with the honeypot. As there are no interactions with people, the defense of entrapment is exceptionally difficult to establish. What is important, in terms of entrapment, is any communication regarding the existence of the honeypot. If a message were posted on several Internet message boards, as an anonymous user, exposing your honeypot and encouraging others to hack into it, that action, i.e. making the honeypot known, increases the ability of the accused to use an entrapment defense in the event of a criminal case. There is a direct


relationship between the amount of communication with the accused and their ability to use an entrapment defense. Ideally one would want to limit the amount of communication about the honeypot.
The purpose of a honeypot might not be catching criminals. Honeypots are often used for learning in a research setting, but the setting does not change how the entrapment issue is approached. There are many different scenarios in which a research-intended honeypot is deployed and then a criminal case is forced upon the operator of the honeypot. One example would be the case of child pornography. There are several jurisdictions where, in the event that an individual witnesses child pornography, it is a criminal offense NOT to report it. Even though the intent of the honeypot was purely educational, a lack of adherence to good practice might diminish the chances of prosecuting the criminal. Another possibility is that the honeypot might be used to attack other computers outside of the honeypot network. This is another scenario where one's procedures and systems may result in court involvement. There are a number of other reasons that the honeypot might be used in court that are beyond the scope of this discussion, many of which are civil lawsuits.

6. Checklist of Protectionary Measures
There are four steps that should be taken to cover the issues of due diligence in the event of a legal situation: document, add banners, consult acceptable use policies and, finally, containment.

In the documentation step there are many things to consider. A short checklist of items to document includes:
1. A network diagram that is accurate at the time the honeypot was deployed.
2. Any communications regarding the honeypot with management.
3. A full backup of the honeypot at the time of deployment.
4. A copy of the Access Control List (ACL) and firewall rules at the time of deployment.
5. A statement of the intent and purpose of deploying the honeypot.
Other items that could be useful to document would be the current policies that might apply to computer usage, or anything that might change on a frequent basis related to computer use. Legal proceedings can often occur long after the honeypot has been taken out of commission, and there might be a legal need to recall what the policy was four years in the past, at the time of deployment.

The second step that should be taken is the installation of warning and consent banners on systems wherever applicable. This step helps ensure that there is a legal right to record and intercept traffic related to that device. Be sure to include the banner in your documentation.

The third step, closely tied to the second step, is a review of Acceptable Use Policies and Terms of Service. These policies also help ensure the legal right to record and intercept traffic, as well as defining the policy for enforcement against those who violate the policy that the honeypot might detect. Since these documents change frequently, the Acceptable Use Policy and Terms of Service should be documented at the time of deployment.

The final step is to employ some form of containment for the honeypot. Containment of intruders in the honeypot will help stop any attacks that those intruders might launch from your network. Creating firewall rules that limit outbound access is a simple and effective strategy for containment. Firewall rules are also easy to document and verify.
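One way to carry out the banner, containment and documentation steps on a Linux host, as an added example that is not from the paper. It assumes an iptables-style firewall in front of the honeypot network; the interface name, the honeypot address range and the log collector address are placeholders, and the script only emits the commands and the deployment record so they can be reviewed and filed with the documentation before anything is applied.

```shell
#!/bin/sh
# Added example (not the paper's own material): banner, outbound containment
# and a deployment record for a Linux honeypot. All names below are assumptions.

HONEYPOT_IF="${HONEYPOT_IF:-eth1}"            # assumed interface facing the honeypot
HONEYPOT_NET="${HONEYPOT_NET:-192.0.2.0/24}"  # placeholder (documentation range)
MGMT_HOST="${MGMT_HOST:-198.51.100.10}"       # placeholder log collector

# Step 2: consent banner text, suitable for /etc/issue.net and the sshd
# "Banner" directive. Kept as a function so its hash can be recorded.
banner_text() {
  cat <<'EOF'
This system is monitored. Use of this system constitutes consent to
monitoring, recording and disclosure of all activity to authorized personnel.
Unauthorized use is prohibited.
EOF
}

# Step 4: containment. Traffic leaving the honeypot network may only be
# replies to sessions an outside party opened (ESTABLISHED,RELATED) or syslog
# to the collector; every other outbound attempt is logged and dropped, so an
# intruder who tries to pivot out produces evidence instead of an attack.
containment_rules() {
  cat <<EOF
iptables -N HONEYPOT_OUT
iptables -A FORWARD -i ${HONEYPOT_IF} -s ${HONEYPOT_NET} -j HONEYPOT_OUT
iptables -A HONEYPOT_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A HONEYPOT_OUT -d ${MGMT_HOST} -p udp --dport 514 -j ACCEPT
iptables -A HONEYPOT_OUT -m limit --limit 5/min -j LOG --log-prefix "HONEYPOT-OUTBOUND-DROP "
iptables -A HONEYPOT_OUT -j DROP
EOF
}

# Step 1: deployment record. Stores when the honeypot went live, which range
# it covers, and hashes of the exact ruleset and banner, so that years later
# the filed documents can be matched against what was actually deployed.
deployment_record() {
  printf 'deployed_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf 'honeypot_net=%s\n' "$HONEYPOT_NET"
  printf 'ruleset_sha256=%s\n' "$(containment_rules | sha256sum | cut -d' ' -f1)"
  printf 'banner_sha256=%s\n' "$(banner_text | sha256sum | cut -d' ' -f1)"
}

# Verification helpers: the ruleset must end in a catch-all DROP and contain
# exactly one, otherwise containment is incomplete or ambiguous.
rules_drop_count() { containment_rules | grep -c -- '-j DROP'; }
rules_last_is_drop() { containment_rules | tail -n 1 | grep -q -- '-j DROP'; }
```

Saving the output of containment_rules and deployment_record alongside the network diagram and the banner text gives the documentation step a concrete artifact: the recorded ruleset hash can later be compared with the rules actually loaded on the firewall (for example the output of iptables-save) to show that what was filed is what ran.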
Conclusion
The unknown legal implications should not be a deterrent to the use of honeypot technology in your computer security toolset. The two major legal issues that we are aware of with the use of honeypots are privacy and entrapment. Both issues have significance in relation to honeypots. As with all legal situations there is safety in the form of documentation. By providing documentation, you are providing the tools that the legal system needs to defend your actions.
Last Updated: April 4th, 2014