Lock IT Down: If you're using a honeypot, you may be breaking the law - TechRepublic
By John McCormick, May 12, 2003, 12:00 AM PST
http://www.techrepublic.com/article/lock-it-down-if-youre-using-a-honeypot-you-may-be-breaking-the-law/ (22/6/2014)


Explore legal ramifications of a honeypot

Whether you are trying to deflect attacks against your systems or just trying to learn more about the latest hacker techniques, a honeypot or honeynet (a network of honeypots) may strike you as the perfect way to start. In the past, the technique has yielded considerable information for network administrators.

A honeypot is simply a dedicated server connected to the Internet that contains tempting, but fake, data and software and that's lightly defended. In fact, a honeypot is connected to the Internet for the sole purpose of tricking hackers into trying to penetrate the system—and that's where there may be a legal problem.

Why IT pros love honeypots

A major advantage of using a honeypot to study hackers is that all traffic on a honeypot (with the exception of simple search engine bots) can be presumed to be unauthorized and probably hostile. This means that you don’t have to sort out the few hacker attacks from all legitimate network traffic on normal systems to analyze what hackers are doing. You can generate a great deal of useful information from the attacks made on a honeypot, especially if it’s configured the same way your working network is.

Wiretapping laws

Richard Salgado, senior counsel for the Department of Justice's computer crime unit, has warned IT professionals and security researchers that using honeypots may be in violation of civil and criminal statutes. In a September 20, 2002 message (http://cert.uni-stuttgart.de/archive/honeypots/2002/09/msg00161.html) on the Security Focus Honeypots' mailing list, Salgado said, “A honeypot operator should be careful about [the] monitoring of communications, even of intruders… The federal Wiretap Act and similar state statutes generally forbid the interception of communications unless one of the statutory exceptions applies. It is true that as a constitutional matter, an intruder has no reasonable expectation of privacy while he/she is trespassing on your network. This does not, however, answer the question of whether the Wiretap Act (or state statute) forbids the monitoring.”

More recently, Salgado reminded attendees at April’s RSA Conference that there exist very real legal issues here that aren’t easy to understand, and it may not be easy to avoid the potential negative consequences.

The problem lies in 18 U.S.C. 2511(1) (http://www4.law.cornell.edu/uscode/18/2511.html), better known as the federal Wiretap Act. Here's a sampling of the language in this document: “Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…”

The text of the statute goes on and on, making it pretty clear that it applies to almost anything a prosecutor wants it to fit. It may all boil down to this: if you intercept any electronic data not intended for you, you may need a warrant. The act includes paragraph after paragraph of exceptions following the general definition of what constitutes a wiretap violation, but even a nonlawyer can easily grasp enough of the meaning to see that it’s impossible to determine precisely what is and what isn’t legal in a specific instance, especially when talking about something such as a honeypot, which is built with the intention of intercepting "wire" communications.

You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense. (After all, consider laws that say you can’t necessarily throw someone off your land unless you have posted “no trespassing” signs.)

Even though it’s unlikely that a federal or even state prosecutor would really want to go on record prosecuting a legitimate IT professional for trying to track down vandals, there's still the civil side of the wiretap laws. Remember, you can sue someone over almost anything and, since there exists a wiretapping law that apparently makes monitoring hackers illegal in some circumstances, what’s to stop some high school student’s bright lawyer from suing you and your company when the kid gets in trouble for hacking? Sure, they probably won't win, but that’s not the point; it costs a lot of money just to defend yourself, whether you win or lose.

Working within the law

There are exceptions in the wiretap law that make it clear that you can monitor a system to prevent damage and misuse. But does that apply to a honeypot, which is specifically built to be attacked? Salgado says the exceptions may not apply, and that this has yet to be tested in a court case.

Certainly, you can consent to be monitored and that makes everything legal. Consider a message left on an answering machine. You know you’re being recorded so that doesn’t constitute a wiretap.

Salgado suggests that, “One way an operator may be able to get consent is to banner the system telling would-be users that by using the system they are consenting to monitoring. Of course, this assumes that the intruder is coming through a port that you can, as a technical matter, banner. There is also an argument that when an intruder communicates with the honeypot (say by FTP upload), the honeypot itself is a party to the communication and can give consent to monitoring. As with all things honeypot, there is no case law directly on point.”
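As an added illustration (not code from the article or from Salgado), here is a minimal Python listener that applies the two points in the quote above: on a server-speaks-first port it writes a consent banner before reading a single client byte and records that the banner preceded whatever content was captured; on a port that cannot be bannered it records connection metadata only and leaves the payload unread, which is the decoy-only posture the article ends up recommending. The banner wording, port 2121 and the log file name are placeholders.

```python
import datetime
import json
import socket

# Placeholder banner text (constructed); the actual wording is a matter for counsel.
CONSENT_BANNER = (
    b"NOTICE: This system is monitored. All connections and activity are\r\n"
    b"recorded. By continuing to use this system you consent to monitoring.\r\n"
)


def handle_session(conn, peer_ip, bannerable, max_bytes=4096):
    """Serve one honeypot session and return the record to log.

    bannerable=True: the banner goes out before any client byte is read, so the
    record shows that notice preceded the captured content. bannerable=False:
    the client speaks first and cannot be bannered, so only connection metadata
    is recorded and the payload is left unread (a decoy that does not monitor).
    """
    record = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "peer": peer_ip,
        "banner_sent": False,
        "content": None,
    }
    if bannerable:
        conn.sendall(CONSENT_BANNER)
        record["banner_sent"] = True
        try:
            data = conn.recv(max_bytes)
        except OSError:  # timeout or reset after the banner: nothing captured
            data = b""
        record["content"] = data.decode("utf-8", "replace")
    return record


def serve(host="0.0.0.0", port=2121, bannerable=True, log_path="honeypot.jsonl"):
    """Accept connections one at a time, appending one JSON record per session."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer_ip, _) = srv.accept()
            with conn:
                conn.settimeout(10)  # a silent client must not hold the loop
                record = handle_session(conn, peer_ip, bannerable)
            with open(log_path, "a") as log:
                log.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    serve()
```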

In the most obvious case for legal monitoring, the government, but not individuals, can monitor server traffic during the course of an investigation under what’s known as the Computer Trespasser exception, part of the USA Patriot Act.

Final word

I’m not a lawyer and certainly am not trying to give any legal advice here. But the fact that a senior Department of Justice counsel has taken the extraordinary step of speaking out on this subject repeatedly and, most recently, in a major public forum attended by many IT security professionals, leads me to believe that companies should take Salgado’s warning very seriously indeed.

Honeypots are effective and useful tools. Even Salgado says so. But until some case law has been established that lawyers can use to gauge the potential for legal action and that judges can use to guide them on applying the new laws, I wouldn’t recommend using a honeypot other than as a decoy system where you do not monitor the traffic.

Monitoring hacker activity on a honeypot may turn out to be perfectly legal, but do you want to have your name or your company’s name on the Supreme Court case that determines this?
