Honeypots mailing list archives

Re: Birthday of terms honeypot and honeynet


From: "Ian Baker" <ibaker () codecutters org>
Date: Fri, 23 Jan 2004 11:34:49 -0000

Aleksey,
    (Assuming that it's details on the honeypot implementation that you are
looking for).

Quick synopsis - users dialled-in to a series of modem banks fronting a
VAXcluster containing a newspaper story database. After a hacking event (and
you had to be hacker-class to get in, back in those largely pre-Internet
days..), Ops got together with a couple of developers to develop what they
termed a "honeypot". To be honest, it was more of a Trojan in my view at the
time (an apparently not-very-secure VAX with external links to much more
interesting things than old newspaper stories).

Since legitimate users would never break the menu and attempt to access the
(IIRC) "set host" command, it was considered a 100% indication of hack/crack
activity.

Access would immediately shut down on all other connections in that
particular modem bank (investigations from the previous attack indicated
that a lot of activity involved trying phone numbers in sequence) and take
the bank off-line. Too many attempts on different banks would shut down the
site & divert to backup links.

Ops would be automatically paged by the honeypot, and could manually request
a phone trace (while watching the actions of the intruder in real-time).

I can't talk much about the specific implementation (too long ago) - the
discussion had really centred around this Trojan concept that was just
starting to become prevalent (I'd looked at something similar while at
college in '85, on a CDC mainframe, and had later duplicated some of the
functions on a uVAX at a secure establishment).

Knowing the people involved, I would not be in the least surprised if the
term came up on either an international BBS or something internal to British
Telecom (we worked with many of their VAX-based services).

I think the main "thrill" was the idea of turning a cracking exploit against
the crackers themselves.

Can't/won't go into details, but it was used "in anger" and resulted in a
prosecution during my time with the company.

Regards,

Ian Baker
Webmaster, codecutters.org

