Honeypots and Hackers
What impact would more open ports have on the ability of your honeypot to attract hackers?
Can hackers tell that you have a honeypot running?
Do they have honeypots for spammers to keep them from harvesting emails from your webpages?
Do you think law enforcement agencies (e.g., CIA, FBI, and NSA) in the United States run honeypots to track criminal behavior?
Honeypots and Hackers
Tracking hackers has become one of an organization's major security goals as technology has grown rapidly in the twenty-first century. Information technology professionals have developed creative and strict security measures to reduce hacking and other forms of cybercrime (Baykara & Daş, 2015). A honeypot is one effective method of tracking hackers: it attracts their attention with seemingly important credentials, links and email addresses, and records what they do. This paper discusses honeypots and hackers in depth.
Honeypots unmask internet intruders by presenting what looks like a vulnerable target and recording the methods used against it. They are deployed by individuals and organizations alike, and they can lure scammers and catfishers into revealing personal details such as their location. Open ports are the bait: attackers look for exposed services, and with modern scanners a single port can be checked across the entire IPv4 address space in under an hour, so every additional open port on a honeypot increases the volume of scans and attack attempts it receives. Open ports, weak passwords and exposed private keys are the usual lures. The effect is not unlimited, however: a host with an implausible number of open ports, or with services that would not normally run together, makes an experienced hacker or scammer suspicious that it is a honeypot (Dahbul, Lim, & Purnama, 2017). Too many open ports broadcast the tracker's intentions, so a conservative configuration that mirrors what a real server of that type would expose is vital. Production companies, by contrast, keep the number of open ports to a minimum to protect important information from hackers and cybercriminals.
Attackers fingerprint processes, programs and protocols to identify weaknesses in a system, and they scan open ports to find potential vulnerabilities and exploits. Some port scanners are built for a specific task, while others are part of continuous security monitoring tools, and honeypots reuse the same service-fingerprinting knowledge in order to emulate services convincingly (Dahbul, Lim, & Purnama, 2017). Leaving vulnerable ports open is the most common way of attracting attackers to a honeypot (Baykara & Daş, 2015). Commonly exposed services include HTTP, Remote Desktop Protocol (RDP), proxies, MySQL and VNC, and operating systems such as macOS, Linux and Windows ship with their own default listening ports. Not every open port is dangerous and not every port should be closed; for a given service a web search quickly turns up guidance on how to close it, but the decision should depend on whether the service is actually needed.
Law enforcement uses the same tactic to draw hackers into a honeypot environment. According to experts, hackers go after the most vulnerable ports or environments before the well-secured ones. Once an attacker hits the vulnerable ports, the organization can identify the attack and mitigate it before it spreads to other systems, so honeypots can protect both the internal and the external business environment. Cybercriminals use open ports to reach places they are not authorized to access, such as sensitive data, and closing unnecessary ports reduces that risk. Open ports also affect the confidentiality, integrity and availability of the honeypot itself:
Confidentiality: open ports leak information about the honeypot's network architecture, including software versions, content and the underlying system.
Availability: services behind open ports can be hit by denial-of-service attacks, since each open port must process whatever traffic arrives.
Integrity: open ports give an attacker a foothold in the honeypot's programs, from which the honeypot itself can be used to attack other network services or information systems.
A hacker can recognize a running honeypot, particularly if it is a low-interaction honeypot or is deployed without a honeywall. There are two main types of honeypot, low-interaction and high-interaction. A low-interaction honeypot collects less, and more basic, information than a high-interaction one (Dahbul, Lim, & Purnama, 2017). It uses few resources and is easier and quicker to set up. The information it gathers does not capture the full complexity of a threat but only shallow facts such as the type of threat. Rather than running real services, a low-interaction honeypot emulates network services and protocols on top of TCP and IP. Low-interaction honeypots are easier to detect, especially once the hacker has made contact with the system: the emulation is simple, the services and tools are basic, and the gaps soon become noticeable. Often the tools in a low-interaction honeypot fail to handle an unexpected request, to save the attacker's input, or to block important processes and files, which leaves the honeypot both vulnerable and easy to detect.
Additionally, whether honeypots run on minimal systems or on fully fledged systems, their open ports can be discovered by hackers, and a compromised honeypot can be turned against other systems. High-interaction honeypots are harder to detect because of the "added glue" and tooling that take more time to deploy and to tamper with. Nevertheless, a high-interaction honeypot can still be detected when it is deployed without a honeywall, and the lack of a honeywall also lets the hacker use it to attack other systems and internet hosts (Baykara & Daş, 2015). Using low- and high-interaction honeypots together is more effective and easier, especially when building an intelligence framework to detect security vulnerabilities or weak points. A honeypot takes time to deploy and configure; its logs should be centralized in a logging service that authorized staff can reach in case of an intrusion, and the honeypot should respond realistically to port scans and to requests for system files.
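The two preceding discussions, open ports as bait and the detectability of a low-interaction honeypot, can be shown together in code. The following is an added example written for this page; it is not code from the paper, from Honeyd, or from any of the cited works. It runs a few fake services that volunteer a banner and log every connection, then applies the kind of banner check an attacker would run against the host. All port numbers, banner strings, the OS-hint table and the detection thresholds are assumptions chosen for the demonstration; the HTTP emulation sends its banner unprompted, which a real web server would not do.

```python
"""Minimal low-interaction honeypot plus the banner check an attacker runs on it.
Added illustration: banners, ports and heuristics below are assumptions."""
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Port -> bytes the emulated service volunteers on connect (assumed, not real
# daemon output). The Debian SSH banner beside a Windows IIS banner on one host
# is deliberate: such inconsistency is what gives a low-interaction honeypot away.
BANNERS = {
    22: b"SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n",
    80: b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nContent-Length: 0\r\n\r\n",
    3306: b"J\x00\x00\x00\x0a8.0.26\x00",  # opening bytes of a MySQL greeting (truncated)
    5900: b"RFB 003.008\n",
}
# Banner substring -> OS family it normally implies (assumed lookup table).
OS_HINTS = {b"Debian": "linux", b"Ubuntu": "linux", b"Microsoft-IIS": "windows"}


def make_event(port, peer, sent=b"", received=b""):
    """One JSON-able log record per connection: who connected, where, what they sent."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "port": port,
        "src_ip": peer[0],
        "src_port": peer[1],
        "banner_sent": sent.decode("latin-1"),
        "client_data": received.decode("latin-1", "replace"),
    }


def handle(conn, port, banner, log):
    """Low interaction: send the banner, read one request, log it, hang up."""
    with conn:
        peer = conn.getpeername()
        conn.sendall(banner)
        conn.settimeout(1.0)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        log.append(make_event(port, peer, banner, data))
        print(json.dumps(log[-1]))


def serve(banners, bind="127.0.0.1"):
    """Start one background listener per emulated port; return the shared log list."""
    log = []

    def listener(port, banner):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, port, banner, log), daemon=True).start()

    for port, banner in banners.items():
        threading.Thread(target=listener, args=(port, banner), daemon=True).start()
    return log


# ---- attacker side ----------------------------------------------------------
def grab_banner(host, port, timeout=1.0):
    """Connect and read whatever the service says first (no request sent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def honeypot_indicators(banners):
    """Reasons a host's banner set looks like a honeypot (assumed heuristics)."""
    reasons = []
    os_seen = {family for banner in banners.values()
               for needle, family in OS_HINTS.items() if needle in banner}
    if len(os_seen) > 1:
        reasons.append("conflicting OS hints across services: %s" % sorted(os_seen))
    if len(banners) >= 2 and len(set(banners.values())) == 1:
        reasons.append("identical banner on every open port")
    if len(banners) > 20:
        reasons.append("implausibly many open ports (%d)" % len(banners))
    return reasons


if __name__ == "__main__":
    demo = {p + 20000: b for p, b in BANNERS.items()}  # unprivileged ports for the demo
    log = serve(demo)
    time.sleep(0.3)
    grabbed = {p: grab_banner("127.0.0.1", p) for p in demo}
    for reason in honeypot_indicators(grabbed):
        print("honeypot indicator:", reason)
    time.sleep(1.5)  # let the handlers finish and log
    print(len(log), "connections logged")
```

Run as a script and the attacker-side check reports the conflicting OS hints on the first pass, which is the practical lesson of the section: each extra emulated port brings more scans, but the emulated services must tell one consistent story or the honeypot identifies itself. Binding the real low ports (22, 80) needs root, which is why the demo offsets them.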
A honeypot for spammers is known as a honeypot address, and it protects webpages from email harvesting. Organizations seed such addresses where they will attract spammers who use harvesting software to collect addresses and send spam; for that reason honeypot addresses are also called "seeded addresses". One honeypot spam trap of this kind is run by backscatterer.org, which collects backscatter (bounce messages for mail its trap addresses never sent) so that the senders of backscatter can be blocked (Chovancová et al., 2017). Once a honeypot address is published, it waits for scraper software to harvest it; the scraper takes the trap address without knowing what kind of address it is. The spammer adds the harvested address to a spam list or sells it, and the trap address travels with the rest of the list, sometimes ending up with a legitimate buyer passed off as a double opt-in address.
A marketer may likewise acquire it through an email append or through co-registration with a shady partner. Because a honeypot address can be planted anywhere, any message that arrives at it identifies the sender as a scraper or a suspicious party (Chovancová et al., 2017), and the trap can reveal information such as the sender's location and address. A tracking link included in the trap can further entice scammers to unveil details such as keyboard layout, language and settings.
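The seeding and tracing described above, as an added example written for this page rather than code from the paper or from any spam-trap service: each page gets its own trap address, hidden from people but present in the HTML source that scrapers parse, and any mail later delivered to a trap address is mapped back to the page that was scraped and the sender that used it. The key, domain, address format and the log line format are assumptions; the log lines are constructed, not real traffic.

```python
"""Seeded ('honeypot') addresses: plant a unique trap address on each page, then
trace mail that reaches it back to the page that was scraped.
Added illustration; key, domain and log format are assumptions."""
import hashlib
import hmac
import re
from collections import Counter

SECRET = b"rotate-me-in-production"  # assumed per-deployment key; never put in page source
DOMAIN = "example.com"


def seeded_address(page_id):
    """Deterministic trap address tied to one page. The tag is an HMAC so it
    cannot be predicted or enumerated from the page path alone."""
    tag = hmac.new(SECRET, page_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"trap-{tag}@{DOMAIN}"


def trap_snippet(page_id):
    """HTML to embed in the page: invisible to people (CSS + aria), visible to
    scrapers that pull mailto: links or regex-match addresses out of the source."""
    addr = seeded_address(page_id)
    return (f'<a href="mailto:{addr}" style="display:none" aria-hidden="true" '
            f'tabindex="-1">{addr}</a>')


TRAP_RE = re.compile(rf"trap-[0-9a-f]{{12}}@{re.escape(DOMAIN)}")
LOG_RE = re.compile(r"from=<([^>]*)>\s+to=<([^>]*)>")  # assumed MTA log shape


def harvest_report(log_lines, page_ids):
    """Count inbound mail to trap addresses by (page scraped, sender).
    A trap-shaped address with no known page maps to 'unknown'."""
    index = {seeded_address(p): p for p in page_ids}
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        sender, rcpt = m.group(1).lower(), m.group(2).lower()
        if not TRAP_RE.fullmatch(rcpt):
            continue  # ordinary mailbox, not a trap
        hits[(index.get(rcpt, "unknown"), sender)] += 1
    return hits


if __name__ == "__main__":
    pages = ["/contact", "/careers", "/blog/2021/honeypots"]
    for p in pages:
        print(p, "->", trap_snippet(p))
    # Constructed MTA log lines (not real traffic); sender domains are reserved names.
    sample_log = [
        f"Jan 10 09:12:01 mx smtpd: from=<promo@bulk.example> to=<{seeded_address('/contact')}>",
        f"Jan 10 09:12:05 mx smtpd: from=<promo@bulk.example> to=<{seeded_address('/careers')}>",
        f"Jan 10 09:30:44 mx smtpd: from=<alice@example.net> to=<info@{DOMAIN}>",
        f"Jan 11 02:01:17 mx smtpd: from=<deals@other.example> to=<trap-000000000000@{DOMAIN}>",
    ]
    for (page, sender), n in harvest_report(sample_log, pages).items():
        print(f"{n} message(s) from {sender} to the address seeded on {page}")
```

Because the trap address is never published anywhere except inside one page's source, every delivery to it is evidence of harvesting, and the per-page tag tells which page the scraper visited. The address must be rotated together with `SECRET` if a list containing it leaks, otherwise the trap keeps attracting mail long after it has stopped being informative.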
Law enforcement uses honeypots to gather forensic information and evidence, especially to track cybercriminals and to protect forensic internet infrastructure. Security researchers, on the other hand, use honeypots to learn about attackers, types of attacks and hackers' methods, and they prefer high-interaction honeypots for in-depth information. United States law enforcement prioritizes privacy and confidentiality when dealing with security cases: the Fourth Amendment, the Federal Wiretap Act, the Electronic Communications Privacy Act and the pen register and trap-and-trace statute constrain how communications may be monitored, including when the honeypot is under the government's control. Security teams implement honeypots as part of network intrusion detection and prevention, a practice also known as baiting a suspect (Dahbul, Lim, & Purnama, 2017). United States law enforcement agencies (CIA, FBI and NSA) use honeypots to track cybercriminals and to protect forensic information systems from hackers, and security honeypots are used by security researchers as well as by agencies such as the FBI.
Law enforcement entices hackers with valuable-looking information such as financial records, confidential emails and credit card numbers, and gives the bait files attractive names that signal to the hacker that they hold such information. Sometimes security staff deliberately leave ports open in a way that makes attackers feel monitored and scares them away (Holt, 2020). Law enforcement also uses Honeyd to build honeypot systems that are easy to set up: Honeyd emulates many virtual hosts on a single machine, so several honeypots can be run cheaply and maintained easily. Honeypots are deployed within the DMZ, where they help detect attacks against publicly accessible systems. The big problem arises when a honeypot is poorly deployed: an improperly installed honeypot can be used to stage attacks against other organizations over the internet.
Besides this, United States law enforcement uses network monitoring solutions that include honeypots, for instance the LogRhythm honeypot and security analytics suite. Law enforcement uses honeypots more to protect computer systems than to catch criminals. It uses various approaches to protect infrastructure from hackers, for instance forensic analysis, reverse engineering and forensic investigation. Forensic analysis takes place after an attack, when the investigator analyzes the system to identify the information compromised by the hacker's activity (Holt, 2020). Reverse engineering, on the other hand, involves examining the malware that was captured or stolen to understand its purpose and how it operates. The log files most studied by law enforcement agents include pcap files, which contain the communication between the attacker and the target. The four principles of honeypot use in law enforcement are: know your honeypot, know your network, know your system and, lastly, know your enemy (Holt, 2020). The FBI has used honeypots to lure internet criminals on the dark web by capturing the IP addresses of website visitors. Honeypots are considered among the most effective means of monitoring illegal activity on the dark web and other crime sites.
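The forensic step described above, reading the attacker-to-target communication out of a pcap file, is shown here as an added example written for this page; it is not code from the paper or from any forensic tool. It builds a small capture in memory (constructed packets between documentation addresses, not recorded traffic) and then parses the classic pcap format with only the standard library, grouping packets into client/server conversations and printing the payload exchange. The assumption that the first sender seen in a flow is the client, and the lack of checksum handling, are simplifications of the demo.

```python
"""Extract attacker <-> honeypot TCP conversations from a classic pcap file.
Added illustration with a hand-built capture; pure standard library."""
import socket
import struct

# RFC 5737 documentation addresses; the capture below is constructed, not recorded.
ATTACKER, HONEYPOT = "203.0.113.7", "192.0.2.10"


def tcp_frame(src, sport, dst, dport, flags, payload=b"", seq=0, ack=0):
    """Ethernet/IPv4/TCP frame with zero checksums (parsers don't verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_sample_capture():
    """Handshake, SSH banner exchange, teardown: what a honeypot on port 22 might log."""
    frames = [
        tcp_frame(ATTACKER, 41234, HONEYPOT, 22, 0x02),                 # SYN
        tcp_frame(HONEYPOT, 22, ATTACKER, 41234, 0x12),                 # SYN/ACK
        tcp_frame(ATTACKER, 41234, HONEYPOT, 22, 0x10),                 # ACK
        tcp_frame(HONEYPOT, 22, ATTACKER, 41234, 0x18, b"SSH-2.0-OpenSSH_8.4p1\r\n"),
        tcp_frame(ATTACKER, 41234, HONEYPOT, 22, 0x18, b"SSH-2.0-libssh2_1.10.0\r\n"),
        tcp_frame(ATTACKER, 41234, HONEYPOT, 22, 0x11),                 # FIN/ACK
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def packets(pcap):
    """Yield (timestamp, frame) per record; handles both byte orders of the magic."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from(e + "IIII", pcap, off)
        off += 16
        yield sec + usec / 1e6, pcap[off:off + incl]
        off += incl


def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 6:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[t:t + 4])
    doff = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    return src, sport, dst, dport, flags, frame[t + doff:14 + total_len]


def extract_flows(pcap):
    """Group packets into conversations keyed ((client), (server)); the first
    sender seen is taken as the client (assumption; a SYN confirms it)."""
    flows = {}
    for _, frame in packets(pcap):
        d = decode_tcp(frame)
        if d is None:
            continue
        src, sport, dst, dport, flags, payload = d
        a, b = (src, sport), (dst, dport)
        if (a, b) in flows:
            key, direction = (a, b), "c2s"
        elif (b, a) in flows:
            key, direction = (b, a), "s2c"
        else:
            flows[(a, b)] = []
            key, direction = (a, b), "c2s"
        if payload:
            flows[key].append((direction, payload))
    return flows


def transcript(flows):
    """Human-readable exchange per flow: '>' client to server, '<' server to client."""
    lines = []
    for (client, server), msgs in flows.items():
        lines.append("%s:%d -> %s:%d" % (client + server))
        lines.extend("  %s %r" % (">" if d == "c2s" else "<", p) for d, p in msgs)
    return lines


if __name__ == "__main__":
    pcap = build_sample_capture()
    # open("honeypot.pcap", "wb").write(pcap)  # produces a file tcpdump/Wireshark can open
    print("\n".join(transcript(extract_flows(pcap))))
```

The output lists one flow from the attacker's port 41234 to the honeypot's port 22 with the honeypot's banner followed by the attacker's client banner; on a real honeypot capture the client banner and subsequent payloads are exactly the evidence, such as the tool used and the credentials tried, that an investigator reads out of the pcap.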
Honeypots are part of the deception technology that is commonly used today as one layer of security. They add to the protection provided by passwords, firewalls, intrusion detection systems (IDS) and other controls. Security researchers and IT professionals are still studying honeypots, and the technology has recently improved. Honeypot farms and honeynets are newer forms that offer protection against malicious activity from the internet. Low-, middle- and high-interaction honeypots can be deployed according to the organization's needs.
A low-interaction honeypot can itself be hacked and then become a threat to other networks and systems. Hackers today are very skilled, and it is often easy for them to notice when they are attacking a honeypot. High-interaction honeypots are used for forensic purposes, especially together with a honeywall. Network security experts develop honeypots in order to identify new attacks. The main problem lies in the lack of legislation and law supporting their use in most countries. Honeypots are still relatively new and not always efficient, but they are well suited to cybersecurity.
References
Baykara, M., & Daş, R. (2015). A survey on potential applications of honeypot technology in intrusion detection systems. International Journal of Computer Networks and Applications (IJCNA), 2(5), 203-211.
Chovancová, E., Adám, N., Baláž, A., Pietriková, E., Feciľak, P., Šimoňák, S., & Chovanec, M. (2017). Securing distributed computer systems using an advanced sophisticated hybrid honeypot technology. Computing and Informatics, 36(1), 113-139.
Dahbul, R., Lim, C., & Purnama, J. (2017). Enhancing honeypot deception capability through network service fingerprinting. Journal of Physics: Conference Series. IOP Publishing.
Holt, T. J. (2020). Police and Extralegal Structures to Combat Cybercrime. The Palgrave Handbook of International Cybercrime and Cyberdeviance, 385-402.