Cyberlaw: Honeypot Edition - Masters Degree in Information

Page 1: Cyberlaw: Honeypot Edition

Your guide to the legal issues and honeypots

Jay Radcliffe

Page 2: My Profile

▶ Jay Radcliffe, [email protected]
  - CISSP, GSEC
  - Six years at ISS with the MSS group
  - Undergrad Pre-Law/Criminal Justice
  - Working on Masters with SANS

Page 3: Legal Disclaimer

▶ I am not your lawyer. I am not a lawyer at all. This is not legal advice.

Page 4: Questions Answered

▶ What parts/areas of the law should I worry about?

▶ Is it entrapment if I catch a criminal in my honeypot?

▶ Can I record/log everything that occurs in my honeypot?

▶ Can I be sued by a hacker if he gets caught by my honeypot?

▶ What can I do to reduce my legal exposure?

Page 5: Honeypot Basics

▶ A honeypot is a device that is set up to record the actions of hackers

▶ Typically it's set up to look like a "normal" server. Example: file server, web server

Page 6: Honeypot Resources

▶ Lance Spitzner's book Honeypots

▶ Honeynet.org

Page 7: Legal Issue #1: Privacy

▶ Honeypots record all transactions that occur to and from the device

▶ US Federal laws limit the ability to perform these recordings

▶ This is the primary criminal issue in relation to honeypots

Page 8: ECPA

▶ The primary law that deals with the privacy issue in relation to computers is 18 USC 2510 (AKA Electronic Communications Privacy Act)

▶ It started out life just dealing with telephony wiretaps, and was extended to include electronic communications

Page 9: ECPA: Basic Diagram

▶ "A" is the honeypot

▶ "B" is the user communicating with the honeypot

▶ X is some 3rd party that is not involved in the communication

▶ "Method" refers to how the communication takes place

Page 10: The 1st Rule of ECPA

▶ If you are operating "A" then you are a party directly involved in the communication

▶ This gives you the legal authority to record and "intercept" communications.

▶ This should still apply if you are not being completely honest about the content on the honeypot

Page 11: 2nd Rule of the ECPA

▶ If you gain consent from either "A" or "B" then you have the legal authority to record/"intercept" communications
  - This applies to federal law only. There are X states that have laws that require consent from both "A" and "B"

▶ This is fairly easy to accomplish:
  - Banners
  - Acceptable Use / Terms of Service

Page 12: 3rd Rule of ECPA

▶ The Service Provider Exception
  - Let's say you own the network, and you provide service to others (Example: ISP, University)
  - You have a right to intercept traffic to verify that your network is working properly and that others are not going to "damage" your network
  - There are some cases that outline this from a telephony perspective

Page 13: Wireless and the ECPA

▶ Let's say your honeypot is off on a wireless network

▶ The ECPA says that communications that are "generally accessible to the public" and are not "encrypted or scrambled" are potentially LEGAL TO INTERCEPT

▶ In theory, if you put a wireless network in between "A" and "B" you can legally monitor without consent from either party
  - If no WEP or other encryption/scrambling is used

Page 14: Issue #2: Entrapment

▶ Very misunderstood legal concept

▶ Entrapment is only a defense, and can't be used to criminally charge the owner/operator of the honeypot

▶ Entrapment can only be used by a criminal to "excuse" him of the criminal charges

Page 15: Entrapment Example #1

▶ Jake goes to his local 2600 meeting and meets Judy and her friends. Judy is talking about hacking into Acme Inc's webserver and doing bad things. Judy offers Jake the opportunity to "prove himself" by hacking the server first. Jake declines the opportunity. Judy calls into question his "skillz" and general masculinity. Jake gives in and hacks into Acme's webserver. Jake is arrested by Judy, who is an undercover officer.

Page 16: Entrapment Example #2

▶ Matt goes to a security conference and meets Tom. Tom talks about hacking into Acme Inc's webserver. Tom suggests to Matt that he take a try at getting in. Matt declines. Tom then pulls out a weapon and threatens to harm and potentially kill Matt unless he hacks into Acme's webserver. Matt gives in and hacks into the webserver. Matt is then arrested by Tom, who is an undercover agent.

Page 17: Entrapment's Position

▶ The role of presumption is reversed in an entrapment defense
  - The court assumes that the accused WAS NOT entrapped
  - The defendant has to prove that some action that the government took made him commit the crime, and that they would not have committed the crime without that action
  - Exceptionally difficult to prove
  - Also, the defendant has to admit that they committed the crime

Page 18: Entrapment and Honeypots

▶ What's all this mean to your ability to deploy a honeypot?
  - Avoid contacting the users on your honeypot.
  - Avoid advertising your honeypots on IRCs, message boards, etc.
  - Any communications that are made need to be very well documented

Page 19: Entrapment and Research

▶ What if your honeypot is not to catch criminals, but to study them? Do you need to worry about entrapment?

▶ YES!

▶ In some cases you cannot control if there is going to be a criminal case
  - Child Pornography

Page 20: Actions you should take

▶ Banner all of your bannerable services
  - This action gains consent, one of the key elements in the ECPA
  - There are many examples in SANS course material, and on the internet
  - If you have access to legal counsel, have them review the language in your banner

Page 21: Actions you should take

▶ Keep the hacker contained
  - While I didn't cover civil legal issues, there is a concern that the hacker might use the honeypot to launch an attack
  - Limit outbound connectivity
  - Do what you can, and DOCUMENT it.

Page 22: Actions you should take

▶ Documentation
  - Have clear build procedures with your banner in them
  - Make a backup of the honeypot
  - There might be a time where you need to prove you had banners in place
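The three actions on pages 20 to 22 (banner first so consent is gained, record the session, keep evidence you can produce later) as a small worked example. This is added code, not from the slides: a minimal TCP session handler that sends the banner before reading any input, writes every received chunk to an append-only log, and returns the log's SHA-256 digest for the documentation folder. The banner wording and the `handle_session` helper are constructed for illustration; outbound containment is assumed to be handled by the firewall rules the deck mentions.

```python
"""Honeypot session handler: banner before recording, then a hashed log."""
import hashlib
import socket
import time

# Constructed sample banner (placeholder wording; have counsel review real text).
BANNER = (
    b"*** AUTHORIZED USE ONLY ***\r\n"
    b"All activity on this system is monitored and recorded.\r\n"
    b"By continuing you consent to that monitoring.\r\n"
)


def handle_session(conn: socket.socket, log_path: str, max_bytes: int = 4096) -> dict:
    """Send the banner, then record what the peer sends until it closes.

    The banner goes out before the first recv, so consent is obtained
    before anything from the peer is logged. Returns a summary dict
    (bytes received, SHA-256 of the log file) for the documentation checklist.
    """
    conn.sendall(BANNER)
    received = bytearray()
    with open(log_path, "ab") as log:  # append-only: never overwrite evidence
        log.write(f"--- session start {time.time():.0f}\n".encode())
        log.write(b"banner sent: " + BANNER.replace(b"\r\n", b" | ") + b"\n")
        while len(received) < max_bytes:
            chunk = conn.recv(1024)
            if not chunk:  # peer closed or shut down its write side
                break
            received.extend(chunk)
            log.write(f"{time.time():.3f} recv {chunk!r}\n".encode())
        log.write(b"--- session end\n")
    with open(log_path, "rb") as log:
        digest = hashlib.sha256(log.read()).hexdigest()
    return {"bytes_received": len(received), "log_sha256": digest}
```

Record the returned digest alongside the build procedure and banner text, so the log can later be shown unchanged since the session was captured.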

Page 23: Documentation

▶ Documentation checklist
  - Banners and list of services that are bannered
  - List of actions taken to limit the outbound connectivity from the honeypot
    ▶ Firewall rules, router ACL, etc.
  - Permission from managers
    ▶ Be sure to mention the reasons why you're putting up a honeypot.
    ▶ "A honeypot is a security tool that we need to assure the services we provide, and enhance our own security"

Page 24: Documentation

  - Network Diagram
    ▶ Needed to prove "method" of communications
    ▶ Especially important for wireless
  - Backups
    ▶ Throw the backup tape/CD/DVD in with the documentation folder
  - Any communication to the "outside" about the honeypot

Page 25: Documentation

▶ Put all of the above into a folder/envelope and put it somewhere safe

▶ DON'T SKIP THIS
  - An hour of documentation could save your job/company.

Page 26: Summary

▶ Cover all three of the ECPA bases
  - Consent (Banners, backups, build docs)
  - Prove you are an agent
  - Provider exception (Purpose Statement, banner)
  - Network Diagram (Wireless loophole)

▶ Don't communicate outside about your honeypot
  - If you *must*, document those communications

▶ Limit your honeypot from getting out
  - Have to prove "reasonable" security

Page 27: Questions?

▶ GSEC Gold Paper should be done this month, much more detailed and includes citations

▶ E-Mail me and I'll notify when it gets posted on SANS

▶ Suggestions? Let me know!
  - Other things that need to be addressed
  - Other cyber legal issues you would like to see covered

[email protected]