Why Lie?
People lie to me.
A lot.
The thing is, I’m not entirely sure why.
The scenario goes something like this:
Someone’s computer gets 0wned. It really doesn’t matter how, and in most cases, I actually don’t know exactly how. It just gets 0wned.
The bad guys doin’ the 0wnin’ install some malicious software that uses the 0wned machine (and the 0wned machine’s bandwidth) to start scanning the ‘Net for other 0wnable machines. Eventually, the malicious scanning software finds my honeypot.
The whole point of a honeypot is that it looks incredibly 0wnable. Specifically, my honeypot system looks to be vulnerable to dozens of different kinds of attacks. When malicious scanning software finds my honeypot, the malware’s little digital salivary glands shift into overdrive.
And so… the dance begins.
The attacking software will try, over and over, to 0wn the honeypot. Remember, the honeypot looks vulnerable… but it isn’t. Sometimes the tenacity of attacking malware becomes a little ridiculous. I’ve had attacking systems continuously try to 0wn my honeypot for months on end.
Aside from looking like it can get 0wned six ways to Sunday, a honeypot has one other, very important function: it logs everything.
I look at those logs pretty much every day and dig through the attacks. I research the IP addresses of the attacking systems, and I try to notify the system owners. By far, the bulk of the attacking hosts on the Internet are machines that attackers have already hacked, so rather than tracking down the actual attackers, I’m tracking down their victims. Over the years, this goofy “hobby” has allowed me to notify hundreds (perhaps thousands) of system owners - delivering the bad news that they’ve been hacked.
Tracking down the owners of 0wned systems is something of a black art: IP addresses, for the most part, don’t have usable reverse information (ex. looking up mail.example.com always gets you the IP address 12.34.56.78, but trying to do a reverse lookup on 12.34.56.78 generally won’t get you back to mail.example.com). There are other tools to assist with this (WHOIS, etc…) but they’re all pretty limited. The upshot: tracking down system owners is a hit-or-miss process at best.
So even when I’m able to track down some information that indicates who owns a hacked system, I’m never 100% sure - I get close, but never 100%. My messages to system owners are always in disclaimer-speak: “If this is your system, you should probably…”
That’s where the lying comes in.
It’s happened several times over the course of the past few months. I’ll contact someone and lay out a pretty good case for them being the owner of a hacked system. Sometimes I’ll have used some special toyz (to which I’ve been given access) to actually figure out the DNS name of the box. Sometimes I’ll use some cool trickery to discover what the box believes it is called. No matter how I figure it out, before I contact someone, I’ll be reasonably certain about who owns the system (note: the “owner,” not the “0wner”).
So I contact them.
“Nope. We’ve checked. We’ve had other people check. We’ve asked strangers to check. We’ve asked all our employees. We’ve asked them to ask their friends and neighbors… and THEY’VE all checked. We went straight to the source and asked the horse and even the famous Mr. Ed is ABSOLUTELY certain: IT’S NOT OUR MACHINE.”
But somehow, magically, the hacked machine that’s been blasting my honeypot every day for weeks on end… just stops.
I get it.
It’s embarrassing when your company gets 0wned. Obviously, you did something dumb and a poor unsuspecting computer paid the price and was… well… violated.
But really…
Lie to your stockholders. Lie to government regulators. Don’t lie to me…
Just think of me like your mother: I always know when you’re lying.
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
July 11, 2016