
Honeypot idea - planning stages

This topic is closed.

  • Honeypot idea - planning stages

    I'm actually considering bringing a barebones laptop with intent to lock it down as well as possible; create some secure (to the best of my ability) areas with one-time electronic gift certificates as 'prizes'.

    Part of the access to the machine will be a social-engineering test; I will give a synopsis of an archetypal user, who may or may not give socially engineerable clues about himself in a dummy MySpace, Yahoo or Facebook account. He/she will be a user who thinks themselves secure and discreet, but who would typically give away inadvertent details by mainstream means.

    I would ask that anyone that gets in signs a logbook I'll leave, and with a brief synopsis, mention the exploit, tactic or social engineering trail of clues that got them in. Nothing tedious or detailed, but if a clue was easily guessable based on the knowledge of the user, please mention what made the answer "easy".

    Obviously the exploiter/signer may use a false name or pseudonym and I will attempt to make certain the certificates don't require any personal registration. Participants need not compromise their own personal security to participate.

    The end goal of my experiment is *not* to have the tightest Fort Knox box on the planet, but to be about average. Chiefly, this will be to demonstrate that social engineering, human fallibility and true information security weakness must be addressed in tandem with hardware and network security, even for the individual end-user. Yes, this is obvious to most of *us*...but this lesson is still slow to saturate many folks we know.

    I plan on doing a demonstration back at a client's worksite regarding social-engineering for law-enforcement and the local community; stressing wi-fi security, physical access security, and *personal* information security for everyday end users in our community.

    Your aunt, your grandma, your less tech-savvy friends are hitting broadband and are vulnerable to malicious folks now more than ever. Odds are good most users have standard forms of protection, but what they state about themselves online and how visible they are to confidence tricksters is the purpose of this demonstration. I have no need to log or trace participants other than to ask for their voluntary description of what means they used to work their way in.

    Also, just as a statement: I do NOT plan to vilify hackers, white hat, black hat or otherwise, to my clients; my point of view is that confidence tricksters are centuries old, and that technology is just a new vehicle; I wish to emphasize prudence and due diligence to the end users in their daily transactions both socially and online. There's no need for "fear" of digital exploitation either; my demonstration will include current methods for users to validate transactions online, and an emphasis on common-sense tactics for laypersons without the hype of sensationalistic "News-at-Eleven!"-style hysteria.

    The end goal is for users to be as prudent with their personal information security as, if not more so than, with their machines' and home network security.

    No, exploiters do not get to keep my machine.

    This is an entirely voluntary exercise for fun and personal edification.

    Physical security to the device will be tighter than hell ;)

    -- Uncorq

  • #2
    Re: Honeypot idea - planning stages

    PS: For those interested in following up on this project, I will gladly send my powerpoints and handouts for use in educating your community once assembled. My target audience at this point are Seniors, Mom-and-Pop consumers and more casual internet users who aren't typically on the bleeding edge of technology news, with the focus of security and common sense without all the hype.


    • #3
      Re: Honeypot idea - planning stages

      Why not just bring an entrant in "0wn the box? Own the box!"? As long as you meet the requirements for the entry, there's nothing to keep you from doing all the things with the data ex post facto that you're describing.

      And we will gladly give your gift certificates out. :)