Whether you are trying to deflect attacks against your systems or just trying to learn more about the latest hacker techniques, a honeypot or honeynet (a network of honeypots) may strike you as the perfect way to start. In the past, the technique has yielded considerable information for network administrators.
A honeypot is simply a dedicated server connected to the Internet that contains tempting, but fake, data and software and that's lightly defended. In fact, a honeypot is connected to the Internet for the sole purpose of tricking hackers into trying to penetrate the system—and that's where there may be a legal problem.
Why IT pros love honeypots
A major advantage of using a honeypot to study hackers is that all traffic on a honeypot (with the exception of simple search engine bots) can be presumed to be unauthorized and probably hostile. This means that you don’t have to sort out the few hacker attacks from all legitimate network traffic on normal systems to analyze what hackers are doing. You can generate a great deal of useful information from the attacks made on a honeypot, especially if it’s configured the same way your working network is.
Richard Salgado, senior counsel for the Department of Justice's computer crime unit, has warned IT professionals and security researchers that using honeypots may be in violation of civil and criminal statutes. In a September 20, 2002 message on the Security Focus Honeypots' mailing list, Salgado said, “A honeypot operator should be careful about [the] monitoring of communications, even of intruders… The federal Wiretap Act and similar state statutes generally forbid the interception of communications unless one of the statutory exceptions applies. It is true that as a constitutional matter, an intruder has no reasonable expectation of privacy while he/she is trespassing on your network. This does not, however, answer the question of whether the Wiretap Act (or state statute) forbids the monitoring.”
More recently, Salgado reminded attendees at April’s RSA Conference that there exist very real legal issues here that aren’t easy to understand, and it may not be easy to avoid the potential negative consequences.
The problem lies in 18 U.S.C. 2511(1), better known as the federal Wiretap Act. Here's a sampling of the language in this document: “Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…”
The text of the statute goes on and on, making it pretty clear that it applies to almost anything a prosecutor wants it to fit. It may all boil down to this: if you intercept any electronic data not intended for you, you may need a warrant. The act includes paragraph after paragraph of exceptions following the general definition of what constitutes a wiretap violation, but even a nonlawyer can easily grasp enough of the meaning to see that it’s impossible to determine precisely what is and what isn’t legal in a specific instance, especially when talking about something such as a honeypot, which is built with the intention of intercepting "wire" communications.
You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense. (After all, consider laws that say you can’t necessarily throw someone off your land unless you have posted “no trespassing” signs.)
Even though it’s unlikely that a federal or even state prosecutor would really want to go on record prosecuting a legitimate IT professional for trying to track down vandals, there's still the civil side of the wiretap laws. Remember, you can sue someone over almost anything and, since there exists a wiretappng law that apparently makes monitoring hackers illegal in some circumstances, what’s to stop some high school student’s bright lawyer from suing you and your company when the kid gets in trouble for hacking? Sure, they probably won't win, but that’s not the point; it costs a lot of money just to defend yourself, whether you win or lose.
Working within the law
There are exceptions in the wiretap law that make it clear that you can monitor a system to prevent damage and misuse. But does that apply to a honeypot, which is specifically built to be attacked? Salgado says the exceptions may not apply, and that this has yet to be tested in a court case.
Certainly, you can consent to be monitored and that makes everything legal. Consider a message left on an answering machine. You know you’re being recorded so that doesn’t constitute a wiretap.
Salgado suggests that, “One way an operator may be able to get consent is to banner the system telling would-be users that by using the system they are consenting to monitoring. Of course, this assumes that the intruder is coming through a port that you can, as a technical matter, banner. There is also an argument that when an intruder communicates with the honeypot (say by FTP upload), the honeypot itself is a party to the communication and can give consent to monitoring. As with all things honeypot, there is no case law directly on point.”
In the most obvious case for legal monitoring, the government, but not individuals, can monitor server traffic during the course of an investigation under what’s known as the Computer Trespasser exception, part of the USA Patriot Act.
I’m not a lawyer and certainly am not trying to give any legal advice here. But the fact that a senior Department of Justice counsel has taken the extraordinary step of speaking out on this subject repeatedly and, most recently, in a major public forum attended by many IT security professionals, leads me to believe that companies should take Salgado’s warning very seriously indeed.
Honeypots are effective and useful tools. Even Salgado says so. But until some case law has been established that lawyers can use to gauge the potential for legal action and that judges can use to guide them on applying the new laws, I wouldn’t recommend using a honeypot other than as a decoy system where you do not monitor the traffic.
Monitoring hacker activity on a honeypot may turn out to be perfectly legal, but do you want to have your name or your company’s name on the Supreme Court case that determines this?