Weak honeypots mean unimportant security intel

Dec 14, 2015 11:20 GMT  ·  By
Honeypot servers, improperly set up with default credentials left intact

There are a few honeypot servers available online that are incredibly easy to spot just by looking at their credentials, all easy to find via Shodan, as Darren Martyn from Xiphos Research reveals.

If you're unfamiliar with the term "honeypot," this is a technique where security specialists set up a server, make it broadcast fake identification details, leave it open to the Internet, and then record who logs in and what they are doing.

The honeypot data allows security researchers to gather crucial information on what new techniques hackers are using, or what information they might be after. For this reason, a honeypot must not look like a trap; otherwise, attackers will avoid it.

Hundreds of honeypots broadcasting the same serial number

In a study of the security of honeypot servers, which are meant to be insecure by design, Mr. Martyn found that most security companies that set up such servers are making their honeypots a little too insecure, allowing skilled attackers to easily detect these fake systems.

Mr. Martyn identified the root of the problem as being ConPot, an open source toolkit that allows infosec researchers to quickly install an ICS/SCADA honeypot on their servers.

Apparently, the tool comes with default identification details that most security researchers forget to change. With a quick Shodan search, at the time of this article, we found 106 default ConPot honeypots that used the same serial number.

It would also be a good idea not to name a honeypot server "HoneyTrap," another term for honeypot, or to set up 438 honeypot servers in the same country with the same serial number.

Honeypots showing error messages from random data generation functions

Additional research into the topic also showed that the security researchers who do change these default credentials are also doing a bad job of it.

Some of them don't even notice that the code function they used to generate random data is actually showing an error instead (screenshot below, Shodan query).

Even when the randomly generated data is inserted successfully, Mr. Martyn pointed out, some of it is unrealistic, with serial numbers that differ significantly from what the manufacturers of those products actually use.
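The three giveaways described above (template defaults left in place, a generator error leaking into the banner, and serial numbers shared across a fleet or in a format no manufacturer would use) can all be caught before a honeypot goes online. The self-audit below is an added example written for this article; it is not code from Mr. Martyn's research or from the ConPot project. The "known default" values are placeholders the operator fills in from their own template, the error-residue patterns and the expected serial format are assumptions to be adjusted per product, and the sample profiles are constructed.

```python
import re

# Constructed self-audit for a honeypot's advertised identification profile.
# The "known default" values are placeholders the operator fills in from
# their own honeypot template; they are NOT taken from ConPot or any vendor.
KNOWN_DEFAULTS = {
    "serial_number": {"PLACEHOLDER-DEFAULT-SERIAL"},
    "system_name": {"PLACEHOLDER-DEFAULT-NAME"},
}

# Words that give a trap away when they appear in a device name or description.
TELLTALE_WORDS = ("honeytrap", "honeypot", "honeynet")

# Residue of a failed random-value generator leaking into a banner.
# Assumed patterns: a Python function repr, a traceback fragment, an
# exception name, or an unrendered template tag.
ERROR_RESIDUE = re.compile(
    r"(<function |<bound method |Traceback \(most recent call last\)|"
    r"\b(?:Name|Type|Attribute|Key)Error\b|\{\{|\}\})"
)

# Assumed manufacturer-style serial format; the operator sets this per product
# from real device documentation. Here: 8 to 16 upper-case alphanumerics.
SERIAL_FORMAT = re.compile(r"^[A-Z0-9]{8,16}$")


def audit_profile(profile: dict) -> list:
    """Return a list of (field, reason) findings for one identification profile."""
    findings = []
    for field, value in profile.items():
        text = str(value)
        if text in KNOWN_DEFAULTS.get(field, set()):
            findings.append((field, "still the template default"))
        if any(w in text.lower() for w in TELLTALE_WORDS):
            findings.append((field, "name reveals it is a trap"))
        if ERROR_RESIDUE.search(text):
            findings.append((field, "generator error leaked into value"))
    serial = str(profile.get("serial_number", ""))
    if serial and not SERIAL_FORMAT.match(serial):
        findings.append(("serial_number", "does not match expected manufacturer format"))
    return findings


def audit_fleet(profiles: list) -> dict:
    """Map each serial number shared by more than one honeypot to the names using it."""
    seen = {}
    for p in profiles:
        seen.setdefault(str(p.get("serial_number", "")), []).append(p.get("system_name"))
    return {s: names for s, names in seen.items() if len(names) > 1}


# Constructed sample profiles, as an operator might export them from a deployment.
SAMPLE_PROFILES = [
    {"system_name": "PLACEHOLDER-DEFAULT-NAME", "serial_number": "PLACEHOLDER-DEFAULT-SERIAL"},
    {"system_name": "HoneyTrap-03", "serial_number": "A1B2C3D4E5"},
    {"system_name": "PumpStation-2", "serial_number": "<function rand_serial at 0x7f>"},
    {"system_name": "Boiler-Ctrl", "serial_number": "A1B2C3D4E5"},
    {"system_name": "Boiler-Ctrl-2", "serial_number": "7F3K9Q2M1ZX4"},
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        for field, reason in audit_profile(p):
            print(f"{p['system_name']}: {field}: {reason}")
    for serial, names in audit_fleet(SAMPLE_PROFILES).items():
        print(f"serial {serial!r} shared by {names}")
```

Run it against the exported profiles of every honeypot in a fleet before deployment; a clean run means no default left in place, no error text in a banner, no telltale name, and no serial reused across hosts. The format check is deliberately a single regex so it can be swapped for the real pattern of whatever product the honeypot imitates.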

"What this means, is that the only attackers you are actually gathering threat intelligence on, are idiots. The script kiddies. Low hanging fruit who most likely won’t be doing anything interesting anyway to your boxes if they do get in," says Mr. Martyn. "You will gather precisely no valuable intelligence whatsoever on any attacker that is remotely relevant to your interests. All the intel you do get, is useless noise and chaff, which simply makes seeing the important stuff going on out there a hell of a lot harder."

UPDATE: We replaced the term "hardcoded" with "default" at the request of the ConPot team. "We deliberately use default values (not hard-coded) to encourage users who care to change it," Lukas Rist, ConPot developer, told Softpedia.

Honeypot servers with errors in their identification details