CAZine: issue 3, September 2009

Phrackster

By: Gamma Cpt R3v3r

This issue of Phrackster is about the guy who started a really good project called Project Honey Pot. Project Honey Pot has been used for many years to track down spammers. Its technology and its list of bad IPs have been integrated into many sites and systems; APF is a good example: it uses iptables and DenyHosts, and the IPs it blocks are downloaded from Project Honey Pot. What follows is a short history of it. I highly recommend it. He started it with just himself and one engineer; now, as you will read, tens of thousands of members contribute to making this one of the best tools for any web admin, or any computer user, period.

If you can’t install the tools that are needed on your server, there are other tools you can use. It is free to sign up and get a link that you can place anywhere on your site (CAZine has already done this). The link leads to a honey pot page that hands out an e-mail address no human ever sees, so any mail that later arrives at that address identifies a harvester that followed the link. Enjoy.
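The trap described above works because every address the honey pot hands out is unique to the request that fetched it, so a message arriving at that address can be tied back to the crawler’s IP, user agent and fetch time (and the harvest-to-spam delay can be measured). The following is an added example of that mechanism written for this article; it is not Project Honey Pot’s code or a description of their implementation. The secret, trap domain, IP addresses, user agents, timestamps and spam events are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a per-site secret so trap addresses cannot be guessed and the
# trap domain flooded with noise. Constructed values; rotate in practice.
TRAP_SECRET = b"constructed-secret-rotate-me"
TRAP_DOMAIN = "trap.example.net"          # constructed domain, never a real mailbox


@dataclass(frozen=True)
class Visit:
    ip: str
    user_agent: str
    fetched_at: datetime


def trap_address(visit: Visit) -> str:
    # One address per request: the local part is an HMAC over the visit
    # details, so it is unique to that fetch and unforgeable by outsiders.
    data = f"{visit.ip}|{visit.user_agent}|{visit.fetched_at.isoformat()}".encode()
    tag = hmac.new(TRAP_SECRET, data, hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{TRAP_DOMAIN}"


class HoneyPot:
    def __init__(self) -> None:
        self.issued: dict[str, Visit] = {}                 # address -> who was shown it
        self.spam: dict[str, list[datetime]] = defaultdict(list)

    def serve(self, visit: Visit) -> str:
        """Body returned to whoever fetches the trap page: a link that a
        browser does not render but a crawler parsing the HTML will collect."""
        addr = trap_address(visit)
        self.issued[addr] = visit
        return f'<a href="mailto:{addr}" style="display:none">{addr}</a>'

    def receive(self, rcpt: str, received_at: datetime) -> Optional[Visit]:
        """Mail to a trap address can only come from someone who harvested
        (or bought) it. Addresses we never issued are ignored so that guesses
        at the trap domain do not pollute the data."""
        key = rcpt.strip().lower()
        visit = self.issued.get(key)
        if visit is not None:
            self.spam[key].append(received_at)
        return visit

    def harvester_report(self) -> dict[str, dict]:
        """Per source IP: addresses handed out, how many of them drew spam,
        the user agents seen, and the shortest delay between the fetch and
        the first spam. A source that fetched addresses but never triggered
        spam (a search engine, say) shows harvested > 0 and spammed == 0."""
        report: dict[str, dict] = {}
        for addr, visit in self.issued.items():
            entry = report.setdefault(
                visit.ip,
                {"harvested": 0, "spammed": 0, "min_delay": None, "user_agents": set()},
            )
            entry["harvested"] += 1
            entry["user_agents"].add(visit.user_agent)
            hits = self.spam.get(addr)
            if hits:
                entry["spammed"] += 1
                delay = min(hits) - visit.fetched_at
                if entry["min_delay"] is None or delay < entry["min_delay"]:
                    entry["min_delay"] = delay
        return report


def demo() -> dict[str, dict]:
    # Constructed traffic: a search engine and a harvester both fetch the
    # page; only the address shown to the harvester later receives mail.
    pot = HoneyPot()
    t0 = datetime(2009, 9, 1, 10, 0, 0)
    crawler = Visit("192.0.2.10", "ExampleBot/1.0 (constructed)", t0)
    harvester = Visit("198.51.100.7", "Mozilla/4.0 (compatible; constructed)",
                      t0 + timedelta(hours=1))
    pot.serve(crawler)
    pot.serve(harvester)
    # Spam reaches the harvested address 2 days 6 hours after the fetch;
    # a second message to an address we never issued is dropped.
    pot.receive(trap_address(harvester), harvester.fetched_at + timedelta(days=2, hours=6))
    pot.receive("nobody@" + TRAP_DOMAIN, t0 + timedelta(days=3))
    return pot.harvester_report()


if __name__ == "__main__":
    for ip, entry in demo().items():
        print(ip, entry)
```

In a real deployment the `issued` table would live in a database shared by every site hosting a trap page, which is what lets one project aggregate sightings of the same harvester across many unrelated sites.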

R3V3R: Why did the project start?

Matthew Prince: Project Honey Pot started as a research idea. I was going to give a talk at a conference and was trying to come up with something to talk about. A question I’d always wondered about was how did spammers get your email address in the first place. I knew, anecdotally, that they used web crawlers to “harvest” them, but I had never found anyone who knew the specifics of how that worked. For example, what was the average time between when an email address is harvested and when spammers start sending messages to it, do different types of spammers use different types of crawlers, do they OCR images to pull out email, do they parse Javascript to pull out emails it generates, and so on. I asked a really talented engineer named Lee Holloway if he could build something to get me the data I needed to give a talk on these questions. He worked on it for about a week and then released what we called Project Honey Pot. That was back in late 2003. We announced it at the conference in 2004 and it’s been running ever since.

R3V3R: How many people originally worked on the project?

Matthew Prince: Originally Lee built the back end and I built the website and user interface. It’s a testament to Lee’s skill as an engineer that it has held up so well over the years running under intense load on very limited resources. On the other hand, it’s a testament to the lack of my web design skills that the site looks like something from the 1990s. The quaint nature of the website keeps us under the radar to some extent, and hides the real power that is going on behind the scenes. Or, at least, that’s what we tell ourselves.

Today, there are more than 80,000 Project Honey Pot members in more than 165 countries around the world. We have members living on every continent, including, as of about six months ago, someone on a research station in Antarctica. The Project is run with an open source mentality and many of its members have contributed code, data, or ideas that have made it a more useful resource.

R3V3R: How does this fit your ‘passion’ in computing?

Matthew Prince: The Internet is powerful because it allows diverse groups to share information. One of the areas where information continues to be “stove piped” is in the fraud and abuse space. Organizations that are attacked rarely share information about those attacks in order to help other organizations. That is a major problem in the security space and allows blackhat hackers with limited resources but strong coordination to often beat whitehat security professionals at big organizations with significant resources but very little coordination. I’m hopeful that Project Honey Pot can set an example on the power of sharing abuse information between organizations.

R3V3R: What are the Future plans for ProjectHoneyPot?

Matthew Prince: We’ve begun tracking threats beyond our original focus on email spam. Lee was very smart when he originally designed the honey pot specification. The scripts that Project Honey Pot members install in order to protect their sites can adapt over time to track additional threats. As a result, we’ve been able to release things like trap forms, which resemble the comment forms on blogs, in order to receive information on comment/blog spammers. Our data set on that space is growing rapidly. We’re also looking at other threat types like web crawlers that ignore robots.txt restrictions, websites that host pages advertised by spam or phishing, and web visitors that engage in cross-site scripting and SQL injection attacks. As we gather this data, we make it available to members of the Project in order for them to be able to protect their own sites.

R3V3R: What are your Ideal goals besides getting rid of all the spammers and harvesters?

Matthew Prince: Primarily, we’d like to encourage more organizations to share the fraud and abuse information they witness. Unless we are able to achieve this, legitimate organizations will always be at a disadvantage to attackers.

R3V3R: What is the funniest thing that happened during the creation of the project?

Matthew Prince: I don’t know the funniest, but we get a lot of crazy stuff people write in to us. A lot of times people will write to us after they’ve done a search on some aspect of a spam message they’ve received. Since we report the characteristics of spam messages captured by Project Honey Pot on our site, our site often comes up. The messages about people wanting to reorder supplies of herbal viagra can be funny. Sometimes the messages can also be pretty depressing. I’m troubled, for example, by how many people fall for the so-called Nigerian 419/Advance Fee scams (“I’ve got a bunch of money, I can’t get it out of the country, I’ll give you some if you just give me your bank account”) and write to us after they’ve lost everything. There’s little we can do other than refer them on to law enforcement.

R3V3R: Why do you think Project Honey Pot became so well known that even firewalls download the IPs in Project Honey Pot’s database?

Matthew Prince: I think that Project Honey Pot speaks to an inherent desire of web administrators to understand who’s coming to their websites and what they’re doing. With a lot of web analytics software packages you miss a significant part of your traffic. For example, if you’re using Google Analytics then you’re not seeing any of the robots — whether search engines or malicious harvesters — that come to your site because they don’t trigger the Javascript beacon. Even if you use analysis that looks at the raw server logs, it’s very difficult to tell if a visitor to your site is doing bad things or not. Project Honey Pot allows a community to come together and share information on the collective knowledge that they’ve seen for mutual benefit.

I think another aspect is that we’ve always been very careful with what we do and what we don’t do. People write to us all the time asking for us to create an RBL like Spamhaus or SORBS. We could do that but it would really introduce a lot of changes to the Project. We’ve always decided that it made more sense to stay focused on our core mission of understanding malicious web traffic. As a result, I think the data that we provide through a service like http:BL is very trustworthy and useful for what it is.

Finally, the architecture of the system has allowed us to scale really well over time. We receive tens of millions of email messages a day. That’s a lot of email. Every one of those messages needs to be received, collated, indexed, and incorporated into a database. That’s a surprisingly tricky problem which our engineering team had the foresight to anticipate when the Project launched in order to allow it to scale to the size it’s grown to today.

R3V3R: Any ideas that never made it to the mainstream that you think would have been fun?

Matthew Prince: We’re working on stuff that may eventually make it into the mainstream. I’m particularly interested in how we can make deployment of the protection Project Honey Pot data provides easier. http:BL is a powerful tool, but it requires a certain level of technical sophistication to use. I’d like to make that something that is extremely easy for anyone with a website. It’s something we’ve been working on. Hopefully we’ll have more details soon.

R3V3R: Any lessons you learned that can help others who might want to help out as well?

Matthew Prince: Make sure you have really smart engineers on your team. Be patient — I was stunned how long it took for us to start receiving spam in any significant volume. Have hobbies if for no other reason than sometimes they turn into meaningful projects.

R3V3R: In your opinion, what does it take to become an affiliate of Project Honey Pot?

Matthew Prince: We don’t really have affiliates. We have members. Anyone who owns a domain or administers a website may benefit from being a member. We have members that run websites that get 10 unique visitors a month to some that get 10 million. In addition to members, we have partners who usually provide the Project tangible things it needs. For example, Townsend Networks (www.townsendassets.com) recently donated a bunch of servers to the Project. We like to acknowledge things like that by making the organization a partner and featuring them on the Project Honey Pot pages.

I would like to thank Matthew Prince for his time and for answering my short interview. We wish you the best of luck. If there is anything we at CAZine can do for you, please feel free to let us know. Thank you very much!!!

R3V3R
