Lance Spitzner is a geek who constantly plays with computers, especially network security.
His passion is researching honeypot technologies and using them to learn more about the enemy.
He is the founder of the Honeynet Project, moderator of the honeypot mailing list, co-author of “Know Your Enemy”, author of “Honeypots: Tracking Hackers” and also author of several whitepapers. He works as a senior security architect for Sun Microsystems, Inc.
How did you gain interest in honeypots?
My lack of understanding about badguys. I had no idea how they broke into computers, what they did afterwards, or even ‘who’ they were. Honeypots were a great way to learn. Also, honeypots are very exciting because its a new field. I don’t deal well with having to follow lots of rules. With honeypots, I get to make things up as I go, which I find to be lots of fun.
What was it like writing “Honeypots: Tracking Hackers”? Any major difficulties?
The book was actually alot of fun to write. It was something I really wanted to do, as it is the very first book out on honeypots. It also gave me the opportunity to put all my thoughts together. I learned a great deal from that book. The hardest part was making sure I was technically correct with all the different honeypots. The technology is changing so fast, such as with ManTrap and Honeyd, that I was having to learn some of the new features as I wrote the book.
What security tools do you use on a daily basis?
Firewalls and virus scanners. I have both network and host based firewalls, and everything is virus scanned on my PC’s. Also, I REALLY like the automatic patching facilities that come with WindowsXP and RedHat Linux. Keeps systems current. Last, I’m always attempting to minimize and harden my systems.
In your opinion what are the most important things an administrator has to do in order to keep a network secure?
If you don’t need it, remote it. If you do need it, patch it. Vast majority of attacks are for known vulnerable services. If the service is not there, they can’t hack it. If the service is patched, they will have a damn hard time hacking it.
What’s the most amusing thing you ever saw someone do on a honeypot?
Oh, good grief, there’s so many. Not knowing the tools they are using (4 times to figure out how to untar a file). Accidently DoSing themselves, getting excited about Ping of Death, prefering to launch DoS attacks from Windows, announcing they like to smoke weed, etc. However, I have also learned some very useful Unix commands from watching them, such as grepping for specific network connections.
What’s the longest an attacker has been on one of your honeypots?
Three weeks. After that amount of time, there is little you can learn, with only increased risk of something going wrong.
Recently the Honeypot Best Practices security conference took place, are you satisfied with the outcome?
It was a great start, as it was the first honeypot conference. However, I would like to see one that is more technical, covering a great spectrum of technologies (similar to my book). I’m currently teaching 3 day honeypot class that is very similar to this. You may also see some more exciting events next year 🙂
What books, whitepapers, websites would you recommend to people that are starting to learn about computer security?
Oh boy, that depends. Beginner worrying about securing their XP box at home, security engineer securing their network at work? For the common user, I just recommend getting a firewall and a virus scanner, that works for most. For the security professional, start with the basics. For me, that was Stevens TCP/IP Illustrated Volume I. That has become my networking bible. The other most valuable thing for me has been a home lab. Build yourself a network of computers (old 486 systems are fine), and test everything you are learning in that environment (minimization, network sniffing, firewalls, attacks, etc). That hands on experience has proven invaluable to me.
What are your future plans? Any exciting new projects?
One of the most exciting things the Honeynet Projectis now working on is a bootable CDROM. We want to take our newly developed GenII technologies and build them into a bootable CDROM. This way if any organizations want to deploy a Honeynet (or multiple Honeynets), they simply boot off a CDROM and they have their Honeynet. All that is left is populating the network with target victims.