Real or Fake robots.txt?

    • #4251
      ethicalhack3r
      Participant

      I had a look at the number10.gov.uk robots.txt file yesterday and, to my surprise, they were exposing their Class A private IP address.

      However, I also noticed that their robots.txt file was not a file at all and instead was a directory named /robots.txt/. So the contents of that directory, when you visit it, must be served from another file, i.e. /robots.txt/somefile.php.

      Here is the URL:
      http://www.number10.gov.uk/robots.txt/

      Seems they have spent a lot of time on their robots.txt ‘file’. They couldn’t possibly have left the IP there by accident, or could they?
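
      An added example, not code from the original post, of the two checks the post describes: scanning a robots.txt body for addresses in the RFC 1918 ranges (10/8 is the old ‘Class A’ private range) and recognising a /robots.txt that is served as a directory. The sample body, the example.gov.uk host and the assumption that a directory shows up as a redirect to the trailing-slash form are all constructed for illustration, not taken from the real site.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample body, NOT the real number10.gov.uk file: a robots.txt that
# leaks an internal address in a Sitemap line and another in a Disallow path.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /wp-admin/
Sitemap: http://10.1.2.3/sitemap.xml
Sitemap: http://www.example.gov.uk/sitemap.xml
Disallow: /backup-192.168.0.10/
Disallow: /cdn/203.0.113.7/
"""

# Dotted quad not glued to more digits/dots on either side (so "1.2.3.4" is not
# pulled out of "11.2.3.4.5"); validity is checked with ipaddress below.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text: str) -> List[str]:
    """Return every valid IPv4 literal in text, in order of appearance."""
    found = []
    for m in _IPV4.finditer(text):
        try:
            ipaddress.IPv4Address(m.group(0))
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        found.append(m.group(0))
    return found


def classify(addr: str) -> str:
    """Label an address the way you would triage it during recon."""
    ip = ipaddress.IPv4Address(addr)
    if ip in ipaddress.IPv4Network("10.0.0.0/8"):
        return "private (RFC 1918 10/8, the old 'Class A' private range)"
    if ip in ipaddress.IPv4Network("172.16.0.0/12"):
        return "private (RFC 1918 172.16/12)"
    if ip in ipaddress.IPv4Network("192.168.0.0/16"):
        return "private (RFC 1918 192.168/16)"
    if ip.is_loopback or ip.is_link_local:
        return "local (loopback or link-local)"
    return "public"


def find_internal_leaks(robots_body: str) -> List[Tuple[str, str]]:
    """(address, label) for every non-public address found in a robots.txt body."""
    return [(a, classify(a)) for a in extract_ipv4(robots_body)
            if classify(a) != "public"]


def robots_is_directory(status: int, location: Optional[str]) -> bool:
    """Assumption: a GET for /robots.txt answered with a 301/302 to /robots.txt/
    is the trailing-slash redirect a web server issues for a directory, so the
    'file' is really a directory index served by something inside it."""
    return status in (301, 302) and location is not None \
        and location.endswith("/robots.txt/")


if __name__ == "__main__":
    for addr, label in find_internal_leaks(SAMPLE_ROBOTS):
        print(f"{addr:15s} {label}")
    # Constructed response, as if a GET /robots.txt had been redirected.
    print("served as directory:",
          robots_is_directory(301, "http://www.example.gov.uk/robots.txt/"))
```

      Feed the real body and the real status/Location pair from your own fetch into these functions; anything labelled private or local in a public robots.txt is worth a note in the report, whether it was left there by accident or on purpose.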

    • #26959
      Jhaddix
      Participant

      looks like a honeypot to me  😉

    • #26960
      UNIX
      Participant

      That’s what came to my mind first as well. 🙂

    • #26961
      ethicalhack3r
      Participant

      I also thought that; however, from what I’ve heard, honeypots are illegal in the UK as it is seen as entrapment.

      And a Google search of the IP seems to indicate that it’s the one they use:
      http://wblinks.com/notes/number-10-goes-web-2

    • #26962
      RoleReversal
      Participant

      (Disclaimer: IANAL & UK-based, YMMV)

      @ethicalhack3r wrote:

      I also thought that; however, from what I’ve heard, honeypots are illegal in the UK as it is seen as entrapment.

      I hope not, or I’m due a knock on the door from the boys in blue…

      From my understanding, entrapment only applies to law enforcement, not members of the public, plus you need to actively encourage the ‘attacker’ to perform a criminal act on your honeypot. Merely having it sitting there, doing nothing to actively promote itself, does not constitute entrapment.

    • #26963
      ethicalhack3r
      Participant

      Ahhh… that makes more sense. Damn uni giving me misinformation!

    • #26964
      RoleReversal
      Participant

      Hey I could be wrong, don’t want you (or anyone else) getting arrested on my account….

    • #26965
      Ketchup
      Participant

      I am not sure of the UK laws, and I am not a lawyer.  However, I have always understood that entrapment mainly applies to law enforcement and to criminal cases, where the burden of proof lies with the plaintiff.  I also believe that entrapment does not have any penalty associated with it outside of getting your evidence thrown out of court.

    • #26966
      RoleReversal
      Participant

      Hey Ketchup,

      That fits with my understanding, basically a get out of jail free card if the accused can ‘prove’ entrapment.

    • #26967
      UNIX
      Participant

      Interesting to know, haven’t heard of this before.

      Can it therefore be said that honeypots in the UK may only be used for things such as research and analysis, but not for catching a few of the “bad guys”?

    • #26968
      RoleReversal
      Participant

      Awesec,

      as I’ve stated previously, IANAL and I don’t work for law enforcement, but my understanding is that the information collected from a honeypot isn’t in itself a form of entrapment. This only becomes an issue if you actively encourage the defendant to attack your server, i.e. you can’t post ‘hack this IP a.b.c.d’ in an IRC channel and then try to prosecute those that take you up on the offer.

      If a honeypot is just sitting there minding its own business, I don’t see any reason why the information collected can’t be used to prosecute any less than the logs of a ‘live’ server; the fact that a honeypot is specifically designed to record this information shouldn’t, in my opinion, come into the equation.

      Does anyone have any experience with this, or in a better position to prove me wrong? Would be interesting to know exactly where the legal profession sits on this issue?

    • #26969
      Ketchup
      Participant

      Andrew,

      You got me curious about this. Most people consider honeypots to be enticement and not entrapment, based on this definition. The attacker was looking for the honeypot; he/she would have found another target if not for your honeypot.

      “Entrapment is the conception and planning of an offense by an officer, and his procurement of its commission by one who would not have perpetrated it except for the trickery, persuasion, or fraud of the officers.”

      I wasn’t able to find any legal precedent in the US that dealt with this subject matter.  I did find some other interesting tidbits though.

      1.  You can be liable for damages if your honeypot gets pwned and is used to cause damage elsewhere. 

      2.  If improperly configured, your honeypot could be violating wiretapping laws.  I am assuming this is a more serious issue in the UK since your privacy laws are much more substantial than ours. 

      3.  Entrapment pertains to law enforcement and not the private sector. 

      My guess is that it’s perfectly legal to use a properly configured honeypot.  I am not sure if the evidence collected from a honeypot will stand up in court.  I would recommend monitoring a honeypot regularly to make sure that it doesn’t become an SSH proxy for an attacker.  I don’t think that anyone wants their case to become the legal precedent in this matter 🙂

    • #26970
      RoleReversal
      Participant

      @Ketchup wrote:

      1.  You can be liable for damages if your honeypot gets pwned and is used to cause damage elsewhere. 

      True, although depending on the type of honeypot this is no worse than any other live system. If it gets 0wned bad people can do bad things with it.

      It’s for this reason that I only run low-interaction honeypots (Nepenthes and a couple of small custom scripts): as low-int honeypots only emulate the vuln rather than actually having the vulnerability, you should, in theory, be safe (unless there is an additional vulnerability in your honeypot application).

      High interaction pots scare the bejeesus out of me and I wouldn’t recommend touching them. Although I did once stick an unpatched XP box on a public IP and waited for some action, didn’t even get the kettle boiled before I pulled the power  😮

      @Ketchup wrote:

      2.  If improperly configured, your honeypot could be violating wiretapping laws.  I am assuming this is a more serious issue in the UK since your privacy laws are much more substantial than ours. 

      tbh I’ve not given it any thought until now, but I’m not sure if wiretapping should be an issue with honeypots, as we’re not intercepting traffic meant for another device, only stuff that targeted the honeypot itself (either maliciously or via misconfiguration). From a wiretap perspective I would have thought an IDS or IPS would be at greater risk of violating wiretap laws than a honeypot, and these are widely considered ‘best-practice’ technologies. (And don’t get me started on ‘privacy’ within the UK…)

      Personally I think one of the main issues people have with honeypot systems is that they are largely not understood. From my experience I find them to be a very useful addition to aid a sys & network admin to get a better understanding of the threats facing their systems, but as the legal position seems ‘unknown’ I’ll refrain from suggesting anyone gives it a go…
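
      An added example, not code from the original post and not Nepenthes, of the low-interaction idea RoleReversal describes above: a tiny HTTP “server” that records every probe and returns the same canned page to every request, with no handler that acts on the path, reads a file or resolves a name, so there is nothing for the attacker to exploit beyond the listener itself. The Server banner, the port, the log file name and the sample probe are all constructed for illustration.

```python
import json
import re
import socket
import time
from typing import Dict, Optional, Tuple

MAX_REQUEST_BYTES = 4096                # hard cap on what we read from a client
FAKE_BANNER = b"Apache/2.2.3 (CentOS)"  # assumed bait banner; purely cosmetic

# Constructed probe (not a captured request): a traversal attempt of the kind a
# scanner sends. A genuinely vulnerable server might act on the path; we never do.
SAMPLE_PROBE = (
    b"GET /robots.txt/../../../etc/passwd HTTP/1.1\r\n"
    b"Host: honeypot.example\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; scanner/1.0)\r\n"
    b"\r\n"
)

_REQ_LINE = re.compile(rb"^([A-Z]{3,10}) (\S{1,2048}) HTTP/(\d\.\d)$")


def parse_probe(raw: bytes) -> Optional[Dict[str, str]]:
    """Pull out the request line plus Host and User-Agent. Nothing here opens a
    file, resolves a name or interprets the path; it is recorded as a string."""
    head = raw[:MAX_REQUEST_BYTES].split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = _REQ_LINE.match(lines[0])
    if not m:
        return None  # not HTTP-shaped (TLS hello, random bytes, empty read)
    rec = {
        "method": m.group(1).decode("ascii"),
        "path": m.group(2).decode("ascii", "replace"),
        "version": m.group(3).decode("ascii"),
    }
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        key = name.strip().lower()
        if sep and key in (b"host", b"user-agent"):
            rec[key.decode("ascii")] = value.strip().decode("ascii", "replace")
    return rec


def handle_probe(raw: bytes, peer: str,
                 now: Optional[float] = None) -> Tuple[bytes, Dict]:
    """Return (canned response, JSON-serialisable log record).

    The response is identical for every request: that is the whole point of a
    low-interaction pot. There is no real handler to exploit, only a fixed
    reply and a log line."""
    record = {
        "ts": time.time() if now is None else now,
        "peer": peer,
        "bytes": min(len(raw), MAX_REQUEST_BYTES),
        "request": parse_probe(raw),   # None if the probe was not HTTP-shaped
    }
    body = b"<html><body><h1>It works!</h1></body></html>"
    response = (
        b"HTTP/1.1 200 OK\r\nServer: " + FAKE_BANNER + b"\r\n"
        b"Content-Type: text/html\r\nContent-Length: " + str(len(body)).encode() + b"\r\n"
        b"Connection: close\r\n\r\n" + body
    )
    return response, record


def serve(bind_addr: str = "0.0.0.0", port: int = 8080,
          log_path: str = "honeypot.jsonl") -> None:
    """Single-threaded listener: one bounded recv per connection, then close."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(16)
        with open(log_path, "a") as log:
            while True:
                conn, addr = srv.accept()
                with conn:
                    conn.settimeout(5)
                    try:
                        raw = conn.recv(MAX_REQUEST_BYTES)
                    except socket.timeout:
                        raw = b""
                    response, record = handle_probe(raw, f"{addr[0]}:{addr[1]}")
                    log.write(json.dumps(record) + "\n")
                    log.flush()
                    conn.sendall(response)


if __name__ == "__main__":
    serve()
```

      The log is one JSON object per connection, which is easy to grep or feed to whatever you already use for the logs of a ‘live’ server; the same pot can be pointed at any port, since the reply never depends on what was asked for.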
