
Real or Fake robots.txt?


ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Fri Sep 11, 2009 7:27 am

Real or Fake robots.txt?

I had a look at the number10.gov.uk robots.txt file yesterday and to my surprise they were exposing their Class A private IP address.

However I also noticed that their robots.txt file was not a file at all and instead was a directory named /robots.txt/. So the contents of that directory when you visit it must be served from another file, i.e. /robots.txt/somefile.php

Here is the URL:
http://www.number10.gov.uk/robots.txt/

Seems they have spent a lot of time on their robots.txt 'file'. They couldn't possibly leave the IP there by accident, or could they?
Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Fri Sep 11, 2009 9:07 am

Re: Real or Fake robots.txt?

Looks like a honeypot to me ;)
UNIX

Hero Member

Posts: 1251

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Sep 11, 2009 10:50 am

Re: Real or Fake robots.txt?

That's what came to my mind first as well. :)
ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Fri Sep 11, 2009 1:45 pm

Re: Real or Fake robots.txt?

I also thought that; however, from what I've heard, honeypots are illegal in the UK, as it is seen as entrapment.

And a Google search of the IP seems to indicate that it's the one they use:
http://wblinks.com/notes/number-10-goes-web-2
RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Sep 12, 2009 8:20 am

Re: Real or Fake robots.txt?

(Disclaimer: IANAL & UK-based, YMMV)

ethicalhack3r wrote: I also thought that; however, from what I've heard, honeypots are illegal in the UK, as it is seen as entrapment.


I hope not, or I'm due a knock on the door from the boys in blue...

From my understanding entrapment only applies to law enforcement, not members of the public, plus you need to actively encourage the 'attacker' to perform a criminal act on your honeypot. Merely having it sitting there, doing nothing to actively promote itself, does not constitute entrapment.
ethicalhack3r

Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Sat Sep 12, 2009 9:33 am

Re: Real or Fake robots.txt?

Ahhh... that makes more sense. Damn uni giving me misinformation!
RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Sep 12, 2009 11:36 am

Re: Real or Fake robots.txt?

Hey I could be wrong, don't want you (or anyone else) getting arrested on my account....
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Sep 12, 2009 12:34 pm

Re: Real or Fake robots.txt?

I am not sure of the UK laws, and I am not a lawyer.  However, I have always understood that entrapment mainly applies to law enforcement and to criminal cases, where the burden of proof lies with the plaintiff.  I also believe that entrapment does not have any penalty associated with it outside of getting your evidence thrown out of court.

RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sat Sep 12, 2009 12:46 pm

Re: Real or Fake robots.txt?

Hey Ketchup,

That fits with my understanding, basically a get out of jail free card if the accused can 'prove' entrapment.
UNIX

Hero Member

Posts: 1251

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Sep 14, 2009 4:58 am

Re: Real or Fake robots.txt?

Interesting to know, haven't heard of this before.

Can it therefore be said that honeypots in the UK may only be used for things such as research and analysis, but not for catching a few of the "bad guys"?
RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Sep 14, 2009 7:17 am

Re: Real or Fake robots.txt?

Awesec,

as I've stated previously IANAL, and I don't work for law enforcement, but my understanding is that the information collected from a honeypot isn't in itself a form of entrapment. This only becomes an issue if you actively encourage the defendant to attack your server, i.e. you can't post 'hack this IP a.b.c.d' in an IRC channel and then try to prosecute those that take you up on the option.

If a honeypot is just sitting there minding its own business I don't see any reason why the information collected can't be used to prosecute any less than the logs of a 'live' server; the fact a honeypot is specifically designed to record this information shouldn't, in my opinion, come into the equation.

Does anyone have any experience with this, or is anyone in a better position to prove me wrong? It would be interesting to know exactly where the legal profession sits on this issue.
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Sep 14, 2009 11:12 am

Re: Real or Fake robots.txt?

Andrew,

You got me curious about this. Most people consider honeypots to be enticement and not entrapment based on this definition. The attacker was looking for the honeypot; he/she would have found another target if not for your honeypot.

"Entrapment is the conception and planning of an offense by an officer, and his procurement of its commission by one who would not have perpetrated it except for the trickery, persuasion, or fraud of the officers."


I wasn't able to find any legal precedent in the US that dealt with this subject matter.  I did find some other interesting tidbits though.

1.  You can be liable for damages if your honeypot gets pwned and is used to cause damage elsewhere. 

2.  If improperly configured, your honeypot could be violating wiretapping laws.  I am assuming this is a more serious issue in the UK since your privacy laws are much more substantial than ours. 

3.  Entrapment pertains to law enforcement and not the private sector. 

My guess is that it's perfectly legal to use a properly configured honeypot.  I am not sure if the evidence collected from a honeypot will stand up in court.  I would recommend monitoring a honeypot regularly to make sure that it doesn't become an SSH proxy for an attacker.  I don't think that anyone wants their case to become the legal precedent in this matter :)

RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Tue Sep 15, 2009 3:12 am

Re: Real or Fake robots.txt?

Ketchup wrote: 1. You can be liable for damages if your honeypot gets pwned and is used to cause damage elsewhere.

True, although depending on the type of honeypot this is no worse than any other live system. If it gets 0wned bad people can do bad things with it.

It's for this reason that I only run low-interaction honeypots (Nepenthes and a couple of small custom scripts). As low-int honeypots only emulate the vuln rather than actually having the vulnerability, you should, in theory, be safe. (Unless there is an additional vulnerability in your honeypot application.)

High interaction pots scare the bejeesus out of me and I wouldn't recommend touching them. Although I did once stick an unpatched XP box on a public IP and waited for some action, didn't even get the kettle boiled before I pulled the power  :o

Ketchup wrote: 2. If improperly configured, your honeypot could be violating wiretapping laws. I am assuming this is a more serious issue in the UK since your privacy laws are much more substantial than ours.

tbh I've not given it any thought until now, but I'm not sure if wiretapping should be an issue with honeypots, as we're not intercepting traffic meant for another device, only stuff that targeted the honeypot itself (either maliciously or via misconfiguration). From a wiretap perspective I would have thought an IDS or IPS would be at greater risk of violating wiretap laws than a honeypot, and these are widely considered 'best-practice' technologies. (And don't get me started on 'privacy' within the UK...)

Personally I think one of the main issues people have with honeypot systems is that they are largely not understood. From my experience I find them to be a very useful addition to aid a sys & network admin to get a better understanding of the threats facing their systems, but as the legal position seems 'unknown' I'll refrain from suggesting anyone gives it a go...
