What is a Honey Pot?

In computing a “honey pot” is simply a security mechanism used to detect and/or monitor users. According to Wikipedia: “Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site, but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. This is similar to police sting operations, colloquially known as ‘baiting’ a suspect.”

There are several different types of honeypots and methods by which they can be deployed. However, for simplicity’s sake and for what we are going to talk about, think of a honey pot as an otherwise private-appearing web service that, unbeknownst to the user, is actually being run and administered by government agents who use the web service as a “front” to secretly gather data on the people who use it.

Example of Government Use

In 2014 the FBI began to investigate a tip regarding a website, intended to be accessible only through TOR, which was trafficking in child pornography. The individual(s) involved in creating this nauseating site obviously did not have strong knowledge of how to properly configure an “onion” web service. Consequently, the onion site’s real Internet Protocol (IP) address was being leaked, and the FBI had no trouble tracking down the location and server hosting the site. According to United States v. Horton, the FBI relocated the website to a secure government facility and thus assumed full administrative control.

However, a challenge remained. As the site was intended to be accessed only through TOR, the users who accessed it could not readily be identified by their IP addresses.

Unmasking TOR Anonymity

According to various open source government documents (here, here and here), the FBI sought and received a search warrant that allowed them to deploy malware which they dubbed the Network Investigative Technique (NIT). NIT, at that time, took advantage of a security flaw in Mozilla’s Firefox web browser. It is no coincidence that the TOR web browser is based on Mozilla Firefox and that NIT exploited a security flaw in the underlying technology. Though official information in the public domain is lacking, based on the information I have read, I would make an educated guess that NIT probably took advantage of some weakness in JavaScript.

Since the FBI had full operational control of the website and was armed with a legal mandate, it included NIT in the website code. From that point on, anyone who visited the site would likely become infected with NIT.

How NIT Worked

Once NIT secretly installed itself and its dependencies onto the end user’s (target’s) machine, it sent back to a government server the infected machine’s “…Internet Protocol (IP) address, operating system information, operating system username, and its Media Access Control (MAC) address…” (United States v. Horton). Because IP and MAC addresses can be masked or spoofed, the report also included a unique NIT-generated identifier that the government server used to ensure the data it was receiving came from the same computer. Agents very likely could later use this unique identifier during a physical forensic examination of a suspect’s computer to tie the physical computer to the data they had earlier received.

Most security- and privacy-minded people know their IP address can be easily tracked, and therefore VPNs, TOR, and public internet access points can provide a means to mask one’s identity. However, it is often overlooked that a MAC address is perhaps more identifying than an IP address. IP addresses get reused from connection to connection. MAC addresses, by contrast, are (for simplicity’s sake) “burned” into the chip, which is usually physically built into a machine. Though there are ways, in some cases, to spoof a MAC address, if one fails to do this and the machine is seized, having a MAC address that matches a suspect MAC address is ALMOST as damning as your fingerprints being on a murder weapon. Great public attention is placed on masking IP addresses and very little attention is paid to MAC addresses. It is an easy and common oversight to make.
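As an added illustration (not from the original post) of why the MAC address is worth checking, the following Python helper classifies a MAC address as burned-in (universally administered) or locally administered using the IEEE 802 U/L bit, which is how a randomized or spoofed address is normally flagged. The sample addresses are constructed; the only real OS call is the standard library’s uuid.getnode().

```python
"""Classify a MAC address by its IEEE 802 address bits.

In the first octet, bit 0 (LSB) is the I/G bit (0 = unicast, 1 = group/multicast)
and bit 1 is the U/L bit (0 = universally administered, i.e. vendor-assigned and
"burned in"; 1 = locally administered, i.e. set by software, as a spoofed or
randomized address usually is). Added example, not code from the original post.
"""
import re
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class MacInfo:
    oui: str                    # first three octets, e.g. '00:1A:2B'
    locally_administered: bool  # U/L bit set: not a vendor-assigned address
    multicast: bool             # I/G bit set: not a host address at all


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def classify_mac(mac: str) -> MacInfo:
    raw = parse_mac(mac)
    first = raw[0]
    return MacInfo(
        oui=":".join(f"{b:02X}" for b in raw[:3]),
        locally_administered=bool(first & 0x02),
        multicast=bool(first & 0x01),
    )


def looks_burned_in(mac: str) -> bool:
    """True for a universally administered unicast address: the kind of
    hardware identifier that would match a seized machine's NIC."""
    info = classify_mac(mac)
    return not info.locally_administered and not info.multicast


def local_mac() -> str:
    """Format the address uuid.getnode() reports for this host. If no hardware
    address could be read, Python returns a random number with the multicast
    bit set, so classify_mac(local_mac()).multicast means 'unknown', not a NIC."""
    node = uuid.getnode()
    return ":".join(f"{(node >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))
```

Running classify_mac(local_mac()) on your own machine shows whether the address your operating system currently exposes is vendor-assigned or locally administered.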

Now armed with specific identifying information tied to website user names and access timestamps, the FBI could easily track down and seize the end users’ computers and forensically analyze them. Many arrests were made.

Conclusion

I doubt any rational people will have any qualms with what the FBI did in this case; I know I sure don’t. This case provides an interesting study of how government turns “black” and “grey” hat “hacking” around and uses those skills for a greater good. I also believe there is a legitimate concern about what would stop a government from using these same techniques for other “issues.” For example, there is nothing, technologically speaking, that would prevent a government from taking control of an onion site used by political dissidents and using these same techniques to potentially suppress members’ ability to communicate and dissent. In the post-Snowden era it also makes one wonder what other government honeypots exist out there.