IDS mailing list archives

RES: Honeytokens and detection


From: "Augusto Paes de Barros" <augusto () paesdebarros com br>
Date: Tue, 8 Apr 2003 6:49:24 -0000

David,

You are right. Publicly known honeytokens wouldn't be of much use. Each
company should create its own fake data, to add a random factor and increase
the chance of it being usable in these cases.

Honeytokens as database rows raise some additional issues that should be
remembered. All apps that do things like "SELECT * FROM TRANSACTIONS" can
make the alarm sound.

One of my favourite ones is the bogus administrator/root user with a null
password. Has anyone already tried something with these?

Regards,


Augusto.

-----Original Message-----
From: David Zbonski [mailto:dzbonski () hotmail com]
Sent: Sunday, April 6, 2003 17:04
To: lance () honeynet org; FOCUS-IDS () SECURITYFOCUS COM
Subject: Re: Honeytokens and detection


I think the idea is great but I think if the numbers (or tokens) were public
it would be self-defeating.  The would-be thief might easily avoid pulling
the token like a thief avoids pulling the last bill from a bank drawer to
avoid setting off the alarm.   Wouldn't it be best for each institution to
create their own? The security would be in detecting and alerting on the
movement of the token information.  I think it falls into "security by
obscurity" but I also feel that this does not mean that it is wrong - it
just means that you can't count on it 100%.  It is a part of that larger
puzzle of keeping data safe and systems usable.

Just my two cents.

David Zbonski
Zbonski Consulting
www.zbonski.com

--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto () paesdebarros com br
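Added example (not part of the original thread, and not code from either poster): a small Python/sqlite3 sketch of the two ideas in Augusto's message. It plants a honeytoken row whose account number is generated randomly per deployment (so the token is never public, as David argues), wraps queries in an audit hook that alerts when the row shows up in a result set, and downgrades full-table reads by allow-listed batch jobs so that "SELECT * FROM TRANSACTIONS" style apps do not fire the alarm. A second function watches constructed sshd-style log lines for any login against the bogus admin account. The table layout, the app names in FULL_TABLE_APPS, the "sysadm" honey username, and all rows and log lines are assumptions made up for the example.

```python
import re
import secrets
import sqlite3

# Hypothetical per-deployment honeytoken: the account number is random so the
# value is never publicly known; the holder name and amount are constructed.
def new_honeytoken():
    return {
        "account": f"{secrets.randbelow(10**10):010d}",
        "holder": "Ingrid Halvorsen",   # constructed fake customer
        "amount": 1417.23,
    }

def setup_db(token):
    """Build an in-memory TRANSACTIONS table: three constructed real rows plus the token row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TRANSACTIONS (id INTEGER PRIMARY KEY, account TEXT, holder TEXT, amount REAL)"
    )
    rows = [
        ("1000200030", "Alice Smith", 20.00),
        ("1000200031", "Bob Jones", 975.10),
        ("1000200032", "Carol Wu", 3.45),
        (token["account"], token["holder"], token["amount"]),
    ]
    conn.executemany("INSERT INTO TRANSACTIONS (account, holder, amount) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

# Assumption: applications known to legitimately read the whole table (batch jobs).
FULL_TABLE_APPS = {"nightly-reconciliation"}

def audited_query(conn, app, sql, params=(), token=None, alerts=None):
    """Run a query on behalf of `app`; append an alert if the honeytoken row is in the result.

    A full-table read by an allow-listed batch app is recorded as 'info' so that
    "SELECT * FROM TRANSACTIONS" jobs do not page anyone; any other read that
    returns the token row is 'high'.
    """
    rows = conn.execute(sql, params).fetchall()
    if token is not None and alerts is not None:
        hit = any(str(cell) == token["account"] for row in rows for cell in row)
        if hit:
            total = conn.execute("SELECT COUNT(*) FROM TRANSACTIONS").fetchone()[0]
            full_scan = len(rows) == total
            severity = "info" if (app in FULL_TABLE_APPS and full_scan) else "high"
            alerts.append({"app": app, "severity": severity, "sql": sql, "rows": len(rows)})
    return rows

# Hypothetical bogus admin account: nothing legitimate should ever log in with it.
HONEY_ADMIN = "sysadm"

AUTH_LINE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def honey_account_logins(log_text, username=HONEY_ADMIN):
    """Return every login attempt (failed or accepted) against the honey account."""
    hits = []
    for line in log_text.splitlines():
        m = AUTH_LINE.search(line)
        if m and m.group("user") == username:
            hits.append({"result": m.group("result"), "ip": m.group("ip"), "line": line})
    return hits

# Constructed sample log: a normal login, a failed probe, and a success against the honey account.
SAMPLE_AUTH_LOG = """\
Apr  8 06:40:01 db1 sshd[4123]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Apr  8 06:41:17 db1 sshd[4130]: Failed password for invalid user test from 203.0.113.9 port 40112 ssh2
Apr  8 06:41:23 db1 sshd[4131]: Accepted password for sysadm from 203.0.113.9 port 40120 ssh2
"""

def demo():
    """Exercise both detectors; returns (db alerts, honey-account login hits)."""
    token = new_honeytoken()
    conn = setup_db(token)
    alerts = []
    # Batch job reading everything: expected, logged as info.
    audited_query(conn, "nightly-reconciliation", "SELECT * FROM TRANSACTIONS",
                  token=token, alerts=alerts)
    # Targeted lookup of the fake account: nobody legitimate knows it, so this is high.
    audited_query(conn, "web-frontend", "SELECT * FROM TRANSACTIONS WHERE account = ?",
                  (token["account"],), token=token, alerts=alerts)
    # Ordinary lookup of a real account: no alert.
    audited_query(conn, "web-frontend", "SELECT * FROM TRANSACTIONS WHERE account = ?",
                  ("1000200031",), token=token, alerts=alerts)
    return alerts, honey_account_logins(SAMPLE_AUTH_LOG)

if __name__ == "__main__":
    db_alerts, login_hits = demo()
    for a in db_alerts:
        print(f"[{a['severity']}] {a['app']}: {a['sql']} ({a['rows']} rows)")
    for h in login_hits:
        print(f"[high] honey account login: {h['result']} from {h['ip']}")
```

The allow-list is the crude part: a compromised batch account running "SELECT * FROM TRANSACTIONS" looks identical to the nightly job, so a real deployment would also key on source host, time window or row count rather than app name alone.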

