IDS mailing list archives

Re: Honeytokens and detection


From: "David Zbonski" <dzbonski () hotmail com>
Date: Sun, 06 Apr 2003 15:04:28 -0500

I think the idea is great but I think if the numbers (or tokens) were public it would be self-defeating. The would-be thief might easily avoid pulling the token like a thief avoids pulling the last bill from a bank drawer to avoid setting off the alarm. Wouldn't it be best for each institution to create their own? The security would be in detecting and alerting on the movement of the token information. I think it falls into "security by obscurity" but I also feel that this does not mean that it is wrong - it just means that you can't count on it 100%. It is a part of that larger puzzle of keeping data safe and systems useable.

Just my two cents.

David Zbonski
Zbonski Consulting
www.zbonski.com

From: Lance Spitzner <lance () honeynet org>
To: Focus on Intrusion Detection Systems <FOCUS-IDS () SECURITYFOCUS COM>
Subject: Honeytokens and detection
Date: Thu, 3 Apr 2003 16:45:06 -0600 (CST)

I've been playing with the concept of Honeytokens,
thinking of ways that they could apply to intrusion
detection.  Based on recent events, had some ideas.
There have been reports of databases broken into, with
thousands of social security numbers or millions of
credit cards stolen.  One of the problems is in some
of these cases, it was not known for days, weeks, or
even months that the data had been compromised.

I was thinking that Honeytokens could be used for detecting
when such data was compromised/stolen.  Inside each
database Honeytoken numbers are inserted.  These tokens
are known to have no value, no one should be using them.
Detection mechanisms such as IDS signatures are then created
to look for and detect these tokens being accessed or used.  If
these tokens are seen, this means someone has captured the
database, or is looking where they shouldn't be.

For example, create bogus social security numbers and store
them in your SSN database.  If the honeytoken SSNs hit
your network, someone may have just grabbed your database.  For
a CC database, insert honeytoken CCs and monitor for
those to hit your wire.  Once again, if you see someone
retrieving these numbers, someone is most likely being
naughty.

The advantage with this detection method is it's both
very simple and should dramatically reduce false positives.
What would be even better is if the IRS or some credit
card companies could post or distribute such honeytoken
numbers, so we within the security community are certain
we are not implanting valid numbers.

Either way, a thought to consider :)

--
Lance Spitzner
http://www.tracking-hackers.com







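A detector in the spirit of Lance's proposal, added here as an example and not code from either poster: SSN- and card-shaped candidates are pulled out of traffic or log lines, normalized, and compared against a per-institution token set stored as digests, which also speaks to David's point that the tokens themselves should stay private. The token values, regexes and sample lines are all constructed for this example.

```python
"""Honeytoken scanner: flags lines that carry planted dummy SSN or card
numbers.  Added example, not from the original thread.  Tokens and sample
lines are constructed; SSN area number 000 is never issued and the PAN is
the well-known test number, so neither can collide with a real record."""
import hashlib
import re

# Constructed honeytokens the institution planted in its own tables.
HONEYTOKENS = {
    "000-12-3456",          # SSN, area 000 is never assigned
    "000-98-7654",
    "4111 1111 1111 1111",  # widely used test PAN, never a live card
}

SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def normalize(s: str) -> str:
    """Strip separators so '000-12-3456' and '000123456' compare equal."""
    return re.sub(r"[^0-9]", "", s)

def token_digest(s: str) -> str:
    return hashlib.sha256(normalize(s).encode()).hexdigest()

# The signature set holds digests, so the rule file does not reveal
# the tokens to anyone who reads it.
SIGNATURES = {token_digest(t): t for t in HONEYTOKENS}

def scan_line(line: str) -> list[str]:
    """Return the honeytokens whose normalized form appears in line."""
    hits: list[str] = []
    for pattern in (SSN_RE, PAN_RE):
        for m in pattern.finditer(line):
            d = token_digest(m.group(0))
            if d in SIGNATURES and SIGNATURES[d] not in hits:
                hits.append(SIGNATURES[d])
    return hits

def scan_stream(lines):
    """Yield (line_no, hits) for every line that carries a honeytoken."""
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            yield n, hits

# Constructed sample lines: two carry planted tokens, one does not.
SAMPLE = [
    "GET /lookup?ssn=000123456 HTTP/1.1 200",
    "GET /lookup?ssn=123456789 HTTP/1.1 200",
    "export rows: name=Test PAN=4111-1111-1111-1111 exp=01/29",
]

if __name__ == "__main__":
    for lineno, hits in scan_stream(SAMPLE):
        print(f"line {lineno}: honeytoken(s) {hits} observed")
```

Only an exact token match fires, so ordinary SSN- or PAN-shaped values in the same stream produce no alert; that is where the low false-positive rate Lance describes comes from.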

