IDS mailing list archives
RE: Honeytokens and detection
From: "Pete Herzog" <lists () isecom org>
Date: Tue, 8 Apr 2003 22:57:51 +0200
David, I disagree. I think you may not get the illustration in full. If the bogus CCs or ID numbers were known and padded into Excel sheets, particular DBs, etc., especially those with thousands of numbers, the thief would be downloading the whole thing at once. It would not be about downloading only part of the DB or part of an Excel sheet as long as the dangerous ones don't get downloaded. Since it's downloaded in bulk, the IDS will look for that token somewhere in the download (or upload).

If the special tokens became known and signatures were made for them for all IDSes, much like EICAR for AntiVirus products does, we would essentially have a way of catching people doing wrongful things from our networks. These tokens could be made to mimic phone numbers, HR info, credit card numbers, and the like. Then we could add them in the places we want to protect and monitor, only to know that should they get stolen, we can watch how they move around and where they may end up.

So if my DB gets cracked in some elusive way and 1000 names get downloaded, my IDS may alarm me once it sees the honeytoken in the mix. Then it's gone. Then your IDS picks it up again in his network, because it was an employee of yours grabbing it, and that makes your IDS alert you. This can only be done with known honeytokens and collaboration.

Sincerely,
-pete.

Pete Herzog
Managing Director
ISECOM
www.isecom.org
www.osstmm.org
-----Original Message-----
From: David Zbonski [mailto:dzbonski () hotmail com]
Sent: Sunday, April 06, 2003 10:04 PM
To: lance () honeynet org; FOCUS-IDS () securityfocus com
Subject: Re: Honeytokens and detection

I think the idea is great, but I think if the numbers (or tokens) were public it would be self-defeating. The would-be thief might easily avoid pulling the token, like a thief avoids pulling the last bill from a bank drawer to avoid setting off the alarm. Wouldn't it be best for each institution to create their own? The security would be in detecting and alerting on the movement of the token information. I think it falls into "security by obscurity", but I also feel that this does not mean that it is wrong - it just means that you can't count on it 100%. It is a part of that larger puzzle of keeping data safe and systems usable.

Just my two cents.

David Zbonski
Zbonski Consulting
www.zbonski.com
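To make the mechanism Pete describes concrete, here is an added example (not part of the thread or of any ISECOM code): Luhn-valid constructed tokens are planted in a bulk export, and an IDS-style signature compiled from the shared token list flags the export on the way out, including a dash-formatted copy of the token. All token values and records are constructed for the demonstration.

```python
import re

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True if the full number (with check digit) passes the Luhn test."""
    return luhn_check_digit(number[:-1]) == number[-1]

def make_honeytoken(prefix15: str) -> str:
    """Constructed 16-digit token, Luhn-valid so it blends into a card column."""
    return prefix15 + luhn_check_digit(prefix15)

# Shared registry of planted tokens (constructed values, not real card numbers).
HONEYTOKENS = {make_honeytoken("400000000000100"), make_honeytoken("510000000000200")}

def compile_signatures(tokens):
    """One IDS-style signature: each token with digits optionally separated by
    a space or dash, and not embedded inside a longer run of digits."""
    alts = [r"[ -]?".join(t) for t in sorted(tokens)]
    return re.compile(r"(?<!\d)(?:" + "|".join(alts) + r")(?!\d)")

SIGNATURE = compile_signatures(HONEYTOKENS)

def find_honeytokens(payload: bytes) -> list:
    """Scan an outbound payload (bulk CSV/Excel export, upload body) and return
    (offset, normalized token) for every planted token it contains."""
    text = payload.decode("latin-1", errors="ignore")
    return [(m.start(), re.sub(r"[ -]", "", m.group())) for m in SIGNATURE.finditer(text)]

def constructed_export(plant: bool, dashed: bool = False) -> bytes:
    """Constructed bulk export: 1000 ordinary-looking rows, optionally one
    row carrying a planted token (plain or dash-formatted)."""
    rows = ["id,name,card,phone"]
    for i in range(1000):
        card = make_honeytoken(f"4111{i:011d}")     # filler rows, never a token
        rows.append(f"{i},user{i},{card},555-0{i:03d}")
    if plant:
        tok = min(HONEYTOKENS)
        if dashed:
            tok = "-".join(tok[j:j + 4] for j in range(0, 16, 4))
        rows[501] = f"500,user500,{tok},555-0500"
    return "\n".join(rows).encode()

if __name__ == "__main__":
    print(find_honeytokens(constructed_export(plant=True, dashed=True)))
```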