Honeypots mailing list archives

Re: Honeytokens and detection


From: "Bram Matthys \(Syzop\)" <syz () dds nl>
Date: Fri, 04 Apr 2003 01:32:02 +0200

[I usually don't give out information about my
 quite original honeypot kernel modules, but let's make
 an exception today ;)]

Hi,

Lance Spitzner wrote:
I was thinking that Honeytokens could be used for detecting
when such data was compromised/stolen.  Inside each
database Honeytoken numbers are inserted.  These tokens
are known to have no value, no one should be using them.
Detection mechanisms such as IDS signatures are then created
to look for and detect these tokens being accessed or used.

It's not exactly the same, but...

I once created a kernel module which monitored unlink() calls.
I then created ~10 useless files all over the filesystem,
and if unlink() was called on one of them, the system
would halt[*].
The idea is/was to use these "traps" against "rm -rf /"-like things.
Of course this doesn't defend against dd if=/dev/zero of=/dev/hda,
but it can have some use. It also doesn't rely on a special /bin/rm
binary, since that could have been replaced by the attacker.

I think such "traps" can be quite useful at host level; at network
level it wouldn't get detected if the hacker uses ssh/scp/sftp[**]/etc.
Of course you can just use both.

        Bram Matthys (Syzop).

[*]: I don't recommend such an action on a production machine ;).
[**]: with own (host)key.
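As an added example (this is not Bram's kernel module, nor any code from the list), the following userspace detector implements the same trap-file idea on top of the Linux audit subsystem instead of a custom module: the kernel still records every unlink() regardless of which /bin/rm binary is used, and the script correlates the SYSCALL, CWD and PATH records of each audit event to decide whether a trap file was removed. It assumes an auditd watch rule on each trap file (for example `auditctl -w /var/lib/.honeytoken -p wa -k honeytoken`), x86_64 syscall numbers for unlink/unlinkat, and the trap paths and log lines below are all constructed sample data, not real records.

```python
"""Detect unlink() of honeytoken ("trap") files from auditd records.

Added example: a userspace stand-in for the kernel module described in the
post. It assumes an auditd watch rule such as
`auditctl -w /var/lib/.honeytoken -p wa -k honeytoken` produces the records;
all trap paths and audit lines below are constructed sample data.
"""
import os
import re
from collections import defaultdict

# Constructed trap paths: files nobody has a legitimate reason to remove.
TRAP_FILES = {"/var/lib/.honeytoken", "/etc/.honey_passwd", "/home/admin/.secrets"}

# x86_64 syscall numbers that remove a directory entry: unlink (87), unlinkat (263).
UNLINK_SYSCALLS = {"87", "263"}

_HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be double-quoted (and then contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Parse one audit line into a dict of fields, or return None for non-audit lines."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    for key, quoted, bare in _KV_RE.findall(m.group("body")):
        rec[key] = quoted if quoted != "" else bare
    return rec


def group_events(lines):
    """Group records by audit serial: one event = one SYSCALL plus its CWD/PATH records.

    Records of different events may be interleaved in the log, so grouping by
    serial rather than by adjacency is what makes the correlation reliable.
    """
    events = defaultdict(lambda: {"syscall": None, "cwd": "/", "paths": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "CWD":
            ev["cwd"] = rec.get("cwd", "/")
        elif rec["type"] == "PATH":
            ev["paths"].append(rec)
    return events


def _absolute(name, cwd):
    """PATH names may be relative to the event's CWD record; normalise before matching."""
    if not name.startswith("/"):
        name = os.path.join(cwd, name)
    return os.path.normpath(name)


def detect_trap_hits(lines):
    """Return one alert per event that tried to unlink a trap file, in log order.

    A failed attempt (success=no) is reported too: the attempt itself is the signal.
    """
    alerts = []
    for serial, ev in group_events(lines).items():
        sc = ev["syscall"]
        if sc is None or sc.get("syscall") not in UNLINK_SYSCALLS:
            continue
        for p in ev["paths"]:
            if p.get("nametype") != "DELETE":
                continue  # PARENT/NORMAL entries describe the directory, not the victim
            path = _absolute(p.get("name", ""), ev["cwd"])
            if path in TRAP_FILES:
                alerts.append({
                    "serial": serial,
                    "path": path,
                    "succeeded": sc.get("success") == "yes",
                    "pid": sc.get("pid"),
                    "uid": sc.get("uid"),
                    "comm": sc.get("comm"),
                    "exe": sc.get("exe"),
                })
    return alerts


# Constructed sample log: event 1001 removes a trap file, 1002 removes an ordinary
# file via a relative name, 1003 is a failed unlinkat() of a trap file from a shell.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1049412722.101:1001): arch=c000003e syscall=87 success=yes exit=0 ppid=2200 pid=2211 auid=1000 uid=0 gid=0 comm="rm" exe="/bin/rm" key="honeytoken"
type=CWD msg=audit(1049412722.101:1001): cwd="/root"
type=PATH msg=audit(1049412722.101:1001): item=0 name="/var/lib/" inode=1234 dev=08:01 mode=040755 nametype=PARENT
type=PATH msg=audit(1049412722.101:1001): item=1 name="/var/lib/.honeytoken" inode=5678 dev=08:01 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1049412730.555:1002): arch=c000003e syscall=87 success=yes exit=0 ppid=2200 pid=2300 auid=1000 uid=1000 gid=1000 comm="rm" exe="/bin/rm" key="housekeeping"
type=CWD msg=audit(1049412730.555:1002): cwd="/tmp"
type=PATH msg=audit(1049412730.555:1002): item=1 name="scratch.txt" inode=9 dev=08:01 mode=0100644 nametype=DELETE
type=SYSCALL msg=audit(1049412740.200:1003): arch=c000003e syscall=263 success=no exit=-13 ppid=3100 pid=3111 auid=1000 uid=1000 gid=1000 comm="sh" exe="/bin/busybox" key="honeytoken"
type=CWD msg=audit(1049412740.200:1003): cwd="/home/admin"
type=PATH msg=audit(1049412740.200:1003): item=1 name=".secrets" inode=77 dev=08:01 mode=0100600 nametype=DELETE
"""

if __name__ == "__main__":
    for a in detect_trap_hits(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"TRAP HIT serial={a['serial']} path={a['path']} pid={a['pid']} "
              f"uid={a['uid']} comm={a['comm']} exe={a['exe']} succeeded={a['succeeded']}")
```

Run against the sample it reports events 1001 and 1003 and stays quiet on 1002. The response is deliberately an alert rather than the halt the post describes (see footnote [*]); what to do with the alert is a policy choice. Like the kernel module, this does not depend on a trusted /bin/rm, because the records come from the kernel; unlike the module it does depend on auditd staying alive and its log reaching somewhere the attacker cannot edit, so ship the records off-host if the trap is meant to survive a root compromise.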

