Honeypots mailing list archives
RE: Honeytokens and detection
From: Beau Monday <bmonday () scc mobilephone net>
Date: Thu, 3 Apr 2003 16:34:48 -0800
The goal is to set a tripwire, to alert the admin that the database has been compromised (or is in the process of being compromised). It doesn't matter if the data is public; by the time the hacker can view the data and realizes it has a token in it, it has already crossed the wire and set off the alarm, has it not?

Even if the hackers wrote algorithms to specifically skip records that had the bogus information, chances are the method used would also contain the token strings, and still set off the alarm. It's not foolproof, but I think this is a worthwhile venture.

Reminds me of a doctor friend of mine: he works at a hospital that plants bogus medical records under names like "John F. Kennedy" and watches who goes snooping into them.

Beau

-----Original Message-----
From: Bojan Zdrnja [mailto:Bojan.Zdrnja () LSS hr]
Sent: Thursday, April 03, 2003 4:07 PM
To: Lance Spitzner
Cc: honeypots () securityfocus com
Subject: Re: Honeytokens and detection
Original message:
From: Lance Spitzner <lance () honeynet org>
To: honeypots () securityfocus com <honeypots () securityfocus com>
Date: Friday, April 4, 2003, 10:45:24 AM
Subject: Honeytokens and detection
The advantage with this detection method is it's both very simple and should dramatically reduce false positives. What would be even better is if the IRS or some credit card companies could post or distribute such honeytoken numbers, so we within the security community are certain we are not implanting valid numbers.
Either way, a thought to consider :)
The idea, by itself, is IMHO pretty nice. But the problem is that once those honeytokens (or fake social numbers or whatever we use) get public, the whole project is lost. This means we have to keep those numbers extremely confidential (so only the good guys know which numbers are fake). If those numbers get public, crackers won't use them, so you'll never be able to see if they were leaked or not. On the other hand, if you keep them extremely confidential, you will limit the possible companies which can use that technique (you will probably have a list of companies which you trust).

As I said, the idea is cool, but I'm not sure how feasible it is in real life.

Best regards,
Bojan Zdrnja
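The tripwire Beau describes, as an added example that is not part of the thread or anyone's posted code: a bogus record is planted in a demo table, and an alarm fires when the planted token shows up either in a result set, in the text of a query (Beau's point that a filter written to skip the bogus record still carries the token string), or in a line of an egress or proxy log. The table, the record names, the token values and the log lines are all constructed for the demo and are not real identifiers or people.

```python
"""Honeytoken tripwire demo (constructed example, not from the mailing list).

Plants one bogus record in an in-memory SQLite table and watches for its
token crossing the wire: in query results, in query text, or in log lines.
"""
import re
import sqlite3
from typing import Iterable

# Constructed honeytokens for this demo; these are not real SSNs or keys.
# Each deployment would mint its own values and keep them off any public
# list, which is the confidentiality concern raised in the thread.
HONEYTOKENS = {
    "987-65-4320": "bogus patient 'John F. Kennedy' (patients.ssn)",
    "HT-7f3a9c": "bogus API key planted in config table",
}

# Match tokens only as whole units, so '987-65-43201' is not a false hit.
_TOKEN_RE = re.compile(
    r"(?<![0-9A-Za-z-])("
    + "|".join(re.escape(t) for t in HONEYTOKENS)
    + r")(?![0-9A-Za-z-])"
)


def scan_text(text: str) -> list[str]:
    """Return a description for every honeytoken occurrence found in text."""
    return [HONEYTOKENS[m.group(1)] for m in _TOKEN_RE.finditer(text)]


def scan_lines(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Scan a stream (e.g. an egress or proxy log) for honeytokens.

    Returns (line_number, description) pairs, one per hit.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        for why in scan_text(line):
            alerts.append((n, why))
    return alerts


def build_demo_db() -> sqlite3.Connection:
    """In-memory patients table holding one planted honey record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (name TEXT, ssn TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            ("Alice Example", "123-45-6789", "flu"),   # constructed ordinary row
            ("John F. Kennedy", "987-65-4320", "n/a"),  # planted honey record
        ],
    )
    conn.commit()
    return conn


def audited_query(conn: sqlite3.Connection, sql: str, params=()):
    """Run a query and report honeytoken hits in the query text or results.

    This is the tripwire at the data-access layer: the alarm fires as soon as
    the honey record is read, and also when the query itself names the token
    (for instance a WHERE clause written to exclude the bogus record).
    Returns (rows, alerts).
    """
    alerts = scan_text(sql)
    rows = conn.execute(sql, params).fetchall()
    for row in rows:
        alerts.extend(scan_text(" ".join(str(col) for col in row)))
    return rows, alerts


if __name__ == "__main__":
    conn = build_demo_db()
    # A full table dump reads the honey record and trips the alarm.
    _, alerts = audited_query(conn, "SELECT * FROM patients")
    print("dump:", alerts)
    # Skipping the bogus row still puts the token in the query text.
    _, alerts = audited_query(conn, "SELECT * FROM patients WHERE ssn != '987-65-4320'")
    print("filtered dump:", alerts)
    # Constructed egress log lines; only the second carries a token.
    print("log:", scan_lines(["GET /health 200", "POST /upload key=HT-7f3a9c 200"]))
```

The alert descriptions are kept in the token table so the alarm says which planted record was touched; in practice the same scanner would run over whatever the data actually crosses (an IDS signature on outbound traffic, a query audit log, a mail gateway) rather than over an in-process query wrapper.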