Honeypots mailing list archives
Re: Honeytokens and detection
From: Brian Hatch <honeypots () ifokr org>
Date: Thu, 3 Apr 2003 17:31:05 -0800
In general you should not generate decoy/deception data from real data by filtering it through any reversible algorithm. Imagine if you added 1 to the 8th digit of all credit card numbers in your DB and then used those in your honeypot. Of course your honeypot gets hacked, the CC numbers get stolen and you feel you've learned a lot about the hacker. Then the algorithm you used (adding 1 to the 8th digit) is leaked. Now everyone with that 'bogus' CC DB can convert it back to a real DB. Better to use syntactically valid numbers that are not, and will never be, working. Remember, our attackers have access to the same web sites we do. The smart attacker is going to verify the numbers.
You missed the "add 1 to *one of the middle digits at random*" part. Not the 8th bit each time.

Besides, this was in the context of honeytokens - these fake CC numbers would have been put inside the actual database of real CC numbers, so if someone got your honeytoken, they already got a boatload of real CC numbers anyway.

--
Brian Hatch, Systems and Security Engineer
"You can never go wrong with garters. ... Hmm, *you* might."
http://www.ifokr.org/bri/
Every message PGP signed
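Added example, not part of the thread or written by its participants: one way to produce decoy card numbers that are syntactically valid (pass the Luhn check) but are drawn from a CSPRNG rather than computed from any real record, plus a scan that flags planted tokens in log or egress text. It also lets you check that adding 1 to any single digit of a real number always breaks the Luhn check unless the check digit is recomputed. The prefix `999999`, the function names and the sample values are assumptions made for illustration.

```python
import re
import secrets

# Assumption: a 6-digit prefix your card processor has confirmed is unassigned.
# "999999" is a constructed placeholder, not a verified unissued range.
DECOY_PREFIX = "999999"

def luhn_sum(digits: str) -> int:
    """Luhn checksum over a full number; a valid number gives 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10

def luhn_valid(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) == 0

def new_honeytoken(real_numbers: set, length: int = 16) -> str:
    """Random Luhn-valid number: CSPRNG body, never computed from a real record."""
    free = length - len(DECOY_PREFIX) - 1
    while True:
        body = DECOY_PREFIX + "".join(secrets.choice("0123456789") for _ in range(free))
        token = body + str((10 - luhn_sum(body + "0")) % 10)
        if token not in real_numbers:  # real data is used only as a collision check
            return token

def tweak_digit(number: str, index: int) -> str:
    """The derived-decoy scheme discussed in the thread: add 1 (mod 10) to one digit."""
    d = (int(number[index]) + 1) % 10
    return number[:index] + str(d) + number[index + 1:]

def find_honeytokens(lines, tokens: set):
    """Return (line_no, token) for each planted token seen in log or egress text."""
    hits = []
    for n, line in enumerate(lines, 1):
        for cand in re.findall(r"\b\d{13,19}\b", line):
            if cand in tokens:
                hits.append((n, cand))
    return hits
```
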