Honeypots mailing list archives

Re: Honeytokens and detection


From: Brian Hatch <honeypots () ifokr org>
Date: Thu, 3 Apr 2003 17:31:05 -0800



> In general you should not generate decoy/deception data from real data
> by filtering it through any reversible algorithm. Imagine if you added
> 1 to the 8th digit of all credit card numbers in your DB and then used
> those in your honeypot. Of course your honeypot gets hacked, the CC
> numbers get stolen and you feel you've learned a lot about the hacker.
> Then the algorithm you used (adding 1 to the 8th digit) is leaked. Now
> everyone with that 'bogus' CC DB can convert it back to a real DB.
>
> Better to use syntactically valid numbers that are not, and will never
> be, working. Remember, our attackers have access to the same web sites
> we do. The smart attacker is going to verify the numbers.

You missed the "add 1 to *one of the middle digits at random*" part.
Not the 8th bit each time.

Besides, this was in the context of honeytokens - these fake
CC numbers would have been put inside the actual database of
real CC numbers, so if someone got your honeytoken, they
already got a boatload of real CC numbers anyway.



--
Brian Hatch                  "You can never go wrong
   Systems and                with garters.
   Security Engineer          ... Hmm, *you* might."
http://www.ifokr.org/bri/

Every message PGP signed
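The two schemes argued over in this thread, worked through in code. This is an added example, not code from either poster: it implements the "add 1 to one digit" derivation and its inverse, shows that single-digit changes are caught by the Luhn check (so an attacker can sort derived decoys from real numbers offline, before ever touching a verification web site), and then mints independent honeytokens that are Luhn-valid but were never derived from real data. The "real" PAN, the issuer prefix and the registry structure are constructed for the example; in a real deployment the prefix would be a range your processor confirms is never issued.

```python
"""Honeytoken card numbers: reversible derivation vs. independent minting.

Added example for this mailing-list thread, not code from the original post.
REAL_PAN and HONEYTOKEN_IIN are constructed values.
"""
import secrets

# Constructed "real" PAN (Luhn-valid, 16 digits); not a real account.
REAL_PAN = "4539578763621486"
# Assumed prefix for minted honeytokens. Pick a range that will never be
# issued; "4000" is a placeholder for the example only.
HONEYTOKEN_IIN = "4000"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    return next(c for c in "0123456789" if luhn_valid(partial + c))


def derive_decoy(real_pan: str, position: int) -> str:
    """The scheme discussed in the thread: add 1 (mod 10) to one digit."""
    digits = list(real_pan)
    digits[position] = str((int(digits[position]) + 1) % 10)
    return "".join(digits)


def recover_real(decoy_pan: str, position: int) -> str:
    """Whoever learns the algorithm and the position simply undoes it."""
    digits = list(decoy_pan)
    digits[position] = str((int(digits[position]) - 1) % 10)
    return "".join(digits)


def recover_candidates(decoy_pan: str, positions=range(1, 15)) -> list:
    """Random middle position: the attacker tries every middle position and
    keeps the Luhn-valid results. The real PAN is always in this list, and
    the list is at most len(positions) long, so "random" buys little."""
    return [recover_real(decoy_pan, p) for p in positions
            if luhn_valid(recover_real(decoy_pan, p))]


def mint_honeytoken(iin: str = HONEYTOKEN_IIN, length: int = 16) -> str:
    """Independent honeytoken: random body plus a correct check digit.
    Nothing here is derived from a real record, so there is nothing to
    reverse if the scheme leaks."""
    body = iin + "".join(str(secrets.randbelow(10))
                         for _ in range(length - len(iin) - 1))
    return body + luhn_check_digit(body)


def issue_honeytokens(count: int, registry: set) -> list:
    """Mint honeytokens and record them so their later use can be detected."""
    tokens = []
    while len(tokens) < count:
        token = mint_honeytoken()
        if token not in registry:
            registry.add(token)
            tokens.append(token)
    return tokens


def is_honeytoken(pan: str, registry: set) -> bool:
    """Detection hook for checkout, account lookup, export paths, etc."""
    return pan in registry


if __name__ == "__main__":
    decoy = derive_decoy(REAL_PAN, 7)
    # A single-digit change always breaks Luhn, so the decoy is spottable
    # offline, and the real number is recoverable once the position leaks.
    print("decoy", decoy, "luhn:", luhn_valid(decoy))
    print("recovered:", recover_real(decoy, 7) == REAL_PAN)
    print("candidates w/o position:", recover_candidates(decoy))
    registry = set()
    for t in issue_honeytokens(3, registry):
        print("honeytoken", t, "luhn:", luhn_valid(t),
              "flagged:", is_honeytoken(t, registry))
```

The registry is the piece that turns a decoy into a honeytoken: a minted number is only useful for detection if the application can recognise it when it is used, so store the issued set (or a keyed hash of it) where the checkout and lookup paths can consult it.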
