Honeypots mailing list archives

Re: honeytokens


From: victor calzado <vcalzado () gmail com>
Date: Sat, 7 May 2005 00:51:02 +0200

Hi,

On 5/6/05, Vijayakumar <gvij2000 () yahoo com> wrote:
> hi,
>
> I am relatively new in this area. I had some questions
> and would be thankful if someone could shed some light
> on them.


I'm not sure about light, but I'll try to.

> I had the idea for honeytokens some time back. Then I only
> found out it has already been thought of. I did not
> know the keyword "honeytoken". While I was talking to
> a friend of mine, he said it sounds like a
> honeypot. Then I searched on Google for honeypot and
> databases. I have decided to do my thesis on
> honeytokens.

I'm sure you have found Lance's paper: "Honeytokens: The Other Honeypots"

http://www.securityfocus.com/infocus/1713

After reading the paper you could find partial answers to your
questions. I say partial because Lance's paper is mainly focused on
using honeytokens to deal with internal threats and only suggests
other additional uses in any kind of server (database, mail server,
web server) that could be linked to an additional system (IDS or IPS)
to detect honeytoken access in the security monitoring platform. These
honeytokens could be classified using their "secret and unique nature",
which makes them real or classical honeytokens.

If you are interested in external uses of honeytokens you could find
useful information about the so-called "Spambots" or "Spambot
honeytokens", or the classical modification of phf.cgi to detect access
to the cgi and redirect the "attacker" to another central server which
logs phf.cgi access all over the world. I've always thought about
phf.cgi as the first "distributed token", but it could not be
considered a distributed honeytoken because it was triggered any time
an intruder made a request to the cgi script.

A honeytoken is information, and an alert shouldn't be sent if this
information is only gathered but not used. So distributed tokens
should contain information and only alert the central node if this
information is used.
This kind of distributed token could help to detect widespread
malicious activities in a way completely similar to worm detection
using honeypots. These are tokens, but they are far away from traditional
honeytokens, and maybe it's better to think about them as sensors unless
we could find a way to link the sensor to an information leak. So they
need to be public and widespread so they can be used to identify a
potential source of activity by simple alert aggregation, like IDSs do,
but without the need for "intelligence" to make the aggregation.
These tokens need to be unique in such a way that they could not be easily
detected, so we need to make unique tokens which should contain unique
information. Spreadsheets with different names containing different
users and passwords could be a simple example of distributed tokens;
the access to the system with the user/password combination could be
used to send the alert to the central node.
 
The nature of the tokens, which are mixed with real contents, and the
fact that the alert will only be triggered when the internal token is
used may help to discard automatic activities that are not related
to data gathering.

A distributed network could be deployed and anyone could join it
without gaining knowledge about the exact nature of the tokens that other
nodes are using, so the tokens could remain secret, making it difficult to
guess if they are a real vulnerability, a badly coded php page, an
information leak like a nohup.out or java.log present in a web server
root, or a distributed token.
I have always thought about this kind of sensor to detect "google
hacking" activities without detecting all of the automatic toolkits
that don't need any human interaction.

They could be used to detect "data mining" activities like competitive
intelligence scouting that looks for information leaks in an
organization. This has been a traditional use of honeytokens, but
using more tokens pointing to different targets could help to find
attackers that are really interested in an organization, or a kind of
information leak very common in different servers around the world.
Unfortunately I never have time to think about it, and I'm sure that
there is nothing new in all this mail, but I hope I could help you in
the search for new honeytoken deployment strategies.

Regards,
Victor


> 1. What are the key challenges involving honeytokens?
>
> 2. Why has it not been implemented on a large basis?
>
> best
> vijay
>
> Work like you don't need the money
> Dance like no one is watching



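One way to build the per-file credential tokens and the "alert only on use" rule described in the mail above, as an added example that is not part of the original message or any project it mentions; the node key, file paths and login attempts are constructed for illustration:

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed node-local key; each node derives its own tokens from its own key,
# so other nodes never learn which credentials are planted where.
NODE_KEY = b"constructed-node-key-not-a-real-secret"


def mint_token(location: str, key: bytes = NODE_KEY) -> Tuple[str, str]:
    """Derive a unique user/password pair for one planted spreadsheet.

    Every location gets different credentials, so a later login with them
    identifies which file was harvested (the information leak) directly.
    """
    tag = hmac.new(key, location.encode(), hashlib.sha256).hexdigest()
    return "svc_" + tag[:8], tag[8:28]


class TokenRegistry:
    """Node-local map from honeytoken username to the file it was planted in."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Tuple[str, str]] = {}

    def plant(self, location: str) -> Tuple[str, str]:
        user, password = mint_token(location)
        self._by_user[user] = (password, location)
        return user, password

    def check_login(self, user: str, password: str, source: str) -> Optional[dict]:
        """Alert only when a planted credential is actually *used* to log in.

        Merely downloading the spreadsheet is 'gathering' and stays silent;
        an authentication attempt with its contents is 'use' and alerts.
        """
        entry = self._by_user.get(user)
        if entry is None:
            return None  # ordinary account, not a token: handled elsewhere
        expected, location = entry
        exact = hmac.compare_digest(expected, password)
        return {"source": source, "location": location, "user": user, "exact": exact}


def aggregate(alerts: List[dict]) -> Counter:
    """Central-node view: a plain count per source is enough to spot a scout."""
    return Counter(a["source"] for a in alerts)


def demo() -> Tuple[List[dict], Counter]:
    reg = TokenRegistry()
    u1, p1 = reg.plant("webroot/finance_contacts.xls")   # constructed path
    u2, p2 = reg.plant("ftp/pub/backup_users.xls")       # constructed path
    attempts = [  # constructed login attempts seen at this node
        ("alice", "summer2005", "10.0.0.5"),  # real user: no alert
        (u1, p1, "203.0.113.7"),              # token used: alert
        (u2, p2, "203.0.113.7"),              # same source, second token
    ]
    alerts = [a for a in (reg.check_login(*t) for t in attempts) if a]
    return alerts, aggregate(alerts)
```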
