Honeypots mailing list archives
Re: honeytokens
From: victor calzado <vcalzado () gmail com>
Date: Sat, 7 May 2005 00:51:02 +0200
Hi,

On 5/6/05, Vijayakumar <gvij2000 () yahoo com> wrote:
hi, I am relatively new in this area. I had some questions and would be thankful if someone could shed some light on them.
I'm not sure about light, but I'll try to.
I had the idea for honeytokens some time back. Then I only found out it has already been thought of. I did not know the keyword "honeytoken". While I was talking to a friend of mine, he said it sounds like a honeypot. Then I searched on Google for honeypot and databases. I have decided to do my thesis on honeytokens.
I'm sure you have found Lance's paper, "Honeytokens: The Other Honeypots": http://www.securityfocus.com/infocus/1713 After reading the paper you could find partial answers to your questions. I say partial because Lance's paper is mainly focused on using honeytokens to deal with internal threats and only suggests other additional uses in any kind of server (database, mail server, web server) that could be linked to an additional system (IDS or IPS) to detect honeytoken access in the security monitoring platform. These honeytokens could be classified by their "secret and unique nature", which makes them real or classical honeytokens.

If you are interested in external uses of honeytokens, you could find useful information about the so-called "Spambots" or "Spambot honeytokens", or the classical modification of phf.cgi to detect access to the CGI and redirect the "attacker" to another central server which logs phf.cgi access all over the world. I've always thought about phf.cgi as the first "distributed token", but it could not be considered a distributed honeytoken because it was triggered any time an intruder made a request to the CGI script. A honeytoken is information, and an alert shouldn't be sent if this information is only gathered but not used. So distributed tokens should contain information and only alert the central node if this information is used. This kind of distributed token could help to detect widespread malicious activities in a way completely similar to worm detection using honeypots. These are tokens but are far away from traditional honeytokens, and maybe it's better to think about them as sensors unless we could find a way to link the sensor to an information leak. So they need to be public and widespread so they can be used to identify a potential source of activity by simple alert aggregation, like IDSs do, but without the need of "intelligence" to make the aggregation.

These tokens need to be unique in such a way that they could not be easily detected, so we need to make unique tokens which should contain unique information. Spreadsheets with different names containing different users and passwords could be a simple example of distributed tokens; the access to the system with the user/password combination could be used to send the alert to the central node. The nature of the tokens, which are mixed with real contents, and the fact that the alert will only be triggered when the internal token is used may help to discard automatic activities that are not related to data gathering. A distributed network could be deployed and anyone could join it without gaining knowledge about the exact nature of the tokens that other nodes are using, so the tokens could remain secret, making it difficult to guess if they are a real vulnerability, a badly coded PHP page, an information leak like a nohup.out or java.log present in a web server root, or a distributed token.

I have always thought about this kind of sensor to detect "Google hacking" activities without detecting all of the automatic toolkits that don't need any human interaction. They could be used to detect "data mining" activities like competitive intelligence scouting that looks for information leaks in an organization. This has been a traditional use of honeytokens, but using more tokens pointing to different targets could help to find attackers that are really interested in an organization, or a kind of information leak very common in different servers around the world.

Unfortunately I never have time to think about it, and I'm sure that there is nothing new in all this mail, but I hope I could help you in the search for new honeytoken deployment strategies.

Regards,
Victor
1. What are the key challenges involving honeytokens?
2. Why has it not been implemented on a large basis?

best
vijay

Work like you don't need the money
Dance like no one is watching
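The "spreadsheets with unique user/password pairs" deployment Victor sketches above, worked through as an added example that is not part of the thread. The planting side derives a distinct credential pair per site from a central key (so the pair is traceable without storing cleartext), the authentication side fires only when a planted pair is actually used for a login (fetching the spreadsheet does not alert, which is Victor's distinction between a sensor and a honeytoken), and the central node aggregates alerts by source and by site. Site names, IP addresses, the master key and the filler row are all constructed values.

```python
import csv
import hashlib
import hmac
import io
from collections import defaultdict

# Constructed key; in a real deployment only the central alerting node holds it.
MASTER_KEY = b"example-central-node-key-not-for-production"


def derive_token(site, index, key=MASTER_KEY):
    """Derive one unique, non-guessable username/password pair for the
    spreadsheet planted on `site`. Because the pair is an HMAC of (site, index),
    the central node can regenerate every token from the key alone, so the
    tokens stay secret from the other nodes that plant them."""
    tag = hmac.new(key, f"{site}:{index}".encode(), hashlib.sha256).hexdigest()
    return f"svc_{tag[:8]}", tag[8:24]


def credential_id(username, password):
    """Stable lookup key for a credential pair; the registry stores only this
    digest, never the cleartext pair."""
    return hashlib.sha256(f"{username}\x00{password}".encode()).hexdigest()


def plant_tokens(sites, per_site):
    """Build one CSV 'password list' per site plus the central registry that
    maps each planted pair back to where it was planted."""
    registry = {}
    sheets = {}
    for site in sites:
        rows = [("hostname", "username", "password")]
        # Constructed filler row so the tokens sit among ordinary-looking data.
        rows.append((f"intranet.{site}", "readonly", "Spring2005!"))
        for i in range(per_site):
            user, pw = derive_token(site, i)
            rows.append((f"db{i}.{site}", user, pw))
            registry[credential_id(user, pw)] = {"site": site, "index": i}
        buf = io.StringIO()
        csv.writer(buf).writerows(rows)
        sheets[site] = buf.getvalue()
    return sheets, registry


def check_login(registry, source_ip, username, password):
    """Hook on the authentication path. Returns an alert only when a planted
    pair is actually used; merely reading the spreadsheet never reaches here,
    and a matching username with the wrong password is ignored."""
    hit = registry.get(credential_id(username, password))
    if hit is None:
        return None
    return {"source_ip": source_ip, "username": username, **hit}


def aggregate(alerts):
    """Central-node view: which sources used tokens from which sites.
    One source touching several sites looks like a targeted collector; one
    site's token used from many sources looks like a widely spread leak."""
    by_source = defaultdict(set)
    by_site = defaultdict(set)
    for a in alerts:
        by_source[a["source_ip"]].add(a["site"])
        by_site[a["site"]].add(a["source_ip"])
    return dict(by_source), dict(by_site)


def run_sample():
    """Constructed login attempts against two planted sites."""
    sites = ["www.example-a.test", "www.example-b.test"]
    sheets, registry = plant_tokens(sites, 2)
    ua0, pa0 = derive_token(sites[0], 0)
    ub1, pb1 = derive_token(sites[1], 1)
    attempts = [
        ("198.51.100.7", ua0, pa0),                # token planted on site A
        ("198.51.100.7", ub1, pb1),                # same source, token from site B
        ("203.0.113.9", ua0, pa0),                 # second source, site A token
        ("203.0.113.9", ua0, "guess1"),            # username only: no alert
        ("192.0.2.5", "readonly", "Spring2005!"),  # filler row, not a token
    ]
    alerts = [a for a in (check_login(registry, *t) for t in attempts) if a]
    return sheets, registry, alerts


if __name__ == "__main__":
    _, _, alerts = run_sample()
    by_source, by_site = aggregate(alerts)
    for src, sites in by_source.items():
        print(src, "used tokens from", sorted(sites))
```

Deriving the pair from the key rather than generating it randomly is a design choice: the central node never needs the planting nodes to report what they planted, which keeps the exact token contents unknown to everyone but the node that derived them, the property Victor wants so an observer cannot tell a token from a genuine leaked file.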
Current thread:
- honeytokens Vijayakumar (May 06)
- Re: honeytokens Valdis . Kletnieks (May 06)
- Re: honeytokens victor calzado (May 08)
- RE: honeytokens Aditya Deshmukh (May 12)
- <Possible follow-ups>
- RE: honeytokens Stejerean, Cosmin (May 06)