Honeypots mailing list archives

Re: honeytokens in databases


From: Valdis.Kletnieks () vt edu
Date: Mon, 18 Sep 2006 14:35:06 -0400

On Mon, 18 Sep 2006 15:14:56 -0000, gvij2000 () yahoo com said:
> hi
>   I would like some guidance in creating and deploying honeytokens.
>
>   1. Coming up with honeytoken data that would interest hackers.

This is very site-specific.  What I might recommend for a honey token for
our student-records crew is probably not a good fit for a hospital...

>   2. How and where do I place the data so that I can monitor hackers.

Well, you basically invent a totally fictitious entry for the database
(be it a student transcript, a medical record, an accounts-payable - something
that makes sense for your organization), and put it in the database along with
all the production data.  You then monitor the database system logs (with
a program of course, this is too tedious to do by actually reading logs), and
if you see somebody make a request for that specific database entry, then
you know you need to start investigating.  The only tough part is that
you need to identify queries like 'SELECT name, ssn FROM student_table WHERE
home_address_state = "VA"' where it's expected to be returned and not
generating a false-positive.  But if you go through the logs and find a
'SELECT * WHERE fullname = "John Q. Honeytoken"', you have a problem :)
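The monitoring program the reply describes, as an added example that is not part of the original thread: it scans database query-log lines for the literal values of a planted honeytoken record and raises an alert only when a query names those values directly. A broad query such as the `home_address_state = "VA"` one above is not flagged, even though its result set would contain the fake record, which is exactly the false-positive distinction Valdis draws. The honeytoken values, the log format (a MySQL-general-log-like `timestamp connection Query sql` layout) and the sample lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed honeytoken record: fictitious values planted in the production table.
# Pick values that cannot collide with real data or with common query fragments.
HONEYTOKEN = {
    "fullname": "John Q. Honeytoken",
    "ssn": "000-00-0001",
    "student_id": "9999999",
}

# Constructed sample query log, in a MySQL-general-log-like layout (hypothetical):
# "<timestamp> <connection id> Query <sql>"
SAMPLE_LOG = """\
2006-09-18T14:30:01 12 Query SELECT name, ssn FROM student_table WHERE home_address_state = "VA"
2006-09-18T14:30:07 12 Query SELECT * FROM student_table WHERE fullname = 'john q.  honeytoken'
2006-09-18T14:31:15 19 Query SELECT name FROM student_table WHERE student_id = 1234567
2006-09-18T14:32:40 19 Query SELECT * FROM student_table WHERE ssn = '000-00-0001'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")


@dataclass
class Alert:
    timestamp: str
    connection: str
    matched_field: str
    sql: str


def normalize(value: str) -> str:
    """Lower-case and collapse whitespace so quoting/case tricks do not hide a hit."""
    return re.sub(r"\s+", " ", value).strip().lower()


def token_hits(sql: str, honeytoken=HONEYTOKEN) -> list:
    """Return the honeytoken fields whose literal value appears in the SQL text.

    A query that filters on an unrelated attribute (state, department, ...) may
    legitimately return the fake row, so we only flag queries that spell out
    one of the planted values themselves.
    """
    norm_sql = normalize(sql)
    return [field for field, value in honeytoken.items() if normalize(value) in norm_sql]


def scan_log(text: str, honeytoken=HONEYTOKEN) -> list:
    """Parse each log line and emit an Alert per honeytoken field it references."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line in the expected layout; ignore
        for field in token_hits(m.group("sql"), honeytoken):
            alerts.append(Alert(m.group("ts"), m.group("conn"), field, m.group("sql")))
    return alerts


def scan_sample() -> list:
    """Run the scanner over the constructed sample log."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for a in scan_sample():
        print(f"{a.timestamp} conn={a.connection} honeytoken field={a.matched_field}: {a.sql}")
```

Two of the four constructed lines trip the scanner (the lookup by name and the lookup by SSN, both on connections that should be investigated); the state-wide and the real-student-id queries do not. Substring matching on the literal values is deliberately simple: it catches direct lookups, which is what a honeytoken is for, but will not catch a `LIKE 'John%'` pattern that sweeps the fake record in with real ones, and that is the same trade-off the reply describes. Choosing distinctive honeytoken values (not `1234` or a common surname) keeps the substring match from firing on unrelated queries.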

