Pantek Library

RES: Honeytokens and detection

From: Augusto Paes de Barros <augusto(at)paesdebarros.com.br>
Date: Tue Apr 08 2003 - 02:49:24 EDT


David,

You are right. Publicly known honeytokens wouldn't be of much use. Each company should create its own fake data, to add a random factor and increase the chance of being usable in these cases.

Honeytokens as database rows raise some additional issues that should be remembered. All apps that do things like "SELECT * FROM TRANSACTIONS" can make the alarm sound.

One of my favourite ones is the bogus administrator/root user with null password. Did anyone already try something with these?

Regards,

Augusto.

-----Original Message-----

From: David Zbonski [mailto:dzbonski@hotmail.com]
Sent: Sunday, April 6, 2003 17:04
To: lance@honeynet.org; FOCUS-IDS@SECURITYFOCUS.COM
Subject: Re: Honeytokens and detection

I think the idea is great but I think if the numbers (or tokens) were public it would be self-defeating. The would-be thief might easily avoid pulling the token like a thief avoids pulling the last bill from a bank drawer to avoid setting off the alarm. Wouldn't it be best for each institution to create their own? The security would be in detecting and alerting on the movement of the token information. I think it falls into "security by obscurity" but I also feel that this does not mean that it is wrong - it just means that you can't count on it 100%. It is a part of that larger puzzle of keeping data safe and systems useable.


Just my two cents.

David Zbonski
Zbonski Consulting
www.zbonski.com

--

Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto@paesdebarros.com.br
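
Added example, not part of the original messages: a sketch of the two ideas in this thread, site-specific random honeytokens and alerting when one of them moves. The 16-digit token format, the function names and the outbound-proxy log lines are all assumptions constructed for illustration.

```python
import re
import secrets

def make_honeytokens(count, digits=16):
    """Generate `count` distinct random decoy numbers private to this site."""
    tokens = set()
    while len(tokens) < count:
        tokens.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(tokens)

def normalise(line):
    """Drop single spaces/hyphens between digits so 1234-5678 matches 12345678."""
    return re.sub(r"(?<=\d)[ -](?=\d)", "", line)

def find_token_movement(log_lines, tokens):
    """Return (line_number, token) for every log line that carries a honeytoken."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        flat = normalise(line)
        hits.extend((number, t) for t in tokens if t in flat)
    return hits

def sample_egress_log(tokens):
    """Constructed outbound-proxy log lines; two of them carry a token."""
    a, b = tokens[0], tokens[1]
    return [
        "2003-04-08 02:49:24 10.0.0.5 POST /report body=totals 1234 5678",
        f"2003-04-08 02:49:25 10.0.0.9 POST /upload body=acct={a}",
        "2003-04-08 02:49:26 10.0.0.5 GET /index.html",
        f"2003-04-08 02:49:27 10.0.0.9 POST /upload body=card {b[:4]}-{b[4:8]}-{b[8:12]}-{b[12:]}",
    ]

if __name__ == "__main__":
    site_tokens = make_honeytokens(3)
    log = sample_egress_log(site_tokens)
    for number, token in find_token_movement(log, site_tokens):
        print(f"ALERT line {number}: honeytoken {token} seen leaving the network")
```

Matching on data leaving the network rather than on database reads means an application's own "SELECT * FROM TRANSACTIONS" does not raise the alarm by itself.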



Received on Fri Apr 11 18:03:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT

