|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
RES: Honeytokens and detection
Date: Tue Apr 15 2003 - 08:20:59 EDT
I think that we cannot forget that honeytokens were already here for a long
time, and that they aren't the final solution for tracking malicious
activity. They are just one more tool. A tool that has serious limitations
when we deal with encryption and compression.
As for the fake administrator, you can use it as a real valid user, with a random password with maximum size. Whenever you detect someone trying to use it (you can do it detecting the traffic or watching logs), the alarm rings.
I see honeytokens, as well as honeypots, being used as part of a intrusion detection and prevention strategy. It's wise to not overestimate its possibilities.
Regards,
Augusto.
-----Mensagem original-----
De: Frank Knobbe [mailto:fknobbe@knobbeits.com]
Enviada em: segunda-feira, 14 de abril de 2003 0:07
Para: lists@isecom.org
Cc: david@zbonski.com; lance@honeynet.org; FOCUS-IDS@securityfocus.com
Assunto: RE: Honeytokens and detection
On Tue, 2003-04-08 at 15:57, Pete Herzog wrote:
> I disagree. I think you may not get the illustration in full. If the
bogus
> CCs or ID numbers were known and padded into excel sheets, particular DBs,
only
> part of the DB or part of an Excel sheet as long as the dangerous ones
don't
> get downloaded.
in
> the download (or upload). [...]
Pete,
I almost agreed with you, but then I started to think about some scenarios.
- Someone breaks into the database server. He pokes around and looks at a few records (most likely unencrypted).
- Someone breaks into the database server. Since the database is very large, he only samples the top 100 rows of data so he can retrieve a few numbers to buy himself a new watchamacallit. It's debatable if he could choose to encrypt the transfer, although chances are better.
- Someone breaks into the database server. Circumstances (size, bandwidth, time) are favorable to download the whole database. If the attacker does not encrypt the transfer, he would most likely compress the data.
So, if data is bulk harvested, partially or in full, both encryption and compression would render the honeytokens useless. Casual snooping would have a higher probability to occur in clear text, but less of a chance to hit a honey token.
I'm wondering how useful the honeytokens really are for a) professional thieves (encryption) and b) large datasets (high miss/hit ratio).
Note that we are only talking about detection of data in transit, not of detection of data in use (as would be the case with copy-bugs etc.... you know, those intentional typos in documents to mark them).
Augusto's reference to the fake administrator/root account would probably fall into the 'detect on use' category, not into the 'detect in transit' category. (i.e. administrator account in network packet)
Perhaps we need to define classification structure of honeytokens. Your thoughts?
Regards,
Frank
-- Augusto Paes de Barros, CISSP http://www.paesdebarros.com.br augusto@paesdebarros.com.br ------------------------------------------------------------------------------ INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-idsReceived on Tue Apr 15 16:50:03 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |