RE: Honeytokens and Detection

On a similar note.. Arent the use of honey tokens the way various government security agencies catch spies?? Making a tainted piece of information available to a select group of people and then watching to see if that piece of information leaks...

-----Original Message-----

From: Bill Royds [mailto:broyds@rogers.com] Sent: 19 July 2003 03:21
To: Augusto Quadros Paes de Barros; focus-ids@securityfocus.com Subject: Re: Honeytokens and Detection

One thing honeytokens are a lot like is auditors test data. When one does an audit of a computerized financial system, an auditor often adds test records of certain types to the input stream and looks to see what comes out the other end. For example, a new employee record with an invalid SSN is sent through a payroll system and checks are made to ensure that that record is kicked out and flagged , etc. Auditors have been putting these test cases in accounting systems for years to detect someone trying to defraud a company, whether using computerized methods or not.

     Comparing honeytokens to such well established techniques (even though they are not exactly the same) can help sell the idea to management, especially if you get the internal auditors on your side. Often computer security people are members of International System Audit and Control Association (ISACA) which defines the CISA certification. Test Case generation is one of the required skills and may help in creating effective honeytokens.

• Original Message ----- From: "Augusto Quadros Paes de Barros" <augusto@paesdebarros.com.br> To: <focus-ids@securityfocus.com> Sent: Friday, July 18, 2003 9:50 AM Subject: RES: Honeytokens and Detection

Lance,

I'm glad to see that there is still interest on this subject. I'm trying to find other uses for it too, and I already elected some of my favourites:

• Admin Rights User: Create an administrator on your domain/computer, use a HUGE/COMPLEX password (so it cannot really be used by someone) and put your eyes on it. Users with admin rights are one of the first targets of black hats. If someone logs in with it, there is problem.
• Files on P2P nets: I already heard that the police here in Brasil is trying to identify people involved with pedophily with honeytokens files in P2P networks.
• Web Server hidden files: .inc, .old or other apparently interesting files in public accessible directories at web servers. As there is no link to them, Any entry in the web server log showing access to these files is quite suspicious and indicate that someone is able to know about files that are not related to the website.
• Renaming a common tool: This on is a bit different. It can be useful when the turnover of the administration team is not very high. You can replace one of the common tools used by administrators (like ipconfig on Windows or Kill or vi on Unix) with a "alarm trigger". All the team know that they must use the renamed tool, but someone who is not part of the team will innocently pull the trigger. The chances of false positives is a bit higher than with other honeytokens, but it's still a fun thing to do.

I believe that the most important thing about honeytokens is to make the people responsible for Intrusion Detection aware of it and how it works. As they know the systems and procedures of the company where they work, they are the best people to define what can be a honeytoken and where it should be placed. Incident history and lessons learned can be a good place to start a planning of honeytokens deployment.

Regards,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Augusto Paes de Barros, CISSP.

-----Mensagem original-----

De: Lance Spitzner [mailto:lance@honeynet.org] Enviada em: quinta-feira, 17 de julho de 2003 13:33 Para: Focus on Intrusion Detection Systems Assunto: Honeytokens and Detection

Honeytokens are a relatively new tool with many applications to detection, especially for the insider threat. I've made an attempt to define what this tool is, its value, and how it can work.

 Honeytokens: The Other Honeypot
http://www.securityfocus.com/infocus/1713

I would love any input, ideas, or suggestions on this relatively new tool.

Thanks!

-- 
Lance Spitzner
http://www.tracking-hackers.com
------------------------------------------------------------------------

----

---

Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.

------------------------------------------------------------------------

----

---


Augusto Quadros Paes de Barros, CISSP 
http://www.paesdebarros.com.br
------------------------------------------------------------------------

----

---

Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.

------------------------------------------------------------------------

----

---



------------------------------------------------------------------------

-------

Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.


------------------------------------------------------------------------

-------



---------------------------------------------------------------------------


---------------------------------------------------------------------------