Honeytokens: The Other Honeypot
martyros writes "I just read a fascinating article
by Lance Spitzner on securityfocus.com about a concept he calls
honeytokens. The idea is similar to that of a
honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow.
The article has several other clever examples, which I found very thought-provoking."
This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.
This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.
Actually, if I found a record named "John F. Kennedy", I'd definitely look it up, just because I am curious and I would want to know why it is in there...
Me too, especially email. I have an address in my address book with the name of
"This mail was send by virus"
something like that, and I expect the email to bounce back at which point I know I have been infected.
also people have been hiding email addresses in web pages to test spammers for a while now.
If you are a desk clerk at a hospital, then the hospital would have every right to fire you.
Hospital records are supposed to be kept as private as possible. Employees who satisfy their own curiosity without caring whose privacy they compromise should never be allowed to have jobs where "poking around" in private data is possible.
Right idea, wrong conclusion.
It is perfectly legal to copy all the listings out of a phone book under your own name with no attribution.
The phone book publishers that caught people copying this way discovered that it did them no good.
Unfortunately, the hospital example isn't the greatest, but the idea is to add such a record with contradictory information such that known/legitimate uses of the database will not extract it. In this case that might be setting both the "is a patient" and the "deceased" indicators to true, or both the "discharged on" and "in room number" fields, or showing the patient as being in a non-existent room. This approach works best when designed into the data from the start, since checking multiple, supposedly redundant fields can be specified as a requirement for all systems accessing the data.
A variation on this in the non-digital world is using either different middle initials, different first names, adding a mail-stop, etc. to the address you use for signing up for a magazine subscription, etc. When you start getting junk mail with that address, you know they sold your address to someone else. People have been doing this for a long time.
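The two ideas in the thread so far, a decoy record that no one has any business reading and a decoy whose redundant fields contradict each other so that well-behaved applications never select it, fit together in one small demonstration. The following is an added example written for this page, not code from Spitzner's article or from any poster. The table layout, the column names, the "999Z" room, the audit-log line format and the user names are all constructed assumptions; the decoy name is the one the thread uses.

```python
"""Honeytoken record in a patient table (added illustration).

Assumptions, none of them from the original thread: the patient table
schema, the audit-log line format, and every name and user below are
made up for this example.
"""
import re
import sqlite3

HONEYTOKEN_NAME = "John F. Kennedy"  # decoy; corresponds to no real person


def build_db() -> sqlite3.Connection:
    """Create an in-memory patient table with a few constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """
        CREATE TABLE patient (
            id         INTEGER PRIMARY KEY,
            name       TEXT NOT NULL,
            is_patient INTEGER NOT NULL,  -- 1 = currently admitted
            deceased   INTEGER NOT NULL,  -- 1 = deceased
            room       TEXT               -- NULL when not admitted
        )
        """
    )
    rows = [
        (1, "Alice Example", 1, 0, "204"),
        (2, "Bob Example", 0, 0, None),
        # The decoy: admitted AND deceased, in a room that does not exist.
        # A legitimate code path that checks the redundant fields together
        # can never return a row that looks like this.
        (3, HONEYTOKEN_NAME, 1, 1, "999Z"),
    ]
    con.executemany("INSERT INTO patient VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    return con


def honeytoken_ids(con: sqlite3.Connection) -> set:
    """IDs of rows whose supposedly redundant fields contradict each other."""
    cur = con.execute("SELECT id FROM patient WHERE is_patient = 1 AND deceased = 1")
    return {row[0] for row in cur}


def legit_admitted(con: sqlite3.Connection) -> list:
    """The query a well-behaved ward application runs.

    It requires the redundant fields to agree (admitted, not deceased,
    assigned to a plausible three-digit room), so the decoy never appears.
    """
    cur = con.execute(
        """
        SELECT name FROM patient
        WHERE is_patient = 1 AND deceased = 0
          AND room IS NOT NULL AND room GLOB '[0-9][0-9][0-9]'
        ORDER BY id
        """
    )
    return [row[0] for row in cur]


# Constructed audit-log format: "<timestamp> user=<who> action=<what> patient_id=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient_id=(?P<pid>\d+)$"
)

# Constructed sample log; "mallory" is the user who reads the decoy record.
SAMPLE_AUDIT_LOG = [
    "2003-08-01T10:12:03 user=alice action=SELECT patient_id=1",
    "2003-08-01T10:15:44 user=mallory action=SELECT patient_id=3",
    "2003-08-01T10:16:02 user=bob action=UPDATE patient_id=2",
    "this line is garbage and must be skipped",
]


def detect_honeytoken_access(con: sqlite3.Connection, log_lines) -> list:
    """Return (timestamp, user, patient_id) for every access to a decoy row.

    Any hit is an alert: by construction nobody has a legitimate reason
    to touch these records, so the log line also names the culprit.
    """
    decoys = honeytoken_ids(con)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment would flag these too
        pid = int(m["pid"])
        if pid in decoys:
            hits.append((m["ts"], m["user"], pid))
    return hits


if __name__ == "__main__":
    db = build_db()
    print("ward list:", legit_admitted(db))
    for ts, user, pid in detect_honeytoken_access(db, SAMPLE_AUDIT_LOG):
        print(f"ALERT {ts}: {user} read honeytoken record {pid}")
```

The point of the GLOB clause and the deceased check is the one made above: the legitimate query is written to cross-check fields that are supposed to agree, so the decoy is invisible to it, while anyone who browses by name or by raw id still trips the alert.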
People have been doing this for ages, at least out here in the "really real world".
Mapmakers put fake cities on their maps in obscure places, so that they can tell whether another mapmaker just copied their maps (illegal) or whether they went out and compiled their own information.
Folks who put together directories (like phone books) that forbid their use by telemarketers put fake people (with real phone numbers) in there to identify telemarketers that are illegally using the directory as a basis for telemarketing calls.
There's even a sort-of-backwards example from cryptography, that I believe Schneier came up with. You are all probably familiar with the basic concept that if you crack someone's crypto, you can't use the info you get from cracking their crypto unless you can plausibly explain how you got that info by another mechanism. There are big chunks of Cryptonomicon dedicated to this idea, and it's a real idea. Well, one way to tell if your crypto has been hacked is to find a really funny joke and to transmit it only by your crypto mechanism. Most folks who'd crack your crypto would have a hard time believing that the cleartext of the joke was never transmitted anywhere, so they see less reason to be anal about the normal procedures. So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken.
You'll find all sorts of examples of this basic idea, going back for centuries.
The UK's Data Protection Act is designed to stop things even like this.
Employees within an organisation should not be accessing records about a customer/patient without the client's consent - ill intent or no ill intent.
Particularly records such as hospital records - staff should under no circumstances be accessing records for any person, ie John F Kennedy, unless required by the customer/client/patient.
If employees are poking around in files which are designed to trap them, what is to say they're not poking around in your records without your consent - is this breach of privacy acceptable to you?
Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go.
When I worked in mapping, this is exactly what we did, and we kept a database of the false information and could check quite quickly if another supplier's dataset matched ours, "bug for bug"
The false street is one, and is used in products where an extra nonexistent street wasn't something that could have problems with the use of the map in particular. There are dozens of other methods for different datasets, depending on their use. That's been going on for decades in the mapping industry.
Basically because of a honeytoken-like entity:
Someone at InstallShield had an entry in some internal company data source using her maiden name (and had used her maiden name nowhere else). She received solicitations from Wise and got suspicious.
Now InstallShield is suing the hell out of Wise; see this article, and this news release.
When I worked for a mail order company for songbooks, we rented a list of all the youth groups and churches in the U.S. for a one time mailing. Those who responded got put on our real list and we threw away the rest.
Aren't all those fake files on the p2p networks honeytokens??
They are lures, if you bite then you are doing something illegal and they get your IP address just for biting the bait???
Bam! Nothing to it...
I've ALWAYS suspected this..
I don't quite remember which novel it was (maybe "Hunt for Red October"?) but in one of his novels, Clancy tells that Jack Ryan rose to prominence within the CIA because he proposed / developed a method of traversing confidential internal documents and replacing insignificant words with similar words (that retained the meaning of the sentence). The different versions of the document were then handed out to people that were entitled to a copy. If there was an internal leak, you knew who compromised security by comparing the leaked document with the documents distributed to individuals. This idea goes back 15 years.
I think the concept of honeytokens has much merit, and the author does emphasise that they are inexpensive to implement (for all those who think they offer little benefit).
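The per-recipient wording trick described in the post above (one honeytoken per reader rather than one per dataset) is easy to mechanise, and the fingerprinting step is what makes it useful in practice. This is an added example written for this page, not code from the thread or from the novel. The sample sentence, the synonym table and the recipient names are constructed; the one design point the post does not spell out, which the example handles, is that a leaked copy may have been edited so that one of the swapped words is gone, in which case you get a shortlist rather than a single name.

```python
"""Canary-trap document variants (added illustration).

Each recipient gets a copy in which a few slots hold a different synonym.
Given a leaked copy, the combination of synonyms present identifies the
recipient. The base text, slots and recipients are constructed for this
example; they are not from the original thread.
"""
import re
from itertools import product

# Slots: the word in the base text and the interchangeable alternatives.
# Every alternative keeps the sentence's meaning, so readers notice nothing.
SLOTS = [
    ("quickly", ["quickly", "rapidly", "swiftly", "promptly"]),
    ("large", ["large", "big", "sizable", "substantial"]),
    ("showed", ["showed", "indicated", "revealed", "demonstrated"]),
]

BASE_TEXT = (
    "The survey showed a large increase in traffic, "
    "so the team moved quickly to add capacity."
)

RECIPIENTS = ["alpha", "bravo", "charlie", "delta", "echo"]  # constructed


def _word(w: str) -> str:
    """Regex matching w as a whole word."""
    return r"\b" + re.escape(w) + r"\b"


def make_variants(base: str, slots, recipients) -> dict:
    """Assign each recipient a distinct synonym combination and its text.

    Returns {recipient: (combo, text)}. Raises if there are more
    recipients than distinct combinations (len(alts) ** len(slots)).
    """
    combos = list(product(*(alts for _, alts in slots)))
    if len(recipients) > len(combos):
        raise ValueError("not enough distinct variants for all recipients")
    assignment = {}
    for recipient, combo in zip(recipients, combos):
        text = base
        for (original, _), replacement in zip(slots, combo):
            text = re.sub(_word(original), replacement, text, count=1)
        assignment[recipient] = (combo, text)
    return assignment


def fingerprint(leaked: str, slots) -> tuple:
    """Which alternative of each slot survives in the leaked text.

    A slot yields None when zero or more than one alternative is found,
    i.e. when the leaker edited that sentence or the text is ambiguous.
    """
    fp = []
    for _, alts in slots:
        found = [w for w in alts if re.search(_word(w), leaked)]
        fp.append(found[0] if len(found) == 1 else None)
    return tuple(fp)


def identify_leaker(leaked: str, assignment: dict, slots) -> list:
    """Recipients whose assigned combination is consistent with the leak.

    An intact leak gives exactly one name; an edited leak gives every
    recipient whose combination matches on the slots that are left.
    """
    fp = fingerprint(leaked, slots)
    return [
        recipient
        for recipient, (combo, _) in assignment.items()
        if all(seen is None or seen == chosen for seen, chosen in zip(fp, combo))
    ]


if __name__ == "__main__":
    variants = make_variants(BASE_TEXT, SLOTS, RECIPIENTS)
    leaked_copy = variants["charlie"][1]
    print("intact leak points to:", identify_leaker(leaked_copy, variants, SLOTS))
    edited = leaked_copy.replace("revealed", "found")  # leaker reworded one slot
    print("edited leak shortlist:", identify_leaker(edited, variants, SLOTS))
```

Because the slot alternatives are chosen so that no two recipients share a combination, the intact-leak case resolves to one name; the shortlist in the edited case shrinks again as more slots are added, which is the practical reason to spread the substitutions across many sentences rather than one.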
This is standard process in the database biz, including things like mailing lists and (as others have noted here) maps. The term for it is "salting". Calling them "honeytokens" is applying the wrong seasoning... and treating it as new on /. is also silly.
Well I have something of the same on my server. I got tired of seeing all the script kiddies doing a "get default.ida" buffer overflow in the off chance that I was using IIS, so I decided to accommodate them. I touched a file called default.ida in the webroot directory, and entered this text: Funny, I never get a repeat customer any more...
Accck ok code is [html] [form] [input type crash] [/form] [/html] Use the correct brackets >
If so, what's the point of storing those records in hospitals? Hospitals aren't storage for people's various papers; let patients store their own damn records.
In civilized countries you are not only not allowed to set traps for burglars, it has now been established that you owe a duty of care to anyone who breaks into your premises and trespasses on your land. If you know that kids might climb through your fence to hide in the long grass and get stoned, then KEEP OUT notices are not enough and if you have any hazards (deep wells, wires hidden in the grass) they must be made safe.
The logical correlative of this is that if you provide files with the intention that they should be downloaded by people who break into your system, and those files are engineered to cause damage, you will be (possibly criminally) liable for any damage you cause. "I didn't expect anyone to come this way" would be no defence when the only conceivable purpose of these files is to cause harm.