Slashdot Mirror


Honeytokens: The Other Honeypot

martyros writes "I just read a fascinating article by Lance Spitzner on securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."
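The detection side of the hospital example, as an added illustration that is not part of the article or the submission: a decoy patient row is listed as a honeytoken, access audit lines are parsed, and any read of that row by anyone other than a known bulk job becomes an alert attributed to a user. The log format, the medical record number, the account names and the backup-job allowlist are all constructed for this example.

```python
import re
from collections import Counter, namedtuple

# Constructed honeytoken: a patient row that maps to no real person, so no
# clinical or billing workflow should ever read it. MRN and name are invented.
HONEYTOKEN_PATIENTS = {"MRN-000404": "John F. Kennedy"}

# Service accounts that legitimately touch every row (nightly backup, full
# table reports) and must not trip the token; constructed names.
BULK_ACTORS = {"svc-backup"}

AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\w+) "
    r"table=(?P<table>\w+) id=(?P<rid>\S+)$"
)

# One alert per honeytoken access: when, who, what they did, which decoy row.
Alert = namedtuple("Alert", "ts user action record name")

def parse_audit_line(line):
    """Parse one constructed audit line into a dict, or None if malformed."""
    m = AUDIT_RE.match(line.strip())
    return m.groupdict() if m else None

def find_honeytoken_hits(lines, tokens=HONEYTOKEN_PATIENTS, bulk=BULK_ACTORS):
    """Every access to a honeytoken row by a non-bulk actor is an alert."""
    alerts = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["table"] != "patients":
            continue  # malformed or unrelated table; a real pipeline would count these
        if ev["rid"] in tokens and ev["user"] not in bulk:
            alerts.append(Alert(ev["ts"], ev["user"], ev["action"],
                                ev["rid"], tokens[ev["rid"]]))
    return alerts

def hits_by_user(alerts):
    """Who tripped the token, and how often: the 'who opened it' question."""
    return dict(Counter(a.user for a in alerts))

# Constructed audit log: one clerk reads the decoy twice; the backup job reads everything.
SAMPLE_AUDIT = """\
2003-04-17T09:12:01Z user=clerk03 action=read table=patients id=MRN-118231
2003-04-17T09:14:55Z user=clerk03 action=read table=patients id=MRN-000404
2003-04-17T09:15:02Z user=nurse12 action=update table=patients id=MRN-118231
this line is not an audit record
2003-04-17T11:40:19Z user=clerk03 action=read table=patients id=MRN-000404
2003-04-18T02:00:00Z user=svc-backup action=read table=patients id=MRN-000404
""".splitlines()
```

The allowlist matters in practice: any job that walks the whole table (backups, exports, full reports) will read the decoy, so those actors must be excluded or the token produces nothing but false alarms.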

9 of 427 comments

  1. Nothing new here, move along by ebh · · Score: 4, Informative

    This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.

    1. Re:Nothing new here, move along by throwaway18 · · Score: 4, Informative
      >This sort of thing has been around for decades.
      Reputedly this technique has been used for log tables since the seventeenth century.

      A few hundred years before the invention of the electronic gadgets slashdotters take for granted, people were navigating the world in sailing ships and calculating their longitude and latitude with a sextant to measure the angle from the ground to the sun or a star, a clock and a book of log tables. Napier produced log tables in the 1600s but an accurate shipboard clock was only invented in 1764.

      A book of log tables can be used to multiply integers quickly using A*B=antilog(log A + log B) or to calculate trigonometric functions like sine, cosine and tan.

      Original production of a book of log tables took a lot of mathematical work. Publishers reputedly seeded the books with errors in the last digit to catch copiers.

  2. Just like "ringers" by vegetablespork · · Score: 5, Informative
    Folks who rent mailing lists add "ringers," which, if they receive a mailing after the term of the rental is up, yield prima facie evidence of violation of the rental contract.

    This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.

    --

    Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  3. Re:Or they made a mistake by wmshub · · Score: 5, Informative

    If you are a desk clerk at a hospital, then the hospital would have every right to fire you.

    Hospital records are supposed to be kept as private as possible. Employees who satisfy their own curiosity without caring whose privacy they compromise should never be allowed to have jobs where "poking around" in private data is possible.

  4. Re:This is new? by Lionel+Hutts · · Score: 4, Informative

    Right idea, wrong conclusion.

    It is perfectly legal to copy all the listings out of a phone book under your own name with no attribution.

    The phone book publishers that caught people copying this way discovered that it did them no good.

    --
    I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.

  5. Old, old idea. by DdJ · · Score: 4, Informative

    People have been doing this for ages, at least out here in the "really real world".

    Mapmakers put fake cities on their maps in obscure places, so that they can tell whether another mapmaker just copied their maps (illegal) or whether they went out and compiled their own information.

    Folks who put together directories (like phone books) that forbid their use by telemarketers put fake people (with real phone numbers) in there to identify telemarketers that are illegally using the directory as a basis for telemarketing calls.

    There's even a sort-of-backwards example from cryptography, that I believe Schneier came up with. You are all probably familiar with the basic concept that if you crack someone's crypto, you can't use the info you get from cracking their crypto unless you can plausibly explain how you got that info by another mechanism. There are big chunks of Cryptonomicon dedicated to this idea, and it's a real idea. Well, one way to tell if your crypto has been hacked is to find a really funny joke and to transmit it only by your crypto mechanism. Most folks who'd crack your crypto would have a hard time believing that the cleartext of the joke was never transmitted anywhere, so they see less reason to be anal about the normal procedures. So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken.

    You'll find all sorts of examples of this basic idea, going back for centuries.
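The "ringer" idea from comment 2 and the fake-city, fake-phone-book-entry idea here are the same scheme: each licensee gets a copy seeded with a decoy only they received, so a mailing (or a copied map) that contains the decoy identifies which copy leaked. This added example, not from any commenter, derives one unique ringer addressee per licensee with an HMAC so no two copies share a decoy, then attributes a received mailing to its licensee and checks it against the rental term. The licensee names, dates and the seed secret are constructed.

```python
import hmac
import hashlib
from datetime import date

# Constructed rental records: licensee -> end of the rental term. A mailing
# that lands at that licensee's ringer after this date breaches the contract.
RENTALS = {"acme-catalogs": date(2003, 3, 31), "bigbox-flyers": date(2003, 6, 30)}

# Secret used to derive ringer addresses; constructed, not a real key.
SEED_SECRET = b"constructed-ringer-seed"

def ringer_address(licensee, secret=SEED_SECRET):
    """One reproducible fake addressee per licensee. The house number and
    apartment encode a short HMAC tag, so two licensees never share a ringer."""
    tag = hmac.new(secret, licensee.encode(), hashlib.sha256).hexdigest()[:6]
    return f"R. Ringer, {int(tag, 16) % 9000 + 1000} Decoy Lane, Apt {tag.upper()}"

def seeded_list(real_records, licensee):
    """The copy handed to one licensee: the real list plus that licensee's ringer.
    A mapmaker's fake street per edition is the same construction."""
    return list(real_records) + [ringer_address(licensee)]

def ringer_index(licensees):
    """Reverse lookup from ringer addressee back to the licensee who got it."""
    return {ringer_address(name): name for name in licensees}

def attribute_mailing(addressee, received_on_iso, rentals=RENTALS):
    """For mail that arrived at a ringer, return (licensee, term_breached);
    for any other addressee return None. received_on_iso is 'YYYY-MM-DD'."""
    licensee = ringer_index(rentals).get(addressee)
    if licensee is None:
        return None
    received_on = date.fromisoformat(received_on_iso)
    return licensee, received_on > rentals[licensee]
```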

  6. Re:Or they made a mistake by timmyf2371 · · Score: 4, Informative

    The UK's Data Protection Act is designed to stop things even like this.

    Employees within an organisation should not be accessing records about a customer/patient without the client's consent - ill intent or no ill intent.

    Particularly records such as hospital records - staff should under no circumstances be accessing records for any person, ie John F Kennedy, unless required by the customer/client/patient.

    If employees are poking around in files which are designed to trap them, what is to say they're not poking around in your records without your consent - is this breach of privacy acceptable to you?

    --

    Backup not found: (A)bort (R)etry (P)anic

  7. Re:Or they made a mistake by questamor · · Score: 4, Informative

    Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go.

    When I worked in mapping, this is exactly what we did, and we kept a database of the false information and could check quite quickly if another supplier's dataset matched ours, "bug for bug".

    The false street is one, and is used in products where an extra nonexistent street wasn't something that could have problems with the use of the map in particular. There are dozens of other methods for different datasets, depending on their use. That's been going on for decades in the mapping industry.

  8. fake files on kazaa??? by pair-a-noyd · · Score: 4, Informative

    Aren't all those fake files on the p2p networks honeytokens??

    They are lures, if you bite then you are doing something illegal and they get your IP address just for biting the bait???

    Bam! Nothing to it...

    I've ALWAYS suspected this..