Honeytokens: The Other Honeypot
martyros writes "I just read a fascinating article by Lance Spitzner on securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."
This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.
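To make the "John F. Kennedy" example concrete, here is an added illustration of the detection side of a honeytoken. It is not code from Spitzner's article or from the submitter; the audit-log format, the record ids and the user names are constructed for the example. A fake patient row is registered as a honeytoken, a few constructed audit-log lines are scanned, and any read or write of the planted record produces an alert naming the account that touched it. Because honeytokens are scoped to a table, an identical id in a different table is not flagged.

```python
"""Honeytoken detection: alert on any access to a planted decoy record.

Added example. A honeytoken has no legitimate use, so every access to it is
suspicious by definition. The log format, ids and users below are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical planted decoys, keyed by table then record id. The fake patient
# "John F. Kennedy" is the example from the article; the id is made up here.
HONEYTOKENS: Dict[str, Dict[str, str]] = {
    "patients": {
        "P-0000457": "John F. Kennedy",  # decoy row, matches no real person
    },
}

# Constructed audit-log line format: timestamp then key=value fields.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+"
    r"table=(?P<table>\S+)\s+record=(?P<record>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    action: str
    table: str
    record: str
    label: str  # human-readable name of the decoy that was touched


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one audit-log line, or None if it is malformed."""
    m = LOG_PATTERN.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_access(log_lines: List[str],
                             honeytokens: Dict[str, Dict[str, str]] = HONEYTOKENS
                             ) -> List[Alert]:
    """Scan audit-log lines and return one Alert per access to a decoy record.

    Any action (SELECT, UPDATE, ...) counts: the record should never be used.
    Malformed lines are skipped rather than aborting the scan.
    """
    alerts: List[Alert] = []
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            continue
        decoys = honeytokens.get(entry["table"], {})
        label = decoys.get(entry["record"])
        if label is not None:
            alerts.append(Alert(entry["ts"], entry["user"], entry["action"],
                                entry["table"], entry["record"], label))
    return alerts


def suspects(alerts: List[Alert]) -> List[str]:
    """Distinct accounts that touched a decoy, sorted for stable reporting."""
    return sorted({a.user for a in alerts})


# Constructed sample log: one legitimate read, two decoy hits by different
# users, one malformed line, and a same-id read in another table (not a hit).
SAMPLE_LOG = [
    "2003-07-17T09:58:02 user=clerk_ann action=SELECT table=patients record=P-0000123",
    "2003-07-17T10:02:11 user=nurse_lee action=SELECT table=patients record=P-0000457",
    "this line is not in the expected format",
    "2003-07-17T10:05:40 user=clerk_ann action=SELECT table=billing record=P-0000457",
    "2003-07-17T13:21:09 user=dr_patel action=UPDATE table=patients record=P-0000457",
]

if __name__ == "__main__":
    hits = detect_honeytoken_access(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a.timestamp} {a.user} {a.action} {a.table}/{a.record} ({a.label})")
    print("accounts to investigate:", suspects(hits))
```

The check is deliberately action-agnostic: a decoy row should attract neither reads nor writes, so an UPDATE from a DBA is as worth investigating as a SELECT from a clerk. The decoy's details would in practice be kept apart from the data they protect, so that whoever is browsing the database cannot recognise the token from the database itself.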
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
If you are a desk clerk at a hospital, then the hospital would have every right to fire you.
Hospital records are supposed to be kept as private as possible. Employees who satisfy their own curiosity without caring whose privacy they compromise should never be allowed to have jobs where "poking around" in private data is possible.