Slashdot Mirror


Honeytokens: The Other Honeypot

martyros writes "I just read a fascinating article by Lance Spitzner on securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."

22 of 427 comments

  1. Or they made a mistake by buffer-overflowed · · Score: 3, Insightful

    Or there's a flaw in your software.

    Or they were poking around bored.

    Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

    Yes, quite superior to a honeypot, in every way.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
    1. Re:Or they made a mistake by in7ane · · Score: 5, Insightful

      I agree, it's just too likely that it will be people from within the organization just 'poking around' with no ill intent.

      It's just human nature - same as having to open a box with the sign 'do not open' on it :)

      Add to this that authorized workers will likely be told about these and told to keep out - causing a flood of 'I wonder what's in there...'

    2. Re:Or they made a mistake by highcaffeine · · Score: 5, Insightful

      I was going to mod this down (overrated), but decided I'd rather reply.

      No one said that honeytokens are superior in every way to honeypots and should be used in place of the latter. That you pulled out of your hindquarters. Basically, what you said could be expressed similarly in this example: "Seat belts are not absolutely superior in every way to the steel frame of a car, so what's the point in buckling up?"

      I would hope that makes it clear how faulty your logic is. Like using seat belts in addition to a protective steel frame, to provide added protection, honeytokens could be used in addition to honeypots. Their ultimate goals are the same: protect your life (frame/seat belts) or your data (honey[pot|token]). If your life/data is that important, why not provide all the layers of security you can?

      One advantage that honeytokens do have is in who they can help protect against. Honeypots are typically deployed to detect and help figure out how to protect against external threats. Anyone with a shred of sense about security knows, however, that you also need to protect against internal threats. Deploying honeytokens can help in that vein, by possibly detecting internal abuse of your systems.

      Just because honeytokens won't protect against everything, solve global hunger, and bring about world peace, doesn't mean they shouldn't or can't be used effectively.

    3. Re:Or they made a mistake by dasmegabyte · · Score: 5, Insightful

      Ok -- I think this isn't necessarily a bad idea, so long as you don't expect it to be the end-all, be-all of security. I often perform weird ad-hoc queries on tables for data mining purposes, or to help our support team do things that their program just won't do (like cross index reports for a list of ids).

      Some DBAs LOVE to think that their precious data is only accessed the way they want it to be accessed. I once had a guy tell me, flat out, "You guys should never be doing ad hoc queries. Write and submit a stored procedure for everything you do." I have never heard a more ivory tower asshole statement in my life, and you better believe I didn't listen for a second. Nor should I have, nor would he really want me to...when the CEO comes over and asks for usage statistics for a potential customer, he doesn't want to be told "Wait until the DBA shmuck reviews this query first." It becomes harder to justify your excessive salary when all you do is prevent us programming peons from doing our job and call it "security."

      If I pull up a honeyrecord, and you're my dba, you should ask me about it, but not assume my account has been hacked and lock it down. Which means this is nothing more than yet another check measure. You'll still have to eye your logs and know your system.

      You know, this is actually a great way to prove somebody from outside has been data mining, and prosecute them for it. Put bullshit data in your db. If it shows up on somebody's website as fact, you'll know they were grabbing your shit. Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go. If you look at somebody else's map, and you find your BS street, you know they plagiarized. Just make sure you never buy a house on that street. Heh.

      --
      Hey freaks: now you're ju
    4. Re:Or they made a mistake by SewersOfRivendell · · Score: 2, Insightful

      Or they were poking around bored.

      If so, they deserve to be fired. Boredom is not an excuse for violating patient privacy.

    5. Re:Or they made a mistake by buffer-overflowed · · Score: 2, Insightful

      And a red flag should be triggered regardless of the legitimacy of the data.

      Therefore, having illegitimate data serves almost no purpose except to make it arguably more easy to detect.

      You should be able to detect behaviors of this type without resorting to this method.

      --
      The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
    6. Re:Or they made a mistake by IWannaBeAnAC · · Score: 4, Insightful

      Maybe, just maybe, in a hospital database I would agree. But there are many fields where you would want people to notice and flag suspicious looking records.

      Even in the hospital example, what would you do if the office worker noticed something was wrong? Say, there was an obvious typo or something like that, potentially serious if nobody notices. Do you want the worker to be afraid of reporting it?

      While I can see the obvious abuse, poking around stuff that you weren't specifically told to poke is the stuff of legends, it would be a shame if society evolved into a "no permission means no look, no touch" attitude.

      Sure, I can see that honeytokens can (and are - after all it's just a version of the old 'put a marked note in the safe' trick that has been used in one form or another probably forever) be really useful - but it isn't a replacement for TRUST. I wouldn't want to see this applied universally, especially on public networks.

    7. Re:Or they made a mistake by feepness · · Score: 2, Insightful

      Or there's a flaw in your software.

      Or they were poking around bored.

      Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

      Yes, quite superior to a honeypot, in every way.


      It's not superior it's a tool. You wouldn't want to ignore any tool, would you? Any of the above things are REASONABLE flags for you to have a look-see... maybe not get crazy, but at least look around.

      Would you NOT want to know about flaw in your software?

      Would you NOT want to know about the nosy employees and whether they had a legitimate reason or a pattern of snoopiness?

      Would you NOT want to know about hackers if they don't "do their job right"?

      Oh I see, you'd prefer to setup a honeypot and congratulate yourself on how clever you are.

    8. Re:Or they made a mistake by dasmegabyte · · Score: 3, Insightful

      God, it's asshole admins like this that give IT a bad name...and are probably the reason why so many jobs are getting outsourced. I mean, why keep around people who think it's their job to be a belligerent elitist and in the process stop everybody else from getting their job done? I didn't think Nick Burns was a funny character at all...I thought he was a sick composite.

      Listen. Management doesn't mean discouragement. It does not mean banning a person from doing what they need to do because you're too fucking lazy to make it safe. There's a huge difference between indiscriminately giving somebody root and letting them run select statements in a database or on a particular set of tables. It's the difference between giving the inventory guy the keys to your warehouse, or letting him run around INSIDE without hassling him every five minutes. I used to work for the records center for the NY Department of Criminal Justice, and they didn't run as tight a ship as some of the UN*X admins I've known. That's because if they denied access to everything like some sysadmins, the "runners" wouldn't be able to pull what they needed, and law enforcement would suffer as a consequence.

      Besides, as much as you like to think of it as such, this isn't your system. You may be in charge of it, but chances are you don't use the thing. The customers do -- the customers and the staff who serve them. You may be in charge of it, but you have no ownership over it. You're in charge like the custodial staff is in charge of the toilet.

      You can keep the bad guys out of the building with your firewalls and your routers and your proxies. You can keep the idiots in house out of the sensitive shit, back up the data every 17 seconds and dust everybody's keyboards at night for unknown fingerprints. Hell, you can even come up with some cockamamie password policy, like i have to have at least one korean symbol in my password that changes bihourly. Do whatever makes you feel like you actually know dick about security -- just don't keep me from doing my job. If I can't run a query for a troubled customer, we've lost business. If you have to monitor one extra user account for suspicious activity, we haven't lost anything. Not only is creating potholes like this counterproductive, it also doesn't improve security in the least. I've never known an "exploratory hacker" who cared a whit about getting access to a person's read only accounts when it's often just as easy to get root. Why eat hamburger when you can eat steak?

      --
      Hey freaks: now you're ju
    9. Re:Or they made a mistake by ill_mango · · Score: 2, Insightful

      I don't think people are getting the main idea here. The honeytoken concept shouldn't be used as a way to identify EXACTLY who is illegally accessing your data. It should be used as a way to show who MIGHT be illegally accessing your data. Each incident should be investigated, but not every incident will yield some internal leak or security hole. Sure there are lots of ways your honeytoken could be accessed, but if you catch even 1 breach for every 20 or so accesses, isn't that worth it?

    10. Re:Or they made a mistake by SatanicPuppy · · Score: 2, Insightful

      I do a lot of database work. I guarantee I'd trip some of these record-bombs just doing my job.

      I mean, most times I'm supposed to be looking for weird stuff. I mean, right now I have access to info on people that I KNOW would be appalled to find out someone is privy to everything about some private part of their life. I don't get my jollies off it or anything, but there is no way I can fix some of these problems without ever taking a look at the actual data.

      Now, I could hack together some access controls, or just a little snoop program that tells some administrator who's been browsing his files without having to hide a bunch of stupid fake entries. Seems like that would be a better solution, and that's old, proven tech.

      Just my opinion.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    11. Re:Or they made a mistake by shilly · · Score: 2, Insightful

      I don't want you peering in my bedroom window and watching me. Your innocent intentions and the fact you haven't got a video camera in your hand make bugger all difference. I want my medical records treated in the same way.

    12. Re:Or they made a mistake by arkanes · · Score: 2, Insightful

      It's like this: A clerk needs to have access to all employee records, because he might have a legitimate need to access any given employee's records. He accesses lots every day, and it's not worth the layer of bureaucracy to have him fill out forms for every access. On the other hand, he shouldn't be going browsing, because that's a violation of privacy. So you add records that he would NEVER legitimately be asked to look at, and if those are accessed then you know he's been doing something he's not supposed to.

  2. The problem... by melete · · Score: 5, Insightful

    The problem with this (and to a lesser degree, with honeypots) is that these tokens will get accessed in legitimate ways -- for example, what if your secretarial staff is creating a mailing list, and "JFK" gets sent something? Or you have a browse function in an application that uses the database?

    It's a good idea, but not a panacea.
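
The honeytoken idea from the submission, with the bulk-access false positive melete raises above folded in, as an added example that is not code from the article or any commenter; the audit log format, the planted record ids and the sample log lines are all constructed:

```python
"""Honeytoken access alerting over a database audit log.

Added example, not code from the article or any commenter; the log format,
planted record ids and sample lines are constructed. A planted record read
as one of a few rows is a high severity alert; one swept up in a large
result set (mailing-list export, browse screen) is kept at low severity
so legitimate bulk access does not drown the signal.
"""
from dataclasses import dataclass

# Constructed registry: planted records that no real workflow needs.
HONEYTOKENS = {
    "patients": {"P-000042"},  # the "John F. Kennedy" style record
    "customers": {"C-77710"},
}
# Reads returning more rows than this count as bulk or browse access.
BULK_ROW_THRESHOLD = 50

@dataclass(frozen=True)
class Alert:
    user: str
    table: str
    record_id: str
    severity: str

def parse_line(line):
    """Parse 'TS user=alice table=patients rows=1 ids=P-000042,P-000043'.
    Returns (user, table, rows, ids), or None for a malformed line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    try:
        ids = [i for i in fields.get("ids", "").split(",") if i]
        return fields["user"], fields["table"], int(fields["rows"]), ids
    except (KeyError, ValueError):
        return None

def scan(lines):
    """Return an Alert for every planted record touched in the audit log."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not trusted
        user, table, rows, ids = parsed
        for rid in ids:
            if rid in HONEYTOKENS.get(table, set()):
                severity = "low" if rows > BULK_ROW_THRESHOLD else "high"
                alerts.append(Alert(user, table, rid, severity))
    return alerts

SAMPLE_LOG = [  # constructed audit lines
    "2003-07-17T10:01 user=betty table=patients rows=1 ids=P-000042",
    "2003-07-17T10:02 user=app table=patients rows=1 ids=P-000043",
    "2003-07-17T10:05 user=mailer table=customers rows=900 ids=C-77709,C-77710",
    "not an audit line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The low-severity path is where the mailing-list and browse-screen hits from the thread land; they are still logged, so a pattern of them per user can be reviewed, without each one paging someone.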

  3. Re:Sorry-ass bosses. by pla · · Score: 4, Insightful

    When the Boss steals, it's big-time, way more than any of you make in a year at your salaried job.

    The big guys don't need to steal to drain the company. The laws (and corporate policies) allow them to do things the rest of us would spend hard time in the federal pen for.

    As a trivial (though not unusual) example, at my previous job, the CEO made a bad call about handling a bug in a customer's software. Relatively minor bug, but due to the nature of the software, he and the company might actually have had to endure criminal proceedings if they handled his bad call poorly.

    So the solution? He left the company with nearly a ten MILLION dollar parting bonus, sort of vaguely admitted responsibility, regulators considered the matter suitably dealt with, and the problem went away.

    Think about that... This guy broke the law, so they gave him millions of dollars.

    And some folks wonder why so many of us outright despise corporate America.

    As Eric Idle once said, after killing a dozen or so tribesmen in Monty Python's "The Meaning of Life", "Back home they'd hang me, but here they gimme a fuckin medal!".

  4. Re:Nothing new here, move along by ADOT+Troll · · Score: 2, Insightful

    Some people have pointed out that maybe someone just looking through a database on legitimate business sees an interesting patient file, and opens it up, just to look.

    One reason this idea would be especially good for hospitals is because such actions have gotten hospitals sued in the past. Simply put, no hospital employee is supposed to view a patient's information unless required. So, if Nurse Betty is looking up "John F. Kennedan's" file, and also sneaks a peek at "John F. Kennedy's", she just broke federal law, and the hospital is going to want to know about that.

    As for false positives in other instances, people seem to be just trolling. For example, every single day at a former employer of mine, a cell phone provider, we'd get false positives on customers who may or may not have been using fraudulent information to sign up for service. As such, we would stop and call the verification services we used, and verify that customer. So sure, out of thirty customers a day, it would generate five warnings, four of which were false. But one of them wasn't, and that makes all the difference.

  5. Not exactly revolutionary... by nmg196 · · Score: 2, Insightful

    Not exactly revolutionary... This is just list seeding.

    You shove a one-time known fake name into a mailing list (postal or e-mail) that you sell and then if any mail arrives at that address sent by someone you didn't sell the list to, then you know that they've been abusing their terms for use of the list. I do the same thing with websites... I register for websites I write with sitename_seed@mydomain.com and if any of the 'seed' addresses get mail, then I know that someone's been harvesting addresses from that site. Thankfully this has never happened (yet!).

  6. done by louisfreeman · · Score: 2, Insightful

    Our company uses this trick. There are 'honey-addresses' in our database. (a correct address belonging to an employee, with a completely wrong name) As soon as anything arrives at one of those addresses we know someone has made illegal use of an address from our database. Whatever gets sent tells us who. Legal action follows ....
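
Per-buyer list seeding as described in the two posts above, as an added example (not nmg196's or louisfreeman's code). It goes a step beyond them by deriving each seed with an HMAC so the seed cannot be spotted or predicted from a fixed pattern, and assumes a controlled domain example.com, a constructed key, and constructed buyer and recipient lists:

```python
"""List seeding: one seed address per buyer, so a leak names the buyer.

Added example, not code from nmg196's or louisfreeman's post; the buyers,
recipients and secret key are constructed. Going a step beyond the posts,
the seed's local part is an HMAC of the buyer name under a secret key, so
a buyer cannot spot or predict the seed the way a fixed 'sitename_seed'
pattern could be spotted, and each seed maps back to exactly one buyer.
"""
import hashlib
import hmac

SEED_DOMAIN = "example.com"           # assumed: a domain you control
SEED_KEY = b"constructed-secret-key"  # assumed: kept out of the sold list

def seed_address(buyer, key=SEED_KEY):
    """Deterministic, unguessable seed address for one list buyer."""
    tag = hmac.new(key, buyer.encode(), hashlib.sha256).hexdigest()[:12]
    return f"list-{tag}@{SEED_DOMAIN}"

def seeded_list(recipients, buyer):
    """The copy handed to `buyer`: real recipients plus that buyer's seed,
    sorted so the seed does not sit revealingly at the end."""
    return sorted(list(recipients) + [seed_address(buyer)])

def attribute_leak(inbound_recipient, buyers, key=SEED_KEY):
    """Name the buyer whose seed received mail, or None if it is no seed."""
    for buyer in buyers:
        if hmac.compare_digest(seed_address(buyer, key), inbound_recipient):
            return buyer
    return None

BUYERS = ["acme-marketing", "globex"]                  # constructed
RECIPIENTS = ["alice@example.org", "bob@example.net"]  # constructed

if __name__ == "__main__":
    leaked_copy = seeded_list(RECIPIENTS, "globex")
    # Mail to the seed found in globex's copy points back at globex.
    for addr in leaked_copy:
        who = attribute_leak(addr, BUYERS)
        if who:
            print(f"{addr} is a seed; this copy was sold to {who}")
```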

  7. Credit cards and SSNs? by sakeneko · · Score: 2, Insightful

    If you go making up honeytoken credit card numbers and social security numbers, you'd better be sure they *are* bogus, not real numbers that belong to someone you don't know. Otherwise, your honeytoken might be someone's real data....

    Oops wouldn't cover it in that case. <wry grin>

  8. Shouldn't Cliff Stoll's girlfriend by Anonymous Coward · · Score: 1, Insightful

    get credit for this. She was the one who said something to the effect of "if the hacker wants data, then give it to them." They did, and the hacker was connected long enough for them to track him down. Greed is the downfall of most criminals, preceded only by stupidity.

  9. patients aren't in the hospital until in DB by wadiwood · · Score: 2, Insightful

    So the JFK record would have to be corrupted, because if it emulated a correct record, then when the senior ward supervisor (nurse) was rostering staff to look after patients, JFK would be selected and allocated automatically. You'd have to fake all the way up to the top, ie ward, doctor, everything. And then the staff would recognise it as fake. Hospital patient databases are mostly for making sure patients get the right treatment, and a legal record of that treatment, and a financial record of the cost of that treatment, so a fake record would still have to be accessible to people responsible for these.

    It doesn't make sense to say that nobody should be looking at the JFK record. It would make more sense to see the ward staff go nuts trying to find where he nicked off to (like an Alzheimer's patient). He's in the computer so he should be in the hospital. If it is merely a historical record, the same problem would apply to the accounting staff (why hasn't he paid his bill?).

    And mostly when you go into a hospital or medical facility they get you to sign something that says vaguely that you consent to have your details available to anyone they deem appropriate. They're not going to come back and try to get your permission separately to give details to the cardiac doctor if you happen to have a heart attack while staying with them!

    I understand the concept, but I think the example is fairly poor. Perhaps it would be more accurate to say something like "access to this record should be limited". And I think the concept may be fairly old, eg in WWII examples of feeding the enemy false data, rather than actually imprisoning the detected spy.

    --
    -- it must be true, it's on the internet.
  10. Re:Nothing new here, move along by jazman · · Score: 2, Insightful

    Yes, but don't forget according to the USPTO anything obvious, well known for decades etc, when augmented with the text "with a computer" makes an entirely new invention that is worthy of a patent and not at all obvious to anybody. I'm surprised they haven't already got a patent on it.