Slashdot Mirror

← Back to Stories (view on slashdot.org)

Honeytokens: The Other Honeypot

Posted by CmdrTaco on from the something-to-think-about dept.

martyros writes "I just read a fascinating article by Lance Spitzner securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have say, a record in a database or a file has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."

2 of 427 comments (clear)

  1. Re:Or they made a mistake by aafiske · · Score: 5, Interesting

    "Or they were poking around bored.

    Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right."

    Well, for point one, if someone is bored and is poking around a medical database, that's a problem. And someone using a honeytoken credit card number is never okay. It's not something you do because you're bored.

    And the hacker might have compromised one system and gotten data, but the point is that you put some fake data in there as well. So then hacker says 'hooray, I've gotten the CFO's password, let me go check out some interesting numbers in their computers' and suddenly they're caught red-handed, because that login doesn't exist in reality, and the computer in question is set up to notify people immediately on a honeytoken login.

    These examples are taken from the article. It's a pretty clever idea and is much more versatile than the idea of a honeypot just as a server.

  2. Re:Popular anti-spam technique by Greedo · · Score: 5, Interesting

    Even better (IMHO) is a system I developed for dynamic pages.

    Each page is seeded with a random, unique email address. Also, that address is stored in a database, along with the time it was generated, the page it was displayed on, and info about the viewer (i.e. IP address, UserAgent, etc.).

    Then, if that email is ever used, another automatic system reads that data out of the database and can correlate it.

    It's interesting to see some things. Like how long after an email is harvested is it being used (as little as 4 hours), and whether the people harvesting are also spamming (usually not). This way, you can fight spam by attacking/blocking the spammers *and* the people doing the harvesting.

    Oh, and I claim prior art ... in case Bezos is reading this.

    --
    Tuus crepidae innexilis sunt.