Honeytokens: The Other Honeypot
martyros writes "I just read a fascinating article
by Lance Spitzner securityfocus.com about a concept he calls
honeytokens. The idea is similar to that of a
honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow.
The article has several other clever examples, which I found very thought-provoking."
Or there's a flaw in your software.
Or they were poking around bored.
Or you've been hacked, in which case you won't have an access record anyway if the hacker did their job right.
Yes, quite superior to a honeypot, in every way.
The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
I seed all my pages with special "token" email addresses that will only be found by a spammer using harvesting software (or a really really bored user). Normal people will never find it and never want to use it. It works amazingly well.
This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.
I've used the same concept before on my work computer. I plant suspiciously named files on my desktop or (usually) less obvious places so if someone tries to search my computer and comes across this file, reports its contents, and I hear about it, I know it's time to change my password ;)
KappaStone
This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
What happens if someone does a search that happens to find "John F. Kennedy" along with several other patients? Does that mean the person was in the wrong place?
The problem with this (and, to a lesser degree, with honeypots) is that these tokens will get accessed in legitimate ways -- for example, what if your secretarial staff is creating a mailing list, and "JFK" gets sent something? Or you have a browse function in an application that uses the database?
It's a good idea, but not a panacea.
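The submission's hospital example and the browse/search objection above can both be handled at the application layer: log every read of the canary record, but alert only when someone deliberately opens it, not when it merely appears in a search result or an export. The following is an added example, not code from the article or from any hospital system; the patient ids, ward, usernames and the 'list' versus 'lookup' access modes are constructed for illustration, and the canary name is the one the article uses.

```python
import sqlite3

# Constructed canary record: the name comes from the article; the id and ward are assumptions.
CANARY_PATIENT_ID = 90001
CANARY_NAME = "John F. Kennedy"


def build_db():
    """Create an in-memory patient table plus an application-level access log (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ward TEXT);
        CREATE TABLE access_log (ts INTEGER, username TEXT, patient_id INTEGER, mode TEXT);
    """)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        (1, "Alice Example", "3W"),
        (2, "John F. Kennedan", "3W"),            # the near-miss name from a comment on this page
        (CANARY_PATIENT_ID, CANARY_NAME, "3W"),  # the honeytoken; nobody has a reason to open it
    ])
    return conn


def search_patients(conn, ts, username, pattern):
    """Browse/search: every hit is logged as mode 'list', which is never an alert on its own."""
    rows = conn.execute("SELECT id, name FROM patients WHERE name LIKE ?", (pattern,)).fetchall()
    conn.executemany("INSERT INTO access_log VALUES (?, ?, ?, 'list')",
                     [(ts, username, pid) for pid, _ in rows])
    return rows


def open_record(conn, ts, username, patient_id):
    """Opening one chart is a deliberate act, so it is logged as mode 'lookup'."""
    row = conn.execute("SELECT id, name, ward FROM patients WHERE id = ?", (patient_id,)).fetchone()
    conn.execute("INSERT INTO access_log VALUES (?, ?, ?, 'lookup')", (ts, username, patient_id))
    return row


def canary_alerts(conn):
    """Return (ts, username) for every deliberate open of the canary; 'list' hits stay as context."""
    rows = conn.execute(
        "SELECT ts, username FROM access_log WHERE patient_id = ? AND mode = 'lookup' ORDER BY ts",
        (CANARY_PATIENT_ID,)).fetchall()
    return [tuple(r) for r in rows]


def demo():
    conn = build_db()
    # A search for the real patient also returns the canary: logged, not alerted.
    search_patients(conn, 1000, "nurse_betty", "John F. Kenned%")
    open_record(conn, 1001, "nurse_betty", 2)                   # the legitimate chart
    open_record(conn, 1002, "nurse_betty", CANARY_PATIENT_ID)   # the sneaked peek
    return canary_alerts(conn)


if __name__ == "__main__":
    print(demo())
```

The same split covers the mailing-list case: a bulk export is logged as 'list' for every record it touches, so the canary turning up in it is recorded for later correlation but does not page anyone. What does page someone is a single user opening a chart that no workflow ever routes to them.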
Yahoo (and presumably other search engines follow suit) keeps some bogus entries in the DB so they can detect someone stealing their whole DB.
Some print newspapers run bogus classified ads so they can detect a competitor trying to bulk up their own classified section.
Some anti-spam companies post to newsgroups specifically to get addresses harvested; any email to those addresses is the sign of a spammer.
Handy, but hardly breaking news. Might as well run an article about a researcher discovering the usefulness of packet switched networks.
Cheers
-b
Another good example would be the RIAA putting bogus music files on P2P networks. For example, if you query and download a file that is named "Metallica - Enter Sandman.mp3" then chances are you have other files that are of dubious lineage.
The sword here cuts both ways, unfortunately.
----
Like listening to music? Then use Fission, the MP3 player with a brain!
By placing arsenic in your water bottle that you leave in the refrigerator, you can tell who's been pilfering your lunch.
Best Windows Freeware
...several years in fact, although in a different form.
A while back a bunch of businesses created a website called slashdot to monitor people who were surfing the net instead of doing work.
Famous Last Words: "hmm...wikipedia says it's edible"
Phone listings are not proprietary - anyone can publish a phone book. But you can't copy someone else's publication (like the telco's official phone book.)
In order to tell if a third-party phone book is legal or not, the telcos put a bunch of bogus listings in every one. When third-party books are published, the telco can check to see if the bogus listings are in it. If they are, then they know that the book is an illegal copy of the telco's phone book. A book that doesn't pirate the telco's book (e.g. using listings purchased from the telco or by asking people to contribute contact information) will not have those listings in it.
This sounds like the same concept applied to a new purpose.
I'm pretty sure you can leave access to that thing wide open and it'll still be as safe and untouched as if it were translated to Navajo and encrypted with 3DES.
the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
> Or there's a flaw in your software.
Well, then you'll just end up with a record of an 'intrusion' from localhost. if there is something wrong with your software, you should fix it anyway.
> Or they were poking around bored.
The whole point is that they shouldn't be poking around. I certainly wouldn't want hospital employees 'poking around' in medical records. If someone is 'poking around' in sensitive data, then they are a hacker. If it's someone from your organization, you should either bitch at 'em or fire 'em, depending on what kind of work you do.
> Or you've been hacked, in which case you won't have an access record anyway if the hacker did their job right.
Not if you burn logs straight to a multisession CD...
autopr0n is like, down and stuff.
I first saw it mentioned at Black Hat 2002 in Vegas last year. The idea was that you would create fake session tokens for web applications and then monitor them for access by applications trying to brute force the session token values.
I mentioned it to a web developer who said that the idea has actually been implemented in some of the large e-commerce sites he's worked on.
-- thalakan
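The decoy-session-token idea in the comment above, written out as an added example (this is not code from any of the e-commerce sites mentioned, and the token format, the store and the alerting are assumptions): a set of never-issued tokens lives beside the real session table, and any request that presents one is recorded against its source address.

```python
import secrets
from collections import Counter

TOKEN_HEX_CHARS = 32  # assumption: 128-bit session ids rendered as 32 hex characters


def make_decoys(n):
    """Generate n decoy session ids in exactly the format of real ones; they are never issued."""
    return {secrets.token_hex(TOKEN_HEX_CHARS // 2) for _ in range(n)}


class SessionStore:
    def __init__(self, decoys):
        self.decoys = set(decoys)
        self.live = {}                # token -> username for sessions actually issued
        self.decoy_hits = Counter()   # source ip -> number of decoy tokens it has presented
        self.alerts = []              # (source ip, decoy token) in the order seen

    def issue(self, username):
        token = secrets.token_hex(TOKEN_HEX_CHARS // 2)
        while token in self.decoys:   # vanishingly unlikely, but never hand out a decoy
            token = secrets.token_hex(TOKEN_HEX_CHARS // 2)
        self.live[token] = username
        return token

    def resolve(self, token, src_ip):
        """Return the username for a live session, or None.

        A decoy token is never live, so it resolves to None like any bad token,
        but the presentation is recorded: nobody was ever given that value."""
        if token in self.decoys:
            self.decoy_hits[src_ip] += 1
            self.alerts.append((src_ip, token))
            return None
        return self.live.get(token)

    def suspected_enumerators(self, threshold=1):
        """Source addresses that presented at least `threshold` decoy tokens."""
        return sorted(ip for ip, n in self.decoy_hits.items() if n >= threshold)
```

One caveat the comment does not spell out: decoys only catch blind guessing when the token space is small or sequential enough for a guesser to walk through it. Against 128-bit random ids a guesser will never land on a decoy by chance, and the decoys instead detect leaked or stolen values, so they earn their keep when planted where a harvester would find them (an exported log, a test fixture, a cookie jar) rather than in the random space itself.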
One reason this idea would be especially good for hospitals is because such actions have gotten hospitals sued in the past. Simply put, no hospital employee is supposed to view a patient's information unless required. So, if Nurse Betty is looking up "John F. Kennedan's" file, and also sneaks a peek at "John F. Kennedy's", she just broke federal law, and the hospital is going to want to know about that.
As for false positives in other instances, people seem to be just trolling. For example, every single day at a former employer of mine, a cell phone provider, we'd get false positives on customers who may or may not have been using fraudulent information to sign up for service. As such, we would stop and call the verification services we used, and verify that customer. So sure, out of thirty customers a day, it would generate five warnings, four of which were false. But one of them wasn't, and that makes all the difference.
There's never going to be some "All seeing Eye of God" security system, but every little bit helps. Especially, as noted, in both banking and hospitals, where customers' information is bound to a need-to-know basis by federal law.
Mod Points: Helping you keep your opinion to yourself.
People have been doing this for ages, at least out here in the "really real world".
Mapmakers put fake cities on their maps in obscure places, so that they can tell whether another mapmaker just copied their maps (illegal) or whether they went out and compiled their own information.
Folks who put together directories (like phone books) that forbid their use by telemarketers put fake people (with real phone numbers) in there to identify telemarketers that are illegally using the directory as a basis for telemarketing calls.
There's even a sort-of-backwards example from cryptography, that I believe Schneier came up with. You are all probably familiar with the basic concept that if you crack someone's crypto, you can't use the info you get from cracking their crypto unless you can plausibly explain how you got that info by another mechanism. There are big chunks of Cryptonomicon dedicated to this idea, and it's a real idea. Well, one way to tell if your crypto has been hacked is to find a really funny joke and to transmit it only by your crypto mechanism. Most folks who'd crack your crypto would have a hard time believing that the cleartext of the joke was never transmitted anywhere, so they see less reason to be anal about the normal procedures. So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken.
You'll find all sorts of examples of this basic idea, going back for centuries.
> Dictionaries contain false entries intended to serve as markers and preserve the collection copyright.
That must be where that word 'nukyuler' comes from that I keep hearing W use, right?
basically because of a honeytoken like entity
someone at installshield had an entry in some internal company data source using her maiden name (and had used her maiden name nowhere else). she received solicitations from wise and got suspicious.
now installshield is suing the hell out of wise, see this article, and this news release
No.
Cliff Stoll did something like this when he was tracking down hackers at LBL.
The article probably wouldn't have mentioned Cliff for using this technique if he hadn't. :-)
When I worked for a mail order company for songbooks, we rented a list of all the youth groups and churches in the U.S. for a one time mailing. Those who responded got put on our real list and we threw away the rest.
Real SUV's don't have cupholders
It's 5:42 A.M., do you know where your stack pointer is?
One place I worked at had 'root' as a honeytoken on all their production servers, there was a separate administrator account [they never would tell me what its name was...] and if anyone logged in as root it set off all sorts of alarms. I thought that was cool.
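Detecting the 'root' honeytoken account described above comes down to watching the authentication log for a successful login as a name that nobody is ever supposed to use. The following is an added example, not the poster's setup: the log lines are constructed in OpenSSH's "Accepted ... for ... from ..." wording, and the choice of which accounts count as honeytokens is an assumption.

```python
import re

# Assumption: the accounts that nobody should ever log in as. The comment above used 'root'
# because real administration went through a differently named account.
HONEYTOKEN_ACCOUNTS = {"root"}

# Successful sshd logins, in OpenSSH's auth log wording.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines: one normal login, one failed and one successful root login,
# and a local cron session for root that is not a login at all.
SAMPLE_LOG = """\
Mar 14 02:11:09 db01 sshd[4112]: Accepted publickey for deploy from 10.0.0.7 port 50212 ssh2
Mar 14 02:12:40 db01 sshd[4140]: Failed password for root from 198.51.100.23 port 41022 ssh2
Mar 14 02:12:44 db01 sshd[4141]: Accepted password for root from 198.51.100.23 port 41026 ssh2
Mar 14 02:15:01 db01 CRON[4199]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def honeytoken_logins(log_text):
    """Return (timestamp, user, source ip, auth method) for each successful login as a honeytoken account.

    Failed attempts and local (non-sshd) sessions are deliberately ignored here; the
    comment's alarm fired on someone actually getting in as root."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m.group("user") in HONEYTOKEN_ACCOUNTS:
            alerts.append((m.group("ts"), m.group("user"), m.group("ip"), m.group("method")))
    return alerts


if __name__ == "__main__":
    for alert in honeytoken_logins(SAMPLE_LOG):
        print("HONEYTOKEN LOGIN:", alert)
```

The interesting property is that there is nothing to tune: the real administrators never use the name, so any hit is worth a phone call, and the cron line shows why matching on the login event rather than on the string "root" keeps routine local activity out of the alert.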
When the Boss steals, it's big-time, way more than any of you make in a year at your salaried job.
The big guys don't need to steal to drain the company. The laws (and corporate policies) allow them to do things the rest of us would spend hard time in the federal pen for.
As a trivial (though not unusual) example, at my previous job, the CEO made a bad call about handling a bug in a customer's software. Relatively minor bug, but due to the nature of the software, he and the company might actually have had to endure criminal proceedings if they handled his bad call poorly.
So the solution? He left the company with nearly a ten MILLION dollar parting bonus, sort of vaguely admitted responsibility, regulators considered the matter suitably dealt with, and the problem went away.
Think about that... This guy broke the law, so they gave him millions of dollars.
And some folks wonder why so many of us outright despise corporate America.
As Eric Idle once said, after killing a dozen or so tribesmen in Monty Python's "The Meaning of Life", "Back home they'd hang me, but here they gimme a fuckin medal!".
Honeytokens sounds similar to the map publisher's trick of adding fake towns to maps. If a competitor copies the map, the original author/copyright holder can catch the copier by looking for the fake town.
Two wrongs don't make a right, but three lefts do.
Well, I don't know about the rest of the world, but in Australia I don't think hospital staff in general know SQL! Besides, if someone can use SQL to access the hospital database you have a problem anyway. If you think about it, a hospital would have some kind of built interface to the database, wouldn't it?
Aren't all those fake files on the p2p networks honeytokens??
They are lures, if you bite then you are doing something illegal and they get your IP address just for biting the bait???
Bam! Nothing to it...
I've ALWAYS suspected this..
Not exactly revolutionary... This is just list seeding.
You shove a one-time known fake name into a mailing list (postal or e-mail) that you sell and then if any mail arrives at that address sent by someone you didn't sell the list to, then you know that they've been abusing their terms for use of the list. I do the same thing with websites... I register for websites I write with sitename_seed@mydomain.com and if any of the 'seed' addresses get mail, then I know that someone's been harvesting addresses from that site. Thankfully this has never happened (yet!).
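The per-site seed addresses in the comment above (and the harvester-bait addresses mentioned earlier on the page) work best when the address encodes which site it was planted on and cannot be forged by someone who has seen a few of them. The following is an added example, not the commenter's own setup: it derives each address from a keyed hash of the site name, so an inbound recipient can be attributed back to the site and a made-up local part is rejected. The domain, the key and the site labels are constructed.

```python
import hashlib
import hmac
import re

DOMAIN = "mydomain.example"           # assumption: the domain the seed addresses live on
SECRET = b"constructed-secret-key"    # assumption: a per-deployment key that never appears on any site
TAG_LEN = 12                          # hex characters of the HMAC kept in the address


def _tag(site, secret):
    return hmac.new(secret, site.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def seed_address(site, secret=SECRET, domain=DOMAIN):
    """Address to register on `site` (lowercase letters, digits and hyphens only, by assumption)."""
    site = site.lower()
    return f"{site}_{_tag(site, secret)}@{domain}"


def attribute(address, secret=SECRET, domain=DOMAIN):
    """Map an inbound recipient back to the site it was seeded on, or None if it is not a valid seed."""
    m = re.fullmatch(r"([a-z0-9-]+)_([0-9a-f]{%d})@%s" % (TAG_LEN, re.escape(domain)), address.lower())
    if not m:
        return None
    site, tag = m.groups()
    # Recompute the tag rather than trusting the local part: an address someone guessed or
    # altered will not verify, so it cannot be used to point the finger at the wrong site.
    if hmac.compare_digest(tag, _tag(site, secret)):
        return site
    return None


def leaked_sites(recipients, secret=SECRET, domain=DOMAIN):
    """Given recipient addresses seen in inbound mail, return the sites whose seed was used."""
    sites = set()
    for addr in recipients:
        site = attribute(addr, secret, domain)
        if site is not None:
            sites.add(site)
    return sorted(sites)
```

Because the tag is keyed, publishing the scheme costs nothing: a harvester who collects one seed address learns the pattern but cannot mint a verifying address for a site they want to frame, and the operator keeps no lookup table beyond the key.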
Our company uses this trick. There are 'honey-addresses' in our database. (a correct address belonging to an employee, with a completely wrong name) As soon as anything arrives at one of those addresses we know someone has made illegal use of an address from our database. Whatever gets sent tells us who. Legal action follows ....
If you go making up honeytoken credit card numbers and social security numbers, you'd better be sure they *are* bogus, not real numbers that belong to someone you don't know. Otherwise, your honeytoken might be someone's real data....
Oops wouldn't cover it in that case. <wry grin>
Catherine
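Catherine's caveat above has a mechanical check behind it: some values can be shown to be bogus offline. A card number that fails the Luhn checksum cannot be a valid issued card number, and the Social Security Administration states that it never assigns numbers with area 000, 666 or 900-999, group 00 or serial 0000. The following is an added example, not from the article; the sample numbers are constructed, and the two checks are one-directional: a number that passes them might still be real, so only numbers they reject are safe to plant.

```python
import re


def luhn_valid(number):
    """Standard Luhn checksum over the digits of `number` (spaces and dashes are ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def definitely_fake_card(number):
    """True only if the number fails Luhn and therefore cannot belong to anyone."""
    return not luhn_valid(number)


def never_issued_ssn(ssn):
    """True only for forms the SSA never assigns; False means 'could be somebody's', not 'is real'."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn)
    if not m:
        raise ValueError("expected AAA-GG-SSSS")
    area, group, serial = (int(x) for x in m.groups())
    return area in (0, 666) or 900 <= area <= 999 or group == 0 or serial == 0


def safe_honeytoken_values(cards, ssns):
    """Filter constructed candidates down to the ones that are provably not real data."""
    return ([c for c in cards if definitely_fake_card(c)],
            [s for s in ssns if never_issued_ssn(s)])
```

The trade-off is visible in the card check: a harvester's tooling may discard Luhn-invalid numbers before anyone tries to use them, so a Luhn-failing honeytoken detects database theft but not necessarily downstream fraud. The SSN ranges have no such cost, since a never-issued number is indistinguishable from a real one to anyone who is not checking against the SSA's own rules.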
This reminds me of the cddb being stolen by Gracenote. Last time I checked, they were still claiming to own the database of audio discs (they may have changed their tune by now), despite the fact that it was built mostly from submissions by people like me. Gracenote basically took our diligent work, and started restricting access to it in order to make money. How do we know that they didn't build their own database? Because it contains entries for unpublished CDs that don't exist outside the homes of a few specific people; effectively honeytokens.
(Fortunately, an alternative now exists.)
So, whenever a careless engineer trips something, he merely writes in the log "deliberately tripped such and such safety to demonstrate it to so-and-so", and no one is the wiser...
So the JFK record would have to be corrupted, because if it emulated a correct record, then when the senior ward supervisor (nurse) was rostering staff to look after patients, JFK would be selected and allocated automatically. You'd have to fake all the way up to the top, ie ward, doctor, everything. And then the staff would recognise it as fake. Hospital patient databases are mostly for making sure patients get the right treatment, and a legal record of that treatment, and a financial record of the cost of that treatment, so a fake record would still have to be accessible to people responsible for these.
It doesn't make sense to say that nobody should be looking at the JFK record. It would make more sense to see the ward staff go nuts trying to find where he nicked off to (like an Alzheimer's patient). He's in the computer so he should be in the hospital. If it is merely a historical record, the same problem would apply to the accounting staff (why hasn't he paid his bill?).
And mostly when you go into a hospital or medical facility they get you to sign something that says vaguely that you consent to have your details available to anyone they deem appropriate. They're not going to come back and try to get your permission separately to give details to the cardiac doctor if you happen to have a heart attack while staying with them!
I understand the concept, but I think the example is fairly poor. Perhaps it would be more accurate to say something like "access to this record should be limited". And I think the concept may be fairly old, eg in WWII examples of feeding the enemy false data, rather than actually imprisoning the detected spy.
-- it must be true, it's on the internet.
This is standard process in the database biz, including things like mailing lists and (as others have noted here) maps. The term for it is "salting". Calling them "honeytokens" is applying the wrong seasoning... and treating it as new on /. is also silly.
When I got my ATM card, I wrote three 4-digit numbers on the back of the card, and showed it to my friends.
Friend: "Oh, I see! You hid the pass code among some fake passcodes!"
Me: "No, ALL of them are fake. I keep the real one in my head. I figure that a thief will think what you are thinking, and try all three numbers. Then the machine will eat the card."
If so, what's the point of storing those records in hospitals? Hospitals aren't storages for people's various papers, let patients store their own damn records.
Preserve old classics: copy your collection onto all hard drives.
In civilized countries you are not only not allowed to set traps for burglars, it has now been established that you owe a duty of care to anyone who breaks into your premises and trespasses on your land. If you know that kids might climb through your fence to hide in the long grass and get stoned, then KEEP OUT notices are not enough and if you have any hazards (deep wells, wires hidden in the grass) they must be made safe.
The logical correlative of this is that if you provide files with the intention that they should be downloaded by people who break into your system, and those files are engineered to cause damage, you will be (possibly criminally) liable for any damage you cause. "I didn't expect anyone to come this way" would be no defence when the only conceivable purpose of these files is to cause harm.