Slashdot Mirror


Honeytokens: The Other Honeypot

martyros writes "I just read a fascinating article by Lance Spitzner on securityfocus.com about a concept he calls honeytokens. The idea is similar to that of a honeypot, which he defines as "an information system resource whose value lies in unauthorized or illicit use of that resource". Rather than having a computer that's designed to be broken into, however, you have, say, a record in a database or a file that has no legitimate use; ergo, if anyone uses it, it must be illegitimate. An example he gives: adding a record to the hospital database for a guy named "John F. Kennedy". It doesn't correspond to a real person, so no one has any business looking at the file. If someone does access it, you know that they're abusing their privileges somehow. The article has several other clever examples, which I found very thought-provoking."

40 of 427 comments

  1. Or they made a mistake by buffer-overflowed · · Score: 3, Insightful

    Or there's a flaw in your software.

    Or they were poking around bored.

    Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

    Yes, quite superior to a honeypot, in every way.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
    1. Re:Or they made a mistake by in7ane · · Score: 5, Insightful

      I agree, it's just too likely that it will be people from within the organization just 'poking around' with no ill intent.

      It's just human nature - same as having to open a box with the sign 'do not open' on it :)

      Add to this that authorized workers will likely be told about these and told to keep out - causing a flood of 'I wonder what's in there...'

    2. Re:Or they made a mistake by captain_craptacular · · Score: 4, Interesting

      I agree, the database example is especially bad.

      It's very easy for beginners to write erroneous SQL which will access every record in a table.
      There are also lots of situations in SQL in which you legitimately need to access every row in a table, or in which the database does so on your behalf.

      For example:
      If you have a non-indexed table called Names, and you do select * from names where last_name = 'Smith', every row will be looked at. Legitimately.

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty nor security
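The distinction captain_craptacular draws between rows a query examines and rows it returns is exactly what a honey-record check has to respect. The following Python/SQLite script is an added example, not code from the article or from any poster: it plants the article's "John F. Kennedy" record under a constructed id, uses EXPLAIN QUERY PLAN to show that an unindexed lookup walks the whole table (so the engine touches the honeytoken row) without returning it, and raises an alert only when a honeytoken row actually appears in a result set, recording the result size so a reviewer can tell a targeted lookup from a bulk read. The table layout, ids, names and the alert format are all assumptions.

```python
import sqlite3

# Planted honeytoken record ids. The "John F. Kennedy" record is the example
# from Spitzner's article; the id 9001 and the other patients are constructed.
HONEYTOKEN_IDS = {9001}


def build_db():
    """Create an in-memory table with three ordinary patients and one honeytoken row."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, last_name TEXT, first_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [
            (1, "Smith", "Alice"),
            (2, "Jones", "Bob"),
            (3, "Smith", "Carol"),
            (9001, "Kennedy", "John F."),  # honeytoken: no real patient behind it
        ],
    )
    conn.commit()
    return conn


def plan_is_full_scan(conn, sql, params=()):
    """True when SQLite will walk the whole table for this query, i.e. when the
    engine examines the honeytoken row even if it is not part of the answer."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    # Each plan row is (id, parent, notused, detail). A full walk is reported as
    # "SCAN patients" (or "SCAN TABLE patients" in older SQLite releases), while a
    # primary-key or index lookup is reported as "SEARCH ...".
    return any(row[3].startswith("SCAN") for row in plan)


def audited_query(conn, user, sql, params=()):
    """Run a query on behalf of `user` and report honeytoken rows that were
    actually returned. Rows merely examined during a scan never trigger an
    alert, so unindexed WHERE clauses do not produce false positives."""
    rows = conn.execute(sql, params).fetchall()
    alerts = []
    for row in rows:
        if "id" in row.keys() and row["id"] in HONEYTOKEN_IDS:
            alerts.append(
                {
                    "user": user,
                    "honeytoken_id": row["id"],
                    # 1 means a targeted lookup; a large value means a bulk read
                    # such as an export or mailing-list build.
                    "result_size": len(rows),
                    "sql": sql,
                }
            )
    return rows, alerts


if __name__ == "__main__":
    db = build_db()
    q = "SELECT * FROM patients WHERE last_name = ?"
    print("full scan for Smith lookup:", plan_is_full_scan(db, q, ("Smith",)))
    print("alerts for Smith lookup:", audited_query(db, "nurse_b", q, ("Smith",))[1])
    print("alerts for Kennedy lookup:", audited_query(db, "nurse_b", q, ("Kennedy",))[1])
    print("alerts for full export:", audited_query(db, "export_job", "SELECT * FROM patients")[1])
```

The Smith lookup scans the honeytoken row but produces no alert; the Kennedy lookup produces an alert with result_size 1; a full export produces an alert with result_size 4. Which users or jobs are permitted bulk reads is a policy question the script leaves to whoever deploys it; the result size only gives the reviewer the information needed to make that call.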
    3. Re:Or they made a mistake by highcaffeine · · Score: 5, Insightful

      I was going to mod this down (overrated), but decided I'd rather reply.

      No one said that honeytokens are superior in every way to honeypots and should be used in place of the latter. That you pulled out of your hindquarters. Basically, what you said could be expressed similarly in this example: "Seat belts are not absolutely superior in every way to the steel frame of a car, so what's the point in buckling up?"

      I would hope that makes it clear how faulty your logic is. Like using seat belts in addition to a protective steel frame, to provide added protection, honeytokens could be used in addition to honeypots. Their ultimate goals are the same: protect your life (frame/seat belts) or your data (honey[pot|token]). If your life/data is that important, why not provide all the layers of security you can?

      One advantage that honeytokens do have is in who they can help protect against. Honeypots are typically deployed to detect and help figure out how to protect against external threats. Anyone with a shred of sense about security knows, however, that you also need to protect against internal threats. Deploying honeytokens can help in that vein, by possibly detecting internal abuse of your systems.

      Just because honeytokens won't protect against everything, solve global hunger, and bring about world peace, doesn't mean they shouldn't or can't be used effectively.

    4. Re:Or they made a mistake by aafiske · · Score: 5, Interesting

      "Or they were poking around bored.

      Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right."

      Well, for point one, if someone is bored and is poking around a medical database, that's a problem. And someone using a honeytoken credit card number is never okay. It's not something you do because you're bored.

      And the hacker might have compromised one system and gotten data, but the point is that you put some fake data in there as well. So then hacker says 'hooray, I've gotten the CFO's password, let me go check out some interesting numbers in their computers' and suddenly they're caught red-handed, because that login doesn't exist in reality, and the computer in question is set up to notify people immediately on a honeytoken login.

      These examples are taken from the article. It's a pretty clever idea and is much more versatile than the idea of a honeypot just as a server.

    5. Re:Or they made a mistake by singularity · · Score: 3, Interesting

      Or they made a mistake

      Yeah, no employer would want to know about accidental DB access...

      Or there's a flaw in your software.

      Yeah, I *definitely* would not want to know about that.

      Or they were poking around bored.

      Once again, no employer would want to know about curious poking-around by employees.

      Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

      Yeah, not worth it to take 30 seconds to make up a false record, since *every* cracker covers their tracks perfectly.

      Yes, quite superior to a honeypot, in every way.

      Different tools, different uses.

      --
      - (c) 2018 Hank Zimmerman
    6. Re:Or they made a mistake by dasmegabyte · · Score: 5, Insightful

      Ok -- I think this isn't necessarily a bad idea, so long as you don't expect it to be the end-all, be-all of security. I often perform weird ad-hoc queries on tables for data mining purposes, or to help our support team do things that their program just won't do (like cross index reports for a list of ids).

      Some DBAs LOVE to think that their precious data is only accessed the way they want it to be accessed. I once had a guy tell me, flat out, "You guys should never be doing ad hoc queries. Write and submit a stored procedure for everything you do." I have never heard a more ivory tower asshole statement in my life, and you better believe I didn't listen for a second. Nor should I have, nor would he really want me to...when the CEO comes over and asks for usage statistics for a potential customer, he doesn't want to be told "Wait until the DBA shmuck reviews this query first." It becomes harder to justify your excessive salary when all you do is prevent us programming peons from doing our job and call it "security."

      If I pull up a honeyrecord, and you're my dba, you should ask me about it, but not assume my account has been hacked and lock it down. Which means this is nothing more than yet another check measure. You'll still have to eye your logs and know your system.

      You know, this is actually a great way to prove somebody from outside has been data mining, and prosecute them for it. Put bullshit data in your db. If it shows up on somebody's website as fact, you'll know they were grabbing your shit. Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go. If you look at somebody else's map, and you find your BS street, you know they plagiarized. Just make sure you never buy a house on that street. Heh.

      --
      Hey freaks: now you're ju
    7. Re:Or they made a mistake by wmshub · · Score: 5, Informative

      If you are a desk clerk at a hospital, then the hospital would have every right to fire you.

      Hospital records are supposed to be kept as private as possible. Employees who satisfy their own curiosity without caring whose privacy they compromise should never be allowed to have jobs where "poking around" in private data is possible.

    8. Re:Or they made a mistake by timmyf2371 · · Score: 4, Informative

      The UK's Data Protection Act is designed to stop things even like this.

      Employees within an organisation should not be accessing records about a customer/patient without the client's consent - ill intent or no ill intent.

      Particularly records such as hospital records - staff should under no circumstances be accessing records for any person, i.e. John F Kennedy, unless required by the customer/client/patient.

      If employees are poking around in files which are designed to trap them, what is to say they're not poking around in your records without your consent - is this breach of privacy acceptable to you?

      --
      Backup not found: (A)bort (R)etry (P)anic
    9. Re:Or they made a mistake by questamor · · Score: 4, Informative

      Producers of maps do similar things...invent dead end streets and place them where nobody will ever try to go.

      When I worked in mapping, this is exactly what we did, and we kept a database of the false information and could check quite quickly if another supplier's dataset matched ours, "bug for bug".

      The false street is one, and is used in products where an extra nonexistent street wasn't something that could have problems with the use of the map in particular. There are dozens of other methods for different datasets, depending on their use. That's been going on for decades in the mapping industry.

    10. Re:Or they made a mistake by IWannaBeAnAC · · Score: 4, Insightful
      Maybe, just maybe, in a hospital database I would agree. But there are many fields where you would want people to notice and flag suspicious looking records.

      Even in the hospital example, what would you do if the office worker noticed something was wrong? Say, there was an obvious typo or something like that, potentially serious if nobody notices. Do you want the worker to be afraid of reporting it?

      While I can see the obvious abuse, poking around stuff that you weren't specifically told to poke is the stuff of legends, it would be a shame if society evolved into a "no permission means no look, no touch" attitude.

      Sure, I can see that honeytokens can (and are - after all it's just a version of the old 'put a marked note in the safe' trick that has been used in one form or another probably forever) be really useful - but it isn't a replacement for TRUST. I wouldn't want to see this applied universally, especially on public networks.

    11. Re:Or they made a mistake by IWannaBeAnAC · · Score: 4, Interesting
      Interesting. I would have expected that "national security" is one of the few places where 'random' poking around, following up idle speculations etc. is absolutely worth doing, because you might uncover something important.

      I can see this might be a problem in the USA though. In most countries, the secret services have nothing to do with law enforcement so a spook coming across a record that showed minor suspicious (in a criminal sense) behaviour, as long as it has no national security implications, would just ignore it. Unfortunately, in the USA, the agency likely to be doing the (illegal) snooping is the one and the only FBI, it means that (1) the national security has its hands tied by being constrained by procedures designed for ordinary criminals, and (2) procedures that ought to be used ONLY for serious national security (eg echelon?, unauthorized wiretaps etc) get misappropriated for urban law enforcement.

    12. Re:Or they made a mistake by ajs318 · · Score: 4, Interesting
      Employees who satisfy their own curiosity without caring whose privacy they compromise should never be allowed to have jobs where "poking around" in private data is possible.
      I can't agree with that. My sense of morbid curiosity makes gerbils look positively ignorant. As long as you never (a) reveal information you shouldn't have accessed, nor (b) base a decision on such information, it is not a problem for me. Possession of information is never wrong {claiming otherwise creates the concept of thoughtcrime}, though it can certainly be misused.
      --
      Je fume. Tu fumes. Nous fûmes!
    13. Re:Or they made a mistake by dasmegabyte · · Score: 3, Insightful

      God, it's asshole admins like this that give IT a bad name...and are probably the reason why so many jobs are getting outsourced. I mean, why keep around people who think it's their job to be a belligerent elitist and in the process stop everybody else from getting their job done? I didn't think Nick Burns was a funny character at all...I thought he was a sick composite.

      Listen. Management doesn't mean discouragement. It does not mean banning a person from doing what they need to do because you're too fucking lazy to make it safe. There's a huge difference between indiscriminately giving somebody root and letting them run select statements in a database or on a particular set of tables. It's the difference between giving the inventory guy the keys to your warehouse, or letting him run around INSIDE without hassling him every five minutes. I used to work for the records center for the NY Department of Criminal Justice, and they didn't run as tight a ship as some of the UN*X admins I've known. That's because if they denied access to everything like some sysadmins, the "runners" wouldn't be able to pull what they needed, and law enforcement would suffer as a consequence.

      Besides, as much as you like to think of it as such, this isn't your system. You may be in charge of it, but chances are you don't use the thing. The customers do -- the customers and the staff who serve them. You may be in charge of it, but you have no ownership over it. You're in charge like the custodial staff is in charge of the toilet.

      You can keep the bad guys out of the building with your firewalls and your routers and your proxies. You can keep the idiots in house out of the sensitive shit, back up the data every 17 seconds and dust everybody's keyboards at night for unknown fingerprints. Hell, you can even come up with some cockamamie password policy, like I have to have at least one Korean symbol in my password that changes bihourly. Do whatever makes you feel like you actually know dick about security -- just don't keep me from doing my job. If I can't run a query for a troubled customer, we've lost business. If you have to monitor one extra user account for suspicious activity, we haven't lost anything. Not only is creating potholes like this counterproductive, it also doesn't improve security in the least. I've never known an "exploratory hacker" who cared a whit about getting access to a person's read only accounts when it's often just as easy to get root. Why eat hamburger when you can eat steak?

      --
      Hey freaks: now you're ju
    14. Re:Or they made a mistake by antirename · · Score: 4, Interesting

      Here's what I've been doing for years. I have a folder on my drive with a very suggestive name. Looks like porn... a few really good videos, some nice pic series, a few porn games, the usual stuff but fairly high quality. This folder is sure as hell not in any area that the webserver or anything else connected to the web should be able to touch, it is in a fake user's directory. The last few .exe files on the list are not porn games, though. At least that's not all they are. They've had some rather nasty viral code (not in the GPL sense) wrapped into them. The only way those files will ever be accessed is if the box has been compromised or I really screw up running as root (which would corrupt my logs, but otherwise do nothing since the box is *nix). Those files have been accessed once. I screwed up and didn't apply a patch I should have. The script kiddie, on the other hand, went off the radar a few minutes after those "special" files were downloaded. Yeah, I had to rebuild the machine to be safe (faster than figuring out how much damage the little fucker did and I really didn't care who he/she/it was), but at least I got some satisfaction out of it :) Now, this part is of course purely hypothetical, but maybe something like this could be used to "poison the well" on those PTP networks the RIAA is trying to monitor. There are .exe compression programs out there that do a GREAT job of convincing antivirus software that a piece of software doesn't REALLY contain something like, say, Chernobyl. If you run MS shit on your box (or have a gaming box running MS like I do), give it a try for your own amusement. Then, when you're done, give the hype about "sandboxes" and "heuristics" some thought. Of course, script kiddies don't always run antivirus software, but why not be thorough? Fuck 'em if they can't take a joke.

    15. Re:Or they made a mistake by digitalsushi · · Score: 4, Interesting

      My friend works at a GIS place. He corrects map coordinates. Commercial map vendors will make fake streets to catch people using their data. So they have a policy: if it's a commercial source, they need one more commercial source saying the same thing, else it's bogus. Government maps are always ok, though.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    16. Re:Or they made a mistake by ahaning · · Score: 3, Funny

      So, when my shortest-path solutions come out oddly for my GIS labs, can I explain in my report that the problem could be that John F. Kennedy Boulevard doesn't actually exist?

      --
      Withdrawal before climax is very ineffective and those who try this are usually called "parents."
    17. Re:Or they made a mistake by nexex · · Score: 3, Informative
      During the Elizabeth Smart saga, several employees were fired from the health care org my father works for, for accessing her health care records; just satisfying your curiosity can get you fired.

      --
      Winter 2010: With Glowing Hearts
  2. Popular anti-spam technique by Anonymous Coward · · Score: 3, Interesting

    I seed all my pages with special "token" email addresses that will only be found by a spammer using harvesting software (or a really really bored user). Normal people will never find it and never want to use it. It works amazingly well.

    1. Re:Popular anti-spam technique by Greedo · · Score: 5, Interesting

      Even better (IMHO) is a system I developed for dynamic pages.

      Each page is seeded with a random, unique email address. Also, that address is stored in a database, along with the time it was generated, the page it was displayed on, and info about the viewer (i.e. IP address, UserAgent, etc.).

      Then, if that email is ever used, another automatic system reads that data out of the database and can correlate it.

      It's interesting to see some things. Like how long after an email is harvested is it being used (as little as 4 hours), and whether the people harvesting are also spamming (usually not). This way, you can fight spam by attacking/blocking the spammers *and* the people doing the harvesting.

      Oh, and I claim prior art ... in case Bezos is reading this.

      --
      Tuus crepidae innexilis sunt.
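As an added example (not Greedo's own code, nor anything from the article), the following Python sketch implements the scheme described in this comment: every page view is seeded with a fresh random address at a domain that is never otherwise published, the address is stored together with the time, page, viewer IP and User-Agent, and when mail later arrives for that address the record is pulled back to identify the view that leaked it and to measure the delay between harvesting and use. The domain trap.example, the SQLite schema, the epoch-seconds timestamps and all sample values are assumptions.

```python
import secrets
import sqlite3
import time

# Hypothetical domain whose only purpose is to receive mail to trap addresses.
TRAP_DOMAIN = "trap.example"


def open_store():
    """In-memory table of issued trap addresses (a real deployment would persist it)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE trap_addresses ("
        " address TEXT PRIMARY KEY, issued_at REAL, page TEXT,"
        " viewer_ip TEXT, user_agent TEXT)"
    )
    return conn


def issue_trap_address(conn, page, viewer_ip, user_agent, now=None):
    """Mint a unique address for one page view and record who saw it and when.
    `now` is epoch seconds and defaults to the current time."""
    now = time.time() if now is None else now
    # 8 random bytes -> 16 hex characters; unguessable and never reused.
    address = f"{secrets.token_hex(8)}@{TRAP_DOMAIN}"
    conn.execute(
        "INSERT INTO trap_addresses VALUES (?, ?, ?, ?, ?)",
        (address, now, page, viewer_ip, user_agent),
    )
    conn.commit()
    return address


def correlate_incoming(conn, rcpt_to, sender_ip, received_at):
    """Map a message delivered to a trap address back to the view that exposed it.
    Returns None for addresses we never issued (ordinary misdirected mail)."""
    row = conn.execute(
        "SELECT * FROM trap_addresses WHERE address = ?",
        (rcpt_to.strip().lower(),),
    ).fetchone()
    if row is None:
        return None
    return {
        "page": row["page"],
        "harvester_ip": row["viewer_ip"],
        "harvester_ua": row["user_agent"],
        "spam_sender_ip": sender_ip,
        # Greedo's observation: the harvester and the sender are usually different parties.
        "same_actor": sender_ip == row["viewer_ip"],
        "hours_to_use": (received_at - row["issued_at"]) / 3600.0,
    }


if __name__ == "__main__":
    # Constructed walk-through: one harvesting view, one spam run four hours later.
    store = open_store()
    t0 = 1_000_000_000.0
    addr = issue_trap_address(store, "/products", "203.0.113.7",
                              "Mozilla/4.0 (compatible; constructed-harvester)", now=t0)
    print("seeded:", addr)
    print("correlated:", correlate_incoming(store, addr, "198.51.100.20", t0 + 4 * 3600))
```

Because each address is unique to one view, a single received message identifies the harvester's IP and User-Agent unambiguously, which is what lets the defender block the harvesting client as well as the sending host; the same_actor flag records whether the two coincide.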
  3. Nothing new here, move along by ebh · · Score: 4, Informative

    This sort of thing has been around for decades. I remember as far back as the early 1970s, hobbyist magazines' "Buyer's Guide" issues would have deliberately bogus entries to ensure that their competitors didn't steal the data wholesale for their own buyer's guides.

    1. Re:Nothing new here, move along by AndroidCat · · Score: 4, Funny

      Encyclopaedias have done this for ages too. Make up a boring tiny entry for .. Boring Arkansas, and wait for a rival to copy it, then sue them. (Apologies if there is a Boring Arkansas, I am so sorry for you.)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Nothing new here, move along by throwaway18 · · Score: 4, Informative
      >This sort of thing has been around for decades.
      Reputedly this technique has been used for log tables since the seventeenth century.

      A few hundred years before the invention of the electronic gadgets Slashdotters take for granted, people were navigating the world in sailing ships and calculating their longitude and latitude with a sextant to measure the angle from the ground to the sun or a star, a clock and a book of log tables. Napier produced log tables in the 1600's but an accurate shipboard clock was only invented in 1764.

      A book of log tables can be used to multiply integers quickly using A*B=antilog(log A + log B) or to calculate trigonometric functions like sine, cosine and tan.

      Original production of a book of log tables took a lot of mathematical work. Publishers reputedly seeded the books with errors in the last digit to catch copiers.

  4. Just like "ringers" by vegetablespork · · Score: 5, Informative
    Folks who rent mailing lists add "ringers," which, if they receive a mailing after the term of the rental is up, yield prima facie evidence of violation of the rental contract.

    This is an interesting use of a known technique to help detect the unauthorized use of data, and alert administrators that the barn door is open--and maybe even who opened it.

    --
    Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.

  5. Search? by ajiva · · Score: 3, Interesting

    What happens if someone does a search that happens to find "John F. Kennedy" and several other patients? Does that mean the person was in the wrong place?

  6. The problem... by melete · · Score: 5, Insightful

    The problem with this (and with a lesser degree, with honeypots) is that these tokens will get accessed in legitimate ways -- for example, what if your secretarial staff is creating a mailing list, and "JFK" gets sent something? Or you have a browse function in an application that uses the database?

    It's a good idea, but not a panacea.

  7. I do this already by L.+VeGas · · Score: 5, Funny

    By placing arsenic in your water bottle that you leave in the refrigerator, you can tell who's been pilfering your lunch.

    1. Re:I do this already by dschl · · Score: 4, Funny

      I have heard stories of leaving gloves dusted with dye powder (same stuff used in money shipments) in your locker, just for the glove-thief on drilling rig crews. You always know who is stealing your gloves, but the bright red hands of the thief let everyone else know, too. If you are feeling a little bit nastier, you dust the inside of the glove with caustic, and then leave it in your locker for the glove thief. The caustic is a bit more dangerous, because if he rubs his eyes just before his fingers start burning, it could cause severe eye damage.

      The lunch thief in my drilling crew was the motorman, who did five years in Kingston pen for armed robbery. Claimed he was "reformed", so I guess he didn't really consider sandwich theft to be much of a crime. I was tempted to add ex-lax or something worse just for him, but never got around to it.

      --
      Slashdot - the place where you can look like a genius by restating the obvious
  8. Been around for awhile by miyako · · Score: 5, Funny

    ...several years in fact, although in a different form.
    A while back a bunch of businesses created a website called slashdot to monitor people who were surfing the net instead of doing work.

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  9. This is new? by shamino0 · · Score: 4, Interesting
    I seem to remember that phone companies have been doing this for decades in order to catch people illegally copying the phone book.

    Phone listings are not proprietary - anyone can publish a phone book. But you can't copy someone else's publication (like the telco's official phone book.)

    In order to tell if a third-party phone book is legal or not, the telcos put a bunch of bogus listings in every one. When third-party books are published, the telco can check to see if the bogus listings are in it. If they are, then they know that the book is an illegal copy of the telco's phone book. A book that doesn't pirate the telco's book (e.g. using listings purchased from the telco or by asking people to contribute contact information) will not have those listings in it.

    This sounds like the same concept applied to a new purpose.

    1. Re:This is new? by Lionel+Hutts · · Score: 4, Informative

      Right idea, wrong conclusion.

      It is perfectly legal to copy all the listings out of a phone book under your own name with no attribution.

      The phone book publishers that caught people copying this way discovered that it did them no good.

      --
      I Can't Believe It's A Law Firm, LLP does not necessarily endorse the contents of this message.
  10. Or they were poking around.... by autopr0n · · Score: 4, Interesting

    Or they were poking around bored.

    Or there's a flaw in your software.

    Well, then you'll just end up with a record of an 'intrusion' from localhost. If there is something wrong with your software, you should fix it anyway.

    Or they were poking around bored.

    The whole point is that they shouldn't be poking around. I certainly wouldn't want hospital employees 'poking around' in medical records. If someone is 'poking around' in sensitive data, then they are a hacker. If it's someone from your organization, you should either bitch at 'em or fire 'em, depending on what kind of work you do.

    Or you've been hacked in which case you won't have an access record anyway if the hacker did their job right.

    Not if you burn logs straight to a multisession CD...

    --
    autopr0n is like, down and stuff.
  11. Web developers have known this trick for a while by thalakan · · Score: 3, Interesting

    I first saw it mentioned at Black Hat 2002 in Vegas last year. The idea was that you would create fake session tokens for web applications and then monitor them for access by applications trying to brute force the session token values.

    I mentioned it to a web developer who said that the idea has actually been implemented in some of the large e-commerce sites he's worked on.

    --
    -- thalakan
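thalakan's fake session tokens, as an added example that is neither the Black Hat talk's code nor any site's implementation: the session store issues real tokens and separately plants decoy tokens that are never handed to a browser, so a request presenting one cannot come from a legitimate login and is recorded with the client's source address. Token length, the alert shape and the constructed request list are assumptions.

```python
import secrets


class SessionStore:
    """Session table that keeps real sessions and planted decoy tokens side by side."""

    def __init__(self, token_bytes=24):
        self.token_bytes = token_bytes
        self._sessions = {}      # token -> user name
        self._decoys = set()     # tokens that no browser was ever given
        self.alerts = []         # one entry per request that presented a decoy

    def issue(self, user):
        """Create a real session and hand its token back to the caller."""
        token = secrets.token_urlsafe(self.token_bytes)
        self._sessions[token] = user
        return token

    def plant_decoys(self, count):
        """Mint tokens drawn from the same space as real ones but never issued.
        Returns them sorted so a test harness can pick one deterministically."""
        for _ in range(count):
            self._decoys.add(secrets.token_urlsafe(self.token_bytes))
        return sorted(self._decoys)

    def lookup(self, token, client_ip):
        """Resolve a presented token to its user, or None. A decoy hit is logged
        with the presenting address; the caller treats it like any invalid session."""
        if token in self._decoys:
            self.alerts.append({"ip": client_ip, "token": token, "kind": "decoy_session"})
            return None
        return self._sessions.get(token)


def replay_requests(store, requests):
    """Feed (client_ip, token) pairs through the store and count decoy hits per IP,
    which is the signal a monitor would threshold on before blocking the source."""
    hits = {}
    for ip, token in requests:
        before = len(store.alerts)
        store.lookup(token, ip)
        if len(store.alerts) > before:
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    # Constructed walk-through: one real user, three decoys, one guessing client.
    store = SessionStore()
    real = store.issue("alice")
    decoys = store.plant_decoys(3)
    sample = [("10.0.0.5", real), ("203.0.113.9", decoys[0]),
              ("203.0.113.9", "not-a-token"), ("203.0.113.9", decoys[2])]
    print("decoy hits per IP:", replay_requests(store, sample))
    print("alerts:", store.alerts)
```

A caveat worth keeping in mind: with 24 random bytes per token, blind guessing is as unlikely to land on a decoy as on a real session, so in that configuration the decoys mainly catch tokens obtained by other means (a copied session table, a leaked log). Decoys detect guessing itself only where the token space is small or predictable, which is the situation the 2002 talk was addressing.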
  12. One note on false positives "problem" by Nemus · · Score: 3, Interesting
    Some people have pointed out that maybe someone just looking through a database on legitimate business sees an interesting patient file, and opens it up, just to look.

    One reason this idea would be especially good for hospitals is because such actions have gotten hospitals sued in the past. Simply put, no hospital employee is supposed to view a patient's information unless required. So, if Nurse Betty is looking up "John F. Kennedan's" file, and also sneaks a peek at "John F. Kennedy's", she just broke federal law, and the hospital is going to want to know about that.

    As for false positives in other instances, people seem to be just trolling. For example, every single day at a former employer of mine, a cell phone provider, we'd get false positives on customers who may or may not have been using fraudulent information to sign up for service. As such, we would stop and call the verification services we used, and verify that customer. So sure, out of thirty customers a day, it would generate five warnings, four of which were false. But one of them wasn't, and that makes all the difference.

    There's never going to be some "All seeing Eye of God" security system, but every little bit helps. Especially, as noted, in both banking and hospitals, where customers' information is bound to a need-to-know basis by federal law.

    --
    Mod Points: Helping you keep your opinion to yourself.
  13. Old, old idea. by DdJ · · Score: 4, Informative

    People have been doing this for ages, at least out here in the "really real world".

    Mapmakers put fake cities on their maps in obscure places, so that they can tell whether another mapmaker just copied their maps (illegal) or whether they went out and compiled their own information.

    Folks who put together directories (like phone books) that forbid their use by telemarketers put fake people (with real phone numbers) in there to identify telemarketers that are illegally using the directory as a basis for telemarketing calls.

    There's even a sort-of-backwards example from cryptography, that I believe Schneier came up with. You are all probably familiar with the basic concept that if you crack someone's crypto, you can't use the info you get from cracking their crypto unless you can plausibly explain how you got that info by another mechanism. There are big chunks of Cryptonomicon dedicated to this idea, and it's a real idea. Well, one way to tell if your crypto has been hacked is to find a really funny joke and to transmit it only by your crypto mechanism. Most folks who'd crack your crypto would have a hard time believing that the cleartext of the joke was never transmitted anywhere, so they see less reason to be anal about the normal procedures. So, you watch to see if the joke "leaks out" into the world. If so, and if you maintained other security, then your crypto has been broken.

    You'll find all sorts of examples of this basic idea, going back for centuries.

    1. Re:Old, old idea. by ralmeida · · Score: 3, Funny

      Yeah, I have this really, really, really good joke, but I can't tell you because I use it as a honeytoken.

      I also have a simple proof of Fermat's Last Theorem, but it's being used as a honeytoken also. Sorry.

      --
      This space left intentionally blank.
  14. Wise detected pilfering info from Installshield by raaum · · Score: 3, Informative

    Basically because of a honeytoken-like entity.

    Someone at InstallShield had an entry in some internal company data source using her maiden name (and had used her maiden name nowhere else). She received solicitations from Wise and got suspicious.

    Now InstallShield is suing the hell out of Wise; see this article, and this news release.

  15. Re:Sorry-ass bosses. by pla · · Score: 4, Insightful

    When the Boss steals, it's big-time, way more than any of you make in a year at your salaried job.

    The big guys don't need to steal to drain the company. The laws (and corporate policies) allow them to do things the rest of us would spend hard time in the federal pen for.

    As a trivial (though not unusual) example, at my previous job, the CEO made a bad call about handling a bug in a customer's software. Relatively minor bug, but due to the nature of the software, he and the company might actually have had to endure criminal proceedings if they handled his bad call poorly.

    So the solution? He left the company with nearly a ten MILLION dollar parting bonus, sort of vaguely admitted responsibility, regulators considered the matter suitably dealt with, and the problem went away.

    Think about that... This guy broke the law, so they gave him millions of dollars.

    And some folks wonder why so many of us outright despise corporate America.

    As Eric Idle once said, after killing a dozen or so tribesmen in Monty Python's "The Meaning of Life", "Back home they'd hang me, but here they gimme a fuckin medal!".

  16. fake files on kazaa??? by pair-a-noyd · · Score: 4, Informative

    Aren't all those fake files on the p2p networks honeytokens??

    They are lures, if you bite then you are doing something illegal and they get your IP address just for biting the bait???

    Bam! Nothing to it...

    I've ALWAYS suspected this..

  17. These errors are called salt. by isdnip · · Score: 3, Informative

    This is standard process in the database biz, including things like mailing lists and (as others have noted here) maps. The term for it is "salting". Calling them "honeytokens" is applying the wrong seasoning... and treating it as new on /. is also silly.