IDS mailing list archives

RE: Honeytokens and Detection


From: "Trey A Mujakporue" <trey.trey () ntlworld com>
Date: Mon, 28 Jul 2003 10:59:21 +0100

On a similar note... Aren't honeytokens the way various
government security agencies catch spies?
Making a tainted piece of information available to a select group of
people and then watching to see if that piece of information leaks...

-----Original Message-----
From: Bill Royds [mailto:broyds () rogers com] 
Sent: 19 July 2003 03:21
To: Augusto Quadros Paes de Barros; focus-ids () securityfocus com
Subject: Re: Honeytokens and Detection


One thing honeytokens are a lot like is auditors' test data. When one
does an audit of a computerized financial system, an auditor often adds
test records of certain types to the input stream and looks to see what
comes out the other end. For example, a new employee record with an
invalid SSN is sent through a payroll system and checks are made to
ensure that that record is kicked out and flagged, etc. Auditors have
been putting these test cases in accounting systems for years to detect
someone trying to defraud a company, whether using computerized methods
or not.
     Comparing honeytokens to such well established techniques (even
though they are not exactly the same) can help sell the idea to
management, especially if you get the internal auditors on your side.
Often computer security people are members of the International System
Audit and Control Association (ISACA), which defines the CISA
certification. Test case generation is one of the required skills and
may help in creating effective honeytokens.


----- Original Message ----- 
From: "Augusto Quadros Paes de Barros" <augusto () paesdebarros com br>
To: <focus-ids () securityfocus com>
Sent: Friday, July 18, 2003 9:50 AM
Subject: RES: Honeytokens and Detection


Lance,

I'm glad to see that there is still interest in this subject. I'm trying
to find other uses for it too, and I have already picked some of my
favourites:

- Admin Rights User: Create an administrator on your domain/computer,
use a HUGE/COMPLEX password (so it cannot really be used by someone) and
keep your eyes on it. Users with admin rights are one of the first
targets of black hats. If someone logs in with it, there is a problem.

- Files on P2P nets: I already heard that the police here in Brazil are
trying to identify people involved with pedophilia with honeytoken files
in P2P networks.

- Web Server hidden files: .inc, .old or other apparently interesting
files in publicly accessible directories on web servers. As there is no
link to them, any entry in the web server log showing access to these
files is quite suspicious and indicates that someone is able to know
about files that are not related to the website.

- Renaming a common tool: This one is a bit different. It can be useful
when the turnover of the administration team is not very high. You can
replace one of the common tools used by administrators (like ipconfig on
Windows or kill or vi on Unix) with an "alarm trigger". All the team knows
that they must use the renamed tool, but someone who is not part of the
team will innocently pull the trigger. The chances of false positives are
a bit higher than with other honeytokens, but it's still a fun thing to
do.


I believe that the most important thing about honeytokens is to make the
people responsible for Intrusion Detection aware of them and how they work.
As they know the systems and procedures of the company where they work,
they are the best people to define what can be a honeytoken and where it
should be placed. Incident history and lessons learned can be a good
place to start planning a honeytoken deployment.

Regards,

Augusto Paes de Barros, CISSP.


-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Thursday, July 17, 2003 13:33
To: Focus on Intrusion Detection Systems
Subject: Honeytokens and Detection


Honeytokens are a relatively new tool with many applications to
detection, especially for the insider threat.  I've made an attempt to
define what this tool is, its value, and how it can work.

 Honeytokens: The Other Honeypot
http://www.securityfocus.com/infocus/1713

I would love any input, ideas, or suggestions on this relatively new
tool.

Thanks!

-- 
Lance Spitzner
http://www.tracking-hackers.com



---------------------------------------------------------------------------
Is your IDS deployed correctly?
Find out by easily testing it with real-world attacks from CORE IMPACT.
Go to www.coresecurity.com/promos/sf_eids1 to learn more.
---------------------------------------------------------------------------

Augusto Quadros Paes de Barros, CISSP http://www.paesdebarros.com.br
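The "Web Server hidden files" honeytoken described in the thread above needs a detector behind it: something that watches the access log for requests to files that exist but are linked from nowhere. This is an added example written for this archive page, not code from any of the posters; the honeytoken paths, IP addresses and log lines are all constructed, and it parses the Apache/NCSA combined log format.

```python
import re
from urllib.parse import unquote, urlsplit

# Honeytoken paths: files deployed on the server but never linked from any page.
# Any request for them is suspicious. (Constructed sample values.)
HONEYTOKEN_PATHS = {"/includes/db.inc", "/admin/config.old", "/backup/site.tar.gz"}

# Apache/NCSA combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def normalise_path(target):
    """Drop the query string and percent-decode, so /admin/config%2Eold?x=1
    still matches the honeytoken /admin/config.old."""
    return unquote(urlsplit(target).path)

def scan_access_log(lines, tokens=HONEYTOKEN_PATHS):
    """Return one alert dict per request that touched a honeytoken path.
    The status code is reported but not used for the decision: knowing the
    name of an unlinked file is the suspicious part, not whether it was served."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these separately
        path = normalise_path(m.group("target"))
        if path in tokens:
            alerts.append({
                "ip": m.group("ip"), "time": m.group("ts"), "path": path,
                "status": int(m.group("status")),
                "referer": m.group("referer"), "ua": m.group("ua"),
            })
    return alerts

# Constructed sample log: two ordinary hits, one direct request for a
# honeytoken file, and one percent-encoded request carrying a query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jul/2003:09:50:01 -0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [18/Jul/2003:09:50:02 -0300] "GET /images/logo.gif HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/4.0"',
    '198.51.100.23 - - [18/Jul/2003:09:51:17 -0300] "GET /includes/db.inc HTTP/1.0" 200 640 "-" "Wget/1.8"',
    '198.51.100.23 - - [18/Jul/2003:09:51:18 -0300] "GET /admin/config%2Eold?download=1 HTTP/1.0" 200 1337 "-" "Wget/1.8"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print("HONEYTOKEN ACCESS", alert)
```

Feeding the real access log through this (tail -f piped into the script, or a periodic batch run) turns the unlinked files into a near-zero-false-positive alarm, since only a directory scan, a leaked listing or someone with inside knowledge of the filesystem ever asks for them.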

