RE: Honeytokens and detection

["LAVELLE,MICHAEL \(HP-PaloAlto,ex1\)" <mlavelle () hp com>]

Lance,

In my mind, taking this a step further, there is no reason such information
"should" cross the ISP gateway destined for external addresses, unless it is
pre-arranged. Planting some honeytokens makes a lot of sense, and these
records can be labeled as test records. When the IDS detects these records
transiting toward the ISP gateway, it can ring alarms, or perhaps kill the
tcp session to stop the leak. If the transfer is intentional, then you can
temporarily allow it.

Your idea sounds very interesting...thanks for sharing it.

Cheers,

Mike
-------------------
Mike Lavelle
Network Security Consultant
Hewlett-Packard

-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org] 
Sent: Thursday, April 03, 2003 2:45 PM
.
.
.
I was thinking that Honeytokes could be used for detecting
when such data was compromised/stolen.  Inside each
database Honeytoken numbers are inserted.  These tokens
are known to have no value, no one should be using them. Detection
mechanisms such as IDS signatures are then created 
to look for and detect these tokens being access or used.  If 
these tokens are seen, this means someone has captured the 
database, or looking where they shouldn't be.

For example, create bogus social security numbers and store them in your SSN
database.
...