Honeypots mailing list archives
RE: Honeytokens and detection
From: "LAVELLE,MICHAEL \(HP-PaloAlto,ex1\)" <mlavelle () hp com>
Date: Fri, 4 Apr 2003 10:10:36 -0500
Lance,

In my mind, taking this a step further, there is no reason such information "should" cross the ISP gateway destined for external addresses, unless it is pre-arranged. Planting some honeytokens makes a lot of sense, and these records can be labeled as test records. When the IDS detects these records transiting toward the ISP gateway, it can ring alarms, or perhaps kill the tcp session to stop the leak. If the transfer is intentional, then you can temporarily allow it.

Your idea sounds very interesting...thanks for sharing it.

Cheers,
Mike

-------------------
Mike Lavelle
Network Security Consultant
Hewlett-Packard

-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Thursday, April 03, 2003 2:45 PM

. . .

I was thinking that Honeytokens could be used for detecting when such data was compromised/stolen. Inside each database Honeytoken numbers are inserted. These tokens are known to have no value, no one should be using them. Detection mechanisms such as IDS signatures are then created to look for and detect these tokens being accessed or used. If these tokens are seen, this means someone has captured the database, or is looking where they shouldn't be. For example, create bogus social security numbers and store them in your SSN database.

...
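An added example, not part of either message above: a sketch of the detection both posts describe, turning planted SSN honeytokens into outbound Snort content rules and checking captured payloads for them. The token values, SID range, rule message and sample payloads are all constructed for illustration.

```python
import re

# Constructed honeytoken SSNs (test records). Area numbers 000 and 666 are
# never issued, so these cannot collide with a real person's number.
HONEYTOKENS = ["000-12-3456", "666-45-6789"]

def variants(token):
    """Forms a token may take on the wire: dashed, bare digits, spaced."""
    return [token, token.replace("-", ""), token.replace("-", " ")]

def snort_rules(tokens, base_sid=1000001):
    """One Snort content rule per variant, outbound direction only."""
    rules, sid = [], base_sid
    for tok in tokens:
        for v in variants(tok):
            rules.append(
                "alert tcp $HOME_NET any -> $EXTERNAL_NET any "
                f'(msg:"Honeytoken SSN leaving network"; content:"{v}"; '
                f"sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules

def find_tokens(payload, tokens):
    """Return the honeytokens present in a payload (bytes)."""
    hits = []
    for tok in tokens:
        area, group, serial = (p.encode() for p in tok.split("-"))
        # Digit boundaries stop a match inside a longer number.
        pat = rb"(?<!\d)" + area + rb"[- ]?" + group + rb"[- ]?" + serial + rb"(?!\d)"
        if re.search(pat, payload):
            hits.append(tok)
    return hits

# Constructed payloads standing in for reassembled outbound TCP streams.
SAMPLES = [
    b"id,name,ssn\n17,Test Record,000-12-3456\n",
    b"ssn=666456789&x=1",
    b"order 10001234567 shipped",
]

if __name__ == "__main__":
    print("\n".join(snort_rules(HONEYTOKENS)))
    for s in SAMPLES:
        print(s, "->", find_tokens(s, HONEYTOKENS) or "clean")
```

Plain content matching only sees tokens that cross the gateway unencrypted and unencoded, so a transfer over TLS or inside a compressed archive will not trigger these rules.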