Security

  • honeytokens


    Hi,

    I am relatively new in this area. I had some questions
    and would be thankful if someone could shed some light
    on them.

    I had the idea for honeytokens some time back. Only then did I
    find out it had already been thought of. I did not
    know the keyword "honeytoken". While I was talking to
    a friend of mine, he said it sounds like a
    honeypot. Then I searched on Google for honeypot and
    databases. I have decided to do my thesis on
    honeytokens.

    1. What are the key challenges involving honeytokens?
    2. Why has it not been implemented on a large basis?

    Best,
    Vijay
    Work like you don't need the money
    Dance like no one is watching
  • No.1

    Fri, 06 May 2005 12:54:17 PDT, Vijayakumar said:

    ... I have decided to do my thesis on honeytokens.

    1. What are the key challenges involving honeytokens?

    2. Why has it not been implemented on a large basis?

    What makes you think they *haven't* been implemented on a large basis?

    It isn't like the bank or the hospital hangs out a big "WARNING: HONEYTOKENS
    IN USE" sign. They just *very quietly* insert fictitious information, like
    a medical record for Tom Cruise or Paris Hilton, and then just wait and see
    if anybody actually accesses the data. If they find a hit, the security incident
    is then quietly dealt with in the appropriate manner (you don't want to issue
    a press release "A honeytoken caught this hacker", because that would be admitting
    the hacker got far enough into the database to find the honeytoken).

  • No.2

    Hi,

    On 5/6/05, Vijayakumar <gvij2000 (AT) yahoo (DOT) com> wrote:
    Hi,

    I am relatively new in this area. I had some questions
    and would be thankful if someone could shed some light
    on them.

    I'm not sure about light, but I'll try.

    I had the idea for honeytokens some time back. Only then did I
    find out it had already been thought of. I did not
    know the keyword "honeytoken". While I was talking to
    a friend of mine, he said it sounds like a
    honeypot. Then I searched on Google for honeypot and
    databases. I have decided to do my thesis on
    honeytokens.

    I'm sure you have found Lance's paper, "Honeytokens: The Other Honeypots".

    After reading the paper you will find partial answers to your
    questions. I say partial because Lance's paper is mainly focused on
    using honeytokens to deal with internal threats, and only suggests
    other additional uses in any kind of server (database, mail server,
    web server) that could be linked to an additional system (IDS or IPS)
    to detect honeytoken access in the security monitoring platform. These
    honeytokens could be classified by their "secret and unique nature",
    which makes them real or classical honeytokens.

    If you are interested in external uses of honeytokens, you could find
    useful information about the so-called "spambots" or "spambot
    honeytokens", or the classic modification of phf.cgi to detect access
    to the CGI and redirect the "attacker" to another central server which
    logs phf.cgi access all over the world. I've always thought of
    phf.cgi as the first "distributed token", but it could not be
    considered a distributed honeytoken because it was triggered any time
    an intruder made a request to the CGI script.

    A honeytoken is information, and an alert shouldn't be sent if this
    information is only gathered but not used. So distributed tokens
    should contain information and only alert the central node if this
    information is used.

    This kind of distributed token could help to detect widespread
    malicious activities in a way completely similar to worm detection
    using honeypots. These are tokens but are far from traditional
    honeytokens, and maybe it's better to think about them as sensors unless
    we can find a way to link the sensor to an information leak. So they
    need to be public and widespread so they can be used to identify a
    potential source of activity by simple alert aggregation, like IDSs do
    but without the need for "intelligence" to make the aggregation.

    These tokens need to be unique in such a way that they cannot be easily
    detected, so we need to make unique tokens which contain unique
    information. Spreadsheets with different names containing different
    users and passwords could be a simple example of distributed tokens;
    access to the system with the user/password combination could be
    used to send the alert to the central node.

    The nature of the tokens, which are mixed with real content, and the
    fact that the alert will only be triggered when the internal token is
    used may help to discard automatic activities that are not related
    to data gathering.

    A distributed network could be deployed and anyone could join it
    without gaining knowledge about the exact nature of the tokens that other
    nodes are using, so the tokens could remain secret, making it difficult to
    guess if they are a real vulnerability, a badly coded PHP page, an
    information leak like a nohup.out or java.log present in a web server
    root, or a distributed token.
    I have always thought about this kind of sensor to detect "Google
    hacking" activities without detecting all of the automatic toolkits
    that don't need any human interaction.

    They could be used to detect "data mining" activities like competitive
    intelligence scouting that looks for information leaks in an
    organization. This has been a traditional use of honeytokens, but
    using more tokens pointing to different targets could help to find
    attackers that are really interested in an organization, or a kind of
    information leak very common in different servers around the world.
    Unfortunately I never have time to think about it, and I'm sure that
    there is nothing new in all this mail, but I hope I could help you in
    the search for new honeytoken deployment strategies.

    Regards,
    Victor

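Both answers above describe the same mechanism from two angles: a fictitious database record that nobody should ever retrieve (No.1), and unique credential tokens planted in different copies of a spreadsheet so that a login with one of them points back to the copy that leaked (No.2), with the rule that an alert fires only when the token is *used*, not when the file carrying it is merely fetched. The following is an added example, written for this page and not code from either poster or from Lance's paper. It assumes a per-deployment secret held by the monitoring node, an invented `ts event key=value ...` log line format, and the event names `login`, `query` and `download`; the log lines in `demo()` are constructed, not a real capture.

```python
"""Added example: unique honeytokens per planting site, plus a detector that
alerts only when a token is used (login, query), never when it is only fetched."""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumed per-deployment secret; only the monitoring node holds it.
SECRET_KEY = b"replace-with-a-random-per-deployment-secret"


@dataclass(frozen=True)
class Honeytoken:
    label: str       # where it was planted; never encoded in the token itself
    kind: str        # "credential" or "record"
    value: str       # the unique string that shows up in a log when used
    password: str = ""


def derive(label, context, n, secret=SECRET_KEY):
    """HMAC-derived token material: unique per label, unguessable without the
    secret, and revealing nothing about the label to whoever finds it."""
    mac = hmac.new(secret, f"{label}/{context}".encode(), hashlib.sha256)
    return mac.hexdigest()[:n]


def credential_token(label):
    """A fake username/password pair for one copy of a spreadsheet, share, etc."""
    return Honeytoken(label, "credential",
                      value="u" + derive(label, "user", 7),
                      password=derive(label, "pass", 16))


def record_token(label):
    """A fake record identifier (a fictitious patient, say) for one database copy."""
    return Honeytoken(label, "record", value="P" + derive(label, "record", 8).upper())


def registry(tokens):
    """Map token value -> Honeytoken. This mapping stays on the monitoring node,
    so a captured token alone does not reveal where it was planted."""
    return {t.value: t for t in tokens}


# Events in which a token is *used*. A download merely carries the token and
# must not alert ("gathered but not used").
USE_EVENTS = {"login", "query"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse(line):
    """Split an assumed 'ts event key=value key="quoted value"' log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return m.group("ts"), m.group("event"), fields


def detect(lines, reg):
    """Return one alert per log line in which a registered token is used."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, event, fields = parsed
        if event not in USE_EVENTS:
            continue
        haystack = " ".join(fields.values())
        for value, tok in reg.items():
            if value in haystack:
                alerts.append({"ts": ts, "event": event, "label": tok.label,
                               "kind": tok.kind, "src": fields.get("src", "?")})
    return alerts


def demo():
    """Plant three tokens and replay constructed log lines against them."""
    toks = [credential_token("staff_2005.xls (finance share)"),
            credential_token("staff_2005.xls (partner ftp)"),
            record_token("patients db, ward 3 replica")]
    reg = registry(toks)
    partner, patient = toks[1], toks[2]
    sql = f"SELECT * FROM patients WHERE id='{patient.value}'"
    log = [  # constructed sample log, not a real capture
        "2005-05-06T12:54:17Z login user=alice result=success src=10.0.0.5",
        "2005-05-06T12:55:02Z download path=/partner/staff_2005.xls src=10.0.0.9",
        f"2005-05-06T13:10:44Z login user={partner.value} result=failure src=198.51.100.23",
        f'2005-05-06T13:40:01Z query sql="{sql}" src=10.0.0.44',
    ]
    return detect(log, reg)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['ts']} {a['kind']} token from [{a['label']}] "
              f"used via {a['event']} from {a['src']}")
```

Running it yields two alerts: the failed login with the partner-FTP copy's credentials (the download of that file on its own produces nothing) and the query that touched the fictitious patient record. The finance copy of the same spreadsheet stays silent, which is the attribution the second post is after. Substring matching over the joined field values is deliberate here so that a token buried inside a quoted SQL statement is still caught; in a production deployment you would match exact field values where the schema allows it and keep the token-to-label registry off the monitored systems.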
