Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: RE: Honeytokens and detection

RE: Honeytokens and detection

From: Frank Knobbe <fknobbe_at_knobbeits.com>
Date: 13 Apr 2003 22:06:45 -0500

On Tue, 2003-04-08 at 15:57, Pete Herzog wrote:
> I disagree. I think you may not get the illustration in full. If the bogus
> CCs or ID numbers were known and padded into excel sheets, particular DBs,
> etc., especially those with thousands of numbers, the thief would be
> downloading the whole thing at once. It would not be about downloading only
> part of the DB or part of an Excel sheet as long as the dangerous ones don't
> get downloaded.
>
> Since it's downloaded in bulk, the IDS will look for that token somewhere in
> the download (or upload). [...]

Pete,

I almost agreed with you, but then I started to think about some
scenarios.

a) Someone breaks into the database server. He pokes around and looks at
a few records (most likely unencrypted).

b) Someone breaks into the database server. Since the database is very
large, he only samples the top 100 rows of data so he can retrieve a few
numbers to buy himself a new watchamacallit. It's debatable if he could
choose to encrypt the transfer, although chances are better.

c) Someone breaks into the database server. Circumstances (size,
bandwidth, time) are favorable to download the whole database. If the
attacker does not encrypt the transfer, he would most likely compress
the data.

So, if data is bulk harvested, partially or in full, both encryption and
compression would render the honeytokens useless. Casual snooping would
have a higher probability to occur in clear text, but less of a chance
to hit a honey token.

I'm wondering how useful the honeytokens really are for a) professional
thieves (encryption) and b) large datasets (high miss/hit ratio).

Note that we are only talking about detection of data in transit, not of
detection of data in use (as would be the case with copy-bugs etc....
you know, those intentional typos in documents to mark them).

Augusto's reference to the fake administrator/root account would
probably fall into the 'detect on use' category, not into the 'detect in
transit' category. (i.e. administrator account in network packet)

Perhaps we need to define classification structure of honeytokens. Your
thoughts?

Regards,
Frank

Received on Apr 14 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos