I was thinking about tracking info too. Encryption and compression are
very serious limitations. However, it is easy to implement through Office
macros and styles, or even e-mail servers, adding a piece of information
after "internal use only" messages. In this case it would be very helpful to
avoid those cases of internal memos going outside accidentally.
I'll try to code some examples, but I would like to see people on the list
trying something like that too. Time and skill here are very limited things
:-)
See ya,
--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
augusto_at_paesdebarros.com.br
--------- Original Message --------
From: Pete Herzog <lists_at_isecom.org>
To: Lance Spitzner <lance_at_honeynet.org>, Augusto Paes de Barros
<augusto_at_paesdebarros.com.br>
Cc: focus-ids_at_securityfocus.com
Subject: RE: RES: Protocol Anomaly Detection IDS - Honeypots
Date: 21/02/03 17:06
>
> Hi,
>
> this is something we have helped implement using webbugs in MS docs,
> presentations, and other openable items for an internal honeypot. When
> opened, they call an image off a small, private webserver which in logging
> gives us the local IP address of the machine and the time so we can be
> fairly certain who accessed it. It's used mainly for "warnings". We know
> it's not perfect but it works. Next we would like to use MP3s and AVIs to
> do the same thing when opened.
>
> With the idea of honey tokens, I think this really could go to the next
> level-- even so far as tracking internal reports which get e-mailed or
> somehow transferred (even with tunnelling) outside the company (as long as
> no encryption is involved). It adds a whole new paradigm to maintaining
> internal security and order.
>
> Sincerely,
> -pete.
>
> Managing Director
> Institute of Security and Open Methodologies
> www.isecom.org
>
> > -----Original Message-----
> > From: Lance Spitzner [mailto:lance_at_honeynet.org]
> > Sent: Friday, February 21, 2003 5:37 PM
> > To: Augusto Paes de Barros
> > Cc: focus-ids_at_securityfocus.com
> > Subject: Re: RES: Protocol Anomaly Detection IDS - Honeypots
> >
> >
> > On Fri, 21 Feb 2003, Augusto Paes de Barros wrote:
> >
> > > Lance's point can be expanded in very interesting views. Why use only
> > > honeypots "hosts" or "nets", when we can use accounts, documents, info,
> > > etc? I was developing an idea that I call "honeytokens", to use on
> > > Windows networks. Basically, information that shouldn't be flowing over
> > > the network and, if you can detect it, something wrong is happening.
> >
> > Ohh, ooh! Very cool suggestion Augusto! This is something I never
> > thought of. Create documents, webpages, or resources that no one should
> > be accessing. You create these resources with specific, obvious
> > signatures so your detection mechanisms (logs, IDS sensors, etc) can
> > easily pick them up. If you detect these resources being moved around
> > your network, you know something is up!
> >
> > For example, you create a word document that has the title of payroll
> > or 'research and development'. You put whatever fluff you want in the
> > document, and give it a "tracking number", such as 14A8478bG98734T90AAZ.
> > Now, you simply create a signature looking for that "tracking number".
> > The concept would be to create resources that no one should be accessing
> > (the honeytoken) but is easily detectable if they do. You would have to
> > ensure the signature, as in this case the tracking number, is
> > unique enough that it minimizes, if not eliminates, false positives.
> >
> > This potentially opens a whole new world to honeypot concepts :)
> >
> > very cool :)
> >
> > lance
> >
> >
> > -----------------------------------------------------------
> > Does your IDS have Intelligent Attack Profiling?
> > If not, see what you're missing.
> > Download a free 15-day trial of StillSecure Border Guard.
> > http://www.securityfocus.com/stillsecure
Received on Feb 21 2003
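
The signature match discussed in the thread, as an added Python example that is not part of the original messages or any poster's code. It goes beyond the single literal signature by also matching the tracking number as UTF-16LE text and as base64 at all three byte alignments; those two encodings and every sample payload are assumptions constructed here, and the compressed sample shows the limitation raised in the top message.

```python
import base64
import zlib

# Tracking number quoted in Lance's message; everything else here is constructed.
TOKEN = b"14A8478bG98734T90AAZ"

def base64_forms(needle: bytes) -> list[bytes]:
    """Base64 text of needle at each of the 3 possible byte alignments."""
    forms = []
    for pad, skip in ((0, 0), (1, 2), (2, 3)):
        data = b"\0" * pad + needle
        enc = base64.b64encode(data).rstrip(b"=")
        if len(data) % 3:          # last char also encodes the unknown next byte
            enc = enc[:-1]
        forms.append(enc[skip:])   # leading chars encode the unknown previous bytes
    return forms

def signatures(token: bytes) -> dict[str, list[bytes]]:
    return {
        "ascii": [token],
        "utf-16le": [token.decode("ascii").encode("utf-16-le")],
        "base64": base64_forms(token),
    }

def scan(payload: bytes, token: bytes = TOKEN) -> list[str]:
    """Return the names of the encodings in which the token appears."""
    unwrapped = payload.replace(b"\r", b"").replace(b"\n", b"")  # MIME line wraps
    hits = []
    for name, needles in signatures(token).items():
        haystack = unwrapped if name == "base64" else payload
        if any(n in haystack for n in needles):
            hits.append(name)
    return hits

def constructed_samples() -> dict[str, bytes]:
    doc = b"internal use only " * 3 + TOKEN + b" end of memo"
    return {
        "plain": b"Subject: payroll\r\n\r\n" + doc,
        "utf16-text": doc.decode("ascii").encode("utf-16-le"),
        "mime-0": base64.encodebytes(doc),          # token split by a line wrap
        "mime-1": base64.encodebytes(b"x" + doc),
        "mime-2": base64.encodebytes(b"xx" + doc),
        "zlib": zlib.compress(doc),                 # compression hides the token
        "benign": b"quarterly report, nothing to see",
    }

if __name__ == "__main__":
    for label, payload in constructed_samples().items():
        print(f"{label:10} {scan(payload)}")
```
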