Honeypots: RE: Honeytokens and detection

["Andrew Hintz \(Drew\)" <drew () overt org>]

I'm fairly certain that I heard some CC companies do this already.  IIRC,
they add fake numbers to various databases and if a purchase is attempted
against one of those honeytoken CCs, then they know someone's being evil.
I'll try to hunt down the source of this info.

I think a large benefit of this at the network level is ensuring encryption
policies.  Hopefully your institution has a policy stating that CCs can only
be accessed over an encrypted channel.  A NIDS could then be used to look
for unencrypted honeytoken CCs floating around on the wire.  It would be
able to catch things such as benevolent admins making backups of sensitive
DBs over unencrypted channels.

Lance Spitzner wrote:
> For example, create bogus social security numbers and store
> them in your SSN database.  If the honeytoken SSN's hit
> your network, someone may have just grabbed your database.  For
> a CC database, insert honeytoken CC's and monitor for
> those to hit your wire.  Once again, if you see someone
> retrieving these numbers, someone is most likely being
> naughty.