A new way to catch hackers

**Networker** · April 28th, 2003, 01:32 PM

The honeypot principle is getting the application level. The basic idea is that someone who read an "honeytoken" information that should never been read (because fake & useless) is detected as a hacker...

Honeytokens are pieces of seemingly enticing information that have no useful value. Embedded in ways so that no innocent person should accidentally stumble upon them, honeytokens trigger alarms when viewed, grabbed or downloaded. For example, a bank could insert a fake credit card number into its files and then set up a program called a "sniffer" on the network that would send out an alarm if anyone touched that particular number.

Full article here

***MrLinus*** · April 28th, 2003, 01:42 PM

I remember that thread in BugTraq. Some of the points brought up was the potential of using data that could be related to a real person such as a SIN or Credit Card info. Part of it, I think, was the ethical potential. And if the data didn't look legit, the attacker is less likely to take it. So what do you put up then for the honeytoken?

There seems to be a point missing from the article (unless I missed it): the honeytokens would be in a database. They mention a file but database access would be more likely to have personal data like SINs and CCs in it. I think it's a nice additional layer to an admins whole security system, especially ISPs, financials, HRs, etc.

**Networker** · April 28th, 2003, 01:55 PM

Such a principle could be coupled with heuristic/statistic studies.
One example: In a banking database 30% of account could be faked. Hackers (a black hat presumably) penetrating such a database will surely not restrict ist access to one entry of the base. Statistically by scanning 4 entries, he will be detected for sure.
The data memory counter part is not a big issue.

Another example: At school, the database containing exam results could be faked for each entry. 1 student as 2 entries in the database one fake launch the alarm the other true and access has to be gain thanks authentication.
I think that the idea is just bright because undetecable remotly. I think that a hacker will have to social engineering the database as a unique solution to protect himself.

**UpperCell** · April 28th, 2003, 03:34 PM

yes, it would seem that there would need to be a boolean field to differentiate between real and trapped records, I'm sure a solution to this would be simple, but at it's most basic form, all an attacker would need to find out is the value that means 'trapped' and arrange his querries appropriately, thus rendering the honeypot useless.

**padre** · April 29th, 2003, 04:18 AM

the best way is still cheese, hackers cant resist it.

the best way is still cheese, hackers cant resist it.

the best way is still cheese, hackers cant resist it.

**DigitalSyntax** · April 29th, 2003, 09:51 AM

cheese? what are you on man? share, damn.

**\/IP3R** · April 29th, 2003, 07:39 PM

Pure California Cheese, comes from the happy cows, Happy cows comes from california.

Thread: A new way to catch hackers

Thread Tools

Display

A new way to catch hackers

Posting Permissions