Open Source and information security mailing list archives
 
Message-ID: <Pine.GSO.4.43.0307251326080.12459-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: morning_wood should stop posting xss

> [snip]
>
> >>Consider then the concept of a 'Honey Token'
> >>http://securityfocus.com/infocus/1713
> >>
> >>
> >
> >
> > Yet, the article states that these are more of an 'insider threat'
> > monitoring tool.  Few if any honeytokens would probably ever be exposed to
> > the internet at large.
> >
>
> Why not?
>
> Example:
>
> tokens for account info in an extranet application, easily catches sql
> injection, brute force attacks, intellectual property theft...
>
> Just some possibilities for this:
>
> portals
> customer accts
> inactive web pages
> fake confidential documents
> ...
>

Alright, I'll grant that in these semi-restricted environs one might also
make use of such toys, yet, again, these are not open-to-all,
public-consumption applications, and a variation on the 'insider threat'
scenario.  Additionally, if you create false records in a database, and
monitor and log accesses to those records, the rest of the data is
probably still available for exploit and consumption; nothing has really
been stopped or prevented, though its attempted access might have been
logged.  Honeypots, in their various forms, are placed for tracking abuse
and logging of activities for later analysis and perhaps replay; they are not
preventive measures, nor are they IDS/IPS kinds of systems.  If prevention
is combined within the toy, then you have created something altogether
different.



Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
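An added example, not part of the thread or of the SecurityFocus article, of the "false records in a database" honeytoken the two posters are arguing about. It uses Python's sqlite3 module with a constructed three-row customer table; the account id 99999 and its e-mail address are made-up honeytoken values, and the two lookup functions are hypothetical application code. The vulnerable lookup concatenates user input into SQL, so a classic `' OR '1'='1` payload dumps the whole table; the monitor notices the honeytoken row in the result set and raises an alert. It also shows the point made in the reply above: the alert fires, but the two real rows have already been returned to the caller.

```python
import sqlite3

# Constructed sample data (not from the thread).  The third row is the
# honeytoken: a fictitious account that no legitimate workflow ever asks for,
# so any result set containing it is suspicious by definition.
HONEYTOKEN_ACCOUNT_ID = 99999                      # hypothetical value
HONEYTOKEN_EMAIL = "hz.kappler@example.invalid"    # hypothetical value

CUSTOMERS = [
    (1001, "alice@example.com", "Alice"),
    (1002, "bob@example.com", "Bob"),
    (HONEYTOKEN_ACCOUNT_ID, HONEYTOKEN_EMAIL, "Honeytoken"),
]


def build_db():
    """Create an in-memory customer table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


class HoneytokenMonitor:
    """Logs every query and alerts when a result set contains the honeytoken.

    This is detection only: by the time check() runs, the rows have already
    been fetched from the database and are handed back to the caller unchanged.
    """

    def __init__(self):
        self.query_log = []   # every (sql, rows_returned) pair seen
        self.alerts = []      # queries whose results included the token row

    def check(self, sql, rows):
        self.query_log.append((sql, len(rows)))
        if any(row[0] == HONEYTOKEN_ACCOUNT_ID for row in rows):
            self.alerts.append({"sql": sql, "rows_returned": len(rows)})
        return rows


def vulnerable_lookup(conn, monitor, user_input):
    """Deliberately vulnerable: user input is concatenated into the SQL text."""
    sql = (
        "SELECT id, email, name FROM customers WHERE email = '"
        + user_input
        + "'"
    )
    rows = conn.execute(sql).fetchall()
    return monitor.check(sql, rows)


def safe_lookup(conn, monitor, user_input):
    """Hardened form: the same query with a bound parameter."""
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    rows = conn.execute(sql, (user_input,)).fetchall()
    return monitor.check(sql, rows)


def run_demo(payload="' OR '1'='1"):
    """Exercise both lookups and report what the monitor saw."""
    conn = build_db()
    monitor = HoneytokenMonitor()
    normal = safe_lookup(conn, monitor, "alice@example.com")
    injected = vulnerable_lookup(conn, monitor, payload)
    blocked = safe_lookup(conn, monitor, payload)
    return {
        "normal_rows": len(normal),
        "injected_rows": len(injected),
        "real_rows_leaked": sum(1 for r in injected if r[0] != HONEYTOKEN_ACCOUNT_ID),
        "parameterised_rows": len(blocked),
        "alerts": len(monitor.alerts),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it, the normal lookup returns one row and no alert, the injected query returns all three rows and one alert, and the parameterised lookup with the same payload returns nothing; `real_rows_leaked` is 2, which is the whole of the reply's objection. Anything preventive (refusing to return the result set, killing the session) would be a separate control layered on top of the monitor, not a property of the token itself.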

