lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F21BDE8.5060706@brvenik.com>
From: security at brvenik.com (Jason)
Subject: HoneyTokens - WAS - morning_wood should stop
 posting xss

> 
> Alright, I'll grant that in these semi restricted environs one might
> also make use of such toys, yet, again, these are not open to to all 
> public consumption applications, and a variation on the 'insider threat'
> scenario. Additionally, if you create false records in a database,
> and monitor and log accesses to those records, the rest of the data
> is probably still available for exploit and consumption, nothing
> has really been stopped or prevented, though it's attempted access
> might have been logged. Honeypots, in their various forms, are
> placed for tracking abuse and logging of activities for later
> analysis and perhaps replay, they are not preventive measures, nor
> are they IDS/IPS kind of systems. If prevention is combined within the
> toy, then you have created something altogether different.
> 

Limiting the scope to the definition provided above lets examine.

"Honeypots, in their various forms, are placed for tracking abuse and 
logging of activities for later analysis and perhaps replay"

Given this would the following definition be disagreeable?

Honeytokens, in their various forms, are placed for tracking abuse and 
logging of activities for later analysis and perhaps replay with or 
without the use of a dedicated honeypot.

Seems to me that it is easy enough to place honeytokens in any public 
service to identify and track any number of activities not within the 
normal usage of said service.

There is no requirement that there be an insider, customer, partner, or 
any other known entity to achieve the stated goal of tracking, 
identifying, and analyzing abuse and activities at a later time.

In fact, you could use a HoneyToken

* with a honetpot to make the identification easier.
* with an IDS to identify attempted intrusions.
* with a log analyzer to identify theft of data.
* with a packet logger to flag important sessions.
* with an access control technology to block further communications.
* ...

This is not a variation of an insider threat management case. This is 
another layer of defense in depth. It is a practical use of the tools 
available for a security purpose.

I myself have been using snort for this for a long time. I have 
implemented this for my customers and different employers over the 
years. In each implementation different tools have been used, one 
implementation changed the DB used for the session to that of a complete 
honeypot DB if the first record in any table was ever used, I think this 
could qualify as a honeytoken although it better qualifies as bait and 
switch in conjunction with a honeypot.

I implemented another system that used common default accounts to flag 
people attempting to circumvent authentication and closed down access 
for that remote system for 30 sec.

I used no toys to do this and these were public consumption systems.

There was an interest by the people making risk management decisions to 
actively manage that risk by attempting to identify threats as soon as 
possible instead of when it was absolutely too late.

---- OT message ----

To all those out there that like to get personal:

I would like to pass on something stated to me once, in person, that I 
still have a problem remembering from time to time. Usually after too 
much external influence. :-)

"Your content is not the problem, it is your delivery"

Simply put, you could be the most correct and accurate person in the 
world but with all of this other noise you get yourself ignored. This 
ultimately frustrates you and causes you to become more inflammatory in 
the hopes of getting noticed. Listen carefully. IT DOES NOT WORK! See a 
shrink, get laid, take the blue pill, whatever it takes. Your message is 
lost on the vast majority of people because of your delivery.

Please think of this before you post...

- Jason.

morning_wood wrote:
>   you are...
[snip useless words]
> wood
> 
> Ron DuFresne wrote:
[snip quoted above]
>>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ