Re: Honeytokens and Detection

From: Stephen P. Berry (
Date: 07/19/03

  • Next message: Bill Royds: "Re: Honeytokens and Detection"
To: Lance Spitzner <>
Date: Fri, 18 Jul 2003 18:21:37 -0700


Lance Spitzner writes:

> Honeytokens are a relatively new tool with many applications to
> detection, especially for the insider threat. I've made an attempt
> to define what this tool is, its value, and how it can work.
> Honeytokens: The Other Honeypot
> I would love any input, ideas, or suggestions on this
> relatively new tool.

I think it's cool that people are becoming more aware of techniques like
those mentioned in your paper, but I really have trouble conceding that
they're `new'.

The ONI (U.S. Office of Naval Intelligence) was using similar methods to
locate leaks and spies at least as early as the Spanish-American War,
and British Intelligence made extensive use of such methods throughout
the Second World War. Indeed, although I can't think of specific
instances to prove the point, I suspect that what you call `honeytokens'
are effectively as old as counterintelligence itself.

Further, I know that at least as far back as the '80s there were numerous
examples of analogous technologies in use in network and information
systems security---from binary wrappers[0], to renamed UID 0[1] (or equivalent)
accounts, to early CGI scripts that fed bogus information to would-be
attackers[2]. And that doesn't even include many of the esoteric roll-your-own
solutions implemented by those of us protecting peculiar assets and services
(like BBS door games and various flavours of MUD security).

Don't get me wrong---it's a very Good Thing that more and more security
goons are thinking about things like `honeytokens'. But every time I hear
someone call the idea `new', I have to ask, `Where've you been for
the past couple years?'

-spb

-----
0 I.e., rename vi(1) to `foo', and replace it with a wrapper that
  execs foo and sends an alert whenever it's invoked.
1 I.e., UID 0 becomes `toor' and `root' becomes the local equivalent of
  `nobody'. Probably deprecated due to the `toor' convention of
  some modern BSDs.
2 I.e., if an exploit tries to grab /etc/passwd, return a bogus
  copy with a crack(1)-able passwd or two, and send an alert whenever
  anyone tries to use one of the bogus passwd/account pairs.
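The detection half of footnote [2] (alert whenever someone tries to use one of the bogus account names) is easy to show in code. The following is an added example, not code from the original message or from any project it names: it assumes a constructed set of decoy account names (`backup2`, `oracle_sync`, `svc-report`) that exist only in the bogus passwd copy, and a few constructed sshd-style syslog lines standing in for a real auth log. Any login attempt against a decoy name is reported per source address, and a successful login on one is escalated, since no legitimate user should ever know those names.

```python
import re
from collections import defaultdict

# Constructed honeytoken account names: they exist only in the decoy
# /etc/passwd handed to an attacker, so any login attempt using one of
# them is a signal, not noise from ordinary password guessing.
HONEYTOKEN_ACCOUNTS = {"backup2", "oracle_sync", "svc-report"}

# Constructed sample auth log (sshd syslog format); hosts and addresses
# are placeholders, not real systems.
SAMPLE_AUTH_LOG = """\
Jul 18 18:20:01 host sshd[4101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jul 18 18:20:44 host sshd[4133]: Failed password for invalid user backup2 from 203.0.113.7 port 40112 ssh2
Jul 18 18:20:46 host sshd[4133]: Failed password for invalid user backup2 from 203.0.113.7 port 40112 ssh2
Jul 18 18:21:02 host sshd[4140]: Accepted password for oracle_sync from 203.0.113.7 port 40120 ssh2
Jul 18 18:21:30 host sshd[4150]: Failed password for bob from 10.0.0.9 port 50000 ssh2
"""

# Matches both "Accepted <method> for <user>" and
# "Failed <method> for [invalid user] <user>" sshd lines.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_login_events(log_text):
    """Yield (result, user, source_ip) for each sshd login line recognised."""
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def find_honeytoken_hits(log_text, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return {source_ip: [(result, user), ...]} for attempts on decoy accounts."""
    hits = defaultdict(list)
    for result, user, src in parse_login_events(log_text):
        if user in honeytokens:
            hits[src].append((result, user))
    return dict(hits)


def alerts(log_text, honeytokens=HONEYTOKEN_ACCOUNTS):
    """One alert string per offending source address.

    A failed attempt on a decoy name is already HIGH (the name came from
    the bogus passwd file); an Accepted login on one is CRITICAL, because
    it means the decoy hash was cracked and the account is in use.
    """
    out = []
    for src, events in find_honeytoken_hits(log_text, honeytokens).items():
        users = sorted({user for _, user in events})
        severity = "CRITICAL" if any(r == "Accepted" for r, _ in events) else "HIGH"
        out.append(
            f"{severity}: {src} used honeytoken account(s) {', '.join(users)} "
            f"({len(events)} attempt(s))"
        )
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_AUTH_LOG):
        print(line)
```

Run against the sample log, the two legitimate-looking events (alice, bob) produce nothing, while the one source that touched `backup2` and `oracle_sync` yields a single CRITICAL alert. Because the decoy names never appear in the real user base, the rule has no false-positive budget to tune; the remaining operational question is only how the alert is routed.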


