honeytokens in databases Sep 18 2006 03:14PM
gvij2000 yahoo com (2 replies)
Re: honeytokens in databases Oct 06 2006 10:37PM
Felix Groebert (felix groebert org)
Re: honeytokens in databases Sep 18 2006 06:35PM
Valdis Kletnieks vt edu
On Mon, 18 Sep 2006 15:14:56 -0000, gvij2000 (at) yahoo (dot) com said:
> hi
> I would like some guidance in creating and deploying honeytokens.
> 1. Coming up with honeytoken data that would interest hackers.

This is very site-specific. What I might recommend for a honey token for
our student-records crew is probably not a good fit for a hospital...

> 2. How and where do I place the data so that I can monitor hackers.

Well, you basically invent a totally fictitious entry for the database
(be it a student transcript, a medical record, an accounts-payable - something
that makes sense for your organization), and put it in the database along with
all the production data. You then monitor the database system logs (with
a program of course, this is too tedious to do by actually reading logs), and
if you see somebody make a request for that specific database entry, then
you know you need to start investigating. The only tough part is that
you need to identify queries like 'SELECT name, ssn FROM student_table WHERE
home_address_state = "VA"' where it's expected to be returned and not
generating a false-positive. But if you go through the logs and find a
'SELECT * WHERE fullname = "John Q. Honeytoken"', you have a problem :)



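The log monitoring described in the reply above, as an added example that is not part of the original post: a Python scanner that alerts only when a statement's literals single out the honeytoken, and stays quiet for broad queries that would merely return it among other rows. It goes slightly beyond the post by also matching `LIKE` patterns. The `timestamp|user|statement` log format, the SSN value, the user names and the log lines are constructed assumptions; the table and column names are taken from the post.

```python
import re

# Unique fields of the planted record (constructed values). The state is left
# out on purpose: many real rows share it, so it must not trigger an alert.
HONEYTOKEN = {"fullname": "John Q. Honeytoken", "ssn": "000-00-0000"}
LITERAL = re.compile(r"'((?:[^']|'')*)'|\"((?:[^\"]|\"\")*)\"")

def norm(s):
    return " ".join(s.lower().split())

def literal_hits(literal):
    """Return the honeytoken fields that this SQL literal or LIKE pattern selects."""
    lit = norm(literal)
    if len(lit.replace("%", "").replace("_", "")) < 4:
        return []  # too short or pure wildcard: matches far too many rows
    # Translate LIKE wildcards to a regex: % -> .*, _ -> .
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in lit)
    return [f for f, v in HONEYTOKEN.items() if re.fullmatch(rx, norm(v))]

def scan(log_lines):
    """Return (timestamp, user, matched_fields, statement) for targeted queries."""
    alerts = []
    for line in log_lines:
        ts, user, stmt = line.split("|", 2)
        fields = set()
        for m in LITERAL.finditer(stmt):
            text = m.group(1) if m.group(1) is not None else m.group(2)
            fields.update(literal_hits(text))
        if fields:
            alerts.append((ts, user, sorted(fields), stmt))
    return alerts

# Constructed sample log, format assumed to be timestamp|user|statement.
SAMPLE_LOG = [
    '2006-09-18T15:02:11|registrar_app|SELECT name, ssn FROM student_table WHERE home_address_state = "VA"',
    '2006-09-18T15:40:03|webuser|SELECT * FROM student_table WHERE fullname = "John Q. Honeytoken"',
    "2006-09-18T15:41:27|webuser|SELECT * FROM student_table WHERE fullname LIKE 'john q. honey%'",
    "2006-09-18T15:43:50|report_job|SELECT count(*) FROM student_table WHERE ssn <> ''",
    "2006-09-18T15:44:02|webuser|select fullname from student_table where ssn='000-00-0000'",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT", *alert)
```

Because the check works on statement text, it only sees literals that reach the log; statements logged with bind-parameter placeholders need the bound values logged as well.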


Copyright 2010, SecurityFocus