Honeytokens

A "honeypot" is a digital system whose purpose is to attract and identify illegal activity. Traditionally, honeypots are sacrificial computers placed on a network. The honeypot system serves no useful purpose; no legitimate user will have any reason to access it. As a result, any accesses which actually happen are likely to be somebody attempting something nasty. The honeypot can thus serve as a sort of early warning system, as well as a laboratory in which cracker techniques can be studied in real time.

A new paper by Lance Spitzner points out that the honeypot concept can be applied in other contexts. One such application is "honeytokens," a bit of information which should never be accessed. An example might be login information placed in a message in a senior manager's mail spool; anybody attempting to actually log in using that information is almost guaranteed to be an attacker. A properly set up system could initiate a trace and catch the attacker before he gets into something truly useful.
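The credential honeytoken described above, as an added example that is not part of the article or of Spitzner's paper: a small Python scanner that reads OpenSSH-style authentication log lines (constructed samples) and raises an alert whenever a planted username appears, whether or not the attempt succeeded. The usernames, their placements and the log lines are all assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed honeytoken usernames (constructed). Each one is bait that was planted
# somewhere attractive and must never be used by anybody; the accounts do not
# exist, so sshd records attempts against them as "invalid user".
HONEYTOKEN_USERS = {
    "backup-admin": "planted in a message in the finance director's mailbox",
    "svc_oracle_old": "planted on a decommissioned internal wiki page",
}

# OpenSSH-style authentication line (constructed sample format).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    source: str
    result: str
    placement: str


def scan(lines):
    """Return one Alert per authentication attempt against a honeytoken username.

    Both failed and accepted attempts alert: the username itself is the token,
    so any use of it means the planted information has been read and acted on.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an authentication line; other log lines are ignored
        user = m.group("user")
        if user in HONEYTOKEN_USERS:
            alerts.append(Alert(
                timestamp=m.group("ts"),
                host=m.group("host"),
                user=user,
                source=m.group("src"),
                result=m.group("result"),
                placement=HONEYTOKEN_USERS[user],
            ))
    return alerts


def sources(alerts):
    """Count alerts per source address: the starting point for the trace the article mentions."""
    return Counter(a.source for a in alerts)


# Constructed sample log: two ordinary logins, two uses of a planted username, one unrelated line.
SAMPLE_LOG = [
    "Jul 24 07:58:01 mailhost sshd[4120]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Jul 24 08:02:17 mailhost sshd[4133]: Failed password for invalid user backup-admin from 192.0.2.44 port 40211 ssh2",
    "Jul 24 08:02:19 mailhost sshd[4133]: Failed password for invalid user backup-admin from 192.0.2.44 port 40211 ssh2",
    "Jul 24 08:05:40 mailhost sshd[4140]: Accepted publickey for bob from 10.0.0.7 port 51030 ssh2",
    "Jul 24 08:06:02 mailhost cron[4150]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.result} login as honeytoken '{alert.user}' "
              f"from {alert.source} ({alert.placement})")
    print("attempts per source:", dict(sources(scan(SAMPLE_LOG))))
```

The scanner keys on the username alone because passwords never appear in authentication logs; for the token to be unambiguous the bait account must not exist (or must be disabled), so that no legitimate login can ever produce a false alarm. The regular expression is written for the OpenSSH wording of the sample and would need adjusting for other log formats.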

This idea is not particularly new; direct (physical) mail companies have long embedded special addresses in their lists to track the use of those lists, for example. The security community has not, until now, made much use of this technique, however. Properly used, honeytokens could become a valuable part of intrusion detection and other security-related systems. Stolen information may not bite, but it may yet manage to strike back at thieves anyway.


(Log in to post comments)

Honeytokens

Posted Jul 24, 2003 7:58 UTC (Thu) by ymmv (subscriber, #4375) [Link]

That reminds me of some Tom Clancy writing in the Jack Ryan series. Internal CIA memos would be carefully written to be slightly different (as to form, which could be changed, but also to content), as a means to identify the source of the information leak.

I don't know if that is in practice either in the US (where I've never been) or in Europe, but there's no reason it couldn't be.

And that is obviously a sort of (paper) honeytoken.

Honeytokens

Posted Jul 31, 2003 16:58 UTC (Thu) by Baylink (subscriber, #755) [Link]

Yep; it was called the "Canary Trap" -- specifically, the summary paragraphs of each section were different in each copy of the paper, 4 out of 64 versions, IIRC -- they were intended to be quote-fodder, and if they *did* get quoted, you knew who leaked the paper.

Quite ingenious, and the CIA probably *still* isn't using it.

Honeytokens in mapmaking

Posted Jul 24, 2003 13:36 UTC (Thu) by tcabot (subscriber, #6656) [Link]

My understanding is that the mapmaking industry does this as well. Since the underlying data that they use (i.e. the earth) can't be copyrighted, they invent small features that don't exist and put them on their maps. If the feature shows up on someone else's map then it's very likely to be an illegal copy.

Sounds like spamtraps

Posted Jul 29, 2003 13:14 UTC (Tue) by dion (subscriber, #2764) [Link]

This sounds exactly like spreading an otherwise unused address in places where spammers (or their robots) will find it, to be able to identify spammers (whoever mails a spam trap address is a spammer).

Honeytokens

Posted Jul 31, 2003 17:00 UTC (Thu) by jimwelch (guest, #178) [Link]

The first I heard of this idea was decades ago when a Junk Mail hater fought the resell of his info by using different First and Middle names (initials) for each subscription (smail) then he would sue them when this set of info showed up on a piece of junk mail. Still works!

Honeytokens

Posted Aug 2, 2003 2:31 UTC (Sat) by jmason (guest, #13586) [Link]

BTW, this is common in the anti-spam world as well; create "spamtrap" aliases, seed likely areas with those addresses -- such as embedding them in HTML comments on webpages -- then wait for the spam to arrive.

Any mail to those addresses is virtually guaranteed to be either spam or a virus, since no human being should know they exist. Any direct marketing mail to those addresses is especially likely to be spam, since they would never have "signed up" to a list.

Honeytokens

Posted Aug 2, 2003 23:53 UTC (Sat) by simonl (subscriber, #13603) [Link]

So this is what you mean?

- Set up a few spam target emails, and spread them around.
- Make the SMTP server calculate MD5 sums of all messages to these spam targets, probably removing all instances of username and domain first.
- The SMTP server can now safely ignore/delete any message to valid users which matches the MD5 sum of a known spam message.

This would probably be the most reliable spam killer. Are any spam filters using this yet?
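The spamtrap scheme sketched in the two comments above (seed trap addresses, hash whatever arrives at them, reject identical mail to real users), as an added example that is not part of the discussion or of any poster's code. It is Python modelling the SMTP-side decision; the trap addresses, the message template and the normalization rules are assumptions.

```python
import hashlib
import re

# Constructed spamtrap addresses: published where only harvesters will find
# them and never given to a human being.
TRAP_ADDRESSES = {"trap-0042@example.org", "never-used@example.org"}


def normalize(body, recipient):
    """Strip the recipient's address, username and domain from the text, then
    canonicalize case and whitespace, so per-recipient personalization does not
    change the hash (the "removing username and domain" step from the comment)."""
    local, _, domain = recipient.partition("@")
    text = body
    for token in (recipient, local, domain):
        if token:
            text = re.sub(re.escape(token), "", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text.lower()).strip()


def fingerprint(body, recipient):
    """MD5 of the normalized body, as the comment proposes. MD5 is used here
    purely as a content identity, not for any security property."""
    return hashlib.md5(normalize(body, recipient).encode("utf-8")).hexdigest()


class TrapFilter:
    """Minimal model of the server-side logic: learn from mail sent to trap
    addresses, reject byte-identical (after normalization) mail to real users."""

    def __init__(self, traps):
        self.traps = {t.lower() for t in traps}
        self.known_spam = set()

    def deliver(self, recipient, body):
        """Return 'trapped', 'rejected' or 'delivered' for one message."""
        rcpt = recipient.lower()
        fp = fingerprint(body, rcpt)
        if rcpt in self.traps:
            self.known_spam.add(fp)  # nobody legitimate mails a trap, so this is spam
            return "trapped"
        if fp in self.known_spam:
            return "rejected"
        return "delivered"


# Constructed bulk-mail template personalized with the recipient's details.
SPAM_TEMPLATE = "Dear {addr},\nBuy NOW, {local}: limited offer for {domain} users!"


def run_demo():
    """Feed a constructed sequence of messages through the filter and return the outcomes."""
    f = TrapFilter(TRAP_ADDRESSES)

    def spam(addr):
        local, _, domain = addr.partition("@")
        return SPAM_TEMPLATE.format(addr=addr, local=local, domain=domain)

    return [
        f.deliver("trap-0042@example.org", spam("trap-0042@example.org")),     # trapped: hash learned
        f.deliver("alice@example.org", spam("alice@example.org")),             # rejected: same hash after normalization
        f.deliver("alice@example.org", "Hi alice, lunch at noon?"),            # delivered: unknown hash
        f.deliver("bob@example.org", spam("bob@example.org") + " (ref 9921)"),  # delivered: one extra token defeats exact matching
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The last message in the demo shows the limit of the approach as stated: an exact hash only matches messages that are identical after normalization, so any per-message variation escapes it. Removing the local part as a plain substring is also crude (it would strip "alice" out of "malice"), which is why the normalization step deserves more care than this sketch gives it.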

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds