back to article Give hackers your data, says former RSA man

Former RSA chief scientist Ari Juels has outlined a cunning way to foil crackers: let them think they've busted into a system and then give them fake data to play with. The idea is not entirely novel because Juels last year proposed a scheme he called “Honeywords” in this paper, co-authored with RSA founder Ronald Rivest. …

COMMENTS

This topic is closed for new posts.
Silver badge

what happens when you inadvertently provide that file in response to an NSL

do you get a laugh out of it, or a conviction?

2
1
Gold badge

Re: what happens when you inadvertently provide that file in response to an NSL

That's a good question. I suspect you would get a demand for the unhoneypotted passwords followed by a conviction if you refuse to comply.

1
0
Bronze badge

Social media should do this too!

The likes of Twitter and Facebook need to implement this ASAP. Imagine hacking into somebody's social media account only to be faced with meaningless drivel....

16
0
Anonymous Coward

Re: Social media should do this too!

Isn't it meaningless drivel to start with? This tool might generate something useful!

3
4
Bronze badge

Re: Social media should do this too!

You mean like my publicly available Facebook account where I do charity work, look after sick baby lambs, and go to church twice a week?

3
0
Gold badge

And this is news?

Using deception is not exactly news. Even before Fred Cohen developed his Deception Toolkit we were feeding wannabees whose sole reason for being on IRC was "wanting to learn how to hack" (translated: please let someone else do the learning) some tools to aim at 127.0.0.1. Nothing beats practical experience :).

BTW, all.net has got plenty papers on using deception - worth a read.

0
0
Bronze badge
Facepalm

Re: And this is news?

Real IRC log from back in the day:

* bitchchecker (~java@euirc-a97f9137.dip.t-dialin.net) Quit (Ping timeout#)

* bitchchecker (~java@euirc-61a2169c.dip.t-dialin.net) has joined #stopHipHop

<bitchchecker> why do you kick me

<bitchchecker> can't you discus normally

<bitchchecker> answer!

<Elch> we didn't kick you

<Elch> you had a ping timeout: * bitchchecker (~java@euirc-a97f9137.dip.t-dialin.net) Quit (Ping timeout#)

<bitchchecker> what ping man

<bitchchecker> the timing of my pc is right

<bitchchecker> i even have dst

<bitchchecker> you banned me

<bitchchecker> amit it you son of a bitch

<HopperHunter|afk> LOL

<HopperHunter|afk> shit you're stupid, DST^^

<bitchchecker> shut your mouth WE HAVE DST!

<bitchchecker> for two weaks already

<bitchchecker> when you start your pc there is a message from windows that DST is applied.

<Elch> You're a real computer expert

<bitchchecker> shut up i hack you

<Elch> ok, i'm quiet, hope you don't show us how good a hacker you are ^^

<bitchchecker> tell me your network number man then you're dead

<Elch> Eh, it's 129.0.0.1

<Elch> or maybe 127.0.0.1

<Elch> yes exactly that's it: 127.0.0.1 I'm waiting for you great attack

<bitchchecker> in five minutes your hard drive is deleted

<Elch> Now I'm frightened

<bitchchecker> shut up you'll be gone

<bitchchecker> i have a program where i enter your ip and you're dead

<bitchchecker> say goodbye

<Elch> to whom?

<bitchchecker> to you man

<bitchchecker> buy buy

<Elch> I'm shivering thinking about such great Hack0rs like you

* bitchchecker (~java@euirc-61a2169c.dip.t-dialin.net) Quit (Ping timeout#)

* bitchchecker (~java@euirc-b5cd558e.dip.t-dialin.net) has joined #stopHipHop

<bitchchecker> dude be happy my pc crashed otherwise you'd be gone

<Metanot> lol

<Elch> bitchchecker: Then try hacking me again... I still have the same IP: 127.0.0.1

<bitchchecker> you're so stupid man

<bitchchecker> say buy buy

<Metanot> ah, [Please control your cussing] off

<bitchchecker> buy buy elch

* bitchchecker (~java@euirc-b5cd558e.dip.t-dialin.net) Quit (Ping timeout#)

* bitchchecker (~java@euirc-9ff3c180.dip.t-dialin.net) has joined #stopHipHop

<bitchchecker> elch you son of a bitch

<Metanot> bitchchecker how old are you?

<Elch> What's up bitchchecker?

<bitchchecker> you have a frie wal

<bitchchecker> fire wall

<Elch> maybe, i don't know

<bitchchecker> i'm 26

<Metanot> such behaviour with 26?

<Elch> how did you find out that I have a firewall?

<Metanot> tststs this is not very nice missy

<bitchchecker> because your gay fire wall directed my turn off signal back to me

<bitchchecker> be a man turn that shit off

<Elch> cool, didn't know this was possible.

<bitchchecker> thn my virus destroys your pc man

<Metanot> are you hacking yourselves?

<Elch> yes bitchchecker is trying to hack me

<Metanot> he bitchchecker if you're a hacker you have to get around a firewall even i can do that

<bitchchecker> yes man i hack the elch but the sucker has a fire wall the

<Metanot> what firewall do you have?

<bitchchecker> like a girl

<Metanot> firewall is normal a normal hacker has to be able to get past it...you girl^^

<He> Bitch give yourself a jackson and chill you're letting them provoce you and give those little girls new material all the time

<bitchchecker> turn the firewall off then i send you a virus [Please control your cussing]er

<Elch> Noo

<Metanot> he bitchchecker why turn it off, you should turn it off

<bitchchecker> you're afraid

<bitchchecker> i don't wanna hack like this if he hides like a girl behind a fire wall

<bitchchecker> elch turn off your shit wall!

<Metanot> i wanted to say something about this, do you know the definition of hacking??? if he turns of the firewall that's an invitation and that has nothing to do with hacking

<bitchchecker> shut up

<Metanot> lol

<bitchchecker> my grandma surfs with fire wall

<bitchchecker> and you suckers think you're cool and don't dare going into the internet without a fire wall

<Elch> bitchchecker, a collegue showed me how to turn the firewall off. Now you can try again

<Metanot> bitchhacker can't hack

<Black<TdV>> nice play on words ^^

<bitchchecker> wort man

<Elch> bitchchecker: I'm still waiting for your attack!

<Metanot> how many times again he is no hacker

<bitchchecker> man do you want a virus

<bitchchecker> tell me your ip and it deletes your hard drive

<Metanot> lol ne give it up i'm a hacker myself and i know how hackers behave and i can tell you 100.00% you're no hacker..^^

<Elch> 127.0.0.1

<Elch> it's easy

<bitchchecker> lolololol you so stupid man you'll be gone

<bitchchecker> and are the first files being deleted

<Elch> mom...

<Elch> i'll take a look

<bitchchecker> don't need to rescue you can't son of a bitch

<Elch> that's bad

<bitchchecker> elch you idiout your hard drive g: is deleted

<Elch> yes, there's nothing i can do about it

<bitchchecker> and in 20 seconds f: is gone

<bitchchecker> tupac rules

<bitchchecker> elch you son of a bitch your f: is gone and e: too

<bitchchecker> and d: is at 45% you idiot lolololol

<He> why doesn't meta say anything

<Elch> he's probably rolling on the floor laughing

<Black<TdV>> ^^

<bitchchecker> your d: is gone

<He> go on BITCH

<bitchchecker> elch man you're so stupid never give your ip on the internet

<bitchchecker> i'm already at c: 30 percent

* bitchchecker (~java@euirc-9ff3c180.dip.t-dialin.net) Quit (Ping timeout#)

11
0
Holmes

The Direct Approach to Cyber-Terrorism?

@Fred Flintstone: "BTW, all.net has got plenty papers on using deception - worth a read"

"The direct approach to cyber-terrorism is to use the cyber-infrastructure to directly influence the mind of the victim through the inducement of fear"

This is total cyber-bullshit, there is no correlation between setting a bomb of in a shopping center and "hacking" somebodies computer ..

3
1
Anonymous Coward

Re: The Direct Approach to Cyber-Terrorism?

there is no correlation between setting a bomb of in a shopping center and "hacking" somebodies computer

Which precise bit of the word cyber is unclear to you? There is a direct correlation between people making you scared of any computer use and the willingness of many people to give up their privacy for the apparent protection by governments. Personally, I have found quite a lot of the scaremongering at government level seriously suspicious in itself, because it always leads to call for more money, more "protection" (monitoring and spying under a different name) and the promition of the feeling of helplessness in users. Well, f*ck that. I don't need a government to have more powers than it already has, because it has proven to be worse than the criminals it is alleging to protect me from.

0
0
Anonymous Coward

But you would think this would just cause the malcontents to start improving chaff detectors and filters to help winnow out the honest data. Plus there's the risk of false positive: an honest user slips in a login, gets bogus data as a result, and panics.

0
0
Anonymous Coward

That argument doesn't hold water. The one thing a user and an administrator has over a remote hacker is intrinsic knowledge about their local environment, and their habits. The aim of deception is to become a more difficult prey than the next one - from a study I saw years ago, the amount of fraud is pretty much stable, but it seeks the easiest victims.

Deception is not just wasting the attacker's time, it also significantly increases their chances of being detected.

2
0
Anonymous Coward

Two things.

First, once everyone adopts this form of deception, the advantage of being "easier than the next guy" is lost since "the next guy" is in the same boat as you; back to square one.

Second, the user doesn't necessarily have intimate knowledge of the environment if he is, say, an online user of a website. In this case, a false negative (especially for the unfamiliar) could raise unnecessary alarms. Furthermore, a malcontent may wish to engage in some scouting to get a better feel for the environment, gaining familiarity to reduce the chances of falling for a deception.

0
0
Anonymous Coward

First, once everyone adopts this form of deception, the advantage of being "easier than the next guy" is lost since "the next guy" is in the same boat as you; back to square one.

Maybe you ought to actually read something instead of just talking about the theory. Just in case the meaning of the word "deception" isn't entirely clear to you, you can also pretend to have deception methods deployed but not actually install them. The theoretical case of "everyone haz it" is not even worth discussing.

Second, the user doesn't necessarily have intimate knowledge of the environment if he is, say, an online user of a website. In this case, a false negative (especially for the unfamiliar) could raise unnecessary alarms.

Have you actually ever been near an IT defence strategy? The people running the protection are not usually the end users to start with, they're administrators and technical people, very few end users even have a clue about BASIC countermeasures, let alone the more advanced stuff like APT management.

Deception is beyond that because it requires quite a bit of knowledge to set it up in a way that it is effective (which is why it tends to be omitted in the more regular "let's just tick the ISO 27001 boxes" security strategies).

Furthermore, a malcontent may wish to engage in some scouting to get a better feel for the environment, gaining familiarity to reduce the chances of falling for a deception.

That's exactly where deception comes in. Your arguments just don't make sense.

0
0
Bronze badge

Commercial fake data

Fake data? Do you mean Google advertisements?

1
0

The power of misinformation

On the Internet, no one knows you're a dog, two cats and a goldfish.

1
0
Anonymous Coward

This is based upon the premise that...

they already have one part of the username/password pair and so it would need to be extended so both parts yield rubbish. The difficulty is when a user mistypes something he will need some way of knowing that he is not validated and this indicator would of course be used against the system.

What is needed is obviously some way of being certain that the user can never put the wrong login details into the system so we are really talking about authentication via certificate or handy RSA key fob, I wonder who has the patent upon those things.

So in essence you allow any certificate to login to the system but only valid certs have valid data attached associated with them, all the rest have either a generated datasets (requiring CPU time) or a single precomputed dummy data set. If you go with the precomputed data set then it will be the same for all wrong login attempts so easy to identify the trap. If you go with the generated dataset then you are going to have to take into account the DDOS potential of this security feature as well as the fact that the time required to create to dummy data would be detectable.

I can see that essentially this will just end up as a multistage validation system ( we already have these on banking sites the only difference would be that the security questions would be ones the user would not know the answer for and so start the login process again ) and a login control that will be easy to DDOS.

1
0

Re: This is based upon the premise that...

The way I read it was that if a hacker obtained access to a system and managed to retrieve password table (even if it's just username & hash), the table would contain many instances of the username with different passwords (or hashes of passwords...). The hacker would then have to work through many variations, and using the wrong one could be detected as a deliberate intrusion and appropriate action taken.You'd just need a good hamming distance between the dummy passwords to mitigate against the user mistyping the correct one.

A user mistyping would get the same message he would anyway, but a hacker using the wrong password could be locked out or served up fake data etc. There wouldn't be much additional overhead on the system, it would just have to handle much larger username/password(hash) tables or whatever identification was being used.

0
0
Anonymous Coward

Re: This is based upon the premise that...

An attacker can play savvy, though, and smurf it: space out attempts of the same user so as to fall under the threshold. If they try each username just once and go to the next one if it fails, then it would be harder to figure out if it's just a mistake or an intrusion.

0
0
Silver badge

"yield ten thousand fake-but-plausible numbers"

I love the idea !

Let's get that implemented ASAP, please.

0
0

Old tactic applied in a new way

I work for a large online search provider and we have several sections of fake data on our listings so that we can track and prove where out data has been scraped. It's been going on for years, similar to how an un-released movie script will have slight variations so if one copy does get leaked they can know exactly whos copy it was.

0
0
Vic
Silver badge

Juels' new “Honey Encryption” proposal

... isn't new at all.

The idea of "duress" passwords goes back a very long way...

Vic.

1
0

Not exactly original

The technique is called the "sacrificial lamb" where hackers are allowed to break into a machine with fake data, leaving the real server untouched.

0
0

Can't find this page

BTW, please send my CORRECT password this time...

And the cloud is packed fill of garbage! So much for bitmining data! It's just like the Universe, now we have to start discovering everything all over. Everything you thought you knew was just fake data. Big Bang data....Theory of Relativity subset (data)? perhaps Theory of Relevancy, it's all relative.

0
0
This topic is closed for new posts.

Forums