h a l f b a k e r yAssume a hemispherical cow.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Please log in.
Before you can vote, you need to register.
Please log in or create an account.
|
In many business networks users are
forced to change their passwords on a
regular basis. Some of these users, to
avoid that embarassing "I've forgotten my
password" call to the IT department,
write their password down, or choose
something very obvious.
The honeypot password, or passwords,
would configurable anti-passwords that,
if used, would alert the IT department
(and/or security) that the account was
being hacked. They would consist of
passwords that the user feels are too
obvious for them to use, previously
compromised passwords and a core list
of frequently used passwords maintained
by the IT department. You could even
write one of them down on a post-it note
and stick it under the keyboard.
Panic PIN
http://www.halfbake...om/idea/Panic_20PIN The unashamed inspiration. [st3f, Oct 05 2004, last modified Oct 17 2004]
Design and Implementation of a Sniffer Detector
http://www.raid-sym...tml#Grundschober_31 By Stephane Grundschober of IBM, presented at RAID 1998. Quoting: "The tool then waits for the intruder to use the information bait. Nobody besides the intruder has knowledge of these accounts and passwords. If someone reuses these pairs, the tool recognizes symptoms of an attack and can trigger an alarm" [krelnik, Oct 05 2004, last modified Oct 21 2004]
(?) Password Filter API on Windows
http://msdn.microso...ters.asp?frame=true This could be used to prevent a user from setting their actual password to one of the honeypot passwords. [krelnik]
LASEC
http://lasecpc13.epfl.ch/ntcrack/ I tried this when they had the password cracker demo up - very fast. [krelnik, Oct 05 2004, last modified Oct 21 2004]
LASEC
http://lasecpc13.epfl.ch/ntcrack/ I tried this when they had the password cracker demo up - very fast. [hippo, Oct 05 2004, last modified Oct 17 2004]
[link]
|
|
Three questions:
Who establishes these passwords?
Where are they established?
How is the user informed the passwords are off limits? |
|
|
phoenix: Oh yes, honeyPOT. Thanks. (idea renamed) |
|
|
The core set of honeypot passwords I'd see as being established by the IT department. Things like 'password', the names of football teams and so on. Users trying to change their password to one of these would be politely told that they can't. |
|
|
The account specific ones could be set up by the user when they change their password:
"Enter one password that gets you into your account and one that sets of the alarm system,"
or by IT:
"You think that they were looking intently at the keyboard when you typed your password, Mr Jones? OK, I've set your old password to go honeypot after one more login. Log in now and you'll be prompted to change your password. The old one will set of the alarms if you use it after that." |
|
|
jutta: The mass crack is probably more common these days, and that should set off the alarm bells by the sheer volume of attempts. This system should trigger when a dictionary was thrown at a remote interface, but it's not really the best tool for that. |
|
|
I saw a paper presented by some folks from IBM Zurich at an intrusion detection conference that was a very elaborate system for doing just this. Once the honeypot passwords were established, they would actually deliberately transmit traffic in protocols that use clear-text passwords (telnet, FTP, HTTP and so on) in an attempt to "lure" an observing hacker to use the passwords. It was all three-tiered stuff with a highly elaborate infrastructure and so on. |
|
|
The funny part was they never once caught a hacker using this system. |
|
|
[edit] Yes, I found the link. It was at the very first Recent Advances in Intrusion Detection (RAID) conference, held in 1998 in Belgium. |
|
|
//How is the user informed the passwords are off limits?//
In Windows there's an API that allows you to 'hook' the password change procedure with your own code in a DLL, you could use that to prevent anyone from setting their "real" password to one of the honeypot passwords. |
|
|
Given that honeypot passwords sort of already exist in the form of the default admin passwords that all too many systems have, you could just reroute those, since those are the first line of attack for hackers. |
|
|
krelnik, you're a star. The depth and breadth of the knowledge of the core (corps?) of halfbakers never ceases to amaze me. |
|
|
DrCurry: I like it. It's a neat first approximation that doesn't require you to create the concept of an 'anti-password' within the operating system. Wouldn't stop a targeted attack on another account, though. |
|
|
Isn't it a bit of a secutity hole that you can actually download the whole password database? Does this have any legitimate purpose that couldn't be met by other means? |
|
|
Well even on systems where a mass download is not feasible, cracking attacks can still be attempted. For instance, Windows logins use a cryptographic hash algorithm on connect, but attacks have been mounted on it. So you just need a way to peek at the connection traffic between the client and the server. This is why having a 'Sniffer' on an attacked network is so useful to a hacker, and why IBM wanted to detect them. |
|
|
That's also why occasionally actually using the passwords in ways that a hacker might detect, would be useful to this scheme. The post-it under the keyboard is a first step in that direction, the IBM paper describes an incredibly elaborate one. |
|
| |