|
||
Title: Ever used database honeypots? Post by Pete Finnigan on Nov 9th, 2005, 10:46am Last week I talked to customers of Transfer Solutions, my employer, about Oracle database security. In this talk I proposed honeypots as a way to discover if anyone is trying to query tables they're not supposed to query. For example there could be a table called SALARY or CUSTOMER or something, which is not used by the application. If somebody tries to select that table a mail could be send to a DBA or his/her pager could recieve a message. Has anyone tried this or seen this before? Or even more sophisticated honeypots? |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 9th, 2005, 3:12pm Marcel-jan, What's the point of having a honeypot? What do you do if you have someone from, let's say, Brasil trying to crack your database? What would you want to learn from a honeypot? Anyway you could try Snort. Snort is an IDS that can be con figured to scan for keywords like select, union, etc and send emails when the keyword appears in the networkdata. Another way is with Oracle auditing: audit to the syslog file and use the countless tools to check the syslog and alert the administrator. Ivan |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 9th, 2005, 7:24pm Hi Marcel-Jan, This is an interesting idea on a number of levels, it could be used internally in an organisation if you suspect unauthorised access. There are also many honeypot sites out there already, perhaps they should include databases. Also maybe someone like the Internet Storm Center would be interested. Also we are not just talking Oracle here, this applies to other databases such as MS SQL or MySQL. cheers Pete |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 9th, 2005, 11:40pm My idea was having a honeypot table (or other object) that looks like it's part of the application, but used by none. When a DBA recieves word that a honeypot table is selected anyhow, it's a good indication that someone is looking around. Could be someone using SQL injection or some other kind of intrusion method. Unless it's some kind of general job for example to update statistics, but as DBA you figure that out soon enough. The advantage the DBA has by knowing someone is looking around, is that investigation can start right away. In Oracle for example you'd query v$ views to pinpoint the session that has executed the query on the honeypot table. You then can look in v$session what user has been used and what application. You could even trace the session and gather evidence for later use. Maybe it's possible to start that SQL trace automatically. I'm handy with a bit of PL/SQL, I might try that out later. Suppose it's some kid from Brasil breaking in. Even if you can't catch the cracker, you still could kill that session right away of course and you're left with a wealth of data about how you're system can be intruded so you can take countermeasures. Also, because you're alerted in time, you might use Flashback (Oracle9i and later) or other methods to restore the situation. |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 11th, 2005, 11:22am Hi All The technique is valid, and I have used similar approaches before, but normally within an organisation. The issue is always going to be how far back you need to trace the connection. If you want to trace the kid back to Brazil, how many tiers does he go through before he gets to your database. Apps servers and generic access accounts are always going to cause an issue, unless you can trace the connection and corrralate the audit information ffrom end to end. As Pete says, within an organisation this will work, as you assume a captive audience, and only need to trace it back to a local connection. Even then it will need information from each tier of the application the user goes through to trace who it really was. With out the co-operation of each piece of middle ware, this can be very hard to do. Trust me I've had to do it!!!!! Regards Kev |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 11th, 2005, 1:30pm on 11/11/05 at 11:22:17, NoFools wrote:
Even within an organisation the value of a honeypot is relative. Without strong authentication people can allways deny they tried to 'hack' a system. I've seen this happen. And with honeypots you have to be very careful and know exactly what you are doing. I once read that honeypots is like 'mudwrestling with pigs': very soon you realise you are loosing and the pigs are enyoing the fight:-) Ivan |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Nov 15th, 2005, 1:39pm I take you point. An audit trail is only as good as the authentication. No good knowing whats been done if you can't be cerain of who did it. I people wonder why they shouldn't share user/pwd's !!! :P Kevin. |
||
Title: Re: Ever used database honeypots? Post by Pete Finnigan on Jul 6th, 2006, 7:29pm Hi, I have just started working on HoneyPots in database...Could you please suggest ..from where can I get some help regarding this .. Thanks :) |
||
Powered by YaBB 1 Gold - SP 1.4! Forum software copyright © 2000-2004 Yet another Bulletin Board |