Author |
Topic: Ever used database honeypots? (Read 6101 times) |
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender: 
Posts: 309
|
 |
Ever used database honeypots?
« on: Nov 9th, 2005, 10:46am » |
Quote | Modify
|
Last week I talked to customers of Transfer Solutions, my employer, about Oracle database security. In this talk I proposed honeypots as a way to discover if anyone is trying to query tables they're not supposed to query.
For example there could be a table called SALARY or CUSTOMER or something, which is not used by the application. If somebody tries to select that table a mail could be send to a DBA or his/her pager could recieve a message.
Has anyone tried this or seen this before? Or even more sophisticated honeypots?
|
|
 IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
 |
Re: Ever used database honeypots?
« Reply #1 on: Nov 9th, 2005, 3:12pm » |
Quote | Modify
|
Marcel-jan,
What's the point of having a honeypot? What do you do if you have someone from, let's say, Brasil trying to crack your database?
What would you want to learn from a honeypot?
Anyway you could try Snort. Snort is an IDS that can be con figured to scan for keywords like select, union, etc and send emails when the keyword appears in the networkdata.
Another way is with Oracle auditing: audit to the syslog file and use the countless tools to check the syslog and alert the administrator.
Ivan
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Ever used database honeypots?
« Reply #2 on: Nov 9th, 2005, 7:24pm » |
Quote | Modify
|
Hi Marcel-Jan,
This is an interesting idea on a number of levels, it could be used internally in an organisation if you suspect unauthorised access. There are also many honeypot sites out there already, perhaps they should include databases. Also maybe someone like the Internet Storm Center would be interested.
Also we are not just talking Oracle here, this applies to other databases such as MS SQL or MySQL.
cheers
Pete
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Ever used database honeypots?
« Reply #3 on: Nov 9th, 2005, 11:40pm » |
Quote | Modify
|
My idea was having a honeypot table (or other object) that looks like it's part of the application, but used by none. When a DBA recieves word that a honeypot table is selected anyhow, it's a good indication that someone is looking around. Could be someone using SQL injection or some other kind of intrusion method. Unless it's some kind of general job for example to update statistics, but as DBA you figure that out soon enough.
The advantage the DBA has by knowing someone is looking around, is that investigation can start right away. In Oracle for example you'd query v$ views to pinpoint the session that has executed the query on the honeypot table. You then can look in v$session what user has been used and what application. You could even trace the session and gather evidence for later use. Maybe it's possible to start that SQL trace automatically. I'm handy with a bit of PL/SQL, I might try that out later.
Suppose it's some kid from Brasil breaking in. Even if you can't catch the cracker, you still could kill that session right away of course and you're left with a wealth of data about how you're system can be intruded so you can take countermeasures. Also, because you're alerted in time, you might use Flashback (Oracle9i and later) or other methods to restore the situation.
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Ever used database honeypots?
« Reply #4 on: Nov 11th, 2005, 11:22am » |
Quote | Modify
|
Hi All
The technique is valid, and I have used similar approaches before, but normally within an organisation.
The issue is always going to be how far back you need to trace the connection. If you want to trace the kid back to Brazil, how many tiers does he go through before he gets to your database. Apps servers and generic access accounts are always going to cause an issue, unless you can trace the connection and corrralate the audit information ffrom end to end.
As Pete says, within an organisation this will work, as you assume a captive audience, and only need to trace it back to a local connection. Even then it will need information from each tier of the application the user goes through to trace who it really was. With out the co-operation of each piece of middle ware, this can be very hard to do.
Trust me I've had to do it!!!!!
Regards
Kev
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
View Profile | WWW | Email
Gender:
Posts: 309
|
|
Re: Ever used database honeypots?
« Reply #5 on: Nov 11th, 2005, 1:30pm » |
Quote | Modify
|
on Nov 11th, 2005, 11:22am, NoFools wrote:
...
...
As Pete says, within an organisation this will work, as you assume a captive audience, and only need to trace it back to a local connection. Even then it will need information from each tier of the application the user goes through to trace who it really was. With out the co-operation of each piece of middle ware, this can be very hard to do.
Trust me I've had to do it!!!!!
Regards
Kev |
|
Even within an organisation the value of a honeypot is relative. Without strong authentication people can allways deny they tried to 'hack' a system. I've seen this happen.
And with honeypots you have to be very careful and know exactly what you are doing. I once read that honeypots is like 'mudwrestling with pigs': very soon you realise you are loosing and the pigs are enyoing the fight
Ivan
|
|
IP Logged |
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
|
|
|
|
PFCLScan
PFCLObfuscate
PFCLCode
PFCLForensics
PFCLReselling
PFCLATK
PFCLCookie
PFCLTraining
PFCLServices
PFCLConsulting
PFCLCustom
PFCLCloud
PFCLUserRights
PFCLSTK
PFCLSFTK
PFCLSEO