◆ SpookStack

[p20 PM 4/28/2003, Internet Policy News Page 3 of 8 bé -5 b7C -5 snare people seeking unauthorized information on weapons systems. For example, a honeytoken could be designed so that if it were downloaded and then taken to a different system, it would be able to contact its original server each time it was accessed. One way to do this would be to include code in the honeytoken that would automatically try to fetch a tiny image or some other file based on the home server, making the honeytoken “phone home" whenever it is opened. Honeytokens also can be used to track attacks from within a company by people who have passwords to enter the system legitimately. Pete Herzog, managing director of the Institute for Security and Open Methodologies, says that he has used honeytokens to detect when employees illicitly download forbidden material. For example, he has entered corporate memos with particular typos into private databases and then monitored company networks to see where those typos show up. Tracing these honeytokens, he says, often leads to caches of illegal materials stored on the network. No one believes that honeytokens can stop all cybercrime. But they could offer an upgrade in protection. Honeytokens offer another advantage: They help reduce the number of false positives in other cyberdefense systems. Like car alarms, intrusion detection systems can go of f so frequently because of accidental trespassing hat many security administrators ignore the warnings. Honeytokens, if designed correctly, should trigger alarms only if there is a malicious attack. Hackers, however, are not impressed. Adria Lamo, who gained notoriety last year when he claimed to have broken into the systems of a number of companies, including Yahoo, says he is not worried. "It's a form of old-school security," he says. "It will work on the people who have been to he old schools." Mr; Larne says that he only goes after information that he knows other people requently seek access to and that he runs credit checks to ensure that information he uncovers, like Social Security numbers, are real. Mr. Spitzner contends that it should not matter whether a hacker bothers to run acredit check because the alarm should ring any time the decoy record is accessed. b6 -5 b7c -5 Painted fox} 9723/2003 FBI(19-cv-1495)-2163