Monday, August 27, 2007

DLP and honeytokens

Four years have passed since I coined the term "honeytoken". I talked a lot about it at that time, as did Lance Spitzner and others from the honeypot field. The subject, however, hasn't been discussed extensively in recent years.

Well, not until the DLP - Data Leakage Prevention - fever started. I used to perform some Google queries for "honeytoken" to know how the concept was being used, but I haven't been doing that for some months. It was a great surprise to see the results when I performed the same query today. It is obvious that honeytokens are a good way to perform some DLP functionality. I'm thinking about trying to build some kind of dynamic system to deploy and monitor them. Here is how they would work:

Imagine that you want a bunch of sensitive Office files to be monitored by the system. You point the system at the files and it starts to monitor them by integrating itself with the operating system of the server where the files are hosted. When a user requests one of those files, the system will dynamically generate a honeytoken and include it in the file. The system will link this honeytoken to that specific user and include it in a list of strings monitored by the main enforcement points, like proxy servers, firewalls, IDSes and other UTM devices. It can also use some kind of distributed agent on the workstations to verify what users are doing with those files. I know that it seems to be a description of a DRM system, but the aim here is not to control what the user can do, but only to monitor the information flow.

I know that there are vulnerabilities in this design; all of them were already discussed when DLP started to gain attention. However, I'd really like to see a DLP using this approach, as it wouldn't have to analyze the information, but only to look for honeytokens. It would probably be easier to deploy and faster. Is there anybody trying to do something like this?
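A minimal sketch of the flow described above, added here as an illustration and not taken from any existing product: a registry issues a fresh honeytoken each time a user requests a file, links it to that user, and an enforcement point attributes any sighting of the token in outbound traffic. The class name, the `HT-` token format, the users, the file path and the sample traffic are all constructed assumptions.

```python
import re
import secrets

TOKEN_RE = re.compile(r"HT-[0-9a-f]{32}")  # hypothetical token format


class HoneytokenRegistry:
    """Issues a fresh honeytoken per file request and attributes later sightings."""

    def __init__(self):
        self._issued = {}  # token -> (user, path)

    def serve(self, user, path, content):
        """Return (marked copy of content, token) for this user's request."""
        token = "HT-" + secrets.token_hex(16)
        self._issued[token] = (user, path)
        return f"{content}\n[ref {token}]", token

    def watchlist(self):
        """Strings to push to proxies, firewalls and IDS sensors."""
        return sorted(self._issued)

    def scan(self, payload):
        """Enforcement-point check: [(token, user, path)] for issued tokens in payload."""
        hits = []
        for token in set(TOKEN_RE.findall(payload)):
            owner = self._issued.get(token)
            if owner:  # ignore look-alike strings that were never issued
                hits.append((token, *owner))
        return sorted(hits)


def demo():
    reg = HoneytokenRegistry()
    doc = "Q3 acquisition plan (constructed sample text)"
    alice_copy, alice_tok = reg.serve("alice", "/share/plan.doc", doc)
    bob_copy, bob_tok = reg.serve("bob", "/share/plan.doc", doc)
    # Constructed outbound HTTP body as a proxy would see it.
    outbound = "POST /upload HTTP/1.1\r\n\r\n" + bob_copy
    return reg.scan(outbound), alice_tok, bob_tok


if __name__ == "__main__":
    hits, _, _ = demo()
    for token, user, path in hits:
        print(f"ALERT {token}: copy of {path} issued to {user} seen leaving the network")
```

Because each request gets its own token, two users holding the same document carry different markers, so a hit identifies whose copy moved without the sensor inspecting the document's content.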

Friday, August 3, 2007

PSI, from Secunia

I believe that the Black Hat/Defcon buzz made this slip away from the attention of the great security minds out there. Secunia has just released its PSI - Personal Security Inspector (free!).

PSI acts on a problem that is incredibly dangerous: vulnerabilities in "auxiliary" software. In a certain way, the problem of vulnerabilities in Windows and Office is solved by Microsoft Update. However, almost nobody is acting to solve the vulnerabilities in software like Adobe Acrobat and Flash, Java virtual machines and the several different media players out there. As a lot of vulnerabilities triggered by malformed data files have been disclosed in recent years, all those pieces of software bring a lot of risk to the regular user.

PSI can check (using, of course, the very good DB from Secunia) lots of different software and indicate whether it is up to date. Actually, I regularly update the software on my desktop, and after running the tool for the first time this was the result:

So, if you are running a desktop on Windows, install PSI immediately. It will save you a lot of work keeping everything updated.