◆ SpookStack

: Page 2 014 server. When intruders started downloading the records, and then someone i sent a letter to Mr. Stoll about the phony organization, he and federal investigators traced the intruders to East German and Soviet intelligence agencies. Today, the use of honeytokens is not uncommon. For example, ForeScout Technologies, based in San Mateo, Calif., has built a commercial software program that tracks incidents of surreptitious reconnaissance, like port scans ? the computer equivalent of someone turning your doorknob to’'see if it is unlocked. The program will announce a false message of vulnerability to the scanner in the form of a honeytoken. It then breaks the connection if the hacker follows up with an attack. Honeytokens, like their cousins the honeypots, are based on the notion that if you build it, they will come. Mr. Spitzner became intrigued by the idea of honeypots after putting a new computer online at home and watching it get attacked within 15 minutes by an automatic program scanning the internet for vulnerable prey. Many computer criminals break into systems simply for the fun and challenge. Others are looking to take over vulnerable systems in order to use them as safe houses for setting off further, more serious, attacks. Others want to mine credit card addresses or steal corporate secrets. According to a 2002 report by the Computer Security Institute, 90 percent of the 500 corporations, government agencies, financial institutions, medical institutions and universities surveyed detected security breaches during the previous year. Honeytokens could also be useful for national security purposes. Michael Vatis, director of the Institute for Security Technology Studies at Dartmouth University, said that the Defense Department could use them to snare people seeking unauthorized information on weapons systems. For example, a honeytoken could be designed so that if it were downloaded and then taken to a different system, it would be able to contact its original server each time it was accessed. One way to do this would be to include code-in the honeytoken that would automatically try to fetch a tiny image or some other file based on the home server, making the honeytcken “phone home" whenever it is opened. Honeytokens also can be used to track attacks from within a company by people who have passwords to enter the system legitimately. Pete Herzog, managing ; director of the Institute for Security and Open Methodologies, says that he pee 1 A Printed for Sa[ 5/7/2003 FBI(19-cv-1495)-1780 ee i ee a