1. An introduction to the basic mechanics of fast flux (David Watson, UKHP)
2. Current ATLAS fast flux statistics (Jose Nazario, Arbor)
3. Detection and mitigation (Christian Gorecki, University of Mannheim)

The NM-SG session was open to FIRST members only, so the slides are not publicly available, but we hope to have a public release of similar material shortly. We had a number of questions, and feedback from the attendees seems to have been positive.

There were three additional short demos:

1. Florian Weimer of RUS-CERT showed some new passive DNS tracking information
2. Tillmann Werner from the German Giraffe Honeynet Project Chapter demonstrated how Honeytrap, LibEmu and Nebula can be used to analyze unknown attacks, which is looking very promising as a long term replacement for Nepenthes
3. Piotr Kijewski of the Polish CERT/NASK gave a brief demonstration of their still under development HoneySpider web interface, which shares many of the features of client honeypot systems that we are currently working on but instead uses Java and Rhino instead of Python and SpiderMonkey

Overall it was an interesting event, with some good talks and lot of opportunities to meet up with a different group of people very active in the security operations and incident response fields. Quiet a few Honeynet Project members were also present, which always encourages a little extra R&D discussion. Hopefully we’ll see some spin off activity in the coming weeks.

Many thanks to Carol Overes from GovCERT in Holland for the invite.

The standard of presentations and content was generally good, with a number of interesting topics and useful new tools being released. Highlights for me were:

• Saumil Shah’s Teflon browser extension, which hooks javascript system calls such as document.write and replaces evil Javascript with harmless divs. This fits well with some of the recent evil JS research we have been doing, and we are going to do some collaboration here in the coming months.
• Alberto Revelli gave an excellent talk on taking SQL Injection vulnerabilities on Windows platform to the next level and using SQLNinja to establish a working remote graphical desktop. Good to see old techniques like building executables from ASCII HTTP requests plus debug.exe coming back into fashion, and an excellent example of how to escalate control from an initial foothold.
• Martyn Ruk’s review of IBM’s MQ middleware and identication of some surprisingly simple potential vulnerabilities in a number of areas. Good to see someone looking at MQ security and building tools for auditing MQ systems.

Hot topics for the press were Justin Ferguson’s talk on exploiting interpreted languages like Python and PERL, resulting in potentially remotely exploitable vulnerabilities in services like the recently released Google App Engine, and Sebastian Muniz’s talk on developing the first public Cisco IOS rootkit. Both were impressive and it will be interesting to see what happens in this space over the next few months.

I gave another lightning talk on Evil Javascript and SpamMonkey, which we hope to start making public soon. You can find the slides here.

As always, one of the best things about the event was the opportunity to meet up with interesting people in a relaxed environment and discuss what they were working on. It was also good to get a chance to catch up with friends and various industry people. Lots of interesting contacts and discussions, and hopefully we’ll release some research in the coming months that will have benefited from them. All in all, another interesting and enjoyable (sleep deprived) SecWest event.

• Sebastian Muniz’s “Da IOS Rootkit” talk will review his reverse engineering and kernel hooking approach to building a reliable Cisco IOS rootkit
• Justin Ferguson’s “Advances in attacking interpreted languages” will cover the attack surface and potential vulnerabilities in Google’s recently release App Engine.

Hopefully EuSec will be another interesting and entertaining event, with any honeynet-related news and events to follow.

The workshop was held at Vrije University south of the city centre and included members of the WOMBAT consortium and invited guests who were active in the fields of honeynet deployments, malware analysis and large scale data collection. Over two days we were introduced to the three year WOMBAT project, its goals and members and a number of short presentations were given by the invited guests from the EU, US, Asia and Australia. David spoke about the Honeynet Project’s various data collection initiatives, including the Global Distributed Honeynet Project (GDH), and Max spoke about attacker profiling models. The proceedings will be published in the journals of IEEE Computer Society later in the year and we’ll post them when we are able to.

Overall an interesting event with lots of opportunity for collaboration and information sharing that will hopefully come to fruition. Of particular interest was the honeyclient work that the Polish CERT NASK were involved in, which was remarkably similar to our own recent activity on Evil Javascript and SpamMonkey that I gave a lightning talk on at CanSecWest08 last month. Like us, they hope to release their code as open source in the coming weeks and months, so we are look forward to seeing it.

In the end, and for the first time ever, all the speakers made it to the event and I didn’t need to give a repeat performance of my PacSec07 GDH presentation. However, I did give a lightning talk entitled Evil Javascript and SpamMonkey that introduced a couple of projects the UK Honeynet Project team have been working on recently. You can find the slides here and hopefully we’ll be releasing the code and some sample results in the coming months.

For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.

Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.

The abstract for the talk was:

A review of Phase One of the Honeynet Project’s latest research
initiative, the deployment and operation of a global network of
distributed high interaction research honeypots. An overview of the
architecture, challenges faced, technical tools and new
analysis/reporting procedures developed. Discussion of observed
malicious activity during operation of eleven high interaction research
honeynets around the world for six months (Jan-Jun 2007), including
attacker activity, malware collection summary, etc. Sharing of practical
operational experiences gained to date, unsolved issues and goals for
the future.

GDH was the first (publicly declared) real world distributed high
interaction research honeynet with nodes on most continents, designed
and operated by the Honeynet Project. It enables the rapid deployment of
identical honeypots over wide ranges of IP network space, monitoring of
network activity and analysis of attacks against a range of distributed
systems. The techniques and operational experience should be useful to
many organizations interested in global sensor networks and better
understanding the threats posed to their networks. A “Know Your Enemy:
GDH” white paper and other supporting material will be released in 2008.

Slides will be available online from the both the PacSec07 and Honeynet Project web sites shortly, or they can be downloaded directly from here.

The presentation was an hour long, and hopefully provided an introduction to what GDH Phase One was, why and how we built and operated it, then summarized some of our initial results and plans for the future. The audience questions were of a good standard, as were follow-up discussions at the party afterwards. Any offline feedback or questions are also welcome.

Overall the conference was enjoyable, with good presentations in a number of areas and an interesting mix of both Japanese and international attendees (and the obligatory late night social activities). Hopefully we’ll see some spin off honeynet research in 2008 in a couple of areas. It was also great to have the opportunity to visit Tokyo and meet local security researchers, plus presenting to a Japanese audience with live translation was entertaining. I’d particularly like to thank Ryo Hirosawa and the other translators for all their last minute help with slide translation. Thanks once again guys!

You can find further coverage and some photographs of the event here: