Archive for the ‘News’ Category

WOMBAT 2008 papers accepted

Friday, April 4th, 2008

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on “Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers” and I will be presenting “Honeynet Project: Data Collection and Data Analysis” (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

Global Distributed Honeynet (GDH) Phase Two starting

Wednesday, April 2nd, 2008

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m pleased to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last!). Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will also include client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool.

UKHP attend ISOI4

Tuesday, March 4th, 2008

I was one of the attendees at the fourth ISOI workshop last week, which this time was held in sunny San Jose. Once again, the event had an interesting range of presentations and discussions, mostly focused around what system defenders could do now to make a difference to the continuing tide of cybercrime observed every day. There was also plenty of opportunity to catch up with people in the security community, and put faces to names, so thanks to Gadi and co for the continued invites. I also got a bit of time to hang out with various Honeynet Project people and some of the guys from Shadowserver, and hopefully we’ll see some interesting spin-offs in the coming months. Being from the UK, the obligatory Silicon Valley geek tourism was also fun.

WOMBAT Workshop 2008

Wednesday, February 20th, 2008

The Honeynet Project have been invited to submit a paper to the upcoming invite-only Worldwide Observatory of Malicious Behaviors and Attack Threats (WOMBAT, http://wombat-project.eu) honeynet workshop at Vrije University in Amsterdam on the 21st and 22nd of April. David and Jamie from the UKHP will be organising the Honeynet Project’s submissions, and we hope to have at least one presentation accepted for publication in the journal of the IEEE.

For more details see http://wombat-project.eu/2008/04/wombat-closed-workshop-april-2.html

New release of the Honeywall CDROM

Friday, January 4th, 2008

There’s a new (beta) release of the Honeynet Project’s “Honeywall” CDROM out. This release (1.3b) fixes some bugs but the main change is a move from the no longer supported Fedora Core 6 platform to CentOS 5. This should give us less work keeping the base platform up to date and more time to work on adding cool new features :)

We’re also moving to a more open development model for the CDROM. Although it’s always been GPL’d, the development process has been closed and it’s been hard for outsiders to add features/hack code. I’m pleased to say that that’s now changed, and there’s a new Trac site with a svn tree, wiki and all the usual stuff. The Honeywall public mailing list is also still available.

Cool stuff that will be coming in the future includes a move to hflow2 for better flow decoding and analysis and changes to the build processes to make it easier to use.

Credits: Earl Sammons, Rob McMillen and myself did the CentOS port. Steve Mumford and Dave Watson did all the work in setting up our new infrastructure to enable more open development.

Honeynet Project restructuring and elections

Friday, January 4th, 2008

The Honeynet Project has recently completed a major internal restructuring, which sees the end of the Research Alliance and a move to a new Chapter based membership model (for example, we become the Honeynet Project’s UK Chapter). You can find out more about the new organisation, its bylaws and further membership information here.

As part of this restructuring process, active Honeynet Project members have elected a new Board of Directors and assigned various operational positions for the next three years. This includes David Watson from the UK group, who becomes a Honeynet Project Director and its Chief Research Officer.

With the restructuring process now complete, we are looking forward to getting back to honeynet research and development. A second, larger phase of our Global Distributed Honeynet (GDH) is already planned for 2008, along with more collaboration with other active security research groups.

Honeynet Project annual status report published

Monday, October 8th, 2007

The Honeynet Project published its annual status report today, which includes a round-up of the R&D activity undertaken by members during the previous year. Details of some UK Honeynet Project are also included.

Lance Spitzner HITB keynote

Thursday, September 6th, 2007

Lance Spitzner was one of the keynote speakers at Hack-In-The-Box 2007 in Malaysia this week, and talked about some of the research we have been involved in recently (including the Honeynet Project’s Global Distributed Honeynet initiative - GDH, which David led). More details can be found at the conference web site.