UK Honeynet Project 

I’m in London this week for EuSecWest08, the European version of the excellent CanSec and PacSec series of conferences, which is happening tomorrow and Thursday in Leicester Square. A couple of scheduled talks are generating interest on the net already:

• Sebastian Muniz’s “Da IOS Rootkit” talk will review his reverse engineering and kernel hooking approach to building a reliable Cisco IOS rootkit
• Justin Ferguson’s “Advances in attacking interpreted languages” will cover the attack surface and potential vulnerabilities in Google’s recently release App Engine.

Hopefully EuSec will be another interesting and entertaining event, with any honeynet-related news and events to follow.

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m please to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last! Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will include also client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool too.

The Honeynet Project has recently completed a major internal restructuring, which sees the end of the Research Alliance and a move to a new Chapter based membership model (for example, we become the Honeynet Project’s UK Chapter). You can find out more about the new organisation, it’s bylaws and further membership information here.

As part of this restructuring process, active Honeynet Project members have elected a new Board of Directors and assigned various operational positions for the next three years. This includes David Watson from the UK group, who becomes a Honeynet Project Director and it’s Chief Research Officer.

With the restructuring process now complete, we are looking forward to getting back to honeynet research and development. A second, larger phase of our Global Distributed Honeynet (GDH) is already planned for 2008, along with more collaboration with other active security research groups.

The Honeynet Project holds an annual workshop every year, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.

For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.

Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.

In his weekly “Dork Talk” column in the Guardian, this week Stephen Fry talks about the Storm worm. He cites the Honeynet Project amongst other sources (in particular, he’s citing the recent fast flux paper though he doesn’t quote it explicitly) and refers to us “the good guys”, thus, as I am a regular Guardian reader, making my day.

The article is not technical and, as you would expect from Fry, very well written. A good one to pass on to relatives, managers and other interested but not techy types.

The October edition of Elsevier’s Network Security publication contains part one of an article on web application attacks written by David Watson of the UK Honeynet Project, with the second part to follow in November.

David Watson was interviewed this week by BBC News, for piece on identity theft and attacks against Internet users.