
UK Honeynet Project Chapter Annual Status Report For 2011/2012

Tuesday, December 4th, 2012

As part of membership requirements, each year, all chapters of the Honeynet Project must post annual reports that detail what their chapter members have been working on during that period. The reporting period got a bit mixed up recently, so this is the UK Chapter’s annual report for both 2011 and 2012. You can find the status reports for other Chapters on the main Honeynet Project website.

ORGANIZATION

Current UK Chapter members are:

David Watson – Full member, Chapter Lead, Honeynet Project Chief Research Officer
Arthur Clune – Full member
Jamie Riden – Full member
Steve Mumford – Alumni member

As you may have noticed from the lack of recent updates to our UK Chapter blog, during this period our members have either mostly been involved in activities under the core Honeynet Project, rather than UK-specific chapter activities, or have been busy with personal/professional lives and so have had limited time to contribute here. That has unfortunately reduced public facing UK Chapter activity to its lowest point in many years.

We have had a number of membership inquiries during this period, and potentially could increase our chapter membership, but to be honest, we have avoided bringing in new UK Chapter members whilst UK activity levels were low and no-one had the time to adequately support new members. Hopefully that situation will improve in 2013 and we’ll see increased UK Chapter output once again.

DEPLOYMENTS

During this period we have had a mix of honeynet technologies deployed. Some have been part of long term data collection efforts, whilst others have been shorter term deployments – often for testing of new tools.

Long term deployments:

1) [David] Our version 1 HonEeeBox pre-packaged (Nepenthes) low interaction sensor project was active at the start of this reporting period, but has since switched over to the version 2 HonEeeBox system. Although the version 1 system is no longer being maintained, two of the original HonEeeBox v1 sensors are still running. For reference, the total amount of data collected to date by the old system is:

Sensors: 43

Total Attacks: 2,401,582

Total Attacker IPs: 36,632

Total Victim IPs: 214

Total MD5sums: 4,665

Total malicious binary size: 559 Mbytes

2) [David] Like the v1 Nepenthes based HonEeeBoxes, the first releases of the Dionaea powered HonEeeBox v2 system initially submitted data to a submit_http backend, developed during GSoC 2011. We have run a honey cloud hosted instance of that old backend, plus a couple of sensors, for most of this period. The data has only been retained for historical purposes.

3) [David] Later v2 Dionaea based HonEeeBoxes were HPFeeds-enabled, and we have been submitting data to the Honeynet Project’s shared HPFeeds system from multiple physical and virtual sensors since it went live. These are a mix of Asus EeePC based physical HonEeeBoxes on domestic ADSL/FTTC lines, and cloud provider hosted VM instances. Current rough volumes of Dionaea events captured through HPFeeds to date are:

Sensors: 44

Total Attacks: 14,552,708

Total Attacker IPs: 300,451

Total Victim IPs: 2,410

Total MD5sums: 7,865

Total malicious binary size: 2.6 Gbytes

Data and binary samples collected from each of the above systems were shared with the Shadowserver Foundation and VirusTotal, for automated AV and sandbox analysis, and hopefully eventual remediation of infected hosts. Enriched data has also been logged locally in an instance of the GSoC 2012 HonEeeBox backend project, which we hope to continue developing with the student Gyoergy in 2013. Longer term we hope to be able to expand the number of sensors to 100+ and release public visualizations of these attacks.

4) Jamie has recently deployed a couple of local HPFeeds-enabled Dionaea sensors too, which are also feeding the main Honeynet Project shared HPFeeds instance.

5) During the start of this period David was still running a legacy Global Distributed Honeynet (GDH2) high interaction sensor node on a domestic DSL connection (since disabled). That included a Honeywall plus a mix of low and high interaction honeypots, mostly on Linux.

6) At points during this period, David ran a mix of Capture-HPC high interaction client honeypots, HoneySpiderNetwork low/high interaction client honeypots, and PhoneyC and Thug low interaction client honeypots.

7) David has helped provide the infrastructure used by other Project members in various botnet related studies and takedown activities. More information about these activities will hopefully eventually be made public.
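The figures quoted for the HPFeeds-fed Dionaea sensors above (sensors, attacks, attacker and victim IPs, MD5sums, binary size) are the kind of totals a backend derives from the feed. The following is an added example of that aggregation, written for this page; it is not code from the HonEeeBox backend, Dionaea or the hpfeeds library. It assumes (check against your Dionaea version’s hpfeeds ihandler) that capture metadata is published on the `dionaea.capture` channel as JSON with `saddr`/`sport`/`daddr`/`dport`/`md5`/`sha512`/`url`, and that sample bytes are published on `mwbinary.dionaea.sensorunique`. Every event, address and binary in it is constructed, not a real capture.

```python
"""Aggregate HPFeeds events from Dionaea sensors into the summary figures
quoted above: sensors, attacks, attacker/victim IPs, MD5sums, binary size.

Added example; not code from the HonEeeBox backend, Dionaea or hpfeeds.
Assumed (check against your Dionaea version's hpfeeds ihandler): capture
metadata arrives on 'dionaea.capture' as JSON with saddr/sport/daddr/dport/
md5/sha512/url, and sample bytes arrive on 'mwbinary.dionaea.sensorunique'.
All events below are constructed, not real captures.
"""
import hashlib
import ipaddress
import json
import re
from dataclasses import dataclass, field

CAPTURE_CHAN = "dionaea.capture"
BINARY_CHAN = "mwbinary.dionaea.sensorunique"
MD5_RE = re.compile(r"[0-9a-f]{32}")


@dataclass
class CaptureStats:
    sensors: set = field(default_factory=set)        # hpfeeds publisher idents
    attacks: int = 0                                  # accepted capture events
    attacker_ips: set = field(default_factory=set)
    victim_ips: set = field(default_factory=set)
    binaries: dict = field(default_factory=dict)      # md5 -> size in bytes
    rejected: int = 0                                 # malformed capture events


def ingest(stats: CaptureStats, ident: str, chan: str, payload: bytes) -> bool:
    """Process one message as an hpfeeds subscriber callback receives it:
    (publisher ident, channel, raw payload). Returns True if it was counted."""
    if chan == CAPTURE_CHAN:
        try:
            ev = json.loads(payload)
            src = ipaddress.ip_address(ev["saddr"])   # raises on junk
            dst = ipaddress.ip_address(ev["daddr"])
            md5 = ev["md5"].lower()
            if not MD5_RE.fullmatch(md5):
                raise ValueError("bad md5 field")
        except (ValueError, KeyError, TypeError, AttributeError):
            stats.rejected += 1            # a bad sensor must not corrupt totals
            return False
        stats.sensors.add(ident)
        stats.attacks += 1
        stats.attacker_ips.add(str(src))
        stats.victim_ips.add(str(dst))
        stats.binaries.setdefault(md5, 0)  # size filled in when the bytes arrive
        return True
    if chan == BINARY_CHAN:
        # Key the size by a hash computed over the bytes actually received,
        # not by whatever md5 the sensor announced in its metadata event.
        stats.sensors.add(ident)
        stats.binaries[hashlib.md5(payload).hexdigest()] = len(payload)
        return True
    return False  # dionaea.connections, dcerpcrequests etc. are not counted here


def _capture(src: str, dst: str, sample: bytes, url: str) -> bytes:
    """Build a constructed dionaea.capture payload for one download event."""
    return json.dumps({
        "time": "2012-12-04 10:00:00", "saddr": src, "sport": "4123",
        "daddr": dst, "dport": "445",
        "md5": hashlib.md5(sample).hexdigest(),
        "sha512": hashlib.sha512(sample).hexdigest(), "url": url,
    }).encode()


# Constructed stand-ins for dropped binaries (not real malware).
SAMPLE_A = b"MZ" + b"\x90" * 62 + b"sample-a"
SAMPLE_B = b"MZ" + b"\xcc" * 30 + b"sample-b"

# Constructed feed of (ident, channel, payload) tuples, TEST-NET addresses only.
EVENTS = [
    ("honeeebox-01", CAPTURE_CHAN, _capture("203.0.113.7", "198.51.100.2", SAMPLE_A, "tftp://203.0.113.7/x.exe")),
    ("honeeebox-01", BINARY_CHAN, SAMPLE_A),
    # Same binary pushed at a second sensor: one more attack, same md5.
    ("honeeebox-02", CAPTURE_CHAN, _capture("203.0.113.7", "198.51.100.9", SAMPLE_A, "tftp://203.0.113.7/x.exe")),
    ("honeeebox-02", CAPTURE_CHAN, _capture("203.0.113.44", "198.51.100.9", SAMPLE_B, "http://203.0.113.44/b.exe")),
    ("honeeebox-02", BINARY_CHAN, SAMPLE_B),
    # Malformed event: unparseable source address is rejected, not counted.
    ("honeeebox-02", CAPTURE_CHAN, b'{"saddr": "not-an-ip", "daddr": "198.51.100.9", "md5": "00"}'),
    # Another channel: ignored by this aggregator.
    ("honeeebox-01", "dionaea.connections", b'{"remote_host": "203.0.113.7"}'),
]


def summarize(events) -> dict:
    """Run a feed through ingest() and return the report-style totals."""
    stats = CaptureStats()
    for ident, chan, payload in events:
        ingest(stats, ident, chan, payload)
    return {
        "sensors": len(stats.sensors),
        "attacks": stats.attacks,
        "attacker_ips": len(stats.attacker_ips),
        "victim_ips": len(stats.victim_ips),
        "md5sums": len(stats.binaries),
        "binary_bytes": sum(stats.binaries.values()),
        "rejected": stats.rejected,
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats for anyone reproducing the report’s numbers this way: the “Sensors” figure counts distinct hpfeeds idents, so several boxes sharing one ident collapse into one sensor; and keying binaries by MD5 inherits MD5’s collision weakness, so a backend that wants to identify samples rather than just match the historical “MD5sums” metric should key on the `sha512` field the event also carries.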

RESEARCH AND DEVELOPMENT

During this period we built or worked on the following tools:

1) [David] HonEeeBox pre-packaged low interaction honeypot sensor system and associated back/front ends. We hope to continue this development work in 2013, increasing the number of sensors, adding low interaction SSH honeypot capabilities through Kippo, adding options for centralized monitoring and management, and perhaps including proxy/client honeypot elements too.

2) David and Arthur were mentors for GSoC 2011/2012 on HonEeeBox backend and front end development, which we also hope to continue in the future, eventually releasing a public Django/JS based user interface to replace the previous private ExtJS based HonEeeBox v1 prototype interface.

3) Minor support for our Honeysnap tool, when end user requests or bug reports were received.

4) We have tried to provide suggestions for improving some existing tools or adding new features to new projects, such as the excellent Cuckoo Sandbox or the aging Honeywall system.

For our current R&D activities:

1) David built a number of data visualization tools based on Processing.org, but didn’t get around to publicly releasing them. He very much hopes to rectify this failing in 2013 😉

2) Arthur is currently working on a pastebin scraping system, which will hopefully generate some interesting data for future analysis.

3) David has recently been working on spam pots with CERT.BR and the Shadowserver Foundation, which will become part of a larger scale distributed honeypot effort in 2013.

4) David has some ideas for next generation honeynet data capture systems and is currently exploring them. He will eventually share concepts and prototypes with members, and then the public, at a suitable point.

5) Earlier in 2012 David ported the HonEeeBox system to the Raspberry Pi platform, to potentially provide another very low cost means of distributing low interaction honeypot sensor systems. He will attempt to blog this information and release a disk image here in the next few days. Apologies to anyone waiting to use it for the delay! 😉

In general, we are still interested in large scale distributed honeynet sensor deployments and the tools necessary to store/manage/automate/visualize collected data. We would also like to see the ongoing development of high interaction honeypot technologies, or next generation alternatives for gathering such data. We’d like to continue to collaborate with anyone interested in the same goals, and to perhaps also run some more UK-focused future activities too.

FINDINGS

Unfortunately nothing to be shared with the public at this time except the observation that running public internet facing low interaction honeypots to detect network spreading malware generally only results in a lot of Conficker samples!

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Since the last chapter status report, recent speaking engagements for David were:

September 2010 – Hands-on honeynet training classes for CNCERT/CC and FIRST TC, Beijing CN
September 2010 – Whats New In Honeynets presentation, CNCERT/CC and FIRST TC, Beijing CN
November 2010 – GovCERT.NL security symposium, Rotterdam NL
December 2010 – 2 weeks of teaching hands-on honeynet classes, giving presentations, attending meetings, etc in Tokyo for NTT CERT, NTT, Hitachi, Nippon CSIRT Association (NCA), SECOND group, JP CERT, various national ISPs, etc.
January 2011 – BBC NewsNight Cyber Attacks
March 2011 – Honeynet Project annual workshop, Paris FR. Public R&D overview presentation, private P1 research, GSoC, HonEeeBox and Shadowserver presentations/sessions.
March 2011 – October 2011 – Organisational administrator for Honeynet Project Google Summer of Code 2011 and student project mentor.
June 2011 – CERT.EE Security Symposium, Tallinn, EE.
October 2011 – Google Summer of Code Mentor’s Summit, Google CA.
February 2012 – Shadowserver Foundation annual workshop, San Jose, CA. Presentation on Honeynet R&D and GSoC.
March 2012 – Honeynet Project annual workshop, Facebook, CA. Public hands-on honeynet training class, public R&D overview presentation, private P1 research, GSoC and HonEeeBox presentations/sessions.
March 2012 – October 2012 – Organisational administrator for Honeynet Project Google Summer of Code 2012 and student project mentor.
June 2012 – CERT.EE Security Symposium, Tallinn, EE. Presentation on recent honeynet R&D.
September 2012 – Conference at Interpol, Lyon, FR.
October 2012 – Google Summer of Code Mentor’s Summit, Google CA.

David will be teaching a 2-day hands-on honeynets class at the Honeynet Project’s next annual workshop in Dubai (which should be another great international event if you are interested in the cutting edge of honeynet R&D, so please check it out!), along with hopefully leading discussions again during private workshop events on honeynet R&D, GSoC and HonEeeBox, amongst others.

UK Chapter members have also attended UK-specific industry events such as Infosec UK and JANET meetings. Jamie presented at OWASP Birmingham in September and OWASP Edinburgh in November.

We continue to be active on both internal and external IRC and email, although UK-specific blogging activity has been poor. Chapter members have been involved in various Honeynet Project committee mailing lists, such as annual workshop organization, membership committee and infrastructure support. Members also individually participate in various other open or closed info-sec vetted communities too.

GOALS

Since most activity by UK Chapter members was general Honeynet Project activity, we would like to continue to remain active members but also try to increase UK-specific activity.

We would like to see the recent GSoC work on HonEeeBox sensor back/front ends result in a public UI release.

We would like to release some interesting visualisations of existing data sets, then try and engage the wider infosec and data visualisation communities on how best to improve them. We may try and run a series of public Data Visualisation challenges in 2013.

MISC ACTIVITIES

Other activities that our Chapter members have been involved in during this period:

David was a Director of the Honeynet Project in 2011 and remains the Chief Research Officer (CRO). Involvement with various fund raising efforts and proposals (some under NDA), some of which resulted in additional financial support for the Honeynet Project’s annual workshops in 2012 and 2013, and some of which are ongoing.

David collaborated on an EPSRC network proposal with Queens University Belfast Information Security Centre.

MENTORING

David was a GSoC student project mentor in 2011 and 2012 (and GSoC Org admin), Jamie was a student project mentor in 2010 and 2012. Arthur was a GSoC student project mentor in 2012 and helped with student selection in 2011.

EuSecWest08

Tuesday, May 20th, 2008

I’m in London this week for EuSecWest08, the European version of the excellent CanSec and PacSec series of conferences, which is happening tomorrow and Thursday in Leicester Square. A couple of scheduled talks are generating interest on the net already:

  • Sebastian Muniz’s “Da IOS Rootkit” talk will review his reverse engineering and kernel hooking approach to building a reliable Cisco IOS rootkit
  • Justin Ferguson’s “Advances in attacking interpreted languages” will cover the attack surface and potential vulnerabilities in Google’s recently released App Engine.

Hopefully EuSec will be another interesting and entertaining event, with any honeynet-related news and events to follow.

WOMBAT 2008 papers accepted

Friday, April 4th, 2008

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

Global Distributed Honeynet (GDH) Phase Two starting

Wednesday, April 2nd, 2008

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m pleased to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5, which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last!). Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will also include client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool too.

Honeynet Project restructuring and elections

Friday, January 4th, 2008

The Honeynet Project has recently completed a major internal restructuring, which sees the end of the Research Alliance and a move to a new Chapter based membership model (for example, we become the Honeynet Project’s UK Chapter). You can find out more about the new organisation, its bylaws and further membership information here.

As part of this restructuring process, active Honeynet Project members have elected a new Board of Directors and assigned various operational positions for the next three years. This includes David Watson from the UK group, who becomes a Honeynet Project Director and its Chief Research Officer.

With the restructuring process now complete, we are looking forward to getting back to honeynet research and development. A second, larger phase of our Global Distributed Honeynet (GDH) is already planned for 2008, along with more collaboration with other active security research groups.

Honeynet Project annual workshop

Monday, December 10th, 2007

The Honeynet Project holds an annual workshop every year, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.

For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.

Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.

Honeynet Project mentioned in UK Guardian

Monday, November 19th, 2007

In his weekly “Dork Talk” column in the Guardian, this week Stephen Fry talks about the Storm worm. He cites the Honeynet Project amongst other sources (in particular, he’s citing the recent fast flux paper, though he doesn’t quote it explicitly) and refers to us as “the good guys”, thus, as I am a regular Guardian reader, making my day.

The article is not technical and, as you would expect from Fry, very well written. A good one to pass on to relatives, managers and other interested but not techy types.

“Web application attacks” article published in Network Security (Part 1)

Tuesday, October 23rd, 2007

The October edition of Elsevier’s Network Security publication contains part one of an article on web application attacks written by David Watson of the UK Honeynet Project, with the second part to follow in November.