Archive for the ‘Uncategorized’ Category

GSOC 2012 project

Monday, November 12th, 2012

As part of the Google Summer of Code, the UK Honeynet Project ran a project working with Gyöergy Kohut from the University of Dortmund to produce a web front end for Honeeebox. It went well: Gyöergy produced a Java backend which took events and stored them in a PostgreSQL database, plus a web front end based on Django and JavaScript.

The GSOC project has now finished, but we’re continuing to work on the project.

The Sad State of IT Security

Monday, July 14th, 2008

On Friday I found out that my credit card had been used, by nefarious persons unknown, to buy £500 worth of goods online. Bad enough, but this is the second time this has happened in four years.

At this point I can hear the reader’s thoughts: stupid bugger, he’s been p0wned, got malware on his machine. Well, it’s possible. Like nearly everyone out there, my machine might have been 0wn3d by someone really good. Unless your name is H.D. Moore, there’s always someone out there better than you. But it’s unlikely. I know exactly what should be running on my machine, I know what programs can talk to the outside world, I look at tcpdumps and use a browser + OS combination that’s not currently targeted in the wild. I think I can be reasonably confident that the only malware on my machine is the stuff that’s put there by me so I can study it.

So if my machine is clean (with high probability), I haven’t lost my card (100% certain as I have it with me now) and I shred all my bank statements, bills and till receipts (yup), how come I’ve still been defrauded?

I use my card online a lot. I don’t gamble online, buy porn, dodgy pills, email my card details around or send my details to nice gentlemen in Nigeria but I do buy stuff from a range of shops, small and big.

So my best guess is that my card has been taken from a merchant. What could I do to stop this happening?

Two options:

1) Never spend money online. Very limiting and not going to happen. Even if I was willing to live with the inconvenience, it doesn’t give 100% protection anyway: my card could still be stolen if I use it at a bricks-and-mortar store (e.g. anyone who shopped at a store in the TJX group had their card placed at risk after card details were stolen). I’m certainly not going to stop using my card totally.

2) Only ever spend money with the biggest online shops: ones that are big enough to have their own security teams, do code audits etc. Stick with and Not foolproof, but a reasonable reduction in risk. The problem with this is that a lot of stuff I want to buy online is only available from smaller shops. Worse, it’s only available from mid-sized retailers: ones that are too big to just use PayPal, big enough to have their own in-house ASP or PHP developers, but not big enough to do it right.

You might think I’ve missed an option there: ‘3) Only buy from trusted retailers’. The trouble is that as a consumer, even one much more knowledgeable about security than most, there is no way I can make any valid judgement about a retailer’s security or lack thereof. I don’t have access to any information that will let me evaluate a retailer’s security, and without that information being available, there’s also no competitive pressure on stores. Instead we have to rely on the banking groups dragging standards upwards via things like the PCI DSS standard. These are good, but it’s a long slow grind.

Conclusions? My card has been stolen, it’s quite possible it’ll happen again, and there’s nothing I can do about it except to never use my card. Worse, because online crime is now a low priority for UK Police, I don’t even get to report this to the police, only to my bank, and I can be pretty confident that no-one will ever be charged for this (they weren’t last time, even though I did report that incident to the police as it predated the new reporting arrangements).

This is not a happy state of affairs. If the definition of distributed computing is the failure of a machine whose existence you don’t know about breaking something you are doing, then this is the security version: being compromised by systems you don’t know about and can’t influence.


submit-http for nepenthes

Tuesday, June 3rd, 2008

A hideously simplistic PHP handler for the nepenthes submit-http module. It Works For Me ™.


<?php
// Minimal handler for the nepenthes submit-http module: appends one
// "timestamp=...,key=value,..." line per submission to /tmp/submit-log.
// Values are logged exactly as received from the sensor, unescaped.
$ts = date('c');
$log = "timestamp=$ts";

foreach ($_POST as $key => $value) {
        switch ($key) {
        case "url":
        case "trigger":
        case "md5":
        case "sha512":
        case "filetype":
        case "source_host":
        case "target_host":
        case "filename":
          $$key = $value;
          $log .= ",$key=$value";
          break;
        }
}

$myFile = "/tmp/submit-log";
$fh = fopen($myFile, 'a');
fwrite($fh, $log . "\n");
fclose($fh);
?>


You’ll want your config file /etc/nepenthes/submit-http.conf to give this script as the URL, e.g. “” and enable the submit-http module in /etc/nepenthes/nepenthes.conf. After that, you probably want to figure out how to collect the binaries that nepenthes has just captured.
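As an added example (not the author's code and not part of nepenthes), a Python parser for the submit-log lines the handler above writes: it validates the md5/sha512 fields and collapses repeat sightings of the same binary, so each captured sample only has to be collected once. The sample log lines, hosts and hash values are constructed.

```python
import re
from typing import Dict, List, Optional

# Keys the handler above copies from the nepenthes submit-http POST.
SUBMIT_FIELDS = ("url", "trigger", "md5", "sha512", "filetype",
                 "source_host", "target_host", "filename")
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
HEX_SHA512 = re.compile(r"^[0-9a-f]{128}$")

def parse_submit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'timestamp=...,key=value,...' line written by the handler.
    Values are written unescaped, so a comma inside a value splits it; unknown
    keys and bare fragments are dropped. Returns None unless md5 and sha512
    are well-formed hex digests, the one check possible before trusting a row."""
    record: Dict[str, str] = {}
    for item in line.strip().split(","):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        if key == "timestamp" or key in SUBMIT_FIELDS:
            record[key] = value
    md5 = record.get("md5", "").lower()
    sha512 = record.get("sha512", "").lower()
    if not HEX_MD5.match(md5) or not HEX_SHA512.match(sha512):
        return None
    record["md5"], record["sha512"] = md5, sha512
    return record

def unique_samples(log_text: str) -> List[Dict[str, str]]:
    """One record per distinct sha512 (first sighting wins)."""
    seen, out = set(), []
    for line in log_text.splitlines():
        rec = parse_submit_line(line)
        if rec is not None and rec["sha512"] not in seen:
            seen.add(rec["sha512"])
            out.append(rec)
    return out

# Constructed sample log (not real captures); hashes are placeholder hex.
MD5_A, SHA_A = "0123456789abcdef" * 2, "0123456789abcdef" * 8
SAMPLE_LOG = "\n".join([
    "timestamp=2008-06-03T10:00:00+01:00,url=http://198.51.100.7/x.exe,trigger=example_module,"
    f"md5={MD5_A},sha512={SHA_A},filetype=PE32,source_host=198.51.100.7,target_host=192.0.2.10,filename=x.exe",
    "timestamp=2008-06-03T10:05:00+01:00,url=http://198.51.100.9/y.exe,trigger=example_module,"
    f"md5={MD5_A},sha512={SHA_A},filetype=PE32,source_host=198.51.100.9,target_host=192.0.2.10,filename=y.exe",
    "timestamp=2008-06-03T10:06:00+01:00,url=http://198.51.100.9/z.exe,trigger=example_module,"
    "md5=not-a-hash,sha512=bogus,filetype=PE32,source_host=198.51.100.9,target_host=192.0.2.10,filename=z.exe",
])
```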

OpenWrt Nepenthes on VMware x86 and Routerboard 532a

Tuesday, May 20th, 2008

Experimentation with running Nepenthes malware collectors on the OpenWrt embedded platform continues, so I’ve updated the Nepenthes on OpenWrt HOWTO with information on building x86 ports to run under VMware and also added build instructions for the MikroTik Routerboard 532a embedded device.