UK Honeynet Project 

A lot of current computer security threat research activity today occurs in the client space, with honeyclients such as Capture-HPC and PhoneyC regularly being used to study attacks against web browsers. Often these attacks occur through malicious obfuscated javascript and exploitation of vulnerable plugins or media extensions to allow fully automated ‘drive by download’ infections. The Honeynet Project have published a number of Know Your Enemy whitepapers in this area over the past year, and continue to actively research in this area. We have also previously blogged about some of the ideas the UK Honeynet Project have been experimenting with in this area.

One of the biggest challenges with client based threats is assessing the real world scale of the potential problem. For traditional server based threats, it was fair simple to survey the entire IPv4 space and determine what versions of a particular application or operating system were in active use at a particular time. However, for client threats, you need a client application to come to you and interact with a service before any assessment of potential client vulnerabilities can be performed. This is a significant challenge for both attackers and researchers (hence the continued use of indiscriminate spamming and malicious advert serving at the same time as more targeted attacks are also being developed).

As the world’s most popular search engine, Google record the user agent client version data from the billions of web searches made by an estimated 75% of Internet users, and is therefore one of the organisations most likely to be able to provide an assessment of the current state of web browser security (Microsoft’s MSRT also has excellent data, but only for the ~450 million users regularly running Windows Automatic Updates). However, for obvious privacy reasons, this data has not been made available to the public.

An interesting survey was released yesterday by Google Switzerland, IBM ISS and the Computer Engineering and Networks Laboratory of the University of Zurich, which provides the first systematic study of the browser data from around 1.4 billion Google users during the first half of 2008. They analysed Google’s client version data and correlated this with vulnerability data from sources such as Secunia’s PSI, in an attempt to assess how many vulnerable browsers were in circulation at a particular time.

The results are very interesting, with Internet Explorer taking 78% (1.1 billion) of the browser share and Firefox getting 16% (227 million). Drilling down deeper into the IE market share shows roughly half of IE users have now moved to IE7, whilst most FF users run the latest release. More worryingly, less that 50% of IE uses had the most secure version of their browser (rising to 83% in FF). For the month of June 2008, the authors suggest that over 45% web surfers (roughly some 637 million people) accessed Google with a browser that contained unpatched security vulnerabilities. There is also some interesting analysis of the exposure to plugged in as well as inbuilt vulnerabilities, plus some good recommendations for potential improvements to web browser security. In particular, the concept of web sites checking a browser’s agent strings and displaying a highly visible “expiry date” warning on every page (in an attempt to enforce a maximum shelf life) is worth further investigation.

The very welcome paper is definitely worth a read, but is unlikely to cause too much immediate worry to the cyber criminals who are actively targeting web users through the thousands of mass compromised web servers, phishing emails and instant message spam we encounter each day.

The November edition of Elsevier’s Network Security publication contains the second part of an article on web application attacks written by David Watson of the UK Honeynet Project and can be downloaded as part of their current free online trial (as can a previous article on Honeynets as Counter-intelligence tools).

The Honeynet Project released a new Know Your Enemy: “Behind the Scenes of Malicious Web Servers” white paper today, which follows up on recent publications about malicious web sites and attacks against common web clients.

Abstract:

“In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies.”

Lots of cross over with recent UKHP activity and well worth a read.

The October edition of Elsevier’s Network Security publication contains part one of an article on web application attacks written by David Watson of the UK Honeynet Project, with the second part to follow in November.

The Honeynet Project has released a new Know Your Enemy white paper on malicious websites and attacks against web browsers: “In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC”. This paper contains lots of interesting web attack related material.

http://www.honeynet.org/papers/mws/

The Honeynet Project have released a new KYE white paper. KYE: Fast-Flux Service Networks describes how attackers are developing more robust and scalable networks for delivering cyber-crime, based on networks of compromises hosts with rapidly changing DNS records and layers of proxy server redirection.

‘Honeynets: a tool for counterintelligence’ published by Elsevier’s Network Security magazine (David Watson – item #4).

Camouflaging Honeyd: A method for camouflaging honeyd has been released by Bryan Graham and Xinwen Fu: http://students.cs.tamu.edu/xinwenfu/honeyd_tamu/