UK Honeynet Project 

Jamie and myself from the UK Honeynet Project plus Max Kilger and Thorsten Holz from the UNCC and German Honeynet Project Chapters were in Amsterdam this week for the first workshop held by the European Commission’s 7th Framework WOMBAT project (see previous posts for more details).

The workshop was held at Vrije University south of the city centre and included members of the WOMBAT consortium and invited guests who were active in the fields of honeynet deployments, malware analysis and large scale data collection. Over two days we were introduced to the three year WOMBAT project, its goals and members and a number of short presentations were given by the invited guests from the EU, US, Asia and Australia. David spoke about the Honeynet Project’s various data collection initiatives, including the Global Distributed Honeynet Project (GDH), and Max spoke about attacker profiling models. The proceedings will be published in the journals of IEEE Computer Society later in the year and we’ll post them when we are able to.

Overall an interesting event with lots of opportunity for collaboration and information sharing that will hopefully come to fruition. Of particular interest was the honeyclient work that the Polish CERT NASK were involved in, which was remarkably similar to our own recent activity on Evil Javascript and SpamMonkey that I gave a lightning talk on at CanSecWest08 last month. Like us, they hope to release their code as open source in the coming weeks and months, so we are look forward to seeing it.

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.

I was in Vancouver last week as a backup speaker for CanSecWest08 . Once again, this was an good event, with plenty to keep me interested. It was also a great chance to catch up with Honeynet Project members, various friends in the security community and also to meet up with new people and exchange ideas. Kudos to Dragos for another excellent event, and also to Honeynet Project alumni Shane for winning the Pwn20wn contest for the second year in a row. Presentations should be on the web site shortly.

In the end, and for the first time ever, all the speakers made it to the event and I didn’t need to give a repeat performance of my PacSec07 GDH presentation. However, I did give a lightning talk entitled Evil Javascript and SpamMonkey that introduced a couple of projects the UK Honeynet Project team have been working on recently. You can find the slides here and hopefully we’ll be releasing the code and some sample results in the coming months.

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m please to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last! Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will include also client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool too.

A new release of Capture-HPC has been made available:

“The Honeynet Project (http://www.honeynet.org) and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington (http://www.mcs.vuw.ac.nz/) are excited to announce the release of Capture-HPC v2.1. Capture-HPC is an innovative security product that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from our web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.”

Improvements include better performance, increased data capture and a new client plug-in framework.

The full press release can be found here:

http://www.honeynet.org/press/honeynet-project-press-release-capture-hpc.pdf

The team over at Vrije University in Amsterdam (the location for the upcoming invite-only WOMBAT honeynet data sharing workshop) have released a new version of their Argos honeypot tool:

http://www.few.vu.nl/argos/

This interesting honeypot system uses dynamic taint analysis to track network data and identify unknown malware. So far we’ve only experimented with it, but it looks like a promising project and an ideal companion to Nepenthes based capture of known malware variants.

I was one of the attendees at the fourth ISOI workshop last week, which this time was held in sunny San Jose. Once again, the event had an interesting range of presentations and discussions, mostly focused around what system defenders could do now to make a difference to the continuing tide of cybercrime observed every day. There was also plenty of opportunity to catch up with people in the security community, and put faces to names, so thanks to Gadi and co for the continued invites. I also got a bit of time to hang out with various Honeynet Project people and some of the guys from Shadowserver, and hopefully we’ll see some interesting spin offs in the coming months. Being from the UK, the obligatory Silicon Valley geek tourism was also fun too.

The Honeynet Project have been invited to submit a paper to the upcoming invite-only Worldwide Observatory of Malicious Behaviors and Attack Threats (a href=”http://wombat-project.eu”>WOMBAT) honeynet workshop at Vrije University in Amsterdam on the 21st and 22nd of April. David and Jamie from the UKHP will be organising the Honeynet Project’s submissions, and we hope to have at least one presentation accepted for publication in the journal of the IEEE.

For more details see http://wombat-project.eu/2008/04/wombat-closed-workshop-april-2.html