Archive for April, 2008

First WOMBAT workshop

Friday, April 25th, 2008

Jamie and myself from the UK Honeynet Project plus Max Kilger and Thorsten Holz from the UNCC and German Honeynet Project Chapters were in Amsterdam this week for the first workshop held by the European Commission’s 7th Framework WOMBAT project (see previous posts for more details).

The workshop was held at Vrije University south of the city centre and included members of the WOMBAT consortium and invited guests who were active in the fields of honeynet deployments, malware analysis and large scale data collection. Over two days we were introduced to the three year WOMBAT project, its goals and members and a number of short presentations were given by the invited guests from the EU, US, Asia and Australia. David spoke about the Honeynet Project’s various data collection initiatives, including the Global Distributed Honeynet Project (GDH), and Max spoke about attacker profiling models. The proceedings will be published in the journals of IEEE Computer Society later in the year and we’ll post them when we are able to.

Overall an interesting event with lots of opportunity for collaboration and information sharing that will hopefully come to fruition. Of particular interest was the honeyclient work that the Polish CERT NASK were involved in, which was remarkably similar to our own recent activity on Evil Javascript and SpamMonkey that I gave a lightning talk on at CanSecWest08 last month. Like us, they hope to release their code as open source in the coming weeks and months, so we are look forward to seeing it.

WOMBAT 2008 papers accepted

Friday, April 4th, 2008

We were happy to be informed that both papers submitted by The Honeynet Project to the upcoming WOMBAT honeynet workshop in Amsterdam this month have been accepted. Max Kilger and Tom Holt from the UNCC Honeynet Project Chapter will be presenting a paper on Techcrafters and Makecrafters: A Comparison of Two Populations of Hackers and I will be presenting Honeynet Project: Data Collection and Data Analysis (with Jamie also attending). We’ll post the paper here once it has completed the review and the IEEE pre-publication process.


Thursday, April 3rd, 2008

I was in Vancouver last week as a backup speaker for CanSecWest08 . Once again, this was an good event, with plenty to keep me interested. It was also a great chance to catch up with Honeynet Project members, various friends in the security community and also to meet up with new people and exchange ideas. Kudos to Dragos for another excellent event, and also to Honeynet Project alumni Shane for winning the Pwn20wn contest for the second year in a row. Presentations should be on the web site shortly.

In the end, and for the first time ever, all the speakers made it to the event and I didn’t need to give a repeat performance of my PacSec07 GDH presentation. However, I did give a lightning talk entitled Evil Javascript and SpamMonkey that introduced a couple of projects the UK Honeynet Project team have been working on recently. You can find the slides here and hopefully we’ll be releasing the code and some sample results in the coming months.

Global Distributed Honeynet (GDH) Phase Two starting

Wednesday, April 2nd, 2008

After doing a lot of work leading phase one of The Honeynet Project’s Global Distributed Honeynet (GDH) last year, I’m please to announce that internal development has begun on GDH Phase Two today. Initially this will result in new public Honeywall releases (version 1.4 this month integrates a second generation of our Hflow data fusion tool, followed by version 1.5 which will hopefully support attacker source IP to keystroke mapping in all Sebek related tools at last! Hopefully the three month kick start phase will be extended throughout 2008 and we’ll be releasing lots of interesting research data once an expanded global sensor network is operational. GDH Phase Two will include also client honeypots (based on Capture-HPC) and should also see some long overdue improvements to our Honeysnap reporting tool too.