Program Agenda
- The Honeynet Project reserves the right to cancel and reschedule the program agenda.
- The Security Workshop is in English only.
- Accommodation is not covered by the registration fee.
- Lunch will be provided.
Presentation Abstract:
Overview of Recent Honeynet Research and Development, David Watson
A quick high-level introduction to recent honeynet R&D activities over the past years, including GSoC and significant tool and whitepaper releases, plus future research directions for 2012.
The Future of Honeypots, Jose Nazario
After decades in research obscurity, honeypots became widely visible in the late 1990s largely through the work of early Honeynet Project members. Now in 2012, honeypots have evolved into a diverse array of standard research tools. This talk will provide a wide overview of the honeypot world, giving insights into their usage, the types of data they provide, and how they can evolve into even more powerful tools for network defenders.
Speaker Bio:
Dr. Jose Nazario is the senior manager of security research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's platforms via the Active Threat Feed (ATF) and the ATLAS Intelligence Feed (AIF) threat detection services. Dr. Nazario is also heavily involved in the Internet security community, including efforts such as the Conficker Working Group, the FIRST community, and many more efforts. He serves on the boards of the Honeynet Project, the Open Infosec Foundation, and the Cyber Conflict Studies Association.
Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant.
Feasible Solution for the Web Threat Jigsaw, Lukas Rist
Web sites are today's biggest and most vulnerable attack surface. A single compromised page can give you a lot of bang for your bugs. Learning from expensive breaches was never feasible. We will explain how to use Honeypot, Sandbox and Botnet monitoring technology to gain information about current threats which ultimately helps us to find vulnerabilities before they get exploited, insight into the malware distribution network and the botnets used for mass exploitation.
Speaker Bio:
Lukas Rist is an Internet security enthusiast, member of The Honeynet Project, Math and Physics student, spare-time web application and instant messaging honeypot developer, and currently knee-deep in data fragment classification.
Thug: a new low-interaction honeyclient, Angelo Dell'Aera
The number of client-side attacks has grown significantly in the past few years, shifting focus onto poorly protected, vulnerable clients. Just as the best-known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and to be exploited by an attacker's content. The talk will describe the theoretical and practical steps required to design and realize a low-interaction honeyclient. During the talk, a new Honeynet Project low-interaction honeyclient (project name "Thug"), aimed at mimicking the behavior of a web browser, will be publicly presented and released.
Speaker Bio:
Angelo Dell'Aera is currently employed at Security Reply, a security service provider located in Italy, working in the Early Warning Team as Senior Threat Analyst. He also leads the Sysenter Honeynet Project Chapter, and his interests are mainly related to botnet tracking, honeyclient technologies and malware analysis. Angelo started working as an independent researcher in networking and security in 1998, focusing on both attack and defense techniques, mainly on *NIX platforms. Meanwhile he worked as a researcher at Politecnico di Bari until June 2004, where his main research topic was TCP congestion control algorithms. His research led to the design of the TCP Westwood+ algorithm and the implementation of its support in the official Linux kernel.
Countering the removable device threat with USB honeypots (Invited Talk), Sebastian Poeplau
Most honeypots require malware to fulfill certain criteria in order to capture it. An SSH honeypot, for example, targets malware that attacks SSH servers; an HTTP client honeypot aims at malware that is distributed by web servers. However, it is almost always required that the targeted malware somehow spread via computer networks. And here the problem arises. Examples such as Conficker and Stuxnet, among others, have shown that it is possible - in some cases even necessary - for malware to spread via another medium: they propagate on USB sticks, completely independent of any network. Our honeypots are hardly able to detect such malware if it does not use networks as well. So what to do? In the talk we will discuss the concept of a honeypot that focuses on such USB malware - malware that propagates via USB storage devices - and find a way to detect the malware without any further knowledge. We will outline the idea and take a look at its implementation.
Protecting the Social Graph, Roger Chen
Popular Internet sites are under attack all the time from phishers, fraudsters, and spammers. They aim to steal user information and expose users to unwanted spam. The attackers have vast resources at their disposal. They are well-funded, with full-time skilled labor, control over compromised and infected accounts, and access to global botnets. Protecting our users is a challenging adversarial learning problem with extreme scale and load requirements. Over the past several years we have built and deployed a coherent, scalable, and extensible realtime system to protect our users and the social graph. This talk outlines the design of the Facebook Immune System, the challenges we have faced and overcome, and the challenges we continue to face.
Social Authentication, Alex Rice
Passwords suck. Security questions are a joke. Two-factor? Hah. Web authentication is frustratingly broken. Over the past year, Facebook engineers have been experimenting with various attempts to supplement "Something you know" with "Someone you know". A year of iteration and usage by millions of real world users has taught us a great deal about this new approach to authentication. This talk will demonstrate the implementations we've come up with and share much of what we've learned along the way: where it works, where it doesn't, and where it falls apart spectacularly.
Examining Attacker Behavior On and Off-Line Using Social Science Research, Thomas J. Holt
The range of threats facing computer users and critical infrastructure is complex and continuously evolving. Attacks vary based on the target and the skill level of the actor, ranging from publicly accessible malware that can be purchased on the open market to unique zero-day exploits created for a specific attack. Attackers also have varied motivations, ranging from monetary gain to political ideology. Though technical explorations provide insight into how to defend against these crimes, there is still a great deal that is unknown about the social world of hackers. This talk will provide an exploration of the motives, social structures, and dynamics that facilitate computer attacks around the world, using real-world examples. The presentation will examine the disparate on-line communities involved in the theft and sale of stolen data and malware, as well as the social networks and organizational composition of the marketplace. We will also discuss unique tools designed to automate the analysis and examination of these communities. In addition, we will present the findings from an international study of the factors that predict participation in politically motivated attacks against critical infrastructure and government targets. The findings will give unique insights into the role of patriotism, technological skill, and hacking in various forms of political attacks. In turn, this presentation will benefit computer security professionals, law enforcement, and the intelligence community by identifying the social dynamics that shape the hacker and attacker community across the globe.
Speaker bio:
Thomas J. Holt is an Associate Professor in the School of Criminal Justice at Michigan State University. He received his Ph.D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. His research focuses on computer hacking, malware, and the role that technology and computer-mediated communications play in facilitating all manner of crime and deviance. Dr. Holt has been published in numerous academic journals, including Crime and Delinquency, Deviant Behavior, and the Journal of Criminal Justice; he is a co-author of the book Digital Crime and Digital Terror, editor of the text Cybercrime: Causes, Correlates, and Context, and co-editor of the forthcoming book Corporate Hacking and Technology-Driven Crime. He is also the recipient of two grants from the U.S. National Institute of Justice to examine the market for malicious software and the social dynamics of carders and data thieves in on-line markets. Additionally, Dr. Holt is the project lead for the Spartan Devils Chapter of the Honeynet Project, and directs the MSU Open Source Research Laboratory, dedicated to exploring the landscape of cyberthreats around the globe through on-line research.
Open Source Intelligence Gathering: Know your enemy without them knowing you, Matt Erasmus
The presentation will cover a couple of freely available tools to gather more information on key data elements we see in the Honeynet Project work. It will focus on finding more information about possible attackers without actually making connections to remote systems. I will show how it's very easy to pull a lot of useful information very quickly that will help with investigations into possibly malicious attackers.
Speaker Bio:
Matt Erasmus works as a security consultant to one of the Big Four auditing firms. In his spare time he likes to wrangle malware and learn new ways to break computers and networks. He heads up the South African chapter of the Honeynet Project with Barry Irwin.
Android application plagiarism, Anthony Desnos
This talk deals with Android application plagiarism. The Android system is now widespread, and many applications are developed every day. These applications are mostly written in Java, though it is now possible to make calls to native binaries or shared libraries. To be executed on the DVM (Dalvik Virtual Machine), the Java source code (.java files) is compiled into Java bytecode (.class files) and then a tool named `dx` is used to convert them into the DVM (or Dex) format (the .dex files). Due to the nature of the bytecode, reversing it is somewhat easier than reversing machine code. Moreover, the licensing and signing system can't stop malicious actors from taking an application from an official or unofficial market, modifying it, and spreading the modified application on a different market. Most of the time, the application has been patched to remove security features, to add malware, or simply to add advertising in order to make money. For Android developers this is a real threat, because they have no means to detect such pirated applications or to check how their application differs from the pirated one. We will present open source tools (based on Normalized Compression Distance) available to Android developers and computer security researchers, which can be used to detect whether an application has been pirated by someone else, to evaluate Android obfuscators, or to automatically extract injected code. Furthermore, it is possible to diff Android applications to see exactly which instructions have been changed.
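To make the Normalized Compression Distance idea from the abstract concrete, here is an added example (not code from the talk or from Androguard) that scores a constructed stand-in for a method's Dalvik instruction stream against a "pirated" copy (licence check patched out, ad-loading code appended) and against an unrelated method. The opcode sequences, the `fake_method` generator and the 0.5 threshold are constructed assumptions for the demonstration.

```python
import random
import zlib


def compressed_size(data: bytes) -> int:
    """C(x): length of x after deflate, the compressor standing in for Kolmogorov complexity."""
    return len(zlib.compress(data, 9))


def ncd(x: bytes, y: bytes) -> float:
    """Normalized Compression Distance: (C(xy) - min(C(x), C(y))) / max(C(x), C(y)).

    Near 0 means y is almost fully 'explained' by x (a copy, possibly lightly patched);
    near 1 means the two share no compressible structure. Values slightly above 1 occur.
    """
    cx, cy, cxy = compressed_size(x), compressed_size(y), compressed_size(x + y)
    return (cxy - min(cx, cy)) / max(cx, cy)


# Constructed stand-in for a method body: a sequence of Dalvik opcode mnemonics.
OPCODES = ["invoke-virtual", "move-result", "if-eqz", "const-string",
           "iget-object", "return-void", "new-instance", "goto"]


def fake_method(seed: int, length: int = 500) -> bytes:
    """Deterministic pseudo-random instruction stream (assumption: a real tool would
    feed the actual Dalvik opcodes of each method, as the abstract describes)."""
    rng = random.Random(seed)
    return "\n".join(rng.choice(OPCODES) for _ in range(length)).encode()


ORIGINAL = fake_method(seed=1)
# "Pirated" build: the first three conditional branches (a licence check) are
# replaced by nop and an ad-loading call is injected at the end.
PIRATED = (ORIGINAL.replace(b"if-eqz", b"nop", 3)
           + b"\ninvoke-static Lcom/ads/Show;->load()V" * 5)
UNRELATED = fake_method(seed=2)


def looks_like_copy(candidate: bytes, reference: bytes, threshold: float = 0.5) -> bool:
    """Flag candidate as a (possibly modified) copy of reference when NCD is below threshold."""
    return ncd(candidate, reference) < threshold


if __name__ == "__main__":
    print("self      ", round(ncd(ORIGINAL, ORIGINAL), 3))
    print("pirated   ", round(ncd(ORIGINAL, PIRATED), 3))
    print("unrelated ", round(ncd(ORIGINAL, UNRELATED), 3))
```

The same distance applied per method, rather than per whole file, is what lets a diffing tool point at exactly which methods were altered or injected.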
Speaker Bio:
Anthony Desnos was involved in open source security projects such as ERESI (reverse engineering software) and draugr (live memory forensics on Linux). He is now the author or co-author of a number of open source security projects about Android applications, including Androguard (static analysis), DroidBox (dynamic analysis) and ARE (a virtual machine for Android reverse engineering). He is also the maintainer of an open source database of Android malware (signatures, plus an engine to detect malware).
He has spoken at various computer security conferences on different topics, including Black Hat and hack.lu, and is an active member of the Honeynet Project.
Android: The Most Secure Mobile Platform, Ryan Smith
Android has enjoyed a rapid rise to the top of the mobile platform leaders, and anyone worth their hash salt knows that malware authors have taken full advantage of the popularity and openness of the platform. It is the presenter’s belief that these security issues with the Android platform and applications are opportunities rather than weaknesses, and that the security community is more than capable of rising to the challenge. Openness provides opportunities for attackers and defenders alike, and it’s time for defenders to regain the upper ground by leveraging this openness. This talk will present the current state of affairs in Android security, the nature and scope of the challenges, and highlight successful Android security projects that have addressed some of these concerns. Finally, this presentation will conclude with a “call-to-action” to make Android the most secure mobile platform, as well as the most popular.
The 2012 Honeynet Project Security Workshop is sponsored by: