Honeynor 2013 - The Norwegian Chapter status report for 2013

Norwegian Honeynet Chapter - Status Report For 2013

ORGANIZATION:

Existing members:
Sjur Eivind Usken - Chapter Lead
Einar Oftedal
Lukas Rist
Johnny Vestergaard
Phani Vadrevu
Erlend Oftedal

New members:
Daniel Haslinger - Security researcher from Austria
Aniket Panse - Successful GSoC student

Alumni:
Tor Inge Skaar - Busy changing diapers

DEPLOYMENTS:

A list of tools deployed by the Norwegian Honeynet Chapter:
Glastopf - Web application honeypot
Conpot - ICS/SCADA honeypot

RESEARCH AND DEVELOPMENT:

Lukas, Johnny and Daniel started working on Conpot, an ICS honeypot, in March 2013. Since then we have built a working tool and a productive team. More information is available in our GitHub repository: https://github.com/glastopf/conpot

The Glastopf project (https://github.com/glastopf/glastopf) was extended with libinjection (https://github.com/client9/libinjection), which is incredibly good and efficient at detecting SQL injections.

Sjur has been busy with the honeycloud, a server park across several hosting sites which serves the whole Honeynet Project. Members can get free virtual servers.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS:

List items related and relevant to The Honeynet Project. If someone from your chapter attended the 2013 workshop in Dubai, please list them. No entry without link to PDF, slides or video.

Sjur presented the Honeynet Project (1-hour presentation) to a closed security group in Rogaland, Norway. Sjur used David Watson's mega presentation with all tools, but did not go into details on all of the 500 slides.

Daniel presented Conpot at the ITSeCX (“IT Security Community Exchange”), a security conference in Austria. He also ran a project desk (“Assembly”) presenting Conpot and offering workshops at the 30th Chaos Communication Congress (a congress with >9000 visitors held by the Chaos Computer Club) in Germany.
ITSeCX Slides: http://itsecx.fhstp.ac.at/wp-content/uploads/2013/11/power_plant.pdf
30c3 Assembly: https://events.ccc.de/congress/2013/wiki/Assembly:Cypherpunk.at
Lukas presented Conpot at Congreso Seguridad en Cómputo 2013 in Mexico City, including a 4-hour training.

GOALS:

Honeycloud: We expanded the Honeycloud drastically and added more redundancy on key elements of the virtualization platform. Continue running it…
Conpot: Add more supported protocols and PLC CPU emulation. Instance templates covering a wide range of ICS vendors. Update system for existing deployments. Continue working on STIX and TAXII support which could integrate with the MANTIS Threat Intelligence Management Framework. Investigate the possibilities to distribute Conpot as a Raspberry Pi appliance.
Bumblebee: A project initiated by Daniel, providing a way of deploying “thin” sensors on ultra-cheap instances, targeting a range from novice users to professionals. Will probably be released in mid-2014.
Glastopf: Better support for custom templates. Investigating the detection of XSS using the libinjection library.

MISC:

Chapter web page: http://www.honeynor.no/