Over the last few weeks I’ve basically rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: It only works for Windows Vista and later systems. As a consequence, there are now two flavors of Ghost in existence: One supports Windows XP but won’t receive much further development, whereas a lot of interesting new features will be implemented for the other one, which is dedicated to Vista and later. In this post, I’m going to explain the reasoning behind the decision, describe the recent technical advances and outline some of our plans for the future.

This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012.), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk.”) Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined “new approach” of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate “rules of engagement,” principle-based ethical justifications of any type beyond basic “right of self-defense” arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin’s own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.

ORGANIZATION

Active members: - Sébastien Tricaud - Guillaume Arcas - Anthony Desnos - Franck Guénichot - François-René Hamelin - Christophe Grenier

DEPLOYMENTS We have following technologies deployed:

- Kippo on honeycloud. Goal of this deployment is to provide a centralized instance of Kippo & share findings, logs, collected data. - HoneyProxy on honeycloud. - Honeeebox

RESEARCH AND DEVELOPMENT

* New tools => HoneyProxy as part of GSoC 2012. => FAUP (formerly furl) => OpenNormalizer => PhotoRec/TestDisk => A.R.E. / AndroGuard

The UK Chapter’s annual status report for 2011/2012 has been published at http://www.ukhoneynet.org/2012/12/04/uk-honeynet-project-chapter-annual-status-report-for-20112012/.

ENISA (The European Network and Information Security Agency) under the leadership of CERT Polska has published report on honeypots. Its a hands-on guide on the various honeypot technologies out there looking at various operational aspects, such as extensibility, reliability, ease of deployment, etc. If you are considering running a honeypot, this is a must read! Check it out at http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks. Great job, ENISA!

2013 HONEYNET PROJECT ANNUAL WORKSHOP
10-12 FEBRUARY 2013 IN DUBAI, UAE

DUBAI, 26 NOV 2012: This three-day event features an exceptional collection of international security professionals presenting the latest research tools and findings in malware analysis. The twelfth annual workshop will be held at The Address Dubai Mall Hotel on the 10th through 12th of February, 2013, with sponsorship and support from the UAE Honeynet Project chapter, United Arab Emirates Computer Emergency Response Team (aeCERT), and the Pakistan Honeynet Project chapter. The workshop includes one full day of briefings and two full days of hands-on tutorial trainings. Founded in 1999, The Honeynet Project is a non-profit international research organization dedicated to improving the security of the Internet at no cost to the public.

ORGANIZATION

• Faiz Ahmad Shuja is founder and chapter lead of Pakistan Chapter and an active member since 2003. He is responsible for the management and maintenance of HP infrastructure as Chief Infrastructure Officer.

• Muhammad Omar Khan is an active member and assists in various Honeynet deployment efforts.

• Rehan Ahmed is our active member. He assists in the management of Pakistan chapter and HP infrastructure.

• Omar Khan has been involved in attacks analyses and reporting.

ORGANIZATION
• Brian Hay (Chapter Lead, Full Member)
• Kara Nance (BoD Member, Full Member)
• Chris Hecker
• Clark Harshbarger
• Matt Bishop
• Wesley McGrew
• Lucas McDaniel

DEPLOYMENTS
• 1 Honeeebox in Alaska
• Purchased multiple other Honeeeboxes available for third party deployments
• Periodic Dionaea deployments in both public and private clouds for student and demonstration use.

RESEARCH AND DEVELOPMENT

1. Ongoing development of hypervisor-based honeypot monitoring using virtual machine introspection (VMI) on Xen and KVM platforms.
2. Tools for deployment and management of virtual machines

ORGANIZATION
Ahmad Alajail – Chapter Lead
Ahmad Hassan – Member
Anastasios Monachos - New Member
Andrew Marrington – New Member
Majid Al Ali - Member

DEPLOYMENTS
we have successfully change all of our distributed Honeypots from Nepenthes to Dionaea and upgrade our honeypharm with reporting mechanism and the additional information received from Dionaea.

RESEARCH AND DEVELOPMENT
As we reached end of 2012 we managed to upgrade our research lab with new hardware’s that can be used for the new projects. Currently we are looking into Glastop and Spampot and the changes that might be required to utilize the output result/findings.

ORGANIZATION Last year our chapter membership has gone through several changes: some members moved to new places and new positions and are no longer a part of the honeynet chapter, while others (Natalia Stakhanova) came back.

Our current members include Ali Ghorbani, Natalia Stakhanova, Hadi Shiravi (Unversity of New Brunswick) and Sami Guirguis (Toronto).

DEPLOYMENTS

We currently have deployed a cluster of server honeypots and SGNET sensor. Both are primarily used for capturing botnet network traffic.