The Spamhattan Project

11 Jan 2016 Jop van der Lelie

Let’s develop a next-gen spamtrap and create intel feeds for .NL

A growing number of criminals are spreading cryptoware in order to ‘make money’. Cryptoware is ransomware that secretly encrypts the files, such as documents and pictures, of innocent users; the criminals make money by selling the decryption key. Most cryptoware is spread via email. Anti-virus and anti-spam solutions have a hard time defending against these threats, and there are often no Indicators of Compromise (IoCs) that help detect infected devices at an early stage.

Improved logging capabilities of dionaea

14 Dec 2015 Stanislav Barta dionaea frontend honeypot

Hello,

Recently I made a fork of dionaea and DionaeaFR. The changes I made are related to remote logging to a relational database. The dionaea honeypot can now log remotely to a PostgreSQL database. In the DionaeaFR frontend I had to make some changes so that it could support reading data from PostgreSQL.

Links are github.com/GovCERT-CZ/dionaea and github.com/GovCERT-CZ/DionaeaFR.

I think that someone could use this, so I wrote this post.

Have a nice day,

Stanislav Bárta

GovCERT.CZ (member of Czech Chapter)

Frontends for shockpot and wordpot

04 Dec 2015 Stanislav Barta frontend honeypot shockpot wordpot

Hello,

Recently I published forks of shockpot and wordpot on GitHub.

These new versions include support for logging to a PostgreSQL database. I also created two frontends: one for shockpot, named Shockpot-Frontend, and a second for wordpot, named Wordpot-Frontend. Both frontends are based on the great tool Kippo-Graph. You can also find them on GitHub. Links are github.com/GovCERT-CZ/Shockpot-Frontend and github.com/GovCERT-CZ/Wordpot-Frontend.

These frontends require the honeypot data to be stored in a PostgreSQL database, and that’s why I made forks of those honeypots.

Revitalizing a Centralised Honeypot Framework

19 Nov 2015 Rogier Spoor framework-honeypot

Bringing the dead back to life

In early 2005 the SURFids Framework, later renamed SURFcert IDS, was developed (http://ids.surfnet.nl/wiki/doku.php). Its unique concept was a centralised detection approach based on honeypots, with decentralised sensors connecting back over OpenVPN. From a marketing perspective ‘IDS’ was chosen for the name, a popular term in that era. Many organisations worldwide have used this open-source framework; however, with the last code update in 2011, the project slowly died.

Conpot 0.5.0 released

13 Nov 2015 Lukas Rist conpot honeypot ics scada

The Conpot development team is proud to announce the 0.5.0 release. Highlights of this release are support for two new protocols and one additional device. Peter Soóky made a major contribution with support for the BACnet protocol, which is used for building automation and control networks, and for IPMI, which is used as an interface to a computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware and operating system (consider the insight you can gain from someone exploiting this). As mentioned in an earlier blog post, we also added support to emulate a Guardian AST device. This is based on the research of Kyle Wilhoit and Stephen Hilt.
Another goal of this release was to improve the ease of deployment. Therefore we added a Docker container template. Thanks to our contributors, we also have documentation on how to run Conpot on CentOS.
To avoid some easy fingerprinting, we added the feature to modify the MAC address of the interface Conpot is listening on. So now the vendor prefix (OUI) of your hardware address can match the manufacturer of the device you intend to emulate, instead of giving away the virtualisation platform or commodity NIC underneath.
As with every other release, we tried to improve our test coverage and code quality in order to increase the honeypot’s stability.
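To make concrete what emulating a protocol like BACnet involves, the following is an added example of the BACnet/IP discovery exchange that a scanner and an emulated device perform: the scanner broadcasts Who-Is, and the device answers with I-Am carrying its object identifier, maximum APDU size, segmentation support and vendor id. This is illustration code written for this page, not Conpot’s BACnet implementation. The device persona (instance 1234, vendor id 8, max APDU 1476) and the sample frames are constructed for the example; the frame layout follows BACnet/IP (Annex J), the NPDU header and the primitive tag encoding of the standard.

```python
"""Minimal BACnet/IP Who-Is / I-Am exchange, as a low-interaction ICS honeypot
has to emulate it. Added example; not Conpot's own code."""
import struct

BVLC_TYPE = 0x81                 # BACnet/IP (Annex J) frames start with this byte
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01
APDU_UNCONFIRMED_REQ = 0x10      # PDU type 1 in the high nibble
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8

# Persona of the emulated device. Assumed values for this example only.
DEVICE_INSTANCE = 1234
MAX_APDU = 1476
SEGMENTATION_NONE = 3
VENDOR_ID = 8                    # hypothetical vendor id, not a real assignment


def parse_npdu(data):
    """Skip the NPDU header and return the APDU that follows it.
    Handles the optional destination (bit 5) and source (bit 3) specifiers."""
    if len(data) < 2 or data[0] != NPDU_VERSION:
        raise ValueError("unsupported NPDU")
    control = data[1]
    if control & 0x80:
        raise ValueError("network layer message, no APDU")
    off = 2
    if control & 0x20:           # DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + data[off + 2]
    if control & 0x08:           # SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + data[off + 2]
    if control & 0x20:           # hop count is present whenever DNET is
        off += 1
    if off > len(data):
        raise ValueError("truncated NPDU")
    return data[off:]


def decode_primitive(buf, off):
    """Decode one tagged primitive value with a 1-4 byte length field.
    Returns (tag_number, is_context_specific, value, next_offset)."""
    b = buf[off]
    tag, ctx, length = b >> 4, bool(b & 0x08), b & 0x07
    if length == 0 or length > 4 or off + 1 + length > len(buf):
        raise ValueError("unsupported or truncated tag")
    return tag, ctx, int.from_bytes(buf[off + 1:off + 1 + length], "big"), off + 1 + length


def parse_who_is(packet):
    """Return (low, high) for a Who-Is with a range, (None, None) for an
    unbounded Who-Is, or None if the frame is not a well-formed Who-Is."""
    if len(packet) < 4 or packet[0] != BVLC_TYPE:
        return None
    func, length = packet[1], struct.unpack("!H", packet[2:4])[0]
    if func not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST) or length != len(packet):
        return None
    try:
        apdu = parse_npdu(packet[4:])
        if len(apdu) < 2 or apdu[0] & 0xF0 != APDU_UNCONFIRMED_REQ or apdu[1] != SERVICE_WHO_IS:
            return None
        if len(apdu) == 2:
            return (None, None)
        tag, ctx, low, off = decode_primitive(apdu, 2)      # context tag 0: low limit
        if tag != 0 or not ctx:
            return None
        tag, ctx, high, off = decode_primitive(apdu, off)   # context tag 1: high limit
        if tag != 1 or not ctx or off != len(apdu):
            return None
    except (ValueError, IndexError):
        return None
    return (low, high)


def build_i_am(instance=DEVICE_INSTANCE):
    """Encode an I-Am unconfirmed request announcing the emulated device."""
    object_id = (OBJECT_TYPE_DEVICE << 22) | (instance & 0x3FFFFF)
    apdu = bytes([APDU_UNCONFIRMED_REQ, SERVICE_I_AM])
    apdu += b"\xc4" + struct.pack("!I", object_id)   # app tag 12 (object id), length 4
    apdu += b"\x22" + struct.pack("!H", MAX_APDU)    # app tag 2 (unsigned), length 2
    apdu += bytes([0x91, SEGMENTATION_NONE])         # app tag 9 (enumerated), length 1
    apdu += bytes([0x21, VENDOR_ID])                 # app tag 2 (unsigned), length 1
    body = bytes([NPDU_VERSION, 0x00]) + apdu        # plain NPDU, no routing info
    return bytes([BVLC_TYPE, BVLC_ORIGINAL_UNICAST]) + struct.pack("!H", 4 + len(body)) + body


def parse_i_am(packet):
    """Scanner side: pull the advertised identity out of an I-Am frame."""
    apdu = parse_npdu(packet[4:])
    if apdu[0] & 0xF0 != APDU_UNCONFIRMED_REQ or apdu[1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    tag, _, object_id, off = decode_primitive(apdu, 2)
    if tag != 12 or object_id >> 22 != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am must carry a device object identifier")
    _, _, max_apdu, off = decode_primitive(apdu, off)
    _, _, segmentation, off = decode_primitive(apdu, off)
    _, _, vendor_id, _ = decode_primitive(apdu, off)
    return {"instance": object_id & 0x3FFFFF, "max_apdu": max_apdu,
            "segmentation": segmentation, "vendor_id": vendor_id}


def handle(packet, instance=DEVICE_INSTANCE):
    """Honeypot side: answer a Who-Is with I-Am, but only when our instance
    falls inside the requested range; a real device stays silent otherwise."""
    rng = parse_who_is(packet)
    if rng is None:
        return None
    low, high = rng
    if low is not None and not low <= instance <= high:
        return None
    return build_i_am(instance)


# Constructed sample frames (not captured traffic).
WHO_IS_ALL = bytes.fromhex("810b000c0120ffff00ff1008")                # broadcast, no range
WHO_IS_RANGE = bytes.fromhex("810b00120120ffff00ff10080a03e81a07d0")  # range 1000..2000
WHO_IS_MISS = bytes.fromhex("810a000c0100100809011964")               # unicast, range 1..100

if __name__ == "__main__":
    for name, frame in (("all", WHO_IS_ALL), ("range", WHO_IS_RANGE), ("miss", WHO_IS_MISS)):
        reply = handle(frame)
        print(name, parse_who_is(frame), None if reply is None else parse_i_am(reply))
```

The range check in handle is the kind of detail that separates a convincing emulation from an obvious one: a real controller does not answer a Who-Is whose instance range excludes it, and a scanner can probe exactly that. A real honeypot would bind a UDP socket on port 47808 and feed each datagram to handle; that part is left out so the logic runs offline.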

Cuckoo Sandbox meets Mac OS X

10 Nov 2015 Jurriaan Bremer

Posting this blogpost on behalf of Dmitry Rodionov.

Hi there! I’m Dmitry Rodionov and this summer I’ve been working on an OS X analyzer for Cuckoo Sandbox project.

Cuckoo Sandbox

First things first: what is Cuckoo Sandbox? Imagine a box you can put any suspicious program or script into and immediately receive a complete description of what this program is and what it does. Well, that’s Cuckoo!

Cuckoo launches every program in a separate virtual machine (a sandbox), so there is no risk of your own computer being infected with a virus or leaking private information.

Interview with our new CEO Andre Ludwig

22 Oct 2015 Leon van der Eijk meet-our-new-ceo-andre

1. Hello Andre and congratulations on getting the CEO job! Can you please tell us a bit more about yourself. What is your background, for instance?

Oh, where to start? I have been in the security field for the last 15 or so years, doing various things like running IT/security for small mortgage companies, being a pentester/audit consulting type, doing front-line IDS/IR work for large global infrastructure providers, as well as building custom detection systems and analysis tools for large commercial orgs. Beyond my work life I have been heavily involved in the security community as an individual as well as part of non-profits in the past. I have had a tremendous amount of fun participating in and instigating (in some cases) large botnet/malware interdiction efforts including Conficker, Koobface, Waledac, Storm, DNSChanger, and others. Those efforts were all exciting and amazing opportunities to work with others to figure out how those threats worked and come up with ideas on how to disrupt them while raising awareness of the threat they posed.

Gas Tank Monitoring System Honeypot

09 Sep 2015 Lukas Rist conpot honeypot ics

The Conpot team is closely following the latest developments in honeypot research and the methods and technologies used. If you look at the topics presented at security conferences, you might also have noticed an increased interest in ICS security and honeypot technologies in the last two years. One presentation from this year’s Black Hat 2015 conference caught my attention, not least because of the previous research by Kyle Wilhoit and Stephen Hilt: “The little pump gauge that could: Attacks against gas pump monitoring systems” [link]. If you are interested in their findings, I recommend their white paper “The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems” [link, pdf] by Kyle Wilhoit and Stephen Hilt from Trend Micro’s Forward-Looking Threat Research team.

Low Interaction Honeypots Revisited

06 Aug 2015 David Watson

TL;DR: Low interaction honeypots are designed to emulate vulnerable services and potentially detect attacks without exposing full operating system functionality. Although they have evolved in many ways over the past 15 years, understanding their limitations and sometimes inherent design weaknesses is important when you consider deploying them. Understanding the history of attempted honeypot detection and evasion allows system defenders to improve their continued use of honeypots and hopefully helps make all of our networks safer.