SSH honeypot workshop Bsides London 2013

17 Jan 2013 Leon van der Eijk kippo-ssh-honeypot workshop

At the last BruCON conference in Ghent last year I had the pleasure to talk to Soraya (Iggi), Bsides London co-organizer. She convinced me into submitting a workshop proposal for the Bsides London 2013.

And guess what, it got accepted.

So I will be doing a workshop on setting up a basic kippo SSH honeypot by Upi Tamminen (http://code.google.com/p/kippo/) and, if time permits, using Ioannis Koniaris's (Ion) kippo visualization tool kippo-graph (http://bruteforce.gr/kippo-graph).

Bsides London will be held on April 24th 2013 at Kensington and Chelsea Town Hall.

The Ethics of Social Honeypots

29 Dec 2012 David Dittrich botnets ethics honeypots irb social-honeypots social-networks the-menlo-report

For the last few years, I have been participating in a Department of Homeland Security sponsored effort to develop principles and applications for the evaluation of information and communication technology (ICT) research. If you are not familiar with the Menlo Report, you can find a description in Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. The Menlo Report. Security & Privacy, IEEE, 10(2):71–75, March/April 2012.

I and two of my Menlo colleagues – Wendy Vischer and Erin Kenneally – recently taught a didactic course at the PRIM&R Advancing Ethical Research conference in San Diego. (PRIM&R is the conference for Institutional Review Board, or IRB, professionals, with the annual AER conference having thousands of attendees). Our course primarily described the Menlo Report process to date, but we concluded with a mock IRB committee review of a fictional proposed research project in which researchers develop countermeasures to malicious botnets in social network platforms like Facebook using a combination of deception to build a social network of over 1 million users and to then use “good bots” that infiltrate the “bad bots”. (Just so you know, I have been an affiliated scientist full member on one of the University of Washington’s IRB committees since 2009. I lend my expertise in data security to investigators in designing their research protocols and in committee discussions of research studies associated with the UW. I highly encourage other computer security researchers to do the same for their local research institutions with IRBs.)

ENISA publishes report on honeypots

28 Nov 2012 Christian Seifert

ENISA (the European Network and Information Security Agency), under the leadership of CERT Polska, has published a report on honeypots. It's a hands-on guide to the various honeypot technologies out there, looking at operational aspects such as extensibility, reliability, ease of deployment, etc. If you are considering running a honeypot, this is a must read! Check it out at http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks. Great job, ENISA!

6Guard: a honeypot-based IPv6 attack detector

27 Aug 2012 Xu Weilin 6guard attack detect globalpot honeypot ipv6-d51

6Guard is a honeypot-based IPv6 attack detector aimed at detecting link-local level attacks, especially when the port-mirror feature of the switch is unavailable.

Installation

    1. Download and install Scapy on your machine. (apt-get install python-scapy)
    2. Download the v1.0 tarball directly or the latest code from the Github Repository, then extract it into a directory.

Usage

    1. Enter the directory of 6Guard.
    2. Run $ sudo ./conf_generator.py to generate the configuration files.
    3. Run $ sudo ./6guard.py.

Note: The ./conf directory stores the configuration files of the honeypots and the globalpot. The ./log directory stores the operation logs and the attacking records. The ./pcap directory stores the message-related packets that can be reviewed in Wireshark.
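As an added illustration of the link-local attack class a segment honeypot like 6Guard can observe (this is not 6Guard's own code, and rogue Router Advertisements are my choice of example), the snippet below parses an ICMPv6 Router Advertisement from a raw Ethernet frame and flags RAs from an unknown router, with an unexpected prefix, or violating the RFC 4861 hop-limit and link-local source rules. The allow-list of the legitimate router and prefix, and the sample frames, are constructed here.

```python
import ipaddress
import struct

ETHERTYPE_IPV6, NH_ICMPV6, ICMPV6_RA, ND_OPT_PREFIX = 0x86DD, 58, 134, 3

def build_ra_frame(src_mac, src_ip, prefix, hop_limit=255):
    """Construct a sample Ethernet/IPv6/ICMPv6 Router Advertisement frame (checksum left zero)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", ND_OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)  # Prefix Info option
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + opt + net.network_address.packed
    ip6 = (struct.pack("!IHBB", 0x60000000, len(ra), NH_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + ra

def parse_ra(frame):
    """Return (src_mac, src_ip, hop_limit, prefixes) if frame is an ICMPv6 RA, else None."""
    if (len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6
            or frame[20] != NH_ICMPV6 or frame[54] != ICMPV6_RA):   # ethertype, next header, ICMPv6 type
        return None
    src_mac, hop_limit = frame[6:12].hex(":"), frame[21]
    src_ip = str(ipaddress.IPv6Address(frame[22:38]))
    prefixes, pos = [], 70                                   # ND options follow the 16-byte RA header
    while pos + 2 <= len(frame) and frame[pos + 1]:          # a zero-length option is malformed: stop
        otype, olen = frame[pos], frame[pos + 1]
        if otype == ND_OPT_PREFIX and olen == 4 and pos + 32 <= len(frame):
            prefixes.append(f"{ipaddress.IPv6Address(frame[pos + 16:pos + 32])}/{frame[pos + 2]}")
        pos += olen * 8
    return src_mac, src_ip, hop_limit, prefixes

def check_ra(frame, trusted_routers, trusted_prefixes):
    """Compare an RA against the allow-list; returns a list of findings (empty means it looks legitimate)."""
    ra = parse_ra(frame)
    if ra is None:
        return []
    src_mac, src_ip, hop_limit, prefixes = ra
    findings = []
    if hop_limit != 255:
        findings.append(f"hop limit {hop_limit} != 255 (RFC 4861 requires 255 for RAs)")
    if not ipaddress.IPv6Address(src_ip).is_link_local:
        findings.append(f"RA source {src_ip} is not a link-local address")
    if trusted_routers.get(src_mac) != src_ip:
        findings.append(f"RA from unknown router {src_mac} ({src_ip})")
    findings += [f"unexpected prefix {p} advertised" for p in prefixes if p not in trusted_prefixes]
    return findings

TRUSTED_ROUTERS = {"00:11:22:33:44:55": "fe80::211:22ff:fe33:4455"}   # assumed allow-list (constructed)
TRUSTED_PREFIXES = {"2001:db8:1::/64"}                                 # documentation prefix (constructed)
LEGIT = build_ra_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", "2001:db8:1::/64")
ROGUE = build_ra_frame("de:ad:be:ef:00:01", "fe80::dead:beef:0:1", "2001:db8:bad::/64")
```

In a real deployment the frames would come from a raw socket or Scapy sniffer on the honeypot's interface, and each finding would be written to the log directory alongside the offending packet.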

Ghost USB honeypot released

14 Jun 2012 Sebastian Poeplau ghost usb

I’m very pleased to announce that we have released the first public version of the Ghost USB honeypot.

Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge; in particular, it doesn't need signatures or the like to accomplish its task.

Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device.

GSoC2011-THP Project 1 - Improve our high interaction client honeypot Capture-HPC

05 May 2011 Youzhi Bao capture-hpc gsoc

Project Description: Proposed Capture-HPC Description

Capture-HPC is a high-interaction client honeypot that is capable of seeking out and identifying client-side attacks. It identifies these attacks by driving a vulnerable client to open a file or interact with a potentially malicious server. As it processes the data, Capture-HPC monitors the system for unauthorized state changes that indicate a successful attack has occurred. It is regularly used in surveys of malicious websites that launch drive-by-download attacks.

New version of honeypot monitoring tool Qebek available

01 Jan 2011 Christian Seifert qebek

Folks, Chengyu Song has been busy the last few weeks and made some upgrades to the honeypot monitoring tool Qebek. He has ported it from QEMU 0.9.1 to QEMU 0.13.0. As a result, Qebek's performance (boot time) is better and it no longer requires gcc 3.4. You can check it out with:

svn co https://projects.honeynet.org/svn/sebek/virtualization/qebek/trunk/

If you don’t know what Qebek is or how to use it, take a look at our whitepaper at https://honeynet.org/papers/KYT_qebek.

Announcing the publication of Know Your Tools: Glastopf - A dynamic, low-interaction web application honeypot

15 Nov 2010 Christian Seifert Lukas Rist kye kyt paper publication

Folks, I am very pleased to announce the publication of our Know Your Tools paper: Glastopf - A dynamic, low-interaction web application honeypot, authored by Lukas Rist of the Chicago Honeynet Project Chapter and Sven Vetsch, Marcel Kossin, and Michael Mauer.

The paper is available from https://honeynet.org/papers/KYT_glastopf.

Paper abstract

Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites to be compromised, as this can result in serving malicious content to customers, or leaking customers' data. Whether the particular web application is part of a company's website, or a personal web page, there are certain characteristics common to all web applications. Most people trust in the reliability of web applications, and they are often hosted on powerful servers with high-bandwidth connections to the Internet. Considering the large number of attacks and knowing the potential consequences of successful break-ins, we decided to put a bit more effort into the development of honeypots to better understand these attacks.

Confusion About Honeypots

28 Jun 2009 Lance Spitzner

Honeypots have been actively used by the security community for over ten years now. They are used for a variety of purposes, but nowadays primarily for information gathering. When honeypots were first being used they generated a great deal of discussion about the legal issues. However, through the years this debate has died down, with most organizations feeling these issues are minor. I just wanted to share an update on these thoughts.

Honeybrid: combining low and high interaction honeypots

27 May 2009 Robin Berthier gsoc honeybrid

The goal of this post is to introduce myself and my project: my name is Robin Berthier and I just got my PhD from the University of Maryland. I'll be working this summer on improving Honeybrid, a hybrid honeypot architecture. I've been working with honeypot technologies for the past 4 years, and Honeybrid represents a central part of my dissertation.

Honeypots are usually divided into two categories according to the level of interaction they provide to attackers. First, we have low interaction honeypots that emulate network services and collect the beginning of attack processes. And then we have high interaction honeypots that are identical to production machines and collect detailed information about attacks. These two types of honeypot offer complementary advantages and limitations. The goal of Honeybrid is to combine the best of both worlds. As such, Honeybrid is a hybrid honeypot solution.