Chicago Chapter Status Report For 2009 and 2010

ORGANIZATION

  1. Changes in the structure of your organization.
    Lukas Rist joined the chapter at the end of 2009.
  2. List current chapter members and their activities.
    • Lance Spitzner, director
    • Paul Neff
    • Michael A. Davis
    • Jose Nazario, director and chairman of the board
    • Ryan McGeehan
    • Lukas Rist

DEPLOYMENTS

  1. List current technologies deployed.
    Several instances of Glastopf, deployed to collect mostly automated attacks against web applications. The collected data is stored in a central database.
  2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
    Besides the classic web attacks such as RFI, LFI and SQLi, we see attacks specific to content management systems, for example XML/PHP injection via POST requests.

RESEARCH AND DEVELOPMENT

  1. List any new tools, projects or ideas you are currently researching or developing.
    • Paul Neff is researching tools and techniques used for corporate account takeover fraud, and related fraud activity.
    • Lukas Rist is working on a “Web Shell Honeypot” as an extension to Glastopf.
    • Lukas is working on an automated environment to analyze injected code collected by web application honeypots.
    • Lukas developed a PoC of an APK crawler based on search engine results.
    • Lukas helped Mark Schloesser to develop the HPFeed system.
  2. List tools you enhanced during the last year.
    • GSoC 2009: Lukas improved Glastopf, a web application honeypot.
    • GSoC 2010: Lukas worked on an instant messaging honeypot, IMHoneypot.
  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
  4. Explain what kind of help or tools or collaboration you are interested in.

FINDINGS

  1. Highlight any unique findings, attacks, tools, or methods.
  2. Any trends seen in the past year?
  3. What are you using for data analysis?
    Mostly CALC and endless SQL queries.
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?

PAPERS AND PRESENTATIONS

  1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and a link (if possible).
    • "WebPatrol: automated collection and replay of web-based malware scenarios", by Kevin Zhijie Chen, Guofei Gu, Jianwei Zhuge, Jose Nazario and Xinhui Han, in ASIACCS '11 Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security.
    • “Know Your Tools: Glastopf - A dynamic, low-interaction web application honeypot”, by Lukas Rist, Sven Vetsch, Marcel Koßin and Michael Mauer.
  2. Are you looking for any data or people to help with your papers?
  3. Where did you present honeypot-related material? (selected publications)
    • “A Tour of the Threat Landscape: Attacks and scammers” at the 2011 International Conference on E-Commerce Security in Taipei, Taiwan.
    • Malcode & Threat Analysis training at Hack in the Box Kuala Lumpur 2010.
    • “Glastopf: Developing a web application honeypot” at inBot'10.
    • “Glastopf - Looking for trouble” at the Honeynet Project Security Workshop 2011.
    • HPFeeds, in cooperation with Mark, at the Honeynet Project Security Workshop 2011.

GOALS

  1. Which of your goals did you meet for the past year?
  2. Goals for the next year.

MISC ACTIVITIES

Jose Nazario is active in the MITRE MAEC working group, and the IDXWG (working to extend and define incident detection formats).

MENTORING

  • GSoC 2010: Jose mentored two students, Huilin Zhang and Neha Jain, who worked on PhoneyC.
  • GSoC 2011: Lukas is helping as a GSoC administrator.