15:01, January 4th, 2008 by arthur
There’s a new (beta) release of the Honeynet Project’s “Honeywall” CDROM out. This release (1.3b) fixes some bugs but the main change is a move from the no longer supported Fedora Core 6 platform to CentOS 5. This should give us less work keeping the base platform up to date and more time to work on adding cool new features 🙂
We’re also moving to a more open development model for the CDROM. Although it’s always been GPL’d, the development process has been closed and it’s been hard for outsiders to add features/hack code. I’m pleased to say that that’s now changed, and there’s a new Trac site with an svn tree, wiki and all the usual stuff. The Honeywall public mailing list is also still available.
Cool stuff that will be coming in the future includes a move to hflow2 for better flow decoding and analysis and changes to the build processes to make it easier to use.
Credits: Earl Sammons, Rob McMillen and myself did the CentOS port. Steve Mumford and Dave Watson did all the work in setting up our new infrastructure to enable more open development.
Posted in News, Tool Releases | Comments Off on New release of the Honeywall CDROM
10:15, January 4th, 2008 by david
The Honeynet Project has recently completed a major internal restructuring, which sees the end of the Research Alliance and a move to a new Chapter based membership model (for example, we become the Honeynet Project’s UK Chapter). You can find out more about the new organisation, its bylaws and further membership information here.
As part of this restructuring process, active Honeynet Project members have elected a new Board of Directors and assigned various operational positions for the next three years. This includes David Watson from the UK group, who becomes a Honeynet Project Director and its Chief Research Officer.
With the restructuring process now complete, we are looking forward to getting back to honeynet research and development. A second, larger phase of our Global Distributed Honeynet (GDH) is already planned for 2008, along with more collaboration with other active security research groups.
Posted in News, UK News | Comments Off on Honeynet Project restructuring and elections
16:08, December 13th, 2007 by david
A new low interaction honeypot called Amun was released last week, by a German researcher called Jan Göbel at the University of Aachen. Amun takes a similar approach to nepenthes and is also designed to collect samples of autonomous spreading malware by emulating vulnerable network services and then downloading malicious payloads for analysis. It is Python and XML based, so should be easy to extend, and can be downloaded here. Worth checking out.
Posted in Tool Releases | Comments Off on Amun low interaction honeypot released
22:24, December 10th, 2007 by david
The Honeynet Project holds an annual workshop every year, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.
For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.
Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.
Posted in Events, UK News | Comments Off on Honeynet Project annual workshop
15:05, December 3rd, 2007 by david
I was the first international speaker at PacSec07 in Tokyo last week, and gave our initial public talk about the first phase of our Global Distributed Honeynet (GDH) research.
The abstract for the talk was:
A review of Phase One of the Honeynet Project’s latest research initiative, the deployment and operation of a global network of distributed high interaction research honeypots. An overview of the architecture, challenges faced, technical tools and new analysis/reporting procedures developed. Discussion of observed malicious activity during operation of eleven high interaction research honeynets around the world for six months (Jan-Jun 2007), including attacker activity, malware collection summary, etc. Sharing of practical operational experiences gained to date, unsolved issues and goals for the future.

GDH was the first (publicly declared) real world distributed high interaction research honeynet with nodes on most continents, designed and operated by the Honeynet Project. It enables the rapid deployment of identical honeypots over wide ranges of IP network space, monitoring of network activity and analysis of attacks against a range of distributed systems. The techniques and operational experience should be useful to many organizations interested in global sensor networks and better understanding the threats posed to their networks. A “Know Your Enemy: GDH” white paper and other supporting material will be released in 2008.
Slides will be available online from both the PacSec07 and Honeynet Project web sites shortly, or they can be downloaded directly from here.
The presentation was an hour long, and hopefully provided an introduction to what GDH Phase One was, why and how we built and operated it, then summarized some of our initial results and plans for the future. The audience questions were of a good standard, as were follow-up discussions at the party afterwards. Any offline feedback or questions are also welcome.
Overall the conference was enjoyable, with good presentations in a number of areas and an interesting mix of both Japanese and international attendees (and the obligatory late night social activities). Hopefully we’ll see some spin off honeynet research in 2008 in a couple of areas. It was also great to have the opportunity to visit Tokyo and meet local security researchers, plus presenting to a Japanese audience with live translation was entertaining. I’d particularly like to thank Ryo Hirosawa and the other translators for all their last minute help with slide translation. Thanks once again guys!
You can find further coverage and some photographs of the event here:
Cedric Blancher’s Blog
Cedric Blancher’s Photos
Ryo Hirosawa’s Photos
Toshiharu Harada’s Photos
Posted in Events, UK presentations | Comments Off on Global Distributed Honeynet talk at PacSec07
14:57, November 20th, 2007 by david
The November edition of Elsevier’s Network Security publication contains the second part of an article on web application attacks written by David Watson of the UK Honeynet Project and can be downloaded as part of their current free online trial (as can a previous article on Honeynets as Counter-intelligence tools).
Posted in UK presentations, Whitepapers | Comments Off on “Web application attacks” article published in Network Security (Part 2)
23:48, November 19th, 2007 by arthur
In his weekly “Dork Talk” column in the Guardian, this week Stephen Fry talks about the Storm worm. He cites the Honeynet Project amongst other sources (in particular, he’s citing the recent fast flux paper though he doesn’t quote it explicitly) and refers to us as “the good guys”, thus, as I am a regular Guardian reader, making my day.
The article is not technical and, as you would expect from Fry, very well written. A good one to pass on to relatives, managers and other interested but not techy types.
Posted in UK News | Comments Off on Honeynet Project mentioned in UK Guardian
17:59, November 7th, 2007 by david
The Honeynet Project released a new Know Your Enemy: “Behind the Scenes of Malicious Web Servers” white paper today, which follows up on recent publications about malicious web sites and attacks against common web clients.
Abstract:
“In this paper, we increase our understanding of malicious web servers through analysis of several web exploitation kits that have appeared in 2006/07: WebAttacker, MPack, and IcePack. Our discoveries will necessitate adjustments on how we think about malicious web servers and will have direct implications on client honeypot technology and future studies.”
Lots of crossover with recent UKHP activity and well worth a read.
Posted in Whitepapers | Comments Off on KYE: “Behind the Scenes of Malicious Web Servers” released