The Honeynet Project

Last week it was announced that Angelo Dell'Aera is elected as our new CEO. Here is a brief description about Angelo.

On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called "Tortilla" that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn't I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don't have a good answer, that will say a lot about our field's collective ability to reason about actions along the Active Response Continuum. [D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585.]

MalwareZ is a visualization project that is started as a YakindanEgitim (YE) project. YE is a startup that me and some collegues mentor young people on specific projects, remotely. It is announced as a local fork of Google Summer of Code, except neither mentors nor mentees are paid.

Gürcan Gerçek was the main developer for the MalwareZ project and my role was mentoring him.

To have a better visibility of this years GSoC projects we have created a blog for the students and their mentors. This blog is the place where students should post weekly updates about their progress. It is also the place where students and mentors can share their findings and experiences about and during the GSoC projects as they happen. The first updates have already started to drip in and it is getting interesting.

A hot summer, cool drinks and happy coding to all the participants.

http://gsoc2013.honeynet.org

Two years are passed from the first commit and taking a look at the number of committed patches I realized that right now the patch number 1000 was committed. Let me say it's really impressive realizing it. In the last two years I had a lot of fun thinking and designing the future of this project and I'm really proud of what Thug turned to be. I have to thank a lot of persons who contributed with their suggestions, ideas, bug reports and sometimes patches. You know who you are. Really thanks!

Howdy all,
I've the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will be shortly introduced in further versions.

After a pretty hectic few weeks of student application review, setting and scoring coding challenges, and assessing proposals, mentoring organizations participating in GSoC 2013 had to confirm their student slot allocations and final short list of preferred candidates by Friday May 24th at 19:00 UTC.

[This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.]

At the AusCERT 2013 conference, Dmitri Alperovich called for debate about, "the kinds of actions that infosec professionals are allowed to take against attackers." I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005! (AusCERT invited me to speak on an emerging topic and I chose to speak for the first time publicly at AusCERT 2005 about the Active Response Continuum research I had been doing with funding from Cisco.) As one of the world's foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. :)

What follows is adapted from the forthcoming book, "The Active Response Continuum: Ethical and Legal Issues
of Aggressive Computer Network Defense," by David Dittrich. I welcome any comments, suggested modifications and/or additions.

There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems. This has been called active defense, aggressive [network] self-defense, counter-attack, and even hacking back. Regardless of the reasons why someone would want to take such actions, it is necessary to discuss the options, acknowledge the risk and benefit tradeoffs, and identify how aggressive actions can be taken in a manner that is safe, controlled, and justifiable (as best this can be accomplished). This cannot be accomplished, however, if everyone comes at the subject with their own individual frame of reference and language. (This was pointed out by more than one person at this year's Suits & Spooks DC 2013 conference.)

We proudly announce the first release of our Industrial Control System honeypot named Conpot.

Until now setting up an ICS honeypot required substantial manual work, real systems which are usually either inaccessible or expensive and lecture of quite tedious protocol specifications. With implementing a master server for a larger set of common industrial communication protocols and virtual slaves which are easy to configure, we provide an easy entry into the analysis of threats against industrial infrastructures and control systems.