Piotr Kijewski CERT Polska/NASK The Honeynet Project
17:05 ~ 17:15
Hands-on Tutorial Training Preview
Kara Nance The Honeynet Project
17:15 ~ 17:30
The Honeynet Project / Facebook
17:30 ~ 19:00
Reception sponsored by Norman
The Honeynet Project reserves the right to cancel and reschedule the program agenda.
Security Workshop is in English only.
Accommodation is not covered by the registration fee.
Lunch will be provided.
Overview of Recent Honeynet Research and Development, David Watson
A quick high-level introduction to recent honeynet R&D activities over the past years, including GSoC and significant tool and whitepaper releases, plus future research directions for 2012.
David Watson is the Chief Research Officer for the Honeynet Project, a non-profit security organization dedicated to sharing its research and findings on cyber threats, and was a Director between 2007 and 2012. As an active security researcher he regularly presents at international conferences or workshops and has contributed to various publications in the field of IT security.
David has been involved with deploying honeypots since 1999 and is currently the project manager and lead developer for the Honeynet Project's Global Distributed Honeynet (GDH/HonEeeBox) initiative, which focuses on analysing data gathered from networks of internationally distributed honeypots. He also leads the UK Honeynet Project Chapter, is the Honeynet Project's Google Summer of Code organizational admin and co-owns Isotoma, a growing UK open source software development company.
After decades in research obscurity, honeypots became widely visible in the late 1990s largely through the work of early Honeynet Project members. Now in 2012, honeypots have evolved into a diverse array of standard research tools. This talk will provide a wide overview of the honeypot world, giving insights into their usage, the types of data they provide, and how they can evolve into even more powerful tools for network defenders.
Dr. Jose Nazario is the senior manager of security research at Arbor Networks. In this capacity, he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing security mechanisms that are then distributed to Arbor's platforms via the Active Threat Feed (ATF) and the ATLAS Intelligence Feed (AIF) threat detection services. Dr. Nazario is also heavily involved in the Internet security community, including efforts such as the Conficker Working Group, the FIRST community, and many more efforts. He serves on the boards of the Honeynet Project, the Open Infosec Foundation, and the Cyber Conflict Studies Association.
Dr. Nazario's research interests include large-scale Internet trends such as reachability and topology measurement, Internet-scale events such as DDoS attacks, botnets and worms, source code analysis tools, and data mining. He is the author of the books "Defense and Detection Strategies against Internet Worms" and "Secure Architectures with OpenBSD." He earned a Ph.D. in biochemistry from Case Western Reserve University in 2002. Prior to joining Arbor Networks, he was an independent security consultant.
Feasible Solution for the Web Threat Jigsaw, Lukas Rist
Web sites are today's biggest and most vulnerable attack surface. A single compromised page can give you a lot of bang for your bugs. Learning from expensive breaches was never feasible. We will explain how to use Honeypot, Sandbox and Botnet monitoring technology to gain information about current threats which ultimately helps us to find vulnerabilities before they get exploited, insight into the malware distribution network and the botnets used for mass exploitation.
Lukas Rist is an Internet security enthusiast, member of The Honeynet Project, Math and Physics student, spare time web application and instant messaging honeypot developer and currently knee-deep in data
Thug: a new low-interaction honeyclient, Angelo Dell'Aera
The number of client-side attacks has grown significantly in the past few years, shifting the focus to poorly protected, vulnerable clients. Just as the best-known honeypot technologies enable research into server-side attacks, honeyclients allow the study of client-side attacks. A complement to honeypots, a honeyclient is a tool designed to mimic the behavior of a user-driven network client application, such as a web browser, and to be exploited by an attacker's content. The talk will describe the theoretical and practical steps required to design and realize a low-interaction honeyclient. During the talk, a new Honeynet Project low-interaction honeyclient (project name "Thug"), aimed at mimicking the behavior of a web browser, will be publicly presented and released.
Speaker Bio:
Angelo Dell'Aera is currently employed at Security Reply, a security service provider located in Italy, working in the Early Warning Team as Senior Threat Analyst. He also leads the Sysenter Honeynet Project Chapter, and his interests are mainly related to botnet tracking, honeyclient technologies and malware analysis. Angelo started working as an independent researcher in networking and security in 1998, focusing his research on both attack and defense techniques, mainly on *NIX platforms. Meanwhile he worked as a researcher at Politecnico of Bari until June 2004, where his main research topic was TCP congestion control algorithms. His research led to the design of the TCP Westwood+ algorithm and the implementation of its support in the official Linux kernel.
Countering the removable device threat with USB honeypots (Invited Talk), Sebastian Poeplau
Most honeypots require malware to fulfill certain criteria in order to capture it. An SSH honeypot, for example, targets malware that attacks SSH servers; an HTTP client honeypot aims at malware that is distributed by web servers. However, it is almost always required that the targeted malware somehow spread via computer networks. And here the problem arises. Examples such as Conficker and Stuxnet, among others, have shown that it is possible - in some cases even necessary - for malware to spread via another medium: they propagate on USB sticks, completely independent of any network. Our honeypots are hardly able to detect such malware if it does not use networks as well. So what to do? In the talk we will discuss the concept of a honeypot that focuses on such USB malware - malware that propagates via USB storage devices - and find a way to detect the malware without any further knowledge. We will outline the idea and take a look at its implementation.
Popular Internet sites are under attack all the time from phishers, fraudsters, and spammers. They aim to steal user information and expose users to unwanted spam. The attackers have vast resources at their disposal. They are well-funded, with full-time skilled labor, control over compromised and infected accounts, and access to global botnets. Protecting our users is a challenging adversarial learning problem with extreme scale and load requirements. Over the past several years we have built and deployed a coherent, scalable, and extensible realtime system to protect our users and the social graph. This talk outlines the design of the Facebook Immune System, the challenges we have faced and overcome, and the challenges we continue to face.
Social Authentication, Alex Rice
Passwords suck. Security questions are a joke. Two-factor? Hah. Web authentication is frustratingly broken. Over the past year, Facebook engineers have been experimenting with various attempts to supplement "Something you know" with "Someone you know". A year of iteration and usage by millions of real world users has taught us a great deal about this new approach to authentication. This talk will demonstrate the implementations we've come up with and share much of what we've learned along the way: where it works, where it doesn't, and where it falls apart spectacularly.
Examining Attacker Behavior On and Off-Line Using Social Science Research, Thomas J. Holt
The range of threats facing computer users and critical infrastructure is complex and continuously evolving. Attacks vary based on the target and the skill level of the actor, ranging from publicly accessible malware that can be purchased on the open market to unique zero-day exploits created for a specific attack. Attackers also have varied motivations, from monetary gain to political ideologies. Though technical explorations provide insight into how to defend against these crimes, there is still a great deal that is unknown about the social world of hackers. This talk will provide an exploration of the motives, social structures, and dynamics that facilitate computer attacks around the world using real world examples. The presentation will examine the disparate on-line communities involved in the theft and sale of stolen data and malware, as well as the social networks and organizational composition of the marketplace. We will also discuss unique tools designed to automate the analysis and examination of these communities. In addition, we will present the findings from an international study of the factors that predict participation in politically motivated attacks against critical infrastructure and government targets. The findings will give unique insights into the role of patriotism, technological skill, and hacking in various forms of political attacks. In turn, this presentation will benefit computer security professionals, law enforcement, and the intelligence community by identifying the social dynamics that shape the hacker and attacker community across the globe.
Thomas J. Holt is an Associate Professor in the School of Criminal Justice at Michigan State University. He received his Ph. D. in Criminology and Criminal Justice from the University of Missouri-Saint Louis in 2005. His research focuses on computer hacking, malware, and the role that technology and computer mediated communications play in facilitating all manner of crime and deviance. Dr. Holt has been published in numerous academic journals, including Crime and Delinquency, Deviant Behavior, and the Journal of Criminal Justice, is a co-author of the book Digital Crime and Digital Terror, editor of the text Cybercrime: Causes, Correlates, and Context, and co-editor of the forthcoming book Corporate Hacking and Technology-Driven Crime. He is also the recipient of two grants from the U.S. National Institute of Justice to examine the market for malicious software and the social dynamics of carders and data thieves in on-line markets. Additionally, Dr. Holt is the project lead for the Spartan Devils Chapter of the Honeynet Project, and directs the MSU Open Source Research Laboratory dedicated to exploring the landscape of cyberthreats around the globe through on-line research.
Open Source Intelligence Gathering: Know your enemy without them knowing you, Matt Erasmus
The presentation will cover a couple of freely available tools to gather more information on key data elements we see in the Honeynet Project's work. It will focus on finding more information about possible attackers without actually making connections to remote systems. I will show how easy it is to pull a lot of useful information very quickly that will help with investigations into possibly malicious attackers.
Matt Erasmus works as a security consultant for one of the Big Four auditing firms. In his spare time he likes to wrangle malware and learn new ways to break computers and networks. He heads up the South African chapter of the Honeynet Project with Barry Irwin.
Android application plagiarism, Anthony Desnos
This talk deals with Android application plagiarism. The Android system is now widespread, and lots of applications are developed each day. These applications are mostly written in Java, though it is now possible to make calls to binaries or shared libraries. To be executed on the DVM (Dalvik Virtual Machine), the Java source code (.java files) is translated into Java bytecode (.class files) and then a tool named `dx` is used to convert them into the DVM (or Dex) format (the .dex files). Due to the nature of the bytecode, reversing it is somewhat easier than reversing machine code. Moreover, the licensing or signing system can't stop malicious actors from taking an application from the official/unofficial market in order to modify it, and spreading this application on a different market. Most of the time, the application has been patched to remove security features, to add malware or simply to add advertising in order to make money. For Android developers this is a real threat, because they have no means to detect such pirated applications or to check what the difference is between their application and the pirated one. We will present open source tools (that use Normalized Compression Distance) available to Android developers (and computer security researchers), which can be used to detect whether an application has been pirated by someone else, to evaluate Android obfuscators or to automatically extract injected code. Furthermore, it's possible to perform diffing between Android applications to see exactly which instructions have been changed.
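The abstract above relies on Normalized Compression Distance (NCD) to decide whether two applications share most of their code. The following added example (not Androguard's or the speaker's code) shows the core of that technique on constructed stand-ins for method bytecode: a real compressor (zlib) scores an original against a copy with injected code and against an unrelated app. The sample "apps", the injected advertising call and the 0.3 threshold are all assumptions made for the demonstration.

```python
import random
import zlib

# Constructed stand-in for a decompiled Dalvik method body. The real tools work on
# the .dex bytecode itself; NCD only needs byte strings, so this text form suffices.
MNEMONICS = ["invoke-virtual", "move-result-object", "const-string", "if-eqz",
             "iget-object", "new-instance", "invoke-direct", "return-void"]

def fake_method_body(seed: int, length: int = 400) -> bytes:
    """Deterministic pseudo-random instruction sequence standing in for one app."""
    rng = random.Random(seed)
    lines = ["%s v%d, v%d" % (rng.choice(MNEMONICS), rng.randrange(16), rng.randrange(16))
             for _ in range(length)]
    return "\n".join(lines).encode()

# Constructed block a repackager might splice in (placeholder ad-library call).
INJECTED_CODE = b"\n".join(
    b"invoke-static {v%d}, Lcom/example/injected/Ads;->show(Landroid/content/Context;)V" % i
    for i in range(20))

ORIGINAL_APP = fake_method_body(seed=1)
PIRATED_APP = ORIGINAL_APP + b"\n" + INJECTED_CODE   # original plus injected code
UNRELATED_APP = fake_method_body(seed=2)             # different app, same vocabulary

def compressed_size(data: bytes) -> int:
    return len(zlib.compress(data, 9))

def ncd(x: bytes, y: bytes) -> float:
    """Normalized Compression Distance: near 0 for near-identical inputs, near 1 for unrelated."""
    cx, cy, cxy = compressed_size(x), compressed_size(y), compressed_size(x + y)
    return (cxy - min(cx, cy)) / max(cx, cy)

def looks_plagiarised(original: bytes, suspect: bytes, threshold: float = 0.3) -> bool:
    """Flag the suspect when it is closer to the original than the (assumed) threshold."""
    return ncd(original, suspect) < threshold

if __name__ == "__main__":
    for name, suspect in (("pirated", PIRATED_APP), ("unrelated", UNRELATED_APP)):
        print("%-9s NCD=%.3f plagiarised=%s" % (
            name, ncd(ORIGINAL_APP, suspect), looks_plagiarised(ORIGINAL_APP, suspect)))
```

The injected code barely raises the compressed size of the original, so the pirated copy stays close to 0, while the unrelated app lands near 1 even though it uses the same instruction vocabulary.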
He was involved in open source security projects like ERESI (Reverse Engineering Software) and draugr (live memory forensics on Linux). Now he is the author or co-author of a number of open source security projects about Android applications, like Androguard (static analysis), DroidBox (dynamic analysis) and ARE (Virtual Machine for Android Reverse Engineering). He is also the maintainer of the open source database of Android malware (signatures, and an engine to detect malware).
He has been a speaker at various computer security conferences on different topics, including Blackhat and hack.lu, and he is an active member of Honeynet.
The ZeuS family of banking trojans remains probably one of the most serious threats to the end user on today's Internet. In this talk we will cover some history of the evolution of the trojan, its inner workings and how it looks today. An overview of our experiences in analysing the trojan and ZeuS botnets will be given, with particular focus on ZiTMo and the latest ZeuS P2P variants. We will also show how cooperation between various stakeholders in Poland allowed for a quick and accurate assessment of a ZiTMo outbreak in early 2011, in spite of some hysterical media hype surrounding the event. Finally, a comparison will also be made with its great rival – SpyEye.
Piotr Kijewski has worked for NASK as part of the CERT Polska team since 2002. He became head of the team in April 2010. His main interests in the computer and network security field include intrusion detection, honeypots and network forensics. Apart from heading the CERT operational activity, he also heads a group of people from various teams at NASK that is responsible for the development of novel solutions in the area of network and threat monitoring. This includes work on projects such as ARAKIS, a network early warning system that consists of over 50 sensors with a honeypot capability across Polish networks, and the HoneySpider Network 1 & 2 projects aimed at developing a complete client honeypot solution. He has spoken at various international conferences and workshops (FIRST Annual Conference, Honeynet Project Annual Workshop, NATO Cyber Defense, ENISA events, GOVCERT.NL symposium, TF-CSIRT meetings etc). Piotr Kijewski is the leader of the NASK team that was involved in the EU FP7 WOMBAT (Worldwide Observatory of Malicious Behaviour and Attack Threats) project. He has also taken part in other European projects such as eCSIRT.net, SPOTSPAM and ENISA studies (including the Proactive Detection of Network Security Incidents study, co-authoring the ENISA CSIRT Exercise Book, as well as membership in various working groups). Previously he worked for nearly 10 years as a network administrator at the Warsaw University of Technology and as a network security consultant for many companies in Poland. He holds an MSc degree in Telecommunications from the Warsaw University of Technology.