For the last few years, I have been participating in a Department of Homeland Security sponsored effort to develop principles and applications for the evaluation of information and communication technology (ICT) research. If you are not familiar with the Menlo Report, you can find a description in Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan. The Menlo Report. Security & Privacy, IEEE, 10(2):71–75, March/April 2012.
I and two of my Menlo colleagues -- Wendy Vischer and Erin Kenneally -- recently taught a didactic course at the PRIM&R Advancing Ethical Research conference in San Diego. (PRIM&R is the conference for Institutional Review Board, or IRB, professionals, with the annual AER conference having thousands of attendees). Our course primarily described the Menlo Report process to date, but we concluded with a mock IRB committee review of a fictional proposed research project in which researchers develop countermeasures to malicious botnets in social network platforms like Facebook using a combination of deception to build a social network of over 1 million users and to then use "good bots" that infiltrate the "bad bots".
Claudio has just released a new version of Cuckoo Sandbox 0.5. The list of new features is very impressive! Check it out at http://cuckoosandbox.org/2012-12-20-to-the-end-of-the-world.html.
In many countries, its the time of the year you can make tax deductible donations to support your favorite charity and non-profit organization. Id like to ask you to consider donating to the Honeynet Project this year. The Honeynet Project is a 501c3 non-profit organization (EIN: 36-4460128) that - over the past decade - learned the tools, tactics and motives involved in computer and network attacks, and shared the lessons learned with the public. Along the way, we have authored and published many open-source tools to capture & analyze attacks. If you would like to support the cause, please donate.
Happy Holidays to all of you.
CEO, The Honeynet Project
Over the last few weeks I've basically rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: It only works for Windows Vista and later systems. As a consequence, there are now two flavors of Ghost in existence: One supports Windows XP but won't receive much further development, whereas a lot of interesting new features will be implemented for the other one, which is dedicated to Vista and later. In this post, I'm going to explain the reasoning behind the decision, describe the recent technical advances and outline some of our plans for the future.
This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012.), which is a rebuttal to a blog post by Jody Westby on Forbes online (“Caution: Active Response to Cyber Attacks Has High Risk.”) Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined "new approach" of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate "rules of engagement," principle-based ethical justifications of any type beyond basic "right of self-defense" arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin's own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post.
Mr. Bardin's blog post illustrates some of the problems with discussion of this topic that I have seen over and over since the first workshops I attended or lead on this topic in Seattle's Agora security group from 2001 to 2004. I have been studying and discussing these issues for over a decade and have seen the same simplistic arguments repeated in nearly every discussion. Useful analogies in this realm are really hard to find and almost always fail. Part of the problem stems from non-technical people trying to discuss extremely technical and complex issues of computer network attack and defense, combined with rushing to simple "self defense" analogies and appeals to emotion, suggesting we have to do something, anything, to get satisfaction. Frequently left out is any meaningful discussion of ethics, "rules of engagement," responsibility, or accountability.
If my response here comes across as vehement opposition, it is not intended that way. If anything, it shares Mr. Bardin's frustration that we have gotten to the point where intrusions are so widespread and pervasive, but we differ in explaining why and in proposing a viable path forward.
- Sébastien Tricaud
- Guillaume Arcas
- Anthony Desnos
- Franck Guénichot
- François-René Hamelin
- Christophe Grenier
We have following technologies deployed:
- Kippo on honeycloud. Goal of this deployment is to provide a centralized instance of Kippo & share findings, logs, collected data.
- HoneyProxy on honeycloud.
RESEARCH AND DEVELOPMENT
* New tools
=> HoneyProxy as part of GSoC 2012.
=> FAUP (formerly furl)
=> A.R.E. / AndroGuard
The UK Chapter's annual status report for 2011/2012 has been published at http://www.ukhoneynet.org/2012/12/04/uk-honeynet-project-chapter-annual-status-report-for-20112012/.
ENISA (The European Network and Information Security Agency) under the leadership of CERT Polska has published report on honeypots. Its a hands-on guide on the various honeypot technologies out there looking at various operational aspects, such as extensibility, reliability, ease of deployment, etc. If you are considering running a honeypot, this is a must read! Check it out at http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks. Great job, ENISA!
|THE HONEYNET PROJECT
Contact: Christian Seifert
|1425 Broadway #438
Seattle, WA, 98122
|FOR IMMEDIATE RELEASE
9 A.M. GST, November 26th, 2012
|2013 HONEYNET PROJECT ANNUAL WORKSHOP
10-12 FEBRUARY 2013 IN DUBAI, UAE
|DUBAI, 26 NOV 2012: This three-day event features an exceptional collection of international security professionals presenting the latest research tools and findings in malware analysis. The twelfth annual workshop will be held at The Address Dubai Mall Hotel on the 10th through 12th of February, 2013, with sponsorship and support from the UAE Honeynet Project chapter, United Arab Emirates Computer Emergency Response Team (aeCERT), and the Pakistan Honeynet Project chapter. The workshop includes one full day of briefings and two full days of hands-on tutorial trainings. Founded in 1999, The Honeynet Project is a non-profit international research organization dedicated to improving the security of the Internet at no cost to the public. |
“Cyber security is a critical element for any nation working towards technical advancement,” said H.E. Mohamed Nasser Al Ghanim, Director General of TRA. “I am pleased the TRA and aeCERT are participating in this event; hands-on and knowledge-intensive workshops such as this are invaluable as we work towards reinforcing the nation’s cyber security.”
“Cyber security is not a ‘one-man’ job, it is dependent on the proactive collaboration of groups spanning government, industry and academia,” said Ahmad Alajail, Security Intelligence & Threat Analyst. “ This is why initiatives such as Honeynet, which provide a diverse talent base, are greatly complementary to the nation’s cyber security and to our work at aeCERT.”
The Honeynet Project is composed of 45 regional chapters and is a diverse, talented, and engaged group of hundreds of volunteer security experts who conduct open, cross disciplinary research and development into the evolving threat landscape. Registration and more information available at: http://dubai2013.honeynet.org or by contacting The Honeynet Project CEO Christian Seifert to request a personal interview at: firstname.lastname@example.org.