Singapore Chapter Status Report For 2008

1. Changes in the structure of your organization.
There were no changes in our organizational structure.
2. List current chapter members and their activities

Full Members:

  • Cecil Su: Director, SIG^2 GTEC Labs
  • Vijay Vikram: MIS Manager, James Cook University (Singapore Campus)
  • Alvin Ho: NUS Computing Center Manager, SIG^2 GTEC Labs
  • Eugene Teo: Senior Software Engineer, Red Hat Asia Pacific Pte Ltd
  • Nicolas Collery: Director, CERT-LEXSI Singapore

DEPLOYMENTS

1. List current technologies deployed.
The lab where our rack of equipment is located has a GenIII Honeynet running off Roo Version 1.3. Under the honeywall, four kinds of honeypots are deployed.

  1. Low-Interaction Honeypots: Honeyd and Nepenthes
  2. High-Interaction Honeypots: two versions of the MS-Windows O.S. and one version of SUN Solaris
  3. Other Honeypots: HIHAT and HoneyBot
  4. Client Honeypot: Capture-HPC

Our honeynet facilities are located at the IT Security Lab, Computing Center of the National University of Singapore.
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.

The chapter has been focusing on attacks towards Singapore's networks and analyzing the activities of attackers targeting this part of the continent. We have also started to look at phishing activities targeting networks in Singapore.
Besides this, based on the data collected by our honeynet in the past quarter, we have noticed huge surges in probes/attempts against Microsoft SQL Server and Microsoft Directory Service.
In total, close to 600 unique malware binaries were collected by the Nepenthes honeypot in the past quarter.
 
RESEARCH AND DEVELOPMENT

·  List any new tools, projects or ideas you are currently researching or developing.
We are working on enhancing the reporting and analysis of collected data and making our tools more useful. We are working on options which generate useful meaning from the collected data and enable us to do trending more efficiently.
We are currently working with a Japanese counterpart on a risk management framework for data analysis and collaboration.
We are now actively working with various academic institutions to deploy country-wide distributed Honeypots/Honeynets to collect and correlate data.
 
·  List tools you enhanced during the last year
We developed an internal process for analyzing malware and customized data analysis interfaces.
We experimented with different ways to collate data from heterogeneous log sources and import these into our central database.

·  Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
We would like to actively develop and improve GDH data analysis capabilities and make use of the capabilities that we have developed.
·  Explain what kind of help or tools or collaboration you are interested in.
We would like to contribute to GDH development and deployment.
 
FINDINGS

1. Highlight any unique findings, attacks, tools, or methods.
In terms of attacks on services, we observed that Microsoft SQL Database and Microsoft Directory Service scored the highest number of hits.
In the last quarter we had also noticed that there were a large number of phishing sites as well as sites hosting various strains of malware.

2. Any trends seen in the past year?
Microsoft services seemed to be the more prevalent target for attackers on this island. The same types of services are being targeted in a near-repeating pattern. We had also observed many automated attacks against web applications, and specifically against certain web forums.
 
3. What are you using for data analysis?

  • Walleye
  • Sbk_extract
  • Tcpdump
  • NetDude
  • Wireshark
  • Chaosreader
  • Custom-modified walleye.pl scripts to sanitize traffic
  • Custom-created reporting scripts to perform incident reporting of external intrusions

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
We would like to see more collaboration between chapters and perhaps cross-development of tools.


PAPERS AND PRESENTATIONS

None for 2008. We hope to be able to publish at least two for 2009.

 
GOALS

1. Which of your goals did you meet for the past year?

  • Tested and deployed the latest Honeywall release
  • Evaluated new tools for visualizing Honeynet data that will help us in our analysis.
  • Increased awareness of the current attack trends and threats to various organizations in Singapore.
  • Collaboration with other like-minded organizations.

2. Goals for the next year.
·  Deploy at least one GDH node
·  Deploy HoneySpot (by the Spanish Honeynet chapter) to track and monitor wireless deployments in Singapore
·  Analyze MMORPG vulnerabilities - trojans targeting account information

MISC ACTIVITIES
None