Just a reminder, there is still time to register for The 2011 Honeynet Project Security Workshop.

More information: honeynet.org/node/602
Register: regonline.com/builder/site/Default.aspx?EventID=929631

About the event:

The 2011 Project Honeynet Security Workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. Organized by the not-for-profit Honeynet Project and co-sponsored by the ESIEA Engineering School, this full day workshop creates opportunities for networking, collaboration and lessons-learned featuring a rare, outstanding line-up of international security professionals who will present on the latest research tools and findings in the field.

Not all of you might know it, but The Honeynet Project is well-represented on social media. Apart from this blog, we have:

• An official Project Twitter feed @projecthoneynet
• Facebook group ‘The Honeynet Project’
• LinkedIn group ‘The Honeynet Project’
• “Old school” public mailing list, still at SecurityFocus

Finally, if you consider IRC to be social media (and why not?), we still run these:

#honeynet-project on irc.freenode.net (new, general public enquiries)

#honeynetproject on irc.freenode.net (new, general public enquiries)

Has it really been another year already? Having really enjoyed our experience as a successful mentoring organization in Google Summer of Code 2009 and Google Summer of Code 2010, The Honeynet Project is very pleased to announce that we will once again be applying to be accepted this year as a potential mentoring organization for Google Summer of Code 2011 (note the changed URL for GSoC 2011).

The first GSoC 2011 deadline is Friday March 11th, which is the deadline for interested organizations to submit their org application. Currently we are reviewing our GSoC 2011 project ideas internally and prospective students will soon be able to see our list of proposed project ideas here. If we are accepted this year by Google, as usual all of our GSoC 2011 information will be available at /gsoc on our main public website.

The following are the Top 5 popular blog posts from The Honeynet Project blog this month.

2. “Observing Botnets” talks about tools to observe bot traffic on the network; it is an excerpt from “Know Your Enemy: Tracking Botnets” paper (fun quote: ‘“A botnet is comparable to compulsory military service for windows boxes” – Stromberg’)

3. “The Honeynet Project Releases New Tool: Cuckoo” covers Cuckoo, a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware.

Here is another tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here – but please read detailed setup guide here (make sure to read it!). BTW, this tool is really well-documented, so make use of it before deploying it.

Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity. Current features are:

Here is another new release from the Project: a release of a new tool called PhoneyC, a virtual client honeypot.
PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser.
It can be run, for example, as: $ python phoneyc.py -v www.google.com
By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
Download version 0.1 (a contained readme contains installation instructions) here: phoneyc_v0_1_rev1631.tar_.gz
v0.1 feature highlights include:

There is a paper at WOOT 10’ described how to use smudges on the touch sceen of a smartphone to get largely decrease the time an attacker need to guess the right password to unlock the screen. For example, by for 4 passcode based iPhone, one just need to try at most P(4,4) = 4! = 24 times before he get the right one.

But I think this situation had happened on PC and we already have a solution. Long time ago, we have Trojan that steals the password. To combat with it, people invented virtual keyboard (like used by many online bank in China). But the attacker then upgraded their program to record the mouse coordinates so they still know which character you entered. Isn’t this sounds familiar? Yes, these coordinates are just like the smudges you left on your screen! So what happened next? We have randomized virtual keyboard.

It is with great pleasure I announce the first-ever Honeynet Project Public Conference, held alongside with the traditional Honeynet Project Annual Workshop. The event will be held on March 21, 2011 in Paris. For those who just want to register now, go here.

Date:  21 March 2011 (Monday)

8:30AM ~ 18:00PM (GMT+1)

Location:

ESIEA Paris, 9 rue Vesale 75005 Paris

(Nearest subway station: Les Gobelins(line #7))

About the event:

The 2011 Project Honeynet Security Workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. Organized by the not-for-profit Honeynet Project and co-sponsored by the ESIEA Engineering School, this full day workshop creates opportunities for networking, collaboration and lessons-learned featuring a rare, outstanding line-up of international security professionals who will present on the latest research tools and findings in the field. 

Carl Pulley, a loyal follower of our Forensic Challenges, has written up an analysis on how could one determine the Apache version that generated the logs. His analysis can be found at http://acme-labs.org.uk/news/2011/01/20/apache2-version-analysis/ and http://acme-labs.org.uk/news/2011/01/21/apache2-version-analysis-data-visualisation/. Check it out!

Folks, Chengyu Song has been busy the last few weeks and made some upgrades to the honeypot monitoring tool Qebek. He has ported it from QEMU 0.9.1 to QEMU 0.13.0. As a result, Qebek’s performance (boot time) is better and it no longer requires gcc 3.4. You can check it out

svn co https://projects.honeynet.org/svn/sebek/virtualization/qebek/trunk/

If you don’t know what Qebek is or how to use it, take a look at our whitepaper at https://honeynet.org/papers/KYT_qebek.