Know Your Enemy: Containing Conficker

30 Mar 2009 Lance Spitzner kye conficker
The Honeynet Project is excited to announce the release of Know Your Enemy: Containing Conficker. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally, and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail, along with an overview of the potential for upcoming domain collisions in version .

GSoC Applications

27 Mar 2009 Lance Spitzner gsoc
Folks, just a friendly reminder that the Honeynet Project is actively seeking and taking students for the annual Google Summer of Code. If you are interested in information security, open source and learning from some extremely talented developers in this area, then this is the place for you. We currently have eight project ideas, but we are open to any suggestions or ideas you may have. Learn more at our Honeynet Project GSoC Ideas Page.

GSoC Mentoring Organization

19 Mar 2009 Lance Spitzner gsoc
We are excited to announce that the Honeynet Project has been selected by Google to be a mentoring organization for their annual Google Summer of Code project. Our team of volunteers is very excited about this and looks forward to working with and helping mentor students around the world on honeypot technologies. To learn more about the different projects you can work with us on, please take a moment to review our IDEAS PAGE.

Data Link Security

14 Mar 2009 Sami Guirguis arp-spoof data-link-layer-attacks dhcp-starvation layer-2 mac-flood stp-manipulation vlan-hopping
Buffer overflows, cross-site scripting and SQL injection have had their share of the spotlight. I have recently decided to give more attention to layer two issues and share my findings. Some of the reasons that attracted me to layer two security are that there is a high percentage of insider attacks by employees, the threat is underestimated and what is within the LAN is considered “trusted”. Also, more broadband providers deploy network access based exclusively on layer two (for fast recovery, the average convergence time for RSTP is far greater than OSPF and EIGRP).

Google Summer of Code

13 Mar 2009 Lance Spitzner google
We are very excited to announce that the Honeynet Project has applied for the Google Summer of Code for 2009. We find that students are often the best source of new ideas and of cutting-edge new technologies. Having been dedicated to open source security for over ten years, we are strong believers in and supporters of giving back to the community. We look forward to the opportunity to work with, mentor and help develop some of the most creative minds on the Internet today.

Annual Honeynet Workshop

02 Mar 2009 Lance Spitzner workshop
Once a year the Honeynet Project brings together members from around the world for a one week workshop on honeypot research, development and deployments. This year’s event was hosted and sponsored by the International Multilateral Partnership Against Cyber-Threats (IMPACT), a public-private alliance against cyber threats. The event was held in IMPACT’s facilities based in Cyberjaya, Malaysia. Without a doubt, this was our most successful and productive workshop ever. We had over twenty countries and organizations represented, all dedicated to honeypot development, data collection and analysis.

Mexican Chapter - Annual Report

12 Feb 2009 Miguel Lopez chapter mexican-chapter-annual-report report
=== ORGANIZATION ===
The Mexican HP Chapter members are:
Miguel Hernández y López (miguel_at_honeynet.org.mx)
Hugo Gonzalez Robledo (hugo_at_honeynet.org.mx)
=== DEPLOYMENTS ===
* Capture HP deployment and a Nepenthes sensor in several networks.
* Working with different government agencies in Argentina to implement Nepenthes sensors and honeynets within their networks.
* Implementation of several sensors to catch many malware samples within the National Network for Electronic Banking.
=== RESEARCH AND DEVELOPMENT ===

Speaking Waledac

27 Jan 2009 Felix Leder botnet-protocols encrypted-traffic encryption waledac
While it seems to be impossible to say whether Waledac is the successor of Storm or not, what we can do is take a look at the traffic encryption. The guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated Waledac’s communication protocol further. Here are our results. Waledac uses regular HTTP requests to transmit command requests and to retrieve responses. It uses HTTP fast-flux proxies to hide the true origin of the command & control (C&C) server.

Picviz 0.5 out

25 Jan 2009 Sebastien Tricaud picviz visualization
The new release 0.5 of Picviz is out. This version comes with real-time mode enabled (and adds the libevent dependency) among other things, such as new properties and variables. Get it from the usual place. What is Picviz? When considering log files for security, the usual applications available today either look for patterns using signature databases or use a behavioral approach. In both cases, information can be missed. The problem becomes