Honeybird - Hong Kong Honeynet Project Chapter Status Report for 2008

ORGANIZATION
This project is a joint project of the Professional Information Security Association (PISA), City University of Hong Kong (CityU) and the Institute of Vocational Education (IVE).
 
PISA has changed from an organization to a limited company.
 
We hope to use the honeynet to collect data on hackers’ activity for research and countermeasure development.
The project began in 2006 but was offline for 10 months. It was re-launched in 2007, and more members joined in 2008.
 
 
DEPLOYMENTS
Built a GEN2 honeywall with direct access to the Internet.
Built-in Roo alerts are sent to a dedicated Gmail account. (Thanks to Google.)
No firewall filters inbound or outbound traffic content. (** The ISP applies some content filtering to certain websites. **)
Two honeypots are set up, one with Linux CentOS 5.0 and one with Windows XP SP2.
Built 2 servers at a remote site for web hosting, data collection and data analysis.
 
 
RESEARCH AND DEVELOPMENT
 
We are at the beginning stage and are only collecting data. No research or tool development has been carried out yet.
 
 
PAPERS AND PRESENTATIONS
No papers or presentations in the last 12 months.
 
 
FINDINGS
Our honeypots have been hacked 2 times.
In the first case, the hacker intruded into the CentOS honeypot and installed a rootkit.
In the second case, the hacker set up a web server and hosted a fake page on the Windows XP honeypot. The intrusion method was a password brute-force attack against the FTP service, after which the hacker used Microsoft Remote Desktop to control the system and upload malicious tools.
 
 
(Detailed case study reports will be released later.)
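As an added example (not part of the chapter's report or its tooling), this is the detection logic a defender could run over FTP and Windows logon logs to spot the chain seen in the second case: a burst of failed FTP logins from one source followed by a Remote Desktop logon from the same source. The log line formats, the sample lines, the thresholds and the event number (528 with LogonType=10 for a Remote Desktop logon on Windows XP) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the chapter's honeypot); formats are assumed:
# vsftpd-style FTP log, and Windows security event 528 (logon) forwarded as syslog.
SAMPLE_LOG = """\
Sat Mar 15 10:02:01 2008 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Mar 15 10:02:02 2008 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Mar 15 10:02:02 2008 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Mar 15 10:02:03 2008 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Mar 15 10:02:04 2008 [pid 2211] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Mar 15 10:02:05 2008 [pid 2211] [admin] OK LOGIN: Client "203.0.113.5"
Sat Mar 15 10:30:00 2008 [pid 2300] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
Mar 15 10:41:12 xp-honeypot Security 528 LogonType=10 User=admin Source=203.0.113.5
"""

FTP_RE = re.compile(r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(\S+)\] '
                    r'(FAIL|OK) LOGIN: Client "([\d.]+)"')
RDP_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ Security 528 LogonType=10 '
                    r'User=(\S+) Source=([\d.]+)')

def parse(line, year=2008):
    """Normalise one log line to (timestamp, kind, src_ip, user), or None."""
    m = FTP_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        return ts, "ftp_" + m.group(3).lower(), m.group(4), m.group(2)
    m = RDP_RE.match(line)
    if m:  # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
        return ts, "rdp_logon", m.group(3), m.group(2)
    return None

def detect(log, fails=5, window=timedelta(seconds=60), follow=timedelta(hours=1)):
    """Flag FTP brute force per source, then FTP success or RDP logon from that source."""
    events = sorted(filter(None, (parse(l) for l in log.splitlines())))
    alerts, brute, recent = [], {}, {}   # brute: src -> time flagged; recent: src -> fail times
    for ts, kind, src, user in events:
        if kind == "ftp_fail":
            recent[src] = [t for t in recent.get(src, []) if ts - t <= window] + [ts]
            if len(recent[src]) >= fails and src not in brute:
                brute[src] = ts
                alerts.append(("ftp_bruteforce", src, ts))
        elif kind == "ftp_ok" and src in brute:
            alerts.append(("ftp_guess_success", src, ts))
        elif kind == "rdp_logon" and src in brute and ts - brute[src] <= follow:
            alerts.append(("rdp_after_bruteforce", src, ts))
    return alerts
```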
 
Here are the lessons learned so far.
 
What new positive things can you share with the community, so they can replicate your success?
Learn the techniques and tools used by hackers in real situations and report attack trends to the public.
 
Build up relationships with educational institutes to share our findings and technology.
 
What new mistakes can you share with the community, so they do not make the same mistakes?
Limit the disk size of the honeypot machine, e.g. to 10 GB; this saves time when cloning the compromised image and storing it for post-incident forensics.
 
Document the image backup and restore procedure so that the compromised image can be recorded and the honeypot machine resumed in a timely manner.
 
Are there any research ideas you would like to see developed?
A monitoring tool for different operating system platforms to help us identify that a honeypot machine has been compromised even when the attacker generates very little network traffic.
 
An analysis framework to examine network traffic and the honeypot machine after a compromise.
 
A centralized database to collect malicious/phishing URLs from the honeyclients of the Honeynet community.
 
 
GOALS
Which of your goals did you meet for the last six months?
- Set up a honeypot with an Internet point of presence and successfully attracted malicious intrusions.
- Built a relationship with a local educational institute and supplied resources (e.g. a compromised environment) for their teaching.
- Quarantined the hacked environment in a cloned disk image for behaviour study.
- Based on the quarantined environment, learned how the hacker intruded into the honeypot (referring to the project objective).
 
Which of your goals did you not meet for the last six months?
- Crossover with other PISA projects such as malware analysis and Prelude.
 
Goals for the next six months
- Implement the honeypot enhancements mentioned in section 3.3.
- More integration & crossover with other PISA projects (e.g. malware analysis and Prelude network-based IDS integration).
- More integration & crossover with other research projects (e.g. checking DNS servers running in Hong Kong against Dan Kaminsky's DNS attack).
 
MISC ACTIVITIES