We have a web application honeynet deployed with approximately eight nodes, running the Google Hack Honeypot. We are currently involved in the Global Distributed Honeynet with a Chicago-based node.
We are observing the use of search engines as a propagation method in worms and as a discovery tool for exploits. We have retrieved worms that use multiple search engines, including Yahoo, Google, and AltaVista, to locate targets with the intent of expanding botnets. Typical outcomes of these compromises include defacements, spam, botnet recruitment, and phishing.
We have released and open sourced new versions of the Google Hack Honeypot to the public, which extend its honeynet functionality with XML-RPC based logging and SSL support. We also released a KYE (Know Your Enemy) paper titled "Web Application Threats" in February.
Nothing significant enough to report. We can say with total certainty, however, that public computer labs are not a good location for a server.
Scanning tools for web applications are still primitive or not readily available. Tools like nmap are definitive when searching for vulnerable network services, but the abstraction layer provided by web servers makes it nearly impossible to simply scan for the services that operate over HTTP. Information sources for these web based services are diverse, and should be centralized and automated through a tool for penetration testing.
Data analysis against hosts using proxy services is non-existent. We are leading an effort to help solve this issue. For example: an attacker using the Tor service attacks a honeypot, and the logs are reviewed months or years later. At review time there is no record of which proxies existed at the time of the attack, so it is never reported that the attacker used an anonymizing service.
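As an added illustration of the correlation gap just described (example code written for this page, not part of the report or of the Google Hack Honeypot), the following Python sketch archives timestamped snapshots of a proxy/Tor exit list and tags each honeypot log entry with the snapshot that was current when the request arrived. The snapshots, addresses and log lines are constructed; a real collector would fetch the published exit list on a schedule and store each copy with its fetch time.

```python
import bisect
import re
from datetime import datetime, timezone

# Constructed archive: (time the exit list was fetched, set of exit IPs).
# Addresses are documentation-range placeholders, not real exits.
SNAPSHOTS = [
    (datetime(2007, 3, 1, tzinfo=timezone.utc), {"192.0.2.10", "192.0.2.11"}),
    (datetime(2007, 3, 2, tzinfo=timezone.utc), {"192.0.2.11", "198.51.100.5"}),
]

# Constructed Apache combined-format lines from a web honeypot.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2007:12:00:00 +0000] "GET /ghh/index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [02/Mar/2007:12:00:00 +0000] "GET /ghh/index.php HTTP/1.1" 200 512',
    '198.51.100.5 - - [02/Mar/2007:12:00:00 +0000] "GET /ghh/index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Feb/2007:12:00:00 +0000] "GET /ghh/index.php HTTP/1.1" 200 512',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def exit_set_at(snapshots, when):
    """Exit set from the newest snapshot fetched at or before `when`.
    Returns None when no snapshot predates the event: exactly the gap
    that makes a months-later review unable to say whether Tor was used."""
    times = [t for t, _ in snapshots]
    i = bisect.bisect_right(times, when)
    return snapshots[i - 1][1] if i else None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def enrich(lines, snapshots=SNAPSHOTS):
    """Tag each request as 'tor-exit', 'direct' or 'unknown' (no snapshot)."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        exits = exit_set_at(snapshots, ts)
        verdict = "unknown" if exits is None else ("tor-exit" if ip in exits else "direct")
        out.append((ip, ts.isoformat(), verdict, req))
    return out
```

Note that the same source address is tagged differently on 1 March and 2 March, which is the point: the verdict depends on the list that was current at the time of the request, not on today's list.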
Yes, we intend to investigate the usefulness of this service with tools similar to honeysnap.
We are back to research, and are collecting data for future publications. KYE light papers are being contemplated in the meantime, when time is available.
We will likely ask to use data from the Global Distributed Honeynet for publication or similar.
Through the Honeynet Project, in a Know Your Enemy paper.
We have attracted interest from local information security professionals following the release of the latest KYE paper, as well as interest from students at DePaul University seeking school credit in an information security related field.
As long as strong networking exists, the research and technology will follow. This has been the theme since we joined; as long as these opportunities remain, we are content with Alliance work.
Communication between active members is strong on the mailing list; however, a social networking service may benefit networking. Past and current members' affiliations, credentials, skill sets, and locations are information that would help progress research, and they are not readily available by observing email conversations over lists. A social network would make a quick "who's who" very simple and effective for collaboration.
We successfully gathered data from our first honeynet.
We successfully created a simple data analysis frontend for our data.
We deployed an updated and expanded honeynet for future research.
We wrote the first KYE paper in two years of the Honeynet Project regarding our research.
We created a process at DePaul University to earn credit researching with us.
We did not win the best poster contest at the June workshop in Chicago.
To research and develop new honeynet technology and diversify our research techniques to allow for better correlation in our data. This will specifically include the “archive” project, as well as a high interaction honeypot image for the Global Distributed Honeynet.