On Friday 26 June the Norwegian newspaper Aftenposten published a two-page article about honeypots. The article expressed concerns about the ethical and legal aspects of the technology. We are happy to see that the media are concerned about security and privacy issues on the Internet. Unfortunately the article contained some mistakes and misconceptions which we would like to clarify.
Research organization
The Honeynet Project is an international, non-profit (501c3) research organization dedicated to improving the security of the Internet at no cost to the public. As stated on the Honeynet Project web site [1], our vision is: to learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.
We raise awareness of the threats and vulnerabilities that exist on the Internet today. Many individuals and organizations do not realize they are a target, nor understand who is attacking them, how, or why. We provide this information so people can better understand that they are a target, and understand the basic measures they can take to mitigate these threats. For those who are already aware and concerned, we provide details to better secure and defend their resources. Historically, information about attackers has been limited to the tools they use. We provide critical additional information, such as their motives for attacking, how they communicate, when they attack systems and their actions after compromising a system. And for organizations interested in continuing their own research on cyber threats, we provide the tools and techniques we have developed. As an example, the Honeynet Project was involved in reducing the effect of Conficker, which among other targets hit the Norwegian Police, by providing tools and information [2].
Honeypots
A honeypot is a computer designed to be attacked. Most honeypots are built the same way as computers used all over the world. The only difference is that a honeypot has no valid users and no production purpose: no one should be interacting with it. Just like any computer at work or at home, a honeypot logs the IP address of any system that attempts to connect to it. To gain access to the system, an attacker must break into it. The concept is similar to a locked door on an empty house: no one should be coming in or out, and the only way in is to break the lock.
Jon Bing and Georg Apenes expressed concerns that innocent users could stumble into the honeypots and have their actions logged. The honeypots are, however, never advertised to users. No part of the deployment of our honeypots actively entices or lures anyone to enter them. You cannot find them through Google or any other service. The only way to find them is to actively probe and scan for them, which is exactly what attackers do. In addition, there are no legitimate accounts on the system; the only way to get access is to attack it, just as a criminal would have to break the lock on a door.
In the article, Bing compared honeypots to building a new street and setting up surveillance cameras in the whole area, without visitors knowing that the information is stored and analyzed. This analogy is incorrect. An innocent user can easily walk into the wrong street. But to have their actions logged by a honeypot, the user has to find and attack the honeypot; they have to break the lock. A better analogy is a building with a locked door in a back alley and surveillance cameras inside. If someone found the door and broke into the building, they would be monitored by those cameras. In addition, the goal is not to arrest the perpetrator, but rather to learn how he broke into the house and what he did once inside. The intention is to use that knowledge to build safer homes and design better locks in the future.
Donations
Another issue raised by the journalist was our donations, especially from Telenor and Lyse. It is correct that those two companies have helped us with both hardware and Internet access, and other companies have helped in similar ways. In no case do these companies receive special treatment or information. All information (as long as it does not compromise ongoing research) is shared with the public at no cost.
In agreement with Aftenposten, we are publishing a translated version of the article.
The Honeynet Project, Norwegian chapter will contact the Norwegian Data Inspectorate and Jon Bing to explain the topic in detail. The Honeynet Project, Norwegian Chapter can of course not operate if we are considered unethical or on the edge of the law.
Notice: We have removed the page “Information in Norwegian” due to possible misunderstandings when English words and expressions had inadequately been translated to Norwegian. It will be replaced with a new fact-sheet about The Honeynet Project.
The Honeynet Project press contact is lance.spitzner@honeynet.org
2. http://en.wikipedia.org/wiki/Conficker#Removal_and_detection
Honeypots have been actively used by the security community for over ten years now. They are used for a variety of purposes, but nowadays primarily for information gathering. When honeypots were first used they generated a great deal of discussion about the legal issues. Over the years this debate has died down, with most organizations feeling these issues are minor. I just wanted to share an update on these thoughts.
This week I completed an important step which is to integrate a parser in Honeybrid. There are now two new files in the source code:
I first observed this phenomenon when I tried the NtReadFile test last week: sometimes, when postNtReadFile is called, the handle value, buffer address and buffer size read from the stack are quite different from the values read in preNtReadFile. I did not pay much attention to the problem at the time, but when I tried to debug the NtSecureConnectPort API with WinDBG today the phenomenon appeared again, so I studied it further.
First, I set a break point at nt!NtSecureConnectPort:
Like a lot of people, we unfortunately get a LOT of spam. I thought it would be interesting to sort it into distinct groups and make some word clouds, or more specifically spamclouds, from the content of the spam.
The idea behind these spamclouds is that a quick glance draws your eye to the more dominant words, and also gives a sense of the relative importance of words used in each spam type.
I sorted the spam from around 3-6 months worth of data into 3 distinct groups as follows:
Phishing spam: These are emails claiming to be from a legitimate institution, such as the tax office, bank, ISP or credit union. They attempt to dupe victims into handing over their banking details, and other data that could be used in many forms of identity theft. For the purpose of this exercise I concentrated on emails purporting to be from Australian based institutions. The word Commonwealth stands out due to the fact that the Commonwealth Bank of Australia have been the target of a large amount of phishing attacks recently. Read more about this style of scam at the Scamwatch website here.
Money mule spam: These are emails that attempt to recruit people into becoming "money mules" for the purpose of laundering stolen funds. Often the victim believes they are taking part in a legitimate activity, such as a new job as a transfer agent, where their pay is a small percentage of each 'transfer'. Read more about this style of scam here.
(click to enlarge)
Advance Fee Fraud spam: Also known (quite unfairly) as "Nigerian Scams" or "419" scams. Read more about this style of scam here.
(click to enlarge)
I was initially going to do medication/viagra spam as a category as well. However the words that are typically used in the majority of these emails are just so bizarre and nonsensical, that the spamcloud would probably be quite humorous, but not really useful.
Now, obviously the results will vary with different datasets and time periods, so please don't read too much into this piece of work, it's not overly scientific, but hopefully it is still useful and instructive to the public.
We recommend anyone thinking they (or someone they know) may have fallen for one of these scams to check out the Scamwatch website http://www.scamwatch.gov.au. This is a very useful resource for the public to learn about many types of scam, and is run by the Australian Competition and Consumer Commission (ACCC).
This is supposed to be the first Qebek blog, but unfortunately, it cannot pass the check of mod_security (even today), so I posted here.
Hi folks,
It took me a long time to work on the data model, the back-end, and to set up all my framework (Tapestry+hibernate+Spring+ACEGI+Maven), but it's done right now.
So I will post once a week I guess about new features I added.
I'd like to speak a bit about how my webapp works. The main goal is to separate every layer of my web.
e.g front-end/business/back-end :
This week, I added
Hello all!
Last night we released the newest version of the PicViz suite (which contains all PicViz tools). Specifically for the GUI, we can now brush the lines dynamically and zoom in the graph. To allow line brushing it was necessary to reimplement some important PyQt classes used in the GUI. It wasn't easy, but now it works, although we must keep improving the line (event) selection.
We’re pleased to announce a new service: CC2ASN – Country Lookup. This service provides you with the AS numbers and the IPv4 and IPv6 prefixes belonging to a specific country. The data is based entirely on publicly available information from the five RIRs: ARIN, RIPE NCC, APNIC, LACNIC and AfriNIC. The database is updated once a day.
As input to this service, use ISO 3166-1 alpha-2 country codes (more info). Note that in addition to the ISO-defined codes, the following two codes are also used for multi-regional networks: AP (Asia-Pacific) and EU (European Union).
You may access the data either through the web interface or from the command line. A standard whois client can be used when the result set is “not too large”. The preferred way is a plain TCP client such as netcat, which sends the query to port 43 and reads until the server closes the connection. Here are some examples illustrating both ways:
whois -h atari.honeynor.no no
whois -h atari.honeynor.no ipv4 ke
echo "all us" | nc atari.honeynor.no 43
The first lists all AS numbers registered for Norway, while the second lists all IPv4 prefixes for Kenya. The last line uses netcat to fetch everything (ASN, IPv4 and IPv6) registered for the USA (this query will fail with a standard whois client).
For more information, please read the documentation (There are some caveats to be aware of, and more alternatives to download this data. It’s all in the docs).
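A small client for the service, as an added example that is not part of the announcement and not the CC2ASN project's own code. It does what the `echo ... | nc atari.honeynor.no 43` line does (one query line over TCP, read to EOF), splits the answer into AS numbers and prefixes, and shows the typical follow-up use: checking whether an address from a honeypot log falls inside a country's prefixes. The response format (one entry per line, `AS<n>` for AS numbers, CIDR for prefixes, `%` or `#` comment lines) is an assumption made here, and the sample response is constructed from documentation ranges rather than real output:

```python
import ipaddress
import socket

CC2ASN_HOST = "atari.honeynor.no"
CC2ASN_PORT = 43  # the whois port used in the netcat example above


def cc2asn_query(query, host=CC2ASN_HOST, port=CC2ASN_PORT, timeout=15):
    """Send one query line (e.g. 'no', 'ipv4 ke', 'all us') over a plain TCP
    connection and read until the server closes it, like `echo ... | nc`.
    Line ending is CRLF as in RFC 3912 whois; the server is assumed to accept it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.strip().encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_cc2asn(text):
    """Split a response into AS numbers, IPv4 and IPv6 networks.
    Assumed format: one entry per line, 'AS<n>' for AS numbers, CIDR prefixes
    otherwise; lines starting with '%' or '#' are comments. Anything that fits
    neither shape is kept under 'unparsed' instead of being silently dropped."""
    result = {"asn": [], "ipv4": [], "ipv6": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        if line[:2].upper() == "AS" and line[2:].isdigit():
            result["asn"].append(int(line[2:]))
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            result["unparsed"].append(line)
            continue
        result["ipv4" if net.version == 4 else "ipv6"].append(net)
    return result


def address_in_country(addr, parsed):
    """True if `addr` falls inside any prefix of a parsed response; the usual
    use is tagging attacker IPs in honeypot logs with a country."""
    ip = ipaddress.ip_address(addr)
    nets = parsed["ipv4"] if ip.version == 4 else parsed["ipv6"]
    return any(ip in net for net in nets)


# Constructed sample response using RFC 5737/3849 documentation ranges and
# private-use AS numbers; it is not real CC2ASN output for any country.
SAMPLE_RESPONSE = """\
% CC2ASN sample (constructed for this example)
AS64496
AS64497
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
not an entry
"""

if __name__ == "__main__":
    parsed = parse_cc2asn(SAMPLE_RESPONSE)   # offline; swap in cc2asn_query("all no")
    print(parsed["asn"], [str(n) for n in parsed["ipv4"]])
    print(address_in_country("192.0.2.77", parsed))
```

`cc2asn_query` needs network access and is not exercised offline; everything else runs on the constructed response. Note that the country tag comes from RIR registration data, so an address registered to one country may well be used from another; treat the match as enrichment, not evidence.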
The code is like this:
class unknown_obj(object):
    def __call__(self, *arg):      # unknown_obj(...)   -> another unknown object
        return unknown_obj()
    def __getitem__(self, key):    # unknown_obj[key]   -> another unknown object
        return unknown_obj()
    def __getattr__(self, name):   # unknown_obj.name   -> another unknown object
        return unknown_obj()
The three methods are: __call__ for function calls (*arg means arg is the argument list), __getitem__ for subscript access using '[]', such as a[3] where 3 is the key, and __getattr__, as mentioned, for any member access using '.'. Since each of them returns a fresh unknown_obj, the result can be called, indexed or dereferenced again without error, so almost any code is legal against an object like this. For example:
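An extended version of that class, as an added example that is not part of the original post: it keeps the three hooks but records the path of every operation, and is wrapped in a namespace that hands out such objects for any name a script references but never defines. That turns the "everything is legal" property into a trace of what the script tried to touch, which is the point of using such a placeholder in an analyser. The `UnknownNamespace` class, `trace_script` function and the DOM-like sample script are assumptions for this example, not part of any honeyclient's API:

```python
import builtins


class unknown_obj(object):
    """Catch-all stand-in for a value the analyser knows nothing about.
    Same three hooks as the class above, plus a path string so that every
    operation the script performs on it is appended to a shared log."""

    def __init__(self, path="<unknown>", log=None):
        # Set bookkeeping attributes without going through __getattr__.
        object.__setattr__(self, "_path", path)
        object.__setattr__(self, "_log", [] if log is None else log)

    def _child(self, path):
        self._log.append(path)
        return unknown_obj(path, self._log)

    def __call__(self, *args):                       # foo(1, 'x')
        rendered = ", ".join(repr(a) for a in args)
        return self._child("%s(%s)" % (self._path, rendered))

    def __getitem__(self, key):                      # foo[3]
        return self._child("%s[%r]" % (self._path, key))

    def __getattr__(self, name):                     # foo.bar
        if name.startswith("__"):                    # leave Python's own protocol lookups alone
            raise AttributeError(name)
        return self._child("%s.%s" % (self._path, name))

    def __repr__(self):
        return self._path


class UnknownNamespace(dict):
    """Namespace that resolves real builtins normally and turns any other
    unknown name into a tracing unknown_obj instead of raising NameError."""

    def __init__(self, log):
        super().__init__()
        self.log = log

    def __missing__(self, name):
        if hasattr(builtins, name):
            return getattr(builtins, name)
        return unknown_obj(name, self.log)


def trace_script(source):
    """Run `source` with every free name bound to a tracing unknown_obj and
    return the list of operations performed on those objects, in order."""
    log = []
    ns = UnknownNamespace(log)
    # ns is passed as the locals mapping: module-level name lookups go through
    # dict.__getitem__ and hence __missing__ for names the script never set.
    exec(compile(source, "<script>", "exec"), {"__builtins__": builtins}, ns)
    return log


# Constructed snippet standing in for a script under analysis; the DOM-like
# names are deliberately undefined so that every access on them is traced.
SAMPLE_SCRIPT = """\
el = document.getElementById('payload')
data = el.innerHTML.split(',')[0]
window.eval(data)
"""

if __name__ == "__main__":
    for step in trace_script(SAMPLE_SCRIPT):
        print(step)
```

The trace is only as good as the placeholder: operators (`+`, `==`, iteration, `len()`) are not hooked here and will raise, which is the usual next step when building such an object out. Builtins are resolved first on purpose; without that check `print` or `len` would also become unknown objects.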
Hi folks! I'm happy because the work on the Picviz project is going well. Another feature is finished, one that was set out in the proposal we are working from to improve the Picviz interface.
Item 2 from our proposal, which is now ready:
In PCP research, axis reordering is a vital type of analysis. A difficult task is to recognize relationships among a small number of variables, especially if those variables are distant in the representation; readjusting the position of each variable interactively can improve the graphics and extract more information from them.
You could see that this feature was done, but I haven't posted an effective demonstration for readers of the Honeynet blog yet. With the help of my tutor Sebastien, we created a gif that shows axis reordering in action.
Hi everyone,
I just wanted to share few things with you about my project.
I'm still very excited to work on my project, and if anyone is interested in what I've done, here is a short tutorial I created to set up the project quickly.
If some kind people would like to test it and give me their feedback, that would be the best way for me to improve it.
Last saturday I've finally released a new Glastopf version. There are some new features and many changes under the hood.
Since the annual workshop in KL earlier in the year, I've been learning a lot about VOIP from Sjur Usken from the Norwegian Honeynet Chapter and Sandro Gauci from Enable Security. Both are experts in the field of VOIP security, and we thank them for their assistance to the Australian Honeynet Project.
We've been testing a couple of different styles of VOIP honeypots (yes, phoneypots). Presently we have one sensor in operation in the AU IP space, which is being piloted. We plan to increase the number once the techniques have matured and the tools are released by their authors.
We've seen some very interesting scanning of our phoneypot sensor during the pilot, and the results will be posted shortly, so stay tuned for the following installments!
VOIP phoneynet : PART 2 "OBSERVATIONS OF THE VOIP PILOT THUS FAR"
VOIP phoneynet : PART 3 "WHAT WOULD CROOKS DO WITH A COMPROMISED VOIP GATEWAY ANYWAY?"
VOIP phoneynet : PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS"
VOIP phoneynet : PART 5 "WHAT MIGHT THE FUTURE HOLD WITH VOIP SECURITY"
VOIP phoneynet : PART 6-n "TBA, what do you want ? , I'm taking requests at ben@honeynet.org.au "
This is an interesting area, and increasingly important as VOIP gets more popular and is targeted by wrong-doers.
We feel that the general level of understanding of VOIP security, and even more so of malicious VOIP activity, is relatively low, and that we need to raise it by getting a better view of the malicious VOIP activity out there. This has been the driver behind this project. If you have any experience with VOIP honeynets, or actual incidents (anecdotal or specific), please feel free to contact us.
When using hooking technology to intercept system calls, there are two different places to collect information: before the original function is called (precall) and after the original function returns (postcall). Input arguments are visible at both points, but the return status and any output data (for a read, the filled buffer and the byte count) only exist after the original has returned. For example, in the Sebek Win32 client, when the callback function OnZwReadFile is called, it first calls the original function s_fnZwReadFile; after the original returns, it checks whether the call succeeded and, if it did, calls the data collection function LogIfStdHandle: