Virtual Honeypots

Tuesday, July 31. 2007
Niels Provos and I have written a book, "Virtual Honeypots: From Botnet Tracking to Intrusion Detection", which was released a couple of days ago. The book deals with high- and low-interaction honeypots and focuses on Honeyd, malware collection, client-side honeypots, botnet tracking, and many more topics. You can order it now at your favorite bookstore; I'm looking forward to your comments :-)



USENIX Security '07

Wednesday, July 11. 2007
I was a bit busy in the last few weeks, so some time has passed since my last blog entry :-/ Now some updates, first an advertisement for USENIX Security '07:

"Don't miss the 16th USENIX Security Symposium to be held August 6-10, 2007, in Boston, MA.

The 3-day technical conference will kick off on Wednesday, August 8, and includes:

- Keynote address by Steven Levy, Senior Editor and Columnist, Newsweek, on "How the iPod Shuffled the World as We Know It"

- Invited talks featuring our most impressive slate of speakers to date, including:
-- David Dill, Stanford University, on "Computer Security and Voting"
-- Peter Gutmann, University of Auckland, New Zealand, on "Windows Vista Content Protection"

- 23 refereed papers, 1 panel, Work-in-Progress Reports (WiPs), and a
poster session on the latest research.

More information: http://www.usenix.org/events/sec07/tech/

Register by July 16 and save up to $300!"

Call for Papers: 1st USENIX Workshop on Offensive Technologies (WOOT '07)

Wednesday, May 2. 2007
The Call for Papers for the 1st USENIX Workshop on Offensive Technologies (WOOT '07) is now available.

Important dates:
  • Paper submissions due: Thursday, June 7th, 2007, 11:59 p.m. PDT

  • Notification to authors: July 7th, 2007

  • Final papers due: July 31st, 2007

The workshop will be co-located with the 16th USENIX Security Symposium (Security '07), which will take place August 6–10, 2007.

About WOOT:
Progress in the field of computer security is driven by a symbiotic relationship between our understanding of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications.

Computer security is unique among systems disciplines in that practical details matter and concrete case studies keep the field grounded in practice. WOOT provides a forum for high-quality peer-reviewed papers for discussing tools and techniques for attack.

Submissions should reflect the state of the art in offensive computer security technology—either surveying previously poorly known areas or presenting entirely new attacks.

We are interested in work that could be presented at more traditional security forums, as well as more applied work that informs the field about the state of security practice in offensive techniques.

A significant goal is producing published artifacts that will inform future work in the field. Submissions will be peer-reviewed and shepherded as appropriate.

Call for Papers: 5th ACM Workshop on Recurring Malware (WORM) 2007

Wednesday, April 18. 2007
The Call for Papers for the 5th ACM Workshop on Recurring Malware (WORM) 2007 is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the workshop.

Important dates:
  • Paper submissions due: Sunday, June 17th, 2007

  • Notification to authors: August 7th, 2007

  • Final papers due: August 22nd, 2007

The workshop will be held on November 2nd, 2007 at George Mason University, VA, USA, in association with the 14th ACM Conference on Computer and Communications Security (CCS).

About WORM:
Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. Self-propagating threats, often termed worms, exploit software weaknesses, hardware limitations, Internet topology, and the open Internet communication model to compromise large numbers of networked systems. Malware is increasingly used as a beachhead to launch further malicious activities, such as installing spyware, deploying phishing servers and spam relays, or performing information espionage. Unfortunately, current operational practices still face significant challenges in containing these threats as evidenced by the rise in automated botnet networks and the continued presence of worms released years ago. The goal of this workshop is to provide a forum for exchanging ideas, increasing understanding, and relating experiences on malicious code from a wide range of communities, including academia, industry, and the government.

chmod 777 Apple

Tuesday, April 17. 2007
It's again time for CanSecWest, taking place in Vancouver this week. I teach a course on honeypots today and the conference itself starts tomorrow. The program looks really good; I'm especially looking forward to seeing Jose's talk on "Reverse Engineering Malicious Javascript", "Post-Mortem RAM Forensics", and Ilja's "Unusual Bugs" talk.

Dragos has announced a contest in which you can win an Apple MacBook Pro:
We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple MacBook Pros will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker. Detailed contest rules to follow shortly.

Program for HotBots'07 / Rishi

Thursday, April 5. 2007
The program for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07) is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper, which was accepted. The paper, entitled "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", describes a simple yet effective method to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames, and preliminary results show its usefulness. I will upload the paper once the workshop is over.

Abstract:
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are usually not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&C server, as well as the channels a bot joined and the additional parameters which were set. The software "Rishi" implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen University, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
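To make the nickname-scoring idea from the abstract concrete, here is a small added example (my own illustration, not the Rishi source): a few regex heuristics plus a character-trigram rarity measure learned from a constructed list of ordinary nicknames are applied to constructed IRC command lines, a penalty is added for IRC on an uncommon server port, and every flagged client is reported together with its C&C server, port, joined channels and channel keys. The line format, rules, weights and threshold are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of IRC client commands reassembled from captured TCP
# payloads.  The line format "<src ip> <dst ip> <dst port> <IRC command> [args]"
# is an assumption made for this example.
SAMPLE_TRAFFIC = """\
192.0.2.10 198.51.100.5 6667 NICK alice_
192.0.2.10 198.51.100.5 6667 USER alice 0 * :Alice
192.0.2.10 198.51.100.5 6667 JOIN #linux
192.0.2.23 203.0.113.9 1863 NICK [DEU|XP|SP2]-48213
192.0.2.23 203.0.113.9 1863 USER hbyqk 0 * :hbyqk
192.0.2.23 203.0.113.9 1863 JOIN #b0t5 k3ypass
192.0.2.44 203.0.113.9 6667 NICK USA|00|XP|7731951
192.0.2.44 203.0.113.9 6667 JOIN #b0t5 k3ypass
192.0.2.51 198.51.100.5 6667 NICK bob
192.0.2.51 198.51.100.5 6667 JOIN #linux
"""

# Constructed corpus of ordinary nicknames; its character trigrams define "normal".
BENIGN_NICKS = ["alice", "bob", "charlie", "dave_", "eve42", "mallory", "trent",
                "peggy", "victor", "walter", "sybil", "oscar", "jdoe", "kate",
                "mike", "nina", "olivia", "paul", "quinn", "rob", "sam", "tom"]

STANDARD_IRC_PORTS = set(range(6660, 6670)) | {7000}

# Assumed heuristics and weights: (weight, pattern, reason).
NICK_RULES = [
    (3, re.compile(r"[\[\]{}|]"), "bracket/pipe separators"),
    (3, re.compile(r"\d{4,}"), "long digit run"),
    (2, re.compile(r"\b(XP|2K|NT|DEU|USA|GBR|ITA)\b", re.I), "country/OS token"),
    (1, re.compile(r"^[^a-zA-Z]"), "does not start with a letter"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)(?: (.*))?$")


def letter_trigrams(s):
    """Character trigrams over the lower-cased letters of s (digits/symbols dropped)."""
    letters = re.sub(r"[^a-z]", "", s.lower())
    return [letters[i:i + 3] for i in range(len(letters) - 2)]


def build_trigram_model(nicks):
    return Counter(t for n in nicks for t in letter_trigrams(n))


def ngram_rarity(nick, model):
    """Fraction of the nick's trigrams never seen in the benign corpus (1.0 if none)."""
    grams = letter_trigrams(nick)
    if not grams:
        return 1.0
    return sum(1 for g in grams if model[g] == 0) / len(grams)


def score_nick(nick, model):
    """Return (score, reasons) for one nickname."""
    score, reasons = 0, []
    for weight, pattern, reason in NICK_RULES:
        if pattern.search(nick):
            score += weight
            reasons.append(reason)
    rarity = ngram_rarity(nick, model)
    if rarity >= 0.75:
        score += 2
        reasons.append("rare trigrams (%.2f unseen)" % rarity)
    return score, reasons


def analyse(traffic, model, threshold=4):
    """Score every (client, server, port) session; return flagged clients with C&C details."""
    sessions = defaultdict(lambda: {"nick": None, "score": 0, "reasons": [],
                                    "channels": [], "params": []})
    for line in traffic.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port, cmd = m.group(1), m.group(2), int(m.group(3)), m.group(4).upper()
        args = (m.group(5) or "").split()
        s = sessions[(src, dst, port)]
        if cmd == "NICK" and args:
            s["nick"] = args[0]
            points, why = score_nick(args[0], model)
            s["score"] += points
            s["reasons"] += why
        elif cmd == "JOIN" and args:
            s["channels"].append(args[0])             # channel the bot joined
            if len(args) > 1:
                s["params"].append("key=" + args[1])  # channel key set by the botmaster
        elif cmd == "USER" and args:
            s["params"].append("user=" + args[0])
    report = {}
    for (src, dst, port), s in sessions.items():
        if port not in STANDARD_IRC_PORTS:            # C&C on an uncommon server port
            s["score"] += 2
            s["reasons"].append("uncommon server port %d" % port)
        if s["score"] >= threshold:
            report[src] = dict(s, cnc=dst, port=port)
    return report


if __name__ == "__main__":
    model = build_trigram_model(BENIGN_NICKS)
    for host, info in analyse(SAMPLE_TRAFFIC, model).items():
        print("%s -> C&C %s:%d nick=%r score=%d channels=%s params=%s"
              % (host, info["cnc"], info["port"], info["nick"], info["score"],
                 info["channels"], info["params"]))
        print("   reasons:", "; ".join(info["reasons"]))
```

On the constructed sample, the two hosts with bot-style nicknames are flagged and both resolve to the same C&C server and channel, while the two ordinary clients score zero. In practice the benign corpus would be built from nicknames observed on the local network, and a whitelist for known-good servers is needed to keep the false-positive rate down.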

RAID'07 deadline extension

Thursday, March 22. 2007
The deadline for RAID 2007 has been extended to April 8th. So if you plan to submit a paper, you have about one more week. Looking forward to your submissions :-)

Honeypot Classes @EUSec and CanSec

Wednesday, January 17. 2007
I will teach a course on "Advanced Honeypot Tactics" at the upcoming EUSec (February 28) and CanSec (April 16-17) conferences. The course will concentrate on low-interaction honeypots, mainly nepenthes and honeyd. In addition, a large part of the tutorial deals with lessons learned during operation, how to use honeypots to protect a network, bots/botnets, and malware analysis with the help of CWSandbox. You can find more information at the web site of EUSec and CanSec. If you have questions regarding the curriculum, just contact me at thorsten [dot] holz [at] gmail [dot] com

Call for Papers: RAID '07

Friday, December 22. 2006
The Call for Papers for the International Symposium on Recent Advances in Intrusion Detection (RAID '07) is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the conference.

Important dates:
  • Paper submissions due: Saturday, March 31st, 2007

  • Panel proposals due: May 5th, 2007

  • Notification to authors: June 1st, 2007

  • Final papers due: June 16th, 2007

  • Deadline for poster abstract submission: July 7th, 2007

  • Notification for poster acceptance: July 23rd, 2007

The conference will be held from September 5-7, 2007, at the Crowne Plaza, Gold Coast, Queensland, Australia.

About RAID:
This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:


"My Robot Brain Needs Beer"

Sunday, November 26. 2006
Yesterday I arrived in Tokyo for PacSec, I'll teach a Dojo on honeypots next week. The agenda looks pretty interesting, I'm looking forward to the talk on the malware landscape by some Microsoft guys, and the talks on Vista and IPv6.

The web-decoy honeypot, which is designed to collect information related to attacks against web applications, now has a web frontend and can draw pretty pictures. The figure below is an example of SQL attacks we monitored against one particular honeypot that runs phpMyAdmin.

We should have a web frontend with statistics for everyone in the next couple of weeks.