chmod 777 Apple

Tuesday, April 17. 2007
It's again time for CanSecWest, taking place in Vancouver this week. I teach a course on honeypots today and the conference itself starts tomorrow. The program looks really good, especially looking forward to see Jose's talk on "Reverse Engineering Malicious Javascript", "Post-Mortem RAM Forensics", and Ilja's "Unusual Bugs" talk.

Dragos has announced a contest, in which you can win a Apple MacBook Pro:
We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple Macbook Pro's will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, Can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker. Detailed contest rules to follow shortly.
Posted by Thorsten Holz in administrativa at 16:47 | Comments (0) | Trackbacks (0)

Program for HotBots'07 / Rishi

Thursday, April 5. 2007
The program for the First Workshop on Hot Topics in Understanding Botnets is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper which was accepted. The paper entitled "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", describes a simple, yet effective methods to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames and preliminary results show the usefulness. I will upload the paper once the workshop is over.

Abstract:
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C\&C server, as well as, the channels a bot joined and the additional parameters which were set. The software "Rishi" implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
Posted by Thorsten Holz in administrativa, paper at 08:50 | Comments (0) | Trackbacks (0)

RAID'07 deadline extension

Thursday, March 22. 2007
The deadline for RAID 2007 has been extended to April 8th. So if you plan to submit a paper, you have about one week more time. Looking forward to your submissions :-)
Posted by Thorsten Holz in administrativa at 17:18 | Comments (0) | Trackbacks (0)

Honeypot Classes @EUSec and CanSec

Wednesday, January 17. 2007
I will teach a course on "Advanced Honeypot Tactics" at the upcoming EUSec (February 28) and CanSec (April 16-17) conferences. The course will concentrate on low-interaction honeypots, mainly nepenthes and honeyd. In addition, a large part of the tutorial deals with lessons learned during operation, how to use honeypots to protect a network, bots/botnets, and malware analysis with the help of CWSandbox. You can find more information at the web site of EUSec and CanSec. If you have questions regarding the curriculum, just contact me at thorsten [dot] holz [at] gmail [dot] com
Posted by Thorsten Holz in administrativa at 19:06 | Comments (0) | Trackbacks (0)

Call for Paper: RAID '07

Friday, December 22. 2006
The Call for Papers for the International Symposium on Recent Advances in Intrusion Detection (RAID '07) is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the conference.

Important dates:
  • Paper submissions due: Saturday, March 31st, 2007

  • Panel proposals due: May 5th, 2007

  • Notification to authors: June 1st, 2007

  • Final papers due: June 16th, 2007

  • Deadline for poster abstract submission: July 7th, 2007

  • Notification for poster acceptance: July 23rd, 2007

The conference will be held from September 5-7, 2007, in Crowne Plaza, Gold Coast, Queensland, Australia.

About RAID:
This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:

Continue reading "Call for Paper: RAID '07"

Posted by Thorsten Holz in administrativa at 18:18 | Comments (0) | Trackbacks (0)
« previous page   (Page 4 of 7, totaling 31 entries) » next page