honeyblog - administrativa

SPRING 3

nospam@example.com (Thorsten Holz) — Sat, 31 May 2008 09:55:00 +0200

This is a Call for Abstracts for a German workshop for young researchers, thus the following text is in German only.

---------------------------------------------------------------
Arbeitest Du auf dem Gebiet der Reaktiven Sicherheit?

Willst Du Dich mit anderen fachlich austauschen?

Dann haben wir etwas für Dich: Die Fachgruppe SIDAR ("Security - Intrusion Detection and Response") der Gesellschaft für Informatik e.V. veranstaltet die dritte SPRING. SPRING bietet Nachwuchswissenschaftlern auf dem Gebiet der Reaktiven Sicherheit eine Plattform, um themenbezogen Kontakte über die eigene Universität hinaus zu knüpfen. In diesem Jahr findet SPRING am 8. August an der Universität Mannheim statt.

Wir laden Diplomanden und Doktoranden ein, ihre Beiträge zu präsentieren. Die Vorträge können ein breites Spektrum abdecken, von noch laufenden Projekten, die ggf. erstmals einem breiteren Publikum vorgestellt werden, bis zu abgeschlossenen Forschungsarbeiten, die zeitnah auch auf Konferenzen präsentiert wurden bzw. werden sollen oder einen Schwerpunkt der eigenen Diplomarbeit oder Dissertation bilden.

Das Themenspektrum der Reaktiven Sicherheit beinhaltet:

Verwundbarkeitsanalyse
Intrusion Detection
Malware
Incident Management
Forensik

Mehr Informationen: SPRING 3 Webseite.
---------------------------------------------------------------

CanSecWest PWN2OWN 2008

nospam@example.com (Thorsten Holz) — Tue, 18 Mar 2008 09:18:19 +0100

Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):

VAIO VGN-TZ37CN running Ubuntu 7.10
Fujitsu U810 running Vista Ultimate SP1
MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the presentation hours and breaks of the conference until March 28th. The main purpose of this contest is to present new vulnerabilities in these systems so that the affected vendor(s) can address them. Participation is open to any registered attendee of CanSecWest 2008.

Program for LEET'08 & Storm Paper

nospam@example.com (Thorsten Holz) — Tue, 18 Mar 2008 01:29:53 +0100

The tentative program for the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08) is now available.

We also have a paper accepted: "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm"
We still need to revise the paper based on the reviewer's feedback, as a teaser the preliminary abstract:

"Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.
However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms."

Call for Paper: EuroSec 2008

nospam@example.com (Thorsten Holz) — Fri, 1 Feb 2008 14:23:40 +0100

EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the ACM Digital Library

You are hereby invited to submit papers of 6-8 single-spaced pages (including figures, tables and references). Font size should be 10pt.

Important Dates:
Deadline for paper submission: February 4th, 2008 (firm deadline)
Notification of acceptance or rejection: March 1st, 2008
Final paper camera ready copy: March 14th, 2008
Workshop dates: March 31st, 2008

You can find more information at http://www.cs.vu.nl/eurosec08/

UCSB iCTF Results

nospam@example.com (Thorsten Holz) — Sat, 8 Dec 2007 02:28:56 +0100

The 2007 UCSB International Capture The Flag contest finished a few minutes ago. The guys from the UCSB had organized an awesome contest with seven different services and many interesting challenges. The team from our lab had much fun and at the end, we scored second place - just the team from Milano (Chocolate Makers) beat us. Looking forward to next year's contest :-)

Info:
The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants from both the attack and defense viewpoints.

The Capture The Flag contest is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other.

Each team is given a virtualized network installation (for example, a Linux host and/or a Windows host). The hosts provide a number of services. The services have a number of undisclosed vulnerabilities, which have been included in the servers' software by the contest organizers.

The goal of each team is to maintain the set of services available and uncompromised throughout the contest phase. Each team can (and should) attempt to compromise other teams' services. Since all the teams receive an identical copy of the virtual network, the task of each team is to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. At the same time, the teams have to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service will allow a team to bypass the service's security mechanisms and to "capture the flag" associated with the service.

During the contest a scoring system keeps track, for each team, of which services are available, and which services have been compromised.

More info: http://www.cs.ucsb.edu/~vigna/CTF/

Call for Paper: Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'08)

nospam@example.com (Thorsten Holz) — Sun, 2 Dec 2007 11:53:00 +0100

The Call for Papers for the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'08) is available since a couple of days. Since I am a member of the program committee, I would love to see some submission from the readers of my blog.

About the conference:
The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response of the German Informatics Society (GI). In 2008, the conference takes place July 10-11th, 2008 in Paris, France.

DIMVA solicits submission of high-quality, original scientific work. This year we invite two types of paper submissions:

Full papers, presenting novel and mature research results. Full papers are limited to 20 pages, prepared according to the instructions provided below. They will be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings.

Short papers (extended abstracts), presenting original, still ongoing work that has not yet reached the maturity required for a full paper. Short papers are limited to 10 pages, prepared according to the instructions provided below. They will also be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings (containing Extended Abstract in the title).

Important Dates:
Deadline for paper submission: February 4th, 2008 (firm deadline)
Notification of acceptance or rejection: April 8th, 2008
Final paper camera ready copy: April 25th, 2008
Conference dates: July 10-11th, 2008

Full Call for Papers is available at http://www.dimva2008.org/cfp2008.html

Network Visualization

nospam@example.com (Thorsten Holz) — Fri, 30 Nov 2007 11:26:57 +0100

Best comic of the year related to my previous post and worm visualization in general: http://xkcd.com/350/

Call for Paper: 1st Workshop on Large-scale Exploits and Emergent Threats (LEET '08)

nospam@example.com (Thorsten Holz) — Mon, 5 Nov 2007 14:39:54 +0100

The Call for Papers for the First USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '08) is available since a couple of days. I am very proud to be one of the members of the program committee and hope that some readers of this blog also submit a paper to the workshop. LEET '08 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats.

Important dates:

Paper submissions due: February 11, 2008, 11:59 p.m. EST

Notification to authors: March 24, 2008

Final papers due: April 4, 2008

Workshop: April 15, 2008 - San Francisco, CA, USA

The workshop will be will be co-located with the 5th USENIX Symposium on Networked Systems Design & Implementation (NSDI '08), which will take place April 16–18, 2008, and Usability, Psychology, and Security 2008, which will take place on April 14, 2008.

Overview:
As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts (worms, viruses, drive-by exploits, etc.), conceal their activities with sophisticated system software (rootkits), and manage these resources via a distributed command and control framework (botnets). This platform in turn provides economics of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.

Continue reading "Call for Paper: 1st Workshop on Large-scale Exploits and Emergent Threats (LEET '08)"

New KYE paper: Malicious Web Servers

nospam@example.com (Thorsten Holz) — Tue, 14 Aug 2007 20:04:14 +0200

The Honeynet Project & Research Alliance are excited to announce the release of a new paper in our Know Your Enemy series, "KYE: Malicious Web Servers". In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC.

Besides providing the information of this paper, we also publish the complete data set. We hope that Capture-HPC and the data enable the security community to easily become involved in studying the phenomenon of malicious servers.

ArsGeek Review of "Virtual Honeypots"

nospam@example.com (Thorsten Holz) — Tue, 7 Aug 2007 14:41:09 +0200

ArsGeek posted yesterday a review of the book by Niels and me:

Title: Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Author(s): Niels Provos & Thorsten Holz
ISBN10: 0-321-33632-1
ISBN13: 978-0-321-33632-1
Publisher: Addison-Wesley
Cost: $49.99
Format: Paperback, 440 pages.
Published: July 16, 2007

Here is a concise, step by step guide to creating virtual honeypots. Honeypots are sweetened servers or services made available to the public where those seeking to compromise systems (either bots, malware or actual human beings taking a gander) can find vulnerabilities and then exploit them. Honeypots serve to either track and collect information about such attacks or serve as literal traps, netting the bad guys and tracing back to their origins.

Topics in the book range from full fledged virtual OS instances to attract malware and wrongdoers, creating low interaction honeypots to simulate single instances of vulnerabilities (rather than an entire system to compromise) to using various pre-packed tools to attract and trap malware, bots and hackers.

Continue reading "ArsGeek Review of "Virtual Honeypots""

WOOT'07

nospam@example.com (Thorsten Holz) — Mon, 6 Aug 2007 19:58:08 +0200

The First USENIX Workshop on Offensive Technologies (WOOT '07) takes place today and the workshop has a really nice schedule.This is the first workshop I am aware of that deals with mostly offensive techniques - good to see that also this field now has its own workshop :)

Virtual Honeypots

nospam@example.com (Thorsten Holz) — Tue, 31 Jul 2007 02:41:13 +0200

Niels Provos and I have written a book on "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" which was released a couple of days ago. The book deals with high- and low-interaction honeypots and focuses on Honeyd, malware collection, client-side honeypots, botnet tracking, and many more topics. You can order it now in your favorite bookstore, looking forward to your comments :-)

Continue reading "Virtual Honeypots"

USENIX Security '07

nospam@example.com (Thorsten Holz) — Wed, 11 Jul 2007 06:01:32 +0200

I was a bit busy in the last few weeks, some time passed since my last blog entry :-/ Now some updates, first an advertizement for USENIX Security'07:

"Don't miss the 16th USENIX Security Symposium to be held August 6-10, 2007, in Boston, MA.

The 3-day technical conference will kick off on Wednesday, August 8, and includes:

- Keynote address by Steven Levy, Senior Editor and Columnist, Newsweek, on "How the iPod Shuffled the World as We Know It"

- Invited talks featuring our most impressive slate of speakers to date, including:
-- David Dill, Stanford University, on "Computer Security and Voting"
-- Peter Gutmann, University of Auckland, New Zealand, on "Windows Vista Content Protection"

- 23 refereed papers, 1 panel, Work-in-Progress Reports (WiPs), and a
poster session on the latest research.

More information: http://www.usenix.org/events/sec07/tech/

Register by July 16 and save up to $300!"

Call for Paper: 1st USENIX Workshop on Offensive Technologies (WOOT '07)

nospam@example.com (Thorsten Holz) — Wed, 2 May 2007 11:21:00 +0200

The Call for Paper for the 1st USENIX Workshop on Offensive Technologies (WOOT '07) is now available.

Important dates:

Paper submissions due: Thursday, June 7th, 2007, 11:59 p.m. PDT

Notification to authors: July 7th, 2007

Final papers due: July 31st, 2007

The workshop will be will be co-located with the 16th USENIX Security Symposium (Security '07), which will take place August 6–10, 2007.

About WOOT:
Progress in the field of computer security is driven by a symbiotic relationship between our understanding of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications.

Computer security is unique among systems disciplines in that practical details matter and concrete case studies keep the field grounded in practice. WOOT provides a forum for high-quality peer-reviewed papers for discussing tools and techniques for attack.

Submissions should reflect the state of the art in offensive computer security technology—either surveying previously poorly known areas or presenting entirely new attacks.

We are interested in work that could be presented at more traditional security forums, as well as more applied work that informs the field about the state of security practice in offensive techniques.

A significant goal is producing published artifacts that will inform future work in the field. Submissions will be peer-reviewed and shepherded as appropriate.

Call for Paper: 5th ACM Workshop on Recurring Malware (WORM) 2007

nospam@example.com (Thorsten Holz) — Wed, 18 Apr 2007 17:08:00 +0200

The Call for Paper for the 5th ACM Workshop on Recurring Malware (WORM) 2007 is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the workshop.

Important dates:

Paper submissions due: Sunday, June 17th, 2007

Notification to authors: August 7th, 2007

Final papers due: August 22nd, 2007

The workshop will be held at November 2nd, 2007 at George Mason University, VA, USA, in association with the 14th ACM Conference on Computer and Communications Security (CCS).

About WORM:
Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. Self-propagating threats, often termed worms, exploit software weaknesses, hardware limitations, Internet topology, and the open Internet communication model to compromise large numbers of networked systems. Malware is increasingly used as a beachhead to launch further malicious activities, such as installing spyware, deploying phishing servers and spam relays, or performing information espionage. Unfortunately, current operational practices still face significant challenges in containing these threats as evidenced by the rise in automated botnet networks and the continued presence of worms released years ago. The goal of this workshop is to provide a forum for exchanging ideas, increasing understanding, and relating experiences on malicious code from a wide range of communities, including academia, industry, and the government.