Australian Honeynet Project

Over the last month, I delivered presentations on the following topics:
- The Honeynet Project
- VOIP security and honeypot deployments and attack results
- VOIP attacker/defender demonstrations
- Examples of data visualization of security datasets
The conferences are summarised below, and since the slide decks were all somewhat similar, I produced a summary set for download here.

The Australian High Tech Crime Conference, HTCC2010 8 September 2010
Presentation: VOIP Honeypots
The High Tech Crime Conference was hosted in Sydney by the High Tech Crime Operations portfolio, within the Australian Federal Police (AFP) in conjunction with the University of Technology Sydney. The HTCC brings together domestic and international experts and thought leaders from the Judiciary, legal fraternity, government, law enforcement agencies, academia and the private sector.

Melbourne Branch: Australian Information Security Association (AISA) 12 August 2010
Presentation: The Honeynet project and Data Visualisation for Security Purposes

Sydney Branch: Australian Information Security Association (AISA) 15 September 2010
Presentation: HiTech Crime and Honeypots

Ballarat Innovation, Communication and Technology Cluster 15 June 2010
Presentation : Honeynet Project

I'd like to thank the AFP, AISA and the ICT for the opportunity to share my research, results and ideas with the Law enforcement, academic and AISA communities.

@benreardon

As readers of this blog would know, VOIP honeypots have been an interest area of mine for some time. Although, the problem was that the honeypot technologies were often standalone scripts that had to be installed and run by themselves, and so couldn't be shared very easily. The notion of building this functionality into the Dionaea honeypot framework made a lot of sense, as this would make deployments and logging easier and more accessible to everybody.

To address this need, we proposed a project as part of our Google Summer of Code (GSOC) 2010 initiative, for which we then received student funding from Google. We then accepted an enthusiastic and talented student in Tobius Wulff from the University of Canterbury in Christchurch, New Zealand to complete the coding. Together with the main author of the Dionaea framework Markus Koetter as a mentor, and myself and Sjur Usken (Norwegian Chapter) as co-mentors, we were all successful in our aim!

Tobi blogged updates all the way through the project, and the final source code for the GSOC project is here.

Thank you to David Watson, who was the main org admin for GSOC, Markus, Tobi and Sjur for taking on the challenge and coming out of GSOC 2010 with a great result. Amazing what can happen when an Aussie, an Englishman, a Norwegian and a couple of Germans get together..

@benreardon

Late in July 2010, we assessed over 21 solutions that were submitted to the Forensic Challenge on VOIP.

The solutions were exceptionally high quality. It is fair to say that we all learnt a lot about this emerging threat in the process of preparing this challenge.

Congratulations to the winners:
- Franck Guenichot (France)
- Fabio Panigatti (Italy)
- Shaun Zinck (USA)
You can download these solutions, here on the main challenge webpage.

Even though the official challenge is over, you are free to download the challenge and try it yourself at any time. Feel free to send your solution in for review also.

I really enjoyed the process of the Challenge, it was an awesome global team effort to prepare, translate, mark and generally organise FC4.

Some of you seem hooked on the challenges, and it is fantastic to start seeing the same names appearing on successive challenges, so watch out for FC5 which is due out soon!

@benreardon

We are pleased to announce that the next Honeynet Project Forensic Challenge has been released: "Forensic Challenge 4 - VOIP". If you've been following my VOIP blog series here, you might be interested in taking up the challenge.

Designing the challenge was a joint project with Sjur Usken from the Norwegian chapter. I've been working with Sjur on VOIP honeynet research since last year's annual workshop in KL. For the forensic challenge, we had assistance from several other chapters who provided some valuable feedback, so it was a great all round team effort.

Also of note is that for the first time, we've had the challenge translated into Chinese (both Simplified and Traditional versions). This was carried out by Julia Cheng from the Taiwan chapter, Jianwei Zhuge from the China chapter and Roland Cheung from the Hong Kong chapter. The translation was not a trivial task, so a special 谢谢 (thank you - Traditional CN) and 謝謝 (thank you - Simplified CN) to those involved.

Best of luck, and enjoy the challenge!
"謝謝，請多多指教"

@benreardon

Our Annual workshop was held last week at UNAM University in Mexico City, which is an inspiring venue.

The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and data analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to attend the 4 day workshop. The type of collaboration that is fostered during these workshops just cannot occur to the same extent online, so the workshop is the highlight of the year for us.

The Australian Chapter contributed to the workshop by presenting on our work over the last year in the following areas:
- Visualization
- VOIP honeypots, and how they react to VOIP scanning/cracking tools
- Sandbox tools
- Defacement monitoring

This year, we were also lucky to get advice on blogging from renowned security journalist Brian Krebs and also learnt some presentation tips from our own Lance Spitzner.

A big "Muchos Gracias" goes to our hosts from the UNAM Chapter. They really went our of their way to make sure we were all looked after, and this made the whole experience so much more valuable and enjoyable.

@benreardon

We are happy to report that on March 18, Google accepted the Honeynet Project's GSOC 2010 application. We are now one of the 152 Mentor organizations working busily on project ideas and chatting to prospective students in preparation.

View our current project ideas here, remember that these ideas can come from anyone, so if you have a good idea - please don't be afraid to put it up for consideration (nothing ventured, nothing gained!) We also highlight this is a global effort, students from many countries (including Australia) can participate. Visit the google GSOC FAQ's here, which includes the eligibility requirements.

The next phase of the project is the student application period, which extends through to April 9. View the full timeline here.

Please also drop in our IRC channel #gsoc-honeynet on irc.freenode.net if you have any questions, or are interested in getting involved. We have honeynet chapter members in a good spread of timezones, so there will always be one us to help with queries.

ben

Backing up from our successful debut in Google's "Summer Of Code" initiative GSOC 2009, The Honeynet project have applied to be part of the upcoming GSOC 2010 program.
For details of our submission (and a summary of last year's program) refer to our main GSOC site.

We will find out if our application is successful on March 18th, when hopefully we will begin refining the project ideas, and chatting to prospective students.

Feel free to drop in our IRC channel #gsoc-honeynet on irc.freenode.net if you have any questions.

ben

There are quite a few ways that a criminal can make use of a compromised VOIP server. Its important to realize that the criminal mind is very imaginative, and there will be many motives and scams that we have not even imagined yet, much less experienced.
When looking at these types of questions, I think it helps to have the notion of motive in the back of your mind. This may sound obvious, but I find this helps answer the question 'what would a person or group with this motivation want with a compromised VOIP system?'.

Here are some potential motives. While I won't go into every possible scenario, it's really not hard to imagine that the full control of target's phone system would be handy for people with any of these motives.

I got some great local and international feedback on incidents from readers of Part 1 and Part 2 of this blog series (Thank you everyone). Most of these incidents seem to fall into the 'Financial gain' motive group, so I'll give two examples of a common attacks which are currently seen in AU and overseas, and a possible future threat.

Cheap overseas calls / calling cards.
One of the most common uses for hacked VOIP servers is to simply make unauthorized calls, and there have been incidents of hacked VOIP servers being used in relation to calling card scams to do just this. This is not to say that all cheap calling cards operations are scams, most I'm sure are legitimate.
Here is a brief overview of a simple version of the scam:

The important thing is that the calling card holder just got an overseas call for the cost of a local call, plus the crooks margin, so they are not really the victim. The owner of the hacked VOIP server however may (or may not depending the size of a normal bill) realize that something is amiss when they get their next phone bill, as it was their system that made the calls. We have heard a few stories of this occurring (in Australia and abroad), where the victim's telephone bill inexplicably sky-rocketed by over $20,000 in one case here in Australia!

Premium rate number calling
This attack predates VOIP by many years, first being used on standard corporate PABX systems. VOIP has made this much more lucrative for the crooks due to the call volumes it allows.

The scam is fairly simple.

In this case, the victim may not realise they have been hacked until they receive the bill at the end of the month, by which time the crook has made off with potentially hundreds of thousands of dollars over at least 2 weekly collection periods.
Note also that there is a money trail here, so the crook must also engage in other crime types such as identity theft, money laundering etc to actually get cash out.

Future threat – Denial of Service
The motive behind this attack could probably be any of the ones listed above.
I've not heard of any instances of this, but it's worthwhile considering how we would deal with the threat of Denial of Service on Voice systems. This could be as simple as an attacker using a hacked VOIP system to dial multiple concurrent calls into a target's phone numbers (VOIP, or PSTN for that matter) which would exhaust all of the available connections, even ISDN/PSTN indials??. Remember that SIP, the predominant VOIP protocol is UDP (connectionless) and being an Internet protocol could be emulated/faked, so perhaps a hacked VOIP system wouldn't even be required to effect a DOS.
This area needs much more research and consideration from authorities much better funded and capable than us, and yes we are more than happy to brainstorm ideas on threat scenarios and mitigations with the appropriate agencies/researchers, just contact us.

Given the importance of voice systems both for commerce and its use in emergency situations, it's imperative that threat scenarios are identified and risks are mitigated to within acceptable tolerances. I hope this blog gives some background info to organizations who are starting to consider the threats they face, and put in place appropriate controls and response plans.

Next in the blog series is PART 4 "HOW BEST TO PROTECT AGAINST VOIP THREATS". Feel free to contact me at [email protected] with any feedback, or input into the next one.

Shown below is a visual of a time series analysis representing malicious activity reported by our 6 most active and reliable SensorNET honeypots. These honeypots have been deployed for between 9 months and 2 years in the Australian IP space. our honeypots are designed to detect malicious network activity in a passive and safe manner, you can read more about the background of our SensorNET here.

CLICK to enlarge.

Each one of these blue dots represents a group of other people's compromised computers attempting to compromise our honeypots in an effort to get it to join a botnet. All of this happens in the background, and does not require any action by the owner of the computer, or even for them to be sitting at the compromised computer.
Some of these attacks come from computers in Australia, and many come from other countries as well. We have done some visual analysis on the location of these attackers in past blogs using geographric heatmaps here and with a tool called Circos here.

While there are a lot of factors involved in malicious activity on the internet. I tried to keep it simple, and this visual does a reasonable job of helping us understand when malicious network activity peaks.

Relatively little activity is seen in the early hours between 3am and 7am. Then we see a substantial, and consistent uptick in activity on every day between 8am and 9am. This may be caused by people turning on infected PC's, which then go and scan for new victims at this time. Throughout the day, activity generally increases, peaking around the middle of the night. The old adage 'beware the midnight hour' seems to be applicable even on the internet (Hence the spooky green bar graph, just for fun).

From our results, it appears just after midnight on Friday and Thursday nights would probably be the most dangerous time for an unattended, insecure computer to be on the Australian internet. Of course there is actually no 'safe' time for such a computer to exist on the Internet, but it is interesting to do this analysis.

Each one of these attacks is preventable by using a proper firewall, good practice, antivirus, and security patches. To avoid contributing to the blue dots on this visual, read AusCERT's advice here on how to best to protect your computers.

If you have a similar dataset that you are interested in studying in this manner, send me an email at [email protected]

In a previous blog, we showed off some heatmaps that were supposed to help answer the question "Where does SPAM come from?". The problem with these maps, is that they are the combination of months of data without any respect to time.

So I set out to show the same information in a video to help answer a broader question "When and Where does SPAM come from?". Each red flash represents a moment in time that a point on the earth sent us some spam.

Without further ado, here is a video of about a week's worth of SPAM on the planet Earth:

When zooming in on Europe, notice the 'Blue Banana', which is a discontinuous corridor of urbanisation in Western Europe is once again evident, as it was with the European heatmap. From North West England to Milan, 90 million people live in this corridor, and evidently a fair few of them have computers that send us SPAM. They call it a banana because of it's curvature but I've no idea why its blue.

We were hoping to see a 'follow the sun' aspect emerge, thinking that as people turn their computers off and go to bed, less spam will come from infected hosts in that timezone. This sounds reasonable, but it really only shows up to a fairly small degree in the video. It seems people don't turn infected hosts off at night. SPAM it seems, is 24x7.

We've also done the same technique for the location of network borne malware (worms) seen by our Australian SensorNET, in fact dataset with an IP and a timestamp - we can create a video of now. Feel free to contact us if you have an interesting dataset.
I used a product called 'logster' to do these videos, it is designed to read weblog files so that you can get an idea of who and when people visited your website. However you can use any dataset with an IP and timetamp, and parse it to make it look like an apache weblog file easily enough. This is what we (Thanks DavidZ) did with our nepenthes and SPAM data sets. Logster is another good analysis tool to have in the kit.

If you have a SPAM feed you would like to provide to the project, please email us at [email protected]