STATUS REPORT
Philippine Honeynet Project

1.0 DEPLOYMENTS
===============

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

We are using a virtual (VMware) honeynet deployment with Windows 2000 as the base OS.

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

Some notable honeynet analyses for the past quarter:

- Mambo File Inclusion Attacks (2006-01-07)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-01-07
- Messenger Spamming at 1026 (2006-01-15)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-01-15
- Defacing Tool 2.0 by r3v3ng4ns (2006-01-20)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-01-20
- IIS NTLM Authentication (2006-01-27)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-01-27
- Increase in MS-SQL Probes (2006-02-07)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-02-07
- Surge in Proxy Scanning Activities (2006-02-14)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-02-14
- Detecting Cisco IOS probes (2006-02-16)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-02-16
- Web attacks, phpBB mass-hack and the PHP Honeypot Project (2006-03-09)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-03-09
- PNphpBB (phpBB for Post Nuke), WebCalendar and Others (2006-03-16)
  http://www.philippinehoneynet.org/dataarchive.php?date=2006-03-16

2.0 FINDINGS
============

2.1 Highlight any unique findings, attacks, tools, or methods.

Some interesting findings that we have collected:

- Defacing Tool 2.0 by r3v3ng4ns is a suite of PHP-based scripts that allows the attacker to send commands to the server, primarily with the intent to deface websites.
  See http://www.philippinehoneynet.org/dataarchive.php?date=2006-01-20
- Detecting Cisco IOS probes: see SANS (http://isc.sans.org/diary.php?storyid=1170)

2.2 Any trends seen in the past six months.

- Attacks went down to an average of 36 attacks from about 50 last quarter.
- Wednesdays at around 6PM - 9PM Philippine time seem to be the time when most attacks occur.
- Attacks from the US (16%) and China (13%) are still the most predominant.
- Web application attacks/activity (over 40%) and miscellaneous activity (34%) like warez and spam are the top malicious activities in our honeynet.
- There has been very active ICMP worm recon activity.
- The highest TCP activity points to port 80, followed by 42 and 1900.
- PHP code injection attempts are the most predominant type of web application attack (xmlrpc.php, awstats, phpBB, etc.).

2.3 What are you using for data analysis? What is working well, what is missing, and what data analysis functionality would you like to see developed?

- We are using the Honeynet Activity Monitor (http://www.philippinehoneynet.org/data.php) and HoneyTrends (http://www.philippinehoneynet.org/datahistory.php), our in-house honeynet visualization tools, which use polar charts to represent activity. Ethereal has also been a staple in our analysis.

3.0 LESSONS LEARNED
===================

3.1 What new positive things can you share with the community, so they can replicate your success?

- A large part of mitigating threats is proper security awareness. We are helping the community by making them aware. This could be in the form of university appearances, columns in newspapers, recruitment of members through mailing lists, etc.

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

- Probably the biggest mistake that we made this quarter is not having enough people, and the corresponding skill sets, to take over the myriad of research projects that we have planned. We are doing a push towards getting more university students involved, though, and we hope that it will be fruitful.

3.3 Are there any research ideas you would like to see developed?

- Yes, we would like to pursue further research on Honeymonkeys. I don't know if it fits in the research agenda of the Honeynet Research Alliance, but we would very much like to start research on this. We would also like to pursue further research on the use of honeynets in education, particularly honeynet-based learning modules. We're also working with Laurent on the "Web Decoy Project", but it's still in the groundwork stage.

4.0 NEW TOOLS
=============

4.1 What new tools or technology are you working on?

- We have plans to upgrade our Honeynet Activity Monitor to have more visualizations of more port-specific data. We are also planning a more robust compiled console form of the Honeynet Activity Monitor.

4.2 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

- Yes, we would like to.

5.0 PAPERS AND PRESENTATIONS
============================

5.1 Are you working on any papers to be published, such as KYE or academic papers?

We have released four reports/papers/presentations this quarter:

- "Internet Security Threat Data Collection and Analysis using the Philippine Honeynet Project Infrastructure"
- "Collaborative Research using Distributed Honeynets"
- "Honeynet Learning: Discovering IT Security"
- "Philippine Internet Security Monitor 4Q 2005"

5.2 Are you looking for any data or people to help with your papers?

- We are particularly interested in collecting all the cases (and write-ups) of the Honeynet Research Alliance and compiling them in one central database, to be used as a central library/reference for students and other professionals interested in more in-depth learning.

5.3 Where did you publish/present honeypot-related material?

- Internet Security Threat Data Collection and Analysis using the Philippine Honeynet Project Infrastructure
  6th Philippine Computing Science Congress
  http://www.math.admu.edu.ph/~raf/pcsc06/program.htm
- Collaborative Research using Distributed Honeynets
  1st ENGAGE European Union - Southeast Asia ICT Research Collaboration Conference
  http://www.engage-ist.org/index.php?id=6087
- Honeynet Learning: Discovering IT Security
  ACM Inroads, for June 2006 publication
- Philippine Internet Security Monitor 4Q 2005
  INQ7 (The Philippine Daily Inquirer)
  http://news.inq7.net/infotech/index.php?index=1&story_id=61983

6.0 ORGANIZATIONAL
==================

6.1 Changes in the structure of your organization.

- No major changes, but we have 3 new members in the group: Mr. Ernesto Boydon, Mr. Aldwin Mamiit, and Ms. Jen Cu.

6.2 Your feedback on Alliance activities.

- It's been great. Would love to come to the annual get-together. Would need a formal invite (3 months before the event), though, since visa regulations here in the Philippines are quite strict.

6.3 Any suggestions for improving the Alliance?

- More emails and responses to the Alliance mailing list would be great.

7.0 GOALS
=========

7.1 Which of your goals did you meet for the last six months?

- Our main goal was to become full members of the Alliance this quarter. =)

7.2 Which of your goals did you not meet for the last six months?

- No honeynet learning modules yet and no central security case database.

7.3 Goals for the next six months

We're planning to do more of the following:

- Honeymonkey research
- Web Decoy Project (with the French Honeynet Project)
- Honeynet Learning Modules
- Central case repository/library (collect all cases of the Alliance, put them all in a central DB and categorize them, hopefully with everyone)
- and of course, more security awareness programs and presentations here in the Philippines

8.0 MISC ACTIVITIES
===================

8.1 Anything else not covered you would like to share.

- We will be involved with the Asia-Pacific Incident Response Drill in collaboration with our country's CERT organization this April. Some guys from Malaysia and Hong Kong have asked us about the possibility of setting up honeynets in their respective countries.