Nabble - Honeypots

nullcon Goa 2010 Call For Papers

2009-09-27T05:24:52Z

Calling all greyhats, whitehats, blackhats, rainbowhats, nohats,
underground, aboveground, in-the-sky, on-the-moon, Grannies, Grandpas,
martians, Doodhwalas, Kaamwalis, Bais, Bhais, Chuck norris Fans,
Mithun Da Fans, Himesh Reshamiya wannabees……..

Call For Paper is officially open for nullcon Goa 2010. It is time for
you to polish your paper, stick up an abstract and send it across. A
live demo/exploit/0day with the presentation might win you some extra
brownies.

---------------
WEBSITE
---------------
http://nullcon.net

---------------
About null
---------------
null – The open security community (http://null.co.in) , a non-profit
initiative, is a community of security professionals who have passion
for security research and contribute towards research and development,
knowledge sharing in the field of computer security.

nullcon Goa 2010 is our First effort towards organizing an
International Hacker Fest and is totally a community driven effort by
the members of null community.

--------------
TRACKS
--------------
The conference will run on the following two serial tracks:
1) Gurukul Track – 1 hr sessions
2) Turbo Track – 10/15/20 min sessions

Don’t have a full fledged 1 hr paper ??? Don’t be disheartened, we
have the Turbo Track with 10-20 minute talks.
If you have a neat hack/0day/idea/attack|malware analysis/Research in
Progress, simply submit to the turbo track.

-------------
TOPICS
-------------
Topic could be anything from Auto meter crooking, hacking cars to
hacking mobile networks, anything that would make people standup and
take notice.

A subset of topics we would be interested in (but not limited to):
Application security, Web security, social engineering, Mobile
Networks GSM/CDMA/3G, Bluetooth, OS/Kernel, Virtualization, cloud
security/hacking, protocol vulnerabilities, hardware security, cyber
warfare, cyber forensics, cryptography, spam, malware, L2-L4 hacking.

-----------------------
SUBMISSIONS
-----------------------
Initially an abstract will be required with your details.
Send an email to (cfp _at_ nullcon.net) in the following format:
Subject should be: nullcon Goa 2010 CFP <Paper Title>

Track: [Gurukul / Turbo]
Name:
Handle:
Nationality:
Organization:
Email:
Contact no:
Short Biography:
Paper Title:
Paper Abstract: (Max 6000 words)
Have You Presented this paper at any another conference? If Yes, Where?
Why do you think your work is innovative or different?

NOTE: It is mandatory for the participants, whose papers are selected,
to send us the final presentation (ppt, odp format) and the full paper
(doc, pdf format) containing the detailed explanation of presentation,
within the stipulated time (as mentioned below). The abstract should
clearly define your findings in detail with factual information. Just
stating that ‘it works’ may not help us understand your work
correctly.

--------------------------------------
IMPORTANT DEADLINES
--------------------------------------
CFP Closes – 15th Dec 2009
Selection Notification – 25th Dec 2009
Submission of final Paper and presentation material – 5th Jan 2010.

-------------------------------------------------------------------------
SPEAKER PRIVILEGES FOR GURUKUL TRACK
-------------------------------------------------------------------------
Free accommodation.
Fixed amount of reimbursement for travel (TBD).
Invitation to the post conference party.
Free access to the conference.

---------------------------------------------------------------------
SPEAKER PRIVILEGES FOR TURBO TRACK
---------------------------------------------------------------------
Free access to the conference.
Invitation to the post conference party.

Sebek issues with windows XP/Vista

2009-09-24T22:24:54Z

Hello ,
Did anybody tried running sebek on windows vista as a
honeypot ? i am trying to install sebek on windows XP /Vista
environment and getting DOB screen error. Any ideas would be
appreciated .
Thanks

Workshop on the Analysis of System Logs - Oct 14 - Call for Participation

2009-08-31T23:59:28Z

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Participation

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.
This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs.

Workshop Program

Session 1: Log Analysis Tools
- "Extracting Message Types from BlueGene/L's Logs", A. Makanju, A.
Zincir-Heywood, and E. Milios
- "Incremental Learning of System Log Formats", K. Zhu, K. Fisher,
and D. Walker
- "Visual and Algorithmic Tooling for System Trace Analysis: A Case
Study", W. De Pauw and S. Heisig

Session 2: Analyzing System Logs
- "Mining Dependency in Distributed Systems through Unstructured
Logs Analysis", J. Lou, Q. Fu, Y. Wang, and J. Li
- "A Bayesian Network Approach to Modeling IT Service Availability
using System Logs", R. Zhang, E. Cope, L. Huesler, and F. Cheng
- "Endpoint Identification Using System Logs", S. Melvin

Session 3: Group Discussion on Current State of the Art
- Tips and tricks in current use.
- Gaps and challenges in current techniques.
- Vision and steps for the future.

Session 4: Panel on Future Research Agenda
- What are the most difficult problems with logging, in the real world?
- How to make academia-industry interactions more productive?
- How to extract meaningful information from logs?
- How to improve system management?

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University
Risto Vaarandi, CCD CoE
Jim Jansen, Penn State University
Wei Xu, University of California, Berkeley
Anton Chuvakin, Qualys
Kara Nance, University of Alaska, Fairbanks
Raffael Marty, PixlCloud

Re: Send strace output through syslog-ng

2009-08-05T07:08:32Z

Well I did not think about this, but it seems to be a great idea. Thanks a lot.

However, I decided to open a new port and to send syslog data through it so that it is really easy to administrate. It works great.

Thanks for your help,

Regards,

BB@umd wrote:

Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can send all the log files to a remote web server. (So that mean I have already configured syslog-ng on this web server too) No matter with that, it works great.

Then, on my honeypot, I have a strace command attached to my ssh server. It gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &

Now, I would like to send the strace output (/var/log/strace.log) to my server through syslog-ng. So, on my honeypot, I added the following in my syslog-ng.conf in the source section:
file ("/var/log/strace.log").

However, now, on the server side, I do not know how to configure syslog-ng in order to retrieve this strace output only. Is there a special filter for strace in syslog-ng ? (Usually, for example, I am using "filter { facility(auth);};" to filter auth.log : so is there something similar with strace ?)

Regards,
BB

Re: Send strace output through syslog-ng

2009-08-05T05:52:44Z

Hi,

First of all there is no filter for strace. My first idea for your
problem was to open a new port on the server just for strace, but it's
understandable if you don't want to do it. Also the idea of Chris
sounds good as well if you don't use the facility field generally. But
a third solution that I've found is the following:

You should create a separate log path for the strace output which
should read the logs from the file and replace the PROGRAM field of
the log message with the 'strace' string. That is why you need the
separate logpath, to make sure that only the strace output gets the
'strace' string. And then you can send these messages to your server
where you can filter the logs by the PROGRAM field. For these you will
need something like this in your config:

=Client=
#
# Sets the PROGRAM field to 'strace'
#
rewrite r_rewrite_set{set("strace", value("PROGRAM"));};

#
# Source to read from file
#
source s_strace {
file ("/var/log/strace.log");
};

#
#Destination to your server
#
destination d_tcp { tcp("127.0.0.1" port(1999) );};

#
# Logpath to read the file, set the
# program name and send it to the server
#
log {
source(s_strace);
rewrite(r_rewrite_set);
destination(d_tcp);
};

= Server =
#
# Filter for the messages generated by strace
#
filter strace_filter{match("strace" value("PROGRAM"));};

#
# Template to see the PROGRAM field
#
template t_filetemplate {
template("$ISODATE $HOST $PROGRAM $MSG\n");
template_escape(no); };

#
# This one just opens a port
#
source s_net {
tcp(ip(127.0.0.1) port(1999) max-connections(10));
};

#
# Destination to write messages to file
#
destination d_strace {file("/var/log/test" template(t_filetemplate));};

#
# Logpath for filtering the strace messages out
#
log {
source(s_net);
filter(strace_filter);
destination(d_strace);
};

I also would like to warn you to use tcp() as I did instead of
syslog() because there might be a bug in sending the APP-NAME field
through network. Also if you don't have it you should download the
admin guide which is realy handy:

http://www.balabit.hu/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf

I hope I could help.

Good luck :)

Geri

2009/8/4 BB@umd <bbenard@...>:

>
> Good afternoon.
>
> I have a honeypot which syslog-ng running. I configured it so that it can
> send all the log files to a remote web server. (So that mean I have already
> configured syslog-ng on this web server too) No matter with that, it works
> great.
>
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace outputs in a strace.log file. Here is this command :
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng. So, on my honeypot, I added the following in my
> syslog-ng.conf in the source section:
> file ("/var/log/strace.log").
>
> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only. Is there a special filter for
> strace in syslog-ng ? (Usually, for example, I am using "filter {
> facility(auth);};" to filter auth.log : so is there something similar with
> strace ?)
>
> Regards,
> BB
>
> --
> View this message in context: http://www.nabble.com/Send-strace-output-through-syslog-ng-tp24814871p24814871.html
> Sent from the Honeypots mailing list archive at Nabble.com.
>
>

Re: Send strace output through syslog-ng

2009-08-04T17:33:20Z

Hey man,

On Tue, 2009-08-04 at 12:38 -0700, BB@umd wrote:
>
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace outputs in a strace.log file. Here is this command :
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng.

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only.

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often. Instead I like to use the
facilities "news", "uucp" or similar that I know will never get run on
my network. Potential conflict solved. ;-)

HTH,
C
---
www.chrisbrenton.org

Send strace output through syslog-ng

2009-08-04T12:38:08Z

Good afternoon.

I have a honeypot which syslog-ng running. I configured it so that it can send all the log files to a remote web server. (So that mean I have already configured syslog-ng on this web server too) No matter with that, it works great.

Then, on my honeypot, I have a strace command attached to my ssh server. It gathers strace outputs in a strace.log file. Here is this command :
strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &

Now, I would like to send the strace output (/var/log/strace.log) to my server through syslog-ng. So, on my honeypot, I added the following in my syslog-ng.conf in the source section:
file ("/var/log/strace.log").

However, now, on the server side, I do not know how to configure syslog-ng in order to retrieve this strace output only. Is there a special filter for strace in syslog-ng ? (Usually, for example, I am using "filter { facility(auth);};" to filter auth.log : so is there something similar with strace ?)

Regards,
BB

Running Honeyd on interface IP

2009-07-22T02:10:50Z

Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport 22 -d 2.2.2.2 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT

I also add a route for 2.2.2.2 to be accessible from loopback:
route add -host 2.2.2.2 lo

Then I enable IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

And in the configuration for Honeyd I say:
add sshhost tcp port 22 "./ssh.sh"
bind 2.2.2.2 sshhost

Finally, I run my Honeyd like this, binding it to my Loopback:
honeyd -d -l /tmp/honeypot/packet.log -f smtp.conf -i lo

But I am still unable to access port 22 of my honeypot. What can be missing?

I am running honeyd-1.5b. This is what I get by running Honeyd in the
debug mode:

honeyd[3388]: listening on lo: ip
honeyd[3388]: Demoting process privileges to uid 99, gid 99
honeyd[3388]: rrdtool returning errors - restarting.
honeyd[3388]: Respawing rrdtool too quickly
honeyd[3388]: Connection request: tcp (1.1.1.1:40805 - 1.1.1.1:22)
honeyd[3388]: Killing attempted connection: tcp (1.1.1.1:22 - 1.1.1.1:40805)
honeyd[3388]: Connection dropped by reset: tcp (1.1.1.1:40805 - 1.1.1.1:22)
honeyd[3388]: rrdtool returning errors - restarting.
honeyd[3388]: Respawing rrdtool too quickly

Thank you!

Regards,
Evgeniy

Extended deadline: Monday, July 6th. Workshop on the Analysis of System Logs (WASL) 2009

2009-07-01T11:40:34Z

Due to multiple requests, the paper submission deadline for the Workshop
on the
Analysis of System Logs has been moved to Monday, July 6th.

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

FULL PAPER SUBMISSION: Monday, July 6th, 2009
AUTHOR NOTIFICATION: Monday, August 3rd, 2009
FINAL PAPERS DUE: Monday, September 14, 2009
--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs. Topics include but are not limited to:
o Reports on publicly available sources of sample log data.
o Log anonymization
o Log feature detection and extraction
o Prediction of malfunction or misuse based on log data
o Statistical techniques to characterize log data
o Applications of Natural-Language Processing (NLP) to logs
o Scalable log compression
o Log comparison techniques
o Methods to enhance astandardize log semantics
o System diagnostic techniques
o Log visualization
o Analysis of services (problem ticket) logs
o Applications of log analysis to system administration

Papers limited to 6 2-column pages using >=10pt font.

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University
Risto Vaarandi, CCD CoE
Jim Jansen, Penn State University
Wei Xu, University of California, Berkeley
Anton Chuvakin, Qualys
Hugh Njemanze, ArcSight
Kara Nance, University of Alaska, Fairbanks
Raffael Marty, PixlCloud

Workshop on the Analysis of System Logs (WASL) 2009

2009-06-16T08:42:33Z

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

FULL PAPER SUBMISSION: Monday, June 29th, 2009
AUTHOR NOTIFICATION: Monday, July 27, 2009
FINAL PAPERS DUE: Monday, September 14, 2009
--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs. Topics include but are not limited to:
o Reports on publicly available sources of sample log data.
o Log anonymization
o Log feature detection and extraction
o Prediction of malfunction or misuse based on log data
o Statistical techniques to characterize log data
o Applications of Natural-Language Processing (NLP) to logs
o Scalable log compression
o Log comparison techniques
o Methods to enhance astandardize log semantics
o System diagnostic techniques
o Log visualization
o Analysis of services (problem ticket) logs
o Applications of log analysis to system administration

Papers limited to 6 2-column pages using >=10pt font.

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University
Risto Vaarandi, CCD CoE
Jim Jansen, Penn State University
Wei Xu, University of California, Berkeley
Anton Chuvakin, Qualys
Hugh Njemanze, ArcSight
Kara Nance, University of Alaska, Fairbanks
Raffael Marty, PixlCloudWorkshop on the Analysis of System Logs
(WASL) 2009

Call for Participation - DIMVA 2009

2009-05-26T03:59:20Z

(We apologize if you receive multiple copies of this message.)
----------------------------------------------------------------------
C A L L F O R P A R T I C I P A T I O N
======================================================================

DIMVA 2009

Sixth International Conference on
Detection of Intrusions and Malware & Vulnerability Assessment

Organized by GI SIG SIDAR

Como, Italy
July 9-10, 2009

http://www.dimva.org/dimva2009
mailto:info@...
======================================================================

The annual DIMVA conference serves as a premier forum for advancing
the state of the art in intrusion detection, malware detection, and
vulnerability assessment. Each year DIMVA brings together
international experts from academia, industry and government to
present and discuss novel research in these areas. DIMVA is organized
by the special interest group Security - Intrusion Detection and
Response (SIDAR) of the German Informatics Society (GI) and takes
place 9/10-07-2009 in Como, Italy.

This year's program features a single technical track with 13 papers
DIMVA 2009 will also feature two invited talks by renowned experts:

* Henry Stern, Ironport / Cisco:
A New Era in Security Collaboration: Turning the Tables on Botnets

* Richard Kemmerer, University of California Santa Barbara
How to Steal a Botnet and What Can Happen When You Do

The conference program will be complemented by

* a Rump Session: a series of short and entertaining talks where
attendees can present recent research results, work in progress,
or other topics of interest to the community.

Please contact the Rump Session Chair, Sven Dietrich, at
rump-chair@... for submission questions.

* CIPHER 5: a "Capture The Flag"-style contest in IT security for
teams of students from universities around the world. CIPHER is
co-arranged by the Special Interest Group SIDAR (Security - Intrusion
Detection and Response) of the German Informatics Society (GI).
(More information on http://www.cipher-ctf.org)

Registration and Travel
=======================

The DIMVA 2009 conference will be held in Como (Italy). The
registration is now open. Please check the DIMVA web site for
information on the rates, registration, travel and accommodation:

!!!Early Bird Rates available now!!!

http://www.dimva.org/dimva2009

Conference Program (preliminary)
================================

Thursday, July 9th
------------------

Welcome Opening Remarks

Session 1: Malware and SPAM

A Case Study on Asprox Infection Dynamics

How good are malware detectors at remediating infected systems?

Towards Proactive Spam Filtering

Session 2: Emulation-based Detection

Shepherding Loadable Kernel Module through On-demand
Emulation

Yataglass: Network-level Code Emulation for Analyzing
Memory-scanning Attacks

Defending Browsers against Drive-by Downloads: Mitigating
Heap-spraying Code Injection Attacks

Keynote

How to Steal a Botnet and What Can Happen When You Do
Richard Kemmerer, University of California Santa Barbara

Session 3: Software Diversity

Polymorphing Software by Randomizing Data Structure Layout

On the Effectiveness of Software Diversity: A Systematic
Study on Real-World Vulnerabilities

SIG SIDAR Open Meeting

Friday, July 10th
-----------------

Keynote

A New Era in Security Collaboration: Turning the Tables on
Botnets
Henry Stern, Ironport / Cisco

Session 4: Harnessing Context

Using Contextual Information for IDS Alarm Classification

Browser Fingerprinting from Coarse Traffic Summaries:
Techniques and Implications

A Service Dependency Modeling Framework for Policy-based
Response Enforcement

Rump Session

Session 5: Anomaly Detection

Learning SQL for Database Intrusion Detection using
Context-Sensitive Modelling

Selecting and Improving System Call Models for Anomaly
Detection

CIPHER 5 Capture the Flag

Farewell - Concluding Remarks

Corporate Sponsors
==================
We solicit interested organizations to serve as sponsors for DIMVA
2009, particularly in sponsorship of student travel and other expenses
for DIMVA. Please contact the Sponsorship Chair for information
regarding corporate sponsorship of DIMVA 2009.

Organizing Committee
====================
General Chair: Danilo M. Bruschi,
Università degli Studi di Milano,
Italy (info@...)
Program Chair: Ulrich Flegel, SAP Research CEC Karlsruhe,
Germany (pc-chair@...)
Rump Session Chair: Sven Dietrich,
Stevens Institute of Technology,
U.S.A. (rump-chair@...)
Sponsorship Chair: Thorsten Holz, University of Mannheim,
Germany (sponsor-chair@...)
Publicity Chair: Sebastian Schmerl,
Technical University of Cottbus,
Germany (publicity-chair@...)

Program Committee
=================
Thomas Biege, Novell, Germany
Gunter Bitz, SAP AG, Germany
Herbert Bos, Vrije Universiteit Amsterdam, Netherlands
Danilo Bruschi, Università degli Studi di Milano, Italy
Roland Büschkes, RWE, Germany
Marc Dacier, Symantec Research, France
Hervé Debar, France Télécom, France
Sven Dietrich, Stevens Institute of Technology, U.S.A.
Toralv Dirro, McAfee, Germany
Thomas Dullien, Zynamics, Germany
Ulrich Flegel, SAP Research, Germany
Bernhard Hämmerli, Acris GmbH & HSLU Lucerne, Switzerland
Marc Heuse, Baseline Security, Germany
Thorsten Holz, University of Mannheim, Germany
Erland Jonsson, Chalmers University, Sweden
Klaus Julisch, IBM Zurich Research Laboratory, Switzerland
Engin Kirda, Eurecom, France
Christian Kreibich, International Computer Science Institute,
U.S.A.
Christopher Kruegel, University of California in Santa Barbara,
U.S.A
Pavel Laskov, University of Tuebingen, Germany
Wenke Lee, Georgia Institute of Technology, U.S.A.
Javier Lopez, University of Malaga, Spain
John McHugh, University of North Carolina and Dalhousie
University Halifax, Canada
Michael Meier, Technical University of Dortmund, Germany
George Mohay, Queensland University of Technology, Australia
Martin Rehák, Czech Technical University, Czech
Konrad Rieck, Technical University of Berlin, Germany
Sebastian Schmerl, Technical University of Cottbus, Germany
Robin Sommer, ICSI/LBNL, U.S.A.
Salvatore Stolfo, Columbia University, U.S.A
Peter Szor, Symantec, U.S.A.
Bernhard Thurm, SAP Research, Germany
Al Valdes, SRI International, U.S.A.

Steering Committee
==================
Chairs:
* Ulrich Flegel, SAP Research CEC Karlsruhe
* Michael Meier, Technical University of Dortmund

Members:
* Roland Büschkes, RWE
* Hervé Debar, France Telecom R&D
* Bernhard Hämmerli, Acris GmbH, HSLU
* Marc Heuse, Baseline Security Consulting
* Klaus Julisch, IBM Zurich Research Lab
* Christopher Kruegel, UC Santa Barbara
* Pavel Laskov, University of Tuebingen
* Robin Sommer, ICSI/LBNL
* Diego Zamboni, IBM Zurich Research Lab

--
_____________________________________________________________________
Sebastian Schmerl Tel: +49 (0) 355 69 20 29
sbs@... Fax: +49 (0) 355 69 21 27
BTU Cottbus

Computer Networks and Communication System
P.O.Box 10 13 44, 03013 Cottbus, Germany
http://www-rnks.informatik.tu-cottbus.de
_____________________________________________________________________

smime.p7s (9K) Download Attachment

SETOP 2009 - Call for Papers, Deadline June 1st

2009-05-26T03:07:10Z

[Apologies for multiple copies of this announcement]

CALL FOR PAPERS

SETOP 2009
Second International Workshop on Autonomous and Spontaneous Security

Co-located with ESORICS 2009
September 24-25, 2009, Saint Malo, Britany, France.

http://conferences.telecom-bretagne.eu/setop-2009

With the need for evolution, if not revolution, of current network
architectures and the Internet, autonomous and spontaneous management
will be a key feature of future networks and information systems. In
this context, security is an essential property that must be thought
at the early stage of conception of these systems and designed to be
also autonomous and spontaneous.

Future networks and systems must be able to automatically configure
themselves with respect to their security policies. The security policy
specification must be dynamic and adapt itself to the changing
environment. Those networks and systems must be able to interoperate
securely when their respective security policies are heterogeneous and
possibly conflicting. They must be able to autonomously evaluate the
impact of an intrusion in order to spontaneously select the appropriate
and relevant response when a given intrusion is detected.

Autonomous and spontaneous security is a major requirement of future
networks and systems. Of course, it is a key issue to address in
different wireless and mobile technologies available today such as
RFID, Wifi, Wimax, 3G, etc. Other technologies such as ad hoc or
sensor networks are also very interesting for new type of services,
and security in these networks needs to be managed in an autonomous
and spontaneous way.

The SETOP Workshop seeks submissions that present research results
on all aspects related to spontaneous and autonomous security.
Submissions by PhD students are encouraged. Topics of interest
include, but are not limited to the following:

* Security policy deployment
* Self evaluation of risk and impact
* Distributed intrusion detection
* Autonomous and spontaneous response
* Trust establishment
* Security in ad hoc networks
* Security in sensor/RFID networks
* Security of Next Generation Network
* Security of Service Oriented Architecture
* Security of opportunistic Networks
* Privacy in self-organized networks
* Secure localization
* Secure context aware computing
* Secure interoperability and negotiation
* Secure routing
* Identity management

Submission guidelines

Submissions must be in English. Maximum length for submissions is
15 pages in LNCS style, including figures, bibliography and
appendices. The SETOP papers will be published after the conference
in Springer Verlag's Lecture Notes in Computer Science series in
order to give the authors an opportunity to revise their papers upon
presentation at the meeting in the light of the feedback received
from the audience. A selection of the best papers will be invited
to submit an extended version of their paper for publication in an
international journal.

Participation

Authors of accepted papers are required to ensure that at least one
will be present at the symposium. Papers that do not adhere to this
policy will be removed from the LNCS post-proceedings.

Important dates:

* Submission deadline: June 1st, 2009
* Acceptance Notification: July 7th, 2009
* Camera ready: August 15th, 2009

Program Committee Chairs:

* Nora Cuppens-Boulahia (TELECOM Bretagne, Rennes)
* Yves Roudier (EURECOM, Sophia-Antipolis)

Organization Chair:

* Frédéric Cuppens (TELECOM Bretagne, Rennes)

Program Committee (to be completed):

* Michel Barbeau (Carleton University, Ottawa)
* Christophe Bidan (Supélec, Rennes)
* Levente Buttyan (Budapest University of Technology and
Economics, Budapest)
* Claude Castelluccia (INRIA, Sophia-Antipolis)
* Ana Cavalli (TELECOM SudParis, Evry)
* Hakima Chaouchi (TELECOM SudParis, Evry)
* Claude Chaudet (TELECOM ParisTech, Paris)
* Yves Correc (DGA/CELAR, Bruz)
* Frédéric Cuppens (TELECOM Bretagne, Rennes)
* Hervé Debar (France Télécom R&D, Caen)
* Alban Gabillon (UPF, université de la Polynésie Française)
* Joaquin Garcia-Alfaro (Carleton University, Ottawa)
* Loukas Lazos (University of Arizona, Tucson)
* Jean Leneutre (TELECOM ParisTech, Paris)
* Maryline Maknavicius (TELECOM SudParis, Evry)
* Refik Molva (EURECOM, Sophia-Antipolis)
* Radha Poovendran (University of Washington, Seattle)
* Juan Carlos Ruiz (UPV, Valencia)
* Thierry Sans (Carnegie Mellon, Doha)

HoneyD Data Visualization Scripts

2009-05-07T16:11:10Z

I have been doing a little work on updating my HoneyD data
visualization scripts and the web interface to be a little bit more
appealing.

More information at my blog:

http://itsecops.blogspot.com/

--
Thx
Joshua Gimer

EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

2009-05-06T15:24:04Z

EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT
- Ralf-Philipp Weinmann, University of Luxembourg
A year in the life of an Adobe Flash security researcher
- Peleus Uhley, Adobe
Pwning your grandmother's iPhone
- Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and Iphone and other TBA matters.
- Vincent Iozzo,Zynamics
STOP!! Objective-C Run-TIME.
- nemo
Exploiting Delphi/Pascal
- Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections
- Christophe Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing
- Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon?
- Arrigo Trulzi
Evolving Microsoft Exploit Mitigations
- Tim Burrell & Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution
- Vicente Diaz, S21Sec
Writing better XSS payloads
- Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions
-Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited
- Adrian Pastor, Gnucitizen, Corsaire
Advanced SQL Injection to operating system control
- Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic
- Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded
- Petr Matousek, Coseinc

PacSec 2009 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese researchers
to share best practices and technology. The most significant new
discoveries about computer network hack attacks will be presented at
the seventh annual PacSec conference to be discussed.

The PacSec meeting provides an opportunity for foreign specialists to
be exposed to Japanese innovation and markets and collaborate on
practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009
network security training conference. The conference will be held
November 4/5th in Tokyo. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology communities..

Please make your paper proposal submissions before June 1st, 2009.
Slides for the papers must be submitted for translation by October 1,
2009 (Which, oh so rarely, happens we are going to start asking for
them earlier :-P --dr).

A some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for
travel and accomodations for the speakers. If you have a proposal for
a tutorial session then please email a synopsis of the material and
your biography, papers and, speaking background to . Tutorials are
one hour in length, but with simultaneous translation should be
approximately 45 minutes in English, or Japanese. Only slides will be
needed for the October paper deadline, full text does not have to be
submitted.

The PacSec conference consists of tutorials on technical details about
current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and education
for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated, but
it needs to be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:
o
1) Presenter, and geographical location (country of origin/passport)
and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph
description.
6) Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this
material has been or will be published/submitted.

Please include the plain text version of this information in your
email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to to be considered for
placement on the speaker roster.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
Tokyo, Japan November 4/5 2009 http://pacsec.jp
Vancouver, Canada March 22-26 2010 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

Call for Papers Hack.lu 2009

2009-04-30T05:42:46Z

Call for Papers Hack.lu 2009
============================

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
in society. hack.lu is a balanced mix convention where technical and
non-technical people can meet each other and share freely all kind of
information. The convention will be held in the Grand-Duchy of
Luxembourg in October 2009 (28-30.10.2008). The conference is three days
of active discussions, presentations and workshops for sharing
experience around new attacks, defensive techniques and information
security (including funky experiments). We would like to announce the
opportunity to submit papers, and/or lightning talk proposals for
selection by the hack.lu technical review committee. This year we will
be doing one hour talks, and some shorter talk sessions.

Scope:
------

Topics of interest include, but are not limited to:
- Software Engineering and Security
- Honeypots/Honeynets
- Spyware, Phishing and Botnets (Distributed attacks)
- Newly discovered vulnerabilities in software and hardware
- Electronic/Digital Privacy
- Wireless Network and Security
- Attacks on Information Systems and/or Digital Information Storage
- Electronic Voting
- Free Software and Security
- Assessment of Computer, Electronic Devices and Information Systems
- Standards for Information Security
- Legal and Social Aspect of Information Security
- Software Engineering and Security
- Security in Information Retrieval
- Network security
- Forensics and Anti-Forensics
- Mobile communications security and vulnerabilities

Deadlines:
----------

The following dates are important if you want to participate in the CfP

Abstract submission: no later than 15 June 2009
Full paper submission: no later than 1st August 2009
Notification date: mid/end of August

Submission guideline:
---------------------

Authors should submit a paper in English up to 5.000 words, using a
non-proprietary and open electronic format. The program committee will
review all papers and the author of each paper will be notified of the
result, by electronic means. Abstract is up to 400 words. Submissions
must be sent using the following interface: http://2009.hack.lu/papers/

Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport)and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important
tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Information about if yes or no the submission has already been
presented and where.

The information will be used only for the sole purpose of the hack.lu
convention including the information on the public website. If you want
to remain anonymous, you have the right to use a nickname.

Speakers' Privileges:
---------------------

- Accommodation will be provided (3 nights).
- Travel expenses will be covered up to a max amount.
- Conference speakers night.

Publication and rights:
-----------------------

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu
convention and its related electronic/paper publication.

Sponsoring:
-----------

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki:
------------------

http://2009.hack.lu/

RE: Mail Honeypot Thesis

2009-04-22T14:18:15Z

I would have thought that botnets are a much greater problem than an open
relay, which is just a couple of pcs / servers and can easily be knocked
offline by an ISP etc.

Also, be careful where you run your relay ... whatever ISP your using will
be none too happy at being blacklisted; especially since they are trying to
provide a commercial service rather than be someone's toy. It's worth noting
that sending SPAM is probably not legal in your country legal and definitely
not moral, and your proposing to send a load.

I would have thought there is enough SPAM data in the public domain ...
http://www.projecthoneypot.org/ /
http://www.projecthoneypot.org/statistics.php ... provide a lot for example,
and if you drop them a nice mail and explain what you're doing etc, you may
find a handy contact and them willing to give you more information. Much
better than creating yet another SPAM source and feeling the wrath of your
ISP / College / Uni / Other sys admins imho.

I.

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of dotcompex
Sent: 22 April 2009 14:55
To: honeypots@...
Subject: Mail Honeypot Thesis

I'm doing mail honeypot project for my thesis. Having a little bit problem
in writing good report. I hope u all can comment it so I can edit before
submit it. For the start, I attach my abstract.

Electronic mail or in short can be called email is an important
communication method since internet were propagated in the early 1980s.
People have change their way of communication since the used of email
arising. However the efficacy of email is being endangered by spam problems
when the Internet was opened up to the public. As defined by Spamhaus
Project, spam applied to Unsolicited Bulk Email. Unsolicited means that the
recipient has not approved for the message to be sent. Bulk means that the
message is sent in large quantities and indistinguishable content. Mail
servers that run Simple Mail Transfer Protocol (SMTP) service which are open
relay are exposed to be abused by spam. An open relay mail server will
relay any messages through it. This project will help to determine the spam
source of origin and their contents. Methodology used in this project is
experimental approach. This project will be run on Qmail mail server which
is an open relay and tcpdump for data capturing. The open relay mail server
will be act as mail honeypot to attract spammers. Hopefully this project
can benefit others by contributing spam source of origin to be inserted in
spam block list.
--
View this message in context:
http://www.nabble.com/Mail-Honeypot-Thesis-tp23175462p23175462.html
Sent from the Honeypots mailing list archive at Nabble.com.

RE: Mail Honeypot Thesis

2009-04-22T14:15:14Z

Hi dotcompex.

Make sure you don't actually relay the emails!
Only emulate an open relay, and then accept the emails for relay, without actually relaying them.

If you relay then you become part of the problem, and not part of the solution.

There should be no need to use TCPdump to capture the email traffic originator, any normal STMP program should put the originating IP-address in the logfile.

You should add a spam filter based on originating IPS to your solution so that you don't accept emails from known spammers, this way you will focus on discovering the unknown Originating IPs. If you don't then you will just be using your bandwidth on known spammers without the benefit you are seeking.

Honestly I don't see the research value in you discovering a few more originating IPs using known detection methods. Most of these IPs will only be spamming for a few days any way.

You could change the focus of your report to have several Open relays on different servers and try to determine if spammers prefer one kind of mail server over another.

You could also try and measure how many spammer are using SMTP over TLS(SSL) compared to unencrypted SMTP

This would make your thesis much more interesting to read.

If you are done with the experiment part, then this advise comes a bit late but I hope it helps anyway.

Jesper Jurcenoks

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of dotcompex
Sent: Wednesday, April 22, 2009 6:55 AM
To: honeypots@...
Subject: Mail Honeypot Thesis

I'm doing mail honeypot project for my thesis. Having a little bit problem
in writing good report. I hope u all can comment it so I can edit before
submit it. For the start, I attach my abstract.

Electronic mail or in short can be called email is an important
communication method since internet were propagated in the early 1980s.
People have change their way of communication since the used of email
arising. However the efficacy of email is being endangered by spam problems
when the Internet was opened up to the public. As defined by Spamhaus
Project, spam applied to Unsolicited Bulk Email. Unsolicited means that the
recipient has not approved for the message to be sent. Bulk means that the
message is sent in large quantities and indistinguishable content. Mail
servers that run Simple Mail Transfer Protocol (SMTP) service which are open
relay are exposed to be abused by spam. An open relay mail server will
relay any messages through it. This project will help to determine the spam
source of origin and their contents. Methodology used in this project is
experimental approach. This project will be run on Qmail mail server which
is an open relay and tcpdump for data capturing. The open relay mail server
will be act as mail honeypot to attract spammers. Hopefully this project
can benefit others by contributing spam source of origin to be inserted in
spam block list.
--
View this message in context: http://www.nabble.com/Mail-Honeypot-Thesis-tp23175462p23175462.html
Sent from the Honeypots mailing list archive at Nabble.com.

Mail Honeypot Thesis

2009-04-22T06:54:51Z

I'm doing mail honeypot project for my thesis. Having a little bit problem in writing good report. I hope u all can comment it so I can edit before submit it. For the start, I attach my abstract.

Electronic mail or in short can be called email is an important communication method since internet were propagated in the early 1980s. People have change their way of communication since the used of email arising. However the efficacy of email is being endangered by spam problems when the Internet was opened up to the public. As defined by Spamhaus Project, spam applied to Unsolicited Bulk Email. Unsolicited means that the recipient has not approved for the message to be sent. Bulk means that the message is sent in large quantities and indistinguishable content. Mail servers that run Simple Mail Transfer Protocol (SMTP) service which are open relay are exposed to be abused by spam. An open relay mail server will relay any messages through it. This project will help to determine the spam source of origin and their contents. Methodology used in this project is experimental approach. This project will be run on Qmail mail server which is an open relay and tcpdump for data capturing. The open relay mail server will be act as mail honeypot to attract spammers. Hopefully this project can benefit others by contributing spam source of origin to be inserted in spam block list.

Re: nepenthes for multiple ip addresses

2009-04-19T11:56:45Z

Thanks for all the answers, i have profited a lot from them! Let me
answer for each reply in one mail.

Kashyap Timmaraju wrote:
> The reason you need arpd is because you have to bind the unused IP
> addresses to a MAC address in this case it will be your MAC
> address(how else can u get read those packets?) which arpd does for
> you. You will have to run arpd, so all the best with your experiment!
I have tryed farpd to get all unused IPs, but since i'm in a /24 subnet,
i could only bind IPs from my subnet (i have forgot to mention that i'm
e.g 192.168.1.1/24, but i'm having traffic redirected from
192.168.0.1-192.168.255.255). It's a great package btw (thanks again Mr
Provos :))

Gergely Révay wrote:

> If there is no address translation in the routing process then you
> should have alias interfaces for those IPs which you want to listen
> on.
>
> For instance if the 192.168.1.0/24 network is redirected to your
> computer then you should use a command like this:
>
> $ for i in `seq 2 254`; do sudo ip addr add 192.168.1.$i/24 brd + dev eth0; done
>
> (or something :) )
>
> In this case when nepenthes listens on 0.0.0.0 then it means it listen
> on the alias IPs as well.
>

Unfortunately it's a bit more complex. My box got traffic addressed to
currently unused IPs, but the IPs are changing every time (if someone
get one of the IPs by DHCP, than i won't get any more traffic redirected
to me), and i think it would cause network conflict if i would add all
255*255 IPs to my interface (also it's a big number :)).
> If there is address translation in the routing then those packet
> should have your IP as their destination IP and then it should work.
> If you don't know you can check it with tcpdump
I'm not getting traffic by NAT, all traffic are simply redirected to my
IP. But after reading your reply, i tryed to NAT all traffic locally at
my computer, and it worked! I set iptables' nat to translate the
destination ip of all packets, which destination ip wasn't mine
originally, to my ip. Now nepenthes having it's log incremented by
0.5MB/min :))).

The only problem, that now i lost all information about who received the
malicious packet originally, since in the log all dest ip is mine :(. Do
you think is that possible to write such a script that can delay the
packets, add the originaly dest ip to my interface, move the packet
(nepenthes scans it), than after a short delay remove the IP from my
interface? Or if there is any simpler solution, i'm open to all
suggestion :)

Viktor

Re: nepenthes for multiple ip addresses

2009-04-19T08:11:38Z

Hi,

If there is no address translation in the routing process then you
should have alias interfaces for those IPs which you want to listen
on.

For instance if the 192.168.1.0/24 network is redirected to your
computer then you should use a command like this:

$ for i in `seq 2 254`; do sudo ip addr add 192.168.1.$i/24 brd + dev eth0; done

(or something :) )

In this case when nepenthes listens on 0.0.0.0 then it means it listen
on the alias IPs as well.
If there is address translation in the routing then those packet
should have your IP as their destination IP and then it should work.
If you don't know you can check it with tcpdump.

I hope I helped.

Good luck!

Geri

2009/4/18 Viktor <gecko003@...>:

> Hello!
>
> I'm running nepenthes on a debian OS at an universiry network with a fix IP. I managed to get a high number of unused IP addresses from the university network administrator, all traffic from these are routed to my computer. Now i'm having 200 packet/s income rate, but nepenthes only looks for the traffic addressed to my own IP. Is there a way to make nepenthes listening for all incoming packets despite the packet destination IP is not mine?
> I have a lot of IPs, and they are random, changing every time, so it's not an option to give alternate IPs to my interface.
>
> Thanks in advance!
>
> Viktor
>
>

Re: nepenthes for multiple ip addresses

2009-04-18T08:37:29Z

Did you try arpd to get packets to your box?

-sushant.

On Sat, 2009-04-18 at 17:17 +0200, Viktor wrote:

nepenthes for multiple ip addresses

2009-04-18T08:17:32Z

Hello!

I'm running nepenthes on a debian OS at an universiry network with a fix IP. I managed to get a high number of unused IP addresses from the university network administrator, all traffic from these are routed to my computer. Now i'm having 200 packet/s income rate, but nepenthes only looks for the traffic addressed to my own IP. Is there a way to make nepenthes listening for all incoming packets despite the packet destination IP is not mine?
I have a lot of IPs, and they are random, changing every time, so it's not an option to give alternate IPs to my interface.

Thanks in advance!

Viktor

HITBSecConf2009 - Malaysia: Call for Papers

2009-04-14T21:12:17Z

The Call for Papers for HITB Security Conference 2009 Malaysia is now open!

Talks that are more technical or that discuss new and never before seen
attack methods are of more interest than a subject that has been covered
several times before. Summaries not exceeding 1250 words should be
submitted (in plain text format) to cfp -at- hackinthebox.org for review
and possible inclusion in the programme.

Submissions are due no later than 31st July 2009

TOPICS

Topics of interest include, but are not limited to the following:

# 3G/4G Cellular Networks
# Apple / OS X security vulnerabilities
# SS7/Backbone telephony networks
# VoIP security
# Firewall technologies
# Intrusion detection
# Data Recovery, Forensics and Incident Response
# HSDPA and CDMA Security
# WIMAX Security
# Identification and Entity Authentication
# Network Protocol and Analysis
# Smart Card and Physical Security
# Virus and Worms
# WLAN, GPS, HAM Radio, Satellite, RFID and Bluetooth Security
# Analysis of malicious code
# Applications of cryptographic techniques
# Analysis of attacks against networks and machines
# File system security
# Security of Embedded Devices
# Side Channel Analysis of Hardware Devices

PLEASE NOTE:

We do not accept product or vendor related pitches. If your talk
involves an advertisement for a new product or service your company is
offering, please do not submit.

Your submission should include:

# Name, title, address, email and phone/contact number
# Short biography, qualification, occupation (limit 250 words)
# Summary or abstract for your presentation (limit 1250 words)
# Technical requirements (video, internet, wireless, audio, etc.)

Each non-resident speaker will receive accommodation for 2 nights/3
days. For each non-resident speaker, HITB will cover travel expenses up
to USD 1,200.00.

HITBSecConf2009 - Malaysia
http://conference.hackinthebox.org/hitbsecconf2009kl/

In need of LOTS of "sanitized' Sebek Keystrokes

2009-04-11T11:47:08Z

Hey All,

I am trying to write a college paper on various hacker methods and I would like to know if anyone has any sanitized sebek keystroke logs I could use in my paper. All I need is the actual command inputs and any associated process information. Everything else is not required (or better sanitized for privacy sake).

I have to finish my paper by the end of May for school, so anything would be deeply appreciated. I would also be willing to list your organization as a reference source for the use of the keystrokes if so desired.

Thanks,

Seamus

Reminder: RAID 2009 CFP

2009-04-09T12:13:46Z

(We apologize if you receive multiple copies of this message)

================================================================

CALL FOR PAPERS
RAID 2009

12th International Symposium on
Recent Advances in Intrusion Detection 2009

September 23-25, 2009

Saint Malo, Brittany, France

http://www.rennes.supelec.fr/RAID2009/

================================================================

Topics:
-------
This symposium, the 12th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID)
International Symposium series furthers advances in intrusion defense
by promoting the exchange of ideas in a broad range of topics. As in
previous years, all topics related to intrusion detection, prevention
and defense systems and technologies are within scope, including but
not limited to the following:

* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis and containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self protection
* Operational experience and limitations of current approaches
* Intrusion detection assessment and benchmarking
* Attacks against IDS including DoS, evasion, and IDS discovery
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis, risk assessment, and forensics
* Adversarial machine learning for security
* Visualization techniques
* Special environments, including mobile and sensor networks
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation

Important Dates:
----------------
Paper submission deadline: April 5, 2009 (Extended until: April
12, 2009, 23.59 PST)
Paper acceptance or rejection: June 8, 2009
Final paper camera ready copy: June 18, 2009
Poster abstract submission deadline: June 20, 2009
Poster acceptance or rejection: June 28, 2009

Submissions:
------------
RAID 2009 invites two types of submissions:

1. Full papers presenting mature research results or summarizing
operational experience protecting or monitoring large real-world
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html), and include an
abstract and a list of keywords.

2. Posters describing innovative ideas not mature enough for a full
paper and works in progress. A two-page poster abstract formatted as
a full paper with an abstract must be submitted. If accepted, it
will be published in the proceedings and the poster will be presented.

All submissions (papers and poster abstracts) must be submitted
electronically; details will be provided on the conference
web site. Papers should list all authors and their affiliations; in case
of multiple authors, the contact author must be indicated (RAID does not
require anonymized submissions). For accepted papers, it is required
that at least one of the authors attends the conference to present the
paper. Further questions on the submission process may be sent to the
program chair. Submissions must not substantially duplicate work that
any of the authors has published elsewhere or has submitted in parallel
to a journal or to any other conference or workshop with proceedings.
Simultaneous submission of the same work to multiple venues, submission
of previously published work, and plagiarism constitute dishonesty or
fraud. RAID, like other scientific and technical conferences and journals,
prohibits these practices and may, on the recommendation of the program
chair, take action against authors who have committed them.

Organizing Committee:
---------------------
General Chair: Ludovic Me (Supelec, France, Ludovic.Me@...)
Program Chair: Engin Kirda (Eurecom, France, kirda@...)
Program Co-Chair: Somesh Jha (University of Wisconsin, USA, jha@...)
Publication Chair: Davide Balzarotti (Eurecom, France,
balzarotti@...)
Publicity Chair: Corrado Leita (Symantec Research Europe,
Corrado_Leita@...)
Sponsorship Chair: Christophe Bidan (Supelec, France)

Steering Committee:
-------------------
Chair: Marc Dacier (Symantec Research Europe)
Herve Debar (France Telecom R&D)
Deborah Frincke (Pacific Northwest National Lab, USA)
Ming-Yuh Huang (The Boeing Company, USA)
Erland Jonsson (Chalmers)
Wenke Lee (Georgia Institute of Technology)
Ludovic Me (Supelec)
Alfonso Valdes (SRI International)
Giovanni Vigna (University of California, Santa Barbara)
Andreas Wespi (IBM Research, Switzerland)
S. Felix Wu (University of California, Davis)
Diego Zamboni (IBM Research, Switzerland)
Christopher Kruegel (University of California, Santa Barbara)

Program Committee:
-------------------

Anil Somayaji, Carleton University, Canada
Benjamin Morin, Central Directorate for Information System Security (DCSSI),
France
Christopher Kruegel, University of California, Santa Barbara, USA
Collin Jackson, Stanford University, USA
Corrado Leita, Symantec Research Europe, France
David Brumley, Carnegie Mellon University, USA
Davide Balzarotti, Eurecom, France
Dongyan Xu, Purdue University, USA
Engin Kirda, Eurecom, France
Giovanni Vigna, University of California, Santa Barbara, USA
Guevara Noubir, North Eastern University, USA
Guofei Gu, Texas A & M University, USA
Jaeyeon Jung, Intel Research, USA
John Viega, Stonewall Software, USA
Jonathan Giffin, Georgia Institute of Technology, USA
Jouni Viinikka, Orange Labs, France
Kathy Wang, MITRE
Manuel Costa, Microsoft Research, Cambridge, UK
Michael Bailey, University of Michigan, USA
Mihai Christodorescu, IBM T.J. Watson, USA
R. Sekar, Stoney Brook University, USA
Radu State, University of Luxembourg, Luxembourg
Robert Cunningham, MIT Lincoln Labs
Robin Sommer, International Computer Science Institute, USA
Somesh Jha, University of Wisconsin, USA
Sotiris Ioannidis, FORTH, Greece
Thorsten Holz, University of Mannheim, Germany
Olivier Festor, INRIA Nancy, France
Xuxian Jiang, North Carolina State University, USA

Student Scholarships:
---------------------

RAID 2009 is planning to offer student scholarships to reduce
symposium attendance costs. Students should visit the web site
(http://www.rennes.supelec.fr/RAID2009/) to learn about the possible
availability of scholarships and application deadlines.

Re: Stealth VM

2009-04-06T02:44:40Z

2008/10/6 Stuart Gilchrist-Thomas <stuartpaulthomas@...>:

> Hi,
>
> Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honey pots. I know of temporal issues e.g. Timing metrics can give away a VM, and that you can manually alter peripheral identities e.g. virtual network cards etc.
> I've also created a company to purchase ip and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)
>
> Many thanks.
>
> ---
> Sent whilst mobile.
>
> -original message-
> Subject: Re: Honeypot VMs
> From: pinowudi <pinowudi@...>
> Date: 06/10/2008 00:13
>
> HPC
>
> http://www.honeyclient.org/trac
>
> Jason Lewis wrote:
>> Are there any honeypot VM resources? I've seen the SPARSA one, but the
>> link is dead.
>>
>> jas
>>
>
>

Hi Stuart,

last year I wrote on my blog an article about VM detection. It's in
spanish... but shell commands are an universal language ;-)

http://danteslab.blogspot.com/2008/03/deteccin-de-mquinas-virtuales.html

I hope you like it.

Regards,

--
Dante
(http://danteslab.blogspot.com/)

EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)

2009-04-01T14:40:49Z

Call For Papers

The EUSecWest 2009 CFP is now open.

Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the
following week for SSTIC.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
April 7th, 2009.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you
have a proposal for a tutorial session then please email
a synopsis of the material and your biography, papers
and, speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text
does not have to be submitted - but will be accepted if
available.

The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.

cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

CFP RAID 2009 - extended deadline

2009-04-01T01:50:07Z

(We apologize if you receive multiple copies of this message)

EXTENDED DEADLINE FOR PAPER SUBMISSION: April 12, 2009

================================================================

CALL FOR PAPERS
RAID 2009

12th International Symposium on
Recent Advances in Intrusion Detection 2009

September 23-25, 2009

Saint Malo, Brittany, France

http://www.rennes.supelec.fr/RAID2009/

================================================================

Topics:
-------
This symposium, the 12th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID)
International Symposium series furthers advances in intrusion defense
by promoting the exchange of ideas in a broad range of topics. As in
previous years, all topics related to intrusion detection, prevention
and defense systems and technologies are within scope, including but
not limited to the following:

* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis and containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self protection
* Operational experience and limitations of current approaches
* Intrusion detection assessment and benchmarking
* Attacks against IDS including DoS, evasion, and IDS discovery
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis, risk assessment, and forensics
* Adversarial machine learning for security
* Visualization techniques
* Special environments, including mobile and sensor networks
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation

Important Dates:
----------------
Paper submission deadline: April 5, 2009 (Extended until: April
12, 2009, 23.59 PST)
Paper acceptance or rejection: June 8, 2009
Final paper camera ready copy: June 18, 2009
Poster abstract submission deadline: June 20, 2009
Poster acceptance or rejection: June 28, 2009

Submissions:
------------
RAID 2009 invites two types of submissions:

1. Full papers presenting mature research results or summarizing
operational experience protecting or monitoring large real-world
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html), and include an
abstract and a list of keywords.

2. Posters describing innovative ideas not mature enough for a full
paper and works in progress. A two-page poster abstract formatted as
a full paper with an abstract must be submitted. If accepted, it
will be published in the proceedings and the poster will be presented.

All submissions (papers and poster abstracts) must be submitted
electronically; details will be provided on the conference
web site. Papers should list all authors and their affiliations; in case
of multiple authors, the contact author must be indicated (RAID does not
require anonymized submissions). For accepted papers, it is required
that at least one of the authors attends the conference to present the
paper. Further questions on the submission process may be sent to the
program chair. Submissions must not substantially duplicate work that
any of the authors has published elsewhere or has submitted in parallel
to a journal or to any other conference or workshop with proceedings.
Simultaneous submission of the same work to multiple venues, submission
of previously published work, and plagiarism constitute dishonesty or
fraud. RAID, like other scientific and technical conferences and journals,
prohibits these practices and may, on the recommendation of the program
chair, take action against authors who have committed them.

Organizing Committee:
---------------------
General Chair: Ludovic Me (Supelec, France, Ludovic.Me@...)
Program Chair: Engin Kirda (Eurecom, France, kirda@...)
Program Co-Chair: Somesh Jha (University of Wisconsin, USA, jha@...)
Publication Chair: Davide Balzarotti (Eurecom, France,
balzarotti@...)
Publicity Chair: Corrado Leita (Symantec Research Europe,
Corrado_Leita@...)
Sponsorship Chair: Christophe Bidan (Supelec, France)

Steering Committee:
-------------------
Chair: Marc Dacier (Symantec Research Europe)
Herve Debar (France Telecom R&D)
Deborah Frincke (Pacific Northwest National Lab, USA)
Ming-Yuh Huang (The Boeing Company, USA)
Erland Jonsson (Chalmers)
Wenke Lee (Georgia Institute of Technology)
Ludovic Me (Supelec)
Alfonso Valdes (SRI International)
Giovanni Vigna (University of California, Santa Barbara)
Andreas Wespi (IBM Research, Switzerland)
S. Felix Wu (University of California, Davis)
Diego Zamboni (IBM Research, Switzerland)
Christopher Kruegel (University of California, Santa Barbara)

Program Committee:
-------------------

Anil Somayaji, Carleton University, Canada
Benjamin Morin, Central Directorate for Information System Security (DCSSI),
France
Christopher Kruegel, University of California, Santa Barbara, USA
Collin Jackson, Stanford University, USA
Corrado Leita, Symantec Research Europe, France
David Brumley, Carnegie Mellon University, USA
Davide Balzarotti, Eurecom, France
Dongyan Xu, Purdue University, USA
Engin Kirda, Eurecom, France
Giovanni Vigna, University of California, Santa Barbara, USA
Guevara Noubir, North Eastern University, USA
Guofei Gu, Texas A & M University, USA
Jaeyeon Jung, Intel Research, USA
John Viega, Stonewall Software, USA
Jonathan Giffin, Georgia Institute of Technology, USA
Jouni Viinikka, Orange Labs, France
Kathy Wang, MITRE
Manuel Costa, Microsoft Research, Cambridge, UK
Michael Bailey, University of Michigan, USA
Mihai Christodorescu, IBM T.J. Watson, USA
R. Sekar, Stoney Brook University, USA
Radu State, University of Luxembourg, Luxembourg
Robert Cunningham, MIT Lincoln Labs
Robin Sommer, International Computer Science Institute, USA
Somesh Jha, University of Wisconsin, USA
Sotiris Ioannidis, FORTH, Greece
Thorsten Holz, University of Mannheim, Germany
Olivier Festor, INRIA Nancy, France
Xuxian Jiang, North Carolina State University, USA

Student Scholarships:
---------------------

RAID 2009 is planning to offer student scholarships to reduce
symposium attendance costs. Students should visit the web site
(http://www.rennes.supelec.fr/RAID2009/) to learn about the possible
availability of scholarships and application deadlines.

CFP RAID 2009

2009-03-24T07:18:20Z

CALL FOR PAPERS
RAID 2009

12th International Symposium on
Recent Advances in Intrusion Detection 2009

September 23-25, 2009

Saint Malo, Brittany, France

http://www.rennes.supelec.fr/RAID2009/

================================================================

Topics:
-------
This symposium, the 12th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID)
International Symposium series furthers advances in intrusion defense
by promoting the exchange of ideas in a broad range of topics. As in
previous years, all topics related to intrusion detection, prevention
and defense systems and technologies are within scope, including but
not limited to the following:

* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis and containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self protection
* Operational experience and limitations of current approaches
* Intrusion detection assessment and benchmarking
* Attacks against IDS including DoS, evasion, and IDS discovery
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis, risk assessment, and forensics
* Adversarial machine learning for security
* Visualization techniques
* Special environments, including mobile and sensor networks
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation

Important Dates:
----------------
Paper submission deadline: April 5, 2009
Paper acceptance or rejection: June 8, 2009
Final paper camera ready copy: June 18, 2009
Poster abstract submission deadline: June 20, 2009
Poster acceptance or rejection: June 28, 2009

Submissions:
------------
RAID 2009 invites two types of submissions:

1. Full papers presenting mature research results or summarizing
operational experience protecting or monitoring large real-world
networks. Papers can be 10-20 pages long and, if accepted, they will
be presented and included in the RAID 2009 proceedings published by
Springer Verlag in its Lecture Notes in Computer Science
(http://www.springer.de/comp/lncs/index.html) series. Papers must be
formatted according to the instructions provided by Springer Verlag
(http://www.springer.de/comp/lncs/authors.html), and include an
abstract and a list of keywords.

2. Posters describing innovative ideas not mature enough for a full
paper and works in progress. A two-page poster abstract formatted as
a full paper with an abstract must be submitted. If accepted, it
will be published in the proceedings and the poster will be presented.

All submissions (papers and poster abstracts) must be submitted
electronically; details will be provided on the conference
web site. Papers should list all authors and their affiliations; in case
of multiple authors, the contact author must be indicated (RAID does not
require anonymized submissions). For accepted papers, it is required
that at least one of the authors attends the conference to present the
paper. Further questions on the submission process may be sent to the
program chair. Submissions must not substantially duplicate work that
any of the authors has published elsewhere or has submitted in parallel
to a journal or to any other conference or workshop with proceedings.
Simultaneous submission of the same work to multiple venues, submission
of previously published work, and plagiarism constitute dishonesty or
fraud. RAID, like other scientific and technical conferences and journals,
prohibits these practices and may, on the recommendation of the program
chair, take action against authors who have committed them.

Organizing Committee:
---------------------
General Chair: Ludovic Me (Supelec, France, Ludovic.Me@...)
Program Chair: Engin Kirda (Eurecom, France, kirda@...)
Program Co-Chair: Somesh Jha (University of Wisconsin, USA, jha@...)
Publication Chair: Davide Balzarotti (Eurecom, France,
balzarotti@...)
Publicity Chair: Corrado Leita (Symantec Research Europe,
Corrado_Leita@...)
Sponsorship Chair: Christophe Bidan (Supelec, France)

Steering Committee:
-------------------
Chair: Marc Dacier (Symantec Research Europe)
Herve Debar (France Telecom R&D)
Deborah Frincke (Pacific Northwest National Lab, USA)
Ming-Yuh Huang (The Boeing Company, USA)
Erland Jonsson (Chalmers)
Wenke Lee (Georgia Institute of Technology)
Ludovic Me (Supelec)
Alfonso Valdes (SRI International)
Giovanni Vigna (University of California, Santa Barbara)
Andreas Wespi (IBM Research, Switzerland)
S. Felix Wu (University of California, Davis)
Diego Zamboni (IBM Research, Switzerland)
Christopher Kruegel (University of California, Santa Barbara)

Program Committee:
-------------------

Anil Somayaji, Carleton University, Canada
Benjamin Morin, Central Directorate for Information System Security (DCSSI),
France
Christopher Kruegel, University of California, Santa Barbara, USA
Collin Jackson, Stanford University, USA
Corrado Leita, Symantec Research Europe, France
David Brumley, Carnegie Mellon University, USA
Davide Balzarotti, Eurecom, France
Dongyan Xu, Purdue University, USA
Engin Kirda, Eurecom, France
Giovanni Vigna, University of California, Santa Barbara, USA
Guevara Noubir, North Eastern University, USA
Guofei Gu, Texas A & M University, USA
Jaeyeon Jung, Intel Research, USA
John Viega, Stonewall Software, USA
Jonathan Giffin, Georgia Institute of Technology, USA
Jouni Viinikka, Orange Labs, France
Kathy Wang, MITRE
Manuel Costa, Microsoft Research, Cambridge, UK
Michael Bailey, University of Michigan, USA
Mihai Christodorescu, IBM T.J. Watson, USA
R. Sekar, Stoney Brook University, USA
Radu State, University of Luxembourg, Luxembourg
Robert Cunningham, MIT Lincoln Labs
Robin Sommer, International Computer Science Institute, USA
Somesh Jha, University of Wisconsin, USA
Sotiris Ioannidis, FORTH, Greece
Thorsten Holz, University of Mannheim, Germany
Olivier Festor, INRIA Nancy, France
Xuxian Jiang, North Carolina State University, USA

Student Scholarships:
---------------------

RAID 2009 is planning to offer student scholarships to reduce
symposium attendance costs. Students should visit the web site
(http://www.rennes.supelec.fr/RAID2009/) to learn about the possible
availability of scholarships and application deadlines.

Workshop on the Analysis of System Logs (WASL) Oct 14, 2009

2009-03-23T11:52:08Z

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com
Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

FULL PAPER SUBMISSION: Monday, June 29th, 2009
AUTHOR NOTIFICATION: Monday, July 27, 2009
FINAL PAPERS DUE: Monday, September 14, 2009
--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs. Topics include but are not limited to:
o Reports on publicly available sources of sample log data.
o Log anonymization
o Log feature detection and extraction
o Prediction of malfunction or misuse based on log data
o Statistical techniques to characterize log data
o Applications of Natural-Language Processing (NLP) to logs
o Scalable log compression
o Log comparison techniques
o Methods to enhance and standardize log semantics
o System diagnostic techniques
o Log visualization
o Analysis of services (problem ticket) logs
o Applications of log analysis to system administration

Papers limited to 6 2-column pages using >=10pt font.

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University

Honeynet Project GSoC - Looking For Students

2009-03-23T05:45:01Z

Folks,

As some of you may already know, the Honeynet Project was selected as
a mentoring organization for Google's annual Summer of Code event[1].
This event, sponsored by Google, funds students to develop and share
opensource code with the community. If you are interested in such an
event, and being funded by Google, we suggest you consider one of the
many research and development projects sponsored by the Honeynet
Project. All of these projects are honeypot related and mentored by
some of the top leaders in honeypot research. Learn more at

http://www.honeynet.org/gsoc

Applications start Monday, 23 March through Google.

Thanks!

lance

[1] http://socghop.appspot.com/

HITB2009 - Dubai: Conference Agenda & Noteworthy Presentations

2009-03-13T17:47:57Z

The agenda for HITBSecConf2009 - Dubai is now online along with details
on both the conference keynote sessions. There are still another 4 more
weeks to grab your seats to the GCC's premier network security event!

Keynote 1 - Philippe Langlois (Founder, Qualys / Intrinsec / TSTF)
"From Hacking, Startups to HackLabs: Global Perspective and New Fields"

Keynote 2 - Mark Curphey (Director CISG, Microsoft Corp)
"Security Cogs and Levers"

Other noteworthy papers:

# Cross Domain Leakiness: Divulging Sensitive Information and Attacking
SSL Sessions - Chris Evans and Billy Rios

# VBootKit 2.0 - Attacking Windows 7 via Boot Sectors - Vipin & Nitin Kumar

# The Reverse Engineering Intermediate Language REIL and its
Applications - Sebastian Porst

# Pickpocketing mWallets: A Guide to Looting Mobile Financial Services -
The Grugq

# Psychotronica: Exposure, Control, and Deceit - Nitesh Dhanjani

# NKill - The Internet Killboard - Anthony 'kugutsumen' Zboralski

This is a new tool which gives attackers the ability to discover
interesting relationships between seemingly unrelated hosts and
companies and to pull vulnerable hosts for a specific domain, company or
even an entire country!

===

Conference Agenda:
http://conference.hackinthebox.org/hitbsecconf2009dubai/agenda.htm

===

On a related note, the conference videos from HITB2007 Malaysia that
were previously available only through Bit Torrent are now available for
streaming direct from Google Video:

http://video.google.com/videosearch?q=HITBSecConf2007&emb=0&aq=f#q=HITBSecConf2007+Malaysia

High interaction honeypot

2009-03-06T04:10:08Z

Hi everyone

I need to setup a high interaction honeypot running ssh/ftp/telnet etc services and log probes/attacks. so far all i have read involves Honeynet ROO cd but due to lack of equipments, i wont be able to use that cd. so i was wondering if anyone knew of set of software that i could use to set up my own high interaction honeypot. a set of tools to monitor ports, log keystrokes and typed commands etc..

any help is highly appreciated.

p.s im planning to setup a Linux honeypot.

Workshop on the Analysis of System Logs (WASL) Oct 14, 2009

2009-03-01T13:30:16Z

Workshop on the Analysis of System Logs (WASL) 2009

Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

FULL PAPER SUBMISSION: Monday, June 29th, 2009
AUTHOR NOTIFICATION: Monday, July 27, 2009
FINAL PAPERS DUE: Monday, September 14, 2009
--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs. Topics include but are not limited to:
o Reports on publicly available sources of sample log data.
o Log anonymization
o Log feature detection and extraction
o Prediction of malfunction or misuse based on log data
o Statistical techniques to characterize log data
o Applications of Natural-Language Processing (NLP) to logs
o Scalable log compression
o Log comparison techniques
o Methods to enhance and standardize log semantics
o System diagnostic techniques
o Log visualization
o Analysis of services (problem ticket) logs
o Applications of log analysis to system administration

Papers limited to 6 2-column pages using >=10pt font.

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University

CanSecWest 2009 Speakers and Dojo courses (Mar 14-20)

2009-02-15T18:54:24Z

Final Speaker Lineup for CanSecWest 2009 (March 18-20):
===============================================

The Smart-Phones Nightmare - Sergio 'shadown' Alvarez

Getting into the SMRAM: SMM Reloaded - Loíc Duflot

Network design for effective HTTP traffic filtering - Jeff "rfp"
Forristal, Zscaler

Ninja Scanning - Fyodor, Insecure.org

On Approaches and Tools for Automated Vulnerability Analysis - Tanmay
Ganacharya & Nikola Livic & Abhishek Singh & Swapnil Bhalode & Scott
Lambert, Microsoft

Kicking It Old School: No DNS Packets Were Harmed In The Making Of
This Presentation - Dan Kaminski, IOActive

Binary Clone Wars: Software Whitelisting for Malware Prevention and
Coordinated Incident Response. - Shane Macaulay, Sean Comeau, and
Derek Callaway, Security Objectives

.NET Rootkits - Erez Metula

The Evolution of Microsoft's Exploit Mitigations - Matt Miller and Tim
Burrell, Microsoft

An overview of the state of videogame console security. - Victor Muñoz

A Look at a Modern Mobile Security Model: Google's Android - Jon
Oberheide

Bug classes we have found in *BSD, OS X and Solaris kernels - Christer
Oberg and Neil Kettle, Convergent Network Solutions

Multiplatform Iphone/Android Shellcode, and other smart phone
insecurities - Alfredo Ortega and Nico Economou, Core

Platform-independent static binary code analysis using a meta-assembly
language - Sebastian Porst & Thomas "halvar" Dullien, zynamics

Persistent BIOS Infection - Anibal Sacco & Alfredo Ortega, Core

Decompiling Dalvik and other JavaFX - Marc Schoenefeld

Automated Real-time and Post Mortem Security Crash Analysis and
Categorization - Jason Shirk & Dave Weinstein, Microsoft

SSL, The Sequel: MD5 collisions and EV certificates - Alexander
Sotirov & Mike Zusman

Exploiting Unicode-enabled software - Chris Weber

Chinese Infosec & Malware Overview - Wei "icbm" Zhao, 365menshen

Hacking Macs for Fun and Profit - Dino Dai Zovi & Charlie Miller

...and a variety of lightning talks...

Security Masters Dojo courses (March 14-17):
====================================

Metasploit: Asymmetric Warfare - H D Moore, BreakingPoint Systems

Advanced Honeypots - Thorsten Holz

IPv6 Network Security - Nico Fishbach & Guillaume Valadon, COLT & CNRS

Ultimate Web Hacking (One Day Edition) - Mike Andrews, Foundstone

TCP/IP Network Security In Depth - Andrea Barisani, inverse path

Effective Fuzzing using the Peach Fuzzing Platform - Michael
Eddington, Leviathan Security

Secure Java Programming and Auditing - Marc Schoenefeld

Practical 802.11 WiFi (In)Security - Cédric Blancher, EADS

Q/SSE Qualified/ Software Security Expert Certification Bootcamp -
Security University

Q/SA Qualified Security Analyst Penetration Tester - Security University

Advanced Linux Hardening - Andrea Barisani & Jay Beale, inverse path &
Intelguardians

Physical Security and Lock Technology - Deviant Ollam

The Exploit Laboratory - Advanced Edition - Saumil Shah, Net-Square

Mastering the Network with Scapy - Phillipe Biondi, EADS

Pwn2Own Contests:
================

There will be TWO Pwn2Own contests this year.
Generous cash prize(s) for exploits will be sponsored by Tipping Point,
and a Sony VAIO P fresh from Japan and a new loaded Apple Macbook
will be amongst the prizes.

The targets this year will be mobile smart-phones, and browsers.

Mobile targets:
iPhone
Android
Symbian
RIM/BlackBerry
Windows Mobile

Browser Targets:
IE8
FF3
Safari
Opera

The contest will like in previous years feature a progressively
expanding attack surface over the three day duration of the
conference. Final prizes and rules will be announced shortly.

Post-Conference Whistler Expedition:
=============================

We have secured some rooms at good rates at the Westin in Whistler
and reserved a cluster of four, 3-5 bedroom, cabins for the weekend
after the conference. Contact dr@... if you wish to be included
in the planning, final accommodation rates will be announced shortly.

Conference Hotel Block:
===================

The room rates at the Sheraton Wall Center hotel where the conference
is being held have been reduced from $183 to $169, and still includes
a waived $15/day free internet access in the rate.

Tenth Anniversary Gala Event:
========================

Since this is our tenth anniversary for the conference, we will
be having a party on Thursday night. Venue TBD. We're pretty
sure there will be a cake. No word yet on whether there will
be dancers inside it. ;-)

Day-Care Facilities will be available:
=============================

As a nod to the shifting demographic of early gen. security
researchers we will be trying a new experiment this year
and we will be providing day-care facilities for those
traveling with kids. We will try to arrange some group
discounts with our provider once we know how many
kids and what ages and times will have to be
accommodated. If you are interested in this service
please send a note to yuriko@... and let
her know ages and times.

We will try to get them started on exploit writing
courses for pre-schoolers :-). Does this mean
we are all grown up now?

It promises to be another fun conference again this
year. See you all there.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp