While the quantity of submissions for FC10 was lower than usual - we had expected this because of the amount of work required to submit plus being over the Christmas break - the quality of the solutions was really inspiring.
Of course the hardest part was deciding the winners, and as expected the traditional scoring method was not ideal for this type of challenge, because the challenge was about creating and developing ideas rather than just answering a number of dry questions. Quite a few people used the challenge not so much to win a prize, but to have fun, develop an idea they've had, practise on some real datasets, learn, and teach. This was exactly the spirit we'd hoped for, so thanks to everyone for putting in a big effort.
The Winners and their solutions:
Fabian Fischer - solution
Chris Horsley - solution
Fraser Scott - solution
Dan Gleebits - solution
Johnathan Tracz - solution
The standout theme in the submissions for me was the use of interactive and flexible tools to analyse the data. As we move further into the big data world, it's going to be imperative to get inside the data interactively to understand it. Some of the solutions focused on developing brand new applications/frameworks to explore data sets interactively - check out the submissions from Fabian and Chris as really good examples of this. Fraser put forward the idea of rendering images in 3D, which is not that far-out an idea actually. Why not?
We hope that this challenge was enjoyable for those who participated, and for those downloading the submissions for inspiration. These challenges have a long legacy, we see people downloading, attempting and referencing these challenges and the solutions for education purposes years afterwards, so they are an important program at the Honeynet Project.
It would be great to see solutions to future forensic challenges use visualization, not only to analyse and detect trends, but also to describe the problem space to the layperson. With that said - the next Forensic challenge, FC11 should be released shortly - so stay tuned.
And lastly, if anyone wants to develop their ideas further, a good way (i.e. get paid if you are accepted!) is to get involved in our upcoming Google Summer of Code program GSOC12
Head on over to the main GSOC blog to see some updates from a project that I've been mentoring through the Honeynet Project Google Summer of Code (GSOC) 2011 program. It is now halfway through the program and while there is still lots of work to do, the results are starting to surface. Have a sneak peek (you'll need Chrome or Firefox) at the interactive malware globe prototype while it is still on ogzy's site, and here is a snapshot of it.
The Australian Chapter contributed to the workshop by presenting on VOIP security during the public day and a demonstration on creating time-animated geographic heatmaps of malicious IPs.
Highlights for me were:
Thanks, and congratulations go to all those Honeynet project members involved in organizing this event, and thanks to the ESIEA Engineering School in Paris for providing the facility.
With the increase in popularity of VOIP telephony, attacks are becoming more prevalent. The compromise of a VOIP system can cost the victim over $100,000 in real cash. For example, an Australian-based company suffered $120,000 in toll fraud as a result of a VOIP compromise.
Combining two of our interest areas (VOIP attacks and visualization), I compiled a video through Dataviz Australia which is intended to be a high-level (if somewhat stylized) visualization of the early stages of a cyber criminal compromising a VOIP system.
Following is a brief summary of our activity and contributions during 2010:
2010 saw the addition of David Zielezna as a contributor to the Project.
We are now:
- Shaun Vlassis, HP full member, Chapter lead.
- Ben Reardon, HP full member, member of the HP Public Relations and Membership committees.
- David Zielezna, Contributor, and in charge of AHP infrastructure.
2010 Annual Honeynet project workshop, Mexico City
Shaun and Ben attended the 2010 Annual workshop and presented to the group on VOIP attacks and honeypots, development of malware data visualization techniques, and defacement tracking.
Forensic challenge 4
Development of Forensic challenge FC4, which dealt with VOIP attacks.
Participation as a co-admin and mentor for the Honeynet Project's Google-funded GSOC 2010 initiative.
We were pleased to see work on VOIP attack analysis referenced in an academic paper delivered at the Australian Digital Forensics Conference by Craig Valli, "An Analysis of Malfeasant Activity Directed at VoIP Honeypots".
Highlights of 2010
Goals for 2011
Crooks use any communication medium available to them, and SMS is no exception. We've seen malware and phishing attempts using SMS in the past, although it hasn't seemed all that common in the last year.
Last week, though, I received a couple of these spam messages via SMS while overseas (on my roaming Australian phone number).
Do you get much SMS spam? What do you do with it?
In Australia, you can report SMS spam to ACMA by simply forwarding the SMS to their number. They automatically acknowledge receipt and action them as appropriate. You can find more about this service at the ACMA website.
As an aside, I'm wondering whether the fact that I was in another country adds to the usual jurisdictional issues that arise in the cybercrime world, i.e. assuming that some sort of crime has occurred, where did it occur? Whose law prevails? This normally matters a lot in terms of which jurisdiction should take action. Who should investigate?
- The country of the relay (Australia)?
- The country where I received the spam (in Asia)?
- The country where the sending phone number/email resides (Ghana)?
- The country where the advertised phone number is (UK)?
- The country of the email supplier (AOL)?
It's time for another quick analysis of a prevalent SIP scanner that has been active for the last 4-5 months. It is particularly interesting because it is spreading like a worm, seems to use multiple scanning techniques (SSH and SIP) and acts like a botnet.
This scanner is likely responsible for the uptick in port 5060 (SIP) scanning noted on this SANS Internet Storm Center diary entry. We noticed this scanner first hit our honeypots on July 8, at the same time SANS posted the note about a significant increase in UDP port 5060 (SIP) scanning.
First of all, here is a redacted version of the contents of a typical scan:
Datetime: 2010-07-09 hh.mm.ss
OPTIONS sip:100@honeypot_IP_removed SIP/2.0
Via: SIP/2.0/UDP 192.168.1.9:5060;branch=zqwehwebK-0523432245;rport
From: "sipsscuser"<sip:[email protected]>; tag=removed
To: "sipssc"<sip:[email protected]>
Contact: sip:[email protected]:5060
CSeq: 1 OPTIONS
Note that the order and layout of the SIP headers is very similar to that of the sipvicious tool, which I described in an earlier blog entry. This suggests that a modified version of sipvicious is being used. It is trivial to modify sipvicious in this way, just by changing the Python script. The differences from stock sipvicious are:
- "sundayddr" replaces the usual "friendly-scanner" in the User-Agent header
- "sipsscuser" replaces the usual "sipvicious" in the From header
- The source extension is now set to [email protected], changed from [email protected] in the original sipvicious tool.
As of the time of writing (the analysis and graphics were done in early August), we have detected these scans coming from hundreds more IP addresses. This indicates we are dealing with a botnet, not the opportunistic scans from single IPs that we more often see. It is technically possible that UDP source-address spoofing could be the cause of these multiple IPs, but it is reasonable to rule this out here: spoofing the UDP messages would make no sense for the attacker, because the responses to the SIP scan would go to the spoofed address rather than back to the scanner.
Although we haven't located the kit responsible for this, here is a theory put forward by a security colleague, which is fairly strongly supported by our results: the scanning network most likely consists of Unix-like systems that offer SSH login and that have weak passwords that can easily be brute-forced, and the sequence of events may be as follows.
This scanner is still very active today. An IP from China scanned one of our Australian honeypots as I was writing this, on 27 October 2010.
Using a self-propagating, botnet-like infrastructure is just another evolution of malicious SIP scanning, and it is evident that more and more development is being put into systems that can automate the discovery of vulnerable SIP servers for subsequent nefarious use.
Security professionals and system administrators are aware of the well-known problems associated with "open mail relays". Spammers actively seek out these poorly configured email servers, and then take advantage of them by getting the relays to send out vast amounts of spam.
However, probably not many know that a very similar concept exists in the world of VOIP. Here, crooks scan for VOIP servers that are so poorly configured that they accept and re-route (relay) incoming calls without carrying out proper checks on the source, blindly relaying these calls through either the victim's ISP or the PSTN (non-VOIP) network. The concept is also similar to a "default route", in that if the VOIP server doesn't know the number being called, it will just re-route the call. The crooks then simply sell time/calls on this system on the underground market, and the victim picks up the bill at the next monthly billing cycle, whereupon the amount can be staggering. For example, in 2009 a Perth business was left with a phone bill of $120,000 after 11,000 calls were made through their compromised VOIP system; read the story here.
In 2008, open SIP relay scanning activity was noted in Germany, and an excellent write up can be found here.
In the last 4 days, our Australian-based SIP honeypot has detected this same activity. It seems that this group (or groups) is currently scanning Australian IP space in an attempt to find these open relays, to use at a later stage.
The following is an example of the activity of an open relay scanner currently doing the rounds in the Australian IP space.
Datetime: 2010-09-16 22:02:52.041018
INVITE sip:001133155xxxxxx@honeypot_ip_removed;transport=udp SIP/2.0
Via: SIP/2.0/UDP 22.214.171.124:2452;branch=1010110111000011111110101111011
CSeq: 1 INVITE
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
o=- 16264 18299 IN IP4 honeypot_ip_removed
s=CounterPath eyeBeam 1.5
c=IN IP4 honeypot_ip_removed
m=audio 33478 RTP/AVP 18 0 8 101
Note the following:
This is just another sign that the crooks are actively scanning for vulnerable VOIP servers, and Australia is certainly not escaping their attention. Now may be a good time to conduct a review and/or pentest of your VOIP systems.
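To make the two observations above concrete, here is an added example (my illustration for this post, not the chapter's honeypot code) that classifies SIP requests captured by a honeypot. It does two things: fingerprints the sundayddr variant of sipvicious by its changed User-Agent and From display name while confirming that its header order matches stock sipvicious, and flags INVITEs that probe for an open relay by dialling an international number that is not a local extension. The sample messages are constructed, modelled on the redacted captures above; the honeypot and scanner addresses use RFC 5737 documentation ranges, and the User-Agent line on the sundayddr sample is the one the analysis mentions but the redacted excerpt omits.

```python
"""Classify SIP requests captured by a honeypot (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CRLF = "\r\n"

# Constructed sample: sundayddr OPTIONS scan, per the earlier analysis.
SUNDAYDDR_OPTIONS = CRLF.join([
    "OPTIONS sip:100@203.0.113.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.9:5060;branch=zqwehwebK-0523432245;rport",
    'From: "sipsscuser"<sip:100@198.51.100.9>; tag=3a1f',
    'To: "sipssc"<sip:100@198.51.100.9>',
    "Contact: sip:100@198.51.100.9:5060",
    "CSeq: 1 OPTIONS",
    "User-Agent: sundayddr",
    "Content-Length: 0", "", "",
])

# Constructed sample: unmodified sipvicious OPTIONS scan, same header order.
SIPVICIOUS_OPTIONS = CRLF.join([
    "OPTIONS sip:100@203.0.113.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.9:5060;branch=z9hG4bK-1840392716;rport",
    'From: "sipvicious"<sip:100@1.1.1.1>; tag=9c0e',
    'To: "sipvicious"<sip:100@1.1.1.1>',
    "Contact: sip:100@1.1.1.1:5060",
    "CSeq: 1 OPTIONS",
    "User-Agent: friendly-scanner",
    "Content-Length: 0", "", "",
])

# Constructed sample: open-relay probe modelled on the INVITE above
# (0011 is the Australian international prefix, 33 is France).
RELAY_INVITE = CRLF.join([
    "INVITE sip:0011331550000001@203.0.113.5;transport=udp SIP/2.0",
    "Via: SIP/2.0/UDP 198.51.100.7:2452;branch=z9hG4bK-7a2c",
    'From: "1000"<sip:1000@203.0.113.5>;tag=5b2d',
    "To: <sip:0011331550000001@203.0.113.5>",
    "CSeq: 1 INVITE",
    "User-Agent: eyeBeam release 1003s stamp 31159",
    "Content-Length: 0", "", "",
])

# Constructed sample: an ordinary call to a local extension.
LOCAL_INVITE = CRLF.join([
    "INVITE sip:101@203.0.113.5 SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.20:5060;branch=z9hG4bK-0f11",
    'From: "Alice"<sip:100@203.0.113.5>;tag=77aa',
    "To: <sip:101@203.0.113.5>",
    "CSeq: 1 INVITE",
    "Content-Length: 0", "", "",
])


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: List[Tuple[str, str]]   # (lower-cased name, value), in wire order


def parse_sip(raw: str) -> SipRequest:
    """Minimal request parser: request line plus headers up to the blank line.
    Folded (continuation) header lines are not handled."""
    head, _, _body = raw.partition(CRLF + CRLF)
    lines = head.splitlines()
    method, uri, _version = lines[0].split(maxsplit=2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return SipRequest(method.upper(), uri, headers)


def header(req: SipRequest, name: str) -> str:
    return next((v for n, v in req.headers if n == name.lower()), "")


def header_order(req: SipRequest) -> Tuple[str, ...]:
    """Header layout is a fingerprint in itself: a renamed tool keeps its order."""
    return tuple(n for n, _ in req.headers)


def display_name(value: str) -> str:
    m = re.match(r'\s*"([^"]*)"', value)
    return m.group(1) if m else ""


# (User-Agent, From display name) pairs from the two scans described above.
SCANNER_SIGNATURES = {
    "sipvicious": ("friendly-scanner", "sipvicious"),
    "sundayddr": ("sundayddr", "sipsscuser"),
}


def fingerprint_scanner(req: SipRequest) -> Optional[str]:
    ua = header(req, "User-Agent").lower()
    frm = display_name(header(req, "From")).lower()
    for name, (sig_ua, sig_from) in SCANNER_SIGNATURES.items():
        if ua == sig_ua or frm == sig_from:
            return name
    return None


# Called party starting with an international prefix (00, hence also 0011) or E.164 '+'.
INTERNATIONAL = re.compile(r"^(?:\+|00)\d{6,}$")


def called_party(uri: str) -> str:
    m = re.match(r"sips?:([^@;>]+)", uri)
    return m.group(1) if m else ""


def is_relay_probe(req: SipRequest, local_extensions=frozenset()) -> bool:
    """An INVITE for an international number that is not one of our extensions."""
    if req.method != "INVITE":
        return False
    number = called_party(req.uri)
    return number not in local_extensions and bool(INTERNATIONAL.match(number))


def classify(raw: str, local_extensions=frozenset()) -> str:
    req = parse_sip(raw)
    tag = fingerprint_scanner(req)
    if tag:
        return f"scanner:{tag}"
    if is_relay_probe(req, local_extensions):
        return "relay-probe"
    return "other"


if __name__ == "__main__":
    for label, msg in [("sundayddr", SUNDAYDDR_OPTIONS), ("sipvicious", SIPVICIOUS_OPTIONS),
                       ("relay", RELAY_INVITE), ("local", LOCAL_INVITE)]:
        print(label, "->", classify(msg, {"100", "101"}))
```

Two caveats when running this against real captures: the User-Agent and From values are attacker-controlled and trivially changed (that is the whole point of the sundayddr rename), so the header-order comparison is the more durable signal; and for the relay check, the number the honeypot sees in the Request-URI is only a probe, so the real risk assessment is whether your production PBX would have routed that same INVITE without authenticating the source.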
Over the last month, I delivered presentations on the following topics:
- The Honeynet Project
- VOIP security and honeypot deployments and attack results
- VOIP attacker/defender demonstrations
- Examples of data visualization of security datasets
The conferences are summarised below, and since the slide decks were all somewhat similar, I produced a summary set for download here.
The Australian High Tech Crime Conference, HTCC2010 8 September 2010
Presentation: VOIP Honeypots
The High Tech Crime Conference was hosted in Sydney by the High Tech Crime Operations portfolio, within the Australian Federal Police (AFP) in conjunction with the University of Technology Sydney. The HTCC brings together domestic and international experts and thought leaders from the Judiciary, legal fraternity, government, law enforcement agencies, academia and the private sector.
Melbourne Branch: Australian Information Security Association (AISA) 12 August 2010
Presentation: The Honeynet project and Data Visualisation for Security Purposes
Sydney Branch: Australian Information Security Association (AISA) 15 September 2010
Presentation: HiTech Crime and Honeypots
Ballarat Innovation, Communication and Technology Cluster 15 June 2010
Presentation : Honeynet Project
I'd like to thank the AFP, AISA and the ICT for the opportunity to share my research, results and ideas with the Law enforcement, academic and AISA communities.
As readers of this blog would know, VOIP honeypots have been an interest area of mine for some time. The problem, though, was that the honeypot technologies were often standalone scripts that had to be installed and run by themselves, and so couldn't be shared very easily. The notion of building this functionality into the Dionaea honeypot framework made a lot of sense, as this would make deployments and logging easier and more accessible to everybody.
To address this need, we proposed a project as part of our Google Summer of Code (GSOC) 2010 initiative, for which we then received student funding from Google. We then accepted an enthusiastic and talented student, Tobias Wulff from the University of Canterbury in Christchurch, New Zealand, to complete the coding. Together with the main author of the Dionaea framework, Markus Koetter, as mentor, and myself and Sjur Usken (Norwegian Chapter) as co-mentors, we were all successful in our aim!
Thank you to David Watson, who was the main org admin for GSOC, and to Markus, Tobi and Sjur for taking on the challenge and coming out of GSOC 2010 with a great result. Amazing what can happen when an Aussie, an Englishman, a Norwegian and a couple of Germans get together.