[ISN] Local researchers offer free security service

From: InfoSec News (alerts@private)
Date: Mon May 07 2007 - 22:18:54 PDT


http://computerworld.co.nz/news.nsf/news/EC25C508910ADEE8CC2572D10014CB81

By Ulrika Hedquist
Auckland
8 May, 2007

New Zealand's Honeynet Alliance is offering a free service for 
webmasters. The local project is part of the global, non-profit Honeynet 
Project, a research organisation dedicated to improving the security of 
the internet at no cost to the public.

"Webmasters are, generally, at risk of having their websites attacked 
and compromised, and they usually don't have the means to monitor their 
page," says Christian Seifert, who runs the local Honeynet Alliance.

Seifert, one of four volunteer researchers involved in the project, is a 
PhD student at Victoria University in Wellington.

Once a website is compromised, the attacker might manipulate it to host 
malicious content, so that when a user visits the site they might be 
attacked, or spyware might be downloaded to the user's machine without 
their consent, says Seifert.

The free web service, PATROL (Periodic Assessment of TReasured Online 
Links), allows webmasters to submit their own URL to the Honeynet 
Project's open-source client honeypot, called Capture. Submitted URLs 
are monitored periodically by the client honeypot. Reports are generated 
on a regular basis and published on the New Zealand Honeynet Alliance 
website, says Seifert.

The Honeynet Project also offers a service called SCOUT (Speedy Complete 
Online URL Test) which is more targeted at end-users, says Seifert. It 
allows them to submit a URL and get immediate feedback, he says.

"For example, if you get an email with a link that 
looks suspicious to you, you can submit that URL to our site and we will 
immediately tell you whether it is malicious or not," he says.

The service was launched in mid-April and the Honeynet Project has 
identified 15 malicious URLs already, says Seifert.

Capture, developed at Victoria University, identifies malicious servers 
by interacting with potentially malicious servers using a dedicated 
virtual machine and monitoring any state changes on that box, says 
Seifert.

"If a new file appears in the start-up folder we know that that website 
is malicious," he says.

The Honeynet Project's method is not signature-based.

"We are looking at the effects of a successful attack and that allows us 
to detect [attackers] that we don't know anything about yet," he says. 
"So it is really geared towards the future, looking at future exploits — 
zero-day exploits," he says.

Capture can be downloaded from the Honeynet website and is distributed 
under the GNU General Public Licence.

"The latest version of the client honeypot allows you to look at attacks on 
various web browsers, not just Internet Explorer, but also Firefox and 
Opera," he says.

It also features kernel level monitoring and is compatible with Vista.

Seifert says he is quite excited about the new version of Capture as it 
brings client honeypot technology into the hands of security people and 
web administrators.

"But we realise that not everybody has the time and resources to install 
the client honeypot," he says. "That is why we have created the web 
service."

Copyright (c) Fairfax Business Media A Division of John Fairfax 
Publications Pty Limited


