What Scanners do at L7? Exploring Horizontal Honeypots for Security Monitoring

Honeypots are a common means to collect data useful for threat intelligence. Most efforts in this area rely on vertical systems and target a specific scenario or service to analyse data collected in such deployment. We here extend the analysis of the visibility of honeypots, by revisiting the problem from a horizontal perspective. We deploy a flexible honeypot system hosting multiple services, relying on the T-Pot project. We collect data for 5 months, recording millions of application requests from tens of thousands of sources. We compare if and how the attackers interact with multiple services. We observe attackers that always focus on one or few services, and others that target tens of services simultaneously. We dig further into the dataset, providing an initial horizontal analysis of brute-force attacks against multiple services. We show, for example, clear groups of attackers that rely on different password lists on different services. All in all, this work is our initial effort to build a horizontal system that can provide insights on attacks

Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes

Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: Darknets, simple, vertical bound to specific ports, and, a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure Side-Scan phenomena where once a host starts responding, it attracts traffic to other ports and neighboring addresses. uncovers attacks that darknets and would not observe, e.g. large-scale activity on non-standard ports. And we observe how quickly senders can identify and attack new responders. The “enlightened” part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we, therefore, recommend that organizations consider this option

Playing in the dark with online games for girls

Pregnant Rapunzel Emergency is part of a series of online free games aimed at young girls (forhergames.com or babygirlgames.com), where dozens of characters from fairy tales, children’s toys and media feature in recovery settings, such as ‘Barbie flu’. The range of games available to choose from includes not only dressing, varnishing nails or tidying messy rooms, but also rather more troubling options such as extreme makeovers, losing weight, or a plethora of baby showers, cravings, hospital pregnancy checks, births (including caesarean), postnatal ironing, washing and baby care. Taking the online game Pregnant Rapunzel Emergency as an exemplar of a current digital trend, the authors explore the workings of ‘dark digital play’ from a number of perspectives – one by each named author. The game selected has (what may appear to adults) several disturbing features in that the player is invited to treat wounds of the kind of harm that might usually be associated with domestic violence towards women

Playing in the dark with online games for girls

Pregnant Rapunzel Emergency is part of a series of online free games aimed at young girls (forhergames.com or babygirlgames.com), where dozens of characters from fairy tales, children’s toys and media feature in recovery settings, such as ‘Barbie flu’. The range of games available to choose from includes not only dressing, varnishing nails or tidying messy rooms, but also rather more troubling options such as extreme makeovers, losing weight, or a plethora of baby showers, cravings, hospital pregnancy checks, births (including caesarean), postnatal ironing, washing and baby care. Taking the online game Pregnant Rapunzel Emergency as an exemplar of a current digital trend, the authors explore the workings of ‘dark digital play’ from a number of perspectives – one by each named author. The game selected has (what may appear to adults) several disturbing features in that the player is invited to treat wounds of the kind of harm that might usually be associated with domestic violence towards women

Honeypots in the age of universal attacks and the Internet of Things

Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents. In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions. We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed. Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection. We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws. Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked `things'.Premium Research Studentship, Department of Computer Science and Technology, University of Cambridg

Computer Deception : Back to Basics

In today's modern society, the increasing demands for connectivity and accessibility place computers in ever larger internetworks. As more and more computers become globally accessible, the number of threats from random and targeted attacks rise rapidly. To counter known and unknown threats, various technologies and concepts are employed as defensive measures. One concept that is in rising popularity is computer deception, the subject of this thesis. The field of computer deception is characterized by fragmentation and is lacking unified definitions and methods. This thesis has reviewed five deception paradigms, in order to build a descriptive theory that is used for understanding the concept of computer deception. The border between human deception and computer deception is investigated. The thesis concludes that computer deception for defense rarely can be seen as a field unrelated to human deception. When attacker tools are targeted for deception, they are only intermediary steps on the way to a human attacker. This makes the core issues of computer deception a matter of psychology, not technology. Computer specialists without knowledge of psychology do not have the expertise necessary for estimating the consequences of deceptions on human attackers

Playing in the dark with online games for girls

Pregnant Rapunzel Emergency is part of a series of online free games aimed at young girls (forhergames.com or babygirlgames.com), where dozens of characters from fairy tales, children’s toys and media feature in recovery settings, such as ‘Barbie flu’. The range of games available to choose from includes not only dressing, varnishing nails or tidying messy rooms, but also rather more troubling options such as extreme makeovers, losing weight, or a plethora of baby showers, cravings, hospital pregnancy checks, births (including caesarean), postnatal ironing, washing and baby care. Taking the online game Pregnant Rapunzel Emergency as an exemplar of a current digital trend, the authors explore the workings of ‘dark digital play’ from a number of perspectives – one by each named author. The game selected has (what may appear to adults) several disturbing features in that the player is invited to treat wounds of the kind of harm that might usually be associated with domestic violence towards women

Strengthening Privacy and Cybersecurity through Anonymization and Big Data

L'abstract è presente nell'allegato / the abstract is in the attachmen

Honeypot for Wireless Sensor Networks

People have understood that computer systems need safeguarding and require knowledge of security principles for their protection. While this has led to solutions for system components such as malware-protection, firewalls and intrusion detection systems, the ubiquitous usage of tiny microcomputers appeared at the same time. A new interconnectivity is on the rise in our lives. Things become “smart” and increasingly build new networks of devices. In this context the wireless sensor networks here interact with users and also, vice versa as well; unprivileged users able to interact with the wireless sensor network may harm the privileged user as a result. The problem that needs to be solved consists of possible harm that may be caused by an unprivileged user interacting with the wireless sensor network of a privileged user and may come via an attack vector targeting a vul- nerability that may take as long as it is needed and the detection of such mal-behaviour can only be done if a sensing component is implemented as a kind of tool detecting the status of the attacked wireless sensor network component and monitors this problem happening as an event that needs to be researched further on. Innovation in attack detection comprehension is the key aspect of this work, because it was found to be a set of hitherto not combined aspects, mechanisms, drafts and sketches, lacking a central combined outcome. Therefore the contribution of this thesis consists in a span of topics starting with a summary of attacks, possible countermeasures and a sketch of the outcome to the design and implementation of a viable product, concluding in an outlook at possible further work. The chosen path for the work in this research was experimental prototype construction following an established research method that first highlights the analysis of attack vectors to the system component and then evaluates the possibilities in order to im- prove said method. This led to a concept well known in common large-scale computer science systems, called a honeypot. Its common definitions and setups were analy- sed and the concept translation to the wireless sensor network domain was evaluated. Then the prototype was designed and implemented. This was done by following the ap- proach set by the science of cybersecurity, which states that the results of experiments and prototypes lead to improving knowledge intentionally for re-use