Bitter harvest: Systematically fingerprinting low- and medium-interaction honeypots at internet scale
The current generation of low- and medium-interaction honeypots uses off-the-shelf libraries to provide the transport layer. We show that this architecture is fatally flawed because the protocols are implemented subtly differently from the systems being impersonated. We present a generic technique for systematically fingerprinting low- and medium-interaction honeypots at Internet scale with just one packet and an EER (Equal Error Rate) of 0.0183. We conduct Internet-wide scans and identify 7,605 honeypot instances across nine different honeypot implementations for the most important network protocols SSH, Telnet, and HTTP. For SSH honeypots we also determined their patch level and find that they are poorly maintained -- 27% of the honeypots have not been updated within the last 31 months and only 39% incorporate improvements from 7 months ago. We believe our findings to be a 'class break' in that trivial patches cannot address the issue.
Honeypots in the age of universal attacks and the Internet of Things
Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents.
In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions.
We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed.
Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection.
We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws.
Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked 'things'.
Premium Research Studentship, Department of Computer Science and Technology, University of Cambridge
Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days
Existing solutions are ineffective in detecting zero day exploits targeting Customer Premise Equipment (CPE) and Internet of Things (IoT) devices. We present honware, a high-interaction honeypot framework which can emulate a wide range of devices without any access to the manufacturers' hardware. Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the filesystem and runs the system with a special pre-built Linux kernel. It then logs attacker traffic and records which of their actions led to a compromise. We provide an extensive evaluation and show that our framework improves upon existing emulation strategies which are limited in their scalability, and that it is significantly better both in providing network functionality and in emulating the devices' firmware applications - a crucial aspect as vulnerabilities are frequently exploited by attackers in front-end functionalities such as web interfaces.
Honware's design precludes most honeypot fingerprinting attacks, and as its performance is comparable to that of real devices, fingerprinting with timing attacks can be made far from trivial.
We provide four case studies in which we demonstrate that honware is capable of rapid deployment to capture the exact details of attacks along with malware samples. In particular we identified a previously unknown attack in which the default DNS for an ipTIME N604R wireless router was changed. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit zero days at Internet scale.
Optical methods for studying the adsorption of fibrinogen and oligodeoxynucleotides on the surface of titanium and titanium alloys.
Adsorption of fibrinogen at the titanium surface is important for the osseointegration of titanium implants. Adsorption of fibrinogen at the titanium depends on the physical properties of the titanium surface.
Laser patterning of amorphous silicon thin films deposited on flexible and rigid substrates
The possibility of direct writing thin semiconductive channels and structures on insulating substrates in a clean room-free process is attractive for its simplicity, cost effectiveness, and possibility of a wide choice of substrates. A broad range of applications, such as large-area electronic devices (touch screens, flexible displays), sensors, or optical wave guides could benefit from such a process. In this work, we directly write on doped hydrogenated amorphous silicon (a-Si:H), with thickness in the range 10 nm–1 μm, using a Nd-YAG laser operating at 532 nm that is part of a Witec Raman confocal system. The contrast in conductivity between the exposed and unexposed areas is so high that the a-Si:H matrix need not be removed after exposure. B- and P-doped films were deposited on plastic, glass, and oxidized silicon wafers. The laser power threshold for crystallization was studied. The highest conductivity (886 Ω⁻¹ cm⁻¹) was obtained on wafer. On hard substrates, it is possible to tune the mesoscopic electrical conductivity in a very broad range of values (∼10⁻⁴–10³) by design of the pattern to be transferred. Patterned films are piezoresistive with gauge factors as high as +18 and −29 for p- and n-type patterns, respectively.
SEM image of laser written lines on a 10 nm thick a-Si:H film deposited on a Si/SiO2 substrate. Four regions are clearly distinguishable: the metal contact on the top area; the laser eroded area (lines); the crystallized areas adjacent to lines; the amorphous region at the bottom right.
CNPq. The authors acknowledge Witec GmbH for collaboration in disclosing the set of instructions needed to communicate with Witec Four software.
Counting outdated honeypots: Legal and useful
Honeypots are intended to be covert and so little is known about how many are deployed or who is using them. We used protocol deviations at the SSH transport layer to fingerprint Kippo and Cowrie, the two most popular medium-interaction SSH honeypots. Several Internet-wide scans over a one-year period revealed the presence of thousands of these honeypots. Sending specific commands revealed their patch status and showed that many systems were not up to date: a quarter or more were not fully updated and by the time of our last scan 20% of honeypots were still running Kippo, which had last been updated several years earlier. However, our paper reporting these results was rejected from a major conference on the basis that our interactions with the honeypots were illegal and hence the research was unethical. We later published a much redacted account of our research which described the fingerprinting but omitted the results we had gained from the issuing of commands to check the patch status. In the present work we provide the missing results, but start with an extended ethical justification for our research and a detailed legal analysis to show why we did not infringe cybersecurity laws.
Structural Determination of Nanocrystalline Si Films Using Ellipsometry and Raman Spectroscopy
Single phase nano and micro crystalline silicon films deposited using SiF4/H2
plasma at different H2 dilution levels were studied at initial and terminal
stages of film growth with spectroscopic ellipsometry (SE), Raman scattering
(RS) and atomic force microscopy (AFM). The analysis of data obtained from SE
elucidates the microstructural evolution with film growth in terms of the
changes in crystallite sizes and their volume fractions, crystallite
conglomeration and film morphology. The effect of H2 dilution on film
microstructure and morphology, and the corroborative findings from AFM studies
are discussed. Our SE results evince two distinct mean sizes of crystallites in
the material after a certain stage of film growth. The analysis of Raman
scattering data for such films has been done using a bimodal size distribution
of crystallite grains, which yields more accurate and physically rational
microstructural picture of the material.
Comment: 5 pages, 4 figures, 1 table
High-frequency conductivity of optically excited charge carriers in hydrogenated nanocrystalline silicon investigated by spectroscopic femtosecond pump-probe reflectivity measurements
We report an investigation into the high-frequency conductivity of optically excited charge carriers far from equilibrium with the lattice. The investigated samples consist of hydrogenated nanocrystalline silicon films grown on a thin film of silicon oxide on top of a silicon substrate. For the investigation, we used an optical femtosecond pump-probe setup to measure the reflectance change of a probe beam. The pump beam ranged between 580 and 820 nm, whereas the probe wavelength spanned 770 to 810 nm. The pump fluence was fixed at 0.6 mJ/cm². We show that at a fixed delay time of 300 fs, the conductivity of the excited electron-hole plasma is described well by a classical conductivity model of a hot charge carrier gas following a Maxwell-Boltzmann distribution, while Fermi-Dirac statistics is not suitable. This is corroborated by values retrieved from pump-probe reflectance measurements of the conductivity and its dependence on the excitation wavelength and carrier temperature. The conductivity decreases monotonically as a function of the excitation wavelength, as expected for a nondegenerate charge carrier gas.