[Dshield] DShield Newsletter - November 2008
Johannes B. Ullrich
jullrich at sans.edu
Tue Nov 11 16:28:19 GMT 2008
/* I am going to send this to all DShield users later today, so sorry if you get it
multiple times */
It has been a while since I sent out an update like this. However, there have been a
few developments I would like you all to be aware of:
Now collecting weblogs!
We recently released a first version of a web-honeypot. It is a bit more complex
than our standard log collector. However, if you run a web server and would like to
participate, please log in to your DShield account to download it. At this point,
we only accept authenticated submissions. The software works, but we are rapidly
adding features and will need to contact you if we release new versions. The software
requires Apache and PHP, but IIS and PHP may work too with some changes. If you are
willing to translate this to ASP or other web development frameworks: Please let me
know. (It is just one PHP file that needs to be ported.)
Mailing list meltdown :(
The server running the DShield mailing list (list.dshield.org) recently "melted down".
It was recovered from backups, but most users got unsubscribed due to a bad configuration.
If you are interested in subscribing to a mailing list, please check if you are still
subscribed. There are currently two active lists:
- dshield "list": General security and DShield discussions.
- "announce": This list is for announcements only. Please sign up if you submit data
to DShield.
For details, see http://lists.dshield.org (the "current" list is still listed, but no
longer used).
SSL Certificates
The DShield website is available via SSL under "https://secure.dshield.org", not
"https://www.dshield.org". While 'www.dshield.org' is the same site, the certificate only
works for 'secure.dshield.org' and you will get a certificate error if you go to
'https://www.dshield.org'.
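As an added illustration (not part of the newsletter), this is the hostname check a browser performs that produces that error: the URL's host is compared against the names the certificate carries, following the RFC 6125 wildcard rules. The name list is constructed to mirror the certificate described above.

```python
# Hostname matching as done when validating a server certificate:
# the host from the URL is compared against the certificate's names
# (subjectAltName dNSName entries, plus the CN on older certificates).
# Rules follow RFC 6125 section 6.4.3: comparison is case-insensitive,
# a wildcard is honoured only as the entire left-most label, it matches
# exactly one label, and it needs at least two further labels.

def label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one label of a certificate name against one host label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (possibly wildcarded) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    # Reject partial wildcards ("sec*") and too-broad ones ("*.org").
    if "*" in cert_labels[0]:
        if cert_labels[0] != "*" or len(cert_labels) < 3:
            return False
    # Wildcards anywhere but the left-most label are never accepted.
    if any("*" in label for label in cert_labels[1:]):
        return False
    return all(label_matches(p, h) for p, h in zip(cert_labels, host_labels))

def cert_covers(cert_names, hostname):
    """Return the first certificate name matching hostname, or None
    (None is what turns into the browser's certificate error)."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None

# Constructed to mirror the newsletter: the certificate is issued for
# secure.dshield.org only, so www.dshield.org does not match.
DSHIELD_CERT_NAMES = ["secure.dshield.org"]

if __name__ == "__main__":
    for host in ("secure.dshield.org", "www.dshield.org"):
        match = cert_covers(DSHIELD_CERT_NAMES, host)
        status = f"OK, matched {match}" if match else "certificate error"
        print(f"{host}: {status}")
```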
Delayed Imports / Server Status
DShield currently uses 3 database servers. Two of them are used to drive the website and
import new data. The third is a "slave only" and used for longer queries, like daily
summaries. Sadly, the third server wasn't able to keep up with the load of some special
research queries lately and daily reports have been incomplete. Feel free to contact
info at dshield.org if you see problems. There is also a public status page at
http://www.dshield.org/status.html (a fourth database server is actually already online
but still running in "test mode" for now).
Research Projects
In addition to the weblogs project mentioned above, we have a few different research
projects going on. For example, SRI International developed its "Highly Predictive
Blacklist" algorithm using DShield data, and a paper written about this was recently
awarded "Best Paper" at the USENIX Security Conference. If you have a research project
that could use some real world data, see http://www.dshield.org/research.html for our
data sharing guidelines. I am also working on an API to allow easier automated data
access.
Threatstop and DShield
Another research project we participated in was Threatstop. DShield users have been
able to download DShield blacklists via Threatstop in the past. Threatstop was recently
acquired by Brightcloud, and it looks like the feeds may go away. Please contact them
directly if you have any issues.
IPV6/DNSSEC
I always like to experiment with new technologies. DShield.org has been accessible via
IPv6 for a while now. Recently, I also started to sign the DShield.org zone using DNSSEC. As
usual, let info at dshield.org know if there is a problem.
Misc. events
I am traveling quite a bit these days, mostly to SANS conferences. I am always open
to having an impromptu users meeting on these occasions. Upcoming trips are:
- SANS London (first week of December)
- CDI 2008, Washington DC (second week of December)
As you probably know, DShield is written in PHP. I put some of the DShield experience
into a PHP security course. If you are interested, see www.dshield.org/phpsecurity. The
course is currently offered by SANS. I also created a quick Google Video with a talk I
recently gave at a local Linux users group meeting. The talk is a bit more "philosophical"
and inspired by coding DShield: http://video.google.com/videoplay?docid=5577290413664485177
--
Cyber Defense Initiative, Washington DC, December 10-16, 2008;
http://www.sans.org/info/32873