Title:	HoneyNet: A platform for studying Hacker Behaviors and Computer Forensics
Date:	24th July 2003
Time:	16:30 - 18:00
Venue:	Hong Kong Monetary Authority 31/F, 3 Garden Road, Hong Kong
Speaker:	Alan S. H. Lam

Abstract:
A Honeypot is an Internet-attached server designed to detect and monitor the activities of computer hackers. HoneyNet is a network of these honeypots with high interaction design. CUHK has launched the HoneyNet project since June 2002. This seminar reviews some findings from this HoneyNet project, which include hacking techniques, hackers's activities after break-ins, and some general hackers' behaviors. Some hackers' activities will be described and illustrated with live demonstrations through scene reconstruction. Forensic techniques used to examine the data obtained from the HoneyNet will also be discussed.

Seminar Outline:

Objectives of our Honeynet
What is a Honeynet and how it works
Hackers' Activities (with live demo)
Forensic Tools
How Honeynet May Help E-banking
Future Development
Q & A

Presentation Slides ([PPT|PDF])

Examples

Some hacking patterns from captured packets

Hackers' keystroke

A hacker keystroke record
- sneak in by a backdoor account
- Get root access by sudo
- Check around the honeypot environment
- Download a root kit and intsall it
- Disable the honeypot anonymous ftp so as to keep out other hackers.
A hacker started up a IRC bot
A hacker killed other hacker backdoor daemon
A hacker checked out other hackers' IRC bot and backdoors, and then kill them
A hacker wiped out log entries
A hacker mass openssl scanned to other network and try to attack
A hacker launch a DoS attack
A hacker installed rootkit which check for other rootkit

Some hackers' startup scripts

Hacker conversation from IRC data capture

References