UNAM Chapter Status Report For 2012

published by mbautista on Tue, 11/06/2012 - 17:43

ORGANIZATION

The UNAM Chapter is part of UNAM-CERT, an organization established within the National Autonomous University of Mexico (UNAM).
 
Current chapter members:
  • Roberto Sánchez - Chapter lead.
  • Miguel Bautista - Chapter member.
  • Javier Santillán - Chapter member.
  • Rubén Aquino - Chapter member.

DEPLOYMENTS

We're using the following infrastructure as an early warning and intrusion detection system to feed into our incident response process, and also to identify emerging threats in the Internet and share this knowledge with the community.
 
We're currently running 12 low interaction honeypots for malware capture with 1060 public IP addresses distributed along them. All of them are running several instances of dionaea and sharing data directly to HPFeeds. Also have deployed 3 honeeboxes sensors and submitted to HPFeeds as well.
 
We have one honeypot running kippo and glastopf using 1000 public IP addresses. Glastopf is currently sharing data to hpfeeds.

Also we're running a Darknet with over 20,000 public IP addresses using an staggered architecture for network monitoring based on sguil, snort, argus, tcpflow and several other tools for data capture and analysis.

We have a central system called Security Telescope to process all the information gathered by our honeypots and the darknet.
 
This year we are no longer using high interaction honeypots due to several reasons, such as maintenance and physical resources issues.

RESEARCH AND DEVELOPMENT

We are working on the development of a spampot tool for collect and analysis of spam content like URL, attachments, source IP address, as well a Botnet tracking tool, for logging the activities of malware infected machines analyzing the commands sent by the C&C via IRC protocol.

FINDINGS

None at this time.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

As part of UNAM-CERT one of our main activities is incident detection and handling within our University and Mexico, that’s why we are in close contact with CSIRTs of the main ISPs of Mexico, and sharing them information about security incidents coming from their networks that we are detecting on the University network.

GOALS

Identify trends in Mexico about attacks through statistics and charts generated by the data collected by our honeypots.
 
Increase the number of our deployments within our University and if possible Mexican networks.
Deployment and improvement of our spampot and botnet tracking tools.

MISC ACTIVITIES

Every year we organize a Computer Security Congress. It's a balanced meeting which includes technical and non-technical talks. Main purposes are: to share experiences, to discuss trends and to give attendees a better perspective of computer security around mexican networks and around the world.

MENTORING

Not at this time.