Browse archive

Latest news

Fighting cybercrime is on the right track

Google set to upgrade its SSL certs

IT security pros have trouble communicating with executives

Zeus variants are back with a vengeance

Facebook phishers target Fan Pages owners

Is it time to professionalize information security?

Google researcher reveals another Windows 0-day

Twitter finally offers 2-factor authentication

DHS employees' info possibly compromised due to system flaw

Teens are into online sharing, but are also more privacy-aware

The dangers of downloading software from unofficial sites

Microsoft decrypts Skype comms to detect malicious links

Review: Logging and Log Management

Hacking charge stations for electric cars

Know Your Enemy: Sebek2 - A kernel based data capture tool

by The Honeynet Project - Wednesday, 24 September 2003.

To observe intruders using session encryption, researchers needed to find a way to break the session encryption. For many organizations this has proven extremely difficult. In an attempt to circumvent session encryption rather than break it, the Honeynet Project began experimenting with using kernel-based rootkits for the purpose of capturing the data of interest from within the honeypot’s kernel.

These experiments lead to the development of a tool called Sebek. This tool is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. It provides capabilities to: record keystrokes of a session that is using encryption, recover files copied with SCP, capture passwords used to log in to remote system, recover passwords used to enable Burneye protected binaries and accomplish many other forensics related tasks. What follows is a detailed discussion of Sebek, how it works and its value.

Download the paper in PDF format here.