MIS 510: Cyber Analytics Project

Similar documents
Cyber Security Analytics. Su Zhao Yuan-Jen Lee Ching-Tang Lin Yufeng Mao

A Study on IP Exposure Notification System for IoT Devices Using IP Search Engine Shodan

Course Content: Session 1. Ethics & Hacking

Introduction: 1. Daily 360 Website Scanning for Malware

Network Security Testing using MMT: A case study in IDOLE project

Network Monitoring using MMT:

WEB ATTACKS AND COUNTERMEASURES

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

McAfee Web Reporter Turning volumes of data into actionable intelligence

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Networks and Security Lab. Network Forensics

Application security testing: Protecting your application and data

Common Security Vulnerabilities in Online Payment Systems

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Cyber Security Workshop Ethical Web Hacking

INFORMATION SECURITY REVIEW

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Enterprise-Grade Security from the Cloud

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

SHODAN for Penetration Testers. Michael theprez98 Schearer

Don t Spill Your Candy in the Lobby

EyjafjallajöKull Framework (aka: Exploit Kits Krawler Framework)

Report on Cyber Security Alerts Processed by CERT-RO in 2014

Protecting Your Organisation from Targeted Cyber Intrusion

Information Security for Modern Enterprises

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

WEB APPLICATION VULNERABILITY STATISTICS (2013)

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Ethical Hacking as a Professional Penetration Testing Technique

The Application Usage and Threat Report

We all need to be able to capture our profit generating keywords and understand what it is that is adding the most value to our business in 2014.

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Christos Douligeris cdoulig at unipi dot gr. Department of Informatics University of Piraeus

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

SANS Top 20 Critical Controls for Effective Cyber Defense

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Marble & MobileIron Mobile App Risk Mitigation

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

Testing the OWASP Top 10 Security Issues

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

Penetration Testing Scope Factors

Rational AppScan & Ounce Products

CYBERSECURITY INESTIGATION AND ANALYSIS

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Connecting to your Database!... 3

Capturing Barracuda Web Filter Activity in Reports

CS 558 Internet Systems and Technologies

DEVELOP ROBOTS DEVELOPROBOTS. We Innovate Your Business

Sophos XG Firewall v Release Notes. Sophos XG Firewall Reports Guide v

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Targeted attacks: Tools and techniques

THE OPEN UNIVERSITY OF TANZANIA

Inspection of Encrypted HTTPS Traffic

Web-Application Security

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

The Top Web Application Attacks: Are you vulnerable?

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

McAfee Certified Assessment Specialist Network

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

WEB& WEBSITE DESIGN TRAINING

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

TDAQ Analytics Dashboard

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

CS5008: Internet Computing

ONLINE RECONNAISSANCE

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Pwning Intranets with HTML5

INDUSTRY OVERVIEW: FINANCIAL

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

Enterprise Application Security Workshop Series

Security Intelligence Services. Cybersecurity training.

STABLE & SECURE BANK lab writeup. Page 1 of 21

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Web Security. Discovering, Analyzing and Mitigating Web Security Threats

Integrating Web Application Security into the IT Curriculum

Web Application Security

Detecting Botnets with NetFlow

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

What is Web Security? Motivation

Streamlining Web and Security

Protect Your Business and Customers from Online Fraud

Security features of ZK Framework

Understanding Web Application Security Issues

Evaluation of Google Hacking

Transcription:

MIS 510: Cyber Analytics Project Team: Never Off Guard SUMEET BHATIA AADIL HUSSAINI SNEHAL NAVALAKHA MO ZHOU

1 Table of Contents Introduction... 2 Hacker Web... 3 Data Collection... 3 Research Question 1... 3 Data Analysis... 3 Findings/Discussion... 4 Research Question 2... 5 Data Analysis... 5 Findings/Discussion... 5 Shodan... 7 Research Question 1... 7 Background Information... 7 Data Collection/Analysis... 7 Findings/Discussion... 8 Research Question 2... 9 Background Information... 9 Data Collection/Analysis... 9 Findings/Discussion... 10 References... 11

2 Introduction As computers become more ubiquitous throughout society, the security of networks and information systems is a growing concern. There is an increasing amount of critical infrastructure that relies on computers and information technologies, and advanced technologies have enabled hackers to commit cybercrime much more easily now than in the past. Thus, it has become important for researchers to look into cyber security issues, such as botnet activity, digital forensics and malware analysis. Our research seeks to contribute to the existing literature on cyber security by conducting analytics on data collected from two sources Hacker Web and Shodan: Hacker Web: A collection of 18 major online forums where a community of international hacking enthusiasts participate in various kinds of discussions regarding cyber security topics. Shodan: A search engine for finding open and vulnerable ports and devices on the internet ( Internet of Things ) We have looked at two main research questions for each of the aforementioned data sources. We present our data collection and analysis methods, before discussing our results and findings.

3 Hacker Web Hacker Web is a collection of 18 major online forums where a community of international hacking enthusiasts participate in various kinds of discussions regarding cyber security topics. The individual posts on each of these forums, along with post date/time and authorship information, have been stored in a MySQL database. Hacker Web has been used in various research contexts and has proven to be a reliable source of cyber security-related data. For our research purposes, we have chosen the four English forums to extract data from: Elitehack, Hackhound, icode and VCTool. Data Collection We followed the following steps to collect our data from the four English forums via the Hacker Web MySQL database: 1. Downloaded and configured HeidiSQL 2. Connected to Hacker Web database using provided credentials 3. Run SQL queries (i.e., SELECT * FROM [table] WHERE upper([column]) LIKE %[KEYWORD]% ) 4. Converting the results of the queries into CSV files 5. Used MS Excel and IBM Many Eyes for various analytics For the scope of our research, we chose to only look at the forum posts (i.e., elitehackposts, hackhoundposts, icodeposts and vctoolposts ), since they were more likely to contain the keywords that we were looking for. Research Question 1 Through browsing many cyber security-related literature, we found that there were two words that appeared very often: victim(s) and target(s). Thus, we wanted to analyze data collected from Hacker Web using these two keywords. So our first research question is the following: How frequent do posts with either of the two keywords (i.e., victim(s) and target(s) ) appear on each of the four English forums? How does the frequency vary between the forums across time? Data Analysis We first queried the four English forums individually to find the total number of posts (without any keywords) for each forum. Then we used the keywords victim(s) (SQL: %VICTIM% ) and target(s) (SQL: %TARGET% ) and queried all four forums individually to find the total number of posts with either of the two keywords. Finally, we calculated the percentage of total posts that contained either of the keywords. Next, we wanted to look at how this percentage has changed over time, specifically over the most recent five-year period of 2009-2013. Because Elitehack and Hackhound are relatively new forums, there was

4 little to no data for years prior to 2012. Thus, we only compared the temporal trends for icode and VCTool. Findings/Discussion The following chart depicts a comparison of this percentage for each of the four forums: 2.50% # of Posts With Keywords (As a % of Total # of Posts) 2.00% 1.50% 1.00% 0.50% 0.00% elitehackposts hackhoundposts icodeposts vctoolposts As we can see, the percentage of posts with either the keyword victim(s) or target(s) is above 1% for every forum, with icode having the highest at 2.05% and Hackhound at 1.02%. It is likely that the reason icode and VCTool have higher percentages than Elitehack and Hackhound because the former two forums were started earlier, so our queries resulted in a larger amount of data for calculating these statistics. The following graph shows a comparison of these trends: # of Posts With Keywords (As a % of Total # of Posts) 8.00% 7.00% 6.00% 5.00% 4.00% 3.00% 2.00% 1.00% 0.00% 2009 2010 2011 2012 2013 icodeposts vctoolposts

5 From the graph above, we see that there was an unusually high percentage with the two keywords in the icode forum in 2009. Then, it dropped to a similar level as VCTool. In both forums, the percentage has generally grown over time, suggesting an increase in postings that mention victim(s) and/or target(s). Research Question 2 What are the most frequently mentioned topics within each forum and across all four forums? Data Analysis Again, for this question, we used the same query in Question 1 to find the total number of posts in each English forum. What is different is that we then used IBM Many Eyes to conduct a Word Tag analysis to find the most frequently mentioned topics on each forum. Finally, we calculated the percentage of total posts that contained each of these topics. Findings/Discussion The chart below shows the most frequent topics that are mentioned on each of the four English forums: 1.80% 1.60% 1.40% 1.20% 1.00% 0.80% 0.60% 0.40% 0.20% 0.00% # of Occurences (As a % of # of Total Posts) Elitehack Hackhound d icode VCTools It is apparent from our analysis that each of these forums has its own flavor. Elitehack seems the most suitable for hackers who are more interested in social media hacking (e.g., Facebook), while icode tends to serve the more traditional crowd who are more interested in malware and viruses. Those who enjoy talking about specific technologies and hacking techniques are most likely to visit Hackhound, but those who like to target the government or phish for personal information from individuals may like VCTools better. Then, we aggregated the data from all four forums and found the most popular topics:

6 # of Occurences (As a % of # of Total Posts) 0.80% 0.70% 0.60% 0.50% 0.40% 0.30% 0.20% 0.10% 0.00% Windows Malware Government Botnet The results show that unsurprisingly, Windows is the most talked about, at 0.7%. The other hot topics are government (0.45%), malware (0.39%) and botnet (0.32%).

7 Shodan Shodan is a powerful source for finding open and vulnerable ports and devices on the internet ( Internet of Things ). It interrogates ports, grabs the resulting banners and indexes the banners for searching. The different filters available for searching include: IP address, hostname, port, latitude and longitude, operating system, city, country, and device data. When used maliciously, Shodan can be used to exploit unprotected servers or devices. For research purposes, however, it can be a very useful tool to find potentially vulnerabilities in certain systems that are connected to the internet. Research Question 1 Samsung has tried to go SoLoMo using its SmartTV. It has tried to integrate internet and Web 2.0 features with television sets. Our first research question on SmartTVs is divided into the following parts: 1. How many SmartTVs are publicly-facing and respond to Shodan s search query? What is the geographical distribution of these SmartTVs and are all of them exploitable? 2. What percentage of SmartTVs is publicly visible where the Webkit vulnerability in the device could be exploited? Background Information Samsung SmartTV is essentially a Linux device configured with a Webkit-based browser used to load web pages and applications. Webkit is an open-source HTML rendering engine that has a significant presence in Google Chrome and Apple Safari browsers. We chose Samsung SmartTV as our research device because it is a relatively new device in the market and it is not a big enough platform for a lot of people to contribute to its development. However, it uses a browser based on the Webkit technology, which exposes the device to a range of security exploits such as cross-site scripting attacks, denial-of-service attacks and unexpected application termination or arbitrary code execution. Thus, we feel it is important to research SmartTV s vulnerability on the web. Data Collection/Analysis To get the Samsung SmartTV results, we first researched on Shodan s website (http://www.shodanhq.com/) regarding various types of banner information the Samsung SmartTV gives us. We found that the tag Content- Length:345 Server:Swift1.0 was highly prevalent in the SmartTV banner. Then, we ran a query on Shodan using a Python

8 script (as seen in the figure), we retrieved 350,968 records. These were the number of SmartTV that responded to the Shodan query. For our research purpose, we limited our search to 3,000 devices. We assume that the 3,000 records is a random sample, giving us an approximate look and feel of the entire dataset. Finally, we used these records to analyze the geographical distribution of the devices and their exploitability (based on the operating port). Findings/Discussion Research Question 1 Part 1 Our analysis shows that not surprisngly, the Republic of Korea (where Samsung is based) dominates the list of countries. It is followed by United States and Chile is ranked #3 as seen in the figures below. Other countries where the number of devices exceeds 100 are Ukraine, Germany, Russia, Poland and Finland. Digging a level deeper, we found that although the majority of the SmartTVs work on Port 443, which greatly enhances security, a large number of them gave access on Port 80, which makes them quite vulnerable. The figure below shows the breakdown of the ports given access to out of the 3,000 search results.

Count 9 Total Number of Hosts 1470 1518 5 7 Total 80 443 8080 8443 (BLANK) Port Number Research Question 1 Part 2 We analyzed Samsung s financial data for its SmartTV sales. Statistics show that Samsung has sold around 12 million SmartTVs as of Q1 2013. As mentioned earlier, we tracked down 350,968 devices from our Shodan query. This implies that there at least 2.92% of the devices are publicly visible. The Samsung SmartTV has features such as built-in webcams, web-based applications and browsers. The Webkit vulnerability exposes hundreds of thousands of SmartTVs, potentially giving hackers access to multiple ways to get sensitive information from the users with a single hack. Research Question 2 How vulnerable are the traffic signal systems in the United States? Which are the cities that are most vulnerable to getting their traffic signal systems hacked? Background Information While the internet has enabled many of the public communication systems to be accessed digitally, there are growing concerns about their lack of security. Engineers recently hacked into the Traffic Signal System in Los Angeles. The engineers programmed the signals so that red lights for several days would be extremely long on the most congested approaches to the intersections, causing heavy gridlock. Such incidents raise the following security concerns: 1. Traffic Signal Systems can be hacked, which will affect the normal flow of traffic 2. The traffic cameras used for monitoring traffic can be hacked, which is a privacy and security risk Our objective is to find out how vulnerable the Traffic Signal Systems are in the United States, specifically in which cities. Data Collection/Analysis We searched the Shodan database to find information about servers for Traffic Signal Systems. We used two tags that were most prevalent in the header information such servers. Below is our detailed process: 1. Searched for header keywords in the Shodan Database 2. Wrote a Java application to extract the data row by row return it to Python 3. Wrote a loop using Python to input and store the data row by row in MS Excel 4. Used the results in output for analysis

10 Findings/Discussion First, we used the tag atz executive to get information about all the systems on Port 23 (i.e., FTP). This gave us information of all ATZ Traffic Signal Systems using the Operating systems C Executive. We were able to get access into the system and see live images. We found 216 records and then we sorted them by city and state. The analysis showed that Louisiana had the most number of vulnerable systems, and the cities of Metairie and New Orleans in that state ranked in the top 2 across the country. Then, we used the tag Content-Length: 2861 Cache-Control: max-age=86400 to get information on Port 8080. We found that Content-Length: 2861 corresponds to PIPS technology, which provides automatic license plate recognition. These devices offer a telnet connection for management that does not require authentication. We were able to observe the number plate information and live images. We were also able to modify the configuration settings. Again, we found that the city of Metairie in Louisiana had the most vulnerable Traffic Signal Systems.

11 References (n.d.). Shodan Introduction [PowerPoint slides]. Retrieved from http://ai.arizona.edu/mis510/ Benjamin, V. (2014). Cybersecurity Research Overview [PowerPoint slides]. Retrieved from http://ai.arizona.edu/mis510/ Freamon, D. The Darius Freamon Blog. Retrieved from http://dariusfreamon.wordpress.com/tag/trafficmanagement/ Grad, S. (2009, December 1). Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced. Retrieved from http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-latraffic-signal-computers-jamming-traffic-sentenced.html Roberts, P. (2013, August 1). Samsung Smart TV: Like A Web App Riddled With Vulnerabilities. Retrieved from https://securityledger.com/2013/08/samsung-smart-tv-like-a-web-app-riddled-with-vulnerabilities/ Segall, L., Fink E., Samsung Smart TV security flaw let hackers turn on built-in cameras. (2013, August 1). Retrieved from http://www.wptv.com/news/science-tech/samsung-smart-tv-security-flaw-let-hackersturn-on-built-in-cameras Strategy Analytics. (2013, July 24). Samsung Leads with 26 Percent of Global Smart TV Market Share in Q1 2013. Retrieved from http://www.strategyanalytics.com/default.aspx?mod=pressreleaseviewer&a0=5400

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information