Transcript slides

Cyber Analytics Project
MIS 510
Prathamesh Bhurke
Prasad Kodre
Kiran Viswanathan
Vanitha Venkatnarayanan
February 27, 2014
Agenda
Introduction
Literature and Technical Review
Which is the most targeted social media platform?
How secure are the large number of Cisco routers currently connected to the internet?
Are there any Industrial Control Systems connected to the internet?
Which are the top 3 banking Trojans spoken about on Hacker Web?
Impact of the Project
References
Appendix
Introduction
• With the increase in reliance on technology, many aspects of our lives depend on the Internet and computers, including communications, transportation, government, finance and education.
• As more and more critical information is stored and handled online, the need to store all this information securely rises.
• The increasing volume and sophistication of cyber security threats such as malware attacks, phishing scams, data theft and other online vulnerabilities demand that we remain vigilant about securing our systems and information.
Literature Review
To understand the impact of cybersecurity we studied the existing documentation and recent news about the field, which is growing rapidly. Some of the major research papers/blogs we studied are:
• Banking Trojans: Understanding their impact and how to defend your institution against Trojan-aided fraud (Symantec white paper).
• Trojan.Zbot: Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.
• Carberp: Code Leak Stokes Copycat Fears.
Which is the most targeted Social media platform?
Mark Zuckerberg’s account hacked
Evolution – The story line
• Mark Zuckerberg's account was hacked by Khalil Shreateh in August 2013.
• Hacking of Facebook accounts is a rising threat.
• The data of millions of accounts is at risk.
• More than 600,000 Facebook accounts are compromised every day.

Hacked using “Keylogger”
Graphical Analysis
• Increase in the number of posts and threads about hacking Facebook.
• Increase in the number of views of posts and threads that include the topic of hacking Facebook.
Graphical Analysis
• Provides information about the authors talking about hacking Facebook.
• The Y axis is an aggregation of different metrics such as reputation score, number of views, etc.
Graphical Analysis
• Facebook is the most talked-about social media site across the forums studied.
[Bar chart: number of posts and threads about hacking Facebook per forum (Hackhound, Anon, Elitehack, Icode, Vctool); values plotted: 618, 452, 411, 267, 89, 62, 48, 37, 25, 24]
Pseudo Algorithm
THE ALGORITHM:
• Create an empty log file for storing the captured keystrokes.
• Poll the keyboard with the Win32 GetAsyncKeyState() function to detect which keys the user presses.
• Append the intercepted key values to the file.
• Hide the console window so that the running program is not visible to the user (it still appears in the process list).
• Run the polling inside an endless while loop so that capture continues in all conditions.
• Call Sleep() inside the loop so that it does not spin at 100% CPU (this lowers the load; it does not reduce it to zero).
How secure are the large number of Cisco routers
which are currently connected to the internet?
• Many of the Cisco routers currently connected to the internet expose a web interface (the IOS HTTP server) for configuring the device. Gaining access to it normally requires a username and password.
• Unauthorized access to these devices can have serious consequences. Data collected from Shodan for Cisco devices around the world shows that there are at least 1,616,911 Cisco routers connected to the internet.
• Among these, potentially more than 11,419 devices do not require authentication. This can be determined from differences in the HTTP banner the device returns: a router that challenges for credentials answers with a 401 and a WWW-Authenticate header, whereas one that serves its page directly answers 200 OK with a Last-Modified header (the Shodan queries used are listed in the appendix). A 200 on the root page does not prove that the privileged configuration pages are reachable without credentials, so the figure is an upper bound.
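The banner distinction described above, as an added example (not the project's own code): it classifies raw HTTP banners the way the two Shodan queries from the appendix do and aggregates the result per country into the shape of the tables that follow. The banners and country codes below are constructed for the illustration; the only facts taken from the page are the two query patterns (401 plus WWW-Authenticate versus 200 plus Last-Modified) and the `cisco-IOS` Server token.

```python
import re
from collections import defaultdict

# Constructed sample banners (not real Shodan records).  Cisco's IOS HTTP
# server identifies itself with "Server: cisco-IOS"; a device that demands
# credentials answers 401 with WWW-Authenticate, one that serves its page
# without a challenge answers 200 with Last-Modified.
CISCO_AUTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Thu, 20 Feb 2014 09:12:31 GMT\r\n"
    "Server: cisco-IOS\r\n"
    "Connection: close\r\n"
    "Accept-Ranges: none\r\n"
    "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n"
)
CISCO_OPEN = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 20 Feb 2014 09:12:33 GMT\r\n"
    "Server: cisco-IOS\r\n"
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "Expires: Thu, 20 Feb 2014 09:12:33 GMT\r\n"
    "Last-Modified: Thu, 20 Feb 2014 09:12:33 GMT\r\n"
)
NOT_CISCO = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Last-Modified: Wed, 19 Feb 2014 18:00:00 GMT\r\n"
)

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


def parse_banner(banner):
    """Split a raw HTTP banner into (status code or None, {lowercased header: value})."""
    lines = banner.replace("\r\n", "\n").split("\n")
    m = STATUS_RE.match(lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(banner):
    """None if the banner is not a Cisco IOS web server; otherwise
    'auth'  -> 401 + WWW-Authenticate  (slides' query: cisco-ios web-authenticate)
    'open'  -> 200 + Last-Modified     (slides' query: cisco-ios last-modified 200 ok)
    'other' -> a Cisco banner matching neither pattern."""
    status, headers = parse_banner(banner)
    if "cisco-ios" not in headers.get("server", "").lower():
        return None
    if status == 401 and "www-authenticate" in headers:
        return "auth"
    if status == 200 and "last-modified" in headers:
        return "open"
    return "other"


def summarize(records):
    """records: iterable of (country, banner).
    Returns {country: (cisco_total, open, auth, percent_open)}, the shape of the
    per-country tables in these slides.  open + auth need not equal the total,
    because 'other' banners count only towards the total.  'open' is an upper
    bound on exposure: a 200 on the root page does not prove the privileged
    exec pages are reachable without credentials."""
    counts = defaultdict(lambda: [0, 0, 0])
    for country, banner in records:
        cls = classify(banner)
        if cls is None:
            continue
        counts[country][0] += 1
        if cls == "open":
            counts[country][1] += 1
        elif cls == "auth":
            counts[country][2] += 1
    return {c: (t, o, a, round(100.0 * o / t, 2)) for c, (t, o, a) in counts.items()}


# Constructed records; the country codes are assumed for the illustration.
SAMPLE_RECORDS = [
    ("US", CISCO_AUTH), ("US", CISCO_AUTH), ("US", CISCO_OPEN),
    ("TW", CISCO_OPEN), ("TW", NOT_CISCO),
]

if __name__ == "__main__":
    for country, row in sorted(summarize(SAMPLE_RECORDS).items()):
        print(country, row)
```

The same classifier can be pointed at the raw `data` field of exported Shodan results; the non-Cisco banner in the sample shows why the Server token has to be checked before the status code, since plenty of ordinary web servers also answer 200 with Last-Modified.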
Percentage of unprotected Cisco routers among all Cisco routers, for each country (as read from the bar chart)

Country         Unprotected share
United States   1.04%
United Kingdom  0.99%
China           0.75%
Italy           0.66%
Mexico          0.66%
Brazil          0.61%
Russia          0.56%
South Korea     0.55%
India           0.48%
Turkey          0.10%
Countries with the most Cisco routers under .edu networks that do not require authentication

Country        Total Cisco-IOS devices under .edu   Authentication required   No authentication required   Unprotected devices
United States  6085                                 5699                      32                           0.52 %
Taiwan         1849                                 1413                      22                           1.19 %
Turkey          530                                  509                       7                           1.32 %
Mali              3                                    0                       3                           100 %
Argentina       111                                   57                       2                           1.80 %
Australia       144                                  115                       2                           1.39 %
Colombia         37                                   33                       1                           2.70 %
Lebanon           7                                    4                       1                           14.28 %
Netherlands      12                                    4                       1                           8.33 %

The two right-hand counts come from separate Shodan queries (see the appendix) and do not add up to the total, since some banners match neither pattern; the percentage is "no authentication required" divided by the total.
Are there any Industrial Control Systems connected
to the internet?
How secure is SCADA/ICS equipment that is supposed to sit behind the organizational firewall?
• Wikipedia defines Industrial Control Systems as 'a general term that encompasses several types of control systems used in industrial production, including:
  • Supervisory control and data acquisition (SCADA) systems
  • Distributed control systems (DCS) and
  • Other smaller control system configurations such as Programmable Logic Controllers (PLC)'
Major Attacks
• Stuxnet:
  • Stuxnet (W32.Stuxnet) is a computer worm that targeted SCADA systems manufactured by Siemens (the WinCC/Step 7 software and the S7 PLCs it programs).
  • The intent of Stuxnet was to sabotage physical operations rather than to steal data: its payload reprogrammed the PLCs driving uranium-enrichment centrifuges, the same class of equipment found in facilities such as power plants and gas pipelines.
• Flame: Flame is a large-scale cyber-espionage toolkit that infected Windows computers, mostly in the Middle East, belonging to industrial, governmental and private targets. Its objective was to steal information from the infected machines in the form of screenshots, audio recordings, keystrokes and documents; it did not attack SCADA hardware directly.
• In May 2012 Kaspersky estimated roughly 1,000 machines to be infected by Flame, with victims including industrial companies, governmental organizations and private individuals.
Country-wise distribution of Siemens SCADA/ICS devices (as read from the bar chart)

Country         Devices
United States   194
Germany         179
Italy            80
France           56
Spain            55
Czech Republic   47
China            42
Russia           37
Sweden           36
Poland           30
Shodan statistics for some SCADA products

Product                        | Vendor                               | Total accessible devices on internet | Country with maximum number of such devices
Broadwin SCADA                 | Broadwin Technology                  | 12                                   | Ireland
ISC SCADA System               | Cloris Controls                      | 14                                   | Denmark
ClearSCADA/6.72.4644.1         | Control Microsystems & Trio Datacom  | 45                                   | United States
Proficy HMI/SCADA CIMPLICITY   | General Electric Company             | 253                                  | India
INDAS WEB SCADA                | Indas                                | 6                                    | Russia
SIMATIC NET CP 343-1           | Siemens                              | 94                                   | China
SIMATIC S7-300                 | Siemens                              | 39                                   | United States
SIMATIC NET SCALANCE X208      | Siemens                              | 2                                    | Turkey, Russia
SIMATIC NET SCALANCE S612      | Siemens                              | 5                                    | Denmark
Siemens SCALANCE W746-1PRO     | Siemens                              | 1                                    | Italy
SCADA – Vielha                 | Socade Engineering Solutions         | 1                                    | Spain
Which are the top 3 banking Trojans spoken
about on Hacker Web?
• Banks need to remain vigilant to the threats posed by criminals. New dangers are emerging all the time, particularly in areas such as online banking, where transaction volumes are increasing.
• It is no wonder that threats are on the rise. More people are using electronic payments, mobile banking and other new technologies, which makes them more appealing to criminals: more transactions mean more money.
• Banking malware, specifically banking Trojans, is reaching alarming new levels of sophistication.
Statistics of the most spoken-about Trojans in Hacker Web forums
[Bar chart: number of posts mentioning Carberp, Citadel and Zeus in each forum (Exploit, EliteHack, Hackhound, Vctool, Icode, Anon)]
Major Attacks
• Zeus: the Trojan.Zbot toolkit gives an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.
• Citadel: this Trojan is a variant of Zeus. It emerged, along with a number of other one-off Trojans, after the Zeus source code leaked in 2011.
• Carberp: Win32/Carberp is a family of Trojans that may be delivered by other malicious code, for instance by variants of Exploit:JS/Blacole (the Blackhole exploit kit). The Trojan downloads further Win32/Carberp components to execute payload code such as stealing online banking credentials.
Impact of Cyber Security Hacks
• Cybercriminals are no longer isolated amateurs.
• They increasingly leverage malware, bots and other forms of sophisticated threats to attack organizations:
  • Denial of service, botnets, advanced persistent threats, viruses, worms, Trojans, social engineering.
• Too little is done in many countries to prevent cybercrime.
References
• http://www.shodanhq.com/
• https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf
• http://en.wikipedia.org/wiki/Cisco_IOS
• http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html
• http://en.wikipedia.org/wiki/Industrial_control_system
• http://en.wikipedia.org/wiki/SCADA
• http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/
• http://en.wikipedia.org/wiki/Flame_(malware)
• http://en.wikipedia.org/wiki/Stuxnet
• https://www.owasp.org
• https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf
Appendix – Shodan Code
Appendix – Queries used in Shodan

Query                                          | Purpose
cisco-ios                                      | Cisco routers
cisco-ios last-modified 200 ok                 | Cisco routers which do not require authentication
cisco-ios web-authenticate                     | Cisco routers which require authentication
cisco-ios hostname:.gov                        | Cisco routers for .gov domain
cisco-ios hostname:.edu                        | Cisco routers for .edu domain
cisco-ios last-modified 200 ok hostname:.edu   | Cisco routers for .edu domain which do not require authentication
cisco-ios last-modified 200 ok hostname:.gov   | Cisco routers for .gov domain which do not require authentication
cisco-ios web-authenticate hostname:.edu       | Cisco routers for .edu domain which require authentication
cisco-ios web-authenticate hostname:.gov       | Cisco routers for .gov domain which require authentication
Siemens, SIMATIC                               | Siemens SCADA devices on internet
Location: ./broadWeb/system/bwviewpg.asp       | Broadwin SCADA
Server: ISC SCADA Service HTTPserv:00001       | ISC SCADA System
Server: ClearSCADA/6.72.4644.1                 | ClearSCADA/6.72.4644.1
Server: CIMPLICITY-HttpSvr/1.0                 | Proficy HMI/SCADA CIMPLICITY
Server: INDAS WEB SCADA                        | INDAS WEB SCADA
Siemens, SIMATIC NET, CP 343-1                 | SIMATIC NET CP 343-1
Siemens, SIMATIC, S7-300                       | SIMATIC S7-300
Siemens, SIMATIC NET, SCALANCE X208            | SIMATIC NET SCALANCE X208
Siemens, SIMATIC NET, Scalance S612            | SIMATIC NET SCALANCE S612
SCALANCE W746-1PRO                             | Siemens SCALANCE W746-1PRO
Location: /Scada/Default.aspx                  | SCADA – Vielha
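The product queries in this appendix, and the "Shodan statistics for some SCADA products" table they produced, as an added example (not the project's code): each query is compiled into a predicate over a raw banner and the matches are tallied per country into the table's two right-hand columns. The `Server:`/`Location:` queries are matched against that header; the comma-separated Siemens queries are treated as terms that must all occur in the banner, which is an assumption about how the slides' free-text searches behaved (the Siemens web servers' own Server header is a comma-separated list of exactly that form). The banners and country codes below are constructed.

```python
import re
from collections import Counter, defaultdict

# Product, vendor and the Shodan query the appendix lists for it.
FINGERPRINTS = [
    ("Broadwin SCADA", "Broadwin Technology", "Location: ./broadWeb/system/bwviewpg.asp"),
    ("ISC SCADA System", "Cloris Controls", "Server: ISC SCADA Service HTTPserv:00001"),
    ("ClearSCADA/6.72.4644.1", "Control Microsystems & Trio Datacom", "Server: ClearSCADA/6.72.4644.1"),
    ("Proficy HMI/SCADA CIMPLICITY", "General Electric Company", "Server: CIMPLICITY-HttpSvr/1.0"),
    ("INDAS WEB SCADA", "Indas", "Server: INDAS WEB SCADA"),
    ("SIMATIC NET CP 343-1", "Siemens", "Siemens, SIMATIC NET, CP 343-1"),
    ("SIMATIC S7-300", "Siemens", "Siemens, SIMATIC, S7-300"),
    ("SIMATIC NET SCALANCE X208", "Siemens", "Siemens, SIMATIC NET, SCALANCE X208"),
    ("SIMATIC NET SCALANCE S612", "Siemens", "Siemens, SIMATIC NET, Scalance S612"),
    ("Siemens SCALANCE W746-1PRO", "Siemens", "SCALANCE W746-1PRO"),
    ("SCADA - Vielha", "Socade Engineering Solutions", "Location: /Scada/Default.aspx"),
]

HEADER_QUERY = re.compile(r"^(Server|Location):\s*(.+)$")


def compile_query(query):
    """Turn one appendix query into a predicate over a raw banner.
    'Server: x' / 'Location: x' match when that header's value starts with x.
    Anything else is split on commas into terms that must all occur in the
    banner, case-insensitively (assumption about the slides' free-text
    searches; e.g. 'Server: Siemens, SIMATIC NET, CP 343-1, ...')."""
    m = HEADER_QUERY.match(query)
    if m:
        name, prefix = m.group(1).lower(), m.group(2).strip().lower()

        def header_pred(banner):
            for line in banner.splitlines():
                if ":" not in line:
                    continue
                k, v = line.split(":", 1)
                if k.strip().lower() == name and v.strip().lower().startswith(prefix):
                    return True
            return False
        return header_pred
    terms = [t.strip().lower() for t in query.split(",") if t.strip()]
    return lambda banner: all(t in banner.lower() for t in terms)


COMPILED = [(product, vendor, compile_query(q)) for product, vendor, q in FINGERPRINTS]


def fingerprint(banner):
    """All (product, vendor) pairs whose query matches.  A list, because the
    Siemens term sets overlap and one banner can legitimately hit several."""
    return [(p, v) for p, v, pred in COMPILED if pred(banner)]


def tally(records):
    """records: iterable of (country, banner).  Returns
    {product: (total accessible devices, country with the most)}."""
    per_product = defaultdict(Counter)
    for country, banner in records:
        for product, _vendor in fingerprint(banner):
            per_product[product][country] += 1
    return {p: (sum(c.values()), c.most_common(1)[0][0]) for p, c in per_product.items()}


# Constructed banners (not real Shodan records); country codes are assumed.
BROADWIN = "HTTP/1.1 302 Object moved\r\nServer: Microsoft-IIS/6.0\r\nLocation: ./broadWeb/system/bwviewpg.asp\r\nContent-Length: 0\r\n"
CIMPLICITY = "HTTP/1.1 200 OK\r\nServer: CIMPLICITY-HttpSvr/1.0\r\nContent-Type: text/html\r\n"
CP343 = "HTTP/1.0 200 OK\r\nServer: Siemens, SIMATIC NET, CP 343-1, 6GK7 343-1EX30-0XE0, HW: Version 2, FW: Version V2.3.2\r\nContent-Type: text/html\r\n"
CLEARSCADA = "HTTP/1.1 200 OK\r\nServer: ClearSCADA/6.72.4644.1\r\nContent-Type: text/html\r\n"
PLAIN_WEB = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n"

SAMPLE_RECORDS = [
    ("IE", BROADWIN), ("IN", CIMPLICITY), ("IN", CIMPLICITY), ("US", CIMPLICITY),
    ("CN", CP343), ("US", CLEARSCADA), ("DE", PLAIN_WEB),
]

if __name__ == "__main__":
    for product, (n, top) in sorted(tally(SAMPLE_RECORDS).items()):
        print("%-30s %3d  %s" % (product, n, top))
```

A banner match only says that a device answers with that product's web front end; it says nothing about whether the HMI behind it is password-protected, so, as with the Cisco counts, the totals are an upper bound on devices that are actually open.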