MIS 510: Cyber Analytics


MIS 510: Cyber Analytics
TEAM: NEVER OFF GUARD
Sumeet Bhatia, Aadil Hussaini, Snehal Navalakha, Mo Zhou
MARCH 5, 2014
Agenda
- Introduction
- Hacker Web
  - Research Questions
  - Methodology
  - Results/Discussion
- Shodan
  - Research Questions
  - Methodology
  - Results/Discussion
- Summary
Introduction
Importance of cyber security research
- Computers becoming more ubiquitous
- Increasing amount of critical infrastructure relies on computers and information technologies
- Easier for hackers to commit cybercrime with advanced technologies
Our research goal: Contribute to existing literature on cyber security by conducting analytics on data collected from two sources
- Hacker Web: Collection of 18 major online hacker forums
- Shodan: Search engine for the “Internet of Things”
Hacker Web
- 18 major online hacker forums: multiple languages, variety of topics
- Posts, threads, date/time and authorship stored in a MySQL database
Our research focuses on the four English forums:
- Elitehack
- Hackhound
- iCode
- VCTool
Hacker Web – Data Collection
- Downloaded and configured HeidiSQL
- Connected to the Hacker Web database using the provided credentials
- Ran SQL queries (e.g., SELECT * FROM [table] WHERE upper([column]) LIKE '%[KEYWORD]%')
- Converted the query results into CSV files
- Used MS Excel and IBM Many Eyes for various analytics
Database tables: “elitehackposts,” “hackhoundposts,” “icodeposts” and “vctoolposts”
Hacker Web – Research Question 1
How frequently do posts containing either of the two keywords (i.e., “victim(s)” and “target(s)”) appear on each of the four English forums? How does the frequency vary between the forums across time?
Data Analysis
- Found the total number of posts (without any keyword filter) for each forum
- Used the keywords “victim(s)” (SQL: '%VICTIM%') and “target(s)” (SQL: '%TARGET%') and queried all four forums individually to find the total number of posts containing either keyword
- Calculated the percentage of total posts that contained either keyword
- Compared temporal trends for “iCode” and “VCTool”
Hacker Web – Research Question 1
Findings/Discussion
- Percentage > 1% for all forums
- “iCode”: 2.05% (highest)
- “Hackhound”: 1.02% (lowest)
[Chart: # of Posts With Keywords (As a % of Total # of Posts), by forum: elitehackposts, hackhoundposts, icodeposts, vctoolposts; y-axis 0.00% to 2.50%]
Hacker Web – Research Question 1
Findings/Discussion (Cont’d)
- “Elitehack” and “Hackhound” not used due to too little data for the earlier years
- “iCode”: Unusually high 2009 percentage
- General trend the same for both forums
[Chart: # of Posts With Keywords (As a % of Total # of Posts), 2009 to 2013, icodeposts vs. vctoolposts; y-axis 0.00% to 8.00%]
Hacker Web – Research Question 2
What are the most frequently mentioned topics within each forum and across all four forums?
Data Analysis
- Same query as Question 1 for the total number of posts in each forum
- IBM Many Eyes: Word Tag Analysis
- Calculated the percentage of total posts that contained the most frequent topics
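The SQL-and-spreadsheet workflow of the two Hacker Web questions (per-forum keyword LIKE queries as a share of total posts, the per-year comparison of Question 1, and the topic shares of Question 2), written out as an added example; this is not the team's own script. It uses an in-memory SQLite stand-in for the Hacker Web MySQL database: the four table names come from the slides, while the column names post_date and content and the sample post rows are constructed assumptions about the schema and data.

```python
import sqlite3

# The four English forum tables named in the slides.  Table names cannot be bound as
# SQL parameters, so anything outside this allowlist is rejected before reaching SQL.
FORUM_TABLES = ("elitehackposts", "hackhoundposts", "icodeposts", "vctoolposts")

# Constructed sample rows (forum table, post date, post text); not real Hacker Web data.
# Column names post_date and content are assumptions about the schema.
SAMPLE_POSTS = [
    ("icodeposts", "2009-03-01", "Analysis of a target machine after the incident"),
    ("icodeposts", "2009-05-12", "Windows 7 beta crashes my debugger"),
    ("icodeposts", "2010-01-20", "Botnet takedown in the news"),
    ("icodeposts", "2010-06-02", "VICTIMS of the new worm report slow systems"),
    ("icodeposts", "2011-02-14", "Windows malware packers comparison"),
    ("vctoolposts", "2010-09-09", "target list format for the vulnerability scanner"),
    ("vctoolposts", "2010-11-30", "Government site mirrors"),
    ("vctoolposts", "2011-04-04", "Windows XP still everywhere"),
    ("hackhoundposts", "2012-01-01", "Windows 8 release"),
    ("hackhoundposts", "2012-02-01", "malware analysis sandbox setup"),
    ("elitehackposts", "2013-07-07", "Who is the victim here?"),
]


def load_sample_db():
    """Build an in-memory SQLite stand-in for the Hacker Web MySQL database."""
    conn = sqlite3.connect(":memory:")
    for table in FORUM_TABLES:
        conn.execute(f"CREATE TABLE {table} (id INTEGER PRIMARY KEY, post_date TEXT, content TEXT)")
    for table, post_date, content in SAMPLE_POSTS:
        conn.execute(f"INSERT INTO {table} (post_date, content) VALUES (?, ?)", (post_date, content))
    conn.commit()
    return conn


def _check_table(table):
    if table not in FORUM_TABLES:
        raise ValueError(f"unknown forum table: {table!r}")


def _keyword_clause(keywords):
    """Same shape as the slides' query, upper(column) LIKE '%KEYWORD%', one term per
    keyword, with the patterns bound as parameters instead of pasted into the SQL."""
    clause = " OR ".join("upper(content) LIKE ?" for _ in keywords)
    params = [f"%{kw.upper()}%" for kw in keywords]
    return clause, params


def keyword_share(conn, table, keywords):
    """RQ1: percentage of posts in `table` containing any of the keywords (2 dp)."""
    _check_table(table)
    total = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    clause, params = _keyword_clause(keywords)
    hits = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {clause}", params).fetchone()[0]
    return round(100.0 * hits / total, 2) if total else 0.0


def yearly_share(conn, table, keywords):
    """RQ1 temporal trend: {year: percentage of that year's posts containing a keyword}."""
    _check_table(table)
    clause, params = _keyword_clause(keywords)
    rows = conn.execute(
        f"SELECT substr(post_date, 1, 4) AS yr, COUNT(*), "
        f"SUM(CASE WHEN {clause} THEN 1 ELSE 0 END) FROM {table} GROUP BY yr ORDER BY yr",
        params,
    ).fetchall()
    return {yr: round(100.0 * hits / total, 2) for yr, total, hits in rows}


def topic_share(conn, topics):
    """RQ2: share of all posts across the four forums that mention each topic."""
    total = sum(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in FORUM_TABLES)
    shares = {}
    for topic in topics:
        clause, params = _keyword_clause([topic])
        hits = sum(
            conn.execute(f"SELECT COUNT(*) FROM {t} WHERE {clause}", params).fetchone()[0]
            for t in FORUM_TABLES
        )
        shares[topic] = round(100.0 * hits / total, 2) if total else 0.0
    return shares


if __name__ == "__main__":
    db = load_sample_db()
    for table in FORUM_TABLES:
        print(f"{table}: {keyword_share(db, table, ['victim', 'target'])}% of posts mention victim/target")
    print("icodeposts by year:", yearly_share(db, "icodeposts", ["victim", "target"]))
    print("topics across all forums:", topic_share(db, ["Windows", "Malware", "Government", "Botnet"]))
```

The table name is checked against a fixed allowlist because it cannot be a bound parameter, and the LIKE patterns are bound rather than spliced into the query string as in the slide's template; that is the difference between a one-off analyst query typed into HeidiSQL and a script that can safely take its keywords from a file.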
Hacker Web – Research Question 2
Findings/Discussion
- Each forum has its own “flavor”
[Chart: # of Occurrences (As a % of # of Total Posts) of the most frequent topics per forum: Elitehack, Hackhound, iCode, VCTools; y-axis 0.00% to 1.80%]
Hacker Web – Research Question 2
Findings/Discussion (Cont’d)
- “Windows” most talked about
[Chart: # of Occurrences (As a % of # of Total Posts) across all four forums: Windows, Malware, Government, Botnet; y-axis 0.00% to 0.80%]
Shodan
- Search engine for finding open and vulnerable ports and devices (“Internet of Things”)
- Interrogates ports, grabs the resulting banners and indexes the banners for searching
- Filters available: IP address, hostname, port, latitude and longitude, operating system, city, country, and device data
- Can be exploited by malicious hackers but also very useful for research purposes
Shodan – Research Question 1
Samsung has tried to go “SoLoMo” using its SmartTV. It has tried to integrate internet and Web 2.0 features with television sets. Our first research question on SmartTVs is divided into the following parts:
- How many SmartTVs are publicly-facing and respond to Shodan’s search query? What is the geographical distribution of these SmartTVs, and are all of them exploitable?
- What percentage of SmartTVs is publicly visible such that the Webkit vulnerability in the device could be exploited?
Shodan – Research Question 1
Samsung SmartTV: Background Information
- Linux device with a Webkit-based browser used to load web pages/applications
- Webkit: Open-source HTML rendering engine (used by the Google Chrome and Apple Safari browsers)
Value of Research:
- SmartTV is a relatively new device in the market
- Use of Webkit exposes the device to a range of security exploits such as cross-site scripting attacks, denial-of-service attacks and unexpected application termination or arbitrary code execution
Shodan – Research Question 1
Data Collection/Analysis
- Searched the Shodan search engine (www.shodanhq.com) and found tags in the SmartTV banner
- Highly prevalent tag: “Content-Length:345 Server:Swift1.0”
- Used a Python script to run the query on Shodan using the tag
- Retrieved 350,968 records; randomly selected 3,000 as a sample
- Used the sample records to analyze geographic distribution and exploitability (operating ports)
Shodan – Research Question 1
Part 1
Geographic distribution of SmartTVs with open access
- Top three: Republic of Korea, United States and Chile
Shodan – Research Question 1
Operating ports analysis
- Majority on Port 443 (safe)
- Large portion on Port 80 (not safe)
[Chart: Total Number of Hosts (Count) by Port Number: 80, 443, 5, 7, 8080, 8443, (blank); the two largest bars are labelled 1518 and 1470]
Shodan – Research Question 1
Part 2
- Approximately 12 million SmartTVs sold as of Q1 2013
- 350,968 vulnerable devices tracked → 2.92% of devices publicly visible
Shodan – Research Question 2
How vulnerable are the traffic signal systems in the United States? Which cities are most vulnerable to having their traffic signal systems hacked?
Background Information
- Many public communication systems are internet-enabled
- Lack of security: e.g., Los Angeles’s traffic signal system was hacked by engineers recently
- Important research that impacts public safety and privacy
Shodan – Research Question 2
Data Collection/Analysis
- Searched for header keywords in the Shodan database
- Wrote a Java application to extract the data row by row and return it to Python
- Wrote a Python loop to input and store the data row by row in MS Excel
- Used the resulting output for analysis
Shodan – Research Question 2
Findings/Discussion
- Tags used: “atz executive” and “Content-Length: 2861 Cache-Control: max-age=86400”
- 216 records found
- Top cities: Metairie and New Orleans, LA
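The Shodan workflow shared by both Shodan research questions (filter results by a banner tag, draw a random sample, tabulate countries, cities and ports, and compute the publicly visible share), written out as an added example; this is not the team's Python or Java code. The tags and the 350,968 / 12 million figures are the slides' own. The records are constructed to resemble entries in the Shodan API's result list (ip_str, port, data, location) and use RFC 5737 documentation addresses; treating a tag as a set of banner substrings is an assumption for offline use, not Shodan's own query grammar. Live results would come from shodan.Shodan(api_key).search(query)["matches"] in the shodan Python library.

```python
import random
from collections import Counter

# Tags quoted in the slides.
SMARTTV_TAG = "Content-Length:345 Server:Swift1.0"
TRAFFIC_TAGS = ("atz executive", "Content-Length: 2861 Cache-Control: max-age=86400")

# The slides read port 443 as "safe" and port 80 as "not safe"; this encodes that reading
# as TLS-wrapped versus plaintext HTTP (assumption: 8443 behaves like 443, 8080 like 80).
TLS_PORTS = {443, 8443}
PLAINTEXT_HTTP_PORTS = {80, 8080}


def _rec(ip, port, country, city, banner):
    """Build a record shaped like one entry of a Shodan API 'matches' list."""
    return {"ip_str": ip, "port": port, "data": banner,
            "location": {"country_name": country, "city": city}}


# Constructed banners and records for offline use; IPs are documentation addresses, not real hosts.
TV_BANNER = "HTTP/1.1 200 OK\r\nContent-Length:345\r\nServer:Swift1.0\r\n\r\n"
SIGNAL_BANNER = ("HTTP/1.1 200 OK\r\nContent-Length: 2861\r\nCache-Control: max-age=86400\r\n"
                 "\r\n<title>atz executive</title>")
OTHER_BANNER = "SSH-2.0-OpenSSH_6.2\r\n"

RECORDS = [
    _rec("192.0.2.1", 443, "Republic of Korea", "Seoul", TV_BANNER),
    _rec("192.0.2.2", 443, "Republic of Korea", "Busan", TV_BANNER),
    _rec("192.0.2.3", 80, "United States", "Austin", TV_BANNER),
    _rec("192.0.2.4", 443, "United States", "Denver", TV_BANNER),
    _rec("192.0.2.5", 8080, "Chile", "Santiago", TV_BANNER),
    _rec("192.0.2.6", 443, "Chile", "Santiago", TV_BANNER),
    _rec("198.51.100.1", 80, "United States", "Metairie", SIGNAL_BANNER),
    _rec("198.51.100.2", 80, "United States", "New Orleans", SIGNAL_BANNER),
    _rec("198.51.100.3", 80, "United States", "Metairie", SIGNAL_BANNER),
    _rec("203.0.113.1", 22, "Germany", "Berlin", OTHER_BANNER),
]


def matches_tag(record, tag):
    """True if every whitespace-separated token of `tag` occurs in the banner
    (case-insensitive).  A loose substring filter standing in for Shodan's matching."""
    banner = record["data"].lower()
    return all(token in banner for token in tag.lower().split())


def search(records, *tags):
    """Records matching any of the given tags, in their original order."""
    return [r for r in records if any(matches_tag(r, t) for t in tags)]


def sample_records(records, n, seed):
    """Reproducible random sample (the slides drew 3,000 of 350,968 records)."""
    return random.Random(seed).sample(records, min(n, len(records)))


def top_countries(records, n):
    return Counter(r["location"]["country_name"] for r in records).most_common(n)


def top_cities(records, n):
    return Counter(r["location"]["city"] for r in records).most_common(n)


def port_counts(records):
    return dict(Counter(r["port"] for r in records))


def transport_class(port):
    """'encrypted' for TLS ports, 'plaintext-http' for 80/8080, 'other' otherwise."""
    if port in TLS_PORTS:
        return "encrypted"
    if port in PLAINTEXT_HTTP_PORTS:
        return "plaintext-http"
    return "other"


def exposure_summary(records):
    return dict(Counter(transport_class(r["port"]) for r in records))


def visible_share(found, sold):
    """Percentage of sold devices that appeared in the search results (2 dp)."""
    return round(100.0 * found / sold, 2)


if __name__ == "__main__":
    tvs = search(RECORDS, SMARTTV_TAG)
    sample = sample_records(tvs, 3, seed=510)
    print("SmartTV records:", len(tvs), "sampled:", len(sample))
    print("top countries:", top_countries(tvs, 3))
    print("ports:", port_counts(tvs), exposure_summary(tvs))
    print("publicly visible share:", visible_share(350_968, 12_000_000), "%")
    signals = search(RECORDS, *TRAFFIC_TAGS)
    print("traffic-signal records:", len(signals), "top cities:", top_cities(signals, 2))
```

The seeded sampler is what makes the 3,000-record step repeatable by someone checking the analysis; the Java-to-Python-to-Excel hop in the slides is replaced here by plain Python dicts, which is all the tabulation needs.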
Shodan – Research Question 2
Findings/Discussion (Cont’d)
- Able to access “PIPS technology”
- View live images
- License plate recognition
- Modify configurations
Summary
Hacker Web
- iCode forum: highest percentage of “victim(s)” and/or “target(s)”; Hackhound is lowest
- iCode and VCTool both show an increasing trend of conversation for the two keywords
- Each forum analyzed has its own “flavor”; “Windows” is most talked about across all English forums
Shodan
- Majority of vulnerable SmartTVs appear in Republic of Korea, United States and Chile
- Metairie and New Orleans (Louisiana) have the most publicly-accessible traffic signal systems