MIS 510: Cyber Analytics
TEAM: NEVER OFF GUARD
SUMEET BHATIA, AADIL HUSSAINI, SNEHAL NAVALAKHA, MO ZHOU
MARCH 5, 2014
Agenda
Introduction
Hacker Web
Research Questions
Methodology
Results/Discussion
Shodan
Research Questions
Methodology
Results/Discussion
Summary
Introduction
Importance of cyber security research
Computers becoming more ubiquitous
Increasing amount of critical infrastructure relies on computers and information technologies
Easier for hackers to commit cybercrime with advanced technologies
Our research goal: Contribute to existing literature on cyber security by conducting analytics on
data collected from two sources
Hacker Web: Collection of 18 major online hacker forums
Shodan: Search engine for “Internet of Things”
Hacker Web
18 major online hacker forums: multiple languages, variety of topics
Posts, thread, date/time, authorship stored in MySQL database
Our research focuses on the four English forums:
Elitehack
Hackhound
iCode
VCTool
Hacker Web - Data Collection
Downloaded and configured HeidiSQL
Connected to Hacker Web database using provided credentials
Ran SQL queries (i.e., SELECT * FROM [table] WHERE upper([column]) LIKE "%[KEYWORD]%")
Converted the results of the queries into CSV files
Used MS Excel and IBM Many Eyes for various analytics
Database tables: “elitehackposts,” “hackhoundposts,” “icodeposts” and “vctoolposts”
Hacker Web – Research Question 1
How frequently do posts with either of the two keywords (i.e., “victim(s)” and “target(s)”)
appear on each of the four English forums? How does the frequency vary between the forums
across time?
Data Analysis
Found total number of posts (without any keywords) for each forum
Used the keywords “victim(s)” (SQL: “%VICTIM%”) and “target(s)” (SQL: “%TARGET%”) and
queried all four forums individually to find the total number of posts with either of the two
keywords
Calculated the percentage of total posts that contained either of the keywords
Compared temporal trends for “iCode” and “VCTool”
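The analysis steps above, as an added example that is not the team's own code: it runs the slide's upper(...) LIKE query against an in-memory SQLite database, counts a post once even when it contains both keywords, and breaks the percentage down by year. The table names come from the slides; the column names (post_date, content) and all sample rows are assumptions constructed for illustration, and two rows show that the substring match also counts "Targeted" and a compiler "target".

```python
import sqlite3

# Table names come from the slides; the column names (post_date, content)
# and every row below are constructed for illustration.
FORUM_TABLES = ["elitehackposts", "hackhoundposts", "icodeposts", "vctoolposts"]
KEYWORDS = ["VICTIM", "TARGET"]

SAMPLE_ROWS = {
    "elitehackposts": [("2012-03-01", "New crypter released"),
                       ("2012-05-11", "Compiler target set to x86")],
    "hackhoundposts": [("2013-01-09", "Unpacking tutorial"),
                       ("2013-02-02", "Stub source wanted")],
    "icodeposts": [("2009-06-01", "The victim opens the file"),
                   ("2009-07-15", "Victims and targets listed"),
                   ("2010-01-20", "VB6 help needed"),
                   ("2010-02-03", "Compile error in module")],
    "vctoolposts": [("2011-04-04", "Targeted ads discussion"),
                    ("2011-08-19", "Forum rules update")],
}

def build_db():
    conn = sqlite3.connect(":memory:")
    for table in FORUM_TABLES:  # fixed allow-list, so safe to interpolate
        conn.execute(f"CREATE TABLE {table} (post_date TEXT, content TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", SAMPLE_ROWS[table])
    return conn

def keyword_share(conn, table, by_year=False):
    """Percent of posts containing any keyword; each post is counted once."""
    if table not in FORUM_TABLES:
        raise ValueError(f"unknown table: {table}")
    # OR-ing the patterns avoids double counting posts that hold both keywords.
    match = " OR ".join("upper(content) LIKE ?" for _ in KEYWORDS)
    period = "substr(post_date, 1, 4)" if by_year else "'all'"
    sql = (f"SELECT {period}, COUNT(*), "
           f"SUM(CASE WHEN {match} THEN 1 ELSE 0 END) "
           f"FROM {table} GROUP BY 1 ORDER BY 1")
    params = [f"%{k}%" for k in KEYWORDS]
    return {p: round(100.0 * hits / total, 2)
            for p, total, hits in conn.execute(sql, params)}

if __name__ == "__main__":
    conn = build_db()
    for table in FORUM_TABLES:
        print(table, keyword_share(conn, table), keyword_share(conn, table, by_year=True))
```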
Hacker Web – Research Question 1
Findings/Discussion
Percentage > 1% for all forums
“iCode”: 2.05% (highest)
“Hackhound”: 1.02% (lowest)
[Chart: # of Posts With Keywords (As a % of Total # of Posts), by forum table: elitehackposts, hackhoundposts, icodeposts, vctoolposts]
Hacker Web – Research Question 1
Findings/Discussion (Cont’d)
“Elitehack” and “Hackhound” not used because little data is available for earlier years
“iCode”: Unusually high 2009 percentage
General trend the same for both forums
[Chart: # of Posts With Keywords (As a % of Total # of Posts), by year from 2009 to 2013, for icodeposts and vctoolposts]
Hacker Web – Research Question 2
What are the most frequently mentioned topics within each forum and across all four forums?
Data Analysis
Same query as Question 1 for total number of posts in each forum
IBM Many Eyes: Word Tag Analysis
Calculated percentage of total posts that contained most frequent topics
Hacker Web – Research Question 2
Findings/Discussion
Each forum has own “flavor”
[Chart: # of Occurrences (As a % of # of Total Posts), by forum: Elitehack, Hackhound, iCode, VCTools]
Hacker Web – Research Question 2
Findings/Discussion (Cont’d)
“Windows” most talked about
[Chart: # of Occurrences (As a % of # of Total Posts), by topic: Windows, Malware, Government, Botnet]
Shodan
Search engine for finding open and vulnerable ports and devices (“Internet of Things”)
Interrogates ports, grabs the resulting banners and indexes the banners for searching
Filters available: IP address, hostname, port, latitude and longitude, operating system, city,
country, and device data
Can be exploited by malicious hackers but also very useful for research purposes
Shodan – Research Question 1
Samsung has tried to go “SoLoMo” using its SmartTV. It has tried to integrate internet and Web
2.0 features with television sets. Our first research question on SmartTVs is divided into the
following parts:
How many SmartTVs are publicly-facing and respond to Shodan’s search query? What is the
geographical distribution of these SmartTVs and are all of them exploitable?
What percentage of SmartTVs is publicly visible where the Webkit vulnerability in the device
could be exploited?
Shodan – Research Question 1
Samsung SmartTV: Background Information
Linux device with Webkit-based browser used to load web pages/applications
Webkit: Open-source HTML rendering engine (Google Chrome and Apple Safari browsers)
Value of Research:
SmartTV is a relatively new device in market
Use of Webkit exposes device to range of security exploits such as cross-site scripting attacks,
denial-of-service attacks and unexpected application termination or arbitrary code execution
Shodan – Research Question 1
Data Collection/Analysis
Researched on Shodan search engine (www.shodanhq.com) and found tags in SmartTV banner
Highly prevalent tag: “Content-Length:345 Server:Swift1.0”
Used Python script to run query on Shodan using tag
Retrieved 350,968 records; randomly selected 3,000 as sample
Used sample records to analyze geographic distribution and exploitability (operating ports)
Shodan – Research Question 1
Part 1
Geographic distribution of SmartTV with open access
Top three: Republic of Korea, United States and Chile
Shodan – Research Question 1
Operating ports analysis
Majority on Port 443 (safe)
Large portion on Port 80 (not safe)
[Chart: Total Number of Hosts (count) by Port Number: 80, 443, 8080, 8443, (BLANK); counts shown: 1518, 1470, 5, 7]
Shodan – Research Question 1
Part 2
Approximately 12 million SmartTVs sold as of Q1 2013
350,968 vulnerable devices tracked: 2.92% of devices publicly visible
Shodan – Research Question 2
How vulnerable are the traffic signal systems in the United States? Which are the cities that
are most vulnerable to getting their traffic signal systems hacked?
Background Information
Many public communication systems internet-enabled
Lack of security: e.g., Los Angeles’s Traffic Signal System hacked by engineers recently
Important research that impacts public safety and privacy
Shodan – Research Question 2
Data Collection/Analysis
Searched for header keywords in the Shodan Database
Wrote a Java application to extract the data row by row and return it to Python
Wrote a loop using Python to input and store the data row by row in MS Excel
Used the results in output for analysis
Shodan – Research Question 2
Findings/Discussion
Tags used: “atz executive” and “Content-Length: 2861 Cache-Control: max-age=86400”
216 records found
Top cities: Metairie and New Orleans, LA
Shodan – Research Question 2
Findings/Discussion (Cont’d)
Able to access “PIPS technology”
View live images
License plate recognition
Modify configurations
Summary
Hacker Web
iCode forum: highest percentage of “victim(s)” and/or “target(s)”; Hackhound is lowest
iCode and VCTool both show increasing trend of conversation for the two keywords
Each forum analyzed has its own “flavor”; “Windows” is most talked about across all English
forums
Shodan
Majority of vulnerable SmartTVs appear in Republic of Korea, United States and Chile
Metairie and New Orleans (Louisiana) have the most publicly-accessible Traffic Signal Systems