Cyber Security Project
2014
MIS 510-WEB COMPUTING AND ANALYTICS
TEAM MEMBERS
KIRAN VISWANATHAN
PRATHAMESH BHURKE
PRASAD KODRE
VANITHA VENKATANARAYANAN
Introduction
With the increase in reliance on technology, many aspects of our lives depend on the Internet and computers, including communications, transportation, government, finance and education. As more and more critical information is stored and handled online, the need for a secure way to store all this information rises. With the advancement in technology, access to this data has become easier and hence systems are more vulnerable to cyber threats. The increasing volume and sophistication of cyber security threats such as malware attacks, phishing scams, data theft and other online vulnerabilities demand that we remain vigilant about securing our systems and information. Systems can be easily compromised if unprotected, and a lot of sensitive information can be obtained and misused. Thousands of infected web pages are being discovered every day. Hundreds of millions of records have been involved in data breaches. Companies have lost millions of dollars due to cyber-attacks and the lawsuits that follow them. New attack methods are launched continuously. Through our research we would like to highlight the importance of information security and the vulnerabilities in various industries such as communication, government, banking and social media.
The communication industry that connects millions of users together faces cyber threats on a day-to-day basis. The security levels of Cisco routers were analyzed, and statistics and analytics are discussed in our research. Next we analyze the kind of attacks that are launched on industrial systems, the SCADA devices affected by Stuxnet and the countries that faced the maximum impact. We then look into the world of Trojans and discuss the most popular Trojans and their impact on the banking domain. Another area where huge amounts of personal information are under threat is social media sites. By analyzing the Hacker Web forums we deduced that Facebook is the most targeted site.
Cybersecurity Research Questions
1. How secure are the large number of Cisco routers which are currently connected to the internet?
2. Are there any Industrial Control Systems connected to the internet? How secure are SCADA/ICS equipment which are behind the organizational firewall?
3. Which are the top 3 Banking Trojans spoken about on Hacker Web?
4. Which is the most targeted social media platform?
Literature Review
To understand the impact of cybersecurity we studied the existing documentation and recent news about cybersecurity. There is a tremendous amount of growth in the area of cybersecurity. Some of the major research papers/blogs we studied are:
1. Banking Trojans: Understanding their impact and how to defend your institution against Trojan-aided fraud.
Reference: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf
This paper talks about the different banking malware families and their impact on the market. The paper gives a good statistical analysis of the affected areas and the impact of the malware. The author also talks about the preventive measures that can be taken against future attacks and how current attacks can be mitigated.
2. Trojan.Zbot: Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.
Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
This paper talks about Trojan.Zbot. It gives a detailed analysis of the Trojan, its functionality, infection, geographical distribution and a detailed summary.
3. Carberp Code Leak Stokes Copycat Fears:
Reference: http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears/
This blog talks about the Carberp Trojan. The article gives details about the Trojan and its growth.
4. Some other important references:
http://en.wikipedia.org/wiki/Industrial_control_system
http://en.wikipedia.org/wiki/SCADA
http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/
http://en.wikipedia.org/wiki/Flame_(malware)
http://en.wikipedia.org/wiki/Stuxnet
https://www.owasp.org
Research Design
Shodan data retrieval technique
The Shodan Python API was used as the primary method for data retrieval from Shodan. An API key is required to use this API; it can be obtained by registering at http://www.shodanhq.com/
This API has two important functions:
search() returns a dictionary of result information
count() returns the total number of results that matched the query and any facet information that was requested
Both of the above functions accept two parameters:
query – a string which is used to search the database of banners in Shodan
facet – a comma-separated list of properties to get summary information on
As most of the questions in this report required statistical data, the count() function was used for fetching the data. The Python program fetched the following data from Shodan:
Total results
1. Result count for each of the top 10 organizations for the query
2. Result count for each of the top 10 domains for the query
3. Result count for each of the top 200 countries for the query
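An added example (not the report's own program) of the count()-with-facets retrieval described above and of how two such results are joined into the per-country "unprotected" table used in the findings. It assumes the `shodan` PyPI client, whose `Shodan(key).count(query, facets=...)` returns a dict with `total` and `facets`; the sample responses are constructed in that shape, with a few figures borrowed from the report's tables.

```python
# Added example: Shodan count() with facets, joined into a per-country table.
# Assumes the `shodan` PyPI client (Shodan(api_key).count(query, facets=...)).
from typing import Dict, List, Tuple

# The facets the report requested: top 10 organizations, top 10 domains, top 200 countries.
FACETS = "org:10,domain:10,country:200"


def fetch_counts(api_key: str, query: str, facets: str = FACETS) -> dict:
    """Live call to Shodan (needs a key and network; not exercised offline)."""
    import shodan  # pip install shodan; imported lazily so the rest runs offline
    return shodan.Shodan(api_key).count(query, facets=facets)


def facet_table(result: dict, facet: str) -> Dict[str, int]:
    """Flatten one facet of a count() response ([{'value':..,'count':..}]) into {value: count}."""
    rows = result.get("facets", {}).get(facet, [])
    return {row["value"]: int(row["count"]) for row in rows}


def unprotected_by_country(all_devices: dict, open_devices: dict) -> List[Tuple[str, int, int, float]]:
    """Join the 'cisco-ios' counts with the 'cisco-ios last-modified 200 ok' counts.

    Returns (country, total, no_auth, percent_unprotected) sorted by the number of
    devices without authentication, i.e. the layout of the report's Table 1.0.
    A country present only in the open-device result is kept with total 0.
    """
    total = facet_table(all_devices, "country")
    open_ = facet_table(open_devices, "country")
    table = []
    for country, n_open in open_.items():
        n_total = total.get(country, 0)
        pct = round(100.0 * n_open / n_total, 2) if n_total else 0.0  # avoid division by zero
        table.append((country, n_total, n_open, pct))
    table.sort(key=lambda row: row[2], reverse=True)
    return table


# Constructed responses in count()'s shape (not live data); the US/GB figures are
# those of the report's Table 1.0, the ML row mirrors the Mali case of Table 3.0.
ALL_CISCO = {"total": 1616911, "facets": {"country": [
    {"value": "US", "count": 380771}, {"value": "GB", "count": 59607},
    {"value": "ML", "count": 3}]}}
OPEN_CISCO = {"total": 11419, "facets": {"country": [
    {"value": "US", "count": 2334}, {"value": "GB", "count": 618},
    {"value": "ML", "count": 3}]}}

if __name__ == "__main__":
    for country, n_total, n_open, pct in unprotected_by_country(ALL_CISCO, OPEN_CISCO):
        print(f"{country:3} {n_total:>8} {n_open:>6} {pct:6.2f} %")
```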
Data visualization tools
Tableau: Tableau was used to build graphs and other visualizations. The data for these graphs was obtained from the Hacker Web forums and Shodan. For the question regarding social media attacks, a graph is plotted which shows the increase in the number of posts which talked about hacking Facebook from the year 2010 to 2013. It also shows the number of views of these respective posts and threads. This was plotted with the help of Tableau. The data was obtained from the 'Anon' forum in Hacker Web.
Spotfire: Spotfire is another tool for analyzing data and building charts. Different kinds of charts can be built with the help of Spotfire. For this project, we make use of Spotfire in the analysis phase for posts related to Facebook. Here we use a bar chart which shows the author name on the X-axis and integrates the author's reputation score, number of posts, number of views of the post and the post rank. This gives an overall view of the 'Anon' forum. The result is also filtered to show only the posts which contain the term 'hack Facebook'.
Excel: Many of the graphs were produced with the help of Excel. The data from the forums was exported to Excel and the graphs were then built from the required metrics.
Content analysis tool
RapidMiner: RapidMiner is a very powerful analysis tool. It has a good graphical interface and provides ways to refine your mining. RapidMiner allows you to build charts and perform statistical analysis, predictive analysis and text analysis. The analysis performed in this project was to mine the text 'hack Facebook' or 'Hacking Facebook' in order to count the number of occurrences of these terms in the posts and threads of the forum 'Anon'. It was also used to mine the word 'Carberp', a Trojan on which one of our questions is based.
Findings and Discussion
1. How secure are the large number of Cisco routers which are currently connected to the internet?
Many of the Cisco routers which are currently connected to the internet have a web interface for configuring the device. To gain access to these devices, a username and password might be needed. Unauthorized access to these devices may lead to unwanted consequences. Data collected from Shodan for Cisco devices around the world shows that there are at least 1,616,911 Cisco routers connected to the internet. Among these, potentially more than 11,419 devices do not require authentication. This can be found out by spotting differences in the banner information of the device: banners which have the "200 OK" status code and a "Last-modified" line do not require authentication, whereas a "www-authenticate" line indicates that a username and password are required.
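The banner rule just described, written out as an added example (not code from the report) that an operator could run over banners collected from their own routers: it parses the HTTP header block rather than matching loose substrings, so a "Last-Modified" string inside page content does not count. All banners below are constructed samples, and the realm string is illustrative.

```python
# Added example: classify Cisco IOS HTTP banners on the report's rule
# ("200 OK" + "Last-modified" => no authentication; "WWW-Authenticate" => required).
from typing import Dict, List, Tuple


def parse_banner(banner: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP banner into (status line, lower-cased header name -> value)."""
    lines = banner.replace("\r\n", "\n").split("\n")
    status = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break                                  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(banner: str) -> str:
    """Return 'no-auth', 'auth-required', 'not-cisco-ios' or 'unknown' for one banner."""
    status, headers = parse_banner(banner)
    if "cisco-ios" not in headers.get("server", "").lower():
        return "not-cisco-ios"                     # outside the population the report counts
    parts = status.split()
    code = parts[1] if len(parts) >= 2 else ""
    if code == "200" and "last-modified" in headers:
        return "no-auth"                           # a page was served without any challenge
    if "www-authenticate" in headers:
        return "auth-required"                     # the device asked for credentials
    return "unknown"                               # e.g. a redirect; needs manual review


def summarise(banners: List[str]) -> Dict[str, int]:
    """Count banners per class: the per-class totals behind the report's tables."""
    counts: Dict[str, int] = {}
    for banner in banners:
        label = classify(banner)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed banners (not real captures); one uses bare LF line endings on purpose.
SAMPLE_BANNERS = [
    "HTTP/1.1 401 Unauthorized\r\nDate: Mon, 10 Mar 2014 10:00:00 GMT\r\n"
    "Server: cisco-IOS\r\nConnection: close\r\n"
    "WWW-Authenticate: Basic realm=\"example_realm\"\r\n\r\n",
    "HTTP/1.1 200 OK\r\nDate: Mon, 10 Mar 2014 10:00:00 GMT\r\nServer: cisco-IOS\r\n"
    "Last-Modified: Mon, 10 Mar 2014 09:59:00 GMT\r\nContent-Type: text/html\r\n\r\n<html>",
    "HTTP/1.1 200 OK\nServer: Apache/2.2.22\nLast-Modified: Mon, 10 Mar 2014 09:59:00 GMT\n\n",
    "HTTP/1.1 302 Found\r\nServer: cisco-IOS\r\nLocation: /login\r\n\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(classify(banner), "<-", banner.split("\n")[0].strip())
    print(summarise(SAMPLE_BANNERS))
```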
Countries | Total Cisco-IOS devices | Authentication required | No authentication required | Unprotected devices percentage
United States | 380771 | 261169 | 2334 | 0.61 %
United Kingdom | 59607 | 47885 | 618 | 1.04 %
China | 84871 | 63656 | 564 | 0.66 %
Italy | 82087 | 42820 | 462 | 0.56 %
Mexico | 60032 | 51442 | 395 | 0.66 %
Brazil | 39047 | 21668 | 378 | 0.99 %
Russia | 77413 | 47684 | 373 | 0.48 %
South Korea | 42673 | 26399 | 322 | 0.75 %
India | 45197 | 29059 | 247 | 0.55 %
Turkey | 69135 | 66930 | 68 | 0.10 %
Table 1.0 Countries with the maximum number of Cisco routers which do not require authentication
The United States has the maximum number of unprotected Cisco routers, followed by the UK and China.
Figure 1.0 Percentage of unprotected Cisco routers out of the total Cisco routers for each country (bar chart of the last column of Table 1.0, plotted on a 0.00 % to 1.20 % axis)
Domain | Unprotected Cisco routers
1. telecomitalia.it | 247
2. codetel.net.do | 244
3. wanadoo.fr | 135
4. mundivox.com | 127
5. t-ipconnect.de | 116
6. prod-infinitum.com.mx | 100
7. uninet-ide.com.mx | 90
8. cantv.net | 80
9. btopenworld.com | 42
10. tpnet.pl | 37
Table 2.0 List of top domains with the maximum number of unprotected Cisco routers
Now, let's take a look at Cisco routers which fall under the .edu domain network. Out of the total 9248 Cisco routers under the .edu domain network which can be found on Shodan, 71 devices can be accessed without any login or password. The United States has the maximum number of unprotected Cisco routers under the .edu domain network.
Countries | Total Cisco-IOS devices under .edu domain | Authentication required | No authentication required | Unprotected devices percentage
United States | 6085 | 5699 | 32 | 0.52 %
Taiwan | 1849 | 1413 | 22 | 1.19 %
Turkey | 530 | 509 | 7 | 1.32 %
Mali | 3 | 0 | 3 | 100 %
Argentina | 111 | 57 | 2 | 1.80 %
Australia | 144 | 115 | 2 | 1.39 %
Colombia | 37 | 33 | 1 | 2.70 %
Lebanon | 7 | 4 | 1 | 14.28 %
Netherlands | 12 | 4 | 1 | 8.33 %
Table 3.0 Countries with the maximum number of Cisco routers under the .edu network which do not require authentication
Following is a list of the top domains under the .edu domain network with the maximum number of unprotected Cisco routers. Among these top 10 domains, 4 .edu domains belong to Taiwan.
Domain | Unprotected Cisco routers
1. mcu.edu.tw | 10
2. hargrave.edu | 9
3. olemiss.edu | 7
4. deu.edu.tr | 5
5. ilc.edu.tw | 4
6. univ-bamako.edu.ml | 3
7. ntust.edu.tw | 3
8. vnu.edu.tw | 2
9. kent.edu | 2
10. wisc.edu | 1
Table 4.0 Top .edu domains with the maximum number of unprotected Cisco routers
Similar to .edu domain networks, data for unprotected Cisco devices can also be collected for .gov domain networks. Out of the total 949 Cisco routers under the .gov domain network which can be found on Shodan, 5 devices can be accessed without any login or password.
Countries | Total Cisco-IOS devices under .gov domain | Authentication required | No authentication required | Unprotected devices percentage
Canada | 353 | 339 | 4 | 1.33 %
Brazil | 42 | 23 | 1 | 2.38 %
Argentina | 40 | 32 | 0 | 0 %
Australia | 19 | 16 | 0 | 0 %
Table 5.0 Countries with the maximum number of Cisco routers under the .gov network which do not require authentication
2. Are there any Industrial Control Systems connected to the internet? How secure are SCADA/ICS equipment which are behind the organizational firewall?
Wikipedia defines Industrial Control Systems as 'a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures'. To put it more simply, ICS are devices that control various industrial operations electronically. Ideally, ICS equipment should not be directly connected to the internet; it should be placed behind the organizational firewall and be accessible only on a private network, by authorized personnel only. However, this does not happen in practice, and a large number of these devices can be found directly accessible from the internet.
So how do these internet-connected ICS devices pose a threat? ICS control major industrial machinery and operations. This equipment can typically be found in manufacturing industries, oil and gas refineries, power generation plants, nuclear enrichment plants, etc. So not only do these devices handle large-scale operations, they also control life-critical systems. Cyber criminals who are able to gain unauthorized access to these systems might disrupt the operations of these facilities or, worse, sabotage them. Let's take a look at a few examples of recent large-scale ICS attacks.
Stuxnet
Stuxnet (W32.Stuxnet) is a computer virus targeted at SCADA systems manufactured by Siemens. The intent of Stuxnet was to sabotage the operations of facilities such as power plants, gas pipelines, etc. where these systems are used. The attack is carried out by reprogramming the PLC, thus modifying the behavior of the intended control systems. The virus was discovered in June 2012 and to date has affected power plants, traffic control systems and factories all around the world. There is speculation that Stuxnet was designed to sabotage nuclear enrichment facilities in Iran. According to a Symantec report, about 60% of the systems infected by the virus were in Iran.
Flame
Flame is a large-scale cyber espionage attack which mainly targeted insecure SCADA/ICS devices and industry computers. The objective was to steal operation-critical information from these devices in the form of screenshots, audio recordings, etc. In May 2012 Kaspersky estimated 1000 machines to be infected by Flame, with victims including industries, governmental organizations and private individuals. Flame has many similarities to Stuxnet. It was distributed using removable media and local networks, and had a code structure similar to Stuxnet. However, the purpose of designing these viruses was different. Stuxnet was designed to sabotage operations, primarily of nuclear enrichment facilities, while Flame's objective was to collect and relay intelligence data, and its targets also included thousands of industry computers.
In the case of both Stuxnet and Flame, the systems were hacked even though they were not directly connected to the internet. If so, how secure are the ICS devices which are directly connected to the internet? A simple search for the string 'Siemens SIMATIC' on Shodan reveals that there are at least 1141 Siemens SCADA/ICS devices connected to the internet which should have been behind a firewall. This number is just the tip of the iceberg, as we are not considering devices from other manufacturers, and there are currently more than 250 manufacturers of these devices. Looking at the country-wise distribution of Siemens SCADA/ICS devices from the Shodan search tells us that the US has the maximum number of insecure devices, immediately followed by Germany and Italy.
Figure 2.0 Country-wise distribution of Siemens SCADA/ICS devices connected to the internet, derived from the Shodan search (bar chart values in the order plotted: United States 194, Germany 179, Italy 80, France 56, Spain 55, Czech Republic 47, China 42, Russia 37, Sweden 36, Poland 30)
Below is a list of some SCADA products and the number of these devices accessible from the internet. The device list was obtained from the 'SCADA detection cheat sheet' available on www.owasp.org. Shodan was used to collect statistics for these devices.
Product | Vendor | Total accessible devices on internet | Country with maximum number of such devices
Broadwin SCADA | Broadwin Technology | 12 | Ireland
ISC SCADA System | Cloris Controls | 14 | Denmark
ClearSCADA/6.72.4644.1 | Control Microsystems & Trio Datacom | 45 | United States
Proficy HMI/SCADA CIMPLICITY | General Electric Company | 253 | India
SIMATIC NET CP 343-1 | Siemens | 94 | China
SIMATIC S7-300 | Siemens | 39 | United States
Table 6.0 Shodan statistics for some SCADA products
3. Which are the top 3 Banking Trojans spoken about on Hacker Web forums?
Banks need to remain vigilant to the threats posed by criminals. New dangers are emerging in areas such as online banking, where transaction volumes are increasing and hence threats are on the rise. More people are using electronic payments, mobile banking and other new technologies, which makes them more appealing to criminals: more transactions mean more money. Banking malware, specifically banking Trojans, is reaching alarming new levels of sophistication. New variations are constantly being introduced to thwart detection by antivirus software on the victim's PC, and the real-time capabilities built into the Trojans make it difficult for banks and account holders to spot fraud attempts as they occur.
Based on our observations from the Hacker Web forums, Zeus is still the most spoken about Trojan, despite the fact that it first came into the market in 2007 and had its maximum impact in 2009:
Figure 3.0 Statistics of the most spoken about Trojans in Hacker Web forums
(Figure 3.0 is a grouped bar chart of the number of mentions of Carberp, Citadel and Zeus in the Anon, Icode, Vctool, Hackhound, EliteHack and Exploit forums; the bar values are not reproduced here.)
Zeus:
The Trojan.Zbot files allow an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers. The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, Myspace, Facebook or Microsoft. The message body warns the user of a problem with their financial information, online account or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link and the computer is not protected. Upon execution the Trojan automatically gathers any Internet Explorer, FTP or POP3 passwords that are contained within Protected Storage (PStore).
Citadel:
This Trojan is a variation of Zeus which emerged in 2011. Citadel's initial noteworthiness lies with its creator's novel adoption of the open-source development model, which lets anyone review its code and improve upon it. Some of its most notable capabilities include AES encryption of configuration files and of communications with the C&C server, an ability to evade tracking sites, the capacity to block access to security sites on victim machines, and functionality that can record videos of victim activity.
Carberp:
Win32/Carberp is a family of Trojans that may be delivered via malicious code, for instance by variants of Exploit:JS/Blacole. The Trojan downloads other Win32/Carberp components to execute payload code such as stealing online banking credentials and logon data from numerous other software applications, downloading and executing arbitrary files, exporting installed certificates, capturing screenshots and logging keystrokes. Carberp relays the information it steals back to a C&C server under its creator's control. The tricky component was the complicated rootkit functionality, allowing the Trojan to remain unnoticed on the victim's system. The next generation of Carberp added plug-ins, including one that removed anti-malware software from infected machines. It has the ability to encrypt stolen data as it passes between affected machines and their C&C server.
4. Which social media platform is being targeted in 2013 - 2014?
Analyzing the forums available in Hacker Web, we come to the conclusion that Facebook is being targeted most by attackers. Performing text mining to figure out how many posts talk about hacking Facebook, we find that a large number of threads and posts talk about it. A Palestinian hacker named Khalil Shreateh hacked into Mark Zuckerberg's account in August 2013. He had initially reported a bug, but since the Facebook employees were not taking him seriously, he hacked into Mark Zuckerberg's account to prove the bug. Hacking into Facebook has become a serious issue since 2013. Millions of Facebook accounts are being hacked. More than 600,000 Facebook accounts are being compromised
every day. For some people Facebook is everything; hence a huge amount of confidential information is under threat. According to the facts and data collected in Hacker Web, most of the Facebook accounts have been hacked using a keylogger. The algorithm for the keylogger is as follows:
1. Create an empty log file for storing keylogs.
2. Intercept keys pressed by the user using the GetAsyncKeyState() function.
3. Store these intercepted values in the file.
4. Hide the running window dialog to make it undetectable.
5. Use a while loop to keep it running in all conditions.
6. Add the Sleep() function to reduce the CPU usage to 0%.
Figure 4.0 Posts and threads which talk about Facebook in the different forums (bar chart; forums: Hackhound, Anon, Elitehack, Icode, Vctool; series: Posts, Threads)
Figure 5.0 The rise in the number of posts and number of views that talk about hacking Facebook
References
http://www.shodanhq.com/
https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf
http://en.wikipedia.org/wiki/Cisco_IOS
http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html
http://en.wikipedia.org/wiki/Industrial_control_system
http://en.wikipedia.org/wiki/SCADA
http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/
http://en.wikipedia.org/wiki/Flame_(malware)
http://en.wikipedia.org/wiki/Stuxnet
https://www.owasp.org
https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Appendix
Shodan data retrieval technique
Following are the queries used to fetch data from Shodan.
Query | Purpose
cisco-ios | Cisco routers
cisco-ios last-modified 200 ok | Cisco routers which do not require authentication
cisco-ios web-authenticate | Cisco routers which require authentication
cisco-ios hostname:.gov | Cisco routers for the .gov domain
cisco-ios hostname:.edu | Cisco routers for the .edu domain
cisco-ios last-modified 200 ok hostname:.edu | Cisco routers for the .edu domain which do not require authentication
cisco-ios last-modified 200 ok hostname:.gov | Cisco routers for the .gov domain which do not require authentication
cisco-ios web-authenticate hostname:.edu | Cisco routers for the .edu domain which require authentication
cisco-ios web-authenticate hostname:.gov | Cisco routers for the .gov domain which require authentication
Siemens, SIMATIC | Siemens SCADA devices on the internet
Location: ./broadWeb/system/bwviewpg.asp | Broadwin SCADA
Server: ISC SCADA Service HTTPserv:00001 | ISC SCADA System
Server: ClearSCADA/6.72.4644.1 | ClearSCADA/6.72.4644.1
Server: CIMPLICITY-HttpSvr/1.0 | Proficy HMI/SCADA CIMPLICITY
Server: INDAS WEB SCADA | INDAS WEB SCADA
Siemens, SIMATIC NET, CP 343-1 | SIMATIC NET CP 343-1
Siemens, SIMATIC, S7-300 | SIMATIC S7-300
Siemens, SIMATIC NET, SCALANCE X208 | SIMATIC NET SCALANCE X208
Siemens, SIMATIC NET, Scalance S612 | SIMATIC NET SCALANCE S612
SCALANCE W746-1PRO | Siemens SCALANCE W746-1PRO