Page 1: Prathamesh Bhurke Prasad Kodre Kiran Viswanathan Vanitha Venkatnarayanan Cyber Analytics Project MIS 510 February 27, 2014.

Prathamesh Bhurke, Prasad Kodre, Kiran Viswanathan, Vanitha Venkatnarayanan

Cyber Analytics Project

MIS 510

February 27, 2014

Page 2

Prathamesh B, Prasad K, Kiran V, Vanitha V

Page 3

Agenda

Introduction

Literature and Technical Review

Most targeted social media platform

How secure are the large number of Cisco routers connected to the internet?

Are there any Industrial Control Systems connected to the internet?

Which are the top 3 banking Trojans spoken about on Hacker Web?

Impact of the Project

References

Appendix

Page 4

Introduction

With the increase in reliance on technology, many aspects of our lives depend on the Internet and computers, including communications, transportation, government, finance and education.

As more and more critical information is stored and handled online, the need for a secure way to store all this information rises.

The increasing volume and sophistication of cyber security threats, such as malware attacks, phishing scams, data theft and other online vulnerabilities, demand that we remain vigilant about securing our systems and information.

Page 5

Literature Review

To understand the impact of cybersecurity we studied the existing documentation and recent news about cybersecurity. There is a tremendous amount of growth in the area of cybersecurity. Some of the major research papers and blogs we studied are:

Banking Trojans: Understanding their impact and how to defend your institution against Trojan-aided fraud.

Trojan.Zbot: Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.

Carberp: Code Leak Stokes Copycat Fears

Page 6

Which is the most targeted Social media platform?

Mark Zuckerberg’s account hacked

Page 7

Evolution – The story line

Mark Zuckerberg’s account was hacked by Khalil Shreateh in August 2013.

Hacking of Facebook is a rising threat.

Millions of accounts’ data are at risk.

More than 600,000 Facebook accounts are being compromised every day.

Hacked using a “keylogger”.

Page 8

Graphical Analysis

Increase in the number of posts and threads regarding hacking of Facebook.

Increase in the number of views of posts and threads that include the topic of hacking Facebook.

Page 9

Graphical Analysis

Provides information about the authors talking about hacking Facebook.

The Y axis is an aggregation of different metrics such as reputation score, number of views, etc.

Page 10

Graphical Analysis

[Bar chart: Posts and Threads about hacking Facebook per forum (Hackhound, Anon, Elitehack, Icode, Vctool0); Y axis 100 to 700. Individual bar values are not recoverable from the extraction.]

Facebook is the most talked-about social media website across the different forums.

Page 11

Pseudo Algorithm

THE ALGORITHM:

1. Create an empty log file for storing keylogs.

2. Intercept keys pressed by the user using the GetAsyncKeyState() function.

3. Store these intercepted values in the file.

4. Hide the running window dialog to make it undetectable.

5. Use a while loop to keep it running in all conditions.

6. Add a Sleep() call to reduce the CPU usage to 0%.

Page 12

How secure are the large number of Cisco routers currently connected to the internet?

Many of the Cisco routers currently connected to the internet have a web interface for configuring the device. To gain access to these devices, a username and password might be needed. Unauthorized access to these devices may lead to unwanted consequences. Data collected from Shodan for Cisco devices around the world shows that there are at least 1,616,911 Cisco routers connected to the internet.

Among these, potentially more than 11,419 devices do not require authentication. This can be determined by spotting differences in the banner information returned by the device: a banner that demands web authentication versus one that serves the configuration page directly.

Page 13

Percentage of unprotected Cisco routers out of the total Cisco routers for each country

| Country | Unprotected Cisco routers |
|---|---|
| United States | 0.61% |
| United Kingdom | 1.04% |
| China | 0.66% |
| Italy | 0.56% |
| Mexico | 0.66% |
| Brazil | 0.99% |
| Russia | 0.48% |
| South Korea | 0.75% |
| India | 0.55% |
| Turkey | 0.10% |

Page 14

Countries with maximum Cisco routers under .edu network without authentication

Page 15

Countries with the most Cisco routers under the .edu network which do not require authentication

| Country | Total Cisco IOS devices under .edu domain | Cisco devices under .edu domain, authentication required | Cisco devices under .edu domain, no authentication required | Unprotected devices percentage |
|---|---|---|---|---|
| United States | 6085 | 5699 | 32 | 0.52 % |
| Taiwan | 1849 | 1413 | 22 | 1.19 % |
| Turkey | 530 | 509 | 7 | 1.32 % |
| Mali | 3 | 0 | 3 | 100 % |
| Argentina | 111 | 57 | 2 | 1.80 % |
| Australia | 144 | 115 | 2 | 1.39 % |
| Colombia | 37 | 33 | 1 | 2.70 % |
| Lebanon | 7 | 4 | 1 | 14.28 % |
| Netherlands | 12 | 4 | 1 | 8.33 % |
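The banner-difference approach described on the Cisco routers slide and the per-country percentages in the .edu table above can be reproduced offline. The following is an added example, not code from the presentation: it classifies constructed Cisco IOS HTTP banners the way the deck's Shodan query terms do (treating a WWW-Authenticate header as the "web-authenticate" signal is an assumption) and computes the unprotected-devices percentage as no-auth devices divided by all Cisco IOS devices under the domain.

```python
# Added example (not code from the presentation): classify Cisco IOS HTTP banners
# the way the deck's Shodan queries do, then compute the per-country "unprotected
# devices percentage" used in the .edu table. All records below are constructed.
from collections import defaultdict

# Constructed sample export: (country, hostname, raw HTTP banner). No real hosts.
SAMPLE_BANNERS = [
    ("Taiwan", "rtr1.example.edu", "HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\n"
     "WWW-Authenticate: Basic realm=\"level_15_access\"\r\n"),
    ("Taiwan", "rtr2.example.edu", "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
     "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n"),
    ("Taiwan", "rtr3.example.edu", "HTTP/1.1 302 Found\r\nServer: cisco-IOS\r\n"
     "Location: /home.html\r\n"),
    ("Mali", "core.example.edu", "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"
     "Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT\r\n"),
    ("Mali", "www.example.com", "HTTP/1.1 200 OK\r\nServer: nginx\r\n"),
]

def classify_banner(banner):
    """Return 'auth', 'noauth', 'other', or None if the banner is not Cisco IOS.
    Mirrors the deck's query terms: 'cisco-ios' selects the device family, a
    WWW-Authenticate header is taken as the 'web-authenticate' signal (an
    assumption), and '200 OK' plus 'Last-Modified' is 'last-modified 200 ok'."""
    lower = banner.lower()
    if "server: cisco-ios" not in lower:
        return None
    if "www-authenticate" in lower:
        return "auth"
    if " 200 ok" in lower and "last-modified" in lower:
        return "noauth"
    return "other"  # e.g. a redirect: counted in the total, in neither bucket

def unprotected_by_country(records, domain_suffix=".edu"):
    """Return {country: (total, auth_required, no_auth, unprotected_pct)}.
    total counts every Cisco IOS device under the domain, so it may exceed
    auth_required + no_auth, exactly as in the deck's table."""
    counts = defaultdict(lambda: [0, 0, 0])
    for country, hostname, banner in records:
        if not hostname.endswith(domain_suffix):  # the 'hostname:.edu' filter
            continue
        kind = classify_banner(banner)
        if kind is None:
            continue
        counts[country][0] += 1
        if kind == "auth":
            counts[country][1] += 1
        elif kind == "noauth":
            counts[country][2] += 1
    return {c: (t, a, n, round(100.0 * n / t, 2)) for c, (t, a, n) in counts.items()}
```

Recomputing the deck's own rows with this formula gives 0.53% for the United States (32 of 6085) and 14.29% for Lebanon (1 of 7) with rounding, so some of the slide's percentages appear to be truncated rather than rounded.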

Page 16

Are there any Industrial Control Systems connected to internet?

Wikipedia defines Industrial Control Systems as ‘a general term that encompasses several types of control systems used in industrial production’, including:

Supervisory control and data acquisition (SCADA) systems

Distributed control systems (DCS), and

Other smaller control system configurations such as Programmable Logic Controllers (PLC)

How secure is the SCADA/ICS equipment that sits behind the organizational firewall?

Page 17

Major Attacks

Stuxnet: Stuxnet (W32.Stuxnet) is a computer virus that targeted SCADA systems manufactured by Siemens. The intent of Stuxnet was to sabotage the operations of facilities such as power plants, gas pipelines, etc.

Flame: Flame is a large-scale cyber espionage attack that mainly targeted insecure SCADA/ICS devices and industrial computers. The objective was to steal operation-critical information from these devices in the form of screenshots, audio recordings, etc. In May 2012 Kaspersky estimated 1,000 machines to be infected by Flame, with victims including industries, governmental organizations and private individuals.

Page 18

Country-wise distribution of Siemens SCADA/ICS devices

| Country | Devices |
|---|---|
| United States | 194 |
| Germany | 179 |
| Italy | 80 |
| France | 56 |
| Spain | 55 |
| Czech Republic | 47 |
| China | 42 |
| Russia | 37 |
| Sweden | 36 |
| Poland | 30 |

Page 19

Shodan statistics for some SCADA products

| Product | Vendor | Total accessible devices on internet | Country with maximum number of such devices |
|---|---|---|---|
| Broadwin SCADA | Broadwin Technology | 12 | Ireland |
| ISC SCADA System | Cloris Controls | 14 | Denmark |
| ClearSCADA/6.72.4644.1 | Control Microsystems & Trio Datacom | 45 | United States |
| Proficy HMI/SCADA CIMPLICITY | General Electric Company | 253 | India |
| INDAS WEB SCADA | Indas | 6 | Russia |
| SIMATIC NET CP 343-1 | Siemens | 94 | China |
| SIMATIC S7-300 | Siemens | 39 | United States |
| SIMATIC NET SCALANCE X208 | Siemens | 2 | Turkey, Russia |
| SIMATIC NET SCALANCE S612 | Siemens | 5 | Denmark |
| Siemens SCALANCE W746-1PRO | Siemens | 1 | Italy |
| SCADA – Vielha | Socade Engineering Solutions | 1 | Spain |

Page 20

Which are the top 3 banking Trojans spoken about on Hacker Web?

Banks need to remain vigilant to the threats posed by criminals. New dangers are emerging all the time, particularly in areas such as online banking, where transaction volumes are increasing.

It’s no wonder that threats are on the rise. More people are using electronic payments, mobile banking and other new technologies, which makes them more appealing to criminals: more transactions mean more money.

Banking malware, specifically banking Trojans, is reaching alarming new levels of sophistication.

Page 21

Statistics of the most spoken-about Trojans in Hacker Web forums

[Bar chart: mentions of Carberp, Citadel and Zeus in the Anon, Icode, Vctool, Hackhound, EliteHack and Exploit forums. The per-forum values cannot be reliably mapped from the extraction.]

Page 22

Major Attacks

Zeus: The Trojan.Zbot files allow an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers.

Citadel: This Trojan is a variation of Zeus. It emerged, along with a number of other one-off Trojans, after the Zeus Trojan’s source code leaked in 2011.

Carberp: Win32/Carberp is a family of Trojans that may be delivered via malicious code, for instance by variants of Exploit:JS/Blacole. The Trojan downloads other Win32/Carberp components to execute payload code such as stealing online banking credentials.

Page 23

Impact of Cyber Security Hacks

Cybercriminals are no longer isolated amateurs.

They are increasingly leveraging malware, bots and other forms of sophisticated threats to attack organizations: Denial of Service, botnets, Advanced Persistent Threats, viruses, worms, Trojans, social engineering.

Too little is done in many countries to prevent cybercrime.

Page 24

References

http://www.shodanhq.com/

https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf

http://en.wikipedia.org/wiki/Cisco_IOS

http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html

http://en.wikipedia.org/wiki/Industrial_control_system

http://en.wikipedia.org/wiki/SCADA

http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/

http://en.wikipedia.org/wiki/Flame_(malware)

http://en.wikipedia.org/wiki/Stuxnet

https://www.owasp.org

https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf

Page 25

Appendix – Shodan Code

Page 26

Appendix – Queries used in Shodan

| Query | Purpose |
|---|---|
| cisco-ios | Cisco routers |
| cisco-ios last-modified 200 ok | Cisco routers which do not require authentication |
| cisco-ios web-authenticate | Cisco routers which require authentication |
| cisco-ios hostname:.gov | Cisco routers for the .gov domain |
| cisco-ios hostname:.edu | Cisco routers for the .edu domain |
| cisco-ios last-modified 200 ok hostname:.edu | Cisco routers for the .edu domain which do not require authentication |
| cisco-ios last-modified 200 ok hostname:.gov | Cisco routers for the .gov domain which do not require authentication |
| cisco-ios web-authenticate hostname:.edu | Cisco routers for the .edu domain which require authentication |
| cisco-ios web-authenticate hostname:.gov | Cisco routers for the .gov domain which require authentication |
| Siemens, SIMATIC | Siemens SCADA devices on the internet |
| Location: ./broadWeb/system/bwviewpg.asp | Broadwin SCADA |
| Server: ISC SCADA Service HTTPserv:00001 | ISC SCADA System |
| Server: ClearSCADA/6.72.4644.1 | ClearSCADA/6.72.4644.1 |
| Server: CIMPLICITY-HttpSvr/1.0 | Proficy HMI/SCADA CIMPLICITY |
| Server: INDAS WEB SCADA | INDAS WEB SCADA |
| Siemens, SIMATIC NET, CP 343-1 | SIMATIC NET CP 343-1 |
| Siemens, SIMATIC, S7-300 | SIMATIC S7-300 |
| Siemens, SIMATIC NET, SCALANCE X208 | SIMATIC NET SCALANCE X208 |
| Siemens, SIMATIC NET, Scalance S612 | SIMATIC NET SCALANCE S612 |
| SCALANCE W746-1PRO | Siemens SCALANCE W746-1PRO |
| Location: /Scada/Default.aspx | SCADA – Vielha |