MIS 510: Cyber Analytics

Presentation Transcript


  1. MIS 510: Cyber Analytics. Team: Never off guard (Sumeet Bhatia, Aadil Hussaini, Snehal Navalakha, Mo Zhou). March 5, 2014

  2. Agenda • Introduction • Hacker Web • Research Questions • Methodology • Results/Discussion • Shodan • Research Questions • Methodology • Results/Discussion • Summary

  3. Introduction Importance of cyber security research • Computers becoming more ubiquitous • Increasing amount of critical infrastructure relies on computers and information technologies • Easier for hackers to commit cybercrime with advanced technologies Our research goal: Contribute to existing literature on cyber security by conducting analytics on data collected from two sources • Hacker Web: Collection of 18 major online hacker forums • Shodan: Search engine for “Internet of Things”

  4. Hacker Web • 18 major online hacker forums: multiple languages, variety of topics • Posts, threads, dates/times and authorship stored in a MySQL database Our research focuses on the four English forums: • Elitehack • Hackhound • iCode • VCTool

  5. Hacker Web - Data Collection • Downloaded and configured HeidiSQL • Connected to the Hacker Web database using the provided credentials • Ran SQL queries of the form SELECT * FROM [table] WHERE upper([column]) LIKE '%[KEYWORD]%' • Exported the query results to CSV files • Used MS Excel and IBM Many Eyes for the analytics Database tables: “elitehackposts,” “hackhoundposts,” “icodeposts” and “vctoolposts”

  6. Hacker Web – Research Question 1 • How frequently do posts containing either of two keywords (“victim(s)” and “target(s)”) appear on each of the four English forums? How does the frequency vary between the forums across time? • Data Analysis • Found the total number of posts (no keyword filter) for each forum • Counted, for each forum separately, the posts matching either keyword pattern (SQL: “%VICTIM%” and “%TARGET%”; as substring patterns these also match inflected forms such as “victims” and “targeting”) • Calculated the percentage of total posts that contained either keyword • Compared temporal trends for “iCode” and “VCTool”
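The counting procedure described on slides 5 and 6, as an added worked example; this is not the team's own script and no Hacker Web data is included. It recreates two of the four post tables in an in-memory SQLite database with a handful of constructed posts, then runs the same LIKE-based keyword counts the slides describe, once per forum and once per year for the temporal comparison. The table layout (post_id, post_date, content), the sample rows and the table-name whitelist are assumptions for illustration; the real MySQL tables on Hacker Web may differ.

```python
import sqlite3

# Constructed sample posts for illustration only (not Hacker Web data).
# Keys are table names in the style of the slides; rows are (post_id, post_date, content).
SAMPLE_POSTS = {
    "icodeposts": [
        (1, "2009-03-02", "how do I pick a target for the new RAT?"),
        (2, "2009-05-11", "the victim's machine rebooted after the payload ran"),
        (3, "2009-08-20", "anyone got a working keylogger source?"),
        (4, "2010-01-15", "targeting Windows 7 boxes, need a bypass"),
        (5, "2010-06-30", "Python tutorial for beginners"),
        (6, "2010-09-09", "VB.NET stealer release"),
        (7, "2011-02-14", "victims never notice the extra process"),
        (8, "2011-07-07", "Windows crypter update"),
    ],
    "vctoolposts": [
        (1, "2010-04-01", "new tool release, tested on XP"),
        (2, "2010-10-10", "scan results for the whole /24"),
        (3, "2011-03-03", "how to choose targets with Shodan"),
        (4, "2011-11-11", "Windows 8 preview, anyone tried it?"),
    ],
}

# The two LIKE patterns from slide 6. They are bound as query parameters,
# never pasted into the SQL text.
KEYWORD_PATTERNS = ("%VICTIM%", "%TARGET%")


def load_sample_db():
    """Build an in-memory SQLite database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    for table, rows in SAMPLE_POSTS.items():
        conn.execute(f"CREATE TABLE {table} (post_id INTEGER, post_date TEXT, content TEXT)")
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    return conn


def _checked_table(table):
    """Table names cannot be bound as parameters, so they are whitelisted
    against the known forum tables before being interpolated into SQL."""
    if table not in SAMPLE_POSTS:
        raise ValueError(f"unknown forum table: {table!r}")
    return table


def keyword_share(conn, table):
    """Return (total posts, posts matching either keyword, percentage) for one forum."""
    table = _checked_table(table)
    total = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    matched = conn.execute(
        f"SELECT COUNT(*) FROM {table} "
        "WHERE upper(content) LIKE ? OR upper(content) LIKE ?",
        KEYWORD_PATTERNS,
    ).fetchone()[0]
    return total, matched, round(100.0 * matched / total, 2)


def yearly_trend(conn, table):
    """Per-year totals, keyword hits and percentage, for the temporal comparison."""
    table = _checked_table(table)
    rows = conn.execute(
        f"SELECT strftime('%Y', post_date) AS yr, COUNT(*) AS total, "
        "SUM(CASE WHEN upper(content) LIKE ? OR upper(content) LIKE ? THEN 1 ELSE 0 END) AS hits "
        f"FROM {table} GROUP BY yr ORDER BY yr",
        KEYWORD_PATTERNS,
    ).fetchall()
    return {yr: (total, hits, round(100.0 * hits / total, 2)) for yr, total, hits in rows}


if __name__ == "__main__":
    db = load_sample_db()
    for forum in SAMPLE_POSTS:
        print(forum, keyword_share(db, forum), yearly_trend(db, forum))
```

Two practitioner notes on the slide's query shape. The table name is interpolated because SQL cannot bind identifiers as parameters, so the example whitelists it against a fixed set while the LIKE patterns travel as bound parameters. And upper(column) LIKE '%TARGET%' forces a full scan of the column on both MySQL and SQLite (a leading-wildcard LIKE cannot use an index, and MySQL's default collations are already case-insensitive), which is acceptable for a one-off research query but not something to run repeatedly against a large posts table.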

  7. Hacker Web – Research Question 1 • Findings/Discussion • Percentage > 1% for all four forums • “iCode”: 2.05% (highest) • “Hackhound”: 1.02% (lowest)

  8. Hacker Web – Research Question 1 • Findings/Discussion (Cont’d) • “Elitehack” and “Hackhound” excluded from the temporal comparison because they have too little data for the earlier years • “iCode”: unusually high percentage in 2009 • Same general (increasing) trend for both forums

  9. Hacker Web – Research Question 2 • What are the most frequently mentioned topics within each forum and across all four forums? • Data Analysis • Same query as Question 1 for total number of posts in each forum • IBM Many Eyes: Word Tag Analysis • Calculated percentage of total posts that contained most frequent topics

  10. Hacker Web – Research Question 2 • Findings/Discussion • Each forum has its own “flavor” (word tag clouds shown for Elitehack, VCTool, Hackhound and iCode)

  11. Hacker Web – Research Question 2 • Findings/Discussion (Cont’d) • “Windows” most talked about

  12. Shodan • Search engine that indexes Internet-exposed devices and services (“Internet of Things”), including open and vulnerable ports • Interrogates ports, grabs the resulting banners and indexes the banners for searching • Filters available: IP address, hostname, port, latitude and longitude, operating system, city, country and device data • Can be abused by malicious hackers but is also very useful for research purposes

  13. Shodan – Research Question 1 • Samsung has tried to go “SoLoMo” (social, local, mobile) with its SmartTV, integrating internet and Web 2.0 features into television sets. Our first research question on SmartTVs is divided into the following parts: • How many SmartTVs are publicly facing and respond to Shodan’s search query? What is the geographical distribution of these SmartTVs, and are all of them exploitable? • What percentage of SmartTVs is publicly visible, so that a WebKit vulnerability in the device could be reached and exploited?

  14. Shodan – Research Question 1 • Samsung SmartTV: Background Information • Linux device with a WebKit-based browser used to load web pages/applications • WebKit: open-source HTML rendering engine (used by Apple Safari and, until the 2013 Blink fork, Google Chrome) Value of Research: • SmartTV is a relatively new device in the market • Use of WebKit exposes the device to the range of WebKit security issues: cross-site scripting, denial of service, and unexpected application termination or arbitrary code execution [5]

  15. Shodan – Research Question 1 • Data Collection/Analysis • Researched the Shodan search engine (www.shodanhq.com) and identified tags in the SmartTV banner • Highly prevalent tag: “Content-Length:345 Server:Swift1.0” • Used a Python script to run the query on Shodan with this tag • Retrieved 350,968 records; randomly selected 3,000 as a sample • Used the sample records to analyze geographic distribution and exploitability (listening ports)

  16. Shodan – Research Question 1 • Part 1 • Geographic distribution of publicly reachable SmartTVs • Top three: Republic of Korea, United States and Chile

  17. Shodan – Research Question 1 • Operating ports analysis • Majority on port 443 (HTTPS, transport encrypted; rated “safe” in this analysis) • Large portion on port 80 (plaintext HTTP; rated “not safe”) • Caveat: TLS on 443 protects only the transport; a management service exposed on 443 is exactly as reachable from the Internet as one on 80

  18. Shodan – Research Question 1 • Part 2 • Approximately 12 million SmartTVs sold as of Q1 2013 • 350,968 devices tracked by Shodan → 350,968 / 12,000,000 ≈ 2.92% of devices publicly visible

  19. Shodan – Research Question 2 • How vulnerable are the traffic signal systems in the United States? Which cities are most vulnerable to having their traffic signal systems hacked? • Background Information • Many public communication systems are internet-enabled • Lack of security: e.g., Los Angeles’s traffic signal computers were hacked by two city engineers [4] • Important research that impacts public safety and privacy

  20. Shodan – Research Question 2 Data Collection/Analysis • Searched for header keywords in the Shodan database • Wrote a Java application to extract the data row by row and pass it to Python • Wrote a Python loop to read the rows and store them in MS Excel • Used the resulting spreadsheet for analysis

  21. Shodan – Research Question 2 • Findings/Discussion • Tags used: “atz executive” and “Content-Length: 2861 Cache-Control: max-age=86400” • 216 records found • Top cities: Metairie and New Orleans, LA
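The banner matching and tallying that both the SmartTV analysis (slides 15 to 17) and the traffic-signal analysis (slides 20 and 21) describe, as one added example covering both. This is not the team's Python or Java code and it uses no real Shodan data: the records below are constructed to mirror the shape of one match returned by the Shodan API (ip_str, port, data, location.country_name, location.city), with several Swift1.0-style banners, two traffic-controller-style banners carrying the slide 21 tags, one decoy whose Content-Length differs, and one unrelated nginx banner. Reading a tag as “Name: value” header requirements plus bare words matched as substrings is an assumption about how to apply the slides' tags offline, not Shodan's own query grammar.

```python
import random
from collections import Counter


# Constructed Shodan-style records for illustration only (not real Shodan
# results and not the team's data). Each dict mirrors the fields of one
# match from the Shodan API: ip_str, port, data (raw banner), location.
def _rec(ip, port, banner, country, city):
    return {"ip_str": ip, "port": port, "data": banner,
            "location": {"country_name": country, "city": city}}


SWIFT = ("HTTP/1.1 200 OK\r\nContent-Length: 345\r\nServer: Swift1.0\r\n"
         "Content-Type: text/html\r\n\r\n")

SAMPLE_BANNERS = [
    _rec("203.0.113.10", 443, SWIFT, "Republic of Korea", "Seoul"),
    _rec("203.0.113.11", 80, SWIFT, "Republic of Korea", "Busan"),
    _rec("203.0.113.12", 443, SWIFT, "Republic of Korea", "Seoul"),
    _rec("198.51.100.20", 443, SWIFT, "United States", "Tucson"),
    _rec("198.51.100.21", 80, SWIFT, "United States", "Austin"),
    _rec("192.0.2.30", 443, SWIFT, "Chile", "Santiago"),
    # Decoy: same server string but a different Content-Length, so it must not match.
    _rec("192.0.2.31", 8080, SWIFT.replace("345", "200"), "Germany", "Berlin"),
    # Traffic-controller-style banners carrying the two tags from slide 21.
    _rec("198.51.100.40", 80,
         "HTTP/1.0 200 OK\r\nServer: ATZ Executive\r\nContent-Type: text/html\r\n\r\n",
         "United States", "Metairie"),
    _rec("198.51.100.41", 80,
         "HTTP/1.1 200 OK\r\nContent-Length: 2861\r\nCache-Control: max-age=86400\r\n\r\n",
         "United States", "New Orleans"),
    # Unrelated web server that shares one header value but should match nothing.
    _rec("198.51.100.50", 80,
         "HTTP/1.1 200 OK\r\nServer: nginx/1.4.6\r\nContent-Length: 345\r\n\r\n",
         "United States", "Phoenix"),
]

# Tags exactly as written on slides 15 and 21.
SMARTTV_TAG = "Content-Length:345 Server:Swift1.0"
TRAFFIC_TAGS = ["atz executive", "Content-Length: 2861 Cache-Control: max-age=86400"]


def parse_tag(tag):
    """Split a slide-style tag into header requirements and free-text words.
    'Name:value' and 'Name: value' become header pairs; anything else is a word."""
    headers, words = {}, []
    tokens = tag.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.endswith(":") and i + 1 < len(tokens):
            headers[tok[:-1].lower()] = tokens[i + 1].lower()
            i += 2
        elif ":" in tok:
            name, value = tok.split(":", 1)
            headers[name.lower()] = value.lower()
            i += 1
        else:
            words.append(tok.lower())
            i += 1
    return headers, words


def banner_headers(data):
    """Parse the 'Name: value' lines of a raw HTTP banner into a lower-cased dict."""
    headers = {}
    for line in data.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip().lower()
    return headers


def matches_tag(record, tag):
    """True when every header in the tag is present with the same value and
    every bare word of the tag occurs somewhere in the banner."""
    headers, words = parse_tag(tag)
    seen = banner_headers(record["data"])
    lowered = record["data"].lower()
    return (all(seen.get(name) == value for name, value in headers.items())
            and all(word in lowered for word in words))


def find(records, tags):
    """Records whose banner satisfies at least one of the tags."""
    return [r for r in records if any(matches_tag(r, t) for t in tags)]


def sample_records(records, n, seed=0):
    """Reproducible random sample, as slide 15 did with 3,000 of 350,968 records."""
    return random.Random(seed).sample(records, min(n, len(records)))


def tally(records, field):
    """Count matched records by country, city or port (slides 16, 17 and 21)."""
    keys = {"country": lambda r: r["location"]["country_name"],
            "city": lambda r: r["location"]["city"],
            "port": lambda r: r["port"]}
    return Counter(keys[field](r) for r in records)


if __name__ == "__main__":
    tvs = find(SAMPLE_BANNERS, [SMARTTV_TAG])
    print(len(tvs), tally(tvs, "country"), tally(tvs, "port"))
    controllers = find(SAMPLE_BANNERS, TRAFFIC_TAGS)
    print(len(controllers), tally(controllers, "city"))
```

With the real shodan Python package the same record shape comes back from shodan.Shodan(api_key).search(query)['matches'], so find() and tally() can be pointed at that list unchanged; the offline matcher is what lets the procedure be tested without an API key. The port tally is where the slide 17 reading needs care: 443 only says the transport is encrypted, so an exposed management interface there is no less reachable than one on 80.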

  22. Shodan – Research Question 2 • Findings/Discussion (Cont’d) • Able to access “PIPS technology” • View live images • License plate recognition • Modify configurations

  23. Summary Hacker Web • iCode forum: highest percentage of posts with “victim(s)” and/or “target(s)”; Hackhound is lowest • iCode and VCTool both show an increasing trend in conversation using the two keywords • Each forum analyzed has its own “flavor”; “Windows” is the most talked-about topic across all four English forums Shodan • Majority of publicly visible SmartTVs appear in the Republic of Korea, the United States and Chile • Metairie and New Orleans (Louisiana) have the most publicly accessible traffic signal systems

  24. References
  • [1] (n.d.). Shodan Introduction [PowerPoint slides]. Retrieved from http://ai.arizona.edu/mis510/
  • [2] Benjamin, V. (2014). Cybersecurity Research Overview [PowerPoint slides]. Retrieved from http://ai.arizona.edu/mis510/
  • [3] Freamon, D. (n.d.). The Darius Freamon Blog. Retrieved from http://dariusfreamon.wordpress.com/tag/traffic-management/
  • [4] Grad, S. (2009, December 1). Engineers who hacked into L.A. traffic signal computer, jamming streets, sentenced. Retrieved from http://latimesblogs.latimes.com/lanow/2009/12/engineers-who-hacked-in-la-traffic-signal-computers-jamming-traffic-sentenced.html
  • [5] Roberts, P. (2013, August 1). Samsung Smart TV: Like A Web App Riddled With Vulnerabilities. Retrieved from https://securityledger.com/2013/08/samsung-smart-tv-like-a-web-app-riddled-with-vulnerabilities/
  • [6] Segall, L., & Fink, E. (2013, August 1). Samsung Smart TV security flaw let hackers turn on built-in cameras. Retrieved from http://www.wptv.com/news/science-tech/samsung-smart-tv-security-flaw-let-hackers-turn-on-built-in-cameras
  • [7] Strategy Analytics. (2013, July 24). Samsung Leads with 26 Percent of Global Smart TV Market Share in Q1 2013. Retrieved from http://www.strategyanalytics.com/default.aspx?mod=pressreleaseviewer&a0=5400
