Prathamesh Bhurke Prasad Kodre Kiran Viswanathan Vanitha Venkatnarayanan
Cyber Analytics Project
MIS 510
February 27, 2014
Agenda
Introduction
Literature and Technical Review
Targeted Social media platform
How secure are the large number of Cisco routers connected to the internet?
Are there any Industrial Control Systems connected to the internet?
Which are the top 3 Banking Trojans spoken about on Hacker Web?
Impact of the Project
References
Appendix
Introduction
With the increase in reliance on technology many aspects of our lives
depend on the Internet and computers, including communications,
transportation, government, finance and education.
As more and more critical information is stored and handled online
the need for providing a secure way to store all this information rises.
The increasing volume and sophistication of cyber security threats
such as malware attacks, phishing scams, data theft, and other online
vulnerabilities, demand that we remain vigilant about securing our
systems and information.
Literature Review
To understand the impact of cybersecurity we studied existing documentation and recent news about cybersecurity. The field is growing at a tremendous rate. Some of the major research papers and blogs we studied are:
Banking Trojans: Understanding their impact and how to defend
your institution against Trojan-aided fraud.
Trojan.Zbot: Trojan.Zbot, also called Zeus, is a Trojan horse that
attempts to steal confidential information from the compromised
computer.
Carberp: Code Leak Stokes Copycat Fears
Which is the most targeted Social media platform?
Mark Zuckerberg’s account hacked
Evolution – The story line
Mark Zuckerberg’s account was hacked by Khalil Shreateh in August 2013.
Hacking of Facebook is a rising threat.
Millions of accounts’ data are at risk.
More than 600,000 Facebook accounts are being compromised every day.
Hacked using a “Keylogger”.
Graphical Analysis Increase in the number of posts and threads regarding
hacking of Facebook.
Increase in number of views of posts and threads which includes the topic of hacking Facebook
Graphical Analysis Provides information about authors talking about hacking Facebook
Y axis is the aggregation of different metrics like reputations score, number of views etc.
Graphical Analysis
[Bar chart: posts and threads about hacking Facebook per forum (Hackhound, Anon, Elitehack, Icode, Vctool); two series, Posts and Threads]
Facebook is the most talked social media website in different forums
Pseudo Algorithm
THE ALGORITHM:
Create an empty log file for storing keylogs.
Intercept keys pressed by the user using the GetAsyncKeyState() function.
Store these intercepted values in the file.
Hide the running window dialog to make it undetectable.
Use a while loop to keep it running under all conditions.
Add the Sleep() function to reduce CPU usage to 0%.
How secure are the large number of Cisco routers which are currently connected to the internet?
Many of the Cisco routers which are currently connected to the
internet have a web interface to configure the devices. To gain access
to these devices, a username and password might be needed.
Unauthorized access to these devices may lead to unwanted
consequences. Data collected from Shodan for Cisco devices around
the world shows that there are at least 1,616,911 Cisco routers
connected to the internet.
Among these, potentially more than 11,419 devices do not require
authentication. This can be determined by spotting differences in the
banner information returned by the device (a login challenge versus a page served directly).
Percentage of unprotected Cisco routers of total Cisco routers for each country
[Bar chart: per-country share of unprotected Cisco routers for United States, United Kingdom, China, Italy, Mexico, Brazil, Russia, South Korea, India and Turkey; values range from 0.10% to 1.04%]
Countries with the most Cisco routers under .edu networks that do not require authentication

Country          Total Cisco-IOS devices   Authentication   No authentication   Unprotected
                 under .edu domain         required         required            devices (%)
United States    6085                      5699             32                  0.52 %
Taiwan           1849                      1413             22                  1.19 %
Turkey            530                       509              7                  1.32 %
Mali                3                         0              3                  100 %
Argentina         111                        57              2                  1.80 %
Australia         144                       115              2                  1.39 %
Colombia           37                        33              1                  2.70 %
Lebanon             7                         4              1                  14.28 %
Netherlands        12                         4              1                  8.33 %
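As an added example (not the project's own code), the following Python applies the same distinction the appendix queries use, a "200 OK" banner with Last-Modified versus a "web-authenticate" challenge, to HTTP banners an organization has collected from its own Cisco devices, and computes the unprotected percentage per domain the way the table above does; the hostnames and banners are constructed samples.

```python
"""Audit of Cisco IOS web-UI exposure from captured HTTP banners (added example, not
the project's code).  Uses the appendix's distinction: "200 OK" with Last-Modified means
the page is served without a login; a "web-authenticate" challenge means a login is required."""
from collections import defaultdict

# Constructed sample inventory: (hostname, start of the HTTP response seen on port 80)
INVENTORY = [
    ("rtr1.example.edu", 'HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm="level_15_access"\r\n'),
    ("rtr2.example.edu", "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\nLast-Modified: Tue, 04 Feb 2014 10:00:00 GMT\r\n"),
    ("rtr3.example.edu", 'HTTP/1.1 401 Unauthorized\r\nServer: cisco-IOS\r\nWWW-Authenticate: Basic realm="level_15_access"\r\n'),
    ("www.example.edu", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\nLast-Modified: Mon, 03 Feb 2014 09:00:00 GMT\r\n"),
    ("gw.example.gov", "HTTP/1.1 200 OK\r\nServer: cisco-IOS\r\n"),
]

def is_cisco_ios(banner: str) -> bool:
    """Same filter as the 'cisco-ios' Shodan query: the banner names cisco-IOS."""
    return "cisco-ios" in banner.lower()

def auth_state(banner: str) -> str:
    """'required': 401 / WWW-Authenticate challenge; 'none': 200 OK served outright
    with Last-Modified; 'unknown': neither pattern matched, needs a manual look."""
    head = banner.lower()
    status = head.split("\r\n", 1)[0]
    if "www-authenticate" in head or " 401 " in status:
        return "required"
    if " 200 " in status and "last-modified" in head:
        return "none"
    return "unknown"

def audit(inventory):
    """Per domain suffix: Cisco totals, auth required, no auth and unprotected %,
    i.e. the columns of the .edu table."""
    stats = defaultdict(lambda: {"total": 0, "required": 0, "none": 0, "unknown": 0})
    for host, banner in inventory:
        if not is_cisco_ios(banner):
            continue                      # non-Cisco hosts are out of scope
        row = stats["." + host.rsplit(".", 1)[-1]]
        row["total"] += 1
        row[auth_state(banner)] += 1
    for row in stats.values():
        row["unprotected_pct"] = round(100.0 * row["none"] / row["total"], 2)
    return dict(stats)

def unprotected_hosts(inventory):
    """Hostnames to remediate: Cisco web UI reachable without a login challenge."""
    return [h for h, b in inventory if is_cisco_ios(b) and auth_state(b) == "none"]

if __name__ == "__main__":
    print(audit(INVENTORY), unprotected_hosts(INVENTORY))
```

Hosts classified as "unknown" (a 200 without Last-Modified, for instance) are not counted as unprotected and should be checked by hand rather than assumed safe.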
Are there any Industrial Control Systems connected to the internet?
Wikipedia defines Industrial Control Systems as ‘a general term that
encompasses several types of control systems used in industrial
production, including:
Supervisory control and data acquisition (SCADA) systems,
Distributed control systems (DCS), and
Other smaller control system configurations such as
Programmable Logic Controllers (PLC)’.
How secure is the SCADA/ICS equipment that sits behind the organizational firewall?
Major Attacks
Stuxnet: Stuxnet (W32.Stuxnet) is a computer virus that targeted SCADA systems
manufactured by Siemens.
The intent of Stuxnet was to sabotage the operations of facilities such
as power plants, gas pipelines, etc.
Flame: Flame is a large-scale cyber-espionage attack which mainly targeted
insecure SCADA/ICS devices and industrial computers. The objective was to
steal operation-critical information from these devices in the form of
screenshots, audio recordings, etc.
In May 2012 Kaspersky estimated that 1000 machines were infected by Flame,
with victims including industries, governmental organizations and private
individuals.
Country-wise distribution of Siemens SCADA/ICS devices
[Bar chart: Siemens SCADA/ICS device counts for United States, Germany, Italy, France, Spain, Czech Republic, China, Russia, Sweden and Poland]
Shodan statistics for some SCADA products

Product                        Vendor                                Devices on internet   Country with most devices
Broadwin SCADA                 Broadwin Technology                   12                    Ireland
ISC SCADA System               Cloris Controls                       14                    Denmark
ClearSCADA/6.72.4644.1         Control Microsystems & Trio Datacom   45                    United States
Proficy HMI/SCADA CIMPLICITY   General Electric Company              253                   India
INDAS WEB SCADA                Indas                                 6                     Russia
SIMATIC NET CP 343-1           Siemens                               94                    China
SIMATIC S7-300                 Siemens                               39                    United States
SIMATIC NET SCALANCE X208      Siemens                               2                     Turkey, Russia
SIMATIC NET SCALANCE S612      Siemens                               5                     Denmark
Siemens SCALANCE W746-1PRO     Siemens                               1                     Italy
SCADA – Vielha                 Socade Engineering Solutions          1                     Spain
Which are the top 3 Banking Trojans spoken about on Hacker Web?
Banks need to remain vigilant to the threats posed by criminals. New dangers
are emerging all the time, particularly in areas such as online banking, where
transaction volumes are increasing.
It’s no wonder that threats are on the rise. More people are using electronic
payments, mobile banking and other new technologies, which makes them
more appealing to the criminals – more transactions mean more money.
Banking malware, specifically banking Trojans, is reaching alarming new
levels of sophistication.
Statistics of the most spoken-about Trojans in Hacker Web forums
[Bar chart: mentions of Carberp, Citadel and Zeus in each forum (Anon, Icode, Vctool, Hackhound, EliteHack, Exploit)]
Major Attacks
Zeus: The Trojan.Zbot files allow an attacker a high degree of control over the
functionality of the final executable that is distributed to targeted computers.
Citadel: This Trojan is a variation of Zeus. It emerged, along with a number of
other one-off Trojans, after the Zeus Trojan’s source code leaked in 2011.
Carberp: Win32/Carberp is a family of Trojans that may be delivered via
malicious code, for instance by variants of Exploit:JS/Blacole. The Trojan
downloads other Win32/Carberp components to execute payload code such as
stealing online banking credentials.
Impact of Cyber Security Hacks
Cybercriminals are no longer isolated amateurs
Increasingly leveraging malware, bots and other forms of sophisticated
threats to attack organizations
Denial of Service, Botnets, Advanced Persistent Threats, Viruses,
Worms, Trojans, Social Engineering
Too little is done in many countries to prevent cybercrime
References
http://www.shodanhq.com/
https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf
http://en.wikipedia.org/wiki/Cisco_IOS
http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html
http://en.wikipedia.org/wiki/Industrial_control_system
http://en.wikipedia.org/wiki/SCADA
http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/
http://en.wikipedia.org/wiki/Flame_(malware)
http://en.wikipedia.org/wiki/Stuxnet
https://www.owasp.org
https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf
Appendix – Shodan Code
Appendix – Queries used in Shodan

Query                                          Purpose
cisco-ios                                      Cisco routers
cisco-ios last-modified 200 ok                 Cisco routers which do not require authentication
cisco-ios web-authenticate                     Cisco routers which require authentication
cisco-ios hostname:.gov                        Cisco routers for .gov domain
cisco-ios hostname:.edu                        Cisco routers for .edu domain
cisco-ios last-modified 200 ok hostname:.edu   Cisco routers for .edu domain which do not require authentication
cisco-ios last-modified 200 ok hostname:.gov   Cisco routers for .gov domain which do not require authentication
cisco-ios web-authenticate hostname:.edu       Cisco routers for .edu domain which require authentication
cisco-ios web-authenticate hostname:.gov       Cisco routers for .gov domain which require authentication
Siemens, SIMATIC                               Siemens SCADA devices on internet
Location: ./broadWeb/system/bwviewpg.asp       Broadwin SCADA
Server: ISC SCADA Service HTTPserv:00001       ISC SCADA System
Server: ClearSCADA/6.72.4644.1                 ClearSCADA/6.72.4644.1
Server: CIMPLICITY-HttpSvr/1.0                 Proficy HMI/SCADA CIMPLICITY
Server: INDAS WEB SCADA                        INDAS WEB SCADA
Siemens, SIMATIC NET, CP 343-1                 SIMATIC NET CP 343-1
Siemens, SIMATIC, S7-300                       SIMATIC S7-300
Siemens, SIMATIC NET, SCALANCE X208            SIMATIC NET SCALANCE X208
Siemens, SIMATIC NET, Scalance S612            SIMATIC NET SCALANCE S612
SCALANCE W746-1PRO                             Siemens SCALANCE W746-1PRO
Location: /Scada/Default.aspx                  SCADA – Vielha