
Computing and Information Security Final Year Project – Simon Davies

Application to Help Identify Cyber Criminals


Abstract

This project explores the issue of cybercrime and results in the creation of an application to identify cyber criminals using anonymising services such as the Tor network to mask their genuine IP address online. The project deliverable is a fully functioning application designed to run on the Windows operating system.


Acknowledgements

Dr David Day – Thank you for all the support and advice you gave me throughout this project

Alex Murray – Thank you for all your support

Jake Beet, Ellery Hardie and Declan Williams – Thanks for being such great friends


Contents

Abstract ... 2
Acknowledgements ... 3
1.0 Introduction ... 7
  1.1 Overview ... 7
  1.2 Motivation ... 7
  1.3 Aims and Objectives ... 7
    Aim 1 ... 7
      Objective 1.1 ... 7
      Objective 1.2 ... 8
      Objective 1.3 ... 8
    Aim 2 ... 8
      Objective 2.1 ... 8
      Objective 2.2 ... 8
      Objective 2.3 ... 8
2.0 Background ... 9
  2.1 The Effects of Cybercrime and How It Can Be Combatted ... 9
    2.1.1 The Cost of Cyber Crime ... 9
    2.1.2 Combatting Cybercrime ... 9
    2.1.3 Preventing Intrusion ... 10
      Hardened Operating Systems ... 10
      Firewall ... 10
      Intrusion Detection System (IDS) ... 10
      Intrusion Prevention System (IPS) / Intrusion Detection and Prevention System (IDPS) ... 11
      Antivirus ... 11
      Anti - Distributed Denial of Service (DDoS) ... 11
      Honeypot ... 12
    2.1.4 The Technological “Arms Race” ... 12
    2.1.5 Policies to mitigate the effects of intrusion ... 13
      Use of encryption ... 13
      Use of Hashing ... 13
  2.2 Staying Anonymous Online ... 13
    Proxy Servers ... 13
    Virtual Private Networks (VPNs) ... 14
    Tor ... 14
      How Tor Works - Diagrams ... 15
    I2P ... 17
    Freenet ... 17
  2.3 Penetrating Networks And Computer Systems ... 18
    Metasploit Framework ... 18
    Nmap Security Scanner ... 19
    Nessus Vulnerability Scanner ... 19
    THC Hydra ... 19
    Maltego ... 20
  2.4 Previous Work Carried Out By Other People In The Project Subject Area ... 20
  2.5 Methods Employed By Government Agencies To Identify Cyber Criminals ... 21
3.0 Methodology ... 22
  3.1 Data Collection ... 22
  3.2 Defining Research ... 22
    Originality ... 22
      Tools, Techniques, Procedures And Methods ... 22
      Exploring The Unknown ... 22
      Exploring The Unanticipated ... 23
      The Use Of Data ... 23
    Gaining ... 23
    Knowledge And Understanding ... 23
      Data ... 23
      Information ... 23
      Knowledge ... 24
      Wisdom ... 24
  3.3 Research Methods ... 24
    Survey ... 24
    Design And Creation ... 24
    Experiment ... 24
    Case Study ... 25
    Action Research ... 25
    Ethnography ... 25
  3.4 Research Method Employed ... 25
4.0 Design / Development chapters ... 26
  4.1 Software Development ... 26
    The Software Development Life Cycle (SDLC) ... 26
      Requirements Capture ... 26
      Design ... 26
      Build ... 26
      Test ... 27
      Implement ... 27
  4.2 Development Models ... 27
    Build-And-Fix ... 27
      Issues With This Approach ... 27
    Stage-Wise And Classic Waterfall Models ... 27
      Issues With The Classic Waterfall Model ... 28
    Incremental Model ... 28
      Advantages Of The Incremental Model ... 28
      Disadvantages Of The Incremental Model ... 29
    Prototyping Models ... 29
      Throw-Away Prototyping ... 29
        Advantages Of Throw-Away Prototyping ... 29
        Disadvantages Of Throw-Away Prototyping ... 30
      Evolutionary Prototyping Model ... 30
  4.3 Development Approach Taken ... 31
5.0 Explanation of design(s) ... 31
  5.1 Research Into Designing The Application ... 31
  5.2 Developing The Application ... 33
  5.3 Final Application Testing Process ... 36
    Testing The Application Against Tor ... 41
6.0 Putting The Application On A Honeypot ... 43
  Researching Into Honeypots ... 43
7.0 Evaluation Of Application - Practical Implications And Further Development ... 44
8.0 Conclusion ... 45
References ... 46
Bibliography ... 47
Appendices ... 48
  Appendix A ... 48
  Appendix B ... 54
  Appendix C ... 57
  Appendix D ... 58
  Appendix E ... 58
  Appendix F ... 60
  Appendix G ... 61


1.0 Introduction

1.1 Overview

First, the motivation behind this project is explained and its aims and objectives are set out. Background on the problem of cybercrime within the UK is then given, and finally the development of an application to identify cyber criminals is documented.

1.2 Motivation

The various technologies a cybercriminal can use to stay anonymous online, e.g. VPNs, Tor and I2P, make the job of identifying them much harder, as their genuine external IP address is masked and so is not recorded in logs.

Attempting to use a honeypot to log the genuine external IP address of a cybercriminal using Tor will instead yield the external IP address of a Tor exit node. It is important that the application can circumvent this. This project focuses on creating an application that, once executed by cyber criminals, identifies them via their genuine external IP address and hardware information pulled from their system. The application will query an external service, e.g. http://canhazip.com/, to obtain their genuine external IP address. Because the application is executed directly on the cyber criminal's machine, it can obtain more information than a honeypot logging malicious activity can.
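As an added example, not part of the project's own code, the following detection logic shows the situation just described from the honeypot's side: it separates log entries whose source address is a known Tor exit node from direct connections, so an analyst knows which logged addresses are exit nodes rather than the attacker's own. The exit list and log lines are constructed for the example; a real deployment would refresh the list from the Tor Project's bulk exit list, which uses the same one-address-per-line format.

```python
"""Flag honeypot log entries whose source address is a known Tor exit node.

Added example (not part of the original project). When an attacker reaches a
honeypot through Tor, the address written to the log is the exit node's, so a
first triage step is to separate exit-node sources from direct ones.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample exit list in the one-address-per-line format used by the
# Tor Project's bulk exit list. These are documentation addresses, not real relays.
SAMPLE_EXIT_LIST = """\
# comment lines and blank lines are tolerated
203.0.113.7
198.51.100.22

203.0.113.250
"""

# Constructed honeypot log lines (syslog-like) for the example.
SAMPLE_LOG = """\
Mar  3 10:14:02 honeypot sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:14:09 honeypot sshd[2231]: Accepted password for admin from 192.0.2.44 port 40110 ssh2
Mar  3 10:15:40 honeypot sshd[2240]: Failed password for root from 198.51.100.22 port 39004 ssh2
Mar  3 10:16:01 honeypot sshd[2244]: Invalid user test from 203.0.113.7 port 51133
Mar  3 10:16:30 honeypot kernel: not a connection line at all
"""

# Source address and port as written by sshd-style log lines.
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)")


def load_exit_list(text: str) -> Set[ipaddress.IPv4Address]:
    """Parse the bulk exit list format: one address per line, comments ignored."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # skip a malformed entry rather than abort the whole load
    return exits


def classify_log(log_text: str, exits: Set[ipaddress.IPv4Address]) -> List[Dict[str, object]]:
    """Return one record per connection line: source, port and whether it is a Tor exit."""
    records = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue  # lines without a source address are not connection events
        src = ipaddress.IPv4Address(m.group(1))
        records.append({
            "src": str(src),
            "port": int(m.group(2)),
            "tor_exit": src in exits,
            "line": line,
        })
    return records


def summarise(records: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Count connection events per source, split into Tor-exit and direct sources."""
    summary = {"tor_exit": {}, "direct": {}}
    for r in records:
        bucket = summary["tor_exit"] if r["tor_exit"] else summary["direct"]
        bucket[r["src"]] = bucket.get(r["src"], 0) + 1
    return summary


if __name__ == "__main__":
    exits = load_exit_list(SAMPLE_EXIT_LIST)
    recs = classify_log(SAMPLE_LOG, exits)
    for r in recs:
        tag = "TOR-EXIT" if r["tor_exit"] else "direct  "
        print(f"{tag} {r['src']:>15} port {r['port']}")
    print(summarise(recs))
```

An address flagged as a Tor exit is only evidence that the session was relayed; it says nothing about who sat behind the Tor client, which is exactly the gap the project's application aims to close.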

The functional concepts incorporated in the application could help law enforcement in the complex task of identifying cyber criminals who will go on to commit further malicious activity online unless they are caught.

The application will be disguised as important Intellectual Property (IP) to lure cyber criminals into stealing it.

1.3 Aims and Objectives

Aim 1:

Create a cross-platform application to identify cyber criminals.

Objective 1.1


Research which programming languages could be used to code the application in.

Objective 1.2

Experiment with the identified programming languages to see which can be used to create prototypes of the key application functionality: obtaining the required hardware information, i.e. BIOS and disk details, the external IP address and the MAC address.

Objective 1.3

Decide on a programming language in which to complete the application, based on which is most suited to the final application and the level of programming skill possessed.

Aim 2:

Evaluate the usefulness of the created application.

Objective 2.1

Test the application on a number of willing participants' systems to make sure it functions properly.

Objective 2.2

Test the application on a system with Tor installed to verify the application is able to bypass Tor and provide the genuine external IP address.

Objective 2.3

Place the application on a honeypot (an intentionally insecure server) and wait for the honeypot to be compromised by cyber criminals and the application to be stolen and executed on their systems.


2.0 Background

For the literature review in this project secondary research has been used from books and online journals that have been found via the Sheffield Hallam Library Gateway. Credible online sources have also been used.

2.1 The Effects of Cybercrime and How It Can Be Combatted

2.1.1 The Cost of Cyber Crime

One of the leading reasons to identify and prosecute malicious online parties committing cybercrime is the cost their actions have on UK businesses and the UK economy as a whole.

(Detica Ltd 2011), a company that "delivers information intelligence solutions to government and commercial customers," estimates the cost to the UK economy of cybercrime committed for financial gain at "£27bn per annum." The majority of this cost is believed to derive from the theft of IP, estimated "at £9.2bn per annum." Although cybercrime has a substantial financial impact on both UK citizens and the Government, businesses are worst affected, with "a total estimated cost of £21bn."

According to (Symantec 2013), the "total global direct cost of cybercrime…" increased from US$110 billion in 2012 to $113 billion.

2.1.2 Combatting Cybercrime

In order to cut the cost of cybercrime to UK businesses, the first step is to make companies aware of why it is so important to invest in technology to do so. Companies are organisations set up to make a profit, and spending large amounts of money on technology to protect their infrastructure from security breaches does not in itself make them a profit. Unless companies are shown how much money they could lose in the event of a security breach, it is unlikely they will invest in the technology to prevent it.


2.1.3 Preventing Intrusion

Hardened Operating Systems

Hardening the Windows operating system by disabling all unrequired services, deleting all unrequired executables and registry entries and applying suitable restrictive permissions to files, services, end points and registry entries will help with the prevention of intrusion by cyber criminals.

The Linux operating system offers numerous distributions that users can choose from. Pre-hardened distributions exist such as Tails and Lightweight Portable Security (LPS) created by the Software Protection Initiative (SPI) under instruction by the Air Force Research Laboratory and the US Department Of Defense. Both Tails and LPS are live systems designed to run from removable media such as USB sticks and only save by default to memory instead of hard disks to avoid leaving any trace of themselves after system shutdown.

The Active Defense Harbinger Distribution (ADHD) Linux distribution based on Ubuntu 12.04 LTS takes defence one step further by providing “tools whose functions range from interfering with the attackers' reconnaissance to compromising the attackers' systems… the active defense mechanisms are triggered by malicious activity such as network scanning or connecting to restricted services.” (Robish, Johnson and Strand)

Firewall

Firewalls can be either software solutions installed on operating systems or dedicated hardware placed on the perimeter of the network to control incoming and outgoing traffic. Firewalls refer to a set of rules which dictate the traffic that is allowed to pass through them. For instance, a firewall rule set may only allow incoming traffic on certain ports and/or only allow traffic from certain IP addresses to enter the internal network.

Intrusion Detection System (IDS)

An IDS is a hardware device or software application that monitors traffic on a network and logs maliciously crafted packets or breaches of security policies set up by the network administrator. An IDS can be set up to notify the network administrator of potential security breaches.


Intrusion Prevention System (IPS) / Intrusion Detection and Prevention System (IDPS)

An IPS / IDPS extends the functionality of an IDS: it performs the same monitoring but also attempts to stop malicious traffic from entering the internal network. (Boyles 2010) states that the IPS does this in various ways: sending an alarm "to a syslog server or a centralized management interface," dropping packets it deems malicious, resetting the connection ("sending a TCP reset to the end or source host and terminating any malicious TCP connections") and blocking traffic "from the source IP address of the attacker for a specified amount of time". The IPS can also block connections on which it identifies attack signatures.

Antivirus

Antivirus software is crucial to prevent system hard drives being infected with malware such as viruses, worms, Trojans and rootkits. Malware has the potential not only to destroy critical business systems but also to lead to IP being stolen by malicious parties that have inserted backdoors. With the majority of the cost associated with cybercrime deriving from IP theft, antivirus software is a key security technology that must be implemented by businesses. Most current antivirus solutions integrate cloud technology to identify threats faster. Referring to their antivirus solution, (Kaspersky Lab) state that "Cloud systems pool intelligence from millions of computers in the field to spot suspicious trends. That vast trove of information means they can detect threats earlier, and block those threats before they become a problem." Most modern antivirus solutions also incorporate heuristics in order to identify newly developed or modified threats that do not yet have signatures associated with them. Heuristic functionality works by identifying behaviour carried out by applications that is typical of viruses, Trojans etc., e.g. using certain code methods to keylog the system, dropping into system folders and adding autostart entries to the registry.

Anti - Distributed Denial of Service (DDoS)

With DDoS being a critical threat to large UK businesses, it is vital to implement some form of protection against it. DDoS attacks can last for weeks, causing substantial losses in business revenue due to systems operating at a crawl or total outages.

Products such as Fortinet's FortiDDoS-300A appliance are specialised hardware designed to deal with modern DDoS attacks. As stated by (Fortinet Inc), the purpose of these products is to "detect, and block reconnaissance and Distributed Denial of Service (DDoS) attacks while leaving legitimate traffic untouched." Whereas conventional systems are overwhelmed by the traffic targeted at them during a DDoS attack, anti-DDoS products use a mixture of specific hardware and software to deal with this effectively.

UK businesses also have the choice to outsource DDoS protection to third-party anti-DDoS services. Prominent companies offering this service include GigeNET, Incapsula Inc, BlockDos and Black Lotus. These companies also use a mixture of specific hardware and software to deal with DDoS attacks, but because their whole business is focused on providing this service, they can afford to spend more on hardware and software, allowing them to prevent the attacks more effectively.


Honeypot

Honeypots are essentially traps used in the attempt to trick cyber criminals into attacking them by emulating known vulnerabilities. They are generally set up to monitor cyber criminals or to capture their malicious payloads so that analysis can be carried out on them. Two types of honeypot exist: production honeypots and research honeypots. These types can be broken down into three classifications based on the design criteria employed: pure honeypots, high-interaction honeypots and low-interaction honeypots.

Pure honeypots are fully functioning production systems with a tap installed on the honeypot's link to the network. This tap is used to monitor the activity of cyber criminals. High-interaction honeypots are decoys made to look like critical production systems by imitating the activities they carry out whilst hosting multiple services. Low-interaction honeypots only provide the services that are normally requested by cyber criminals. As explained by the developers of (Honeyd), "they are useful to gather information at a higher level, e.g., learn about network probes or worm activity."

Honeypots are interesting security technologies used by antivirus vendors, companies and research environments. Antivirus vendors use honeypots to catch and analyse new malware and variants of existing malware; companies deploy them in their production networks in order to protect critical systems by attracting cyber criminals to attack the honeypot instead; and researchers use them to identify the latest methods used by cyber criminals to thwart security solutions.

(Kumar and Pant 2009) decided to take the use of research honeypots a step further and experiment with using “honeypots for generating and broadcasting instant cures for new and unknown malware in the network.” They proposed that these cures would “be in the form of on-the-fly anti-malware signatures” spreading “in a fashion that is similar to the way malware spreads across networks.”

2.1.4 The Technological “Arms Race”

Due to the introduction of advanced security solutions, cyber criminals have developed more sophisticated attacks in order to bypass them. (Roschke, Cheng and Meinel 2011) explain that these attacks incorporate methods such as “advanced cryptography, self-modified code, and integrated attack frameworks.” Using cryptography to encrypt malicious code or embed backdoors in cryptographic functions is known as cryptovirology, and writing code that is able to modify itself is known as polymorphism. The battle between cyber criminals and security vendors is a technological “arms race”, with both sides having to constantly innovate in order to thwart or bypass the other.


2.1.5 Policies to mitigate the effects of intrusion

Use of encryption

Encrypting critical information stored on business server hard drives or in databases such as IP or customer card details is fundamental to mitigating the effects of an intrusion. If a cybercriminal is able to bypass all of the technology in place to prevent their attack, it is important that no critical information is stored in plain text. A secure encryption algorithm such as AES-256 should be used.

Use of Hashing

Hashing is another very useful practice to mitigate the effects of an intrusion, as hashes are one-way functions that cannot feasibly be reversed. It is important to use a cryptographically secure hashing function such as SHA-2, as earlier hashing functions such as SHA-1 have been cryptographically broken. As (Schneier 2005) said on his blog, “three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force.”

Hashing could be used for the passwords and usernames of customers stored in business server databases, to stop cyber criminals using these details if they are able to break in.

2.2 Staying Anonymous Online

Proxy Servers

Proxy servers are used by a wide variety of people in order to help maintain anonymity whilst online by masking their Internet Protocol (IP) address. As stated by (Proxy.org) they work by acting “as an intermediary, routing communications between your computer and the Internet. A proxy specializing in anonymous surfing, however, uses its own IP address in place of yours in every outgoing request.”

There are various approaches to proxies: web-based proxies, open proxies, anonymity networks (Freenet, I2P, JAP and Tor) and proxy and VPN software.

Web-based proxies, such as Hide My Ass (http://hidemyass.com/), use software such as CGIProxy, PHProxy, Glype and custom proxy scripts running on the server. The user does not have to download and install software or reconfigure the proxy settings in their web browser. All these services require of the user is to enter the URL (website address) they wish to visit into a web form.


Open proxies are HTTP or SOCKS proxy servers that have been left open either accidentally or maliciously. They require the user to reconfigure their browser’s proxy settings. Cyber criminals who exploit and compromise machines will sometimes install proxies on them in order to hide their own IP address when they go on to attack further machines.

The problem with open proxies is that they do not provide privacy or security, as all of the web activity carried out through them could potentially be logged. Many open proxies are in fact honeypots set up for the very purpose of logging and tracking illegal activity. Because data is not encrypted when using open proxies, using them could also mix your browsing activity with the activity of criminal gangs, leading to the implication that you are also involved in that activity.

Virtual Private Networks (VPNs)

VPNs are popular amongst both businesses and individuals. The technology allows businesses’ employees to securely log into their company’s intranet over the public internet. Due to the high cost associated with leased lines, VPNs provide a favourable alternative.

Although the technology was developed as a business solution, it can also be used by individuals in pursuit of online anonymity. VPNs allow individuals to mask their IP address, as external servers on the internet will see the IP of the VPN and not their own. As the VPN tunnelling protocols PPTP, L2TP and IPsec support encryption, this provides data security, as it stops data sent down a VPN tunnel from being sniffed with applications such as Wireshark.

If an individual decides to use a VPN solution in an attempt to stay anonymous, they should do some research into which providers store logs. If a VPN is used for illegal activity and logs are stored by the provider, the provider will be forced to hand over the offending user’s original IP address if law enforcement agencies demand this information through a court order. (Torrent Freak) tells us that some VPN solutions further improve anonymity by using “shared IP addresses rather than dynamic or static IPs, so it is not possible to match a user to an external IP.”

Tor

The Tor network is used by various people in the attempt to stay anonymous whilst online. As identified by the (Tor Project) “Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory… Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet.”

Tor protects its users against conventional methods which can be used by cyber criminals or governments to determine who is communicating over the internet. Users of the internet can be identified by their IP address, but Tor masks this, as each user of the Tor network will appear to be using the IP address of another node in the Tor network. Tor uses a technique called onion routing to help anonymise its users. Traffic cannot be traced through the Tor network back to its originating IP address, as the traffic travels through an encrypted chain of relays, each of which only knows the relay from which it received data and the relay to which it must send data. Individual relays do not hold information on the full path the data is taking. A new set of encryption keys is generated for each hop along the Tor circuit, ensuring that data cannot be traced by individual hops.

How Tor Works - Diagrams

(Three diagrams illustrating how Tor works, reproduced from the Tor Project)

The Tor client has been written to work on the most commonly used operating systems: Windows, Mac OS X and Linux/BSD/Unix.

When using Tor, users must be aware of potential DNS leaks, as by default DNS requests are not routed through the Tor network. If someone trying to identify a Tor user is monitoring their computer or DNS server, they can see the domain lookups being carried out and where they are originating from. The (Tor Project) tells us that the best way to mitigate this threat is to use something called Torsocks. “Torsocks can prevent DNS leakage due to things like DNS prefetching or binary plugins that generate their own network traffic, whereas HTTP or SOCKS proxies cannot prevent these kinds of leaks.”
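The leak described above happens when an application resolves the hostname itself and then hands the proxy only an IP address. As an added illustration (not code from this project or from the Tor Project), the following Python client sends the unresolved name inside the SOCKS5 CONNECT request (address type DOMAINNAME, RFC 1928) so that resolution happens at the proxy, which is the behaviour Torsocks enforces for applications; the RecordingProxy is a constructed stand-in for a SOCKS5 listener so the exchange runs offline.

```python
import socket
import struct
import threading
from typing import Optional, Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request (RFC 1928) carrying the hostname itself (ATYP 0x03).

    A leak-prone client would call getaddrinfo() here and send ATYP 0x01 with
    the resolved address; this function never touches the local resolver.
    """
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("SOCKS5 DOMAINNAME must be 1..255 bytes")
    head = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name))
    return head + name + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> Tuple[int, str, int]:
    """Decode a CONNECT request into (atyp, destination, port)."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        return atyp, socket.inet_ntoa(data[4:8]), struct.unpack("!H", data[8:10])[0]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        return atyp, data[5:5 + n].decode("idna"), struct.unpack("!H", data[5 + n:7 + n])[0]
    raise ValueError("unsupported address type %d" % atyp)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def socks5_connect(proxy: Tuple[str, int], dest_host: str, dest_port: int) -> socket.socket:
    """Open a TCP stream to dest_host:dest_port through a SOCKS5 proxy (e.g. Tor's
    SOCKS port); the name is resolved by the proxy, never by this machine."""
    sock = socket.create_connection(proxy, timeout=5)
    sock.sendall(struct.pack("!BBB", SOCKS_VERSION, 1, NO_AUTH))  # greeting: offer NO AUTH
    ver, method = struct.unpack("!BB", _recv_exact(sock, 2))
    if ver != SOCKS_VERSION or method != NO_AUTH:
        sock.close()
        raise ConnectionError("proxy did not accept the NO AUTH method")
    sock.sendall(build_connect_request(dest_host, dest_port))
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(sock, 4))
    if ver != SOCKS_VERSION or rep != REP_SUCCEEDED:
        sock.close()
        raise ConnectionError("SOCKS5 CONNECT failed with reply code %d" % rep)
    # drain BND.ADDR/BND.PORT so the caller's first recv() is application data
    if atyp == ATYP_IPV4:
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    else:
        _recv_exact(sock, 16 + 2)
    return sock


class RecordingProxy:
    """Constructed stand-in for a SOCKS5 listener on 127.0.0.1: serves one client,
    records which destination form it received and answers 'succeeded'."""

    def __init__(self) -> None:
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.seen: Optional[Tuple[int, str, int]] = None
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _ = self.listener.accept()
        with conn:
            _recv_exact(conn, 3)                            # client greeting
            conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
            head = _recv_exact(conn, 4)
            if head[3] == ATYP_DOMAIN:
                length = _recv_exact(conn, 1)
                body = length + _recv_exact(conn, length[0] + 2)
            else:
                body = _recv_exact(conn, 4 + 2)             # IPv4 address + port
            self.seen = parse_connect_request(head + body)
            conn.sendall(bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6))
        self.listener.close()


if __name__ == "__main__":
    proxy = RecordingProxy()
    # a .onion name cannot be resolved by public DNS, so any local lookup would be a leak
    stream = socks5_connect(("127.0.0.1", proxy.port), "example.onion", 80)
    stream.close()
    proxy.thread.join(5)
    print("proxy received:", proxy.seen)  # (3, 'example.onion', 80)
```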

It must be noted that there is never a perfect solution to anonymity online. Due to the popularity of Tor, many researchers have spent countless hours testing the security of the network to see if they can find ways to identify its users. (Ling et al. 2012) “introduced a novel cell-counting-based attack against Tor. This attack is difficult to detect and is able to quickly and accurately confirm the anonymous communication relationship among users on Tor.”

The team explains that this attack works by one person setting up a malicious exit onion router and slightly manipulating “the transmission of cells from a target TCP stream” and embedding “a secret signal (a series of binary bits) into the cell counter variation of the TCP stream.” An accomplice then monitors the entry onion router and “recognizes the embedded signal using” the team’s “developed recovery algorithms and links the communication relationship among users.” (Ling et al. 2012) The scariest thing about this particular attack is that, due to the Tor network’s design, it is extremely hard to defend against.

Of course when vulnerabilities are found in Tor other researchers will try to develop methods to defend against them.


I2P

The I2P network is an alternative to Tor which is used by various people to attempt to stay anonymous whilst online.

I2P uses a technique called garlic routing to help anonymise its users. This could be seen as the evolution of onion routing: garlic routing also uses layered encryption but differs in that it bundles multiple messages and uses unidirectional paths. As stated by the (I2P Project), the algorithm used "allows for more flexible and reliable delivery” and uses ElGamal/AES encryption.

In a comparison between Tor and I2P, the (I2P Project) tells us that unlike Tor I2P provides anonymity for all parties in the network, “both sender and recipient are unidentifiable to each other as well as to third parties…there are both in-I2P web sites (allowing anonymous publishing / hosting) as well as HTTP proxies to the normal web (allowing anonymous web browsing)”

I2P disadvantages over Tor:

A smaller user base

Fewer developers working on the project

Less efficient memory usage

Does not receive the significant amount of funding Tor does

I2P advantages over Tor:

Designed with hidden services in mind and so they function faster than those in Tor

Designed for peer-to-peer use

The tunnels in I2P are active for a much shorter time period than the circuits in Tor making I2P more secure against attack in this sense.

“I2P APIs are designed specifically for anonymity and security, while SOCKS is designed for functionality.” (I2P Project)

Freenet

Like both Tor and I2P, Freenet is another network which can be used to help stay anonymous online. As described by the (Freenet Project) it “is decentralised to make it less vulnerable to attack, and if used in "darknet" mode, where users only connect to their friends, is very difficult to detect.” Due to the incorporation of the “darknet,” users are able to create a proxy/trust chain through their friends' friends' friends out of the Freenet network to the internet and do not have to rely on tunnelling like in Tor and I2P. This makes it very hard for oppressive governments to block Freenet. Like Tor and I2P, data sent across the Freenet network is encrypted as it passes across nodes.

Resources required for the Freenet network to function are provided by its users, each of whom contributes a portion of both bandwidth and hard disk space. The hard drive space provided by each user is termed the “data store.” Data stored here is encrypted in order to provide privacy and security. Encrypting the data also ensures that the person hosting it on their machine should not be able to be held responsible for it, as they do not have the means to decrypt it and therefore do not know what it is.

Chat forums, websites and search functionality all exist on the distributed data store provided by Freenet users.

2.3 Penetrating Networks And Computer Systems

Metasploit Framework

The Metasploit Framework is free/open-source software coded in Ruby and used by various individuals, including security professionals as well as cyber criminals. The framework aids in the development and execution of exploits against remote machines. Security professionals use the framework for penetration testing to ensure systems are secure, whereas cyber criminals use it to breach systems.

The beauty of the framework is that it allows people to use existing payloads (code that will be executed on the target system upon successful entry) with existing or newly created exploits (code that takes advantage of one or more security flaws in a piece of software in order to perform unintended operations). This approach stops people having to reinvent the wheel: it allows them to focus on exploit development without having to create payloads as well.

Existing payloads present in the framework include code to spawn a remote shell, a VNC server, etc. To avoid signature-based detection by IPSs or antivirus software installed on the target machine, payloads can be encoded. This is not foolproof, though, as antivirus companies and the vendors of IPSs know that this practice goes on, and signature databases are updated for encoded versions of what they deem to be malware.

One of the most commonly used tools in the framework is the msfconsole. The msfconsole is an interface for the framework that can be launched from the command line by typing: msfconsole after browsing to the framework directory. As recognised by (Kennedy et al. 2011) “You can use msfconsole to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.”


Nmap Security Scanner

Nmap is a free/open source command line application used by security professionals and cyber criminals alike. Nmap is compatible with all the commonly used operating systems: Windows, Mac OS X and Linux.

The developers explain that by using raw IP packets in unusual ways, Nmap is able to figure out “what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics." (Nmap)

Nmap is useful because if a security professional or cybercriminal knows the OS and patch level of a system, or the version of an application running based on the services Nmap fingerprints, they are able to look up exploits which can successfully target these.

Included in the Nmap suite are a variety of other tools: Zenmap, an advanced GUI and results viewer for Nmap; Ncat, a tool which can be used for flexible data transfer, redirection and debugging; Ndiff, a tool which can be used to compare scan results; and Nping, a utility which can be used to generate packets and analyse responses.

Nessus Vulnerability Scanner

Like Nmap, Nessus is a vulnerability scanner which can be pointed at machines that a security professional or cybercriminal wishes to target, simply by providing the IP addresses of the machines. Unlike Nmap, Nessus is a commercial product.

Nessus improves on Nmap in that it identifies potential vulnerabilities for the user, saving them the time of having to work out what potential exploits a system they have scanned is vulnerable to.

THC Hydra

THC Hydra is a network password brute-forcing tool that, as stated on the developers’ website, is compatible with a large number of services: “Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.” (THC-Hydra)


Maltego

Maltego is a useful tool used for reconnaissance of a website or organisation. “Maltego is a program that can be used to determine the relationships and real world links between:

People

Groups of people (social networks)

Companies

Organizations

Web sites

Internet infrastructure such as:

Domains

DNS names

Netblocks

IP addresses

Phrases

Affiliations

Documents and files” (Paterva)

As Maltego is programmed in Java it is able to run on Windows, Mac and Linux.

2.4 Previous Work Carried Out By Other People In The Project Subject Area

Research honeypots have been taken into the ethically grey realm of counter-attacking security measures. Designing such a honeypot is not legal under UK law, but in some countries with more relaxed computing laws they can be set up without fear of prosecution. Alexey Sintsov, a security researcher and co-founder of DefCon Russia, developed an experimental honeypot with the ability to counter-attack cyber criminals. The honeypot installed a backdoor on the cyber criminal’s system capable of stealing the following sensitive data: files on the hard disk, a list of the nearby wireless hotspots (Basic Service Set Identifiers, BSSIDs), network configuration information, the output from running traceroute and nslookup, and microphone/video recordings made by the backdoor.

Alexey Sintsov points out that the backdoor can be installed onto the cyber criminal’s system by various means. One of the more obvious methods is to use a browser or browser plug-in exploit. The cybercriminal can also be tricked into executing the backdoor, which is a more long-term solution, as exploits get patched. “The files can be self-extracting archives, software version with “Unlimited license” or some client for custom software. In any case, it should motivate him to run these files on his own workstation.” (Sintsov)


2.5 Methods Employed By Government Agencies To Identify Cyber Criminals

Cybercrime costs the UK economy a lot of money, but in reality there is no silver bullet to identify cyber criminals.

Exploits are one of the common methods government agencies will utilise to break into an endpoint system. Exploits are effective in that they help automate the process of intrusion, but social engineering is still required to make a cybercriminal visit a particular URL from where the exploit will be triggered.

Exploits are specific to particular software; for instance, an exploit for the Firefox web browser is unlikely to work against the Google Chrome web browser. This means there is no guarantee the exploit will even work against the cyber criminal’s system. There is also the cost factor of purchasing zero-day exploits (exploits unknown to the developer of the software they target). Zero-day browser exploits cost thousands of pounds. This would be a lot of money to an individual, but to a government agency such as the NSA (National Security Agency), with its huge budget, it would not really be a factor.

It is public knowledge that the NSA paid the private security firm Vupen for zero-day exploits in order to carry out surveillance. A copy of the contract can be found at the website link included in the bibliography. The amount of money the NSA paid for the 12-month subscription to a binary analysis and exploits service has been redacted in the released document, which is pretty good proof that it cost them a substantial amount.

Due to the fact that there is no silver bullet, the NSA takes multiple approaches, which other agencies like the FBI surely also employ. (Schneier), writing for The Guardian, tells us that after reading “hundreds of top-secret NSA documents provided by whistleblower Edward Snowden” he has learned that the “NSA gets access to the communications trunks that move internet traffic. In cases where it doesn't have that sort of friendly access, it does its best to surreptitiously monitor communications channels: tapping undersea cables, intercepting satellite communications, and so on.” Bruce Schneier goes on to tell us that the NSA also directly attacks networking devices such as switches, routers and firewalls. A lot of these devices have surveillance code written into the shipped firmware, and if the NSA needs to carry out surveillance they simply activate this code. The “NSA also works with security product vendors to ensure that commercial encryption products are broken in secret ways that only it knows about.” (Schneier) Two well-known public examples of this are Crypto AG and Lotus Notes.

Due to the leaked NSA documents provided by Edward Snowden it is also public knowledge that the NSA attacks the Tor network in the attempt to identify Tor users. In a top secret document titled Tor Stinks the following is revealed: “With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/ on demand.” (NSA 2012)


3.0 Methodology

3.1 Data Collection

Due to legality issues, primary data will not be collected using the application. The application will only be used in a controlled test environment set up on virtual machines (VMs).

3.2 Defining Research

Research is the process of performing an original investigation with the intention of gaining knowledge and understanding.

Originality

Originality is the first key factor of research as there is no point repeating what someone has already done. Originality can be achieved by either using a different technique to perform a task that has been done before or producing something entirely new. Projects can be original in the following ways:

Tools, Techniques, Procedures And Methods

Taking existing problems and using new tools or techniques to solve them or utilising “new procedures and methods in contexts where they have not been applied before.” (Dawson 2009) The importance is not on the success of the investigation but on the discovery of whether chosen techniques work in certain situations or not.

Exploring The Unknown

Carrying out an investigation in a field that no one has thought to explore before. New discoveries in scientific fields may present new, unexplored avenues of research.


Exploring The Unanticipated

An investigation carried out into a research field that has been explored many times before may produce “unexpected results or exciting new directions as yet unexplored.” (Dawson 2009) Contribution to scientific fields can also be achieved by developing upon original work in order to improve it or to make further discoveries.

The Use Of Data

Data can be interpreted or used in new ways. It can also be used in “alternative areas that have not yet been investigated.” (Dawson 2009)

Gaining

Gaining is the next key factor of research, but it must be noted that this refers not only to the conductor of the investigation gaining. The investigation should make a contribution to existing knowledge in the scientific field, and so it is important that it successfully passes on the gained knowledge to others.

Knowledge And Understanding

The term knowledge can be explained by breaking its meaning down into a hierarchy consisting of data, information, knowledge and wisdom.

Data

“Data are the factual elements that describe objects or events.” (Dawson 2009) Raw numbers and text are gathered in investigations.

Information

Information is the product of processing. Processing of data is required in order to give it meaning and for it to be presented to the reader in an understandable format.


Knowledge

The acquisition of knowledge signifies a higher level of understanding. “Knowledge is your personal interpretation of what you gain from information as rules, patterns, decisions, models, ideas and so on.” (Dawson 2009)

Wisdom

Wisdom is the process of putting knowledge into practice. It is the ability to form “new knowledge and adapt to different situation” (Dawson 2009) by utilising your skills and experiences.

3.3 Research Methods

There are various methods for performing research in the field of Information Systems and Computing. The six main strategies are: survey, design and creation, experiment, case study, action research and ethnography.

Survey

Surveys are used to target a large group of people / events and obtain the same kinds of data from each person / event. This data is then analysed using statistics in the attempt to identify patterns. Establishing patterns allows the conductor of the survey to argue that the data gathered applies to a larger population than the group that has participated in the survey.

Design And Creation

Design and creation is used in the process of developing new IT products (artefacts). As stated by (Oates 2006), these IT products are usually computer-based systems but “can also be some element of the development process such as a new construct, model or method.” The design and creation strategy encompasses the following five steps: awareness, suggestion, development, evaluation and conclusion.

Experiment

Experiments are used to investigate cause and effect relationships. Hypotheses are formed by the conductor of the experiment and tested in the attempt “to prove or disprove a causal link between a factor and an observed outcome.” (Oates 2006) Measurements are made before and after carrying out the experiment. All of the factors except for the one that is thought to cause the after result are carefully excluded from the study.

Case Study

Case studies are used when focusing on a single instance of the entity that is being investigated. This entity could be: an organisation, “a department, an information system, a discussion forum, a systems developer, a development project, a decision and so on.” (Oates 2006) Focusing on a single instance allows the conductor of the case study to obtain detailed information about it - complex relationships and processes can be identified.

Action Research

Action research is used in cases where “researchers plan to do something in a real-world situation...” (Oates 2006) Action is then taken by the researchers and the outcome of this is reflected upon in order to establish what has been learnt. Another cycle of plan-act-reflect is then begun.

Ethnography

Ethnography is used in cases where researchers wish to understand the culture and the way in which a particular group of people see things. The researcher will be actively involved in the lives of the group of people they are researching. This involvement helps in gathering more accurate and detailed data than could be achieved as a detached observer.

3.4 Research Method Employed

Due to the nature of the project, the design and creation research strategy will be taken. The project will demonstrate a research project “where the IT application is a vehicle for something else.” (Oates 2006) Due to the level of programming knowledge possessed, the application that is created will be a prototype to demonstrate one way in which cyber criminals can be identified. The prototype will demonstrate a concept that can be improved upon in order to achieve cross-platform interoperability and therefore increase identification rates. Inductive reasoning will be used in order to gain knowledge, and deductive reasoning will be used in order to apply wisdom to the process of building the application.


4.0 Design / Development chapters

4.1 Software Development

The Software Development Life Cycle (SDLC)

The software development life cycle consists of the following stages: requirements capture, design, build, test and implement.

Requirements Capture

The requirements capture stage consists of gathering information and producing documentation on all of the requirements the user of the application wishes to be met.

Once the requirements have been gathered, a Requirements Definition is written up using the user’s terms. This document will usually contain inconsistencies, as a user rarely has a full understanding of the problem they wish to be addressed.

After this has been created, an analyst will review it and write an unambiguous version, which is known as a Requirements Specification. This document serves as the basis for a legal contract between the user and the software developer.

The final stage of the process is for the analyst to decide on a system that can adequately meet the requirements specification. This is known as the Functional Specification and, as stated by (Dawson 2009), the “document usually contains an introduction, a rationale for the system, project objectives, functional requirements and non-functional requirements.”

Design

The design stage consists of producing a plan of what functionality will be present in the application based on the user’s requirements.

The design process can include producing flowcharts and writing Program Design Language (PDL) or Unified Modelling Language (UML) in the case of object-oriented applications.

Build

The build stage consists of developing/coding the application based on the plan drawn up.


Test

The test stage consists of running the functioning application in an environment that mimics that of the users’ and checking for logic flaws/bugs in the application.

Implement

The implement stage consists of the final, accepted application being put into production in the user’s environment.

In reality there is often some overlap, and some of the stages have to be repeated as applications are usually built up in stages, and changed upon receiving user feedback.

4.2 Development Models

Build-And-Fix

Before there were recognised models for developing software, programmers would build applications by trying to understand the problem they had to solve, and then writing code to address it. There was no requirements capture or design process, and applications were simply hacked together. Once code functioned, it would be run and any bugs found would be corrected.

Issues With This Approach:

Due to the lack of structuring, after several updates to the code the software becomes hard to maintain.

Due to the lack of planning, the software does not usually end up meeting the user’s requirements and so cannot be implemented or requires a lot of recoding.

The software can end up costing a lot to maintain due to the absence of good structure and the inability to easily test different parts of it.

Stage-Wise And Classic Waterfall Models

Due to all of the problems associated with the build-and-fix approach, various more structured methods for software development were thought out. The first of these methods was called the stage-wise model, developed in 1956 by Benington. This method involved a unidirectional, sequential approach to programming: “once a stage has been completed, the results of that stage become a fixed baseline from which the following stages develop.” (Dawson 2009) The major flaw is that it didn’t allow programmers to go back and make changes to a stage if need be.

As the sequential approach of the stage-wise method was causing a problem, the classic waterfall method was developed which “allowed some limited interaction between stages…” (Dawson 2009)

Issues With The Classic Waterfall Model:

Due to the fact that the user’s problem will be constantly evolving over time in the case of a business client, the software delivered will be obsolete due to it no longer meeting the user’s requirements.

Due to a user’s understanding of the problem they need solved rarely being clear at the start of a project, the software delivered is likely to not fully meet their requirements.

Incremental Model

The incremental model differs from other models in that it focuses on numerous releases of working sub-systems instead of having one release of the final application. Extra functionality is added at each release. Within the first release, the programmer must create a kernel, the “overall software structure…” (Dawson 2009), for the subsequent releases to build upon. Due to the development of the kernel, the design stage of the initial release will take the longest.

Releases will not all add the same amount of functionality, and some may be harder to produce: the time spent designing, building, testing and implementing will vary amongst releases. Releases are rolled out until a fully functioning system is delivered to the user.

With an incremental approach to programming it is important to have a plan for the project as a whole before development starts. If a plan is not in place the programmer/s may find that an early release causes problem with a subsequent release resulting in them having to recode parts of the application.

To decide what functionality should be included in each release, a value to cost ratio table should be drawn up. Value is defined as the usefulness of a feature measured on a scale of 1-10 and cost is defined as the time it will take to code that feature also measured on a scale of 1-10. “By dividing the value of the increment by its estimated cost (the value to cost ratio) you can determine the added value that increment will provide to your system and draw up a priority list…” (Dawson 2009)

Advantages Of The Incremental Model

Due to the numerous releases of working sub-systems, the user can get an early understanding of what the application is capable of and the competency of the programmer/s. The user is able to give feedback on the system and suggest changes if their understanding of the problem at the start of the project was not clear.

By breaking the application down into various releases it allows for better planning and allows the programmer/s to set manageable time frames for the inclusion of different functionality. It is a lot easier to see if a project is falling behind schedule and put measures into place to prevent this if need be.

The breaking down of an application provides an easier learning curve for the user, as they are able to learn the functionality over a period of time.

Disadvantages Of The Incremental Model

Unless the final application that will be delivered to the client is a large project, it might be hard to split it up into various releases which show significant improvement upon each other to the user.

Although it can be seen as positive to have regular meetings with a client, in the meetings they may come up with too many potential improvements. This is detrimental to the project if there is not the time to complete all of the thought-up improvements.

Prototyping Models

Prototyping models are useful in cases where there is not a clear understanding of the requirements or the technical issues that will be faced when creating an application. In these cases, in order to complete the requirements capture stage of development it can be useful to create a prototype. Prototyping also allows for a trial run of the design of an application, as the user is able to give feedback on the user interface.

Experimental prototyping can be used to determine the best programming language to develop an application in and whether the programmer/s has/have the technical ability to use the language. There are two types of experimental prototyping: throw-away prototyping and evolutionary prototyping.

Throw-Away Prototyping

Throw-away prototyping allows the programmer/s to develop an incomplete test version of the application in order to demo it to the user. The prototype can be developed in a different programming language to speed up development and then be thrown away and re-coded in the chosen programming language at a later date, or could simply demo the user interface without the underlying code included.

Advantages Of Throw-Away Prototyping:

A demo is quickly produced allowing the user to give early feedback on the application

As the demo is not set in stone it allows the user to clarify and make changes to their requirements if need be

“Misunderstandings, error and omissions in the requirements can be sorted out” (Dawson 2009)

Communicating with the user is improved as it is easier to review something physical than a document that describes it

The prototype allows the user to test how useful the application will be to them

Various prototypes encompassing different approaches can be compared against each other

Disadvantages Of Throw-Away Prototyping:

Due to the lack of time spent refining the prototype it may not look that professional and it could contain bugs which would give a bad impression of the programmer/s' competency.

If the user really likes the prototype the developer may be forced to build upon poorly structured code to produce the final product

If the prototype is developed on a different system to the target system or in an alternate programming language technical issues could be missed. This would make the programmer/s job harder when developing the application on the correct system.

More time than originally thought might be spent developing the prototype which will eventually be thrown away

Evolutionary Prototyping Model

Evolutionary prototyping is different to throw-away prototyping in that code is not thrown away but developed upon until a final application is produced. This approach could be mistaken as resembling the archaic and flawed build-and-fix approach, but is in fact “much more defined… An initial specification for the system must be investigated and produced, and the process must follow a planned series of releases (evolutions).” (Dawson 2009) Due to being aware that the application will evolve over time between each release, it must have a structured design with adequate comments, suitable variable names, data structures etc. and avoid the use of spaghetti code.

Evolutionary prototyping shares many of the advantages and disadvantages of throw-away prototyping. One advantage evolutionary prototyping has over throw-away prototyping is that the code developed is not thrown away and so time is not lost. The quality of the code produced in evolutionary prototyping must be superior to that produced in throw-away prototyping though - code must be well structured and commented. The reason for this is that it will end up making its way into the final application.

Evolutionary Prototyping Diagram: three phases (Phase 1, Phase 2, Phase 3), each passing through Requirements, Design, Build, Test and Implement to produce System Version 1, System Version 2 and System Version 3 respectively.

4.3 Development Approach Taken

Due to being unsure of which programming language is best to code the application in, the agile development method adopted first will be throw-away prototyping. This will allow the developer to test developing the core of the application in various programming languages in an attempt to achieve cross-platform interoperability.

Once the developer has decided on the language to use, the agile development method called evolutionary prototyping will be adopted to complete the application.

5.0 Explanation of design(s)

5.1 Research Into Designing The Application

Whilst programming the application to help identify cyber criminals using anonymising technology, various issues were faced.

At first C++ was thought to be the best programming language to develop the application in. The application was going to be programmed to gather hardware information from the Linux OS to identify cyber criminals as most tend to favour this OS due to its open source nature and security improvements over the Windows OS.

The problem with this approach is that gathering and processing the required information is tricky and the compiled application would not be OS independent. If I programmed a Linux application in C++ it would be hard to get a cyber-criminal to run it, as it would not execute automatically and may look suspicious: most software companies run Windows software as it is easier for their employees to use. If a company was to use Linux applications it would have to train all the staff needing to use the software on how to operate Linux, as it is a foreign operating system to most computer users.

Another issue with programming a Linux application is that the programmer cannot be sure whether certain binaries are already installed. For instance the hwinfo binary could be used to help retrieve hardware information, but it is not included in bare-bones installations (link in Bibliography). The hwinfo binary could be bundled with the application and dropped into the directory where it needs to reside on the Linux operating system, but this would make the programming a lot more difficult, and there could also be permission issues when trying to write to that directory. As hwinfo is open source, the parts of its source code that gather the required hardware information could be reused. The problem with this approach is that it would require a higher level of programming ability than currently possessed in order to understand the low-level code, and it would take a lot of time searching through the code to find the parts required. Due to the time constraints of the project, the steep learning curve involved in this route was not felt to be viable.

The application could potentially have been programmed in Java in order to make it OS independent, but because Java runs in a Java Virtual Machine (JVM) it is unable to obtain the hardware information required, i.e. CPU, BIOS and motherboard serial numbers/IDs. After performing an internet search an Application Programming Interface (API) called Hyperic SIGAR was discovered which can obtain the hardware information and pass it to a Java application (link in Bibliography). The viability of incorporating this into the application was then assessed, but as it relies on a native library (e.g. hyperic-sigar-x86.dll) this was not viable. The external .dll could alert cyber criminals and stop them from running the application, as they would be able to look up the functionality the .dll file provides online and wonder why the application requires it. After further research another API called OSHI was discovered, which has the advantage of not relying on a native library (link in Bibliography). The problem with OSHI is that it is still in the early stages of development and does not provide functionality to obtain the specific hardware information required, i.e. serial numbers.

In the end it was decided to program the application to run on the Windows operating system, and C# was chosen as the programming language as it is created by Microsoft and is a lot easier to program in than C++. Hardware information (BIOS, disk and network) as well as the external IP address is gathered in order to identify the computers of cyber criminals. The advantage of using C# is that the required hardware information can be obtained easily, but the disadvantages are that the application will only run on the Windows operating system and that the .NET Framework must be installed on the computer on which it is executed. There is also the issue that the cybercriminal may be running Linux, in which case the application will not be effective against them. Despite this, there is no silver bullet against cybercrime and a lot of cyber criminals will be running Windows and therefore will be successfully identified.

Disguising the application as an important Word document by changing the executable’s icon and adding .doc to the end of the filename was considered. This would have been a good method to trick users into executing the application, but the major problem is that some cyber criminals will have the option to show the file extensions of known file types enabled. This would make the application disguised as a Word document show up as document.exe.doc, alerting the cybercriminal that it is not in fact a Word document but an executable.

It was decided to disguise the application as a custom executable crypter/packer used by a software company to protect their Windows applications from reverse engineering. This would lure cyber criminals into stealing the application and running it on their own systems as they could use it on Trojans/viruses in their possession to make them undetectable to signature based virus detection by antivirus vendors.

5.2 Developing The Application

Development of the application will be broken down into the following stages:

1. Obtaining the hardware information i.e. Bios and Disk

2. Obtaining the hostname and external IP address

3. Obtaining the MAC address

4. Writing this information to a file stored in the Temp directory

5. Sending the file to an FTP server for analysis.

6. Performing system clean-up and disguising the application

Due to the level of programming ability possessed and the time in which the project needs to be completed, it was decided to use code that is freely available on the internet and modify it in order to create the application. This seemed the most logical approach to development, as there is no point reinventing the wheel and the learning curve involved in doing so would be steep.

The development of the application was started by searching the internet for C# code to identify a computer system, and the class in Appendix B, which is designed for software licensing purposes, was found. Although the application does not require software licensing functionality, the code within the class to obtain hardware information is the part that is useful to the application. Due to the application being programmed to run on Windows, it made sense to utilise Windows Management Instrumentation (WMI) in order to make it programmatically easier to gather hardware information (BIOS, disk and network) from the system. After experimenting with the code found, the parts needed were taken out and modified in order to complete the first stage of development. To format the obtained information an internet search was performed on how to create arrays in C# and examples were found on MSDN (link in Bibliography). The use of arrays made the information obtained easily readable by splitting it up.

To test the code was functioning properly the below debugging code was used to print the contents of each string array to the console:

    // Replace the word array with your array name
    for (int i = 0; i < array.Length; i++)
    {
        Console.WriteLine(array[i]);
    }

Example:

For the second stage of development an internet search was performed to find C# code to obtain the hostname and external IP address of a system. A function was found to easily obtain the system’s hostname; the code for this is in Appendix C. Because most systems sit behind a router that uses Network Address Translation (NAT), they are unable to determine their external (public) IP address themselves. To programmatically obtain the external IP address of a system an external server must be queried. For this reason the code in Appendix B was used to complete the second stage of development. Initially another method was found that queries http://checkip.dyndns.org, but it was chosen not to use it as a member on Stack Overflow complained that the service would lock out if the code was run repeatedly.

For the third stage of development an internet search was performed to find C# code to obtain the MAC address of the system. As a system could potentially contain more than one network adapter, code that obtains the MAC of the interface with the lowest metric was used, as Windows prefers this route. The code found also used WMI. After testing the code in Appendix D it was slightly modified for use in the application.

For the fourth stage of development an internet search was performed to find a method to create a randomly named file in C# that is placed in the Temp directory of the machine the application is run on. The answer was found on Stack Overflow and the GetTempFileName() method was implemented. A random file name was used to prevent symbolic link attacks. An internet search was performed to find out how to write to files in C# and examples were found on MSDN (link in Bibliography). In order to add more information to the file created, the internet was searched for a solution and the answer was found on Stack Overflow (link in Bibliography).

To test the code was functioning properly the below debugging code was used to print the name and location of the Temp file created:

    Console.WriteLine(result);

Example:

For the fifth stage of development an internet search was performed to find C# code to upload a file to an FTP server, and the class in Appendix E, which was written for this exact purpose, was found. The code is written to upload a file with the name myfile.txt to the FTP server, but the application needs to be able to upload multiple files with random names. To fix this an internet search was performed to find out how to create a randomly named string in C#. Various answers were found on Stack Overflow but it was decided to use the GetRandomFileName() method as it is cryptographically secure (link in Bibliography). As cyber criminals could possibly be running network traffic monitoring software, an internet search was performed to find out how to use FTP with SSL to prevent the plaintext file being recovered in transit. The code in Appendix D allows SSL to be used with the FtpWebRequest class included in the .NET Framework. It was decided that SSL certificate errors should be ignored as they would prevent the sending of log files if they happened to occur. The code to ignore errors is also in Appendix E.
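The decision to ignore certificate errors is the weak point of this transport: a validation callback that returns true for every certificate lets any host that intercepts the connection present its own certificate and receive the upload, credentials included. The following C# is an added example, not the project's Appendix E code; it shows that weak callback beside one that pins the thumbprint of the operator's own FTP server (the thumbprint, host, user and password are placeholders).

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not the project's Appendix E code. The thumbprint, host, user
// and password below are placeholders to be replaced with the operator's own.
static class FtpsUploader
{
    // Weak setting the text describes: every certificate error is ignored, so a
    // host that intercepts the connection can present any certificate and the
    // upload, credentials included, is sent to it without complaint.
    static bool AcceptAnyCertificate(object sender, X509Certificate cert,
                                     X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }

    // Corrected setting: pin the SHA-1 thumbprint of the operator's server
    // certificate. A self-signed FileZilla certificate never chains to a trusted
    // CA, so the pin is the trust anchor here instead of the chain check; with a
    // CA-issued server certificate, additionally requiring
    // errors == SslPolicyErrors.None would be the stricter choice.
    const string PinnedThumbprint = "PLACEHOLDER_SHA1_THUMBPRINT_HEX";

    static bool AcceptPinnedCertificate(object sender, X509Certificate cert,
                                        X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null)
        {
            return false;
        }
        // GetCertHashString returns the SHA-1 thumbprint as upper-case hex.
        string actual = cert.GetCertHashString();
        return string.Equals(actual, PinnedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Upload localPath over explicit FTPS (AUTH TLS), which is what
    // FtpWebRequest.EnableSsl negotiates, accepting only the pinned certificate.
    public static void Upload(string host, string user, string password,
                              string localPath, string remoteName)
    {
        // Register the strict callback; AcceptAnyCertificate is kept above only
        // to show the contrast and must never be assigned here.
        ServicePointManager.ServerCertificateValidationCallback = AcceptPinnedCertificate;

        var request = (FtpWebRequest)WebRequest.Create("ftp://" + host + "/" + remoteName);
        request.Method = WebRequestMethods.Ftp.UploadFile;
        request.Credentials = new NetworkCredential(user, password);
        request.EnableSsl = true;
        request.UseBinary = true;

        byte[] data = File.ReadAllBytes(localPath);
        request.ContentLength = data.Length;
        using (Stream body = request.GetRequestStream())
        {
            body.Write(data, 0, data.Length);
        }
        using (var response = (FtpWebResponse)request.GetResponse())
        {
            Console.WriteLine(response.StatusDescription);
        }
    }

    static void Main(string[] args)
    {
        // Placeholder values; a real run needs the operator's server details.
        Upload("ftp.example.invalid", "USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER",
               args.Length == 1 ? args[0] : "log.txt", "upload.txt");
    }
}
```

With the pinned callback a connection to any server other than the one whose thumbprint is configured fails at the TLS handshake, which is the behaviour the "ignore errors" version gives up.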

For the final stage of development a clean-up process had to be performed on the system the application was executed on. To delete the temporary file created by the application the C# File.Delete() method could have been used. The problem with this method is that the file is not securely deleted. The operating system marks the space the file occupied on the hard drive as free and available for writing but the file’s data remains and can be easily recovered with data recovery tools.

To avoid this problem an internet search was performed to find C# code to securely delete files. The code in Appendix F was discovered and utilised for this purpose.

To disguise the application its icon was changed and an internet search was performed to find C# code to display an error message upon executing the application.

Examples were found (link in Bibliography) and modified to display the following error message:

5.3 Final Application Testing Process

To test the final application was functioning properly an FTP server was set up on another system running Windows 8.1. FileZilla Server was used to achieve this (link in Bibliography).

1. FileZilla Server Graphical User Interface (GUI) Home screen

2. In order to ensure the data was sent encrypted to the FTP server SSL had to be set up in the GUI.

3. A group named admin was created and a user named ben with the password front2011 was added to the admin group.

4. The Documents folder of the system running the FTP server was shared to the admin group and set as the home directory. The Write permission was ticked under the Files section to allow files to be uploaded to the shared directory.

5. The application’s code was edited with ben’s credentials and the executable was then run on another system to make sure a connection was successfully established and the log file was transferred to the system running the FTP server.

6. As can be seen below the log file was created in the Documents folder as expected.

7. The application was executed several times to make sure multiple randomly named log files were transferred.

8. As can be seen below multiple randomly named log files have been created in the Documents folder.

9. Below shows the information recorded in each log file.

Testing The Application Against Tor

The next stage of testing was to install the Tor client on a system and see if this affected the functionality of the application. After installing Tor, network applications do not route their traffic through it by default. For instance, unless the Tor Browser Bundle, which is preconfigured to use Tor, is installed, the default browser on the system on which Tor has been installed will not automatically start routing its traffic through it. In order to configure the default browser to use Tor its SOCKS proxy settings must be changed to 127.0.0.1:9050.

See below for Tor setup:

In the case of the application, which does not support SOCKS or HTTP proxies, an application such as Proxifier has to be installed in order to add SOCKS functionality and force its network traffic through Tor. This product was used as another free alternative called FreeCap did not function properly on Windows 8.1 x64.

As can be seen from the screenshots, Proxifier actually causes the application to crash. The reason for this is that the code trying to establish the FTP connection to 192.168.1.7 is unable to do so, as the application’s network traffic is being forced to route via 127.0.0.1. Even if the application had run successfully, the code to obtain the genuine external IP address is being routed through the proxy, as can be seen by the successful connection to icanhazip.com, and so the external IP address of the Tor node would be obtained. This confirms that if applications are forced to route through Tor by applications such as Proxifier, there is no way of programmatically bypassing this in the code of the application.

Luckily a lot of cyber criminals will carry out attacks using the Tor Browser Bundle and so when they steal and execute the application it will function properly obtaining their genuine IP address.

It is unlikely that cyber criminals will constantly want to route all of their network traffic through Tor due to the fact that the Tor network itself is not very fast. Due to the fact that Proxifier and its alternatives can be set up to allow only certain applications to be socksified, it is possible that they will be left running constantly by cyber criminals.

To ensure the success of the application it was decided the best course of action was to research how to kill processes in C#. This way the processes of known socksifying programs, i.e. Proxifier, FreeCap, WideCap and ProxyCap, can be killed before any networking functionality in the application is carried out. After looking through various code examples it was decided to use the code in Appendix G and modify it to kill the correct processes. This process-killing code has effectively allowed Tor to be bypassed.

As one of the processes was a system service the program had to be given Admin privileges in order to kill it. To do this an Application Manifest File was added to the project and changed to read:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

This change causes the Windows User Account Control (UAC) prompt to pop up on the system on which the application is run, in order to grant it Admin privileges.

6.0 Putting The Application On A Honeypot

One of the objectives for this project was to place the application on a honeypot (an intentionally insecure server) and wait for the honeypot to be compromised by cyber criminals and the application to be stolen and executed on their systems.

Researching Into Honeypots

After researching into honeypot technology various high-interaction and low-interaction honeypots were found on The Honeynet Project’s website (link in Bibliography).

One method of creating a honeypot would be to use an unpatched Windows XP system but internet worms would probably destroy the system before any cyber criminals even had the chance to break into it.

Another method would be to patch a Linux system to stop internet worms destroying it, but install out of date, vulnerable packages to set up a web server. The application could then be placed on this vulnerable web server. This would allow cyber criminals to compromise the web server, steal the application and execute it on their systems. This could not be done on a Windows system as the user does not have control over which version of Internet Information Services (IIS) is installed, and so it would not be possible to install an outdated vulnerable version.

Due to legal issues in the UK regarding counter attacking honeypots it was decided to not place the developed application on a public facing honeypot.

7.0 Evaluation Of Application - Practical Implications And Further Development

At present the application is programmed in C# and will only run on the Windows operating system. The application could potentially be made cross platform by porting it to Mono. This would allow it to run on Windows, Mac OS X and Linux. As stated on the Mono website: “Mono is a cross-platform implementation of the pieces that make up the .Net framework, like the CLR, C#/VB.Net compilers, and the base class libraries.” (Mono) The only problem with using Mono is that certain namespaces are not supported due to the lack of a Linux equivalent. These namespaces are: EnterpriseServices, System.Management, and System.Messaging. System.Management is currently used in the C# application that has been developed, but there may be a way of removing it and preserving the functionality it provides by coding it in a different way. It must also be noted that Linux requires certain binaries to be installed on the system on which the Mono application is executed.

The major problem with using the application to obtain hardware information from cyber criminals’ computers is that they could possibly run it in virtual machine (VM) software such as VMware or VirtualBox. If the application is run in a VM the hardware information it obtains will be the spoofed information provided by the VM. As a VM is a sandbox, the host machine cannot be manipulated unless an exploit that allows breaking out of the VM is available.

An alternative method to obtain the network information of a cybercriminal’s system would be to use a script executed automatically by the browser, but for this a browser exploit would be required. The script would also have to be obfuscated in order to make the source code harder to read.

The application is also limited in that if a VPN is used by the cybercriminal who executes the application on his/her system the external IP address of the VPN will be returned if they have their system set up to use the VPN as the default gateway - forcing all traffic to route through it. There is no way of programmatically bypassing a VPN that uses this setup.

If the application was to be used in a real world scenario it would need to be protected against reverse engineering, as C# applications are very easy to reverse engineer. Reverse engineering poses a problem as it would allow cyber criminals to read the source code, discover the application’s functionality and obtain the FTP login details. In order to make reverse engineering a lot harder the code would have to be obfuscated with a program such as Dotfuscator. Third-party packers such as Themida could also be used to stop cyber criminals reflecting the application in .NET Reflector. Packers also make it hard for cyber criminals to unpack the application to perform reverse engineering.
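To illustrate why the embedded FTP details are recoverable from an unprotected build, the following C# is an added triage example, not part of the project: it pulls printable UTF-16LE runs out of a binary (the encoding .NET uses for string literals in the #US heap) and flags the ones containing indicators the text mentions, such as ftp:// and icanhazip.com. The sample bytes built in Main are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Added triage example, not from the project. Assumption: the input is the raw
// bytes of a .NET executable, whose string literals are stored as UTF-16LE in
// the #US heap, so they surface in a UTF-16 scan rather than an ASCII one.
static class StringTriage
{
    // Indicators drawn from the text: the FTP upload target, the external IP
    // lookup service and the socksifier process names the application kills.
    static readonly string[] Markers =
        { "ftp://", "icanhazip.com", "proxifier", "freecap", "widecap", "proxycap" };

    // Return every run of at least minLen printable UTF-16LE characters.
    // #US heap entries carry a 1-, 2- or 4-byte length prefix, so a literal can
    // start at an odd file offset; both byte alignments are scanned.
    public static List<string> Utf16Strings(byte[] data, int minLen)
    {
        var found = new List<string>();
        for (int start = 0; start < 2; start++)
        {
            var sb = new StringBuilder();
            for (int i = start; i + 1 < data.Length; i += 2)
            {
                char c = (char)(data[i] | (data[i + 1] << 8));
                if (c >= 0x20 && c < 0x7F)
                {
                    sb.Append(c);
                    continue;
                }
                if (sb.Length >= minLen) found.Add(sb.ToString());
                sb.Clear();
            }
            if (sb.Length >= minLen) found.Add(sb.ToString());
        }
        return found;
    }

    // Keep only the strings that contain one of the indicators.
    public static List<string> Interesting(byte[] data)
    {
        var hits = new List<string>();
        foreach (string s in Utf16Strings(data, 6))
        {
            string lower = s.ToLowerInvariant();
            foreach (string m in Markers)
            {
                if (lower.Contains(m)) { hits.Add(s); break; }
            }
        }
        return hits;
    }

    static void Main(string[] args)
    {
        byte[] data;
        if (args.Length == 1)
        {
            data = File.ReadAllBytes(args[0]);
        }
        else
        {
            // Constructed sample: a single padding byte puts the first literal at
            // an odd offset; three zero bytes separate it from the second.
            var sample = new List<byte> { 0x00 };
            sample.AddRange(Encoding.Unicode.GetBytes("ftp://ftp.example.invalid/upload"));
            sample.AddRange(new byte[] { 0x00, 0x00, 0x00 });
            sample.AddRange(Encoding.Unicode.GetBytes("http://icanhazip.com"));
            data = sample.ToArray();
        }
        foreach (string hit in Interesting(data))
        {
            Console.WriteLine(hit);
        }
    }
}
```

Run against a real assembly, a hit for the FTP host and account literals is the concrete signal that string obfuscation or moving the credentials out of the binary is required before deployment.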

As the application is a prototype it could be extended by adding geolocation functionality. The Google Maps Geolocation API could be integrated into the application in order to obtain “a location and accuracy radius based on information about cell towers and WiFi nodes that the mobile client can detect” (Google). The problem with this geolocation service is that it is paid and only allows a maximum of 100 free requests to be made to it in a 24 hour period. In order to use these free requests a Google account is required to generate a unique API key, and billing must also be set up.

The Windows.Devices.Geolocation namespace was also considered for use to add geolocation functionality to the application. The problem with this approach is that the minimum supported client is Windows 8.

If geolocation functionality was added it would circumvent the problem caused by cyber criminals using VPNs, as the application could generate a location based on surrounding wireless access points instead of relying on the external IP address for location detection purposes. This also has its limitations though, as the system would require a wireless network adapter, which desktop machines do not always possess.

Although the application could be developed further, in its current state it does successfully bypass Tor, and it is programmed to ignore system-wide proxy settings set up in Internet Explorer, allowing it to bypass proxies.

8.0 Conclusion

This project has explored the issue of cybercrime and resulted in the creation of an application to identify cyber criminals using anonymising services such as the Tor network to mask their genuine IP address online. The initial aims set out at the start of the project in the Aims And Objectives section have successfully been achieved. A fully functioning application has been created that is capable of bypassing Tor and obtaining the genuine external IP address of cyber criminals.

References

BOYLES, Tim (2010). In: CCNA Security Study Guide: Exam 640-553. John Wiley and Sons, p.249.

DAWSON, Christian (2009). In: Projects in Computing and Information Systems A Student’s Guide. 16-127.

DETICA LTD (2011). The Cost Of Cyber Crime. [online]. Last accessed 4 February 2014 at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf

[online]. Last accessed 11 March 2014 at: http://forti-net.co.uk/fortinet-network-security/fortinet-infrastructure-security/fortinet-ddos-attack-mitigation-appliance

[online]. Last accessed 9 February 2014 at: https://freenetproject.org/whatis.html

[online]. Last accessed 17 March 2014 at: https://developers.google.com/maps/documentation/business/geolocation/

[online]. Last accessed 6 February 2014 at: http://www.honeyd.org/background.php

[online]. Last accessed 7 February 2014 at: http://geti2p.net/en/docs/how/intro

[online]. Last accessed 7 February 2014 at: https://geti2p.net/en/docs/how/garlic-routing

[online]. Last accessed 7 February 2014 at: https://geti2p.net/en/comparison/tor

[online]. Last accessed 6 February 2014 at: http://www.kaspersky.co.uk/internet-security-center/internet-safety/choose-the-right-cloud-antivirus

KENNEDY, David, et al. (2011). In: Metasploit The Penetration Tester’s Guide. p.9.

KUMAR, Shishir and PANT, Durgesh (2009). Detection and Prevention of New and Unknown Malware using Honeypots. [online]. International journal on computer science and engineering, 1 (2), 56-61. Article from Engineering Journals last accessed 09 March 2014 at: http://www.enggjournals.com/ijcse/doc/IJCSE09-01-02-04.pdf

LING, Zhen, et al. (2012). A New Cell-Counting-Based Attack Against Tor. [online]. Networking, IEEE/ACM Transactions on, 20 (4), 1245-1261. Article from IEEEXplore last accessed 09 March 2014 at: http://ieeexplore.ieee.org.lcproxy.shu.ac.uk/xpls/icp.jsp?arnumber=6132443

[online]. Last accessed 10 February 2014 at: http://nmap.org/

NSA (2012). Tor Stinks. [online]. Last accessed 31 March 2014 at: http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

OATES, Briony (2006). In: Researching Information Systems and Computing. p.35.

[online]. Last accessed 12 March 2014 at: https://www.paterva.com/web6/products/maltego.php

[online]. Last accessed 7 February 2014 at: http://proxy.org/

[online]. Last accessed 31 March 2014 at: http://sourceforge.net/projects/adhd/

ROSCHKE, Sebastian, CHENG, Feng and MEINEL, Christoph (2011). BALG: Bypassing Application Layer Gateways using multi-staged encrypted shellcodes. [online]. Integrated Network Management (IM), 2011 IFIP/IEEE International Symposium on, 399-406. Article from IEEEXplore last accessed 10 March 2014 at: http://ieeexplore.ieee.org.lcproxy.shu.ac.uk/xpls/icp.jsp?arnumber=5990539

SCHNEIER, Bruce (2005). Cryptanalysis of SHA-1. [online]. Last accessed 6 February 2014 at: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

[online]. Last accessed 10 February 2014 at: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

SINTSOV, Alexey Honeypot that can bite: Reverse penetration. [online]. In: Russian Defcon Group #7812, at: https://media.blackhat.com/eu-13/briefings/Sintsov/bh-eu-13-honeypot-sintsov-wp.pdf

SYMANTEC (2013). Norton Report. [online]. Last accessed 6 February 2014 at: http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=norton-report-2013

[online]. Last accessed 13 March 2014 at: https://www.thc.org/thc-hydra/

[online]. Last accessed 7 February 2014 at: https://trac.torproject.org/projects/tor/wiki/doc/Preventing_Tor_DNS_Leaks

[online]. Last accessed 7 February 2014 at: https://www.torproject.org/about/overview.html.en

[online]. Last accessed 7 February 2014 at: http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition/

Bibliography

[online]. Last accessed 14 February 2014 at: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

[online]. Last accessed 14 February 2014 at: http://thehackernews.com/2013/09/nsa-bought-hacking-tools-from-vupen.html

[online]. Last accessed 14 February 2014 at: https://www.muckrock.com/foi/united-states-of-america-10/vupen-contracts-with-nsa-6593/#815069-appeal-acknowledgement

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/1727608/how-do-i-get-hardware-information-on-linux-unix


[online]. Last accessed 14 February 2014 at: http://taufanlubis.wordpress.com/2007/10/09/check-your-hardware-information-using-hwinfo-in-ubuntu/

[online]. Last accessed 14 February 2014 at: http://curl.haxx.se/libcurl/c/example.html

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/4704073/how-can-i-get-system-hardware-info-via-java

[online]. Last accessed 14 February 2014 at: http://www.hyperic.com/products/sigar

[online]. Last accessed 14 February 2014 at: http://code.dblock.org/introducing-oshi-operating-system-and-hardware-information-java

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/3253701/c-sharp-get-public-external-ip-address

[online]. Last accessed 14 February 2014 at: http://msdn.microsoft.com/en-us/library/aa288453(v=vs.71).aspx


[online]. Last accessed 14 February 2014 at: http://msdn.microsoft.com/en-us/library/8bh11f1k.aspx

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/8255533/how-to-add-new-line-into-txt-file

[online]. Last accessed 27 February 2014 at: http://stackoverflow.com/questions/1270584/how-to-generate-a-random-named-text-file-in-c

[online]. Last accessed 27 February 2014 at: https://filezilla-project.org/

[online]. Last accessed 27 February 2014 at: https://www.honeynet.org/project

[online]. Last accessed 27 February 2014 at: https://www.torproject.org/docs/tor-doc-windows

[online]. Last accessed 27 February 2014 at: http://www.proxifier.com/

[online]. Last accessed 27 March 2014 at: http://www.functionx.com/vcsharp/topics/msgboxes.htm

Appendices

Appendix A

Project Specification

SHEFFIELD HALLAM UNIVERSITY
DEPARTMENT OF COMPUTING
BSc Computer and Information Security (Final Year)

PROJECT DEFINITION

Student: Simon Davies
Date: 22/10/2013
Supervisor: Dr David Day
Level of Project: BSc Computer and Information Security
Title of Project: Windows Application to help identify malicious internet users
Type of Project: Application based

ELABORATION

One of the hardest tasks faced by a computer security professional dealing with an attempted or successful break-in to a company's computer infrastructure is tracing the malicious party in order to identify them.

Because of anonymising services such as proxy servers, VPNs (Virtual Private Networks), Tor and I2P, a computer security professional reading through the firewall logs of a company that has fallen victim to an attempted or successful break-in is highly likely to obtain only the IP addresses of the machines the malicious party used as cover.


In order for a computer security professional to successfully identify the malicious party, the MAC address, Windows hostname and external IP address of the machine the attack is being orchestrated from must be obtained.

My project makes the assumption that a honeypot is already set up disguised as a legitimate company server. The honeypot will be intentionally insecure luring malicious parties to break in to it.

I will program a small application which will obtain the MAC address, Windows hostname and external IP address of the machine it is run on, store this data in a text file and then finally send the file back to the honeypot. The application will be disguised as something of value to the malicious party in order for them to download it to their own machine and execute it. Once run, the application will circumvent any anonymising services and allow successful identification.

Successfully identifying malicious parties is very important in my area of study as it allows a computer security professional to stop the person orchestrating attacks, instead of constantly patching new holes the attacker finds in a company’s computer infrastructure.

PROJECT ETHICS

Due to the laws which govern computing in the UK, I will be carrying out my project using virtual, non-public-facing machines in order to test the functionality of my application. I will not be creating a real-life scenario, as running code without authorisation on someone else's machine is illegal under UK law.

PROJECT OBJECTIVES

The student is required to:

Carry out research into which programming languages could be used to create the Windows application. Explain the pros and cons of each language researched.

Design the Windows application.

Build the Windows application.

Test the Windows application.

Evaluate the Windows application.

Explain the potential use of the Windows application to a computer security professional contracted by a company.

Produce a report.

PROJECT DELIVERABLE


The deliverable of this project will be a Windows application which can be used by a computer security professional contracted by a company to identify malicious parties that have attempted or succeeded in breaking into its computer infrastructure.

TASK PLAN

Task 1: Research into whether it is best to program the application in C++, C# or VB. (Milestone: 1st Nov)

Task 2: Break the application down into steps of completion: 1. Obtain the MAC address, Windows hostname and external IP address; 2. Write the acquired information to a file; 3. Send the file back to the honeypot. (Milestone: 10th Nov)

Task 3: Program the Windows application using Visual Studio. (Milestone: 10th Jan)

Task 4: Make sure the Windows application successfully gathers all of the information needed to identify the malicious party by setting up a virtual, non-public-facing environment. (Milestone: 10th Feb)

Task 5: Explain how a computer security professional could utilise the Windows application by placing it on a honeypot to trick malicious parties into downloading and executing it on their machine. (Milestone: 20th Feb)

Task 6: Suggest ways in which the Windows application could be improved upon to target a larger number of malicious parties, i.e. those using Linux to orchestrate the attack from. (Milestone: 1st Mar)

Task 7: Produce the report upon project completion. (Milestone: 10th Mar)

ETHICS CHECKLIST

Human participants

1. Does the project involve human participants? This includes surveys, questionnaires, observing behaviour, testing etc. If YES, then please answer questions 2 to 5. If NO, please go to question 6.
Answer: No

2. Will any of the participants be vulnerable? 'Vulnerable' means those who may not fully understand the research, or the consequences of taking part. They include: children (i.e. under 18); people with learning disabilities; people with physical disabilities (visible or not); people who may be limited by age or illness. If YES, then please answer question 2a. If NO, please go to question 3.

2a. Will you ever be alone (i.e. not overseen) with any vulnerable participants during the course of the research? If YES, then please answer question 2b. If NO, please go to question 2c.

2b. If you will be alone (i.e. not overseen) with any vulnerable participants during the course of the research, do you need to apply for a Disclosure and Barring Service (DBS) check (previously known as a Criminal Records Bureau (CRB) check)?
Note: If you need a DBS check, you may be liable for the cost of the application. More details regarding DBS checks can be found at https://www.gov.uk/disclosure-barring-service-check/overview.

2c. If you will NOT be alone (i.e. you will be overseen) with any vulnerable participants during the course of the research, does your overseer have a DBS check?
Note: If your overseer does NOT have a DBS check, you may need to apply for a DBS check yourself. You may be liable for the cost of the DBS application. More details regarding DBS checks can be found at https://www.gov.uk/disclosure-barring-service-check/overview.

3. Will any participants be at risk of any physical or emotional harm by taking part in your project?
Note: Harm may be caused by distressing or intrusive interview questions; uncomfortable procedures involving the participant; invasion of privacy; topics relating to highly personal information; topics relating to illegal activity, etc.

4. Will anyone be taking part without giving their informed consent? (e.g. research involving covert study, coercion of subjects, or where subjects have not fully understood the research etc.)

5. Will any part of the project allow the identification of any individual who has not given their express consent to be identified?

Note: If you answered YES to any of questions 2 to 5, then you MUST address these ethical issues in your Project Specification, ensure that you take all reasonable steps to avoid/mitigate these issues during the execution of your project, and explain your actions in your Critical Reflection.

Other participants

6. Does the project involve the use of live animals?
Note: If you answered YES to question 6, then the project proposal must be submitted to the FREC for approval unless it falls into a category/programme of research that has already received category approval.
Answer: No

7. Does the project involve the NHS? For NHS research, this includes: any service evaluation work; work concerning NHS patients (tissues, organs, personal information or data); NHS staff, volunteers, or carers; NHS premises or facilities.
Note: If you answered YES to question 7, then your project proposal MUST be submitted to the Project Module Ethics Committee for review, and may be referred to the Faculty Research Ethics Committee and/or to an NHS Research Ethics Committee. For further details on the NHS National Research Ethics Service, please refer to http://www.nres.nhs.uk/applications/faq/before-applying/#FAQsBeforeApplyingStudent
Answer: No

8. Does the project require approval from any other external ethics committee?
Note: If you answered YES to question 8, then the project proposal must be submitted to the relevant external body. For further advice, please contact the Faculty Research Ethics Committee.
Answer: No

Organisations

9. Will the project involve working with or within an organisation? 'Organisation' includes (but is not limited to): business; charity; museum; government department; international agency; sports/social club; volunteer organisation.
Answer: No

10. If you answered YES to question 9, do you have granted access (permission) to conduct the project?
Note: If YES, please show evidence to your supervisor and include this evidence in the Appendix of your Final Report.
Answer: N/A

11. If you answered NO to question 10, is it because: A. you have not yet asked; B. you have asked and not yet received an answer; C. you have asked and been refused access.
Note: You will only be able to start this aspect of the project when you have been granted access/permission.
Answer: N/A

12. Will covert research be part of the project? 'Covert research' refers to research that is conducted without the knowledge of participants.
Note: If you answered YES to question 12, then your project proposal MUST be submitted to the Project Module Ethics Committee for review, and may be referred to the Faculty Research Ethics Committee.
Answer: No

Products and artefacts

13. Will the project involve using (e.g. citing / quoting / copying) copyrighted materials? Copyrighted materials include (but are not limited to): books / e-books; journals; websites; newspaper/magazine articles; films / broadcasts; photographs, artworks, images, diagrams; designs, products; computer programmes, code, databases; networks; processes. If YES, please go to question 14. If NO, please read the declaration at the end of the checklist.
Answer: Yes

14. Are the copyrighted materials you intend to use (citing / quoting / copying) in the public domain?
Note: 'In the public domain' does not mean the same thing as 'publicly accessible'. Information which is 'in the public domain' is no longer protected by copyright (i.e. copyright has either expired or been waived) and can be used without permission. Information which is 'publicly accessible' (e.g. TV broadcasts, websites, artworks, newspapers) is available for anyone to consult/view. It is still protected by copyright even if there is no copyright notice. In UK law, copyright protection is automatic and does not require a copyright statement, although it is always good practice to provide one. It is necessary to check the terms and conditions of use to find out exactly how the material may be reused etc.
If YES, please read the declaration at the end of the checklist. If NO, please go to question 15.
Answer: Yes

15. Will the project involve copying/reproducing copyrighted materials? 'Copying/reproducing' includes making physical copies (i.e. photocopies) and electronic copies (i.e. cutting-and-pasting, scanning, saving as separate files). It does not include citations and quotes with appropriate references. If YES, please go to question 15a. If NO, please go to question 16.
Answer: No

15a. Will you be copying more than 5% (or one chapter) of an individual source?
Note: You are allowed to copy/reproduce up to 5% of a source (or one chapter) for your own personal research usage without explicit permission. Please see "Copyright - guidance for SHU Staff and Students" for further information.

16. Do you have permission to use the copyrighted materials under the "Exam Defence"?
Note: If you are copying less than 5% (or one chapter) or citing/quoting the copyrighted material, you have permission to use the copyrighted material under the "Exam Defence". Please see "Copyright - guidance for SHU Staff and Students" for further information. If YES, please read the declaration at the end of the checklist. If NO, please go to question 17.
Answer: Yes

17. Do you have explicit permission to use the copyrighted materials? If YES, please show any explicit evidence to your supervisor and include it in the Appendix of your Final Report, then read the declaration at the end of the checklist. If NO, please go to question 18.

18. If you do not have explicit permission, is it because: A. you have not yet asked permission; B. you have asked and not yet received an answer; C. you have asked and been refused access.
Note: You will not be allowed to use the copyrighted material until you have been granted permission to use it.

Adherence to SHU policy & procedures

Declaration

I can confirm that I have read the Sheffield Hallam University Research Ethics Policy (available at https://staff.shu.ac.uk/enterprise/research/Documents/Research%20Ethics%20Policy.pdf) and I agree to abide by its principles.

Appendix B

[online]. Last accessed 14 February 2014 at: http://www.codeproject.com/Articles/28678/Generating-Unique-Key-Finger-Print-for-a-Computer

Code:

using System;
using System.Management;
using System.Security.Cryptography;
using System.Text;

namespace Security
{
    /// <summary>
    /// Generates a 16 byte unique identification code for a computer from WMI hardware properties.
    /// Example: 4876-8DB5-EE85-69D3-FE52-8CF7-395D-2EA9
    /// Requires a reference to System.Management.dll.
    /// </summary>
    public class FingerPrint
    {
        private static string fingerPrint = string.Empty;

        public static string Value()
        {
            if (string.IsNullOrEmpty(fingerPrint))
            {
                fingerPrint = GetHash("CPU >> " + cpuId() + "\nBIOS >> " + biosId()
                    + "\nBASE >> " + baseId()
                    //+ "\nDISK >> " + diskId()
                    + "\nVIDEO >> " + videoId()
                    + "\nMAC >> " + macId());
            }
            return fingerPrint;
        }

        // MD5 is used only to reduce the concatenated WMI strings to a fixed-length
        // identifier; nothing here relies on it being collision resistant.
        private static string GetHash(string s)
        {
            using (MD5 sec = new MD5CryptoServiceProvider())
            {
                ASCIIEncoding enc = new ASCIIEncoding();
                byte[] bt = enc.GetBytes(s);
                return GetHexString(sec.ComputeHash(bt));
            }
        }

        // Upper-case hex, with a dash after every second byte.
        private static string GetHexString(byte[] bt)
        {
            string s = string.Empty;
            for (int i = 0; i < bt.Length; i++)
            {
                byte b = bt[i];
                int n, n1, n2;
                n = (int)b;
                n1 = n & 15;
                n2 = (n >> 4) & 15;
                if (n2 > 9)
                    s += ((char)(n2 - 10 + (int)'A')).ToString();
                else
                    s += n2.ToString();
                if (n1 > 9)
                    s += ((char)(n1 - 10 + (int)'A')).ToString();
                else
                    s += n1.ToString();
                if ((i + 1) != bt.Length && (i + 1) % 2 == 0)
                    s += "-";
            }
            return s;
        }

        #region Original Device ID Getting Code
        // Return a hardware identifier from the first WMI instance whose
        // wmiMustBeTrue property is "True" (e.g. IPEnabled for network adapters).
        private static string identifier(string wmiClass, string wmiProperty, string wmiMustBeTrue)
        {
            string result = "";
            ManagementClass mc = new ManagementClass(wmiClass);
            ManagementObjectCollection moc = mc.GetInstances();
            foreach (ManagementObject mo in moc)
            {
                if (mo[wmiMustBeTrue].ToString() == "True")
                {
                    //Only get the first one
                    if (result == "")
                    {
                        try
                        {
                            result = mo[wmiProperty].ToString();
                            break;
                        }
                        catch
                        {
                            // Property missing or null on this instance; try the next one
                        }
                    }
                }
            }
            return result;
        }

        // Return a hardware identifier from the first WMI instance of the class.
        private static string identifier(string wmiClass, string wmiProperty)
        {
            string result = "";
            ManagementClass mc = new ManagementClass(wmiClass);
            ManagementObjectCollection moc = mc.GetInstances();
            foreach (ManagementObject mo in moc)
            {
                //Only get the first one
                if (result == "")
                {
                    try
                    {
                        result = mo[wmiProperty].ToString();
                        break;
                    }
                    catch
                    {
                        // Property missing or null on this instance; try the next one
                    }
                }
            }
            return result;
        }

        private static string cpuId()
        {
            //Uses first CPU identifier available in order of preference
            //Don't get all identifiers, as it is very time consuming
            string retVal = identifier("Win32_Processor", "UniqueId");
            if (retVal == "") //If no UniqueID, use ProcessorID
            {
                retVal = identifier("Win32_Processor", "ProcessorId");
                if (retVal == "") //If no ProcessorId, use Name
                {
                    retVal = identifier("Win32_Processor", "Name");
                    if (retVal == "") //If no Name, use Manufacturer
                    {
                        retVal = identifier("Win32_Processor", "Manufacturer");
                    }
                    //Add clock speed for extra security
                    retVal += identifier("Win32_Processor", "MaxClockSpeed");
                }
            }
            return retVal;
        }

        //BIOS Identifier
        private static string biosId()
        {
            return identifier("Win32_BIOS", "Manufacturer")
                + identifier("Win32_BIOS", "SMBIOSBIOSVersion")
                + identifier("Win32_BIOS", "IdentificationCode")
                + identifier("Win32_BIOS", "SerialNumber")
                + identifier("Win32_BIOS", "ReleaseDate")
                + identifier("Win32_BIOS", "Version");
        }

        //Main physical hard drive ID
        private static string diskId()
        {
            return identifier("Win32_DiskDrive", "Model")
                + identifier("Win32_DiskDrive", "Manufacturer")
                + identifier("Win32_DiskDrive", "Signature")
                + identifier("Win32_DiskDrive", "TotalHeads");
        }

        //Motherboard ID
        private static string baseId()
        {
            return identifier("Win32_BaseBoard", "Model")
                + identifier("Win32_BaseBoard", "Manufacturer")
                + identifier("Win32_BaseBoard", "Name")
                + identifier("Win32_BaseBoard", "SerialNumber");
        }

        //Primary video controller ID
        private static string videoId()
        {
            return identifier("Win32_VideoController", "DriverVersion")
                + identifier("Win32_VideoController", "Name");
        }

        //First enabled network card ID
        private static string macId()
        {
            return identifier("Win32_NetworkAdapterConfiguration", "MACAddress", "IPEnabled");
        }
        #endregion
    }
}

Appendix C

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/662282/how-do-i-get-the-local-machine-name

Code:

// Hostname of the local machine as configured in Windows.
string name = System.Net.Dns.GetHostName();

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/1069103/how-to-get-my-own-ip-address-in-c

Code:

using System.Net;

// Ask an external service which address it sees the request coming from.
// The response body is the address followed by a newline, hence Trim().
// If this request itself travels through the attacker's proxy or VPN, the
// value returned is the proxy's address, not the attacker's.
string ipAddress = new WebClient().DownloadString("http://icanhazip.com").Trim();
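The lookup above only yields the attacker's real address if the request itself leaves the machine directly rather than through the anonymising service. The following is an added example, not code from the original project: it performs the same lookup but forces a direct connection and reports whether the proxy configured in Windows' Internet settings (the usual way an HTTP/SOCKS proxy or Tor's local proxy is set up) would otherwise have carried the request. The WebClient and WebRequest calls are standard .NET; icanhazip.com is the service the appendix already uses.

```csharp
using System;
using System.Net;

// Added example, not code from the original project.
public static class ExternalAddress
{
    // The same plain-text lookup service the appendix uses.
    private static readonly Uri LookupUri = new Uri("http://icanhazip.com");

    // True if the proxy configured in Windows' Internet settings would carry
    // a request to this target.
    public static bool WillUseSystemProxy(Uri target)
    {
        IWebProxy proxy = WebRequest.GetSystemWebProxy();
        if (proxy.IsBypassed(target))
            return false;
        // GetProxy returns the destination itself when no proxy applies.
        return proxy.GetProxy(target) != target;
    }

    // Returns the address the lookup service sees and reports whether a system
    // proxy was configured for the request. Proxy = null forces a direct
    // connection, so the value is the machine's real egress address unless
    // traffic is redirected below the .NET stack (a Winsock-level redirector
    // such as Proxifier, or a VPN that owns the default route); those cases
    // are not detected here.
    public static string Fetch(out bool systemProxyConfigured)
    {
        systemProxyConfigured = WillUseSystemProxy(LookupUri);
        using (var client = new WebClient())
        {
            client.Proxy = null;
            return client.DownloadString(LookupUri).Trim();
        }
    }

    // Usage:
    //   bool proxied;
    //   string ip = ExternalAddress.Fetch(out proxied);
    //   if (proxied) { /* record that the host had a proxy configured */ }
}
```

Recording the proxy flag alongside the address lets the honeypot operator judge whether the reported address is worth anything: a host with a system proxy configured was probably pushing its other traffic through the anonymiser, and the direct lookup then reveals what the proxy was hiding.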

Appendix D

[online]. Last accessed 14 February 2014 at: http://stackoverflow.com/questions/850650/reliable-method-to-get-machines-mac-address-in-c-sharp

Code:

using System.Collections.Generic;
using System.Linq;
using System.Management;

public static string GetMACAddress()
{
    // Only adapters that currently have IP bound; the one with the lowest
    // connection metric is the adapter Windows prefers for outbound traffic.
    // If a VPN's virtual adapter (e.g. a TAP adapter) holds the lowest metric,
    // this returns that adapter's MAC rather than the physical card's.
    ManagementObjectSearcher searcher = new ManagementObjectSearcher(
        "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE");
    IEnumerable<ManagementObject> objects = searcher.Get().Cast<ManagementObject>();
    string mac = (from o in objects
                  orderby o["IPConnectionMetric"]
                  select o["MACAddress"].ToString()).FirstOrDefault();
    return mac;
}

Appendix E

[online]. Last accessed 27 February 2014 at: http://danashurst.com/uploading-a-file-via-ftp-c/

Code:

using System;
using System.IO;
using System.Net;

/// <summary>
/// Simple static class for uploading a file to an FTP server.
/// </summary>
public static class fileUpload
{
    public static string uploadFile(string file)
    {
        // Get the object used to communicate with the server.
        FtpWebRequest request = (FtpWebRequest)WebRequest.Create("ftp://www.mywebserver.com/myfile.txt");
        request.Method = WebRequestMethods.Ftp.UploadFile;

        // The account used for the upload (for anonymous logon the server
        // would instead be given new NetworkCredential("anonymous", "")).
        request.Credentials = new NetworkCredential("username", "password");

        // Copy the entire contents of the file to the request as raw bytes,
        // so the upload is byte-for-byte identical whatever the file's encoding.
        byte[] fileContents = File.ReadAllBytes(file);
        request.ContentLength = fileContents.Length;

        // Upload the file contents to the server.
        using (Stream requestStream = request.GetRequestStream())
        {
            requestStream.Write(fileContents, 0, fileContents.Length);
        }

        // Get the response from the FTP server, close the connection and
        // return the status of the upload.
        using (FtpWebResponse response = (FtpWebResponse)request.GetResponse())
        {
            return response.StatusDescription;
        }
    }
}

Basic Usage:

fileUpload.uploadFile("myfile.txt");

[online]. Last accessed 26 March 2014 at: http://msdn.microsoft.com/en-us/library/system.net.ftpwebrequest.enablessl%28v=vs.110%29.aspx

Code:

// Negotiate TLS on the control channel (explicit FTPS, AUTH TLS) before the
// credentials and the file are sent.
request.EnableSsl = true;

[online]. Last accessed 26 March 2014 at: http://weblog.west-wind.com/posts/2011/Feb/11/HttpWebRequest-and-Ignoring-SSL-Certificate-Errors

Code:

// WARNING: this accepts every certificate, including one presented by an
// interceptor between the client and the honeypot, so the FTPS session can be
// read or altered in transit. It is acceptable only against a test server.
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
    delegate(object sender,
             System.Security.Cryptography.X509Certificates.X509Certificate certificate,
             System.Security.Cryptography.X509Certificates.X509Chain chain,
             System.Net.Security.SslPolicyErrors sslPolicyErrors)
    {
        return true; // **** Always accept
    };
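Returning true from the callback defeats the point of enabling TLS: anyone able to sit between the machine and the honeypot can present their own certificate and read or replace the upload. The block below is an added example, not code from the original project. It keeps a self-signed honeypot certificate usable but accepts only that one certificate, identified by its SHA-1 thumbprint. The thumbprint value is a placeholder to be replaced with the real one; ServicePointManager and X509Certificate2 are standard .NET.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original project: pin the honeypot's
// certificate instead of accepting every certificate.
public static class PinnedCertificate
{
    // Placeholder (assumed, not a real value): replace with the SHA-1 thumbprint
    // of the honeypot's FTPS certificate, 40 hex digits as shown in the Windows
    // certificate dialog or by "certutil -dump server.cer".
    private const string HoneypotThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Returns true only when the presented leaf certificate matches the pin.
    // The chain and sslPolicyErrors are deliberately ignored: a self-signed
    // honeypot certificate always fails chain validation, and matching the
    // exact certificate is a stronger check than chain validation anyway.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (certificate == null)
            return false;
        string presented = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(presented, HoneypotThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Install the pin process-wide before the first FtpWebRequest with EnableSsl = true.
    // Assignment (not +=) replaces any earlier "always accept" handler.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

Call PinnedCertificate.Install() once at startup in place of the always-accept delegate. When the honeypot's certificate is renewed the constant must be updated and the application rebuilt, which is the price of pinning a leaf certificate; pinning the public key instead would survive renewal but is more code than this appendix warrants.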

Appendix F

[online]. Last accessed 26 March 2014 at: http://kyrathaba.dcmembers.com/flatpress/index.php/2011/08/16/c-tutorial-securely-wipe-a-file-using-c/

Code:

using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;

// Overwrites the file in place with random data before deleting it. Note that
// in-place overwriting does not guarantee the old contents are gone on SSDs
// (wear levelling writes the new data elsewhere) or where NTFS journaling or
// Volume Shadow Copy has kept an earlier copy of the file.
private void secureFileWipe(string origFile)
{
    if (File.Exists(origFile))
    {
        try
        {
            File.SetAttributes(origFile, FileAttributes.Normal);
            double sectors = Math.Ceiling(new FileInfo(origFile).Length / 512.0);
            byte[] dummyBuffer = new byte[512];
            using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
            using (FileStream inputStream = new FileStream(origFile, FileMode.Open))
            {
                inputStream.Position = 0;
                // Overwrite every 512-byte sector of the file with random bytes.
                for (int sectorsWritten = 0; sectorsWritten < sectors; sectorsWritten++)
                {
                    rng.GetBytes(dummyBuffer);
                    inputStream.Write(dummyBuffer, 0, dummyBuffer.Length);
                }
                inputStream.SetLength(0);
            }
            // Replace the file's timestamps before deleting it.
            DateTime dt = new DateTime(2037, 1, 1, 0, 0, 0);
            File.SetCreationTime(origFile, dt);
            File.SetLastAccessTime(origFile, dt);
            File.SetLastWriteTime(origFile, dt);
            File.SetCreationTimeUtc(origFile, dt);
            File.SetLastAccessTimeUtc(origFile, dt);
            File.SetLastWriteTimeUtc(origFile, dt);
            File.Delete(origFile); // Finally, delete the file
            Debug.WriteLine("Successfully securely deleted file '" + Path.GetFileName(origFile) + "'");
        }
        catch (Exception ex)
        {
            Debug.WriteLine(ex.Message, "Error securely deleting file");
        }
    }
}

Appendix G

[online]. Last accessed 02 March 2014 at: http://www.mindstick.com/Articles/5417e13e-b0c5-424b-9495-b0a436baf5bb/?Kill%20a%20Process%20in%20C

Code:

using System.Diagnostics;

namespace AllreadyRunningProcess
{
    class Program
    {
        static void Main(string[] args)
        {
            // Store all running processes in the system
            Process[] runningProcesses = Process.GetProcesses();
            for (int i = 0; i < runningProcesses.Length; i++)
            {
                // Compare processes by their name (ProcessName has no ".exe" suffix)
                if (runningProcesses[i].ProcessName == "mspaint")
                {
                    // Kill the running process. Kill() throws if the process has
                    // already exited or if this account lacks rights over it.
                    runningProcesses[i].Kill();
                }
            }
        }
    }
}
