
Page 1: Cyber Crimes and Internet Security

Cyber Crimes and Internet Security

G. Sivakumar

Computer Science and Engineering, Indian Institute of Technology Bombay (IIT Bombay)

[email protected]

April 29, 2016

• The Good (Web 3.0, 3rd Platform, Emerging Trends)

• The Bad (Security: sine qua non! Threats, Vulnerabilities)

• The Ugly (Tools for Defence, Offence)

Page 2: Cyber Crimes and Internet Security

Blind men and the Elephant - अन्धगजन्यायः (andha-gaja-nyaya, the Sanskrit maxim of the blind men and the elephant)

Page 3: Cyber Crimes and Internet Security

Takeaways from Talk

• Web 3.0, 3rd platform (SMAC + IoT).
• Recent attacks, vulnerabilities, defence mechanisms.
• Different perspectives:
  • Researcher (protocol security, formal methods)
  • Defender (IIT Bombay case study: iptables/Netfilter firewall, OSSIM)
  • Attacker (Metasploit Framework)
  • Investigator (forensics using Autopsy, Wireshark, SiLK (netflow))

Page 4: Cyber Crimes and Internet Security

पूर्वपक्ष (Purva Paksha, the case to be answered) for Web 3.0

Web 1.0 may have democratized access to information, but it is like drinking water from a fire hose! Search engines provide partial solutions, but cannot combine, categorize and infer.

Web 2.0 may have granted the right to assembly/collaboration, but it

• Proliferated unreliable, contradictory information.

• Facilitated malicious uses, including loss of privacy and security.

What do you want from Web 3.0? What do you want to see/hear when you wake up? I have a dream ... AI meets the web!

Page 5: Cyber Crimes and Internet Security

Semantic Web: the application layer tapping the hardware (Web 1.0) and OS (Web 2.0)?

Figure: example knowledge graph. Ramana Maharishi, author of Naan Yaar?, Aksharamanamalai, Vichara Mani Mala and Reality in Forty Verses; contemporaries Kanchi Chandrasekara Saraswathi and Jiddu Krishnamurti; place Tiruvannamalai, Tamil Nadu; lived 30/12/1879 to 14/4/1950.

Combined, categorized information inferred from various sites and languages. www.dbpedia.org comes close today!

Page 6: Cyber Crimes and Internet Security

Revival of AI

• Statistical machine learning (unsupervised)

• Deep learning (structured learning, hierarchical learning or deep machine learning) models high-level abstractions in data by using multiple processing layers, with complex structures or otherwise, composed of multiple non-linear transformations.

• sens.ai: connects to public, premium and proprietary unstructured and semi-structured data sets so that non-obvious patterns related to money laundering and related suspicious activities can be identified, analyzed and reported.

• Bots (not botnets): Microsoft's experimental Mandarin-language bot, Xiaoice, is a huge hit in China! (What bots do professors use?)

• Algorithmic personality detection: predict financial risk from your Facebook, Twitter, ... activity.

Page 7: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT

Figure: the 3rd Platform = Social, Mobile, Analytics, Cloud, Internet of Things.

• Mainframe (1960s ...)

• Client/Server (1990s ...)

• Today (handheld, pervasive computing)

Page 8: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT (Social)

• WhatsApp (how many engineers?)

• Facebook, Twitter, Google Plus ...

• Web 2.0 (right to assembly)

• Crowdsourcing (Wikipedia)

• Crowdfunding (no banks!)

Page 9: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT (Mobile)

• Phone (smart, not-so-smart!)

• Wearables! (Google Glass, haptic)

• Internet of "Me" (highly personalized) business (no generic products!)

• BYOx: device security, app/content management nightmare.

• Data Loss Prevention (the fortress approach - firewall, IDS/IPS - won't work!)

Page 10: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT (Analytics)

• Big Data

• Volume, Variety, Velocity, Veracity

• ACID database properties not always needed

• Hadoop, MapReduce, NoSQL

• Knowledge is power!

• Collect, analyse, infer, predict

Page 11: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT (Cloud)

• Moore's law

• What could fit in a building ... room ... pocket ... blood cell!

• Containers: analogy from shipping

• VMs separate the OS from bare metal (at great cost: hypervisor, OS image)

• Docker separates apps from OS/infra using containers.

• Like IaaS, PaaS, SaaS. Have you heard of CaaS (Containers as a Service)?

Page 12: Cyber Crimes and Internet Security

3rd platform: SMAC + IoT (Internet of Things)

• Sensors (location, temperature, motion, sound, vibration, pressure, current, ...)

• Device ecosystem (smartphones communicate with so many servers!)

• Ambient services (maps, messaging, traffic modelling and prediction, ...)

• Business use cases (Ola Cabs, Home Depot, Philips Healthcare, ...)

• Impact on wireless bandwidth, storage, analytics (velocity of BIG data, not size)

Page 13: Cyber Crimes and Internet Security

What are Cyber Crimes?

Cybercrime: activity in which computers or networks are a tool, a target, or a place of criminal activity. (Categories not exclusive.)

• Against people
  • Cyber stalking and harassment
  • (Child) pornography
  • Phishing, identity theft, Nigerian 419

• Against property
  • Cracking, viruses and spam
  • Software/entertainment piracy
  • Trade secrets, espionage

• Cyber terrorism!
• Hacktivism! (in some countries!)
• Information warfare

Page 14: Cyber Crimes and Internet Security

Some Examples: food for thought...

• Recent examples later ...
• Vikram Buddhi, Assange, Snowden, Panama Papers
• Stuxnet

  Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities. Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

• Flame (Iran oil terminals, 2012)
• DarkSeoul

Check out Wikipedia for more.

Page 15: Cyber Crimes and Internet Security

What's Bad about Computers and the Internet?

• "Can't live with them, can't live without them!"
• Know your enemy (threats/vulnerabilities)

Can cyber/internet crimes cause events like the following?

• July 2006 Mumbai rains
• 26/11 attack on Mumbai
• Gulf of Mexico oil spill
• Mangalore air crash
• Stop all Mumbai local trains
• Damage BARC nuclear reactor
• Disrupt all Mumbai mobile phones? (Prof. Jhunjhunwala's example)
• How to protect Critical National Infrastructure?
  • Passive defence
  • Counter intelligence (technical side)

• Demo from atlas.arbor.net and cert-in.org.in

Your questions/suggestions now will be invaluable!

Page 16: Cyber Crimes and Internet Security

Operation C-Major

Trend Micro report (Apr 2016) with all details available at http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf

"The Trend Micro Forward-Looking Threat Research team recently uncovered an information theft campaign in India that has stolen passport scans, photo IDs, and tax information of high-ranking Indian military officers, non-Indian military attachés based in the said country, among others."

Page 17: Cyber Crimes and Internet Security

Major Incidents in 2015

From www.wired.com/2015/12/the-years-11-biggest-hacks-from-ashley-madison-to-opm

• Office of Personnel Management (OPM): 21 million records, including fingerprint files of government employees.

• Juniper NetScreen firewalls: a hardcoded backdoor password, and a hole in the Dual_EC_DRBG-based encryption. (Compare the Apple/FBI dispute now.)

• Ashley Madison: online partner site; payment/transaction data exposed many to blackmail.

• Gemalto: Dutch SIM card manufacturer.

• Kaspersky Lab: stole research on how to bypass

• Hacking Team: "white hats" whose tools were used to bug activists in Morocco, the UAE and Syria.

Page 18: Cyber Crimes and Internet Security

Major Incidents in 2015 (ctd.)

• CIA Director John Brennan: socially phished for his personal details; his AOL email was then hacked and sensitive data obtained.

• Experian / T-Mobile customers: personal information of 15 million applicants, collected for credit checks.

• LastPass: easy to store passwords under one master key = hacked!

• IRS: 1 lakh (100,000) returns accessed.

• Anthem: health care records.

Even more recent

• Locky (ransomware)

• Mazar Bot (Android malware)

• Whose side are you on? ... Why?

Page 19: Cyber Crimes and Internet Security

Big Bong Theory

• Korean banking malware
• Detailed report at www.arbornetworks.com (ASERT)
• Patiently waits for the opportunity to strike!

Page 20: Cyber Crimes and Internet Security

Security Concerns

Match the following!

  Problems                       Attackers
  -----------------------------  -------------------------------------
  Highly contagious viruses      Unintended blunders
  Defacing web pages             Disgruntled employees or customers
  Credit card number theft       Organized crime
  On-line scams                  Foreign espionage agents
  Intellectual property theft    Hackers driven by technical challenge
  Wiping out data                Petty criminals
  Denial of service              Organized terror groups
  Spam e-mails                   Information warfare
  Reading private files          ...
  Surveillance                   ...

• Crackers vs. Hackers
• Note how many resources are available to attackers.

Pages 21-24: Cyber Crimes and Internet Security

Atlas.arbor.net (screenshots)

Page 25: Cyber Crimes and Internet Security

Real-time Intelligence: atlas.arbor.net (screenshot)

Page 26: Cyber Crimes and Internet Security

Who is scanning? (screenshot)

Page 27: Cyber Crimes and Internet Security

Who is hosting phishing sites? (screenshot)

Page 28: Cyber Crimes and Internet Security

Malicious Servers (screenshot)

Pages 29-32: Cyber Crimes and Internet Security

cert-in.org.in (screenshots)

Page 33: Cyber Crimes and Internet Security

Vulnerabilities

• Application security
  • Buggy code
  • Buffer overflows

• Host security
  • Server side (multi-user/application)
  • Client side (virus)

• Transmission security

Figure: network security between A and B with attacker C, one diagram per goal: Secrecy; Integrity (modification, fabrication); Availability (denial of service attack).

Page 34: Cyber Crimes and Internet Security

What is a Computer Network?

TWO or MORE COMPUTERS sharing a LINK!

• Point-to-point
• Shared media (LAN)

Page 35: Cyber Crimes and Internet Security

So, what's the Internet?

• A bottom-up collection (interconnection) of networks
• TCP/IP is the only common factor
• Bureaucracy-free, reliable, cheap
• Decentralized, democratic, chaotic
• Internet Society (www.isoc.org)
• Internet Engineering Task Force (www.ietf.org)

Page 36: Cyber Crimes and Internet Security

Why is the Internet Vulnerable?

Quick overview of how the Internet works: connectionless, best-effort datagram routing through the Internet. Analogy with postcards.

Page 37: Cyber Crimes and Internet Security

Internet Attacks Toolkits (YouTube video)

Page 38: Cyber Crimes and Internet Security

Internet Attacks Timeline

From training material at http://www.cert-in.org.in/

Page 39: Cyber Crimes and Internet Security

Internet Attack Trends

From training material at http://www.cert-in.org.in/

Page 40: Cyber Crimes and Internet Security

Security Requirements

Informal statements (formal is much harder)

• Confidentiality: protection from disclosure to unauthorized persons.

• Integrity: assurance that information has not been modified without authorization.

• Authentication: assurance of the identity of the originator of information.

• Non-repudiation: the originator cannot deny sending the message.

• Availability: being able to use the system or communicate whenever desired (the threat is denial of service).

• Anonymity/Pseudonymity: for applications like voting, instructor evaluation.

• Resistance to traffic analysis: an observer should not even learn who is communicating with whom. Why?

• Emerging applications: online voting, auctions (more later).

And all this with postcards (IP datagrams)!

Page 41: Cyber Crimes and Internet Security

Security Landscape (figure)

Page 42: Cyber Crimes and Internet Security

Security Mechanisms

• System security: "Nothing bad happens to my computers and equipment" (virus, trojan horse, logic/time bombs, ...)

• Network security:
  • Authentication mechanisms: "you are who you say you are"
  • Access control (firewalls, proxies): "who can do what"

• Data security: "for your eyes only"
  • Encryption, digests, signatures, ...

Page 43: Cyber Crimes and Internet Security

Network Security Mechanism Layers

Figure: two hosts' protocol stacks side by side, with the mechanisms that live at each layer.

  Layer          Mechanisms
  -------------  ------------------------
  Application    PGP, S-HTTP, S/MIME
  TCP/Socket     SSL, TLS
  IP             IPv6, AH (IPsec), ...
  Data Comm.     -

  Firewalls sit between the two stacks.

Encryption can be done at any level! Higher up: more overhead (once per application) but better control.

Cryptographic protocols underlie all security mechanisms. The real challenge is to design good ones for key establishment, mutual authentication etc.

Page 44: Cyber Crimes and Internet Security

Cryptography and Data Security

• sine qua non [without this, nothing :-]
• Historically, who used it first? (L & M)
• Code language in joint families!

Figure: the cryptographic toolkit

  Goal              Mechanism                Primitives
  ----------------  -----------------------  -----------------------
  Confidentiality   Encryption               Ciphers (block, stream)
  Data Integrity    Message authentication   Hashing
  Authentication    User identification
  Non-Repudiation   Digital signature        Signatures

  Underpinned by public-key methods, secret key establishment and key management.

Page 45: Cyber Crimes and Internet Security

Exchanging Secrets

Goal: A and B want to agree on a secret number, but C can listen to all their conversation.

Solution? A tells B: "I'll send you 3 numbers. Let's use their LCM as the key." (C hears the same three numbers and computes the same LCM, so this is no solution; the Diffie-Hellman slide shows what actually works.)

Page 47: Cyber Crimes and Internet Security

Motivation for Session Keys

Combine symmetric (fast) and asymmetric (very slow) methods using session (ephemeral) keys, for the following additional reasons:

• Limit the ciphertext available (under a fixed key) for cryptanalytic attack;

• Limit exposure, with respect to both time period and quantity of data, in the event of (session) key compromise;

• Avoid long-term storage of a large number of distinct secret keys (where one terminal communicates with a large number of others), by creating keys only when actually required;

• Create independence across communication sessions or applications; no replay attacks.

How to establish session keys over an insecure medium where the adversary is listening to everything? It can be done even without any public key! Randomization to the rescue (as in CSMA/CD of Ethernet).

Page 48: Cyber Crimes and Internet Security

Diffie-Hellman Key Establishment Protocol

Public parameters: P = 13, g = 4.

  Alice                                     Bob
  ----------------------------------------  ----------------------------------------
  Choose Na = 5                             Choose Nb = 8
  Send ma = g^Na mod P = 4^5 mod 13 = 10    Send mb = g^Nb mod P = 4^8 mod 13 = 3
  Compute Kab = mb^Na mod P                 Compute Kba = ma^Nb mod P
            = 3^5 mod 13 = 9                          = 10^8 mod 13 = 9

Kab = Kba = 9, while the eavesdropper sees only P, g, ma and mb.

Page 49: Cyber Crimes and Internet Security

Man-in-the-middle attack

Figure: Siva sits between Vishwanathan Anand and Gary Kasparov, relaying each side's moves (e4, c5) to the other; each grandmaster believes he is playing the other.

• Authentication was missing!
• Can be solved if Kasparov and Anand know each other's public keys (Needham-Schroeder).
• Yes, but a different attack is possible.
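The exchange of the previous slide and the man-in-the-middle attack of this one, worked through in Python. This is an added example, not code from the talk; it reuses the slide's toy parameters P = 13, g = 4, Na = 5, Nb = 8, and assumes an attacker secret Nc = 11 and a SHA-256 hash as the session-key derivation step (both my choices). It also checks a detail the slide glosses over: g = 4 has order 6 in Z_13^*, so it generates only half the group; a real deployment uses a large safe prime and a generator of a large prime-order subgroup.

```python
"""Diffie-Hellman with the slide's toy numbers, then the man-in-the-middle attack.

Added example (not from the talk). Parameters P = 13, g = 4, Na = 5, Nb = 8 are
the slide's; Nc = 11 for the attacker and the SHA-256 key derivation are assumptions.
Toy sizes only: never use a 4-bit modulus for anything real.
"""
import hashlib
from typing import Tuple

P = 13  # public prime modulus (slide)
G = 4   # public base (slide)


def dh_public(secret: int, p: int = P, g: int = G) -> int:
    """Public value m = g^secret mod p that each party sends in the clear."""
    return pow(g, secret, p)


def dh_shared(their_public: int, my_secret: int, p: int = P) -> int:
    """Shared key K = m_other^my_secret mod p (equals g^(Na*Nb) mod p for both)."""
    return pow(their_public, my_secret, p)


def element_order(g: int, p: int) -> int:
    """Multiplicative order of g modulo prime p, by brute force (fine for toy p).

    A small order means an eavesdropper can enumerate every possible shared key,
    so real parameters use a generator of a large prime-order subgroup.
    """
    x, k = g % p, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def session_key(shared: int, label: bytes = b"toy-dh-session") -> bytes:
    """Derive a fixed-length session key from the shared integer.

    Hashing the raw DH output (with a label) is the ephemeral-key step the
    session-key slide motivates; real systems use HKDF or similar.
    """
    return hashlib.sha256(label + shared.to_bytes(8, "big")).digest()


def honest_exchange(na: int, nb: int) -> Tuple[int, int, int, int]:
    """Return (ma, mb, Kab, Kba) exactly as the slide's table lays them out."""
    ma, mb = dh_public(na), dh_public(nb)
    return ma, mb, dh_shared(mb, na), dh_shared(ma, nb)


def mitm_exchange(na: int, nb: int, nc: int) -> Tuple[int, int, int, int]:
    """Siva (C) sits between Alice and Bob and swaps in his own public value.

    Alice and Bob each compute a key, but with C rather than with each other;
    C holds both keys and can read and re-encrypt everything. Nothing in
    unauthenticated DH lets either side notice.
    Returns (K_alice, K_bob, K_c_with_alice, K_c_with_bob).
    """
    ma, mb, mc = dh_public(na), dh_public(nb), dh_public(nc)
    k_alice = dh_shared(mc, na)        # Alice thinks mc came from Bob
    k_bob = dh_shared(mc, nb)          # Bob thinks mc came from Alice
    k_c_alice = dh_shared(ma, nc)      # C's key towards Alice (same as k_alice)
    k_c_bob = dh_shared(mb, nc)        # C's key towards Bob (same as k_bob)
    return k_alice, k_bob, k_c_alice, k_c_bob


if __name__ == "__main__":
    ma, mb, kab, kba = honest_exchange(5, 8)
    print(f"ma={ma} mb={mb} Kab={kab} Kba={kba}")            # ma=10 mb=3 Kab=9 Kba=9
    print("order of g=4 mod 13:", element_order(G, P))       # 6, not 12
    print("MITM keys (Alice, Bob, C/Alice, C/Bob):", mitm_exchange(5, 8, 11))
    print("session key:", session_key(kab).hex())
```

The two MITM keys differ (Alice and Bob are not sharing a key with each other at all), yet every check either party can make passes, which is exactly why the next slides turn to authentication.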

Page 50: Cyber Crimes and Internet Security

Why Are Security Protocols Often Wrong?

They are trivial programs built from simple primitives, BUT they are complicated by

• concurrency
• a hostile environment
  • a bad user controls the network
  • concern: active attacks (masquerading, replay, man-in-the-middle, etc.)
• vague specifications
  • we have to guess what is wanted
  • ill-defined concepts

Protocol flaws rather than cryptosystem weaknesses. Formal methods needed!
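The "different attack" mentioned on the man-in-the-middle slide is Lowe's 1995 attack on the Needham-Schroeder public-key protocol, and it illustrates this slide's point: the cryptography is treated as perfect and the flaw is purely in the message structure. Below is an added example (not from the talk) that plays the attack out in Python in a symbolic Dolev-Yao style model, where an encrypted message is a labelled tuple that only the named recipient can open, and then applies Lowe's fix (the responder adds its own name to message 2). Principal and nonce names A, B, I, Na, Nb are the usual ones from the literature.

```python
"""Needham-Schroeder public-key protocol, Lowe's attack, and Lowe's fix.

Added example (not from the talk). Symbolic Dolev-Yao model: {m}_KX is the
tuple ("enc", "X", m) and only principal X can open it; the cryptography is
assumed perfect, so anything the intruder learns comes from protocol logic.

    1. A -> B : {Na, A}_KB
    2. B -> A : {Na, Nb}_KA          (Lowe's fix: {Na, Nb, B}_KA)
    3. A -> B : {Nb}_KB
"""
from typing import Optional, Tuple

Msg = Tuple[str, str, tuple]


def enc(recipient: str, *payload) -> Msg:
    """Public-key encryption of payload for recipient (symbolic)."""
    return ("enc", recipient, tuple(payload))


class Principal:
    def __init__(self, name: str, lowe_fix: bool = False) -> None:
        self.name = name
        self.lowe_fix = lowe_fix
        self.peer = ""
        self.na = self.nb = self.claimed = ""

    def dec(self, msg: Msg) -> tuple:
        """Only the holder of the matching private key can decrypt."""
        tag, recipient, payload = msg
        if tag != "enc" or recipient != self.name:
            raise PermissionError(f"{self.name} cannot decrypt a message for {recipient}")
        return payload


class Initiator(Principal):
    def msg1(self, peer: str, nonce: str) -> Msg:
        self.peer, self.na = peer, nonce
        return enc(peer, nonce, self.name)

    def msg3(self, m2: Msg) -> Msg:
        payload = self.dec(m2)
        if self.lowe_fix:
            na, nb, responder = payload
            if responder != self.peer:       # the check that defeats the attack
                raise ValueError(f"{self.name}: reply names {responder}, expected {self.peer}")
        else:
            na, nb = payload
        if na != self.na:
            raise ValueError("nonce Na mismatch")
        return enc(self.peer, nb)


class Responder(Principal):
    def msg2(self, m1: Msg, nonce: str) -> Msg:
        na, claimed_initiator = self.dec(m1)
        self.claimed, self.nb = claimed_initiator, nonce
        if self.lowe_fix:
            return enc(claimed_initiator, na, nonce, self.name)
        return enc(claimed_initiator, na, nonce)

    def finish(self, m3: Msg) -> str:
        (nb,) = self.dec(m3)
        if nb != self.nb:
            raise ValueError("nonce Nb mismatch")
        return self.claimed      # whom B now believes shares Nb with it


def honest_run(lowe_fix: bool) -> Tuple[str, str]:
    """Normal A <-> B session; returns (whom B believes it talked to, A's peer)."""
    a, b = Initiator("A", lowe_fix), Responder("B", lowe_fix)
    m1 = a.msg1("B", "Na")
    m2 = b.msg2(m1, "Nb")
    m3 = a.msg3(m2)
    return b.finish(m3), a.peer


def lowe_attack(lowe_fix: bool) -> Tuple[str, Optional[str]]:
    """A starts a session with the intruder I; I uses it to impersonate A to B.

    Returns (outcome, nonce_known_to_I): outcome is the identity B believes it
    is talking to when the attack succeeds, or 'aborted' when A's check fires.
    """
    a, b, i = Initiator("A", lowe_fix), Responder("B", lowe_fix), Principal("I", lowe_fix)
    m1 = a.msg1("I", "Na")                   # honest: A really wants to talk to I
    na, a_name = i.dec(m1)                   # I can open it: it was encrypted for I
    m2 = b.msg2(enc("B", na, a_name), "Nb")  # I re-encrypts for B, posing as A
    try:
        m3 = a.msg3(m2)                      # A cannot tell B's reply from I's ...
    except ValueError:
        return "aborted", None               # ... unless message 2 names the responder
    (nb,) = i.dec(m3)                        # A sends {Nb}_KI, so I learns Nb
    return b.finish(enc("B", nb)), nb        # B accepts: "I share Nb with A"
```

Without the fix, `lowe_attack(False)` ends with B convinced it shares Nb with A while I holds Nb; with `lowe_fix=True` A aborts at message 2 because the reply names B, not the peer A was talking to. Model checkers (FDR, ProVerif and friends) find exactly this kind of trace automatically, which is the "formal methods" the slide calls for.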

Page 51: Cyber Crimes and Internet Security

Zero-Knowledge Proofs

Goal: A wants to prove to B that she knows how to solve the cube, without actually revealing the solution!

Solution? A tells B: "Close your eyes, let me solve it..."
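The cube story is the intuition; here is the same idea with numbers, as an added example that is not part of the talk: the Schnorr identification protocol, in which A proves knowledge of x with y = g^x mod p without revealing x. The block uses the toy group p = 23, q = 11, g = 2 (my choice; g has order 11) and also shows the two properties that make it a zero-knowledge proof of knowledge: a simulator that produces accepting transcripts with no knowledge of x (so transcripts leak nothing), and extraction of x from two responses to the same commitment (so a prover who reuses r is exposed, and an accepted prover must really know x).

```python
"""Schnorr zero-knowledge proof of knowledge of a discrete log (toy parameters).

Added example (not from the talk). Public: prime p = 23, prime q = 11 with
q | p-1, and g = 2 of order q. Prover holds x; verifier knows only y = g^x mod p.

    P -> V : t = g^r mod p          (commitment, r random in [1, q))
    V -> P : c                      (challenge, random in [0, q))
    P -> V : s = r + c*x mod q      (response)
    V checks g^s == t * y^c (mod p)
"""
import secrets
from typing import Tuple

P, Q, G = 23, 11, 2   # assumed toy parameters; real ones are 2048-bit p, 256-bit q


def keygen(x: int) -> int:
    """Public key y = g^x mod p for secret x in [1, q)."""
    return pow(G, x, P)


def commit(r: int) -> int:
    """Prover's commitment t = g^r mod p."""
    return pow(G, r, P)


def respond(x: int, r: int, c: int) -> int:
    """Prover's response s = r + c*x mod q; needs the secret x."""
    return (r + c * x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier's check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def prove_interactive(x: int, y: int) -> bool:
    """One honest run with fresh randomness on both sides."""
    r = 1 + secrets.randbelow(Q - 1)
    t = commit(r)
    c = secrets.randbelow(Q)          # verifier's challenge
    s = respond(x, r, c)
    return verify(y, t, c, s)


def simulate(y: int, c: int, s: int) -> Tuple[int, int, int]:
    """Zero knowledge: anyone can forge an accepting (t, c, s) without x by
    picking s first and solving for t = g^s * y^(-c). Transcripts therefore
    carry no information about x (the verifier could have made them itself)."""
    y_c_inv = pow(pow(y, c, P), -1, P)
    t = (pow(G, s, P) * y_c_inv) % P
    return t, c, s


def extract(c1: int, s1: int, c2: int, s2: int) -> int:
    """Soundness: two accepting responses to the same commitment t (same r)
    with different challenges reveal x = (s1 - s2) / (c1 - c2) mod q.
    This is why r must be fresh and unpredictable every time."""
    return ((s1 - s2) * pow(c1 - c2, -1, Q)) % Q


if __name__ == "__main__":
    x = 7
    y = keygen(x)
    print("y =", y, "honest proof accepted:", prove_interactive(x, y))
    t, c, s = simulate(y, 5, 9)
    print("simulated transcript verifies without x:", verify(y, t, c, s))
    print("x recovered from a reused r:", extract(5, respond(x, 3, 5), 2, respond(x, 3, 2)))
```

The simulator is the formal version of "close your eyes": B ends up with nothing it could not have produced alone. The extractor is the practitioner's warning: a signature scheme built on this (Schnorr, DSA, ECDSA) leaks the private key the moment a nonce is reused.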

Page 53: Cyber Crimes and Internet Security

IIT Bombay Case Study (Defender's Perspective)

• Campus network infrastructure
  • Academic area
  • Hostels
  • Residential

• Hardware and network (the easy part!)
  • Gigabit L3 switches
  • 10 Mbps Internet (4 links)
  • 5000+ nodes

• Applications (complex enough)
  • Mail
  • Web browsing/hosting

• Users and management (the nightmare begins)
  • Misuse (mp3, movies, porn, hacking, fake mails, ...)
  • CCTeam
    • We carry your bytes
    • Our T-shirt (cows, dogs, leopards!)

Page 54: Cyber Crimes and Internet Security

IIT-B's WAN Links and Firewall (figure)

Page 55: Cyber Crimes and Internet Security

Important LAN Issues

Important considerations:
• Viruses, spyware
• Wrong IP addresses
• Wireless access (guest house, conference halls)
• Static MAC-IP mapping
• Software piracy
• Illegal content (pornography, ...)
• ...

Good LAN design can help a lot with this...

Page 56: Cyber Crimes and Internet Security

Critical Network Services

• Firewall (security sine qua non)

• Domain Name Service (DNS) http://cr.yp.to/djbdns/

• Directory Services (LDAP)

• Virus scanning clamav.elektrapro.com

Page 57: Cyber Crimes and Internet Security

Critical Network (WAN) Services

• E-mail (www.qmail.org)

• Newsgroups (inn)

• Web proxy

• WWW servers (httpd.apache.org)

Page 58: Cyber Crimes and Internet Security

Firewall

• Inside IIT we have 50+ IP subnets.
• Over 5000 nodes.
• All private addresses 10.x.y.z
• 4 different WAN subnets
  • 128, 64, 32, 32 addresses only!
• iptables (www.iptables.org) to the rescue.
• Selective services/machines opened up:
  • Incoming ssh to different dept. servers.
  • Outgoing ssh, Yahoo/MSN chat
  • Outgoing port for SciFinder
  • Outgoing ftp from select machines
• Making a good policy is the hardest!

Page 59: Cyber Crimes and Internet Security

Why Monitor?

चिन्तनीया हि विपदामादावेव प्रतिक्रिया। न कूपखननं युक्तं प्रदीप्ते वह्निना गृहे॥

The remedy for disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze with fire.

Security cannot be an afterthought!

"There is a tide in the affairs of men, Which taken at the flood, leads on to fortune. Omitted, all the voyage of their life is bound in shallows and in miseries." (Shakespeare)

Page 60: Cyber Crimes and Internet Security

Monitoring Network and Services

How to answer the following questions?

1. How much traffic in/out? Anything abnormal?
2. How many emails came from outside IIT?
3. Who are the top 10 senders/receivers/domains?
4. Is anyone trying to spam/relay/DoS/break the mail servers?
5. How much bandwidth is used for browsing? Top domains?
6. What are the biggest downloads?
7. Is anyone attacking the academic office from the hostels?

Where is all this information? How to find out? Reactive, static reports, or pro-active alerts?
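Questions 1, 3, 4 and 7 can be answered from flow records such as the SiLK netflow data the takeaways mention. The Python below is an added example, not a tool from IIT Bombay: it parses constructed flow records in a simplified CSV form (timestamp, source, destination, destination port, protocol, bytes), assumes a hypothetical address plan in which hostels are 10.1.0.0/16 and the academic area 10.2.0.0/16 within the campus 10.0.0.0/8, and then answers "who are the top talkers", "is anyone port-scanning the academic area from the hostels" and "is any host sending mail directly to many outside servers" (a spam-bot signature). The records, thresholds and subnet plan are all assumptions.

```python
"""Answering monitoring questions from flow records (SiLK-style, simplified).

Added example (not from the talk or IIT Bombay). The address plan, thresholds and
every record below are constructed for illustration.
Record format: timestamp,src_ip,dst_ip,dst_port,proto,bytes
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

CAMPUS = ipaddress.ip_network("10.0.0.0/8")      # all private campus addresses (slide)
HOSTEL = ipaddress.ip_network("10.1.0.0/16")     # assumed hostel range
ACADEMIC = ipaddress.ip_network("10.2.0.0/16")   # assumed academic-area range

# Constructed records: a few normal flows, one hostel host probing 12 ports on an
# academic server, and one hostel host talking SMTP directly to five outside hosts.
BENIGN = [
    "2016-04-29T09:00:01,10.1.5.20,10.2.0.10,22,tcp,4200",
    "2016-04-29T09:00:05,10.1.5.20,198.51.100.7,443,tcp,52000000",
    "2016-04-29T09:01:00,10.2.0.10,10.1.5.20,22,tcp,900",
    "2016-04-29T09:02:00,10.2.0.55,10.2.0.10,80,tcp,12000",
    "2016-04-29T09:03:00,10.2.0.55,10.2.0.10,443,tcp,15000",
    "2016-04-29T09:05:00,10.1.3.4,10.2.0.10,80,tcp,3000",
    "2016-04-29T09:05:10,10.1.3.4,10.2.0.10,443,tcp,3000",
]
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3306]
SCAN = [f"2016-04-29T23:10:{i:02d},10.1.7.77,10.2.0.10,{p},tcp,60"
        for i, p in enumerate(SCAN_PORTS)]
SPAM = [f"2016-04-29T02:00:{i:02d},10.1.9.9,203.0.113.{i + 1},25,tcp,800"
        for i in range(5)]
SAMPLE_FLOWS = "\n".join(BENIGN + SCAN + SPAM)


def parse_flows(text: str) -> List[Dict]:
    """Parse CSV flow lines; skip blanks and '#' comments; reject malformed rows loudly."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        ts, src, dst, dport, proto, nbytes = fields
        rows.append({"ts": ts, "src": ipaddress.ip_address(src),
                     "dst": ipaddress.ip_address(dst), "dport": int(dport),
                     "proto": proto, "bytes": int(nbytes)})
    return rows


def top_talkers(rows: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Q1/Q3: sources ranked by bytes sent."""
    total: Counter = Counter()
    for r in rows:
        total[str(r["src"])] += r["bytes"]
    return total.most_common(n)


def detect_scans(rows: List[Dict], src_net=HOSTEL, dst_net=ACADEMIC, min_ports: int = 10):
    """Q7: a source touching many distinct ports on one destination is scanning.
    (A production detector would also window by time; omitted here.)"""
    ports = defaultdict(set)
    for r in rows:
        if r["src"] in src_net and r["dst"] in dst_net:
            ports[(str(r["src"]), str(r["dst"]))].add(r["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def detect_direct_smtp(rows: List[Dict], campus=CAMPUS, min_dsts: int = 5):
    """Q4: a campus host opening SMTP to many outside servers bypasses the
    campus relay and looks like a spam bot (or an open-relay probe)."""
    dsts = defaultdict(set)
    for r in rows:
        if r["dport"] == 25 and r["src"] in campus and r["dst"] not in campus:
            dsts[str(r["src"])].add(r["dst"])
    return sorted((s, len(d)) for s, d in dsts.items() if len(d) >= min_dsts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top talkers:", top_talkers(flows))
    print("hostel -> academic scans:", detect_scans(flows))
    print("direct SMTP senders:", detect_direct_smtp(flows))
```

The same three functions run unchanged over a real `rwcut`-style export once the column order is mapped; the thresholds (10 ports, 5 destinations) are where tuning against the campus baseline happens.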

Page 61: Cyber Crimes and Internet Security

Network, Services and User Management

Eternal vigilance is the price of liberty!

• How is the network doing?
• Are all services up?
• How much email in/out? How many viruses?
• Who's using the Web proxy? For what?
• Are users happy? www.gnu.org/software/gnats

Pages 62-64: Cyber Crimes and Internet Security

IIT Bombay WAN Links (screenshots)

Pages 65-66: Cyber Crimes and Internet Security

Nagios (screenshots)

Pages 67-68: Cyber Crimes and Internet Security

Mail Usage Statistics (screenshots)

Pages 69-70: Cyber Crimes and Internet Security

Mail Server Statistics (screenshots)

Page 71: Cyber Crimes and Internet Security

Web Proxy Usage (screenshot)

Pages 72-73: Cyber Crimes and Internet Security

Web Server Hits (screenshots)

Page 74: Cyber Crimes and Internet Security

Log Archival at IIT Bombay (screenshot)

Page 75: Cyber Crimes and Internet Security

Squid Logs (screenshot)

Page 76: Cyber Crimes and Internet Security

Security Information and Event Management(SIEM)

• OSSEC and OSSIM tool suite
• ELK (Elasticsearch, Logstash, Kibana) framework
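The Squid logs archived at IIT Bombay (slide 75) are exactly the kind of feed a SIEM such as OSSIM or ELK correlates. The following is an added example, not the institute's own tooling or part of OSSEC/OSSIM: it parses Squid's native access.log format and runs two detections a proxy-log correlation rule would implement, a burst of TCP_DENIED responses from one client (ACL probing or malware hitting blocked sites) and a client fetching the same host at near-constant intervals (a crude beacon heuristic). All log lines, hostnames and addresses are constructed for the example.

```python
"""Two detections over Squid native-format access.log lines (added example, not IIT Bombay's tooling)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client action/status size method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match the native format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    # CONNECT (HTTPS through the proxy) logs "host:port" instead of a full URL
    rec["host"] = (rec["url"].split(":")[0] if rec["method"] == "CONNECT"
                   else (urlsplit(rec["url"]).hostname or ""))
    return rec


def denied_bursts(records, threshold=5, window=60.0):
    """Clients with >= threshold TCP_DENIED responses inside any window-second span
    (a host probing the proxy ACLs, or malware trying blocked destinations)."""
    per_client = defaultdict(list)
    for r in records:
        if r["action"].startswith("TCP_DENIED"):
            per_client[r["client"]].append(r["ts"])
    hits = {}
    for client, times in per_client.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[client] = hi - lo + 1
                break
    return hits


def beacons(records, min_requests=6, max_jitter=0.1):
    """(client, host) pairs fetched at near-constant intervals: a crude C2-beacon heuristic.
    Returns the mean interval in seconds for each flagged pair."""
    per_pair = defaultdict(list)
    for r in records:
        per_pair[(r["client"], r["host"])].append(r["ts"])
    found = {}
    for pair, times in per_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[pair] = round(mean, 1)
    return found


def sample_lines():
    """Constructed sample traffic (hosts, IPs and timestamps are made up, not real IITB logs)."""
    base = 1461919200.0
    lines = []
    for i, jitter in enumerate([0.0, 0.4, 0.1, 0.6, 0.2, 0.3]):        # ~300 s beacon
        lines.append(f"{base + 300 * i + jitter:.3f} 120 10.1.2.4 TCP_MISS/200 512 GET "
                     "http://c2.example.net/ping?id=7 - HIER_DIRECT/203.0.113.9 text/plain")
    for off in (10, 12, 19, 21, 30, 35):                                 # 6 denials in 25 s
        lines.append(f"{base + off:.3f} 0 10.1.2.3 TCP_DENIED/403 3875 GET "
                     "http://blocked.example.org/ - HIER_NONE/- text/html")
    lines.append(f"{base + 42:.3f} 310 10.1.2.5 TCP_MISS/200 8820 GET "
                 "http://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html")
    lines.append(f"{base + 50:.3f} 95 10.1.2.5 TCP_DENIED/403 3875 CONNECT "
                 "blocked.example.org:443 - HIER_NONE/- text/html")
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse_line, sample_lines()) if r]
    print("denied bursts:", denied_bursts(recs))   # {'10.1.2.3': 5}
    print("beacons:", beacons(recs))               # {('10.1.2.4', 'c2.example.net'): 300.1}
```

The beacon rule deliberately ignores the single-client denial stream (its intervals are irregular) and the denial rule ignores the one-off CONNECT denial, which is the kind of tuning that keeps a SIEM's real-time alerts useful rather than noisy. Thresholds and the jitter bound are starting points to adjust against the site's own traffic.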

Page 77: Cyber Crimes and Internet Security

SIEM Architecture

Image reference: Unified Open Source Security, Santiago González Bassett, AlienVault

www.ossec.net/files/OpenSourceSecurity 2013.pptx

Page 78: Cyber Crimes and Internet Security

SIEM Use Case

Real-time Reactive (Recall atlas.arbor.net)

Page 79: Cyber Crimes and Internet Security

Attacking IIT Bombay

Use dnsstuff.com to gather public DNS and whois information about the target; this reconnaissance step needs no access to the victim's network.

Page 80: Cyber Crimes and Internet Security

Mail Servers Information

Use dnsstuff.com

Page 81: Cyber Crimes and Internet Security

Mail Servers Information

Use dnsstuff.com

Page 82: Cyber Crimes and Internet Security

TraceRoute

Very sophisticated tools (nmap, Nessus, Metasploit) are available to attackers.

Page 83: Cyber Crimes and Internet Security

MetaSploit Framework

• Penetration testing
• Open source project
• Provides exploit code and the infrastructure to run it
• Helps prevent data breaches by finding exploitable weaknesses before an attacker does
• Checks that security controls actually work
• Verifies the security of new applications before deployment

Page 84: Cyber Crimes and Internet Security

Metasploit Libraries

Figure: Growth of the Metasploit module database by release

Version   Exploits   Payloads   Auxiliaries   Encoders
3.7.0        684        217         355           27
4.0.0        716        226         361           27
4.9.2       1303        335         792           35
4.11.4      1467        432         840           37

Page 85: Cyber Crimes and Internet Security

Certified Forensic Investigator: Scope of Forensics Work

• Define and describe computer investigations
• Demonstrate correct methods of evidence gathering
• Use and evaluate various operating systems and file systems
• Equip a forensics lab with appropriate hardware and software
• Install, configure, and use various command-line and graphical software forensics tools
• Describe and compare various hardware devices employed by computer forensics experts
• Retrieve and analyze data from a suspect's computer, tablet, or mobile phone
• Summarize the evidence and write investigative reports
• Utilize the services of expert witnesses
• Recover file images, and categorize the data
• Examine and trace email messages
• Obtain and control digital evidence
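"Examine and trace email messages" in the list above is in practice a Received: header exercise. The following is an added example, not from the talk or from any forensics product: it reconstructs the relay path of a message, oldest hop first, and applies two checks an investigator makes before writing the report, that the hop timestamps do not run backwards (a hint of a forged header) and that the originating IP is taken from what the first relay recorded in brackets rather than from the sender's self-announced name. The message, hosts, addresses and queue ids are all constructed.

```python
"""Reconstruct an e-mail's relay path from its Received: headers (added example, not from the talk)."""
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed message (names, IPs and ids are made up): a phish submitted through an
# authenticated submission host, relayed via an external MX into the campus mail store.
SAMPLE_MESSAGE = """\
Received: from mx1.example.edu (mx1.example.edu [192.0.2.10])
        by mailstore.example.edu (Postfix) with ESMTP id 4F2A1C0
        for <[email protected]>; Fri, 29 Apr 2016 10:05:12 +0530
Received: from smtp.example.net (smtp.example.net [198.51.100.7])
        by mx1.example.edu (Postfix) with ESMTPS id 3E1B9
        for <[email protected]>; Fri, 29 Apr 2016 10:05:09 +0530
Received: from [10.0.0.25] (unknown [203.0.113.45])
        by smtp.example.net (Postfix) with ESMTPSA id 9C3D2
        ; Fri, 29 Apr 2016 10:05:01 +0530
From: "Accounts" <[email protected]>
To: [email protected]
Subject: Invoice overdue

Please see attached.
"""


def trace_received(raw):
    """Return hops oldest-first. Each relay prepends its own Received: line, so header order in
    the message is newest-first; the last Received: is the one closest to the true origin."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                 # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        # trust the address the *receiving* relay recorded in brackets, not the HELO name
        seen = IPV4_RE.search(m.group("helo") or "") or IPV4_RE.search(m.group("from"))
        date = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": m.group("from"),
            "helo": m.group("helo"),
            "by": m.group("by"),
            "ip": seen.group(1) if seen else None,
            "time": parsedate_to_datetime(date) if date else None,
        })
    return hops


def origin_ip(hops):
    """Public IP the first relay saw; the hop's self-reported name may be an internal address."""
    return hops[0]["ip"] if hops else None


def timeline_consistent(hops):
    """Timestamps must not decrease along the path; a backwards jump suggests a forged header
    (or a badly skewed relay clock, which is still worth a note in the report)."""
    times = [h["time"] for h in hops if h["time"]]
    return all(a <= b for a, b in zip(times, times[1:]))


def helo_is_private(hop):
    """True when the relay announced itself with a private address (e.g. [10.0.0.25])."""
    m = IPV4_RE.search(hop["from"])
    return bool(m) and ipaddress.ip_address(m.group(1)).is_private


if __name__ == "__main__":
    path = trace_received(SAMPLE_MESSAGE)
    for h in path:
        print(f"{h['time']:%H:%M:%S}  {h['from']:<20} ({h['ip']})  ->  {h['by']}")
    print("origin:", origin_ip(path), "| timeline ok:", timeline_consistent(path))
```

Only the Received: line added by your own infrastructure (here mailstore.example.edu) is trustworthy; every earlier hop could have been written by the sender, so the path below your own MX is evidence to be corroborated with the relay's logs, not proof.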

Page 86: Cyber Crimes and Internet Security

forensicswiki.org

Page 87: Cyber Crimes and Internet Security

cftt.nist.gov

Comprehensive test reports on forensic tools from NIST's Computer Forensic Tool Testing (CFTT) programme!

Page 88: Cyber Crimes and Internet Security

cfreds.nist.gov: Computer Forensics Reference Data Sets

Page 89: Cyber Crimes and Internet Security

Android Forensics using Autopsy

From: http://www.nist.gov/forensics/upload/6-Mahalik_OSMF.pdf

How to obtain:

• Contacts
• Messages and chats
• Geolocation data/reports
• Multimedia files

Page 90: Cyber Crimes and Internet Security

Geolocation Reporting

Page 91: Cyber Crimes and Internet Security

Network Forensics

From en.wikipedia.org/wiki/Network_forensics: Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

Must-have FOSS tools: Wireshark (packet captures) and SiLK (NetFlow records).
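The two artefacts named above, packet captures and flow records, are related: a flow record is what you get by aggregating packets on their 5-tuple, which is why a capture can be reduced to SiLK-style flows when the full payload is unavailable or too large to keep. The block below is an added example, not code from Wireshark, SiLK or the talk: it parses the classic pcap container and Ethernet/IPv4/TCP/UDP headers with nothing but struct, aggregates packets into flows with byte/packet counts and the union of TCP flags, and then asks the flow table the question an incident responder asks first, which sources sent SYN-only flows to many ports. The capture itself is fabricated in memory by the small packet builders at the top; all addresses are from documentation ranges.

```python
"""Turn a pcap into NetFlow-style flow records and flag SYN-only scanners (added example,
not part of Wireshark, SiLK or the talk; all addresses and packets below are constructed)."""
import ipaddress
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10


# --- minimal packet builders, used only to fabricate the sample capture ---------------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload                      # checksum left 0: the parser never verifies it


def _tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _eth(ip_packet):                          # dst MAC, src MAC, EtherType IPv4
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip_packet


def build_pcap(packets):
    """packets: [(timestamp, frame)] -> classic pcap bytes (little-endian, link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


# --- the forensic part: parse, aggregate into flows, query the flows -------------------------
def parse_pcap(data):
    """Yield (timestamp, frame) from pcap bytes, accepting either byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def flows_from_pcap(data):
    """Aggregate packets into (src, sport, dst, dport, proto) flows with packet/byte counts,
    first/last seen and the union of TCP flags, much as a NetFlow exporter or SiLK would."""
    flows = {}
    for ts, frame in parse_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = str(ipaddress.ip_address(frame[26:30])), str(ipaddress.ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:                    # TCP: flags byte is at offset 13
            sport, dport, flags = (*struct.unpack("!HH", l4[:4]), l4[13])
        elif proto == 17 and len(l4) >= 8:                  # UDP
            sport, dport, flags = (*struct.unpack("!HH", l4[:4]), 0)
        else:
            continue
        f = flows.setdefault((src, sport, dst, dport, proto),
                             {"packets": 0, "bytes": 0, "first": ts, "last": ts, "flags": 0})
        f["packets"] += 1
        f["bytes"] += len(frame) - 14                       # IP-layer bytes, as flow tools count
        f["last"] = ts
        f["flags"] |= flags
    return flows


def syn_only_scanners(flows, min_targets=3):
    """Sources whose TCP flows carry SYN but never ACK, towards >= min_targets (dst, port) pairs."""
    targets = defaultdict(set)
    for (src, _sp, dst, dport, proto), f in flows.items():
        if proto == 6 and f["flags"] & SYN and not f["flags"] & ACK:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def sample_capture():
    """Constructed capture: one HTTP handshake + request, one DNS query, one 4-port SYN scan."""
    t, c, s, scanner = 1461919200.0, "10.0.0.5", "203.0.113.10", "198.51.100.77"
    pk = [(t, _eth(_ipv4(c, s, 6, _tcp(40000, 80, SYN)))),
          (t + 0.01, _eth(_ipv4(s, c, 6, _tcp(80, 40000, SYN | ACK)))),
          (t + 0.02, _eth(_ipv4(c, s, 6, _tcp(40000, 80, ACK)))),
          (t + 0.03, _eth(_ipv4(c, s, 6, _tcp(40000, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")))),
          (t + 0.50, _eth(_ipv4(c, "10.0.0.2", 17, _udp(53001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))))]
    for i, port in enumerate((22, 23, 80, 443)):
        pk.append((t + 1 + i / 1000, _eth(_ipv4(scanner, c, 6, _tcp(50000 + i, port, SYN)))))
    return build_pcap(pk)


if __name__ == "__main__":
    fl = flows_from_pcap(sample_capture())
    for key, f in sorted(fl.items()):
        print(key, f["packets"], "pkts", f["bytes"], "bytes", f"flags=0x{f['flags']:02x}")
    print("SYN-only scanners:", syn_only_scanners(fl))     # {'198.51.100.77': 4}
```

The same flow table answers the usual follow-up questions (which internal host talked to the scanner afterwards, how many bytes left the network to a given destination) without touching payload, which is why flow data is worth retaining for far longer than full captures. A real pcap from Wireshark or tcpdump parses with the same parse_pcap as long as it uses the classic format and Ethernet link type; pcapng and VLAN-tagged frames are deliberately out of scope here.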

Page 92: Cyber Crimes and Internet Security

ज्ञानं परमं ध्येयम् (Knowledge is the Ultimate Goal)

न चोरहार्यं न च राजहार्यं न भ्रातृभाज्यं न च भारकारि ।
व्यये कृते वर्धत एव नित्यं विद्याधनं सर्वधनप्रधानम् ॥

It cannot be stolen by thieves, cannot be taken away by the king, cannot be divided among brothers and is not a burden. If spent, it always multiplies. The wealth of knowledge is the greatest of all wealths.

IIT Bombay's motto is the title of this slide.
Eternal vigilance is the price of liberty!
Way Forward: Ramakrishna story!
