
Cyber Analytics Project


Presentation Transcript


  1. Cyber Analytics Project Analyzing collaboration in hacker forums, .edu domain vulnerabilities and cross site scripting attacks

  2. Executive Overview
  • Overview
    • Research done by University of Arizona MIS graduate students
    • Analysis of current cyber security vulnerabilities, the potential risks associated with them, and past attack events
  • Scope
    • Explore cyber security threats across multiple domains (Public, Education)
  • Basis for the analysis
    • The priority of a finding is determined by the combination of the worst-case impact of the finding’s vulnerability [if exploited] and the likelihood of that vulnerability being exploited
    • Websites and web applications are one of, if not the, leading target of cyber-attack
  • Resources used
    • Hacker Web
    • Shodan

  3. Team Members
  • Akash Agarwal (Hacker Web): MIS graduate student, University of Arizona
  • Karan Dhingra (Hacker Web): MIS graduate student, University of Arizona
  • Damini Khurana (Shodan): MIS graduate student, University of Arizona
  • Krittika Patil (Shodan): MIS graduate student, University of Arizona

  4. Research Areas
  • Vulnerabilities in the public domain
    • Cross site scripting (XSS)
    • Exposed web and security cameras
  • Vulnerabilities in the education domain
    • Trends in susceptible devices in the education domain
  • Analysis of Hacker Web
    • Social hierarchy/structure

  5. Literature References
  • Know Your Enemy: The Social Dynamics of Hacking – Holt, Kilger (2012)
  • Cross-Site Scripting Worms & Viruses: The Impending Threat & the Best Defense – Jeremiah Grossman, Founder and CTO, WhiteHat Security (2012)
  • Cyber security and universities: managing the risk – Universities UK (2013)
  • Universities Face a Rising Barrage of Cyberattacks. The New York Times [New York] – Pérez-Peña, R. (2013, July 16)

  6. Research Question 1
  • Background
    • In the education domain, digital information is critical to the functioning of institutions, as well as to feeding research
    • The education domain requires high levels of interrelated communication, exposing educational servers and data to cyber attacks
    • This can lead to theft of precious research, identity and even financial data
  • What are the trends in susceptible devices/servers in the education domain?
    • Over a period of time, the educational institutions of which countries are most vulnerable to this attack?
    • Extrapolating the trends in volumes of potentially susceptible devices into the near future, can we predict how these volumes will increase/decrease?
  • Potential benefit of analysis
    • Understand the concentration of exposed devices worldwide
    • Future trends indicating volumes of potential vulnerabilities at specific locations that need to be addressed

  7. Research Design
  • Tools used
    • Python
    • Shodan
    • Tableau
  • Method: Collection
    • Two-phase collection, focused on vulnerable devices hosted on educational domains
    • Shodan search parameter “hostname:.edu”, issued through the Shodan API
    • Filtering out records that
      • Return a 400-series (denial) response
      • Show a successful ‘Anonymous Login’

  8. Analysis
  • Method: Analysis for sub question 1
    • Python API: export Shodan results to a CSV file to facilitate analysis and visualization
    • Search parameter: location information such as longitude, latitude, city and country code
    • The distribution of vulnerabilities across educational centers in cities was analyzed in Tableau using a Filled Map
  • Method: Analysis for sub question 2
    • Python script: retrieve the dates at which these vulnerable devices were picked up by Shodan, using the ‘after’ tag to limit results to recent years, and export the results to Excel
    • The raw data was cleaned and grouped by date using Excel pivot tables
    • A regression analysis was run on the results using Excel’s Data Analysis ToolPak
    • The trend was best fitted by a polynomial (degree 2) function rather than a linear function of time; the resulting equation was used to predict the count of vulnerable devices likely to be found in the near future
    • For the prediction analysis, ‘Date’ was converted to a numerical value, the ‘day number’, counted from the first day for which data is available
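An added Python walk-through of the slide 7–8 pipeline (example code, not the team's own script): it applies the two exclusion rules from slide 7 to Shodan-style banner records, buckets the survivors by ‘day number’ counted from the first date seen, and fits the degree-2 polynomial trend of slide 8 with plain least squares instead of Excel's ToolPak. The banner records are constructed to mimic the shape of Shodan API matches (a `timestamp` and the raw `data` field); they are not real Shodan output.

```python
import re
from collections import Counter
from datetime import date
# Constructed banners shaped like Shodan API matches (timestamp + raw data), not real data.
RAW = [
    ("2014-01-01", "HTTP/1.1 200 OK\r\nServer: Apache"),
    ("2014-01-01", "HTTP/1.1 403 Forbidden"),                           # 4xx: dropped
    ("2014-01-02", "220 FTP ready\r\n230 Anonymous login successful"),  # dropped
    ("2014-01-04", "HTTP/1.1 404 Not Found"),                           # 4xx: dropped
] + [("2014-01-02", "HTTP/1.1 200 OK")] * 2 + [("2014-01-03", "HTTP/1.1 200 OK")] * 4 \
  + [("2014-01-04", "HTTP/1.1 200 OK")] * 7
BANNERS = [{"timestamp": d + "T00:00:00", "data": s + "\r\n"} for d, s in RAW]

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")
ANON_RE = re.compile(r"^230 .*anonymous", re.IGNORECASE | re.MULTILINE)

def keep_banner(banner):
    """Slide 7's two exclusion rules: drop 4xx denials and successful anonymous logins."""
    status = STATUS_RE.match(banner["data"])
    if status and 400 <= int(status.group(1)) < 500:
        return False
    return ANON_RE.search(banner["data"]) is None   # FTP '230' reply after anonymous login

def daily_counts(banners):
    """Surviving banners per day as (day number, count); day 0 is the first date seen."""
    per_day = Counter(date.fromisoformat(b["timestamp"][:10])
                      for b in banners if keep_banner(b))
    first = min(per_day)
    return [((day - first).days, n) for day, n in sorted(per_day.items())]

def fit_quadratic(points):
    """Least-squares fit of count = a*d^2 + b*d + c via the normal equations."""
    m = [[0.0] * 4 for _ in range(3)]               # augmented 3x3 system
    for d, n in points:
        x = (d * d, d, 1.0)
        for i in range(3):
            for j in range(3):
                m[i][j] += x[i] * x[j]
            m[i][3] += x[i] * n
    for i in range(3):                               # Gauss-Jordan elimination
        m[i] = [v / m[i][i] for v in m[i]]
        for k in range(3):
            if k != i:
                m[k] = [kv - m[k][i] * iv for kv, iv in zip(m[k], m[i])]
    return tuple(row[3] for row in m)                # (a, b, c)

def predict(coeffs, day_number):
    """Slide 8's extrapolation: the fitted polynomial evaluated at a future day."""
    return coeffs[0] * day_number ** 2 + coeffs[1] * day_number + coeffs[2]
```

With the constructed data the daily counts are 1, 2, 4, 7, so the fit returns a = 0.5, b = 0.5, c = 1 and `predict` for day 5 gives 16; on real exports the prediction should, as slide 11 notes, be limited to a few months ahead.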

  9. Research Findings (sub question 1)

  10. Research Findings (sub question 1)
  • The chart depicts a concentration of vulnerabilities in a few prominent educational cities
  • Taipei, Japan, a city that boasts 8 universities ranked among the top universities in the world, has the highest number of vulnerabilities
  • Seattle, a celebrated educational center, is also high on the list, with an alarmingly large number of susceptible devices
  • Chicago, a large educational hub housing more than 10 major universities, has surprisingly few exposed devices, leading us to conclude that these universities have better protective and preventive measures in place to protect precious research

  11. Research Findings (sub question 2)
  • Analyzing the volume of exposed devices over a timeline, we observed a clear and sharp increase in devices found over the last month, continuing an increasing trend that began in October 2013. The increasing trend was preceded by a low plateau over the previous year
  • Extrapolating the results, we predicted a continuing increase, with more and more devices being unearthed over March and April. The prediction has been limited to a few months into the future to preserve its likelihood of accuracy

  12. Research Question 2
  • Background
    • Cross site scripting (XSS): XSS attacks can lead to theft of credit card information and user credentials, and can even redirect users to malware-hosting domains
    • Webcams and IP cameras are especially exposed to remote viewing and control, as demonstrated through Shodan. Backdoors are easily installed since passwords are often left at default settings, protective settings are not turned on, and users are not sufficiently aware of these loopholes, leaving them exposed to voyeurism, theft and malicious targeting
  • What is the correlation between Cross Site Scripting vulnerabilities and the number of internet users in various countries?
    • In a more positive context, is the use of internet-enabled cameras more prevalent in countries with a high internet-penetration percentage?
    • How do the parameters discussed above fare when compared to each other?
  • Potential benefits of analysis
    • Through this question, we aim to understand the concentration of XSS-vulnerable devices as a function of the distribution of internet-enabled devices across the world

  13. Research Design
  • Tools used
    • Hacker Web
    • Rapid Miner
  • Method: Collection
    • Querying Hacker Web and analyzing the posts with the Rapid Miner text-mining tool, it was found that XSS attacks were one of the common tools used by hackers to explore web application layer vulnerabilities
    • If a browser has the parameter X-XSS-Protection set to 1 then it is not vulnerable to XSS attacks. This is the default browser setting. However, if this setting is changed to X-XSS-Protection: 0; then the browser can be prone to XSS attacks
    • In our research, we are analyzing the association between XSS attacks, Internet Penetration and Standard of Living

  14. Analysis
  • Method: Analysis for sub question 1
    • Use the Shodan API to extract data using the search string “X-XSS-Protection: 0;”
    • Choose the relevant countries such that there is an equal distribution across the segments based on Internet Penetration and Number of Internet Users, along with XSS-vulnerable sites
    • Create a pivot to determine the distribution of vulnerable devices by country
  • Method: Analysis for sub question 2
    • Search Shodan through the Shodan API with the search string “webcam http 200 ok”
    • Segregate the results by country, latitude and longitude
    • Populate the results into a spreadsheet
    • Create a pivot table to determine the count of vulnerable webcams

  15. Research Findings
  • The chart depicts the correlation between the number of Internet Users, Internet Penetration, XSS-vulnerable devices and vulnerable webcams
  • A correlation matrix was plotted to capture the association between internet penetration and XSS-vulnerable devices
  • From the correlation matrix we can see that there is a maximum positive correlation (0.95) between Internet Penetration and XSS-vulnerable devices
  • It shows that as internet penetration in various countries increases, there is an equivalent or greater increase in XSS-vulnerable devices and attacks

  16. Research Findings
  • The graph depicts the correlation between standard of living in various countries and vulnerable webcams (a positive correlation of 0.71 was found)
  • This shows that in countries with a high standard of living there is an increase in vulnerable internet-enabled cameras
  • Egypt is an outlier and was excluded from the correlation calculations
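An added Python example (not the team's own code) covering the slide 13–16 procedure end to end: it classifies HTTP responses by the `X-XSS-Protection` header, which is a response header the server sends and which a `0` value uses to switch off the browser's reflected-XSS filter, builds slide 14's per-country pivot, and computes the Pearson correlation against internet penetration with the outlier exclusion of slide 16. The banner records, per-country counts and penetration percentages are constructed sample data, not Shodan results or ITU statistics.

```python
import math
from collections import Counter

def make_banner(country_code, header_line):
    """Construct a record in the shape of a Shodan HTTP match (sample data, not real)."""
    return {"location": {"country_code": country_code},
            "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n" + header_line + "\r\n\r\n<html>"}

# Constructed per-country counts of servers sending `X-XSS-Protection: 0;` plus two
# control records that must not be counted. Penetration percentages are made up too.
COUNTS = {"US": 4, "DE": 3, "BR": 2, "IN": 1, "EG": 9}
BANNERS = [make_banner(cc, "X-XSS-Protection: 0;") for cc, n in COUNTS.items() for _ in range(n)]
BANNERS += [make_banner("US", "X-XSS-Protection: 1; mode=block"),
            make_banner("DE", "X-Frame-Options: DENY")]
PENETRATION = {"US": 80, "DE": 60, "BR": 40, "IN": 20, "EG": 30}

def xss_filter_disabled(http_data):
    """True when the response headers carry X-XSS-Protection: 0, i.e. the server
    told the browser to switch off its reflected-XSS filter (slide 13)."""
    headers = http_data.split("\r\n\r\n", 1)[0].split("\r\n")[1:]   # skip status line
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-xss-protection":
            return value.split(";")[0].strip() == "0"
    return False                                                     # header absent

def pivot_by_country(banners):
    """Slide 14's pivot: number of XSS-exposed responses per country code."""
    return Counter(b["location"]["country_code"]
                   for b in banners if xss_filter_disabled(b["data"]))

def pearson(xs, ys):
    """Pearson correlation coefficient, one entry of slide 15's correlation matrix."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

def correlate(pivot, penetration, exclude=()):
    """Correlate per-country counts with penetration %, optionally dropping
    outliers the way slide 16 drops Egypt."""
    countries = sorted(c for c in penetration if c not in exclude)
    return pearson([penetration[c] for c in countries],
                   [pivot.get(c, 0) for c in countries])
```

With the constructed data the correlation is 1.0 once "EG" is excluded and close to zero with it included, which is the effect an outlier has on a small country sample.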

  17. Research Question 3
  • Background
    • Hackers have traditionally collaborated in strong communities, extending mutual support and building a sense of ‘hacker ethic’
    • No longer restricted by geographical location, hacker communities are now online and mostly group themselves by language and area of interest
    • Hacker Web offers a goldmine of information for studying the hierarchical and collaborative structure of these forums
  • Using Hacker Web, analyze
    • The extent of collaboration between hackers in the different Hacker Web forums
    • A comparison of the social structures of the forums based on the language of the forum
    • The different kinds of hierarchies seen in hacker forums
  • Potential benefits of analysis
    • Such information is vital to improving the understanding of the nature of attackers around the world

  18. Research Design
  • Tools used
    • MySQL
    • Gephi
    • Hacker Web
  • Method: Collection
    • Extracted threads from Hacker Web forums in which multiple users have collaborated, using simple SQL queries
    • Found a large number of ‘non-participative’ users in the forums (a non-participative user is defined as one who has made fewer than 5 posts)
    • These users were excluded from our analysis

  19. Analysis
  • Method: Analysis
    • Based on the threads and users, we performed social network analysis on the dataset using Gephi, applying the ‘Force Atlas’ algorithm to visualize the social network
    • Gephi uses the authors as ‘nodes’ and builds ‘edges’ between two authors who have posted on the same thread. The thickness of an edge represents the extent of communication between the two authors. The resulting graph of all the authors (excluding the non-participative ones) shows that most forums’ users form a number of small communities. Some users (probably the experienced ones) are part of several such communities.
    • We grouped the forums based on the language spoken in them. The languages were English, Russian, Arabic and Chinese (Mandarin).
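An added Python example (not the team's own code) of the slide 18–19 preparation step: it drops non-participative authors using slide 18's threshold, links every pair of remaining authors who posted in the same thread with a weight equal to the number of shared threads, reports the average degree that the following slides compare across forums, and emits the edge list in the Source,Target,Weight layout Gephi's spreadsheet importer accepts. The thread data is constructed sample input, not Hacker Web content.

```python
from collections import Counter
from itertools import combinations

MIN_POSTS = 5   # slide 18: fewer than 5 posts means 'non-participative'

# Constructed sample forum data, thread_id -> author of each post in order.
# Not taken from Hacker Web.
THREADS = {
    1: ["alice", "bob", "alice", "bob", "alice"],
    2: ["alice", "carol", "alice", "carol"],
    3: ["bob", "carol", "bob", "bob"],
    4: ["dave", "erin", "dave", "erin", "fred"],
    5: ["dave", "erin", "dave", "erin", "erin", "fred"],
    6: ["carol", "dave", "carol"],
}

def participative_authors(threads, min_posts=MIN_POSTS):
    """Authors with at least min_posts posts across all threads."""
    posts = Counter(author for authors in threads.values() for author in authors)
    return {author for author, n in posts.items() if n >= min_posts}

def build_graph(threads, min_posts=MIN_POSTS):
    """Slide 19's graph: nodes are participative authors, an edge joins two authors
    who posted in the same thread, and the weight counts the threads they share."""
    nodes = participative_authors(threads, min_posts)
    edges = Counter()
    for authors in threads.values():
        members = sorted(set(authors) & nodes)        # one link per pair per thread
        for a, b in combinations(members, 2):
            edges[frozenset((a, b))] += 1
    return dict(edges), nodes

def degrees(edges, nodes):
    """Number of distinct collaborators per author."""
    deg = {node: 0 for node in nodes}
    for pair in edges:
        for node in pair:
            deg[node] += 1
    return deg

def average_degree(edges, nodes):
    """Gephi's average degree for an undirected graph: 2E / N."""
    return 2 * len(edges) / len(nodes) if nodes else 0.0

def gephi_edge_list(edges):
    """Edge list in the Source,Target,Weight CSV layout Gephi's importer accepts."""
    rows = ["Source,Target,Weight"]
    for pair, weight in sorted(edges.items(), key=lambda kv: sorted(kv[0])):
        src, dst = sorted(pair)
        rows.append(f"{src},{dst},{weight}")
    return "\n".join(rows)
```

On the sample data "fred" is excluded, the graph has 5 nodes and 5 edges (average degree 2.0), and the "dave"–"erin" edge carries weight 2 because they share two threads.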

  20. Analysis
  • Hackhound (English forum): Average Degree 2.18
  • Xakepok (Russian forum): Average Degree 1.138

  21. Analysis
  • Hackdark (Chinese forum): Average degree 1.779
  • Mihandownload (Arabic forum): Average degree 0.979

  22. Research Findings
  • Hackhound (English forum)
    • Does not have a clear structure
    • No clear clusters or communities are formed
    • Indicates a highly collaborative environment
    • The average degree is 2.18, which means that each user, on average, collaborates with 2.18 other users. In comparison with the other forums, this is a very high value
    • Blue dots indicate the users that have a high out-degree
  • Xakepok (Russian forum)
    • Partially structured
    • 2 major communities
    • The average degree of 1.138 indicates a lower level of collaboration
    • Strict hierarchy in this forum
    • One user who is extremely influential in the forum (the blue dot in the center) could possibly be the moderator of the forum
    • Each cluster has a central author who is at the top of the hierarchy. The internal points of contact are below the central author, while the other users form the lowest tier

  23. Research Findings
  • Hackdark (Chinese forum)
    • Mixed structure, few clear clusters
    • The average degree is 1.779, indicating a mix of high collaboration along with clear cluster formation
    • A clear, dark blue dot with edges going out in all directions. Similar to Xakepok, this person handles a larger number of disparate clusters and individual users, and could be a moderator
    • This forum differs from Xakepok in the absence of a second tier in the hierarchy
    • The clusters do not have an internal point of contact; collaboration inside the clusters is mixed, with no clear leader
  • Mihandownload (Arabic forum)
    • The most distinct clusters of all the forums in Hacker Web
    • The average degree is only 0.979, indicating a very low degree of collaboration
    • There is no hierarchy in this forum, as seen from the absence of any central node
    • Each cluster has a central node around which the collaboration seems to take place. Further, some of the clusters are loosely interconnected, but most have no common members at all
    • Indicates a strict community culture

  24. References
  • Cyber security and universities: managing the risk. Retrieved from http://www.universitiesuk.ac.uk/highereducation/Documents/2013/CyberSecurityAndUniversities.pdf
  • Universities Face a Rising Barrage of Cyberattacks. The New York Times [New York]. Retrieved from http://www.nytimes.com/2013/07/17/education/barrage-of-cyberattacks-challenges-campus-culture.html?pagewanted=all&_r=0
  • http://www.numbeo.com/quality-of-life/rankings_by_country.jsp
  • http://www.itu.int/ (aggregated by http://en.wikipedia.org/)
  • http://resources.infosecinstitute.com/how-to-prevent-cross-site-scripting-attacks/
  • http://www.hpenterprisesecurity.com/collateral/report/2011FullYearCyberSecurityRisksReport.pdf
  • http://www.nowires.org/Papers-PDF/ICGeS_egov.pdf
  • https://bora.uib.no/bitstream/handle/1956/1901/Paper_7_Moen.pdf?sequence=36
  • http://praetorianprefect.com/archives/2010/10/paypal-sender-country-xss/
