Wisconsin Union Directorate Cybersecurity, Hacking, Privacy April 28, 2014 Nicholas Davis, CISSP, CISA

Cybersecurity, Hacking, and Privacy


DESCRIPTION

A presentation I am giving this evening, as a guest speaker, invited by the Wisconsin Union Directorate, on the topics of cybersecurity, hacking, and privacy. The presentation covers some timely topics, such as: Hacking, Botnets, Deep Web, Target Stores Data Breach, Bitcoin and Ransomware. The presentation is designed to educate, stimulate conversation and entertain and is open to all students, faculty and staff of UW-Madison, who are interested in learning more about computer security and IT threats.


Page 1: Cybersecurity, Hacking, and Privacy

Wisconsin Union Directorate

Cybersecurity, Hacking, Privacy

April 28, 2014

Nicholas Davis, CISSP, CISA

Page 2: Cybersecurity, Hacking, and Privacy

Agenda

• Introduction

• Hacking

• Botnets

• Deep Web

• Target Breach

• Ransomware

• Q&A – Anything goes!

Page 3: Cybersecurity, Hacking, and Privacy

Nicholas Davis

• Undergraduate degree, UW-Madison

• Graduate degree UW-Madison

• Been around a few places

• Taught at UW-Madison, MATC, Cardinal Stritch

• Work at DoIT

• CISSP, CISA

Page 4: Cybersecurity, Hacking, and Privacy

Computer Hacking

In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.

Page 5: Cybersecurity, Hacking, and Privacy

Types of Hackers

• White hat

• Black hat

• Grey hat

• Elite hacker

• Script kiddie

• Neophyte

• Blue hat

• Hacktivist

• Nation state

• Organized criminal gangs

Page 6: Cybersecurity, Hacking, and Privacy

Hacking Methods

A typical approach in an attack on an Internet-connected system is:

Network enumeration: Discovering information about the intended target.

Vulnerability analysis: Identifying potential ways of attack.

Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis.

Page 7: Cybersecurity, Hacking, and Privacy

Security Exploits Used By Hackers

A security exploit is a prepared application that takes advantage of a known weakness. Common examples of security exploits are SQL injection, Cross Site Scripting and Cross Site Request Forgery, which abuse security holes that may result from substandard programming practice. Other exploits target services such as FTP, HTTP, PHP, SSH, Telnet and some web pages. These are very common in website/domain hacking.

Page 8: Cybersecurity, Hacking, and Privacy

Techniques

Vulnerability scanner

A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer.

Page 9: Cybersecurity, Hacking, and Privacy
Page 10: Cybersecurity, Hacking, and Privacy

Techniques

Password cracking

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.

Page 11: Cybersecurity, Hacking, and Privacy

Brute Force vs Dictionary
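To make the brute-force-versus-dictionary contrast on this slide concrete, here is an added Go example (not part of the presentation) that assesses a candidate password from the defender's side: it computes the keyspace an exhaustive search would face and checks whether a wordlist plus the cheap mangling rules cracking tools apply (trailing digits, "leet" substitutions) would find it anyway. The six-word wordlist is constructed for the example; real wordlists have millions of entries.

```go
package main

import (
	"math"
	"strings"
	"unicode"
)

// Constructed sample wordlist; a real one has millions of entries.
var wordlist = map[string]bool{
	"password": true, "letmein": true, "qwerty": true,
	"badger": true, "wisconsin": true, "monkey": true,
}

// Assessment is how a password fares against the two strategies on the slide.
type Assessment struct {
	Alphabet   int     // combined size of the character classes used
	BruteForce float64 // guesses for an exhaustive search: Alphabet^length
	Dictionary bool    // hit by the wordlist plus simple mangling rules
}

// alphabetSize sums the sizes of the character classes actually present;
// an exhaustive search only has to cover the classes that occur.
func alphabetSize(pw string) int {
	classes := []struct {
		in func(rune) bool
		n  int
	}{
		{unicode.IsLower, 26}, {unicode.IsUpper, 26}, {unicode.IsDigit, 10},
		{func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }, 33},
	}
	size := 0
	for _, c := range classes {
		if strings.IndexFunc(pw, c.in) >= 0 {
			size += c.n
		}
	}
	return size
}

// normalize undoes the cheap tricks wordlist tools apply automatically:
// trailing digits or punctuation and "leet" letter substitutions.
func normalize(pw string) string {
	base := strings.ToLower(strings.TrimRight(pw, "0123456789!"))
	return strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a",
		"@", "a", "$", "s", "5", "s").Replace(base)
}

// Assess combines the brute-force keyspace with the dictionary check.
func Assess(pw string) Assessment {
	alpha := alphabetSize(pw)
	space := math.Pow(float64(alpha), float64(len([]rune(pw))))
	return Assessment{alpha, space, wordlist[normalize(pw)]}
}
```

Note that "B@dger2014" draws on all four character classes (a 95-symbol alphabet, hopeless for brute force) yet falls to the dictionary immediately, which is why wordlist attacks are tried first.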

Page 12: Cybersecurity, Hacking, and Privacy

Techniques

Packet sniffer

A packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.

Page 13: Cybersecurity, Hacking, and Privacy

Packet Sniffer

Page 14: Cybersecurity, Hacking, and Privacy

Techniques

Spoofing attack (Phishing)

A spoofing attack involves one program, system or website that successfully masquerades as another by falsifying data and is thereby treated as a trusted system by a user or another program—usually to fool programs, systems or users into revealing confidential information, such as user names and passwords.

Page 15: Cybersecurity, Hacking, and Privacy

Phishing

Page 16: Cybersecurity, Hacking, and Privacy

Techniques

Rootkit

A rootkit is a program that uses low-level, hard-to-detect methods to subvert control of an operating system from its legitimate operators. Rootkits usually obscure their installation and attempt to prevent their removal through a subversion of standard system security.

Page 17: Cybersecurity, Hacking, and Privacy

Rootkit – Sick Computer

Page 18: Cybersecurity, Hacking, and Privacy

Techniques – Social Engineering

Intimidation

As in the "angry supervisor" technique above, the hacker convinces the person who answers the phone that their job is in danger unless they help them. At this point, many people accept that the hacker is a supervisor and give them the information they seek.

Page 19: Cybersecurity, Hacking, and Privacy

Techniques – Social Engineering

Helpfulness

The opposite of intimidation, helpfulness exploits many people's natural instinct to help others solve problems. Rather than acting angry, the hacker acts distressed and concerned. The help desk is the most vulnerable to this type of social engineering, as (a.) its general purpose is to help people; and (b.) it usually has the authority to change or reset passwords, which is exactly what the hacker wants.

Page 20: Cybersecurity, Hacking, and Privacy

Social Engineering Example Technique

Page 21: Cybersecurity, Hacking, and Privacy

Techniques – Social Engineering

Name-dropping

The hacker uses names of authorized users to convince the person who answers the phone that the hacker is a legitimate user him- or herself. Some of these names, such as those of webpage owners or company officers, can easily be obtained online. Hackers have also been known to obtain names by examining discarded documents.

Page 22: Cybersecurity, Hacking, and Privacy

Techniques – Social Engineering

Technical

Using technology is also a way to get information. A hacker can send a fax or email to a legitimate user, seeking a response that contains vital information. The hacker may claim that he or she is involved in law enforcement and needs certain data for an investigation, or for record-keeping purposes.

Page 23: Cybersecurity, Hacking, and Privacy

Social Engineering Works!

Page 24: Cybersecurity, Hacking, and Privacy

Trojan Horse

A Trojan horse is a program that seems to be doing one thing but is actually doing another. It can be used to set up a back door in a computer system, enabling the intruder to gain access later.

Page 25: Cybersecurity, Hacking, and Privacy

Virus

A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. By doing this, it behaves similarly to a biological virus, which spreads by inserting itself into living cells. While some viruses are harmless or mere hoaxes, most are considered malicious.

Page 26: Cybersecurity, Hacking, and Privacy

Computer Worm

Like a virus, a worm is also a self-replicating program. It differs from a virus in that (a.) it propagates through computer networks without user intervention; and (b.) does not need to attach itself to an existing program. Nonetheless, many people use the terms "virus" and "worm" interchangeably to describe any self-propagating program.

Page 27: Cybersecurity, Hacking, and Privacy

Keylogger

A keylogger is a tool designed to record ("log") every keystroke on an affected machine for later retrieval, usually to allow the user of this tool to gain access to confidential information typed on the affected machine.

Page 28: Cybersecurity, Hacking, and Privacy

Can Be Bought at Amazon!

Page 29: Cybersecurity, Hacking, and Privacy

Botnets

A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Page 30: Cybersecurity, Hacking, and Privacy

Legal Botnets

The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. A common bot used to set up botnets on IRC is eggdrop.

Page 31: Cybersecurity, Hacking, and Privacy

Illegal Botnets

Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).

Page 32: Cybersecurity, Hacking, and Privacy

Annoying Botnets

Page 33: Cybersecurity, Hacking, and Privacy

Botnet Recruitment

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into making a drive-by download, exploiting web browser vulnerabilities, or by tricking the user into running a Trojan horse program, which may come from an email attachment. This malware will typically install modules that allow the computer to be commanded and controlled by the botnet's operator. Depending on how it is written, a Trojan may then delete itself, or may remain present to update and maintain the modules.

Page 34: Cybersecurity, Hacking, and Privacy

How A Botnet Works

Page 35: Cybersecurity, Hacking, and Privacy

The Deep Web

The Deep Web (also called the Deepnet, Invisible Web, or Hidden Web) is World Wide Web content that is not part of the Surface Web, which is indexed by standard search engines. Some prosecutors and government agencies think that the Deep Web is a haven for serious criminality.

Page 36: Cybersecurity, Hacking, and Privacy

Deep Resources

Dynamic content: dynamic pages which are returned in response to a submitted query or accessed only through a form, especially if open-domain input elements (such as text fields) are used; such fields are hard to navigate without domain knowledge.

Page 37: Cybersecurity, Hacking, and Privacy

Deep Resources

Unlinked content: pages which are not linked to by other pages, which may prevent Web crawling programs from accessing the content. This content is referred to as pages without backlinks (or inlinks).

Page 38: Cybersecurity, Hacking, and Privacy

Deep Resources

Private Web: sites that require registration and login (password-protected resources).

Silk Road

Page 39: Cybersecurity, Hacking, and Privacy
Page 40: Cybersecurity, Hacking, and Privacy
Page 41: Cybersecurity, Hacking, and Privacy

Deep Resources

Contextual Web: pages with content varying for different access contexts (e.g., ranges of client IP addresses or previous navigation sequence).

Page 42: Cybersecurity, Hacking, and Privacy

Deep Resources

Limited access content: sites that limit access to their pages in a technical way (e.g., using the Robots Exclusion Standard, CAPTCHAs, or no-cache Pragma HTTP headers which prohibit search engines from browsing them and creating cached copies).

Page 43: Cybersecurity, Hacking, and Privacy

Deep Resources

Scripted content: pages that are only accessible through links produced by JavaScript as well as content dynamically downloaded from Web servers via Flash or Ajax solutions.

Page 44: Cybersecurity, Hacking, and Privacy

Deep Resources

Non-HTML/text content: textual content encoded in multimedia (image or video) files or specific file formats not handled by search engines.

Steganography

Page 45: Cybersecurity, Hacking, and Privacy

Steganography

Page 46: Cybersecurity, Hacking, and Privacy

Crawling the Deep Web

• Selecting input values for text search inputs that accept keywords,

• Identifying inputs which accept only values of a specific type (e.g., date),

• Selecting a small number of input combinations that generate URLs suitable for inclusion into the Web search index.

Page 47: Cybersecurity, Hacking, and Privacy

TOR (The Onion Router)

• Uses encryption

• Uses randomness to select hosts

• Tor (anonymity network)

Page 48: Cybersecurity, Hacking, and Privacy

Ahmia.fi: Deep Web Search Engine for Tor Hidden Services

https://ahmia.fi/search

Page 49: Cybersecurity, Hacking, and Privacy

The Target Data Breach

How Did it happen?

Why didn’t Target detect it?

What damage was caused?

Could it happen again?

Page 50: Cybersecurity, Hacking, and Privacy
Page 51: Cybersecurity, Hacking, and Privacy

Cryptolocker

A ransomware trojan which targets computers running Microsoft Windows and first surfaced in September 2013.

A CryptoLocker attack may come from various sources; one such is disguised as a legitimate email attachment.

Page 52: Cybersecurity, Hacking, and Privacy

Cryptolocker

When activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers.

The malware then displays a message which offers to decrypt the data if a payment is made by a stated deadline.

Page 53: Cybersecurity, Hacking, and Privacy
Page 54: Cybersecurity, Hacking, and Privacy

Cryptolocker

The malware threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

Page 55: Cybersecurity, Hacking, and Privacy

Money Paid

In December 2013 ZDNet traced four Bitcoin addresses posted by users who had been infected by CryptoLocker, in an attempt to gauge the operators' takings. The four addresses showed movement of 41,928 BTC between October 15 and December 18, about US$27 million at the time.

Page 56: Cybersecurity, Hacking, and Privacy

Money Paid

A survey by researchers at the University of Kent found that 41% of UK respondents who were Cryptolocker victims claimed to have agreed to pay the ransom, a figure much larger than expected; 3% had been conjectured by Symantec, and 0.4% by Dell SecureWorks. The average amount per infection in the U.S. is $300.

Page 58: Cybersecurity, Hacking, and Privacy

What is Bitcoin?

Bitcoin is a peer-to-peer payment system introduced as open source software in 2009 by developer Satoshi Nakamoto. The digital currency created and used in the system is also called bitcoin.

Page 59: Cybersecurity, Hacking, and Privacy

How Are Bitcoins Created?

Bitcoins are created as a reward for payment processing work in which users who offer their computing power verify and record payments into a public ledger. Called mining, individuals engage in this activity in exchange for transaction fees and newly minted bitcoins.

Page 60: Cybersecurity, Hacking, and Privacy

Bitcoin Mining Equipment

Page 61: Cybersecurity, Hacking, and Privacy

Bitcoin Anonymity?

The public nature of bitcoin means that, while those who use it are not identified by name, linking transactions to individuals and companies can be done. Additionally, many jurisdictions require exchanges, where people can buy and sell bitcoins for cash, to collect personal information.

Page 62: Cybersecurity, Hacking, and Privacy

Bitcoin Anonymity

In order to obfuscate the link between individual and transaction, some use a different bitcoin address for each transaction and others rely on so-called mixing services that allow users to trade bitcoins whose transaction history implicates them for coins with different transaction histories.

Page 63: Cybersecurity, Hacking, and Privacy

Bitcoin Proof of Ownership

The ownership of bitcoins associated with a certain bitcoin address can be demonstrated with knowledge of the private key belonging to the address. For the owner, it is important to protect the private key from loss or theft. If a private key is lost, the user cannot prove ownership by other means. The coins are then lost and cannot be recovered.
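The slide's point, that ownership is demonstrated by knowledge of the private key and is unrecoverable without it, can be shown with a challenge-and-signature exchange. The Go code below is an added example, not from the presentation or any Bitcoin software, and it simplifies on purpose: it uses Go's standard-library P-256 curve rather than Bitcoin's secp256k1, and its "address" is just the hex SHA-256 of the public key rather than Bitcoin's RIPEMD-160/Base58Check format. The challenge string is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// AddressOf derives an address from a public key. Simplification (an
// assumption of this example, not Bitcoin's format): hex SHA-256 of X||Y.
// Bitcoin uses RIPEMD-160(SHA-256(pubkey)) in Base58Check on secp256k1.
func AddressOf(pub *ecdsa.PublicKey) string {
	buf := make([]byte, 64)
	pub.X.FillBytes(buf[:32])
	pub.Y.FillBytes(buf[32:])
	sum := sha256.Sum256(buf)
	return hex.EncodeToString(sum[:])
}

// Prove signs the verifier's challenge with the address's private key. Only
// the key holder can do this; if the key is lost, no proof is possible.
func Prove(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify checks both links of the claim: the presented public key must hash
// to the claimed address, and the signature over this exact challenge must
// validate under that key. Either failing means no proof of ownership.
func Verify(address string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return AddressOf(pub) == address && ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs the scenario: the real owner proves control; an impostor with a
// different key, and a replay of the owner's old signature against a fresh
// challenge, are both rejected.
func Demo() (ownerOK, impostorRejected, replayRejected bool) {
	owner, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	impostor, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	address := AddressOf(&owner.PublicKey)
	challenge := []byte("constructed challenge nonce 2014-04-28")
	sig, _ := Prove(owner, challenge)
	fake, _ := Prove(impostor, challenge)
	ownerOK = Verify(address, &owner.PublicKey, challenge, sig)
	impostorRejected = !Verify(address, &impostor.PublicKey, challenge, fake)
	replayRejected = !Verify(address, &owner.PublicKey, []byte("a later nonce"), sig)
	return
}
```

The verifier must pick a fresh challenge each time; otherwise a signature captured once could be replayed by someone who never held the key.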

Page 64: Cybersecurity, Hacking, and Privacy

Bitcoin Wallet

Page 65: Cybersecurity, Hacking, and Privacy

Buying and Selling Bitcoins

Bitcoins can be bought and sold with many different currencies from individuals and companies. Perhaps the fastest way to purchase bitcoins is in person or at a bitcoin ATM for cash.

Page 66: Cybersecurity, Hacking, and Privacy

Status of Bitcoin (IRS)

The US Government Accountability Office reviewed virtual currencies upon the request of the Senate Finance Committee and in May 2013 recommended that the IRS formulate tax guidance for bitcoin businesses. On 25 March 2014, in time for 2013 tax filing, the IRS issued guidance that virtual currency is treated as property for US federal tax purposes and that "an individual who 'mines' virtual currency as a trade or business [is] subject to self-employment tax".

Page 67: Cybersecurity, Hacking, and Privacy

Q&A Session Anything Goes!

Nicholas Davis

https://www.facebook.com/nicholas.a.davis

Email [email protected]

Thank you!

Page 68: Cybersecurity, Hacking, and Privacy