
Cyber Crime Investigation

शिवकुमार G. Sivakumar சிவகுமார்

Computer Science and Engineering

भारतीय प्रौद्योगिकी संस्थान मुंबई (IIT Bombay) siva@iitb.ac.in

September 28, 2013

• The Good (Web 1.0, 2.0, 3.0) 20%

• The Bad (Threats, Vulnerabilities, Attacks) 50%

• The Ugly? (Defence, Offence, Forensics) 30% (How to Learn)

(2)

The Good side first!

How are you affected?

(3)

Internet (Web 1.0)

Milestones

[Figure: INTERNET GROWTH. Timeline running from the 70s through 82, 88, 93-97, 99 and 02, with counts of hosts, users, countries, domains and WWW sites; eras labelled Academic, LAN boom (TCP/IP, DoD funds), WWW, Java, Commercial users and E-commerce. Source: http://www.isc.org/]

Motto: Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...

WebTone like DialTone Basic Hardware (sine qua non!)

Democratized access to information! (Digital Divide)

(4)

Social Networking (Web 2.0)

The OS/system software that empowers users to become producers of knowledge and ensures their right to collaboration/assembly.

Examples: Wikipedia, Flickr, Orkut, Twitter, ....

Mantras: Architecture of participation, Wisdom of crowds, Better as more use - Long tail, Tagging, commenting, blogs, Open access (source/content) for Remix/Mashup

(5)

पूर्व पक्ष (Purva Paksha)

Web 1.0 may have democratized access to information, but it is like drinking water from a fire hose!

Search engines provide partial solutions, but cannot combine, categorize and infer!

Web 2.0 may have allowed right to assembly/collaboration, but

• Proliferated unreliable, contradictory information.

• Facilitated malicious uses including loss of privacy, security.

What do you want from Web 3.0?

What do you want to see/hear when you wake up?

I have a dream ...

(6)

Semantic Web (Web 3.0)

The application layer tapping the hardware (Web 1.0) and OS (Web 2.0)? Giving us right to knowledge!

[Diagram: knowledge graph centred on Ramana Maharishi]

• author-of: Naan Yaar?, Aksharamanamalai, Vichara Mani Mala, Reality in Forty Verses

• contemporaries: Kanchi Chandrasekara Saraswathi, Jiddu Krishnamurti

• Place: Tiruvannamali, Tamil Nadu

• Lived: 30/12/1879 to 14/4/1950

Combined, categorized information inferred from various sites, languages. www.dbpedia.org comes close today!

(7)

ज्ञानम् परमम् ध्येयम् (Knowledge is Ultimate Goal)

न चोरहार्यं न च राजहार्यं न भ्रातृभाज्यं न च भारकारी

व्यये कृते वर्धत एव नित्यं विद्याधनं सर्वधनप्रधानं

It cannot be stolen by thieves, cannot be taken away by the king, cannot be divided among brothers and does not cause a load. If spent, it always multiplies. The wealth of knowledge is the greatest among all wealths.

கற்றது கை மண் அளவு

கல்லாதது உலகு அளவு

What has been learned is like a fistful of sand, what remains is like the whole earth!

If I have seen further [than others] it is by standing on the shoulders of giants... Isaac Newton

विद्या ददाति विनयम् (Knowledge gives humility)

IIT Bombay’s motto is the title of this slide.

(8)

What’s Bad about Computers and Internet?

• “Can’t live with them, can’t live without them!”

• Know Your Enemy (threats/Vulnerabilities)

Can cyber/internet crimes cause events like the following?

• July 2006 Mumbai rains

• 26/11 attack on Mumbai

• Gulf of Mexico oil spill

• Mangalore air crash

• Stop all Mumbai local trains

• Damage BARC nuclear reactor

• Disrupt all Mumbai mobile phones? (Prof. Jhunjhunwala’s example)

• How to protect Critical National Infrastructure?

• Passive Defence

• Counter Intelligence (Technical side)

• Demo from atlas.arbor.net and cert-in.org.in

Your questions/suggestions now will be invaluable!

(9)

Security Concerns

Match the following!

Problems:

• Highly contagious viruses

• Defacing web pages

• Credit card number theft

• On-line scams

• Intellectual property theft

• Wiping out data

• Denial of service

• Spam E-mails

• Reading private files

• Surveillance

Attackers:

• Unintended blunders

• Disgruntled employees or customers

• Organized crime

• Foreign espionage agents

• Hackers driven by technical challenge

• Petty criminals

• Organized terror groups

• Information warfare

• ...

• Crackers vs. Hackers

• Note how many resources are available to attackers.

(10)

What are Cyber crimes?

Cybercrime: Activity in which computers or networks are a tool, a target, or a place of criminal activity. (Categories not exclusive).

• Against People

• Cyber Stalking and Harassment

• (Child) Pornography

• Phishing, Identity Theft, Nigerian 419

• Against Property

• Cracking

• Virus and Spam

• Software/Entertainment Piracy

• Trade secrets, espionage

• Cyber Terrorism!

• Hacktivism! (in some countries!)

• Information Warfare

(11)

Some Examples

Food for thought...

• Vikram Buddhi, Assange, Snowden

• Stuxnet

Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial control systems.

While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

• Flame (Iran Oil terminals, 2012)

• DarkSeoul

Check out Wikipedia for more.

(12)

Atlas.arbor.net

(16)

Real-time Intelligence - atlas.arbor.net

(17)

Who is scanning?

(18)

Who is hosting phishing sites?

(19)

Malicious Servers

(20)

2013 DBIR

2013 Data Breach Investigations Report (Verizon)

(22)

Mercenaries for Hire: HiddenLynx

(23)

2013 DBIR

(24)

cert-in.org.in

(28)

Excellent Training Programs

(29)

Internet Attacks Toolkits (Youtube)

(30)

Internet Attacks Timeline

From training material at http://www.cert-in.org.in/

(31)

Internet Attack Trends

From training material at http://www.cert-in.org.in/

(32)

Partial Landscape

(33)

Defending a Critical National Infrastructure

Recent fibre cut.

(34)

Defending a Critical National Infrastructure

Our Solution

(35)

What is a Computer Network?

(36)

So, what’s Internet?

• A bottom-up collection (interconnection) of networks

• TCP/IP is the only common factor

• Bureaucracy-free, reliable, cheap

• Decentralized, democratic, chaotic

• Internet Society (www.isoc.org)

• Internet Engineering Task Force (www.ietf.org)

(37)

Why is Internet Vulnerable?

Quick overview of how Internet works.

(38)

Denial of Service

Small shop-owner versus Supermarket

Crossmargs

Anamika

• What can the attacker do?

• What has he gained or compromised?

• What defence mechanisms are possible?

• Screening visitors using guards (who looks respectable?)

• VVIP security, but do you want to be isolated?

• what is the Internet equivalent?

DDOS increasingly the biggest worry on Internet. (Pearl Harbour comparison)

(39)

Yahoo DDoS attack

• A real example of network insecurity.

• Caused traffic to Yahoo to zoom to 100s of Mbps

• Broke the capacity of machines at Yahoo and its ISPs

• Internet Control Message Protocol (ICMP) normally used for good purposes.

• Ping used to check “are you alive?”

Ping a host: "Ping" is answered with "Yes". Typically small packet (64 bytes).

Ping a network: many replies. Used by system administrators to check local network.

(40)

Yahoo DDoS attack

[Figure: P1, P2, P3, ...: fake broadcast ping from Victim, sent to the MIT network (5000+), Stanford and Univ3.]

How many replies does unsuspecting victim get?

From whom? (respectable?)

DDOS (distributed denial of service attack)

Freely available for "script kiddies" to wreak havoc!
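A defender's view of the reply flood described on the two Yahoo DDoS slides, as an added example that is not from the original deck: it scans ICMP records and flags hosts that receive echo replies from many senders they never pinged. The record layout, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers

VICTIM = "203.0.113.5"            # constructed address (documentation range)

# Constructed sample records: (time_seconds, src_ip, dst_ip, icmp_type).
SAMPLE = [
    (0.0, "198.51.100.7", "192.0.2.10", ECHO_REQUEST),  # an admin pings one host
    (0.1, "192.0.2.10", "198.51.100.7", ECHO_REPLY),    # ...and gets the reply it asked for
]
# Forty hosts of one network answer a ping the victim never sent.
SAMPLE += [(1.0 + i / 100, f"192.0.2.{20 + i}", VICTIM, ECHO_REPLY) for i in range(40)]


def find_reflection_victims(records, window_s=5.0, min_sources=20):
    """Map each flooded host to the number of distinct unsolicited repliers.

    A reply counts as solicited only if its receiver sent an echo request to
    that same sender at most window_s seconds earlier.
    """
    last_request = {}                  # (requester, target) -> time of request
    unsolicited = defaultdict(set)     # receiver -> senders of unsolicited replies
    for t, src, dst, icmp_type in sorted(records):
        if icmp_type == ECHO_REQUEST:
            last_request[(src, dst)] = t
        elif icmp_type == ECHO_REPLY:
            asked = last_request.get((dst, src))
            if asked is None or t - asked > window_s:
                unsolicited[dst].add(src)
    return {host: len(srcs) for host, srcs in unsolicited.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    for host, count in find_reflection_victims(SAMPLE).items():
        print(f"{host}: echo replies from {count} hosts it never pinged")
```

A legitimate broadcast ping by an administrator looks the same to this check, so the threshold needs tuning per network.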

(41)

Vulnerabilities

Application Security

• Buggy code

• Buffer Overflows

Host Security

• Server side (multi-user/application)

• Client side (virus)

Transmission Security

Network Security

[Figure: parties A, B and C, one panel each for Secrecy, Integrity (Modification) (Fabrication) and Availability (Denial of Service attack).]

(42)

Security Requirements

Informal statements (formal is much harder)

• Confidentiality: Protection from disclosure to unauthorized persons

• Integrity: Assurance that information has not been modified without authorization.

• Authentication: Assurance of identity of originator of information.

• Non-Repudiation: Originator cannot deny sending the message.

• Availability: Not able to use system or communicate when desired.

• Anonymity/Pseudonymity: For applications like voting, instructor evaluation.

• Traffic Analysis: Should not even know who is communicating with whom. Why?

• Emerging Applications: Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!

(43)

Cryptography and Data Security

sine qua non [without this nothing :-]

• Historically who used first? (L & M)

• Code Language in joint families!

[Diagram of cryptographic building blocks, listed from the top row down]

• Confidentiality, Data Integrity, Authentication, Non-Repudiation

• Encryption, Message authentication, User Identification, Digital Signature

• Block Ciphers, Stream Ciphers, Hashing, Signatures

• Public-Key Methods, Secret Key Establishment, Key Management

(44)

Symmetric/Private-Key Algorithms

(45)

Asymmetric/Public-Key Algorithms

• Keys are duals (lock with one, unlock with other)

• Cannot infer one from other easily

• How to encrypt? How to sign?

(46)

Security Mechanisms

System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

Network Security:

Authentication Mechanisms “you are who you say you are”

Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

• Encryption, Digests, Signatures, ...

(47)

Network Security Mechanism Layers

[Diagram: two protocol stacks (Application, TCP/Socket, IP, Data Comm.) annotated with security mechanisms: S-HTTP, S-MIME; PGP; SSL, TLS; IPv6, AH, ..; Firewalls.]

Encryption can be done at any level!

Higher-up: more overhead (for each application) but better control

Cryptographic Protocols underlie all security mechanisms. Real Challenge to design good ones for key establishment, mutual authentication etc.

(48)

Exchanging Secrets

Goal: A and B to agree on a secret number. But, C can listen to all their conversation.

Solution? A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
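Why the LCM proposal fails against listener C, and one scheme that holds up, as an added example that is not from the original deck: Diffie-Hellman key agreement, which the slide does not name, is swapped in as the working answer. The three numbers, the modulus 2^127-1 and the base 3 are toy assumptions, far too small for real use.

```python
import math
from functools import reduce


def lcm_key(numbers):
    """The slide's proposal: the key is the LCM of the numbers A sends."""
    return reduce(lambda a, b: a * b // math.gcd(a, b), numbers)


# Toy public parameters, chosen here for illustration only. Real systems use
# standardized groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1   # a Mersenne prime
G = 3


def dh_public(private):
    """Value a party announces in the clear: G^private mod P."""
    return pow(G, private, P)


def dh_shared(my_private, their_public):
    """Key a party derives from its own secret and the other's announcement."""
    return pow(their_public, my_private, P)


def compare_schemes(a_private, b_private, numbers=(12, 18, 30)):
    """Run both schemes and report what the passive listener C ends up with."""
    # LCM scheme: everything needed for the key crosses the wire.
    heard = list(numbers)
    lcm_ab = lcm_key(numbers)
    lcm_c = lcm_key(heard)                   # C repeats A's arithmetic

    # Diffie-Hellman: only the public values cross the wire.
    a_pub, b_pub = dh_public(a_private), dh_public(b_private)
    key_a = dh_shared(a_private, b_pub)
    key_b = dh_shared(b_private, a_pub)
    # C hears P, G, a_pub and b_pub. Multiplying them gives G^(a+b), not
    # G^(a*b); getting a or b back out is the discrete-logarithm problem.
    c_guess = (a_pub * b_pub) % P
    return {
        "lcm_key": lcm_ab,
        "c_has_lcm_key": lcm_c == lcm_ab,
        "dh_keys_agree": key_a == key_b,
        "c_has_dh_key": c_guess == key_a,
    }


if __name__ == "__main__":
    import secrets
    a = secrets.randbelow(P - 3) + 2         # private values in [2, P-2]
    b = secrets.randbelow(P - 3) + 2
    print(compare_schemes(a, b))
```

This covers only the listening C of the slide; a C who can alter messages has to be stopped by authenticating the exchange.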

(50)

Mutual Authentication

Goal: A and B to verify that both know the same secret number. No third party (intruder or umpire!)

Solution? A tells B: I’ll tell you first 2 digits, you tell me the last two...
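Why the digit-split proposal fails and what a working exchange looks like, as an added example that is not from the original deck: a nonce-based challenge-response using HMAC-SHA256, which the slide does not name, stands in as the fix. The four-digit secret, the role labels and the message layout are illustrative assumptions.

```python
import hashlib
import hmac
import secrets


def digit_split_run(secret_a, secret_b):
    """The slide's proposal. Returns (on_the_wire, a_accepts_b).

    A sends its first two digits before learning anything about the peer;
    B answers with the last two digits of the number B holds.
    """
    from_a = secret_a[:2]
    from_b = secret_b[2:]
    return (from_a, from_b), hmac.compare_digest(from_b, secret_a[2:])


def tag(key, role, nonce_a, nonce_b):
    """HMAC over both nonces; the role label stops A's tag being replayed as B's."""
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()


def challenge_response_run(key_a, key_b):
    """Nonce-based mutual authentication.

    Returns (a_accepts, b_accepts, on_the_wire). The key never crosses the
    wire and fresh nonces make a recorded run useless later. The key must be
    high-entropy: a four-digit number could be guessed offline from one tag.
    """
    nonce_a = secrets.token_bytes(16)                       # 1. A -> B
    nonce_b = secrets.token_bytes(16)                       # 2. B -> A, with tag_b
    tag_b = tag(key_b, b"B", nonce_a, nonce_b)
    a_accepts = hmac.compare_digest(tag_b, tag(key_a, b"B", nonce_a, nonce_b))
    # 3. A -> B: A proves itself only after B has passed.
    tag_a = tag(key_a, b"A", nonce_a, nonce_b) if a_accepts else b""
    b_accepts = hmac.compare_digest(tag_a, tag(key_b, b"A", nonce_a, nonce_b))
    return a_accepts, b_accepts, (nonce_a, nonce_b, tag_b, tag_a)


if __name__ == "__main__":
    wire, _ = digit_split_run("4271", "4271")               # constructed secret
    print("listener rebuilds the secret:", "".join(wire))
    wire, ok = digit_split_run("4271", "0000")              # peer is an impostor
    print("impostor rejected:", not ok, "but was handed:", wire[0])
    key = secrets.token_bytes(32)
    print("same key:", challenge_response_run(key, key)[:2])
    print("wrong key:", challenge_response_run(key, secrets.token_bytes(32))[:2])
```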

(52)

Indian IT Act 2000

• Basic Legal Framework

• Electronic documents, signatures as evidence

• Cyber Crimes & Punishments

• Secn 43: Damage to Computers/Network

• Secn 65: Tampering source code

• Secn 66: “Hacking” (cracking)

• Secn 67: Obscenity (bazee.com!)

• Secn 69: Interception

• Several Initiatives (PKI, CERT-IN, Cyber cells, ...)

(53)

Forensics

From www.forensicswiki.org

(54)

Network Forensics

From en.wikipedia.org/wiki/Networkforensics

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

(55)

Certified Forensic Investigator

What are takeaways from such courses?

• Define and describe computer investigations

• Demonstrate correct methods of evidence gathering

• Use and evaluate various operating systems and file systems

• Equip a Forensics Lab with appropriate hardware and software

• Install, configure, and use various command-line and graphical software forensics tools

• Describe and compare various hardware devices employed by computer forensics experts

• Retrieve and analyze data from a suspect’s computer

• Summarize the evidence and write investigative reports

• Utilize the services of expert witnesses

• Recover file images, and categorize the data

• Examine and trace email messages

• Obtain and control digital evidence

(56)

Forensic Tools Testing by NIST

(58)

Log Files

Squid (proxy server) and Qmail (mail relay) at IIT Bombay

(59)

Squid Log Sample

One (funny?) case at IIT Bombay a few years back...

(60)

Nmap

(62)

Wireshark

(64)

Offence is Best Defence?

Honeypots - to attract bees. http://www.honeynet.org/

(65)

War Driving: Google way

(66)

War Driving: Mumbai Police
