Network Security and Digital Forensics (A Survey)
By Dr T.H. Chowdary
Director: Center for Telecom Management and Studies
Fellow: Tata Consultancy Services
Chairman: Pragna Bharati (Intellect India)
Former: Chairman & Managing Director, Videsh Sanchar Nigam Limited & Information Technology Advisor, Government of Andhra Pradesh
T: +91 (40) 6667-1191 (O), 2784-3121 (R); F: +91 (40) 6667-1111
[email protected]
At Siddhartha Engineering College, Vijayawada
13 April 2015
What I Cover in this Talk
• I. Sensational Leaks by Greatest Hackers bring Security Center-Stage
• II. CERT-In: Watches Security Breaches and Helps Recoveries and Suggests Counter Measures
• III. Cryptography
• IV. Internet of Things Compounds Security
• V. Infection & Exfiltration
• VI. War in Cyber Space
• VII. Digital Forensics
• VIII. India's Security Resources: Some Key Players
thc_Ctms 2S728_April2015
I. Sensational Leaks by Greatest Hackers bring Security Center-Stage
Largest Source of Information (1)
• Library of Congress of the USA
• Encyclopedia Britannica
• Library (Hermitage) in St. Petersburg (Russia)
• NONE OF THE ABOVE
Largest Source of Information: WIKIPEDIA (2)
• Encyclopedia Britannica had the largest sales in Y2000
• It stopped printing in 2012 after 250 years!
• Wikis launched in 1994 by Howard Cunningham in USA
• Wikipedia in Y2001
• 6th most popular website (Ref: P28, CSI Jan 2014)
World's Most Sensational Security Breaks
• Wikileaks published secret (leaked) information in 2010
• Collateral Murder video (April 2010)
• Afghanistan War Logs (July 2010)
• Iraq War Logs (Oct 2010)
• 2,50,000 Diplomatic Cables (Nov 2010)
• Guantanamo Files (April 2011)
• Accused by Australia's Prime Minister Julia Gillard
• US Vice President Joe Biden called him a terrorist
The Sensational Hacker: Assange
• Julian Assange: born 1971
• Hacking from age 16
• Son of a thrice-divorced mother
• Married at age 18, in 1989
• Separated in 1999
• Son, a software designer
• Living in the office room of the Ecuador Embassy in London; watched by policemen waiting to arrest him; cost of the watch £6.5 mln (about Rs. 40 cr) for 2 years
• Sweden wants him extradited in a sex assault case
• Now under US criminal investigation
Assange's Book
• In his book "Cypherpunks" Assange wrote: "...the Internet our greatest tool for emancipation has been transformed into the most dangerous facilitator of totalitarianism we have ever seen".
Supporters & Facilitators of Assange
• Brazil's President Luiz Inacio Lula da Silva
• Awards won:
• Sam Adams Award 2010
• Le Monde Readers' Choice 2010
• Sydney Peace Foundation 2011: Gold Medal for Peace with Justice
• Amnesty International UK: 2009
• (Awardees: Nelson Mandela, Dalai Lama, Daisaku Ikeda)
Edward Snowden (May 20, 2013 flew to Hong Kong)
• June 2013
• Formerly of CIA; worked for DELL; NSA outpost in Japan
• Booz Allen Hamilton consulting
• 1000s of classified docs
• Global surveillance
• Hero, whistleblower, dissident, patriot, traitor
• Balance between National Security & Information Privacy
• Telephone Metadata; Release of National Docs
• HK, Russia
• Bill Snowden follows Assange: releases thousands of US CIA documents
II. CERT-In: Watches Security Breaches and Helps Recoveries and Suggests Counter Measures
Indian websites defaced during 2013 (pie chart, share by domain)
.in 64%   .com 29%   .org 4%   others 2%   .net 1%
Year-wise summary of Security Incidents handled

Security incidents                        2004  2005  2006  2007  2008  2009   2010   2011   2012   2013
Phishing                                     3   101   339   392   604   374    508    674    887    955
Network Scanning/Probing                    11    40   177   223   265   303    277   1748   2866   3239
Virus/Malicious Code                         5    95    19   358   408   596   2817   2765   3149   4160
Spam                                         -     -     -     -   305   285    181   2480   8150  54677
Website Intrusion & Malware Propagation      -     -     -     -   835  6548   6344   4394   4591   5265
Others                                       4    18    17   264   148   160    188   1240   2417   3484
Total                                       23   254   552  1237  2565  8266  10315  13301  22060  71780

(Source: www.cert-in.org.in)
Botnet Incidents in 2013 (bar chart: bot-infected systems per month, Jan to Dec; y-axis 0 to 25,000,000; monthly values not recoverable from the extracted text)
(Source: www.cert-in.org.in)
Cyber Intrusion during October 2014 (pie chart)
Spam 75.30%   Website defacement 20.50%   Spread of malware 2.10%   Tech Help 1.10%   Phishing 0.60%   n/w Scanning 0.30%   Malicious code 0.10%
Defacements tracked during May-14 to Oct-14
May/14  Jun/14  Jul/14  Aug/14  Sep/14  Oct/14
1659    1126    1432    1385    819     963
Domain-wise Defacements tracked during October-14
.com  .org  .net  .in   others
306   52    13    566   26
Spam tracked during May-14 to Oct-14
May/14  Jun/14  Jul/14  Aug/14  Sep/14  Oct/14
12413   7531    7796    7340    6141    3543
Open Proxy Servers tracked during May-14 to Oct-14
May/14  Jun/14  Jul/14  Aug/14  Sep/14  Oct/14
261     233     299     241     302     251
III. Cryptography
Privacy & Security
• Privacy: not to be exposed to others (pictures, communications)
• Security: none to break in, exfiltrate, efface, replace, distort
• Maharashtra village, Shingnapur
• No house has doors, only door-frames & window frames
• Security taken care of by God, Shani! (who is believed to kill any thief)
• Privacy: by door & window curtains
• (Ref: CSI Communications: May 2013)
Cryptography (1)
• Hiding information
• Message on scalp, shaved head
• Hair growth; shave again to read
• Caesar's Cipher: shift the alphabet
• Germany WWII ciphers Enigma & Lorenz
• Broken by William Thomas Tutte and his student team at Waterloo 'varsity, Canada
• Cryptography as science
• 1975: Diffie & Hellman
• Discrete Logarithm Problem (DLP)
• Diffie & Hellman Algorithm
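The Diffie & Hellman algorithm and the Discrete Logarithm Problem it rests on, as an added worked example (my code, not from the slides). Two parties derive the same secret from public values alone; an eavesdropper who wants that secret must solve g^x = h (mod p), which is only feasible when p is tiny. The prime, generator and function names below are constructed for the demo; real deployments use primes of 2048 bits or more.

```python
# Added example, not from the slides: a toy Diffie-Hellman key agreement over
# a small prime, plus a brute-force solver for g^x = h (mod p). It shows that
# both parties reach the same secret from public values alone, and that the
# secret stays private only while the Discrete Logarithm Problem (DLP) is
# too costly to solve. The prime and generator below are constructed values.
import secrets

TOY_P = 2_147_483_647   # 2^31 - 1, a prime; far too small for real use
TOY_G = 7               # generator shared by both parties (constructed value)


def dh_keypair(p: int = TOY_P, g: int = TOY_G):
    """Choose a random private exponent a and publish A = g^a mod p."""
    private = secrets.randbelow(p - 2) + 1        # 1 <= a <= p - 2
    public = pow(g, private, p)
    return private, public


def dh_shared_secret(own_private: int, peer_public: int, p: int = TOY_P) -> int:
    """Each side computes (peer_public)^own_private mod p; both obtain g^(ab)."""
    return pow(peer_public, own_private, p)


def exchange(p: int = TOY_P, g: int = TOY_G):
    """Run one exchange and return the two sides' derived secrets."""
    a_priv, a_pub = dh_keypair(p, g)
    b_priv, b_pub = dh_keypair(p, g)
    return dh_shared_secret(a_priv, b_pub, p), dh_shared_secret(b_priv, a_pub, p)


def brute_force_dlog(g: int, h: int, p: int, limit: int):
    """Exhaustive search for x in [0, limit) with g^x = h (mod p).

    This is what an eavesdropper must do to recover a private exponent from
    a public value; the cost grows with the group size, so it only succeeds
    for toy parameters. Returns None when no x below `limit` works.
    """
    acc = 1
    for x in range(limit):
        if acc == h:
            return x
        acc = (acc * g) % p
    return None


def recover_secret(a_pub: int, b_pub: int, p: int, g: int, limit: int):
    """Derive the shared secret from the two public values alone, if the DLP
    can be solved within `limit` steps; None means the parameters held."""
    a_priv = brute_force_dlog(g, a_pub, p, limit)
    return None if a_priv is None else dh_shared_secret(a_priv, b_pub, p)


if __name__ == "__main__":
    s1, s2 = exchange()
    print("secrets agree:", s1 == s2)
    # With p = 23 the whole group is searched in at most 23 steps.
    _, a_pub = dh_keypair(23, 5)
    _, b_pub = dh_keypair(23, 5)
    print("toy secret recovered from public values:", recover_secret(a_pub, b_pub, 23, 5, 23))
```

The defender's lesson is in the last two functions: the same brute force that finishes instantly for p = 23 is what a 2048-bit prime makes infeasible, so parameter size, not the algebra, is what keeps the secret private.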
Cryptography (2)
• Non-repudiation
• Authentication
• Private-public key
• SSL/TLS was developed by Netscape in 1994, standardised by IETF; uses the stream cipher RC4, which has been attacked
• Indigenous cryptography products by 2020
• Foreign ones may have trapdoors
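How the RC4 point above is acted on in practice, as an added example (my code, not from the slides): a TLS client configuration that can never negotiate RC4 or other long-broken suites, with helpers to audit what the context would actually offer. It uses only Python's standard ssl module; the cipher-string policy, marker list and function names are my own choices.

```python
# Added example, not from the slides: a TLS client configuration that refuses
# the RC4 stream cipher named above (and other long-broken suites), plus two
# helpers to audit what a context would actually negotiate. It relies only on
# Python's standard ssl module; the cipher-string policy below is my own choice.
import ssl

WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "MD5")   # substrings of suites to refuse

# OpenSSL cipher-list syntax: allow only forward-secret AEAD suites and
# explicitly exclude the weak families, so no library default can bring them back.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5"


def hardened_client_context() -> ssl.SSLContext:
    """Default context (certificate verification on) with TLS 1.2+ and a strict cipher list."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites matching a weak marker; an empty list means the audit passed."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_MARKERS)]


def permits_rc4(cipher_string: str) -> bool:
    """Would this cipher string let RC4 be negotiated on this OpenSSL build?"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False      # no suite matched at all: the build has none of them
    return any("RC4" in c["name"].upper() for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("weak suites found:", weak_ciphers(ctx))
```

`permits_rc4` deliberately treats "no cipher can be selected" as a refusal rather than an error: on current OpenSSL builds RC4 is compiled out, and the audit should report that state instead of crashing.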
Cryptography (3)
• Muni Kumudendu, a Jain savant, crafted a great epic, Siri Bhuvalaya, scripted in numerals about 1000 years ago
• Integers (range 1 to 64) arranged in a 27 x 27 matrix, called a Chakra
• 1270 chakras available to yield 600,000 slokas
• Scheme to decipher chakras is called Bandhas
• (Source: CSI Coms May 2013, P 17 A&B)
IV. Internet of Things Compounds Security
Global Internet Device Installed Base Forecast (stacked chart, 2004 to 2018; y-axis 0 to 60,000,000; series: Personal computers, Smart phones, Tablets, Internet of Things, Smart TV, Wearables; per-year values not recoverable from the extracted text)
(Source: CSI Communications, April 2014)
The Internet of Things: How the Next Evolution of the Internet (CISCO)

                               2003     2010      2015     2020
World Population (bln)          6.3      6.8       7.2      7.6
Connected Devices           500 mln  12.5 bln    25 bln   50 bln
Connected Devices per Person   0.08     1.84      3.47     6.58

(Source: Cisco IBSG, April 2011; CSI Communications, April 2014)
V. Infection & Exfiltration
NSA (USA) Infects Computers
• Click-jacking (technique of stealing clicks), also known as UI redressing
• Discovered and made public in Y2008 by Jeremiah Grossman and Robert Hansen
• Remedy: virtual (soft) keyboards and strong antivirus solutions (Ref: CSI Coms Jan 2014; p 38)
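The server-side defence against click-jacking / UI redressing, as an added example (my code, not from the slides): a site stops its pages being loaded inside another site's frame by sending the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive, and an audit can classify responses by which of those it finds. The sample response headers, the verdict labels and the function names are my constructions.

```python
# Added example, not from the slides: an audit of the server-side defence
# against click-jacking / UI redressing, namely refusing to let the page be
# loaded inside another site's frame. Two response headers carry that policy:
# the older X-Frame-Options and the Content-Security-Policy frame-ancestors
# directive, which takes precedence when both are present. The sample
# response headers below are constructed for the demo.


def parse_csp(value: str) -> dict:
    """Split a CSP header into {directive: [source, ...]}; quotes are stripped
    so 'none' and 'self' compare as plain keywords."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'\"").lower() for t in tokens[1:]]
    return directives


def frame_protection(headers: dict) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if ancestors == ["none"] or not ancestors:
                return "denied"          # 'none', or an empty source list, matches nothing
            if ancestors == ["self"]:
                return "same-origin"
            if "*" in ancestors:
                return "unprotected"     # wildcard: any site may frame the page
            return "restricted"          # an explicit allow-list of origins

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete; current browsers ignore the whole header, so it
    # gives no protection in practice. Anything else is an invalid value.
    return "unprotected"


def audit(responses: dict) -> dict:
    """Run frame_protection over {name: headers} and return {name: verdict}."""
    return {name: frame_protection(hdrs) for name, hdrs in responses.items()}


# Constructed sample responses (hostnames use the reserved .example domain)
SAMPLE_RESPONSES = {
    "legacy-deny":    {"X-Frame-Options": "DENY"},
    "csp-wins":       {"X-Frame-Options": "SAMEORIGIN",
                       "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "partner-embed":  {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "obsolete-allow": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "wildcard":       {"content-security-policy": "frame-ancestors *"},
    "no-headers":     {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:15s} {verdict}")
```

Two details matter when reading the verdicts: a CSP frame-ancestors directive overrides X-Frame-Options, so "csp-wins" is denied even though its X-Frame-Options says SAMEORIGIN, and the obsolete ALLOW-FROM value is reported as unprotected because browsers that do not understand it discard the header entirely.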
How the NSA "Infects" Computers
• The NSA and the Pentagon's Cyber Command have implanted nearly 100,000 "computer network exploits" around the world.
• 1. Tiny transceivers are built into USB plugs and inserted into target computers. Small circuit boards may be placed in the computers themselves by a third party.
• 2. The transceivers communicate with a briefcase-sized NSA field station up to 13 km away. They can also transmit malware, including the kind used in attacks against Iran's nuclear facilities.
• 3. The field station communicates back to the NSA
• Program is code-named Quantum
• Russia, China, USA do these
• Israeli brain
VI. War in Cyber Space
Cyber Weapons
• Viruses, worms, Trojans
• In 2010 a computer security firm in Belarus found a self-replicating program on a client's computer in Iran
• First called W32, later Stuxnet
• Attack on SCADA systems (power, oil...): Programmable Logic Controllers (PLCs) captured and destructively activated
• Stuxnet, DUQU, Wiper, Flame, Gauss, Mini Flame
• Jeffrey Carr, analyst, proved that the INSAT-4B satellite was taken down by STUXNET to serve China's businesses!
• (CSI Coms Dec 2013)
Geographic Distribution of Stuxnet (share of infections, %)
Iran 58.85   Indonesia 18.22   India 8.31   Azerbaijan 2.57   USA 1.56   Pakistan 1.28   Others 9.2
(Source: CSI Communications, Dec 2013)
Cyber Warfare Expense of Countries
• NATO (2012): Upgrading the cyber defense capabilities and enabling the NATO Computer Incident Response Capability to achieve full operational capability by the end of 2012. 58M €
• US (2013-2017): With a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber-offence to meet military needs. 1.54B $
• UK (2012): Extra investment to develop deterrents to hostile viruses and hackers. 650M £
• Israel (from 2012): Expense of more than $13 million in the coming years to develop new technologies for cyber defense. 13M $
• China: China does not have very clear accounting transparency, but some experts estimate that China's cyber security market will expand remarkably in the coming years, from a valuation of $1.8 billion in 2011 to $50 billion by 2020. ?
• Iran (2012): In December Tehran announced an ambitious plan to improve its cyber-warfare capabilities, developing new technologies and creating a new team of cyber experts. 1B $
Information Warfare
• China, USA, Russia, Iran, Israel, Pakistan, South Korea, India
• China's deadliest Hacktivist army
• Revelations from:
• University of Toronto: Report of Munk School of Global Affairs
• Shadows in the Cloud, 06-04-2010
• Shadow Server Foundation
• Munk discovered GhostNet in March 2009
• China's Cyber force: 50,000
• Exfiltrates information from 1295 computers in 103 countries
• 30% had high value content
China: The Cyber Warrior
• Hundreds/thousands are trained in I.W. in academies run by the PLA, e.g. Wuhan 'varsity
• Raised militia units since Y2002 drawn from Cos. (like our TA) and academia
• Huawei & ZTE: specialists in wireless technologies
• Sichuan & Xinjiang (Uighur) are locales for the militias
• (Source: Jayadev Ranade, Indian Express, 12.04.2010)
China: The Cyber Warrior contd.
• Chengdu, capital of China's Sichuan Province, in league with officially tolerated hacker organisations NSFOCUS and EVILOCTAL, linked to the PLA
• University of Science & Technology in Chengdu hosts hackers
• Information Warfare Doctrine in the book "Unrestricted Warfare" by Sr. Colonels of the PLA
State Sponsored Actors
• China, Iran, Korea
• Advanced Persistent Threat (APT)
• Reconnaissance and investigation of your network infrastructure & information assets
China: The Foremost Information War (IW) Power contd.
• China's Hacktivist communities
• The Chinese hacker community: there are thousands of web-based groups. They are developing malware tools. The community is engaged in large-scale politically motivated denial of service attacks, data destruction and web defacements of foreign networks. They are HACKTIVISTS. They trade attacks with their counterparts in the USA, Japan, Taiwan, Indonesia and South Korea.
VII. Digital Forensics
Digital Forensics
• Investigation of artifacts present in one or more digital devices & reconstruction of the sequence of events that must have transpired in generating the artifacts.
• Rooted in Locard's exchange principle: "It is impossible for a criminal to act, especially considering the intensity of the crime, without leaving traces of this presence"
• Trace and determine the set of all events that transpired in the crime in which digital devices are involved
• (Ref: P.27, CSI Coms Nov 2013)
Evidence Identification
• Evidence Acquisition & Preservation
• Evidence Examination
• Evidence Analysis

Different stages in the digital forensic process (diagram): Evidence Identification -> Evidence Acquisition & Preservation -> Evidence Examination -> Evidence Analysis -> Documentation -> Evidence Presentation
(Source: CSI Communications, Nov 2013)
Traditional method of conducting forensic analysis on different sources (diagram)

Source                              Process                                                          Outcome     Consolidation
Forensic image of hard disk drive   Examination of files -> Analysis of files                        Reporting   Corroboration of evidence
Memory dumps                        Examination of memory structures -> Analysis of memory structures  Reporting   (across all four sources)
System and application logs         Examination of log records -> Analysis of log records            Reporting
Network packet capture              Examination of network packets -> Analysis of network packets    Reporting

(Source: CSI Communications, Nov 2013)
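The Acquisition & Preservation stage and the Corroboration step from the two diagrams above, as an added worked example (my code, not from the slides or from CSI Communications). An evidence item is fingerprinted with SHA-256 when acquired and re-checked before it is examined, so any alteration in between is detected; records from a system log and a firewall log are then merged into one timeline, which is how the "sequence of events" named in the definition is reconstructed and how an event seen in more than one source is corroborated. The image bytes, log lines, IP addresses (documentation ranges) and function names are all my constructions.

```python
# Added example, not from the slides: the Acquisition & Preservation and
# Corroboration stages in code. An evidence item is fingerprinted with SHA-256
# when acquired and re-checked later, so any alteration between acquisition and
# presentation is detected; then records from two independent sources are merged
# into one timeline and searched for events that both sources attest to. The
# "disk image" bytes, log lines and addresses below are all constructed.
import hashlib
from datetime import datetime, timezone


def acquire(image: bytes, label: str) -> dict:
    """Preservation record made at acquisition: what was taken and its hash."""
    return {"label": label, "size": len(image),
            "sha256": hashlib.sha256(image).hexdigest()}


def verify(image: bytes, record: dict) -> bool:
    """Integrity check before examination or presentation: recompute and compare."""
    return (len(image) == record["size"]
            and hashlib.sha256(image).hexdigest() == record["sha256"])


# Constructed sample records from two sources (IPs from documentation ranges)
SYSLOG = [
    "2015-04-13T09:14:02Z sshd: accepted password for admin from 203.0.113.7",
    "2015-04-13T09:16:40Z sudo: admin ran /bin/tar czf /tmp/db.tgz /var/lib/db",
]
FIREWALL = [
    "2015-04-13T09:13:58Z ALLOW tcp 203.0.113.7:51823 -> 192.0.2.10:22",
    "2015-04-13T09:17:05Z ALLOW tcp 192.0.2.10:44012 -> 198.51.100.9:443 bytes=48211033",
]


def parse_record(line: str, source: str) -> dict:
    """Records start with an ISO-8601 UTC timestamp followed by free text."""
    stamp, _, message = line.partition(" ")
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "source": source, "message": message}


def build_timeline(sources: dict) -> list:
    """Merge {source_name: [lines]} into one list ordered by time."""
    events = [parse_record(line, name) for name, lines in sources.items() for line in lines]
    return sorted(events, key=lambda e: e["time"])


def corroborating_sources(timeline: list, needle: str) -> set:
    """Distinct sources whose records mention `needle`; two or more means the
    event is corroborated rather than resting on a single artifact."""
    return {e["source"] for e in timeline if needle in e["message"]}


def reconstruct(image: bytes, record: dict, sources: dict, needle: str) -> dict:
    """Full pass: refuse to proceed on an image that fails verification."""
    if not verify(image, record):
        return {"status": "integrity-failure"}
    timeline = build_timeline(sources)
    return {"status": "ok",
            "order": [e["source"] for e in timeline],
            "corroborated_by": corroborating_sources(timeline, needle)}


if __name__ == "__main__":
    img = b"\x00" * 512 + b"MBR-sample" + b"\xff" * 512      # constructed "image"
    rec = acquire(img, "disk0-constructed")
    print(reconstruct(img, rec, {"syslog": SYSLOG, "firewall": FIREWALL}, "203.0.113.7"))
```

The order of the merged timeline is the point: the firewall records the inbound connection four seconds before the system log records the login, and the outbound transfer appears only after the archive was built, so the two artifacts confirm each other's account of the sequence.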
VIII. India's Security Resources: Some Key Players
India's Security Resources: Some Key Players
• Data Security Council of India is an initiative of NASSCOM. DSCI is developing best practices for Data Security and Data Privacy.
• Computer Emergency Response Team monitors computer security incidents as and when they occur. It also maintains a database of incidents and is supposed to study trends and patterns related to intruder activity.
• National Technical Research Organisation is the nodal agency for technical intelligence and surveillance.
India's Security Resources: Some Key Players contd.
• Army Cyber Security Establishment is supposed to protect and secure the army's information networks.
• Defence Intelligence Agency is to provide timely, objective and cogent military intelligence to defence planners and defence and national security policy makers.
• (Source: The New Indian Express, 11 April 2010)
Further Information
• My website: www.drthchowdary.net. Click on:
• Crime & Security in Cyber Space
• The Noble & Ignoble in Cyber Space
• Cyber Times: Cyber Laws
• Cyber Fraud & Crime
• Militarization of Cyber Space & Weaponisation of Software
Dhanyawad: Thanks