Network Security and Digital Forensics ( A Survey) By DR T.H. CHOWDARY Director: Center for Telecom Management and Studies Fellow: Tata Consultancy Services.

Network Security and Digital Forensics

( A Survey)

By

DR T.H. CHOWDARY

Director: Center for Telecom Management and StudiesFellow: Tata Consultancy Services

Chairman: Pragna Bharati (intellect India )Former: Chairman & Managing Director

Videsh Sanchar Nigam Limited &Information Technology Advisor, Government of Andhra Pradesh

T: +91(40) 6667-1191(O) 2784-3121®F: +91 (40) 6667-1111

[email protected]@ Siddhartha Eng.Clge: Vijayawada

13 April 2015

What I Cover in this

• 1. Sensational Leaks by Greatest Hackers bring Security Center-Stage

• II.CERT-I : Watches Security Breachesand Helps Recoveries and Suggests Counter Measures

• III. Cryptography• IV. Internet of Things, Compounds Security• V. Infection & Exfiltration• VI. War in Cyber Space• VII. Digital Forensics• VIII. India’s Security Resources

Some Key Playersthc_Ctms 2S728_April2015

I. Sensational Leaks by

Greatest Hackers bring Security Center-Stage

thc_Ctms 3S728_April2015

Largest Source of Information (1)

• Library of Congress of the USA• Encyclopedia Britannica• Library (Hermitage) in St.Petersburg (Russia)• NONE OF THE ABOVE


Largest Source of Information-WIKIPEDIA (2)

• Encyclopedia Britannica had the largest sales in Y2000

• It stopped printing in 2012 after 250 years!• Wikis launched in 1994 by Howard

Cunningham in USA• Wikipedia in Y2001• 6th most popular website (Ref: P28, CSI Jan 2014)


World’s most Sensational Security Breaks

• Wikileaks published secret information (leaked) in 2010• Collateral Murder video(April 2010) • Afghanistan War Logs (July 2010)• Iraq War Logs (Oct 2010)• 2,50,000 Diplomatic Cables (Nov 2010)• Guantanamo Files (April2011)• Accused by Australia’s Prime Minister Julia Gillard• US Vice President Joe Biden called him terrorist


The Sensational Hacker:Asange

• Julian Asange: born 1971• Hacking from age 16,• Son of thrice divorced mother• Married at age 18, in 1989• Separated in 1999• Son, a software designer• Living in the office room of Equador Embassy in London;

watched by policemen waiting to arrest him; cost of watch £ 6.5 mln ( about Rs. 40 cr) for 2 years

• Sweden wants him to be extridited in a sex assault case.• Now under US Criminal Investigation


Asange’s Book…

• In his book, “Cyber Punks” Asange wrote”…the Internet our greatest tool for emancipation has been transformed into the most dangerous facilitator of totalitarianism we have ever seen”.


Supporters & Facilitators of Asange

• Brazil’s Prez Luiz Inacio Lula de Silva• Awards won• Sam Adams Award 2010• Le Monde Readers’ Choice 2010• Sydney Peace Foundation 2011• Gold Medal for Peace with Justice• Amnesty International UK: 2009• (Awardees: Nelson Mandela, Dalai Lama, Daisaku

I-keda) thc_Ctms 9S728_April2015

Edward Snowden(May 20, 2013 flew to Hong Kong)

• June 2013 • Formerly of CIA; worked for DELL; NSA outpost in Japan• Booze Allen Hamilton consulting • 1000s of classified docs• Global surveillance• Hero, wistleblower, dissident, patriot, traitor• Balance between National Security & Information Privacy • Telephone Metadata Release of National Docs• HK, Russia• Bill Snowden follows Assange- Releases thousands of US CIA

Documents


II. CERT-IWatches Security Breaches

andHelps Recoveries

andSuggests Counter Measures


S728_April2015 12

Indian websites defaced during 2013

64%

1%4%

29%

2%

Sales

.in .net .org .com others

.in

Others

.com

.org

.net

thc_Ctms

S728_April2015 13

Year-wise summary of Security Incidents handled

Security incidents

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Phishing 3 101 339 392 604 374 508 674 887 955

Network Scanning/Probing

11 40 177 223 265 303 277 1748 2866 3239

Virus/Malacious Code

5 95 19 358 408 596 2817 2765 3149 4160

Spam - - - - 305 285 181 2480 8150 54677

Website Intrusion & Malware Propagation

- - - - 835 6548 6344 4394 4591 5265

Others 4 18 17 264 148 160 188 1240 2417 3484

Total 23 254 552 1237 2565 8266 10315 13301 22060 71780

(Source: www.cert-in.org.in)thc_Ctms

S728_April2015 14

Botnet Incidents in 2013

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec0

5000000

10000000

15000000

20000000

25000000

Bot infected Systems

(Source: www.cert-in.org.in)thc_Ctms

S728_April2015 15

Cyber Intrusion during October 2014

20.50%

75.30%

2.10% 0.60% 1.10% 0.10% 0.30%

Website defacementSpamSpread of malwarePhishingTech HelpMalicious coden/w Scanning

thc_Ctms

S728_April2015 16

Defacements tracked during May-14 to Oct-14

May/14 Jun/14 Jul/14 Aug/14 Sep/14 Oct/14

1659

1126

1432 1385

819963

thc_Ctms

S728_April2015 17

Domain-wise Defacements tracked during October-14

.com .org .net .in others

306

5213

566

26

thc_Ctms

S728_April2015 18

Spam tracked during May14 to Oct-14


12413

7531 7796 73406141

3543

thc_Ctms

S728_April2015 19

Open Proxy Servers tracked during May14 to Oct-14


261233

299

241

302

251

thc_Ctms

III. Cryptography


Privacy & Security

• Privacy: not to be exposed to others ( pictures, communications)

• Security: None to break-in, to exfiltrate, efface, replace, distort

• Maharashtra village, Shingnapur• No house has doors, only door-frames & window frames• Security taken care of by God, Shani! ( who is believed

to kill any thief)• Privacy: by door & window curtains• ( Ref: CSI Communications: May 2013)


Cryptography (1)

• Hiding information• Message on scalp, shaved head• Hair growth – Shave again to read• Caesar’s Cipher-Shift the alphabet• Germany WWII –cyphers Enigma & LorenZ • Broken by William Thomas Tuttu and his student team at

Waterloo ‘varsity Canada• Cryptography as science • 1975-Diffle& Hellman• Discrete Logarithm problem (DLP)• Diffle & Helman Algorithm thc_Ctms 22S728_April2015

Cryptography (2)

• Non repudiation• Authentication• Private-public key• SSL/TLS was developed by Netscape in1994

standardised by IETF uses steam cipher RC 4 has been attacked

• Indigenous cryptography products by 2020• Foreign ones may have trapdoors


Cryptography (3)

• Muni Kumudendu, a Jain Savant crafted a great epic Siri Bbhuvalaya scripted in numerals about 1000 years ago

• Integers ( range 1 to 64) arranged in 27 X 27 matrix, called Chakra

• 1270 chakras available to yield 600,000 slokas• Scheme to decipher chakras is called Bandhas• (Source CSI Coms May 2013) P 17 A&B


IV. Internet of Things Compounds

Security


S728_April2015 26

Global Internet Device Installed Base Forecast

20042006

20082010

20122014

20162018

0

10000000

20000000

30000000

40000000

50000000

60000000

Wearablessmart TVInternet of ThingsTabletsSmart phonesPersonal computers

(Source: CSI Communications, April 2014)thc_Ctms

S728_April2015 27

The Internet of Tings – How the Next Evolution of the Internet (CISCO)

2003 2010 2015 2020

World Population (Bln) 6.3 6.8 7.2 7.6

Connected Devices 500 mln 12.5 bln 25 bln 50 bln

Connected Devices Per Person

0.08 1.84 3.47 6.58

(Source: Cisco IBSG, April 2011; CSI Communications, April 2014)

(Source: CSI Communications, April 2014)

thc_Ctms

V. Infection&

Exfiltration


NSA (USA) Infects Computers

• Click-jacking (Technique of stealing clicks) (also known as UI-Redressing)• Discovered and mad pubic in Y2008 by

Jeremiah Grossman and Robert Hansen.• Remedy: Virtual (soft) keyboards and strong

antivirus solutions(Ref: CSI Coms Jan 2014; p 38)


How the NSA “Infects” Computers• The NSA and the Pentagon’s Cyber Command have implanted

nearly 100,000 “computer network exploites” around the world.• 1. Tiny transceivers are built into USB plugs and inserted into

target computers. Small circuit boards may be placed in the computers themselves by a third party.

• 2. The transceivers communicate with a briefcase-sized NSA field station up to 13 km away. They can also transmit malware, including the kind used in attacks against Iran’s nuclear facilities.

• 3. The field station communicates back to the NSA • Program in code-named quantum• Russia, China, USA do these • Israeli brain


VI. War inCyber Space


Cyber Weapons

• Viruses, worms, Trojans• In 2010 A computer security firm in Belarus found a self-

replicating program on a clients computer in Iran. • First called W32, later Stux net• Attack on SCADA systems (power, oil…) programmable Logic

Controllers (PLCs) captured and destructively activated • Stux net; DUQU, Wiper, Flame, Gauss, Mini Flame• Jeffry Kar, Analyst proved that INSAT 4B satellite was taken

down by STUXNET to serve China’s businesses !• (CSI Coms Dec 2013)


S728_April2015 33

Geographic Distribution of Stuxnet

Iran Indonesia India Azerbauan USA Pakistan Others0

10

20

30

40

50

6058.85

18.22

8.312.57 1.56 1.28

9.2

Series 1

(Source: CSI Communications, Dec 2013) thc_Ctms

S728_April2015 34

Cyber warfare expense of countriesNATO 2012 Upgrading the cyber defense capabilities and enable the

NATO Computer Incident Response Capabilities to achieve full operational capabilities by the end of 2012

58M€

US 2013-2017

With a cyber budget of $1.54 billion from 2013 to 2017, DARPA will focus increasingly on cyber-offence to meet military needs

1.54b$

UK 2012 Extra Investment to develop deterrents to hostile viruses and hackers

650M £

Israel From 2012

Expense of more than $13 million in the coming years to develop new technologies for cyber defense

13M $

China China do not have very clear accounting transparency, but its estimated by some of the experts that China’s Cyber Security market will expand remarkably in the coming year, from a valuation of $1.8 billion in 2011 to $50 billion by 2020

?

Iran 2012 On December Tehran announced an ambitious plan to improve it s cyber-warfare capabilities developing new technologies and creating new team of cyber experts

1B $

thc_Ctms

Information Warfare

• China, USA, Russia, Iran, Israel, Pakistan, South Korea, India• China’s deadliest Hactivist army• Revelations from:• University of Toronto: Report of Munk School of Global

Affairs• Shadows in the Cloud 06-04-2010• Shadow Server Foundation• Munk discovered Ghost Net in March 2009• China’s Cyber force-50,000• Exfilters information from 1295 computers in 103 countries• 30% had high value content


S728_April2015 36

China: The Cyber Warrior

• Hundreds/thousands are trained in I.W in academies run by the PLA . Eg: Wuhan Varsity

• Raised militia units since Y 2002 drawn from Cos. ( like our TA) and Academia

• HUAWI & ZTE- specialists in wireless technologies• Sichuan & XingJian – Uighur are locales for the

Militias (Source: Jayadev Ranade Indian Express

12.04.2010)

thc_Ctms

S728_April2015 37

China: The Cyber Warrior contd..

• Chengdu capital of China’s Sichwan Province, in league with officially tolerated hacker organisation - NSFOCUS, EVILOCTAL linked to PLA

• University of Science &Technology in Chengdu – hosts hackers• Information Warfare Doctrine in the book-

Unrestricted Warfare by Sr. Colonels of the PLA

thc_Ctms

State Sponsored Actors

• China, Iran, Korea• Advanced Persistent Threat (APT)• - Reconnaissance and investigation of your

network infrastructure & information assets


S728_April2015 39

China- The Foremost Information War (IW) Power contd..

• China’s Haktivist communities

• The Chinese hacker community. They are thousands of web based groups. They are developing malware tools. The community is engaged in large scale politically motivated denial of service attacks, data destruction and web-defacements of foreign networks. They are HACTISTS . They trade attacks with their counter parts in the USA, Japan, Taiwan, Indonesia and South Korea.

thc_Ctms

VII. Digital Forensics


Digital Forensics

• Investigation of artifacts present in one or more digital devices & reconstruction of the sequence of events that must have transpired in generating the artifacts.

• Born in Locard’s exchange principle• “It is impossible for a criminal to act, especially

considering the intensity of the crime, without leaving traces of this presence”

• Trace and determine the set of all events that transpired in the crime in which digital devices are involved

(Ref: P.27, CSI Coms Nov23)


Evidence Identification

• Evidence Acquisition & Preservation• Evidence Examination• Evidence Analysis


Evidence identification

Evidence Acquisition & Preservation

Evidence Examination

Evidence Analysis Documentation

Evidence Presentation

Different stages in the digital forensic process

(Source: CSI Communication, Nov 2013)


S728_April2015 44

Examination of files

Analysis of filesForensic image of Hard disk

drive

Memory dumps

System and application

logs

Source Process Outcome Consolidation

Corroboration of evidence

Examination of memory structures

Examination of log records

Examination of network packets

Analysis of memory structures

Analysis of log records

Analysis of network packets

Reporting

Reporting

Reporting

Reporting

Network packet capture

Traditional method of conducting forensic analysis on different sources

(Source: CSI Communications, Nov 2013)thc_Ctms

VIII. India’s Security ResourcesSome Key Players


S728_April2015 46

India’s Security ResourcesSome key players

• Data Security Council of India is an initiative of NASSOM.DSCI is developing best practices for Data Security and Data Privacy.

• Computer Emergency Response Team monitors computer security incidents as and a when they occur. It also maintains a database of incidents and is supposed to study trends and patterns related to intruder activity.

• National Technical research Organisation is the nodal agency for technical intelligence and surveillance.

thc_Ctms

S728_April2015 47

India’s Security ResourcesSome key players contd..

• Army Cyber Security establishment is supposed to protect and secure the army’s information networks.

• Defence Intelligence Agency is to provide timely, objective and cogent military intelligence to defence planners and defence and national security policy makers.(Source: The New Indian Express 11 April 2010)

thc_Ctms

S728_April2015 48

Further Information

• My website: www.drthchowdary.netClick on:• Crime & Security in Cyber Space• The Noble & Ignoble in Cyber Space• Cyber Times: Cyber Laws• Cyber Fraud & Crime• Militarization of Cyber Space &Weponisation of Softwarethc_Ctms

http://www.drthchowdary.net/

Dhanyawad:Thanks


Network Security and Digital Forensics ( A Survey) By DR T.H. CHOWDARY Director: Center for Telecom Management and Studies Fellow: Tata Consultancy Services.

Documents

april2015 slide

security centerstage

compounds security

network security

terrorist thc

keda thc

largest source of information

indias security resources