Lecture 2

1. Basic Security Principles

 What are “digital” asset / valuables ?
o Information and Knowledge, Intelligence
 3 Protection Principles
o Confidentiality, Integrity, Availability (CIA)
 Friends
o Authenticity or Non‐repudiation (not to have a dispute with respect to a transaction
because it is digitally signed, or there is evidence to prove its “correctness”.

2. Common Cyber Security Misconceptions

3. Attack Techniques, Wireless Technologies and Security Vulnerabilities:

A vulnerability is a weakness which allows an attacker to reduce a system's information

assurance. Vulnerabilities are the intersection of three elements:
1. a system susceptibility or flaw,
2. attacker access to the flaw, and
3. capability to exploit the flaw.
To exploit, the attacker must have at least one tool/technique that can connect to a system
weakness. This is also known as the attack surface.

What is a zero day?

Never seen before & took you by surprise, hence no anti‐virus signature
Common zero days: Overflow Attacks, web applications (unicode, Cross Site Scripting,
cookie), database server attacks (injection attacks), content reader attacks (pdf, jpeg, video)

Techniques:
a. Password attacks:

4th Jan 2017 (Case Study)

These 2 security flaws allow processor exploits to steal passwords and other sensitive user data
from almost any device made in the past 20 years.

Brute Force Breaking:

In cryptography, a brute-force attack consists of an attacker submitting many passwords or
passphrases with the hope of eventually guessing correctly. The attacker systematically checks
all possible passwords and passphrases until the correct one is found. New discovery in the
technology and usage of Graphic Processing Unit (GPU) in video card and Solid State Disk
(SSD) can enhance the speed of cracking 14 characters password within 5 seconds.
Lecture 2

b. Social Engineering:
 Ruse to get a password and account issued.
 Fire drill exploit.
 Universal pass‐badge trick.
 Others: Acting dumb to get tech support

c. Phishing:
 Phishing attacks use ‘spoofed’ e‐mails and fraudulent websites to fool victims into
divulging personal financial data such as credit card numbers, user‐id and passwords,
and social security numbers. By hijacking the trusted brands of well‐known banks,
online retailers and credit card companies, phishers are able to convince up to 5% of
the recipients.

 Case Studies
Massive Gmail Phishing Attacks hits top U.S officials ‐ June 2011:
Hundreds of personal Gmail accounts were hacked as a result of a massive phishing
scheme. The hijackings were a result of stolen passwords, likely by malware installed on
victims’ computer. The phishing attacks emanated from Jinan, China

Top Federal Lab Hacked in spear‐phishing attack April 2011:

The attacker used an Internet Explorer zero‐day vulnerability that Microsoft patched
on April 12 to breach the lab’s network. The intrusion came in the form of spear‐
phishing email sent to the lab employees. The email included a link to a malicious web
page, where malware exploited IE’s vulnerability to download additional codes to users’
machines.

* Unlike spear-phishing attacks, phishing attacks are not personalized to their victims,
and are usually sent to masses of people at the same time.

Citibank
In Jan 2004, Citibank customers received email asking to logon to the Citibank website
to verify their email address. The URL in the email was a link to a bogus Citibank
website. Users have to key in their real Citibank account number and password to enter
that bogus site. Using the stolen account number and password, the attacker can do
fund transfers and many more on Citibank website!!!

More recently, on 14th June 2007, yet another phishing mail targeting Citi‐bank
customers were found circulating. Requested victims to update their account records by
16th June 2007.

d. Rootkits & (Remote Access) Trojan (RATs) programs: BO2K, Netbus, PoisonIvy
Attack on Target and Home Depot (2013)
Personal and financial info of about 110 million people, comprising 11 GB of data, was
stolen in a successful compromise during the Christmas shopping season 2013. Attackers
were undetected for almost 2 weeks, and is attributed to criminals in the Ukraine.

First they compromised a 3rd party contractor, who provides HVAC services to Target.
Probably used Target’s contractor portal as a point of presence to penetrate the internal
network and compromise an internal Windows file server. Likely that the attacker first
Lecture 2

compromised the Windows server and used it to find and compromise the point‐of‐sale
(POS) systems, where a trojan that finds clear‐text copies of credit card magnetic stripe
information was installed. None of the anti‐virus solutions on the market would have
detected the malware, dubbedTrojan.POSRAM, a variant of BlackPOS.

e. Drive by: browser attacks (infected on access).

f. Identity Theft
A $500,000 credit card fraud:
Two brothers from California were accused of scamming 21 banks and 3 major credit
reporting bureaus. Through thousands of fake identities, they applied for loans and charged
$500,000 on fraudulent credit cards. They worked twith a guy who worked in a dentist’s
office extending loans to patients and then reporting payments to Experian, a credit bureau.
With social security numbers made up to establish false identities, they began reporting
loan information and on-time payment for fictitious dental services to Experian.

g. MAFIA takes over

They will recruit the best brains as their hackers from the universities. If they refuse, they
will be hurt. They will try to silence security researchers or sites that “block” their work.
E.g. DDOS the CERT.

They are specialised. Different cells working collaboratively in an eco‐system: Create

exploits, Weaponise the exploits, Deploy the trojans and collect the data, Sell the stolen
credit cards and IDs, Run the mules, Fence the goods, Money laundering

*A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. Such an
attack is often the result of multiple compromised systems (for example, a botnet) flooding
the targeted system with traffic.

*A Computer Emergency Response Team (CERT) is an expert group that handles

computer security incidents.

h. Cybercrime Exploits Web 2.0

Data storage facilities and applications “in the clouds” – With data and applications
increasingly being located on remote external servers, criminals can use them to host their
criminal servers and activities.
Online games – Crimes include password theft and theft of virtual property for resale at
significant profit. Great for money laundering.
Online stock‐exchange agencies – This convenient and fast way to respond to stock
market fluctuations creates a very tempting target for criminals because stock market data is
a very liquid asset.
Web 2.0 – Online social networking, blogs, forums, wikis, MySpace, Twitter – all will
improve the efficiency of cyber criminals as well as offering them new pastures.
Crimeware – highly automated toolkit to create advanced malware, with environment
detection coded in.
Many known vulnerabilities available for script kiddies, e.g. Armitage for Metaxploit. Script
kiddie is a person who uses existing computer scripts or codes to hack into computers,
lacking the expertise to write their own.
Wireless Security:
Lecture 2

High security risks in WAP, BlueTooth and 802.11 wireless LAN (WEP – Wired Equivalent
Privacy, WPA ‐ Wi‐Fi Protected Access).

May 2001, 2 hackers accessed email and files from Sun Microsystems at their parking lot. Paul
Henry of Cyberguard described in a past NUS security conference how he discovered
numerous unprotected wireless LANs while travelling from the airport to the city. WPA2, the
most recent security protocol available for WiFi, has some small problems but is generally ok.

Wireless Security Vulnerability

Many Wireless broadband routers have security features but are not fully enabled. Many have
firmware bugs.

WLAN 802.11’s Security (Wireless Equivalent Privacy)

 Key Management
 Confidentiality Issue:
- Flaw in cryptographic design + poor implementation by vendors allows 128‐bit
encrypted packets to be broken within 60 seconds.
 Integrity Issues:
- WEP message authentication based on CRC is useless against traffic injection.
- Malicious modification of data
 Vulnerable to client authentication spoofing.
 MAC Address ACL and SSID are easily circumvented

But why do people use WEP in the first place???, (suspect a lot less now, but some mesh
networks may still have a problem) Even the strongest WPA is not totally safe, due to password
attack and ….krack attack.

*KRACK is a severe replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi
connections. An attacker within range of a victim can exploit these weaknesses using key
reinstallation attacks (KRACKs).

Bluetooth Vulnerabilities:
a. Bluesnarfing:
Bluesnarfing is attacking the Bluetooth device, usually a phone, to rip out information.
Hackers can obtain phonebooks, calendars and stored SMS messages.

b. Bluetracking:
All Bluetooth devices have a unique address. By using special sensors or antennas you can
see where a particular Bluetooth device pops up and record a person's movement.
BlueSniper “rifle” has a vision scope & a yagi antenna with a cable that runs to a
Bluetooth‐enabled laptop or mobile device. Effective range from 33 feet to a full mile!

c. Blueborne – Sep 2017

BlueBorne can serve any malicious objective, such as cyber espionage, data theft,
ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or
mobile devices as with the recent WireX Botnet

Electronic Pickpocketing (RFID)

Lecture 2

New credit card issuers have begun installing radio frequency identification (RFID) chips in
credit cards and passports because the technology holds more data than magnetic stripes and
can be read quicker.

It doesn't matter if the cards are kept in a wallet or a purse since they can transmit through
them when prompted by a RFID reader. (applies to company cards, unshielded epassports)
The account number and expiration date pop up on the computer screen almost
instantaneously after the reader gets within a few inches of the card.

Mobile Phone Security

Popularity of smart phones or the older PDAs Getting to be more low cost (towards $200) and
very popular. OSes: Blackberry RIM (J2ME), iOS, Android, Windows Phone 7, Windows 10
Phone. Use the most modern OS. Latest will be most secure.

Mobile Phone Security Issues

a. Lost and stolen
- Compromising sensitive data (e.g. email and file, synchronised into smart phone using
Dropbox).
- Data may not be unencrypted

b. Enterprise control at backend (BYOD)

- Adequate access control of Phone OS may not be possible. Security is consumer based.
- Home use and office use – data mixing, apps mixing (games for kids).
- Data leakage cannot be traced.
- High mobility and device changes. Difficult to secure and manage.

c. Phone Malware (can cost you money)

- Become part of a botnet (Angry Birds may be a trojan)
- Bad SMS/MMS to paid sites
- Steal your passwords, data/photos or phone database
- Phishing, fake screens (Android Clickjacking)
- Location may be tracked

d. Cyber espionage
- Eavesdropping
- Device attacks, e.g. wifi, bluetooth
- Misuse of the phone’s camera

ZeuS Trojan : ebanking menace

Zeus attack banking site. Zeus is defeating the second factor because it can "session ride". It can
wait until you've already authenticated, because it can control your browser. (SpyEye is another
famous malware) Man‐in‐the‐browser MITB attack

Zeus could be a very powerful tool for stealing corporate secrets. It lets the criminals remotely
control their victims' computers, scanning files and logging passwords and keystrokes. With
Zeus, hackers can even tunnel through their victim's computer to break into corporate systems.
Lecture 2

Crooks could make money by selling access to computers belonging to employees of certain
companies. It became worse. Now, Zeus attacks smart phones and will do a 2 stage attack and
finally monitoring your phone for the SMS OTP, which it will then forward to the attacker.

4. Evolving Transactions Attacks

Man‐in‐the‐Phone Attacks
Telephone banking customers and banks need to be aware of a new low‐tech, Man‐
in‐the‐Phone (MitP), fraud technique being employed by criminals. MitP also leverages
“social engineering,” by using trickery or deception during a phone conversation to
convince an individual to divulge information.

How it works?
In a typical MitP attack, a fraudster impersonates a bank representative and calls the
banking customer to inform him/her that his/her savings, checking or card account may
have been breached or compromised. The fraudster advises the customer that to remedy
the situation he/she should remain on the line and verify a few account details.

At the same time, the fraudster initiates a call to the customer's bank and connects the
customer with a real bank representative while the fraudster remains muted on the line.
The bank requests authentication information, such as social security number, passwords
and other personal information, which is then provided by the customer. Once the
personal information is provided, the fraudster quickly ends the conference line and
informs the customer that the issue has been resolved. Meanwhile, with the personal
information gathered during the call, the fraudster can take over the customer's phone
banking relationship and transfer money out of the customer's accounts.

Mobile Phone Threats

Latest threat – Mobile Ransomware, Advanced Spyware, Mobile botnets, Ad and Click
fraud, IoT attacks (subvert home automation), Steal eWallet e.g. Bitcoin, Attack your home
PC or corporate servers as a landing pad.

Really powerful mobile attacks

Newly discovered Android adware that is virtually impossible to uninstall. Hijacking
happens after a user has installed a trojanized app that masquerades as an official app
available in Google Play and then is made available in third‐party markets. During the
installation, apps from an adware family known as Shedun try to trick people into granting
the app control over the Android Accessibility Service, which is designed to provide
vision‐impaired users alternative ways to interact with their mobile devices.

Shedun is one of several families of adware that can't easily be uninstalled. That's because
the apps root the device and then embed themselves into the system partition to ensure
they persist even after factory reset. The ability to use social engineering to hijack the
Android Accessibility Service is yet another sign of the creativity and ingenuity put into this
new breed of apps.

Thus, do not use third‐party app markets. 20,000 samples found impersonating apps
from Twitter, Facebook, and others. Many attacks of this kind e.g. fake iOS library in
China. Fake apps can be automatically created & inserted with crimeware kits. Mike can be
Lecture 2

turned on by malware. Bad guy needs just a few secs with your phone. SMS will be stolen,
compromising OTP SMS, gmail, ebanking etc.

5. Computer Forensics
It is a branch of digital forensic science pertaining to legal evidence found in computers and
digital storage media (Wikipedia.com)

The goal of computer forensics is to examine digital media in a forensically sound manner with
the aim of preserving, recovering, analyzing and presenting facts and opinions about the
information. Although it is most often associated with the investigation of a wide variety of
computer crime, computer forensics may also be used in civil proceedings. The discipline
involves similar techniques and principles to data recovery, but with additional guidelines and
practices designed to create a legal audit trail.

Challenges of the Investigator

Atoms vs Bits: Bits can be easily copied and made available to the masses, almost without cost.

How do you know if the crime scene photos are genuine? Or that the video footages were not
been doctored. Examples: some one jumped in front of an MRT train. What really happened,
if there are no witnesses? What is at stake: a “perfect murder? Insurance claim?

IT is so pervasive now, that big or small criminals are using them. Did you get every gadget that
holds some kind of data? How much to store? Very soon, every crime will be a computer
crime. You will surely need computers to make fake passports (all passports will have a smart
chip), “rob a bank” etc. Classic cases: dispute evidence by claiming to be infected by trojan, and
destroy evidence using countermeasures.

Security Roles
Penetration tester, Computer or IT Auditor, Security Architect, Key Manager, IT Forensic
investigator, Security systems developer, System Administrator, Network Administrator,
Firewall Administrator, Security awareness trainer, Cyber Warrior.