Cyber Security: Hacker Web and Shodan
MIS 510
Ali Hassan Alenizi, Farah J Jafar, Nikhar Shah, Yirong Zhu

Introduction / Background
• Hacker Web:
  o Database of hacking forums
  o Russian, Chinese, Arabic, English, Persian
  o Tracks forums and the types of hacking the communities are interested in
• Shodan:
  o APIs for extracting data regarding cyber vulnerability
  o A huge amount of information on network devices can be accessed through Python methods
• Research:
  o Research questions formulated to extract data and analyze it, giving meaning to the data from the two databases

Research Questions
1. Do cultural differences trickle down to hacking, hacking topics, and hacking techniques? What are the cultural implications found through the research? What is the probability that an Arabic hackers' forum and an English hackers' forum will discuss the same topics?
2. Given the increasing threat of social media attacks, attackers such as the Syrian Electronic Army are increasingly using phishing and spamming attacks on different websites that are against the Syrian Government in the Syrian Civil War. My hypothesis question involves looking at the trend in phishing attacks compared to other traditional types of security threats such as SQL injection.
3. The recent research posted on GitHub reflects the backdoor of routers on port 32764. Through this port, hackers would more likely be able to intrude because of the natural vulnerability on this port. So, from the global view, which countries or areas are facing this same issue? Which areas suffer the most or have more potential risk, and what does the distribution look like?
4. In this question, we dig deeper into the 3rd question. Which of the devices behind these IP addresses are really accessible for attack and could be intruded into right now? Where are they located, and how many devices in each country could be intruded through

Question 1: Excel - Vctool
Top 30 ranked threads for Vctool with weighted %.
Question 1: Excel - Arhack
Top 30 ranked threads for Arhack with weighted %.

Question 1: Probabilities

Vctool threads in common (threadID | title | numOfView | numOfPosts | % of views)
1170  | How to view Private Facebook Pics                                    | 6723 | 22 | 5.68440277
10290 | Live Jasmin Credit Added, Account Maker, #Free Password List [Source] | 3905 | 12 | 3.30173923
1141  | Rainerstoff Crypter 3.2b [Get]                                       | 3367 | 17 | 2.84685172
10102 | Face Dominator (Cracked)                                             | 3280 | 10 | 2.77329185
107   | MSN Password Hacker (NEW 2009)                                       | 2382 | 26 | 2.01401865
11355 | Monster Crypter - Private Crypter, 0/37 + Full source - OUT !!!      | 2271 | 13 | 1.9201664
1045  | MW2 Aimbot and ESP Source Code for Compiling                         | 2173 | 9  | 1.83730585
10353 | 7-13-12 Crypter                                                      | 2088 | 2  | 1.765437
Total in common: 22.1432135 % of views

Arhack threads in common (threadID | title | numOfView | numOfPosts | % of views)
10016 | Today I will explain to you how to hack Facebook poker, from my own tutorial (اليوم راح اشرحلكم كيفيت اختراق البوكر الفيس بوك من شرحي الخاص) | 7020 | 30  | 2.94316176
10286 | A program for decrypting ***** passwords, with explanation (برنامج فك باسووردات الــ ***** مع الشرح) | 4663 | 72  | 1.95498053
10591 | Introduction to the world of encryption - lesson one (مقدمه عن عالم اللتشفير- الدرس الاول) | 4453 | 0   | 1.86693723
1125  | More than 300 Google hacking codes (أكثر من 300 كود للختراق google) | 4199 | 6   | 1.76044676
11409 | [Reverse-engineering course] Cracking programs and making serials for them, making program cracks (enter) ([دورة في الهندسة العكسية] كسر البرامج وعمل سيريالات لها صنع كراكات البرامج (ادخل)) | 3886 | 59  | 1.62922031
1121  | Overview of e-mail hacking: lesson one (نظرة عامة عن اختراق البريد الالكتروني : الدرس الاول) | 9145 | 208 | 3.83407611
1148  | Lesson three of the e-mail hacking course (الدرس الثالث من دورة اختراق البريد الكتروني) | 7725 | 89  | 3.2387357
Total in common: 17.2275584 % of views

Probability of both occurring: 3.81473503 %

Question 1: Analysis
• Arhack:
  o Focus on social hacking with few organizational hacking threads
  o Emails, social networks, SQL injections, password hacking, etc.
• Vctool:
  o Focus on organizational hacking with few social hacking threads
  o DDoS, botnets/bots, crypting, software cracks, coding, etc.
There is a 3.8% chance that Arhack members and Vctool members will talk about the same hacking concepts. Most of these are crypting and social hacking.
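The "weighted %" and the "probability of both occurring" in the Question 1 tables are easier to follow as code. The block below is an added example, not the project's own code: it takes the thread view counts from the slide tables, turns them into each thread's share of forum-wide views, sums the shares of the threads tagged as "in common", and multiplies the two forums' totals as independent events. The forum-wide view totals (`VCTOOL_TOTAL_VIEWS`, `ARHACK_TOTAL_VIEWS`) are not on the slides; they are assumptions back-computed from the slide's percentages.

```python
"""Added worked example (not the project's code): weighted view share of
ranked threads and the joint 'probability of both occurring' of Question 1."""

# Top-ranked Vctool threads taken from the slide table: (threadID, views).
VCTOOL_TOP = [(1170, 6723), (10290, 3905), (1141, 3367), (10102, 3280),
              (107, 2382), (11355, 2271), (1045, 2173), (10353, 2088)]
# Top-ranked Arhack threads taken from the slide table: (threadID, views).
ARHACK_TOP = [(10016, 7020), (10286, 4663), (10591, 4453), (1125, 4199),
              (11409, 3886), (1121, 9145), (1148, 7725)]

# Forum-wide view totals are NOT on the slides. These are assumptions derived
# from the slide percentages (6723 views == 5.684 % of all Vctool views).
VCTOOL_TOTAL_VIEWS = 118_271
ARHACK_TOTAL_VIEWS = 238_519


def view_share(threads, total_views):
    """Return {threadID: percentage of forum-wide views}, the slide's 'weighted %'."""
    if total_views <= 0:
        raise ValueError("total_views must be positive")
    return {tid: 100.0 * views / total_views for tid, views in threads}


def topic_mass(shares):
    """Cumulative share (%) of the threads tagged as 'in common' (the 'tot in common' row)."""
    return sum(shares.values())


def joint_probability(mass_a, mass_b):
    """Probability (%) that both forums discuss a shared topic, treating the two
    forums' view shares as independent events: P(A and B) = P(A) * P(B)."""
    return mass_a * mass_b / 100.0


if __name__ == "__main__":
    vc = topic_mass(view_share(VCTOOL_TOP, VCTOOL_TOTAL_VIEWS))
    ar = topic_mass(view_share(ARHACK_TOP, ARHACK_TOTAL_VIEWS))
    print(f"Vctool in common: {vc:.4f} %  Arhack in common: {ar:.4f} %")
    print(f"Probability of both occurring: {joint_probability(vc, ar):.4f} %")
```

The independence assumption behind `joint_probability` is the one the slides make implicitly; it is an upper-level estimate, since threads in the two forums were matched by topic rather than by any measured dependence between them.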
Question 2: Extracted Dataset
Some of the data extracted using the MySQL query

Question 2: Word Schema
Word schema used to find related thread topics

Question 2: Mined Dataset
Some of the data mined from the extracted dataset

Question 2: Analysis
[Chart: Moving Trend Based On # of Posts; x-axis DATE (30-10-2009, 29-11-2009, 31-12-2009, 29-10-2012, 30-11-2012, 31-12-2012); y-axis POSTS (0-100); series: Number of Posts Phishing, Number of Posts SQL Injections]
[Chart: Number of Views Per Post; x-axis DATES (same months); y-axis POST/VIEWS (0-800); series: Phishing Threads: Views Per Post, SQL Injection Threads: Views Per Post]
Final Analysis:
• Increasing phishing-related threads
• Increased discussion of phishing-related activities
• The Arab Spring is also changing hackers' ideologies

Question 3: Data Extraction

Question 3: Country Details

Question 3: 100 Vul_IPs
100 vulnerable IP addresses due to port 32764 all over the world

Question 3: Compared to What the Shodan Map API Does
The Shodan Map API analyzes port 32764 based on thousands of IPs and charges $19! The distributions are similar!!! This proves the accuracy of our analysis!

Question 4: Deeper Analysis
• 55 out of the 100 vulnerable IP addresses with port 32764 could truly be attacked
• Within the 55 IP addresses, 31 devices are available for locating their visual positions

Question 4: Core Code
1. Get the host of each of the 100 vulnerable IP addresses
2. Test if port 80, which is open to the public, is open
3. Then get the host IP
4. At last, if able to locate it, get the latitude and longitude

Question 4: 31 Target Devices
31 visual devices that could be targeted among the 100 vulnerable IP addresses

Question 3 & 4: Summary
• Among all of the vulnerable IP addresses with port 32764, about half could be intruded
• ⅓ of the host ports could be visually located on the map
• The top three areas exposed to the vulnerability are the United States, China and European areas

References
[1] Peterson, L. (n.d.). Hacking Diversity. Latoya Peterson. Retrieved February 25, 2014, from http://latoyapeterson.com/presentations/hacking-diversity/
[2] Feuer, A. (2011, November 20). Culture Hacking. Adam Feuer. Retrieved February 25, 2014, from http://adamfeuer.com/blog/2011/11/20/culture-hacking/
[3] Matherly, J. (2014, February 18). Introducing Shodan Maps. Shodan Blog. Retrieved from http://shodanio.wordpress.com/2014/02/18/introducing-shodan-maps/
[4] Horowitz, M. (2014, January 24). How and why to check port 32764 on your router. Computerworld. Retrieved from http://blogs.computerworld.com/network-security/23443/how-and-why-check-port-32764-your-router
[5] Scott-Railton, J. (2013, June 19). A Call to Harm: New Malware Attacks Target the Syrian Opposition. Retrieved from http://www.academia.edu/4231059/A_Call_to_Harm_New_Malware_Attacks_Target_the_Syrian_Opposition
[6] El-Guindy, M. N. (2013, December 25). Middle East Cyber Security Threat Report 2014. Retrieved from http://www.academia.edu/5522905/Middle_East_Cyber_Security_Threat_Report_2014
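The Question 2 slides describe a "word schema" that tags extracted threads by topic and a mined dataset of posts and views per month for phishing versus SQL injection. The block below is an added example, not the project's own code, showing that pipeline end to end: a keyword schema, a classifier that tags thread titles, and a monthly aggregation of the two quantities the charts plot (number of posts, and views per post). The schema terms and the `SAMPLE_THREADS` rows are constructed for the example and are not Hacker Web data; the real extraction would feed rows from the MySQL query into `monthly_trend` in the same `(title, date, posts, views)` shape.

```python
"""Added worked example (not the project's code): keyword 'word schema'
classification of forum threads and the per-month post/view trend used in
Question 2."""
from collections import defaultdict
from datetime import date
import re

# Word schema: each topic maps to the terms that mark a thread as belonging to
# it. Terms are matched at a word boundary, so "phish" also catches "phishing".
WORD_SCHEMA = {
    "phishing": ["phish", "fake login", "scam page", "spoof"],
    "sql injection": ["sql injection", "sqli", "union select", "blind sql"],
}

# Constructed sample rows shaped like the (title, date, posts, views) columns
# extracted from the threads table; these are NOT real forum threads.
SAMPLE_THREADS = [
    ("Phishing page tutorial for a social network", date(2009, 10, 30), 10, 1500),
    ("Blind SQL injection basics", date(2009, 10, 30), 20, 3000),
    ("Scam page pack", date(2012, 11, 30), 40, 6000),
    ("Another phish kit discussion", date(2012, 11, 30), 10, 2000),
    ("SQLi cheat sheet", date(2012, 11, 30), 5, 500),
    ("Unrelated crypter release", date(2012, 11, 30), 50, 9000),
]


def classify(title, schema=WORD_SCHEMA):
    """Return the set of topics whose schema terms occur in the title
    (case-insensitive, anchored at a word start)."""
    lowered = title.lower()
    return {
        topic
        for topic, terms in schema.items()
        if any(re.search(r"\b" + re.escape(term), lowered) for term in terms)
    }


def monthly_trend(threads, schema=WORD_SCHEMA):
    """Aggregate per (topic, 'YYYY-MM'): total posts and views per post.
    Threads that match no topic are dropped, as the mined dataset does."""
    posts = defaultdict(int)
    views = defaultdict(int)
    for title, day, n_posts, n_views in threads:
        month = day.strftime("%Y-%m")
        for topic in classify(title, schema):
            posts[(topic, month)] += n_posts
            views[(topic, month)] += n_views
    return {
        key: {
            "posts": posts[key],
            "views_per_post": views[key] / posts[key] if posts[key] else 0.0,
        }
        for key in posts
    }


def series(trend, topic, metric):
    """Chronologically sorted [(month, value)] for one topic, ready to plot."""
    return sorted((m, v[metric]) for (t, m), v in trend.items() if t == topic)


if __name__ == "__main__":
    trend = monthly_trend(SAMPLE_THREADS)
    for topic in WORD_SCHEMA:
        print(topic, "posts:", series(trend, topic, "posts"))
        print(topic, "views/post:", series(trend, topic, "views_per_post"))
```

Because classification is keyword-driven, the schema is the whole analysis: a term that is too broad (for example "spoof") inflates a topic, and a missing transliteration or synonym silently drops threads, which matters when the same schema is applied across forums in different languages.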
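Questions 3 and 4 above summarise Shodan results for port 32764 in two steps: count exposed hosts per country, then narrow to hosts that also expose a public web interface (port 80) and carry coordinates so they can be placed on a map (the 100 / 55 / 31 figures). The block below is an added example, not the project's own code, that performs those two aggregations over banner records already retrieved from Shodan, so nothing is probed. The `SAMPLE_BANNERS` records are constructed (documentation-range IPs, invented coordinates) and merely shaped like the `ip_str` / `port` / `location` fields that Shodan search results carry; that field layout is an assumption of the example.

```python
"""Added worked example (not the project's code): exposure summary of
Shodan-style banner records for port 32764, as in Questions 3 and 4."""
from collections import Counter

BACKDOOR_PORT = 32764   # the router backdoor port studied in Question 3
WEB_PORT = 80           # the public web interface checked in Question 4

# Constructed sample banners: documentation-range IPs and invented locations,
# shaped like Shodan search matches. Not real hosts.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 32764,
     "location": {"country_name": "United States", "latitude": 37.0, "longitude": -97.0}},
    {"ip_str": "192.0.2.10", "port": 80,
     "location": {"country_name": "United States", "latitude": 37.0, "longitude": -97.0}},
    {"ip_str": "198.51.100.7", "port": 32764,
     "location": {"country_name": "China", "latitude": None, "longitude": None}},
    {"ip_str": "198.51.100.7", "port": 80,
     "location": {"country_name": "China", "latitude": None, "longitude": None}},
    {"ip_str": "203.0.113.5", "port": 32764,
     "location": {"country_name": "Germany", "latitude": 51.0, "longitude": 9.0}},
    {"ip_str": "203.0.113.9", "port": 32764,
     "location": {"country_name": "United States", "latitude": 40.7, "longitude": -74.0}},
]


def hosts_with_port(banners, port):
    """Set of distinct IPs that have at least one banner on the given port."""
    return {b["ip_str"] for b in banners if b["port"] == port}


def exposure_by_country(banners, port=BACKDOOR_PORT):
    """Question 3: number of distinct hosts exposing `port`, per country.
    Each IP is counted once even if Shodan holds several banners for it."""
    seen = set()
    counts = Counter()
    for b in banners:
        if b["port"] != port or b["ip_str"] in seen:
            continue
        seen.add(b["ip_str"])
        counts[b["location"].get("country_name") or "Unknown"] += 1
    return counts


def mappable_hosts(banners):
    """Question 4: hosts exposing the backdoor port AND a public web interface,
    restricted to those with coordinates. Returns {ip: (latitude, longitude)}."""
    both = hosts_with_port(banners, BACKDOOR_PORT) & hosts_with_port(banners, WEB_PORT)
    points = {}
    for b in banners:
        loc = b["location"]
        if (b["ip_str"] in both
                and loc.get("latitude") is not None
                and loc.get("longitude") is not None):
            points[b["ip_str"]] = (loc["latitude"], loc["longitude"])
    return points


if __name__ == "__main__":
    print("Exposed hosts per country:", dict(exposure_by_country(SAMPLE_BANNERS)))
    print("Hosts with backdoor + web port:",
          hosts_with_port(SAMPLE_BANNERS, BACKDOOR_PORT) & hosts_with_port(SAMPLE_BANNERS, WEB_PORT))
    print("Mappable hosts:", mappable_hosts(SAMPLE_BANNERS))
```

Counting distinct IPs rather than banners is what keeps the per-country figures comparable with the Shodan Maps distribution the slides check against; a host with several stored banners would otherwise be counted several times, and the geolocation step drops hosts whose records carry no coordinates rather than guessing a position.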