Computing and Information Security Final Year Project – Simon Davies

Application to Help Identify Cyber Criminals

Abstract

This project explores the issue of cybercrime and results in the creation of an application to identify cyber criminals who use anonymising services such as the Tor network to mask their genuine IP address online. The project deliverable is a fully functioning application designed to run on the Windows operating system.

Acknowledgements

Dr David Day – Thank you for all the support and advice you gave me throughout this project 

Alex Murray – Thank you for all your support 

Jake Beet, Ellery Hardie and Declan Williams – Thanks for being such great friends 

Contents

Abstract

Acknowledgements

1.0 Introduction

1.1 Overview

1.2 Motivation

1.3 Aims and Objectives

Aim 1:

Objective 1.1

Objective 1.2

Objective 1.3

Aim 2:

Objective 2.1

Objective 2.2

Objective 2.3

2.0 Background

2.1 The Effects of Cybercrime and How It Can Be Combatted

2.1.1 The Cost of Cyber Crime

2.1.2 Combatting Cybercrime

2.1.3 Preventing Intrusion

Hardened Operating Systems

Firewall

Intrusion Detection System (IDS)

Intrusion Prevention System (IPS) / Intrusion Detection and Prevention System (IDPS)

Antivirus

Anti - Distributed Denial of Service (DDoS)

Honeypot

2.1.4 The Technological “Arms Race”

2.1.5 Policies to mitigate the effects of intrusion

Use of encryption

Use of Hashing

2.2 Staying Anonymous Online

Proxy Servers

Virtual Private Networks (VPNs)

Tor

How Tor Works - Diagrams

I2P

Freenet

2.3 Penetrating Networks And Computer Systems

Metasploit Framework

Nmap Security Scanner

Nessus Vulnerability Scanner

THC Hydra

Maltego

2.4 Previous Work Carried Out By Other People In The Project Subject Area

2.5 Methods Employed By Government Agencies To Identify Cyber Criminals

3.0 Methodology

3.1 Data Collection

3.2 Defining Research

Originality

Tools, Techniques, Procedures And Methods

Exploring The Unknown

Exploring The Unanticipated

The Use Of Data

Gaining Knowledge And Understanding

Data

Information

Knowledge

Wisdom

3.3 Research Methods

Survey

Design And Creation

Experiment

Case Study

Action Research

Ethnography

3.4 Research Method Employed

4.0 Design / Development chapters

4.1 Software Development

The Software Development Life Cycle (SDLC)

Requirements Capture

Design

Build

Test

Implement

4.2 Development Models

Build-And-Fix

Issues With This Approach:

Stage-Wise And Classic Waterfall Models

Issues With The Classic Waterfall Model:

Incremental Model

Advantages Of The Incremental Model

Disadvantages Of The Incremental Model

Prototyping Models

Throw-Away Prototyping

Advantages Of Throw-Away Prototyping:

Disadvantages Of Throw-Away Prototyping:

Evolutionary Prototyping Model

4.3 Development Approach Taken

5.0 Explanation of design(s)

5.1 Research Into Designing The Application

5.2 Developing The Application

5.3 Final Application Testing Process

Testing The Application Against Tor

6.0 Putting The Application On A Honeypot

Researching Into Honeypots

7.0 Evaluation Of Application - Practical Implications And Further Development

8.0 Conclusion

References

Bibliography

Appendices

Appendix A

Appendix B

Appendix C

Appendix D

Appendix E

Appendix F

Appendix G

1.0 Introduction

1.1 Overview

First, the motivation behind this project is explained and its aims and objectives are set out. A background to the problem of cybercrime within the UK is then given, and finally the development of an application to identify cyber criminals is documented.

1.2 Motivation

The various technologies a cybercriminal can use to stay anonymous online, e.g. VPNs, Tor and I2P, make the job of identifying them much harder, as their genuine external IP address is masked and so is not recorded in logs.

Attempting to use a honeypot to log the genuine external IP address of a cybercriminal connecting through Tor will instead yield the external IP address of a Tor exit node. It is important that the application can circumvent this. This project focuses on creating an application that, once executed by a cybercriminal, will identify them via their genuine external IP address and hardware information pulled from their system. The application will query an external service to obtain the genuine external IP address. This relies on the application's own outbound connection not being routed through Tor: an attacker who uses only the Tor Browser leaves every other process on the machine making direct connections, whereas one behind a system-wide proxy setting or a transparent Tor gateway would again present an exit node address. The fact that the application is executed directly on the cybercriminal's machine allows it to obtain more information than a honeypot that merely logs malicious activity.

The functional concepts incorporated in the application could be used to aid law enforcement in the complex task of identifying cyber criminals, who will go on to commit further malicious activity online unless they are caught.

The application will be disguised as important Intellectual Property (IP) to lure cyber criminals into stealing it.

1.3 Aims and Objectives

Aim 1:

Create a cross-platform application to identify cyber criminals.

Objective 1.1

Research which programming languages could be used to code the application in.

Objective 1.2

Experiment with the identified programming languages to see which can be used to create prototypes of the key application functionality: obtaining the required hardware information (e.g. BIOS and disk identifiers), the external IP address and the MAC address.

Objective 1.3

Decide on a programming language in which to complete the application, based on which is most suited to the final application and the level of programming skill possessed.

Aim 2:

Evaluate the usefulness of the created application.

Objective 2.1

Test the application on the systems of a number of willing participants to make sure it functions properly.

Objective 2.2

Test the application on a system with Tor installed to verify that it is able to bypass Tor and report the genuine external IP address.

Objective 2.3

Place the application on a honeypot (an intentionally insecure server) and wait for the honeypot to be compromised by cyber criminals and the application to be stolen and executed on their systems.

2.0 Background

For the literature review in this project, secondary research has been drawn from books and online journals found via the Sheffield Hallam Library Gateway. Credible online sources have also been used.

2.1 The Effects of Cybercrime and How It Can Be Combatted

2.1.1 The Cost of Cyber Crime

One of the leading reasons to identify and prosecute malicious online parties committing cybercrime is the cost their actions have on UK businesses and the UK economy as a whole.

(Detica Ltd 2011), a company that "delivers information intelligence solutions to government and commercial customers," estimates the cost to the UK economy of cybercrime committed for financial gain at "£27bn per annum." The majority of this cost is believed to derive from the theft of IP, estimated "at £9.2bn per annum." Although cybercrime has a substantial financial impact on both UK citizens and the Government, it is businesses that are worst affected, with "a total estimated cost of £21bn."

According to (Symantec 2013), the "total global direct cost of cybercrime…" had increased from US$110 billion in 2012 to US$113 billion.

2.1.2 Combatting Cybercrime

In order to cut the cost of cybercrime to UK businesses, the first step is to make companies aware of why it is so important to invest in security technology. Companies exist to make a profit, and spending large amounts of money on technology to protect their infrastructure from security breaches does not generate profit directly. Unless companies are shown how much money they could lose in the event of a security breach, it is unlikely they will invest in the technology to prevent one.

2.1.3 Preventing Intrusion

Hardened Operating Systems

Hardening the Windows operating system by disabling all unrequired services, removing all unrequired executables and registry entries, and applying suitably restrictive permissions to files, services, endpoints and registry entries will help prevent intrusion by cyber criminals.

The Linux operating system offers numerous distributions that users can choose from. Pre-hardened distributions exist, such as Tails and Lightweight Portable Security (LPS), the latter created by the Software Protection Initiative (SPI) under instruction from the Air Force Research Laboratory and the US Department of Defense. Both Tails and LPS are live systems designed to run from removable media such as USB sticks; by default they write only to memory rather than to the hard disk, so as to leave no trace of themselves after the system is shut down.

The Active Defense Harbinger Distribution (ADHD), a Linux distribution based on Ubuntu 12.04 LTS, takes defence one step further by providing "tools whose functions range from interfering with the attackers' reconnaissance to compromising the attackers' systems… the active defense mechanisms are triggered by malicious activity such as network scanning or connecting to restricted services." (Robish, Johnson and Strand)

Firewall

Firewalls can be either software installed on the operating system or dedicated hardware placed at the perimeter of the network to control incoming and outgoing traffic. A firewall applies a set of rules that dictate which traffic is allowed to pass through it. For instance, a rule set may only allow incoming traffic on certain ports and/or only allow traffic from certain IP addresses to enter the internal network. Rules are evaluated in order, with the first matching rule deciding the packet, so the ordering of rules is part of the policy, and anything matched by no rule should be denied by default.
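The following Python example is added here to illustrate those rule semantics (ordered first-match evaluation, CIDR source matching and implicit default deny); it is not code from the original project. The rule format, the Rule and Firewall names and the two constructed rule sets are assumptions for the illustration. The second rule set shows how a broad deny placed above a narrower allow silently shadows it, which the shadowed() check detects.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One packet-filter rule. A field left at its default matches anything."""
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network in CIDR notation
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


class Firewall:
    """First-match evaluation of an ordered rule list with an implicit default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, src_ip: str, proto: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, proto, dport):
                return rule.action
        return "deny"  # nothing matched: the safe default is to drop

    def shadowed(self) -> List[int]:
        """Indexes of rules that can never fire because an earlier rule with the
        same or wider scope already decides every packet they would match."""
        hidden = []
        for i, later in enumerate(self.rules):
            for earlier in self.rules[:i]:
                wider_src = ipaddress.ip_network(later.src).subnet_of(
                    ipaddress.ip_network(earlier.src))
                if (wider_src and earlier.proto in ("any", later.proto)
                        and earlier.dport in (None, later.dport)):
                    hidden.append(i)
                    break
        return hidden


# Constructed inbound rule set for a web server (assumed addresses): HTTP/HTTPS from
# anywhere, SSH only from the admin subnet, everything else falls to default deny.
INBOUND_RULES = [
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("allow", src="10.0.5.0/24", proto="tcp", dport=22),
]

# Same intent, but a broad deny placed first means the admin SSH allow never fires.
MISORDERED_RULES = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", src="10.0.5.0/24", proto="tcp", dport=22),
]

if __name__ == "__main__":
    fw = Firewall(INBOUND_RULES)
    print(fw.decide("203.0.113.7", "tcp", 443), fw.decide("10.0.5.20", "tcp", 22))
    print("shadowed rules in misordered set:", Firewall(MISORDERED_RULES).shadowed())
```

The same packet from the admin subnet to port 22 is allowed by the first rule set and dropped by the second, purely because of rule order.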

Intrusion Detection System (IDS)

An IDS is a hardware device or software application that monitors network traffic and logs maliciously crafted packets or breaches of the security policies set by the network administrator. An IDS can be configured to notify the administrator of potential security breaches. It is passive: it detects and reports, but does not itself block the traffic it flags.

Intrusion Prevention System (IPS) / Intrusion Detection and Prevention System (IDPS)

An IPS / IDPS extends the functionality of an IDS: it performs the same detection but also attempts to stop malicious traffic from entering the internal network. (Boyles 2010) states that the IPS does this in various ways: sending an alarm "to a syslog server or a centralized management interface," dropping packets it deems malicious, resetting the connection by "sending a TCP reset to the end or source host and terminating any malicious TCP connections", and blocking traffic "from the source IP address of the attacker for a specified amount of time". The IPS can also block connections on which it identifies attack signatures. Because an IPS sits inline and acts automatically, a false positive blocks legitimate traffic, so its signatures and thresholds must be tuned carefully.
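The following Python example is added here to show those IPS behaviours over sample traffic (alert, drop the packet, block the source for a fixed period, plus a threshold rule for port-scan reconnaissance); it is not code from the original project. The log line format, the two signatures, the thresholds and the sample log are all constructed for the illustration, and the TCP reset an inline IPS would also send is omitted, since only the verdict is recorded here.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed signatures; a real IPS ships thousands, two are enough to show the flow.
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)union\s+select|'\s*or\s*'1'\s*=\s*'1"),
    "path_traversal": re.compile(r"\.\./\.\./"),
}
SCAN_PORTS = 5        # distinct destination ports from one source ...
SCAN_WINDOW = 10.0    # ... inside this many seconds counts as a port scan
BLOCK_SECONDS = 60.0  # how long an offending source stays blocked


class Ips:
    def __init__(self) -> None:
        self.blocked_until: Dict[str, float] = {}       # src_ip -> block expiry time
        self.ports_seen = defaultdict(deque)            # src_ip -> recent (ts, dport)
        self.alerts: List[Tuple[float, str, str]] = []  # what would go to syslog

    def _block(self, ts: float, src_ip: str, reason: str) -> str:
        self.blocked_until[src_ip] = ts + BLOCK_SECONDS
        self.alerts.append((ts, src_ip, reason))
        return "drop:" + reason

    def inspect(self, ts: float, src_ip: str, dport: int, payload: str) -> str:
        # 1. A source under an active block is dropped without further inspection;
        #    once the block expires its traffic is inspected normally again.
        if self.blocked_until.get(src_ip, 0.0) > ts:
            return "drop:blocked"
        # 2. Signature match: raise an alert, drop the packet and block the source.
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                return self._block(ts, src_ip, name)
        # 3. Threshold rule for reconnaissance: too many distinct ports too quickly.
        history = self.ports_seen[src_ip]
        history.append((ts, dport))
        while history and ts - history[0][0] > SCAN_WINDOW:
            history.popleft()
        if len({port for _, port in history}) >= SCAN_PORTS:
            history.clear()
            return self._block(ts, src_ip, "port_scan")
        return "pass"


def parse_line(line: str) -> Tuple[float, str, int, str]:
    """Assumed log format: '<timestamp> <src_ip> <dst_port> <payload summary>'."""
    ts, src_ip, dport, payload = line.split(maxsplit=3)
    return float(ts), src_ip, int(dport), payload


def run_ips(log_text: str) -> List[str]:
    """Feed every log line through one IPS instance and return the verdicts in order."""
    ips = Ips()
    return [ips.inspect(*parse_line(line)) for line in log_text.splitlines() if line.strip()]


# Constructed sample traffic (not real data): one injection attempt followed by normal
# requests from the same host, then a port sweep from a second host.
SAMPLE_LOG = """\
1000.0 198.51.100.9 80 GET /index.html
1001.0 198.51.100.9 80 GET /item?id=1' or '1'='1
1002.0 198.51.100.9 80 GET /index.html
1070.0 198.51.100.9 80 GET /index.html
1100.0 203.0.113.5 21 SYN
1100.5 203.0.113.5 22 SYN
1101.0 203.0.113.5 23 SYN
1101.5 203.0.113.5 25 SYN
1102.0 203.0.113.5 80 SYN
1102.5 203.0.113.5 443 SYN
"""

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), run_ips(SAMPLE_LOG)):
        print(verdict.ljust(20), line)
```

Note that the harmless request at t=1002 from 198.51.100.9 is dropped only because the source is still inside its 60-second block, while the identical request at t=1070 passes; that is exactly the collateral effect an over-broad signature would have on legitimate users.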

Antivirus

Antivirus software is crucial to prevent systems being infected with malware such as viruses, worms, Trojans and rootkits. Malware has the potential not only to destroy critical business systems but also to lead to IP being stolen by malicious parties through backdoors it has inserted. With the majority of the cost associated with cybercrime deriving from IP theft, antivirus software is a key security technology that businesses must implement. Most current antivirus solutions integrate cloud technology to identify threats faster. Referring to its antivirus solution, (Kaspersky Lab) states that "Cloud systems pool intelligence from millions of computers in the field to spot suspicious trends. That vast trove of information means they can detect threats earlier, and block those threats before they become a problem." Most modern antivirus solutions also incorporate heuristics in order to identify newly developed or modified threats that do not yet have signatures associated with them. Heuristic detection works by identifying behaviour typical of viruses, Trojans and the like, e.g. using certain API calls to log keystrokes, dropping files into system folders and adding autostart entries to the registry.

Anti - Distributed Denial of Service (DDoS)

With DDoS being a critical threat to large UK businesses, it is vital to implement some form of protection against it. DDoS attacks can last for weeks, causing substantial losses in business revenue as systems slow to a crawl or suffer total outages.

Products such as Fortinet's FortiDDoS-300A appliance are specialised hardware designed to deal with modern DDoS attacks. As stated by (Fortinet Inc), the purpose of these products is to "detect, and block reconnaissance and Distributed Denial of Service (DDoS) attacks while leaving legitimate traffic untouched." Whereas conventional systems are overwhelmed by the traffic directed at them during a DDoS attack, anti-DDoS products use a combination of dedicated hardware and software to absorb and filter it.

UK businesses also have the option of outsourcing DDoS protection to third-party anti-DDoS services. Prominent companies offering this service include GigeNET, Incapsula Inc, BlockDos and Black Lotus. These companies also use a mixture of dedicated hardware and software to deal with DDoS attacks, but because their whole business is focused on providing this service, they can afford to invest far more in that hardware and software, allowing them to absorb larger attacks more effectively.

Honeypot

Honeypots are essentially traps used to lure cyber criminals into attacking them by emulating known vulnerabilities. They are generally set up to monitor cyber criminals or to capture their malicious payloads so that analysis can be carried out on them. Two types of honeypot exist: production honeypots and research honeypots. Either type can be further classified by its design into pure, high-interaction and low-interaction honeypots.

Pure honeypots are fully functioning production systems with a tap installed on the honeypot's link to the network; this tap is used to monitor the activity of cyber criminals. High-interaction honeypots are decoys made to look like critical production systems by imitating their activities and hosting multiple services. Low-interaction honeypots only provide the services most commonly probed by cyber criminals. As explained by the developers of (Honeyd), "they are useful to gather information at a higher level, e.g., learn about network probes or worm activity." Because a low-interaction honeypot emulates a service rather than running it, an attacker cannot gain real control of the host, although a careful attacker may also be able to fingerprint the emulation.
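The following Python example is added here to show what a low-interaction honeypot actually does, and is not code from the original project or from Honeyd. It presents a fake service banner on a local TCP port, records the source address and the first bytes each visitor sends, and never executes or interprets anything received. The banner string, the port choice (0, so the operating system picks a free one) and the probe() helper standing in for an attacker's scanner are assumptions for the illustration.

```python
import datetime
import socket
import threading
from typing import Dict, List


class LowInteractionHoneypot:
    """Emulates just enough of a service (a banner) to record who connects and what
    they send. Nothing received is ever executed or interpreted."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"SSH-2.0-OpenSSH_5.3\r\n") -> None:
        self.banner = banner
        self.log: List[Dict] = []           # one entry per connection
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))       # port 0: let the OS pick a free one
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # so the accept loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)   # the only thing the "service" ever does
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    data = b""
                self.log.append({
                    "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                    "src_ip": src_ip,        # an attacker behind Tor shows up as the exit node here
                    "src_port": src_port,
                    "first_bytes": data[:64],
                })


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Stand-in for an attacker's scanner: connect, read the banner, send something."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = LowInteractionHoneypot()
    hp.start()
    print(probe(hp.port, b"SSH-2.0-scanner\r\n"))
    hp.stop()
    print(hp.log)
```

The src_ip field is the point the project's motivation makes: it is the address of whatever host opened the TCP connection, so a visitor arriving via Tor is logged as the exit node rather than their genuine address.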

Honeypots are used by antivirus vendors, by companies and in research environments. Antivirus vendors use honeypots to capture and analyse new malware and variants of existing malware; companies deploy them in their production networks to protect critical systems by attracting cyber criminals to attack the honeypot instead; and researchers use them to identify the latest methods cyber criminals use to thwart security solutions.

(Kumar and Pant 2009) took the use of research honeypots a step further by experimenting with using "honeypots for generating and broadcasting instant cures for new and unknown malware in the network." They proposed that these cures would "be in the form of on-the-fly anti-malware signatures" spreading "in a fashion that is similar to the way malware spreads across networks."

2.1.4 The Technological “Arms Race”

Due to the introduction of advanced security solutions, cyber criminals have developed more sophisticated attacks in order to bypass them. (Roschke, Cheng and Meinel 2011) explain that these attacks incorporate methods such as "advanced cryptography, self-modified code, and integrated attack frameworks." Using cryptography to encrypt malicious code or to embed backdoors in cryptographic functions is known as cryptovirology, and writing code that modifies itself, so that each copy presents a different pattern to a signature scanner, is known as polymorphism. The battle between cyber criminals and security vendors is a technological "arms race", with both sides having to innovate constantly in order to thwart or bypass the other.

2.1.5 Policies to mitigate the effects of intrusion

Use of encryption

Encrypting critical information stored on business servers or in databases, such as IP or customer card details, is fundamental to mitigating the effects of an intrusion. If a cybercriminal is able to bypass all of the technology in place to prevent their attack, it is important that no critical information is stored in plain text. A secure encryption algorithm such as AES-256 should be used. Encryption at rest only helps, however, if the keys are kept separate from the data they protect; an attacker who compromises a server holding both the ciphertext and its key gains nothing less than the plaintext.

Use of Hashing

Hashing is another very useful practice for mitigating the effects of an intrusion, as hashes are one-way functions whose output cannot feasibly be reversed to recover the input. It is important to use a cryptographically secure hash function such as SHA-2, as earlier functions such as SHA-1 have been shown to be vulnerable to collision attacks faster than brute force. As (Schneier 2005) said on his blog, "three Chinese cryptographers showed that SHA-1 is not collision-free. That is, they developed an algorithm for finding collisions faster than brute force."

Hashing can be used for the passwords and usernames of customers stored in business databases, so that cyber criminals who break in cannot use these details directly. A single pass of a fast hash such as SHA-256 is not sufficient for passwords, however: two customers with the same password would have identical hashes, and an attacker can test billions of guesses per second against a stolen table. Each password should instead be hashed with a unique random salt using a deliberately slow function such as PBKDF2, bcrypt or scrypt.
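The following Python example is added here to make that distinction concrete and is not code from the original project. It places an unsalted SHA-256 beside a salted, iterated PBKDF2-HMAC-SHA256 from the standard library, stores the work factor alongside the hash so it can be raised later, and verifies with a constant-time comparison. The stored-string layout, the iteration count and the sample password are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def naive_hash(password: str) -> str:
    """Unsalted single SHA-256. Collision-resistant, but the wrong tool for passwords:
    equal passwords give equal hashes, and each guess costs the attacker one fast hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The returned string carries the algorithm,
    work factor and salt, so each record is self-describing and older records stay
    verifiable after the default work factor is increased."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # A plain == would return early at the first differing byte and leak timing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample password; two users choosing it get the same naive hash
    # but different PBKDF2 records.
    print(naive_hash("Summer2014") == naive_hash("Summer2014"))
    record = hash_password("Summer2014")
    print(record)
    print(verify_password("Summer2014", record), verify_password("Summer2015", record))
```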

2.2 Staying Anonymous Online

Proxy Servers

Proxy servers are used by a wide variety of people to help maintain anonymity online by masking their Internet Protocol (IP) address. As stated by (Proxy.org), they work by acting "as an intermediary, routing communications between your computer and the Internet. A proxy specializing in anonymous surfing, however, uses its own IP address in place of yours in every outgoing request."

There are various approaches to proxies: web-based proxies, open proxies, anonymity networks (Freenet, I2P, JAP and Tor) and proxy and VPN software.

Web-based proxies, which include services such as Hide My Ass, use software such as CGIProxy, PHProxy, Glype or custom proxy scripts running on the server. The user does not have to download and install software or reconfigure the proxy settings in their web browser; all these services require is that the user enter the URL (website address) they wish to visit into a web form.

Open proxies are HTTP or SOCKS proxy servers that have been left open, either accidentally or maliciously. They require the user to reconfigure their browser's proxy settings. Cyber criminals who compromise machines will sometimes install proxies on them in order to hide their own IP address when they go on to attack further machines.

The problem with open proxies is that they provide neither privacy nor security: all of the web activity carried out through them could be logged, and many open proxies are in fact honeypots set up for the very purpose of logging and tracking illegal activity. Because traffic to an open proxy is not encrypted, using one could also mix your browsing activity with that of criminal gangs, leading to the implication that you are involved in that activity.
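The following Python example is added here to show, from the destination server's side, how much a proxy actually hides; it is not code from the original project. A transparent proxy substitutes its own IP address at the TCP layer but forwards the client's address in a header such as X-Forwarded-For or Forwarded, an anonymous proxy hides the client but announces itself (for example via a Via header), and an elite proxy is indistinguishable from a direct visit. The three constructed requests and the header lists are assumptions for the illustration; any address found in such headers is supplied by the sender and can be forged, so it is a lead rather than evidence.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Headers that carry the original client address (added by transparent proxies and load balancers).
CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip", "client-ip", "forwarded")
# Headers that merely reveal that a proxy sat in the path.
PROXY_MARKER_HEADERS = ("via", "proxy-connection", "x-proxy-id")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _first_ip(value: str) -> Optional[str]:
    """X-Forwarded-For reads 'client, proxy1, proxy2'; Forwarded reads 'for=a.b.c.d;proto=https'.
    The leftmost valid address is the claimed original client."""
    for part in value.replace(";", ",").split(","):
        part = part.strip()
        if part.lower().startswith("for="):
            part = part[4:].strip('"[]')
        try:
            return str(ipaddress.ip_address(part))
        except ValueError:
            continue
    return None


def classify_proxy(headers: Dict[str, str], peer_ip: str) -> Tuple[str, Optional[str]]:
    """Return (anonymity level, claimed client IP) as seen by the destination server.
    peer_ip is the TCP source address, i.e. the proxy's own address when one is in use."""
    for name in CLIENT_IP_HEADERS:
        if name in headers:
            claimed = _first_ip(headers[name])
            if claimed and claimed != peer_ip:
                return "transparent", claimed    # proxy leaks the real client address
    if any(name in headers for name in PROXY_MARKER_HEADERS):
        return "anonymous", None                 # proxy admits it exists, hides the client
    return "none_or_elite", None                 # indistinguishable from a direct visit


# Constructed requests (documentation address ranges), as received from peer 198.51.100.2.
TRANSPARENT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"X-Forwarded-For: 203.0.113.9, 198.51.100.2\r\nVia: 1.1 proxy.test\r\n\r\n")
ANONYMOUS = b"GET / HTTP/1.1\r\nHost: example.test\r\nVia: 1.1 proxy.test\r\n\r\n"
DIRECT = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n"

if __name__ == "__main__":
    for raw in (TRANSPARENT, ANONYMOUS, DIRECT):
        print(classify_proxy(parse_headers(raw), "198.51.100.2"))
```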

Virtual Private Networks (VPNs)

VPNs are popular with both businesses and individuals. The technology allows a business's employees to log into the company intranet securely over the public internet. Given the high cost of leased lines, VPNs provide a favourable alternative.