Wisconsin Union Directorate
Cybersecurity, Hacking, Privacy
April 28, 2014
Nicholas Davis,
CISSP, CISA
Agenda
• Introduction
• Hacking
• Botnets
• Deep Web
• Target Breach
• Ransomware
• Q&A – Anything goes!
Nicholas Davis
• Undergraduate degree, UW-Madison
• Graduate degree UW-Madison
• Been around a few places
• Taught at UW-Madison, MATC,
Cardinal Stritch
• Work at DoIT
• CISSP, CISA
Computer Hacking
In the computer security context, a
hacker is someone who seeks and
exploits weaknesses in a computer
system or computer network. Hackers
may be motivated by a multitude of
reasons, such as profit, protest, or
challenge.
Types of Hackers
• White hat
• Black hat
• Grey hat
• Elite hacker
• Script kiddie
• Neophyte
• Blue hat
• Hacktivist
• Nation state
• Organized criminal gangs
Hacking Methods
A typical approach in an attack on an
Internet-connected system is:
Network enumeration: Discovering
information about the intended target.
Vulnerability analysis: Identifying
potential ways of attack.
Exploitation: Attempting to
compromise the system by employing
the vulnerabilities found through the
vulnerability analysis.
Security Exploits Used By
Hackers
A security exploit is a prepared application
that takes advantage of a known weakness.
Common examples of security exploits are
SQL injection, Cross Site Scripting and
Cross Site Request Forgery, which abuse
security holes that result from
substandard programming practice. Other
exploits target network services such as
FTP, HTTP, PHP, SSH and Telnet, or
individual web pages. These are very
common in website/domain hacking.
Techniques
Vulnerability scanner
A vulnerability scanner is a tool used
to quickly check computers on a
network for known weaknesses.
Hackers also commonly use port
scanners. These check to see which
ports on a specified computer are
"open" or available to access the
computer.
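A minimal TCP connect() scan, added here as an illustration of what a port scanner does (this is example code written for this page, not a tool from the talk). It starts its own listener on an ephemeral loopback port so there is a known open port to find, then probes a small window of ports around it. The listener and the window are constructed for the demo.

```python
import socket
import threading
from typing import Dict, Iterable, List


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a TCP listener on an ephemeral port so the scan below has one
    genuinely open port to find. Stands in for a target service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def _accept_loop(srv: socket.socket) -> None:
    # Accept and immediately drop connections until the listener is closed.
    while True:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            return


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """TCP connect() scan. A completed three-way handshake means the port
    is open; a refused connection (RST) means closed; a timeout usually
    means a firewall silently dropped the SYN ("filtered"). This needs no
    raw sockets, but every probe completes a connection, so it shows up
    in the target's service logs."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def demo() -> Dict[str, object]:
    """Stand up one listener, scan a small window around it, tear it down."""
    srv = start_listener()
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    listener_port = srv.getsockname()[1]
    window = range(listener_port - 3, listener_port + 4)   # constructed scan range
    found = connect_scan("127.0.0.1", window)
    srv.close()
    return {"listener": listener_port, "scanned": list(window), "open": found}


if __name__ == "__main__":
    print(demo())
```

A vulnerability scanner starts from exactly this information (which ports answer) and then fingerprints the service behind each one against a database of known weaknesses; the connect() scan is the noisy, unprivileged baseline, which is why attackers prefer half-open SYN scans that need raw sockets.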
Techniques
Password cracking
Password cracking is the process of
recovering passwords from data that
has been stored in or transmitted by a
computer system. A common
approach is to repeatedly try guesses
for the password.
Brute Force vs Dictionary
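The difference between the two approaches, as an added example (not code from the talk): both attacks hash candidate passwords and compare against a stolen salted SHA-256 hash, the dictionary attack walks a wordlist while brute force enumerates every string over an alphabet. The wordlist, salt and target password are constructed for the demo.

```python
import hashlib
import itertools
import string
from typing import Optional, Tuple

# Constructed sample: the salt is stored next to the hash, so the attacker has both.
SALT = b"static-demo-salt"

# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine", "badger"]


def hash_password(password: str, salt: bytes = SALT, rounds: int = 1) -> str:
    """Salted, iterated SHA-256. rounds=1 is a fast (weak) scheme; a real
    deployment uses PBKDF2/bcrypt/scrypt with a high work factor so every
    guess below costs the attacker as much as it costs the server."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def dictionary_attack(target_hash: str, salt: bytes = SALT,
                      rounds: int = 1) -> Tuple[Optional[str], int]:
    """Try each wordlist entry in order; returns (password or None, attempts)."""
    for attempts, word in enumerate(WORDLIST, 1):
        if hash_password(word, salt, rounds) == target_hash:
            return word, attempts
    return None, len(WORDLIST)


def brute_force(target_hash: str, salt: bytes, alphabet: str,
                max_len: int, rounds: int = 1) -> Tuple[Optional[str], int]:
    """Enumerate every string of length 1..max_len over alphabet. The search
    space is sum(|alphabet|**k), so each extra character multiplies the work."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt, rounds) == target_hash:
                return candidate, attempts
    return None, attempts


def demo() -> dict:
    target = hash_password("badger")           # constructed victim password
    lowercase = string.ascii_lowercase
    return {
        # A common word falls to the dictionary in a handful of tries...
        "dictionary": dictionary_attack(target, SALT),
        # ...while brute force over 26 letters cannot even reach length 6 here.
        "brute_long": brute_force(target, SALT, lowercase, 3),
        # Brute force does win against anything short, dictionary word or not.
        "brute_short": brute_force(hash_password("abc"), SALT, lowercase, 3),
    }


if __name__ == "__main__":
    print(demo())
```

The attempt counts are the point: a dictionary finds "badger" on the seventh guess, while exhausting every lowercase string up to three characters costs 18,278 guesses and still misses it. Length and unpredictability defeat brute force; only not being in a wordlist defeats the dictionary, and a slow hash (high `rounds`) is what makes either attack expensive.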
Techniques
Packet sniffer
A packet sniffer is an application that
captures data packets, which can be
used to capture passwords and other
data in transit over the network.
Packet Sniffer
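What a sniffer actually does with a captured frame, as an added example (not code from the talk): decode the Ethernet, IPv4 and TCP headers, then pull a username and password out of a cleartext HTTP login. The two frames in the capture are constructed inline; one is a form POST on port 80, the other is the start of a TLS handshake on port 443, which yields nothing readable.

```python
import struct
from typing import Dict, List, Optional
from urllib.parse import parse_qs


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet/IPv4/TCP frame around a payload. Checksums
    are left zero; a passive sniffer reads the payload without them. Used
    only to construct the sample capture below."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode Ethernet -> IPv4 -> TCP; returns addresses, ports and payload,
    or None for anything that is not IPv4 over TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if proto != 6:
        return None
    tcp_start = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_res = struct.unpack("!HHIIB", frame[tcp_start:tcp_start + 13])
    payload_start = tcp_start + (off_res >> 4) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "payload": frame[payload_start:14 + total_len]}


def extract_credentials(payload: bytes) -> Optional[Dict[str, str]]:
    """Recover username/password from a cleartext HTTP form POST; anything
    else (a TLS record starts with 0x16, not 'POST') yields None."""
    if not payload.startswith(b"POST "):
        return None
    _headers, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    fields = parse_qs(body.decode("utf-8", errors="replace"))
    if "username" in fields and "password" in fields:
        return {"username": fields["username"][0], "password": fields["password"][0]}
    return None


# Constructed capture: one cleartext login and one TLS ClientHello fragment.
SAMPLE_CAPTURE: List[bytes] = [
    build_frame("10.0.0.5", "192.0.2.10", 51512, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=alice&password=Winter2014%21"),
    build_frame("10.0.0.5", "192.0.2.10", 51513, 443,
                b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16),
]


def sniff(frames: List[bytes]) -> List[Dict[str, object]]:
    """Run every frame through the decoder and collect harvested logins."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = extract_credentials(pkt["payload"])
        if creds:
            found.append({**creds, "src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"]})
    return found


if __name__ == "__main__":
    print(sniff(SAMPLE_CAPTURE))
```

The HTTP login is recovered verbatim; the TLS frame is just opaque bytes to the same parser. That is the whole case for encrypting everything on the wire: a sniffer on a shared network segment or a rogue access point sees the same frames this code does.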
Techniques
Spoofing attack (Phishing)
A spoofing attack involves one
program, system or website that
successfully masquerades as another
by falsifying data and is thereby
treated as a trusted system by a user
or another program—usually to fool
programs, systems or users into
revealing confidential information,
such as user names and passwords.
Phishing
Techniques
Rootkit
A rootkit is a program that uses low-
level, hard-to-detect methods to
subvert control of an operating system
from its legitimate operators. Rootkits
usually obscure their installation and
attempt to prevent their removal
through a subversion of standard
system security.
Rootkit – Sick Computer
Techniques – Social
Engineering
Intimidation In the "angry supervisor"
technique, the hacker convinces the
person who answers the phone that their
job is in danger unless they help. At this
point, many people accept that the caller
is a supervisor and give them the
information they seek.
Techniques – Social
Engineering
Helpfulness The opposite of intimidation,
helpfulness exploits many people's natural
instinct to help others solve problems.
Rather than acting angry, the hacker acts
distressed and concerned. The help desk is
the most vulnerable to this type of social
engineering, as (a.) its general purpose is
to help people; and (b.) it usually has the
authority to change or reset passwords,
which is exactly what the hacker wants.
Social Engineering
Example Technique
Techniques – Social
Engineering
Name-dropping The hacker uses
names of authorized users to
convince the person who answers the
phone that the hacker is a legitimate
user too. Some of these names, such
as those of webpage owners or
company officers, can easily be
obtained online. Hackers have also
been known to obtain names by
examining discarded documents.
Techniques – Social
Engineering
Technical Using technology is also a
way to get information. A hacker can
send a fax or email to a legitimate
user, seeking a response that
contains vital information. The hacker
may claim that he or she is involved in
law enforcement and needs certain
data for an investigation, or for record-
keeping purposes.
Social Engineering Works!
Trojan Horse
A Trojan horse is a program that
seems to be doing one thing but is
actually doing another. It can be used
to set up a back door in a computer
system, enabling the intruder to gain
access later.
Virus
A virus is a self-replicating program
that spreads by inserting copies of
itself into other executable code or
documents. By doing this, it behaves
similarly to a biological virus, which
spreads by inserting itself into living
cells. While some viruses are
harmless (and many reported "viruses"
are mere hoaxes), most are malicious.
Computer Worm
Like a virus, a worm is also a self-
replicating program. It differs from a
virus in that (a.) it propagates through
computer networks without user
intervention; and (b.) does not need to
attach itself to an existing program.
Nonetheless, many people use the
terms "virus" and "worm"
interchangeably to describe any self-
propagating program.
Keylogger
A keylogger is a tool designed to
record ("log") every keystroke on an
affected machine for later retrieval,
usually to allow the user of this tool to
gain access to confidential information
typed on the affected machine.
Can Be Bought at Amazon!
Botnets
A botnet is a collection of Internet-connected
programs communicating with other similar
programs in order to perform tasks. This can be as
mundane as keeping control of an Internet Relay
Chat (IRC) channel, or it could be used to send
spam email or participate in distributed denial-of-
service attacks. The word botnet is a combination
of the words robot and network. The term is usually
used with a negative or malicious connotation.
Legal Botnets
The term botnet is widely used when
several IRC bots have been linked
and may possibly set channel modes
on other bots and users while keeping
IRC channels free from unwanted
users. A common bot used to set up
botnets on IRC is eggdrop.
Illegal Botnets
Illegal botnets are built from computers whose
security defenses have been breached and whose
control has been conceded to a third party. Each
such compromised device, known as a "bot", is
created when a computer is penetrated by software
from a malware (malicious software) distribution.
The controller of a botnet directs the activities
of these compromised computers through
communication channels formed by standards-
based network protocols such as IRC and
Hypertext Transfer Protocol.
Annoying Botnets
Botnet Recruitment
Computers can be co-opted into a botnet when
they execute malicious software. This can be
accomplished by luring users into making a drive-
by download, exploiting web browser
vulnerabilities, or by tricking the user into running a
Trojan horse program, which may come from an
email attachment. This malware will typically install
modules that allow the computer to be commanded
and controlled by the botnet's operator. Depending
on how it is written, a Trojan may then delete itself,
or may remain present to update and maintain the
modules.
How A Botnet Works
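Once recruited, a bot has to reach its command-and-control channel on a schedule, and that timer is visible in outbound traffic. The following detection logic is an added example (not from the talk): it reads proxy log lines, groups requests by client and destination, and flags pairs whose inter-request intervals are nearly constant. The log lines are constructed for the demo; the threshold values are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log: "<ISO timestamp> <client> <destination host> <method> <path>".
# 10.1.1.20 checks in with a C2 about once a minute; 10.1.1.21 is a person browsing.
SAMPLE_LOG = """\
2014-04-28T09:00:00 10.1.1.20 cdn-update.example POST /gate.php
2014-04-28T09:00:04 10.1.1.21 news.example GET /
2014-04-28T09:00:05 10.1.1.21 news.example GET /style.css
2014-04-28T09:00:31 10.1.1.21 news.example GET /story/1
2014-04-28T09:00:45 10.1.1.21 mail.example GET /inbox
2014-04-28T09:01:00 10.1.1.20 cdn-update.example POST /gate.php
2014-04-28T09:02:01 10.1.1.20 cdn-update.example POST /gate.php
2014-04-28T09:02:59 10.1.1.20 cdn-update.example POST /gate.php
2014-04-28T09:03:12 10.1.1.21 news.example GET /story/2
2014-04-28T09:03:14 10.1.1.21 news.example GET /story/2/comments
2014-04-28T09:04:00 10.1.1.20 cdn-update.example POST /gate.php
2014-04-28T09:05:00 10.1.1.20 cdn-update.example POST /gate.php
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, destination host)."""
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, *_ = line.split()
        series[(client, dest)].append(datetime.fromisoformat(ts))
    return series


def detect_beacons(text: str, min_events: int = 4, max_cv: float = 0.1) -> List[dict]:
    """Flag (client, dest) pairs whose gaps between requests are nearly constant.
    cv = stdev/mean of the gaps: human browsing is bursty (cv well above 1),
    a timer-driven check-in sits close to 0. min_events avoids judging a
    pair on one or two gaps; max_cv is the assumed jitter tolerance."""
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"client": client, "dest": dest, "events": len(stamps),
                         "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample, only the 10.1.1.20 to cdn-update.example series survives (mean gap 60 s, cv 0.02). Bot authors know this and add random sleep between check-ins, so in practice this signal is combined with others: a destination nobody else in the organization talks to, a POST to a bare script path, a newly registered domain.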
The Deep Web
The Deep Web (also called the
Deepnet, Invisible Web, or Hidden
Web) is World Wide Web content that
is not part of the Surface Web, which
is indexed by standard search
engines. Some prosecutors and
government agencies think that the
Deep Web is a haven for serious
criminality.
Deep Resources
Dynamic content: dynamic pages
which are returned in response to a
submitted query or accessed only
through a form, especially if open-
domain input elements (such as text
fields) are used; such fields are hard
to navigate without domain
knowledge.
Deep Resources
Unlinked content: pages which are not
linked to by other pages, which may
prevent Web crawling programs from
accessing the content. This content is
referred to as pages without backlinks
(or inlinks).
Deep Resources
Private Web: sites that require
registration and login (password-
protected resources).
Silk Road
Deep Resources
Contextual Web: pages with content
varying for different access contexts
(e.g., ranges of client IP addresses or
previous navigation sequence).
Deep Resources
Limited access content: sites that limit
access to their pages in a technical
way (e.g., using the Robots Exclusion
Standard, CAPTCHAs, or no-cache
Pragma HTTP headers), which keeps
search engines from browsing them
and creating cached copies.
Deep Resources
Scripted content: pages that are only
accessible through links produced by
JavaScript as well as content
dynamically downloaded from Web
servers via Flash or Ajax solutions.
Deep Resources
Non-HTML/text content: textual
content encoded in multimedia (image
or video) files or specific file formats
not handled by search engines.
Steganography
Steganography
Crawling the Deep Web
• Selecting input values for text
search inputs that accept keywords,
• Identifying inputs which accept only
values of a specific type (e.g., date),
• Selecting a small number of input
combinations that generate URLs
suitable for inclusion into the Web
search index.
TOR (The Onion Router)
• Uses layered encryption: one layer per relay, so each relay can strip only its own
• Chooses the relays for each circuit at random
• Tor (anonymity network)
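Onion routing reduced to its two ideas above, random relay selection and one encryption layer per hop, as an added example (this is illustrative code written for this page, not Tor's implementation). The client wraps the message so that each relay, decrypting with its own key, learns only the next hop; only the exit sees the destination and the payload. The relay names, session keys and the HMAC-based toy cipher are constructed stand-ins for the real circuit handshake and AES-CTR.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, List, Tuple

# Five constructed relays, each sharing a session key with the client. In Tor the
# keys come from the circuit-building handshake; here they are simply generated.
RELAY_KEYS: Dict[str, bytes] = {
    name: os.urandom(32) for name in ("relayA", "relayB", "relayC", "relayD", "relayE")
}


def _layer_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream. Stand-in
    for Tor's AES-CTR; it only needs to be symmetric so a relay can peel a layer."""
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def choose_path(rng: random.Random, hops: int = 3) -> List[str]:
    """The client picks distinct relays at random; no relay chooses the next one."""
    return rng.sample(sorted(RELAY_KEYS), hops)


def build_onion(path: List[str], destination: str, message: bytes) -> bytes:
    """Wrap from the exit inward. Each layer's plaintext is
    '<next hop>\\x00<inner cell>', so a relay only learns where to forward."""
    cell = b"exit:" + destination.encode() + b"\x00" + message
    for i in range(len(path) - 1, -1, -1):
        plain = cell if i == len(path) - 1 else path[i + 1].encode() + b"\x00" + cell
        cell = _layer_xor(RELAY_KEYS[path[i]], plain)
    return cell


def relay_peel(name: str, cell: bytes) -> Tuple[str, bytes]:
    """A relay removes one layer with its own key and reads the routing header."""
    plain = _layer_xor(RELAY_KEYS[name], cell)
    header, _, rest = plain.partition(b"\x00")
    return header.decode(), rest


def run_circuit(message: bytes, destination: str, seed: int) -> Dict[str, object]:
    """client -> relay1 -> relay2 -> exit -> destination; records what each relay saw."""
    path = choose_path(random.Random(seed))
    cell = build_onion(path, destination, message)
    seen = []
    for name in path:
        header, cell = relay_peel(name, cell)
        seen.append((name, header))
    # What is left after the exit peels its layer is forwarded in the clear.
    return {"path": path, "seen": seen, "delivered": cell}


if __name__ == "__main__":
    print(run_circuit(b"GET / HTTP/1.1", "hidden.example", seed=7))
```

Reading the `seen` list shows the property: the first relay knows the client and the second relay, the middle relay knows only its neighbours, and the exit knows the destination but not the client. The exit does see the plaintext, which is why Tor users still need end-to-end TLS to the site; hidden services (the Ahmia index below) extend the same layering so that the server's location is hidden too.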
Ahmia.fi: Deep Web Search Engine for Tor Hidden Services
https://ahmia.fi/search
The Target Data Breach
How Did it happen?
Why didn’t Target detect it?
What damage was caused?
Could it happen again?
Cryptolocker
A ransomware trojan which targets
computers running Microsoft Windows
and first surfaced in September 2013.
A CryptoLocker attack may come from
various sources; one such is
disguised as a legitimate email
attachment.
Cryptolocker
When activated, the malware encrypts
certain types of files stored on local
and mounted network drives. It uses
RSA public-key cryptography: each file
is encrypted with a symmetric key, and
that key is in turn encrypted with an
RSA public key whose matching private
key is stored only on the malware's
control servers, so nothing on the
victim's machine can undo the encryption.
The malware then displays a
message which offers to decrypt the
data if a payment is made by a stated
deadline.
Cryptolocker
It threatens to delete the private key if
the deadline passes. For victims who miss
the deadline, the malware's operators
offer to decrypt data via an online
service, for a significantly higher price
in Bitcoin.
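The key-handling scheme described above, as an added example (illustrative code written for this page, not CryptoLocker's own): a fresh symmetric key per file, the file encrypted with it, the key wrapped with the operator's RSA public key, and the RSA private key existing only on the operator's side. The RSA parameters are toy-sized fixed Mersenne primes and the file cipher is a SHA-256 keystream, both constructed stand-ins for the 2048-bit RSA and AES the real malware used; the "document" is sample text.

```python
import hashlib
import os
from typing import Tuple

# Toy RSA with fixed primes so the example is self-contained (real keys are
# 2048-bit, generated per victim; textbook RSA without padding is not secure).
P = 2147483647             # 2**31 - 1
Q = 2305843009213693951    # 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: lives only on the C2 server

KEY_LEN = 8   # per-file key of 64 bits, small enough to be < N for wrapping


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy per-file symmetric cipher (SHA-256 counter keystream XOR)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def victim_encrypt(public_key: Tuple[int, int], plaintext: bytes) -> Tuple[bytes, int]:
    """Runs on the infected machine. It holds only the public key: it can
    encrypt and wrap, never unwrap. The raw file key is discarded; all that
    stays with the file is the ciphertext and the wrapped key."""
    n, e = public_key
    file_key = os.urandom(KEY_LEN)
    ciphertext = _stream_xor(file_key, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return ciphertext, wrapped_key


def operator_unwrap(private_key: Tuple[int, int], wrapped_key: int) -> bytes:
    """Runs on the control server, after payment: recovers the file key."""
    n, d = private_key
    return pow(wrapped_key, d, n).to_bytes(KEY_LEN, "big")


def decrypt_file(file_key: bytes, ciphertext: bytes) -> bytes:
    return _stream_xor(file_key, ciphertext)


def demo() -> dict:
    public, private = (N, E), (N, D)
    document = b"Q1 financials - constructed sample file contents"
    ciphertext, wrapped = victim_encrypt(public, document)
    # Everything left on the victim's disk is (ciphertext, wrapped). Without D
    # it is a dead end, which is what makes the delete-the-key deadline credible.
    recovered = decrypt_file(operator_unwrap(private, wrapped), ciphertext)
    return {"document": document, "ciphertext": ciphertext,
            "wrapped_key": wrapped, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole business model: encryption needs only material the malware carries, decryption needs material it never had. For a defender that translates into one control that works regardless of the cipher, offline or versioned backups that the infected account cannot overwrite, since the mounted network drives mentioned above are encrypted right alongside the local files.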
Money Paid
In December 2013 ZDNet traced four
Bitcoin addresses posted by users
who had been infected by
CryptoLocker, in an attempt to gauge
the operators' takings. The four
addresses showed movement of
41,928 BTC between October 15 and
December 18, about US$27 million at
the time.
Money Paid
A survey by researchers at the
University of Kent found that 41% of
UK respondents who were
Cryptolocker victims claimed to have
agreed to pay the ransom, a figure
much larger than expected; 3% had
been conjectured by Symantec, and
0.4% by Dell SecureWorks. The
average amount per infection in the
U.S. is $300.
Bitcoin Payment Addresses
https://blockchain.info/address/18iEz617DoD
https://blockchain.info/address/1KP7
What is Bitcoin?
Bitcoin is a peer-to-peer payment
system introduced as open source
software in 2009 by developer Satoshi
Nakamoto. The digital currency
created and used in the system is also
called bitcoin.
How Are Bitcoins Created?
Bitcoins are created as a reward for
payment processing work in which
users who offer their computing power
verify and record payments into a
public ledger. Called mining,
individuals engage in this activity in
exchange for transaction fees and
newly minted bitcoins.
Bitcoin Mining Equipment
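The "payment processing work" above is a hash search, shown here as an added example (illustrative code written for this page, not Bitcoin's reference client). A miner varies a nonce in a block header until the double SHA-256 of the header falls below a target; the lower the target, the more hashes the search costs, while checking a claimed solution is always one hash. The header is simplified to previous hash, merkle root and nonce, and both inputs are constructed.

```python
import hashlib
import struct
from typing import Optional, Tuple


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for(difficulty_bits: int) -> int:
    """A hash is a solution if, read as a 256-bit integer, it is below the
    target, i.e. it has at least difficulty_bits leading zero bits."""
    return 1 << (256 - difficulty_bits)


def mine(prev_hash: bytes, merkle_root: bytes, difficulty_bits: int,
         max_nonce: int = 2**32) -> Optional[Tuple[int, bytes, int]]:
    """Search nonces until sha256d(header) < target; returns (nonce, hash, attempts).
    Simplified 68-byte header (a real one is 80 bytes and also carries version,
    timestamp and the compact target)."""
    target = target_for(difficulty_bits)
    for nonce in range(max_nonce):
        header = prev_hash + merkle_root + struct.pack("<I", nonce)
        digest = sha256d(header)
        if int.from_bytes(digest, "big") < target:
            return nonce, digest, nonce + 1
    return None


def verify(prev_hash: bytes, merkle_root: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash, cheap for every node; only the search is costly."""
    header = prev_hash + merkle_root + struct.pack("<I", nonce)
    return int.from_bytes(sha256d(header), "big") < target_for(difficulty_bits)


# Constructed inputs: a made-up previous block hash and merkle root.
PREV_HASH = hashlib.sha256(b"previous block (constructed)").digest()
MERKLE_ROOT = hashlib.sha256(b"coinbase tx paying the miner (constructed)").digest()


def demo(difficulty_bits: int = 12) -> dict:
    """Mine at a toy difficulty (about 2**12 = 4096 expected attempts)."""
    nonce, digest, attempts = mine(PREV_HASH, MERKLE_ROOT, difficulty_bits)
    return {"nonce": nonce, "hash": digest.hex(), "attempts": attempts,
            "valid": verify(PREV_HASH, MERKLE_ROOT, nonce, difficulty_bits)}


if __name__ == "__main__":
    print(demo(12))
    print(demo(16))
```

Each extra bit of difficulty doubles the expected attempts, which is why the equipment pictured on the next slide exists: the reward goes to whoever can evaluate SHA-256 fastest, and the network raises the difficulty as more hashing power joins so that blocks keep arriving at roughly the same rate.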
Bitcoin Anonymity?
The public nature of bitcoin means
that, while those who use it are not
identified by name, linking
transactions to individuals and
companies can be done. Additionally,
many jurisdictions require exchanges,
where people can buy and sell
bitcoins for cash, to collect personal
information
Bitcoin Anonymity
In order to obfuscate the link between
individual and transaction, some use a
different bitcoin address for each
transaction and others rely on so-
called mixing services that allow users
to trade bitcoins whose transaction
history implicates them for coins with
different transaction histories
Bitcoin Proof of Ownership
The ownership of bitcoins associated
with a certain bitcoin address can be
demonstrated with knowledge of the
private key belonging to the address.
For the owner, it is important to
protect the private key from loss or
theft. If a private key is lost, the user
cannot prove ownership by other
means. The coins are then lost and
cannot be recovered.
Bitcoin Wallet
Buying and Selling Bitcoins
Bitcoins can be bought and sold with
many different currencies from
individuals and companies. Perhaps
the fastest way to purchase bitcoins is
in person or at a bitcoin ATM for cash.
Status of Bitcoin (IRS)
The US Government Accountability Office reviewed
virtual currencies upon the request of the Senate
Finance Committee and in May 2013
recommended that the IRS formulate tax
guidance for bitcoin businesses. On 25 March
2014, in time for 2013 tax filing, the IRS issued
guidance that virtual currency is treated as property
for US federal tax purposes and that "an individual
who 'mines' virtual currency as a trade or business
[is] subject to self-employment tax".
Q&A Session
Anything Goes!
Nicholas Davis
https://www.facebook.com/nicholas.a.davis
Email ndavis1@wisc.edu
Thank you!