Police/NCA Cybercrime Training Denis A Nicole dan@ecs.soton.ac.uk 2014-08-07

1
Police/NCA Cybercrime Training Denis A
Nicoledan_at_ecs.soton.ac.uk2014-08-07
2

• When the militarys top cyberwarriors gathered
  last year inside a secretive compound at Fort
  Meade, Maryland, for a classified war game
  exercise, a team of active-duty troops faced off
  against several teams of reservists.
• And the active-duty team apparently took a
  beating.
• They were pretty much obliterated, said one
  Capitol Hill staffer who attended the exercise.
  The active-duty team didnt even know how theyd
  been attacked.
• http//www.navytimes.com/article/20140804/NEWS04/3
  08040019

3

• Congress has authorized the FBI to add 2,000
  personnel to its rolls this year, and many of
  those new recruits will be assigned to tackle
  cyber crimes, a growing priority for the agency.
  And thats a problem, FBI Director Comey told the
  White Collar Crime Institute, an annual
  conference held at the New York City Bar
  Association in Manhattan. A lot of the nations
  top computer programmers and hacking gurus are
  also fond of marijuana.
• I have to hire a great work force to compete
  with those cyber criminals and some of those kids
  want to smoke weed on the way to the interview,
  Mr. Comey said.
• Mr. Comey said that the agency was grappling
  with the question right now of how to amend the
  agencys marijuana policies, which excludes from
  consideration anyone who has smoked marijuana in
  the previous three years, according to the FBIs
  Web site. One conference goer asked Mr. Comey
  about a friend who had shied away from applying
  because of the policy. He should go ahead and
  apply, despite the marijuana use, Mr. Comey
  said.
• http//blogs.wsj.com/law/2014/05/20/director-comey
  -fbi-grappling-with-hiring-policy-concerning-marij
  uana/

4
Nobody but us?
https//firstlook.org/theintercept/document/2014/0
8/05/directorate-terrorist-identities-dti-strategi
c-accomplishments-2013/
5
http//stakeholders.ofcom.org.uk/market-data-resea
rch/market-data/communications-market-reports/cmr1
4/uk/
6
Year of Code

• Teachers could be trained how to educate students
  in computer programming in a day
• Lottie Dexterhttp//www.bbc.co.uk/news/technology
  -26150717

7
1969

• Toby Harris went on to be the first chair of the
  Metropolitan Police Authority.

8
Content

• Basics of Computer Networking
• IP4 and IP6, NAT (private addresses)
• BGP (Border Gateway Protocol), attacks
• DNS, dynamic DNS, secure DNS, attacks
• HTTP, HTTPS, VPNs, ssh
• Firewalls
• Public Key Infrastructure
• Tor, Bitcoin
• This is all standard material for us

9
Cybercrime concepts

• Basic SQL injection, cross-site scripting, DDoS.
• Malware viruses, attack surfaces (software and
  hardware).
• Patching, antivirus, network monitoring.
• Motivations, sophistication of attackers,
  insiders?
• Forensic analysis little real experience at
  Southampton.
• Network traffic analysis off-site specialists.

10
Types of Malware

• Browser attacks
• Application attacks
• OS attacks
• Rootkits
• HW attacks

11
Basic Computer Forensics

• Major tools are probably
• EnCase expensive, no experience in
  ECShttps//www.guidancesoftware.com/
• SANS we have some experience here
  http//digital-forensics.sans.org/community/cheat-
  sheets
• More advanced techniques
• Malware analysis (IDA Pro)https//www.hex-rays.co
  m/products/ida/
• Password Crackinghttp//www.openwall.com/john/

12
Hands-on laboratory work

• RFID
• CHIP AND PIN
• Penetration testing PonziBank
• XSS
• Side Channels
• Malware analysis

13
Which do you trust?
14
EMV electrical protocol
C1 Vcc (5V, 55mA until Jan 2014) C2 Reset
(active low) C3 Clock (1MHz to 5MHz) C5
Ground C7 Input/Output (1 bit 372 clocks)
15
Check a PIN

• Sending 80 CA 9F 17 00 How many tries do I have
  left?
• Received 9F 17 01 03 90 00 Three. It might not
  tell you!
• Sending 00 20 00 80 08 24 00 00 FF FF FF FF FF
  Is it 0000?
• Received 63 C2 Nope two tries left
• State of non-volatile memory changed. Counter
  0x2
• Sending 00 20 00 80 08 24 00 01 FF FF FF FF FF
  0001?
• Received 90 00 Yes
• Sending 80 CA 9F 17 04
• Received 9F 17 01 03 90 00 Were back to three
  tries
• If you brick your card, an ATM should check
  online and reset it.

Gives a good introduction to ASN.1
16
PonziBank
http//xkcd.com/327/
17
ResearchC/C VerificationPresentation to
HPDenis A Nicoledan_at_ecs.soton.ac.uk2014-05-07
18
Our contribution to security

• A whole new class of software vulnerabilities
  arise in multicore chips all modern phones,
  desktops and servers.
• The vulnerabilities are timing-dependent and
  cannot usually be found by conventional testing.

19
ESBMC is a Collaboration between

• University of Southampton
• Jeremy Morse and Denis Nicole
• Federal University of Amazonas, Brazil
• Mikhail Ramalho, Mauro Freitas, Felipe Sousa,
  Hendrio Marques and Lucas Cordeiro
• University of Stellenbosch, South Africa
• Bernd Fischer

20
ESBMC is a bounded model checker

• It exhaustively analyses all possible behaviours
  of a (multithreaded) C or C program up to a
  fixed depth of
• loop iteration (including backward jumps and
  recursion),
• thread interleaving.
• Within these bounds, it checks for
• C errors pointer errors, arithmetic errors,
  array bounds, malloc()/free(), assert() failures,
  data races, etc.
• Violation of Linear Temporal Logic
  specifications.

21
Model Checking is not Simulation

• Simulation (testing) checks correctness for a
  particular input and a particular thread
  interleaving.
• You need to run multiple simulations with
  different data and different timing before you
  get some assurance.
• Model Checking exhaustively analyses all possible
  behaviours over a range of possible inputs and
  generates a witness, a trace of program state, if
  there are any possible failures.
• Good-coverage simulation may be effective against
  random errors it offers little protection
  against tailored attacks.

22
Improvement by competition

• The field of C model checking research is now
  large enough to support annual competitions
  perhaps the best known is that held in
  conjunction with the International Conference on
  Tools and Algorithms for the Construction and
  Analysis of Systems (TACAS).
• The team is proud to report that ESBMC v1.17 won
  the Gold Medal in the SystemC and Concurrency
  categories and the Bronze Medal in the overall
  ranking of the first International Competition on
  Software Verification at TACAS 2012.
• ESBMC v1.20 won the  Bronze Medal in the overall
  ranking of the second competition at TACAS 2013.