Preview Brute Force Techniques With MITRE ATT&CK
Editor-in-Chief
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
Proofreaders
Lee McKenzie
Editors:
Hammad Arshed
Marta Sienicka
sienicka.marta@hakin9.com
Ali Abdollahi
Marketing Director:
Joanna Kretowicz
joanna.kretowicz@eforensicsmag.com
DTP
Marta Sienicka
sienicka.marta@hakin9.com
Cover Design
Hiep Nguyen Duc
Joanna Kretowicz
Publisher
Hakin9 Media Sp. z o.o.
02-676 Warszawa
ul. Bielawska 6/19
Phone: 1 917 338 3631
www.hakin9.org
In this month’s edition, we wanted to come back to the topic of password security. And that’s why we
prepared a few articles that will show you a slightly different approach to this area.
We start with “Brute Force techniques with MITRE ATT&CK” that goes straight into the action and presents
various hacking techniques to uncover passwords. Additionally, the authors show two methods that can be
To learn more about offensive techniques, check out the next article: “Exploration of Passwords on
Wireless Security”. The authors perform an experiment that will use available hacking tools to attempt to
Moving forward, there are two other articles that present a slightly different approach to the password
topic. First, we will take a closer look at the problem of securing passwords. In “Password Security
Problems”, the authors prepared amazing research where they review each potential threat and mistake
made by everyday users and security specialists. The second article will focus on the situation after the
attack. The majority of users change their password to something very similar or don’t change it at all. How
does that influence the security process after a breach? You will find out in the research.
As always there are other articles that we hope you will find interesting! Automotive hacking, SOCMINT,
We hope that you will enjoy this edition and all the articles we prepared. Before you dive into hacking
passwords, a small note: As the times grow uncertain and troubling, remember - If you’re feeling
overwhelmed or stressed by it all, be reassured that this is a very normal response. However, it’s important
to go easy on yourself. Make sure to make time for self-care and have fun hacking ;-)
JOAS ANTONIO
He has more than 8 years of academic and professional
Brute Force techniques with MITRE ATT&CK
Introduction
Brute force is a technique for discovering a password by trying candidate after candidate, either generated as
random combinations or taken from a wordlist. It can be carried out in one of two ways: online or offline.
Online
Online password attacks are the traditional type of attack that you can do against a web application, exposed SSH terminal,
or really any login interface. An online password attack consists of trying a large number of username/password
combinations on the login portal in the hope of guessing the correct password.
Offline
Offline attacks differ from online attacks in that they are not aimed at a login interface but at captured material:
password hashes, encrypted data and the algorithms protecting them. The goal is to break that protection and
recover the password in plain text.
https://www.triaxiomsecurity.com/2018/10/19/whats-the-difference-between-offline-and-online-password-attacks/
https://phoenixnap.com/blog/brute-force-attack
Attackers can use brute force techniques to gain access to accounts when passwords are unknown or when password hashes
are obtained through exploitation. Without knowledge of the password for an account or set of accounts, an attacker can
systematically guess the password using a repetitive or iterative mechanism. The brute force of passwords can occur
through interaction with a service that will check the validity of these credentials or offline against the credential data
acquired in the form of password hashes.
When carrying out an attack, the password cracking process is essential, especially when the goal is privilege escalation or lateral
movement. Many such scenarios are documented in MITRE ATT&CK; shall we look at some of them?
https://attack.mitre.org/techniques/T1110/
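The online form of T1110 described above leaves a characteristic trace in authentication logs: a burst of failed logins from one source, either hammering a single account or spread thinly across many accounts. The following detector is an added example written for this article preview, not code from the article or from MITRE; it parses a handful of constructed OpenSSH auth.log lines and raises alerts for password guessing (ATT&CK sub-technique T1110.001), password spraying (T1110.003), and a successful login that follows a burst of failures. The thresholds (5 failures within 60 seconds, 3 distinct accounts) are assumptions chosen for the sample and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (not taken from the article).
# 203.0.113.5 guesses alice's password repeatedly and then succeeds;
# 198.51.100.9 tries one password against several accounts (spraying);
# 192.0.2.77 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:03 host sshd[2102]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:05 host sshd[2103]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:07 host sshd[2104]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:09 host sshd[2105]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Mar  3 10:00:11 host sshd[2106]: Accepted password for alice from 203.0.113.5 port 51005 ssh2
Mar  3 10:05:00 host sshd[2201]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar  3 10:05:02 host sshd[2202]: Failed password for carol from 198.51.100.9 port 40001 ssh2
Mar  3 10:05:04 host sshd[2203]: Failed password for invalid user dave from 198.51.100.9 port 40002 ssh2
Mar  3 10:05:06 host sshd[2204]: Failed password for erin from 198.51.100.9 port 40003 ssh2
Mar  3 10:30:00 host sshd[2301]: Failed password for frank from 192.0.2.77 port 33000 ssh2
Mar  3 10:31:00 host sshd[2302]: Accepted password for frank from 192.0.2.77 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, source_ip, user, success) tuples for each recognised line.
    syslog lines carry no year, so one is assumed for the sample."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect(events, window_s=60, fail_threshold=5, spray_users=3):
    """Return (source_ip, technique_id, detail) alerts. Thresholds are assumptions."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_src[ev[1]].append(ev)

    for src, evs in by_src.items():
        fails = [e for e in evs if not e[3]]

        # Password guessing (T1110.001): fail_threshold failures against one
        # account inside a sliding window of window_s seconds.
        per_user = defaultdict(list)
        for ts, _, user, _ in fails:
            per_user[user].append(ts)
        for user, stamps in sorted(per_user.items()):
            start = 0
            for end in range(len(stamps)):
                while (stamps[end] - stamps[start]).total_seconds() > window_s:
                    start += 1
                if end - start + 1 >= fail_threshold:
                    alerts.append((src, "T1110.001",
                                   f"{fail_threshold}+ failures for {user} within {window_s}s"))
                    break

        # Password spraying (T1110.003): failures spread over many distinct accounts,
        # which keeps every single account below a lockout threshold.
        users = {e[2] for e in fails}
        if len(users) >= spray_users:
            alerts.append((src, "T1110.003",
                           f"failures against {len(users)} accounts: {', '.join(sorted(users))}"))

        # A success right after a burst of failures for the same account means the
        # guess probably worked: escalate as a likely compromised credential.
        for i, (ts, _, user, ok) in enumerate(evs):
            if not ok:
                continue
            prior = [e for e in evs[:i]
                     if not e[3] and e[2] == user and (ts - e[0]).total_seconds() <= window_s]
            if len(prior) >= fail_threshold:
                alerts.append((src, "T1110.001",
                               f"successful login for {user} after {len(prior)} failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, the detector raises two alerts for 203.0.113.5 (the burst against alice, then the success that follows it), one spraying alert for 198.51.100.9, and nothing for the single mistyped password from 192.0.2.77. Per-account counting alone would miss the spraying source, which is why the two checks are kept separate.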
After compromising the machines by taking advantage of security holes and using customized backdoors, the group used
brute force techniques to crack user passwords and escalate privileges. One of the tools widely used was Ncrack; we are going
to see a demonstration of its functionality:
EXPLORATION OF PASSWORDS ON WIRELESS SECURITY
JAMES C. DUVALL
Western Kentucky University
Exploration of Passwords on Wireless Security
In this research project, the topic of password length within the context of wireless networking security will be explored. An
experiment will be undertaken that will use available hacking tools and modest equipment to attempt to gain access to a lab
wireless network. The lab wireless network will be built to mimic a production wireless network that could be found in a
small business setting. Quantitative data collected from this experiment will be used to produce summary statistics that will
then be used to demonstrate the degree of impact password length has on the security of the wireless network. This project
will also explore the feasibility of success an amateur hacker may experience with the previously mentioned tools and
equipment using information obtained in online articles detailing the use of these tools.
Background
Almost all computer systems today, no matter how advanced or remote, share one common component, passwords.
Passwords are the basic form of securing a system or the data that it holds. Passwords on computer systems date back to
the early 1960s. At that time, Fernando Corbató was in charge of the CTSS computer at MIT. The computer was designed
for multiple users to share access and store their individual files. This design, however, led to issues. David Kalat (2018)
explains that “because each user had his own research domain and files, the CTSS needed to be able to distinguish between
them and to present them with only the materials authorized to them” (The first password section, para. 1). Corbató came
up with a solution to the issue, explaining that “putting a password on for each individual user as a lock seemed like a very
straightforward solution” (as cited in McMillan, 2012, para. 7). Since that time, passwords have become an important part
of modern computing.
Since passwords have become such an important part of computing, they have naturally become a highly sought-after prize
for hackers all over the world. Over the past several years, massive security breaches have sadly become a normal part of
Internet-connected life with millions of users’ data exposed to malicious threat actors, including passwords and other
personal information. Last year, an anonymous actor uploaded massive files full of usernames and passwords from past
breaches online for other hackers to download. Andy Greenberg (2019) describes the event, stating that “someone has
cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion
unique usernames and associated passwords and is freely distributing them on hacker forums and torrents” (para. 1). While
one would hope that users are aware that their passwords were compromised and changed them, this information still gives
hackers clues into how people create passwords and how popular some passwords are.
Password policies and best practices have tried to make passwords more secure to prevent hackers from obtaining them.
These policies and practices have focused on password length and complexity, frequent changes, using unique passwords
for each account, and using randomly generated passwords. The problem with these policies is that they have made it more
inconvenient than many want to tolerate so they find workarounds to these policies. People reuse passwords when forced to
change them. They rarely use randomly generated passwords because they are difficult to remember. Arguably, the most
detrimental to the security of their data has been circumventing complexity requirements by using weak passwords that are
minimal length and follow well-known and predictable patterns.
The use of these kinds of weak passwords in one specific area of information technology is what this project will explore,
wireless networking. Wireless networking, as the world knows it today, came about in the late 1990s with the IEEE 802.11
PASSWORD SECURITY PROBLEMS
MARJAN HERIČKO
Dr. Heričko has been a project or work co-ordinator in several applied projects for
industrial partners, e.g. Mikropis Holding, IZUM, Iskratel, Infonet, RRC Računalniške
storitve, RC IRC Celje, Telekom Slovenije, Mobitel, Hermes SoftLab, Nova KBM,
VIKTOR TANESKI
Faculty of electrical engineering and computer science/Institute of
▪ Markov models
Password Security Problems
Alphanumeric passwords are the first line of defense in security for most information systems. Morris and Thompson
identified passwords as a weak point in an Information System’s security 35 years ago. Their findings showed that 86% of
the passwords were too short, contained lowercase letters only, digits only, were easily found in dictionaries and/or easily
compromised. The objective of this paper is to perform a systematic literature review in the area of passwords and
passwords security, in order to determine whether alphanumeric passwords are still weak, short and simple. The results
show that only 42 out of 63 relevant studies propose a solid solution to deal with the identified problems with alphanumeric
passwords, but only 17 have statistically verified it. We find that only three studies have a representative sample, which may
indicate that the results of the majority of the studies cannot be generalized. We conclude that users and their
alphanumeric passwords are still the “weakest link” in the “security chain”. Careless security behavior, involving password
reuse, writing down and sharing passwords, along with an erroneous knowledge concerning what constitutes a secure
password, are the main problems related to the issue of password security.
1. Introduction
The rapid growth of Internet technology and the widespread use of websites have changed the way people operate
nowadays. The increased number of online services, online social networks (e.g. Facebook, Twitter, etc.) and other websites
with content tailored to users’ interests has increased the need for authentication mechanisms.
Authentication is the core of today’s Web experience [1]. Online services, social networks and websites require
authentication so that users can create a profile, post messages and comments, and tailor the website’s content so it can
match their interests.
In an information security sense, authentication is the process of verifying someone’s identity. Typically, authentication can
be classified into three main categories: knowledge-based authentication - “what you know” (e.g., textual or graphical
passwords), biometrics authentication - “what you are” (e.g., retina, iris, voice, and fingerprint scans), and token-based
authentication - “what you have” (e.g., smart cards, mobile phones or other tokens). Lately, another alternative
authentication method is becoming more available - the two-step verification. The problems with these alternative
authentication methods are not related to the security itself, in fact, these methods also provide excellent security for the
system. Instead, the weaknesses of these authentication methods are that they can be expensive (biometrics, smart cards),
they must be carried around at all times when access to the system is required (smart cards, two-step verification), they are
difficult to implement on a large scale, and they are not widely accepted by the users. Single Sign-On (SSO) is another
method for authentication that is recently becoming more available, that provides access to many resources once the user is
initially authenticated. However, a recent study [2] found that SSO solutions impose a cognitive burden on web users, and
users have significant trust, security, and privacy concerns, which hinders the wide acceptance and usage of SSOs.
We focus on the textual passwords and their security simply because the username-password combination used to be [3]
[4] and still is the most widely used method for authentication [5]. Even though passwords suffer from a number of
problems, they continue to be one of the most common control mechanisms to authenticate users in information systems,
due to their simplicity and cost effectiveness. The problems related to textual passwords and password security are not new.
Morris and Thompson [6] were first to identify textual passwords as a weak point in the information system’s security.
DO PEOPLE CHANGE THEIR PASSWORDS AFTER A BREACH?
SRUTI BHAGAVATULA
I am currently a 6th year PhD student in the School of Computer Science
(SDE).
APU KAPADIA
My research focuses on computer security and privacy with an emphasis
Do people change their passwords after a breach?
To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords
and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have
mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users
perform these and other security-enhancing actions after breaches, we must first have some understanding of the current
effectiveness of companies’ post-breach practices. To study the effectiveness of password-related breach notifications and
practices enforced after a breach, we examine—based on real-world password data from 249 participants—whether and
how constructively participants changed their passwords after a breach announcement.
Of the 249 participants, 63 had accounts on breached domains; only 33% of the 63 changed their passwords and only 13%
(of 63) did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords
(when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords
were overall more similar to participants’ other passwords, and participants rarely changed passwords on other sites even
when these were the same or similar to their password on the breached domain. Our results highlight the need for more
rigorous password-changing requirements following a breach and more effective breach notifications that deliver
comprehensive advice.
1. Introduction
Password breaches have been on the rise, affecting mainstream companies such as Yahoo! and gaming sites such as League
of Legends and Neopets among others [5]. Stolen passwords have been largely exposed in insecure forms such as in plain
text or by weak hashes (often unsalted or easily guessed through dictionary attacks) such as MD5 and SHA-1 hashes,
leaving users vulnerable unless they change their passwords on the affected sites [5]. Additionally, when a company suffers
a breach involving passwords, rarely are the users affected solely on the compromised domain [13]. Previous work has
shown that, on average, a user exactly or partially reuses their passwords on over 50% of their accounts [13, 17, 35]. In such
cases, when a person’s password on one domain is compromised, they incur the risk that an attacker will be able to gain
access to their other accounts that use similar or the same passwords. In order to make informed recommendations to
companies on best risk mitigation practices after a breach, it is instructive to examine people’s current password-changing
behavior after breaches.
Prior work has explored problems related to data breaches and changing passwords, e.g., how people comprehend data
breaches [25, 48], what factors make them more inclined to take action after breaches [25, 48], and how people change
passwords in response to reuse notifications [20]. Researchers found that people were more likely to heed advice about
actions after security breaches based on who was giving the advice and often underestimated the harm that could be
incurred as a result of a compromise [25, 48]. Related to password changes, researchers found that very few of their
participants in an online study reported intentions to change passwords after being notified that their passwords were
compromised or reused, including because they believed in the “invincibility” of their passwords [20]. These studies are
important to understand how to better inform people about the impact of data breaches and to understand people’s mental
models when it comes to taking action to protect themselves. However, we still lack an understanding of the actual extent—
empirically measured—to which actions taken by companies to inform their users after a breach are effective.
HACKING AUTOMOTIVE SYSTEMS
OMAR ALASMAR
Omar Alasmar is a Cybersecurity Specialist with 4 years of experience.
GPEN and has worked in multiple roles such as penetration testing and
forensics.
Hacking Automotive Systems
Cars are one of the most widely used transportation methods. According to OICA [1], more than 72 million cars were
manufactured in 2016. It is estimated that, by 2035, the number of vehicles worldwide will reach more than 2 billion. Due
to people’s massive dependency on vehicles for transportation, the technology utilized in cars has advanced greatly over
the years. From entirely mechanical to fully autonomous, cars now heavily depend on computers and connectivity. This
paper focuses on the security of cars nowadays. It investigates the weaknesses within cars and illustrates some of the
hacking techniques possible.
Background:
To understand how car attacks work, the technological components of the cars must be explained. This will be divided into
two categories: ECU (Electronic Control Unit) and Automotive Networks.
Modern cars are equipped with many computers such as ECU (Engine Control Unit), PCM (Powertrain Control Module),
CTM (Central Timing Module), SCM (Suspension Control Module), GEM (General Electronic Module) and many others.
These computers are usually referred to collectively as ECUs (Electronic Control Units) [4]. Each ECU serves its own purpose, and their names
usually reflect their functions.
As illustrated in the following figure, the ECU (Engine Control Unit) interfaces with the different engine components,
receiving their input to generate the proper output.
The ECU enhances engine functionality and efficiency by replacing mechanical functions. It optimizes the fuel/air mixture
and ignition timing dynamically, thanks to its ability to analyse the input received from the different sensors and issue
real-time commands [3].
DPAPI-IN-DEPTH WITH TOOLING: STANDALONE DPAPI
TIJL DENEUT
Tijl Deneut has over 5 years of experience in the IT security sector and is,
Certified Instructor. Tijl also teaches security classes at both the Howest
was also the trainer for classes directed towards, amongst others, the
Twitter: https://twitter.com/tijldeneut
Website: https://www.ic4.be
Github: https://github.com/tijldeneut
DPAPI-in-depth with tooling: standalone DPAPI
The Microsoft Data Protection Application Programming Interface, or DPAPI for short, is a Windows API that lets
developers store sensitive data encrypted while still being able to decrypt it later.
It has been around since Windows 2000, which makes it more or less ancient in computer terms. However, it has since
been tweaked to such an extent that it is no longer recognizable: algorithms such as RSA, AES-256, SHA-512 and even PBKDF2 have
been added, and iteration counts have been increased.
This article will go in depth on how Stand Alone DPAPI works: only local Windows accounts (so no Active Directory nor
Microsoft Live) and no TPM. It has been developed and verified on the latest version of Windows 10 x64 (v2004, 19041.508
at the time of writing).
This article will exclusively focus on local User and System DPAPI encryption and provides some in depth cryptographical
insights.
• Chrome & Edge (which now share the same Chromium code base) rely on DPAPI for storing cookies, usernames and
passwords
• Windows Credential Manager, which is used for File Shares, Remote Desktop sessions
• Wi-Fi passwords, both the pre-shared-key (PSK) variant and the Enterprise PEAP variant
• Third party tools like OpenVPN, iCloud, VMware Workstation, FortiClient or Dropbox
Impact
The impact of DPAPI attacks like this can be massive. Some examples:
• An attacker finds an external drive or a file share holding a read-only backup copy of a Windows C: drive. Most
password extraction tools are useless here, since most of them need to be run on a live system.
• An attacker gets (administrative) access to a Windows workstation and refuses or is unable to run any tools that are
not native to the system. He wants to copy out the required files and perform offline analysis later. For example,
running Mimikatz (even a modified or PowerShell version) on a production device is not always recommended.
• Or maybe even access to a Virtual Hard Drive of a VM (e.g. access to an iSCSI server) holding all the data.
SOCMINT - DATA PROTECTION RISKS IN SOCIAL MEDIA
ANDREI ȘANDOR
NATO HUMINT Centre of Excellence, Oradea, Romania
andrei.sandor@natohcoe.org
SOCMINT - Data Protection Risks in Social Media
1. Introduction
Since the emergence of the Internet and social media, new Intelligence branches have flourished, like CYBERINT (Cyber
Intelligence), OSINT (Open Source Intelligence) or SOCMINT (Social Media Intelligence), with the aim to exploit different
dimensions of the virtual world. These Intelligence-related disciplines may gather personal information, statements and
conversations posted voluntarily on websites or social platforms in order to profile people, identify social networks and
organizational structures, and uncover vulnerabilities and threats/ risks that can jeopardize the security of individuals or
organizations. In this respect, the Internet - as an environment - can provide valuable information from both technical and
social sides. This is why the World Wide Web is and will remain an important place to search for data and information that
can be processed into Intelligence, and represents the reason why people working in sensitive domains (e.g. Intelligence)
should be aware of their vulnerabilities and the risks and threats posed by this environment.
As history demonstrates, Intelligence collection evolved and adapted as social trends and technology developed. These two
factors, society and technology, are in a close relationship, as we can see in the case of social media, where the individual or
professional presence/activity may become part of the social behaviour of a person. The most important factor that shaped
modern Intelligence is definitely technology, with the advent of WEB 2.0, social media, and smart technologies. Web 2.0
comes with a new way of information spreading, as social media allows the Web to move from data and applications to user
interaction and experience [1]. This means that the modern World Wide Web does not restrict Internet users to only read
data or information but also allows them to share on different platforms their thoughts, opinions, personal data, and so on.
All this freedom of data sharing comes with big risks regarding personal and organizational security, as new opportunities
for information collection and analysis occur. The main Intelligence or Competitive Intelligence related branches that
benefit from the Web 2.0 development are CYBERINT, OSINT, and social engineering, the last one being analysed from the
perspective of Intelligence collection, and not regarded as criminal activity in cyberspace.
CYBERINT is a discipline of acquiring, processing, analyzing and disseminating information that identifies, tracks, and
predicts threats, risks, and opportunities in the cyber domain [2]. As the cyber dimension became common space, as an
extension of or reality replica for various activities, both from a technical and social point of view, CYBERINT may overlap
with traditional Intelligence collection disciplines like SIGINT or HUMINT. Commonly, cyber operations are encountered
in three major forms: computer network defense, computer network attack, and computer network exploitation [3]. In this
paper, we refer in particular to the individual/organisational risks emerging from computer network exploitation, where we
consider the computer as any device that may connect to another device or to a cloud and the network – the Internet.
From this technical perspective, the most common vulnerability for both personal and social platform equipment is
represented by gaps in software or hardware design. For any equipment, at a moment of its lifecycle, security vulnerabilities
may occur, as technology develops.
Devices can send information or can be scanned in order to obtain data that may be used for Intelligence processing. The most
FACTORING ASSET GROWTH IN SYSTEM DEVELOPMENT LIFE CYCLE IMPLEMENTATION
WAEL ALAGI
Wael Alagi is an ethical hacker working with Saudi Aramco. He is a
compliance auditing.
SULTAN AL-SHARIF
Sultan Al-Sharif is cybersecurity administrator in Saudi Aramco. He has an
Factoring Asset Growth in System Development Life Cycle Implementation
The scaling of an enterprise changes the risk profile associated with its cyber-infrastructure. Consequently, the changes
expose an organization to new security risks due to the adoption of new infrastructure and the expansion of the network, as
well as new interactions between systems.
Increasing the number of contact points between the information architecture of an organization and the Internet increases
its complexity and the associated risk profile. The integration of an asset growth assessment during the system
development life cycle is a crucial process that ensures that the organization can respond effectively to the evolving security
risks.
The system development life cycle is the process involving the initiation, analysis, and design of the system, as well as its
implementation, and maintenance. Each of the SDLC models adopted in the information security program needs detailed
consideration to ensure that the information passing through the system is protected (Radack, n. d.). Effective risk
management strategies ensure that an organization can optimize the protection of the information and cyber assets, while
also positioning it to identify and address systemic vulnerabilities.
High-level requirements of the system are documented during the initiation of the system. This activity is followed by the
acquisition or development of the system in compliance with the documented requirements of the system. The system
undergoes implementation and assessment to determine its security following the initial testing (Radack, n. d.).
Subsequently, the system undergoes operations and maintenance based on the needs of the client organization. At this
stage, the system is deployed to fulfill the functions for which it was created. The sunset stage involves the disposal of the
system after the organization transitions to another one. In this regard, systems have a limited lifespan meaning that they
are subject to replacement when the organization no longer requires their use.
The case involves asset growth to scale the organization from a small enterprise of 30 employees to a medium-sized one of
120 staff. The increase in staff will result in the scaling of its information systems architecture. For example, the
organization will increase the number of computers from 20 to 95 to support the new staff. The activity will also require an
increase in the size of the network. The process seeks to increase the data storage capacity of the organization to ensure that
it handles the rapid growth in the data needs of the company. Another key factor is that the organization will embrace cloud
computing to ensure that it meets its expanding data needs at an affordable cost.
The roadmap for the adoption of the new cyber assets will be aligned with both the business strategy of the organization
and best practices in information security management. The adoption of cyber assets in the organization will be influenced
by the evolving needs of the organization (Hobbs, 2011). Furthermore, asset growth must follow a plan and be
executed strategically to limit the security risks posed by the initiative.
The business footprint of the company is a crucial factor in determining its cybersecurity needs. The retail organization has
one office but intends to open two more offices as part of its expansion strategy. Consequently, the application will have to
be deployed across different networks. Furthermore, the company will have to acquire additional vendors or to renegotiate
its contracts with service partners to align the cyber-infrastructure of the organization with its changing needs.
The workflow management application used by the organization was designed to serve a small enterprise. In this regard,
CYBER THREAT INTELLIGENCE AND HACKERS
AZENE D ZENEBE
Dr. Azene Zenebe is a Full Professor of Information Systems in the College
University since 2005. Dr. Zenebe has a Ph. D. in 2005 and Master of
University.
MUFARO SHUMBA
My name is Mufaro Shumba. I am a sophomore at the University of
Cyber Threat Intelligence and Hackers
In the darknet, hackers are constantly sharing information with each other and learning from each other. These
conversations in online forums, for example, can contain data that may help assist in the discovery of cyber threat
intelligence. Cyber Threat Intelligence (CTI) is information or knowledge about threats that can help prevent security
breaches in cyberspace. In addition, monitoring and analysis of this data manually is challenging because forum posts and
other data on the darknet are high in volume and unstructured. This paper uses descriptive analytics and predictive
analytics using machine learning on a dataset of darknet forum posts to discover valuable cyber threat intelligence. IBM
Watson Analytics and the WEKA machine learning tool were used. Watson Analytics showed trends and relationships in
the data. WEKA provided machine learning models to classify the type of exploits targeted by hackers from the forum posts.
The results showed that Crypter, Password cracker and RATs (Remote Administration Tools), buffer overflow exploit tools,
and Keylogger system exploits tools were the most common in the darknet and that there are influential authors who are
frequent in the forums. In addition, machine learning helps build classifiers for exploit types. The Random Forest classifier
provided a higher accuracy than the Random Tree and Naïve Bayes classifiers. Therefore, analyzing darknet forum posts
can provide actionable information and machine learning is effective in building classifiers for prediction of exploit types.
Predicting exploit types as well as knowing patterns and trends on hackers’ plans helps defend the cyberspace proactively.
1. Introduction
Current techniques for dealing with cyber breaches are reactive, meaning once a breach occurs then cyber professionals
take actions. This is no longer acceptable because breaches are only detected on average after about six months and only
10% of breaches are detected in the first 24 hours [1][2]. In that amount of time, a lot of damage can be done to an entity.
Secrets and information can be leaked, and damage can be done to the entity’s system. The adaptation of cyber threat
intelligence is crucial in keeping ahead of attackers. Cyber threat intelligence is any actionable information, insights, and
knowledge about threats that can help in preventing security breaches in cyberspace. The discovery of cyber threat
intelligence helps keep security measures proactive: threats may be recognized before they become a problem.
When dealing with hackers, it is important to note that hackers spend a lot of time sharing information in online
communities. One of these communities is the darknet. The darknet is a network with restricted access where people can
stay anonymous for legal and illegal reasons [3].
There are two different types of forums. There are the WhiteHat forums, which are easy to access and useful in teaching
people in becoming hackers. They have tutorials and are more accessible since many are not on the Darknet. On the other
hand, there are the BlackHat forums that are illegal, have encrypted URLs and sell and share the codes for hacking as well
as stolen data. BlackHat forums are harder to access since they are on the darknet and have encrypted URLs. The hacker
communities in the darknet are usually in the form of forums. These forums may have restricted access. They may have
encrypted URLs and an invite and/or money may be required to be able to register. In these forums, hackers share malware
and other tools that can be used to exploit a computer and network systems. Analyzing the contents of forum posts can give
an insight on understanding hackers’ identity, motivations, strategy, targets, tactics, etc., which in turn helps prevent the
next cyberattacks.
Every day, humans create 2.5 quintillion bytes of data [4]. Unstructured data including forum posts are part of this big
CYBER CRIMES ON THE INTERNET OF THINGS
MOHAN KRISHNA KAGITA
I finished Master's of Information Technology (Networking) from CSU. My
NAVOD THILAKARATHNE
Lecturer (Computer System Security, Computer Software, Computer
Cyber Crimes on the Internet of Things
Internet of Things (IoT) devices are rapidly becoming universal. The success of IoT can’t be ignored in today’s scenario;
along with its success, attacks and threats on IoT devices and facilities are also increasing day by day. Cyber-attacks have
become a part of IoT and affect the lives and society of users, so serious steps must be taken to defend against them. Cybercrimes
threaten the infrastructure of governments and businesses globally and can damage users in innumerable ways. Global cybercrime
damages are predicted to cost the global economy up to 6 trillion dollars annually. In Australia alone, annual losses from
cyber-attacks are estimated at 328 million dollars. Various steps are taken to slow down these attacks but, unfortunately,
have not succeeded. Therefore, securing IoT is the need of the hour, and the attacks and threats within the IoT structure
should be studied. The reasons for cyber-attacks can be: (1) countries having weak cyber security, (2) cybercriminals using
new technologies to attack, and (3) cybercrime being made possible through services and other business schemes. MSPs
(Managed Service Providers) face various difficulties in fighting cybercrime. They have to ensure their customers’ security
as well as their own security in terms of their servers, devices, and systems. Hence, they must use effective, fast, and
easily usable antivirus and anti-malware tools.
1. Introduction
IoT (Internet of Things) is developing very rapidly, and it offers various types of services that have made it the fastest-growing
technology, with a big influence on society and business infrastructures. IoT has become an integral part of modern human
life, in education, every type of business and healthcare; it stores sensitive data about companies and individuals,
information about financial transactions, product development and marketing [37] [49]. In IoT, transmission
from connected devices has generated a huge demand to concentrate on security, as millions, even billions, of users perform
sensitive transactions on the internet. Cyber threats and attacks are rising daily in both complexity and number. The number
of potential attackers is increasing with the growth of networks, and the tools and methods they use are becoming more
effective, efficient, and sophisticated [15]. Hence, to realize the full potential of IoT, protection is needed from threats and
attacks. Smart devices and technologies such as hotspots, the internet and other IoT devices have entered every part of
human life, and security is being compromised [20].