IJISC Vol. 3 Issue 1

INTERNATIONAL JOURNAL OF INFORMATION SECURITY AND CYBERCRIME Volume 3, Issue 1/2014

Scientific journal edited by Romanian Association for Information Security Assurance

SITECH Publishing Craiova, 2014

International Journal of Information Security and Cybercrime

Vol. 3 Issue 1/2014

© 2014 Editura Sitech Craiova All rights reserved. This book is protected by copyright. No part of this book may be reproduced in any form or by any means, including photocopying or utilized any information storage and retrieval system without written permission from the copyright owner. SITECH Publishing is part of the list of prestigious Romanian publishing houses recognized by CNATDCU, for Panel 4, which includes the fields: legal sciences, sociological sciences, political and administrative sciences, communication sciences, military sciences, information and public order, economics sciences and business administration, psychological sciences, education sciences, physical education and sport.

Editura SITECH Craiova, România Aleea Teatrului, nr. 2, Bloc T1, parter Tel/Fax: +40.251.414.003 E-mail: [email protected]

IJISC - International Journal of Information Security and Cybercrime is a biannual scientific publication indexed in international databases. The purpose of journal is to analyze information, computers and communications security and to identify new valences of cybercrime phenomenon. The scientific journal IJISC is edited by RAISA - Romanian Association for Information Security Assurance in collaboration with Department of Electronics Technology and Reliability from University Politehnica of Bucharest, Romania and Police Department from “A. I. Cuza” Police Academy, Romania. Website: www.ijisc.com E-mail: [email protected] ISSN 2285 - 9225


Vol. 3 Issue 1/2014

JOURNAL EDITORIAL BOARD EDITORIAL COUNCIL PRESIDENT Professor Ioan BACIVAROV, PhD University Politehnica of Bucharest, Romania

EDITOR-IN-CHIEF Assistant Professor Ioan-Cosmin MIHAI, PhD “A.I. Cuza” Police Academy, Romania

EXECUTIVE EDITOR Dipl.-Ing. Gabriel-Marius PETRICĂ University Politehnica of Bucharest, Romania

SCIENTIFIC BOARD Professor Emeritus Alessandro BIROLINI, PhD ETH Zurich, Switzerland

Professor Angelica BACIVAROV, PhD University Politehnica of Bucharest, Romania

Associate Professor Nicolae GHINEA, PhD “A.I. Cuza” Police Academy, Romania

Professor Fabrice GUERIN, PhD ISTIA, University of Angers, France

Associate Professor K. JAISHANKAR, PhD Manonmaniam Sundaranar University, India

Professor Gheorghe POPA, PhD “A.I. Cuza” Police Academy, Romania

Professor Daniela-Elena POPESCU, PhD University of Oradea, Romania

Associate Professor Gheorghe POPESCU, PhD “A.I. Cuza” Police Academy, Romania

Professor Ștefan PRUNĂ, PhD “A.I. Cuza” Police Academy, Romania

Professor Sandeep TIWARI, PhD Amity University, India

Researcher Fergus TOOLAN, PhD University College Dublin, Ireland

Professor George ȚICAL, PhD National College for Home Affairs, Romania

Professor Barbu VLAD, PhD Ministry of Internal Affair, Romania

Professor Ton van der WIELE, PhD Erasmus University Rotterdam, Netherlands


Vol. 3 Issue 1/2014

JOURNAL EDITORIAL BOARD ASSOCIATE EDITORS Laurențiu GIUREA, PhD “A.I. Cuza” Police Academy, Romania

Jorge Luis Gando LEAL, PhD University of Barcelona, Spain

Cezar Marius PANTEA, PhD “A.I. Cuza” Police Academy, Romania

Joshua Del PINO Shimane Prefectural Education Division, Japan

Pradeep Kumar SINGH, PhD (P) Amity University, India

Paulo Miguel Relogio de SOUSA Ministry of Economy, Portugal

Marin-Claudiu ȚUPULAN, PhD “A.I. Cuza” Police Academy, Romania

EDITORS Eugeniu-Ciprian CONSTANTIN, PhD “A.I. Cuza” Police Academy, Romania

Mihail-Petrică MARCOCI, PhD “A.I. Cuza” Police Academy, Romania

George PANFIL, PhD “A.I. Cuza” Police Academy, Romania

Cezar PEȚA, PhD “A.I. Cuza” Police Academy, Romania

Cristian-Eduard ȘTEFAN, PhD “A.I. Cuza” Police Academy, Romania

Oana-Mihaela VIȘAN, PhD “A.I. Cuza” Police Academy, Romania

GRAPHICS EDITOR Adrian-Constantin ROȘOAIA

The responsibility for the content of articles belongs entirely to the author(s). The journal is indexed in Index Copernicus, Google Scholar, Global Impact Factor, GetCited, MIAR 2014 and Academia.edu international databases.


Vol. 3 Issue 1/2014

Table of Contents Editorial Gabriel PETRICĂ......................................................................................................................... 7

SECTION I: Advances in Information Security Research Nine Decades of Modern Quality. Walter A. Shewhart - A Pioneer and Visionary of Quality Ioan C. BACIVAROV .................................................................................................................. 9 An Analysis on Software Testability and Security in Context of Object and Aspect Oriented Software Development P. K. SINGH, O. P. SANGWAN, Amrendra PRATAP, Amar Pal SINGH .................................. 17 Information Security Analyst Profile Ionuț-Daniel BARBU, Cristian PASCARIU .............................................................................. 29 Wireless LAN Security Issues (II). Security Assurance Cătălina GHERGHINA, Gabriel PETRICĂ ............................................................................... 37

SECTION II: Studies and Analysis of Cybercrime Phenomenon An Analysis of the Cybercrime Phenomenon. Damages Caused by Cyber-Attacks Răzvan-Ionuț MARIN ................................................................................................................ 47 Computer Fraud Loredana BASAMAC ................................................................................................................ 53

SECTION III: Cyber-Attacks Evolution and Cybercrime Trends Phishing - Detection and Removal Marian-Iulian PRIPAS ................................................................................................................ 59 REPORT on the Cyber Security Alerts Received by CERT-RO During 2013 CERT-RO.................................................................................................................................... 65

SECTION IV: Book Reviews and Conferences Analysis SPARKS Events Series Ionuț-Daniel BARBU, Cristian PASCARIU .............................................................................. 81 Agora Conference: IT & Infrastructure Security Ioan-Cosmin MIHAI .................................................................................................................. 85


Vol. 3 Issue 1/2014

Editorial Gabriel PETRICĂ Faculty of ETTI, University POLITEHNICA of Bucharest, Romania In early 2014, the security analysis made by companies like Kaspersky or Bitdefender have identified the main directions chosen by cybercriminals. In addition to "classic" online attacks from infected websites, the main targets are users' privacy, financial frauds (stealing money, including Bitcoin currency, using applications or spam for mobile devices) and cyber-espionage attacks, with very dangerous consequences at governmental level. Attacks from websites (online threats) A malware website can be created when a malicious user (website administrator) deliberately publish webpages that points to malware applications (browser add-ins, DLLs or executable files), but infected sites can be those with dynamic, user-generated content (e.g. forums) as well as legitimate resources that have been hacked. According to securelist.com, among the countries where users face the greatest risk of online infection in 2014 are Vietnam (51.4%), Mongolia (44.7%), Russia and the former Commonwealth of Independent States countries. The countries with the safest online environments are Singapore (10.5%), Japan (13.2%), Sweden (14.5%), South Africa (15.6%), Taiwan (16.1%), Denmark (16.4%), and Finland (16.8%). The privacy of users The privacy of users, leading to greater popularity of VPNs (Virtual Private Network) or Tor service (The Onion Router) - a free software for enabling online anonymity and resisting censorship. The number of users who have turned to Darknet trying to protect their personal information has increased in last years. A Darknet is a private network where connections are made only between trusted peers using nonstandard protocols and ports, being distinct from other distributed peer-to-peer networks because sharing is anonymous (IP addresses are not publicly shared). However, in addition to trusted users, Tor continues to attract "evil forces" anonymous networks that can hide malicious activities like illegal commerce or money laundering. For example, Kaspersky Lab experts detected on February 2014 the first Trojan for Android, which uses a domain from .onion as a command and control center. Users' money The experts expect cyber-criminals continue to develop methods to steal money. A new way hackers try to steal money is using applications on mobile devices like smartphones or tablets. In March 2014, Kaspersky Lab detected TrojanSMS.AndroidOS. Waller.a; this malware is able to steal money from QIWI electronic wallets associated with infected smartphones. The Trojan target only users in Russia, but is able to expand everywhere electronic wallets are administered via SMS.


Vol. 3 Issue 1/2014

Cyber-criminals used also Trojans for mobile platforms that steals money by spamming. In a malicious spam usually exist an offer to download an app using a link that points to malware, or a link to a website that redirects users to an infected page. Similar to malicious spam in standard e-mail, cyber-criminals use social engineering to spread to thousand users, on a wider ranger. For example, the Trojan for mobile platforms Faketoken affected users in 55 countries (Germany, Sweden, France, Italy, UK and USA). In the first quarter 2014, the number of Trojans for mobile banking systems has almost doubled - from 1,321 to 2,503. In the last 2-3 years, Bitcoin has become very popular and the use of this crypto-currency has increased, so it has become a more attractive target for cybercriminals. In 2013, according to the ‘Financial cyber threats in 2013’ study by Kaspersky Lab, the number of attacks targeting Bitcoin currency increased more than 2.5 times and accounted for 8.3 million incidents. The experts expected an increase of attacks targeting Bitcoin users’ wallets and exchange platforms. In the first three months of this year, there were several incidents that have confirmed this prediction. Among the most notable are the attack on MtGox , one of the biggest exchanges for Bitcoin, and the hacking of the personal blog and Reddit account of MtGox CEO Mark Karpeles, used then to post the MtGox2014Leak.zip which actually turned out to be malware capable of searching for and stealing Bitcoin wallet files from victims. In an attempt to supplement their illicit gains, cyber criminals infect computers and use their resources to generate more digital currency. Trojan.Win32.Agent.aduro, the twelfth most commonly detected malware tool on the Internet in Q1, is an example of a Trojan used in this type of action. Cyber-espionage operations In the first quarter 2014 there was a major incident of cyber espionage - Kaspersky Lab published in February a report about one of the most advanced threats called The Mask. The main target was confidential information belonging to government agencies, embassies, energy companies, research institutes, private investment companies, and activists’ organizations from 31 countries. The Mask includes a sophisticated backdoor Trojan capable of intercepting all communication channels and of harvesting all kinds of data from the infected computer (like encryption or SSH keys, VPN configurations, RDP files or other files types related to sensitive information). According to researchers, the complexity of tools used by the attackers suggest that this could be a campaign sponsored by a state. A cyber-espionage campaign called Turla, infecting hundreds of government computers across Europe and the United States, occurred in early March, 2014. Researchers from BAE Systems Applied Intelligence consider Turla a successor of Red October campaign discovered in October 2012, a massive global cyber-espionage operation targeting diplomatic, military and nuclear research networks. RAISA (www.raisa.org) will continue to inform users about the latest cyberattacks and computer vulnerabilities through Cybersecurity Web Portal (www. securitatea-informatiilor.ro) and Cybercrime Web Portal (www.criminalitateainformatica.ro). Sources: kaspersky.com, securelist.com

Section I - Advances in Information Security Research

Nine Decades of Modern Quality Walter A. Shewhart - A Pioneer and Visionary of Quality Ioan C. BACIVAROV* EUROQUALROM, University POLITEHNICA of Bucharest, Romania [email protected] Abstract Security is considered - together with reliability, maintainability, availability, safety a.o. - one of the dynamic components of quality vector. The modern quality was born 90 years ago, when Walter Shewhart introduced the first control chart, which launched statistical process control and quality improvement. This paper analyses some important moments of the scientific activity of this great quality guru, during an exemplary life devoted to quality. Walter Shewhart was a pioneer and a visionary of modern quality control. Shewhart's name opens the select gallery of the great names in the history of modern quality. This gallery contains the names of the great 'gurus' of quality, among which we could mention: Joseph M. Juran, Edwards Deming, Kaoru Ishikawa, Philip Crosby, Armand V. Feigenbaum a.o. Index terms: Quality, Modern quality, Quality control, Quality improvement, Quality guru, Quality diagram, Walter Shewhart, SPC References: [1]. [2]. [3]. [4]. [5]. [6]. [7]. *

Walter Andrew Shewhart (2013, Dec. 05). [Online] Available: http://wwwgroups.dcs.st-and.ac.uk Lucent Technologies (2013, Dec. 08). [Online] Available: http://www.lucent. com/work/family American Society for Quality (2013, Nov. 12). [Online] Available: http://www. ask.org/join/about/history M.D. Fagen (ed.), A History of Engineering and Science in the Bell System: The Early Years (1875-1925), 1975. D.J. Wheeler, Understanding Variation: The Key to Managing Chaos, SPC Press, Inc., 1999. D. Bayart, W.A. Shewhart, C.C. Heyde and E. Seneta, Statisticians of the Centuries, Springer Verlag, New York, 2000, pp. 398-401. E.W. Deming, and W.A. Shewhart, American Statistician 21, no. 2, 1967.

Professor dr. Ioan Bacivarov is the Director of EUROQUALROM Laboratory, University POLITEHNICA of Bucharest, Romania, the Editor-in-Chief of the journal “Asigurarea Calitatii - Quality Assurance”, the Director of the “IJISC - International Journal of Information Security and Cybercrime” and Editor-for-Europe of the journal “Quality Engineering” (U.S.A.)

Section I - Advances in Information Security Research [8]. [9]. [10]. [11]. [12]. [13].

W. Shewhart, Economic control of quality of manufactured product, New York: D. Van Nostrand Company, 1931. Shewhart (2014, Jan. 11). [Online] Available: http://www.statisticool.com/ shewhart.htm Western Electric History (2014, Jan. 16). [Online] Available: http://www. bellsystemmemorial.com/westernelectric_history.html Shewhart (2014, Jan. 21). [Online] Available: http://www.sigma-engineering. co.uk/ light/shewhartbiog.htm Shewhart Biography (2014, Jan. 19). [Online] Available: http://www-groups. dcs.st-and.ac.uk/history/Biographies/Shewhart.html I.C. Bacivarov, “Monștrii sacri ai calității: Walter A. Shewhart”, Calitatea - Acces la succes, no. 2, 2001.


An Analysis on Software Testability and Security in Context of Object and Aspect Oriented Software Development P. K. SINGH1, O. P. SANGWAN2, Amrendra PRATAP1, Amar Pal SINGH1 1 ASET, Amity University, Noida, India [email protected], [email protected], [email protected] 2 School of ICT, Gautam Buddha University, Gr. Noida, India [email protected] Abstract Testability is a property of program which introduces with the purpose of forecasting efforts need to test the programs. Software quality is the most important factor in the development of software, which depend upon many quality attributes. The absence of testability is responsible for higher maintenance and testing effort. This paper presents a literature review on software testability and its importance. Object-Oriented and Aspect-Oriented metrics are considered for analysis. These metrics are closely related to the Software quality factors i.e. Controllability, Observability, Built in Test Capability, Understandability and Complexity, all these factors are independent to each other. We have identified factors which affect software testability in general as well specific to Aspect Oriented Systems. In addition to testability, security features in term of aspect oriented programming have been explored. Index terms: Software Testability, Factors of Software Testability, Object Oriented Metric, Software Testing, Aspect Oriented Metrics, Separation of Concerns (SoC), Cohesion, Coupling and Size, Software Security, AOP Security References: [1].

[2]. [3]. [4].

[5].

M. Bruntink and A.V. Deursen, “Predicting Class Testability using ObjectOriented Metrics”, published in proceedings of 4th IEEE International Workshop on Source Code Analysis and Manipulation, Chicago, US, 2004, pp. 136-145. ISO/IEC 9126:1991(E), Copyright by Joint Technical Committee, 1998. IEEE Standard Glossary of Software Engineering Terminology, IEEE, 1990. Mary Jean Harrold, “Testing: a Roadmap”, published in proceedings of the Conference on The Future of Software Engineering, Limerick, Ireland, 2000, pp. 61-72. J.M. Voas and K.W. Miller, “Improving the Software Development Process using Testability Research”, at NASA-Langley Research Center, IEEE Software, 1992, pp. 114-121.

Section I - Advances in Information Security Research [6]. [7].

[8].

[9].

[10].

[11].

[12]. [13]. [14].

[15].

[16]. [17]. [18]. [19]. [20].

[21].

S. Jungmayr, “Reviewing Software Artifacts for Testability”, EuroSTAR, Barcelona, Spain, 1999, pp. 8-12. C. SantAnna, A. Garcia, C. Chavez, C. Lucena, A. Staa, “On the Reuse and Maintenance of Aspect Oriented Software: An Assessment Framework”, published in proceedings of 17th Brazilian Symposium on Software Engineering, PUC-Rio, Computer Science Department, TecComm, 2003. G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm and W.G. Griswold, “An Overview of AspectJ”, published in proceedings of the 15th European Conference on Object Oriented Programming, Springer, Heidelberg, Berlin, 2001, pp. 327-353. R.P. Santos, H.A.X. Costa, P.A. Parreira Júnior, A.F. Amâncio, A.M.P. Resende and C.M.L. Werner, “An Approach Based on Maintainability Criteria for Building Aspect-Oriented Software Implementation Model”, INFOCOMP Journal of Computer Science, Special Edition, 2009, pp. 11-20. J. Zhao, “Measuring Coupling in Aspect Oriented Systems”, Published in Proceedings 10th International Software Metrics Symposium, Information Processing Society, Japan, 2004. J. Zhao, B. Xu, “Measuring Aspect Cohesion”, Published in Proceedings of International Conference on Fundamental Approaches to Software Engineering, Springer-Verlag, Barcelona, Spain, 2004, pp. 54-68. M. Ceccato and P. Tonella, “Measuring the Effects of Software Aspectization”, published in WCRE: 1st Workshop on Aspect Reverse Engineering, 2004. S.R. Chidamber and C.F. Kemerer, “A Metrics Suite for Object Oriented Design”, Software Engineering, IEEE Transactions, Vol. 20, No. 6, 1994, pp. 476-493. C. Zhang and H.A. Jacobsen, “Quantifying Aspects in Middleware Platforms in AOSD”, published in proceedings of the 2nd International Conference on Aspect Oriented Software Development, ACM Press, New York, USA, 2003, pp. 130139. S.L. Tsang, S. Clarke and Elisa Baniassad, “Object Metrics for Aspect Systems: Limiting Empirical Inference based on Modularity”, Technical report, Distributed Systems Group, Dublin, Ireland, 2000. E. Mulo, “Design for Testability in Software Systems”, Master’s Thesis, submitted to Delft University of Technology, Netherland, 2007. Y. Wang, “Design for Test and Software Testability”, University of Calgary, 2003. N. Pan, E. Song, “An Aspect-oriented Testability Framework”, ACM, RACS’12, San Antonio, USA, 2012. J. Bach, “Heuristics of Software Testability”, Satisfice, Inc., Version 2.2, 2013. V. Basili, L. Briand and W. Melo, “A Validation of Object-Oriented Design Metrics as Quality Indicators”, IEEE Transactions on Software Engineering, Vol. 22, No. 10, 1996, pp. 751-761. R.A. Khan and K. Mustafa, “Metric based Testability Model for Object-Oriented Design (MTMOOD)”, ACM SIGSOFT Software Engineering Notes, Vol. 34, No. 2, 2009.

Section I - Advances in Information Security Research [22]. M.R. Shaheen and L. Bousquet, “Survey of Source Code Metrics for Evaluating Testability of Object-Oriented Systems”, ACM Transactions on Computational Logic, 2010. [23]. M. Nazir Mohd and R.A. Khan, “Software Design Testability Factors: A New Perspective”, published in proceedings of the 3rd National Conference on Computing for Nation Development, 2009. [24]. S. Abdullah, R. Srivastava, M.H. Khan, “Testability Estimation of Object Oriented Design: A Revisit”, IJARCCE, Vol. 2, Issue 8, 2013. [25]. R.V. Binder, “Design for testability in object-oriented systems,” Communications of the ACM, Vol. 37, No. 9, 1994, pp. 87-101. [26]. W.N. Bruce and H. Shi, “A Preliminary Testability Model for Object-Oriented Software”, published in proceeding of International Conference on Software Engineering, IEEE, Education Practice, 1998, pp. 330-337. [27]. J. Hannemann and G. Kiczales, "Design pattern implementation in Java and AspectJ", ACM Sigplan Notices. Vol. 37, No. 11, ACM, 2002. [28]. S. Jungmayr, “Testability during Design”, published in proceedings of the GI Working Group Test, Analysis and Verification of Software, Software TechnikTrends, Potsdam, 2002, pp. 10-11. [29]. J. Gao and M.-C. Shih, “A Component Testability Model for Verification and Measurement”, published in proceedings of the 29th annual International Computer Software and Applications Conference, IEEE Computer Society, 2005, pp. 211-218. [30]. J.M. Voas and K.H. Miller, “Software Testability: The New Verification,” IEEE Software, Vol. 12, 1995, pp. 17-28. [31]. R. Bache and M. Mullerburg, “Measures of Testability as a basis for Quality Assurance”, Software Engineering Journal, Vol. 5, No. 2, 1990, pp. 86-92. [32]. P.K. Singh and O.P. Sangwan, “Aspect Oriented Software Metrics Based Maintainability Assessment: Framework and Model”, published in proceedings of Confluence-2013, The Next Generation Information Technology Submit, 26th -27th September, Amity University, Noida, India, 2013. [33]. M. Bruntink and A. Deursen, “An Empirical Study into Class Testability,” Journal of Systems and Software, Vol. 79, 2006, pp. 1219-32. [34]. R.S. Freedman, “Testability of Software Components”, IEEE Transactions on Software Engineering, Vol. 17, No. 6, 1991, pp. 553-564. [35]. M.A.S. Boxall and S. Araban, “Interface Metrics for Reusability Analysis of Components”, published in proceedings of Australian Software Engineering Conference, Melbourne, Australia, 2004, pp. 40-46. [36]. P.K. Singh, O.P. Sangwan and A. Sharma, “A Systematic Review on Fault Based Mutation Testing Techniques and Tools for Aspect-J Programs”, published in proceedings of 3rd IEEE International Advance Computing Conference, IACC2013 at AKGEC Ghaziabad, India, 2013. [37]. E.K. Piveta, A. Moreira, M.S. Pimenta, J. Araújo, P. Guerreiro and R.T. Price, “An empirical study of aspect-oriented metrics”, Journal of ELSEVIER, Science of Computer Programming, Vol. 78.1, 2012, pp. 117-144.

Section I - Advances in Information Security Research [38]. P. Malla and B. Gurung, “Adaptation of Software Testability Concept for Test Suite Generation”, PhD Thesis submitted to School of Computing Blekinge Institute of Technology, SE-37179, Karlskrona, Sweden, 2012. [39]. S. Jungmayr, “Improving Testability of Object Oriented Software”, Dissertation.de-Verlag im Internet GmbH, Berlin, 2004. [40]. M. Bruntink, “Testability of Object-Oriented Systems: a Metrics-based Approach”, Master Thesis Submitted to University of Amsterdam, Software improvement group, 2003. [41]. M. Nazir, R.A. Khan and K. Mustafa, “A Metrics Based Model for Understandability Quantification”, Journal of Computing, Vol. 2, Issue 4, 2010. [42]. A. Kumar, “Analysis and Design of Metrics for Aspect-Oriented Systems”, PhD Thesis submitted to School of Mathematics and Computer Applications, Thapar University, Patiala, Punjab, India, 2010. [43]. R. Burrows, F.C. Ferrari, A. Garcia and F. Taiani, “An Empirical Evaluation of Coupling Metrics on Aspect-Oriented Programs”, ACM, WETSoM, Cape Town, South Africa, 2010. [44]. Juliana Saraiva, E. Barreiros, A. Almeida, F. Lima, A. Alencar, G. Lima, S. Soares and F. Castor, “Aspect-Oriented Software Maintenance Metrics: A Systematic Mapping Study”, published in proceedings of the EASE - Published by the IET, 2012. [45]. R. Huang, M. Li and Z. Li, “Research of Improving the Quality of the ObjectOriented System”, International Journal of Information and Education Technology, Vol. 3, No. 4, 2013. [46]. Aopmetrics project. (2014, Apr 10). [Online]. Available: http:// aopmetrics.tigris.org/ [47]. Y. Coady and G. Kiczales, “Back to the Future: A Retroactive Study of Aspect Evolution in Operating System Code”, Published in proceedings of the 2nd International Conference on Aspect Oriented Software Development, ACM Press, New York, USA, 2003, pp. 50-59. [48]. P.K. Singh, P. Mittal, L. Batra and U. Mittal, “A Perception on Programming Methodologies for Software Development”, International Journal of Computer Applications, USA, 2014, pp. 1-6. [49]. J. Viega, J.T. Bloch and P. Chandra, “Applying Aspect Oriented Programming to Security”, Cutter IT Journal, Vol. 14, No. 2, 2001, pp. 31-39. [50]. B.D. Win, F. Piessens, W. Joosen and T. Verhanneman, “On the Importance of the Separation-of-Concerns Principle in Secure Software Engineering”, In Workshop on the Application of Engineering Principles to System Security Design, 2002. [51]. B.D. Win, B. Vanhaute and B.D. Decker, "How aspect-oriented programming can help to build secure software “, Informatica 25, Belgium, 2002. [52]. S. Gao, Y. Deng, H. Yu, X. He, K. Beznosov and K. Cooper, “Applying AspectOrientation in Designing Security Systems: A Case Study”, Published in SEKE, 2004, pp. 360-365.


Information Security Analyst Profile Ionuț-Daniel BARBU1, Cristian PASCARIU2 1 Faculty of ETTI, University POLITEHNICA of Bucharest, Romania [email protected] 2 Electronic Arts Romania [email protected] Abstract Internet of Things is a concept dating back to 1991 and it refers, in fact to a scenario where everything is connected to the Internet. The idea of having everything interconnected and moreover, connected to the internet becomes more and more usual nowadays and futurologists start to be extremely realistic when admitting that from the car to house appliances, body characteristics such as temperature to pet automatic feeding machine, everything will be connected to World Wide Web. In this world a critical aspect emerges, that of information security. We are starting to be more and more reluctant to providing information which relates to us but what if that is taken without our knowledge and what if we are a large enterprise with valuable intellectual property. This is one of the main reasons why in the Information Security field the demand for jobs is growing extremely rapidly. IT security specialists are almost always found in any major enterprise/establishment due to the nature and value of the data within larger businesses. This article details the Information Security related jobs, thoroughly studying the InfoSec analyst role. Moreover it highlights the critical importance of training and certification programs. Index terms: information security, confidentiality, integrity, defense in depth, monitoring, vulnerability assessment, forensics, data loss prevention, penetration testing, network security, Security Auditor, International Information Systems Security Certification Consortium, CISCO, Qualys, BlueCoat, Sourcefire, CheckPoint, MTA Security, CCNA Security, CompTIA Security, ISO 27000, ISACA, EC-Council, Offensive Security, OSCP References: [1]. [2]. [3]. [4]. [5]. [6].

S. Harris, CISSP Boxed Set, Second Edition (All-in-One), 2004. M. Walker, CEH Certified Ethical Hacker Boxed Set, 2005. E. Cole, SANS GIAC Certification: Security Essentials Toolkit (GSEC), 2010. P. Gregory, CISA Certified Information Systems Auditor All-in-One Exam Guide, 2nd Edition, 2008. M. Ciampa, Security+ Guide to Network Security Fundamentals, 2002. D. Landoll, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition, 2003

Section I - Advances in Information Security Research [7]. [8]. [9]. [10]. [11]. [12]. [13]. [14].

Security Analysis, (2014, Feb. 12). [Online] Available: http://www. infosecinstitute.com/jobs/security-analyst.html Information Security (2014, Feb. 15). [Online] Available: http://www. franklin.edu/information-security-bachelors-degree-program Security Certification (2014, Feb. 10). [Online] Available: http://www. sourcefire.com/services/certification Security Certification (2014, Mar. 08). [Online] Available: http://www.isaca.org/ CERTIFICATION/Pages/default.aspx Security Certification (2014, Jan. 22). [Online] Available: http://www.tomsitpro. com/articles/information-security-certifications-205.html Information Security Certification (2014, Jan. 27). [Online] Available: http://www.offensive-security.com/information-security-certifications/ ISO 27001 (2014, Feb. 11). [Online] Available: http://www.iso.org/iso/ home/standards/management-standards/iso27001.htm IT Security Certification (2014, Mar. 14). [Online] Available: http:// greenwireit.com/blog/2013/03/20/complete-list-it-security-certifications/


Wireless LAN Security Issues (II). Security Assurance Cătălina GHERGHINA, Gabriel PETRICĂ Faculty of ETTI, University POLITEHNICA of Bucharest, Romania [email protected], [email protected] Abstract Unlike wired networks, in wireless LANs there are plenty of opportunities for unauthorized access by intruders with different purposes: curiosity, fun, gain control or espionage. The purpose of this paper is to present the main threats in WLAN security and some options available to block or limit unauthorized access. The security policy in a WLAN has to take into consideration the number of potential clients, the importance of data, the probability of attacks and the cost of protection measures. Index terms: wireless, network, security, vulnerability, WLAN References: [1]. [2]. [3]. [4]. [5]. [6]. [7]. [8].

F. Ohrtman, Voice Over 802.11, Artech House, 2004. T. Karygiannis and L. Owens, Wireless Network Security. 802.11, Bluetooth and Handheld Devices, NIST Special Publication 800-48, Nov. 2002. J. Khan and Anis Khwaja, Building Secure Wireless Networks with 802.11, Wiley, 2003. A. Holt, C.-Y. Huang, 802.11 Wireless Networks. Security and Analysis, Springer, 2010. Angelica Bacivarov, C. Ciuchi and G. Petrică, Servicii Internet, Editura Matrix Rom, Bucureşti, 2011. F. Ohrtman and K. Roeder, Wi-Fi Handbook: Building 802.11b Wireless Networks, McGraw-Hill, 2003. M. Gast, 802.11 Wireless Networks: The Definitive Guide, O'Reilly, 2002. Wireless Security (2013, Dec. 12). [Online] Available: http://en.wikipedia.org/ wiki/Wireless_security

Section II - Studies and Analysis of Cybercrime Phenomenon

O analiză a fenomenului criminalității informatice. Prejudicii aduse de atacurile cibernetice An Analysis of the Cybercrime Phenomenon. Damages Caused by Cyber-Attacks Răzvan-Ionuț MARIN “A.I. Cuza” Police Academy, Bucharest, Romania [email protected] Abstract The advance of the technology was very fast in the last century and the computer is more present in our lives as well as the Internet. Referring to any crime that involves a computer and a network, cybercrime can be defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offence (child pornography, hate crimes). This article presents what are the damages produced worldwide by the cybercrime phenomenon. This tends to be the future problem of the police activity, a challenge in which the future policemen will have to be more prepared, smarter and updated to the last technology in the world, respecting a new and improved law. Index terms: cybercrime, cyber-attacks, computer frauds References: [1]. [2]. [3]. [4]. [5].

Ș. Prună, I.-C. Mihai, Criminalitatea informatică, Editura Sitech, 2008. M. Dobroiu, Infracțiuni în domeniul informatic, Editura C.H. Beck, 2006. I. Vasiu, Criminalitatea informatică, Editura Nemira, 1998. Ioana Vasiu and L. Vasiu, Criminalitatea în cyberspațiu, Editura Universul Juridic, 2011. Central Police Training and Development Authority, (2014, Apr. 23). [Online] Available: http://www.centrex.police.uk

Section II - Studies and Analysis of Cybercrime Phenomenon

Fraude informatice Computer Frauds Loredana BASAMAC “A.I. Cuza” Police Academy, Bucharest, Romania [email protected] Abstract Organized crime is present globally and creates significant flaws among companies or at governmental level, having devastating effects on political, economic and social activity. Along with the establishment of a democratic regime in our country, all barriers hindering the development of organized crime have disappeared. This paper presents the cybercrime phenomenon and different forms of computer fraud. Index terms: organized crime, cybercrime, skimming, phishing References: [1]. [2]. [3]. [4]. [5]. [6]. [7].

M. Ţical, Crima organizată şi terorismul, Editura Fundaţiei Universitare Dunărea de Jos, Galaţi, 2006. Cybercrime (2013, Dec. 02). [Online] Available: http://www.mpublic.ro/ jurisprudenta/publicatii/criminalitatea_informatica.pdf I. Bidu, Crima organizată transfrontalieră - Amenințare la adresa securității internaționale, Editura A.N.I, București, 2004. Cybercrime (2013, Dec. 02). [Online] Available: http://www.igpr.ro/ relatii_publice/detalii.aspx?id=7136 Phishing Attack (2013, Dec. 04). [Online] Available: http://www.efrauda.ro/ pages.do?idMenu=3 M. Dobrinoiu, Criminalitatea informatică, Editura A.N.I, București, 2009. Ș. Vlăduţescu, A. Barbu, F. Spînu, and M. Dumitrescu, Cardingul - principala formă de manifestare a criminalității informatice, Editura A.N.I., Bucureşti, 2010.

Section III - Cyber-Attacks Evolution and Cybercrime Trends

Detectarea și eliminarea phishing-ului Phishing Attack - Detection and Removal Marian-Iulian PRIPAS Faculty of ETTI, University POLITEHNICA of Bucharest, Romania [email protected] Abstract This paper reviews the main methods to combat phishing (especially those which targets the e-mail servers existing on the Internet) and discuss about phishing eradication, automatic identification of phishing and compromised email accounts. Phishing is one of the most common computer crime, the goal being to collect confidential information like passwords, PIN codes, account numbers, card numbers, and then using them for stealing the money. Usually, phishing is correlated with companies in the banking and financial industry or even online stores. Index terms: phishing, online attacks, cybercrime, cyber fraud References: [1].

[2].

[3].

[4]. [5]. [6].

A. Bergholz J. de Beer, S. Glahn, M. Moens G. Paab and S. Strobel, “New filtering approaches for phishing email”, Journal of Computer Security, 18(1), 2010, pp. 7-35. J.S. Downs, M.B. Holbrook and L.F. Cranor, “Decision strategies and susceptibility to phishing”, Proceedings of the second symposium on Usable privacy and security, ACM, 2006, pp. 79-90. Z. Ramzan, "Phishing attacks and countermeasures", Peter Stavroulakis, Mark Stamp (Eds.), Handbook of Information and Communication Security, Springer, 2010. Phishing Attack (2014, Apr. 22). [Online] Available: http://en.wikipedia.org/ wiki/Phishing Protecting against Phishing Attacks (2014, Feb.06). [Online] Available: http:// www. antiphishing.org/resources/ Phishing Attack Stats (2014, Feb. 13). [Online] Available: http://www. arbornetworks. com/asert/2006/04/some-q1-06-phishing-stats/


REPORT on the Cyber Security Alerts Received by CERT-RO During 2013 Romanian National Computer Security Incident Response Team [email protected] 1. Summary of the report The Romanian National Computer Security Incident Response Team CERT-RO is an independent structure, with expertise in the field of cyber security that has the capacity to prevent, analyze, identify and respond to cyber security incidents threatening our national cyber-space. CERT-RO is coordinated by the Ministry for Information Society and is fully financed by the state budget. As a national contact point in the matter of cyber security incidents, during 2013 (1st of January – 31st of December), CERT-RO was informed by various domestic or international partners, about several cyber security incidents that affected our national cyber-space, as follows: 1. Alerts collected and transmitted by automated systems: 43.231.149. 2. Total number of compromised unique IP’s extracted from the alerts: 2.213.426. 3. Individual alerts, manually collected, and alerts created on the basis of data collected by CERT-RO: 450. The objective of this report is to analyze the cyber security alerts collected / managed by CERT-RO in 2013, in order to obtain an overall view of the nature and dynamics of this types of events relevant to the evaluation of the risks targeting the IT&C systems in Romania. Based on the collected data, the following have been observed: • Over 16% of the total number of IPs allocated to Romania (approx. 13.5 million) were involved in at least one cyber-security alert reported to CERT-RO in 2013; • Approximately 78% of the alerts refer to systems in Romania that have been compromised through the exploitation of some technical vulnerabilities and got infected with different versions of malware and have become part of a botnet; the total number of unique IPs identified is 1,945,597, and represents 14% of the total IPs allocated to Romania. • Over 16% of the alerts refer to systems in Romania, compromised by attackers that have exploited some misconfigurations on DNS servers, and used the


• •

• •

• •

servers for launching further attacks on other targets in Internet (DNS amplification attacks, DNS cache poisoning etc.). More than 5% of the alerts refer to entities within Romania that sent spam emails to various targets on Internet; 40% of all the alerts refer to systems in Romania infected with the Conficker worm; according to the collected data more than 12,5% of the total number of IPs allocated to Romania have been reported to CERT-RO as being infected with Conficker; the worm, identified in 2008, targets Microsoft Windows systems without the latest security patches installed; 50% of all the unique IPs reported to CERT-RO, were identified as running Microsoft Windows operating systems, versions 98, 2000, XP or 2003; Over 39% of the individual alerts (5.2) refer to entities in Romania that host phishing web pages, affecting the activity of financial institutions in Romania and abroad; 10,239 .ro domains were compromised in 2013, representing approx. 1.4% of the total number of .ro domains; 60% of these domains were infected with various types of malware; 61 IPs were reported as infected with various types of APTs.

The above findings lead to the following conclusions: • Cyber security threats upon our national cyber-space have diversified, and have evolved both in terms of quantity and in terms of technical complexity; • The majority of the compromised systems in Romania, are part of botnets, being used as proxies for carrying out attacks on targets outside the country, thus representing potential threats to other systems connected to Internet; • Based on the analysis of the malware types specific to our national cyber-space and of the types of compromised systems, both revealed in this report, it appears that, in quantitative terms, most attacks are directed towards outdated, obsolete systems, lacking security features (e.g. systems affected by Conficker) or are not updated with the latest security patches/updates; • An increasing number of entities in Romania become targets of APTs, attacks with a high degree of complexity that are launched by groups with the capacity and motivation to persistently attack a target in order to obtain certain benefits (usually sensitive information); it is expected an increase in the number and severity of such attacks nationwide during 2014; • Romania cannot be considered anymore just a generator of cyber security incidents, because the analysis of the data presented in the current report demonstrates that is mostly used as a proxy by other attackers. 2. About CERT-RO The Romanian National Computer Security Incident Response Team - CERT-RO is an independent structure, with expertise in the field of cyber security that has the

Section III - Cyber-Attacks Evolution and Cybercrime Trends capacity to prevent, analyze, identify and respond to cyber security incidents threatening our national cyber-space. CERT-RO is coordinated by the Ministry for Information Society and is fully financed by the state budget. CERT-RO’s main tasks are: - organizing and maintaining a national database regarding threats, vulnerabilities and cyber security incidents identified by or reported to CERT-RO, techniques and technologies used for attacks as well as good practices regarding cyber infrastructures protection; - provides the required organizational and technical support for information exchange between different CERT teams, users, regulators, equipment and cyber security solutions providers and internet services providers; - provides a unique contact point for collecting information and complaints about cyber security incidents in an automated and secured manner, or through direct communication, depending on the case; - elaborates legislative proposals, submitted to the Ministry for the Informational Society (MSINF) or to the Supreme Council for National Defense (CSAT), regarding the changes that apply to the legal framework in order to foster the improvement of cyber security of the systems used to provide services of public interest; - constitutes the "Early Warning and real-time information System"(EWS), regarding cyber security incidents. Its main goals are: sending real-time alerts on cyber security incident, issuing reports on the distribution and nature of the cyber security incidents and facilitating collaboration with national authorities responsible for cyber security, in order to prevent and eliminate the effects of the cyber security incidents; - provides public services such as: preventive services (announcements of new threats or vulnerabilities identified at a national or/and international level; security audits, risk assessments and penetration testing on demand; reports regarding cyber security incidents that could affect or involve Romanian entities), reactive services (alerts and warnings regarding suspicious activities possibly preceding an attack, handling of cyber security incidents at national level), and consultancy services (CERT teams training, risk analysis regarding cyber infrastructures applicable to local and national level). CERT-RO collects data, regarding cyber security incidents and events affecting or involving entities in Romania, from national or international sources. Thus, once an incident is identified, based on the internal procedures, CERT-RO deploys a series of actions that ensure its response activity. In most cases, the main goals of the incident response activity, regarding cyber security incidents, are as follow: 1. Immediate stopping or mitigation of the effects of the incident (e.g. shutdown, takedown of the malicious server etc.); 2. Preliminary analysis of the impact generated by the incident/event; 3. Identification and alerting of all affected parties, or parties that could be affected by the cyber security incidents/events and those responsible for remediation of the situation; 4. Identification and alerting of all institutions or public authorities responsible for managing the situation;

Section III - Cyber-Attacks Evolution and Cybercrime Trends 5. Dissemination of technical documents regarding methods for detection and mitigation of cyber security incidents, useful for other entities that may be affected by a similar incident. According to its legal attributes, CERT-RO provides the organizational and technical support for information exchange between various entities (national authorities, individuals or companies, CERT teams, security solution providers, internet service providers, etc.) involved in cyber security incidents, and ensures their good cooperation. CERT-RO does not have legal authority for solving all kinds of cyber security incidents. For example the cyber security incidents that had resulted from cybercrimes are the responsibility of the law enforcement agencies, according to their legal competence. Also, according to the law, cyber security incidents that could constitute threats to the national security are managed by institutions with competence in this specific domain. If CERT-RO receives such notification, it will forward them to the proper authority. 3. The objective of this report The objective of this report is to analyze cyber security incidents reported to CERT-RO, between 01.01 - 31.12.2013, in order to obtain a general overview of the nature and dynamics of these types of events/incidents, relevant for assessing cyber security risks targeted at the IT&C infrastructures within Romania, that are in CERTROs constituency. Based on the data collected, meaning incidents reported to CERT-RO by various public or private entities and other data collected from the public sources by CERT-RO specialists, this document contains the main categories of incidents that affected the Romanian national cyberspace in 2013. For a better evaluation of the information presented in this document, it is relevant to mention that CERT-RO has not received all the data regarding cyber security incidents that affected or involved resources of the Romanian national cyberspace. Even so, the volume of the data analyzed is considered sufficient to fully characterize the current state of security of the Romanian cyber infrastructure. The statistics presented in this report are mainly based on information obtained from different sources, regarding URLs and IP addresses detected as performing suspicious or malicious traffic in the Internet. We consider necessary to provide some clarification on the common terms used in this report. Thus, in the content of this document we will refer to the following terms: • Cyber security event - any event or situation relevant in terms of cyber security, that can cause a change of normality within a system and indicate a possible violation of its security policies, or a failure of the protective measures that could be highlighted and properly documented; • Cyber security incident - an event within the cyber space that has consequences or affects cyber security of a system, or any action, contrary to any regulations enforced, regarding computer systems, which may

Section III - Cyber-Attacks Evolution and Cybercrime Trends consequently affect or already affected its cyber security, or may lead to compromising the information processed by it. • Cyber security alert - any cyber security incident or event reported, that involves or may involve entities from Romania. 4. CERT-RO’s data sources CERT-RO collects data regarding cyber security incidents, events or alerts from several sources, as follow: 1. Alerts collected and transmitted via automated systems (e.g.: honeypots). Those types of alerts are sent only by specialized organizations, such as CERT’s or other security companies, which have in their possession cyber security incident detection systems. The number of these kinds of alerts is significantly higher than other types and can reach values around 500,000 daily alerts. 2. Individual alerts, reported by various entities - individuals or legal persons from Romania and abroad. The number of this kind of alerts reaches 5-10 daily; 3. Information collected by CERT-RO, from various sources. These sources includes various information collected from public or restricted sources, such as specialized websites or security companies, about specific vulnerabilities, cyber security threats or incidents. The nature of the reported alerts, as well as the quantity of available data for each of the categories requires a different approach for each case. Alerts sent by automated systems require automatic processing. In this case, the received data it resumes to lists of IPs detected as doing malicious or suspicious activities over the Internet, and some extra details about the suspicious activity (timestamp, incident type, used ports, the attack etc.). Most of these alerts are automatically processed by CERT-RO and are sent to the ISPs who own the networks that contain the system which triggered the alert. Most of the time, in this type of alerts, CERT-RO has no exact information about the real user behind the IP address, so the identification process is passed to the internet service provider (ISP). Also, the ISP has the responsibility to forward the alert to the real client. Although this type of alerts does not provide details about the target, they provide an overview of the types of cyber threats that are affecting Romanian cyber infrastructures. Individual alerts as well as the alerts collected by CERT- RO, are considerably reduced in number, but the reported information about the incident is much more accurate and relevant (the affected organization, the source of the attack and the vector of attack). In most of the cases, the data is collected by CERT-ROs analysts from the affected entities, along with incident reporting. Statistically speaking, these types of alerts are valuable, because they reflect better the state of national cyber security. 5. The Early Warning System (EWS) of CERT-RO CERT-RO operates a pilot project for an Early Warning and Real-Time Information System (EWS), that is designed as a collection of procedures and systems

Section III - Cyber-Attacks Evolution and Cybercrime Trends that processes all received alerts, in real time, in order to immediately warn affected parties (ISP , individuals or legal persons directly affected , etc.), as well as for publishing reports regarding the distribution and nature of cyber security incidents and for collaborating with national authorities with responsibilities in cyber security and cybercrime fields, in order to prevent and eliminate the effects of the incidents. This report is based on the alerts processed during 2013 by the EWS of CERT- RO. 6. Statistics based on the alerts received 6.1. Alerts collected and transmitted through automated systems In the reference period (01.01 - 31.12.2013), CERT-RO received the following alerts: 1. Total number of automatic alerts received: 43.231.149 2. Total number of unique IP extracted from all alerts: 2.213.426 Depending on the content of each alert, the alerts were sorted into various classes and types of alerts according to Table 1. 6.1.1. Distribution of alerts based on types and classes The table and the graphic below show the distribution of the alerts received based on classes and types of alerts. Some of the unique IPs reported can be found in several types of alerts. Table 1. Types of alerts Alert Class Alert Type Botnet Botnet Drone Vulnerabilities Open Resolver Abusive Content Spam Information Gathering Scanner Malware Malicious URL Cyber Attacks Bruteforce Vulnerabilities Open Proxy Fraud Phishing Botnet Botnet C&C Server Malware Infected IP APT RedOctober Compromised Resources Compromised Router TOTAL

Alert number 33.677.871 6.782.888 1.986.605 603.524 116.535 30.150 13.809 13.556 4.082 1840 287 2 43.231.149

The alerts from "Botnet Drones" category (computers infected with various malware, which are part of different botnet networks) predominates with a 78% percentage of the total alerts received in 2013. The total number of identified unique IPs based on the reported alerts is 1,945,597, which is 14% of the total number of IPs allocated to Romania.


Fig. 1. Types of alerts 6.1.2. Monthly distribution of alerts The graph below represents the distribution of alerts per month, meaning the month in which they were received by CERT-RO.

Fig. 2. Distribution of alerts per month 6.1.3. Distribution of alerts by Autonomous System Number (ASN) Furthermore, the received alerts were distributed by ASN's (Autonomous System Number, http://en.wikipedia.org/wiki/Autonomous_System_Number), according to the

Section III - Cyber-Attacks Evolution and Cybercrime Trends IP address of each alert. The received alerts have targeted 1148 unique ASNs from Romania, this number covering almost all Romanian ASNs (http://bgp.he.net/ country/RO). The table and chart below represents the top 30 internet service providers (ISP), who own IPs that were detected as generating malicious traffic, visible on the internet (sorted by the number of hosted compromised IPs). Usually, an ISP has assigned one or more ASN's. Table 2. Top 30 ASNs that host malicious IPs

1 2 3 4 5 6 7 8 9 10

AS NUMBER 8708 9050 6830 6910 48161 12632 12302 8953 2614 35725

11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

34711 41496 39743 6663 39737 44563 15471 50604 41273 47148 41571 35002 51102 39543 31605 40997 35664 31102 39464 44605

No.

AS NAME RCS & RDS SA Romtelecom UPC Dial Telecom S.R.L SC NextGen Communications SRL RCS & RDS SA Vodafone Romania S.A. Orange Romania SA RoEduNet COSMOTE Romanian Mobile Telecommunication SA DIGINET SA TV SAT 2002 SRL Voxility S.R.L. Euroweb Romania SA Net Vision Telecom SRL ENIASAN SRL S.N. Radiocomunicatii S.A. SC MEDIA SUD SRL Electrosim SRL STARNETRANS SRL Transilvania Digital Network SA SC NextGen Communications SRL IMPATT SRL TENNET TELECOM SRL Canal S SRL TITA & Company SRL CCC Blue Telecom SA TV Adler-Trading SRL Star Design I&E SRL TeleCablu&Net Srl Others

Percent (%) 35,96 32,27 7,88 3,46 2,68 2,27 1,36 1,17 0,45 0,33 0,31 0,29 0,25 0,24 0,24 0,24 0,22 0,22 0,22 0,22 0,21 0,20 0,20 0,18 0,18 0,17 0,17 0,17 0,15 0,15 7,96


RCS & RDS SA ROMTELECOM UPC DIAL TELECOM S.R.L SC NextGen Communications SRL

8%

RCS & RDS SA

2% 3%

36% Vodafone Romania S.A.

3%

Orange Romania SA

8%

ROEDUNET

32%

COSMOTE DIGINET SA TV SAT 2002 SRL Voxility S.R.L. Euroweb Romania SA

Fig. 3. Top 20 ASNs that host malicious IPs Note: The presence of a compromised/infected IP in an ISP’s network does not mean that the Internet service provider (ISP) is guilty for that incident. Most times, the infected IP that generated the alert is a customer of that ISP, thus the responsibility for the generated traffic (according to art. 13 of Law 365/2002 and other regulations in the field), disinfection and proper system security goes to the client in discussion.

Section III - Cyber-Attacks Evolution and Cybercrime Trends 6.1.4. Types of malware frequently present into Romanian cyberspace In about 75% of the received alerts, it was possible to identify the malware type which affected the compromised system. In this regard, it was issued a "Top 25" of the most common types of malware from the Romanian cyberspace. Table 3. Top 25 types of malware in Romania 2013 # Malware type Percent (%) 1 Conficker 53,4543 2 Sality 10,9534 3 Citadel 8,2338 4 Pushdo 6,7392 5 Zeroaccess 3,1662 6 Slenfbot.5050 3,0855 7 Virut 1,5755 8 Kelihos 1,3314 9 IRCBot 0,9238 10 Zeus 0,5706 11 Trafficconverter 0,3484 12 Grum 0,1508 13 Torpig 0,0252 14 Ransomware 0,0199 15 Blackenergy 0,0127 16 Tdss 0,0075 17 Trojan.Iframe.BMY 0,0045 18 Neurevt 0,0038 19 Trojan.Script.CEV 0,0031 20 Hermes 0,0025 21 Dorkbot 0,0024 22 DDoS_Khan 0,0023 23 DDoS_DirtJumper 0,0022 24 Gamarue 0,0017 25 Trojan.Iframe.BZW 0,0016 According to Wikipedia.org, “Conficker”, also known as “Downup”, “Downadup” and “Kido”, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Conficker’s final goal is to obtain control over infected computer, which can then be controlled remotely. According to the analyzed data, 1,693,323 unique IPs (76% of all reported IPs or 12.5% of all unique IPs from Romania) are infected with this worm.


7%

9% 59% 12%

Conficker Sality Citadel Pushdo Zeroaccess Slenfbot.5050 Virut Kelihos IRCBot Zeus Trafficconverter Grum Torpig Ransomware Blackenergy Tdss Trojan.Iframe.BMY Neurevt Trojan.Script.CEV Hermes Dorkbot DDoS_Khan DDoS_DirtJumper Gamarue Trojan.Iframe.BZW

Fig. 4. Top 25 malware types in Romania in 2013 6.1.5. Types of operating systems affected by alerts In about 11% of the received alerts it was possible to exactly identify the type of operating system of the affected client. Therefore, the table below shows a ranking of the most affected types of operating systems installed onto Romanian systems. Table 4. Distribution of alerts number per types of operating systems affected # Operating system Total no. of alerts 1 Windows 4.344.677 2 Solaris 55.524 3 Linux 8.532 4 ChacheFlow 698 5 FreeBSD 95 6 OpenBSD 69 7 NetBSD 61 8 Novell 25 9 Cisco 23 10 Checkpoint 9 TOTAL 4.409.713

Section III - Cyber-Attacks Evolution and Cybercrime Trends According to data reported to CERT-RO, most infected Windows operating systems run the 98/XP/2000/2003 versions. Some of these versions are no longer supported by the manufacturer, them already being declared as "end of life" versions, and other versions will not receive support in the near future. These versions of Windows operating systems run on approx. 50% of all unique IPs reported to CERT-RO. 6.2. Individual alerts Along with automated alerts, CERT-RO analysts received a series of cyber security incidents reported directly by individuals or organizations located in Romania and abroad, such as: Table 5. The distribution of individual alerts Alert Class Alert Type Alert no. Fraud Phishing 173 Malware Infected IP 95 Information Gathering Scanner 43 Cyber Attacks DDoS 42 Malware Malicious URL 31 Abusive Content Spam 11 Botnet Botnet Drone 11 Compromised Resources Compromised Website 7 Cyber Attacks Exploit Attempt 7 Compromised Resources Defacement 6 Compromised Resources Compromised Network/System 4 Abusive Content Disclosure of Confidential Data 3 Fraud Unlawful eCommerce/Services 3 Other Other 3 Abusive Content Disclosure of Personal Data 2 Botnet Botnet C&C Server 2 Compromised Resources Comprimised Application/Service 2 Cyber Attacks APT 2 Abusive Content Child Pornography 1 Cyber Attacks Bruteforce 1 Information Gathering Social Engineering 1 TOTAL 450


Fig. 5. The distribution of individual alerts Depending on the affected entity type, the incidents distribution is the one presented in the chart below. It is worth mentioning that the affected entities are not necessarily individuals or legal persons from Romania. Table 6. Incidents distribution by affected entities The type of No. of # affected entity alerts 1 Banking institutions 142 2 Private institutions 80 3 Education institutions 29 4 Public Institutions 18 5 Natural persons 17 6 ISP 5 7 ”Law enforcement” agencies 1 8 Not specified 158 TOTAL 450

Section III - Cyber-Attacks Evolution and Cybercrime Trends Also, depending on the affected system type, the distribution of security incidents is as follows: Table 7. Incidents distribution by affected systems Type of No. of # affected system alerts 1 Networks 180 2 Banking/payment services 132 3 Web sites 85 4 Email 18 5 Workstations 15 6 Social Networks 3 7 Databases 2 8 Not specified 15 TOTAL 450 6.3. Statistics on “.ro” compromised domains The received alerts often refer to ".ro" domains affected by various types of incidents. Thus, for the reference period, CERT-RO holds data of 10.239 compromised domains. From a total number of 710.000 domains registered in Romania (according to ICI-ROTLD data), in December 2013, the number of “.ro” domains reported to CERT-RO as being infected represents a percentage of about 1.4%. The distribution of affected domains, by incident types, is found in the table below.

Fig. 6. Compromised “.ro” domains


Fig. 7. Compromised .ro domains - alerts distributed by months 6.4. Advanced Persistent Threats (APT) On February 25th, 2013, CERT-RO received a notification regarding a new cyber threat called "MiniDuke", which was categorized as a high risk APT, specialized in extracting data from the infected systems, focusing on the entities within the "governmental structures and research institutions” field of activity (http://www.kaspersky.com/about/news/virus/2013/Kaspersky_Lab_Identifies_MiniDu ke_a_New_Malicious_Program_Designed_for_Spying_on_Multiple_Government_Ent ities_and_Institutions_Across_the_World). The malware associated with the threat was exploiting vulnerabilities in Adobe Reader, was spreading via email using special techniques of social engineering, and was copying files that were subsequently transmitted to the attacker. In Romania, 6 victims were found infected, and for the fulfilling the incident response activities a collaboration with other national authorities with legal competences in Romania was necessary. Also, during 2013 we received 287 alerts regarding the "Red October" threat. These alerts have targeted 55 unique IPs in Romania, subsequently notified by CERT-RO. These kinds of attacks have also been identified during the past year and have targeted government structures or embassies in Romania. 7. Conclusions and comments By analyzing the data received by CERT- RO and presented in this report, we can conclude that cyber threats targeting the Romanian national cyberspace have diversified, evolutionary trends being observed, both in terms of quantity and of technical degree of complexity. Most alerts analyzed by CERT- RO, from the automatic or individual segment of alerts, refer to entities in Romania, victims of attacks/attackers that have usually exploited technical vulnerabilities. The main goal of the attacks was to infect the computer systems with various malicious applications in order to make them part of different types of botnets (zombies).

Section III - Cyber-Attacks Evolution and Cybercrime Trends These compromised systems (victims), who pose as real threats to other entities connected to the Internet, are often used to serve as "proxies" for carrying out other attacks on targets outside Romania. There are significant advantages for the attacker for using such an approach, for example the possibility to hide his real identity and also to use of a large number of computers (depending on the number of infected computer systems) to launch attacks. Also, based on the malware types specific to the Romanian national cyberspace and on the types of compromised systems, it appears that, from a quantitative point of view, most attacks are directed towards obsolete systems, outdated, with no native security features (i.e. systems affected by Conficker) or that are not updated with the latest security patches/updates. It is worth noting that Romanian entities are becoming more frequent targets for APT threats, respectively cyber-attacks with a high degree of complexity, launched by groups that have the capacity and motivation to persistently attack a target in order to obtain certain benefits (usually sensitive information). Also, given the complexity of some functions possessed by the APT malware (capable of intercepting electronic communications, unauthorized access to data related to financial transactions and electronic means of payment, etc. cyber espionage. ex: Red October, Miniduke), present in a smaller number of alerts within the analyzed period, and that these types of threats show a moderate evolutionary trend, it may be expected a nationwide growth in the number and severity of such attacks, during 2014; In this context, we maintain our conclusion of the previous report published by CERT-RO for the first six months of the past year, that Romania cannot be considered just a source of cyber-security incidents or threats, but the analysis of the presented data demonstrating the intermediate/transit character of some significant systems connected to the Internet in Romania, used as proxy for launching attacks on other targets in Internet. Among the main difficulties encountered in the incident response activity, we can mention the lack of explicit legal regulations regarding the responsibilities for notification, responding, prevention and mitigation of cyber security incidents by the state institutions or companies in the private sector, this hindering our activities and the real-time response to such incidents. In this context, we consider necessary to supplement the national legislation framework with the stipulations contained in certain documents that are found at European level.

Section IV - Book Reviews and Conferences Analysis

SPARKS Events Series Ionuț-Daniel BARBU Romanian Association for Information Security Assurance Cristian PASCARIU Electronic Arts Romania SPARKS #2 SPARKS #2 was the second conference in the SPARKS events series. This Security and Hacking meeting took place on April 14, 2014 at TechHub, Bucharest. That fact that this is intended as a place to meet security enthusiasts after work was confirmed also by this second event. The participants already felt connected and the atmosphere was a very productive one. As a consequence the number of questions was higher than the last time and discussions were also lucrative. SPARKS #2 has begun with a very captivating presentation concerning the advantages and disadvantages of bug bounty programs. The discussion was structured on two important branches, observing the main points of view. On one hand, from the hacker, ethical or not, perspective, the dispute looks as follows - the two options being: performing a penetration test and providing the results to the targeted company, therefore having the chance of obtaining an amount of money depending on the target’s policy. The other approach could have been publicly disclosing the results and gaining the recognition of the communities.

Ionut Cernica

Section IV - Book Reviews and Conferences Analysis On the other hand there are several companies implementing bug bounty programs. This state that, after signing an agreement, a user can legally perform security penetration tests against target’s assets. This, of course has advantages and disadvantages as it can attract also hackers and large amounts of money to be paid. In our opinion, Ionut Cernica held a very interesting presentation on this matter as he provided his own experience. He took part in various bug bounty programs for wellknown companies such as Facebook, PayPal etc. The advantages in this situation was, as expected, the financial part. Companies have the tendency not to admit their assets’ vulnerabilities therefore not keeping their part of the agreement. As a summary, we strongly recommend security enthusiasts to attend any presentation held by Ionut Cernica, Security Engineer at SafeTech Innovations. The second presentation showed vulnerabilities in the mobile devices field. It is already well known that mobile device security becomes a very important branch of IT security due to bring-your-own-device programs. As a consequence, mobile communications companies are taking countermeasures on this matter. I am referring to both device producers such as Apple, Samsung, Nokia and also telecommunications service companies: Orange, Vodafone etc. The first impression was of a very well chosen title “Z.E.R.O - Zero Errors Rarely Occur”. During his speech, Bogdan Alecu, System Administrator at Levi9 captivated the audience by constantly asking whether we knew that free calls can still be placed. Furthermore, the CVE-2014-1286 was detailed disclosing one of Apple’s vulnerabilities. This reveals the possibility of performing a denial of service attack against Apple mobile devices. Apple’s knowledge base site publicly disclose these vulnerabilities. As stated on this site, for the protection of customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. SPARKS #3 SPARKS #3, the third conference in the SPARKS events series, took place on June 2, 2014 at TechHub, Bucharest. Once more, this has proved to be the place to meet members of the security community after work.

Ionut Popescu

Section IV - Book Reviews and Conferences Analysis We are starting to get the feeling that we are already connected so the fact that after the presentations people stay for knowledge sharing sessions is quite normal. This time, the discussions were more intrusive, targeted and honest. The attendants are encouraged to speak their minds. As a consequence the number of questions was higher than the last time and discussions with regards to the subjects were also lucrative. SPARKS #3 has begun with a deeply technical captivating presentation where Ionut Popescu took us step by step through shellcode development both for Linux and Windows. He marketed the presentation as a 101 course for writing your own code. As usual for this conference, the prerequisites are not so demanding, so even if an attendee was not skilled in shellcode writing, by the end of the presentation he would have gathered a general idea and basic knowledge on this matter. Additionally, the speaker, Penetration Tester for KPMG Romania introduced the audience to assembler programming languages. Ionut is a former software developer very passionate about security field. His research includes low level aspects of programming. Additionally, his studies include MCTS Windows internal certification. As a “white hat” hacker he is involved in one of the largest Romanian security forums - Romanian Security Team.

Vali-Marius Malinoiu

The second session of this event was held by Vali-Marius Malinoiu, a security enthusiast with very good presentation skills. Although the contents discussed were not so technical, he won the audience with his speech. Along the 30 minutes, Vali told the story of “A hacker who went fishing”. It is worth underlining that the hacker went fishing, not phishing. What Vali did, was placing a friend’s mobile device as bait somewhere in Bucharest for no reason. Actually, his purpose was to prove a point. He started his presentation by asking what we would do in case of phone loosing. He also was enquiring whether we have a back-up plan. To be more precise, Vali developed an Android Remote access tool bases on a client server structure. After installing the client on the mobile device and configuring the software, he placed the phone in a public restaurant and left it there. Not surprisingly, the device was taken and the installed software started to do its job. What this means is that every 10 minutes, the device silently takes a photo and sends it to the server. Additionally, it attaches the location. It is worth mentioning that the location is obtained

Section IV - Book Reviews and Conferences Analysis through Google Services and not directly by GPS. As a consequence, the energy consumption is notably low. Furthermore, to reduce the risk of being uninstalled, the software is installed as a default service, making it hard to detect as a running application. Lastly, Vali informed us that for setting everything up, the device must be rooted. His project can be found on GitHub and can prove to be useful in an unfortunate event. As expected, by the end of the presentations, the attendants started sharing ideas and experience so this SPARKS session also finished in a very friendly manner. Already a custom, SPARKS accommodates both security home practitioners and corporate employees. The attendance was free of charge which made it available to a wide variety of technical fellows from university students, IT employees, security specialists to just passionate people. However for administrative purposes, prior registration and confirmation was required. For further details and for future events we strongly recommend the conference’s web page: sparks.ccsir.org. In the end of this article we would thank to Andrei Avadanei, the leader of the organizing team. This proves to be recurrent in Bucharest Information Security community. To conclude, we are really looking forward to the next month meeting. Source: sparks.ccsir.org Photos: cristiannicolau.wordpress.com

Section IV - Book Reviews and Conferences Analysis

Agora Conference: IT & Infrastructure Security Ioan-Cosmin MIHAI “A.I. Cuza” Police Academy, Romania Agora Conference “IT & Infrastructure Security” took place on February 27, 2014, at Marshal Garden Hotel - Amethyst Room, under the slogan “Security solutions - necessary more than ever”. Agora Conference brought to the audience important names in providing complete security solutions such as Symantec, Allied Telesis, Cisco Romania or Websense.

Agora Conference

The conference program started with Cisco Security Report for 2014, presented by Mr. Dorin Pena - General Manager Cisco Romania. In this report he presented the main forms of cyber-attacks that took place in Romania in 2013. According to this report, the year 2013 was highlighted by the fact that the number of system vulnerabilities what have been exploited reached a record. Mr. Marius Turlea - Technology Solutions Manager at Symantec, presented “Symantec Solutions for Information Security in IT&C Environment”. He talked about DLP - Data Loss Prevention, Endpoint Protection, Critical System Protection and a new product launched by Symantec: Data Center Security. This new product will control all the infrastructure (storage, network, and server) that is virtualized and delivered as a service.

Section IV - Book Reviews and Conferences Analysis Another interesting presentation form the conference was “Auditing Mobile Applications Security”, held by Mr. Florin-Mihai Iliescu - General Manager Infologica. Mobile applications audit has become a necessity nowadays. The audit is required to discover any programming errors and to ensure that the product meets safety requirements. The presentation marked 10 years of the company Infologica in information systems audit, with a pleasant surprise given to the conference participants. Agora Conference proved to be an important event in the field of computer security, through valuable participants and through discussions and security solutions presented. Photo source: Agora


Vol. 3 Issue 1/2014

Author Guidelines As an author, you are kindly advised to follow the next instructions. Reading and understanding the requirements before submittal would ensure adherence to IJISC standards and would facilitate acceptance by the scientific reviewers. 1.

Papers must be submitted in English, French or Romanian having an even number of pages (maximum 12 pages). At least 50% of the last page should be occupied by text.

2.

For papers writing it is recommended the use the text processor Microsoft Word and one of the template models (found on www.ijisc.com/authorguidelines/). We will do the final formatting and all necessary format conversions of your paper.

3.

The papers will be submitted using our online interface: www.ijisc.com/ paper-submission/. Please do not send your papers by e-mail!

4.

The papers will be reviewed by two scientific reviewers, well-known in their domains of activity. Usually, it takes 1 to 3 months between the moment you finished your submission and a response is given by scientific reviewers.

5.

The papers will be send back to the authors for corrections if: 1. the figures, pictures or tables are not contained in the text; 2. the reviewers require modifications or supplementary information.

6.

The papers will be rejected if their scientific content is not adequate, if they don’t contain original elements and if they are not properly written in English, French or Romanian.

7.

The bibliography must show the authors adequate documentation. At least 7-10 quality references should be cited. Citation standard is IEEE. Please read IEEE Citation Reference: www.ieee.org/documents/ieeecitationref.pdf

8.

The whole responsibility for the calculation exactitude, experimental data, scientific affirmation and paper translation belongs to the authors.

9.

The authors will declare on their own responsibility that the article or parts of it were not published before in others journals.

10. It is mandatory that the authors respect the Copyright Laws. An IJISC Copyright Form will have to accompany your submission. The signed copyright form has to be scanned and uploaded by using the online interface on the website. More information: www.ijisc.com/author-guidelines/


Vol. 3 Issue 1/2014

Review Policy The submitted papers are subject of a double blinded peer review process, in order to select for publishing the articles meeting the highest possible standards. IJISC reviewers are experts in the field of information security and cybercrime from academic police structures and university departments. In the reviewing process, the reviewers’ identities are not disclosed to the authors, nor are the authors’ identities disclosed to the reviewers. When a manuscript is submitted to IJISC, it is initially sent to Editorial Board for the primary evaluation in order to determine whether or not the paper fits the scope of the Journal. If the Editorial Board accept it, the paper then enters a blind reviewing process. In the reviewing process, the Editor-in-Chief sends the manuscript to two experts in the field, without the name of authors. The reviewers will consider the following evaluation criteria: • the subject relevancy in the area of the journal topics; • the quality of the scientific content; • the accuracy of data, statistics and facts; • the reasonable conclusions supported by the data; • the correct use of the bibliographic references. After evaluation process, the reviewers must include observations and suggestions for papers improvement that are sent to the authors, without the names of the reviewers. Referees’ evaluations usually include an explicit recommendation of what to do with the paper. Most recommendations are along the lines of the following: • to accept it; • to accept it in the event that its authors improve it in certain ways; • to reject it, but encourage revision and invite resubmission; • to reject it. If the decisions of the two reviewers are not the same (accept/reject), the paper is sent to a third reviewer. If the suggestions of reviewers for improving the paper are rejected by the author, the chief editor invites the author to reply to reviewers with the respect of anonymity. Observing the dialog, the chief editor may send the paper to additional reviewers. The final decision for publication is done by the Editor-in-Chief based on the examination of reviewers and the scope of the Journal. The Editor-in-Chief is responsible for the quality and selection of manuscripts chosen to be published and the authors are always responsible for the content of each article. More information: www.ijisc.com/review-policy/


Vol. 3 Issue 1/2014

Romanian Association for Information Security Assurance RAISA - Romanian Association for Information Security Assurance is a professional, non-governmental, non-partisan political, nonprofit and public benefit association. RAISA AIM The aim of Romanian Association for Information Security Assurance is promoting and supporting information security activities in compliance with applicable laws. RAISA VISION The vision of the Association is to promote research and education in information security field and to contribute to the creation and dissemination of knowledge and technology in this domain. RAISA has a strong representation at the national level, bringing together professors and researchers from top universities and Romanian institutions, PhD, Master’s and license students, as well as companies in the IT segment. RAISA OBJECTIVES To achieve the stated purpose, Romanian Association for Information Security Assurance proposes the following objectives: • Collaboration with the academic community from Romania or abroad in order to organize conferences, scientific seminars and workshops for presenting the development and implementation of effective measures to improve information security; • Collaboration with research centers, associations and companies from Romania or abroad, to organize informative events in information technology security field; • To perform specific programs for education and training of personnel involved in electronic information management (data processing, storage, security); • To ensure the dissemination of notice relating to existing vulnerabilities and nationally and internationally newly identified threats; to provide solutions for data restoration and policies to prevent and combat incidents based on the information provided by suppliers of software solutions; • To publish scientific journals for university staff, PhD students or Master's students, researchers, students and other professional categories in the field of information security and cybercrime; • To grant awards, scholarships or sponsorships to people with outstanding merits in the field of information security. Website: www.raisa.org


Vol. 3 Issue 1/2014

RAISA Members Benefits RAISA MEMBERS Romanian Association for Information Security Assurance is an organization that consists of: • Founding members - are individuals who have participated in the founding process of the Association, have agreed with the Statute of the Association at the date of establishment and are parts of the members’ category, with all their rights. The founding members pay annual membership fee and have the right to deliberative vote during the General Assembly. • Members - are individuals who have joined the Association after the date of establishment. The members pay annual membership fee and have all the rights, respecting the obligations stipulated in Statute of the Association. They have the right to deliberative vote during the General Assembly. • Honorary Members - can be scientists, professors, cultural or religious personalities, valuable professionals, who have rendered outstanding services to the Association. They are exempted from contributions and their vote is advisory. • Collaborators/Volunteers - anyone who wants to participate in Association activities without becoming a member. Their collaborations are on no-cost basis; they don't pay a membership fee and don't have the right to vote. RAISA MEMBERSHIP BENEFITS: • free access to RAISA scientific events; • discount to workshops and conferences organized by RAISA; • discount for professional courses promoted by RAISA on e-learning platform www.cpf.ro; • possibility to be involved in RAISA projects, support offered for research and development; • free access to IJISC full-text articles: www.ijisc.com; • 10% discount for books sold by RAISA; • free subscription to latest news in information security field on RAISA official channel: www.securitatea-informatiilor.ro; • free subscription to latest news in cybercrime filed on RAISA official channel: www.criminalitatea-informatica.ro; • member name listing on RAISA website. Get the most from your membership! www.raisa.org/members/