The progress in IT industry increased the security issues in a system or an organistion. Corporate organisations have lot of informations which are very sensitive so they spent a large amount of money for the security of these sensitive informations. There are many ways in which a hacker attacks a secured network or an organisation. If one of the system in a network is compromised then the hacker can get total information of the network. Before the hacker attacks it will decide on its target such as an application, network, password, a cryptographic algorithm and so on.
In active attack the attackers are actively attempting to cause harm to a network or system. This is the most serious type of attack since most of the organisation’s operations depend on its critical data. These attacks include Denial of Service (DoS), Distributed Denial of Service (DDoS), buffer overflow, spoofing, Man in the Middle (MITM), replay, TCP/IP hijacking, wardialing, dumpster diving and social engineering attacks.
DoS attack is an incident when a user or organisation is deprived of the services of a resource which is accessible normally. DoS attacks, such as the Ping of Death (POD) and Teardrop attacks, take advantage of the limitations in the TCP/IP protocols.
Flooding the inbound network connections of a service with unwanted informations
There are no immediate remedies to this attack. The best possible ways to reduce the effect of this attack are as follows.
Install and maintain anti-virus softwares
Install a firewall and configure it to restrict unauthorised incoming and outgoing network traffic
Follow specific security practices for distributing e-mail address. Applying email filters manages unwanted traffic.
All the disruptions in services are not DoS attacks. Typical ways to detect the DoS attacks are as follows:
DDoS attack is an additional feature of DoS attack; it is an attack where multiple compromised systems are used to target a single system causing a DoS attack. Since DDoS can attack hundreds and thousands of systems simultaneously, it is generally used on Internet. The attacker installs DDoS software on all the compromised systems and launches a wider attack from all the compromised machines. This attack typically overloads bandwidth, router processing capacity or network stack resources, breaking network connectivity of the victims.
Software component involved in a DDoS attack include the following:
Client – The control software used by the hacker to launch attacks. The client directs command to its subordinate hosts.
Daemon – It is a software program running on a subordinate host. Daemon is the process used for implementing the attack.
13.2.3 Software Exploitation and Buffer Overflows
In software exploitation attack a chunk of data or a sequence of commands take advantage of the vulnerability in order to cause unintended behaviour to a computer software or hardware. Normally it is the flaw in the programming of software which creates bugs within the software. One of the most common bug is buffer overflow where a small amount of memory has been allocated by the programmer
to store a specific amount of data. When the volume of data written to the storage area exceeds the space allocated, a buffer overflow occurs causing the system to crash, wherein it is left open to any intruder.
A spoofing attack is a situation in which an individual or a program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. In routers for sending packets the destination address is only required, but the source address is required only when the destination responds to the sent packet. Hacker takes use of this vulnerability in the network and spoofs as the source address. MITM is an example of spoofing.
13.2.5 MITM Attack
In a MITM attack, the attacker intercepts messages in a public key exchange and then retransmits them, substituting with the attackers own public key for the requested one, so that the two parties still appear to be communicating with each other. Since in this scenario it attacks during the transmission, there are many methods used to authenticate this process. The most present way is to send an encrypted secondary data that must be verified before a transaction can take place. Some online businesses have started methods such as secret keys to verify the genuineness of a customer before processing an order.
13.2.6 Replay Attacks
A breach of security in which information is stored without authorisation and then retransmitted to trick the receiver into unauthorised operations such as false identification or authentication or a duplicate transaction. For example, if messages from an authorised user is captured and resent the next day. Though the attacker cannot open the encrypted message but it can get into the network using this retransmission. This attack can be prevented by attaching the hash function to the message.
13.2.7 TCP/IP Hijacking
It is also called session hijacking. Session hijacking is a security attack, carried out by an intruder, which attempts to insert commands into an active login session. The most common method of session hijacking is IP spoofing. In an IP spoofing, attacker uses source-routed IP packets that inserts commands into an active transmission between two nodes on a network. In this way the attacker masquerades itself as one of the authenticated users.
Wardialing is using communication devices such as a modem to find electronic devices that includes systems that are connected to an accessible network. Wardialing can be very troublesome for some with single line as it hangs system. Wardialers typically hangs after two rings or when a person answers or when it is rejected if uninterested. If there are numerous phone connections in an organisation then all of them will start ringing simultaneously.
13.2.9 Social Engineering
In computer security, social engineering is a term that describes a non-technical intrusion that relies heavily on human interaction and often involves tricking individuals to break normal security procedures.
There are two ways of social engineering as follows:
An attack reveals the user’s personal information such as account name or password, social security number that can be used for identity theft.
An attack run an executable file in order to load a virus, worm, trojan or other malware on the system which can result in identity theft.
Pretexting is a form of social engineering in which an individual lies about their identity or purpose to obtain privileged data about another individual. Pretexting can be done by telephone or e-mail, through customer service messaging or an organisation’s Website. For example, the pretexter calls a victim and communicates as the victim’s financial organisation. The pretexter convinces the victim to give away personal information. Once the pretexter gets the required information of the victims account then, these informations are used to steal from the victim personal account. The term social engineering was popularised by reformed system criminal and security consultant Kevin Mitnick.
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking e-mail in an attempt to gather personal and financial information from recipients for identity theft. For example, while opening a financial organisation’s Website, it will prompt for user name, ID, account number and password. The Website in which the information was updated is a fake Website sent by the hacker to attain personal information of the victim.
These techniques used in phishing attacks are as follows:
Link manipulation – This technique shows a URL in the phishing message which actually links to the phisher’s Website. This URL is made to look similar to the real Website.
Filter evasion – Filters are set to identify suspicious text. Sometimes images of text are used instead of the text itself in order to get through the filters.
Phone phishing – Phishing is normally done through e-mails with direction to another Website. Even phone messages can be used to have users dial an institution’s phone number which is actually controlled by the phisher. Fake caller-ID information can make these attacks very genuine.
13.2.10 Shoulder Surfing
Shoulder surfing refers to a direct observation, such as looking over an individual’s shoulder look at whatever they are entering to a form or a ATM machine or a password.
13.2.11 Dumpster Diving
It is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners, but which may be useful to the dumpster diver. Information such as phone list, calendar or organisational chart can be used to assist an attacker using social engineering techniques.
For more information on Social Engineering refer chapter 2 Operational Organisational Security.
13.3 Passive Attacks
In passive attack the hacker attempt to steal information stored in a system by eavesdropping. The attacker only reads the information rather then modifying, deleting or replacing the information. This type of attack is mostly used in cryptanalysis.
Vulnerability scanning is important to hackers as well as the one who protects a network. Hackers used this scanner to identify weakness in the system. Security administrator uses this to detect the flaws in the network and fix it.
Eavesdropping on a network is called sniffing. A sniffer illegitimately captures data transmitted on a network. Sniffer software can be used to monitor and analyze network traffic, detecting bottlenecks and problems. Tcpdump is the most common UNIX sniffing tool and it is available with most of the linux distributions.
13.4 Password Attacks
Password attacks are very common attacks as they are easy to perform with successful intrusion. There are two types of password guessing attack brute force attack and dictionary-based attack.
13.4.1 Brute Force Attacks
This attack consists of trying every possible code, combination or password until the right one is revealed. Since the exact number of character used in a password is estimated between 4 to 16 characters. So 100 different values can be used for each character of a password, there are only 1004 to 10016 password combinations. Though the number combination is large still it is vulnerable to brute force attack.
To increase the security against brute force attack:
Increase the length of the password
The password should contain characters other than numbers, such as * or #
Should impose a 30 second delay between failed authentication attempts
Add policies for locking the account after five failed authentication attempts
13.4.2 Dictionary-Based Attacks
A dictionary-based attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. This attack is not feasible on systems which apply multiple words or characters as password. These attacks are used by spammers.
13.5 Malicious Code Attacks
Malicious code is a threat which is hard to be blocked by antivirus software. Malicious codes are auto executable applications. It can take the form of Java applets, ActiveX controls, plug-ins, pushed content, scripting languages or a number of new programming languages designed to enhance Web pages and e-mail. Usually the victim is unaware of the malicious code attack, making it virtually impossible to recognise an assault until it is too late. Protection against malicious code attack should be proactive and frequently updated with the new set of attacks. The most dangerous malicious code attempts to access and delete, steal, alter or execute unauthorised files. This attack can steal passwords, files or other confidential data. Malicious code can also delete, encrypt or modify files on a disk.
In a system malicious code hides in specific areas. Some areas where the malicious code hides are as follows:
13.6 Cryptographic Attacks
Cryptographic attacks are methods of evading the security of a cryptographic system by finding weaknesses in the areas such as codes, ciphers, cryptographic protocol or key management scheme in the cryptographic algorithm. This attack includes backdoors, viruses, trojan, worms, software exploitation and weak keys.
It is software designed to infiltrate a computer system without the consent of the owner. Malware includes computer viruses, worms, trojan horses and spyware.
Virus is a program or piece of code that is loaded onto a computer without the knowledge of the user and runs against the user’s wishes. Viruses can transmit themselves by attaching to a file or email or on a CD or on an external memory.
Viruses are classified into three parts
File infectors – File infector viruses attach themselves to program files, such as .COM or .EXE files. File infector viruses also infects any program for which execution is requested, such as .SYS, .OVL, .PRG, and .MNU files. These viruses loaded when the program is loaded.
System or boot-record infectors – These viruses infect executable code in system areas on a disk. These viruses attach to the DOS boot sector on diskettes or the Master Boot Record on hard disks. The scenario of boot record infectors is when the operating system is running and files on the diskette can be read without triggering the boot disk virus. However, if the diskette is left in the drive, and then the computer is turned off or restarted, then the computer will first search in A drive when it boots. It will then load the diskette with its boot disk virus, loads it, and makes it temporarily impossible to use the hard disk.
Macro viruses – These are the most common viruses, and they do the least damage. Macro viruses infect Microsoft Word application and typically insert unwanted words or phrases.
A computer worm is a self-contained program that is able to spread functional copies of itself or its segments to other computer systems. Worms use components of an operating system that are automatic and invisible to the user. The worms are detected only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
Trojan horses are classified based on how they breach systems and damage they cause.
The seven main types of trojan horses are as follows:
Remote Access Trojans
Data Sending Trojans
Security Software Disabler Trojans
DoS Attack Trojans
Spyware is a type of malware that is installed on systems and collects small amount of information at a time about the users without their knowledge. Spyware is Internet terminology for advertising supported software such as Adware. All adwares are not spywares. There are also products that display advertising but do not install any tracking mechanism on the system. Spyware programs can collect various types of personal information such as Internet surfing habits and Websites that have been visited. It can also interfere with user’s control on the system such as installing additional software and redirecting Web browser activity. Updated antispywares is used to protect spywares from attacking the systemr.
13.7 Chapter Review Question
1. Which amongst the following is an attack in which hackers are actively attempting to cause harm to a system?
Malicious code attack
Which of the following attack overloads a bandwidth of a Website?
Which of the following attack, where multiple compromised systems are used to target a single system?
When one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Which of the following defines this attack?
what type of attack is Replay attack?
None of these
what type of attack is Sniffing ?
None of these
what type of active attack is Phishing?
Which of the following is the attack that refers to a direct observation or looking over a individuals shoulder?
None of these
Which amongst the following is the virus that infects Microsoft word application and inserts unwanted words or phrases?
Boot record virus
____________ is a form of social engineering in which an individual lies about their identity or purpose to obtain privileged data about another individual.
None of these
In this chapter, Attacks, you learnt about:
The different types of attacks.
The types of active attack such as DoS, DDoS, Replay, Social Engineering and so on.
The types of passive attacks.
The types of Password, Cryptographic and Malicious attacks.