Types of Attacks - Threats and Vulnerabilities
Birthday Attack
A Birthday Attack occurs when the attacker sends two different messages using the same hash function, which end up causing a collision.
Blue Snarffing
A rare attack in which an attacker takes control of a blue tooth enabled device. One way to do this is to get your PDA/mobile device, to accept the attackers device as a trusted device.
Armored virus
An Armored Virus is a type of virus that has been designed to thwart attempts by analysts from examining its code by using various methods to make tracing, disassembling and reverse engineering more difficult. Basically, an Armored virus hides its code to mask itself. An Armored Virus may also protect itself from antivirus programs, making it more difficult to trace. To do this, the Armored Virus attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.
DDoS
Distributed Denial of Service (Network Level) A distributed denial-of-service (DDoS) is where the attack source is more than one-and often thousands of-unique IP addresses. From commandeered Endpoints like Zombies/Bots.
PII
Personally identifiable information (PII)
Spam
Software that relies on Open Relays into the network and onto the node. Pop-ups are common to spam as well as spyware.
Spim
Spim is spam delivered through instant messaging (IM) instead of through e-mail messaging.
pWWN Spoofing
Spoofing is when something makes something else think it is the authorized device/address when it in fact is not. Wwn is a unique identifier used in storage technologies. Spoofing pwwn or wwn is making something think that it is the authorized device that is connected to the San or nas.
Spyware
Spyware is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge. Ex: Keyboard monitoring software. Spyware is characterized by numerous pop-ups
Smurf Attack
The Smurf Attack is a distributed denial-of-service (DoS) attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
PDA/Cell Phone Attacks
Used when devices are connected to Blue tooth functionality. Attack names are: Blue Snarffing Blue Jacking
Brute Force Attack
A brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space. Brute Force Attacks are time consuming.
SYN Flood
A type of DoS Attack, A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets are handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server can make, keeping it from responding to legitimate requests until after the attack ends.
SYN Flood Attack
A SYN flood is a form of denial-of-service (DoS) attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic in a 3 way TCP handshake. SYN> SYNACK> ACK to SYN> SYNACK....(no ACK).....SYN...
Vampire Attack
A Vampire Attack is when a hacker creates and sends messages by malicious node, which cause more energy consumption by the network, leading to slow depletion of node's battery life. Vampire attacks are not protocol specific They do not disrupt immediate availability Vampires use protocol compliant messages Transmit little data with largest energy drain Vampires do not disrupt or alter discovered paths
Backdoor
A backdoor is a means of access to a computer program that bypasses security mechanisms. A programmer may sometimes install a backdoor so that the program can be accessed for troubleshooting or other purposes. However, attackers often use backdoors that they detect or install themselves, as part of an exploit. Backdoors were originally created to ease administration. Some programmers create backdoors during programming to make development and debugging easier. However, if discovered, hackers can use these backdoors for a malicious attack.
Worm
Self Contained - Stand Alone, Self Activated, Self Replicating Program (Code). Spread through Folders, Macros, and Documents, NOT Files. A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Replay Attack
A Replay Attack is when an attacker captures part of a communication, and then later sending some or all of that communication to a server while pretending to be the original client.
Dictionary Attack
A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary. EX: Rainbow Table Attack(which uses hash). Dictionary attacks do not occur through email.
Replay Attack
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. EX: Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides (possibly after some transformation like a hash function); meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash). After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of identity, Eve sends Alice's password (or hash) read from the last session, which Bob accepts thus granting access to Eve.
Spoofing
A spoofing attack, a type of Non-technical attack, is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls. There are several different types of spoofing attacks that malicious parties can use to accomplish this.
Ping (ICMP) Flood
A type of DoS Attack, Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from Unix-like hosts (the -t flag on Windows systems is much less capable of overwhelming a target, also the -l (size) flag does not allow sent packet size greater than 65500 in Windows). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim. Ping of death is based on sending the victim a malformed ping packet, which will lead to a system crash on a vulnerable system.
Active X Control Attack
ActiveX controls are essentially pieces of software and have access to your entire computer if you opt to install and run them. If you're using Internet Explorer, websites can prompt you to install ActiveX controls — and this feature can be used for malicious purposes. ActiveX controls can be built directly into websites and can contain malicious code that can be easily downloaded by users without their knowledge. ActiveX controls can be disabled in whole or in part within the browser and can also be controlled as add-ons.
Black Box
Black box testing Black box testing refers to testing a system without having specific knowledge to the internal workings of the system, no access to the source code, and no knowledge of the architecture. In essence, this approach most closely mimics how an attacker typically approaches applications. However, due to the lack of internal application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer. Black box tests must be attempted against running instances of applications, so black box testing is typically limited to dynamic analysis such as running automated scanning tools and manual penetration testing.
DoS
Denial of Service (Individual Client) Denial of Service - SYN..SYN/ACK... No ACK, identified by nestat -aon CMD. In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
Dumpster Diving
Dumpster diving, at type of non-technical attack, is looking for treasure in someone else's trash. (A dumpster is a large trash container.) In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network.
IP Spoofing
IP spoofing, a type of DoS attack, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack browsers, or gain access to a network. In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.
Zombie|Bot|BotNet
In computer science, a zombie is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack. A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. A Bot has had a portion of the HD Partition commandeered to perform malicious activity from a controlling system.
Kiting
Kiting is the practice of monopolizing domain names without paying for them. Newly registered domain names can be canceled with a full refund during an initial five-day window known as an AGP, or add grace period. Kiting enables a hacker to 'float' a domain registration for a maximum of five days (during its grace period).
MAC Spoofing
MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user's choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer's identity, for any reason, and it is relatively easy MAC address spoofing is limited to the local broadcast domain.
Pharming Attack
Pharming is a (Social engineering based) cyber attack intended to redirect a website's traffic to another, fake site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. Both pharming and phishing have been used to gain information for online identity theft. Pharming has become of major concern to businesses hosting ecommerce and online banking websites. Sophisticated measures known as anti-pharming are required to protect against this serious threat. Antivirus software and spyware removal software cannot protect against pharming.
Smishing Attack
SMiShing is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. SMiShing is short for "SMS phishing."
5 Elements of a Header in a Packet
Sequence Number Source IP Destination IP Packet Length Synchronization
Whailing Attack
Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.[45] In the case of whaling, the masquerading web page/email will take a more serious executive-level form. The content will be crafted to target an upper manager and the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority. The content is meant to be tailored for upper management, and usually involves some kind of falsified company-wide concern.
Non Technical Attacks
Social Engineering Dumpster Diving Shoulder Surfing Spoofing
Social Engineering
Social engineering, a type of Non-technical attack, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals
TEMPEST
Tempest was the name of a classified (secret) U.S. government project to study (probably for the purpose of both exploiting and guarding against) the susceptibility of some computer and telecommunications devices to emit electromagnetic radiation (EMR) in a manner that can be used to reconstruct intelligible data. Tempest's name is believed to have been a code name used during development by the U. S. government in the late 1960s, but at a somewhat later stage, it became an acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions. Today, in military circles, the term has been officially supplanted by Emsec (for Emissions Security); however, the term Tempest is still widely used in the civilian arena. A TEMPEST Certified building will prevent War-Driving Attacks.
Blue Jacking
Using another blue tooth device that is within range and sending unsolicited messages to the target
Vishing Attack
Vishing works like phishing but does not always occur over the Internet and is carried out using voice technology. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.
Virus Hoax
A Virus Hoax happens when technical support resources are consumed by increased user calls and users are tricked into changing the system configuration.
AdWare
Adware, or advertising-supported software, is any software package that automatically renders advertisements in order to generate revenue for its author. The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process.
Types of DoS Attacks
DoS Attack DDoS Attack Zombie|Bot|BotNet Smurf Attack Fraggle Attack ICMP (ping) Attack SYN Flood Attack
Printer Security Issues and Threats
Document theft or snooping: A person can simply walk over to a printer and pick up a document that belongs to someone else. Unauthorized changes to settings: If your printer settings and controls aren't secure, someone may mistakenly or intentionally alter and reroute print jobs, open saved copies of documents, or reset the printer to its factory defaults, thereby wiping out all of your settings. Saved copies on the internal storage: If your printer has an internal drive, it can store print jobs, scans, copies, and faxes. If someone steals the printer, or if you throw it out before properly erasing the data, someone might recover the saved documents. Eavesdropping on network printer traffic: Hackers can eavesdrop on the traffic on your network, and capture documents that you send from your computers to the printer. Printer hacking via the network or Internet: A person on your network can hack into a network-connected printer fairly easily, especially if it's an older model that lacks newer security features or isn't password-protected. To prevent these things from happening use: - Password protection for access - Use SSL/TLS and IPsec - Keep Drivers and Firmware up to date - Upgrade/Remove older print devices from the network
Fuzzing
Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. A fuzzer is a program which injects automatically semi-random data into a program/stack and detect bugs. EX: Lets's consider an integer in a program, which stores the result of a user's choice between 3 questions. When the user picks one, the choice will be 0, 1 or 2. Which makes three practical cases. But what if we transmit 3, or 255 ? We can, because integers are stored a static size variable. If the default switch case hasn't been implemented securely, the program may crash and lead to "classical" security issues: (un)exploitable buffer overflows, DoS, ... Fuzzing is the art of automatic bug finding, and it's role is to find software implementation faults, and identify them if possible.
Password Cracking Attacks
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password. Brute Force Dictionary Replay
ID Theft Attacks
Phishing Vishing Smishing Whailing
Spear Phishing
Phishing attempts directed at specific individuals or companies have been termed spear phishing.
SQL Injection
SQL injection is a code injection technique (via True/False statements), used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
Shoulder Surfing
Shoulder Surfing, a type of Non-technical attack, refers to using direct observation techniques, such as looking over someone's shoulder, to get information.[1] It is commonly used to obtain passwords, PINs, security codes, and similar data.
War Driving Wireless Attack
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA). Software for wardriving is freely available on the Internet. Wardrivers use a Wifi-equipped device together with a GPS device to record the location of wireless networks. The results can then be uploaded to websites like WiGLE, openBmap or Geomena where the data is processed to form maps of the network neighborhood. There are also clients available for smartphones running Android that can upload data directly. For better range and sensitivity, antennas are built or bought, and vary from omnidirectional to highly directional. The maps of known network IDs can then be used as a geolocation system — an alternative to GPS — by triangulating the current position from the signal strengths of known network IDs.
Fraggle Attack
A Fraggle Attack is a denial-of-service (DoS) attack that involves sending a large amount of spoofed UDP traffic to a router's broadcast address within a network. It is very similar to a Smurf Attack, which uses spoofed ICMP traffic rather than UDP traffic to achieve the same goal. A Fraggle Attack is a DoS attack that sends large amounts of UDP traffic to ports 7 and 19.
ARP Poisoning/Spoofing
Address Resolution Protocol (IP to MAC) Poisoning Occurs on the intranet (inside the network). ARP poisoning is a method used for manipulating the flow of traffic between arbitrary hosts on a local area network. Exploiting a network with an ARP poisoning attack allows an attacker to reroute traffic passing between workstations and servers on the LAN through a malicious node, where the traffic can be monitored, modified, or DoSed by the attacker. Ex: A malicious computer is sending data frames with false hardware addresses to a switch. At the highest level, ARP poisoning works by modifying the ARP tables - small databases linking MAC hardware addresses to IP addresses - in target machines by exploiting fundamental weaknesses in the way network drivers handle ARP traffic.Because local area networks are the smallest unit of network infrastructure, the rules for passing data between computers vary from the commonly known TCP/IP and DNS structure used on the Internet. On the LAN, packets are exchanged using physical MAC addresses as a base network identifier rather then IP addresses. ********************************************** ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. ******************************************** Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long.
ICMP Attack
An ICMP Flood (a type of DoS attack)- the sending of an abnormally large number of ICMP packets of any type (especially network latency testing "ping" packets) - can overwhelm a target server that attempts to process every incoming ICMP request, and this can result in a denial-of-service condition for the target server.
White Box
White box testing White box testing, which is also known as clear box testing, refers to testing a system with full knowledge and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test. However, because of the sheer complexity of architectures and volume of source code, white box testing introduces challenges regarding how to best focus the testing and analysis efforts. Also, specialized knowledge and tools are typically required to assist with white box testing, such as debuggers and source code analyzers. In addition, if white box testing is performed using only static analysis techniques using the application source code and without access to a running system, it can be impossible for security analysts to identify flaws in applications that are based on system misconfigurations or other issues that exist only in a deployment environment of the application in question.
Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. XSS is a type of Session Hijacking Attack An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see: Types of Cross-Site Scripting. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
E Mail Spoofing
Email spoofing is the creation of email messages with a forged sender address. It is easy to do because the core protocols do not have any mechanism for authentication. It can be accomplished from within a LAN or from an external environment using Trojan horses. Spam and phishing emails typically use such spoofing to mislead the recipient about the origin of the message. A common component of email spoofing is an 'Open Relay Session' on a server.
Virus
A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected". Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, logging their keystrokes, or even rendering the computer useless. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without user consent.
Trojan Horse
A friendly program that is wrapped around a virus, used for malicious activity against a company. A Trojan horse, or Trojan, in computing is any malicious computer program which misrepresents itself as useful, routine, or interesting in order to persuade a victim to install it. Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an e-mail attachment disguised to be unsuspicious, (e.g., a routine form to be filled in), or by drive-by download and do not spread|propagate themselves.
Logic Bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. Logic Bomb - is activated via conditions, (ie turn on functionality) - does not rely on, but uses Date and Time. Software that is inherently malicious, such as viruses and worms, often contain logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools' Day. Trojans that activate on certain dates are often called "time bombs". To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
Phage Virus
A phage virus is a computer virus which, rather than attaching to host files, will modify host file programs. It usually modifies the beginning of the executable code, destroying files in the process. If an infected file is transferred, the phage virus continuously transfers to other executable files until they are all infected. A phage virus is destructive because it rewrites the programming of its host with its own code, rendering the host file unusable and resulting in a deleted or corrupted program. A well-known example of a phage virus is the PalmOS/Phage, also known as the Palm Virus and Palm.Phage.Dropper, which rapidly self-propagates on handheld devices with the Palm operating system (OS), resulting in program elimination. This Phage virus incarnation transfers between devices if files are downloaded from the Web, shared via infrared (IR) beaming or synced with a PC.
Priviledge Escalation Attack
A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker Admin./elevated access to the network and its associated data and applications. There are two kinds of privilege escalation: vertical and horizontal. Vertical privilege escalation requires the attacker to grant himself higher privileges. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code. Horizontal privilege escalation requires the attacker to use the same level of privileges he already has been granted, but assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation.
Rootkit
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software. A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. Kernel-Level Rootkits, in particular, are designed to extract confidential information, and hide evidence of an attacker's presence
Stealth virus
A stealth virus is complex malware that hides itself after infecting a computer. Once hidden, it copies information from uninfected data onto itself and relays this to antivirus software during a scan. This makes it a difficult type of virus to detect and delete. A stealth virus is complex malware that hides itself after infecting a computer. Once hidden, it copies information from uninfected data onto itself and relays this to antivirus software during a scan. This makes it a difficult type of virus to detect and delete. A stealth virus can infect a computer system in a number of ways: For instance, when a user downloads a malicious email attachment; installs malware masquerading as programs from websites; or uses unverified software infected with malware. Similar to other viruses, it can take over a wide variety of system tasks and can affect the computer's performance. When performing such tasks, antivirus programs detect the malware, but the stealth virus is designed to actively remain hidden from antivirus programs. It accomplishes this by temporarily moving itself away from the infected file and copying itself to another drive and replacing itself with a clean file. The stealth virus can also avoid detection by concealing the size of the file it has infected. You can detect the virus by starting the system via a disk boot — to avoid systems the virus has control over — and then beginning an antivirus scan. However, even if detected here, there is a chance the virus has copied itself into another file on the system, so it remains a challenging virus to fully eradicate. In general, the best countermeasure is to use strong antivirus software designed to detect viruses and their hidden counterparts.
Man in the Middle Attack (MITM)
A type of Session Hijacking Attack, The Mani in the Middle Attack intercepts a communication between two systems. For example, in an http transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into 2 new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication. The MITM attack is very effective because of the nature of the http protocol and data transfer which are all ASCII based. In this way, it's possible to view and interview within the http protocol and also in the data transferred. So, for example, it's possible to capture a session cookie reading the http header, but it's also possible to change an amount of money transaction inside the application context. The MITM attack could also be done over an https connection by using the same technique; the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but the user may ignore the warning because he doesn't understand the threat. In some specific contexts it's possible that the warning doesn't appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site. MITM is not only an attack technique, but is also usually used during the development step of a web application or is still used for Web Vulnerability assessments.
Watering Hole Attack
A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment.
AP Isolation
AP is an abbreviation for access point. An access point, or wireless access point, is a device that permits mobile devices, such as laptop computers and personal digital assistants, to connect wirelessly to a wired computer network. AP isolation is a technique for preventing mobile devices connected to an AP from communicating directly with each other. AP isolation effectively creates a "virtual" network among wireless devices, one in which each device is a separate entity in its own right. AP isolation allows network administrators to separate potentially malicious network traffic from a publicly accessible portion of a wireless network from the main control network. In so doing, it prevents the main control network from being flooded with unsolicited network traffic, which may include viruses, worms and Trojan horses. A typical application of AP isolation is a wireless hotspot, of the type found in airports, coffee bars and railway stations. A wireless hotspot typically allows numerous guest users to connect to an AP and create a single, large wireless network. Without AP isolation, unscrupulous users could connect to network devices other than the AP itself for the purposes of hacking or flood the whole network with traffic, rendering it unusable.
Port Scan Attack
An attacker launches a port scan to see what ports are open, with a listening service, on your machine. A port scan attack, therefore, occurs when an attacker sends packets to your machine, varying the destination port. The attacker can use this to find out what services you are running and to get a pretty good idea of the operating system you have. Most Internet sites get a dozen or more port scans per day. As long as you harden your firewall and minimize the services allowed through it, these attacks shouldn't worry you.
IV Attack
An initialization vector (IV) attack is an attack on wireless networks. It modifies the IV of an encrypted wireless packet during transmission. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 key stream generated by the IV used. This key stream can then be used to decrypt all other packets that use the same IV. Since there is only a small set of possible initialization vectors, attackers can eventually build a decryption table to decrypt every packet sent over that wireless connection.
Evil Twin Wireless Network Attack (aka Evil Twin Router)
Evil twin Router is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications. An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider. This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there. EX: The attacker uses a bogus wireless access point, purporting to provide wireless Internet services, but snooping on the traffic. When the users log into unprotected (non-HTTPS) bank or e-mail accounts, the attacker has access to the entire transaction, since it is sent through their equipment. Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred. Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to its evil twin by it sending a stronger signal within proximity to the wireless client. Rogue access points are easy to set up, for example using a laptop with a wireless card that acts as an access point (known as "host-ap"), but are hard to trace since they can suddenly be shut off. An attacker can make his own wireless networks that appear to be legitimate by simply giving their access point the same SSID and BSSID to the Wi-Fi network on the premises. The rogue access point can be configured to pass the traffic through to the legitimate access point while monitoring the victim's traffic, or it can simply say the system is temporarily unavailable after obtaining a username and password
Gray Box
Gray box testing When we talk about gray box testing, we're talking about testing a system while having at least some knowledge of the internals of a system. This knowledge is usually constrained to detailed design documents and architecture diagrams. It is a combination of both black and white box testing, and combines aspects of each. Gray box testing allows security analysts to run automated and manual penetration tests against a target application. And it allows those analysts to focus and prioritize their efforts based on superior knowledge of the target system. This increased knowledge can result in more significant vulnerabilities being identified with a significantly lower degree of effort and can be a sensible way for analysts to better approximate certain advantages attackers have versus security professionals when assessing applications.
Buffer Overflow Attack
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety. A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow.[7] It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.[8] Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution
MAC Flooding
MAC flooding is a technique employed to compromise the security of network switches. Switches maintain a MAC Table that maps individual MAC addresses on the network to the physical ports on the switch. This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as a hub does. The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for. In a typical MAC flooding attack, a switch is fed many Ethernet frames, each containing different source MAC addresses, by the attacker. The intention is to consume the limited memory set aside in the switch to store the MAC address table.[1] The effect of this attack may vary across implementations, however the desired effect (by the attacker) is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports. It is from this flooding behavior that the MAC flooding attack gets its name, and it is this behavior which allows the MAC flooding attack to be used as more than a simple denial-of-service attack[2] against the switching infrastructure. After launching a successful MAC flooding attack, a malicious user could then use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible were the switch operating normally. The attacker may also follow up with an ARP spoofing attack which will allow them to retain access to privileged data after switches recover from the initial MAC flooding attack. *********************************************** MAC flooding sends many packets to a switch, each of which has a different source MAC address in an attempt to use up the memory on the switch, changing the state of the switch to fail open mode, which ultimately makes it function as a hub.
Phishing Attack
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies.
DNS Poisoning
Poisoning the cache means changing the real values of URLs. For example, cyber criminals can create a website that looks like say, xyz.com and enter its DNS record in your DNS cache. Thus, when you type xyz.com in the address bar of the browser, the latter will pick up the IP address of the fake website and take you there, instead of the real website. Using this method, cyber criminals can phish out your login credentials and other information such as card details, social security number, phone numbers and more for identity theft. The DNS poisoning is also done to inject malware into your computer or network. Once you land on a fake website using a poisoned DNS cache, the criminals can do anything they want. DNS cache poisoning is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker's computer (or any other computer). ********************************************** CMD: nslookup www.arp.com 'enter' will give you the IP address assigned to the URL. On the Internet. Then the Address can be poisoned.
Red Teaming
Red Teaming is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system/network/data access. This process is also called "ethical hacking" since its ultimate purpose is to enhance security. Ethical hacking is an "art" in the sense that the "artist" must posses the skills and knowledge of a potential attacker (to imitate an attack) and the resources with which to mitigate the vulnerabilities used by attackers. Defined loosely, red teaming is the practice of viewing a problem from an adversary or competitor's perspective. The goal of most red teams is to enhance decision making, either by specifying the adversary's preferences and strategies or by simply acting as a devil's advocate. Red teaming may be more or less structured, and a wide range of approaches exists. In the past several years, red teaming has been applied increasingly to issues of security, although the practice is potentially much broader. Business strategists, for example, can benefit from weighing possible courses of action from a competitor's point of view. Alternative analysis is the superclass of techniques of which red teaming may be considered a member. As with red teaming, these techniques are designed to help debias thinking, enhance decision making, and avoid surprise.
Session Hijacking
The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed for a session token. Because http communication uses many different TCP connections, the web server needs a method to recognize every user's connections. The most useful method depends on a token that the Web Server sends to the client browser after a successful client authentication. A session token is normally composed of a string of variable width and it could be used in different ways, like in the URL, in the header of the http requisition as a cookie, in other parts of the header of the http request, or yet in the body of the http requisition. The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server. The session token could be compromised in different ways; the most common are: Predictable session token; Session Sniffing; Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc); Man-in-the-middle attack Man-in-the-browser attack
Polymorphic Virus
These viruses are more difficult to detect by scanning because each copy of the virus looks different than the other copies. Basically, polymorphic code mutates while keeping the original algorithm intact. Code encryption is a common method of achieving polymorphism. A polymorphic virus is a complicated computer virus that affects data types and functions. It is a self-encrypted virus designed to avoid detection by a scanner. Upon infection, the polymorphic virus duplicates itself by creating usable, albeit slightly modified, copies of itself. Polymorphism, in computing terms, means that a single definition can be used with varying amounts of data. In order for scanners to detect this type of virus, brute-force programs must be written to combat and detect the polymorphic virus with novel variant configurations. Removing polymorphic viruses requires that programmers rewrite language strings, which can be time-consuming, complex and costly. In order to detect polymorphic viruses, a scanner with strong string detection that enables it to scan several different strings - including one for each possible decryption scheme - is necessary. A polymorphic function definition can replace several specific ones that are associated with one type. An example of polymorphism would be if the "C" key was switched to "D," or "4" to "5," and so on. Data types and functions are included in polymorphism, and functional programming languages widely use this type of computing technique. Thus, polymorphic viruses can be widely applied.