Chapter 2: Attacks, Concepts, and Techniques
consists of a multiphase, long-term, stealthy, and advanced operation against a specific target; usually well funded and targets organizations or nations for business or political reasons
APT
Distributed Denial of Service Attack. Typically a virus installed on many computers (thousands) activates at the same time and floods a target with traffic to the point that the server becomes overwhelmed.
DDoS attack
an assault whose purpose is to disrupt computer access to an internet service
DoS attack
allows the attacker to take control of a device without the user's knowledge, allowing the attacker to intercept and capture user information before relaying it to its intended destination
Man In the Middle (MitM)
variation of man-in-the-middle that is used to take control of a mobile device. When infected, the mobile device can be instructed to exfiltrate user-sensitive information and send it to the attackers
Man in the Mobile (MitMo)
widely used to steal financial information; many malware and techniques exist to provide attackers with ______ capabilities
MitM
capacitors installed very close to one another
RAM memory
Based on the capacitor design flaw, an exploit called _________ was created
Rowhammer
exploit that allows data to be retrieved from nearby address memory cells, even if the cells are protected.
Rowhammer
the most common goal of ______________ is to increase traffic to malicious sites that may host malware or perform social engineering
SEO poisoning
Often found in image files, audio files, or games; differs from a virus because it binds itself to non-executable files
Trojan horse
malware that carries out malicious operations under the guise of a desired operation; exploits the privileges of the user that runs it
Trojan horse
example of an exploit with MitMo capabilities; allows attackers to quietly capture 2-step verification SMS messages sent to users
ZeuS
the process of controlling who does what; ranges from managing physical access to equipment to dictating who has access to a resource (like a file) and what they can do with it (like read or change the file)
access control
many security vulnerabilities are created by the improper use of access controls
access-control problems
designed to automatically deliver advertisements
advertising supported software
often installed with some versions of software; some are designed to only deliver advertisements, but some can come with spyware
adware
the act of using an exploit against a vulnerability
attack
systems and sensitive data can be protected through techniques such as
authentication, authorization, and encryption
attacks that use multiple techniques to compromise a target
blended attacks
malware designed to automatically perform actions, usually online; most are harmless, but botnets are one increasing use of malicious bots (several computers are infected with bots which are programmed to quietly wait for commands provided by the attacker)
bot
network of infected hosts used in a DDoS attack
botnet
networks of computers that have been appropriated by hackers without the knowledge of their owners
botnets
password cracking technique: the attacker tries several possible passwords in an attempt to guess the password; usually involves a word-list file (a text file containing a list of words taken from a dictionary)
brute-force attacks
occurs when data is written beyond the limits of a buffer. By changing data beyond the boundaries of a buffer, the application accesses memory allocated to other processes, which can lead to a system crash, data compromise, or escalation of privileges
buffer overflow
memory areas allocated to an application
buffers
due to the proximity of capacitors in RAM memory, constant changes applied to one of those capacitors
could influence neighboring capacitors
programs often work with ________
data input
hardware vulnerabilities are specific to ________________ and are not generally exploited through _______________________
device models, random compromising attempts
most viruses require __________________ and can activate at a specific time or date
end-user activation
the term used to describe a program written to take advantage of known vulnerability
exploit
another common method of infiltration; attackers will scan computers to gain information about them
exploiting vulnerabilities
often introduced by hardware design flaws
hardware vulnerabilities
when a maliciously formatted packet is sent to a host or application and the receiver is unable to handle it
maliciously formatted packets
short for malicious software; any code that can be used to steal data, bypass access controls, or cause harm to, or compromise a system
malware
spyware often _____________________ in order to overcome security measures and often bundles itself with _______________________
modifies security settings, legitimate software or Trojan horses
viruses can be harmless and simply display a picture or they can be destructive, such as those that _____________________________________
modify or delete data or mutate to avoid detection
rootkits can also ________________________________________, making them very hard to detect; a computer infected by a rootkit usually needs to be wiped and reinstalled
modify system forensics and monitoring tools
password cracking technique: by listening and cracking packets sent on the network, an attacker may be able to discover the password if the password is being sent unencrypted (in plain text); if the password is encrypted, the attacker may still be able to reveal it by using a password cracking tool
network sniffing
data input coming into a program could have malicious content, designed to force the program to behave in an unintended way. Consider a program that receives an image for processing; a malicious user could craft an image file with invalid image dimensions. The maliciously crafted dimensions could force the program to allocate buffers of incorrect and unexpected sizes
non-validated input
when a network, host, or application is sent an enormous quantity of data at a rate which it cannot handle, causing a slowdown in transmission or response, or a crash of a device or service
overwhelming quantity of traffic
the two types of DoS attacks
overwhelming quantity of traffic and maliciously formatted packets
teams that are dedicated to searching for, finding, and patching software vulnerabilities
penetration testing teams
most rootkits take advantage of software vulnerabilities to
perform privilege escalation and modify system files
when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source in order to trick the recipient into installing malware on their device or into sharing personal or financial information
phishing
nearly all access controls and security practices can be overcome if the attacker has ____________
physical access to target equipment
can be used by an attacker to probe ports of a target computer to learn about which services are running on that computer
port scanner
when an attacker calls an individual and lies to them in an attempt to gain access to privileged data (ex. an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient)
pretexting
when the output of an event depends on ordered or timed outputs; this becomes a source of vulnerability when the required ordered or timed events do not occur in the correct order or proper timing
race conditions
designed to hold a computer system or the data it holds captive until a payment is made; usually works by encrypting data on the computer with a key unknown to the user. Some other versions of this can take advantage of specific system vulnerabilities to lock down the system. Spread by a downloaded file or some software vulnerability
ransomware
designed to modify the operating system to create a backdoor, which is used by attackers to access the computer remotely
rootkit
type of malware designed to persuade the user to take a specific action based on fear; usually forges pop-up windows that resemble operating system dialogue windows; these windows convey forged messages stating the system is at risk or needs the execution of a specific program to return to normal operation. If the user agrees to this and allows the mentioned program to execute, their system will be infected with malware
scareware
any kind of software or hardware defect
security vulnerabilities
access attack that attempts to manipulate individuals into performing actions or divulging confidential information
social engineering
password cracking technique: the attacker manipulates a person who knows the password into providing it
social engineering
usually introduced by errors in the operating system or application code
software vulnerabilities
when an attacker requests personal information from a party in exchange for something, like a free gift
something for something (quid pro quo)
a highly targeted phishing attack that sends emails customized to a specific person; attacker researches the target's interests before sending the email
spear phishing
USB drives, optical disks, network shares, or email
spread viruses
designed to track and spy on users; often includes activity trackers, keystroke collection, and data capture.
spyware
when an attacker quickly follows an authorized person into a secure location
tailgating
specialize in finding vulnerabilities in software
third party security researchers
a malicious executable code that is attached to other executable files, often legitimate programs
virus
systems/sensitive data can be protected through techniques such as authentication, authorization, and encryption; developers should not attempt to create their own security algorithms because doing so will likely introduce vulnerabilities. It is strongly advised that developers use security libraries that have already been created, tested, and verified.
weaknesses in security practices
a public internet database containing information about domain names and their registrants
whois
malicious code that replicates itself by independently exploiting vulnerabilities in networks; these usually slow down networks and are different from viruses because they can run by themselves
worms
responsible for some of the most devastating attacks on the Internet (ex. Code Red worm that infected over 300,000 servers in 19 hours)
worms
worms share similar patterns; they all have an enabling vulnerability, a way to propagate themselves, and they all contain a payload
worms
the infected hosts in botnets are called ______ and controlled by ___________
zombies, handler systems