Chapter 5 Attacks
Principles (Reasons for effectiveness)
* Authority * Intimidation * Consensus/social proof * Scarcity and urgency * Familiarity/liking * Trust
Potential risks with NFC
* Confidentiality: Like any communications method, NFC is exposed to eavesdropping. Any sensitive data must be encrypted to mitigate this concern. * Denial of service: Similar to our earlier discussion of jamming and interference, NFC can be subject to such disruptions, too. * Man-in-the-middle (MITM): MITM attacks are theoretically possible, but the short range required by NFC makes them challenging to carry out. * Malicious code: As with any client device, preventing malware and user awareness are key controls.
Xmas Tree
A Christmas tree packet is one that sets every option or flag available in the underlying protocol (for TCP, an abnormal combination such as FIN, PSH, and URG all set at once). Because these packets require more processing by the receiving stack, they are used in what is called an Xmas Tree attack to disrupt service.
EXAMALERT
A Man-in-the-Middle attack takes place when a computer intercepts traffic and either eavesdrops on the traffic or alters it.
Botnets
A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A bot provides a spam or virus originator with the venue to propagate.
Cram Saver 3: What is a botnet, and how does a system become part of a botnet?
A botnet consists of a large number of compromised computers that are able to forward transmissions to other computers outside the network. Most computers that are part of a botnet are often compromised via malicious code executed upon the system.
Code Red
A worm from 2001 that spread by exploiting a buffer overflow in Microsoft IIS web servers.
Birthday attack
A cryptographic attack against a secure hash. A birthday attack finds collisions within hash functions, which gives a more efficient method than brute force: for an n-bit hash, a collision is expected after roughly 2^(n/2) hash computations instead of the 2^n needed to match one specific value.
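The difference between collision search and brute force, as an added example that is not part of the original notes. It truncates SHA-256 to a small number of bits (an assumption made only so the search finishes in seconds) and compares the work needed to find any two colliding messages against the work needed to match one fixed target:

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its low `bits` bits. The truncation is only so the
    demo finishes quickly; the attack scales the same way against a full hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << bits) - 1)


def birthday_collision(bits: int, prefix: bytes = b"msg-"):
    """Find two distinct messages with the same truncated hash.

    Messages are prefix + counter, so the search is deterministic. Every new
    hash is compared against all earlier ones, which is what gives the attack
    its sqrt(2^bits) cost. Returns (m1, m2, hashes_computed)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def second_preimage(bits: int, target: bytes, prefix: bytes = b"alt-"):
    """Contrast: find a different message with the same hash as one fixed
    target. Only one value matches, so the expected cost is 2^bits hashes."""
    want = truncated_hash(target, bits)
    i = 0
    while True:
        m = prefix + str(i).encode()
        if m != target and truncated_hash(m, bits) == want:
            return m, i + 1
        i += 1


def expected_birthday_work(bits: int) -> float:
    """Hashes needed for about a 50% chance of a collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


if __name__ == "__main__":
    bits = 24
    m1, m2, n = birthday_collision(bits)
    print(f"{bits}-bit collision after {n} hashes "
          f"(expected ~{expected_birthday_work(bits):.0f}):")
    print(f"  {m1!r} and {m2!r} -> {truncated_hash(m1, bits):#x}")
    m, n = second_preimage(16, b"transfer 100 to alice")
    print(f"16-bit second preimage after {n} hashes (expected ~{1 << 16}): {m!r}")
```

Run it and the 24-bit collision appears after a few thousand hashes, while matching a single 16-bit target takes tens of thousands; the gap only widens as the hash gets longer, which is why digest length is chosen against the birthday bound rather than the brute-force bound.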
Botnet
A large number of computers that forward transmissions to other computers on the internet. You might also hear a botnet referred to as a zombie army.
EXAMALERT
A logic bomb is also referred to as slag code. It is malicious in intent and usually planted by a disgruntled employee.
War driving
A popular pastime that involves driving around with a laptop configured to listen for open 802.11 access points announcing their service set identifier (SSID) broadcasts.
Typo squatting/URL hijacking
Registering a domain name that is a common misspelling of a legitimate one. A simple method used frequently for benign purposes (catching mistyped traffic), but one that can be and is easily used for more malicious attacks, such as hosting a look-alike site that harvests credentials.
Email spoofing
A spammer or computer virus can forge the header information in an email so that it appears the email is coming from a trusted host, from one of your friends, or even from your own email address.
Cram Saver 2: What symptoms indicate that a system contains spyware?
A system infected with spyware might exhibit various symptoms, such as sluggishness, changes to the web home pages, web pages automatically added to bookmarks, and websites that launch unexpectedly.
Cram Saver 3: What is the difference between a tracking cookie and a session cookie?
A tracking cookie is a particular type of permanent cookie that sticks around. Spyware, for example, would likely use tracking cookies. Session cookies, in contrast, stay around only for that particular visit to a website.
Viruses
A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate itself. It replicates when an infected file is executed or launched. It then attaches to other files, adds its code to the application's code, and continues to spread. Even a simple virus is dangerous because it can use all available resources and bring the system to a halt. Many viruses can replicate themselves across networks and bypass security systems.
Logic bombs
A virus or trojan horse designed to execute malicious actions when a certain event occurs or a period of time goes by. For a virus to be considered a logic bomb, the user of the software must be unaware of the payload. A programmer might create a logic bomb to delete all his code from the server on a future date, most likely after he has left the company.
Cram Quiz 2: Which one of the following best describes a polymorphic virus? A. A virus that infects EXE files. B. A virus that attacks the boot sector and then attacks the system files. C. A virus inserted into a Microsoft Office document such as Word or Excel. D. A virus that changes its form each time it is executed.
A virus that changes its form each time it is executed.
NOTE
According to the Federal Communications Commission (FCC), "Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS) and wireless network services (Wi-Fi)."
Malicious add-ons
Active content within websites offers an attractive attack space for aggressors, who might craft special "drivers" required for content access that are in fact trojans or other forms of malware. Other attackers craft malware to take advantage of unpatched add-ons to directly inject code or gain access to a user's system when a vulnerable browser is directed to an injected website.
Adware
Advertising-supported software, or adware, is another form of spyware. It is an online way for advertisers to make a sale. These companies also install tracking software on your system, which keeps in contact with the company through your internet connection. It reports data to the company such as your general surfing habits and which sites you visit. Adware is legitimate only when users are informed up front that they will receive ads.
ARP poisoning
All network cards have a unique 48-bit MAC address that is hardcoded into the card. For network communications to occur, this hardware address must be associated with an IP address. Address Resolution Protocol (ARP), which operates at layer 2 (data link layer) of the OSI model, maps IP addresses to MAC addresses. ARP is a simple lower-layer protocol consisting of requests and replies with no validation. That simplicity is also what leaves it open to attack: a host will accept and cache any reply it receives.
Directory traversal
A directory traversal attack uses path sequences such as ../ to navigate outside the directory a web application is meant to expose. In most cases the directory structure is restricted; an attack using directory traversal enables the attacker to gain access to otherwise restricted files and directories.
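A vulnerable file handler next to a hardened one, as an added example (not code from the original notes). It builds a throwaway web root in a temporary directory with a secret file one level above it; the file names and contents are constructed for the demo:

```python
import os
import tempfile
from urllib.parse import unquote


def build_demo_tree() -> str:
    """Create a throwaway web root: public/index.html may be served,
    secret.txt one level above it must not be. Returns the public dir."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2\n")
    return public


def read_vulnerable(public_dir: str, requested: str) -> str:
    """Joins the request path straight onto the web root. '../' escapes it,
    and os.path.join drops the root entirely when the request is absolute.
    URL decoding happens first, as a web server would do, so an encoded
    '%2e%2e%2f' works just as well as a literal '../'."""
    path = os.path.join(public_dir, unquote(requested))
    with open(path) as f:
        return f.read()


def read_safe(public_dir: str, requested: str) -> str:
    """Resolve the final path (following symlinks and '..') and refuse
    anything that does not stay inside the web root."""
    base = os.path.realpath(public_dir)
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    public = build_demo_tree()
    print("vulnerable:", read_vulnerable(public, "..%2Fsecret.txt").strip())
    try:
        read_safe(public, "../secret.txt")
    except PermissionError as e:
        print("safe:", e)
    print("safe:", read_safe(public, "index.html"))
```

The check is done on the fully resolved path, not on the string the client sent: stripping "../" from the input is easy to bypass (for example with "....//" or encoded variants), whereas comparing the resolved target against the resolved root catches every spelling at once.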
Smishing
Also known as SMS phishing, smishing involves using phishing methods through text messaging.
Vishing
Also known as voice phishing, the attacker often uses fake caller ID to appear as a trusted organization and attempts to get the individual to enter account details via the phone.
EXAMALERT
Although cookies generally provide benefits to end users, spyware would most likely use a tracking cookie. A tracking cookie is a particular type of permanent cookie that sticks around, whereas a session cookie stays around only for that particular visit to a website.
Cram Saver 2: Describe several different examples of social engineering attacks.
Although there are countless answers, social engineering relies on extracting useful information by tricking the target. Examples include scenarios that involve impersonating someone else, coercing someone else into divulging sensitive information without cause for concern, or convincing someone to install a malicious program to assist you.
Hoaxes
A hoax presents a threat that, at face value, does not actually exist. Because a hoax seems as though it could be legitimate, it is often the actions people take in response to it that turn it into a real threat.
Cram Saver 1: How does a virus differ from a worm?
Although worms and viruses are similar, the biggest difference is that a worm can replicate itself without any user interaction.
Reverse social engineering
An attacker provides information to the legitimate user that causes the user to believe the attacker is an authorized technical assistant.
Distributed DoS
A distributed DoS attack is a simple extension of a DoS attack. Masters are the computers that run the attacker's control software, and zombies run the software that performs the attack. The attacker creates masters, which in turn recruit a large number of zombies. The software running on the zombies can launch multiple types of attacks, such as UDP or SYN floods, on a particular target. In simple terms, the attacker distributes zombie software that gives the attacker partial or full control of the infected computer systems.
Backdoors
Application code functions created intentionally or unintentionally that enable unauthorized access to network resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can give an attacker the means to gain unauthorized access later.
WEP (Wired Equivalent Privacy)/WPA (Wi-Fi Protected Access) attacks - WEP and WPA provide methods to encrypt wireless traffic between wireless clients and the AP.
Attack types: * Active attacks that inject new traffic based on known plaintext * Active attacks that decrypt traffic by tricking the AP * Passive attacks using statistical analysis to decrypt traffic * Dictionary-building attacks that, within about 24 hours, allow decryption of all traffic.
Consensus/social proof
Based on the idea that people tend to trust like-minded people such as friends and family; it is about doing or believing what the people around us do or believe.
EXAMALERT
Be sure to understand how a social engineer can use the previously mentioned principles for their gain, and in particular, why these strategies are effective.
EXAMALERT
Because ARP does not require any type of validation, a device that sends an ARP request believes that whatever ARP reply comes back is from the correct device. This allows a perpetrator to trick a device into associating any IP address with any MAC address.
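Detection logic for the poisoning described in the ARP entries above, as an added example that is not part of the original notes. The ARP reply log is constructed for the demo; the gateway, workstation, and attacker addresses are assumptions:

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer might log them:
# (seconds, sender_ip, sender_mac). 10.0.0.1 is the gateway, 10.0.0.7 a
# workstation, and de:ad:be:ef:00:99 is the attacker's card.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.5, "10.0.0.7", "00:11:22:33:44:07"),
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.0, "10.0.0.1", "DE:AD:BE:EF:00:99"),  # attacker claims the gateway's IP
    (2.1, "10.0.0.7", "de:ad:be:ef:00:99"),  # ...and the workstation's IP (two-way MITM)
]


def detect_arp_spoofing(replies):
    """Replay ARP replies through a learning table and report anomalies.

    Returns a list of (time, kind, subject, detail) alerts:
      'ip-rebound'  an IP that was previously bound to a different MAC
      'mac-multi'   a MAC that now answers for more than one IP
    MAC case is normalised so the same card cannot evade by changing the
    letter case of its address."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "ip-rebound", ip, f"{previous} -> {mac}"))
        ip_to_mac[ip] = mac
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            claimed = sorted(mac_to_ips[mac] | {ip})
            alerts.append((ts, "mac-multi", mac, ", ".join(claimed)))
        mac_to_ips[mac].add(ip)
    return alerts


# Mitigation: a static binding table (or Dynamic ARP Inspection on the
# switch) means a reply is honoured only if it matches the known binding.
STATIC_TABLE = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.7": "00:11:22:33:44:07"}


def accept_reply(static_table, ip, mac) -> bool:
    return static_table.get(ip) == mac.lower()


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
    print("static table accepts attacker reply?",
          accept_reply(STATIC_TABLE, "10.0.0.1", "DE:AD:BE:EF:00:99"))
```

Two signals are worth more than one here: a rebound of the gateway IP on its own can be a legitimate hardware swap, but one card answering for both the gateway and a workstation within the same second is the classic two-sided poisoning an attacker needs to sit in the middle.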
Session hijacking
Because browsers access resources on a remote server using a predefined port (80 for HTTP and 443 for HTTPS), browser traffic is easily identifiable by an attacker, who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources.
Cram Saver 1: What is the difference between bluejacking and bluesnarfing?
Bluejacking involves sending an unsolicited broadcast message to nearby Bluetooth-enabled devices. In contrast, bluesnarfing is more nefarious in that, if successful, it enables the attacker to gain unauthorized access to the device. Bluejacking is commonly used to enable bluesnarfing.
Cram Quiz 2: Which of the following types of attacks can result from the length of variables not being properly checked in the code of a program? A. Buffer overflow B. Replay C. Spoofing D. Denial of service
Buffer overflow.
Cross-Site scripting (XSS)
By placing malicious client-side script on a website, an attacker can cause an unknowing browser user to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker without the user being aware of participation. XSS vulnerabilities can be used to hijack the user's session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.
Rainbow table
Can most easily be thought of as a very large set of precomputed hash values for every possible combination of characters. Assuming the attacker has enough resources to hold the entire rainbow table in memory, passwords can be recovered with great efficiency by looking up a stolen hash rather than computing candidates. A per-password salt defeats this precomputation, because the table would have to be rebuilt for every salt value.
Buffer overflows
Cause disruption of service and loss of data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. A buffer overflow can result in the following: * Overwriting of data or memory storage * A denial of service due to overloading the input buffer's ability to cope with the additional data * The originator can execute arbitrary code, often at a privileged level.
NOTE
Clients should regularly clear their browsing cookie caches to avoid exposing long-term browsing habits in this way. Where possible, client browsers can also be configured to block third-party cookies, although many online commerce sites require this functionality for their operation.
Cram Saver 1: Identify and explain at least two different types of code injection techniques.
Common code injection techniques include XSS, SQL injection, LDAP injection, and XML injection. XSS involves including client-side script on a website for malicious purpose to exploit a vulnerability. SQL, LDAP, and XML injections, like XSS, are similar in that they piggyback malicious code through an input field in the application. SQL injection is targeted at databases, LDAP injection at directories, and XML injections at XML documents and code.
DNS Poisoning
DNS poisoning enables a perpetrator to redirect traffic by changing the IP record for a specific domain, thus permitting the attacker to send legitimate traffic anywhere he chooses. This not only sends a requester to a different website, but the resolver also caches the bogus information for a period, spreading the attack's effect to every user of that server. DNS poisoning may also be referred to as DNS cache poisoning because it affects the information that is cached.
Cram Quiz 1: You're the security admin for a bank. The users are complaining about the network being slow. It is not a particularly busy time of the day, however. You capture network packets and discover hundreds of ICMP packets have been sent to the host. What type of attack is likely being executed against your network? A. Spoofing B. Man-in-the-middle C. Password attack D. Denial-of-service
Denial of Service. A ping flood is a DoS attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP. Spoofing involves modifying the source address of traffic or source of information. A man-in-the-middle attack is commonly used to gather information in transit between two hosts.
EXAMALERT
Do not confuse polymorphic and armored viruses. Both try to defeat countermeasures, but remember that armored viruses use mechanisms to keep them from being disassembled and analyzed.
Intimidation
Does not need to necessarily be so severe that one fears physical harm. A social engineer would more likely use intimidation to play upon a fear of getting in trouble or getting fired.
Packet Sniffing
Enables the attacker to capture the data and decode it from its raw form into readable text.
Cram Quiz 1: What is the term for a rogue access point that serves as a man in the middle from which further attacks can be carried out? A. War driving B. Evil Twin C. War twinning D. Twin driving
Evil twin.
Cram Quiz 2: Which one of the following is not an example of a denial-of-service attack? A. Fraggle B. Smurf C. Gargomel D. Teardrop
Gargomel. It does not exist; Fraggle, Smurf, and Teardrop are all denial-of-service attacks.
Header manipulation
HTTP headers are control data used between the web browser and web server. In most cases, websites and applications do not rely on the headers for important data, yet it was a common practice in the past, and it is still used across many less-secure applications and sites. These headers could easily be modified by the user using freely available proxy software.
Cram Saver 2: Why should HTTP headers not be used to transport important and sensitive data?
HTTP headers can easily be manipulated through the use of proxy software. Because headers originate at the client, the end user can modify the data.
Replay
In a replay attack, packets are captured by using sniffers. After the pertinent information is extracted, the packets are placed back on the network. This type of attack can be used to replay bank transactions or other similar types of data transfer in the hope of replicating or changing activities, such as deposits or transfers. Protecting yourself against replay attacks involves some type of time stamp associated with the packets or time-valued, non-repeating serial numbers. Security protocols such as IPsec prevent replays of data traffic in addition to providing authentication and data encryption.
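The two countermeasures named above (a timestamp window plus a non-repeating value, both bound to the message by a MAC), as an added example that is not part of the original notes. The shared key, the bank transfer payload, and the receiver's 30-second window are assumptions for the demo:

```python
import hashlib
import hmac
import json
import os
from typing import Optional

SHARED_KEY = b"pre-shared-demo-key"   # assumption: both sides already hold this key


def _canonical(body: dict) -> bytes:
    """Stable serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, payload: dict, now: float,
                 nonce: Optional[bytes] = None) -> dict:
    """Sender side: bind the payload to a timestamp and a fresh random nonce,
    then authenticate all three with an HMAC so none of them can be altered."""
    body = {"payload": payload, "ts": int(now), "nonce": (nonce or os.urandom(16)).hex()}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Receiver side: verify the MAC first, then reject anything outside the
    freshness window, then reject any nonce already seen inside the window."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key
        self.window = window_seconds
        self.seen = {}          # nonce -> ts, pruned as entries age out

    def accept(self, msg: dict, now: float) -> str:
        body = dict(msg)
        mac = body.pop("mac", None)
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if mac is None or not hmac.compare_digest(mac, expected):
            return "rejected: bad mac"
        if abs(now - body["ts"]) > self.window:
            return "rejected: stale timestamp"
        # Nonces older than the window can never be accepted again anyway,
        # so dropping them keeps the seen-set bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        return "accepted"


if __name__ == "__main__":
    bank = Receiver(SHARED_KEY)
    transfer = make_message(SHARED_KEY, {"from": "acct-1", "to": "acct-9", "amount": 100}, now=1000)
    print("original :", bank.accept(transfer, now=1001))
    print("replayed :", bank.accept(transfer, now=1005))      # sniffed and resent
    tampered = dict(transfer, payload={"from": "acct-1", "to": "acct-9", "amount": 9000})
    print("tampered :", bank.accept(tampered, now=1002))
    print("old      :", bank.accept(make_message(SHARED_KEY, {"amount": 1}, now=1000), now=1100))
```

The timestamp alone is not enough, because a capture can be replayed inside the window; the nonce alone is not enough, because the receiver would have to remember every nonce forever. Together they let the receiver forget nonces as soon as the window has passed while still rejecting every replay.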
NOTE
In case of a DDoS attack, your best weapon is to get in touch quickly with your upstream Internet service provider (ISP) and see whether it can divert the traffic or block it at a higher level.
Cram Saver 2: Which of the following describes a pastime in which wireless networks are marked with a special symbol upon a nearby object?
In combination with war driving, war chalking describes the activity of drawing special symbols on nearby objects to describe the state of existing wireless networks.
Watering hole attack
In many ways, a watering hole attack is similar to spear phishing discussed earlier. But instead of using email, the attacker will attack a site frequently visited by the target. The goal is often to compromise the larger environment (for example, the company the target works for).
Cram Quiz 3: Which one of the following is a best practice to prevent code injection attacks? A. Session cookies B. Input validation C. Implementing the latest security patches D. Using unbound variables
Input validation. It is one of the best and most important countermeasures against code injection attacks.
SQL injection
Inserts malicious code into strings that are later passed to a database server. The database server then parses and executes this code as part of the query.
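The injection described above, next to the parameterised query and the input validation the Cram Saver and Cram Quiz answers recommend, as an added example that is not part of the original notes. The in-memory users table, its rows, and the allow-list pattern are constructed for the demo:

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory users table. Passwords are stored in clear only to keep the
    demo short; a real system stores salted, slow hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username: str, password: str):
    """String-builds the query, so user input becomes part of the SQL grammar."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    """Parameterised: the driver sends the values separately from the
    statement, so a quote in the input can only ever be data."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(username: str) -> bool:
    """Defence in depth: an allow-list on the input's shape. Not a substitute
    for parameterisation, but it rejects hostile input early and gives a
    clean place to log it."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    con = build_demo_db()
    # "alice' --" closes the string and comments out the password check
    print("comment-out   :", login_vulnerable(con, "alice' --", "whatever"))
    # "' OR '1'='1" makes the WHERE clause true for every row
    print("always-true   :", login_vulnerable(con, "nobody", "' OR '1'='1"))
    print("parameterised :", login_safe(con, "alice' --", "whatever"))
    print("real login    :", login_safe(con, "alice", "s3cret"))
    print("valid name?   :", validate_username("alice' --"))
```

Escaping quotes by hand is the wrong fix: it has to be repeated at every call site and tends to miss a database's other syntax (comments, encodings, numeric fields that take no quotes). Parameterised statements remove the problem class, and the allow-list is a second layer that also catches mistakes elsewhere.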
Tailgating
Involves piggybacking or following closely behind someone who has authorized physical access within an environment.
Zero-Day (zero-hour or day zero) attack threat
Is a computer threat that tries to exploit application vulnerabilities that are unknown to others or to the software developer, also called zero-day vulnerabilities. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability. In a zero-day attack, the developer has not had the chance to distribute a fix or patch for his software because he does not know the exploited vulnerability exists.
Port stealing
Is a man-in-the-middle attack that exploits the binding a switch keeps between a port and a MAC address. The attacker sends numerous frames with the source MAC address of the victim and the destination MAC address of the attacker, so the switch relearns the victim's MAC on the attacker's port and delivers the victim's traffic there. This attack applies to broadcast networks built from switches.
Social engineering
Is a process by which an attacker might extract useful information from users who are often just tricked into helping the attacker. It is extremely successful because it relies on human emotions. Common examples of social engineering include: * An attacker calls a valid user and impersonates a guest, temp agent, or new user asking for assistance in accessing the network or requests details involving the business processes of the organization. * An attacker contacts a legitimate user, posing as a technical aide attempting to update some type of information and asks for identifying user details that can then be used to gain access. * An attacker poses as a network administrator, directing the legitimate user to reset his password to a specific value so that an imaginary update can be applied.
Near-Field communication (NFC)
Is a set of standards for contactless communication between devices.
MAC flooding
Is an attack directed at network switches. It succeeds because of the way all switches and bridges work: the table that stores learned source MAC addresses (the CAM table) has limited space. When the table becomes full, the device can no longer learn new addresses, and any frame for an unknown destination is flooded. As a result, the switch can be forced into a hub-like state in which it sends all network traffic to every port, where an attacker can sniff it.
Phishing
Is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually an email.
Impersonation
Is simply a method whereby one assumes the character or appearance of someone else.
Authority
Job titles, uniforms, symbols, badges, and even specific expertise all represent elements we often equate with authority. With such proclaimed and believed authority, we naturally feel an obligation to comply.
Ransomware
Just like it sounds, ransomware is a form of malware that holds a victim's data or system for ransom, typically by encrypting files and demanding payment for the key, for monetary gain.
Spam
Just like junk mail clogs our regular mailbox, spam clogs our email boxes. Spam is a term that refers to the sending of unsolicited commercial email. Email spam targets individual users with direct mail messages. Most spam is commercial advertising, often for products such as "get rich quick" schemes, physical enhancements, and cheap medications.
Buffer overflows
Like desktop and system-based applications, many web applications offer an attacker a mechanism for providing input in the form of a crafted uniform resource locator (URL) value. By extending the input values beyond the memory space reserved for the expected input, an attacker can overwrite adjacent memory and execute arbitrary code on the web server.
Armored virus
Like polymorphic malware, the aim of an armored virus is to make it difficult to detect. Further, armored viruses, like the name suggests, seek to make it difficult to analyze the functions (thus creating a metaphorical layer of armor around the virus).
Shoulder surfing
Literally means looking over someone's shoulder to obtain information. Common situations include entering one's PIN at an ATM or typing in a password on a computer system.
Cram Quiz 1: Which one of the following is designed to execute malicious actions when a certain event occurs or a specific time period elapses? A. Logic bomb B. Spyware C. Botnet D. DDOS
Logic bomb.
EXAMALERT
Maintaining operating system, application, and add-on updates helps to reduce the threat posed by many browser-based attack forms. When possible, restricting automatic code execution of JavaScript or ActiveX controls and cookie generation can also strengthen the client's browser security stance.
Melissa
Melissa first appeared in March 1999. It is a macro virus, embedded in a Microsoft Word document. When the recipient receives the Word document as an attachment to an email message and opens the document, the virus sends the email to the first 50 addresses in the victim's address book and attaches itself to each message.
Michelangelo
Michelangelo is a master boot record virus. It is based on an older virus called Stoned. The Michelangelo virus erases the contents of the infected drive on March 6th (its namesake's birthday) of the current year.
EXAMALERT
Multifactor authentication mechanisms, such as a token that changes every 30 seconds or a text message to a phone, are important countermeasures to mitigate password-based attacks. They require users to have something in their possession in addition to knowledge of a password or passphrase.
Password hybrid attack
Not only provides a compromise, but also is a useful tool to help identify weak passwords and controls for audit purposes. A hybrid attack uses the dictionary attack method, but builds upon this by doing such things as adding numbers to the end of the words, substituting certain letters for numbers and capitalizing the first letter of each word.
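The hybrid attack above, together with the precomputation idea behind the rainbow table entry and the reason salting defeats it, as an added example that is not part of the original notes. The three-word dictionary and the leet substitution table are assumptions; SHA-256 stands in for whatever hash the target uses so the demo runs instantly:

```python
import hashlib
import itertools
import os

WORDLIST = ["password", "summer", "welcome"]   # a tiny stand-in for a real dictionary
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def hybrid_candidates(words, max_digits: int = 2):
    """Dictionary words plus the usual mutations: capitalised first letter,
    leet substitutions, and 1..max_digits digits appended."""
    for w in words:
        bases = []
        for b in (w, w.capitalize(), w.translate(LEET), w.capitalize().translate(LEET)):
            if b not in bases:
                bases.append(b)
        for b in bases:
            yield b
            for n in range(1, max_digits + 1):
                for digits in itertools.product("0123456789", repeat=n):
                    yield b + "".join(digits)


def h(data: str, salt: bytes = b"") -> str:
    # sha256 is used only so the demo is fast; real password storage uses a
    # deliberately slow hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(salt + data.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> candidate once; this is the idea behind a rainbow
    table, which trades storage for per-hash lookup time."""
    return {h(c): c for c in hybrid_candidates(words)}


def crack_with_table(table, digest):
    return table.get(digest)


def crack_salted(words, salt: bytes, digest):
    """With a per-user salt the table is useless; every candidate must be
    rehashed under this salt, and the work repeats for every user."""
    for c in hybrid_candidates(words):
        if h(c, salt) == digest:
            return c
    return None


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(f"table holds {len(table)} precomputed hashes")
    stolen = h("P@$$w0rd1")
    print("unsalted, table lookup:", crack_with_table(table, stolen))
    salt = os.urandom(8)
    stolen_salted = h("P@$$w0rd1", salt)
    print("salted, table lookup  :", crack_with_table(table, stolen_salted))
    print("salted, rehash per try:", crack_salted(WORDLIST, salt, stolen_salted))
```

For an audit, the same generator run against your own password hashes is exactly the check the entry describes: any account it recovers is protected by a word with predictable decoration, not by a strong secret, regardless of whether the policy counted it as "complex".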
Web spoofing
Occurs when an attacker creates a convincing, but false copy of an entire website. The fake one looks just like the real one; it has all the same pages and links.
Cram Quiz 2: Which of the following best describes packet sniffing? A. Packet sniffing allows an attacker to capture and decrypt data into readable text. B. Packet sniffing allows an attacker to smell which network components are transmitting sensitive data. C. Packet sniffing allows an attacker to capture and decode data from its raw form into readable text. D. Packet sniffing allows an attacker to encode and transmit packets to disrupt network services.
Packet sniffing allows an attacker to capture and decode data from its raw form into readable text.
Familiarity/liking
People will tend to comply with requests from those whom they like or have common ground with. Liking often leads to trust.
EXAMALERT
Phishing combines technical deceit with the elements of traditional social engineering. Be sure to know the different variants of phishing attacks.
Cram Saver 1: Phishing, spear phishing, whaling, vishing, and smishing are commonly used for what purpose, and what are the technical differences between each?
Phishing, spear phishing, whaling, vishing, and smishing are very similar. Each is a technique commonly used as part of a social engineering ploy. Phishing is normally done through email across a large audience, whereas spear phishing targets an individual. Whaling, in essence, is spear phishing directed at a very high-value target. Vishing and smishing are also similar to phishing but use voice calls and SMS text messaging, respectively.
Polymorphic malware
Polymorphic malware is malicious code able to change its shape. As a result, such malware can mutate to evade detection by traditional antivirus software.
Privilege Escalation
Programming errors can result in system compromise, allowing someone to gain unauthorized privileges. Software exploitation takes advantage of a program's flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed, or lets an intruder function as an administrator. Perhaps the most popular method of privilege escalation is a buffer-overflow attack.
Trojan Horses
Programs disguised as useful applications. Trojans do not replicate themselves like viruses, but they can still be as destructive. Code hidden inside the application can attack your system directly or allow the system to be compromised by the code's originator. Trojans can perform actions without the user's knowledge or consent, such as collecting and sending data or causing the computer to malfunction. The most common trojans include backdoor, downloader, infostealer, and keylogger trojans.
Rogue Access Points
Refers to situations in which an unauthorized wireless access point has been set up.
EXAMALERT
Remember that zero-day vulnerabilities do not have a patch yet available. Keep this in mind when evaluating techniques to protect your organization. Effective security policies, training, and mitigating controls are more effective, even compared to the most aggressive patch management strategies, when it comes to zero-day exploits.
NOTE
Requesting to be removed from junk email lists often results in more spam because it verifies that you have a legitimate, working email address.
Rootkits
Rootkits are widely used and increasingly difficult to detect. Their main purpose is to compromise the system and obtain escalated privileges, such as administrative rights. A rootkit is usually installed on a computer by first obtaining user-level access. After the rootkit is installed, it enables the attacker to gain root or privileged access to the computer. Root or privileged access could allow the compromise of other machines on the network. A rootkit might consist of programs that view traffic and keystrokes, alter existing files to escape detection, or create a backdoor to the system.
EXAMALERT
Rootkits can be included as part of a software package, installed by way of an unpatched vulnerability, or installed by the user downloading and running them.
Dumpster diving
Scavenging discarded equipment and documents. This allows for extraction of sensitive information without ever contacting anyone in the organization. Examples of materials thrown in the garbage include: * Old company directories * Old QA or testing analysis * Employee manuals * Training manuals * Hard drives * Floppy disks * Optical media * USB flash drives * Printed emails
Cram Quiz 1: Which of the following is an effective way to get information in crowded places such as airports, conventions, or supermarkets? A. Vishing B. Shoulder surfing C. Reverse social engineering D. Phishing
Shoulder surfing. Uses direct-observation techniques.
EXAMALERT
Social engineering is a common practice used by attackers, and one that is not easily countered via technology. It is important to understand that the best defense against social engineering is a program of ongoing user awareness and education.
LDAP injection
Some websites perform LDAP queries based on data provided by the end user. LDAP injection involves altering the LDAP input so that the query the web app runs returns data or grants access with privileges the user should not have.
Spoofing
Spoofing is a method of providing false identity information to gain unauthorized access. This is accomplished by modifying the source address of traffic or source of information.
EXAMALERT
Spoofing seeks to bypass IP address filters by setting up a connection from a client and sourcing the packets with an IP address that is allowed through the filter.
EXAMALERT
Spyware monitors user activity on the system and can include keystrokes typed. The information is then sent to the originator of the spyware.
Cram Quiz 2: At your place of employment, you are rushing to the door with your arms full of bags. As you approach, the woman before you scans her badge to gain entrance while holding the door for you, but not without asking to see your badge. What did she just prevent? A. Phishing B. Whaling C. Tailgating D. Door driving
Tailgating.
Man-in-the-Middle
The Man-in-the-Middle attack takes place when an attacker intercepts traffic and then tricks the parties at both ends into believing that they are communicating with each other.
Informed spoofing
The attacker can participate in a session and can monitor the bidirectional communications.
Blind spoofing
The attacker sends only data and only makes assumptions of responses.
Cram Saver 1: Employees internal to an organization might be threats to the organization. Describe the types of insider threats.
The insider threat is typically classified as either a malicious insider or a non-malicious insider. The latter is typically unaware of an organization's security policy or is often just trying to accomplish his job. On the other hand, a malicious insider might be motivated by financial gain, be disgruntled, or be looking to gain a competitive advantage.
Arbitrary/Remote code execution
Describes an attacker's ability to execute programs and commands of his choosing on the attacked machine.
Cram Saver 3: What can an organization do to prevent sensitive information from being divulged via dumpster diving?
The proper disposal of data and equipment should be a part of an organization's security policy. Such a policy would likely require ongoing end-user awareness, as well as procedures around the shredding or other proper disposal of sensitive information.
Denial of Service
The purpose of a denial-of-service (DoS) attack is to disrupt the resources or services that a user would expect to have access to. These types of attacks are executed by manipulating protocols and can happen without the need to be validated by the network. An attack typically involves flooding a listening port on your machine with packets. The premise is to make your system so busy processing the new connections that it cannot process legitimate service requests.
Love Bug
The virus originated in an email titled "I love you." When the attachment was launched, the virus sent copies of the email to everybody listed in the user's address book. The virus arrived as a Visual Basic Scripting Edition (VBScript) attachment that deleted files, including MP3s, MP2s, and JPGs. It also sent usernames and passwords to the virus author. It infected about 15 million computers and crashed servers around the world.
Flash cookies/local shared objects (LSO)
These objects are simply data files that can be created on a client computer, and like cookies, they help enhance one's experience on the web or provide another useful function. Unlike cookies, which store data in plain text only, LSOs are capable of more complex data stores.
Cram Quiz 3: Users received a spam email from an unknown source and chose the option in the email to unsubscribe and are now getting more spam as a result. Which one of the following is most likely the reason? A. The unsubscribe option does not actually do anything. B. The unsubscribe request was never received. C. Spam filters were automatically turned off when making the selection to unsubscribe. D. They confirmed that they are a "live" email address.
They confirmed that they are a "live" email address.
Bonk
This attack affects mostly older operating systems by sending corrupt UDP packets to DNS port 53. The attack modifies the fragment offset in the packet. The target machine then attempts to reassemble the packet. Because of the offset modification, the packet is too big to be reassembled and the system crashes.
Ping flood
This attack attempts to block service or reduce activity on a host by sending ping requests directly to the victim. A variation of this type of attack is the ping of death, in which the packet size is too large and the system does not know how to handle the packets.
Land
This attack exploits behavior in the operating systems of several versions of Windows, UNIX, OS X, and Cisco IOS with respect to their TCP/IP stacks. The attacker spoofs a TCP/IP SYN packet to the victim system with the same source and destination IP address and the same source and destination ports. This confuses the system as it tries to respond to the packet.
Smurf/Smurfing
This attack is based on the Internet Control Message Protocol (ICMP) echo reply function. It is more commonly known as ping, which is the command-line tool used to invoke this function. In this attack, the attacker sends ping packets to the network's broadcast address, with the source address in the ping packets spoofed to be the address of the victim, thus causing a flood of traffic to be sent to the unsuspecting network device.
Fraggle
This attack is similar to a smurf attack. The difference is that it uses UDP rather than ICMP. The attacker sends spoofed UDP packets to broadcast addresses as in the smurf attack. These UDP packets are directed to port 7 (Echo) or port 19 (Chargen). When connected to port 19, a character generator attack can be run.
SYN flood
This attack takes advantage of the TCP three-way handshake. The source system sends a flood of SYN requests and never sends the final ACK, thus creating half-open TCP sessions. Because the TCP stack waits before resetting the port, the attack overflows the destination computer's connection buffer, making it impossible to service connection requests from valid users.
Morris
This famous worm took advantage of a Sendmail vulnerability and shut down the entire internet in 1988.
Teardrop
This form of attack targets a known behavior of UDP in the TCP/IP stack of some operating systems. The teardrop attack sends fragmented UDP packets to the victim with odd offset values in subsequent packets. When the operating system attempts to rebuild the original packets from the fragments, the fragments overwrite each other, causing confusion. Because some operating systems cannot gracefully handle the error, the system will most likely crash and reboot.
Boink
This is a bonk attack that targets multiple ports rather than just port 53.
Spear phishing
This is a targeted version of phishing. Whereas phishing often involves mass email, spear phishing might go after a specific individual.
Pharming
This is a term coined based upon farming and phishing. Pharming does not require the user to be tricked into clicking a link. Rather, pharming redirects victims to a bogus website even if the user correctly entered the intended site. To accomplish this, the attacker employs another attack, such as DNS cache poisoning.
Acid rain
This is an old DOS trojan that, when run, deletes system files, renames folders, and creates many empty folders.
Vundo
This trojan downloads and displays fraudulent advertisements.
Simpsons
This trojan is a self-extracting batch file that attempts to delete files.
Mocmex
This trojan is found in digital photo frames and collects online gaming passwords.
Nuker
This trojan was designed to function as a DOS attack against a workstation connected to the internet.
Polymorphic
This type of virus can change form each time it is executed. It was developed to avoid detection by antivirus software.
Program
This type of virus infects executable program files and becomes active in memory.
Multipartite
This type of virus is a hybrid of boot and program viruses. It first attacks a boot sector and then attacks system files or vice versa.
Macro
This type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users.
Boot sector
This type of virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory.
Stealth
This type of virus uses techniques to avoid detection, such as temporarily removing itself from the infected file or masking the file's size.
Mydoom
This was a very fast-spreading worm. It spread via email and was used by spammers to send spam.
Nimda
This worm infects using several methods, including mass mailing, network share propagation, and several Microsoft vulnerabilities. Its name is admin spelled backwards.
Blaster
This worm made it difficult to patch infected systems as it would restart systems. Blaster exploits a vulnerability in the remote procedure call (RPC) interface.
Cookies
To overcome the limitations of a stateful connection when scaled to global website deployments, the Netscape Corporation created a technology using temporary files stored in the client's browser cache to maintain settings across multiple pages, servers, or sites. These small files are known as cookies. They can be used to maintain data such as user settings between visits to the same site on multiple days or to track user browsing habits, such as those used by sites hosting DoubleClick banner advertisements. Cookies can be used to track information such as the name and IP address of the client system and the operating system and browser client being used. Additional information includes the name of the target and previous URLs, along with any specific settings set within the cookie by the host website.
EXAMALERT
To prevent an IV attack, an IV must not be repeated with a given key and should appear random. More important, WEP should never be used and is deprecated.
Cram Quiz 1: Spyware is most likely to use which one of the following types of cookies? A. Session B. Transport C. Tracking D. Poisonous
Tracking.
Password dictionary attack
Trying every single word in the dictionary to gain unauthorized access.
Spyware
Undesirable code sometimes arrives with commercial software distributions. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Basically, spyware is software that communicates information from a user's system to another party without notifying the user. Some indications that your system contains spyware might be: * The system is slow, especially when browsing the internet. * It takes a long time for the Windows desktop to come up. * Clicking a link does nothing or goes to an unexpected website. * The browser home page changes, and you might not be able to reset it. * Web pages are automatically added to your favorites.
Cram Saver 3: An initialization vector (IV) should be which of the following? A. Unique and unpredictable B. Unique and predictable C. Repeatable and random D. Repeatable and unique.
Unique and unpredictable.
Password brute-force attack
Unlike a simple dictionary attack, brute-force attacks rely on cryptanalysis or algorithms capable of performing exhaustive key searches.
War chalking
Uses a set of symbols and shorthand details to provide specifics needed to connect using the AP.
XML injections
Uses malicious code to compromise XML applications, typically web services. XML injection attempts to insert malicious content into the structure of an XML message to alter the logic of the target application.
EXAMALERT
Viruses have to be executed by some type of action, such as running a program.
Cram Saver 3: What wireless protocol was subject to an IV attack?
WEP was cracked as a result of an IV attack. Specifically, the IV was too short and had a high probability of repeating itself.
Scarcity and urgency
We will tend to want or value something more if we believe it is less available. We are likely to be more impulsive if we believe it to be the last one.
Whaling
Whaling is identical to spear phishing except for the "size of the fish." Whaling employs spear phishing tactics but is intended to go after high-profile targets such as executives within a company.
EXAMALERT
When an attacker has enough systems compromised with the installed zombie software, he can initiate an attack against a victim from a wide variety of hosts. The attacks come in the form of the standard DoS attacks, but the effects are multiplied by the total number of zombie machines under the control of the attacker.
WPS attacks
Wi-Fi Protected Setup (WPS), originally known as Wi-Fi Simple Config, is an extension of the wireless standards whose purpose was to make it simple for end users to establish secure wireless home networks.
EXAMALERT
Wi-Fi Protected Setup should not be used to prevent attacks. It should be disabled, at a minimum.
Cram Quiz 3: Which one of the following is not a type of phishing attack? A. Spear phishing B. Wishing C. Whaling D. Smishing
Wishing.
Worms
Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. This process repeats with no user intervention. After the worm is running on a system, it checks for internet connectivity. If it finds connectivity, the worm then tries to replicate from one system to the next. Worms propagate by using email, instant message, file sharing (P2P), and IRC channels. Packet worms spread as network packets and directly infiltrate the RAM of the victim machine, where the code is then executed. Often, worms are used as the mechanism by which to install backdoors on a user's system. These backdoors can provide subsequent access for the attacker or allow the attacker to maintain control of the system as part of a larger network of controlled systems. These systems are collectively known as botnets. The individual computers that make up these botnets are known as zombies.