Module 7 Textbook Study Questions


What are the steps of an online intrusion?

1. Malware, such as a worm or trojan, enters a digital device.
2. The malware runs and creates a backdoor.
3. The backdoor surreptitiously opens a communications link to a hacker.
4. The hacker sends commands that run programs, search for confidential data, and remotely control devices.

What is a RAT?

A RAT (Remote Access Trojan) is malware that arrives in a trojan disguised as legitimate software and sets up a secret communication link to a hacker. RATs are the underlying technology for most online intrusions.

What is a backdoor?

A backdoor is an undocumented method of accessing a digital device. RATs create a backdoor to a victim's device that can be used by a hacker to send commands that take control of the device's camera, activate the microphone, or launch screen captures. Images and audio acquired by hackers are commonly posted on social media sites and used to extort money from victims who do not want their private activities made public.

What does a brute force attack use?

A brute force attack uses password-cracking software to generate every possible combination of letters, numerals, and symbols. Because it exhausts all possible combinations to discover a password, a brute force attack can run for days before a password is cracked.

What are keyloggers?

A common type of spyware called a keylogger records keystrokes and sends them to a hacker who sifts out user passwords to access the victim's accounts. Keyloggers are a common tool of identity thieves and industrial spies.

What is a virus?

A computer virus is a set of self-replicating program instructions that surreptitiously attaches itself to a legitimate executable file on a host device. When the infected file is run, the virus code is loaded into RAM with the rest of the program. Once in RAM, the virus code is executed. When executed, the virus can replicate itself by injecting malicious code into other files.

What is ransomware?

A computer virus that encrypts a user's storage until the victim pays money to unlock it.

What is a worm?

A computer worm is a small self-replicating, self-distributing program designed to carry out unauthorized activity on a victim's device. Worms are usually standalone executable programs that can spread themselves from one device to another without any assistance from victims.

What is a cryptographic algorithm?

A cryptographic algorithm is a procedure for encryption or decryption.

What is a cryptographic key?

A cryptographic key (usually just called a key) is a word, number, or phrase that must be known to encrypt or decrypt data.

What does a dictionary attack help hackers to do?

A dictionary attack helps hackers guess your password by stepping through a dictionary containing word lists in common languages such as English, Spanish, French, and German. These dictionaries also include common mutations of words, such as p@sswOrd, and hundreds of frequently used passwords, such as qwerty and 12345.

What is DDoS?

A distributed denial of service attack

What is a dropper?

A dropper is designed to deliver or "drop" malicious code into a device. It is similar to a setup program that unzips and installs software applications on Windows devices, except that droppers secretly install malware rather than legitimate software. Droppers are commonly the first phase of a sophisticated malware attack. Most droppers contain compressed or encrypted malware files. When delivered, these files are uncompressed in memory to avoid detection. The uncompressed files are executed, sometimes to carry out a payload or to collect and install other malware components. Stuxnet famously used a dropper to initiate its attack.

What does a file-sharing worm do?

A file-sharing worm copies itself into a shared folder under an innocuous name. When the folder is distributed over a file sharing network or BitTorrent, the worm tags along and spreads to all the devices that participate in the share.

What is a firewall?

A firewall is a device or software that is designed to block unauthorized access while allowing authorized communications.

What are the most common email scams?

A high percentage of illegitimate spam contains stock market frauds, pretexting scams, advance fee fraud, phishing attacks, and ads for dubious products.

What is the purpose of a manual scan?

A manual scan is initiated by a user for the purpose of scanning one or more files. Manual scans are useful if you suspect that a virus has slipped into a device despite security measures.

What does a password strength meter indicate?

A password strength meter indicates the strength of a password and its resistance to brute force and dictionary attacks.

What is a personal firewall?

A personal firewall is a software-based deterrent against unauthorized port access. A network router can be deployed as a hardware-based firewall.

What is a port scan?

A port scan pings a packet of data to the port. If a reply is received, the port is open.

What is side-loading?

A process where an app from a source other than an official app store is installed on a device.

What is a rogue antivirus exploit?

A rogue antivirus exploit usually begins with a virus warning and an offer to disinfect the infected device. The goal of this exploit is to trick consumers into clicking a link that downloads malware. Some of these fraudulent alerts offer a free virus scan or download, which often doesn't work or actually infects devices with the dangerous malware it is supposed to protect against.

How do spam filters work?

A spam filter uses a set of rules to examine email messages and determine which are spam. Messages that are identified as spam can be blocked, deleted, or moved to a junk mail folder.

What is a spear phishing attack?

A spear phishing attack is more targeted. It is typically sent only to members of a specific organization.

How do trojans differ from viruses and worms?

A trojan (sometimes called a "Trojan Horse") is a computer program that seems to perform one function while actually doing something else. Unlike a worm, a trojan is not designed to spread itself to other devices. Also differing from viruses and worms, most trojans are not designed to replicate themselves.

What's a virus hoax?

A virus hoax usually arrives as an email message containing dire warnings about a supposedly new virus on the loose. It typically provides a link to download some type of detection and protection software. It may include removal instructions that actually delete parts of the operating system. And, of course, you are encouraged to forward this "crucial" information to your friends.

What is a virus signature?

A virus signature is a section of program code that contains a unique series of instructions known to be part of a malware exploit. Although they are called virus signatures, the unique code may identify a virus, worm, trojan, or other type of malware.

What is a zero-day attack?

A zero-day attack exploits previously unknown vulnerabilities in software applications, hardware, and operating system program code.

What is the encryption standard currently used worldwide?

AES (Advanced Encryption Standard) is the encryption standard currently used worldwide.

Is there a way to stop MITM attacks that use fake digital certificates?

Although most fake digital certificates contain the server's credentials and an encryption key, they may not contain a valid signature from a certificate authority. Most modern browsers flag Websites that do not have a valid digital certificate.

What is an Evil Twin?

An Evil Twin is a LAN server that is designed to look like a legitimate Wi-Fi hotspot. Hackers are skilled at creating fraudulent sites, referred to as Evil Twins, that resemble legitimate sites.

What is an IMSI catcher?

An IMSI catcher is an eavesdropping device used for intercepting mobile phone signals and tracking the location of cellular devices. IMSI catchers are used for MITM attacks.

What does an Internet worm look for?

An Internet worm looks for vulnerabilities in operating systems, open communications ports, and JavaScripts on Web pages.

What is a honeypot?

An irresistible computer system or Web site containing fake information that allows investigators to monitor hackers until identification is possible.

What is the risk of online intrusions?

An online intrusion takes place when an unauthorized person gains access to a digital device by using an Internet connection and exploiting vulnerabilities in hardware or software.

Does antivirus software protect devices from intrusions?

Antivirus software can prevent some, but not all, intrusions. It has a good track record for blocking exploits that attempt to gain access using a trojan or worm, especially if a signature of the exploit exists in the virus database. New exploits, such as zero-day attacks, may not be caught by antivirus software, however.

What is rootkit?

Any code that is designed to hide the existence of processes and privileges is referred to as a rootkit.

What is spyware?

Any software that secretly gathers personal information without the victim's knowledge is classified as spyware. More than a nuisance, the data compiled by adware has the potential to become a record of an individual's habits and lifestyle.

Who usually performs blacklist and header filtering?

Blacklist and header filtering is usually performed by ISPs and email services, such as Google and Yahoo!.

What is address spoofing?

Broadly speaking, address spoofing changes an originating address or a destination address to redirect the flow of data between two parties. In the context of security exploits, address spoofing can take place on various levels of communication.

What makes a password susceptible to a brute force attack?

Brute force attacks methodically try every possible password until the correct one is found. Consider a simple guess-the-number game. You have a much better chance of guessing a number between 1 and 10 than guessing the correct number between 1 and 10,000. In the same way, a password selected from a universe of 10,000 possibilities is easier to crack than a password selected from a universe of 100 million possibilities.

How does address spoofing affect browsing?

By spoofing Google's IP address, however, Chinese authorities were able to send users to a fake Google site. The fake site examined queries and blocked those that were destined for banned sites or contained controversial key words.

Commands from Botmaster:

Click fraud: Automated ad-clicking generates per-click revenue for botmasters.
DDoS: Flood an IP address with massive amounts of traffic.
Spam: Send billions of spam emails per day.
Mine Bitcoins: Run algorithms required to generate online cash.
Crack encryption: Run brute force algorithms to crack passwords and encryption keys.
Proof of concept: A test run designed to determine the effectiveness of an attack if carried out against a primary target.

How does a digital certificate hack work?

Consider what you know about MITM attacks, and imagine that by using DNS address spoofing, all the data from Chinese Internet users gets tunneled through a government server.

There are four common types of spam filters:

Content filters, Header filters, Blacklist filters, Permission filters

How is data encrypted?

Data is encrypted by using a cryptographic algorithm and a key.

Where does spam originate?

Databases used by spammers contain millions of email addresses. Some of these addresses are legitimately compiled from customer lists, but many more are harvested from social media sites, discussion forums, Web sites, and other online locations using email extractor software.

What is the problem with TLS?

Digital certificates can be faked. Valid digital certificates are issued by official security authorities. These certificates are validated or "signed" by the certificate authority. A fake digital certificate contains the server's credentials and an encryption key, but it might not have a valid signature.

Who provides permission filters and content filters to consumers?

Email clients and Webmail services provide consumers with permission filters and content filters.

Basic digital security depends on two techniques:

Encryption and authentication

What can be encrypted?

Encryption is commonly applied to data packets sent over wired or wireless networks, bank card numbers and other personal data sent to eCommerce sites, email messages that contain confidential information, entire storage volumes for a digital device, and individual files that contain sensitive information.

How does encryption work?

Encryption transforms a message or data file in such a way that its contents are hidden from unauthorized readers.

How do hackers exploit communication ports?

Hackers use a technique called port scanning to discover which ports are open on a device.

How well does heuristic analysis work?

Heuristic analysis requires time and system resources to examine files that arrive as downloads and email attachments. The process can slightly affect performance while the analysis is in progress.

Who operates IMSI catchers?

IMSI catchers are not operated by cellular service companies, but rather by law enforcement agencies, criminals, and hackers. IMSI catchers are portable. They can be easily moved and quickly deployed, for example, during civil unrest when lawmakers want to intercept calls among protest organizers.

What is IMSI?

IMSI is an acronym for International Mobile Subscriber Identity. It is a 64-bit number that uniquely identifies a cellular device. When a device connects to a cellular network, the IMSI is sent from the device to the tower. The tower uses the IMSI to determine if the device is a valid subscriber. The IMSI can also be used to determine the location of a cellular device.

When did the first computer virus designed to affect personal computers appear?

In 1982 when the Apple II was at the height of its popularity.

What is the difference between a pharming attack and phishing attack?

In a pharming attack, the criminal "hijacks" the intended site's DNS (domain name system) server and the result is that you are redirected to an imposter site. Much like in a phishing scam, many won't notice any difference, and will enter their username and password as usual, and the attacker captures it.

What is Man-in-the-Middle?

In the context of cyber security, an eavesdropping exploit is referred to as a man-in-the-middle (MITM or MIM) attack. MITM attacks include Evil Twins, address spoofing, digital certificate hacks, and IMSI catchers.

What is social engineering?

In the context of cyber security, social engineering (SE) is a deceptive practice that exploits human psychology by inducing victims to interact with a digital device in a way that is not in their best interest.

What can malware be used for?

Malware can be used for many types of exploits, such as deleting files, recording login keystrokes, opening access for intruders, and allowing remote control of a device.

What are malware threats?

Malware refers to any computer program designed to surreptitiously enter a digital device. Malware can be classified by the way in which it enters a device or by the type of activity it carries out. Common classifications of malware include viruses, worms, and trojans.

What are the characteristics of online intrusions?

Most online intrusions begin with malware. A worm or trojan infiltrates a device and sets up a backdoor that can be used for future access. That access can be used directly by a human to log in to the victim's device over the Internet. It can also be used as a gateway or as a conduit to infected devices.

The general formula for calculating the number of possible passwords is:

NumberOfCharacters ^ PasswordLength

How does an IMSI catcher work?

Once a mobile device has connected, the IMSI catcher collects the subscriber's ID and location before forwarding the signals to a legitimate tower so that the caller does not notice a disruption in service. IMSI catchers can also capture voice calls, text messages, and data streams that emanate from hijacked devices.

How do PUAs end up on my devices?

PUAs are installed using social engineering techniques.

What is password entropy?

Password entropy is a measure in bits of a password's unpredictability. For example, the entropy of a four-digit iPhone passcode is 14 bits.

What is pharming?

Pharming redirects Web site traffic to fraudulent Web sites that distribute malware, collect personal data, sell counterfeit products, and perpetrate other scams.

What is phishing?

Phishing is an email scam that masquerades as a message from a trusted friend, legitimate company, or agency of authority, such as the IRS. The goal of a phishing scam is usually to obtain private information, including login passwords and bank card numbers.

What does PUA stand for?

Potentially unwanted application

What does PUP stand for?

Potentially unwanted program

What is pretexting?

Pretexting is a term describing spam that uses a false pretext to trick victims into participating.

How can SE attacks be carried out?

SE attacks can be carried out using a variety of technologies, such as email, malware, fraudulent Web sites, SMS, and IRC.

What is safe browsing?

Safe Browsing is a service offered by Google that checks URLs against a list of suspicious Web site URLs.

What is a social engineer?

Social engineer is a judgment-neutral term for a person who devises and carries out a scam in order to accomplish a goal, such as financial gain, unauthorized access, or service disruption.

Why are people fooled by SE?

Social engineering attacks prey on human vulnerabilities, such as gullibility, ignorance, curiosity, greed, courtesy, indifference, and carelessness. The "bait" that is set forth in various social engineering scams is based on one or more incentives designed to compel individuals to participate in the scam.

What portion of email is spam?

Spam is a nuisance and it accounts for approximately 70% of all email.

What is spam?

Spam is defined as unsolicited messages that are usually sent in massive numbers using electronic mail systems. It is junk mail that recipients do not request or want.

What is adware?

Spyware called adware monitors Web browsing activity to supply ad-serving sites with data used to generate targeted ads. More than a nuisance, the data compiled by adware has the potential to become a record of an individual's habits and lifestyle.

What types of interception exploits are threats?

Spyware, Adware, Keyloggers, and Man-in-the-Middle

What is a payload or malware exploit?

The action carried out by malware code

How does a password manager work?

The core function of a password manager (sometimes called a keychain) is to keep track of passwords so users don't have to memorize them. Some password managers also have the ability to fill in forms with stored address and credit card data.

Why is encryption vulnerable?

The current method of encrypting communication between a client and a server depends on a security protocol called TLS (Transport Layer Security) that checks a digital certificate to verify a server's identity and pass a public key to the client. The client then uses the public key to encrypt data that is sent to the server.

What are the most common types of PUPs and PUAs?

The most common types of PUPs and PUAs are toolbars and alternative browsers.

How do man-in-the-middle attacks work?

The objective of a MITM attack is for a third party to intercept communications between two entities without their knowledge. The third party may passively monitor the communication or may actively modify the data before it reaches its destination. The person in the middle impersonates the other two entities to give the illusion that the two entities are communicating with each other, when in reality they are communicating with an intruder.

What is decryption?

The process of converting ciphertext into plaintext, which is the reverse process of encryption

What is encryption?

The process of converting plaintext into ciphertext

What is code injection?

The process of modifying an executable file or data stream by adding additional commands

How well does encryption protect files?

There are various encryption methods, and some are more secure than others.

What is the difference between a dropper and code injection?

There is a difference between a dropper and code injection. A dropper installs a malicious program on a device, and it works with an entire program. Code injection inserts a segment of malicious code into another program. It carries only a short segment of code rather than an entire program.

What are blacklist filters?

These filters block mail that originates from IP addresses of known spammers.

What are permission filters?

These filters block or allow mail based on the sender's address.

What are content filters?

These filters examine the content within a message for certain words or phrases commonly used in spam emails.

What are header filters?

These filters review the email header for falsified information, such as spoofed IP addresses.

What does the Hosts file contain?

This file contains URLs and their corresponding IP addresses, which override the mapping accessed from a domain name server. Malware that enters a device, perhaps in a trojan, seeks out the Hosts file and inserts a bogus URL.

What is a DNS address spoof?

This kind of spoof changes the IP address that corresponds to a URL. The spoofed URL directs victims to a fraudulent Web site.

What is an ARP address spoof?

What is an email address spoof?

This kind of spoof changes the sender's address. The spoofed address masks the source of spam.

What is IP address spoof?

This kind of spoof modifies the source IP address of data packets used in a denial-of-service attack.

How does the Evil Twin exploit work?

To establish an Evil Twin, hackers set up a Wi-Fi hotspot complete with an Internet connection. The network is unsecured, so data that travels over the network is not encrypted, which allows the hacker to capture any information that users enter as they surf the Web, make purchases from online stores, log in to online banking services, and enter passwords at social media sites.

How dependable is antivirus software?

Today's antivirus software is quite dependable but not infallible.

What are trojans?

Trojans are standalone programs that masquerade as useful utilities or applications, which victims download and install unaware of their destructive nature. Trojans depend on social engineering—fooling users—to spread.

What can trojans contain?

Trojans can contain viruses, code to take control of a device, or routines called droppers.

A botmaster controls a network of victims' computers using IRC channels for communication.

True

A mass-mailing worm spreads by sending itself to every address in the contacts list of an infected device.

True

A password is typically used as the key to encrypt and decrypt data.

True

A router acts as a firewall to block connections that are not initiated inside a local network.

True

An encrypted message or file is referred to as ciphertext.

True

An original message or file that has not yet been encrypted is referred to as plaintext or cleartext.

True

Antivirus software is a type of utility software that looks for and eliminates viruses, trojans, worms, and other malware.

True

Authentication techniques such as passwords, PINs, fingerprint scans, and facial recognition can prevent unauthorized access to the data on Web sites or stolen devices.

True

Botnets have been used to carry out massive DDoS (distributed denial of service) attacks designed to flood a legitimate Web site or an Internet router with so much traffic that it can no longer provide its intended service.

True

Heuristics may produce false positives that mistakenly identify a legitimate file as malware.

True

IMSI catchers are sometimes called stingrays after the brand name of a well-known cellular surveillance device.

True

It is possible to crack AES, but the process is difficult and requires lots of computer power.

True

LTE cellular networks and devices offer better security than earlier 2G and 3G networks, but even LTE technology is vulnerable to IMSI attacks.

True

Malware is also a component of cyberwarfare attacks that pose a threat to national security.

True

Modern rootkits are used to hide malicious code by replacing parts of the operating system with modified code.

True

On-access scans are also called real-time protection, background scanning, and autoprotect.

True

Only one software-based firewall should be active, however, because firewalls have a tendency to conflict with each other.

True

Passwords stored locally are tied to the device on which they are created.

True

Pharming attacks can also be carried out by malware that changes an IP address in a file called Hosts.

True

Some of the most common phishing attacks appear to originate from FedEx, UPS, DHL, or the U.S. Postal Service and pertain to package delivery services.

True

The DNS address spoof changes the ARP (Address Resolution Protocol) routing table on a local area network. The spoofed address redirects traffic through a secondary, potentially malicious device.

True

The encrypted file that stores user IDs and passwords is protected by a master password.

True

The number of possible passwords depends on factors that include the size of the character set and the length of the password. Longer passwords and those consisting of letters, numbers, and symbols are more difficult to crack.

True

The poster child for social engineering scams is called advance fee fraud, in which a victim is promised a large sum of money in exchange for a bank account number from which a small advance fee is withdrawn.

True

The takeaway about entropy is that passwords with higher entropy are more secure than passwords with low entropy. A 46-bit password, therefore, is far more secure than a 13-bit password.

True

Today, more than 80% of malware infections are trojans.

True

How does two-factor authentication increase security?

Two-factor authentication increases security by verifying identity based on two components, such as a password and a verification code.

What is user authentication?

User authentication is any technique used to verify or confirm a person's identity.

How does a virus spread?

Viruses spread when people exchange infected files on disks and CDs, as email attachments, and on file sharing networks, social networking sites, and download sites.

What are logic bombs?

Viruses that deliver their payloads in response to some other system event

What are time bombs?

Viruses that deliver their payloads on a specific date

What makes a password susceptible to a dictionary attack?

Weak passwords such as passpass or computercomputer

What happens when malware is detected?

When antivirus software detects malware, it can try to remove the infection, put the file into quarantine, or simply delete the file.

How can worms enter a device?

Worms can enter a device through security holes in browsers and operating systems, as email attachments, and when victims click infected pop-up ads or links contained in email messages.

Do I need NAT in addition to a personal firewall?

Yes. NAT is the best line of defense against attacks that originate from the Internet, but it does not protect against threats that originate inside a network.

Are there different types of intrusions?

Yes. RATs, remote utilities, ransomware, and botnets are the most common types of online intrusions.

What is a botnet?

Hackers who gain control over several computers can organize them into a client-server network known as a botnet. In addition to computers, botnets can contain just about any device that connects to the Internet, including smartphones, baby cams, DVRs, smartphone devices, and IoT sensors.
