3. COMPUTER SECURITY CONCEPTS
Computer Security: The protection afforded to an automated information
system in order to attain the applicable objectives of preserving the integrity,
availability and confidentiality of information system resources (i.e.
hardware, software, firmware, information/data, and telecommunications)
- Integrity: assets can be modified only by authorized parties
- Availability: assets are available to authorized parties
- Confidentiality: requires that information in a computer system
  only be accessible by authorized parties. Individuals set their
  own privacy requirements.
- Authenticity: requires that a computer system be able to
  verify the identity of a user
- Accountability: requires the detection and tracing of a
  security breach to a responsible party.
6. COMMUNICATION LINES AND NETWORKS
Passive attacks (eavesdropping on transmissions):
Release of message contents - a telephone conversation, an electronic mail
message, a transferred file, etc.
Traffic analysis - encryption can mask the contents, but message size,
transmission frequency, and the location and identity of the communicating hosts can still be
observed.
7. COMMUNICATION LINES AND NETWORKS
Active attacks (modification of the data stream or creation of a false stream):
Replay: passive capture of a data unit and its
retransmission to produce an unauthorized effect
Masquerade: one entity pretends to be a
different entity (e.g. trying to log in as someone else)
Modification of messages: some portion of a
legitimate message is altered, or messages
are delayed or reordered
Denial of service: prevents or inhibits the
normal use or management of communications
facilities (disable a facility, or overload it with messages)
9. MALICIOUS SOFTWARE (MALWARE)
Trapdoor (backdoor): a secret entry point into a program that allows someone who is aware of the trapdoor to gain
access without going through the normal authentication
Anyone watched the movie War Games?
Used by programmers to be able to debug and test programs while skipping a
lengthy setup/authentication process during development:
Avoids the necessary setup and authentication
Ensures that there is a method of activating the program if something goes wrong
Logic bomb: code embedded in a legitimate program that is set to "explode" when certain
conditions are met
Presence or absence of certain files, a particular day of the week, a particular user
One of the oldest types of program threat, predating viruses and worms
Trojan horse: a program that contains hidden code that when invoked performs some
unwanted or harmful function
Can be installed through software downloads, bundling, email attachments, websites
with executable content, etc. Trojan-type malware is on the rise, accounting for 83 percent of global malware.
Virus: a program that can "infect" other programs by modifying them in such
a way that the infected program can in turn infect other programs
• Dormant phase: Virus is idle
• Propagation phase: Virus places an identical copy of itself into other programs or
into certain system areas on the disk
• Triggering phase: Virus is activated to perform the function (usually harmful)
• Execution phase: Function is performed
Macro virus:
• macro - an executable program embedded in a Word document or other type of file
• Easily spread; platform independent; infects documents, not executables (.exe)
E-mail virus:
• Activated when the recipient opens the e-mail attachment (e.g. the Melissa virus). A newer
version that came out in 1999 was activated by opening the e-mail itself.
• Sends itself to everyone on the mailing list of the infected user
Any virus stories?
12. VIRUSES
Classification by Target
Boot sector infector - Infects boot record and spreads when system is booted from
the disk containing the virus
File infector - Infects executable files
Macro virus - Infects files with macro code that is interpreted by an application
Classification by concealment strategy
Encrypted virus – a portion of the virus encrypts its main body and stores the key
with itself. When an infected program is executed, the virus decrypts itself and then
replicates. At each replication a different random key is selected, so the encrypted body has
no constant bit pattern for a signature scanner to match.
Stealth - Designed to hide itself from detection by antivirus software.
Polymorphic - Mutates with every infection, making detection by a fixed "signature" of the
virus ineffective.
Metamorphic – same as polymorphic, but rewrites itself completely, making
detection even more difficult. May change functionality as well as appearance.
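The encrypted-virus point above is easy to see in code. The following is an added example, not code from the slides or from any real sample: the "virus body", the "decryptor stub" and the repeating-key XOR cipher are constructed stand-ins for machine code. It produces fifty replicas with a fresh random key each, then runs a naive byte-pattern scanner over them with two signatures, one taken from the plaintext body and one from the decryptor stub.

```python
import os

# Added example (not from the original slides). The "virus body" and "decryptor stub"
# below are constructed byte strings standing in for machine code.
VIRUS_BODY = b"INFECT: copy self into host; TRIGGER: friday 13; PAYLOAD: wipe"
DECRYPTOR_STUB = b"\x55\x89\xe5\x31\xc0<decrypt-loop>\x5d\xc3"  # constant across replicas
KEY_LEN = 16


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the toy cipher the virus uses (the same function decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def replicate(body: bytes = VIRUS_BODY) -> bytes:
    """One new copy: stub || random key || E_key(body). A fresh key at every replication."""
    key = os.urandom(KEY_LEN)
    return DECRYPTOR_STUB + key + xor(body, key)


def execute(replica: bytes) -> bytes:
    """What the stub does when the infected program runs: read the key, decrypt the body."""
    off = len(DECRYPTOR_STUB)
    key = replica[off:off + KEY_LEN]
    return xor(replica[off + KEY_LEN:], key)


def scan(samples, signature: bytes) -> int:
    """Naive signature scanner: count the samples that contain the byte pattern."""
    return sum(1 for s in samples if signature in s)


def evaluate(n: int = 50) -> dict:
    """Generate n replicas and compare a body-derived signature with a stub-derived one."""
    replicas = [replicate() for _ in range(n)]
    body_signature = VIRUS_BODY[:16]   # pattern taken from the plaintext body
    stub_signature = DECRYPTOR_STUB    # pattern taken from the constant decryptor
    return {
        "n": n,
        "body_signature_hits": scan(replicas, body_signature),
        "stub_signature_hits": scan(replicas, stub_signature),
        "distinct_ciphertexts": len({r[len(DECRYPTOR_STUB) + KEY_LEN:] for r in replicas}),
        "all_run_to_same_body": all(execute(r) == VIRUS_BODY for r in replicas),
    }


if __name__ == "__main__":
    print(evaluate())
```

The body signature never matches because every replica carries a different ciphertext, yet every replica still decrypts to the same body at run time. What stays constant is the decryptor stub, which is why scanners signature the decryptor rather than the body; a polymorphic virus then mutates the stub as well, at which point the scanner has to emulate the sample until the body is decrypted in memory.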
13. MALICIOUS SOFTWARE (CONT.)
Worm: exhibits similar characteristics to an e-mail virus, but a worm does not need
a host program and it is not passive; it actively seeks out more
machines to infect via:
Electronic mail facility: A worm mails a copy of itself to other systems
Remote execution: A worm executes a copy of itself on another system
Remote log-in: A worm logs on to a remote system as a user and then copies itself
from one system to the other
Bots (Zombie or drone)
Program that secretly takes over another Internet-attached computer and uses it to
launch attacks that are difficult to trace to the bot's creator
Typically planted on hundreds of computers belonging to unsuspecting third parties and then
used to overwhelm a target Web site by launching an overwhelming onslaught of
traffic from all of them at once
The collection of bots acting in a coordinated manner is called a botnet
Uses of Bots
DDoS (Distributed Denial of Service attacks), spamming, sniffing traffic on a
compromised machine, keylogging, spreading new malware, manipulating online
polls/games/clicks for ads (every bot has a distinct IP address, so each vote or click looks independent), etc.
14. BOTS
Remote Control Facility
A worm propagates and activates itself, whereas a bot is controlled from a central facility
Once a communication path is established, the control module can activate the bots in host
machines (which are taken hostage). For greater flexibility, the control module can instruct the
bots to download a file from an internet site and execute it. This way, a bot can be used for
different kinds of attacks.
Constructing the Attack Network
3 things needed:
(1) attack software (2) a large number of vulnerable machines
(3) locating these machines (scanning or fingerprinting).
Scanning is generally done in a nested (or recursive) manner: each newly infected machine scans for further victims.
Random – check random IP addresses for vulnerability (generates suspicious Internet traffic)
Hit list – a long list is compiled a priori. Each infected machine is given a partial list to infect;
this generates less Internet traffic and therefore makes it more difficult to detect.
Topological – uses information contained on an infected machine to find more hosts to scan
Local subnet – if a host can be infected behind a firewall, that host can be used to infect
others on the same subnet (all behind the same firewall).
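The contrast between random scanning, which "generates suspicious Internet traffic", and hit-list scanning, which does not, is what a network detector keys on. The following is an added example, not from the slides: a fan-out detector run over constructed flow records (not real telemetry) for three internal hosts. A source is flagged when, inside one window, it contacts many distinct destinations and almost none of them answer with a SYN-ACK, which is what random scanning of mostly non-existent or non-vulnerable addresses looks like. The window, fan-out threshold and reply-ratio cut-off are assumed values for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the slides. The flow records are constructed, not real telemetry:
# (src, dst, timestamp, flag). A SYN from src->dst is a connection attempt; a SYN-ACK from
# dst->src means something was listening there and answered.


def constructed_flows():
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    flows = []
    # 10.0.0.5: random-scanning bot, a fresh destination every second, nobody answers.
    for i in range(60):
        flows.append(("10.0.0.5", f"203.0.113.{i + 1}", t0 + timedelta(seconds=i), "SYN"))
    # 10.0.0.7: hit-list bot working its short partial list, also unanswered.
    for i in range(5):
        flows.append(("10.0.0.7", f"192.0.2.{i + 1}", t0 + timedelta(seconds=10 * i), "SYN"))
    # 10.0.0.9: ordinary client, three servers contacted repeatedly, all of them answer.
    servers = ["198.51.100.10", "198.51.100.20", "198.51.100.30"]
    for i in range(60):
        dst = servers[i % 3]
        ts = t0 + timedelta(seconds=i)
        flows.append(("10.0.0.9", dst, ts, "SYN"))
        flows.append((dst, "10.0.0.9", ts + timedelta(milliseconds=50), "SYN-ACK"))
    return flows


def detect_scanners(flows, window=timedelta(seconds=60), fanout_threshold=20, max_reply_ratio=0.2):
    """Flag sources that try many distinct destinations in one window and get almost no replies.
    Thresholds are assumed demo values; tune them to the network's normal fan-out."""
    answered = {(dst, src) for src, dst, _, flag in flows if flag == "SYN-ACK"}  # (client, server)
    t_min = min(ts for _, _, ts, _ in flows)
    fanout = defaultdict(set)  # (src, window index) -> destinations tried
    for src, dst, ts, flag in flows:
        if flag == "SYN":
            idx = int((ts - t_min) // window)
            fanout[(src, idx)].add(dst)
    alerts = {}
    for (src, idx), dsts in fanout.items():
        if len(dsts) < fanout_threshold:
            continue
        replies = sum(1 for d in dsts if (src, d) in answered)
        ratio = replies / len(dsts)
        if ratio <= max_reply_ratio:
            alerts[src] = {"window": idx, "distinct_dsts": len(dsts), "reply_ratio": ratio}
    return alerts


if __name__ == "__main__":
    print(detect_scanners(constructed_flows()))
```

Only the random scanner is flagged. The hit-list bot stays under the fan-out threshold because its partial list is short, which is exactly the evasion the slide describes; catching it needs a different signal (for example the content of the connections, or correlation across many sources), not a larger threshold.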
Rootkit: malware which consists of a set of programs designed to take fundamental control of a
computer system and hide the fact that the system has been compromised
Typically, rootkits act to obscure their presence on the system through subversion or
evasion of standard OS security mechanisms.
Techniques used to accomplish this can include concealing running processes from
monitoring programs, or hiding files or system data from the OS
Often, they are Trojans as well, thus fooling users into believing they are safe to run on
their systems
Rootkits may also install a "back door" in a system by replacing the login mechanism
(such as /bin/login) with an executable that steals a login combination, which is used to
access the system illegally.
With root access, an attacker has complete control of the system to do anything
Installation is usually via a Trojan horse: a user is induced to load a Trojan horse, which then installs the
rootkit.
Another means of rootkit installation is by direct hacker activity, which is a rather lengthy process.
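The /bin/login replacement described above is caught by a file-integrity baseline, the technique behind tools such as Tripwire. The following is an added example, not code from the slides or from any such tool: it hashes every regular file under a root, stores hash, size and mode, and later diffs the live tree against that baseline. "/bin/login" and "/bin/ls" are constructed stand-ins inside a temporary directory, so the demo runs offline and without root; the trojaned login deliberately keeps the original size, since a size-only check is the weak form of the same idea.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not from the slides. "/bin/login" is reproduced as a constructed
# stand-in inside a temporary directory, so the demo runs without root and offline.


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash, size and mode."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Compare the live tree against a baseline taken while the system was known to be clean."""
    current = build_baseline(root)
    both = [k for k in baseline if k in current]
    return {
        "modified": sorted(k for k in both if current[k]["sha256"] != baseline[k]["sha256"]),
        "size_changed": sorted(k for k in both if current[k]["size"] != baseline[k]["size"]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin, then a 'rootkit' swaps login and drops a helper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        genuine_login = b"#!/bin/sh\n# genuine login (constructed stand-in)\nexec /usr/bin/true\n"
        (root / "bin" / "login").write_bytes(genuine_login)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# genuine ls (constructed stand-in)\nexec /usr/bin/true\n")
        baseline = build_baseline(root)

        # Trojaned replacement with exactly the same size, so a size-only check sees nothing.
        trojaned = genuine_login.replace(b"genuine login ", b"steals  passwd")
        assert len(trojaned) == len(genuine_login)
        (root / "bin" / "login").write_bytes(trojaned)
        (root / "bin" / ".rk_helper").write_bytes(b"hidden helper dropped by the rootkit\n")
        return check(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The hash comparison reports login as modified even though its size did not change, and the dropped helper as added. The caveat follows directly from the slide's own point: a kernel-level rootkit that hides files from the OS can hide them from this checker too, so the baseline belongs off-host (or on read-only media) and the check is most trustworthy when run from a clean boot medium rather than from the possibly compromised kernel.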
Best Tips to Defend Yourself against Viruses and Worms
You must safeguard your PC. Following these basic rules will
help protect you and your family whenever you go online.
Protect your computer with strong security software and
keep it updated. McAfee Total Protection provides proven
PC protection from Trojans, hackers, and spyware. Its
integrated anti-virus, anti-spyware, firewall, anti-spam, anti-phishing, and backup technologies work together
to combat today's advanced multi-faceted attacks. It scans
disks, email attachments, files downloaded from the web, and
documents generated by word processing and spreadsheet
programs.
Use a security-conscious Internet service provider
(ISP) that implements strong anti-spam and anti-phishing
procedures. The Spamhaus organization lists the current top 10 worst ISPs in this category; consider this when making
your choice.
Enable automatic Windows updates, or download
Microsoft updates regularly, to keep your operating
system patched against known vulnerabilities
Install patches from other software manufacturers as
soon as they are distributed.
A fully patched computer behind a firewall is the best
defense against Trojan and spyware installation.
Use great caution when opening attachments.
Configure your anti-virus software to automatically scan
all email and instant message attachments.
Make sure your email program doesn’t automatically
open attachments or automatically render graphics, and
ensure that the preview pane is turned off.
Never open unsolicited emails, or attachments that
you’re not expecting—even from people you know.
Be careful when using P2P file sharing. Trojans hide within
file-sharing programs waiting to be downloaded. Use the
same precautions when downloading shared files that you do
for email and instant messaging. Avoid downloading files with
the extensions .exe, .scr, .lnk, .bat, .vbs, .dll, .bin, and .cmd.
Use security precautions for your PDA, cell phone, and
Wi-Fi devices. Viruses and Trojans arrive as an email/IM
attachment, are downloaded from the Internet, or are
uploaded along with other data from a desktop.
Cell phone viruses and mobile phishing attacks are in the
beginning stages, but will become more common as more
people access mobile multimedia services and Internet
content directly from their phones.
Mobile anti-virus software for selected devices is available
for free with some McAfee PC products.
Always use a PIN code on your cell phone and never install or
download mobile software from an untrusted source.
Configure your instant messaging application
correctly. Make sure it does not open automatically
when you start up your computer.
Beware of spam-based phishing schemes. Don’t
click on links in emails or IM.
Back up your files regularly and store the
backups somewhere besides your PC. If you fall
victim to a virus attack, you can recover photos,
music, movies, and personal information like tax
returns and bank statements.
Stay aware of current virus news by checking
sites like the McAfee Labs Threat Center.
nslookup is a computer program used in Windows and Unix to query Domain Name System (DNS) servers to find DNS details, including the IP addresses of a particular computer, the MX records for a domain and the NS servers of a domain. The name nslookup means "name server lookup".

dig (domain information groper) is a flexible command-line tool for interrogating DNS name servers, native to Unix and also available for Windows, and a replacement for nslookup. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.

Nmap is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is a "Network Mapper", used to discover computers and services on a computer network, thus creating a "map" of the network. Just like many simple port scanners, Nmap is capable of discovering passive services on a network despite the fact that such services aren't advertising themselves with a service discovery protocol. In addition Nmap may be able to determine various details about the remote computers. These include operating system, device type, uptime, software product used to run a service, exact version number of that product, presence of some firewall techniques and, on a local area network, even the vendor of the remote network card.

pcAnywhere is a pair of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host if both are connected to the Internet or the same LAN and the password is known. pcAnywhere runs on several platforms, including Microsoft Windows, Linux, Mac OS X, and Pocket PC.

DameWare NT Utilities (DNTU) is an enterprise system management application for Windows NT/2000/XP/2003/Vista which is designed to allow administrators to have more control over client computers than with Microsoft's Management Console (MMC). DNTU provides an integrated collection of Microsoft Windows NT administration utilities, incorporated within an "easy to use" centralized interface for remote management of Windows servers and workstations.

Security defects in DameWare
Versions of DameWare Mini Remote Control prior to 2004 could be exploited by an attacker to take over control of a remote machine. The exploit used a buffer overflow in the DameWare code. This security defect was actively used by attackers. Although this problem was reported as fixed in 2004, a similar problem was reported and confirmed in 2005.
A simple virus is easily detected because an infected version of a program is longer than the corresponding uninfected one. A way to thwart this is to compress the executable file so that both the infected and uninfected versions are of identical length: the virus compresses the host program and prepends itself, and when the infected program runs it first decompresses the host so that the program still behaves normally.
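The compression trick, as an added example that is not code from the slides: a constructed "virus stub" and a constructed, highly compressible "host program" (real binaries compress far less well, which is the practical limit of the technique). A prepending infection grows the file and is caught by a length comparison; the compressing infection packs the host with zlib and pads the result to exactly the original length, so the same length check passes while the host still runs. A content hash catches both.

```python
import hashlib
import zlib

# Added example, not from the slides. The "virus stub" and the "host program" are
# constructed byte strings; real binaries compress less well than this host does.
VIRUS_STUB = b"CV: decompress host, run it, then infect another program..."
HOST = b"MOV AX,1\nADD AX,BX\nCMP AX,CX\nJNE LOOP\n" * 200


def simple_infect(host: bytes) -> bytes:
    """Prepending virus: the host is left intact, so the file grows by len(VIRUS_STUB)."""
    return VIRUS_STUB + host


def compressing_infect(host: bytes):
    """Compression virus: stub || 4-byte length || compressed host || zero padding,
    padded so the infected file is exactly as long as the clean one.
    Returns None when the host does not compress enough to make room for the stub."""
    packed = zlib.compress(host, 9)
    room = len(host) - len(VIRUS_STUB) - 4 - len(packed)
    if room < 0:
        return None
    return VIRUS_STUB + len(packed).to_bytes(4, "big") + packed + b"\x00" * room


def run_compressed(infected: bytes) -> bytes:
    """What the stub does at run time: recover the original host so it still works."""
    off = len(VIRUS_STUB)
    n = int.from_bytes(infected[off:off + 4], "big")
    return zlib.decompress(infected[off + 4:off + 4 + n])


def looks_infected_by_length(clean_len: int, candidate: bytes) -> bool:
    """The naive check the text describes: any change in length is suspicious."""
    return len(candidate) != clean_len


def looks_infected_by_hash(clean: bytes, candidate: bytes) -> bool:
    """Content comparison: unaffected by tricks that preserve the length."""
    return hashlib.sha256(candidate).digest() != hashlib.sha256(clean).digest()


def demo() -> dict:
    simple = simple_infect(HOST)
    packed = compressing_infect(HOST)
    return {
        "simple_caught_by_length": looks_infected_by_length(len(HOST), simple),
        "compressed_caught_by_length": looks_infected_by_length(len(HOST), packed),
        "compressed_same_length": len(packed) == len(HOST),
        "host_still_runs": run_compressed(packed) == HOST,
        "compressed_caught_by_hash": looks_infected_by_hash(HOST, packed),
    }


if __name__ == "__main__":
    print(demo())
```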