2. Index
Cryptography Attacks
What is Cryptography
Types Of Attacks
General Attacks
Technical Attacks
Passive Attacks
Active Attacks
Specific Attacks
3. What is Cryptography
Cryptography is a method of storing and transmitting data in a particular form so that only
those for whom it is intended can read and process it.
Cryptography is closely related to the disciplines of cryptology and cryptanalysis.
In its broadest historical sense the term has also covered steganographic techniques such as
microdots and merging words with images, which hide the existence of information in storage
or transit rather than scrambling it.
In today's computer-centric world, however, cryptography is most often associated with
scrambling plaintext (ordinary text, sometimes referred to as cleartext) into ciphertext (a
process called encryption), then back again (known as decryption).
4. TYPES OF ATTACKS
A General View:
1. Criminal attacks
2. Publicity attacks
3. Legal Attacks
A Technical View:
1. Modification
2. Fabrication
3. Interruption
4. Interception
5. Attacks: A General View
Criminal Attacks:
Criminal attacks are the simplest to understand: the motive is money or damage.
Fraud: Modern fraud attacks concentrate on manipulating some aspect
of electronic currency, credit cards, electronic stock certificates etc.
Scams: Scams come in various forms, some of the most common ones
being sale of services, auctions, multi-level marketing schemes etc. People are
enticed to send money in return for great profits but end up losing their money.
E.g. the Nigerian (419) advance-fee scam.
6. Destruction: Some sort of grudge is the motive behind such attacks. For example,
unhappy employees attack their own organization, whereas terrorists strike at much
bigger levels. Users lose their ability to access the site or service.
Publicity Attacks: These occur because the attackers want to see their names appear on
television news channels and in newspapers. The attacks are usually performed by
students in universities or employees in large organizations, who seek publicity by
adopting a novel approach to attacking computer systems.
Legal Attacks: For example, an attacker may sue a bank for performing an online
transaction which she claims she never authorized. In court she can simply deny having
made the transaction; unless the bank can produce non-repudiation evidence (a digital
signature binding the transaction to her key, backed by a trustworthy audit trail), a judge
is likely to sympathize with the attacker.
7. Attacks: A Technical View
Interception: Discussed in the context of confidentiality, earlier. It means that
an unauthorized party has gained access to a resource. The party can be a
person, program or computer-based system. Examples of interception are
copying of data or programs and listening to network traffic.
Fabrication: Discussed in the context of authentication, earlier. This involves
creation of illegal objects on a computer system. For example, the attacker
may add fake records to a database or inject forged messages into a connection.
Modification: Discussed in the context of integrity. For example, the attacker
may modify the values in a database or alter a message in transit.
Interruption: Discussed in the context of availability. Here, the resource
becomes unavailable, lost or unusable. Examples of interruption are damaging
a hardware device, or erasing programs, data or operating-system components.
8. Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are release of message contents
and traffic analysis.
The release of message contents is easily understood. A telephone
conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we
had a way of masking the contents of messages or other information traffic so
that opponents, even if they captured the message, could not extract the
information from the message. The common technique for masking contents
is encryption.
9. If we had encryption protection in place, an opponent might still be able to
observe the pattern of these messages. The opponent could determine the
location and identity of communicating hosts and could observe the
frequency and length of messages being exchanged. This information
might be useful in guessing the nature of the communication that was
taking place.
Passive attacks are very difficult to detect because they do not involve any
alteration of the data. Typically, the messages are sent and received in
seemingly normal fashion. Neither the sender nor receiver is aware that a
third party has read the messages or observed the traffic pattern. However,
it is feasible to prevent the success of these attacks. Message encryption
is a simple solution to thwart passive attacks. Thus, the emphasis in
dealing with passive attacks is on prevention rather than detection.
10. Active Attacks
Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.
Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
A masquerade takes place when one entity pretends to be a different
entity .A masquerade attack usually includes one of the other forms of
active attack. For example, authentication sequences can be captured and
replayed after a valid authentication sequence has taken place, thus
enabling an authorized entity with few privileges to obtain extra privileges
by impersonating an entity that has those privileges.
11. Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect. For example, a message meaning "Allow John Smith to read
confidential file accounts" is modified to mean "Allow Fred Brown to read
confidential file accounts."
The denial of service prevents or inhibits the normal use or management of
communications facilities (Figure 1.4 d). This attack may have a specific target;
for example, an entity may suppress all messages directed to a particular
destination (e.g., the security audit service). Another form of service denial is the
disruption of an entire network, either by disabling the network or by overloading
it with messages so as to degrade performance.
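The replay and modification attacks described on slides 10 and 11, and the countermeasure that stops a captured authentication sequence from being reused, as an added example (not part of the original deck). It assumes a hypothetical pre-shared key `KEY` between sender and receiver and a constructed message; the sender attaches a fresh nonce and a timestamp and computes an HMAC over the whole message, and the receiver rejects anything forged, modified, stale or already seen. Note that the MAC alone only catches modification: without the nonce and the replay cache, a byte-for-byte copy of a genuine message would verify perfectly.

```python
import hashlib
import hmac
import json
import os
import time

# Assumption: a key shared out of band by sender and receiver (not from the deck).
KEY = b"example-shared-secret"


def canonical(msg):
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, body, ts=None):
    """Sender side: fresh nonce + timestamp, then an HMAC over everything."""
    msg = {
        "body": body,
        "nonce": os.urandom(16).hex(),                  # defeats replay
        "ts": int(time.time() if ts is None else ts),   # bounds the replay cache
    }
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Receiver side: verify the MAC first, then freshness, then uniqueness."""

    def __init__(self, key, window=300, now=time.time):
        self.key = key
        self.window = window      # seconds of clock skew / delay tolerated
        self.now = now            # injectable clock so the demo is deterministic
        self.seen = {}            # nonce -> ts, bounded by the window

    def accept(self, msg):
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(unsigned), hashlib.sha256).hexdigest()
        # constant-time compare; a plain == would leak timing on the MAC bytes
        if not hmac.compare_digest(msg.get("mac", ""), expected):
            return "reject: modified or forged"
        now = self.now()
        if abs(now - msg["ts"]) > self.window:
            return "reject: stale"
        # forget nonces older than the window; anything that old is stale anyway
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "reject: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"


def demo():
    """Walk through the active-attack outcomes with a frozen clock."""
    clock = [1_700_000_000]
    rx = Receiver(KEY, now=lambda: clock[0])
    original = make_message(KEY, "Allow John Smith to read confidential file accounts",
                            ts=clock[0])
    results = [rx.accept(original)]              # genuine: accepted
    results.append(rx.accept(original))          # captured and resent: replay
    tampered = dict(original)
    tampered["body"] = original["body"].replace("John Smith", "Fred Brown")
    results.append(rx.accept(tampered))          # MAC no longer matches: modified
    clock[0] += 3600                              # an hour later...
    results.append(rx.accept(make_message(KEY, "late", ts=clock[0] - 3600)))  # stale
    return results


if __name__ == "__main__":
    print(demo())
```

The timestamp window is what keeps the nonce cache bounded; shrink it and you need tighter clock synchronization, widen it and the receiver must remember more nonces. A masquerade that captures and replays a login exchange fails here for the same reason a modified message does: the captured bytes either carry a nonce the receiver has already consumed or a timestamp outside the window.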
13. The Practical Side Of Attacks
They can be classified into two broad categories
1. Application-Level attacks
2. Network-level attacks.
14. Application level attacks: These attacks happen at the application level in the
sense that the attacker attempts to access, modify or prevent access to information
of a particular application, or to the application itself. Examples are trying to
obtain someone's credit information on the Internet, or changing a message so as to
alter the amount in a transaction.
Network level attacks: These attacks generally aim at reducing the capabilities
of a network by a number of possible means: they attempt either to slow down, or to
bring to a complete halt, a computer network. Note that network-level access can also
lead to application-level attacks, because once someone has gained access to a network
she is usually able to read or modify at least some sensitive information.
15. Programs that Attack:
1. Virus(infects)
2. Worm (replicates)
3. Trojan (hidden)
4. Applets and Active X controls (downloadable)
16. Viruses
piece of software that infects programs
modifying them to include a copy of the virus
so it executes secretly when host program is run
specific to operating system and hardware
taking advantage of their details and weaknesses
a typical virus goes through phases of:
dormant
propagation
triggering
execution
17. Virus Structure
components:
infection mechanism - enables replication
trigger - event that makes payload activate
payload - what it does, malicious or benign
prepended / postpended / embedded
when infected program invoked, executes virus code then original program
code
can block initial infection (difficult)
or propagation (with access controls)
19. Macro Virus
became very common in mid-1990s since
platform independent
infect documents
easily spread
exploit macro capability of office apps
executable program embedded in office doc
often a form of Basic
more recent Office releases disable macros from untrusted sources by default
recognized by many anti-virus programs
20. E-Mail Viruses
more recent development
e.g. Melissa
exploits MS Word macro in attached doc
if attachment opened, macro activates
sends email to all on users address list
and does local damage
then saw versions triggered reading email
hence much faster propagation
21. Virus Countermeasures
prevention - ideal solution but difficult
realistically need:
detection
identification
removal
if detect but can’t identify or remove, must discard and replace infected
program
22. Anti-Virus Evolution
virus & antivirus tech have both evolved
early viruses simple code, easily removed
as become more complex, so must the countermeasures
generations
first - signature scanners
second - heuristics
third - identify actions
fourth - combination packages
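The first two anti-virus generations from the slide above, as an added example that is not the deck's own material. It uses a constructed signature database; the only "known bad" sample is the EICAR test string, the harmless file that real scanners detect by agreement, kept in memory so no real product fires. The first-generation scanner matches an exact hash and fixed byte patterns; the second-generation heuristic flags a Windows executable whose body is near-random, which is what a packed or encrypted (polymorphic) virus looks like to a signature scanner that can no longer find its pattern.

```python
import hashlib
import math
import os
import random
from collections import Counter

# Constructed signature database for the example (not a real AV database).
# The EICAR string is the industry-standard harmless test file that real
# scanners are required to detect, so it is a safe "known bad" sample.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BYTE_SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Dropper.A": b"\xe8\x00\x00\x00\x00\x5b\x81\xeb",  # made-up pattern
}
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}


def scan_signatures(data):
    """First generation: exact file hash, then fixed byte patterns."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data and name not in hits:
            hits.append(name)
    return hits


def shannon_entropy(data):
    """Bits per byte; close to 8.0 for compressed/encrypted data, low for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_heuristics(data, entropy_threshold=7.2):
    """Second generation: flag suspicious structure instead of exact bytes.
    An MZ (Windows executable) header followed by a near-random body is almost
    certainly packed or encrypted, the trick polymorphic viruses use to defeat
    signature scanning."""
    flags = []
    if data[:2] == b"MZ" and shannon_entropy(data[64:]) > entropy_threshold:
        flags.append("packed-or-encrypted-executable")
    return flags


def scan_bytes(data):
    return {"signatures": scan_signatures(data), "heuristics": scan_heuristics(data)}


def scan_tree(root):
    """Walk a directory and report anything either generation flags."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                result = scan_bytes(fh.read())
            if result["signatures"] or result["heuristics"]:
                report[path] = result
    return report


def packed_sample():
    """Constructed stand-in for a packed executable: MZ header + pseudo-random body."""
    rng = random.Random(1)
    return b"MZ" + bytes(rng.getrandbits(8) for _ in range(4094))
```

The entropy heuristic is deliberately crude: legitimately compressed installers trip it too, which is exactly the false-positive problem that pushed products toward the third and fourth generations (watching what code does, and combining techniques) rather than relying on any single test.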
23. Worms
replicating program that propagates over net
using email, remote exec, remote login
has phases like a virus:
dormant, propagation, triggering, execution
propagation phase: searches for other systems, connects
to them, copies itself over and runs
may disguise itself as a system process
concept seen in Brunner’s “Shockwave Rider”
implemented by Xerox Palo Alto labs in 1980’s
24. Morris Worm
one of the best known worms
released by Robert Morris in 1988
various attacks on UNIX systems
cracking the password file to use login/password to log on to other systems
exploiting a buffer overflow in the fingerd daemon (the finger service)
exploiting a debug-mode trapdoor in sendmail
if succeeded, had remote shell access
sent bootstrap program to copy worm over
26. Recent Worm Attacks
Code Red
July 2001, exploiting an MS IIS buffer-overflow bug
probes random IP addresses, then launches a DDoS attack against a fixed target
Code Red II variant includes a backdoor
SQL Slammer
early 2003, attacks MS SQL Server
Mydoom
mass-mailing e-mail worm that appeared in 2004
installed remote access backdoor in infected systems
Warezov family of worms
scan for e-mail addresses, send in attachment
28. Mobile Phone Worms
first appeared on mobile phones in 2004 (Cabir, a Symbian worm)
target smartphone which can install s/w
they communicate via Bluetooth or MMS
to disable phone, delete data on phone, or send premium-priced
messages
CommWarrior, launched in 2005
replicates using Bluetooth to nearby phones
and via MMS using address-book numbers
29. Worm Countermeasures
overlaps with anti-virus techniques
once worm on system A/V can detect
worms also cause significant net activity
worm defense approaches include:
signature-based worm scan filtering
filter-based worm containment
payload-classification-based worm containment
threshold random walk scan detection
rate limiting and rate halting
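The "threshold random walk scan detection" item above, worked through as an added example that is not from the deck. It implements the sequential hypothesis test of Jung et al. (2004) over a constructed first-contact connection log: a benign host's first contacts mostly succeed, a worm scanning for victims mostly fails, and the detector decides per source as soon as the accumulated evidence crosses either threshold. With the default parameters four failed first contacts are enough to flag a scanner, while repeated connections to a host already contacted carry no evidence at all.

```python
import re
from collections import defaultdict

# Constructed first-contact connection log (not from the deck): time, source,
# destination:port, outcome. 10.0.0.5 sweeps port 445 and fails every time;
# 10.0.0.7 talks to hosts that answer; 10.0.0.9 is mixed. The fourth line for
# 10.0.0.5 repeats a destination and must not count as a new first contact.
LOG = """\
2024-05-01T10:00:01 10.0.0.5 -> 10.0.1.10:445 FAIL
2024-05-01T10:00:01 10.0.0.7 -> 10.0.1.20:443 OK
2024-05-01T10:00:02 10.0.0.5 -> 10.0.1.11:445 FAIL
2024-05-01T10:00:02 10.0.0.9 -> 10.0.1.30:22 FAIL
2024-05-01T10:00:03 10.0.0.7 -> 10.0.1.21:443 OK
2024-05-01T10:00:03 10.0.0.5 -> 10.0.1.12:445 FAIL
2024-05-01T10:00:04 10.0.0.5 -> 10.0.1.12:445 FAIL
2024-05-01T10:00:04 10.0.0.7 -> 10.0.1.22:443 OK
2024-05-01T10:00:05 10.0.0.9 -> 10.0.1.31:22 OK
2024-05-01T10:00:05 10.0.0.5 -> 10.0.1.13:445 FAIL
2024-05-01T10:00:06 10.0.0.7 -> 10.0.1.23:443 OK
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (OK|FAIL)$")


def parse_log(text):
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, port, outcome = m.groups()
            yield ts, src, dst, int(port), outcome == "OK"


class TRWDetector:
    """Threshold Random Walk (Jung et al., 2004).

    Each source's first-contact connections form a sequence of successes and
    failures. A sequential hypothesis test keeps a likelihood ratio between
    "scanner" (most first contacts fail, success prob. theta1) and "benign"
    (most succeed, theta0) and decides as soon as the ratio crosses a threshold.
    alpha is the tolerated false-positive rate, beta the target detection rate."""

    def __init__(self, theta0=0.8, theta1=0.2, alpha=0.01, beta=0.99):
        self.success_ratio = theta1 / theta0              # multiply on a success
        self.failure_ratio = (1 - theta1) / (1 - theta0)  # multiply on a failure
        self.eta1 = beta / alpha                           # >= this: scanner
        self.eta0 = (1 - beta) / (1 - alpha)               # <= this: benign
        self.ratio = defaultdict(lambda: 1.0)
        self.contacted = defaultdict(set)
        self.verdict = {}

    def observe(self, src, dst, ok):
        """Feed one connection; returns the verdict once one is reached."""
        if src in self.verdict:
            return self.verdict[src]
        if dst in self.contacted[src]:
            return None                 # not a first contact, carries no evidence
        self.contacted[src].add(dst)
        self.ratio[src] *= self.success_ratio if ok else self.failure_ratio
        if self.ratio[src] >= self.eta1:
            self.verdict[src] = "scanner"
        elif self.ratio[src] <= self.eta0:
            self.verdict[src] = "benign"
        return self.verdict.get(src)


def classify(log_text):
    det = TRWDetector()
    for _, src, dst, _, ok in parse_log(log_text):
        det.observe(src, dst, ok)
    return dict(det.verdict)


if __name__ == "__main__":
    print(classify(LOG))   # 10.0.0.5 flagged after four failed first contacts
```

In production the "first contact" test needs a memory of which (source, destination) pairs have been seen before, and the success/failure signal comes from the connection tracker (SYN answered with SYN/ACK versus RST or timeout). The mixed host 10.0.0.9 stays undecided, which is the intended behaviour: the test defers rather than guessing, and rate limiting can be applied to undecided sources in the meantime.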
32. Trojan Horse
program with hidden side-effects
which is usually superficially attractive
eg game, s/w upgrade etc
when run performs some additional tasks
allows attacker to indirectly gain access they do not have
directly
often used to propagate a virus/worm or install a
backdoor
or simply to destroy data
34. Applets and ActiveX controls
An ActiveX control is a component program object that can be re-used by
many application programs within a computer or among computers in a
network. The technology for creating ActiveX controls is part of Microsoft's
overall ActiveX set of technologies, chief of which is the Component Object
Model (COM).
ActiveX controls can be downloaded as small programs or animations for
Web pages, but they can also be used for any commonly-needed task by
an application program on Windows. In general, ActiveX controls replaced the earlier
OCX (Object Linking and Embedding custom) controls. An ActiveX control is roughly
equivalent in concept to the Java applet, with one security-critical difference: an
applet ran inside the JVM sandbox, whereas an ActiveX control is native COM code that runs
with the full privileges of the logged-in user. A downloaded control is therefore a
download-and-run Trojan vector unless the user genuinely trusts its publisher, which is
why both mechanisms have since been removed from mainstream browsers.
35. Cookies
Web browsers and servers use the HTTP protocol to communicate, and HTTP
is a stateless protocol. A commercial website, however, needs to maintain session
information across different pages: a user registration, for example, spans many
pages, so how is the user's session information carried from one page to the next?
In many situations, using cookies is the most efficient method of
remembering and tracking preferences, purchases, commissions, and
other information required for a better visitor experience or site statistics.
The security consequence is that the session cookie is a bearer token: whoever holds it
is the user as far as the server is concerned, so cookie theft (by sniffing an unencrypted
connection or by script injected into the page) amounts to session hijacking. Session
cookies should carry the Secure, HttpOnly and SameSite attributes and be invalidated on
logout.
38. Sniffing Attack
Sniffing is the act of intercepting and inspecting data packets using sniffers
(software or hardware devices) on a network.
Sniffing is a passive security attack in which a machine other than the
intended destination reads data on a network.
Passive security attacks are those that do not alter the normal flow
of data on a communication link or inject data into the link, but lead to
leakage of different kinds of information such as passwords, financial
figures, confidential or sensitive data, and low-level protocol information.
Sniffing is considered the virtual counterpart of shoulder surfing.
Sniffers are also used as a troubleshooting tool by network
administrators.
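What a sniffer actually does with a captured frame, as an added example that is not part of the deck (it also illustrates the "release of message contents" passive attack from slide 8). The frame is constructed in code rather than taken from a real capture: Ethernet, IPv4 and TCP headers around an HTTP request that carries HTTP Basic authentication, with checksums left at zero because the parser does not validate them. The parser peels the headers the way tcpdump or Wireshark would and shows why "encoded" is not "encrypted": Basic auth is base64 and falls out of the packet in one line.

```python
import base64
import struct


def constructed_frame():
    """Synthetic captured frame (not a real capture): Ethernet / IPv4 / TCP carrying
    an HTTP request with a Basic-auth header. Checksums are left zero because the
    parser below does not validate them."""
    http = (b"GET /admin HTTP/1.1\r\n"
            b"Host: intranet.example\r\n"
            b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51515, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0x1234, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http


def parse_frame(frame):
    """Peel Ethernet, IPv4 and TCP headers; return addresses, ports and payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "proto": ip[9],
    }
    if pkt["proto"] != 6:                                 # only TCP handled here
        return pkt
    tcp = ip[ihl:]
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    pkt["payload"] = tcp[data_offset:]
    return pkt


def extract_basic_credentials(payload):
    """HTTP Basic auth is only base64, not encryption: anyone on the path can decode it."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            try:
                user, _, password = base64.b64decode(line[21:]).decode().partition(":")
                return user, password
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def sniff(frames):
    """What a passive listener harvests from cleartext HTTP on the wire."""
    leaks = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and pkt.get("dport") == 80:
            creds = extract_basic_credentials(pkt["payload"])
            if creds:
                leaks.append((pkt["src"], pkt["dst"], creds))
    return leaks


if __name__ == "__main__":
    print(sniff([constructed_frame()]))
```

Sent over TLS instead, the same request gives the listener only the endpoints, the timing and the sizes, which is the traffic-analysis residue slide 9 warns about; the credentials themselves are gone. On a switched network the attacker additionally needs a mirror port or an ARP-spoofing position to see frames not addressed to it, which is the usual practical hurdle to sniffing.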
39. Spoofing Attack
Spoofing is the act of identity impersonation. IP spoofing is the technique used by
intruders to gain access to a network by sending messages to a computer with a source IP
address indicating that the message is coming from a trusted host.
To engage in IP spoofing, an attacker uses a variety of techniques to find the IP address
of a trusted host and then modifies the packet headers so that the packets appear to be
coming from that host.
Because IP is connectionless, routers use the destination IP address to forward packets
through the Internet and ignore the source IP address, which is only used by the
destination machine when it replies. The sender fills in the source field itself, and
nothing in IP authenticates it, which makes forging an identity by modifying IP packets
straightforward. The attacker generally does not see the replies (they go to the
spoofed host), so IP spoofing is an integral part of many attacks that do not need
responses (blind spoofing): SYN floods, reflection and amplification attacks, and
connection resets. The IP protocol itself cannot reject spoofed packets; the effective
defences are ingress and egress filtering at network edges (BCP 38 / RFC 2827) and
cryptographic authentication above IP (IPsec, TLS, SSH), so that a spoofed address on
its own buys no trust.
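Both halves of the spoofing story, as an added example that is not from the deck: how trivially a forged source address is produced, and the ingress filter (BCP 38) that catches it at the network edge. The code only assembles and inspects packet bytes; it never sends anything (that would need a raw socket and CAP_NET_RAW). Addresses are from the documentation ranges: the attacker sits in the hypothetical customer prefix 203.0.113.0/24 and claims to be 198.51.100.7 when talking to 192.0.2.10.

```python
import ipaddress
import struct


def header_checksum(data):
    """RFC 1071 one's-complement sum; a correct header (checksum included) sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=17, ttl=64, ident=0x1234):
    """Assemble an IPv4 packet. Nothing here checks that src is really ours:
    the source field is just four bytes the sender fills in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """What the destination sees: the claimed source, and whether the header is intact."""
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, header_checksum(packet[:20]) == 0


def ingress_filter(packet, customer_prefix):
    """BCP 38 / RFC 2827: an edge router forwards a packet only if its source address
    belongs to the prefix assigned to the interface it arrived on."""
    src, _, intact = parse_ipv4(packet)
    return intact and ipaddress.ip_address(src) in ipaddress.ip_network(customer_prefix)


def demo():
    """Attacker on 203.0.113.0/24 forges a packet claiming to be 198.51.100.7."""
    forged = build_ipv4("198.51.100.7", "192.0.2.10", b"forged datagram")
    genuine = build_ipv4("203.0.113.5", "192.0.2.10", b"legitimate datagram")
    return {
        "victim_sees": parse_ipv4(forged),                       # believes 198.51.100.7
        "forged_forwarded": ingress_filter(forged, "203.0.113.0/24"),
        "genuine_forwarded": ingress_filter(genuine, "203.0.113.0/24"),
    }


if __name__ == "__main__":
    print(demo())
```

The header checksum is the only integrity check IP has, and it is there to catch transmission errors, not adversaries: the forger recomputes it for free. The filter works only because it runs on the provider's edge router, which knows which prefix belongs behind each interface; the victim, further along the path, has no such knowledge, which is why spoofing cannot be solved at the destination.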
40. Phishing Attack
Phishing is a type of social engineering attack often used to steal user
data, including login credentials and credit card numbers.
It occurs when an attacker, masquerading as a trusted entity, dupes a
victim into opening an email, instant message, or text message.
The recipient is then tricked into clicking a malicious link, which can lead to
the installation of malware, the freezing of the system as part of a
ransomware attack, or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes
unauthorized purchases, the stealing of funds, or identity theft.
41. PHISHING ATTACK EXAMPLES
The following illustrates a common phishing scam attempt:
1. A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many
faculty members as possible.
2. The email claims that the user’s password is about to expire. Instructions are
given to go to myuniversity.edu/renewal to renew their password within 24 hours
Several things can occur by clicking the link. For example:
1. The user is redirected to myuniversity.edurenewal.com, a bogus page appearing
exactly like the real renewal page, where both new and existing passwords are
requested. The attacker, monitoring the page, hijacks the original password to gain
access to secured areas on the university network.
2. The user is sent to the actual password renewal page. However, while being
redirected, a malicious script activates in the background to hijack the user’s session
cookie. This results in a reflected XSS attack, giving the perpetrator privileged
access to the university network.
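The link-level checks behind the example above, as an added example that is not part of the deck. The domain `myuniversity.edu` and the bait host `myuniversity.edurenewal.com` are the ones from the slide; everything else (the other hosts, the function names) is constructed. The core point is that "does this link belong to the university" is a suffix test on the host name, never a substring test, and the helper also catches the other cheap tricks phishing kits rely on: raw IP hosts, user-info before the `@`, internationalized (punycode) look-alikes, and anchor text that shows one address while the `href` goes elsewhere.

```python
import ipaddress
from urllib.parse import urlsplit


def link_belongs_to(url, legit_domain):
    """True only if the link's host IS legit_domain or a proper subdomain of it.
    A substring match is not enough: myuniversity.edurenewal.com contains the
    string but is a completely different registrable domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    legit = legit_domain.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def phishing_indicators(url, legit_domain):
    """Cheap, deterministic checks a mail gateway or a user can apply to a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    legit = legit_domain.lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if not link_belongs_to(url, legit):
        findings.append("host-outside-" + legit)
        if legit in host:                      # brand name used as bait in the host
            findings.append("lookalike-host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")         # no name at all, common in kits
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("idn-host")            # possible homograph (e.g. Cyrillic letters)
    if parts.username is not None:
        findings.append("userinfo-in-url")     # https://legit.edu@evil.example/
    return findings


def anchor_mismatch(display_text, href, legit_domain):
    """Mail clients show display_text but open href; phishers rely on the gap."""
    shown = display_text if "://" in display_text else "https://" + display_text
    return link_belongs_to(shown, legit_domain) and not link_belongs_to(href, legit_domain)


if __name__ == "__main__":
    print(phishing_indicators("http://myuniversity.edurenewal.com/renewal", "myuniversity.edu"))
    print(anchor_mismatch("myuniversity.edu/renewal",
                          "http://myuniversity.edurenewal.com/renewal", "myuniversity.edu"))
```

None of these checks defends against the second scenario on the slide, where the link really does go to the university and the damage is done by injected script; that one is a web-application flaw (reflected XSS) and the mitigation is on the server side, output encoding plus an HttpOnly session cookie so the script cannot read it.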
43. Pharming Attack
Pharming is an attack intended to redirect a website's traffic to
another, bogus site. Pharming can be conducted either by changing the hosts
file on a victim's computer or by exploiting a vulnerability in DNS server
software. DNS servers are the computers responsible for resolving Internet names
into their real IP addresses.
Compromised DNS servers are sometimes referred to as "poisoned." Pharming a single
victim requires write access to that computer, such as altering a
customer's home PC, whereas poisoning a shared resolver redirects every client of it.
The term "pharming" is a neologism based on the words "farming" and
"phishing." Phishing is a type of social-engineering attack to obtain access
credentials, such as user names and passwords. In recent years, both
pharming and phishing have been used to gain information for online identity
theft.
44. Pharming has become a major concern to businesses hosting ecommerce
and online banking websites. Measures known as anti-pharming are required to
protect against this threat. Antivirus and anti-spyware software may catch
tampering with the local hosts file, but they cannot protect against a poisoned
DNS resolver; for that the defences are DNSSEC validation and, above all, TLS:
a bogus site cannot present a valid certificate for the legitimate name, so the
browser's certificate warning is the user's one reliable tell.
A pharming attack will redirect the victim to the fake website (an attacker's
website) even though the victim enters the correct address for the
legitimate website. For example: the victim intends to
access www.twitter.com, so he types the right URL into the browser; the
URL shown will still be www.twitter.com, but he will be on the fake website instead.
45. How does it work
Method 1: DNS Poisoning:
1. The attacker compromises the DNS server (or poisons its cache) and changes the
address record for www.targetsite.com to the IP of www.targetsite1.com (the fake page).
2. When the user enters the URL in the address bar, the computer queries
the DNS server for the IP address of www.targetsite.com.
3. Since the DNS server has already been poisoned by the attacker, it
returns the IP address of www.targetsite1.com (the fake page).
4. The user believes it is the original website, but it is a phishing page.
46. Hosts File Modification
1. The hosts file definition, according to Wikipedia, is: "The hosts file is a
computer file used by an operating system to map hostnames to IP
addresses. The hosts file is a plain text file, and is conventionally
named hosts."
2. The hosts file is a plain text file that contains lines of text consisting of an IP
address followed by one or more host names, where each field is separated
by white space. The resolver consults it before querying DNS, which is why a single
planted line silently overrides the real address.
3. An IP address may refer to multiple host names (see the following
example), and a host name may be mapped to both IPv4 and IPv6
addresses (see the following example).
4. By the way, you can leave comments in the hosts file by using the hash
character (#), which indicates that the line is a comment. Here is an example of
hosts file content:
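A parser and auditor for the hosts file format just described, as an added example that is not part of the deck (the deck's own sample content is not reproduced on this page; the file below is constructed for the example). It handles exactly the four points above: comment lines and trailing comments, several names on one line, the same name mapped to both an IPv4 and an IPv6 address, and whitespace-separated fields. The audit then flags the pharming case, a watched domain pinned to a routable address, while ignoring the benign loopback and 0.0.0.0 sinkhole entries. The file locations in `hosts_path()` are the standard ones; the watched domain list is an assumption supplied by the caller.

```python
import ipaddress
import os
import platform

# Constructed hosts file for the example (this is not the deck's own sample):
# comments, several names on one line, IPv4 and IPv6 entries, an ad-blocking
# sinkhole, and one line a pharming attacker would plant for a bank's domain.
SAMPLE_HOSTS = """\
# Static table lookup for hostnames.
127.0.0.1       localhost localhost.localdomain
::1             localhost ip6-localhost ip6-loopback
10.0.0.20       build-server build    # internal box, expected
203.0.113.45    www.example-bank.com example-bank.com
0.0.0.0         ads.tracker.invalid
"""


def hosts_path():
    """Where the resolver reads the file on the usual platforms."""
    if platform.system() == "Windows":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return (line number, address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()                     # any run of spaces/tabs separates
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed; resolvers ignore it too
        for name in fields[1:]:                   # one address, many names
            entries.append((lineno, addr, name.lower()))
    return entries


def audit_hosts(text, watch_domains):
    """Flag any watched domain (or subdomain) pinned to a routable address.
    Loopback and 0.0.0.0 entries are the normal, benign uses of the file."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        for domain in watch_domains:
            domain = domain.lower()
            if name == domain or name.endswith("." + domain):
                findings.append({"line": lineno, "name": name, "address": str(addr)})
    return findings


def audit_system_hosts(watch_domains):
    """Run the audit against this machine's real hosts file."""
    with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watch_domains)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, ["example-bank.com"]):
        print(f"line {f['line']}: {f['name']} -> {f['address']}")
```

An endpoint agent would run `audit_system_hosts` on a schedule and alert on any change to the file at all, since legitimate edits are rare; the domain-specific audit is what a bank's own anti-pharming tooling looks for on customer machines.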