Identifying Potential Risks - PowerPoint PPT Presentation

Slides: 72
Provided by: Bin146
Transcript and Presenter's Notes

1
Identifying Potential Risks
2
Contents
  • Differentiate among various systems security
    threats
  • Privilege escalation
  • Virus
  • Worm
  • Trojan
  • Spyware
  • Spam
  • Adware
  • Rootkits
  • Botnets
  • Logic bomb

3
Contents
  • Implement security applications.
  • Differentiate between the different ports and
    protocols, their respective threats and
    mitigation techniques.
  • Antiquated protocols
  • TCP/IP hijacking
  • Null sessions
  • Spoofing
  • Man-in-the-middle
  • Replay
  • DoS
  • DDoS
  • Domain Name Kiting
  • DNS poisoning

4
Contents
  • Explain the vulnerabilities and mitigations
    associated with network devices.
  • Privilege escalation
  • Weak passwords
  • Back doors
  • DoS
  • Carry out vulnerability assessments using common
    tools.
  • Vulnerability scanners
  • Password crackers

5
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

6
Attack Strategies
  • Access attack: someone who is not authorized to
    use your resources tries to reach them. Its
    purpose is to gain access to information that
    the attacker isn't authorized to have
  • Modification and repudiation attack: someone
    wants to modify information in your systems, or
    to deny that a transaction ever took place
  • Denial-of-service (DoS) attack: authorized users
    are prevented from using a resource

7
Access Attack Types
  • Eavesdropping
  • Eavesdropping is the process of listening in on
    or overhearing parts of a conversation, including
    listening in on your network traffic
  • This type of attack is generally passive
  • Snooping
  • Occurs when someone looks through your files
    hoping to find something interesting
  • The files may be either electronic or on paper

8
Access Attack Types
  • Interception can be either an active or a passive
    process
  • Intercept (v) to stop something or someone that
    is going from one place to another before they
    get there
  • In a networked environment, a passive
    interception would involve someone who routinely
    monitors network traffic.
  • Active interception might include putting a
    computer system between the sender and receiver
    to capture information as it's sent. The process
    is usually covert.
  • Intercept missions can occur for years without
    the knowledge of the parties being monitored.

9
Modification and Repudiation Attacks
  • Modification attacks involve the deletion,
    insertion, or alteration of information in an
    unauthorized manner that is intended to appear
    genuine to the user
  • They're similar to access attacks in that the
    attacker must first get to the data on the
    servers, but they differ from that point on.
  • The motivation for this type of attack may be to
    plant information, change grades in a class,
    fraudulently alter credit card records, or
    something similar.
  • Website defacements are a common form of
    modification attack.

10
Modification and Repudiation Attacks
  • Repudiation attack is a variation of modification
    attacks
  • repudiate /rɪˈpjuːdieɪt/
  • to refuse to accept or continue with something
  • to state or show that something is not true or
    correct
  • Repudiation attacks make data or information
    appear to be invalid or misleading.
  • Repudiation attacks are fairly easy to accomplish
    because most e-mail systems don't check outbound
    mail for validity, so a forged sender can later
    deny ever having sent a message
  • Repudiation attacks, like modification attacks,
    usually begin as access attacks.

11
DoS Attacks
  • Denial-of-Service
  • DoS attacks prevent access to resources by users
    authorized to use those resources
  • Most simple DoS attacks occur from a single
    system
  • Types of DoS attacks
  • ping of death
  • buffer overflow

12
DoS Attacks
13
Wireless DoS
  • Requires a powerful transmitter

14
An Easier Wireless DoS
15
DDoS Attacks
  • Distributed Denial-of-Service Attacks
  • Multiple computer systems used to conduct the
    attack
  • Zombies: compromised machines under the
    attacker's control
  • Bot: the malicious software running on a zombie;
    botnet: the whole collection of zombies answering
    to one controller

16
DDoS Attacks
17
DDoS Attacks
  • How do we defend against denial-of-service
    attacks?

18
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

19
Back Door Attacks
  • Back doors?

20
Spoofing Attacks
  • A spoofing attack is an attempt by someone or
    something to masquerade as someone else.
  • IP spoofing and DNS spoofing

21
Man-in-the-Middle Attacks
  • This type of attack is also an access attack, but
    it can be used as the starting point for a
    modification attack
  • Places a piece of software between a server and
    the user.

22
Replay Attacks
  • The attacker captures the information and replays
    it later.
  • The information can be usernames, passwords, or
    credentials such as certificates or tickets from
    authentication systems such as Kerberos.

23
Wall of Sheep
  • Captured passwords projected on the wall at DEFCON

24
Replay Attacks
  • Solution: certificates and tickets usually
    contain a unique session identifier and a time
    stamp, so a captured copy is rejected as stale
    or as already used.
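The solution described on this slide turned into code, as an added example that is not part of the original deck: a token that binds a session identifier, a timestamp and a random nonce under an HMAC, and a verifier that rejects tokens outside the time window and any token presented twice. The key, the 30-second window and the token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical pre-shared key for the example; a real service keeps this in a secrets store.
SECRET = b"constructed-example-key"
MAX_AGE = 30  # seconds a token remains valid; stale tokens are rejected even with a good MAC


def issue_token(session_id: str, now: int, secret: bytes = SECRET) -> str:
    """Mint a token carrying a session identifier, a timestamp and a fresh random nonce."""
    nonce = os.urandom(8).hex()
    body = f"{session_id}|{now}|{nonce}".encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body + b"|" + tag.encode()).decode()


class Verifier:
    """Server side: checks the MAC, the timestamp window and a nonce cache to stop replays."""

    def __init__(self, secret: bytes = SECRET, max_age: int = MAX_AGE):
        self.secret = secret
        self.max_age = max_age
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, token: str, now: int) -> str:
        try:
            session_id, ts, nonce, tag = base64.urlsafe_b64decode(token).decode().split("|")
        except (ValueError, UnicodeDecodeError):
            return "malformed"
        body = f"{session_id}|{ts}|{nonce}".encode()
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"      # tampered, or issued under a different key
        if abs(now - int(ts)) > self.max_age:
            return "stale"              # captured long ago; outside the time window
        # Forget nonces whose window has passed, then refuse any nonce already seen.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if nonce in self.seen:
            return "replayed"           # the Wall of Sheep case: a valid token, used twice
        self.seen[nonce] = int(ts) + self.max_age
        return "ok"
```

A real deployment backs the nonce cache with shared storage so every server instance sees the same nonces, and keeps the tolerated clock skew small: the replay window is exactly the time window the verifier accepts.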

25
Sidejacking
  • Records a victim's session cookies from the
    network and replays them to take over the
    logged-in session
  • Demonstrated against Gmail accounts when the
    session cookie travelled over plain HTTP
  • Technical name: HTTP session hijacking (cookie
    replay). It is not Cross Site Request Forgery,
    which tricks the victim's own browser into
    sending a request rather than stealing the cookie
  • Almost all social networking sites were
    vulnerable to this attack when it was publicized
  • Facebook, MySpace, Yahoo, etc.
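A practitioner's check for the cookie problem on this slide, added here as an example rather than taken from the deck: parse `Set-Cookie` headers and report the attributes whose absence lets a session cookie be sniffed (Secure), read by script (HttpOnly), or attached to cross-site requests (SameSite, the CSRF case the slide confuses with sidejacking). The sample headers are constructed.

```python
# Constructed Set-Cookie headers: a sidejackable session cookie and its hardened form.
SAMPLE_HEADERS = [
    "sessionid=2f9c1a7e; Path=/",
    "sessionid=2f9c1a7e; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> tuple:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attributes have no value
    return name.strip(), attrs


def audit_cookie(header: str) -> list:
    """Return the weaknesses that let a cookie be sniffed, stolen by script, or sent cross-site."""
    name, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure (sent over plain HTTP, visible to a sniffer)")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly (readable by script; XSS can exfiltrate it)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        problems.append(f"{name}: SameSite absent or None (attached to cross-site requests; enables CSRF)")
    return problems


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its findings; an empty list means the cookie passed."""
    return {h: audit_cookie(h) for h in headers}
```

The Secure flag is the one that defeats sidejacking specifically: without it the browser sends the cookie on every plain-HTTP request to the site, and a sniffer on the same wireless network needs nothing more.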

26
Password-Guessing Attacks
  • Brute-force attack.
  • Dictionary attack
  • Hybrids mixing the two above techniques
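The three techniques as an added example (not from the slides): brute force over a small alphabet, a dictionary pass, and a hybrid that applies mangling rules to every word. The word list, the rules and the target password are constructed for the demo; the guess counters show why a hybrid finds a `Word1!`-style password that neither pure method reaches cheaply.

```python
import hashlib
import itertools
import string


def sha256_hex(pw: str) -> str:
    """Unsalted hash standing in for a leaked credential store (constructed for the demo)."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed target: the hash of a password we chose so the hybrid attack can find it.
TARGET = sha256_hex("Secret1!")
WORDLIST = ["password", "letmein", "welcome", "secret", "admin"]   # constructed mini-dictionary


def brute_force(target, alphabet=string.ascii_lowercase, max_len=4, limit=1_000_000):
    """Try every string up to max_len; returns (password or None, guesses tried)."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            if tried > limit:
                return None, tried - 1
            cand = "".join(combo)
            if sha256_hex(cand) == target:
                return cand, tried
    return None, tried


def dictionary(target, words=WORDLIST):
    """One guess per word, exactly as written."""
    for i, w in enumerate(words, 1):
        if sha256_hex(w) == target:
            return w, i
    return None, len(words)


def mangle(word):
    """Hybrid rules: case variants, leet substitutions, common suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    bases.update({leet, leet.capitalize()})
    suffixes = ["", "1", "123", "!", "1!", "2024"]
    for b in bases:
        for s in suffixes:
            yield b + s


def hybrid(target, words=WORDLIST):
    """Dictionary words expanded by the mangling rules; returns (password or None, guesses tried)."""
    tried = 0
    for w in words:
        for cand in mangle(w):
            tried += 1
            if sha256_hex(cand) == target:
                return cand, tried
    return None, tried
```

Brute force over lowercase letters up to four characters burns 475,254 guesses and never reaches an eight-character mixed password; the plain dictionary misses it in five guesses; the hybrid finds it in under 150. That gap is the whole argument for length and unpredictability over "complexity" rules that real users satisfy with the same suffixes.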

27
Privilege Escalation
  • Privilege escalation can be the result of an
    error on an administrator's part in assigning too
    high a permission set to a user, but it's more
    often associated with bugs left in software.
  • Cheat codes in video games.

28
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

29
OSI vs TCP/IP
30
TCP/IP model
  • Network Access: OSI layers 1 and 2, defines LAN
    communication (what do I mean by that?)
  • Network: OSI layer 3, defines addressing and
    routing
  • Transport/Host-to-Host: OSI layers 4 and 5,
    defines a communication session between two
    applications on one or two hosts
  • Application: OSI layers 6 and 7, the application
    data that is being sent across a network

31
Network Access Layer
  • Maps to Layer 1 and 2 of the OSI model
  • The Level that a Network Interface Card Works on
  • Source and Destination MAC addresses are used
    defining communications endpoints
  • Protocols include
  • Ethernet
  • Token Ring
  • FDDI

32
Network Layer
  • Routing, IP addressing, and packaging
  • Internet Protocol (IP) is a routable protocol,
    and it's responsible for
  • IP addressing
  • fragmenting and reassembling message packets
  • only routing information; it doesn't verify it
    for accuracy (accuracy checking is the
    responsibility of TCP)

33
Host-to-Host or Transport Layer
  • Maps to layer 4 and 5 of the OSI model
  • Concerned with establishing sessions between two
    applications
  • Source and destination endpoints are defined by
    port numbers
  • The two transport protocols in TCP/IP are TCP and
    UDP

34
TCP Transmission Control Protocol
  • Connection-oriented, guaranteed delivery
  • Advantages
  • Easier to program with
  • Truly implements a session
  • Adds some security: the three-way handshake
    means a blind spoofer must guess the server's
    sequence number
  • Disadvantages
  • More overhead / slower

35
UDP - User Datagram Protocol
  • Connectionless, non-guaranteed delivery (best
    effort)
  • Advantages
  • Fast / low overhead
  • Disadvantages
  • Harder to program with
  • No true sessions
  • Less security: no handshake, so source addresses
    are trivially spoofed
  • A pain to firewall (no connection state to track)

36
Application Layer
  • Most programs, such as web browsers, interface
    with TCP/IP at this level
  • Protocols
  • Hypertext Transfer Protocol (HTTP)
  • File Transfer Protocol (FTP)
  • Simple Mail Transfer Protocol (SMTP)
  • Telnet
  • Domain Name System (DNS)
  • Routing Information Protocol (RIP)
  • Post Office Protocol (POP3)

37
Encapsulation
  • Encapsulate
  • to express or show something in a short way
  • to completely cover something with something
    else, especially in order to prevent a substance
    getting out
  • In TCP/IP: each layer wraps the data handed down
    from the layer above inside its own header (and
    sometimes a trailer) before passing it on

38
Modulation
  • To change data from a form to another
  • AM (Amplitude Modulation)
  • FM (Frequency Modulation)
  • PM (Phase Modulation)
  • Keying methods
  • Current State Keying
  • ASK
  • FSK
  • State Transition Keying
  • Phase Shift Keying (PSK)
  • Modulation and Demodulation
  • Used in modems and other physical-layer
    transmitters to carry digital data over an
    analog medium

39
Recognizing TCP/IP Attacks
  • Port Mirroring
  • Sniffing the Network
  • TCP Attacks

40
Port Mirroring
41
Sniffers
  • A device that captures and displays network
    traffic

42
TCP SYN or TCP ACK Flood Attack
  • The client and server open a connection with a
    three-way handshake of TCP packets
  • The TCP client sends a SYN packet to the server
  • SYN packets tell the server that a connection is
    requested; the server stores a half-open entry
    for it
  • Server responds with a SYN-ACK packet
  • The TCP client sends an ACK packet to complete
    the connection
  • Instead of completing the connection, the
    attacker keeps sending SYN packets (often from
    spoofed sources) and never sends the final ACK,
    so the half-open table fills and real clients
    are refused
  • An ACK flood is a different attack: a storm of
    ACK packets that match no connection, aimed at
    exhausting the server or a stateful firewall
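An added example (not the deck's own material) of the defence that removes the half-open table the flood fills: SYN cookies. The server encodes a time counter, an MSS index and a MAC over the address 4-tuple into its initial sequence number and stores nothing; a client that answers with that value plus one proves it really received the SYN-ACK. The bit layout and MSS table follow the Linux scheme in outline; the secret, addresses and backlog size are assumptions.

```python
import hashlib
import hmac
import random
import struct

SECRET = b"constructed-server-secret"   # assumption: per-boot secret kept by the server
MSS_TABLE = [536, 1220, 1440, 1460]    # MSS values the 3-bit field can encode
DADDR = 0xC0A80001                      # 192.168.0.1, the constructed server address


def _mac24(saddr, daddr, sport, dport, count):
    msg = struct.pack("!IIHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, count):
    """Server ISN layout: 5-bit time counter | 3-bit MSS index | 24-bit MAC over the 4-tuple."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    count &= 0x1F
    return (count << 27) | (idx << 24) | _mac24(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, cookie, now_count):
    """Recover the MSS from a cookie if it is fresh and its MAC matches; None otherwise."""
    count = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    if ((now_count - count) & 0x1F) > 1:           # older than one counter tick: reject
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, count):
        return None
    return MSS_TABLE[idx]


class Listener:
    """A listening socket: classic backlog (state per SYN) or SYN cookies (no state)."""

    def __init__(self, backlog=4, use_cookies=False, daddr=DADDR, dport=80):
        self.backlog, self.use_cookies = backlog, use_cookies
        self.daddr, self.dport = daddr, dport
        self.half_open = {}        # (saddr, sport) -> (isn, mss); stays empty with cookies
        self.established = set()

    def on_syn(self, saddr, sport, mss, count):
        """Return the ISN sent in the SYN-ACK, or None if the SYN had to be dropped."""
        if self.use_cookies:
            return make_cookie(saddr, self.daddr, sport, self.dport, mss, count)
        if len(self.half_open) >= self.backlog:
            return None                            # backlog full: the flood wins
        isn = random.getrandbits(32)
        self.half_open[(saddr, sport)] = (isn, mss)
        return isn

    def on_ack(self, saddr, sport, ack, count):
        """Third handshake packet: complete the connection only if the ACK is genuine."""
        if self.use_cookies:
            cookie = (ack - 1) & 0xFFFFFFFF
            if check_cookie(saddr, self.daddr, sport, self.dport, cookie, count) is None:
                return False
        else:
            entry = self.half_open.pop((saddr, sport), None)
            if entry is None or (entry[0] + 1) & 0xFFFFFFFF != ack:
                return False
        self.established.add((saddr, sport))
        return True
```

The cost of the trick is visible in the code: only the options that fit in the ISN survive (here just an MSS from a small table), which is why kernels enable cookies only once the backlog is under pressure rather than all the time.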

43
TCP SYN or TCP ACK Flood Attack
44
TCP Sequence Number Attack
  • TCP sequence number attacks occur when an
    attacker takes control of one end of a TCP
    session
  • Each time a TCP message is sent, either the
    client or the server generates a sequence number
  • The attacker intercepts the traffic and then
    responds with the sequence number the other end
    expects next, so its packets are accepted as
    part of the original session
  • Used to disrupt or hijack a valid session

45
Wireless Attacks
  • Rogue access points
  • Rogue not behaving in the usual or accepted way
    and often causing trouble
  • Employees often set up home wireless routers for
    convenience at work
  • This allows attackers to bypass all of the
    network security and opens the entire network and
    all users to direct attacks
  • An attacker who can access the network through a
    rogue access point is behind the company's
    firewall
  • Can directly attack all devices on the network

46
Wireless Attacks
47
Wireless Attacks
  • War driving
  • Beaconing
  • At regular intervals, a wireless AP sends a
    beacon frame to announce its presence and to
    provide the necessary information for devices
    that want to join the network
  • Scanning
  • Each wireless device looks for those beacon
    frames
  • Unapproved wireless devices can likewise pick up
    the beaconing RF transmission
  • Formally known as wireless location mapping

48
Wireless Attacks
  • Bluetooth
  • A wireless technology that uses short-range RF
    transmissions
  • Provides for rapid, on-the-fly and ad hoc
    connections between devices
  • Bluesnarfing
  • Stealing data through a Bluetooth connection
  • E-mails, calendars, contact lists, and cell phone
    pictures and videos,

49
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

50
Software Exploitations
  • Database exploitation
  • If a client session can be hijacked or spoofed,
    the attacker can formulate queries against the
    database that disclose unauthorized information.
  • Application exploitation
  • E-mail exploitation
  • Spyware
  • Rather than self-replicating, like viruses and
    worms, spyware is spread to machines by users who
    inadvertently ask for it
  • Rootkits
  • Enables continued privileged access to a
    computer, while actively hiding its presence from
    administrators by subverting standard operating
    system functionality or other applications

51
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

52
Viruses
  • Armored Virus
  • designed to make itself difficult to detect or
    analyze
  • Companion Virus
  • A companion virus does not alter the legitimate
    program; it creates a file with the same name
    and a different filename extension that the
    system runs first (for example .com before .exe)
  • Macro Virus
  • a set of programming instructions in a macro
    language such as VBA that commands an
    application (Word, Excel) to perform illicit
    actions

53
Viruses
  • Multipartite Virus attacks the system in
    multiple ways

54
Viruses
  • Phage Virus
  • Modifies and alters other programs and databases
  • The only way to remove this virus is to reinstall
    the programs that are infected
  • Polymorphic Virus
  • Change form in order to avoid detection
  • Frequently, the virus will encrypt parts of
    itself to avoid detection

55
Viruses
  • Stealth Virus
  • Attempts to avoid detection by masking itself
    from applications

56
Logic Bombs
  • Logic bombs are programs or snippets of code that
    execute when a certain predefined event occurs.

57
Index
  • Attack Strategies
  • Recognizing Common Attacks
  • Identifying TCP/IP Security Concerns
  • Understanding Software Exploitation
  • Surviving Malicious Code
  • Other Attacks and Frauds

58
Null Sessions
  • Connections to a Microsoft Windows 2000 or
    Windows NT computer (the IPC$ share) with a
    blank username and password
  • Attacker can enumerate a lot of data from a
    vulnerable system: users, groups, shares, policy
  • Not a bug that a patch removes; it is default
    behaviour, mitigated by configuration (the
    RestrictAnonymous setting) and by blocking TCP
    139/445 at the perimeter
  • Much less of a problem with modern Windows
    versions, Win XP SP2, Vista, or Windows 7

59
Domain Name Kiting
  • Check kiting
  • A type of fraud that involves the unlawful use of
    checking accounts to gain additional time before
    the fraud is detected
  • Domain Name Kiting
  • Registrars are organizations that are approved by
    ICANN to sell and register Internet domain names
  • A five-day Add Grace Period (AGP) permits
    registrars to delete any newly registered
    Internet domain names and receive a full refund
    of the registration fee

60
Domain Name Kiting
  • Unscrupulous registrars register thousands of
    Internet domain names and then delete them
  • Recently expired domain names are indexed by
    search engines
  • Visitors are directed to a re-registered site
  • Which is usually a single-page Web site with
    paid advertisement links
  • Visitors who click on these links generate money
    for the registrar

61
SNMP (Simple Network Management Protocol)
  • Used to manage switches, routers, and other
    network devices
  • Early versions (SNMPv1 and v2c) send the
    community string, the only "password", in clear
    text and have other security flaws; SNMPv3 adds
    authentication and encryption
  • But the old versions are still commonly used

62
DNS (Domain Name System)
  • DNS is used to resolve domain names like
    www.ccsf.edu to IP addresses like 147.144.1.254
  • DNS has many vulnerabilities
  • It was never designed to be secure

63
DNS Poisoning
64
Local DNS Poisoning
  • Put false entries into the hosts file, which is
    consulted before any DNS query is sent
  • C:\Windows\System32\drivers\etc\hosts

65
DNS Cache Poisoning
  • Attacker sends many spoofed DNS responses, racing
    the real server's answer
  • Target accepts the first one that matches the
    transaction ID (and source port) of its query,
    and caches it
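The race described above, as an added example that is not part of the deck: the probability that one of N forged replies hits the right 16-bit transaction ID, and a seeded simulation of a resolver that accepts the first matching reply, with and without source-port randomization. The ID width is a parameter so the effect is visible with a few thousand trials; the ephemeral port range is an assumption.

```python
import random


def p_success(attempts: int, id_bits: int = 16, port_space: int = 1) -> float:
    """Chance that at least one of `attempts` forged replies matches both ID and source port."""
    space = (2 ** id_bits) * port_space
    return 1 - (1 - 1 / space) ** attempts


def simulate(trials: int, attempts: int, id_bits: int = 16,
             randomize_port: bool = False, seed: int = 1) -> float:
    """Race a resolver with forged replies; return the fraction of lookups that got poisoned."""
    rng = random.Random(seed)
    ports = range(1024, 65536)              # assumed ephemeral port range
    poisoned = 0
    for _ in range(trials):
        txid = rng.getrandbits(id_bits)                      # the resolver's outgoing query
        sport = rng.choice(ports) if randomize_port else 53  # fixed port: nothing to guess
        for _ in range(attempts):                            # the attacker's burst of replies
            guess_id = rng.getrandbits(id_bits)
            guess_port = rng.choice(ports) if randomize_port else 53
            if guess_id == txid and guess_port == sport:
                poisoned += 1                                # first match is cached
                break
    return poisoned / trials
```

With the full 16-bit ID and a fixed port, 65,536 forged replies give the attacker roughly a 63% chance per race, and an attacker who can trigger new queries at will gets as many races as it likes. Adding a random source port multiplies the space by about 64,000, which is why port randomization was the emergency fix before DNSSEC.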

66
Sending Extra DNS Records
67
DNS Transfers
  • Intended to let a new DNS server copy the records
    from an existing one
  • Can be used by attackers to get a list of all the
    machines in a company, like a network diagram
  • Usually blocked by modern DNS servers
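An added example (not from the slides) that shows the exchange: build the AXFR query a secondary name server would send, parse a constructed zone-transfer reply, and pull out the host-to-address map an attacker is after. The zone `example.com` and its records are constructed for the demo; against a real server the same check is `dig axfr <zone> @<nameserver>`, and BIND restricts it with the `allow-transfer` option.

```python
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR, CLASS_IN = 1, 6, 252, 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending with a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """The request a secondary (or an attacker) sends over TCP: one question, QTYPE AXFR."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)


def build_axfr_response(query: bytes, zone: str, hosts) -> bytes:
    """Constructed reply: opening SOA, one A record per host, closing SOA, with name compression."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(hosts) + 2, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)
    zone_ptr = b"\xc0\x0c"                        # pointer to the zone name at offset 12
    soa = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
           + struct.pack("!IIIII", 2024010101, 7200, 3600, 1209600, 300))

    def rr(name: bytes, rtype: int, rdata: bytes) -> bytes:
        return name + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata

    out = header + question + rr(zone_ptr, QTYPE_SOA, soa)
    for host, ip in hosts:
        out += rr(encode_name(host)[:-1] + zone_ptr, QTYPE_A, bytes(int(o) for o in ip.split(".")))
    return out + rr(zone_ptr, QTYPE_SOA, soa)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_records(msg: bytes):
    """Walk the answer section and return (name, type, value) tuples."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                    # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_SOA:
            value = read_name(msg, off - rdlen)[0]  # primary name server (MNAME)
        else:
            value = rdata.hex()
        records.append((name, rtype, value))
    return records


def host_map(msg: bytes) -> dict:
    """What the attacker actually wants: every host name in the zone with its address."""
    return {name: value for name, rtype, value in parse_records(msg) if rtype == QTYPE_A}
```

A transfer is complete only when the SOA that opened it is repeated at the end; a parser that stops at the first A record would miss that and silently accept a truncated zone.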

68
Protection from DNS Attacks
  • Antispyware software will warn you when the hosts
    file is modified
  • Using updated versions of DNS server software
    prevents older DNS attacks against the server
  • But many DNS flaws cannot be patched because they
    are design weaknesses of the protocol itself
  • Eventually switch to DNSSEC (Domain Name System
    Security Extensions), which signs records so a
    forged answer fails validation
  • But DNSSEC is not widely deployed yet, and it has
    its own problems

69
ARP (Address Resolution Protocol)
  • ARP is used to convert IP addresses like
    147.144.1.254 into MAC addresses like
    00-30-48-82-11-34

70
ARP Cache Poisoning
  • Attacker sends many spoofed ARP responses
  • ARP is stateless: the target caches whatever
    reply arrives, solicited or not, so the most
    recent spoofed reply wins
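An added example (not from the slides) showing both the forged frame and the detection: build ARP requests and replies at the byte level, then run an arpwatch-style monitor over a constructed capture that flags replies nobody asked for and IP-to-MAC bindings that change. All MAC and IP addresses are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying a 28-byte ARP packet (constructed traffic for the demo)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac(dst) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)        # Ethernet, IPv4, hlen 6, plen 4, opcode
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    op = struct.unpack("!H", arp[6:8])[0]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": fmt_mac(arp[8:14]), "spa": fmt_ip(arp[14:18]),
            "tha": fmt_mac(arp[18:24]), "tpa": fmt_ip(arp[24:28])}


class ArpWatch:
    """Passive monitor: flags replies nobody asked for and bindings that change."""

    def __init__(self):
        self.table = {}       # ip -> mac as learned from replies
        self.pending = set()  # ips a request has been seen for and not yet answered
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["tpa"])
            return
        if p["op"] != ARP_REPLY:
            return
        ip, mac = p["spa"], p["sha"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(("unsolicited-reply", ip, None, mac))
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("binding-changed", ip, old, mac))
        self.table[ip] = mac


# Constructed capture: a normal request/reply for the gateway, then an attacker's forged reply.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:01", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "00:11:22:33:44:fe", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "10.0.0.1", "00:11:22:33:44:01", "10.0.0.5"),
]


def run(frames=SAMPLE_FRAMES) -> list:
    """Feed a capture through the monitor and return its alerts."""
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts
```

A host's own stack would quietly overwrite its cache on the third frame; the monitor is what turns that silent overwrite into an event. Static ARP entries for the gateway, or Dynamic ARP Inspection on the switch, are the preventive counterparts.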

71
Results of ARP Poisoning Attacks