
Types of Attacks, Hackers’ Motivations and Methods
CS432: Security
Overview
- Access attacks.
- Modification attacks.
- Denial-of-Service attacks.
- Repudiation attacks.
Access Attacks
- An access attack is an attempt to see information that the attacker is not authorized to see.
- Snooping is looking through information files to find something interesting.
- Eavesdropping is when someone listens in on a conversation that they are not a part of.
- Interception is an active attack against the information.
- To access the information on paper, the attacker needs to gain access to that paper.
- Good site security may prevent an outsider from accessing information on paper, but may not prevent an insider from gaining access.
- Correct access permissions will prevent most casual snooping of electronic information.
- Eavesdropping on a transmission can access information in transit.
- A sniffer is a computer that is configured to capture all traffic on a network.
- Wireless networks make sniffing easier.
- Interception attacks are more difficult and more dangerous than simple eavesdropping attacks.
- The attacker must insert his system between the sender and the receiver to intercept information.
- Information can be intercepted on the Internet by causing a name resolution change.
Modification Attacks
- A modification attack is an attempt to modify information that the attacker is not authorized to modify.
- The attacker may change or delete existing information, or insert new information, in a modification attack.
- Modifying electronic information is easier than modifying information on paper.
Denial-of-Service Attacks
- Denial-of-Service (DoS) attacks deny the use of resources, information, or capabilities of a system to legitimate users.
- Denial of access to information causes the information to be unavailable.
- The information may be destroyed, converted into an unusable form, or shifted to an inaccessible location.
- The attacker may target the application that manipulates or displays information.
- If an application is unavailable, the organization cannot perform the tasks done by that application.
- A common type of DoS attack is bringing down computer systems.
- A DoS attack against system communication may range from cutting wires to flooding networks with excessive traffic.
- The system and the information are left untouched, but the lack of communication prevents access to them.
- Information on paper as well as information in electronic form is subject to physical DoS attacks.
- Short-term DoS attacks can be made by simply turning off a system.
- Applications can be rendered unavailable by sending them a pre-defined set of commands that they cannot process properly.
- Accidents can also cause DoS incidents.
Repudiation Attacks
- In a repudiation attack, false information may be given, or a real event or transaction may be denied.
- Electronic information is more susceptible to repudiation attacks than information in physical form.
- Denying an event is easier in the electronic world, as there is no proof to link an individual with the event.
Hacker Techniques: Overview
- Hackers’ motivation.
- Historical hacking techniques.
- Advanced techniques.
- Malicious code.
- Methods used by untargeted hackers.
- Methods used by targeted hackers.
Hacker’s Motivation
- The term “hacker” was originally coined for an individual who could make computers work.
- “Hacker” currently refers to an individual who breaks into computers.
- Studies show that hackers are most often male, between 16 and 35 years old, loners, intelligent, and technically proficient.
- The most common motivation for hacking into computer systems is the challenge of doing so.
- The challenge motivation is usually associated with an untargeted hacker.
- An untargeted hacker is one who hacks just for the fun of it.
- The greed motivation includes the desire for gain in the form of money, goods, services, or information.
- Sites having something of value (software, money, information) are primary targets for hackers motivated by greed.
- Malicious attacks focus on particular targets.
- The hacker motivated by malicious intent aims at damaging the system, not at gaining access to it.
- The risk of a hacker being caught and convicted is low. Hence, the potential gain from hacking is high.
Historical Hacking Techniques
Open sharing:
- When the Internet was originally created, most systems were configured to share information.
- The Network File System (NFS) used by UNIX allowed one computer to mount the drives of another computer across a network.
- Hackers used NFS to read information by mounting remote drives.
- Many operating systems were shipped with the root file system exportable to the world.
- Anyone could mount the system’s root file system and change anything they wanted if the default configuration was not changed.
- Hackers can get into a system with remote access by identifying one user or administrator account on the system.
Weak passwords:
- Weak passwords are the most common method used by hackers to get into systems.
- A two-character password is easier to guess than an eight-character one.
- Easy-to-guess passwords allow hackers quick entry into the system.
Programming flaws and social engineering:
- Hackers have used programming flaws, such as back doors in a program, to access systems that use the program.
- Many shopping Websites store information entered by the buyer in a URL, which can be modified before checking out.
- Social engineering is the use of non-technical means to gain unauthorized access to information or systems.
- The ability to lie and a kind voice are the most powerful tools used by a hacker using the
Buffer overflow:
- A buffer overflow is an attempt to store too much information in an allocated space in a computer’s memory.
- Buffer overflows allow hackers to run a command on the target system.
- A hacker can exploit a buffer overflow to overwrite the return address to point to a new instruction.
Denial-of-Service (DoS):
- DoS attacks are malicious acts to deny legitimate users access to a system, network, application, or information.
- Most DoS attacks originate from fake addresses.
- In a single-source DoS attack, a single system is used to attack another system.
- The SYN flood and the Ping of Death are some of the single-source DoS attacks that have been identified.
Distributed Denial-of-Service (DDoS):
- DDoS attacks originate from a large number of systems.
- Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools.
- A hacker talks to a master or server that has been placed on a compromised system.
- The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system.
The architecture of DDoS attacks.
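Added defender-side example, not part of the lecture: a half-open connection count over constructed TCP segment records, which is how a sensor in front of a server would recognise a SYN flood and, from the number of distinct sources, tell a single-source attack from a distributed one. The addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed client-to-server TCP segment records: (time, src ip, src port,
# dst ip, flags). One normal connection, then 400 SYNs that are never followed
# by the client's ACK. Not captured from a real network.
SEGMENTS = [
    (0.0, "198.51.100.5", 40001, "203.0.113.10", "S"),
    (0.1, "198.51.100.5", 40001, "203.0.113.10", "A"),   # handshake completed
] + [
    (1.0 + i * 0.01, f"192.0.2.{i % 250 + 1}", 50000 + i, "203.0.113.10", "S")
    for i in range(400)                                     # half-open, many sources
]


def half_open_report(segments, window=5.0, threshold=100):
    """Per destination: half-open connections seen within `window` seconds of
    the newest segment, how many distinct sources produced them, and whether
    the count reaches `threshold` (the alert condition)."""
    if not segments:
        return {}
    pending = {}                      # (src, sport, dst) -> time of the SYN
    newest = max(seg[0] for seg in segments)
    for t, src, sport, dst, flags in segments:
        key = (src, sport, dst)
        if "S" in flags and "A" not in flags:
            pending[key] = t          # SYN opens a half-open entry
        elif "A" in flags:
            pending.pop(key, None)    # client's ACK completes the handshake
    per_dst = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, sport, dst), t in pending.items():
        if newest - t <= window:
            per_dst[dst]["half_open"] += 1
            per_dst[dst]["sources"].add(src)
    return {
        dst: {"half_open": v["half_open"],
              "distinct_sources": len(v["sources"]),
              "alert": v["half_open"] >= threshold}
        for dst, v in per_dst.items()
    }
```

A high half-open count from one source points at a single-source flood; the same count spread over hundreds of sources is what the DDoS zombies described above produce, and since the sources may be spoofed, the count itself, not the addresses, is the reliable signal.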
Advanced Techniques
- Sniffing switched networks.
- IP spoofing.
Sniffing Switch Networks
- Hackers use sniffers to gather passwords and other system-related information after a system is compromised.
- On shared-media networks, sniffers use network interface cards (NICs) to access information.
- In a switched environment, the hacker must cause the switch to redirect all traffic to the sniffer, or to send all traffic to all ports.
Redirecting traffic:
- A switch directs traffic to ports based on the Media Access Control (MAC) address of the Ethernet frame.
- The Address Resolution Protocol (ARP) is used to get the MAC address associated with a particular IP address.
- When a system wants to send traffic to another system, it sends an ARP request for the destination IP address.
- A sniffer may respond to an ARP request with its own MAC address, causing traffic to be sent to itself. This is called ARP spoofing.
- The sniffer must forward the traffic to the correct destination, or it will cause a denial of service on the network.
- ARP spoofing is possible only on local subnets, as ARP messages do not go outside the local subnet.
- Duplicating the MAC address of the target system is another way of getting the switch to redirect the traffic to the sniffer.
- In a DNS spoofing attack, a sniffer responds to the sending system’s DNS requests.
- The sniffer’s response provides its own IP address as that of the system being requested.
- DNS spoofing is possible if the sniffer is in the network path from the sending system to the DNS server.
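Added example, not from the lecture: a monitor on the local subnet that flags the two symptoms of the ARP spoofing described above, an IP whose advertised MAC changes and one MAC answering for several IPs. The ARP reply records below are constructed, and the `trusted` baseline is an assumed input.

```python
from collections import defaultdict

# Constructed ARP replies (time, sender IP, sender MAC) as a host on the
# subnet would observe them. The last two are the spoofing symptom. Not real data.
ARP_REPLIES = [
    (1, "10.0.0.1",  "00:11:22:33:44:01"),   # gateway
    (2, "10.0.0.20", "00:11:22:33:44:20"),   # workstation
    (3, "10.0.0.1",  "00:11:22:33:44:01"),   # gateway again, consistent
    (4, "10.0.0.1",  "00:11:22:33:44:99"),   # gateway IP now claimed by another MAC
    (5, "10.0.0.20", "00:11:22:33:44:99"),   # same MAC also claims the workstation IP
]


def detect_arp_spoofing(replies, trusted=None):
    """Return (time, message) alerts.

    The IP -> MAC baseline is taken from `trusted` (assumed to be the
    administrator's known-good table) or learned from the first reply for
    each IP. A later reply mapping a known IP to a different MAC is flagged,
    as is a single MAC that claims more than one IP.
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac                      # learn the baseline
        elif known != mac:
            alerts.append((ts, f"{ip} changed from {known} to {mac}"))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}"))
    return alerts
```

A legitimate DHCP reassignment also changes an IP's MAC, so a production monitor would age out learned entries rather than alert forever; the multiple-IP check is the stronger signal.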
Sending all traffic to all ports:
- When the memory used by switches to store the mappings between MAC addresses and physical ports is full, some switches will fail “open.”
- That means the switch will send all traffic to all ports instead of sending traffic for specific MACs to specific ports.
- Sniffing requires that the hacker have a system on the local switch.
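Added example, not from the lecture: a switch-side check over constructed MAC-learning events that catches both the MAC duplication described under “Redirecting traffic” (a known MAC suddenly learned on a second port) and a single port that learns far more MACs than one host should, the symptom of the table-filling attack just described. Port names and the per-port limit are assumptions.

```python
from collections import defaultdict

# Constructed (port, source MAC) learning events in the order a switch would
# populate its MAC-to-port table. Not taken from a real device.
LEARN_EVENTS = (
    [("Gi1/1", "00:11:22:33:44:01"), ("Gi1/2", "00:11:22:33:44:20")]
    + [("Gi1/2", "00:11:22:33:44:01")]      # gateway's MAC now appears on port 2
    + [("Gi1/7", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}") for i in range(300)]
)                                           # one port sourcing 300 different MACs


def analyse_switch_port_events(events, max_macs_per_port=8):
    """Return MAC moves (mac, old port, new port) and ports whose distinct
    source-MAC count exceeds `max_macs_per_port` (the assumed port-security limit)."""
    mac_port = {}                  # last port each MAC was learned on
    port_macs = defaultdict(set)   # every MAC ever learned on each port
    moves = []
    for port, mac in events:
        prev = mac_port.get(mac)
        if prev is not None and prev != port:
            moves.append((mac, prev, port))   # same MAC, different port: duplication or a real move
        mac_port[mac] = port
        port_macs[port].add(mac)
    flooding = [(p, len(m)) for p, m in port_macs.items() if len(m) > max_macs_per_port]
    return {"mac_moves": moves, "flooding_ports": flooding}
```

Limiting the number of MACs a port may learn (port security on managed switches) is the mitigation that stops the table from ever filling; the check above is what you would run over switch logs when that limit is not in place.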
IP Spoofing
Details of IP spoofing.
Using IP spoofing in the real world.
Malicious Code
Malicious code includes three types of programs:
- Computer viruses.
- Trojan horse programs.
- Worms.
Computer Viruses
- Computer viruses are not structured to exist by themselves.
- Virus code executes when the programs to which it is attached are executed.
- Malicious viruses may delete files or cause systems to become unstable.
- Some viruses just spread themselves to other systems without performing any malicious acts.
Trojan Horse Programs
- A Trojan horse is a complete and self-contained program.
- It hides its malicious intent behind a facade of something useful or interesting.
- Most Trojan horse programs contain a mechanism to spread themselves to new victims.
Worms
- A worm is a program that crawls from system to system without any assistance from its victims.
- The Morris Worm was the first known example of a worm.
- CodeRed and the Slapper Worm are recent examples of worms.
- A hybrid is a combination of two types of malicious code in a single program.
Methods Used by Untargeted Hackers
Internet reconnaissance:
- Untargeted hackers look for any vulnerable system they can find.
- The hacker may perform a stealth scan, sometimes in conjunction with a ping sweep.
- A stealth scan is an attempt to identify systems within an address range.
- A ping sweep is an attempt to ping each address and see if a response is received.
Stealth scanning.
Reset scans.
Telephone and wireless reconnaissance:
- Wardialing is a method of telephone reconnaissance to identify systems that have modems and that answer calls.
- Wardriving and warchalking are methods of wireless reconnaissance.
- An untargeted hacker will use reconnaissance methods to identify systems, looking for systems that may be vulnerable to the available exploits.
Use of compromised systems:
- Hackers normally place a back door entry on compromised systems so they can access them again.
- The back door entries are put together in a rootkit.
- Hackers may close the vulnerabilities they used to gain access, so that no other hacker can gain access to “their” system.
- A compromised system may be used to attack other systems or for reconnaissance purposes.
Methods Used by Targeted Hackers
- A targeted hacker aims at penetrating or damaging a particular organization.
- A targeted hacker is motivated by a desire to gain something the organization has.
- The skill level of targeted hackers tends to be higher than that of untargeted hackers.
Reconnaissance:
- Address reconnaissance is the identification of the address space used by the target organization.
- Addresses can be identified through DNS, the American Registry for Internet Numbers (ARIN), or through text searches at Network Solutions.
- Phone number reconnaissance is inaccurate and more difficult than identifying network addresses.
- The hacker can perform wireless reconnaissance by walking or driving around the organization’s building.
- System reconnaissance is used to identify the existing systems, their operating systems, and their vulnerabilities.
- Ping sweeps, stealth scans, or port scans may be used to identify systems.
- Stealth scans, mail systems, or Web servers may be used to identify the operating system.
- Vulnerabilities can be identified by attacking the system or by examining it for indications of vulnerabilities.
- Vulnerability scanners will provide information, but may alert the target organization to the hacker’s presence.
- The hacker may gain access to the organization through its remote offices.
- Business reconnaissance will help the hacker identify the type of damage that will hurt the target the most.
- Studying the employees of the organization may prove valuable for the purpose of social engineering.
- Targeted hackers use physical reconnaissance extensively.
- Weaknesses in physical security may be used to gain access to the site.
- The hacker may also find information by searching a dumpster if trash and paper to be recycled are dumped into it.
Electronic attack methods:
- The hacker may attempt to hide the attack from the intrusion detection system by breaking the attack into packets.
- The hacker must make the system appear as normal as possible if the attack is successful.
- The hacker will establish back door entries to allow repeated access to a compromised system.
- Systems with remote access control or administration systems are prime targets for attacks via dial-in access.
- The hacker may send a virus or a Trojan horse program to an employee’s home system.
- Wireless networks provide the easiest access path.
- In many cases, the wireless network is part of the organization’s internal network and hence may have fewer security devices.
Physical attack methods:
- Social engineering is the safest physical attack method.
- It may lead to electronic information.
- Checking the dumpster or following an employee into the building are other methods of physical attack.
Summary
- Access attacks occur when an attacker gains information that he or she is not authorized to access.
- Snooping, eavesdropping, and interception are the three types of access attacks.
- Modification attacks are attacks against the integrity of information.
- Denial-of-Service attacks deny legitimate users access to the system, information, or capabilities.
- The attacker may target the information, applications, the system, or the communications media itself in a DoS attack.
- Repudiation is an attack against the accountability of the information.
- A hacker may be motivated by the challenge of breaking in, greed, or malicious intent.
- Open file sharing, weak passwords, programming flaws, and buffer overflows were exploited by hackers to break into systems.
- In social engineering, the hacker uses human nature and the ability to lie to access information.
- In Denial-of-Service attacks, legitimate users are denied access to the system, network, information, or applications.
- In Distributed Denial-of-Service attacks, many systems are coordinated to attack a single target.
- Sniffing switched networks involves getting the switch to either redirect traffic to the sniffer or send all traffic to all ports.
- ARP spoofing, MAC duplication, and DNS spoofing are the three methods of redirecting traffic.
- IP spoofing involves modifying the source address to make the packet appear as if it came from elsewhere.
- Viruses, Trojan horse programs, and worms are the three types of malicious code.
- Untargeted hackers do not aim at accessing particular information or organizations, but look for any system that can be compromised.
- Targeted hackers have a reason for attacking an organization.