Cyber and Network Security

UNIT-III

Tools and Methods used in cybercrime:

Cybercrime Attack Types

Cybercrime can attack in various ways. Here, is some most common cybercrime attack mode:

Hacking: It is an act of gaining unauthorized access to a computer system or network.

Denial of Service Attack: In this cyber-attack, the cyber-criminal uses the bandwidth of the victim‘s
network or fills their e-mail box with spam mail. Here, the intention is to disrupt their regular services.

Software Piracy: Theft of software by illegally copying genuine programs or counterfeiting. It also
includes the distribution of products intended to pass for the original.

Phishing: Phishing is a technique of extracting confidential information from the bank/financial

institutional account holders by illegal ways.

Spoofing: It is an act of getting one computer system or a network to pretend to have the identity of
another computer. It is mostly used to get access to exclusive privileges enjoyed by that network or
computer.

Cyber Crime Tools

There are many types of Digital forensic tools

Kali Linux: Kali Linux is open-source software that is maintained and funded by Offensive Security. It
is a specially designed program for digital forensics and penetration testing.

Ophcrack: This tool is mainly used for cracking the hashes, which are generated by the same files of
windows. It offers a secure GUI system and allows you to runs on multiple platforms.

EnCase:This software allows an investigator to image and examine data from hard disks and removable
disks.

SafeBack: SafeBack is mainly using for imaging the hard disks of Intel-based computer systems and
restoring these images to some other hard disks.

Data dumper: This is a command-line computer forensic tool. It is freely available for the UNIX
Operating system, which can make exact copies of disks suitable for digital forensic analysis.

Md5sum: A tool to check helps you to check data is copied to storage successfully or not.

BTIT 603 Page 1

 Cyber and Network Security

Summary:

 Cybercrime is an unlawful action against any person using a computer, its systems, and its online
or offline applications.
 The fraud did by manipulating computer network is an example of Cybercrime
 Various types of Cyber-crime attack modes are

1) Hacking 2) Denial Of Service Attack 3) Software Piracy 4) Phishing 5) Spoofing.

 Some important tool use for preventing cyber-attack are

1)Kali Linux, 2) Ophcrack, 3) EnCase, 4) SafeBack, 5) Data Dumber

 Kali Linux is an open-source software that is maintained and funded by Offensive Security.
 Ophcrack is a tool that is mainly used for cracking the hashes, which are generated by the same
files of windows.
 EnCase tool allows an investigator to image and examine data from hard disks and removable
disks
 SafeBack is mainly using for imaging the hard disks of Intel-based computer systems and
restoring these images to some other hard disks.
 Data dumper is a command-line computer forensic tool.
 Md5sum is a helps you to check data is copied to storage successfully or not.

Proxy server and Anonymizer

Proxy Server

It is a server (a computer system or an application) that acts as an intermediary for requests from clients
seeking resources from other servers. A client connects to the proxy server, requesting some service,
such as a file, connection, web page, or other resource available from a different server and the proxy
server evaluates the request as a way to simplify and control its complexity. Proxies were invented to
add structure and encapsulation to distributed systems. Today, most proxies are web proxies, facilitating
access to content on the World Wide Web and providing anonymity.

Types of proxy –
 A proxy server may reside on the user‘s local computer, or at various points between the user‘s
computer and destination servers on the Internet.
 A proxy server that passes requests and responses unmodified is usually called a gateway or
sometimes a tunnelling proxy.
 A forward proxy is an Internet-facing proxy used to retrieve from a wide range of sources (in
most cases anywhere on the Internet).
 A reverse proxy is usually an Internet-facing proxy used as a front-end to control and protect
access to a server on a private network. A reverse proxy commonly also performs tasks such as
load-balancing, authentication, decryption or caching.

Open proxies – An open proxy is a forwarding proxy server that is accessible by any Internet
user. Gordon Lyon estimates there are ―hundreds of thousands‖ of open proxies on the Internet.

BTIT 603 Page 2

 Cyber and Network Security

An anonymous open proxy allows users to conceal their IP address while browsing the Web or
using other Internet services. There are varying degrees of anonymity however, as well as a
number of methods of ‗tricking‘ the client into revealing itself regardless of the proxy being
used.

Reverse proxies – A reverse proxy (or surrogate) is a proxy server that appears to clients to be
an ordinary server. Requests are forwarded to one or more proxy servers which handle the
request. The response from the proxy server is returned as if it came directly from the original
server, leaving the client no knowledge of the origin servers. Reverse proxies are installed in the
neighbourhood of one or more web servers. All traffic coming from the Internet and with a
destination of one of the neighbourhood‘s web servers goes through the proxy server. The use of
―reverse‖ originates in its counterpart ―forward proxy‖ since the reverse proxy sits closer to the
web server and serves only a restricted set of websites.
There are several reasons for installing reverse proxy servers.

Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often
not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration
hardware. See Secure Sockets Layer. Furthermore, a host can provide a single ―SSL proxy‖ to
provide SSL encryption for an arbitrary number of hosts; removing the need for a separate SSL
Server Certificate for each host, with the downside that all hosts behind the SSL proxy have to
share a common DNS name or IP address for SSL connections. This problem can partly be
overcome by using the SubjectAltName feature of X. 509 certificates.

Load balancing: the reverse proxy can distribute the load to several web servers, each web
server serving its own application area. In such a case, the reverse proxy may need to rewrite the
URLs in each web page (translation from externally known URLs to the internal locations).
Serve/cache static content: A reverse proxy can offload the web servers by caching static content
like pictures and other static graphical content.

Compression: the proxy server can optimize and compress the content to speed up the load
time.

Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the
content the web server sent and slowly ―spoon feeding‖ it to the client. This especially benefits
dynamically generated pages.

Security: the proxy server is an additional layer of defence and can protect against some OS and
Web Server specific attacks. However, it does not provide any protection from attacks against
the web application or service itself, which is generally considered the larger threat.

Extranet Publishing: a reverse proxy server facing the Internet can be used to communicate to a
firewall server internal to an organization, providing extranet access to some functions while
keeping the servers behind the firewalls. If used in this way, security measures should be
considered to protect the rest of your infrastructure in case this server is compromised, as its web
application is exposed to attack from the Internet.
If the destination server filters content based on the origin of the request, the use of a proxy can
circumvent this filter. For example, a server using IP-based geolocation to restrict its service to a

BTIT 603 Page 3

 Cyber and Network Security

certain country can be accessed using a proxy located in that country to access the service.
Web proxies are the most common means of bypassing government censorship, although no
more than 3% of Internet users use any circumvention tools. In some cases users can circumvent
proxies which filter using blacklists using services designed to proxy information from a non-
blacklisted location.
Proxies can be installed in order to eavesdrop upon the data-flow between client machines and
the web. All content sent or accessed – including passwords submitted and cookies used – can be
captured and analysed by the proxy operator. For this reason, passwords to online services (such
as webmail and banking) should always be exchanged over a cryptographically secured
connection, such as SSL. By chaining proxies which do not reveal data about the original
requester, it is possible to obfuscate activities from the eyes of the user‘s destination. However,
more traces will be left on the intermediate hops, which could be used or offered up to trace the
user‘s activities. If the policies and administrators of these other proxies are unknown, the user
may fall victim to a false sense of security just because those details are out of sight and mind. In
what is more of an inconvenience than a risk, proxy users may find themselves being blocked
from certain Web sites, as numerous forums and Web sites block IP addresses from proxies
known to have spammed or trolled the site. Proxy bouncing can be used to maintain your
privacy.

Anonymizer
An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet
untraceable. It is a proxy server computer that acts as an intermediary and privacy shield
between a client computer and the rest of the Internet. It accesses the Internet on the user‘s
behalf, protecting personal information by hiding the client computer‘s identifying information.
There are many reasons for using anonymizers. Anonymizers help minimize risk. They can be
used to prevent identity theft, or to protect search histories from public disclosure. Some
countries apply heavy censorship on the internet. Anonymizers can help in allowing free access
to all of the internet content, but cannot help against persecution for accessing the Anonymizer
website itself. Furthermore, as information itself about Anonymizer websites are banned in these
countries, users are wary that they may be falling into a government-set trap.
Anonymizers are also used by people who wish to receive objective information with the
growing target marketing on the internet and targeted information. For example, large news
outlets such as CNN target the viewer‘s according to region and give different information to
different populations. Websites such as YouTube obtain information about the last videos
viewed on a computer, and propose ―recommended‖ videos accordingly, and most of the online
targeted marketing is done by showing advertisements according to that region. Anonymizers are
used for avoiding this kind of targeting and getting a more objective view of information.

Types
Protocol specific anonymizers – Sometimes anonymizers are implemented to work only with
one particular protocol. The advantage is that no extra software is needed. The operation occurs
in this manner: A connection is made by the user to the anonymizer. Commands to the
anonymizer are included inside a typical message. The anonymizer then makes a connection to
the resource specified by the inbound command and relays the message with the command
stripped out. An example of a protocol-specific anonymizer is an anonymous remailer for e-mail.
Also of note are web proxies and bouncers for FTP and IRC.

BTIT 603 Page 4

 Cyber and Network Security

Protocol independent anonymizers – Protocol independence can be achieved by creating a

tunnel to an anonymizer. The technology to do so varies. Protocols used by anonymizer services
may include SOCKS, PPTP, or OpenVPN. In this case either the desired application must
support the tunnelling protocol, or a piece of software must be installed to force all connections
through the tunnel. Web browsers, FTP and IRC clients often support SOCKS for example,
unlike telnet.

Phishing and identity theft

A phishing attack is when someone deliberately tries to obtain your username and password to use them
in a malicious way. These individuals want your username and password to send spam or more seriously
infiltrate the University‘s network. Do not be tricked into giving away your username or password.

Most phishing is conducted by email. Some attacks are pretty obvious. For example, "Your mail box is
over quota, please reply to this email including your username and password to get more quota". Or you
may be provided with a ‗link‘ in an email that takes you to a form that asks for your username and
password.

Protect your Password

 You will never be asked for your password by University staff - all such requests are fraudulent.
 Never send your password in an email.

We do not enforce email quotas

 We will never tell you that your "email is almost full" or "you have reached your quota".

Be suspicious of

 Any email that requires "immediate action" or creates a sense of urgency.

 Emails addressed to "Dear Customer" or some other generic salutation.
 Grammatical errors or spelling mistakes.
 Any link in an unsolicited email and be even more suspicious if that link asks you to login with
your username and password. If there is any doubt, do not login and contact the IC Helpdesk (students)
or the ITS Service desk (staff).

Example of phishing email

As an example of a phishing email, a number of students received an email claiming to be from 'EC
Mail management', with the subject line 'Notification'. The text of the mail is as follows:

A few characteristics give away that this is a good example of a phishing email. They are:

BTIT 603 Page 5

 Cyber and Network Security

1. The recipient is addressed as 'Dear User'. This email is sent by someone who has no idea who
you are. The University, when it sends email to students, will know who you are, and will not use a
'Dear User' instead of your name.
2. Incorrect capitals in the first sentence, the phrase 'Very Important' is capitalised and placed just
before the 'Click here' link to provide a sense of urgency to click the link.
3. The University does not need you to click on links to enable 'mail management and Virus
Scanning'.
4. Spelling errors. The space between 'terminated' and 'in' is missing.
5. The use of phrases like 'failure to adhere to our urgent notice' is pretty characteristic of a
phishing attempt.
6. The mail is not signed by a person.

What is identity theft?

Identity theft is when someone pretends to be someone else by assuming that person's identity, usually
to gain access to resources such as your username, password, credit card and banking data.

There are a number of ways to do this from impersonating someone over the phone, stealing credentials
through phishing to searching through your rubbish.

You can protect yourself by:

 Being alert to phishing attacks.

 Never sending credit card details over insecure channels such as email.
 Securing your desktop and mobile devices.
 Protecting sensitive data when disposing of computer equipment.

BTIT 603 Page 6

 Cyber and Network Security

Password Cracking

Password cracking (also called, password hacking) is an attack vector that involves hackers attempting
to crack or determine a password. Password hacking uses a variety of programmatic techniques and
automation using specialized tools. These password cracking tools may be referred to as ‗password
crackers‘. Credentials can also be stolen via other tactics, such as by memory-scraping malware, and
tools like Redline password stealer, which has been part of the attack chain in the recent, high-
profile Lapsus$ ransom ware attacks.

A password can refer to any string of characters or secret to authenticate an authorized user to a
resource. Passwords are typically paired with a username or other mechanism to provide proof of
identity.

Credentials are involved in most breaches today. Forrester Research has estimated that compromised
privileged credentials are involved in about 80% of breaches. When a compromised account has
privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and
crack other passwords. This is why highly privileged credentials are the most important of all
credentials to protect.

Common Password-Cracking Techniques

1. Brute Force Attack

In a brute-force attack, the attacker tries to crack the password by submitting various combinations until
the correct one is found. The attacker uses software to make this process automated and run exhaustive
combinations of passwords in significantly less amount of time. In the past few years, such software
have been invigorated with the advancement in hardware and technology. In 2012, a password-cracking
expert unveiled a computer cluster that can guess 350 billion combinations per second — and could
crack any standard Windows password in less than 6 hours.

Now, that might make our flesh crawl but the good thing is this method is effective when it comes to
guessing short passwords. As per NIST, 80-bit passwords are capable to resist the brute force attack.
Thus, creating long passwords with phrases, numerics and values make it difficult and time-consuming
to crack.

2. Dictionary Attack

This password-cracking technique ‗dictionary attack‘ gets its name for a reason. In this method, the
hacker systematically enters every word in the dictionary to crack the password. This is a type of brute
force attack but instead of submitting various combinations of symbols, numbers and words, this
method only uses words that could be found in a dictionary.

The reason why this method can effectively crack the passwords is users‘ negligence towards creating a
strong password. UK‘s National Cyber Security Centre (NCSC) conducted a survey to analyze the
accounts whose passwords were compromised. And as per the survey these accounts used silly common
passwords, person‘s names, names of bands, names of football clubs and dictionary words.

BTIT 603 Page 7

 Cyber and Network Security

So if you are using a dictionary word as a password to sign in, there are chances your account is prone
to be compromised.

However, you can be immune to a dictionary attack by using a combination of random dictionary words
— such as ‗GreenElephantTowerStone’. As well as it‘s best to combine it with numbers and characters
for higher complexity and better security.

3. Rainbow Table Attack

When your passwords are stored on the server they are encrypted into meaningless strings of characters

instead of storing as a plain text. This process is called hashing and it prevents your password from

being misused. Whenever you enter your password to log in, it is converted into a hash value and
compared with the previously stored one. And if the values match, you are logged into the system.

Now, since the passwords are converted into hashes, the hackers try to gain authentication by cracking

the password hash. And they do it by using a Rainbow table — a list of pre-computed hashes of possible

password combinations. The hackers can look up to the rainbow table to crack the hash resulting in
cracking your password.

Thus, it finds password hash from the database and eliminates the need to crack it. And further, it
doesn‘t require to find the password itself. If the hash matches, the breach is successful.

Rainbow table attack can be prevented by using different techniques including salt technique — which

is adding random data to the passwords before hashing it.

4. Social Engineering

While the above password-cracking techniques use technical vulnerabilities, social engineering takes

advantage of human errors and psychology. To put it simply social engineering is an act of manipulating
the victim to gain confidential information such as bank information or passwords.

The reason why this method is quite prevalent among cybercriminals is that they know humans are the

doorway to access the important credential and information. And through social engineering, they use

BTIT 603 Page 8

 Cyber and Network Security

tried and tested methods to exploit and manipulate ages-old human instincts, instead of finding new
ways to break-in secure and advanced technology.

For example, it can be much easier to trick someone to share their password rather than trying to crack

it. In fact, as per KnowBe4, a company providing security awareness training, 97% of the

cybercriminals targets through Social Engineering.

5. Phishing

Phishing is a type of social engineering used by cybercriminals to trick the users and acquire their
sensitive information which is then used for cybercrimes such as financial breaches and data theft.

There are varied types of phishing — email spoofing, URL spoofing, website spoofing, smishing,
vishing and more. The most common ones are done through email, phone and SMS.

In any of these types, the attacker masquerades as someone from a legit organization and creates a sense

of curiosity, fear or urgency in the victims and tries to deceive them to provide sensitive information
such as — identification information, financial and banking details, passwords and more.

An example can be a Phishing email informing the victim about a blocked credit card and creating a

sense of urgency prompting you to login in to unblock it. Such email contains links to fake websites that

resemble as legit but are used as a ploy. Once you click on the link and enter the credentials they now

have access to it. So it‘s essential to recognize and differentiate the illegitimate ones to save yourself
from a Phishing catastrophe.

Some of the signs that you can recognize phishing are: too good to be true type of offers, generic email

greeting, emails from unusual senders with hyperlinks and attachments, sweepstake, lottery, unrealistic
or free prizes.

Keylogger and spyware

Keylogger

BTIT 603 Page 9

 Cyber and Network Security

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or
logging) the keys struck on a keyboard, typically in a covert manner so that the person using the
keyboard is unaware that their actions are being monitored.

It has the capability to record every keystroke you make to a log file, usually encrypted. A keylogger
recorder can record instant messages, e-mail, and any information you type at any time using your
keyboard. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger
programs will also record any e-mail addresses you use and Web site URLs you visit.

Legitimate programs may have a keylogging function which can be used to call certain program
functions using ―hotkeys,‖ or to toggle between keyboard layouts (e.g. Keyboard Ninja). There is a lot
of legitimate software which is designed to allow administrators to track what employees do throughout
the day, or to allow users to track the activity of third parties on their computers. However, the ethical
boundary between justified monitoring and espionage is a fine line. Legitimate software is often used
deliberately to steal confidential user information such as passwords.

Most modern keyloggers are considered to be legitimate software or hardware and are sold on the open
market. Developers and vendors offer a long list of cases in which it would be legal and appropriate to
use keyloggers, including:

 Parental control: parents can track what their children do on the Internet, and can opt to be
notified if there are any attempts to access websites containing adult or otherwise inappropriate
content;
 Jealous spouses or partners can use a keylogger to track the actions of their better half on the
Internet if they suspect them of ―virtual cheating‖;
 Company security: tracking the use of computers for non-work-related purposes, or the use of
workstations after hours;
 Company security: using keyloggers to track the input of key words and phrases associated with
commercial information which could damage the company (materially or otherwise) if disclosed;
 Other security (e.g. law enforcement): using keylogger records to analyze and track incidents
linked to the use of personal computers;
 Other reasons.

Spyware
 Spyware is software that aims to gather information about a person or organization without their
knowledge and that may send such information to another entity without the consumer‘s
consent, or that asserts control over a computer without the consumer‘s knowledge.
 ―Spyware‖ is mostly classified into four types: system monitors, trojans, adware, and tracking
cookies. Spyware is mostly used for the purposes of tracking and storing Internet users‘
movements on the Web and serving up pop-up ads to Internet users.
 Whenever spyware is used for malicious purposes, its presence is typically hidden from the user
and can be difficult to detect.

Viruses and Worms:

1. Worms: Worms is similar to virus but it does not modify the program. It replicate itself more and
more to cause slow down the computer system. Worms can be controlled by remote. The main

BTIT 603 Page 10

 Cyber and Network Security

objective of worms to eat the system resources.

2. Virus: A virus is a malicious executable code attached to another executable file which can be
harmless or can modify or delete data. When the computer program runs attached with virus it
perform some action such as deleting a file from the computer system. Virus can‘t be controlled by
remote.

Difference between Worms and Virus:

S.No. WORMS VIRUS
A Worm is a form of malware that replicates A Virus is a malicious executable code attached
1. itself and can spread to different computers via to another executable file which can be harmless
Network. or can modify or delete data.
The main objective of worms to eat the system The main objective of virus is to modify the
2.
resources. information.
It doesn‘t need a host to replicate from one
3. It require host is needed for spreading.
computer to another.
4. It is less harmful as compared. It is more harmful.
Worms can be detected and removed by the Antivirus software are used for protection against
5.
Antivirus and firewall. viruses.
6. Worms can be controlled by remote. Virus can‘t be controlled by remote.
7. Worms are executed via weaknesses in system. Viruses are executed via executable files.
Morris Worm, Storm Worm and SQL Slammer Resident and Non -resident viruses are two types
8.
are some of the examples of worms. of Virus.
9. It does not needs human action to replicate. It needs human action to replicate.
10. Its spreading speed is faster. Its spreading speed is slower as compared.

Trojan and backdoors

A Trojan horse or Trojan is a type of malware that is often disguised as legitimate software.
Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
Users are typically tricked by some form of social engineering into loading and executing Trojans on
their systems.
Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain
backdoor access to your system. These actions can include:
 Deleting data
 Blocking data
 Modifying data
 Copying data
 Disrupting the performance of computers or computer networks
Unlike computer viruses and worms, Trojans are not able to self-replicate.


Trojan and its impact

Backdoor - A backdoor Trojan gives malicious users remote control over the infected computer. They
enable the author to do anything they wish on the infected computer – including sending, receiving,
launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often
used to unite a group of victim computers to form a botnet or zombie network that can be used for

BTIT 603 Page 11

 Cyber and Network Security

criminal purposes.
Exploit - are programs that contain data or code that takes advantage of vulnerability within application
software that‘s running on your computer.
Rootkit - are designed to conceal certain objects or activities in your system. Often their main purpose
is to prevent malicious programs being detected – in order to extend the period in which programs can
run on an infected computer.
Trojan-Banker - programs are designed to steal your account data for online banking systems, e-
payment systems and credit or debit cards.
Trojan-Downloader - can download and install new versions of malicious programs onto your
computer – including Trojans and adware.

Protection against Trojan

Here are some dos and don‘ts to help protect against Trojan malware. First, the dos:
Computer security begins with installing and running an internet security suite. Run periodic diagnostic
scans with your software. You can set it up so the program runs scans automatically during regular
intervals.
Update your operating system‘s software as soon as updates are made available from the software
company. Cybercriminals tend to exploit security holes in outdated software programs. In addition to
operating system updates, you should also check for updates on other software that you use on your
computer.
Protect your accounts with complex, unique passwords. Create a unique password for each account
using a complex combination of letters, numbers, and symbols.
Keep your personal information safe with firewalls.
Back up your files regularly. If a Trojan infects your computer, this will help you to restore your data.
Be careful with email attachments. To help stay safe, scan an email attachment first.

A lot of things you should do come with a corresponding thing not to do — like, do be careful with email
attachments and don‘t click on suspicious email attachments. Here are some more don‘ts.
Don‘t visit unsafe websites. Some internet security software will alert you that you‘re about to visit an
unsafe site, such as Norton Safe Web.
Don‘t open a link in an email unless you‘re confident it comes from a legitimate source. In general,
avoid opening unsolicited emails from senders you don‘t know.
Don‘t download or install programs if you don‘t have complete trust in the publisher.
Don‘t click on pop-up windows that promise free programs that perform useful tasks.
Don‘t ever open a link in an email unless you know exactly what it is.

Steganography DoS and DDoS attack:

Steganography is, broadly, a type of covert communication involving the use of any medium to hide messages.
Steganography is a relatively old technique of hiding ‗secret‘ data in plain sight to avoid detection. Seeing a
resurgence of late, bad actors are taking advantage of steganography to circumnavigate cybersecurity,
distribute malware, and secure a wider presence with less effort.Steganography doesn‘t just encode a message but
instead hides the fact that there is any message at all. This was, in its simplest form, practiced in ancient Greece.
According to the historian Herodotus, Histiaeus (a tyrant and ruler of Miletus in the late 6th century BCE) shaved
the head of one of his servants and tattooed a message onto their scalp. After the servant‘s hair grew back and
they reached the message recipient, the receiver shaved the servant‘s scalp again to read the message. The first

BTIT 603 Page 12

 Cyber and Network Security

formally recorded use of the term was in 1499 by Johannes Trithemius in his disquisition on cryptography and
steganography, The Steganographia, itself disguised as a book about magic.

DOS Attack

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e., employees, members, or account holders) of the service or resource they expected.
Victims of DoS attacks often target web servers of high-profile organizations such as banking,
commerce, and media companies, or government and trade organizations. Though DoS attacks do not
typically result in the theft or loss of significant information or other assets, they can cost the victim a
great deal of time and money to handle.
A denial-of-service (DoS) attack is a type of cyber-attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal
functioning.
DoS attacks typically function by overwhelming or flooding a targeted machine with requests until
normal traffic is unable to be processed, resulting in denial-of-service to addition users.
A DoS attack is characterized by using a single computer to launch the attack.

There are two general methods of DoS attacks: flooding services or crashing services.
Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow
down and eventually stop.
Popular flood attacks include:
Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a
network address than the programmers have built the system to handle. It includes the attacks listed
below, in addition to others that are designed to exploit bugs specific to certain applications or
networks
ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every
computer on the targeted network, instead of just one specific machine. The network is then triggered
to amplify the traffic. This attack is also known as the smurf attack or ping of death.
SYN flood – sends a request to connect to a server, but never completes the handshake. Continues until
all open ports are saturated with requests and none are available for legitimate users to connect to.

Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these
attacks, input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize
the system, so that it can‘t be accessed or used.

Protection from DoS attack

A general rule: The earlier you can identify an attack-in-progress, the quicker you can contain the damage.
Here are some things you can do.
Method 1: Get help recognizing attacks - Companies often use technology or anti-DDoS services to
help defend themselves. These can help you recognize between legitimate spikes in network traffic and
a DDoS attack.
Method 2: Contact your Internet Service provider - If you find your company is under attack, you
should notify your Internet Service Provider as soon as possible to determine if your traffic can be
rerouted. Having a backup ISP is a good idea, too. Also, consider services that can disperse the massive

BTIT 603 Page 13

 Cyber and Network Security

DDoS traffic among a network of servers. That can help render an attack ineffective.
Method 3: Investigate black hole routing - Internet service providers can use ―black hole routing.‖ It
directs excessive traffic into a null route, sometimes referred to as a black hole. This can help prevent
the targeted website or network from crashing. The drawback is that both legitimate and illegitimate
traffic is rerouted in the same way.
Method 4: Configure firewalls and routers - Firewalls and routers should be configured to reject bogus
traffic. Remember to keep your routers and firewalls updated with the latest security patches.
Method 5: Consider front-end hardware - Application front-end hardware that‘s integrated into the
network before traffic reaches a server can help analyze and screen data packets. The hardware
classifies the data as priority, regular, or dangerous as they enter a system. It can also help block
threatening data.

DDOS Attack

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding infrastructure with a
flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of
attack traffic. Exploited machines can include computers and other networked resources such as IoT
devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing
regular traffic from arriving at its destination.

Working

DDoS attacks are carried out with networks of Internet-connected machines.

These networks consist of computers and other devices (such as IoT devices) which have been infected
with malware, allowing them to be controlled remotely by an attacker. These individual devices are
referred to as bots (or zombies), and a group of bots is called a botnet.
Once a botnet has been established, the attacker is able to direct an attack by sending remote
instructions to each bot.
When a victim‘s server or network is targeted by the botnet, each bot sends requests to the target‘s IP
address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-
service to normal traffic.
Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can be
difficult.

Identification of DDOS Attack

The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But
since a number of causes — such a legitimate spike in traffic — can create similar performance issues, further
investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a
DDoS attack:
Suspicious amounts of traffic originating from a single IP address or IP range
A flood of traffic from users who share a single behavioral profile, such as device type, geo-location, or
web browser version
An unexplained surge in requests to a single page or endpoint
Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g. a
spike every 10 minutes)

BTIT 603 Page 14

 Cyber and Network Security

Types of DDOS attack

Application layer attacks - Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th
layer of the OSI model), the goal of these attacks is to exhaust the target‘s resources to create a denial-
of-service. The attacks target the layer where web pages are generated on the server and delivered in
response to HTTP requests. A single HTTP request is computationally cheap to execute on the client
side, but it can be expensive for the target server to respond to, as the server often loads multiple files
and runs database queries in order to create a web page. Layer 7 attacks are difficult to defend against,
since it can be hard to differentiate malicious traffic from legitimate traffic.
Protocol attacks - also known as state-exhaustion attacks, cause a service disruption by over-
consuming server resources and/or the resources of network equipment like firewalls and load
balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the
target inaccessible.
Volumetric attacks - This category of attacks attempts to create congestion by consuming all available
bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by
using a form of amplification or another means of creating massive traffic, such as requests from a
botnet.
Fragmentation Attacks - are another common form of a DDoS attack. The cybercriminal exploits
vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller
packets, transferred across a network, and then reassembled. In Fragmentation attacks, fake data
packets unable to be reassembled, overwhelm the server.

Protection from DDOS attack

Method 1: Take quick action

Method 2: Configure firewalls and routers
Method 3: Consider artificial intelligence
Method 4: Secure your Internet of Things devices


SQL Injection
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for
backend database manipulation to access information that was not intended to be displayed. This
information may include any number of items, including sensitive company data, user lists or private
customer details.
The impact SQL injection can have on a business is far-reaching.
A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and,
in certain cases, the attacker gaining administrative rights to a database, all of which are highly
detrimental to a business.
When calculating the potential cost of a SQLi, it‘s important to consider the loss of customer trust
should personal information such as phone numbers, addresses, and credit card details are stolen.
While this vector can be used to attack any SQL database, websites are the most frequent targets.


Types of SQL Injections

SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-
of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data
BTIT 603 Page 15
 Cyber and Network Security

and their damage potential.

In-band SQLi - The attacker uses the same channel of communication to launch their attacks and to gather
their results. In-band SQLi‘s simplicity and efficiency make it one of the most common types of SQLi attack.
There are two sub-variations of this method:
Error-based SQLi—the attacker performs actions that cause the database to produce error messages.
The attacker can potentially use the data provided by these error messages to gather information about
the structure of the database.
Union-based SQLi—this technique takes advantage of the UNION SQL operator, which fuses
multiple select statements generated by the database to get a single HTTP response. This response may
contain data that can be leveraged by the attacker.

Inferential (Blind) SQLi - The attacker sends data payloads to the server and observes the response and
behavior of the server to learn more about its structure. This method is called blind SQLi because the data is
not transferred from the website database to the attacker, thus the attacker cannot see information about the
attack in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to
execute but may be just as harmful. Blind SQL injections can be classified as follows:
Boolean—that attacker sends a SQL query to the database prompting the application to return a result.
The result will vary depending on whether the query is true or false. Based on the result, the
information within the HTTP response will modify or stay unchanged. The attacker can then work out
if the message generated a true or false result.
Time-based—attacker sends a SQL query to the database, which makes the database wait (for a period
in seconds) before it can react. The attacker can see from the time the database takes to respond,
whether a query is true or false. Based on the result, an HTTP response will be generated instantly or
after a waiting period. The attacker can thus work out if the message they used returned true or false,
without relying on data from the database.

Out-of-band SQLi - The attacker can only carry out this form of attack when certain features are enabled on
the database server used by the web application. This form of attack is primarily used as an alternative to the
in-band and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can‘t use the same channel to launch the attack and gather
information, or when a server is too slow or unstable for these actions to be performed. These techniques count
on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.

SQL Injection Prevention Techniques

Input validation - The validation process is aimed at verifying whether or not the type of input
submitted by a user is allowed. Input validation makes sure it is the accepted type, length, format, and
so on. Only the value which passes the validation can be processed. It helps counteract any commands
inserted in the input string.
Parametrized queries - are a means of pre-compiling an SQL statement so that you can then supply
the parameters in order for the statement to be executed. This method makes it possible for the database
to recognize the code and distinguish it from input data.
Stored procedures - require the developer to group one or more SQL statements into a logical unit to
create an execution plan. Subsequent executions allow statements to be automatically parameterized.
Simply put, it is a type of code that can be stored for later and used many times.
Escaping - Always use character-escaping functions for user-supplied input provided by each database
management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL

BTIT 603 Page 16

 Cyber and Network Security

statement provided by the developer.

Avoiding administrative privileges - Don't connect your application to the database using an account
with root access. This should be done only if absolutely needed since the attackers could gain access to
the whole system.
Web application firewall - A WAF operating in front of the web servers monitors the traffic which
goes in and out of the web servers and identifies patterns that constitute a threat. Essentially, it is a
barrier put between the web application and the Internet.

Buffer Overflow
Buffers are memory storage regions that temporarily hold data while it is being transferred from one
location to another.
A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of
the memory buffer. As a result, the program attempting to write the data to the buffer overwrites
adjacent memory locations.
For example, a buffer for log-in credentials may be designed to expect username and password inputs
of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the
program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically result from malformed inputs or failure
to allocate enough space for the buffer. If the transaction overwrites executable code, it can cause the
program to behave unpredictably and generate incorrect results, memory access errors, or crashes.

Buffer overflow example

Buffer Overflow Attack

Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the
execution path of the program, triggering a response that damages files or exposes private information.
For example, an attacker may introduce extra code, sending new instructions to the application to gain
access to IT systems.
If attackers know the memory layout of a program, they can intentionally feed input that the buffer
cannot store, and overwrite areas that hold executable code, replacing it with their own code. For
example, an attacker can overwrite a pointer (an object that points to another area in memory) and point
it to an exploit payload, to gain control over the program.

Types of Buffer Overflow Attacks

Stack-based buffer overflows are more common, and leverage stack memory that only exists during
the execution time of a function.
Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a
program beyond memory used for current runtime operations.

BTIT 603 Page 17

 Cyber and Network Security

Protection against Buffer overflow

Developers can protect against buffer overflow vulnerabilities via security measures in their code, or by using
languages that offer built-in protection.

In addition, modern operating systems have runtime protection. Three common protections are:

Address space randomization (ASLR)—randomly moves around the address space locations of data
regions. Typically, buffer overflow attacks need to know the locality of executable code, and
randomizing address spaces makes this virtually impossible.
Data execution prevention—flags certain areas of memory as non-executable or executable, which
stops an attack from running code in a non-executable region.
Structured exception handler overwrites protection (SEHOP)—helps stop malicious code from
attacking Structured Exception Handling (SEH), a built-in system for managing hardware and software
exceptions. It thus prevents an attacker from being able to make use of the SEH overwrite exploitation
technique. At a functional level, an SEH overwrite is achieved using a stack-based buffer overflow to
overwrite an exception registration record, stored on a thread‘s stack.

Security measures in code and operating system protection are not enough. When an organization discovers
buffer overflow vulnerability, it must react quickly to patch the affected software and make sure that users of the
software can access the patch.

Attack on Wireless Network

Our modern networks are increasingly moving towards wireless technologies. As convenient as they are,
wireless connections have one major drawback – security. Compared to their wired counterparts, securing
wireless technologies poses a bit of an extra challenge.

In a wired network, packets of information are transferred along a physical medium, such as a copper cable or
fiber optics. In a wireless setup, your data is quite literally broadcast through the air around you. Furthermore,
physical access is not required to gain access to a network. What this means is that cyber criminals now have
new ways to wreak havoc on your network infrastructure.

Wireless technologies offer convenient solutions to our needs. They are practical and fast, moreover they set us
free of the clutter caused by wires and cables. On the other hand, it is no secret that wireless networks are more
vulnerable to attacks and intruders.

What is a wireless network attack?

With the widespread use of internet, we are able to conduct our business processes online and without being tied
down by cables and wires. Wireless networks are one of the relatively new technologies brought to our lives by
the internet technologies. They are easy to use, facilitate our business processes and mobilize our businesses. On
the downside, wireless networks are much more vulnerable to attacks and intruders.

Commonly known as wireless network attacks, penetration and intrusion acts that target wireless networks pose
serious threats. Wireless network attacks aim to capture the information sent across the network and/or intrude
with the traffic of information.

Types of Wireless Attacks

BTIT 603 Page 18

 Cyber and Network Security

Wireless Attacks can come at you through different methods. For the most part you need to worry about Wi-Fi.
Some methods rely on tricking users, others use brute force, and some look for people who don‘t bother to secure
their network. Many of these attacks are intertwined with each other in real world use. Here are some of the kinds
of attacks you could encounter:
 Packet Sniffing: When information is sent back and forth over a network, it is sent in what we call packets.
Since wireless traffic is sent over the air, it‘s very easy to capture. Quite a lot of traffic (FTP, HTTP, SNMP,
ect.) is sent in the clear, meaning that there is no encryption and files are in plain text for anyone to read. So
using a tool like Wireshark allows you to read data transfers in plain text! This can lead to stolen passwords or
leaks of sensitive information quite easily. Encrypted data can be captured as well, but it‘s obviously much
harder for an attacker to decipher the encrypted data packets.
 Rouge Access Point: When an unauthorized access point (AP) appears on a network, it is referred to as a rouge
access point. These can pop up from an employee who doesn‘t know better, or a person with ill intent. These
APs represent a vulnerability to the network because they leave it open to a variety of attacks. These include
vulnerability scans for attack preparation, ARP poisoning, packet captures, and Denial of Service attacks.
 Password Theft: When communicating over wireless networks, think of how often you log into a website. You
send passwords out over the network, and if the site doesn‘t use SSL or TLS, that password is sitting in plain
text for an attacker to read. There are even ways to get around those encryption methods to steal the password.
I‘ll talk about this with man in the middle attacks.
 Man in the Middle Attack: It‘s possible for hackers to trick communicating devices into sending their
transmissions to the attacker‘s system. Here they can record the traffic to view later (like in packet sniffing) and
even change the contents of files. Various types of malware can be inserted into these packets, e-mail content
could be changed, or the traffic could be dropped so that communication is blocked.
 Jamming: There are a number of ways to jam a wireless network. One method is flooding an AP with de-
authentication frames. This effectively overwhelms the network and prevents legitimate transmissions from
getting through. This attack is a little unusual because there probably isn‘t anything in it for the hacker. One of
the few examples of how this could benefit someone is through a business jamming their competitors WiFi
signal. This is highly illegal (as are all these attacks), so businesses would tend to shy away from it. If they got
caught they would be facing serious charges.
 War Driving: War driving comes from an old term called war dialing, where people would dial random phone
numbers in search of modems. War driving is basically people driving around looking for vulnerable APs to
attack. People will even use drones to try and hack APs on higher floors of a building. A company that owns
multiple floors around ten stories up might assume nobody is even in range to hack their wireless, but there is
no end to the creativity of hackers!
 Bluetooth Attacks: There are a variety of Bluetooth exploits out there. These range from annoying pop up
messages, to full control over the victims Bluetooth enabled device.
 WEP/WPA Attacks: Attacks on wireless routers can be a huge problem. Older encryption standards are
extremely vulnerable, and it‘s pretty easy to gain the access code in this case. Once someone on your network,
you‘ve lost a significant layer of security. APs and routers are hiding your IP address from the broader Internet
using Network Address Translation (unless you use IPv6 but that‘s a topic for another day). This effectively
hides your private IP address from those outside your subnet, and helps prevent outsiders from being able to
directly attack you. The keyword there is that it helps prevent the attacks, but doesn‘t stop it completely.

Another thing to take note of is that our mobile devices are at risk whenever they connect to public WiFi.
Whether you use a phone, tablet, or laptop; accessing an insecure network is putting a target on your data.
Understand the risks or consider using a VPN.

BTIT 603 Page 19