Cyber Security
Cybersecurity:
Cybersecurity, or information security, is a broad field that encompasses practices, technologies, and
processes designed to protect computers, networks, programs, and data from unauthorized access,
attacks, damage, or theft. As our dependence on digital technologies continues to grow, so does the
importance of cybersecurity in safeguarding sensitive information and maintaining the functionality of
systems.
Cyber Security proper began in 1972 with a research project on ARPANET (The Advanced Research
Projects Agency Network), a precursor to the internet. ARPANET developed protocols for remote
computer networking.
Types of Cybersecurity:
1. Network Security – Focuses on securing computer networks from unauthorized access, data breaches,
and other network-based threats. It involves technologies such as Firewalls, Intrusion detection
systems (IDS), Virtual private networks (VPNs), and Network segmentation.
• Guard your internal network against outside threats with increased network security.
• We sometimes use free Wi-Fi in public areas such as cafes and malls. On such a network a third
party can start tracking your phone's traffic over the internet, and if you use a payment
gateway your bank account can be emptied.
• So avoid free networks, because a free network does not provide security.
2. Application Security – Concerned with securing software applications and preventing vulnerabilities
that could be exploited by attackers. It involves secure coding practices, regular software updates and
patches, and application-level firewalls.
• Most of the apps that we use on our cell phones are secured and work under the rules and
regulations of the Google Play Store.
• There are 3.553 million applications in Google Play, Apple App Store has 1.642 million, while
Amazon App Store has 483 million available for users to download. Having so many choices
does not mean that all apps are safe.
• Many apps pretend to be safe, but after collecting all our information, the app shares the
user information with third parties.
• Apps must be installed from a trustworthy platform, not from some third-party website in the
form of an APK (Android Application Package).
3. Information or Data Security: Focuses on protecting sensitive information from unauthorized access,
disclosure, alteration, or destruction. It includes Encryption, Access controls, Data classification,
and Data loss prevention (DLP) measures.
• Incident response refers to the process of detecting, analyzing, and responding to security
incidents promptly.
• Promoting security awareness among users is essential for maintaining information security. It
involves educating individuals about common security risks, best practices for handling sensitive
information, and how to identify and respond to potential threats like phishing attacks or social
engineering attempts.
4. Cloud Security – Involves securing data, applications, and infrastructure hosted on cloud platforms,
and ensuring appropriate access controls, data protection, and compliance. It relies on cloud service
providers such as AWS, Azure, Google Cloud, etc., to ensure security against multiple threats.
• Cloud-based data storage has become a popular option over the last decade. It enhances privacy
and saves data in the cloud, making it accessible from any device with proper authentication.
• These platforms are free up to a point; if we want to store more data, we have to pay.
• AWS is also a technology that helps run your business over the internet and provides
security for your data.
5. Mobile Security – Involves securing the organizational and personal data stored on mobile devices
such as cell phones, tablets, and other similar devices against various malicious threats. These threats
include unauthorized access, device loss or theft, malware, etc.
• The mobile phone is the most common device for day-to-day work; almost everything we access and
do is done from a mobile phone, e.g. online classes, personal calls, online banking, UPI payments, etc.
• Regularly backing up mobile device data is important to prevent data loss in case of theft,
damage, or device failure.
• Mobile devices often connect to various networks, including public Wi-Fi, which can pose
security risks. It is important to use secure networks whenever possible, such as encrypted Wi-Fi
networks or cellular data connections.
6. Endpoint Security: Refers to securing individual devices such as computers, laptops, smartphones, and
IoT devices. It includes antivirus software, intrusion prevention systems (IPS), device encryption, and
regular software updates.
• Antivirus and anti-malware software scans for and detects malicious software, such
as viruses, worms, Trojans, and ransomware. These tools identify and eliminate or quarantine
malicious files, protecting the endpoint and the network from potential harm.
• Firewalls are essential components of endpoint security. They monitor and control incoming and
outgoing network traffic, filtering out potentially malicious data packets.
• Keeping software and operating systems up to date with the latest security patches and updates
is crucial for endpoint security.
7. Critical Infrastructure Security –
1. All of the physical and virtual resources, systems, and networks that are necessary for a society's
economy, security, or any combination of the above to run smoothly are referred to as critical
infrastructure. Food and agricultural industries, as well as transportation systems, comprise
critical infrastructure.
2. The infrastructure that is considered important might vary depending on a country’s particular
demands, resources, and level of development, even though crucial infrastructure is comparable
across all nations due to basic living requirements.
3. Industrial control systems (ICS), such as supervisory control and data acquisition (SCADA)
systems, which are used to automate industrial operations in critical infrastructure industries,
are frequently included in critical infrastructure. SCADA and other industrial control system
attacks are very concerning. They have the capacity to seriously undermine critical
infrastructure, including transportation, the supply of oil and gas, electrical grids, water
distribution, and wastewater collection.
4. Due to the links and interdependence between infrastructure systems and sectors, the failure or
blackout of one or more functions could have an immediate, detrimental effect on a number of
sectors.
1. Devices frequently run on old software, leaving them vulnerable to recently identified security
vulnerabilities. This is generally the result of connectivity problems or the requirement for end
users to manually download updates from a C&C center.
2. Manufacturers frequently ship Internet of Things (IoT) devices (such as home routers) with easily
breakable passwords, which may have been left in place by suppliers and end users. These
devices are easy targets for attackers using automated scripts for mass exploitation when they
are left exposed to remote access.
3. APIs are frequently the subject of threats such as Man in the Middle (MITM), code injections
(such as SQLI), and distributed denial of service (DDoS) attacks since they serve as a gateway to a
C&C center.
Importance of Cybersecurity:
1. Protecting Sensitive Data: With the increase in digitalization, data is becoming more and more
valuable. Cybersecurity helps protect sensitive data such as personal information, financial
data, and intellectual property from unauthorized access and theft.
2. Prevention of Cyber Attacks: Cyber-attacks, such as Malware infections, Ransomware, Phishing,
and Distributed Denial of Service (DDoS) attacks, can cause significant disruptions to businesses
and individuals. Effective cybersecurity measures help prevent these attacks, reducing the risk of
data breaches, financial losses, and operational disruptions.
3. Safeguarding Critical Infrastructure: Critical infrastructure, including power grids, transportation
systems, healthcare systems, and communication networks, heavily relies on interconnected
computer systems. Protecting these systems from cyber threats is crucial to ensure the smooth
functioning of essential services and prevent potential disruptions that could impact public
safety and national security.
4. Maintaining Business Continuity: Cyber-attacks can cause significant disruption to businesses,
resulting in lost revenue, damage to reputation, and in some cases, even shutting down the
business. Cybersecurity helps ensure business continuity by preventing or minimizing the impact
of cyber-attacks.
5. Compliance with Regulations: Many industries are subject to strict regulations that require
organizations to protect sensitive data. Failure to comply with these regulations can result in
significant fines and legal action. Cybersecurity helps ensure compliance with regulations such as
HIPAA, GDPR, and PCI DSS.
6. Protecting National Security: Cyber-attacks can be used to compromise national security by
targeting critical infrastructure, government systems, and military installations. Cybersecurity is
critical for protecting national security and preventing cyber warfare.
7. Preserving Privacy: In an era where personal information is increasingly collected, stored, and
shared digitally, cybersecurity is crucial for preserving privacy. Protecting personal data from
unauthorized access, surveillance, and misuse helps maintain individuals’ privacy rights and
fosters trust in digital services.
Challenges of Cybersecurity:
1. Constantly Evolving Threat Landscape: Cyber threats are constantly evolving, and attackers are
becoming increasingly sophisticated. This makes it challenging for cybersecurity professionals to
keep up with the latest threats and implement effective measures to protect against them.
2. Lack of Skilled Professionals: There is a shortage of skilled cybersecurity professionals, which
makes it difficult for organizations to find and hire qualified staff to manage their cybersecurity
programs.
3. Limited Budgets: Cybersecurity can be expensive, and many organizations have limited budgets
to allocate towards cybersecurity initiatives. This can result in a lack of resources and
infrastructure to effectively protect against cyber threats.
4. Insider Threats: Insider threats can be just as damaging as external threats. Employees or
contractors who have access to sensitive information can intentionally or unintentionally
compromise data security.
5. Complexity of Technology: With the rise of cloud computing, IoT, and other technologies, the
complexity of IT infrastructure has increased significantly. This complexity makes it challenging to
identify and address vulnerabilities and implement effective cybersecurity measures.
There are several steps you can take to protect yourself from cyber threats, including:
• Use strong passwords: Use unique and complex passwords for all of your accounts, and consider
using a password manager to store and manage your passwords.
• Keep your software up to date: Keep your operating system, software applications, and security
software up to date with the latest security patches and updates.
• Be wary of suspicious emails: Be cautious of unsolicited emails, particularly those that ask for
personal or financial information or contain suspicious links or attachments.
• Educate yourself: Stay informed about the latest cybersecurity threats and best practices by
reading cybersecurity blogs and attending cybersecurity training programs.
1. Hackers: The term hacker may refer to anyone with technical skills; however, it typically refers to an
individual who uses his or her skills to gain unauthorized access to systems or networks in order to
commit crimes. The intent of the break-in determines the classification of those attackers as white, grey,
or black hats. White hat attackers break into networks or computer systems to find weaknesses so as to improve the
protection of those systems. The owners of the system give permission to perform the break-in, and
they receive the results of the test. On the other hand, black hat attackers take advantage of
any vulnerability for illicit personal, financial or political gain. Grey hat attackers are somewhere
between white and black hat attackers. Grey hat attackers may notice a vulnerability and report it to
the owners of the system if that action coincides with their agenda.
(a). White Hat Hackers – These hackers use their programming skills for a good and lawful purpose.
These hackers may perform network penetration tests in an attempt to compromise networks to
discover network vulnerabilities. Security vulnerabilities are then reported to developers to fix them, and
these hackers can also work together as a blue team. They only use the limited set of resources
that are ethical and provided by the company, and they basically perform pentesting only to check the
security of the company against external sources.
(b). Gray Hat Hackers – These hackers commit violations and do seemingly deceptive things, but
not for personal gain or to cause harm. These hackers may disclose a vulnerability to the affected
organization after having compromised its network, and they may exploit it.
(c). Black Hat Hackers – These hackers are unethical criminals who violate network security for personal
gain. They misuse vulnerabilities to compromise computer systems. These hackers always exploit the
information or any data they obtain from their unethical pentesting of the network.
2. Organized Hackers: These criminals include organizations of cyber criminals, hacktivists, terrorists,
and state-sponsored hackers. Cyber criminals are typically teams of skilled criminals focused on control,
power, and wealth. These criminals are extremely sophisticated and organized, and may even offer crime as a
service. These attackers are usually highly trained and well-funded.
3. Internet stalkers: Internet stalkers are people who maliciously monitor the web activity of their
victims to acquire personal data. This type of cyber-crime is conducted through the use of social
networking platforms and malware, which are able to track an individual's PC activity with little or no
detection.
4. Disgruntled Employees: Disgruntled employees become hackers with a particular motive and also
commit cyber-crimes. It is hard to believe that dissatisfied employees can become such malicious
hackers. In earlier times, their only option was to go on strike against their employers. But with the
advancement of technology, the increase in computer-based work and the automation of processes, it
is simple for disgruntled employees to do more damage to their employers and organization by
committing cyber-crimes. Attacks by such employees can bring the entire system down.
1. Reconnaissance:
• Gathering Information: Criminals collect information about the target, such as network
architecture, employee roles, and security measures in place. This may involve exploiting
publicly available data, social engineering, or other reconnaissance techniques.
2. Vulnerability Analysis:
• Identifying Weaknesses: Criminals assess the target's systems and networks to identify
vulnerabilities that can be exploited. This includes weaknesses in software, unpatched
systems, or gaps in security protocols.
• Exploit Research: Cybercriminals may search for or develop tools that exploit specific
vulnerabilities. They might also purchase exploit kits on the dark web.
3. Planning the Attack:
• Choosing Attack Vector: Cybercriminals decide on the type of attack they will launch,
such as malware infections, phishing campaigns, or denial-of-service attacks.
• Timing: Attackers may plan the timing of the attack to maximize the chances of success,
taking advantage of events or vulnerabilities that increase the likelihood of success.
• Crafting Deceptive Messages: If the attack involves phishing, criminals create convincing
emails, messages, or websites to trick individuals into revealing sensitive information or
downloading malicious content.
• Building Trust: Social engineering techniques are used to build trust with potential
victims, making them more likely to fall for the deception.
5. Malware Development:
6. Execution:
• Launching the Attack: Cybercriminals initiate the attack, deploying malware, sending
phishing emails, or exploiting vulnerabilities to gain unauthorized access.
• Maintaining Access: In some cases, criminals aim to maintain persistent access to the
target's systems for ongoing exploitation.
7. Covering Tracks:
• Monetization: If the goal is financial gain, criminals may proceed to monetize the stolen
data, demand a ransom, or engage in other activities to convert their success into
tangible gains.
The evolving nature of cybersecurity and the constant development of new attack techniques mean that
criminals continually adapt their strategies. Organizations and individuals must stay vigilant, employ
robust cybersecurity measures, and stay informed about emerging threats to mitigate the risk of falling
victim to cyber-attacks.
Social engineering
Social engineering uses human weakness or psychology to gain access to systems, data, personal
information, etc. It is the art of manipulating people. It doesn't involve the use of technical hacking
techniques. Attackers use new social engineering practices because it is usually easier to exploit the
victim's natural inclination to trust. For example, it is much easier to fool someone into giving their password
than to hack their password. Sharing too much information on social media can enable attackers to
obtain a password or extract a company's confidential information from posts by its employees. This
confidential information then helps attackers to get the passwords of victims' accounts.
Phishing scams are the most common type of social engineering attack these days. Tools such as SET
(Social Engineering Toolkit) also make it easier to create a phishing page, but luckily many companies,
such as Facebook, are now able to detect phishing. That does not mean that you cannot become a victim of
phishing, because nowadays attackers are using iframes to evade detection techniques. An example
of such hidden code in phishing pages is cross-site request forgery (CSRF), which is an attack that forces
an end user to execute unwanted actions on a web application. Here are a few examples of social
engineering attacks that are executed via phishing:
• Job Scams
Purpose
The purpose of social engineering attacks is typically to steal sensitive information, such as login
credentials, credit card numbers, or personal information. Attackers can use this information for identity
theft, financial fraud, or other malicious purposes. Another purpose of social engineering attacks is to
gain unauthorized access to secure areas or systems. For example, an attacker might use tailgating to
follow an authorized individual into a secure area or use pretexting to convince an individual to give
them access to a restricted system.
There are many different types of social engineering attacks, each of which uses a unique approach to
exploit human weaknesses and gain access to sensitive information. Some of the types of
attacks include:
• Phishing: Phishing is a type of social engineering attack that involves sending an email or
message that appears to be from a legitimate source, such as a bank, in an attempt to trick the
recipient into revealing their login credentials or other sensitive information.
• Baiting: Baiting is a type of social engineering attack that involves leaving a tempting item, such
as a USB drive, in a public place in the hope that someone will pick it up and plug it into their
computer. The USB drive is then used to infect the computer with malware.
• Tailgating: Tailgating is a type of social engineering attack that involves following an authorized
individual into a secure area, such as a building or data center, without proper authorization.
• Pretexting: Pretexting is a type of social engineering attack that involves creating a false identity
or situation in order to trick an individual into revealing sensitive information. For example, an
attacker might pretend to be a customer service representative in order to trick an individual
into giving them their login credentials.
• Vishing: Vishing (voice phishing) is a type of social engineering attack that involves using phone
calls to trick individuals into revealing sensitive information over the phone.
• Smishing: Smishing is a type of social engineering attack that involves using SMS messages to
trick individuals into revealing sensitive information or downloading malware.
Prevention
• Regularly monitor online accounts, whether social media accounts or bank accounts, to
ensure that no unauthorized transactions have been made.
• Check the email headers of any suspicious mail to verify its true source.
• Avoid clicking on links, opening unknown files, or opening email attachments from unknown senders.
• Beware of links to online forms that require personal information, even if the email appears to
come from a trusted source. Phishing websites look the same as legitimate websites.
• Adopt proper security mechanisms such as spam filters, anti-virus software, and a firewall, and
keep all systems updated, with anti-keyloggers.
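As an added example of the header check suggested above (this is not code from the original notes), the Python script below reads a raw email, compares the From, Reply-To and Return-Path domains, and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header that a receiving mail server writes (RFC 8601). Both sample messages, and every address and domain in them, are constructed for illustration.

```python
"""Added example, not part of the original notes: flag the header-level signs
of a spoofed sender. All sample messages, addresses and domains are made up."""
import email
import re
from email import policy
from email.utils import parseaddr


def _domain(value) -> str:
    """Lowercase domain of an address such as 'Name <user@host>' ('' if absent)."""
    _, address = parseaddr(str(value))
    return address.rpartition("@")[2].lower()


def _auth_results(msg) -> dict:
    """Map spf/dkim/dmarc -> verdict from the Authentication-Results header.

    Only the copy added by your own receiving server should be trusted; a sender
    can insert a forged one, which is why providers strip foreign copies.
    """
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): v.lower()
            for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def check_headers(raw: str) -> list:
    """Return human-readable warnings for a raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    path_domain = _domain(msg.get("Return-Path", ""))

    # A Reply-To or bounce address on a different domain than the visible sender
    # is a classic phishing tell: replies and bounces go somewhere else.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    if path_domain and path_domain != from_domain:
        warnings.append(f"Return-Path domain '{path_domain}' differs from From domain '{from_domain}'")

    # Anything other than an explicit pass (including a missing result) is reported.
    auth = _auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mech, "missing")
        if verdict != "pass":
            warnings.append(f"{mech.upper()} result is '{verdict}'")
    return warnings


# Constructed sample: a phishing mail posing as a bank (all values made up).
SUSPICIOUS_MAIL = """\
Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay-example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <alerts@bank.example>
Reply-To: support@bank-login-verify.example
To: victim@example.org
Subject: Urgent: verify your account

Click the link to verify your account.
"""

# Constructed sample: a legitimate mail where all three checks pass.
LEGIT_MAIL = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: victim@example.org
Subject: Your monthly statement is ready

Log in through your usual bookmark to view the statement.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MAIL), ("legit", LEGIT_MAIL)):
        print(name, check_headers(raw) or ["no warnings"])
```

A mail with no Authentication-Results header at all is reported as "missing" for all three mechanisms, which is itself worth a closer look when the sender's domain normally publishes SPF and DMARC records.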
Cyberstalking:
Cyberstalking refers to the use of electronic communications or online platforms to repeatedly harass,
intimidate, or threaten an individual. It involves the persistent and unwanted intrusion into a person's
life through digital means. Cyberstalking can take various forms, and the motives behind it may include
revenge, obsession, control, or harassment. Here are some key aspects of cyberstalking:
• Online Harassment: Cyberstalkers use the internet, social media, email, messaging apps, and
other digital platforms to harass their victims. This can include sending threatening messages,
spreading false information, or engaging in other forms of online abuse.
• Monitoring and Surveillance: Cyberstalkers may engage in monitoring the online activities of
their victims. This can involve tracking their social media posts, gathering personal information,
or using technology to spy on their online and offline behaviors.
• Impersonation: Some cyberstalkers go to the extent of creating fake profiles or impersonating
their victims online. This can lead to the spread of false information, damage to the victim's
reputation, or the solicitation of unwanted attention.
• Doxxing: Cyberstalkers may engage in doxxing, which involves publicly revealing and
disseminating private or personal information about the victim, such as home address, phone
number, or workplace details.
• Online Threats: Cyberstalkers may use the internet to issue threats, whether explicit or implicit,
causing the victim to fear for their safety or well-being.
• Non-consensual Distribution of Intimate Content (Revenge Porn): In some cases, cyberstalkers
may engage in the non-consensual distribution of intimate or explicit content, often as a form of
revenge or to humiliate the victim.
• Cyberbullying: Cyberstalking can overlap with cyberbullying, especially when the harassment is
repetitive and intended to harm the victim emotionally or psychologically.
• Impact on Victims: The consequences of cyberstalking can be severe, leading to emotional
distress, anxiety, depression, and even physical harm in extreme cases. Victims may also face
challenges in maintaining online and offline security.
Legal authorities in many jurisdictions recognize cyberstalking as a criminal offense, and laws have been
enacted to address such behavior. Victims are encouraged to report incidents of cyberstalking to law
enforcement agencies and, if necessary, seek legal protection through restraining orders or other legal
measures.
Preventing cyberstalking involves practicing good online security habits, such as using strong and unique
passwords, being cautious about sharing personal information online, and adjusting privacy settings on
social media platforms. Additionally, individuals should report any incidents of cyberstalking promptly
and seek support from law enforcement and relevant support organizations.
• Anonymity and Untraceability: Cybercafés offer a level of anonymity to users since they don't
necessarily require personal identification to access the services. This anonymity can be
exploited by individuals engaging in cybercrimes, making it difficult for law enforcement to trace
the origin of malicious activities.
• Use for Cybercrime: Cybercafés can be used as locations to launch various cybercrimes, such as
hacking, identity theft, online fraud, and spreading malware. Criminals may use the anonymity
provided by cybercafés to avoid detection.
• Unsecured Computers: In some cases, cybercafés may not implement stringent security
measures on their computer systems. This lack of security can make the computers more
vulnerable to malware infections, keyloggers, and other forms of cyber-attacks.
• Phishing and Scams: Cybercriminals may use cybercafés to engage in phishing attacks and online
scams. They might create fake websites, send phishing emails, or conduct fraudulent activities,
taking advantage of the public nature of these establishments.
• Digital Forensics Challenges: Investigating cybercrimes originating from cybercafés can be
challenging for law enforcement due to the shared and public nature of the computer systems. It
may be difficult to attribute specific actions to individual users without proper logging and
monitoring mechanisms.
• Educational Opportunities: Cybercafés can also serve as educational hubs, providing
opportunities for individuals to learn about digital literacy and responsible internet use. Proper
education and awareness programs can help users understand the potential risks and
consequences of engaging in cybercrimes.
To mitigate the risks associated with cybercafés and prevent their misuse for cybercrimes, several
measures can be implemented:
• User Registration: Cybercafés can implement user registration processes that require individuals
to provide some form of identification before accessing the internet.
• Monitoring and Logging: Implementing monitoring tools and logging mechanisms can help track
the activities of users, making it easier to identify and trace any malicious behavior.
• Security Software: Installing and regularly updating security software on the computer systems
within cybercafés can help protect against malware and other cyber threats.
• User Education: Cybercafés can play a role in educating users about safe internet practices,
including the importance of using strong passwords, avoiding suspicious websites, and being
cautious about online activities.
• Collaboration with Law Enforcement: Establishing partnerships with law enforcement agencies
can facilitate the reporting and investigation of cybercrimes originating from cybercafés.
By implementing these measures, cybercafés can provide a safer online environment for users while
contributing to efforts to combat cybercrimes.
• Distributed Denial of Service (DDoS) Attacks: Botnets are commonly used to carry out DDoS
attacks, where a large number of compromised computers are coordinated to flood a target's
servers or network with traffic, rendering them inaccessible. This can disrupt online services,
websites, or even entire networks.
• Spam and Phishing Campaigns: Botnets can be employed to send massive volumes of spam
emails or phishing messages. The sheer number of compromised computers allows
cybercriminals to distribute malicious links, malware, or phishing attempts widely, increasing the
chances of success in compromising more systems or stealing sensitive information.
• Credential Stuffing Attacks: In credential stuffing attacks, botnets are used to automate the
process of trying large numbers of username and password combinations to gain unauthorized
access to online accounts. This is possible because many individuals reuse passwords across
multiple platforms.
• Cryptocurrency Mining: Botnets can be used to mine cryptocurrencies by leveraging the
combined processing power of the compromised computers. This allows cybercriminals to
generate cryptocurrency without the knowledge or consent of the computer owners.
• Information Theft and Data Breaches: Botnets may be used to exfiltrate sensitive information
from compromised systems. This could include personal data, financial information, login
credentials, or intellectual property. The stolen data can be used for various malicious purposes,
including identity theft or selling on the dark web.
• Keylogging and Spyware: Botnets may deploy keyloggers and spyware on compromised
computers to monitor and record user activities. This can result in the theft of sensitive
information, such as login credentials, credit card numbers, or personal communications.
• Remote Control and Surveillance: Cybercriminals can use botnets to remotely control
compromised computers. This control can be exploited for surveillance, further spreading
malware, or launching additional attacks on other targets.
• Fraudulent Clicks and Ad Fraud: Botnets can generate fake clicks on online advertisements,
leading to ad fraud. This artificially inflates the number of clicks, defrauding advertisers and
siphoning off advertising revenue.
Efforts to combat botnets involve a combination of technical measures, such as antivirus software and
intrusion detection systems, as well as legal and law enforcement actions to dismantle the infrastructure
supporting these malicious networks. Users can contribute to the fight against botnets by maintaining
good cybersecurity practices, such as keeping software updated, using strong and unique passwords, and
being cautious about suspicious emails and links.
Attack Vectors:
Attack vectors refer to the paths or methods through which a cyber attacker can exploit vulnerabilities in
a system or network to compromise its integrity, confidentiality, or availability. Cybersecurity
professionals use the knowledge of attack vectors to design and implement defenses against potential
threats. Here are some common attack vectors:
• Phishing Attacks: Email Phishing: Attackers use deceptive emails to trick individuals into clicking
on malicious links or downloading malicious attachments. Spear Phishing: Targeted phishing
attacks that are customized for specific individuals or organizations.
• Malware Attacks: Drive-By Downloads: Malicious software is automatically downloaded to a
user's device when they visit a compromised or malicious website. Trojan Horses: Malware
disguised as legitimate software that, once installed, allows unauthorized access or control.
• Social Engineering: Manipulating Trust: Attackers exploit human psychology to manipulate
individuals into divulging sensitive information or taking specific actions. Impersonation:
Pretending to be someone else to gain unauthorized access or deceive individuals.
• Credential Attacks: Brute Force Attacks: Repeatedly attempting to guess passwords until the
correct one is found. Credential Stuffing: Using known username and password combinations
obtained from previous data breaches to gain unauthorized access.
• Man-in-the-Middle (MitM) Attacks: Intercepting and possibly altering communications between
two parties without their knowledge.
• SQL Injection: Exploiting vulnerabilities in web applications to execute malicious SQL queries on
a database, potentially allowing unauthorized access or data manipulation.
• Cross-Site Scripting (XSS): Injecting malicious scripts into web pages viewed by other users,
potentially leading to the theft of sensitive information.
• Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: Overwhelming a
system, network, or service with traffic to disrupt its normal functioning.
• Zero-Day Exploits: Taking advantage of vulnerabilities in software or hardware that are not yet
known to the vendor or the public.
• Physical Attacks: Physically manipulating or gaining unauthorized access to hardware devices or
infrastructure.
• Ransomware Attacks: Encrypting files or systems and demanding a ransom for their release.
• IoT (Internet of Things) Exploitation: Taking advantage of security vulnerabilities in connected
devices to gain unauthorized access or disrupt their functionality.
• USB-based Attacks: Distributing malware or exploiting vulnerabilities through infected USB
devices.
• Watering Hole Attacks: Compromising websites that a target group is likely to visit, exploiting
their trust in those sites to deliver malware.
• Wi-Fi Eavesdropping: Unauthorized interception of Wi-Fi communications to capture sensitive
information.
Understanding these attack vectors is crucial for developing effective cybersecurity strategies.
Organizations and individuals need to implement a multi-layered defense approach, including firewalls,
antivirus software, intrusion detection systems, and user education to mitigate the risks associated with
these attack vectors. Regular updates, patches, and security audits are also essential for maintaining a
secure digital environment.
UNIT 2
Mobile and wireless devices
Mobile and wireless devices play a crucial role in today's interconnected world, providing users
with the ability to communicate, access information, and perform various tasks on the go. Here
are some key aspects related to mobile and wireless devices:
Mobile Devices:
1. Smartphones:
• Smartphones are versatile mobile devices that combine a phone with features
like internet browsing, applications, camera, and more.
• Operating systems include iOS (Apple), Android (Google), and others.
2. Tablets:
• Larger than smartphones, tablets offer a portable computing experience with
touchscreens and various applications.
• Popular operating systems include iOS, Android, and Windows.
3. Wearables:
• Devices like smartwatches and fitness trackers are worn on the body.
• They often connect to smartphones for notifications and health tracking.
4. E-readers:
• Designed for reading digital books, e-readers like Kindle provide a dedicated
platform for e-books.
Wireless Technologies:
1. Wi-Fi:
• Enables wireless local area networking (WLAN) for internet access and device
connectivity.
• Commonly used in homes, offices, and public spaces.
2. Bluetooth:
• Used for short-range wireless communication between devices (e.g.,
headphones, speakers, keyboards).
• Low-power consumption makes it suitable for various applications.
3. NFC (Near Field Communication):
• Allows for short-range communication between devices by bringing them close
together.
• Used for contactless payments, data transfer, and more.
4. 4G and 5G Networks:
• Cellular networks provide mobile data connectivity.
• 4G (LTE) and 5G offer high-speed internet access, with 5G providing faster speeds
and lower latency.
5. Satellite Communication:
• Used in remote areas where traditional communication infrastructure is not
available.
Security and Challenges:
1. Security Concerns:
• Mobile devices face security threats like malware, phishing, and data breaches.
• Encryption, secure authentication, and regular updates are crucial for device
security.
2. Battery Life:
• A key consideration, especially for mobile devices, as users expect longer battery
life.
3. Interoperability:
• Ensuring seamless communication between different devices and platforms.
4. Health Concerns:
• Debates around the potential health effects of prolonged exposure to wireless
signals.
Emerging Technologies:
1. IoT (Internet of Things):
• Connecting various devices to the internet for data exchange and automation.
2. Edge Computing:
• Processing data closer to the source (device) rather than relying solely on
centralized cloud servers.
3. Foldable Devices:
• Innovations in form factors, such as foldable smartphones and tablets.
4. Augmented Reality (AR) and Virtual Reality (VR):
• Integration of AR and VR technologies in mobile devices for immersive
experiences.
Mobile and wireless technologies continue to evolve, influencing how people communicate,
work, and interact with their surroundings. Ongoing advancements contribute to the growth of
a more interconnected and technologically advanced society.
Trends in Mobility:
1. 5G Technology: The rollout and adoption of 5G networks were gaining momentum. 5G
promises significantly faster data speeds, lower latency, and increased capacity, opening
up possibilities for new applications and services.
2. Edge Computing: Edge computing involves processing data closer to the source (device)
rather than relying solely on centralized cloud servers. This trend reduces latency and
enhances real-time processing, crucial for applications like IoT and AR/VR.
3. Internet of Things (IoT): The proliferation of IoT devices continued, connecting various
objects to the internet for data exchange and automation. IoT applications span
industries such as healthcare, agriculture, smart homes, and industrial sectors.
4. Mobile Health (mHealth): The integration of mobile devices in healthcare, known as
mHealth, was expanding. This trend includes health monitoring apps, wearable devices,
and telemedicine solutions.
5. Augmented Reality (AR) and Virtual Reality (VR): AR and VR technologies were gaining
traction, with applications in gaming, education, training, and immersive experiences.
Mobile devices were becoming increasingly capable of supporting AR and VR
applications.
6. Foldable Devices: Manufacturers were experimenting with foldable smartphone and
tablet designs, offering users a more flexible and versatile form factor.
7. Mobile Security: With the increasing reliance on mobile devices for sensitive tasks,
mobile security became a significant concern. Biometric authentication, secure enclaves,
and improved encryption were among the measures implemented to enhance mobile
security.
8. Artificial Intelligence (AI) Integration: AI was being integrated into mobile devices,
enhancing features like voice assistants, image recognition, and predictive analytics. This
trend aimed to provide more personalized and intelligent user experiences.
9. 5G-Enabled IoT: The combination of 5G and IoT was expected to bring about
transformative changes, enabling massive connectivity for a multitude of devices with
high data transfer rates and low latency.
10. Mobile App Development: Cross-platform app development frameworks and
technologies were gaining popularity, allowing developers to create apps that run
seamlessly on multiple operating systems.
11. Remote Work Tools: The COVID-19 pandemic accelerated the adoption of mobile tools
and applications supporting remote work, including video conferencing, collaboration
platforms, and cloud-based productivity tools.
12. Mobile Payments and Digital Wallets: The trend toward cashless transactions and
mobile payments continued to grow, with digital wallets and mobile payment apps
becoming increasingly popular.
It's important to check for the latest updates to understand the current trends in the mobility of
mobile and wireless devices, as the technology landscape is continually evolving.
• SMiShing: Smishing has become common now that smartphones are widely used. SMiShing
uses Short Message Service (SMS) to send fraudulent text messages or links. The criminals
may also cheat the user by calling. Victims may provide sensitive information such as credit card
information, account information, etc. Visiting a linked website might result in the user
unknowingly downloading malware that infects the device.
• War driving: War driving is a technique attackers use to find wireless access points wherever
they may be. With the availability of free Wi-Fi connections, they can drive around and obtain a
very large amount of information in a very short period of time.
• WEP attack: Wired Equivalent Privacy (WEP) is a security protocol that attempted to
provide a wireless local area network with the same level of security as a wired LAN.
Since physical security steps help to protect a wired LAN, WEP attempts to provide
similar protection for data transmitted over WLAN with encryption. WEP uses a key for
encryption. There is no provision for key management with Wired Equivalent Privacy, so
the number of people sharing the key will continually grow. Since everyone is using the
same key, the criminal has access to a large amount of traffic for analytic attacks.
• WPA attack: Wi-Fi Protected Access (WPA) and then WPA2 came out as improved
protocols to replace WEP. WPA2 does not have the same encryption problems, because
an attacker cannot recover the key by observing traffic. WPA2 is nevertheless susceptible to attack
because cyber criminals can analyze the packets going between the access point and an
authorized user.
• Bluejacking: Bluejacking is used for sending unauthorized messages to another
Bluetooth device. Bluetooth is a high-speed but very short-range wireless technology for
exchanging data between desktop and mobile computers and other devices.
• Replay attacks: In a replay attack an attacker spies on information being sent between a
sender and a receiver. Once the attacker has captured the information, he or she can
intercept it and retransmit it later, which also introduces a delay in data transmission. It is
also known as a playback attack.
• Bluesnarfing: It occurs when the attacker copies the victim’s information from the victim’s
device. An attacker can access information such as the user’s calendar, contact list, e-mail
and text messages without leaving any evidence of the attack.
• RF Jamming: Wireless signals are susceptible to electromagnetic interference and radio-
frequency interference. Radio frequency (RF) jamming distorts the transmission of a
satellite station so that the signal does not reach the receiving station.
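The replay attack described above is defeated when each message carries a sequence number and timestamp that are bound to the payload by a MAC. The following is an added example (not code from the original notes) showing both the sender side and a receiver that rejects replayed, stale and tampered copies; the shared key and message values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; sender and receiver both hold it.
SHARED_KEY = b"example-shared-secret-for-demo-only"


def _canonical(seq: int, ts: float, payload: str) -> bytes:
    # Serialise deterministically so both sides MAC exactly the same bytes.
    return json.dumps({"seq": seq, "ts": ts, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, seq: int, payload: str, sent_at: float) -> dict:
    """Sender side: bind a strictly increasing sequence number and a send
    timestamp to the payload, and authenticate all three with HMAC-SHA256."""
    mac = hmac.new(key, _canonical(seq, sent_at, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "ts": sent_at, "payload": payload, "mac": mac}


class ReplayGuard:
    """Receiver side. A captured message cannot be retransmitted usefully:
    its sequence number was already accepted, its timestamp ages out, and any
    edit to seq/ts/payload breaks the MAC."""

    def __init__(self, key: bytes, window_seconds: float = 30.0):
        self.key = key
        self.window = window_seconds
        self.highest_seq = -1   # highest sequence number accepted so far

    def verify(self, msg: dict, now: float) -> tuple:
        """Return (accepted, reason): authenticity is checked first, then freshness."""
        expected = hmac.new(self.key, _canonical(msg["seq"], msg["ts"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad mac"            # forged or tampered
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"    # replayed long after it was sent
        if msg["seq"] <= self.highest_seq:
            return False, "replayed seq"       # already accepted (or out of order)
        self.highest_seq = msg["seq"]
        return True, "ok"


def demo() -> list:
    """Walk through a normal exchange, a replay, a tampered copy and a stale copy."""
    guard = ReplayGuard(SHARED_KEY)
    t0 = 1_700_000_000.0
    m1 = make_message(SHARED_KEY, 1, "transfer 10", t0)
    m2 = make_message(SHARED_KEY, 2, "transfer 20", t0 + 1)
    reasons = [
        guard.verify(m1, t0 + 0.5)[1],            # fresh, in order -> ok
        guard.verify(m2, t0 + 1.5)[1],            # fresh, in order -> ok
        guard.verify(m1, t0 + 2.0)[1],            # m1 retransmitted -> replayed seq
        guard.verify(dict(m2, payload="transfer 2000"), t0 + 2.5)[1],  # edited -> bad mac
        guard.verify(make_message(SHARED_KEY, 3, "transfer 30", t0), t0 + 120)[1],  # stale
    ]
    return reasons
```

The strict "seq must exceed the highest accepted" rule also rejects legitimate out-of-order delivery; a sliding window of seen sequence numbers is the usual refinement when reordering is expected.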
There are several types of attacks that target these devices, each with its own advantages and
disadvantages:
• Wi-Fi Spoofing: Wi-Fi spoofing involves setting up a fake wireless access point to trick
users into connecting to it instead of the legitimate network. This attack can be used to
steal sensitive information such as usernames, passwords, and credit card numbers. One
advantage of this attack is that it is relatively easy to carry out, and the attacker does not
need sophisticated tools or skills. However, it can be easily detected if users are aware of
the legitimate network’s name and other details.
• Packet Sniffing: Packet sniffing involves intercepting and analyzing the data packets that
are transmitted over a wireless network. This attack can be used to capture sensitive
information such as email messages, instant messages, and web traffic. One advantage
of this attack is that it can be carried out without the user’s knowledge. However, the
attacker needs to be in close proximity to the victim and must have the technical skills
and tools to intercept and analyze the data.
• Bluejacking: Bluejacking involves sending unsolicited messages to Bluetooth-enabled
devices. This attack can be used to send spam, phishing messages, or malware to the
victim’s device. One advantage of this attack is that it does not require a network
connection, and the attacker can be located anywhere within range of the victim’s
Bluetooth signal. However, it requires the attacker to have the victim’s Bluetooth
device’s address and is limited to devices that have Bluetooth capabilities.
• SMS Spoofing: SMS spoofing involves sending text messages that appear to come from a
trusted source, such as a bank or a government agency. This attack can be used to trick
users into revealing sensitive information or downloading malware. One advantage of
this attack is that it can be carried out without the user’s knowledge. However, it
requires the attacker to have the victim’s phone number, and it can be easily detected if
users are aware of the legitimate source of the message.
• Malware: Malware is software designed to infect a device and steal or damage data.
Malware can be distributed through email attachments, software downloads, or
malicious websites. One advantage of this attack is that it can be carried out remotely,
without the attacker needing to be physically close to the victim. However, it requires
the attacker to have a way to deliver the malware to the victim’s device, such as through
a phishing email or a fake website.
Conclusion: Wireless and mobile device attacks can have severe consequences, including the
theft of sensitive data, identity theft, financial loss, and reputational damage. To protect against
these attacks, users should always use strong passwords, keep their devices and software up-to-
date, avoid connecting to unsecured networks, and use reputable app stores. Businesses should
also implement security measures such as firewalls, intrusion detection systems, and employee
training to protect against wireless and mobile device attacks.
Anonymizer
An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet
untraceable. It is a proxy server computer that acts as an intermediary and privacy shield
between a client computer and the rest of the Internet. It accesses the Internet on the user’s
behalf, protecting personal information by hiding the client computer’s identifying information.
There are many reasons for using anonymizers. Anonymizers help minimize risk. They can be
used to prevent identity theft, or to protect search histories from public disclosure. Some
countries apply heavy censorship on the internet. Anonymizers can help in allowing free access
to all of the internet content, but cannot help against persecution for accessing the Anonymizer
website itself. Furthermore, as information about Anonymizer websites is itself banned in
these countries, users are wary that they may be falling into a government-set trap.
Anonymizers are also used by people who wish to receive objective information with the
growing target marketing on the internet and targeted information. For example, large news
outlets such as CNN target the viewers according to region and give different information to
different populations. Websites such as YouTube obtain information about the last videos
viewed on a computer, and propose “recommended” videos accordingly, and most of the
online targeted marketing is done by showing advertisements according to that region.
Anonymizers are used for avoiding this kind of targeting and getting a more objective view of
information.
Types
Phishing
Phishing is one type of cyber-attack. Phishing got its name from “phish”, meaning fish. It is
common to put out bait so that fish get trapped; phishing works in the same way. It is an
unethical way to dupe the user or victim into clicking on harmful sites. The attacker crafts the
harmful site in such a way that the victim believes it to be an authentic site, and so falls prey to it.
The most common mode of phishing is sending spam emails that appear to be authentic and
thus taking all credentials from the victim. The main motive of the attacker behind
phishing is to gain confidential information like
• Password
• Credit card details
• Social security numbers
• Date of birth
The attacker uses this information to further target the user and impersonate the user and
cause data theft. The most common type of phishing attack happens through email. Phishing
victims are tricked into revealing information that they think should be kept private. The original
logo of the email is used to make the user believe that it is indeed the original email. But if we
carefully look into the details, we will find that the URL or web address is not authentic.
How Does Phishing Occur?
Below are the ways through which phishing generally occurs. Any of the behaviours
mentioned below can expose a user to a phishing attack.
• Clicking on an unknown file or attachment: Here, the attacker deliberately sends a
mysterious file to the victim; when the victim opens the file, either malware is injected into
the system or the user is prompted to enter confidential data.
• Using an open or free Wi-Fi hotspot: This is a very simple way to obtain confidential
information from a user by luring them with free Wi-Fi. The Wi-Fi owner can
control the user’s data without the user knowing it.
• Responding to social media requests: This commonly involves social engineering.
Accepting unknown friend requests and then leaking secret data by mistake is the
most common mistake made by naive users.
• Clicking on unauthenticated links or ads: Unauthenticated links are deliberately
crafted to lead to a phished website that tricks the user into typing confidential data.
Types of Phishing Attacks
There are several types of phishing attacks; some of them are mentioned below. The
attacks listed below are very common and the ones most used by attackers.
• Email Phishing: The most common type where users are tricked into clicking unverified
spam emails and leaking secret data. Hackers impersonate a legitimate identity and send
emails to mass victims. Generally, the goal of the attacker is to get personal details like
bank details, credit card numbers, user IDs, and passwords of any online shopping
website, installing malware, etc. After getting the personal information, they use this
information to steal money from the user’s account or harm the target system, etc.
• Spear Phishing: In a spear phishing attack, a particular user (organization or
individual) is targeted. In this method, the attacker first gathers full information about the
target and then sends malicious emails to his/her inbox to trap the target into typing
confidential data. For example, the attacker targets someone (let’s assume an employee
from the finance department of some organization). The attacker then pretends to be
the manager of that employee and requests personal information or the transfer of a
large sum of money. It is the most successful attack.
• Whaling: Whaling is just like spear-phishing, but the main target is the head of the
company, like the CEO, CFO, etc. A high-pressure email is sent to such executives so that
they don’t have much time to think, and therefore fall prey to phishing.
• Smishing: In this type of phishing attack, the medium of phishing attack is
SMS. Smishing works similarly to email phishing. SMS texts are sent to victims containing
links to phished websites or invite the victims to call a phone number or to contact the
sender using the given email. The victim is then invited to enter their personal
information like bank details, credit card information, user id/ password, etc. Then using
this information, the attacker harms the victim.
• Vishing: Vishing is also known as voice phishing. In this method, the attacker calls the
victim using modern caller id spoofing to convince the victim that the call is from a
trusted source. Attackers also use IVR to make it difficult for legal authorities to trace the
attacker. It is generally used to steal credit card numbers or confidential data from the
victim.
• Clone Phishing: In this type of phishing attack, the attacker copies email
messages that were sent from a trusted source and then alters the content by
adding a link that redirects the victim to a malicious or fake website. The attacker then
sends this mail to a large number of users and waits to see who clicks on the
attachment that was sent in the email. It spreads through the contacts of the user who
has clicked on the attachment.
Impact of Phishing
These are the impacts on a user who falls victim to a phishing attack. Each person
experiences their own impact after a phishing attack, but these are some of the common impacts
that happen to the majority of people.
• Financial Loss: Phishing attacks often target financial information, such as credit card
numbers and bank account login credentials. This information can be used to steal
money or make unauthorized purchases, leading to significant financial losses.
• Identity Theft: Phishing attacks can also steal personal information, such as Social
Security numbers and date of birth, which can be used to steal an individual’s identity
and cause long-term harm.
• Damage to Reputation: Organizations that fall victim to phishing attacks can suffer
damage to their reputation, as customers and clients may lose trust in the company’s
ability to protect their information.
• Disruption to Business Operations: Phishing attacks can also cause significant disruption
to business operations, as employees may have their email accounts or computers
compromised, leading to lost productivity and data.
• Spread of Malware: Phishing attacks often use attachments or links to deliver malware,
which can infect a victim’s computer or network and cause further harm.
Signs of Phishing
It is very important to be able to identify the signs of a phishing attack in order to protect
against its harmful effects. These signs help the user protect their data and information from
hackers. Some signs to look out for include:
• Suspicious email addresses: Phishing emails often use fake email addresses that appear
to be from a trusted source, but are actually controlled by the attacker. Check the email
address carefully and look for slight variations or misspellings that may indicate a fake
address.
• Urgent requests for personal information: Phishing attacks often try to create a sense of
urgency in order to trick victims into providing personal information quickly. Be cautious
of emails or messages that ask for personal information and make sure to verify the
authenticity of the request before providing any information.
• Poor grammar and spelling: Phishing attacks are often created quickly and carelessly,
and may contain poor grammar and spelling errors. These mistakes can indicate that the
email or message is not legitimate.
• Requests for sensitive information: Phishing attacks often try to steal sensitive
information, such as login credentials and financial information. Be cautious of emails or
messages that ask for sensitive information and verify the authenticity of the request
before providing any information.
• Unusual links or attachments: Phishing attacks often use links or attachments to deliver
malware or redirect victims to fake websites. Be cautious of links or attachments in
emails or messages, especially from unknown or untrusted sources.
• Strange URLs: Phishing attacks often use fake websites that look similar to the real ones,
but have slightly different URLs. Look for strange URLs or slight variations in the URL that
may indicate a fake website.
How To Stay Protected Against Phishing?
Until now, we have seen how a user becomes so vulnerable due to phishing. But with proper
precautions, one can avoid such scams. Below are the ways listed to protect users against
phishing attacks:
• Authorized Source: Download software from authorized sources only where you have
trust.
• Confidentiality: Never share your private details with unknown links and keep your data
safe from hackers.
• Check URL: Always check the URL of websites to prevent any such attack. It will help you
avoid getting trapped in phishing attacks.
• Avoid replying to suspicious things: If you receive an email from a known source but
that email looks suspicious, then contact the source with a new email rather than using
the reply option.
• Phishing Detection Tool: Use phishing-detecting tools to monitor the websites that are
crafted and contain unauthentic content.
• Try to avoid free Wi-Fi: Avoid using free Wi-Fi; it can expose you to threats and phishing.
• Keep your system updated: It’s better to keep your system always updated to protect
from different types of Phishing Attacks.
• Keep the firewall of the system ON: Keeping the firewall on helps you filter out
ambiguous and suspicious data so that only authenticated data reaches you.
How To Distinguish between a Fake Website and a Real Website?
It is very important nowadays to be able to tell fake websites from real ones. Here are
some of the ways through which you can identify which websites are real and which
ones are fake. To distinguish between a fake website and a real website, always remember the
following points:
• Check the URL of the website: A good and legitimate website always uses a secure medium to
protect you from online threats. So, when you first see a website link, always check
the beginning of the address. If a website address starts with https:// then the
website is secure, because the “s” in https denotes secure, which means the website uses
encryption to transfer data, protecting it from hackers. If a website uses http:// then the
website is not guaranteed to be safe. So, it is advised not to visit HTTP websites as they
are not secure.
• Check the domain name of the website: Attackers generally create a website whose
address mimics that of large brands or companies, like www.amazon.com/order_id=23. If we
look closely, we can see that it’s a fake website as the spelling of Amazon is wrong, that
is amazon is written. So, it’s a phished website. Be careful with such types of
websites.
• Look for site design: If you open a website from the link, then pay attention to the
design of the site. Although the attacker tries to imitate the original one as much as
possible, they still lack in some places. So, if you see something off, then that might be a
sign of a fake website. For example, www.sugarcube.com/facebook, when we open this
URL the page open is cloned to the actual Facebook page but it is a fake website. The
original link to Facebook is www.facebook.com.
• Check for the available web pages: A fake website does not contain all the web
pages that are present in the original website. So, when you encounter a suspected fake website,
open the options (links) present on that website. If they only display a login page,
then the website is fake.
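The URL checks above, and the “suspicious email addresses” and “strange URLs” signs in the earlier list, can be turned into simple heuristics: is the scheme https, does a brand name appear in the subdomain or path while the registered domain belongs to someone else (the www.sugarcube.com/facebook case), and is the registered domain a one-character misspelling or digit-for-letter look-alike of a known brand. The following is an added example, not code from the original notes; the brand allow-list and the homoglyph table are constructed assumptions, and the two-label “registered domain” rule is a deliberate simplification that does not handle suffixes like co.uk.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand name -> legitimate registered
# domains. A real deployment would use a maintained list (assumption).
KNOWN_BRANDS = {
    "facebook": {"facebook.com"},
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}

# Characters attackers commonly swap for look-alikes (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registered_domain(host: str) -> str:
    """Naive registered domain = last two labels (does not handle co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings such as 'facebok'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_label(label: str) -> str:
    """Undo common look-alike tricks: digit homoglyphs, 'rn' for 'm', 'vv' for 'w'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def assess_url(url: str) -> list:
    """Return a list of warning strings; an empty list means no heuristic fired."""
    if "://" not in url:
        url = "http://" + url          # bare 'www.example.com/x' as written in the notes
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    warnings = []
    if parts.scheme != "https":
        # HTTPS only means the transport is encrypted; it does not prove the
        # site is genuine, which is why the checks below still run for https URLs.
        warnings.append("not https")
    reg = registered_domain(host)
    reg_label = reg.split(".")[0]
    subdomain = host[: -len(reg)].strip(".") if host.endswith(reg) else ""
    for brand, domains in KNOWN_BRANDS.items():
        if reg in domains:
            continue                   # genuine registered domain for this brand
        if brand in subdomain or brand in path:
            warnings.append(f"brand '{brand}' in subdomain/path but registered domain is {reg}")
        norm = normalise_label(reg_label)
        if norm == brand or edit_distance(norm, brand) == 1:
            warnings.append(f"registered domain {reg} looks like '{brand}'")
    return warnings
```

The same `registered_domain` and look-alike checks apply to the domain part of a sender’s email address, which is how the “slight variations or misspellings” sign can be automated.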
Anti-Phishing Tools
Well, it’s essential to use Anti-Phishing tools to detect phishing attacks. Here are some of the
most popular and effective anti-phishing tools available:
• Anti-Phishing Domain Advisor (APDA): A browser extension that warns users when they
visit a phishing website. It uses a database of known phishing sites and provides real-
time protection against new threats.
• PhishTank: A community-driven website that collects and verifies reports of phishing
attacks. Users can submit phishing reports and check the status of suspicious websites.
• Webroot Anti-Phishing: A browser extension that uses machine learning algorithms to
identify and block phishing websites. It provides real-time protection and integrates with
other security tools.
• Malwarebytes Anti-Phishing: A security tool that protects against phishing attacks by
detecting and blocking suspicious websites. It uses a combination of machine learning
and signature-based detection to provide real-time protection.
• Kaspersky Anti-Phishing: A browser extension that provides real-time protection against
phishing attacks. It uses a database of known phishing sites and integrates with other
security tools to provide comprehensive protection.
Password Cracking
Password cracking is one of the essential phases of the hacking process. Password cracking
is a way to recover passwords from data stored on, or transmitted by, a computer or mainframe.
The purpose of password cracking may be to help a user recover from a failed
authentication or a forgotten password, to let system administrators check for easily
crackable weak passwords as a preventive measure, or to let an attacker gain unauthorized
system access.
Types of Password Attacks:
Password cracking is carried out regardless of its legality, whether to secure a system against
unauthorized access (for instance, recovering a password the user had forgotten) or
otherwise. The classification of these attacks depends on the attacker’s activities, which are
ordinarily one of four types:
1. Non-Electronic Attacks –
This is most likely the attacker’s first choice for acquiring the target system’s password. These
kinds of password attacks don’t require any technical skill or knowledge about
hacking or exploiting systems, hence they are called non-electronic attacks. Some
techniques used for carrying out these attacks are social engineering, dumpster
diving, shoulder surfing, and so on.
2. Active Online Attacks –
This is perhaps the most straightforward way to gain unauthorized administrator-level
system access. To crack the passwords, the attacker needs to communicate with
the target machines, since that is required for password access. Some techniques used for
carrying out these attacks are dictionary attacks, brute forcing, password guessing,
hash injection, phishing, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers,
and so on.
3. Passive Online Attacks –
A passive attack is a deliberate attack that does not cause any change to the
system in any way. In these attacks, the attacker does not have to interact with
the system. Instead, he/she passively monitors or records the data passing over
the communication channel to and from the target. The attacker then uses the
captured data to break into the system. Techniques used to perform passive online attacks
include replay attacks, wire sniffing, man-in-the-middle attacks, and so on.
4. Offline Attacks –
Offline attacks refer to password attacks where an attacker tries to
recover clear-text passwords from a password hash dump. These attacks
are often tedious but can be effective, as password hashes can be reversed because of their
smaller keyspace and shorter length. Attackers use precomputed
hashes from rainbow tables to perform offline and distributed network attacks.
Some of the best practices for protecting against password cracking include:
1. Perform information security audits to monitor and track password attacks.
2. Do not reuse the same password when changing passwords.
3. Do not share passwords.
4. Do not use passwords that can be found in a dictionary.
5. Do not use clear-text protocols or protocols with weak encryption.
6. Set the password change policy to 30 days.
7. Do not store passwords in an insecure location.
8. Do not use any mainframe’s or PC’s default passwords.
9. Unpatched computers can have passwords reset during buffer overflow or Denial of Service
attacks. Keep the system updated.
10. Enable account lockout with a specific number of attempts, counter reset time, and
lockout duration. One of the best ways to manage passwords in organizations is to set
up automated password reset.
11. Ensure that the computer or server’s BIOS is protected with a password, particularly on
devices that are exposed to physical threats, for instance, servers and PCs.
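Two of the practices above can be shown in code: an account lockout policy with the three parameters named in item 10 (allowed attempts, counter reset time, lockout duration), and, against the offline attacks described earlier, storing only a per-user salted PBKDF2 hash so that a leaked hash dump cannot be matched against precomputed rainbow tables. The following is an added example, not code from the original notes; the policy values, the user “alice” and her password are constructed for the demo, and the demo uses a low iteration count only to keep it fast.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """The three lockout parameters from item 10 of the list above."""
    attempts: int = 5                      # failures allowed inside the reset window
    counter_reset_seconds: float = 900.0   # failures older than this no longer count
    lockout_seconds: float = 1800.0        # how long the account stays locked


def make_verifier(password: str, iterations: int = 200_000) -> tuple:
    """Store a random salt plus a slow PBKDF2-HMAC-SHA256 hash instead of the
    password. The per-user salt means a rainbow table built for unsalted hashes
    is useless, and the iteration count makes each offline guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(password: str, verifier: tuple) -> bool:
    salt, iterations, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class AccountState:
    failures: list = field(default_factory=list)    # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Applies the lockout policy in front of password verification."""

    def __init__(self, policy: LockoutPolicy, verifiers: dict):
        self.policy = policy
        self.verifiers = verifiers        # username -> (salt, iterations, digest)
        self.state = {}

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'locked'. Unknown users still count failures so
        the response does not reveal which usernames exist."""
        st = self.state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"               # even a correct password is refused
        # Counter reset: forget failures older than the window.
        st.failures = [t for t in st.failures if now - t < self.policy.counter_reset_seconds]
        verifier = self.verifiers.get(username)
        if verifier is not None and check_password(password, verifier):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "fail"


def demo() -> list:
    """Constructed sequence: three failures trip the lockout, the correct
    password is refused while locked, and the counter resets after the window."""
    policy = LockoutPolicy(attempts=3, counter_reset_seconds=60.0, lockout_seconds=300.0)
    guard = LoginGuard(policy, {"alice": make_verifier("correct horse battery", 1000)})
    t = 1_000.0
    return [
        guard.attempt("alice", "wrong1", t),                        # fail
        guard.attempt("alice", "wrong2", t + 1),                    # fail
        guard.attempt("alice", "wrong3", t + 2),                    # locked until t+302
        guard.attempt("alice", "correct horse battery", t + 3),     # locked
        guard.attempt("alice", "correct horse battery", t + 305),   # ok, lockout expired
        guard.attempt("alice", "wrong4", t + 306),                  # fail (1 in window)
        guard.attempt("alice", "wrong5", t + 400),                  # fail (old one reset)
        guard.attempt("alice", "wrong6", t + 401),                  # fail (2 in window)
    ]
```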
Key loggers
Key loggers, also known as keystroke loggers, record the keys pressed on a system and save
them to a file, which is then accessed by the person using this malware.
A key logger can be software or hardware. Working: key-loggers are mainly used to steal
passwords or confidential details such as bank information. The first key-logger was invented in
the 1970s and was a hardware key logger; the first software key-logger was developed in 1983.
1. Software key-loggers: Software key-loggers are computer programs developed
to steal passwords from the victim’s computer. However, key loggers are also used in IT organizations
to troubleshoot technical problems with computers and business networks. Also, Microsoft
Windows 10 has a key-logger installed in it.
1. JavaScript based key logger – A malicious script installed into a web page that
listens for key presses through handlers such as onkeyup. These scripts can be delivered by various
methods, such as sharing through social media, sending as a mail attachment, or via a RAT file.
2. Form Based Key loggers – These key-loggers activate when a person fills in a
form online; when the submit button is clicked, all the data or words written are sent
via a file to a computer. Some key-loggers work as an API in a running application: it looks
like a simple application, and whenever a key is pressed it records it.
2. Hardware Key-loggers: These are not dependent on any software as these are hardware key-
loggers. keyboard hardware is a circuit which is attached in a keyboard itself that whenever the
key of that keyboard pressed it gets recorded.
1. USB keylogger – There are USB connector key-loggers which has to be connected to a
computer and steals the data. Also, some circuits are built into a keyboard so no external
wire i used or shows on the keyboard.
2. Smartphone sensors – Some cool android tricks are also used as key loggers such as
android accelerometer sensor which when placed near to the keyboard can sense the
vibrations and the graph then used to convert it to sentences, this technique accuracy is
about 80%. Now a days crackers are using keystroke logging Trojan, it is a malware which
is sent to a victims computer to steal the data and login details.
So key-loggers are the software malware or a hardware which is used to steal , or snatch our
login details, credentials , bank information and many more. Some keylogger application used in
2020 are: Kidlogger, Best Free Keylogger, Windows Keylogger, Refog Personal Monitor, All In One
Keylogger
Prevention from key loggers: The following measures help.
1. Anti-key logger: As the name suggests, these are software products that work against key
loggers; their main task is to detect key loggers on a computer system.
2. Anti-virus: Many anti-virus products also detect key loggers and delete them from the
computer system. These are software tools, so they cannot get rid of hardware key loggers.
3. Automatic form filler: Instead of filling in forms by hand on a regular basis, the user can
use an automatic form filler, which shields against key loggers because no keys are pressed.
4. One-time passwords: Using OTPs as passwords is safer, since every time we log in we have to
use a new password.
5. Patterns or mouse recognition: On Android devices use a pattern as the password for
applications, and on a PC use mouse recognition; the mouse program uses mouse gestures
instead of a stylus.
6. Voice to text converter: This software helps prevent keylogging that targets a specific
part of our keyboard.
These techniques are less common but are very helpful against key loggers.
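The one-time-password defence (item 4) works because a code a key logger captures is only good for one time step and one use. As an added illustration that is not part of the original text, the following Python implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and adds a server-side verifier that accepts each time step at most once, which is what makes a logged code worthless once the legitimate login has consumed it. The secret is the RFC test-vector seed, and the verifier class, its one-step clock skew and the `last_used_step` bookkeeping are this example's own design, not a standard API.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check (this example's own design, not a standard API).

    A code is accepted only if it matches the current step or one step either side
    (clock skew), and only if that step is newer than the last accepted one. A code
    captured by a key logger and replayed after the real login therefore fails, and so
    does a second login attempt with the same code inside the same 30 seconds.
    """

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_used_step = -1

    def verify(self, code, unix_time):
        current = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_used_step:
                continue   # replay, or older than a step already consumed
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


# Seed from the RFC 4226 / RFC 6238 test vectors, used here only so the output is checkable.
RFC_SECRET = b"12345678901234567890"
```

`hmac.compare_digest` is used for the comparison so that the check takes the same time whether the first or the last digit differs. The skew window is deliberately small: each extra step an attacker is allowed is one more code that would be accepted.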
Spyware
Spyware is a breach of cyber security; it usually gets into the laptop or computer system
when a user unintentionally clicks on a random unknown link or opens an unknown attachment,
which downloads the spyware alongside the attachment. It is a best practice to be cautious about
the sites used for downloading content onto the system. Spyware is a type of software that,
unethically and without proper permission or authorization, steals a user's personal or business
information and sends it to a third party. Spyware may get into a computer or laptop as a
hidden component of freeware or shareware.
Spyware maliciously tracks a user's activity, gains access to data, or even crashes the
computer or laptop. Spyware in many cases runs as a background process and slows down the
normal functioning of the computer system.
Spyware enters the laptop or computer system in the following ways:
• Phishing: A form of security breach where spyware enters the system when a suspicious link
is clicked or an unknown dangerous attachment is downloaded.
• Spoofing: Goes alongside phishing and makes unauthorized emails appear to come from
legitimate users or business units.
• Free or shared software: Gets into the system when a user installs software that is free of
cost but has spyware bundled with it.
• Misleading software: Advertised as very beneficial for the system and claiming to boost its
speed, but it leads to confidential information being stolen from the system.
How does Spyware Enter the Computer System?
Spyware entering the system is very dangerous, and proper knowledge of it can save a lot of
trusted information from becoming accessible to a third party. Spyware is classified on the
basis of the function it performs. The different types of spyware that can attack our system
are listed below:
• Adware: A type of spyware that keeps track of the user's activity and serves advertisements
based on the tracked activity.
• Tracking cookies: A type of spyware that tracks a user's activity and supplies it to third
parties.
• Trojans: The most dangerous type of spyware. It aims to steal confidential user information
such as bank details and passwords and transfers it to a third party to perform illegal
transactions or fraud.
• Keyloggers: A type of spyware that keeps track of all the keystrokes the user enters through
the keyboard. It is dangerous as it contributes to cyber fraud: sensitive passwords can be
stolen by watching what the user typed.
• Stalkerware: A type of spyware installed on mobile phones to stalk the user. It tracks the
movement of the user and sends it to a third party.
• System monitor: A type of spyware that monitors and keeps track of the entire system,
including user activity, sensitive information, keystrokes, calls, and chats. It is extremely
dangerous to user privacy.
How Spyware Infects Devices?
Spyware attaches itself to websites and downloads without the user noticing. Many programs
get downloaded without any warning alongside the software the user actually wanted, and they
are very dangerous for the computer system. Another way spyware enters our systems is when
the user clicks unverified links or downloads malicious content onto the computer.
When spyware enters the computer system it unethically accesses information that it is not
authorized to view. In most cases it also supplies this information to third parties, leading to
data leaks. Sensitive information such as passwords and bank details is at great risk if
spyware enters the system. Data leaks, theft of sensitive information, tracking of the user's
activity and preferences, slowing the system down, and even crashing the computer are the
effects spyware can cause once it enters the system without the user's consent.
How to Prevent Spyware?
• Installing antivirus/antispyware: The best way to protect your system from spyware is to
install good quality antispyware or antivirus software such as MalwareBytes, Adaware, AVG
Antivirus, SpywareBlaster, etc. This helps protect the computer system in case spyware tries
to attach itself to the system. Antivirus/antispyware software also protects the system from
harmful threats by blocking sites that try to steal data or leak it to third parties.
• Beware of cookie settings: Some websites transfer confidential information alongside
cookies. It is always advisable to keep a check on the cookie settings and set them to high
security.
• Beware of pop-ups on websites: Do not click on pop-ups without reading them. Never accept
their terms and conditions, as that is highly dangerous. Always close pop-up windows without
clicking 'OK'.
• Never install free software: Always be very cautious when you install free software on
your systems. Free software mostly has spyware attached to it and can directly leak
confidential user information.
• Always read terms and conditions: Always read the terms and conditions before installing
apps on your system. Never accept policies that breach privacy. Download only trusted and
verified apps from the Google Play Store or Apple App Store for mobile phones to protect
them from spyware.
Sr.No. | Basis of Comparison | WORMS | VIRUS
5 | Detection and Protection
    WORMS: Worms can be detected and removed by antivirus software and a firewall.
    VIRUS: Antivirus software is used for protection against viruses.
9 | Symptoms
    WORMS:
    • Hampering computer performance by slowing it down
    • Automatic opening and running of programs
    • Sending of emails without your knowledge
    • Affected performance of the web browser
    • Error messages concerning the system and operating system
    VIRUS:
    • Pop-up windows linking to malicious websites
    • Hampering computer performance by slowing it down
    • After booting, starting of unknown programs
    • Passwords get changed without your knowledge
Trojan Horse
The name Trojan Horse is taken from the classical story of the Trojan War. It is malicious
code that has the capacity to take control of the computer. It is designed to steal, damage, or
perform other harmful actions on the computer. It tries to deceive the user into loading and
executing the files on the device. After it executes, it allows cybercriminals to perform many
actions on the user's computer, such as deleting data from files, modifying data in files, and
more. Unlike many viruses or worms, a Trojan Horse does not have the ability to replicate itself.
Since then many Trojan viruses or malware have appeared which turned out to be a threat or the
most popular malware attack. Because Trojans are so versatile, they are used by many online
criminals for malware attacks. Trojans are a bit tougher to identify. Trojans can be found in
MP3 songs that the user has downloaded, in games downloaded from an unsecured website, or in
advertisements that pop up when the user is browsing a page.
Many people have been infected by Trojans without realizing it. This type of Trojan is called a
Direct-Action Trojan. It cannot spread to other users, and when it infects a system the system
shows some indications that it has been affected.
Another example is a direct-action Trojan named JS.ExitW. It can be downloaded from many
malicious sites. The effect of JS.ExitW is to make the computer fall into a never-ending loop
of startup and shutdown. This Trojan does not do any damage that could be considered
dangerous, but we should be aware that there are many Trojans that are far more dangerous.
Features of Trojan Horse
• It steals information like a password and more.
• It can be used to allow remote access to a computer.
• It can be used to delete data and more on the user’s computers.
How Does Trojan Horse Work?
Unlike computer viruses, a Trojan horse requires the user to download the server side of the
application for it to function, because it cannot manifest by itself. This means that for the
Trojan to target a device's system, the executable (.exe) file must be run and the software
installed.
In order to reach as many inboxes as possible, spammers send emails with attachments that
appear legitimate and that contain files which propagate Trojan viruses. Once the email is
opened and the malicious attachment downloaded, the Trojan installs itself and runs
automatically every time the infected device is turned on.
Cybercriminals can also use social engineering techniques to trick people into installing
malicious software, which can then infect a device with a Trojan. The malicious file may be
hidden in internet links, pop-up ads, or banner advertisements.
Trojan software can propagate to other computers from a Trojan-infected computer. A hacker
turns the device into a zombie computer, giving them remote access to it without the user's
knowledge. The zombie machine can then be used by hackers to spread malware among a botnet
of computers.
A user might, for example, get an email from a friend with an attachment that likewise appears
to be genuine. However, the attachment contains malicious code that runs on the user's device
and installs the Trojan. The user may not be aware that anything suspicious has happened,
because their machine may continue to function normally without any sign of having been
infected.
Until the user performs a certain action, such as visiting a specific website or banking app,
the malware remains undiscovered. That action activates the malicious code, and the Trojan
carries out its intended activity. The malware may destroy itself, go back to being dormant, or
remain active on the device, depending on the type of Trojan and how it was developed.
Examples of Trojan Horse Virus Attacks
Trojan attacks that infect systems and steal user data are responsible for significant damage.
Typical instances of Trojans include:
• Rakhni Trojan: The Rakhni Trojan infects devices by delivering ransomware or a
cryptojacker utility that allows an attacker to use the device to mine bitcoin.
• Tiny Banker: With Tiny Banker, hackers can steal users' bank information. Once it started
infecting machines, it was discovered at at least 20 U.S. banks.
• Zeus or Zbot: Zeus, often known as Zbot, is a toolkit that allows hackers to create their
own Trojan virus and targets financial services. To steal user passwords and financial
information, the source code employs techniques such as form grabbing and keystroke
logging.
Uses of Trojan Horse
1. Spy: Some Trojans act as spyware. They are designed to take data from the victim such as
social networking credentials (usernames and passwords), credit card details, and more.
2. Creating backdoors: The Trojan makes changes to the victim's system or device so that other
malware or cyber criminals can get into the device or system.
3. Zombie: Many times the hacker is not at all interested in the victim's computer itself but
wants to use it under their control.
Types of Trojan Horse
There are many Trojans designed to perform specific functions. Some of them are:
• Backdoor Trojan: A Trojan horse of this kind gives the attacker remote access to the
compromised machine.
• Ransom Trojan: This kind of Trojan horse is intended to encrypt the data on the
compromised system and then demand payment in exchange for its decryption.
• Trojan Banker: Designed to steal account data for online banking, credit and debit cards,
etc.
• Trojan Downloader: Designed to download further malicious files, such as new versions of
Trojans and adware, onto the victim's computer.
• Trojan Dropper: Designed to prevent the detection of malicious files on the system. It can
be used by hackers to install Trojans or viruses on the victim's computer.
• Trojan GameThief: Designed to steal data from online gamers.
• Trojan-IM: Designed to steal login data and passwords for instant messaging programs such
as Skype, Yahoo Pager and more.
Other Trojans include Trojan-Notifier, Trojan-Clicker, and more.
Advantage of Trojan Horse
• It can be sent as an attachment in an email.
• It can be hidden in pop-up ads found on web pages.
• It can be used to allow remote access to a computer.
• It can be used to delete data and more on the user's computer.
Disadvantages of Trojan Horse
• It cannot manifest by itself; it requires the .exe file to be run.
• It remains undetected and starts executing when the user performs an online transaction.
• The system or device that has been affected becomes slow.
• The user may also experience a sudden shutdown of the computer.
• The user will find that files open much more slowly.
Prevention from Trojan Horse
• Do not download anything, such as images or audio files, from an unsecured website.
• Do not click on ads that pop up on a page with advertisements for online games.
• Do not open any attachment that has been sent by an unknown user.
• The user should install an anti-virus program. An anti-virus program has the capacity to
detect files that are affected by a virus.
Trojan Horse vs. Backdoor: A Comparative Analysis
In the world of cybersecurity, malicious software tools like Trojan horses and backdoors are
commonly used by cybercriminals to infiltrate systems, steal data, and cause significant damage.
These terms often get thrown around interchangeably, leading to confusion among the general
public. This article aims to clarify the difference between the two by providing a comprehensive
comparison in tabular form. So, if you've ever wondered about the distinction between a Trojan
horse and a backdoor, read on to unravel their unique characteristics and functionalities.
Understanding Trojan Horses
A Trojan horse, inspired by the mythical tale of the wooden horse used to infiltrate the city of
Troy, is a type of malware that disguises itself as legitimate software or files to deceive
unsuspecting users. Once executed, a Trojan horse opens a backdoor on the victim's system,
allowing hackers to gain unauthorized access and carry out various malicious activities without
the user's knowledge. Unlike viruses or worms, which can replicate and spread on their own,
Trojan horses require human interaction to execute and deploy their payload.
Types of Trojan Horses
Trojan horses come in different forms, each designed to serve a specific purpose. Here are some
common types of Trojan horses:
• Remote Access Trojans (RATs): These Trojans enable remote control and administration
of the victim's system, providing hackers with full access and control over the
compromised device. RATs are frequently used in espionage and surveillance activities.
• Keyloggers: These Trojans are programmed to record keystrokes on the victim's system,
allowing hackers to capture sensitive information like passwords, credit card details, and
other personal data.
• Banking Trojans: As the name suggests, these Trojans target online banking services,
intercepting login credentials and financial information to carry out fraudulent
transactions.
Backdoors
While Trojan horses serve as the means to establish a backdoor, the term "backdoor" refers to a
hidden entry point in a system or application intentionally created by software developers for
legitimate purposes, such as system administration or debugging. However, cybercriminals
often exploit these backdoors to gain unauthorized access and control over compromised
systems.
The Purpose of Backdoors
Backdoors can serve both legitimate and malicious purposes, depending on who has control
over them. Software developers may create backdoors to facilitate troubleshooting or allow
system administrators to regain access in case of lockouts. However, when unauthorized
individuals gain access to backdoors, they can manipulate or exploit systems, often resulting in
severe consequences.
Trojan Horse vs. Backdoor: A Comparative Analysis
Functionalities
    Trojan Horse: Can be used for various malicious activities, such as remote control of
    the victim's system, data theft, or installing additional malware.
    Backdoor: Provides unauthorized access and control over compromised systems, allowing
    manipulation, data theft, or further malware deployment.
Steganography
A steganography technique involves hiding sensitive information within an ordinary, non-secret
file or message, so that it will not be detected. The sensitive information will then be extracted
from the ordinary file or message at its destination, thus avoiding detection. Steganography is
an additional step that can be used in conjunction with encryption in order to conceal or
protect data.
Steganography is a means of concealing secret information within (or even on top of) an
otherwise mundane, non-secret document or other media to avoid detection. It comes from the
Greek words steganos, which means “covered” or “hidden,” and graph, which means “to write.”
Hence, “hidden writing.”
You can use steganography to hide text, video, images, or even audio data. It’s a helpful bit of
knowledge, limited only by the type of medium and the author’s imagination.
Different Types of Steganography
1. Text Steganography − Steganography in text files entails secretly storing information in
the text. In this method, the hidden data is encoded into the letters of each word.
2. Image Steganography − The second type of steganography is image steganography, which
entails concealing data by using an image of a different object as a cover. Pixel intensities are
the key to data concealment in image steganography.
Since the computer description of an image contains multiple bits, images are frequently used
as a cover source in digital steganography.
The various terms used to describe image steganography include:
• Cover-Image - Unique picture that can conceal data.
• Message - Real data that you can mask within pictures. The message may be in the form
of standard text or an image.
• Stego-Image − A stego image is an image with a hidden message.
• Stego-Key - Messages can be embedded in cover images and stego-images with the help
of a key, or the messages can be derived from the photos themselves.
3. Audio Steganography − The science of hiding data in sound. Used digitally, it protects
against unauthorized reproduction. Watermarking is a technique that hides one piece of data
(the message) within another (the "carrier"). Its typical uses involve media playback,
primarily audio clips.
4. Video Steganography − Video steganography is a method of secretly embedding data or
other files within a video file on a computer. Video (a collection of still images) can function as
the "carrier" in this scheme. Discrete cosine transform (DCT) is commonly used to insert values
that can be used to hide the data in each image in the video, which is undetectable to the naked
eye. Video steganography typically employs the following file formats: H.264, MP4, MPEG, and
AVI.
5. Network or Protocol Steganography − Conceals data by using a network protocol such as TCP,
UDP, ICMP or IP as the cover object. Steganography can be used to build covert channels,
which exist at the various layers of the OSI network model.
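Image steganography, as item 2 says, works on pixel intensities: changing the least significant bit of a channel value alters the intensity by at most 1, which the eye cannot see. The following is an added example (not code from the original text) of least-significant-bit embedding and extraction over a list of RGB tuples. The cover image is a small constructed gradient rather than a real file, and the 4-byte big-endian length header is this example's own framing convention so that the extractor knows where the message ends. A practitioner can also use `max_channel_change` as the check that the stego-image differs from the cover by no more than one intensity level per channel.

```python
def capacity_bytes(cover):
    """Each RGB pixel carries 3 bits (one per channel); 8 bits make a byte."""
    return len(cover) * 3 // 8


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover, message):
    """Return a stego-image: `cover` with the LSB of each channel replaced by payload bits.

    The payload is a 4-byte big-endian length followed by the message (this example's own
    framing). Channels after the end of the payload are left untouched.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) > capacity_bytes(cover):
        raise ValueError("cover holds %d bytes, payload needs %d"
                         % (capacity_bytes(cover), len(payload)))
    bits = _bits(payload)
    stego = []
    for pixel in cover:
        new_pixel = []
        for channel in pixel:
            bit = next(bits, None)
            # clear the LSB and set it to the payload bit: intensity changes by at most 1
            new_pixel.append(channel if bit is None else (channel & 0xFE) | bit)
        stego.append(tuple(new_pixel))
    return stego


def extract(stego):
    """Recover the message: read the length header, then that many bytes, from the LSBs."""
    lsbs = [channel & 1 for pixel in stego for channel in pixel]

    def take(nbytes, start_bit):
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for bit in lsbs[start_bit + b * 8: start_bit + b * 8 + 8]:
                value = (value << 1) | bit
            out.append(value)
        return bytes(out)

    length = int.from_bytes(take(4, 0), "big")
    return take(length, 32)


def max_channel_change(cover, stego):
    """Largest per-channel intensity difference between cover and stego-image (LSB => <= 1)."""
    return max(abs(a - b) for pa, pb in zip(cover, stego) for a, b in zip(pa, pb))


# Constructed 16x4 RGB cover image (a gradient), not a real picture: 64 pixels = 24 bytes capacity.
SAMPLE_COVER = [(x * 16, y * 64, 128) for y in range(4) for x in range(16)]
```

The same LSB rule is what makes this form of hiding detectable by tools rather than by eye: an unmodified image rarely has LSB planes that look like uniformly random bits, and statistical tests on the LSB plane are the usual way defenders screen images for hidden payloads.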
Steganography Examples Include
• Writing with invisible ink
• Embedding text in a picture (like an artist hiding their initials in a painting they’ve done)
• Backward masking a message in an audio file (remember those stories of evil messages
recorded backward on rock and roll records?)
• Concealing information in either metadata or within a file header
• Hiding an image in a video, viewable only if the video is played at a particular frame rate
• Embedding a secret message in the red, green, or blue channel of an RGB image
Steganography can be used both for constructive and destructive purposes. For example,
education and business institutions, intelligence agencies, the military, and certified ethical
hackers use steganography to embed confidential messages and information in plain sight.
On the other hand, criminal hackers use steganography to corrupt data files or hide malware in
otherwise innocent documents. For example, attackers can use BASH and PowerShell scripts to
launch automated attacks, embedding scripts in Word and Excel documents. When an unsuspecting
user clicks one of those documents open, they activate the hidden script and chaos ensues.
This process is a favored ransomware delivery method.
DoS attacks
DoS attacks are attempts to interrupt a website or network’s operations by overwhelming it
with traffic. The attacker achieves this by sending an enormous number of requests to the
target server, which causes it to slow down or even crash, making it inaccessible to legitimate
users.
Denial of service (DoS) is a network security attack in which the hacker makes the system or
data unavailable to someone who needs it. Denial of service comes in various types:
1. Browser Redirection – This happens when you are trying to reach a web page but another
page with a different URL opens instead. You can view only the page you were redirected to
and are unable to view the contents of the original page, because the hacker has redirected
the original page to a different one.
2. Closing Connections – After a connection is closed, there can be no communication between
the sender (server) and the receiver (client). The hacker closes the open connection and
prevents the user from accessing resources.
3. Data Destruction – This is when the hacker destroys the resource so that it becomes
unavailable. They might delete, erase, wipe or overwrite the resources, or drop tables, to
destroy the data.
4. Resource Exhaustion – This is when the hacker repeatedly requests access to a resource and
eventually overloads the web application. The application slows down and finally crashes,
and the user is unable to access the web page.
How Do DoS Attacks Impact Businesses and Users?
DoS attacks can have severe consequences for businesses and users alike. Here are some
impacts of DoS attacks:
• Loss of Revenue: DoS attacks can cause businesses to lose significant amounts of
revenue as customers are unable to access their website or service.
• Damage to Reputation: DoS attacks can damage a company’s reputation and erode the
trust of its customers.
• Financial Losses: The cost of mitigating a DoS attack can be significant, and businesses
may also have to pay for lost revenue, legal fees and damages.
• Disruption of Critical Services: DoS attacks can disrupt critical services, such as
healthcare and emergency services, which can have life-threatening consequences.
• Loss of Data: Data destruction attacks can cause businesses to lose critical data, leading
to financial losses and damage to the company’s reputation.
Preventing DoS Attacks: There are several measures businesses can take to prevent DoS attacks,
including:
• Implementing DDoS protection solutions that can detect and mitigate DoS attacks in real
time.
• Ensuring their website and network infrastructure is up-to-date with the latest security
patches.
• Using strong authentication mechanisms, such as multi-factor authentication, to prevent
unauthorized access to the network.
• Monitoring network traffic to detect unusual patterns and take immediate action to
prevent potential attacks.
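The last measure, monitoring traffic for unusual patterns, is the one that can be shown in code. The following is an added example, not code from the original text: a sliding-window request counter over constructed access-log lines that flags a single address exceeding a per-source threshold (the resource-exhaustion DoS of item 4 above) and, separately, a window whose total exceeds a site-wide threshold while no single source stands out, which is the distributed pattern. The log format (epoch seconds, client IP, method, path), the sample addresses from the RFC 5737 documentation ranges, and the thresholds are all assumptions of this example.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this example: "<epoch-seconds> <client-ip> <method> <path>"
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")


def build_sample_log():
    """Constructed traffic, not captured data: light legitimate traffic, then one client
    sending 50 requests in 5 seconds, then 40 addresses sending 3 requests each in 3 seconds."""
    lines = []
    for t in range(0, 60, 5):                       # background: one request every 5 s
        lines.append("%d 192.0.2.10 GET /index.html" % (1700000000 + t))
    for i in range(50):                             # single-source flood
        lines.append("%d 203.0.113.7 GET /login" % (1700000100 + i // 10))
    for bot in range(40):                           # distributed flood, each bot stays quiet
        for k in range(3):
            lines.append("%d 198.51.100.%d GET /search" % (1700000200 + k, bot + 1))
    return lines


def parse_log(lines):
    """Yield (timestamp, client_ip, path) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(4)


def analyze(lines, window=10, per_ip_limit=20, total_limit=100):
    """Sliding-window flood detector.

    - an address with more than `per_ip_limit` requests inside `window` seconds is reported
      as a single-source flood;
    - a window holding more than `total_limit` requests while no address is over
      `per_ip_limit` is reported as a distributed flood.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps inside the window
    recent = deque()              # all timestamps inside the window
    single_source = set()
    distributed = False
    for ts, ip, _path in sorted(parse_log(lines)):
        recent.append(ts)
        per_ip[ip].append(ts)
        # expire entries older than the window (few addresses here, so trimming all is fine)
        while recent and ts - recent[0] >= window:
            recent.popleft()
        for q in per_ip.values():
            while q and ts - q[0] >= window:
                q.popleft()
        busiest = max(len(q) for q in per_ip.values())
        if len(per_ip[ip]) > per_ip_limit:
            single_source.add(ip)
        elif len(recent) > total_limit and busiest <= per_ip_limit:
            distributed = True
    return {"single_source": sorted(single_source), "distributed": distributed}
```

The distinction matters for the response: a single flooding address can be rate-limited or blocked at the edge, whereas the distributed case needs a volume-based control (upstream scrubbing, caching, or a DDoS protection service) because every individual source looks like a normal client.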
DDoS Attack
Distributed Denial of Service (DDoS) is a type of DoS attack in which multiple systems, which
are Trojan-infected, target a particular system and cause a DoS condition.
A DDoS attack uses multiple servers and Internet connections to flood the targeted resource. A
DDoS attack is one of the most powerful weapons on the cyber platform. When you hear about a
website being brought down, it generally means it has become the victim of a DDoS attack: the
hackers have attacked the website or PC by imposing heavy traffic, crashing the website or
computer through overloading.
Example: In 2000, Michael Calce, a 15-year-old boy who used the online name “Mafiaboy”, was
behind one of the first DDoS attacks. He hacked into the computer networks of various different
universities. He used their servers to operate a DDoS attack that brought down several websites
such as eBay and Yahoo. In 2016, Dyn was hit with a massive DDoS attack that took down major
websites and services such as Netflix, PayPal, Amazon, and GitHub.
DoS
DoS stands for Denial of Service. It is a type of attack on a service that disrupts its normal
function and prevents other users from accessing it. The most common target for a DoS attack is
an online service such as a website, though attacks can also be launched against networks,
machines, or even a single program.
Difference between DoS and DDoS
DoS vs DDoS
• DoS: In a DoS attack a single system targets the victim system.
  DDoS: In a DDoS attack multiple systems attack the victim's system.
• DoS: The victim's PC is loaded with packets of data sent from a single location.
  DDoS: The victim's PC is loaded with packets of data sent from multiple locations.
• DoS: A DoS attack is slower compared to DDoS.
  DDoS: A DDoS attack is faster than a DoS attack.
• DoS: In a DoS attack only a single device is used, with DoS attack tools.
  DDoS: In a DDoS attack, VolumeBots are used to attack at the same time.
• DoS: DoS attacks are easy to trace.
  DDoS: DDoS attacks are difficult to trace.
SQL injection
SQL injection is a technique used to extract user data by injecting SQL statements through web
page inputs. Basically, malicious users can use these inputs to manipulate the application's
web server.
1. SQL injection is a code injection technique that can compromise your database.
2. SQL injection is one of the most common web hacking techniques.
3. SQL injection is the insertion of malicious code into SQL statements via web page input.
The Exploitation of SQL Injection in Web Applications
Web servers communicate with database servers anytime they need to retrieve or store user
data. SQL statements by the attacker are designed so that they can be executed while the web
server is fetching content from the application server. It compromises the security of a web
application.
Example of SQL Injection
Suppose we have an application based on student records. Any student can view only his or her
own records by entering a unique and private student ID.
Suppose we have a field like the one below:
Student id: The student enters the following in the input field: 12222345 or 1=1.
Query:
SELECT * FROM STUDENT WHERE
STUDENT_ID = 12222345 OR 1 = 1
Now, this 1=1 holds true for every row, so all records are returned. So basically, all the
student data is compromised. The malicious user can also delete the student records in a
similar fashion.
Consider the following SQL query.
Query:
SELECT * FROM USER WHERE
USERNAME = '' AND PASSWORD = ''
Now a malicious user can use the '=' operator in a clever manner to retrieve private and secure
user information. Instead of the above query, the following query, when executed, retrieves
protected data not intended to be shown to users.
Query:
SELECT * FROM USER WHERE
(USERNAME = '' OR 1=1) AND
(PASSWORD = '' OR 1=1)
Since 1=1 always holds true, user data is compromised.
Impact of SQL Injection
The hacker can retrieve all the user data present in the database such as user details, credit card
information, and social security numbers, and can also gain access to protected areas like the
administrator portal. It is also possible to delete user data from the tables.
Nowadays, all online shopping applications and bank transactions use back-end database
servers. So, in case the hacker is able to exploit SQL injection, the entire server is compromised.
Preventing SQL Injection
• User Authentication: Validate input from the user by pre-defining the length and type of
input for the input field, and authenticate the user.
• Restrict the access privileges of users and define how much data any outsider can access
from the database. Basically, users should not be granted permission to access everything in
the database.
• Do not use system administrator accounts for the application's database connection.
SQL in Web Pages
SQL injection typically occurs when you ask a user for input, such as their username/user ID,
instead of their name/ID, and the user gives you an SQL statement that you execute without the
knowledge about your database.
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users
WHERE UserId = " + txtUserId;
SQL Injection Based on Batched SQL Statements
1. Most databases guide batch SQL statements.
2. A batch of SQL statements is a collection of two or more square statements separated by
using semicolons.
The SQL declaration underneath will return all rows from the “users” desk after which delete
the “Employees” table.
Query:
SELECT * FROM Users;
DROP TABLE Employees
Look at the following example:
Syntax:
txtEmpId = getRequestString("EmpId");
txtSQL = "SELECT * FROM Users WHERE EmpId = " + txtEmpId;
If the user enters 116; DROP TABLE Employees as the EmpId, the resulting SQL is valid and
would look like this:
Query:
SELECT * FROM Users WHERE EmpId = 116;
DROP TABLE Employees;
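As an added example (not part of these notes), the lookup and login queries above written against Python's built-in sqlite3 module, with the concatenated form beside its parameterised fix. The Users table, its rows and the function names are constructed for the demonstration; the passwords are stored in plain text only to mirror the notes' query.

```python
import sqlite3

# Constructed sample rows; not taken from the notes. Plain-text passwords are
# kept only to mirror the notes' query; real systems store password hashes.
SAMPLE_USERS = [
    (105, "alice", "s3cret"),
    (116, "bob", "hunter2"),
    (200, "admin", "correct-horse"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, txt_user_id):
    """The notes' pattern: the request string is concatenated into the SQL text.

    Returns the matching rows, or None if the driver rejected the statement.
    """
    txt_sql = "SELECT * FROM Users WHERE UserId = " + txt_user_id
    try:
        return conn.execute(txt_sql).fetchall()
    except (sqlite3.Warning, sqlite3.ProgrammingError, sqlite3.OperationalError):
        # Python's sqlite3 module refuses to run a second, batched statement in
        # execute() (a Warning on older Pythons, ProgrammingError on 3.12+).
        # That is a property of this driver, not a general defence.
        return None


def safe_lookup(conn, txt_user_id):
    """Parameterised form: the input is bound as a value and never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (txt_user_id,)).fetchall()


def vulnerable_login(conn, username, password):
    """The notes' login query (with single quotes); returns the matched usernames."""
    txt_sql = ("SELECT Username FROM Users WHERE (Username = '" + username
               + "') AND (Password = '" + password + "')")
    return [row[0] for row in conn.execute(txt_sql).fetchall()]


def safe_login(conn, username, password):
    """Same check with bound parameters; a quote in the input is just a quote."""
    rows = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    bad = "' OR '1'='1"
    print("lookup 116:", vulnerable_lookup(db, "116"))
    print("lookup '1 OR 1=1' (concatenated):", vulnerable_lookup(db, "1 OR 1=1"))
    print("lookup '1 OR 1=1' (parameterised):", safe_lookup(db, "1 OR 1=1"))
    print("batched input (concatenated):", vulnerable_lookup(db, "116; DROP TABLE Employees"))
    print("login with OR 1=1 input (concatenated):", vulnerable_login(db, bad, bad))
    print("login with OR 1=1 input (parameterised):", safe_login(db, bad, bad))
```

Run as a script, the concatenated lookup returns every row for the input 1 OR 1=1 and the concatenated login returns every username for the two OR 1=1 inputs, while the parameterised versions return nothing for the same inputs. The batched input returns None only because this particular driver refuses stacked statements; the parameterised query is the fix that holds for every driver.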
Buffer Overflow
Buffers are memory storage regions that temporarily hold data while it is being transferred from
one location to another. A buffer overflow (or buffer overrun) occurs when the volume of data
exceeds the storage capacity of the memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations.
For example, a buffer for log-in credentials may be designed to expect username and password
inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than
expected), the program may write the excess data past the buffer boundary.
Buffer overflows can affect all types of software. They typically result from malformed inputs or
failure to allocate enough space for the buffer. If the transaction overwrites executable code, it
can cause the program to behave unpredictably and generate incorrect results, memory access
errors, or crashes.
What is a Buffer Overflow Attack
Attackers exploit buffer overflow issues by overwriting the memory of an application. This
changes the execution path of the program, triggering a response that damages files or exposes
private information. For example, an attacker may introduce extra code, sending new
instructions to the application to gain access to IT systems.
If attackers know the memory layout of a program, they can intentionally feed input that the
buffer cannot store, and overwrite areas that hold executable code, replacing it with their own
code. For example, an attacker can overwrite a pointer (an object that points to another area in
memory) and point it to an exploit payload, to gain control over the program.
Types of Buffer Overflow Attacks
• Stack-based buffer overflows are more common, and leverage stack memory that only
exists during the execution time of a function.
• Heap-based attacks are harder to carry out and involve flooding the memory space
allocated for a program beyond memory used for current runtime operations.
What Programming Languages are More Vulnerable?
C and C++ are two languages that are highly susceptible to buffer overflow attacks, as they don’t
have built-in safeguards against overwriting or accessing data in their memory. Mac OSX,
Windows, and Linux all use code written in C and C++.
Languages such as PERL, Java, JavaScript, and C# use built-in safety mechanisms that minimize
the likelihood of buffer overflow.
How to Prevent Buffer Overflows
Developers can protect against buffer overflow vulnerabilities via security measures in their
code, or by using languages that offer built-in protection.
In addition, modern operating systems have runtime protection. Three common protections
are:
• Address space layout randomization (ASLR)—randomly moves around the address space
locations of data regions. Typically, buffer overflow attacks need to know the location of
executable code, and randomizing address spaces makes this virtually impossible.
• Data execution prevention—flags certain areas of memory as non-executable or
executable, which stops an attack from running code in a non-executable region.
• Structured exception handler overwrite protection (SEHOP)—helps stop malicious code
from attacking Structured Exception Handling (SEH), a built-in system for managing
hardware and software exceptions. It thus prevents an attacker from being able to make
use of the SEH overwrite exploitation technique. At a functional level, an SEH overwrite
is achieved using a stack-based buffer overflow to overwrite an exception registration
record, stored on a thread’s stack.
Security measures in code and operating system protection are not enough. When an
organization discovers a buffer overflow vulnerability, it must react quickly to patch the affected
software and make sure that users of the software can access the patch.
Identity Theft
Identity Theft, also called Identity Fraud, is a crime that is committed by a huge number of
people nowadays. Identity theft happens when someone steals your personal information to
commit fraud. It is committed in many ways, for example by gathering personal information such
as another person's transaction details in order to make transactions in their name.
Example: Thieves use different mechanisms to extract information about customers' credit
cards from corporate databases. Once they have that information, they can easily degrade the
victim's credit rating. If the victim is not notified early, this information in the thieves' hands
can cause huge harm. With these false credentials, they can obtain a credit card in the victim's
name, which can be used to run up false debts.
Types of Identity Theft:
• Criminal Identity Theft – When caught for a crime, the thief backs up their identity with
false documents belonging to the victim, such as an ID or other verification documents; if
the bluff succeeds, the victim is charged as guilty and has to bear the loss.
• Senior Identity Theft – Seniors over the age of 60 are often targets of identity thieves.
They are sent information that looks genuine, and their personal information is then
gathered for such misuse. Seniors must be alert so that they do not become victims.
• Driver's License ID Identity Theft – Driver's license identity theft is the most common
form of ID theft. A driver's license provides the name, address, and date of birth, as well as
a state driver's identity number. Thieves use this information to apply for loans or credit
cards, or try to open bank accounts to obtain checking accounts, or buy cars, houses,
vehicles, electronic equipment, jewelry, anything valuable, all charged to the owner's name.
• Medical Identity Theft – The victim's health-related information is gathered and a
fraudulent need for medical services is created, with fraudulent bills that are then charged
to the victim's account.
• Tax Identity Theft – The attacker is interested in learning your Employer Identification
Number in order to claim a tax refund. This is noticed when you attempt to file your tax
return, or when the Income Tax department sends you a notice about it.
• Social Security Identity Theft – The thief intends to learn your Social Security Number
(SSN). With this number they also know all your personal information, which is the biggest
threat to an individual.
• Synthetic Identity Theft – Unlike the other thefts, the thief combines the gathered
information of several people to create a new identity. When this identity is used, all the
victims are affected.
• Financial Identity Theft – The most common type of attack. The stolen credentials are
used to obtain a financial benefit. The victim notices it only by checking their balances
carefully, as it is practiced very slowly.
Techniques of Identity Theft: Identity thieves usually hack into corporate databases for
personal credentials, which requires effort, but with several social-engineering techniques it
is considered easy. Some common identity theft techniques are:
• Pretext Calling – Thieves pretend over the phone to be an employee of a company and ask
for financial information. Posing as legitimate employees, they ask for personal data with
some flattering promises in return.
• Mail Theft – Credit card information with transactional data is extracted from a public
mailbox.
• Phishing – Emails purporting to be from banks are sent to a victim with malware in them.
When the victim responds to the mail, their information is captured by the thieves.
• Internet – The Internet is widely used worldwide, and attackers know many techniques for
getting users to connect to public networks that the attackers control, and they bundle
spyware with downloads.
• Dumpster Diving – A technique that has leaked much information from well-known
institutions. Those who collect the garbage know this, and search for account-related
documents containing social security numbers and other personal documents that were not
shredded before disposal.
• Card Verification Value (CVV) Code Requests – The Card Verification Value number is
located on the back of your debit card. This number is used to enhance transaction
security, but several attackers ask for this number while pretending to be a bank official.
Steps of Prevention from Identity Theft:
1. Use strong passwords and do not share your PIN with anyone, on or off the phone.
2. Use two-factor authentication for email accounts.
3. Secure all your devices with a password.
4. Don't install random software from the internet.
5. Don't post sensitive information on social media.
6. When entering passwords at a payment gateway, make sure it is genuine.
7. Limit the personal information you carry with you.
8. Change your PIN and passwords regularly.
9. Do not disclose your information over the phone.
10. While traveling, do not share personal information with strangers.
11. Never share your Aadhaar/PAN number (in India) with anyone you do not know or trust.
12. Never share your SSN (in the US) with anyone you do not know or trust.
13. Do not make all the personal information on your social media accounts public.
14. Never share an Aadhaar OTP received on your phone with someone over a call.
15. Make sure that you do not receive unsolicited OTP SMS messages about Aadhaar (if you do,
your Aadhaar number is already in the wrong hands).
16. Do not enter personal data on websites that claim to offer benefits in return.
17. Lastly, be the keeper of your own personal information.
UNIT 4
Computer forensics
Computer forensics, also known as digital forensics, is a branch of forensic science that involves
the investigation and analysis of digital devices and electronic data to gather evidence for legal
purposes. The primary goal of computer forensics is to uncover, preserve, analyze, and present
digital evidence in a way that is admissible in a court of law. This field is crucial in dealing with
cybercrime, fraud, data breaches, and other digital incidents. Here are key aspects of computer
forensics:
1. Evidence Identification and Preservation: The process begins with the identification and
preservation of digital evidence. This involves securing and isolating the device or
storage media to prevent any alteration or contamination of the data.
2. Acquisition: Forensic specialists use specialized tools and techniques to create a forensic
copy (bit-by-bit duplicate) of the original data. This ensures that the original evidence
remains intact and unaltered during the investigation.
3. Analysis: Investigators analyze the acquired data to identify relevant information, such
as files, documents, emails, or other artifacts. This may involve recovering deleted files,
examining metadata, and reconstructing digital activities.
4. Recovery of Deleted Data: Computer forensics tools often include features for
recovering data that has been intentionally or accidentally deleted. This can be crucial in
uncovering evidence that the suspect may have tried to conceal.
5. Timeline Reconstruction: Investigators create a timeline of events to understand the
sequence of actions taken on the digital device. This helps in establishing a chronological
order of activities, which can be important in legal proceedings.
6. Network Forensics: In cases involving network-based attacks or incidents, investigators
may analyze network traffic, logs, and other digital artifacts to trace the source of
unauthorized activities and understand the extent of the compromise.
7. Documentation and Reporting: Thorough documentation of the investigation process is
essential. Investigators create detailed reports that include their findings,
methodologies, and any relevant information that can be presented in court.
8. Legal Admissibility: Computer forensic specialists must adhere to strict protocols to
ensure that the evidence they collect is admissible in court. This involves maintaining the
integrity of the evidence, following established procedures, and obtaining proper
authorization.
9. Expert Testimony: Computer forensic experts may be called upon to testify as expert
witnesses in legal proceedings. Their testimony can help explain complex technical
details to judges and juries.
Computer forensics is a constantly evolving field due to advancements in technology and
changes in cyber threats. Professionals in this field often need to stay updated on the latest
tools and techniques to effectively investigate and respond to digital incidents. Additionally,
they must adhere to ethical standards and legal requirements to ensure the integrity and
admissibility of the evidence they collect.
Computer Forensics is a scientific method of investigation and analysis in order to gather
evidence from digital devices or computer networks and components which is suitable for
presentation in a court of law or legal body. It involves performing a structured investigation
while maintaining a documented chain of evidence to find out exactly what happened on a
computer and who was responsible for it.
Types:
• Disk Forensics: It deals with extracting raw data from the primary or secondary storage
of the device by searching active, modified, or deleted files.
• Network Forensics: It is a sub-branch of Computer Forensics that involves monitoring
and analyzing the computer network traffic.
• Database Forensics: It deals with the study and examination of databases and their
related metadata.
• Malware Forensics: It deals with the identification of suspicious code and studying
viruses, worms, etc.
• Email Forensics: It deals with emails and their recovery and analysis, including deleted
emails, calendars, and contacts.
• Memory Forensics: Deals with collecting data from system memory (system registers,
cache, RAM) in raw form and then analyzing it for further investigation.
• Mobile Phone Forensics: It mainly deals with the examination and analysis of phones
and smartphones and helps to retrieve contacts, call logs, incoming, and outgoing SMS,
etc., and other data present in it.
Characteristics
• Identification: Identifying what evidence is present, where it is stored, and how it is
stored (in which format). Electronic devices can be personal computers, Mobile phones,
PDAs, etc.
• Preservation: Data is isolated, secured, and preserved. It includes prohibiting
unauthorized personnel from using the digital device so that digital evidence, mistakenly
or purposely, is not tampered with and making a copy of the original evidence.
• Analysis: Forensic lab personnel reconstruct fragments of data and draw conclusions
based on evidence.
• Documentation: A record of all the visible data is created. It helps in recreating and
reviewing the crime scene. All the findings from the investigations are documented.
• Presentation: All the documented findings are produced in a court of law for further
investigations.
Procedure:
The procedure starts with identifying the devices used and collecting the preliminary evidence
at the crime scene. A court warrant is then obtained for the seizure of the evidence, which
leads to its seizure. The evidence is then transported to the forensics lab for further
investigation; the documented transfer of the evidence from the crime scene to the lab is
called the chain of custody. The evidence is then copied for analysis and the original
evidence is kept safe, because analysis is always done on the copy and never on the original
evidence.
The analysis is then done on the copied evidence for suspicious activities and, accordingly,
the findings are documented in a non-technical tone. The documented findings are then
presented in a court of law for further proceedings.
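The acquisition and chain-of-custody steps described in the key aspects list and in the procedure above, as an added example that is not part of these notes: a bit-for-bit copy is made while the source is hashed, the copy is hashed independently, and the copy is re-verified before analysis so that any later change is detected. The "device" is a constructed byte pattern in memory, and the log record layout and function names are assumptions for the demonstration.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK_SIZE = 4096

# Constructed stand-in for a storage device: 64 KiB of a repeating byte pattern.
DEVICE_IMAGE = bytes(range(256)) * 256


def sha256_of_stream(stream):
    """Hash a readable binary stream from its current position, in chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, sink):
    """Bit-for-bit copy of `source` into `sink`, hashing the source as it is read.

    The copy is then re-read and hashed independently, so the returned record
    shows that what landed in `sink` is exactly what was read from the device.
    """
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: source.read(CHUNK_SIZE), b""):
        digest.update(chunk)
        sink.write(chunk)
        size += len(chunk)
    sink.seek(0)
    return {
        "bytes": size,
        "source_sha256": digest.hexdigest(),
        "copy_sha256": sha256_of_stream(sink),
    }


def verify_image(image, expected_sha256):
    """Re-hash a working copy before analysis and compare with the acquisition hash."""
    image.seek(0)
    return sha256_of_stream(image) == expected_sha256


def custody_entry(action, examiner, item_id, sha256, when=None):
    """One line of the chain-of-custody log (hypothetical record layout)."""
    when = when or datetime.now(timezone.utc)
    return {"time": when.isoformat(), "action": action, "examiner": examiner,
            "item": item_id, "sha256": sha256}


def demo():
    """Run the procedure on the constructed device and return the outcome."""
    device = io.BytesIO(DEVICE_IMAGE)
    working_copy = io.BytesIO()
    record = acquire_image(device, working_copy)
    log = [custody_entry("acquired", "examiner-1", "ITEM-001", record["source_sha256"])]

    # Analysis is done on the copy, so verify the copy against the source hash first.
    intact = verify_image(working_copy, record["source_sha256"])
    log.append(custody_entry("verified", "examiner-2", "ITEM-001", record["copy_sha256"]))

    # Simulate a single flipped byte in a copy: verification must now fail.
    tampered = io.BytesIO(working_copy.getvalue())
    tampered.seek(1000)
    tampered.write(b"\xff")
    tampered_ok = verify_image(tampered, record["source_sha256"])
    return {"record": record, "intact": intact, "tampered_ok": tampered_ok, "log": log}


if __name__ == "__main__":
    result = demo()
    print("acquired", result["record"]["bytes"], "bytes")
    print("source hash matches copy:", result["record"]["source_sha256"] == result["record"]["copy_sha256"])
    print("working copy intact:", result["intact"])
    print("tampered copy passes verification:", result["tampered_ok"])
```

On a real device the source would be a read-only block device opened in binary mode and the sink an image file; the hashing and verification logic is unchanged. The acquisition hash recorded in the first log entry is what every later examiner compares against.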
Some Tools used for Investigation:
Tools for Laptop or PC –
• COFEE – A suite of tools for Windows developed by Microsoft.
• The Coroner’s Toolkit – A suite of programs for Unix analysis.
• The Sleuth Kit – A library of tools for both Unix and Windows.
Tools for Memory:
• Volatility
• WindowsSCOPE
Tools for Mobile Device:
• MicroSystemation XRY/XACT
Applications
• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Misuse of the Internet and email in the workplace
• Forgeries related matters
• Bankruptcy investigations
• Issues concerning regulatory compliance
Advantages of Computer Forensics:
• To produce evidence in the court, which can lead to the punishment of the culprit.
• It helps the companies gather important information on their computer systems or
networks potentially being compromised.
• Efficiently tracks down cyber criminals from anywhere in the world.
• Helps to protect the organization’s money and valuable time.
• Allows to extract, process, and interpret the factual evidence, so it proves the
cybercriminal actions in the court.
Disadvantages of Computer Forensics:
• Before digital evidence is accepted in court, it must be proved that it has not been
tampered with.
• Producing and keeping electronic records safe is expensive.
• Legal practitioners must have extensive computer knowledge.
• Authentic and convincing evidence must be produced.
• If the tool used for digital forensics does not meet the specified standards, the court may
reject the evidence.
• A lack of technical knowledge on the part of the investigating officer might not yield the
desired result.
The need for computer forensics
Computer forensics is crucial for several reasons, and its significance continues to grow as
technology plays an increasingly central role in our personal and professional lives. Here are
some key reasons highlighting the need for computer forensics:
• Digital Evidence in Legal Investigations: Digital devices are often involved in criminal
activities, such as cybercrime, fraud, intellectual property theft, and more. Computer
forensics helps law enforcement and legal professionals collect, analyze, and present
digital evidence in a court of law.
• Cybercrime Investigations: With the rise of cybercrime, including hacking, data
breaches, and online fraud, computer forensics is essential for identifying perpetrators,
understanding attack vectors, and securing evidence to prosecute cybercriminals.
• Data Breach Response: Organizations that experience data breaches need to conduct
thorough investigations to determine the extent of the breach, identify the
compromised data, and understand how the breach occurred. Computer forensics helps
in this process, enabling organizations to improve their cybersecurity measures.
• Employee Misconduct and Insider Threats: Computer forensics is employed to
investigate cases of employee misconduct, such as unauthorized access, data theft, or
policy violations. It helps organizations uncover evidence of insider threats and take
appropriate action.
• Intellectual Property Theft: Companies often face challenges related to the theft of
intellectual property, trade secrets, and proprietary information. Computer forensics
assists in identifying the perpetrators and gathering evidence for legal action.
• Fraud Investigations: Financial fraud, including online scams, identity theft, and
embezzlement, can be effectively investigated using computer forensics. This involves
analyzing digital transactions, communications, and other electronic evidence.
• Incident Response: In the aftermath of a security incident, whether it's a malware
infection, ransomware attack, or any other cybersecurity incident, computer forensics
plays a crucial role in understanding the scope of the incident, mitigating further
damage, and implementing preventive measures.
• Electronic Discovery (eDiscovery): In legal proceedings, parties may request the
discovery of electronic evidence relevant to a case. Computer forensics helps in the
identification, preservation, and retrieval of this digital evidence, ensuring compliance
with legal requirements.
• Regulatory Compliance: Various industries are subject to regulations regarding data
protection and privacy. Computer forensics assists organizations in complying with these
regulations by helping them investigate and report security incidents.
• Protection of Digital Assets: Computer forensics helps organizations protect their digital
assets by identifying vulnerabilities, improving security measures, and responding
effectively to incidents. This proactive approach is crucial in an ever-evolving threat
landscape.
In summary, computer forensics is essential for uncovering and analyzing digital evidence,
whether in the context of criminal investigations, legal proceedings, or cybersecurity incidents. It
plays a pivotal role in maintaining the integrity of digital systems and ensuring justice in the
digital age.
Digital evidence
Digital evidence refers to any information or data that is stored or transmitted in digital form
and is relevant to an investigation or legal proceeding. This type of evidence plays a crucial role
in various fields, including criminal investigations, civil litigation, cybersecurity incidents, and
regulatory compliance. Digital evidence can be found on computers, servers, mobile devices,
networks, and other electronic storage media. Here are some common examples of digital
evidence:
1. Emails and Communication Logs: Digital evidence often includes email communications,
instant messaging logs, and other electronic conversations. These can be crucial in cases
involving cyber threats, harassment, or business disputes.
2. Files and Documents: Documents, spreadsheets, presentations, and other digital files
can serve as evidence in legal proceedings. Digital forensics can analyze file metadata,
timestamps, and content to establish the authenticity and relevance of documents.
3. System Logs and Event Data: Operating system logs, application logs, and event data
provide a timeline of activities on a computer or network. This information is valuable
for reconstructing events and understanding the sequence of actions taken.
4. Internet Browsing History: Web browser histories and cache data can be examined to
determine websites visited, online searches conducted, and online activities. This type of
evidence is relevant in cases involving online threats or criminal behavior.
5. Social Media Content: Social media posts, messages, and interactions can be collected
as digital evidence. This is particularly important in cases of cyberbullying, defamation,
or when establishing an individual's online presence.
6. Digital Images and Videos: Photos and videos captured by digital devices can be used as
evidence in various contexts, such as surveillance footage, crime scene documentation,
or incidents captured on mobile devices.
7. Network Traffic and Packet Captures: In cybersecurity investigations, capturing and
analyzing network traffic can provide insights into unauthorized access, data exfiltration,
or other malicious activities.
8. Metadata: Metadata includes information about other data, such as the creation date,
author, and modification history of a file. Analyzing metadata is essential for verifying
the integrity and authenticity of digital evidence.
9. Database Records: Information stored in databases, such as customer records, financial
transactions, or employee data, can be crucial in investigations related to fraud,
embezzlement, or data breaches.
10. GPS and Location Data: Mobile devices often store location data, providing information
about the movements of individuals. This can be relevant in criminal investigations or
cases involving disputes over location-specific events.
Digital evidence is subject to the same legal standards as traditional forms of evidence.
Admissibility in court depends on the proper handling, preservation, and presentation of this
evidence, often through the expertise of digital forensics professionals. It is essential to follow
established protocols to ensure the integrity and reliability of digital evidence in legal
proceedings.
User Actor Type Roles and Responsibilities
• Author – Responsible for creating the message, its contents, and its list of Recipient
addresses. The MHS transfers the message from the Author and delivers it to the Recipients.
The MHS has an Originator role that correlates with the Author role.
• Return Handler – A special form of Recipient that provides notifications (failures or
completions) generated by the MHS as it transfers or delivers the message. It is also called
Bounce Handler.
All types of Mediator user actors set HELO/EHLO, ENVID, RcptTo and Received fields. Alias actors
also typically change To/CC/BCC and MailFrom fields. Identities relevant to ReSender are: From,
Reply-To, Sender, To/CC/BCC, Resent-From, Resent-Sender, Resent-To/CC/BCC and MailFrom
fields. Identities relevant to Mailing List processor are: List-Id, List-*, From, Reply-To, Sender,
To/CC and MailFrom fields. Identities relevant to Gateways are: From, Reply-To, Sender,
To/CC/BCC and MailFrom fields.
Message Handling Service (MHS) Actors are responsible for end-to-end transfer of messages.
These Actors can generate, modify or look at only transfer data in the message. MHS Actors can
be of the following four types.
• Originator – Ensures that a message is valid for posting and then submits it to a Relay. It
is responsible for the functions of the Mail Submission Agent. It also performs any
post-submission tasks that pertain to sending error and delivery notices. The Author creates
the message, but the Originator handles any transmission issues with it.
• Gateway – Connects heterogeneous mail services despite differences in their syntax and
semantics. It can send a useful message to a Recipient on the other side, without requiring
changes to any components in the Author's or Recipient's mail services.
A mail message from Author to Receiver that traverses aMUA, aMSA, hMSA, MTA (outbound),
MTA (inbound), hMDA, rMDA, rMailServ and rMUA is considered good mail by the Sender Policy
Forum (SPF). Mail flowing through other paths is either fully or partially non-SMTP based, or
uses non-standard transfer modes, and is often suspected of carrying viruses and spam.
Delivery Status Notification (DSN) messages are generated by some components of the MHS
(MSA, MTA, or MDA); they provide information about transfer errors or successful deliveries
and are sent to the MailFrom address. Message Disposition Notification (MDN) messages are
generated by the rMUA; they provide information about post-delivery processing and are sent
to the Disposition-Notification-To address. Out Of Office (OOO) messages are sent by the rMDA
to the return address.
Email Forensics
E-mail forensics refers to the study of the source and content of e-mail as evidence, in order
to identify the actual sender and recipient of a message, the date/time of transmission, a
detailed record of the e-mail transaction, the intent of the sender, etc. This study involves
investigation of metadata, keyword searching, port scanning, etc. for authorship attribution
and identification of e-mail scams.
The various approaches used for e-mail forensics are:
• Header Analysis – Meta data in the e-mail message in the form of control information
i.e. envelope and headers including headers in the message body contain information
about the sender and/or the path along which the message has traversed. Some of
these may be spoofed to conceal the identity of the sender. A detailed analysis of these
headers and their correlation is performed in header analysis.
• Bait Tactics – In a bait-tactic investigation, an e-mail with an HTTP "<img src>" tag, whose
image source is on a computer monitored by the investigators, is sent to the sender of the
e-mail under investigation, who is using a real (genuine) e-mail address. When the e-mail is
opened, a log entry containing the IP address of the recipient (the sender of the e-mail
under investigation) is recorded on the HTTP server hosting the image, and thus the sender
is tracked. However, if the recipient (the sender of the e-mail under investigation) is using
a proxy server, then the IP address of the proxy server is recorded. The log on the proxy
server can be used to track the sender of the e-mail under investigation. If the proxy
server's log is unavailable for some reason, then investigators may send the tactic e-mail
containing a) an embedded Java applet that runs on the receiver's computer or b) an HTML
page with an ActiveX object, both aiming to extract the IP address of the receiver's computer
and e-mail it to the investigators.
• Server Investigation – In this investigation, copies of delivered e-mails and server logs
are examined to identify the source of an e-mail message. E-mails purged from the clients
(senders or receivers), whose recovery is impossible, may be requested from servers (proxy
or ISP), as most of them store a copy of all e-mails after delivery. Further, logs maintained
by servers can be studied to trace the address of the computer responsible for making the
e-mail transaction. However, servers store the copies of e-mail and server logs only for a
limited period, and some may not co-operate with the investigators. Further, SMTP servers
which store data such as credit card numbers and other data pertaining to the owner of a
mailbox can be used to identify the person behind an e-mail address.
• Network Device Investigation – In this form of e-mail investigation, logs maintained by
network devices such as routers, firewalls and switches are used to investigate the source
of an e-mail message. This form of investigation is complex and is used only when the logs
of servers (proxy or ISP) are unavailable for some reason, e.g. when the ISP or proxy does
not maintain a log, there is a lack of co-operation by ISPs, or the chain of evidence was not
maintained.
• Software Embedded Identifiers – Some information about the creator of the e-mail,
attached files or documents may be included with the message by the e-mail software the
sender used for composing the e-mail. This information may be included in the form of
custom headers or in the form of MIME content as Transport Neutral Encapsulation Format
(TNEF). Investigating the e-mail for these details may reveal some vital information about
the sender's e-mail preferences and options that could help client-side evidence gathering.
The investigation can reveal PST file names, the Windows logon username, the MAC address,
etc. of the client computer used to send the e-mail message.
• Sender Mailer Fingerprints – The software handling e-mail at the server can be identified
from the Received header field, and the software handling e-mail at the client can be
ascertained from a different set of headers such as "X-Mailer" or its equivalent. These
headers describe the applications and their versions used at the clients to send e-mail.
This information about the sender's client computer can be used to help investigators
devise an effective plan and thus prove to be very useful.
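The header analysis and sender mailer fingerprint approaches above, as an added example that is not part of these notes: the script parses the Received chain with Python's standard email module, reports the origin hop (the bottom Received header, since each relay prepends its own), checks that the relay chain is internally consistent, compares the displayed From domain with the envelope Return-Path domain, and reads the X-Mailer fingerprint. The raw message is constructed from documentation IP ranges and .test domains; the function names are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed message: documentation IP ranges (RFC 5737) and .test domains only.
RAW_MESSAGE = b"""Return-Path: <bounce@mailer-example.test>
Received: from mx-in.example.test (mx-in.example.test [198.51.100.7])
        by mail.example.test with ESMTP id abc123
        for <victim@example.test>; Tue, 5 Mar 2024 10:15:02 +0000
Received: from relay.mailer-example.test (relay.mailer-example.test [203.0.113.9])
        by mx-in.example.test with ESMTPS id def456
        for <victim@example.test>; Tue, 5 Mar 2024 10:15:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
        by relay.mailer-example.test with ESMTPA id ghi789;
        Tue, 5 Mar 2024 10:14:58 +0000
From: "Example Bank" <alerts@examplebank.test>
To: victim@example.test
Subject: Account notice
Message-ID: <1234@mailer-example.test>
X-Mailer: ConstructedMailer 1.0

Please verify your account.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load_message(raw=RAW_MESSAGE):
    """Parse raw RFC 5322 bytes into a message object."""
    return message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """One dict per Received header, in header order (top = nearest the recipient)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_ip = IPV4_IN_BRACKETS.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def origin_ip(msg):
    """IP recorded in the bottom Received header: the first relay the message touched.

    Only the headers added by servers you trust are reliable; anything below
    them could have been written by the sender, so treat this as a lead, not proof.
    """
    hops = received_hops(msg)
    return hops[-1]["ip"] if hops else None


def chain_is_consistent(hops):
    """Each hop's 'by' host should reappear as the 'from' host of the hop above it."""
    for lower, upper in zip(hops[1:], hops):
        if lower["by"] != upper["from"]:
            return False
    return True


def sender_domain_mismatch(msg):
    """True when the displayed From domain differs from the envelope Return-Path domain."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    return bool(from_dom and rp_dom) and from_dom != rp_dom


def mailer_fingerprint(msg):
    """Client software as declared in X-Mailer, or None if absent."""
    return str(msg.get("X-Mailer", "")) or None


if __name__ == "__main__":
    message = load_message()
    for hop in received_hops(message):
        print(hop)
    print("origin IP:", origin_ip(message))
    print("relay chain consistent:", chain_is_consistent(received_hops(message)))
    print("From/Return-Path domain mismatch:", sender_domain_mismatch(message))
    print("X-Mailer:", mailer_fingerprint(message))
```

For the constructed message the origin hop is 192.0.2.55, the relay chain is consistent, and the From domain (examplebank.test) does not match the Return-Path domain (mailer-example.test), which is the kind of correlation between headers that header analysis is meant to surface before any conclusion about the sender is drawn.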
Email Forensics Tools
Erasing or deleting an email doesn’t necessarily mean that it is gone forever. Often emails can
be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional
detective work. It is used for retrieving information from mailbox files.
• MiTec Mail Viewer – This is a viewer for Outlook Express, Windows Mail/Windows Live
Mail, Mozilla Thunderbird message databases, and single EML files. It displays a list of the
contained messages with all needed properties, like an ordinary e-mail client. Messages
can be viewed in a detailed view, including attachments and an HTML preview. It has
powerful searching and filtering capability and also allows extracting the email addresses
from all emails in the opened folder into a list with one click. Selected messages can be
saved to EML files with or without their attachments. Attachments can be extracted from
selected messages with one command.
• OST and PST Viewer – Nucleus Technologies’ OST and PST viewer tools help you view
OST and PST files easily without connecting to an MS Exchange server. These tools allow
the user to scan OST and PST files and they display the data saved in it including email
messages, contacts, calendars, notes, etc., in a proper folder structure.
• eMailTrackerPro – eMailTrackerPro analyses the headers of an e-mail to detect the IP
address of the machine that sent the message so that the sender can be tracked down.
It can trace multiple e-mails at the same time and easily keep track of them. The
geographical location of an IP address is key information for determining the threat level
or validity of an e-mail message.
• EmailTracer – EmailTracer is an Indian effort in cyber forensics by the Resource Centre
for Cyber Forensics (RCCF) which is a premier centre for cyber forensics in India. It
develops cyber forensic tools based on the requirements of law enforcement agencies.
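The header analysis that the tools above perform (walking the Received chain back to the originating IP, and reading the client fingerprint from X-Mailer and Message-ID) is shown below in Python. This is an added example, not code from the page or from any of the products named; the two messages are constructed for the example, and all hostnames and addresses are documentation values. It also shows the caveat from the fingerprint discussion: the walk stops where a Received line no longer hands off from the line above it, because everything below that point could have been written by the sender.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample, not a real capture. Header order is newest first: the
# recipient's MTA (mail.example.org) added the top line, the sender's provider
# (mx2.example.net) the one below it.
SAMPLE_MSG = b"""Received: from mx2.example.net (mx2.example.net [203.0.113.10])
\tby mail.example.org with ESMTPS id abc123;
\tTue, 5 Mar 2024 10:02:11 +0000
Received: from sender-pc (unknown [198.51.100.23])
\tby mx2.example.net with ESMTPA id xyz789;
\tTue, 5 Mar 2024 10:02:09 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Quarterly report
Message-ID: <20240305100209.123@sender-pc>
X-Mailer: Microsoft Outlook 16.0
MIME-Version: 1.0
Content-Type: text/plain

Please see the attached report.
"""

# Same message, but the sender prepended a bogus Received line (constructed).
# mx2 says it received the mail from sender-pc, yet the line below claims
# relay.example.invalid handled it, so the handoff does not line up.
FORGED_MSG = SAMPLE_MSG.replace(
    b"From: Alice",
    b"Received: from innocent.example.com (innocent.example.com [192.0.2.77])\n"
    b"\tby relay.example.invalid with SMTP id fake1;\n"
    b"\tTue, 5 Mar 2024 09:59:00 +0000\nFrom: Alice",
)

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_message(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg):
    """Received hops in transit order (earliest first). Each hop records the
    'from' host, the 'by' host, the bracketed IP and the date after the ';'."""
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value)).strip()
        frm, by, ip = _FROM.search(text), _BY.search(text), _IP.search(text)
        hops.append({
            "from_host": frm.group(1).lower() if frm else None,
            "by_host": by.group(1).lower() if by else None,
            "ip": ip.group(1) if ip else None,
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    hops.reverse()
    return hops


def earliest_trusted_hop(hops):
    """Walk back from the newest hop (added by the recipient's own MTA, hence
    the most trustworthy) and stop where 'from' no longer matches the previous
    hop's 'by'. Hops below that point cannot be relied on."""
    if not hops:
        return None
    i = len(hops) - 1
    while i > 0 and hops[i]["from_host"] == hops[i - 1]["by_host"]:
        i -= 1
    return hops[i]


def originating_ip(msg):
    hop = earliest_trusted_hop(received_hops(msg))
    return hop["ip"] if hop else None


def client_fingerprint(msg):
    """Client-side artefacts: the mailer banner and the host name the sending
    client put on the right-hand side of the Message-ID."""
    mid = str(msg.get("Message-ID", ""))
    host = mid.strip("<>").rsplit("@", 1)[-1] if "@" in mid else None
    return {
        "x_mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id_host": host,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_MSG, FORGED_MSG):
        m = parse_message(raw)
        print(originating_ip(m), client_fingerprint(m))
```

Both messages resolve to 198.51.100.23 because the forged line fails the handoff check; a sender who forges the line carefully (claiming "by sender-pc") would pass it, which is why the IP found this way is treated as a lead to be confirmed with the provider's logs, not as proof.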
Exchange Analysis
Every Exchange forensic analysis should start on the Exchange system itself. If the required
information is not available on Exchange, then a deeper analysis at the client side is typically
performed.
To preserve e-mail from a live Microsoft Exchange server, forensic investigators typically take
one of several different approaches, depending on the characteristics of the misuse being
investigated. Those approaches might include:
• Exporting a copy of a mailbox from the server using the Microsoft Outlook e-mail client,
the Exchange Management Shell or a specialized 3rd-party tool;
• Obtaining a backup copy of the entire Exchange Server database from a properly created
full backup of the server;
• Temporarily bringing the Exchange database(s) offline to create a copy;
• Using specialised software such as F-Response or EnCase Enterprise to access a live
Exchange server over the network and copying either individual mailboxes or an entire
Exchange database file.
The most complete collection from an Exchange server is a copy of the mailbox database
files (the .edb files). Its main advantage is that the process preserves and collects all
e-mail in the store for every user with an account on the server, so if it later becomes
apparent that further users should be added to the investigation, their mailboxes have
already been preserved and collected.
Traditionally, the collection of these files from live servers would require shutting down e-mail
server services for a period of time because files that are open for access by Exchange cannot
typically be copied from the server. This temporary shutdown can have a negative impact on the
company and the productivity of its employees. In some cases, a process like this is scheduled to
be done out of hours or over a weekend to further minimize impact on the company.
Some 3rd-party software utilities can also be used to access the live Exchange server over the
network and to preserve copies of the files comprising the information store.
Another approach to collecting mailbox database files is to collect a recent full backup of
Exchange, if there is one. Once these files are preserved and collected, there are a number of
3rd-party utilities on the market today that can extract mailboxes from them, such as Kernel
Exchange EDB Viewer or Kernel EDB to PST.
A different approach that is becoming more and more important is to use the features of
Exchange itself to perform the investigation. Exchange has features such as audit logs
and In-Place Hold that, amongst other purposes, help investigate misuse by keeping data
intact and maintaining a detailed log of actions performed in the messaging system.
Auditing Mailbox Access
In every organization there are mailboxes with sensitive information. These might be the
mailboxes of the CEO, of directors, of users in the HR or Payroll departments, or simply
mailboxes on which administrators have to perform discovery actions to demonstrate
compliance with regulatory or legal requirements. Although administrators are normally
not concerned with the content of users' mailboxes, a less honest one might attempt to
access someone's mailbox in order to obtain information of value for their own benefit.
Versions of Exchange prior to Exchange 2010 did not provide a full range of compliance
capabilities: Managed Folders or Journaling were simply not enough to perform basic
audits or to be fully compliant with legislation such as the Sarbanes-Oxley Act in the
United States.
Exchange 2010 Service Pack 1 introduced a feature known as Auditing Mailbox Access
(mailbox audit logging), which lets administrators record operations on a mailbox such as
deleting, moving or copying messages, together with which owner, delegate or administrator
logon performed them. Auditing is enabled per mailbox (Set-Mailbox -AuditEnabled $true)
along with the level of detail to capture for each logon type; audit entries are then
stored in the Audits subfolder of the mailbox's Recoverable Items folder and can be
queried with Search-MailboxAuditLog in the Exchange Management Shell or from the GUI (the
Exchange Control Panel in Exchange 2010, the Exchange Admin Center in later versions).
Entries are kept only for the mailbox's audit log age limit (90 days by default), so
export them early in an investigation rather than relying on them still being there.
Outlook Analysis
Although nowadays a great part of an investigation is done at the Exchange server level, there
might be situations where a forensics investigator needs to analyze e-mail clients in order to
collect evidence.
E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive
e-mails, manage newsgroups and organize helpful information in contacts and calendars.
Outlook is probably the most common e-mail client in any organization. It is part of the
Microsoft Office suite and provides a platform for e-mail management. The primary data file
types associated with Outlook are personal data file (.PST) and offline data file (.OST) files.
These PST and OST files contain a user's e-mail, calendar, contacts and other data that
allows Outlook to function for the user. There is a wide variety of ways for an
investigator to get at the data within a PST or OST file. Perhaps the easiest is to add
the PST file to Outlook on a forensic workstation; once it is opened, the investigator can
browse the user's mail and other Outlook items as if they were the user. Do this with a
working copy whose hash has been recorded, never with the original, because Outlook
writes to a PST when it opens it. If the PST is password protected this is more of a
challenge, but numerous tools are available for recovering PST passwords. Apart from
Outlook itself, virtually any forensic suite processes Outlook data files for viewing and
searching by the investigator.
Furthermore, an advantage of using a forensic suite to parse e-mail is that many of them
can recover deleted items from the unallocated space within the PST or OST file. Outlook
data files have their own internal structure, similar to a file system, complete with
unallocated space in which investigators can find snippets of deleted conversations and
even entire messages. Note that a plain string search over the raw file usually finds
nothing, because Outlook stores PST and OST contents with a simple byte-substitution
encoding ("compressible encryption") by default; forensic tools decode the file before
carving it.
It is also very important to understand two different methods of operation in Outlook: online
and cached mode. When Outlook is configured to use Cached Exchange Mode, Outlook works
from a local copy of a user’s Exchange mailbox that is stored in an OST file on the user’s
computer. The cached mailbox is updated periodically from Exchange. Cached Exchange Mode
was introduced in Outlook 2003 to provide users a better online and offline experience as
cached mode lets users move between connected and disconnected environments without
interrupting their experience in Outlook. Also, it protects users from network latency and
connectivity issues while they are using Outlook.
In contrast, Online Mode works by using information directly from the Exchange server. When
new information is required in Outlook, a request is made to the server and the information is
displayed. Mailbox data is only cached in memory and never written to disk. Therefore, if the
user experiences any network issues that prevent the connection to Exchange, it becomes
impossible to access any mailbox data.
Digital Forensics
Digital Forensics is a branch of forensic science concerned with the identification,
collection, analysis and reporting of digital information found on digital devices in
connection with computer crimes, as part of an investigation. In simple words, Digital
Forensics is the process of identifying, preserving, analyzing and presenting digital
evidence. The first computer crimes were recognised in law by the Florida Computer Crimes
Act of 1978, after which the field of digital forensics grew rapidly through the late
1980s and 1990s. Its areas of analysis include storage media, hardware, operating systems,
networks and applications. At a high level it consists of 5 steps:
1. Identification of evidence: Identifying evidence related to the digital crime in
storage media, hardware, operating systems, networks and/or applications. It is the most
basic and most important step.
2. Collection: Preserving the digital evidence identified in the first step so that it
does not degrade or vanish with time. Preserving the evidence is crucial: the original is
hashed and imaged, and all analysis is performed on the copy.
3. Analysis: Analyzing the collected digital evidence of the committed computer crime in
order to trace the criminal and the path used to breach the system.
4. Documentation: Properly documenting the whole digital investigation, the evidence and
the loopholes of the attacked system, so that the case can be studied and analysed later
and presented in court in a proper format.
5. Presentation: Presenting all the digital evidence and documentation in court in order
to prove the digital crime committed and identify the criminal.
Branches of Digital Forensics:
• Media forensics: The branch of digital forensics concerned with the identification,
collection, analysis and presentation of audio, video and image evidence during the
investigation process.
• Cyber forensics: The branch of digital forensics concerned with the identification,
collection, analysis and presentation of digital evidence during the investigation of a
cybercrime.
• Mobile forensics: The branch of digital forensics concerned with the identification,
collection, analysis and presentation of digital evidence during the investigation of a
crime committed through a mobile device such as a mobile phone, GPS device, tablet or
laptop.
• Software forensics: The branch of digital forensics concerned with the identification,
collection, analysis and presentation of digital evidence during the investigation of
crimes involving software only.
Reporting
After the analysis is done, a report is generated. The report may be oral, written or
both. It contains all the details of the analysis, interpretation and attribution of the
evidence, and on the basis of its findings it should be possible to confirm or discard the
allegations. Some of the general elements of the report are:
• Identity of the report agency
• Case identifier or submission number
• Case investigator
• Identity of the submitter
• Date of receipt
• Date of report
• Descriptive list of items submitted for examination
• Identity and signature of the examiner
• Brief description of steps taken during examination
• Results / conclusions
Testifying
This phase involves the presentation and cross-examination of expert witnesses. Expert
testimony is generally admitted only when:
• the testimony is based on sufficient facts or data,
• the testimony is the product of reliable principles and methods, and
• the witness has applied those principles and methods reliably to the facts of the case.
Experts with inadequate knowledge are sometimes chastised by the court. The precautions
to be taken when collecting digital evidence (the ACPO principles for digital evidence)
are:
• No action taken by law enforcement agencies or their agents should change the
evidence.
• Where a person finds it necessary to access original data held on a computer, that
person must be competent to do so and able to explain the relevance and implications of
their actions.
• An audit trail or other record of all processes applied to the digital evidence should
be created and preserved, so that an independent third party can examine those processes
and reach the same result.
• The person in charge of the investigation has overall responsibility for ensuring that
the law and these principles are adhered to.
Chain of Custody
A chain of custody is the process of validating how evidence has been gathered, tracked
and protected on its way to the court of law. Forensic professionals know that without a
chain of custody the evidence is worthless.
The chain of custody is a chronological written record of the individuals who have had
custody of the evidence from its initial acquisition to its final disposition. It begins
when evidence is collected and is maintained until the evidence is disposed of. The chain
of custody assumes continuous accountability, so every hand-over records who, when, why
and in what condition, usually confirmed by a cryptographic hash of the item.
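The Collection step above, the audit-trail precaution, and the chain of custody come together in a small acquisition record. The Python below, an added example that is not part of the original text and not any particular forensic suite's format, hashes the evidence, records acquisition details, and appends each hand-over as an entry that carries the hash of the record before it, so a later edit to any entry or to the evidence itself shows up on verification. The item identifiers, names and timestamps are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so images larger than memory can still be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _record_hash(record: dict) -> str:
    """Hash a record in canonical JSON so re-serialising gives the same value."""
    return hash_bytes(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())


def new_manifest(item_id, digest, collector, acquired, description=""):
    """Acquisition record: what was collected, by whom, when, and its digest."""
    return {"item_id": item_id, "sha256": digest, "collector": collector,
            "acquired": acquired, "description": description, "custody": []}


def _head(manifest):
    return {k: v for k, v in manifest.items() if k != "custody"}


def add_custody_entry(manifest, who, action, when):
    """Append a hand-over. Each entry carries the hash of the record before it,
    which is the acquisition record for the first entry."""
    chain = manifest["custody"]
    prev = _record_hash(chain[-1]) if chain else _record_hash(_head(manifest))
    entry = {"seq": len(chain) + 1, "when": when, "who": who, "action": action, "prev": prev}
    chain.append(entry)
    return entry


def verify_manifest(manifest, current_digest):
    """Return a list of problems; an empty list means the evidence and its
    custody record check out."""
    errors = []
    if current_digest != manifest["sha256"]:
        errors.append("evidence digest mismatch")
    expected_prev = _record_hash(_head(manifest))
    for i, entry in enumerate(manifest["custody"], start=1):
        if entry["seq"] != i:
            errors.append(f"custody entry {i} has sequence number {entry['seq']}")
        if entry["prev"] != expected_prev:
            errors.append(f"custody entry {i} does not chain to the record before it")
        expected_prev = _record_hash(entry)
    return errors


if __name__ == "__main__":
    # Constructed evidence file standing in for a PST export or disk image.
    fd, path = tempfile.mkstemp(suffix=".pst")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed evidence contents")
    m = new_manifest("EV-2024-001", hash_file(path), "A. Examiner",
                     "2024-03-05T10:00:00Z", "Outlook PST export")
    add_custody_entry(m, "A. Examiner", "sealed in evidence bag #12", "2024-03-05T10:05:00Z")
    add_custody_entry(m, "B. Analyst", "received for analysis", "2024-03-06T09:00:00Z")
    print(json.dumps(m, indent=2))
    print("problems:", verify_manifest(m, hash_file(path)))
    os.remove(path)
```

The manifest is deliberately plain JSON so it can be printed, signed and filed with the physical paperwork; the hash chain does not replace signatures or witness initials, it only makes silent edits to the record detectable.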
Network forensics
Network forensics is a subcategory of digital forensics that deals with the examination
of a network and the traffic crossing it when that network is suspected of being involved
in malicious activity, for example one spreading malware that steals credentials, and with
the analysis of cyber-attacks. As the internet grew, cybercrime grew with it, and so did
the significance of network forensics, alongside the development and acceptance of
network-based services such as the World Wide Web, e-mail and others.
With network forensics the captured data, including messages, file transfers, e-mails and
web browsing history, can be retrieved and reconstructed to expose the original
transaction. The payload carried in the top-layer packets may well end up on a disk
somewhere, but the envelopes used to deliver it exist only in the network traffic; hence
the protocol data enclosing each dialogue is often very valuable, and it is only available
if it was captured at the time.
To identify attacks, investigators must understand the network protocols and applications
involved: web protocols, e-mail protocols, file transfer protocols and so on.
Investigators use network forensics to examine traffic data gathered from networks that
are involved, or suspected of being involved, in cyber-crime or any type of cyber-attack.
They then look for data pointing to file manipulation, human communication and so on.
With network forensics, investigators and cybercrime experts can generally track down all
the communications and establish timelines based on the timestamps in network event logs.
Processes Involved in Network Forensics:
• Identification: Investigators identify and evaluate the incident based on the network
indicators.
• Safeguarding: Investigators preserve and secure the data so that tampering is
prevented.
• Accumulation: A detailed report of the crime scene is documented and all the collected
digital evidence is duplicated.
• Observation: All visible data is tracked along with its metadata.
• Investigation: A final conclusion is drawn from the collected evidence.
• Documentation: All the evidence, reports and conclusions are documented and presented
in court.
Challenges in Network Forensics:
• The biggest challenge is managing the volume of data generated during the process.
• The intrinsic anonymity of an IP address, which identifies a network interface, not a
person.
• Address spoofing.
Advantages:
• Network forensics helps in identifying security threats and vulnerabilities.
• It analyses and monitors network performance demands.
• Network forensics helps in reducing downtime.
• Network resources can be used better through reporting and planning.
• It supports a detailed search of the network for any trace of evidence left on it.
Disadvantage:
• The main disadvantage of network forensics is that it is difficult to implement: full
packet capture needs capture points in the right places, a great deal of storage, and
analysts who can read the protocols.
Network forensics involves the analysis of network traffic, logs, and other data to investigate
security incidents, identify the source of attacks, and gather evidence for legal proceedings.
While network forensics is a powerful tool, it comes with its own set of challenges. Here are
some common challenges faced in network forensics:
Encrypted Traffic: The increasing use of encryption in network communications hinders the
ability to inspect and analyze the content of network traffic and limits visibility into
malicious activity. What remains observable (endpoints, timing, volumes, DNS lookups and
the server name in the TLS handshake) is still useful, and content can only be recovered
where keys are lawfully available or an inspecting proxy is in place.
Volume of Data: Networks generate vast amounts of data, and sifting through this volume to
identify relevant information can be overwhelming. Analyzing and storing large datasets
efficiently is a constant challenge in network forensics.
Packet Loss: In large and complex networks, packet loss can occur due to network congestion or
other issues. Packet loss can impact the completeness of the captured data and hinder the
reconstruction of events.
Timeliness: Timely detection and response to security incidents are critical. Network forensics
requires quick analysis to identify and mitigate threats. Delays in investigation may result in the
loss of valuable evidence.
Diversity of Devices and Protocols: Networks comprise diverse devices, each with its own
protocols and communication methods. Analyzing data from different devices and protocols
requires a deep understanding of various technologies.
Data Fragmentation: Network data may be fragmented across multiple sources and devices.
Reassembling fragmented data to reconstruct a coherent picture of events can be challenging,
especially when dealing with distributed or decentralized attacks.
Incident Attribution: Determining the true source of a network attack or security incident is
complex. Attackers often use techniques to hide their identity, making it challenging to attribute
malicious activities accurately.
False Positives and Negatives: Network security tools may generate false positives (indicating
an incident that did not occur) or false negatives (missing actual incidents). Distinguishing
between real threats and false alarms requires careful analysis.
Legal and Privacy Concerns: Network forensics involves handling sensitive information, and
investigators must navigate legal and privacy considerations. Ensuring compliance with
regulations and obtaining necessary permissions can be challenging.
Dynamic Network Environments: Networks are dynamic, with devices joining or leaving, and
configurations changing. Adapting to these changes and maintaining an accurate picture of the
network's state during an investigation can be challenging.
Skill Requirements: Effective network forensics requires specialized skills and knowledge.
Cybersecurity professionals must stay updated on evolving technologies, attack vectors, and
forensic tools to conduct thorough investigations.
Resource Constraints: Limited resources, both in terms of personnel and technology, can
constrain the effectiveness of network forensic investigations. Organizations may face
challenges in acquiring and maintaining the necessary tools and expertise.
Addressing these challenges requires a combination of advanced technology, skilled
professionals, and proactive strategies. Organizations must invest in training, stay informed
about emerging threats, and continuously improve their network forensic capabilities to
effectively respond to security incidents.
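The reconstruction described earlier (the payload may end up on disk, but the envelopes exist only in the traffic), together with the Packet Loss and Data Fragmentation challenges above, is easiest to understand by doing it. The Python below is an added example, not part of the original text or of any named tool: it writes a small pcap file from constructed frames (documentation addresses, a made-up HTTP request), parses it back with only the standard library, and reassembles each TCP flow by sequence number, dropping a retransmitted duplicate, tolerating out-of-order arrival, and reporting a gap where a segment was never captured instead of silently joining the pieces.

```python
import struct

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"   # documentation addresses, constructed


def _ip(addr):
    return bytes(int(part) for part in addr.split("."))


def frame(src, dst, sport, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left at zero; the parser
    below does not verify them, since a capture tool records them as seen."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                       _ip(src), _ip(dst)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ipv4


def build_pcap(frames, t0=1709632931):
    """Classic little-endian pcap with Ethernet link type and microsecond timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out


def build_capture():
    """Constructed capture: the client's HTTP request arrives as three segments,
    out of order and with one retransmitted; the server's reply lost its middle
    segment, as if the capture point dropped it."""
    a, b, c = b"GET /login?user=admin ", b"HTTP/1.1\r\nHost: shop.example\r\n", b"\r\n"
    r1, r2, r3 = b"HTTP/1.1 200 OK\r\n", b"Content-Length: 7\r\n\r\n", b"welcome"
    req = lambda seq, p: frame(CLIENT, SERVER, 40000, 80, seq, p)
    rsp = lambda seq, p: frame(SERVER, CLIENT, 80, 40000, seq, p)
    return build_pcap([
        req(1000, a),
        req(1000 + len(a) + len(b), c),     # arrives before b
        req(1000 + len(a), b),
        req(1000 + len(a), b),              # retransmission (duplicate)
        rsp(5000, r1),
        rsp(5000 + len(r1) + len(r2), r3),  # r2 was never captured
    ])


def parse_pcap(data):
    """Yield TCP segments from a classic (non-pcapng) little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:   # not IPv4
            continue
        ip = pkt[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        if proto != 6:                                        # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq, _ack, doff_flags = struct.unpack_from("!HHIIH", tcp)
        yield {
            "ts": ts_sec + ts_usec / 1e6,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq,
            "payload": tcp[(doff_flags >> 12) * 4:],
        }


def reassemble(segments):
    """Group segments by flow and order them by sequence number. Duplicates are
    dropped, overlaps trimmed, and a gap recorded rather than silently closed."""
    flows = {}
    for s in segments:
        if s["payload"]:
            key = (s["src"], s["sport"], s["dst"], s["dport"])
            flows.setdefault(key, {}).setdefault(s["seq"], s["payload"])
    result = {}
    for key, segs in flows.items():
        data, gaps, nxt = b"", [], None
        for seq in sorted(segs):
            chunk = segs[seq]
            if nxt is not None and seq < nxt:           # overlaps data already placed
                chunk, start = chunk[nxt - seq:], nxt
            else:
                if nxt is not None and seq > nxt:
                    gaps.append((nxt, seq - nxt))       # (expected seq, bytes missing)
                start = seq
            data += chunk
            nxt = start + len(chunk)
        result[key] = {"data": data, "gaps": gaps}
    return result


if __name__ == "__main__":
    for flow, info in reassemble(parse_pcap(build_capture())).items():
        print(flow, info["gaps"], info["data"])
```

The client flow comes out as the complete request even though its segments arrived out of order and one was repeated; the server flow is reported with a 21-byte gap at sequence 5017, which is the analyst's cue that the capture, not the attacker, is responsible for the missing headers.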
Cyber Law
Cyber Law, also called IT Law, is the law regarding information technology, including
computers and the internet. It is related to legal informatics and governs the digital
circulation of information, software, information security and e-commerce.
IT law is not a separate area of law; rather it encloses aspects of contract, intellectual
property, privacy and data protection law. Intellectual property is a key element of IT
law. The area of software licensing is controversial and still evolving in Europe and
elsewhere.
Cyber laws, also known as cybersecurity laws or internet laws, encompass a set of legal
regulations and guidelines that govern the use of the internet, digital technology, and
cyberspace. These laws are designed to address various aspects of online activities, data
protection, electronic transactions, and the prevention and prosecution of cybercrimes.
According to the Ministry of Electronics and Information Technology, Government of India:
cyber laws give legal recognition to electronic documents and a structure to support
e-filing and e-commerce transactions, and also provide a legal structure to reduce and
check cybercrimes.
Importance of Cyber Law:
1. It covers all transactions over the internet.
2. It keeps an eye on all activities over the internet.
3. It touches every action and every reaction in cyberspace.
Copyright Infringement:
Copyright protection gives the owner of any published artistic, literary or scientific
work the right to prohibit everyone else from exploiting that work in their name and
profiting from it.
When these proprietary creations are utilized by anyone without the permission of the owner, it
leads to copyright infringement. If copies of any software are made and sold on the internet
without the permission of the owner or even copying the content from any online source, these
all are examples of copyright infringement.
Copyright Issues in Cyberspace:
1. Linking – A link permits a website user to visit another location on the Internet: by
simply clicking on a word or image on one Web page, the user can view another Web page
elsewhere in the world, or elsewhere on the same server as the original page.
Linking can damage the rights or interests of the owner of the linked web page. It may
create the impression that the two linked sites are the same and promote the same idea,
and the linked site can lose income, which is often proportional to the number of persons
who visit its page.
2. Software Piracy – Software piracy is the act of stealing software that is lawfully
protected. It comprises actions such as copying, distributing, altering or selling the
software, and it also falls under the Indian Copyright Act.
An example of software piracy is downloading a copy of Microsoft Word from any website
other than Microsoft's to avoid paying for it, as it is paid software. Piracy can be of 3
types:
1. Soft lifting
2. Software counterfeiting
3. Uploading-downloading.
3. Cybersquatting –Cybersquatting means unauthorized registration and use of Internet domain
names that are similar to any business’s trademarks, service marks, or company names. For
example, let us consider Xyz is a very famous company and the company hadn’t created a
website yet. A cybersquatter could buy xyz.com, looking to sell the domain to the company Xyz
at a later date for a profit. The domain name of a famous company can even be used to attract
traffic and this traffic will help cybersquatters earn a lot of money through advertising.
When more than one individual believes that they have the right to register a specific
domain name, this can lead to a Domain Name Dispute. It arises when a registered
trademark is registered as a domain name by an individual or organization who is not the
owner of that trademark.
Trademark Issues in Cyberspace
A trademark is a mark capable of being represented graphically which distinguishes the
goods or services of one person from those of others; it may include the shape of goods,
their packaging and combinations of colours. A registered service mark identifies a
service. Trademark infringement is the unlawful use of a trademark or service mark that
causes ambiguity, deception or confusion about which company a product or service
actually came from. Trademark owners can take legal action if they believe their marks are
being infringed.
Advantages of Intellectual Property Rights
1. It provides exclusive rights to creators or inventors.
2. It gives inventors the freedom to share their knowledge without keeping it secret.
3. It helps creators financially.
4. It provides legal protection to the creator.
Conclusion: With the growth of Cyberspace and technology advancements, copyright and
trademarks are not limited to the usual intellectual property alone but have spread to
intellectual property rights over the internet.
Trademark:
Cyberspace is becoming a hub for intellectual property rights infringement. Several
practices by website operators result in the violation of the intellectual property and
other rights of other website operators, so it is crucial that people are aware of the
illegal use of their websites and web pages.
International conventions and treaties have provided various laws to protect infringement of
IPRs online which are helping e-commerce and e-businesses to grow. However, the Information
technology Act does not provide any provisions in respect of cybercrimes related to IPR,
cyberstalking, cyber defamation, etc.
Also, the Indian Trademark Act, 1999 and Copyright Act, 1957 are silent on issues on online
Trademark and Copyright infringement. Though computer programs are protected under the
Copyright Act, 1957, it does not provide remedies for cyberpiracy.
Patents in Information Technology:
Practical applications in a computing device are generally patentable. Not all software
is patentable, but devices such as pacemakers very much are. A particular computer
program qualifies for a patent only when it makes a technical contribution; if it
enhances the speed or efficiency of an existing program, it may be eligible for a patent.
Software patents have been granted for things such as:
– Program algorithms
– Program language translations
– Menu arrangements
– OS functions
– Editing functions and interface features
– Display presentations
The United States of America has recognized the patents for businesses like online stock trading,
gambling, e-commerce, etc.
What is non-patentable?
Software is essentially a form of intangible property that is safeguarded by copyright
rather than patents, as with literary and artistic works. Programming languages are
treated like natural languages such as English or French: they are not patentable but are
protected under copyright law. Many countries have debated whether software and
programming languages should be brought under patent law, since patents provide broader
protection. Computer programs and languages as such are not considered new inventions,
because they only solve a mathematical or computational problem rather than being applied
in a practical field.