Unit-3 - Tools and Methods Used in Cybercrime


Cyber Security

Prof. Sachin Ponde


Chapter 3

Tools and Methods Used in Cybercrime


Introduction
Attackers typically target computer systems through the following sequence of
steps:

● Initial Uncovering
● Network Probe (Investigation)
● Crossing the line toward the electronic crime (E-Crime)
● Capturing the network
● Grab the data
● Covering tracks

Proxy Servers and Anonymizers
● A proxy server is a computer on a network which acts as an intermediary for
connections with other computers on the network.
● A client connects to the proxy server, requesting some service, such as a file,
connection, web page, or other resource available from a different server, and
the proxy server evaluates the request as a way to simplify and control its
complexity.
● An anonymizer or an anonymous proxy is a tool that attempts to make
activity on the Internet untraceable. It is a proxy server computer that acts as
an intermediary and privacy shield between a client computer and the rest of
the Internet. It accesses the Internet on the user’s behalf, protecting personal
information by hiding the client computer’s identifying information.
● Anonymizers are services used to make Web surfing anonymous by utilizing
a website that acts as a proxy server for the web client.
Phishing
● “Phishing” refers to an attack using mail programs to deceive Internet users
into disclosing confidential information that can then be exploited for illegal
purposes.

Password Cracking
● Password cracking is the process of recovering passwords from data that have
been stored in or transmitted by a computer system.
● Purpose of password cracking:
○ To recover a forgotten password
○ As a preventive measure by system administrators to check for easily crackable passwords.
○ To gain unauthorized access to a system.
● Methods
○ Manual password cracking
○ Using a program and a list of probable passwords.

● Password cracking attacks can be classified under three categories as
follows:
○ Online attacks (e.g. Man-in-the-Middle attack)
○ Offline attacks
○ Non-electronic attacks (e.g. social engineering, shoulder surfing and dumpster diving)
Keyloggers and Spywares
● A keylogger is a program that runs in the background, or a hardware device,
recording all keystrokes. Once keystrokes are logged, they are hidden on the
machine for later retrieval, or shipped raw to the attacker.
● The attacker then checks the logged files carefully in the hope of finding
passwords or possibly other useful information.
● Keyloggers, as a surveillance tool, are often used by employers to ensure
employees use work computers for business purposes only.
● There are two types of key loggers:
a. Hardware Keylogger
b. Software Keylogger
Hardware Keylogger
● Hardware keyloggers are small hardware devices.
● These are connected to the PC and/or to the keyboard and save every keystroke
into a file or into the memory of the hardware device.
● Cybercriminals install such devices on ATM machines to capture ATM card
PINs.

Software Keylogger
● Software keyloggers are software programs installed on computer systems,
usually located between the OS and the keyboard hardware, so that every
keystroke is recorded.
● Software keyloggers are installed on a computer system by Trojans or viruses
without the knowledge of the user.
● Cybercriminals always install such tools on the insecure computer systems
available in public places (i.e. cybercafes etc.) and can obtain the required
information about the victim very easily.
● A keylogger usually consists of two files that get installed in the same
directory: a dynamic link library (DLL) file and an executable (EXE) file that
installs the DLL file and triggers it to work. The DLL does all the recording of
keystrokes.
Spyware
● Applications that send information from your computer to the creator of the
spyware.
● Spyware is a type of malware (i.e. malicious software) that is installed on
computers and collects information about users without their knowledge.
● The presence of spyware is typically hidden from the user; it is secretly
installed on the user’s personal computer.
● It can also be used to log keystrokes and send them to whoever controls it.
Virus and Worms
● A computer virus is a program that can “infect” legitimate programs by
modifying them to include a possibly “evolved” copy of itself.
● Viruses spread themselves, without the knowledge or permission of the users,
to potentially large numbers of programs on many machines.
● A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
● Viruses may also contain malicious instructions that cause damage or
annoyance; the combination of possibly malicious code with the ability to
spread is what makes viruses a considerable concern.
Trojan Horses and Backdoors
● A Trojan Horse is a program in which malicious or harmful code is contained
inside apparently harmless programming or data in such a way that it can get
control and cause harm, for example ruining the FAT (file allocation table) on
the hard disk.
● A Trojan Horse may get widely redistributed as part of a computer virus.
● The term Trojan Horse comes from the Greek mythology of the Trojan War.
● Unlike viruses and worms, Trojans do not duplicate themselves, but they can
be equally destructive.
● A backdoor is a means of access to a computer program that bypasses
security mechanisms.
● The backdoor works in the background and hides from the user.
How to protect from Trojan Horses and Backdoors
1. Stay away from suspect websites/weblinks
2. Surf on the Web cautiously
3. Install antivirus/Trojan remover software
Steganography
● Steganography is the practice of concealing (hiding) a file, message, image or
video within another file, message, image or video. The word steganography
combines the Greek word steganos, meaning “covered, concealed or
protected”, and graphein, meaning “writing”.
● It is a method that attempts to hide the existence of a message or
communication.
● Steganography is commonly confused with cryptography.
● Steganography can be used to make a digital watermark to detect illegal
copying of digital images.
● Digital watermarking is the process of possibly irreversibly embedding
information into a digital signal.
● The digital signal may be, for example, audio, pictures or video.
DoS and DDoS Attacks
DoS Attacks

● In this type of criminal act, the attacker floods the bandwidth of the victim’s
network or fills their email box with spam mail, depriving them of the services
they are entitled to access or provide.
● The attackers typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, mobile phone
networks and even root name servers.
● The goal of DoS is not to gain unauthorized access to systems or data, but to
prevent intended users (legitimate users) of a service from using it.
A DoS attack may do the following:

● Flood a network with traffic, thereby preventing legitimate network traffic.
● Disrupt connections between two systems, thereby preventing access to a
service.
● Prevent a particular individual from accessing a service.
● Disrupt service to a specific system or person.
Classification of DoS Attacks
1. Bandwidth Attacks: Loading any website takes a certain time. Loading means
the complete webpage appearing on the screen and the system awaiting the
user’s input.
2. Logic Attacks: these kinds of attacks exploit vulnerabilities in network
software such as the web server or the TCP/IP stack.
3. Protocol Attacks: protocols here are the rules that are to be followed to send
data over a network.
4. Unintentional DoS Attack: This is a scenario where a website ends up
denied service not due to an attack by a single individual or group of
individuals, but simply due to a sudden enormous spike in popularity.
Types or Levels of DoS Attacks
1. Flood attack
2. Ping of death attack
3. SYN attack
4. Teardrop attack
5. Smurf attack
6. Nuke
Tools used to launch DoS attack
1. Jolt2
2. Nemesy
3. Targa
4. Crazy Pinger
5. SomeTrouble
DDoS Attacks
● In a DDoS attack, an attacker may use your computer to attack another
computer.
● By taking advantage of security vulnerabilities or weaknesses, an attacker
could take control of your computer.
● He/she could then force your computer to send a huge amount of data to a
website or send spam to particular email addresses.
● The attack is “distributed” because the attacker is using multiple computers,
including yours, to launch the DoS attack.
● The DDoS attack is a distributed DoS wherein a large number of zombie
systems are synchronised to attack a particular system.
● The zombie systems are called “secondary victims” and the main target is
called the “primary victim”.
● Malware can carry DDoS attack mechanisms; one of the better-known
examples of this is MyDoom.
● A botnet is a popular medium for launching DoS/DDoS attacks.

Tools used to launch DDoS attack
1. Trinoo
2. Tribe Flood Network (TFN)
3. Shaft
4. Mstream
5. Stacheldraht
How to protect from DoS/DDoS attacks
The Computer Emergency Response Team Coordination Center (CERT/CC) offers
many preventive measures against becoming a victim of a DoS attack.
1. Implement router filters. If available, install patches to guard against TCP
SYN flooding.
2. Disable any unused or inessential network service.
3. Enable quota systems on your OS if they are available.
4. Observe your system’s performance and establish baselines for ordinary
activity.
5. Routinely examine your physical security with regard to your current needs.
6. Use Tripwire or a similar tool to detect changes in configuration information or
other files.
7. Establish and maintain regular backup schedules.
8. Establish and maintain appropriate password policies.
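Measure 4 above (establish a baseline for ordinary activity) is what lets a flood attack be noticed. The following is an added example, not part of the original slides, that learns a requests-per-second baseline from a constructed access log of normal traffic and then flags the seconds in a later window whose rate exceeds it, naming the top source. The log format, addresses (documentation ranges) and the mean + 3·stdev threshold are assumptions of the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from any real system). Addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
NORMAL_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

def make_log(second_counts, ips):
    """Build constructed access-log lines: second_counts[i] requests in second i,
    spread round-robin over ips. Format: '<ISO timestamp> <client ip> <request>'."""
    return [f"2024-03-01T10:00:{i:02d} {ips[j % len(ips)]} GET /index.html"
            for i, n in enumerate(second_counts) for j in range(n)]

# Ten seconds of ordinary activity, used to learn what "normal" looks like.
NORMAL_LOG = make_log([2, 3, 2, 4, 3, 2, 3, 2, 3, 2], NORMAL_IPS)
# A later window in which one source (198.51.100.7) floods seconds 02 and 03.
FLOOD_LOG = make_log([3, 2, 3, 2, 3], NORMAL_IPS) + [
    f"2024-03-01T10:00:{s:02d} 198.51.100.7 GET /index.html" for s in (2, 3) for _ in range(40)]

def parse(lines):
    """Yield (second, client_ip) per line; the ISO timestamp is already second-granular."""
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        yield ts, ip

def build_baseline(lines, k=3.0):
    """Baseline threshold = mean + k * stdev of requests/second during ordinary activity."""
    rates = list(Counter(sec for sec, _ in parse(lines)).values())
    return mean(rates) + k * pstdev(rates)

def flag_flood(lines, threshold):
    """Return {second: (total requests, top source ip, its request count)} for every
    second whose request rate exceeds the baseline threshold."""
    per_second = defaultdict(Counter)
    for sec, ip in parse(lines):
        per_second[sec][ip] += 1
    alerts = {}
    for sec, sources in per_second.items():
        total = sum(sources.values())
        if total > threshold:
            top_ip, top_n = sources.most_common(1)[0]
            alerts[sec] = (total, top_ip, top_n)
    return alerts

if __name__ == "__main__":
    threshold = build_baseline(NORMAL_LOG)
    for sec, (total, ip, n) in sorted(flag_flood(FLOOD_LOG, threshold).items()):
        print(f"{sec}: {total} req/s (baseline {threshold:.1f}); top source {ip} sent {n}")
```

The baseline is only as good as the period it is learned from, so it should be computed from a window known to be free of attack traffic and refreshed as normal load changes.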
Tools for detecting DoS/DDoS attacks
1. Zombie Zapper
2. Remote Intrusion Detector (RID)
3. Find_DDoS
4. DDoSPing
5. Security Auditor’s Research Assistant (SARA)
SQL Injection
● Structured Query Language (SQL) is a database query language designed for
managing data in relational database management systems (RDBMS).
● SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application.
● SQL injection attacks are also known as SQL insertion attacks.
● Attackers target SQL servers, the common database servers used by many
organizations to store confidential data.
● The prime objective behind this attack is to obtain information by accessing a
database table that may contain personal information such as credit card
numbers, social security numbers or passwords.
How to Prevent SQL Injection Attacks
1. Input Validation
a. Replace all single quotes with two single quotes.
b. Sanitize the input: user input needs to be checked and cleaned of any characters or strings
that could possibly be used maliciously, e.g. character sequences such as ;, --, select, insert
etc.
c. Numeric values should be checked when accepting a query string value.
d. Keep all textboxes and form fields as short as possible to limit the length of user input.
2. Modify Error Reports
a. SQL errors should not be displayed to outside users.
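To make the preventive measures above concrete, here is an added example (not from the original slides) using Python's built-in sqlite3 module and a constructed in-memory table. It shows a lookup built by string concatenation, where a single quote in the input changes the SQL itself, beside measures 1a, 1c and 1d from the list, and adds a parameterised query, which the list does not mention but is the standard way to keep input out of the statement's structure. Table and column names are assumptions of the example.

```python
import sqlite3

MAX_NAME_LEN = 32  # measure 1d: cap the length of user input

def setup_db():
    """Constructed in-memory sample table (not any real system's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "4111-XXXX"), (2, "o'brien", "5500-XXXX")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT card FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def quote_breaks_query(conn, name):
    """True if the concatenated query fails to parse: the input changed the SQL syntax."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

def escape_quotes(name):
    """Measure 1a: replace every single quote with two single quotes."""
    return name.replace("'", "''")

def validate_numeric(value):
    """Measure 1c: a query-string value that should be numeric is rejected otherwise."""
    if not value.isdigit():
        raise ValueError("expected a non-negative integer")
    return int(value)

def lookup_safe(conn, name):
    """Measure 1d plus a parameterised query: the driver passes the value
    separately from the statement, so it can never alter the SQL structure."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name too long")
    rows = conn.execute("SELECT card FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = setup_db()
    print(quote_breaks_query(db, "o'brien"))                # True: the quote broke the query
    print(lookup_vulnerable(db, escape_quotes("o'brien")))  # ['5500-XXXX']
    print(lookup_safe(db, "o'brien"))                       # ['5500-XXXX']
```

Quote escaping only covers string literals; the parameterised form handles every value type the same way, which is why it is preferred over hand-written sanitizing.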
