Chapter 2 CS

Chapter 2 discusses various computer threats, including viruses, Trojan horses, worms, spyware, adware, phishing, and eavesdropping, which can cause significant harm to computer systems and data. It outlines the methods of attack, such as malware, social engineering, and unauthorized access, and explains the differences between threats and attacks. Additionally, it covers denial of service attacks, program flaws, and security defenses to mitigate these risks.

Uploaded by edendebebe72

Chapter 2

Computer Threat
Computer threats are malicious activities or software designed to harm, disrupt, or gain unauthorized access to computer systems.
They can lead to data loss, privacy breaches, and system damage.
Malicious code refers to software or scripts intentionally created to cause harm, steal data, or compromise system security.

Some computer threats include viruses, Trojan horses, worms, spyware, adware, etc.
These malicious programs can cause significant harm, such as data loss, system damage, or unauthorized access.
Viruses
• Viruses are malicious programs that attach themselves to legitimate files or software.
• They are self-replicating programs.
• They require user action to spread, such as opening an infected file.
• They can corrupt or delete data, and may spread to other files or systems.
Examples:
• ILOVEYOU: Spread through infected email attachments.
• Melissa Virus: Distributed through infected Word documents, spreading by emailing itself to contacts.
• Michelangelo Virus: Overwrote data on infected systems.

Trojan Horses
• A Trojan horse is a program downloaded and installed on a computer that appears harmless.
• It appears as legitimate software but contains hidden malicious functions.
• Unlike viruses, Trojans do not replicate themselves but rely on user actions to execute; users are tricked into installing them, thinking they are harmless.
• Often used to create backdoors, steal information, or download other malware.
Examples:
• Zeus Trojan: Used to steal banking information by logging keystrokes and capturing sensitive data.
• Emotet: Initially a banking Trojan, later used to deliver other malware.
• Remote Access Trojan (RAT): Allows attackers to control a victim's system remotely, often used for spying.
Worms
• A worm is standalone malware that replicates itself to spread across networks.
• Worms do not need user action to spread; they exploit vulnerabilities in networks or software.
• They can cause network congestion, system crashes, and resource exhaustion.
Examples:
• Morris Worm: One of the first internet worms; caused widespread network disruption.
• Conficker Worm: Exploited Windows vulnerabilities to infect millions of systems, causing network issues.
• Stuxnet Worm: Targeted industrial control systems, notably damaging Iran's nuclear facilities.
Spyware
• Software that secretly collects user information without their knowledge.
• Monitors user activity, gathers data, and may record keystrokes.
• Invades privacy, can lead to identity theft, and slows down system performance.

Examples:
• CoolWebSearch: Redirected browsers to unwanted websites, tracking user activities.
• Keyloggers: Monitor and record keystrokes to steal sensitive information like passwords.
• Adware (e.g., Gator): Displayed intrusive ads while secretly collecting user data.
Adware
• Adware is software that displays unwanted advertisements to generate revenue for the developer.
• It may redirect users to advertising sites, show pop-up ads, or add banners to browsers.
• While some adware is relatively harmless and funds free software, other adware can be intrusive, slowing down devices and consuming system resources.
• Adware can also collect data about user preferences to target ads but is generally less invasive than spyware.
Phishing
Phishing is the act of pretending to be someone or something to steal sensitive information. Common targets include passwords, financial data, or system credentials.
How Phishing Works
Attackers may send malicious links or attachments. These can infect systems with malware or trick individuals into revealing sensitive information.
Example:
Companies like Mastercard can lose millions due to successful phishing attacks. It puts both business operations and employee safety at risk.
Example: If someone is a customer of ABC bank, he would probably open the link and enter the details. But these kinds of emails are always phishing. Banks do not send emails like this.
Eavesdropping
Eavesdropping occurs when an attacker observes traffic on your system and monitors your activities without your consent. Eavesdropping can be active or passive.
Methods of Eavesdropping:
• Email Monitoring: Attackers can intercept and read your emails.
• Website Tracking: Attackers can see which websites you visit.
• File Download Monitoring: Attackers can track what items you download.
Class of Attacks
• Let's first look at the terms "threat" and "attack" in computer security.

Threat                                             | Attack
-------------------------------------------------- | ----------------------------------------------------------------
Threats can be intentional or unintentional.       | The attack is intentional.
Threats may or may not be malicious.               | The attack is malicious.
Circumstances that can cause damage.               | The objective is to cause damage.
Information may or may not be altered or damaged.  | The chance for information alteration and damage is very high.
The threat is comparatively hard to detect.        | Comparatively easy to detect.
Can be blocked by control of vulnerabilities.      | Cannot be blocked by just controlling the vulnerabilities.
Class of Attacks
• In general, a threat is a malicious act that has the potential to damage a system or asset, while an attack is an intentional act that causes damage to a system or asset.
Methods of attack
• Malware (viruses, Trojan horses)
• Social engineering (phishing, scams); read further on these
• Password theft (brute force, keylogging)
Impact: Data breaches, operational disruptions, potential destruction of assets and reputation.
Class of Attacks

Types of Attack
• Active attacks: an attempt to change system resources or influence their operation.
• Passive attacks: an attempt to understand or retrieve sensitive data from a system without influencing the system resources.
Primary Classes of Attack
• Access
• Reconnaissance
• Denial of service (DoS)
Access
• System access refers to unauthorized access to a device without an account or password.
• Unauthorized attempts to gain access to a network or resources.
Class of Attacks
Access attacks can be:
External Attacks:
• Conducted by outside individuals or groups.
• Use methods like hacking, phishing, or exploiting vulnerabilities.
• The goal is to steal confidential data or disrupt services.
Internal Attacks:
• Conducted by trusted, internal users.
• Can involve accessing unauthorized areas out of curiosity or malicious intent.
• The goal is sabotage, data theft, or misuse of resources.
Unauthorized access attacks are attempted via four means: password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
• All of these try to bypass some facet of the authentication process.
Access Attacks
Password Attacks
• Attackers use techniques like brute force, dictionary attacks, or credential stuffing to guess or crack passwords.
• Example: Hackers repeatedly try common or stolen passwords until they find one that works.
• Prevention: Use strong, unique passwords and multi-factor authentication (MFA).
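The brute-force and credential-stuffing attempts described above leave a trail of failed logins from one source, which is what a defender looks for. The detector below is an added example written for this page, not code from the slides: it parses constructed log lines in a simplified format (epoch seconds, result, user, source IP, an assumption made for the example; real sshd or web-server logs have their own formats) and flags any source with five or more failures inside a 60-second window, the kind of signal that drives account lockout, IP throttling or an MFA step-up.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   64   /* distinct source IPs tracked */
#define MAX_FAILS 64   /* failures remembered per source */
#define IP_LEN    46   /* room for an IPv6 address plus NUL */

struct src_stats {
    char ip[IP_LEN];
    long fail_ts[MAX_FAILS];   /* timestamps of failed logins, in log order */
    int  nfails;
};

/* Find or create the per-source record for ip; NULL when the table is full. */
static struct src_stats *lookup(struct src_stats *tab, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].ip, ip) == 0) return &tab[i];
    if (*n >= MAX_SRC) return NULL;
    struct src_stats *s = &tab[(*n)++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, IP_LEN, "%s", ip);
    return s;
}

/* 1 if `threshold` failures from this source fall inside any `window`
 * seconds (timestamps are assumed non-decreasing, as in a log file). */
static int bursty(const struct src_stats *s, int threshold, long window) {
    for (int i = 0; i + threshold - 1 < s->nfails; i++)
        if (s->fail_ts[i + threshold - 1] - s->fail_ts[i] <= window) return 1;
    return 0;
}

/* Parses constructed log lines of the form
 *     "<epoch-seconds> <FAIL|OK> user=<name> src=<ip>"
 * and copies every source IP with >= threshold failures within `window`
 * seconds into `flagged`. Returns the number of flagged sources. */
int flag_bruteforce(const char *const *lines, size_t nlines, int threshold,
                    long window, char flagged[][IP_LEN], size_t max_flagged) {
    struct src_stats tab[MAX_SRC];
    int nsrc = 0, nflag = 0;
    for (size_t i = 0; i < nlines; i++) {
        long ts; char result[8], user[64], ip[IP_LEN];
        if (sscanf(lines[i], "%ld %7s user=%63s src=%45s", &ts, result, user, ip) != 4)
            continue;                               /* malformed line: skip, don't crash */
        if (strcmp(result, "FAIL") != 0) continue;  /* only failures count */
        struct src_stats *s = lookup(tab, &nsrc, ip);
        if (s && s->nfails < MAX_FAILS) s->fail_ts[s->nfails++] = ts;
    }
    for (int i = 0; i < nsrc && (size_t)nflag < max_flagged; i++)
        if (bursty(&tab[i], threshold, window))
            snprintf(flagged[nflag++], IP_LEN, "%s", tab[i].ip);
    return nflag;
}

/* Constructed sample log: 203.0.113.5 fails six times in 20 seconds,
 * 198.51.100.7 fails once and then logs in; the last line is garbage. */
const char *const SAMPLE_LOG[] = {
    "1700000000 FAIL user=admin src=203.0.113.5",
    "1700000003 FAIL user=root src=203.0.113.5",
    "1700000005 FAIL user=admin src=203.0.113.5",
    "1700000009 FAIL user=alice src=198.51.100.7",
    "1700000010 FAIL user=test src=203.0.113.5",
    "1700000014 FAIL user=guest src=203.0.113.5",
    "1700000017 OK user=alice src=198.51.100.7",
    "1700000020 FAIL user=admin src=203.0.113.5",
    "not a log line",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

/* Runs the detector over the sample log; returns the flagged count and
 * copies the first flagged IP (or "") into `first` when it is not NULL. */
int sample_flag_count(int threshold, long window, char *first) {
    char flagged[MAX_SRC][IP_LEN];
    int n = flag_bruteforce(SAMPLE_LOG, SAMPLE_LOG_LEN, threshold, window, flagged, MAX_SRC);
    if (first) snprintf(first, IP_LEN, "%s", n > 0 ? flagged[0] : "");
    return n;
}

int main(void) {
    char flagged[MAX_SRC][IP_LEN];
    int n = flag_bruteforce(SAMPLE_LOG, SAMPLE_LOG_LEN, 5, 60, flagged, MAX_SRC);
    for (int i = 0; i < n; i++)
        printf("possible password attack from %s\n", flagged[i]);
    return 0;
}
```

The threshold and window are the tunable parts: too low and ordinary users who mistype a password get locked out, too high and a slow, patient attacker stays under it, which is why the lockout is usually combined with MFA rather than relied on alone.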
Trust Exploitation
• Occurs when attackers abuse established trust relationships between systems.
• Example: An attacker compromises a server in the demilitarized zone (DMZ) to access the internal network, exploiting trust between systems.
• Prevention: Restrict trust relationships and regularly monitor access.
Port Redirection
• Involves redirecting traffic from a secure port to an unauthorized one, bypassing security controls like firewalls.
• Example: An attacker uses a compromised internal machine to redirect traffic through a port that is otherwise blocked.
• Prevention: Implement strict firewall rules and monitor network traffic for anomalies.
Access Attacks
Man-in-the-Middle (MitM) Attacks
• An attacker intercepts and alters communication between two parties without their knowledge.
• Attackers may impersonate one or both parties involved in the communication.
• The main goal: intercepting and manipulating communication between two parties.
• Example: A hacker intercepts login credentials transmitted in clear text, then uses them to access sensitive information.
How do man-in-the-middle attacks work?
Successful MitM execution has two distinct phases: interception and decryption.
Interception:
Attackers position themselves between two parties, intercepting data. Common methods include unsecured Wi-Fi eavesdropping, network tampering, and exploiting software vulnerabilities.
Decryption:
The intercepted data is captured and decoded, allowing attackers to steal or alter sensitive information, such as login credentials or financial details.
Reconnaissance Attacks
• Reconnaissance is the act of gathering information about a target before launching an attack.
• Important information that can be compiled during a reconnaissance attack includes the following:
  - Ports open on a server
  - Ports open on a firewall
  - IP addresses on the host network
  - Hostnames associated with the IP addresses

The four common tools used in reconnaissance attacks for gathering network data are packet sniffers, ping sweeps, port scans, and information queries.
Reconnaissance Attacks
Packet Sniffers
- Capture and analyze network traffic.
- Example: Wireshark.
- Used for monitoring or malicious activity.
Ping Sweeps
- Send echo requests to multiple IP addresses to identify active hosts.
- Useful for network mapping.
Port Scans
- Scan a network for open ports to identify running applications.
- Help find vulnerabilities linked to specific ports.
- Common TCP ports: FTP 21, HTTP 80, HTTPS 443.
- Common UDP ports: DHCP 68, DNS 53, SNMP 161.
Information Queries
- Resolve hostnames to IPs or vice versa using tools like nslookup.
- Useful for gathering network information.
Denial of Service (DoS) Attacks

• A DoS attack prevents legitimate users from accessing information systems, devices, or network resources by overwhelming the targeted host or network with excessive traffic.
• A DoS attack leverages different methods to overwhelm systems, leading to service disruption or complete outages.

Affected Services:
• Email accounts.
• Websites.
• Online accounts (e.g., banking).
• Other services relying on the affected network.

How DoS Attacks Work:
• Flood the target with traffic until it crashes or becomes unresponsive.
• Prevents access for legitimate users.

Common Types of DoS Attacks
1. Buffer Overflow Attack
• Sends more traffic than a system can handle, leading to a flood attack.
• Overwhelms the system, causing it to crash or become unresponsive.
2. Smurf Attack
• Floods a target IP with spoofed packets sent to a network broadcast address.
• Overloads the network, disrupting normal communication.
3. Ping Flood
• Exploits the ping protocol by sending large payloads, overloading the system.
• Stops the system from responding to legitimate requests, potentially causing a crash.
4. ICMP Flood
• Overwhelms a target with more pings than it can handle, possibly launching a DDoS attack.
• Prevents the target from handling regular network traffic.
5. SYN Flood
• Exploits the TCP handshake by sending numerous requests to open TCP connections without completing them.
• Exhausts server resources, making it unable to establish new connections.
Distributed Denial of Service (DDoS) Attacks
• DDoS attacks disrupt services by overwhelming them with traffic from many devices.
• Attack traffic comes from a distributed network, making it hard to block.
• Strong defense strategies include firewalls, rate limiting, and specialized DDoS protection.
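Rate limiting, named above as one of the defenses, is most often implemented as a token bucket. The code below is an added example written for this page, not code from the slides: a bucket holds a fixed number of tokens and refills at a steady rate, a request is served only while a token is available, and a flood that arrives faster than the refill rate is capped at the bucket's capacity no matter how many packets are sent. The capacities, rates and request timings in the simulation are constructed values; a real deployment keeps one bucket per client key (source IP, API token, or similar).

```c
#include <stdio.h>

/* Token bucket: holds at most `capacity` tokens and refills at `rate`
 * tokens per second. Each served request costs one token; with the bucket
 * empty the request is rejected (dropped, queued or answered with an
 * error, depending on the deployment). Times are seconds as doubles. */
struct token_bucket {
    double tokens;
    double capacity;
    double rate;
    double last;      /* time of the last refill */
};

void tb_init(struct token_bucket *b, double capacity, double rate, double now) {
    b->tokens = capacity;   /* start full so a short legitimate burst is served */
    b->capacity = capacity;
    b->rate = rate;
    b->last = now;
}

/* Returns 1 if a request arriving at time `now` is served, 0 if rate-limited. */
int tb_allow(struct token_bucket *b, double now) {
    double elapsed = now - b->last;
    if (elapsed > 0) {
        b->tokens += elapsed * b->rate;                 /* lazy refill on demand */
        if (b->tokens > b->capacity) b->tokens = b->capacity;
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Replays `n` requests from one client arriving `interval` seconds apart
 * against a fresh bucket and returns how many were served. */
int tb_simulate(double capacity, double rate, int n, double interval) {
    struct token_bucket b;
    int served = 0;
    tb_init(&b, capacity, rate, 0.0);
    for (int i = 0; i < n; i++)
        served += tb_allow(&b, i * interval);
    return served;
}

int main(void) {
    /* Constructed scenarios: a 10-token bucket refilling 4 tokens per second. */
    printf("flood, 1000 requests at once:   %d served\n", tb_simulate(10, 4, 1000, 0.0));
    printf("8 req/s for 5 s (40 requests):  %d served\n", tb_simulate(10, 4, 40, 0.125));
    printf("4 req/s for 10 s (40 requests): %d served\n", tb_simulate(10, 4, 40, 0.25));
    return 0;
}
```

The three scenarios show the shape of the defense: an instantaneous flood gets only the 10 tokens the bucket started with, a client sending at twice the refill rate is served for its initial burst and then every other request, and a client at or below the refill rate is never limited. Against a DDoS the same logic is applied per source, which is why spoofed and widely distributed sources make it harder, not ineffective.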

How a DDoS Attack Works
Botnet Creation
• The attacker controls multiple compromised devices (a botnet).
• Devices include computers, smartphones, and IoT devices (e.g., smart cameras).
Coordinated Attack
• Botnet devices send a flood of requests to the target simultaneously.
• Often uses spoofed IP addresses, making it hard to block.

Types of DDoS Attacks
1. Volume-Based: Floods the target with massive data (e.g., ICMP flood, UDP flood).
2. Protocol-Based: Exploits protocol weaknesses (e.g., SYN flood).
3. Application Layer: Targets specific applications (e.g., HTTP flood).
Denial of Service (DoS) Attacks vs. Distributed Denial of Service (DDoS) Attacks
1. DoS Attack
• Overwhelms a target with traffic from a single source.
• Characteristics:
  - Easier to detect and block.
  - The attack is localized, making it less potent.
  - Simple firewall rules can often mitigate the attack.
2. DDoS Attack
• Involves multiple compromised systems (botnets) flooding the target simultaneously.
• Advantages for attackers:
  - Increased disruption: Leverages many machines to amplify the attack's impact.
  - Global distribution: Difficult to trace due to widespread, often legitimate sources.
  - Complex mitigation: Blocking one source doesn't stop the attack.
  - Anonymity: Attackers are hidden behind many compromised systems, making identification difficult.

Key Takeaway
• DoS attacks: Simpler but less powerful.
• DDoS attacks: More complex, harder to defend against, and significantly more damaging.
Program Flaws

• Program flaws are vulnerabilities or weaknesses in software that can be exploited by attackers to gain unauthorized access or cause damage.

Types of Program Flaws
• Buffer Overflows: Memory corruption due to excessive data being written to a buffer.
• Time-of-Check to Time-of-Use (TOCTOU) Flaws: Exploit the race condition between checking a condition and using the resource.
• Incomplete Mediation: Failure to fully validate user inputs, allowing malicious actions to bypass security checks.
Buffer Overflows

Buffers are memory storage regions that hold data temporarily.
A buffer overflow occurs when data exceeds the buffer's capacity, overwriting adjacent memory.

• Implications:
Affects all software types; can lead to unpredictable behavior, memory access errors, or crashes.
• Example:
A buffer for an 8-byte username receives a 10-byte input, overwriting memory past the buffer.
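The 8-byte username buffer receiving a 10-byte input, as in the example above, looks like this in C. This is an added example, not code from the slides: set_username_unsafe reproduces the strcpy() pattern that runs past the buffer (kept only as the pattern to avoid and never executed, since doing so is undefined behaviour), and set_username_safe is the bounded replacement that rejects any input longer than seven characters plus the terminating NUL before touching memory. The struct account layout, with a flag placed directly after the buffer, is an assumption made to show what "adjacent memory" can be.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LEN 8   /* the slide's 8-byte username buffer */

struct account {
    char username[USERNAME_LEN];
    int  is_admin;       /* laid out after the buffer: the "adjacent memory" */
};

/* Unsafe: strcpy() copies until it finds the NUL byte, so a 10-byte input
 * writes 3 bytes (10 characters plus NUL) past the end of `username` into
 * whatever follows it. Shown only as the pattern to avoid; never called here. */
void set_username_unsafe(struct account *a, const char *input) {
    strcpy(a->username, input);
}

/* Returns 1 if `input` fits the buffer with room for the terminator. */
int username_fits(const char *input) {
    return strlen(input) < USERNAME_LEN;   /* 8 bytes hold 7 characters + NUL */
}

/* Hardened: check the length first, then copy with an explicit bound.
 * Returns 0 on success and -1 (leaving the account untouched) when the
 * input is too long. */
int set_username_safe(struct account *a, const char *input) {
    size_t n = strlen(input);
    if (n >= USERNAME_LEN) return -1;
    memcpy(a->username, input, n + 1);     /* n + 1 copies the NUL as well */
    return 0;
}

int main(void) {
    struct account a = { "", 0 };
    const char *inputs[] = { "alice", "0123456789" };   /* 5-byte and 10-byte usernames */
    for (int i = 0; i < 2; i++)
        printf("\"%s\": %s\n", inputs[i],
               set_username_safe(&a, inputs[i]) == 0
                   ? "accepted"
                   : "rejected, does not fit the 8-byte buffer");
    return 0;
}
```

The length check is the whole defense: the safe version fails closed on oversized input instead of letting the copy decide where it stops, which is the same discipline the slide's "developer measures" point at, and the OS protections it lists (ASLR, DEP, SEHOP) only make exploitation of a remaining overflow harder rather than removing it.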
Buffer Overflows
Types of Buffer Overflow Attacks
• Stack-based Buffer Overflows
  - Most common type.
  - Exploits stack memory, which exists only during function execution.
• Heap-based Buffer Overflows
  - More complex and harder to execute.
  - Floods the memory allocated for a program beyond current runtime operations.
Vulnerable Programming Languages
• Highly Vulnerable: C and C++: No built-in safeguards against memory overwriting; common in Mac OS X, Windows, and Linux.
• Less Vulnerable: Perl, Java, JavaScript, C#: Use built-in safety mechanisms to reduce buffer overflow risks.
How to Prevent Buffer Overflows
• Developer Measures:
  - Implement security practices in code.
  - Use programming languages with built-in protection.
• Operating System Protections:
  - Address Space Layout Randomization (ASLR): Randomizes memory address locations, making it difficult for attacks to target specific executable code.
  - Data Execution Prevention (DEP): Flags memory areas as non-executable to prevent code execution in those regions.
  - Structured Exception Handler Overwrite Protection (SEHOP): Protects against exploiting Structured Exception Handling (SEH) via buffer overflows.
Time-of-Check to Time-of-Use (TOCTOU) Flaws

Time-of-check to time-of-use (TOCTOU) refers to a class of software bugs that occur due to race conditions.
This happens when a system checks the state of a component (e.g., a security credential) and then uses that result without ensuring it remains valid.
• Meaning:
The gap between the time a condition is checked and the time it is used can allow other processes to alter the state, leading to potential vulnerabilities.

• Occurrence:
Common in Unix systems, especially during file operations.
Can also arise in local sockets and due to improper database transaction handling.
• Historical Examples:
BSD 4.3 UNIX: Had a race condition in its mail utility for temporary files using the mktemp() function.
OpenSSH: Early versions experienced race conditions with Unix domain sockets.

Reference: Wikipedia, "Time-of-check to time-of-use" (TOCTOU).
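The Unix file-operation race described above is classically the access()-then-open() sequence. The code below is an added example, not from the slides or the cited reference: open_checked_then_used shows the racy check-then-use pattern (kept for comparison and never executed), and open_regular_nofollow replaces it with the usual defense of opening first with O_NOFOLLOW and then validating the descriptor with fstat(), so the object that was checked is the object that is used. demo_safe_open creates a temporary file and a symlink to it under /tmp (an assumption: a writable /tmp on a POSIX system) and confirms that the hardened opener accepts the plain file and rejects the link.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the check (access) and the use (open) are two separate
 * system calls. Between them another process can replace the path with a
 * symlink to a file the caller should not reach, and the open follows it.
 * Shown only as the pattern to avoid; never called here. */
int open_checked_then_used(const char *path) {
    if (access(path, R_OK | W_OK) != 0) return -1;   /* time of check */
    return open(path, O_RDWR);                        /* time of use */
}

/* Hardened: open first, refusing to follow symlinks, then inspect the
 * descriptor we actually hold with fstat(). Whatever the path resolves to
 * afterwards no longer matters, because every later operation goes through
 * the fd. Returns an fd, or -1 when the object is not a regular file owned
 * by the calling user. */
int open_regular_nofollow(const char *path) {
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                            /* ELOOP for a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained check: creates a temp file and a symlink to it, confirms
 * the hardened opener accepts the file but rejects the link, and cleans up.
 * Returns 0 on success or a small positive code naming the failed step. */
int demo_safe_open(void) {
    char path[] = "/tmp/toctou-demo-XXXXXX";   /* mkstemp fills in the X's */
    char lnk[sizeof path + 4];
    int rc = 0;
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    unlink(lnk);                                /* ignore a stale link from an earlier run */
    if (symlink(path, lnk) != 0) { unlink(path); return 2; }

    fd = open_regular_nofollow(path);
    if (fd < 0) rc = 3;                         /* the plain file must be accepted */
    else close(fd);
    if (rc == 0 && open_regular_nofollow(lnk) != -1) rc = 4;   /* the symlink must be rejected */

    unlink(lnk);
    unlink(path);
    return rc;
}

int main(void) {
    int rc = demo_safe_open();
    printf("%s\n", rc == 0 ? "plain file accepted, symlink rejected" : "demo step failed");
    return rc;
}
```

The general rule the example applies is to validate the resource you hold (a descriptor) rather than the name you were given (a path), since only the former cannot be swapped underneath you; the same idea is what mkstemp() fixed relative to the mktemp() race named in the historical examples, by creating and opening the temporary file in one exclusive step.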


Program Security Defenses

• Strategies and practices implemented to strengthen software security against vulnerabilities.

Types of Defenses
• Software Development Controls: Secure coding practices, code reviews, and thorough testing techniques.
• Database Management Systems Security: Access controls, encryption, and regular updates to protect sensitive data.
Controls to Protect Against Program Flaws in Execution

• Mechanisms and practices designed to reduce the risk of exploitation of program flaws during execution.
Key Controls:
• Operating System Support: Utilization of security features in the OS, such as memory protection and user permissions.
• Administrative Controls: Policies and procedures that enforce secure configurations and access restrictions.
Thank You