Lecture 5 - Attacks

Uploaded by Ganesh Basnet

Lecture 5

Attacks
Attacks
Before talking about attacks, let us revise the security issues first.

Question?
What are the differences between computer security, network security and information security?

Computer security focuses on ensuring the availability and correct operation of a computer system, without concern for the information stored or processed by the computer.

Network security consists of the policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources. People have to provide credentials such as passwords or wireless keys, and the network may be protected with firewalls and intrusion detection.

Information security is a more general concept, concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. It can include network security and computer security as well as cryptography, access control (not only who has access but what they can do), physical security, and more.

Defense in depth

Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information.

To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on and overlapping of security measures is called defense in depth.

(Figure: Information Processing System)

What does attack mean?
Attacks refer to any unauthorized access, use,
disclosure, disruption, modification, perusal,
inspection, recording or destruction against the
information system.

Introduction
• In information security, we have different types of attacks that may cause critical problems for governments, organizations, private companies and individuals.

• These attacks target computer security, network security and information security.

Attacks are grouped here as:
• Social Engineering attacks
• Active attacks
• Passive attacks
• Denial of service attacks
• Protocol attacks
• Malware (Viruses, Trojan Horses, Worms)

Social Engineering Attack
• A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker's bidding, for example by playing on the recipient's natural desire to take advantage of a good deal. It's important to remember that if something sounds too good to be true, it's probably a scam.

• An example would be responding to a phishing email, following the link and entering your banking credentials on a fake website. The stolen credentials are then used for everything from finance fraud to outright identity theft. An old saying comes to mind here: "it pays to be suspicious". With socially engineered attacks, the opposite is also true - if you aren't suspicious, you likely will end up paying.

• In addition to phishing, social engineering attacks can come in many forms - email, greeting cards, or announcements of lottery winnings.

• Another form of this attack is baiting.

• Social engineering attacks are also often used to trick users into infecting their own systems - for example, by disguising the malware as a video codec or Flash update. An email is sent enticing the recipient to view a video clip; the victim visits the link contained in the email and installs the "codec/update", which turns out to be a backdoor Trojan or keystroke logger.

• Remember: with social engineering scams, the attacker is relying on you to make the wrong choice. Choose not to be a victim.

Social Engineering Attack
• Baiting involves dangling something you want to entice you to take an action the criminal desires. It can be in the form of a music or movie download on a peer-to-peer site, or it can be a USB flash drive with a company logo labeled “Executive Salary Summary Q1 2013” left out in the open for you to find. Then, once the device is used or the file downloaded, the person’s or company’s computer is infected with malicious software allowing the criminal to advance into your system.

• Phishing involves false emails, chats, or websites designed to impersonate real systems with the goal of capturing sensitive data. A message might come from a bank or other well-known institution with the need to “verify” your login information. It will usually be a mocked-up login page with all the right logos to look legitimate. It could also be a message claiming you are the “winner” of some prize or lottery coupled with a request to hand over your bank information, or even a charity plea after a big natural disaster with instructions to wire money to the “charity/criminal”.

How do you avoid being a victim of a social engineering attack?
1. Be suspicious of phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

Example:
Below is an actual phishing email that started circulating in January 2006. We have removed the link to the phisher's website. Note the poor grammar, misspellings, contractions ("don't" instead of "do not"), things that a real bank or credit card company simply wouldn't do.

How do you avoid being a victim of a social engineering attack?
2. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

Example: a form asking for your Full Name, Password and Passport No.

How do you avoid being a victim of a social engineering attack?
3. Any time you need to go to a website for your bank, credit card companies or other personal, financial or confidential information, do not follow a link in an email; type the address into your browser directly (such as www.visa.com).

Example:
The following link may look like it goes to Visa, but the text of a link and its real destination can differ: it can be made to send you to amazon.com.

www.visa.com

How do you avoid being a victim of a social engineering attack?
4. Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

5. Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).

6. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

How do you avoid being a victim of a social engineering attack?
7. Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
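
As an added example (not part of the lecture), the following Python checker looks for the two warning signs from points 3 and 7: anchor text that names one host while the link really goes to another (www.visa.com shown, amazon.com reached), and hosts that imitate a trusted one under a different domain or with a near-miss spelling. The trusted host list, the simple anchor regex and any sample HTML are assumptions made for this example.

```python
# Added example (not from the lecture): flag links whose visible text names
# one site while the href points elsewhere, and hosts that are look-alikes of
# a trusted domain (other TLD or a small misspelling). The trusted list, the
# simple <a> regex and the sample HTML are constructed for this example.
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED_HOSTS = ("www.visa.com", "www.amazon.com")        # constructed allow-list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Lowercase host named by a URL or by bare 'www.example.com' text."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def registrable(host):
    """Crude label-before-the-TLD extraction: www.visa.com -> visa."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def check_link(href, text):
    """Return a list of warnings for one <a href=HREF>TEXT</a>."""
    warnings = []
    real = host_of(href)
    # Only treat the anchor text as a host when it looks like one (has a dot).
    shown = host_of(text) if re.search(r"\w\.\w", text) else ""
    if shown and shown != real:
        warnings.append(f"text shows {shown} but link goes to {real}")
    # The real host imitates a trusted one: same name under another TLD
    # (.com vs .net), or a near-miss spelling (vissa vs visa).
    for good in TRUSTED_HOSTS:
        if real == good:
            break
        if registrable(real) == registrable(good):
            warnings.append(f"{real} uses a different domain than {good}")
        elif SequenceMatcher(None, registrable(real), registrable(good)).ratio() > 0.8:
            warnings.append(f"{real} looks like a misspelling of {good}")
    return warnings

def scan_email_html(html):
    """Map each link's visible text to its warnings (empty list = clean)."""
    return {text: check_link(href, text) for href, text in ANCHOR.findall(html)}
```

A mail filter or browser extension would run scan_email_html over the message body and show the warnings next to the link before the user clicks.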
How do you avoid being a victim of a social engineering attack?
8. Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).

9. Take advantage of any anti-phishing features offered by your email client and web browser.

What do you do if you think you are a victim?
• If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
• If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
• Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
• Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
• Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

Classifying security attacks
Security Attacks are divided into Passive Attacks and Active Attacks.

Passive Attacks: a passive attack attempts to learn or make use of information from the system but does not affect system resources.

Active Attacks: an active attack attempts to alter system resources or affect their operation.

Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted.

(Figure: Transmitter and Receiver, with the Attacker / Opponent observing the transmission)

Passive Attacks classification
Passive Attacks are of two kinds:
• Release of message contents: the message may contain sensitive or confidential information.
• Traffic analysis: traffic analysis is subtler.

Passive Attacks
Question: if the message contents are protected by encryption, do you think the data is safe?

No
Why?
• An opponent might still be able to observe the pattern of these messages.
• The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged.
This information might be useful in guessing the nature of the communication that was taking place.

Passive Attacks
Why are passive attacks dangerous?
Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern.

How can we prevent this type of attack?
However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream.

(Figure: Transmitter and Receiver, with the Attacker / Opponent acting on the data stream)

Classification of Active Attacks
Active Attacks are of four kinds:
• Masquerade
• Replay
• Modification of messages
• The denial of service

Classification of Active Attacks
Masquerade attacks take place when one entity pretends to be a different entity. A masquerade attack usually includes some other forms of active attack.

(Figure: the Attacker / Opponent sends "Hi, this is John" while pretending to be John)

Classification of Active Attacks
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

(Figure: between Bob and Alice, a "What is ur pass" request is answered with "Pass: *******"; the Attacker / Opponent captures the "Pass: *******" message and retransmits it later)

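As an added example (not part of the lecture), the Python below shows why the captured "Pass: *******" message would still be accepted if the receiver only checked a message authentication code, and how a nonce and a timestamp window let the receiver reject the replayed copy. The shared key, the message format and the clock values are assumptions made for this example.

```python
# Added example (not from the lecture): why a MAC alone does not stop the
# replay described in this slide, and how a nonce plus a timestamp window
# does. Shared key, message format and clock values are constructed here.
import hashlib
import hmac
import secrets
import time

KEY = b"constructed-shared-key"   # known to both Bob (sender) and Alice (receiver)
WINDOW_SECONDS = 30               # how old a message may be and still be accepted

def build_message(key, body, now=None):
    """Sender: 'body|timestamp|nonce' authenticated with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    payload = f"{body}|{now}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + tag

def _split_and_check_mac(key, wire):
    payload, _, tag = wire.rpartition(b"|")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload, hmac.compare_digest(expected, tag)

def verify_mac_only(key, wire):
    """Naive receiver: a valid MAC is enough, so a captured copy is accepted."""
    return _split_and_check_mac(key, wire)[1]

class Receiver:
    """Receiver that also rejects stale messages and reused nonces."""
    def __init__(self, key):
        self.key = key
        self.seen = {}                 # nonce -> timestamp, pruned each call
    def accept(self, wire, now=None):
        now = int(time.time()) if now is None else now
        payload, ok = _split_and_check_mac(self.key, wire)
        if not ok:
            return False, "bad MAC"
        body, ts, nonce = payload.decode().rsplit("|", 2)
        if abs(now - int(ts)) > WINDOW_SECONDS:
            return False, "stale timestamp"
        # Forget nonces outside the window: they can no longer pass the check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if nonce in self.seen:
            return False, "replay: nonce already used"
        self.seen[nonce] = int(ts)
        return True, body
```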
Classification of Active Attacks
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

(Figure: Transmitter and Receiver, with the Attacker / Opponent altering the message in transit)

Classification of Active Attacks
The denial of service prevents or inhibits the normal use or management of communications facilities.

This attack may have a specific target. Another form of service denial is the disruption of an entire network or a server.

Comparison between active and passive attack

Passive Attack:
• Difficult to detect.
• Measures are available to prevent their success.

Active Attack:
• It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communications facilities and paths at all times.
• Instead, the goal is to detect them and to recover from any disruption or delays caused by them. Because the detection has a deterrent effect, it may also contribute to prevention.

Background Information: Denial of Service Attacks

• Denial of Service Attack: an attack on a computer or network that prevents legitimate use of its resources.[1]
• DoS Attacks Affect:
– Software Systems
– Network Routers/Equipment/Servers
– Servers and End-User PCs

Classification of DoS Attacks [1]

Network Level Device
  Affected area: Routers, IP Switches, Firewalls
  Example: Ascend Kill II, “Christmas Tree Packets”
  Description: Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.

OS Level
  Affected area: Equipment Vendor OS, End-User Equipment
  Example: Ping of Death, ICMP Echo Attacks, Teardrop
  Description: Attack takes advantage of the way operating systems implement protocols.

Application Level Attacks
  Affected area: Finger Bomb
  Example: Finger Bomb, Windows NT RealServer G2 6.0
  Description: Attack a service or machine by using an application attack to exhaust resources.

Data Flood (Amplification, Oscillation, Simple Flooding)
  Affected area: Host computer or network
  Example: Smurf Attack (amplifier attack), UDP Echo (oscillation attack)
  Description: Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.

Protocol Feature Attacks
  Affected area: Servers, Client PC, DNS Servers
  Example: SYN (connection depletion)
  Description: Attack in which “bugs” in protocol are utilized to take down network resources. Methods of attack include: IP address spoofing, and corrupting DNS server cache.

Countermeasures for DoS Attacks [1]

Network Level Device
  Countermeasure options: Software patches, packet filtering
  Example: Ingress and Egress Filtering
  Description: Software upgrades can fix known bugs and packet filtering can prevent attacking traffic from entering a network.

OS Level
  Countermeasure options: SYN Cookies, drop backlog connections, shorten timeout time
  Example: SYN Cookies
  Description: Shortening the backlog time and dropping backlog connections will free up resources. SYN cookies proactively prevent attacks.

Application Level Attacks
  Countermeasure options: Intrusion Detection System
  Example: GuardDog, other vendors
  Description: Software used to detect illicit activity.

Data Flood (Amplification, Oscillation, Simple Flooding)
  Countermeasure options: Replication and Load Balancing
  Example: Akamai/Digital Island provide content distribution
  Description: Extending the volume of content under attack makes it more complicated and harder for attackers to identify services to attack and accomplish complete attacks.

Protocol Feature Attacks
  Countermeasure options: Extend protocols to support security
  Example: IETF standard for itrace, DNSSEC
  Description: Trace source/destination packets by a means other than the IP address (blocks against IP address spoofing). DNSSEC would provide authorization and authentication on DNS information.

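As an added example (not part of the lecture), the Python below sketches the SYN cookie listed as the OS-level countermeasure against SYN connection depletion: the server derives the sequence number of its SYN-ACK from a keyed hash of the connection and a coarse clock, so half-open connections consume no backlog memory and only a client that really received the SYN-ACK can complete the handshake. The secret key, addresses, tick size and lifetime are assumptions; real TCP stacks also encode the negotiated MSS in the cookie.

```python
# Added example (not from the lecture): a simplified SYN cookie, the OS-level
# countermeasure in the table above. The server keeps no half-open state for
# a SYN: the initial sequence number it puts in the SYN-ACK is a keyed hash
# of the connection 4-tuple and a coarse clock, so only a client that really
# received the SYN-ACK can send an ACK that validates. Key, addresses and
# clock values are constructed; real stacks also encode the MSS.
import hashlib
import hmac
import socket
import struct

SERVER_KEY = b"constructed-server-secret"
TICK_SECONDS = 64         # the cookie clock advances once per 64 s
MAX_TICK_AGE = 2          # cookies older than this many ticks are rejected

def _tick(now):
    return (now // TICK_SECONDS) & 0xFF          # 8-bit clock, wraps around

def _mac24(key, saddr, sport, daddr, dport, tick):
    """24-bit MAC over the 4-tuple and the tick (the low bits of the ISN)."""
    data = struct.pack("!4sH4sHB", socket.inet_aton(saddr), sport,
                       socket.inet_aton(daddr), dport, tick)
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(key, saddr, sport, daddr, dport, now):
    """Server ISN for the SYN-ACK: top 8 bits = tick, low 24 bits = MAC."""
    tick = _tick(now)
    return (tick << 24) | _mac24(key, saddr, sport, daddr, dport, tick)

def check_syn_cookie(key, saddr, sport, daddr, dport, now, ack):
    """Validate the client's ACK (= our ISN + 1) with no stored state."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick, mac = cookie >> 24, cookie & 0xFFFFFF
    age = (_tick(now) - tick) & 0xFF               # handles 8-bit wrap-around
    if age > MAX_TICK_AGE:
        return False                                # too old, or a guessed ISN
    expected = _mac24(key, saddr, sport, daddr, dport, tick)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))
```

A flood of SYNs from spoofed addresses never returns a valid ACK, so with cookies in use it leaves nothing in the server's backlog to exhaust.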
DoS Shortfalls
• DoS attacks are unable to attack large-bandwidth websites
– one upstream client cannot generate enough bandwidth to cripple major megabit websites.
• New distributed server architecture makes it harder for one DoS to take down an entire site.
• New software protections neutralize existing DoS attacks quickly.
• Service Providers know how to prevent these attacks from affecting their networks.
• “Old” Internet Technology - something new needs to take its place (Hackers want the challenge of a new technology).

Distributed Denial of Service Attacks
• What is a Distributed Denial of Service Attack?
As Defined by the World Wide Web Security FAQ: A Distributed Denial of
Service (DDoS) attack uses many computers to launch a coordinated DoS
attack against one or more targets. Using client/server technology, the
perpetrator is able to multiply the effectiveness of the Denial of Service
significantly by harnessing the resources of multiple unwitting accomplice
computers which serve as attack platforms. Typically a DDoS master program
is installed on one computer using a stolen account. The master program, at a
designated time, then communicates to any number of "agent" programs,
installed on computers anywhere on the internet. The agents, when they
receive the command, initiate the attack. Using client/server technology, the
master program can initiate hundreds or even thousands of agent programs
within seconds.[3]

DDoS Architecture
(Figure: Clients at the top control a layer of Handlers, which in turn control the Agents that carry out the attack)

Widely Used DDoS Programs
• Trinoo
• Tribe Flood Network
• TFN2K
• stacheldraht (barbed wire)

Exercise: Find out new DDoS programs.

THE END