Chapter Two

Computer Threat
 Outlines:
• Malicious code
 Viruses
 Trojan horses
 Worms
 Spy-wares, etc.
• Class of Attacks
 Reconnaissance
 Access
 Denial of Service, etc.
• Program flaws
 Buffer overflows
 Time-of-check to time-of-use flaws
 Incomplete mediation
• Program Security Defenses
Definition: A computer system threat is anything that leads to loss or corruption of data or
physical damage to the hardware and/or infrastructure.
• Knowing how to identify computer security threats is the first step in protecting
computer systems.
• The threats could be intentional, accidental or caused by natural disasters.

What is a Security Threat?

• Security Threat is defined as a risk that which can potentially harm computer systems and
organization.

• The cause could be physical such as someone stealing a computer that contains vital data.

• The cause could also be non-physical such as a virus attack.

• In these course, we will define a threat as a potential attack from a hacker that can allow them
to gain unauthorized access to a computer system.
2.1 Malicious Code
• Malicious code is a set of instructions that cause a site’s security policy to be violated.
• Malicious code is unwanted files or programs that can cause harm to a computer or
compromised data stored on a computer.
• Computer viruses, worms, Trojan horses and Spy-wares are effective tools with which to
attack computer systems.
 2.1.1 Computer Viruses

• This type of virus propagates itself only as specific programs.

• When the Trojan horse can propagate freely and insert a copy of itself into another file, it
becomes a computer virus.
• A computer virus is a program that inserts itself into one or more files and then performs
some action.
• The first phase, in which the virus inserts itself into a file, is called the insertion phase.
• The second phase, in which it performs some action, is called the execution phase.
• Several types of computer viruses have been identified.
2.1.1.1 Boot Sector Infectors
• The boot sector is the part of a disk used to bootstrap the system or mount a disk.
• Code in that sector is executed when the system “sees” the disk for the first time.
• When the system boots, or the disk is mounted, any virus in that sector is executed. (The
actual boot code is moved to another place, possibly another sector.)
• A boot sector infector is a virus that inserts itself into the boot sector of a disk.

2.1.1.2 Executable Infectors

• An executable infector is a virus that infects executable programs.
• The PC variety of executable infectors are called COM or EXE viruses because they infect
programs with those extensions.
• The virus can prepend itself to the executable or append itself.
3.1.1.3 Multipartite Viruses
• A multipartite virus is one that can infect either boot sectors or applications.
• Such a virus typically has two parts, one for each type. When it infects an executable, it
acts as an executable infector; when it infects a boot sector, it works as a boot sector
infector.
2.1.1.4 Macro Viruses
• A macro virus is a virus composed of a sequence of instructions that is interpreted, rather
than executed directly.
• Conceptually, macro viruses are no different from ordinary computer viruses.
• They can execute on any system that can interpret the instructions.
• Macro viruses typically infect files that support macros, such as Word documents
(.doc, .docx), Excel spreadsheets (.xls, .xlsx), or PowerPoint presentations (.ppt, .pptx).
 2.1.2 Computer Worms
• A computer virus infects other programs. A variant of the virus is a program that spreads from
computer to computer, spawning copies of itself on each one.
• A computer worm is a program that copies itself from one computer to another.
• The major difference between a worm and a virus is that unlike a virus, a worm does not need
a host program or software to insert its code into.
• Worms are standalone programs that are capable of working on its own.
• Also, a virus needs human triggering for replication (i.e. when a user opens/executes the
infected file), while a worm replicates on its own and can spread to other computers through
the network.
• Some prominent examples of worms include Storm Worm, Sobig, MSBlast, Code Red, Nimda,
Morris Worm, etc.
 2.1.3 Trojan Horses

• is a type of malicious software or malware that disguises itself as legitimate software or files
to trick users into downloading and executing them.
• A Trojan horse is a program with an overt (documented or known) effect and a covert
(undocumented or unexpected) effect.
• Dan Edwards was the first to use this term [25].
• Trojan horses are often used in conjunction with other tools to attack systems.
• A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that
creates a copy of itself.
• Trojan horses are designed to appear harmless or even beneficial, but once activated, they can
perform a variety of harmful actions without the user's knowledge.
 2.1.4 Spyware
• It is a type of malware that spies on a person or an organisation by gathering information
about them, without the knowledge of the user.
• It records and sends the collected information to an external entity without consent or
knowledge of the user.
• Spyware usually tracks internet usage data and sells them to advertisers.
• They can also be used to track and capture credit card or bank account information, login
and password information or user’s personal identity.
 2.2 Class of Attacks
♥ The three types of network attacks are:
 Reconnaissance attacks
 Access attacks
 Denial of Service attacks
2.2.1 Reconnaissance
 Reconnaissance is an unauthorized user’s attempt to discover and map network system
devices, services available on those systems, and the vulnerabilities of those systems.
 It is also known as information gathering and, in most cases, precedes an actual access or
Denial of Service (DoS) attack.
 The malicious intruder typically ping sweeps the target network first to determine what IP
addresses are active and responsive.
 This can lead to the intruder finding information about what services or ports are active on
the live IP addresses.
 From the active IP address information, the intruder queries the application ports to
determine the application type and version as well as the type and version of operating
system running on the target host.
 2.2.2 Access attacks
• Access is a broad term that refers to the capability of a specific source (that is, a user on a
computer, connected to a network that is connected to the Internet) to connect to a specific
destination (that is, a computer on a network that is connected to the Internet).
• When a destination has been targeted, the attacker will attempt to use some software
application to reach the destination.
• An access attack can come in the form of unauthorized data retrieval and manipulation,
system access, or privileged escalation.
• Access attacks can also be used to gain control of a system and install and hide software that
will be used later by the hackers.
 2.2.3 Denial of Service, etc.
• DoS is when an attacker disables or corrupts networks, systems, or services in order to deny
the service to its intended users.
• It usually involves crashing the system or slowing it down to the point that it is unusable.
• DoS attacks can also be as simple as wiping out or corrupting information necessary for
business.
• In most cases, performing the attack simply involves running a hack, script, or tool.
• The attacker does not need prior access to the target, only a path to the target. Once the path is
realized, great paralyzing damage can be caused.
• Because many DoS attacks are relatively easy to initiate and can be performed anonymously, it
is the most feared attack on the Internet.
• A Distributed Denial of Service (DDoS) attack is one in which the source of the attack is many
computers (usually spread across a large geographic area) making it very difficult to find and
stop the source(s).
 2.3 Program flaws
• Program security flaws can derive from any kind of software fault.
• That is, they cover everything from a misunderstanding of program requirements to a one-
character error in coding or even typing.
• The flaws can result from problems in a single code component or from the failure of several
programs or program pieces to interact compatibly through a shared interface.
• The security flaws can reflect code that was intentionally designed or coded to be malicious or
code that was simply developed in a sloppy or misguided way.
• Thus, it makes sense to divide program flaws into two separate logical categories: human
errors, intentionally induced flaws (malicious).
• They further divide intentional flaws into malicious and nonmalicious ones.
 Nonmalicious Program flaws:

• Being human, programmers and other developers make many mistakes, most of which are

unintentional and nonmalicious.

• Many such errors cause program malfunctions but do not lead to more serious security

vulnerabilities.
• In this section we consider three classic error types that have enabled many recent security

breaches.
• We explain each type, why it is relevant to security, and how it can be prevented or mitigated.
 1. Buffer Overflow Attack

• A buffer is a temporary area for data storage. When more data (than was originally allocated to
be stored) gets placed by a program or system process, the extra data overflows.
• It causes some of that data to leak out into other buffers, which can corrupt or overwrite
whatever data they were holding.
• In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that
damages files, changes data or exposes private information.
• Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on
a user’s input.
 2. TIME-OF-CHECK TO TIME-OF-USE FLAWS
• In software development, time of check to time of use (TOCTOU, TOCTTOU or TOC/TOU) is
a class of software bugs caused by changes in a system between the checking of a condition
(such as a security credential) and the use of the results of that check.
• This is one example of a race condition. Time-of-check, time of-use race conditions occur
when between the time in which a given resource is checked, and the time that resource is
used, a change occurs in the resource to invalidate the results of the check.
• Consider a Web application that allows a user to edit pages, and also allows administrators to
lock pages to prevent editing.
• A user requests to edit a page, getting a form which can be used to alter its content.
• Before the user submits the form, an administrator locks the page, which should prevent
editing.
• However, since editing has already begun, when the user submits the form, those edits (which
have already been made) are accepted.
• When the user began editing, the appropriate authorization was checked, and the user was
indeed allowed to edit.
3. INCOMPLETE MEDIATION
• Incomplete mediation is another security problem.
• Attackers are exploiting it to cause security problems.
• Inadequate privacy policies, lack of software updates, insufficient user authentication and
incomplete data encryption.
• It is easy to exploit, but it has been exercised less often than buffer overflows, nevertheless,
unchecked data values represent a serious potential vulnerability.
 Security Defences
 In defending against network attack, there are broadly speaking four sets of available tools.
1. First is management — keeping your systems up-to-date and configured in ways that
will minimise the attack surface;
2. Next is filtering — the use of firewalls to stop bad things like Trojans and network
exploits, and to detect signs of attack and compromise if any- thing gets through;
3. Next is intrusion detection — having programs monitoring your net- works and
machines for signs of malicious behaviour;
4. Finally there’s encryption — protocols such as TLS and SSH that enable you to protect
specific parts of the network against particular attacks.
 Database management systems security
• Database security involves protecting the database from unauthorized access, modification, or
destruction.
• Since the database represents an essential corporate resource, database security is an important
subcomponent of any organization’s overall information systems security plan.
• In addition to the need to preserve and protect data for the smooth functioning of the
organization, database designers have a responsibility to protect the privacy of individuals
about whom data is kept.
 Fundamentals of Access Control
• In any organization, access control methods should be defined to restrict access to company
resources as well as employee and client data.
• Access control is a fundamental component in the support of confidentiality and integrity.
• Access control must be addressed in the context of physical security as well as information
system access control.
• To protect the information system, the database administrator is responsible for the following
major tasks:
 Installing the database management system and configuring it securely.
 Creating and securing user accounts and developing appropriate access controls for users.
 Developing and enforcing standards for applications programs that access the database.
 Encrypting sensitive data
 Ensuring that network connections to the data are secure
 Establishing appropriate audit mechanisms for the database
 Protecting the database against intruders by identifying and guarding against security
threats and applying security controls and security updates as needed.
 c h !
u
S oM
Yo u
n k
T ha