Computer Security One
Buffer overflow
Buffer overflow attacks
To understand what a buffer overflow is, you must first understand what a buffer is.
A buffer is a section of memory that has been set aside by the writer of a program so that the program can use that memory section for actions related to that program.
A buffer overflow attack is an exploit that intentionally forces the buffer to overflow its memory range, or bounds, and deliberately causes interference with other programs in memory.
Buffer overflow attacks vary depending on what operating system is being attacked and on what memory address range the buffer is assigned to.
The type of buffer overflow attack being carried out can also depend on the programs that are currently running in memory.
These and many other variables can affect what type of buffer overflow attack is being used and what the goal of that attack is.
A buffer overflow vulnerability will typically occur when code
1. Is reliant on external data to control its behavior.
2. Is dependent on data properties that are enforced beyond its immediate scope.
3. Is so complex that programmers are not able to predict its behavior accurately.
Impact of a buffer overflow attack
1. Unstable program behavior
2. System crash
3. Memory access errors
4. Code overriding
5. Security exploitation threat
6. Unauthorized data access
7. Excessive privilege actions
8. Data theft and data loss.
To protect against buffer overflow
1. Programmers have to ensure software boundaries, so that the program doesn’t process improper data.
2. An intrusion detection system can be implemented to discover when a buffer overflow attack is being performed.
3. Also, we can implement file system encryption, access control and auditing.
Attacks on network-using programs include
1. Denial of Service and Distributed Denial of Service (DDoS).
2. Network sniffing/eavesdropping.
3. Password cracking.
4. ‘Man-in-the-middle’ attacks.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
Denial-of-service (DoS)
Denial of service (DoS) attacks aim at denying or degrading the quality of a legitimate user’s access to a service or network resource.
They can also bring down the server offering such services itself.
The techniques used in DoS attacks can be applied to protocol-processing functions at different layers of the communication architecture.
DoS attacks can threaten the services offered to mobile users (e.g., servers offering specific information, or servers of specific companies) and the communication infrastructure itself.
The purpose is to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
DoS attacks are more dynamic and come from a broader range of attackers.
Examples: SYN flooding, Smurf attacks, starvation.
Methods used to carry out a DoS attack may vary:
1. Saturating the target with external communications requests (such that it can’t respond to legitimate traffic) – SERVER OVERLOAD
2. May include malware to max out target resources (such as CPU), trigger errors, or crash the operating system
DoS attacks can be classified into two categories:
Authentication methods
1. Multi-factor authentication
2. Two-factor authentication
3. Single sign-on
Multi-factor authentication
Multi-factor authentication is a form of authentication that requires the user to present more than one proof of who they are before they are allowed access to whatever it is they are attempting to access.
If you have seen the animated movie The Incredibles, you have seen a humorous example of multi-factor authentication.
In that movie, to gain access to her lab where she created the superheroes’ suits, Edna had to use multi-factor authentication.
In the movie, Edna had to have a security card, a password, a hand print, a retina scan, and a voice print recognition.
The card was something Edna had, the password was something Edna knew, and the hand print, retina scan, and voice print match were all something Edna was.
Two-factor authentication
Two-factor authentication is a special case of multi-factor authentication.
In two-factor authentication the user attempting to gain access to whatever they are attempting to gain access to needs two factors that prove they are who they claim to be.
The ATM example is in reality a two-factor authentication system.
Single sign-on
Single sign-on is the practice of using a single password, username, or authentication device such as a smartcard to sign on to multiple systems.
The advantage of a single sign-on system is that the end user does not have to remember multiple passwords and usernames or possess multiple authentication devices.
The disadvantage of the single sign-on system is that if the user forgets their password and/or username they will not be able to access the system.
Even worse, if a single smartcard is being used, should that smartcard fall into the wrong person’s hands, it can be used to access multiple systems or locations.
Public Key Infrastructure (PKI)
PKI stands for Public Key Infrastructure, which is a set of people, policies, software, and equipment needed to handle digital certificates for various applications.
Some of the main components in this infrastructure are as follows.
The end user is the person that wishes to make use of the PKI to carry out some online activity.
The registration authority (RA) is used to verify that a specific public key belongs to a specific end user.
The certificate authority (CA) is used to issue a digital certificate to the end user.
Kerberos
Kerberos is an authentication protocol that is commonly used to authenticate clients over an unsecured network, most commonly LANs.
Kerberos is the authentication protocol most commonly used by Windows-based client/server networks.
A Kerberos system is composed of an authentication service (AS), a ticket granting service (TGS), and network services (NS).
In the case of a Windows domain network, the AS and the TGS are usually located on the same computer, which is also a domain controller.
Network services can be found on any server connected to the domain that provides a service.
These services can be anything from file services to e-mail services, or anything in between.
Common attacks on website software include
1. SQL injection
2. Cross-Site Scripting (XSS) flaws
SQL Injection
SQL injection (SQLi) is a common technique used by attackers to gain illicit access to databases, steal data, and perform unwanted operations.
It works by adding malicious code to a seemingly innocent database query.
SQL injection manipulates SQL code by adding special characters to a user input that change the context of the query.
The database expects to process a user input, but instead starts processing malicious code that advances the attacker’s goals.
SQL injection can expose customer data, intellectual property, or give attackers administrative access to a database, which can have severe consequences.
SQL injection vulnerabilities are typically the result of insecure coding practices.
It is relatively easy to prevent SQL injection if coders use secure mechanisms for accepting user inputs, which are available in all modern database systems.
Impact of SQL injection on your applications:
1. Steal credentials—attackers can obtain credentials via SQLi and then impersonate users and use their privileges.
2. Access databases—attackers can gain access to the sensitive data in database servers.
3. Alter data—attackers can alter or add new data to the accessed database.
4. Delete data—attackers can delete database records or drop entire tables.
5. Lateral movement—attackers can access database servers with operating system privileges, and use these permissions to access other sensitive systems.
SQL Injection Prevention
1. Prepared Statements
2. Stored Procedures
3. Allow-list Input Validation
4. Escaping All User-Supplied Input
Prepared Statements
Prepared statements are easy to learn and use, and eliminate the problem of SQL injection.
They force you to define SQL code, and pass each parameter to the query later, making a strong distinction between code and data.
Prepared statements are available in all programming languages.
Here is an example in Java.
To be on the safe side, OWASP recommends validating the input parameter just in case.
Stored procedures
Stored procedures are similar to prepared statements, only the SQL code for the stored procedure is defined and stored in the database, rather than in the user’s code.
In most cases, stored procedures can be as secure as prepared statements, so you can decide which one fits better with your development processes.
Allow-list Input Validation
This is another strong measure that can defend against SQL injection.
The idea of allow-list validation is that user inputs are validated against a closed list of known legal values.
For example, if a user input is used to select a database table, you can use code like this to ensure that it can only match one of several, known table names:
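The following Python example is added here and is not code from the original slides (the Java example the slides refer to is not on this page). It demonstrates three of the four measures listed above against an in-memory SQLite database: a prepared statement, quote-escaping as the last-resort option, and allow-list validation of a table name, the one case where a parameter placeholder cannot be used. The users/orders schema, the sample rows and the set of allowed table names are constructed for this example.

```python
import sqlite3

# Constructed sample rows; the schema and the data are assumptions for this
# example, not anything from the original slides.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("O'Brien", "obrien@example.test"),
]
ALLOWED_TABLES = {"users", "orders"}  # closed list of legal table names (assumed)


def build_db():
    """In-memory SQLite database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """VULNERABLE: the input is spliced into the SQL text, so a quote inside it
    changes the context of the query. For the legitimate name O'Brien the
    statement stops being valid SQL and SQLite raises OperationalError; that
    error is the symptom that user input is being parsed as code."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the SQL text is fixed and the value is bound as a
    parameter, so the database never treats it as part of the code."""
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def escape_single_quotes(value):
    """Escaping (last resort): double every single quote so it is read as a
    literal character inside a single-quoted SQL string. This covers exactly
    one control character in exactly one context, which is why the slides
    rank it as the weakest of the four measures."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    query = "SELECT email FROM users WHERE name = '" + escape_single_quotes(name) + "'"
    return conn.execute(query).fetchall()


def count_rows(conn, table):
    """Allow-list validation for an identifier: a table name cannot be bound as
    a parameter, so it is checked against the closed list before it is placed
    in the query text."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return conn.execute(f"SELECT count(*) FROM {table}").fetchone()[0]


def demo():
    """Run all four paths against the name O'Brien and report what happened."""
    conn = build_db()
    try:
        lookup_concatenated(conn, "O'Brien")
        concat_broke = False
    except sqlite3.OperationalError:
        concat_broke = True
    prepared = lookup_prepared(conn, "O'Brien")
    escaped = lookup_escaped(conn, "O'Brien")
    users = count_rows(conn, "users")
    try:
        count_rows(conn, "audit_log")  # not in the allow-list
        rejected = False
    except ValueError:
        rejected = True
    return concat_broke, prepared, escaped, users, rejected


if __name__ == "__main__":
    print(demo())  # (True, [('obrien@example.test',)], [('obrien@example.test',)], 2, True)
```

Running the block shows the concatenated query failing on an ordinary apostrophe while the prepared and escaped versions return the row; the difference is that the prepared statement keeps the value out of the SQL text entirely, whereas escaping only repairs the one context it was written for.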
Escaping All User-Supplied Input
Escaping means to add an escape character that instructs the code to ignore certain control characters, evaluating them as text and not as code.
This option is the least secure of the four, and should only be used as a last resort.
This is because escaping user input is only effective if the code escapes all possibilities of control characters, and attackers come up with numerous creative ways to inject them.
Cross-Site Scripting (XSS) flaws
A cross-site scripting (XSS) attack is a code injection security attack which delivers malicious, client-side scripts to a user’s web browser for execution.
This happens when developers don’t properly test their code for the possibility of allowing scripts to be injected.
The scripts can then be executed without the site’s original functionality intending them to be.
These attacks can lead to your customers being infected with malware, having their sensitive information stolen, or even having their computer be recruited into large botnets.
If an XSS vulnerability is present on a website, then an attacker can craft code that executes when other users open the same website.
This causes the new users to interact with the malicious background entity created by the attacker.
Once a connection has been initiated, usually via social-engineering tactics convincing a user to do something they shouldn’t, the attacker is
Types of Cross-Site Scripting Attacks
1. Reflected (non-persistent) and
2. Stored (persistent).
Reflected XSS
In a reflected XSS attack, the attacker persuades a victim to click on a specially crafted link that makes a request to a vulnerable web server.
This allows the attacker to run arbitrary code in the victim’s web browser.
In reflected attacks, the attacker must target each victim individually.
Stored (persistent) XSS
In a stored attack, the attacker embeds code in a web page or other data stored on a vulnerable server.
The attacker’s code will then run in the browser of everyone who visits the compromised web page.
Because of the potential to exploit multiple victims with minimal effort, stored attacks are generally considered to be more dangerous than reflected attacks.
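As an added illustration (not from the original slides) of the two types and of the output-encoding defence a developer applies on the server, the following Python renders a page from a stored comment list (the stored case) and an echoed search query (the reflected case), once without and once with HTML escaping. The comment texts, the query string and the page layout are constructed for this example.

```python
import html

# Constructed inputs standing in for a server's stored comments and a reflected
# search query; the content and the page layout are assumptions for this example.
STORED_COMMENTS = [
    "Great article!",
    "<script>alert('stored')</script>",   # markup submitted through a comment form
]
REFLECTED_QUERY = "<script>alert('reflected')</script>"  # markup carried in a crafted link


def render_page_unsafe(comments, query):
    """VULNERABLE: untrusted strings are placed in the HTML unchanged, so tags
    inside them become part of the page every visitor's browser executes.
    The query models the reflected case, the comment list the stored case."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<p>Results for: {query}</p><ul>{items}</ul>"


def render_page_safe(comments, query):
    """Hardened: every untrusted string is HTML-escaped at output time, so '<'
    and '>' arrive as &lt; and &gt; and the browser shows them as text."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<p>Results for: {html.escape(query, quote=True)}</p><ul>{items}</ul>"


def contains_script_tag(page):
    """Crude check used here to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_page_unsafe(STORED_COMMENTS, REFLECTED_QUERY))
    print(render_page_safe(STORED_COMMENTS, REFLECTED_QUERY))
```

The stored comment reaches every visitor of the page, while the reflected query only affects the user who followed the crafted link; the same escaping at the point of output neutralises both, because the browser never sees an unescaped tag delimiter.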
How to Prevent Cross-Site Scripting Attacks
Users should consider the following measures.
1. Restrict Untrusted JavaScript
2. Use Built-In Browser Protections
3. Restrict External Websites from Requesting Internal Resources
4. Maintain Good System Hygiene
Restrict Untrusted JavaScript:
Allowing all JavaScript to run opens a user up to XSS attacks.
The most effective (but not foolproof) method for a user to prevent XSS attacks is to allow JavaScript to run only if it comes from a domain that the user explicitly trusts.
Installing a browser plug-in that implements domain whitelisting, such as NoScript for Firefox, is highly recommended.
Internet Explorer users can achieve whitelisting through the configuration of
Use Built-In Browser Protections:
Some browsers have begun to incorporate XSS protection inherently.
For example, as of version 8, Internet Explorer includes an XSS filter as well as a SmartScreen filter that uses reputation to protect against malicious websites.
These extra security measures
Restrict External Websites from Requesting Internal Resources:
Allowing external websites to force a browser to request internal resources can allow an attacker to pivot an attack onto a vulnerable internal website.
The NoScript plug-in has a feature called the Application Boundary Enforcer (ABE) that can be configured to disallow external websites from requesting internal resources.
Maintain Good System Hygiene:
It is important to keep systems and applications up to date with updates and patches, protected from malware and securely configured.
Attacks on users’ privacy including tracking cookies and keystroke loggers
Tracking cookies attacks
A cookie is a small data file that holds information about the use of a particular Web site.
There are two different kinds of cookies:
□ Session cookies
Session cookies are temporary cookies that are valid only for a single Web site session.
□ Persistent cookies
Persistent cookies are stored on a computer indefinitely so that the site can identify the
The intended use of a persistent cookie is to record user preferences for a single Web site so that the site can automatically customize its appearance or behavior for the user’s future visits.
In this way, persistent cookies can help Web sites serve their users more effectively.
Unfortunately, persistent cookies also can be misused as spyware to track a user’s Web browsing activities for questionable reasons without the user’s knowledge or consent.
For example, a marketing firm could place advertisements on many Web sites and use a single cookie on a user’s machine to track the user’s activity on all of those Web sites, creating a detailed profile of the user’s behavior.
Cookies used in this way are known as tracking cookies. Information collected by tracking cookies is often sold to other parties and used to target advertisements and other directed content at the user.
Most spyware detection and removal utilities specifically look for tracking cookies on systems.
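The session/persistent distinction and the tracking-cookie case above can be made concrete from the Set-Cookie headers a browser receives while loading a page. The following Python example is added here and is not from the original slides; it classifies constructed Set-Cookie headers with the standard library's http.cookies parser, treating a cookie as persistent when it carries Expires or Max-Age and as third-party when it belongs to a host other than the page being viewed. The host names, cookie names and values are assumptions for the example.

```python
from http.cookies import SimpleCookie

# Constructed responses a browser might receive while rendering a page on
# shop.example: (host that sent the response, Set-Cookie header). Host names,
# cookie names and values are assumptions for this example.
PAGE_HOST = "shop.example"
SET_COOKIE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly"),           # no expiry
    ("shop.example", "prefs=dark; Path=/; Max-Age=31536000"),          # expiry, same site
    ("static.shop.example", "cdn=1; Domain=shop.example; Path=/; Max-Age=3600"),
    ("ads.tracker.test",                                               # ad embedded in the page
     "uid=7f3a; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]


def is_first_party(effective_domain, page_host):
    """First-party if the page host is the cookie's domain or a subdomain of it."""
    domain = effective_domain.lstrip(".").lower()
    host = page_host.lower()
    return host == domain or host.endswith("." + domain)


def classify_cookies(responses, page_host):
    """Map each cookie name to (lifetime, party).

    lifetime is 'session' when neither Expires nor Max-Age is present (the
    browser discards the cookie when the session ends), otherwise 'persistent'.
    party compares the cookie's domain (the Domain attribute if given, else the
    responding host) with the page host."""
    result = {}
    for origin_host, header in responses:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header per load
        for name, morsel in jar.items():
            lifetime = "persistent" if (morsel["expires"] or morsel["max-age"]) else "session"
            effective_domain = morsel["domain"] or origin_host
            party = "first-party" if is_first_party(effective_domain, page_host) else "third-party"
            result[name] = (lifetime, party)
    return result


def likely_tracking_cookies(responses, page_host):
    """Persistent third-party cookies are the ones a marketing firm would use
    to recognise the same machine across many sites."""
    return sorted(
        name
        for name, (lifetime, party) in classify_cookies(responses, page_host).items()
        if lifetime == "persistent" and party == "third-party"
    )


if __name__ == "__main__":
    for name, verdict in classify_cookies(SET_COOKIE_RESPONSES, PAGE_HOST).items():
        print(name, verdict)
    print("likely tracking cookies:", likely_tracking_cookies(SET_COOKIE_RESPONSES, PAGE_HOST))
```

The same rule is what a spyware scanner or a browser's third-party-cookie setting applies: a persistent cookie is not harmful by itself (the prefs cookie is exactly the intended use the slides describe), it is the combination of a long lifetime and a domain the user never visited directly that marks a tracker.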
Keystroke logger attacks
Keystroke loggers, or key loggers, are software programs or hardware devices that can be loaded onto a computer or plugged into a computer to record the keystrokes that are typed on the keyboard.
In the case of a hardware key logger, a device is placed between the keyboard and the keyboard interface on the computer.
Key loggers are a tool that can be useful for finding out what an end user is doing on their computer in order to troubleshoot what they are doing wrong in a program.
Hackers can also use key loggers to capture passwords without having to crack them.
Some key loggers, especially those of the software variety, can also capture screenshots of what a person is doing on their computer, making them even more useful for both hackers and network administrators alike.
Hackers use key loggers in the following way.
A hacker slips a key logger onto a victim’s computer and sets it to activate every time the victim starts up their computer.
The key logger then makes a log of every keystroke the user types on their computer during the day.
The hacker later retrieves the log created by the key logger.
The hacker can do this by either retrieving the actual log or retrieving the device if it is hardware based.
Once the log has been retrieved, the hacker sifts through the data collected to determine any usernames and passwords the victim used during the day.
This tool also allows the hacker to circumvent other security measures such as any security questions.
Anything requiring a typed response can be captured by a key logger.