03- Social Engineering attacks

Uploaded by

phuongdv.21it

Social Engineering Attacks

Understanding Basic Attacks


• Today, the global computing infrastructure is the most likely target of
attacks
• Attackers are becoming more sophisticated, moving away from
searching for bugs in specific software applications toward probing
the underlying software and hardware infrastructure itself
Social Engineering
• Easiest way to attack a computer system requires almost no technical
ability and is usually highly successful
• Social engineering relies on tricking and deceiving someone to access
a system
• Social engineering is not limited to telephone calls or dated
credentials
Social Engineering (continued)
• Dumpster diving: digging through trash receptacles to find computer
manuals, printouts, or password lists that have been thrown away
• Phishing: sending people electronic requests for information that
appear to come from a valid source
Social Engineering (continued)
• Develop strong instructions or company policies
regarding:
• When passwords are given out
• Who can enter the premises
• What to do when asked questions by another
employee that may reveal protected information
• Educate all employees about the policies and
ensure that these policies are followed
Password Guessing
• Password: secret combination of letters and numbers that validates or
authenticates a user
• Passwords are used with usernames to log on to a system using a
dialog box
• Attackers attempt to exploit weak passwords by password guessing
Password Guessing (continued)
• Characteristics of weak passwords:
• Using a short password (XYZ)
• Using a common word (blue)
• Using personal information (name of a pet)
• Using same password for all accounts
• Writing the password down and leaving it under the
mouse pad or keyboard
• Not changing passwords unless forced to do so
Password Guessing (continued)
• Brute force: attacker attempts to create every possible password
combination by changing one character at a time, using each newly
generated password to access the system
• Dictionary attack: takes each word from a dictionary and encodes it
(hashing) in the same way the computer encodes a user’s password
Password Guessing (continued)
• Software exploitation: takes advantage of any weakness in software
to bypass security requiring a password
• Buffer overflow: occurs when a computer program attempts to stuff more
data into a temporary storage area than it can hold
Password Guessing (continued)
• Policies to minimize password-guessing attacks:
• Passwords must have at least eight characters
• Passwords must contain a combination of letters,
numbers, and special characters
• Passwords should expire at least every 30 days
• Passwords cannot be reused for 12 months
• The same password should not be duplicated and used
on two or more systems
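The policy bullets above and the weak-password characteristics listed earlier can be turned into a checker. This is an added example, not code from the slides; the common-word and personal-information lists are constructed stand-ins for the dictionary and HR data a real deployment would use.

```python
import re
from typing import List, Sequence

# Policy from the slides: at least 8 characters, a mix of letters, digits and
# special characters, and no reuse. The word lists below are constructed for
# this example (assumption), not a real dictionary or employee record.
COMMON_WORDS = {"blue", "password", "welcome", "letmein", "qwerty"}
PERSONAL_INFO = {"rex", "fluffy", "1985"}  # e.g. pet name, birth year

def password_problems(password: str, previous: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if any(item in lowered for item in PERSONAL_INFO):
        problems.append("contains personal information")
    if password in previous:
        problems.append("reused from a previous password")
    return problems
```

The substring check deliberately catches "Blue$ky2024!" as containing a common word even though it meets the length and character-class rules, which is the case a dictionary attack with simple mangling rules would still reach.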
Weak Keys
• Cryptography:
• Science of transforming information so it is secure while being transmitted or
stored
• Does not attempt to hide existence of data; “scrambles” data so it cannot be
viewed by unauthorized users
Weak Keys (continued)
• Encryption: changing the original text to a secret message using
cryptography
• Success of cryptography depends on the process used to encrypt and
decrypt messages
• Process is based on algorithms
Weak Keys (continued)
• Algorithm is given a key that it uses to encrypt the message
• Any mathematical key that creates a detectable pattern or structure
(weak keys) provides an attacker with valuable information to break
the encryption
Mathematical Attacks
• Cryptanalysis: process of attempting to break an encrypted message
• Mathematical attack: analyzes characters in an encrypted text to
discover the keys and decrypt the data
Birthday Attacks
• Birthday paradox:
• When you meet someone for the first time, you have a
1 in 365 chance (0.027%) that he has the same birthday
as you
• If you meet 60 people, the probability leaps to over
99% that you will share the same birthday with one of
these people
• Birthday attack: attack on a cryptographical system
that exploits the mathematics underlying the
birthday paradox
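The two probabilities the slide mentions are different quantities: the chance that some pair in a group shares a birthday, and the chance that someone shares your birthday. The added code below (not part of the slides) computes both exactly and then generalizes the same calculation to the size of a hash output, which is what a birthday attack on a cryptographic system exploits.

```python
from math import log, sqrt

DAYS_IN_YEAR = 365

def p_any_pair_shared(n: int, space: int = DAYS_IN_YEAR) -> float:
    """Probability that at least two of n values drawn uniformly from `space`
    possibilities collide (the birthday-paradox probability)."""
    p_all_distinct = 1.0
    for k in range(n):
        p_all_distinct *= (space - k) / space
    return 1.0 - p_all_distinct

def p_match_with_you(n: int, space: int = DAYS_IN_YEAR) -> float:
    """Probability that at least one of n other people matches one fixed
    value (your own birthday); this grows much more slowly than the above."""
    return 1.0 - ((space - 1) / space) ** n

def samples_for_collision(bits: int, p: float = 0.5) -> float:
    """Approximate number of random outputs of a `bits`-bit hash that must be
    generated before some pair collides with probability p (about 2**(bits/2)).
    This is why collision resistance needs twice the bits of preimage resistance."""
    return sqrt(2 * 2 ** bits * log(1 / (1 - p)))
```

With 23 people the any-pair probability already passes 50%, and with 60 it passes 99%, while the chance that one of those 60 matches your own birthday stays below 20%.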
Examining Identity Attacks
• Category of attacks in which the attacker attempts to assume the
identity of a valid user
Man-in-the-Middle Attacks
• Make it seem that two computers are
communicating with each other, when actually
they are sending and receiving data with a
computer between them
• Can be active or passive:
• Passive attack: attacker captures sensitive data being
transmitted and sends it to the original recipient
without his presence being detected
• Active attack: contents of the message are intercepted
and altered before being sent on
Replay
• Similar to an active man-in-the-middle attack
• Whereas an active man-in-the-middle attack changes the contents of
a message before sending it on, a replay attack only captures the
message and then sends it again later
• Takes advantage of communications between a network device and a
file server
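An added example (not from the slides) showing the receiver-side checks that defeat both attacks just described: an authentication tag rejects a message altered by an active man-in-the-middle, and a timestamp window plus a cache of seen nonces rejects a captured message that is sent again later. The message format, the shared secret and the 30-second window are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed protocol for this example (assumption): the message is
# "<client>|<timestamp>|<nonce>|<body>" and carries an HMAC-SHA256 tag under a
# shared secret. The secret below is a placeholder, not a real key.
SECRET = b"example-shared-secret"
WINDOW_SECONDS = 30  # how far a message timestamp may drift from receiver time

def make_message(client: str, body: str, nonce: str, now: int) -> Tuple[str, str]:
    """Sender side: build the message and its authentication tag."""
    msg = f"{client}|{int(now)}|{nonce}|{body}"
    tag = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return msg, tag

class ReplayFilter:
    """Receiver side: reject altered messages (bad tag), old messages
    (outside the window) and repeated ones (nonce already seen)."""

    def __init__(self) -> None:
        self.seen: Dict[str, int] = {}  # nonce -> receiver time first accepted

    def accept(self, msg: str, tag: str, now: int) -> Tuple[bool, str]:
        expected = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"          # altered in transit (active MITM)
        _client, ts, nonce, _body = msg.split("|", 3)
        if abs(now - int(ts)) > WINDOW_SECONDS:
            return False, "stale timestamp"  # replayed long after capture
        if nonce in self.seen:
            return False, "replayed nonce"   # replayed within the window
        self.seen[nonce] = now
        # Nonces older than the window can be forgotten: a replay of them is
        # already rejected by the timestamp check, so memory stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        return True, "ok"
```

Note that a passive man-in-the-middle who only copies the traffic is not stopped by these checks; that requires encrypting the body, which the slides treat separately under cryptography.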
TCP/IP Hijacking
• With wired networks, TCP/IP hijacking uses spoofing, which is the act
of pretending to be the legitimate owner
• One particular type of spoofing is Address Resolution Protocol (ARP)
spoofing
• Background for ARP spoofing: each computer using TCP/IP must have a
unique IP address
TCP/IP Hijacking (continued)
• Certain types of local area networks (LANs), such as Ethernet, must
also have another address, called the media access control (MAC)
address, to move information around the network
• Computers on a network keep a table (the ARP cache) that links an IP
address with the corresponding MAC address
• In ARP spoofing, a hacker changes the table so packets are redirected
to his computer
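Because a poisoned table shows up as one IP address being claimed by more than one MAC (or one MAC claiming several IPs), the change can be detected by watching ARP replies. The following is an added detection example, not code from the slides; the reply format, the addresses and the pinned gateway mapping are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of ARP replies as a sniffer might print them (assumption:
# one "<ip> is-at <mac>" per line; the addresses are made up for this example).
SAMPLE_ARP_REPLIES = """
10.0.0.1 is-at 00:11:22:33:44:01
10.0.0.7 is-at 00:11:22:33:44:07
10.0.0.1 is-at 00:11:22:33:44:99
10.0.0.9 is-at 00:11:22:33:44:99
10.0.0.1 is-at 00:11:22:33:44:99
"""

# Defender-maintained pinning of critical hosts (here the gateway); constructed.
KNOWN_GOOD = {"10.0.0.1": "00:11:22:33:44:01"}

LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})$")

def parse_arp_replies(text: str) -> Dict[str, Set[str]]:
    """Map each IP address to the set of MAC addresses that have claimed it."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            claims[m.group(1)].add(m.group(2).lower())
    return dict(claims)

def arp_spoof_alerts(text: str, known_good: Dict[str, str] = KNOWN_GOOD) -> List[str]:
    """Flag the symptoms of a poisoned table: one IP claimed by several MACs,
    a pinned IP claimed by the wrong MAC, or one MAC claiming several IPs."""
    alerts: List[str] = []
    claims = parse_arp_replies(text)
    for ip, macs in sorted(claims.items()):
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by multiple MACs: {', '.join(sorted(macs))}")
        expected = known_good.get(ip)
        if expected and macs != {expected}:
            rogue = ", ".join(sorted(macs - {expected}))
            alerts.append(f"{ip} expected {expected}, saw {rogue}")
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, macs in claims.items():
        for mac in macs:
            by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts
```

Pinning the gateway is the check that matters most, since a legitimately replaced network card also produces a second MAC for an IP and would otherwise be indistinguishable from spoofing.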
Identifying Denial of Service Attacks
• Denial of service (DoS) attack attempts to make a server or other
network device unavailable by flooding it with requests
• After a short time, the server runs out of resources and can no longer
function
• This form is known as a SYN attack because it exploits the SYN/ACK
“handshake”
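A SYN attack leaves the server holding many half-open connections: SYNs that are never followed by the client's ACK. The added code below (not from the slides) counts half-open connections per source over a constructed packet summary and flags the source that exceeds a threshold; the packet format and the threshold are assumptions for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed packet summaries (assumption): (src_ip, tcp_flag) for packets
# arriving at one server port. A normal client sends SYN and then ACK to
# complete the handshake; a flooding source sends SYNs and never completes it.
SAMPLE_PACKETS: List[Tuple[str, str]] = (
    [("10.0.0.5", "SYN"), ("10.0.0.5", "ACK")]
    + [("198.51.100.7", "SYN")] * 40
    + [("10.0.0.8", "SYN"), ("10.0.0.8", "ACK")]
)

HALF_OPEN_THRESHOLD = 20  # per-source limit; tune to the server's backlog size

def half_open_per_source(packets: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count SYNs from each source that were never matched by an ACK."""
    pending: Counter = Counter()
    for src, flag in packets:
        if flag == "SYN":
            pending[src] += 1
        elif flag == "ACK" and pending[src] > 0:
            pending[src] -= 1
    return {src: n for src, n in pending.items() if n > 0}

def syn_flood_sources(packets: List[Tuple[str, str]],
                      threshold: int = HALF_OPEN_THRESHOLD) -> List[str]:
    """Sources whose outstanding half-open connections reach the threshold."""
    return sorted(src for src, n in half_open_per_source(packets).items()
                  if n >= threshold)
```

Since the source addresses in a real flood are usually spoofed, the per-source count is a detection signal rather than a block list; the mitigation is to limit half-open state on the server itself.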
Identifying Denial of Service Attacks
(continued)
• Another DoS attack tricks computers into responding to a false
request
• An attacker can send a request to all computers on the network
making it appear a server is asking for a response
• Each computer then responds to the server, overwhelming it, and
causing the server to crash or be unavailable to legitimate users
Identifying Denial of Service Attacks
(continued)
• Distributed denial-of-service (DDoS) attack:
• Instead of using one computer, a DDoS may use hundreds or thousands of
computers
• DDoS works in stages
