The document outlines the key concepts of firewalls, including their types, attributes, and configuration, emphasizing their role in network security by monitoring and controlling traffic. It also discusses firewall policies, limitations, and the concept of a Demilitarized Zone (DMZ) as an additional security layer. Additionally, it introduces Intrusion Detection Systems (IDS), detailing their purpose, types, and components for monitoring and analyzing network activity for potential threats.

Uploaded by

amarwalecha1
IS_Unit 5

Syllabus:

5.1 Firewall
 "A network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or drops that specific traffic"
o Need of firewall
o Before firewalls -> ACLs performed network security -> can't block packets -> can't keep threats away
o Firewall can be hardware / software / combination
o Inspects network traffic
o Accepts or rejects messages based on a set of rules
o It's a partition between the private (trusted) n/w and the public (untrusted) n/w, with all traffic passing through it
o Attributes of firewall:
 All traffic should pass through it
 It should allow only authorized traffic
 The firewall itself can stop attacks
o Protects the system from threats and allows access to the outside world of the internet
o Acts as a network gateway to protect internal resources
o It can control the outside resources that employees are accessing
o It examines packets and forwards them towards the destination
o Firewall is installed on a special computer separated from the network, so incoming requests can't enter the resources directly
o For mobile networks, the firewall helps in secure login
o Design goals
 All traffic (inside/outside) must pass through the firewall
 Done by blocking all access to the local network except via the firewall
 Only traffic authorized by the local security policy will be allowed to pass through the firewall
 Different types of firewall <-> different types of security policies
 Firewall is immune to unauthorized entry

 Types of firewalls
1. Packet Filter
o Router: part of the firewall; performs packet filtering
o Packet filtering router: applies rules on incoming packets and decides whether to forward or discard them
o Router is configured to filter packets (incoming/outgoing)
o "Packet filtering firewall maintains a filtering table that decides whether the packet will be forwarded or discarded"
o Filtration rules are based on:
 Source IP address: IP address of the system generating the IP packet
 Destination IP address: IP address of the system the packet is trying to reach
 Source and destination transport-level address: TCP or UDP port numbers that define applications such as SNMP or TELNET
 IP protocol field: it tells the transport protocol
 Interface: for a router with 3 or more ports, which interface the packet came in on or is going out of
o Advantages
 Simplicity
 Transparency to users
 High speed
o Disadvantages
 Difficulty of setting up packet filtering rules
 Lack of authentication
2. Stateful Packet Filter
o It understands the request and reply system
o Rules for stateful packets are specified only for the first packet in one direction
o New rules are created after the first outbound packet
o Then all packets of that connection proceed automatically
o Stateful packet filter supports a wide range of protocols: FTP, IRC, H.323
o It keeps track of the state of network connections travelling across it
o Filtering decisions are based on the packet's history in the state table
3. Application Gateway
o Also known as Proxy Server
o Because it acts like a proxy and decides the flow of application-level traffic
o Internal user contacts the application-level gateway using a TCP/IP application, e.g. TELNET/FTP/HTTP
o Application-level gateway asks the user/host about the remote host with which he wants a connection (for communication)
o Prevents the direct connection between either side of the firewall
o User provides info like ID and authentication info -> gateway contacts the application on the remote host and relays TCP segments containing app data between the 2 endpoints
o If the gateway doesn't implement proxy code for an app -> the service is not supported and can't be forwarded across the firewall
o Gateways are configured to support specific features
o These features are considered by the network administrator while denying other features

1. Advantages
i. Higher security than packet filtering
ii. Only needs to scrutinize a few allowable applications
iii. Easy to log and audit incoming traffic
2. Disadvantages
i. Additional overhead, as there are 2 separate connections between end users and the gateway
ii. Gateway should examine and forward all traffic in both directions
4. Circuit Gateways
o It's a specialized function performed by an application-level gateway for certain apps
o It will not allow an end-to-end TCP connection, but will set up 2 TCP connections:
 between the TCP user on the inner host and the gateway
 between the gateway and the TCP user on the outside host
o After these 2 connections are set up, the gateway transmits TCP segments from one connection to the other without examining contents
o Security function will check which connection is allowed
o Here the system administrator trusts the internal users
o Gateway can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections
o Gateway incurs the processing overhead of examining incoming app data for prohibited functions but does not incur that overhead on outgoing data
5.2 Firewall Policies, Configuration, Limitations, DMZ
 Firewall Policies
o Permissive policy: allow all types of traffic, but block some services like TELNET/SNMP and port numbers used by an attacker
o Restrictive policy: block all traffic and allow only useful traffic: HTTP, POP3, SMTP, SSH
o If the network administrator forgets to block something -> it is exploited for some time without anyone knowing
o Most secure option: block everything suspicious (after someone complains, allow the protocol)
 Firewall ruleset:
 Firewall allows HTTP, FTP, SSH, DNS to communicate from the internal network to the internet
 Allows SMTP to communicate to the mail server from anywhere
 Allows SMTP and DNS to communicate from the mail server to the internet
 Allows SMTP and POP3 to communicate from inside to the mail server
 Firewall allows only reply packets
 Firewall blocks everything else
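The ruleset above, together with the stateful "reply packets only" behaviour from the stateful packet filter section, as an added example (not code from the original notes). The internal range 10.0.0.0/8, the mail server address 10.0.0.25 and the sample packets are assumptions made for illustration.

```python
# Added example (not from the original notes): a toy stateful packet filter that
# encodes the ruleset above. Addresses, ports and the 10.0.0.0/8 internal range
# are assumptions made for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")          # assumed private (trusted) network
MAIL_SERVER = ip_network("10.0.0.25/32")     # assumed mail server address
ANY = ip_network("0.0.0.0/0")                # "the internet" / anywhere
PORTS = {"http": 80, "ftp": 21, "ssh": 22, "dns": 53, "smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """Static filtering-table entry: match on source/destination network and destination port."""
    src: object
    dst: object
    dport: int
    action: str  # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and pkt.dport == self.dport)


def build_ruleset() -> list:
    """The ruleset from the notes, in first-match order."""
    rules = [Rule(INTERNAL, ANY, PORTS[s], "accept") for s in ("http", "ftp", "ssh", "dns")]
    rules.append(Rule(ANY, MAIL_SERVER, PORTS["smtp"], "accept"))   # SMTP to mail server from anywhere
    rules += [Rule(MAIL_SERVER, ANY, PORTS[s], "accept") for s in ("smtp", "dns")]
    rules += [Rule(INTERNAL, MAIL_SERVER, PORTS[s], "accept") for s in ("smtp", "pop3")]
    return rules


class StatefulFilter:
    """Rules are consulted only for the first packet of a flow; replies are matched
    against the state table, and everything else is dropped (default deny)."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # 5-tuples of flows that a rule accepted

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.state:
            return "accept"   # reply packet of an established flow
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.state.add(flow)
                return rule.action
        return "drop"


def run_demo() -> list:
    """Constructed traffic sample; returns the decision for each packet in order."""
    fw = StatefulFilter(build_ruleset())
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.7", 80),      # inside -> internet HTTP: accept
        Packet("203.0.113.7", 80, "10.0.0.5", 40000),      # reply to that flow: accept (state)
        Packet("203.0.113.7", 80, "10.0.0.6", 40000),      # unsolicited "reply": drop
        Packet("198.51.100.9", 51000, "10.0.0.25", 25),    # SMTP to mail server from anywhere: accept
        Packet("10.0.0.5", 40001, "10.0.0.25", 110),       # inside -> mail server POP3: accept
        Packet("10.0.0.5", 40002, "203.0.113.7", 23),      # inside -> internet TELNET: drop
        Packet("198.51.100.9", 51001, "10.0.0.5", 22),     # internet -> inside SSH: drop
    ]
    return [fw.decide(p) for p in traffic]
```

The third packet shows why the state table matters: it looks like an HTTP reply, but no inside host opened that flow, so the default-deny rule drops it.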
 Configuration
o Firewall = combination of packet filter and application-level gateway
o 3 types of configurations

1. Screened Host Firewall, Single-Homed Bastion (dedicated server)
o 2 parts of the firewall configuration:
 A packet filter router:
 ensures incoming traffic is allowed only if it is intended for the application gateway, by examining the destination address field of each incoming IP packet
 ensures outgoing traffic is allowed only if it originated from the application-level gateway, by examining the source address field of every outgoing packet
 Application-level gateway: performs authentication as well as proxy functions

o Advantages
 Improves security by checking at both levels, packet and application
 Provides flexibility to the n/w administrator to define more security policies
o Disadvantages
 Internal users are connected to both the application gateway and the packet filter router -> if the packet filter is attacked, the whole internal network is exposed to the attacker
2. Screened Host Firewall, Dual-Homed Bastion
o Direct connection between internal hosts and the packet filter is avoided
o Packet filter only connects to the application gateway
o Application gateway has a separate connection with the internal hosts
o If the packet filter is attacked, only the application gateway is visible to the attacker

3. Screened Subnet Firewall
o Highly secure among all configurations
o 2 packet filters are used
 One between the internet and the application gateway
 Other between the application gateway and the internal network
o Achieves 3 levels of security for an attack to break into

 Limitations of Firewalls
o Can't protect against attacks that bypass the firewall
o Does not protect against insider threats: employees innocently cooperating with external attackers
o Can't protect against the transfer of virus-infected programs or files
o May not protect against viruses and infected files, as it is not possible to scan all incoming traffic
o Complexity: setting up and keeping up a firewall can be time-consuming and difficult, especially for bigger networks
o Limited Visibility: may not be able to identify or stop security risks that operate at other levels, because firewalls can only observe and manage traffic at the network level
o False Sense of Security: some businesses may place an excessive amount of reliance on their firewall
o Limited Adaptability: firewalls are rule-based, so they might not be able to respond to fresh security threats
o Limited Scalability: businesses that have several networks must deploy many firewalls, which can be expensive
o Cost: purchasing many devices or add-on features for a firewall system can be expensive, especially for businesses
 DMZ (Demilitarized Zone)
 Computer host or small network inserted as a "neutral zone" between the company's private network and the outside public network
 DMZ is a network barrier between the trusted and untrusted networks, i.e. the company's private and public networks
 It prevents outside users from direct access to the company's data server
 DMZ is optional
 More secure approach to firewall
 Effectively acts as a proxy server
 DMZ has a separate computer/host which receives requests from users within the private network to access websites or the public network
 DMZ host initiates a session for each request on the public n/w, not on the private network
 It can only forward packets requested by the host
 Public network users (outside the company) can access the DMZ host only
 It can store the company's webpages, which can be served to outside users
 Hence, DMZ can't give access to the company's data
 If an outsider breaks through the DMZ security -> webpages may get corrupted but other information is safe
 DMZ architecture includes firewalls, routers, servers
 2 types: single firewall DMZ & dual firewall DMZ
Advantages and Disadvantages of DMZ

 Advantages
 It provides access to external users while securing the internal sensitive network.
 A DMZ can be used with a combination of a firewall & router, which as a result provides high security.
 By implementing a DMZ, only the data that is intended to be visible publicly is displayed; the rest is hidden and secured.
 DMZ enables web servers, email servers etc. to be accessible on the internet while simultaneously protecting them with a firewall.
 Disadvantages
 Various vulnerabilities can be found in the DMZ system's services.
 If an attacker successfully cracks the DMZ system, they may access your confidential information.
 An attacker having authenticated data can access the system as an authorized user.
 The data provided on a public network to the external networks can be leaked or replicated.

5.3 Intrusion Detection System (IDS)
 What is IDS?
 "When the IDS notices a possible malicious threat, it is called an event"
 "Process of monitoring events happening in a computer system / network" -> IDS
 Analyzes the system for possible incidents
 threats of
 violation of computer security policies,
 standard security practices
 acceptable use policies
 IDS <-> Burglar alarm
 In case of intrusion, the IDS will provide a warning or alert
 Operator then tags the event to the Incident Handling Team for further investigation
 IDS observes surrounding activities and tries to identify undesirable activities
 Purpose:
 to identify suspicious/malicious activities deviating from normal behavior
 Catalog and classify activity
 Respond to the activity
 2 types of IDS:
1. Host Based IDS
 Examines activities of an individual system, like a mail server, web server, individual PC
 Concerned with only the individual system
 Has no visibility into the network or the systems around it
2. Network Based IDS
 Examines activities on the network
 Visibility only into traffic crossing the monitored network link
 Has no idea of what is happening on individual systems
 Components of IDS
 Traffic Collector
 Collects the activity or events for the IDS to examine
 HIDS events can be log files, audit logs, incoming or outgoing traffic
 NIDS events come from a mechanism for copying traffic off the n/w link

 Analysis Engine
 This will examine the collected n/w traffic
 Compares it with known patterns of suspicious/malicious activities
 Malicious activities are stored in the signature database
 Analysis Engine -> brain of the IDS

 Signature Database
 Stores a collection of patterns and definitions of known suspicious/malicious activity on the host/network

 User Interface and Reporting
 Provides the interface with the human element
 Provides alerts whenever required
 Because of this the user can interact with the IDS
 Vulnerability Assessment
 Examining the state of network security
 Information is collected and prioritized as per vulnerabilities:
 Data about open ports
 s/w packages running
 network topology
 Vulnerability assessment is updated regularly to handle new threats
 Keeps track of security vulnerabilities and the list of available patches
 Misuse Detection
 Looks for patterns of n/w traffic or activity in log files that are suspicious
 Known as attack signatures
 They contain:
 no. of failed logins to a sensitive host
 bit patterns of an IP packet carrying a buffer overflow attack
 TCP SYN packets of a SYN flooding attack
 Monitoring: IDS can check the security policy and the database of known vulnerabilities and attacks
 Vendors need to update with the latest attacks and update the issue database
 Customers need to install updates
 Anomaly Detection (something deviating from the original)
 To detect intrusion, anomaly detection uses statistical techniques
 A baseline is established
 During operation, statistical analysis of the monitored data is performed
 If different from the baseline -> alarm is raised
 Anomaly != attack every time -> failed login due to forgetting a password
 Careful attackers remain undetected
 Patient attackers slowly change the normal behavior until the attack (which no longer generates an alarm)
 Need to be concerned about
 False positive: an attack is flagged when nothing has happened
 False negative: an attack is missed when it falls within the range of normal behavior
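The baseline idea above, as an added example (not code from the original notes): a per-hour "failed logins" counter with a statistical baseline, showing the forgotten-password false positive and why a patient attacker who moves the baseline slowly is missed. The training values and the two event streams are constructed.

```python
# Added example (not from the original notes): statistical anomaly detection on a
# constructed per-hour "failed logins" series. Baseline values are made up.
from collections import deque
from statistics import mean, pstdev

BASELINE = [1, 2, 1, 0, 2, 1, 1, 2, 0, 1]   # constructed quiet-period training data


def build_baseline(samples):
    """Baseline = (mean, population std-dev) of the training samples."""
    return mean(samples), pstdev(samples)


def z_score(value, baseline):
    """How many standard deviations the value sits from the baseline mean."""
    mu, sigma = baseline
    if sigma == 0:                  # degenerate baseline: any change is anomalous
        return float("inf") if value != mu else 0.0
    return abs(value - mu) / sigma


def monitor(stream, training, threshold=3.0, adaptive=False):
    """Return the indexes of samples flagged as anomalous.

    Static mode keeps the original baseline. Adaptive mode re-learns the baseline
    from a sliding window of recently accepted samples, which is exactly what a
    patient attacker exploits: each small step is 'normal' relative to the last."""
    window = deque(training, maxlen=len(training))
    baseline = build_baseline(list(window))
    flagged = []
    for i, value in enumerate(stream):
        if z_score(value, baseline) > threshold:
            flagged.append(i)
        elif adaptive:
            window.append(value)
            baseline = build_baseline(list(window))
    return flagged


# False positive: a user forgets a password, producing 9 failures in one hour.
FORGOTTEN_PASSWORD = [1, 9, 1]

# Patient attacker: failures creep up by one every two hours.
SLOW_DRIFT = [2, 2, 3, 3, 4, 4, 5, 5, 6, 6, 7, 7, 8, 8]


def demo():
    return {
        "forgot_static": monitor(FORGOTTEN_PASSWORD, BASELINE),
        "drift_static": monitor(SLOW_DRIFT, BASELINE),
        "drift_adaptive": monitor(SLOW_DRIFT, BASELINE, adaptive=True),
    }
```

With the static baseline the drift is caught once the count reaches 4 (index 4), while the adaptive baseline never raises an alarm because the window keeps absorbing the new level.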
 Host Based IDS
 Checks log files, audit trails, network traffic (incoming/outgoing)
 HIDS operates in real time, observing activities, or in batch mode on a periodic basis
 It is self-contained:
 commercial versions take help of a central system
 they also take local system resources to operate
 Older versions:
 work in batch mode on an hourly or daily basis
 looking for events in system log files
 New versions:
 processor speed is increased
 it looks at log files in real time
 examines data traffic
 Windows examined logs: application, system and security event logs
 UNIX examined logs: message, kernel, error logs
 Application-specific HIDS examines traffic for specific services

 HIDS is looking for certain log events like:
 Logins at odd hours
 Login authentication failures
 Adding a new user account
 Modification of access to critical system files
 Modification or removal of binary files
 Starting or stopping processes
 Privilege escalation (rapid increase)
 Use of certain programs
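The misuse-detection signatures described earlier and the HIDS log events just listed, as one added example (not code from the original notes): a minimal signature matcher run over constructed syslog-style lines. The host name, user names, addresses and thresholds are assumptions.

```python
# Added example (not from the original notes): a minimal signature-based HIDS that
# scans constructed syslog-style lines for the events listed above. The log lines,
# host names, users and addresses are made up for illustration.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 10 02:14:07 host sshd[1201]: Accepted password for bob from 10.0.0.9 port 51012 ssh2
Mar 10 09:01:11 host sshd[1322]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar 10 09:01:13 host sshd[1322]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar 10 09:01:15 host sshd[1322]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar 10 09:01:18 host sshd[1322]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar 10 09:01:20 host sshd[1322]: Failed password for alice from 203.0.113.7 port 40011 ssh2
Mar 10 10:30:00 host useradd[1400]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
Mar 10 10:31:42 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 10 11:00:00 host cron[1500]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Attack signatures: patterns that map a log line to an event of interest.
SIG_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SIG_FAILED = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
SIG_USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SIG_SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")

FAILED_THRESHOLD = 5        # failures from one source for one user ...
FAILED_WINDOW_SEC = 60      # ... within this many seconds
ODD_HOURS = range(0, 6)     # 00:00-05:59 counts as "odd hours" (assumed policy)


def parse_timestamp(line: str) -> datetime:
    # Syslog timestamps carry no year; assume a fixed year for the sample.
    return datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")


def analyze(log_text: str) -> list:
    """Return alerts as tuples (alert_type, subject, detail), in log order."""
    alerts = []
    failures = defaultdict(list)  # (user, source) -> recent failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_timestamp(line)
        if m := SIG_ACCEPTED.search(line):
            if ts.hour in ODD_HOURS:
                alerts.append(("login-odd-hours", m.group(1), ts.isoformat()))
        elif m := SIG_FAILED.search(line):
            key = (m.group(1), m.group(2))
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= FAILED_WINDOW_SEC]
            recent.append(ts)
            failures[key] = recent
            if len(recent) == FAILED_THRESHOLD:   # fire once when the threshold is reached
                alerts.append(("auth-failure-burst", key[0], key[1]))
        elif m := SIG_USERADD.search(line):
            alerts.append(("new-user-account", m.group(1), ts.isoformat()))
        elif m := SIG_SUDO_ROOT.search(line):
            alerts.append(("privilege-escalation", m.group(1), m.group(2)))
    return alerts
```

The cron line matches no signature and produces nothing, which is the point of misuse detection: only patterns already in the signature set are reported.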
 Advantages
 OS-specific and detailed signatures
 Examines data after decryption
 Very application specific

 Disadvantages
 Needs to be installed on every host
 High cost of ownership and maintenance
 Uses local system resources
 Very focused view and cannot relate to activity around it
 Excluded from the network
 Passive in nature, so it just informs about the attack without doing anything about it.
 Network Based IDS
 Focuses on n/w traffic
 Bits and bytes travelling along the cables interconnecting systems
 Checks traffic according to protocol, type, amount, source, destination, content, traffic already seen
 Analysis must occur quickly, at the speed the network operates, to be effective
 Examines traffic in/out: internet, remote offices, partners etc.
 NIDS looks for certain activities like:
 Denial of service attacks (DoS)
 Port scans or sweeps
 Malicious content in packet data
 Vulnerability scanning
 Trojans, viruses, worms
 Tunneling
 Brute-force attacks
 Layout of NIDS

 Advantages
 Provides coverage of many systems (not a single one like HIDS)
 Low cost: deployment, maintenance, upgrade
 Visibility into all n/w traffic
 Can correlate multiple systems
 Disadvantages
 Ineffective for encrypted traffic
 Can't see traffic that does not pass through it
 It might be slow as compared to the network speed.
Comparison of HIDS and NIDS (Categories / HIDS / NIDS)

Definition
 HIDS: Host IDS
 NIDS: Network IDS
Type
 HIDS: It doesn't work in real time
 NIDS: Operates in real time
Concern
 HIDS: Related to just a single system; as the name suggests, it is only concerned with threats related to the host system/computer.
 NIDS: Concerned with the entire network system; examines the activities and traffic of all the systems in the network.
Installation Point
 HIDS: Can be installed on each and every computer or server, i.e. anything that can serve as a host.
 NIDS: Being concerned with the network, it is installed at places like routers or servers, as these are the main intersection points in the network system.
Execution Process
 HIDS: Operates by taking a snapshot of the current status of the system and comparing it against already stored snapshots tagged as malicious in the database; this clearly shows that there is a delay in its operation and activities.
 NIDS: Works in real time by closely examining the data flow and immediately reporting anything unusual.
Information About Attack
 HIDS: More informed about the attacks, as they are associated with system files and processes.
 NIDS: As the network is very large, making it hard to keep track of the integrating functionalities, they are less informed of the attacks.
Ease of Installation
 HIDS: As it needs to be installed on every host, the installation process can be tiresome.
 NIDS: Few installation points make it easier to install NIDS.
Response Time
 HIDS: Response time is slow
 NIDS: Fast response time
 Honeypots
 Honeypots: an innovation in IDS
 Uses a simulated attack target to distract attackers away from authentic systems
 A network-attached system used as a trap for cyber attackers, to detect and study the tricks and types of attacks used by hackers
 It's a computer system, on the internet, set up to attract and trap attackers
 They are designed to:
 Purposely divert hackers from accessing critical systems
 Identify malicious activities
 Engage the attacker for a long time -> so that he will stay on the system till the administrator responds
 Honeypot is designed with sensitive monitors and event loggers
 Which detect the accesses and collect information about attackers
 2 types of Honeypots (based on deployment method)
1. Production Honeypot:
 Used by companies and corporations for researching hackers' aims, diverting and mitigating risks
2. Research Honeypot:
 Used by non-profit organizations and educational institutions for researching the motives and tactics of the hacker community in targeting different networks
 Effective method to track hackers' behavior
 Increases the effectiveness of computer security tools
 Advantages of Honeypot
 Acts as a rich source of information and helps collect real-time data.
 Identifies malicious activity even if encryption is used.
 Wastes hackers' time and resources.
 Improves security.

 Disadvantages of Honeypot
 Being distinguishable from production systems, it can be easily identified by experienced attackers.
 Having a narrow field of view, it can only identify direct attacks.
 A honeypot, once attacked, can be used to attack other systems.
 Fingerprinting (an attacker can identify the true identity of a honeypot).
5.4 Email Security
 Email is the most widely used service on the internet
 Used to send text, pictures, videos, sounds to other internet users
 Email security is an extremely important issue
 Text email message has 2 portions:
 Content
 Header
 Header lines are followed by the message
 Header keywords (keyword followed by a colon): From, To, Subject, Date
 SMTP (Simple Mail Transfer Protocol)
 It's a TCP/IP protocol
 Specifies how computers exchange e-mail
 It works with POP (Post Office Protocol)
 Request/response based
 Email client s/w at the sender's end gives the email message to the SMTP server
 SMTP server transfers the message to the receiver's SMTP server
 SMTP's duty: to carry the email message between sender and receiver, on the same or different computers
 It also supports:
 Sending a single message to one or more recipients
 Messages that include text, voice, video, or graphics
 Sending messages on networks outside the internet
 SMTP uses TCP port no. 25
 Email delivery happens through a TCP connection to port 25

 Email communication:
 Sender's end: SMTP server takes the message sent by the user's computer
 Sender's end: SMTP server at the sender's end transfers the message to the SMTP server at the receiver's end
 Receiver's computer pulls the email from the SMTP server at the receiver's end using other email protocols, POP or IMAP
 3 phases of SMTP:
1. Connection set up
 SMTP server attempts to set up a TCP connection with the target host when it has one or more mail messages to deliver to that host
 Step sequence of connection setup:
 sender opens a TCP connection with the receiver
 receiver identifies itself with "220 Service Ready"
 sender identifies itself with the HELO command
 receiver accepts the sender's identification with "250 OK"
 if the mail server on the destination is not available, the destination host returns a "421 Service Not Available" reply in step 2 and the process is terminated
2. Mail transfer
 After connection establishment, the SMTP sender sends 1 or more messages to the SMTP receiver
 3 logical phases to transfer a message:
 MAIL command identifies the originator of the message
 One or more RCPT commands identify the recipients of the message
 A DATA command transfers the message text
3. Connection termination
 Sender closes the connection in the following way:
 Sender sends the QUIT command and waits for the reply
 Sender initiates the TCP close operation for the TCP connection
 Receiver initiates its TCP close after sending its reply to the QUIT command
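The three phases above as a simulated exchange with both sides' messages, added here as an example (not code from the original notes). The host names, mailbox addresses and message body are constructed; the receiver only implements the commands the notes mention.

```python
# Added example (not from the original notes): a simulated SMTP exchange showing the
# three phases above, with both sides' messages. Host and mailbox names are made up.
class SmtpReceiver:
    """Minimal receiver-side state machine: 220/421 on connect, then command replies."""

    def __init__(self, hostname: str, available: bool = True):
        self.hostname = hostname
        self.available = available
        self.delivered = []          # (sender, recipients, body) of accepted messages
        self._reset()

    def _reset(self):
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []

    def connect(self) -> str:
        # Phase 1: the receiver identifies itself, or refuses service with 421.
        if not self.available:
            return f"421 {self.hostname} Service Not Available"
        return f"220 {self.hostname} Service Ready"

    def handle(self, line: str):
        if self.in_data:                      # collecting message text until a lone "."
            if line == ".":
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self._reset()
                return "250 OK"
            self.body.append(line)
            return None                        # no reply to individual body lines
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 OK"
        if verb == "MAIL":                     # MAIL FROM:<addr> identifies the originator
            self.sender = arg.split(":", 1)[1]
            return "250 OK"
        if verb == "RCPT":                     # RCPT TO:<addr>, one per recipient
            if self.sender is None:
                return "503 Bad sequence of commands"
            self.recipients.append(arg.split(":", 1)[1])
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Syntax error, command unrecognized"


def deliver(receiver: SmtpReceiver, sender: str, recipients: list, body: list) -> list:
    """Sender side: run the three phases and return the transcript as 'C:'/'S:' lines."""
    transcript = [f"S: {receiver.connect()}"]
    if transcript[0].startswith("S: 421"):
        return transcript                     # destination unavailable: process terminated

    def send(cmd: str):
        transcript.append(f"C: {cmd}")
        reply = receiver.handle(cmd)
        if reply is not None:
            transcript.append(f"S: {reply}")
        return reply

    send("HELO client.example.net")           # rest of phase 1: sender identifies itself
    send(f"MAIL FROM:{sender}")               # phase 2: mail transfer
    for rcpt in recipients:
        send(f"RCPT TO:{rcpt}")
    send("DATA")
    for line in body:
        send(line)
    send(".")
    send("QUIT")                              # phase 3: connection termination
    return transcript


def demo():
    mx = SmtpReceiver("mail.example.net")
    transcript = deliver(mx, "<alice@example.net>", ["<bob@example.net>"],
                         ["Subject: hello", "", "Meeting at 10."])
    down = deliver(SmtpReceiver("mx2.example.net", available=False), "<a@x>", ["<b@x>"], [])
    return transcript, mx.delivered, down
```

Print the first transcript from demo() to read the exchange line by line; the second transcript stops at the 421 banner, matching the "process is terminated" case in the notes.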
 Privacy Enhanced Mail (PEM)
 It's an internet standard providing secure exchange of E-mail
 Uses cryptographic techniques providing CIA
 Integrity: allows the user to make sure that the message is not modified during transport
 Authentication: allows the user to verify that the PEM message is received from the authenticated person
 Confidentiality: allows the message to be kept secret from other people
 PEM supports 3 cryptographic functions:
 Encryption
 Non-repudiation
 Message integrity

 PEM operation
Step 1: Canonical Conversion
 The internet works on computers having a TCP/IP stack regardless of architecture and OS
 So the same thing can be represented differently on different computers
 It transforms all messages into an abstract canonical representation, regardless of the architecture and OS of the sender's and receiver's computers
 Email messages will travel in a uniform and independent manner
Step 2: Digital Signature
 Starts by creating a message digest of the email message using the MD2 or MD5 algorithm
 Message digest is encrypted with the sender's private key to form the sender's digital signature
Step 3: Encryption
 Original email and digital signature are encrypted with a symmetric key
 DES or DES3 algorithm in CBC (Cipher Block Chaining) mode is used
Step 4: Base-64 Encoding
 This transforms binary input to printable character output
 Here binary input is processed in blocks of 3 octets or 24 bits
 24 bits are considered as 4 sets of 6 bits
 Each 6-bit value is then mapped into an 8-bit printable character
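Steps 1 and 4 carried out by hand, as an added example (not code from the original notes): canonical line endings, then the 3-octet to 4-character base-64 mapping with '=' padding for a short final block, checked against Python's base64 module. The sample text is constructed; the 64-character line wrap is an assumption taken from PEM armor.

```python
# Added example (not from the original notes): PEM step 1 (canonical line endings)
# and step 4 (base-64 encoding of 3-octet blocks) written out by hand, checked
# against Python's own base64 module. The sample text is constructed.
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def canonicalize(text: str) -> bytes:
    """Step 1: one representation regardless of the sender's platform.
    Here: every line ending becomes CRLF and the text is encoded as ASCII."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join(lines).encode("ascii")


def encode_block(block: bytes) -> str:
    """Step 4 for one block of 1..3 octets: 24 bits -> 4 sextets -> 4 characters.
    A short final block is zero-padded and the unused characters become '='."""
    n = len(block)
    bits = int.from_bytes(block + b"\x00" * (3 - n), "big")   # 24-bit group
    sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
    chars = "".join(ALPHABET[s] for s in sextets)
    return chars[: n + 1] + "=" * (3 - n)


def base64_encode(data: bytes, line_len: int = 64) -> str:
    """Encode all blocks and wrap at 64 characters (assumed, as PEM armor does)."""
    encoded = "".join(encode_block(data[i:i + 3]) for i in range(0, len(data), 3))
    return "\r\n".join(encoded[i:i + line_len] for i in range(0, len(encoded), line_len))


def base64_decode(text: str) -> bytes:
    """Inverse of encode_block: 4 characters -> 3 octets, dropping padded ones."""
    out = bytearray()
    clean = text.replace("\r", "").replace("\n", "")
    for i in range(0, len(clean), 4):
        quad = clean[i:i + 4]
        pad = quad.count("=")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[: 3 - pad]
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Sanity check of the hand-written encoder against the library implementation."""
    return base64_encode(data, line_len=10**9) == base64.b64encode(data).decode("ascii")
```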
 Pretty Good Privacy (PGP)
 Used for encryption and decryption of email
 Also uses digital signatures to ensure integrity of email
 Freely available / low-cost commercial version
 Widely used
 Ensures privacy
 Developed by Philip R. Zimmermann in 1991
 Has become a standard for email security
 PGP encrypted files cannot be read by unauthorized users or intruders
 How does it work?
 Authentication
o Sender creates the message
o SHA-1 is used to generate a 10-bit hash code of the message
o Hash code is encrypted using the sender's private key -> the result is prepended to the message
o Receiver uses the sender's public key to decrypt and recovers the hash code
o Receiver generates a new hash code and compares
o If it matches -> message accepted
 Confidentiality
o PGP provides confidentiality by encryption
o Sender generates a random 128-bit number for the message
o This is used as the session key for this message only
o Message is encrypted using 3DES with the session key
o Session key is encrypted using the recipient's public key and prepended to the message
o Receiver decrypts with his private key
o Only the receiver can decrypt and recover the session key
o Session key is used for decryption

 Secure Multipurpose Internet Mail Extension (S/MIME)
 Traditional mail systems are text based
 Now we exchange multimedia files, documents in different formats
 MIME system extends the basic email system by permitting users to send binary files
 They have a normal internal text message -> with special headers and formatted sections of text
 These sections hold:
o ASCII-encoded portions of data
o Each section starts with an explanation of the data
o How it should be interpreted or decoded at the recipient's end
o Receiver's email system uses the explanation to decode the received data
 MIME enhanced with security features -> called Secure MIME
 It's a standard for
o public key encryption
o signing of e-mail encapsulated in MIME: S/MIME
 Developed by RSA Data Security Inc
 Provides cryptographic security:
o authentication,
o message integrity,
o non-repudiation of origin,
o privacy
o data security service for E-mail applications
 S/MIME Functionality
 Similar to PGP
 Provides digital signature and encryption of email messages
 Functions
o Enveloped data: consists of encrypted content and the encrypted encryption key for one or more recipients
o Signed data: digital signature obtained by hashing the content, then encrypting with the private key of the signer; content and signature are encoded with base64
o Clear-signed data: because of this encoding, the recipient can view the message but cannot verify the signature
o Signed and Enveloped data: signed-only and encrypted-only data can be nested; encrypted data can be signed and signed data can be encrypted
o Cryptographic algorithms used by S/MIME:
 For digital signature: DSS (Digital Signature Standard) and RSA
 For hash function: SHA-1 and MD5
 For session key encryption: Diffie-Hellman
 For message encryption: AES, Triple DES, RC2/40
 MAC: HMAC (Hash-Based Message Authentication Code) with SHA-1
5.5 Cyber Crime
 Introduc on
 All criminal ac vi es using – computer,
internet and world wide web
 Also known as computer crime
 Illegal things performed-
o commi ng fraud,
o trafficking in child pornography
o intellectual property,
o stealing iden es,
o viola ng proper es
 Poten al problem to- commerce,
entertainment, government
 A ack happens on individual or corporate
virtual body
 Cybercrime ranges from-viola on of personal
or corporate informa on to using obtained
informa on to blackmail a firm or individual
 Transac on based crimes: fraud, digital piracy,
money laundering, counterfei ng (fraud
imita ng someone else)
 Within corpora on or government
organiza ons: deliberately altering data for
profit or poli cal objec ves
 Other crimes:
1. Financial: crime disrupt business ability to
conduct ‘e-commerce’
2. Piracy: copying copyright material- new way of
old crime-distribu ng crea ve work protected
by copyright
3. Hacking: act of illegal access to computer
system or network- for fraud or terrorism
4. Cyber-terrorism: hacking designed to cause
terror- E-terrorism cause violencegenerate
harm or fear
5. Online pornography: strict laws- laws for minors
6. Sabotage: hacking involving hijacking of
government or corpora on web-site
purposeful destruc on of property- slowing
down and damaging work
 Hacking
 Well known computer crime
 Hacker: “who finds and exploits weakness of
computer system and network”
 This is unauthorized access
 Purpose:
o launch malicious programs- virus worms
trojan horses that shut down/destroy
en re system/network
o Taking credit card numbers, internet
passwords, personal informa on,
accessing commercial database
 Types of hackers:


o White Hat:
o Non-malicious purpose
o They are security experts
o Hired to test  how vulnerable a
protec ve setup is
o Perform vulnerability assessment and
penetra on tests
o Also called as “Ethical Hackers”

o Black Hat:
o Known as crackers
o Has malicious purpose
o Breaks computer security system, n/w
system, telecommunica on
systemwithout authoriza on
o Malicious purpose:
 piracy iden ty the , credit card
fraud, damage
o May use- worms, malicious sites
o Grey Hat:
o Combina on of white and black hats
o Not a penetra on tester but will go
ahead and surf internet for vulnerable
system he could exploit
o He will inform admin of website about
vulnerabili es – he found a er hacking
the site
o Will hack site freely- without any
promp ng or authorized from owners
o Will offer a repair to vulnerabili es he has
exposed for small fees

o Elite Hacker:
o Social status among hackers is
underground
o ELITE – hackers among hackers
o Masters of decep on
o Solid reputa on among their groups
o They are cream of hacker crop
o Script Kiddie:
o Part me /non expert hacker
o He breaks into people’s computer
o Does not have knowledge about IT
security
o Uses prepackaged automated script,
tools or s/w wri en by real hackers

 Digital Forgery
 Falsely altering or manipula ng documents
 Intension is misleading others
 May produce false documents
 Big problems today’s era we create, process,
transmit, and store documents digitally
 They can alter- pictures, images, documents,
music for economic gain
 May involve electronic forgery or iden ty
the
 Digitally forged pictures appeal to viewer’s
eyes
 Using picture processing so ware  one can
alter anything in the photo
 Picture processing so ware- Adobe
Photoshop, Adobe Premier, Corel Draw, GIMP
 Photos are changed pixel by pixel
 These changes are hard to spot with human
eyes

 Cyberstalking or Harassment
 Following a person online anonymously
 Stalker virtually follows vic m and his/her
ac vi es
 Involves online harassment
 Cyberstalker uses- social media, websites and
search engines to ins ll fear
 Cyberstalker knows the vic m- makes the
person feel afraid or concerned for their
safety
 Vic ms are mostly – women or children
 Iden ty The and Fraud
 Iden ty the :
 It’s a kind of fraud
 Cybercriminals steal personal data-
passwords, bank account details, credit cards,
debit cards, social security, other sensi ve
informa on
 Through iden ty the criminal can steal
money
 Fraud:
 Cyber crime intends to deceive a person in
order to gain important data or informa on
 Fraud can be done by  altering, destroying,
stealing or suppressing informa on
 Cyber Terrorism
 Any planned, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant (non-fighting) targets by sub-national groups or clandestine (secret/non-legal) agents
 Cyber terrorist attacks are explicitly designed to cause physical harm to individuals
 Targets: banking industry, military installations, power plants, air traffic control centers, water systems
 Carried out on private servers
 Hackers can:
o break into computer systems, introduce viruses into vulnerable networks, deface websites, launch denial-of-service attacks, make terroristic threats electronically
 Can endanger the public safety of millions of people
 Can cause massive panic or fatalities
 Cyber Defamation
 Injury caused to the reputation of a person in the eyes of a third person
 By word, oral or written, by signs or by visible representations
 Intention is to lower the reputation of a person in the eyes of the public
 "Publishing a defamatory material against another person with the help of computer or internet"
 Harm caused to the person is widespread and irreparable, as the information is shared with the entire world
 This affects the welfare of the community as a whole
 Impacts the economy of a country
 Mediums of cyber defamation:
o World Wide Web
o Discussion groups
o Intranets
o Mailing lists and bulletin boards
o E-mail
 OS Fingerprinting
 Process of identifying the OS of a target device or system based on analysis of the network packets it sends and receives
 OS detection can be active or passive
 Active OS fingerprinting tools: interact with the target network
 Passive OS fingerprinting tools: do not interact with the target system
o Passive OS Fingerprinting
o Gathers information about the target system
o Without actively interacting with the OS
o Examines network packets to identify specific characteristics: IP address, active systems, open ports
o Passive Sniffing
o Act of observing and capturing network packets without sending any data to the target
o Uses the information collected during sniffing to analyse patterns and features that reveal the target system's OS
o Commonly used items:
o IP TTL Value
o Different OSes assign different default IP TTL (time-to-live) values to outbound packets
o TCP Window Size
o Initial window size used by TCP varies between OSes
o IP DF Option
o Operating systems handle the Don't Fragment (DF) flag differently, resulting in variations in fragmentation behavior
o IP TOS Option
o Type of Service (TOS) field, which prioritizes certain packets, is implemented differently by various OS vendors
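The four passive indicators above (IP TTL, TCP window size, DF flag and TOS) can all be read from a single captured SYN and compared against a signature table. The Python example below is added here for illustration and is not code from the original notes or from any fingerprinting tool. It parses the raw IPv4 and TCP headers itself, estimates the hop count from the TTL (the observed TTL is the initial value minus the hops taken, so it must be rounded up to a likely starting value first), and then scores each entry of a signature table. The `SIGNATURES` list, the `build_syn` packet builder and the 10.0.0.x addresses are constructed assumptions for an offline run, not a real OS database.

```python
"""Passive OS fingerprinting from one captured TCP SYN (added example, constructed data)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SynFingerprint:
    ttl: int            # observed IP TTL (initial TTL minus hops taken)
    tos: int            # IP Type of Service byte
    df: bool            # IP Don't Fragment flag
    window: int         # TCP window advertised in the SYN
    mss: Optional[int]  # Maximum Segment Size option, if present
    wscale: Optional[int]  # window scale option, if present


def parse_ipv4_tcp(packet: bytes) -> SynFingerprint:
    """Extract the fields a passive fingerprinter keys on from raw IPv4+TCP bytes."""
    vihl, tos, _tlen, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    ihl = (vihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)      # DF is the middle bit of the 3-bit IP flags field
    tcp = packet[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    data_off = (off_flags >> 12) * 4
    mss = wscale = None
    opts, i = tcp[20:data_off], 0
    while i < len(opts):                # walk the TCP options (kind, length, value)
        kind = opts[i]
        if kind == 0:                   # End of Option List
            break
        if kind == 1:                   # NOP padding is a single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:   # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:  # Window scale
            wscale = opts[i + 2]
        i += length
    return SynFingerprint(ttl, tos, df, window, mss, wscale)


# Constructed, illustrative signature table (NOT a real database): initial TTL,
# DF flag and a few SYN window sizes associated with each stack family.
SIGNATURES = [
    ("Linux-like", 64, True, {5840, 14600, 29200, 64240}),
    ("Windows-like", 128, True, {8192, 64240, 65535}),
    ("BSD/router-like", 255, False, {4128, 16384}),
]


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def fingerprint(packet: bytes) -> Tuple[str, int]:
    """Return (best matching stack family, estimated hop count) for one SYN."""
    fp = parse_ipv4_tcp(packet)
    start = initial_ttl(fp.ttl)
    best, best_score = "unknown", 0
    for name, sig_ttl, sig_df, windows in SIGNATURES:
        score = (2 if sig_ttl == start else 0)      # TTL class is the strongest hint
        score += 1 if sig_df == fp.df else 0
        score += 1 if fp.window in windows else 0
        if score > best_score:
            best, best_score = name, score
    return best, start - fp.ttl


def build_syn(ttl, tos, df, window, mss=None, wscale=None) -> bytes:
    """Construct a minimal IPv4+TCP SYN for offline testing (checksums left at zero)."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale) + b"\x01"   # NOP pads options to 4 bytes
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp


if __name__ == "__main__":
    for desc, pkt in [("SYN from 3 hops away", build_syn(61, 0, True, 29200, 1460, 7)),
                      ("SYN from 12 hops away", build_syn(116, 0, True, 64240, 1460, 8))]:
        print(desc, "->", fingerprint(pkt))
```

For a defender this is the logic behind passive asset inventory and anomaly spotting: a host that is recorded as a Windows workstation but fingerprints as a router-like stack, or a TTL implying an unexpected hop count, is worth a look. TOS is parsed but not scored here because modern stacks rarely set it; real tools such as p0f weigh many more fields and carry far larger signature sets.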
 Active OS Fingerprinting
 More powerful than passive
 Eliminates the need to wait for random packets for analysis
 Uses tools to inject packets into the n/w
 Analyses differences in how various vendors implement the TCP/IP stack
 By observing these differences the OS version can be identified
 Common methods used:
o FIN Probe: sends a packet with the FIN (FINISH) flag set to observe how the system handles such requests
o Bogus Flag Probe: uses a packet with an invalid/unexpected flag combination to elicit distinctive responses
o Initial Sequence Number (ISN) Sampling: analyzes the pattern of sequence numbers in TCP connections to determine randomness and predictability
o IPID Sampling: observes the behavior of the ID field of the IP header to identify patterns unique to a specific OS
o TCP Initial Window: examines the size of the initial TCP window advertised by the system
o ACK Value: analyses how the system responds to ACK packets under certain conditions
o Type of Service: tests how the target system handles the Type of Service field in the IP packet
o TCP Option: evaluates the use and order of TCP options (such as MSS, maximum segment size, and window scaling)
o Fragmentation Handling: examines how the system handles fragmented IP packets
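From the defender's side, the FIN probe and bogus-flag probe listed above are detectable precisely because those flag combinations never occur in a legitimate TCP handshake or data transfer. The Python example below is an added illustration, not code from the notes or from any IDS: it labels abnormal flag combinations and counts them per source, the way a simple sensor rule would. The flag constants follow the TCP header layout; the `SAMPLE_EVENTS` list (source addresses and flag values) is constructed sample data.

```python
"""Flag-based detection of active OS-fingerprinting probes (added example, constructed data)."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in the header (low six bits of the flags byte)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> Optional[str]:
    """Label a flag combination that no normal handshake or data transfer produces.

    Returns None for legitimate combinations such as SYN, SYN+ACK, ACK,
    PSH+ACK, FIN+ACK, RST and RST+ACK.
    """
    f = flags & 0x3F
    if f == 0:
        return "NULL probe (no flags set)"
    if f & SYN and f & FIN:
        return "bogus flags: SYN+FIN"
    if f & SYN and f & RST:
        return "bogus flags: SYN+RST"
    if f == FIN | PSH | URG:               # checked before the generic FIN rule
        return "bogus flags: FIN+PSH+URG (XMAS)"
    if f & FIN and not f & ACK:
        return "FIN probe (FIN without ACK)"
    return None


def scan_for_probes(events: List[Tuple[str, int]], threshold: int = 3) -> Dict[str, Counter]:
    """Count suspicious packets per source and return the sources at or above threshold.

    events: (source address, TCP flags) pairs, as they would come from a capture.
    """
    per_src: Dict[str, Counter] = defaultdict(Counter)
    for src, flags in events:
        label = classify_flags(flags)
        if label is not None:
            per_src[src][label] += 1
    return {src: c for src, c in per_src.items() if sum(c.values()) >= threshold}


# Constructed sample: one normal client session and one host sending probe packets
SAMPLE_EVENTS: List[Tuple[str, int]] = [
    ("10.0.0.5", SYN), ("10.0.0.5", ACK), ("10.0.0.5", PSH | ACK), ("10.0.0.5", FIN | ACK),
    ("198.51.100.7", 0),                # NULL probe
    ("198.51.100.7", SYN | FIN),        # bogus flag probe
    ("198.51.100.7", FIN),              # FIN probe
    ("198.51.100.7", FIN | PSH | URG),  # XMAS probe
    ("10.0.0.5", RST | ACK),            # legitimate reset
]


if __name__ == "__main__":
    for src, counts in scan_for_probes(SAMPLE_EVENTS).items():
        print(src, dict(counts))
```

The threshold keeps a single malformed packet from raising an alert on its own; a fingerprinting tool typically sends several different probes to one host in quick succession, so grouping by source is what makes the pattern stand out. The other methods in the list (ISN, IPID, window and option analysis) use valid packets and are better spotted by rate or by the probe tool's characteristic option ordering, which this example does not cover.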
5.6 Cyber Law
o Introduction and Need
o Describes legal issues related to the use of communication technology
o Rules that control the conduct of cyber activity and security in cyber space
o The law relates to computers, networks, software, data storage devices, the internet, websites, emails, electronic devices, cell phones, mobiles, ATM machines etc.
o Also includes intellectual property, privacy, freedom of expression and jurisdiction
o Cyber law is an attempt to apply laws designed for the physical world to human activities on the internet
o IT Act 2000: under it, cyber offences have been made punishable
o Objective: create an environment where Information Technology can be used safely
o IT Act 2000 is amended by IT Act 2008, known as Cyber Law
o Has a separate chapter entitled Offences
o Various cyber crimes have been declared penal offences punishable with imprisonment and fine
o Categories
o 3 major categories
 Crime Against Individual
 Includes cyber harassment and stalking
 Distribution of child pornography
 Credit card fraud
 Human trafficking
 Spoofing
 Identity theft
 Online libel or slander
 Government
 If a cyber-crime is committed against the government
 Considered an attack on the nation's sovereignty
 It includes hacking, accessing confidential information, cyber warfare, cyber terrorism and pirated software
 Property
 Online crimes against property
 Computer or server
 DDoS attack, hacking, virus transmission, cybersquatting and typosquatting, computer vandalism, copyright infringement, IPR violation