32677_02 5/11/2004 10:15:42 Page 29
CHAPTER TWO
ATTACKERS AND THEIR
ATTACKS
After completing this chapter, you should be able to do the following:
➤ Develop attacker profiles
➤ Describe basic attacks
➤ Describe identity attacks
➤ Identify denial of service attacks
➤ Define malicious code (malware)

ON THE JOB
Dan C. is the CEO of an agency that offers credit card protection services. Dan’s
company searches the Internet for stolen credit card numbers and personal data, and
then reports the theft to the victims, their banks, and even the Federal Bureau of
Investigation (FBI). Dan says that those who steal credit card numbers, known as
“carders,” are generally more motivated by status than by money. However, an
increasing number of carders are part of organized crime rings, particularly in the
United States and the former Soviet Union states. Dan has found that knowing the
motivation of the attackers can help create a strong defense against attacks.
Dan knows that when a credit card number is stolen, it is often posted on carder
Web sites. These sites are dedicated to obtaining, verifying, and swapping credit card
numbers, along with names, addresses, and other information a carder needs to use
the card for ordering goods and services illicitly. Because different carders can use a
single stolen card number to order merchandise, it is often difficult to identify usage
patterns and apprehend the thieves.
Dan’s skills are in high demand for two reasons. First, he understands who the
attackers are and why they attack. Second, he knows the “tricks of the trade” and
how attackers attack. Dan has found that looking at an attack from the attacker’s
perspective provides him with valuable information in tracking down the culprits
and hindering their future attacks.
One of Dan’s recent jobs began when his company accessed information from a
carder Web site that contained more than 60 stolen credit card numbers and the
users’ names and addresses. Investigators in Dan’s company called the victims and
asked where they shopped online. Soon a pattern developed: all the victims purchased from online merchants who were linked to an e-commerce hosting provider
in California. This hosting provider was responsible for verifying customer credit
card information whenever an order was placed on a merchant’s Web site. When the
sale was completed, the credit card numbers and personal data remained on the
hosting provider’s Web site.
Dan customarily recommends that online merchants insist that their e-commerce
hosting provider conduct vulnerability assessments several times each year. In addition, a separate file server should be allocated to each merchant, so that if one server
is compromised, other merchants are not affected. All stored credit card information
should also be encrypted.
When Dan contacted the California hosting provider, the system administrator
admitted that a minor “flaw” in their e-commerce shopping cart software affected a
“small number” of their 4,000 e-commerce clients. A few months later, other merchants discovered that carders had broken into their accounts maintained by the
same hosting provider. The hosting provider refused to comment on the situation.
Copyright © 2005 by Course Technology. All rights reserved. This publication is protected by federal copyright law. No part of this publication
may be reproduced without prior permission in writing from Course Technology. Some of the product names and company names have been
used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Know your enemy is the first and most important rule in any conflict. Whether you are
involved in a sporting event or a war among nations, you must know who your opponents
are and how they attack. The same holds true for information security and attacks on
computer systems. Armed with this information, you can create a defense that will help
neutralize the attacks and minimize any damage.
People who attack computer systems and information fall into several categories, each with
different motivations for their actions. Each type of attacker also employs a variety of attacks
ranging from very basic to extremely sophisticated.
In this chapter, you discover who is responsible for attacking information and the systems
that store, process, and exchange that information. You examine some of the motives
attackers have for striking and damaging computer systems, and explore the types of attacks
that attackers unleash. With this information, you can begin to organize a sound defense to
attempt to thwart their attacks.
DEVELOPING ATTACKER PROFILES
Six categories of people violate network and computer systems: hackers, crackers, script
kiddies, spies, employees, and cyberterrorists. The type of attackers, their skills, and the
reasons they attack are varied. Table 2-1 summarizes the attackers, their level of skill, and
their motivations for attacks. The following sections examine this information in more
detail.
Table 2-1 Attacker profiles

Attacker         Skill Level   Motivation
Hacker           High          Improve security
Cracker          High          Harm systems
Script kiddie    Low           Gain recognition
Spy              High          Earn money
Employee         Varies        Varies
Cyberterrorist   High          Support ideology
Hackers
You can use the common term “hacker” in two ways. First, “hacker” is used in a generic
sense, particularly in the news media, to refer to anyone who illegally breaks into or attempts
to break into a computer system. Used in this way, a hacker is synonymous with an attacker.
The term “hacker” also has a narrower definition. A hacker is described as a person who
uses his or her advanced computer skills to attack computers, but not with a malicious
intent. Instead, hackers use their skills to expose security flaws.
Those who call themselves hackers like to think of themselves as an elite group of people
who are adept at exploring computers and networks. Although breaking into another
person’s computer system is illegal, hackers believe it is ethically acceptable as long as they do
not commit theft, vandalism, or breach any confidentiality. This is sometimes called the
“hacker code of ethics.” Hackers claim that their motive is to improve security. They
consider it their responsibility to seek out security holes so that they can be fixed. These
hackers like to think of themselves as “ethical hackers.”
In truth, many security problems have been first revealed by hackers and not by
the developers of the software or hardware. Ethical hackers who discover
security holes often post their information on the Internet or contact the vendor
directly.
Ethical hackers tend to minimize or misconstrue the consequences of their activities. They
rationalize that their behavior really serves society at large. These hackers either consider
their violation a victimless crime, or they blame the victim for having poor security. Some
researchers believe that because human contact is minimized through the network, hacking
becomes a game where serious consequences can be easily ignored.
Do hackers have lofty motives and perform a valuable service to society? If you use the term
“hacker” in the generic sense of an “attacker,” then the answer is clearly no. Even if you use
the term to refer to people who think of themselves as ethical hackers, the motivation and
benefit of their actions are still questionable.
The Norwegian Supreme Court has ruled that hackers who simply probe
computer networks linked to the Internet have not violated any laws.
Crackers
A cracker is a person who violates system security with malicious intent. Like hackers,
crackers have advanced knowledge of computers and networks and the skills to exploit
them. Unlike ethical hackers who claim to be only searching for security weaknesses,
crackers destroy data, deny legitimate users of service, or otherwise cause serious problems
on computers and networks. Crackers can be identified by their malicious actions: they
intend to do harm to any computer they can break into.
The term cracker was coined around 1985 by ethical hackers who wanted to
distance themselves from those who attack computer systems with malicious
intent.
A particularly disturbing trend among crackers is the attempt to outdo one another. Because
crackers take pride in breaking into computers or writing malicious code that can cause
devastation on a computer, one cracker may become angry when other crackers break into
more computers or cause more harm than he can. In one celebrated instance in 2004, two
rival crackers from Germany and the Czech Republic started a “gang war” between
themselves, each one battling to outdo the other by releasing increasingly potent variants of
viruses. With misspelled online taunts such as “don’t ruine our busssiness” and “wanna start
a war?”, these two crackers and their associates unleashed over a dozen viruses in one week.
Internet users were left scrambling to protect their systems from this barrage of attacks
between the rivals.
Script Kiddies
Much like crackers, script kiddies want to break into computers to create damage.
However, whereas crackers have an advanced knowledge of computers and networks, script
kiddies are unskilled users. Script kiddies do their work by downloading automated hacking
software from Web sites (generally for free) and then using it to break into computers.
While script kiddies lack the technical skills of crackers, they are sometimes considered more
dangerous. Script kiddies tend to be young computer users who have almost unlimited
amounts of leisure time, which they can use to attack systems. Their success in using
automated software scripts tends to fuel their desire to break into more computers and cause
even more harm. Because script kiddies do not understand the technology behind what they
are doing, they often indiscriminately target a wide range of computers, causing problems
for a large audience.
Script kiddies want to bolster their egos—their attacks give them an exaggerated sense of
self-importance. They break into a computer so that they can send a message that says, “Look
what I can do; I’m smarter than anybody else.”
Spies
A computer spy is a person who has been hired to break into a computer and steal
information. Spies do not randomly search for unsecured computers to attack as script
kiddies, crackers, and hackers do. Rather, spies are hired to attack a specific computer that
contains sensitive information. Their goal is to break into that computer and take the
information without drawing any attention to their actions. Spies, like hackers, possess
excellent computer skills.
The motivation for being a spy is almost always financial. Spies are interested in breaking into
another computer for personal profit.
Employees
One of the largest information security threats to a business actually comes from an unlikely
source: its employees. Employees break into their company’s computer for the following
reasons:
■
Like hackers, employees might want to show the company a weakness in their
security.
■
Employees might feel that they have been overlooked in a promotion and, like a
script kiddie, want to say, “I’m smarter than all of you.”
■
Like spies, employees could be motivated by money. A competitor might approach
an employee who has mounted personal gambling debts and offer money in
exchange for stealing information. In some instances, employees have even been
blackmailed into stealing from their employer.
Because most companies focus their attention on protecting computers from outside attacks,
they sometimes make systems relatively accessible from inside the company. A business
might have security guards on the ground floor, but leave the door to the upstairs server
closet open because “trusted” employees are the only ones on that floor. Along with this
trust, employees already have access to some computer information, so gaining additional
access is not usually difficult. Sometimes an employee only has to make a telephone call to
receive clearance to additional information.
Cyberterrorists
Terrorism has become a major security concern around the world as terrorists work to
advance their causes. Using airplanes, trains, cars, and even their own bodies, terrorists
attempt to harm as many innocent civilians as possible, causing widespread panic and
disrupting normal society. One particularly alarming feature of terrorists is that their major
attacks are often unprecedented: that is, they attack in ways that have not been used before.
Many security experts fear that terrorists will turn their attacks to the network and
computer infrastructure to cause panic. Known as cyberterrorists, their motivation may be
defined as ideology, or attacking for the sake of their principles or beliefs. A report
distributed by the Institute for Security Technology Studies at Dartmouth College lists these
three goals of a cyberattack:
■
Deface electronic information (such as Web sites) to spread disinformation and
propaganda.
■
Deny service to legitimate computer users.
■
Commit unauthorized intrusions into systems and networks that result in critical
infrastructure outages and corruption of vital data.
A White House cybersecurity adviser has urged greater attention to potential
security breaches online. He cautioned, “As long as we have vulnerabilities in
cyberspace, and as long as America has enemies, we are at the risk of the two
coming together to severely damage our great country.”
Cyberterrorists are sometimes considered the attackers that should be feared the most. The
skill level of a cyberterrorist is very high. Also, it is almost impossible to predict when or
where an attack may occur. Unlike hackers or crackers who continuously probe systems or
create attacks, cyberterrorists can lie dormant for several years and then suddenly strike a
network in a new way. Their targets can include a small group of computers or networks that
can affect the largest number of users, such as the computers that control the electrical power
grid of a state or region. An isolated attack could cause a power blackout that would affect
tens of millions of people.
Cyberterrorists or groups related to them also use the Internet to finance some
of their operations. These same players are involved in online fraud and use
stolen credit card numbers.
One of the targets highest on the list of cyberterrorists is the Internet itself. Whereas hackers
and crackers do not want to disrupt parts of the Internet because doing so would hamper
their own communications, cyberterrorists consider the Internet a prime target. Attacks
launched directly against the Internet have revealed its weaknesses. In October 2002, a
distributed denial of service attack was launched against the 13 Internet root servers, which
sit at the top of the Domain Name System (DNS) hierarchy that matches Web names to
Internet Protocol (IP) addresses and without which name lookups on the Internet could not
function. This attack made several of the servers unreachable by regular Internet traffic for
about one hour, although cached DNS answers kept most users from noticing. Cyberterrorists
who launch attacks like this could have a devastating impact on communication around the world.
The Department of Homeland Security’s 2004 budget of $36.2 billion includes
$829 million for information infrastructure protection from cyberterrorists.
UNDERSTANDING BASIC ATTACKS
Just as computers and networks have continued to evolve, so too have the methods that
attackers use. In the 1980s, individual computers were targeted for attack, while in the 1990s,
individual networks were the prime targets.Today the global computing infrastructure is the
most likely target of attacks. In general, attackers are becoming more sophisticated and are
moving away from searching for bugs in specific software applications and toward probing
the underlying software and hardware infrastructure itself. Also, attacks in the twenty-first
century allow little time to react. It’s not uncommon for a virus to propagate itself
worldwide in only 10 minutes. In addition, these sophisticated attacks can be difficult to
detect. Instead of attacking the computing infrastructure directly, attackers can embed the
attack in data, which makes detection harder. As attackers’ methods become more sophisticated, network professionals must keep track of how attackers attack so they can erect
proper defenses.
Just as network professionals must learn to identify a variety of attackers, so too must they
identify a variety of attacks. The different types of attacks can be generally classified into four
broad categories: basic attacks, identity attacks, denial of service (DoS), and malicious code.
This section examines basic attacks, and the following sections discuss the other three
categories.
Basic attacks are those that do not always require a high degree of technical skill, but
sometimes rely more on guesswork and cunning than anything else.The five types of basic
attacks are social engineering, password guessing, weak keys, mathematical attacks, and
birthday attacks.
Social Engineering
The easiest way to attack a computer system requires almost no technical ability and is
usually highly successful. Social engineering relies on tricking and deceiving someone to
access a system. Consider these examples:
■
Maria is a customer service representative who receives a telephone call from
someone claiming to be a client. This person has a thick accent that makes his
speech hard to understand. Maria asks him to respond to a series of questions to
ensure that he is an approved client. However, when asked a question, the caller
mumbles his response with an accent and Maria cannot understand him. Too
embarrassed to keep asking him to repeat his answer, Maria finally provides him
with the password.
■
The help desk at a large corporation is overwhelmed by the number of telephone
calls it receives after a virus attack. Ari is a help desk technician and receives a
frantic call from a user who identifies himself as Frank, a company vice president.
Frank says that an office assistant has been unable to complete and send him a
critical report because of the virus and is now going home sick. Frank must have
that office assistant’s network password so he can finish the report, which is due by
the end of the day. Because Ari is worn out from the virus attack and has more calls
coming in, he looks up the password and gives it to Frank. Ari does not know that
Frank is not an employee, but an outsider who now can easily access the company’s
computer system.
■
Natasha, a contract programmer at a financial institution, drives past a security
guard who recognizes her and waves her into the building. However, the guard
does not realize that Natasha’s contract was terminated the previous week. Once
inside, Natasha pretends that she is performing an audit and questions a new
employee, who willingly gives her the information she requests. Natasha then uses
that information to transfer more than $10 million to her foreign bank account.
These examples are based on actual incidents, and share a common characteristic: no
technical skills or abilities were needed to break into the system. Social engineering relies on
the friendliness, frustration, or helpfulness of a company employee to reveal the information
necessary to access a system. Social engineering is a difficult security weakness to defend against
because it relies on human nature (“I just want to be helpful”) and not on computer systems.
Social engineering is not limited to telephone calls or dated credentials. One popular
technique called dumpster diving involves digging through trash receptacles to find
computer manuals, printouts, or password lists that have been thrown away. Another
approach is known as phishing, which involves sending people electronic requests for
information that appear to come from a valid source. For example, an attacker might send a
consumer an e-mail message that claims to be from a legitimate organization with which the
user is familiar. The e-mail instructs the user to click a link in the message to go to the
company’sWeb site to receive a gift as a valued customer. However, the link actually takes the
consumer to a fake Web site that looks identical to the real site.The user is asked to verify
or update bank account or credit card information, which the attacker then steals.
Social engineering is best defeated in two ways. First, you should develop strong procedures
in the form of instructions or company policies regarding when passwords are given out,
who can enter the premises, and what to do when asked questions by another employee that
may reveal protected information. The second way to defeat social engineering is by
educating all employees about the policies and ensuring that these policies are followed.
Password Guessing
A password is a secret combination of letters and numbers that validates or authenticates a
user. Passwords are used with usernames to log on to a system, using a dialog box such as the
one shown in Figure 2-1. A username is a unique identifier, such as Jsmith, Traci_Li, or
Administrator. While anyone could type the person’s username, only that person would
know the valid password.
Figure 2-1 Username and password (the logon dialog: to log on to this system, you must
enter or select a username and then enter the correct password for that user)

Although passwords are the first and sometimes only line of defense for a computer system,
passwords provide weak security for several reasons. Most users today have an average of 10
different passwords for the computers and applications they access, such as computers at
work, school, and home, e-mail accounts, banks, and Internet stores. The sheer number of
passwords makes it difficult to remember all of them. In addition, some passwords expire
after a set period of time, such as 30 days, and a new one must be created. This makes it even
more difficult to remember the current password. Finally, some computer systems prevent a
previously used password from being “recycled” and used again. For these reasons, many
users implement weak passwords, which compromise security. Characteristics of weak
passwords include:
■
Passwords that are short (such as XYZ)
■
A common word used as a password (such as blue)
■
Personal information in a password (such as the name of a pet)
■
Using the same password for all accounts
■
Writing the password down and leaving it under the mouse pad or keyboard
■
Not changing passwords unless forced to do so
Attackers attempt to exploit weak passwords by password guessing. Password-guessing
attacks fall into three categories.The first type of attack is brute force, in which an attacker
attempts to create every possible password combination by systematically changing one
character at a time in a hypothetical password, and then using each newly generated
password to access the system. For example, if a password contains four numbers, such as
4983, the brute force attack starts with the combination 0000 and attempts to use that as the
password. If it fails, the next attack is 0001, then 0002, and so on until all possible
combinations are exhausted.
Although it may at first appear that a brute force attack could take a long time, it actually may
not. In the 4983 example, if a password consists of four numbers, then there are 10 × 10 ×
10 × 10 or 10,000 possible combinations. A standard personal computer can easily create
more than 1,000,000 possible password combinations per second.
Brute force password attack programs are readily available on the Internet.
Although most personal computers can be set to lock out an account after a set number of
bad attempts at a password (typically three), it is not always possible to set this limitation on
all computers, such as a pool of Web servers. To circumvent the “three strikes” limitation,
attackers attempt to copy the file containing all of the user passwords from the file server
onto their own computer and then try as many combinations as needed to crack the
passwords using brute force. On some earlier versions of Microsoft Windows (Windows 95,
98, ME, and early NT versions), attackers did not even need a password file from a particular
computer to know how a given password would be stored there: the stored value was a hash
computed without a per-account salt, so the same password produced the same hash on every
Windows computer. For example, the password “Sunday” on System A was hashed to the same
value as “Sunday” on System B, which lets an attacker hash each guess once and reuse the
result against every stolen password file. (The NT hash used by later Windows versions is
also unsalted.)
Windows 2000 and XP passwords are stored in a file called SAM (Security
Accounts Manager) that is located in the Windows\System32\Config directory.
On Linux, the account list is in /etc/passwd, but the password hashes themselves are kept in
/etc/shadow, which only root can read.
The second type of password guessing is a dictionary attack. Unlike a brute force attack
in which all possible combinations are used, a dictionary attack takes each word from a
dictionary and encodes it (called hashing) in the same way the computer encodes a user’s
password. Attackers then compare the encoded dictionary words against those in the
encoded password file.When attackers find a match, they know which dictionary word is the
password. Figure 2-2 shows a dictionary attack.
Figure 2-2 Dictionary attack (each dictionary word, such as abacus, acorn, after, agree, ajar,
alarm, and ameliorate, is run through the same hashing as the system uses, and the hashing
results are compared with the encoded password file taken from the file server; one result,
*9%4#Bhg, matches an entry in the file, revealing that user’s password)
During World War II, British code breakers used a dictionary attack to help break
German coded messages.
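The following C program, added here as a worked example and not taken from the book, puts the two password-guessing attacks just described side by side: a brute force walk over the 10,000 possible four-digit passwords, and a dictionary attack in the style of Figure 2-2 that hashes each word the way the system does and compares the result with a stolen hash. The hash function (toy_hash, a 32-bit FNV-1a) is an assumption standing in for whatever the real system uses; the word list and the “stolen” hashes are constructed for the example, and the function names are the example’s own. It also demonstrates the point made above about early Windows: a hash computed without a per-account salt can be precomputed once and matched against every stolen file, whereas a salted hash forces the attacker to redo the whole dictionary for each account.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the system's password hash (assumption: a real system would
 * use crypt(3), the NT hash, bcrypt, and so on). 32-bit FNV-1a over the
 * optional salt followed by the candidate password. The attack logic is the
 * same whatever the hash; only the cost per guess changes. */
uint32_t toy_hash(const char *salt, const char *candidate)
{
    uint32_t h = 2166136261u;            /* FNV offset basis */
    const char *p;
    for (p = salt; *p != '\0'; p++) {
        h ^= (unsigned char)*p;
        h *= 16777619u;                  /* FNV prime */
    }
    for (p = candidate; *p != '\0'; p++) {
        h ^= (unsigned char)*p;
        h *= 16777619u;
    }
    return h;
}

/* Brute force over a four-digit numeric password: 10 x 10 x 10 x 10 = 10,000
 * guesses, tried as 0000, 0001, ... exactly as the text describes. Returns the
 * PIN whose hash matches target, or -1 if the keyspace is exhausted. */
int brute_force_pin(uint32_t target, const char *salt)
{
    char guess[5];
    int pin;
    for (pin = 0; pin < 10000; pin++) {
        snprintf(guess, sizeof guess, "%04d", pin);
        if (toy_hash(salt, guess) == target)
            return pin;
    }
    return -1;
}

/* A constructed word list in the spirit of Figure 2-2 (real attacks use lists
 * of millions of words and previously leaked passwords). */
static const char *const DICTIONARY[] = {
    "abacus", "acorn", "after", "agree", "ajar", "alarm", "ameliorate", "sunday"
};
#define DICTIONARY_LEN (sizeof DICTIONARY / sizeof DICTIONARY[0])

/* Dictionary attack: hash every word the way the system does and compare the
 * result with the stolen hash. Returns the index of the matching word, or -1. */
int dictionary_attack(uint32_t target, const char *salt)
{
    size_t i;
    for (i = 0; i < DICTIONARY_LEN; i++)
        if (toy_hash(salt, DICTIONARY[i]) == target)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed "stolen hash file": two accounts, both chose "sunday". */
    uint32_t unsalted = toy_hash("",   "sunday");   /* old Windows style: no salt */
    uint32_t salted   = toy_hash("x7", "sunday");   /* per-account salt "x7" */
    int hit;

    hit = brute_force_pin(toy_hash("", "4983"), "");
    printf("brute force recovered PIN %04d\n", hit);

    hit = dictionary_attack(unsalted, "");
    printf("unsalted hash matched dictionary word #%d (%s)\n",
           hit, hit >= 0 ? DICTIONARY[hit] : "none");

    /* A table of hashes precomputed with no salt does not match a salted hash,
     * so a per-account salt forces the attacker to redo the whole dictionary
     * for every account. */
    hit = dictionary_attack(salted, "");
    printf("precomputed (unsalted) table against salted hash: %d (miss)\n", hit);
    hit = dictionary_attack(salted, "x7");
    printf("dictionary rerun with the account's salt: word #%d\n", hit);
    return 0;
}
```

Both attacks are offline: nothing here talks to the logon prompt, which is why the “three strikes” lockout mentioned above does not slow them down once the hash file has been copied. Swapping toy_hash for a deliberately slow hash such as bcrypt changes only the cost per guess, but against a 10,000-entry keyspace that cost is the whole defense.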
The third type of attack is software exploitation. This attack takes advantage of any
weakness in software to bypass security that requires a password. One of the most common
exploitations is a buffer overflow, which occurs when a computer program attempts to
stuff more data into a temporary storage area (a buffer) than it can hold. The extra data
overwrites valid computer data, and can contain instructions telling the computer what to
do, such as allowing an unauthorized person to access the computer. Although a computer
program should check the size of the data going into the buffer to prevent extra data from
entering, a bug in the program might omit the length check and allow the data to overwrite
adjacent memory, including other code or control data. Memory-safe programming languages
check array bounds at run time and stop the write instead of letting the overflow occur.
Buffer overflow is not limited to bypassing passwords, but can be used in a
variety of attacks.
In Figure 2-3, the buffer for a program is six characters and is adjacent to another computer
storage area that contains instructions for the computer. If data more than six characters long
is stuffed into the buffer (such as “ABCDEF LET SMITH IN WITHOUT PASSWORD”),
the extra data overwrites the computer instruction storage area and gives an instruction to
the computer to allow a hacker to access the system.This is illustrated in Figure 2-4.
Figure 2-3 Buffer and instruction space (a six-character buffer, positions 1 through 6, sits
directly beside the computer instruction area, which holds Print, Run program, and Accept
keyboard input)
Although it is an easy task to check for buffer overflow, many computer programs contain
design flaws that omit this critical step. In one of the most notorious buffer overflow attacks,
discovered in July of 2000, Microsoft Outlook and Outlook Express let attackers breach a
computer’s security by simply sending an e-mail message that contained a buffer overflow.
The user did not have to read or open the message for the malicious instructions to be
written into the program instruction area. (This flaw has now been fixed.)
Copyright © 2005 by Course Technology. All rights reserved.This publication is protected by federal copyright law. No part of this publication
may be reproduced without prior permission in writing from Course Technology. Some of the product names and company names have been
used for identification purposes only and may be trademarks or registered trademarks of their respective manufactures and sellers.
32677_02 6/22/2004 10:54:8 Page 40
Figure 2-4 Buffer overflow into instruction space: the buffer now holds A through F, and the
overflow text LET SMITH IN WITHOUT PASSWORD has overwritten the Print instruction; Run
program and Accept keyboard input follow it.
Recent AMD processors (and, since then, Intel and ARM processors as well) support a
no-execute (NX) bit that marks memory pages holding data, such as input buffers, as
non-executable. The overflow still overwrites adjacent memory, but code the attacker
smuggles into a data buffer cannot be run from there. Microsoft Windows XP Service Pack 2
must be installed to take advantage of this feature, which Windows calls Data Execution
Prevention (DEP).
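The following is an added example, not code from the textbook, that models Figures 2-3 and 2-4 in C. A single byte array stands in for memory: the first six bytes are the buffer and the bytes after it are the adjacent instruction area. store_unchecked copies its input with no length check, so the book’s 36-character string spills into the instruction area; store_checked is the same routine with the missing check added. The region struct, the function names and the sample input are assumptions of this example, and the model clamps the copy to its backing array so that the demonstration itself stays within defined behavior, something a real overflow does not do (and something DEP does not prevent either: DEP stops the smuggled bytes from executing, not from being written).

```c
#include <stdio.h>
#include <string.h>

/* Layout from Figure 2-3: a six-character buffer followed by the
 * instruction area. Both live in one flat array so that the spill from
 * one into the other can be observed without undefined behavior. */
enum { BUF_SIZE = 6, INSTR_SIZE = 40, MEM_SIZE = BUF_SIZE + INSTR_SIZE };

struct region {
    char mem[MEM_SIZE];        /* [0, BUF_SIZE) buffer, the rest instructions */
};

/* Zero the region and load the legitimate instruction text. */
static void region_init(struct region *r, const char *instruction)
{
    memset(r->mem, 0, sizeof r->mem);
    snprintf(r->mem + BUF_SIZE, INSTR_SIZE, "%s", instruction);
}

/* The instruction area, always NUL-terminated because of region_init. */
static const char *region_instructions(const struct region *r)
{
    return r->mem + BUF_SIZE;
}

/* VULNERABLE: no length check. Whatever length the caller supplies is
 * copied, so input longer than BUF_SIZE overwrites the instruction area.
 * (Clamped to MEM_SIZE only to keep this model inside its array; a real
 * program would keep writing past the end of its allocation.) */
static int store_unchecked(struct region *r, const char *input)
{
    size_t len = strlen(input);
    if (len > MEM_SIZE - 1)
        len = MEM_SIZE - 1;
    memcpy(r->mem, input, len);
    return 0;
}

/* FIXED: the check the text says buggy programs omit. Input that does
 * not fit in the six-byte buffer is refused and nothing is written. */
static int store_checked(struct region *r, const char *input)
{
    size_t len = strlen(input);
    if (len > BUF_SIZE)
        return -1;                 /* would overflow: reject it */
    memset(r->mem, 0, BUF_SIZE);
    memcpy(r->mem, input, len);
    return 0;
}

/* The scenario of Figure 2-4 (constructed input): returns 1 if the
 * instruction area ended up containing the smuggled instruction. */
static int overflow_overwrites_instructions(void)
{
    struct region r;
    region_init(&r, "Print");
    store_unchecked(&r, "ABCDEF LET SMITH IN WITHOUT PASSWORD");
    return strstr(region_instructions(&r), "LET SMITH IN WITHOUT PASSWORD") != NULL;
}

/* Same input through the checked version: returns 1 if the input was
 * refused and the instruction area is untouched. */
static int check_blocks_overflow(void)
{
    struct region r;
    region_init(&r, "Print");
    int rc = store_checked(&r, "ABCDEF LET SMITH IN WITHOUT PASSWORD");
    return rc == -1 && strcmp(region_instructions(&r), "Print") == 0;
}

int main(void)
{
    printf("unchecked copy overwrote instructions: %s\n",
           overflow_overwrites_instructions() ? "yes" : "no");
    printf("checked copy refused the input:        %s\n",
           check_blocks_overflow() ? "yes" : "no");
    return 0;
}
```

The check in store_checked is the whole fix: the length of the input is compared with the size of the destination before a single byte is copied. In real C code the same idea appears as bounded copies (snprintf, strlcpy, memcpy with a verified length) in place of strcpy and gets.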
Password-guessing attacks can be minimized by establishing strong password policies and
then enforcing those policies. Following are some of the policies that can minimize
password-guessing attacks:
■ Passwords must have at least eight characters.
■ Passwords must contain a combination of letters, numbers, and special characters.
■ Passwords should expire at least every 30 days.
■ Passwords cannot be reused for 12 months.
■ The same password should not be used on two or more systems.
Two further controls matter at least as much as composition rules: lock out or throttle an
account after a small number of failed attempts, so that online guessing is slow, and store
passwords only as salted hashes, so that a stolen password file cannot simply be read. Note
also that current guidance (NIST SP 800-63B) no longer recommends forcing users to change
passwords on a fixed schedule, because scheduled rotation tends to produce predictable
variations of the old password; change a password when there is reason to believe it has
been compromised.
Passwords on Windows XP systems can be enhanced by using a space in the
password or by using nonprintable characters. You can create these special
characters by holding down the Alt key and entering a value on the numeric
keypad.
Weak Keys
Cryptography, from two Greek words—crypto, meaning hidden, and graph, meaning
writing—is the science of transforming information so that it is secure while it is being
transmitted or stored. Cryptography does not attempt to hide the existence of the data (that
is known as steganography); instead it “scrambles” the data so that it cannot be viewed by
unauthorized users.
Cryptography dates back centuries. One of the most famous ancient cryptographers was
Julius Caesar.When sending written messages to his generals, Caesar shifted each letter three
places down in the alphabet, so that an A was replaced by a D, a B was replaced by an E, and
so forth. Changing the original text to a secret message using cryptography is known as
encryption. When Caesar’s generals received his messages, they reversed the process (such
as replacing a D with an A) to change the secret message back to its original form. This is
called decryption.
The success of cryptography depends on the process used to encrypt and decrypt messages.
This process is based on a procedure called an algorithm. The algorithm is given a value
known as a key that it uses to encrypt the message. For example, when Caesar devised his
simple substitution method and realized he could shift letters of the alphabet to encrypt a
message, he decided to shift each letter by three positions, thereby choosing the number 3 as
the key. His algorithm involved taking any letter of the alphabet, determining its position in
the alphabet (A=1, B=2, etc.), and adding the key value (3) to that position, wrapping around
from Z back to A. Decryption is the same algorithm run with the shift reversed, so the
algorithm itself can be public as long as the key stays secret.
A substitution algorithm like Caesar’s is far too simple for contemporary use. There are only
25 possible keys, so an attacker can simply try them all, and because every occurrence of a
letter is replaced by the same letter, the ciphertext keeps the letter-frequency pattern of the
original language. Attackers could examine a paragraph of Caesar’s text and quickly
determine the key, which would give them everything needed to decrypt Caesar’s messages.
Instead, much more sophisticated algorithms using mathematical keys are the basis for
modern cryptography. However, even a sound algorithm can have particular keys that make it
behave in a detectably regular way, and such keys give an attacker valuable information for
breaking the encryption. Keys of this kind are known as weak keys. The classic example is
DES, which has four weak keys for which encrypting a block twice with the same key returns
the original plaintext, and a further set of semi-weak key pairs in which one key undoes the
other.
Many cryptographic algorithms have one or more groups or classes of weak keys. However,
this does not necessarily mean the algorithm is unusable: the weak keys are a tiny fraction of
the key space, and an implementation can simply refuse to generate them. The best defense
against weak keys is to be aware of the known sets of weak keys for the specific algorithm in
use and to exclude them. Also, long keys (at least 128 bits for a symmetric cipher) are far less
likely to be found by exhaustive search.
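An added example (written for this page, not taken from the book) of Caesar’s algorithm with its key, followed by the exhaustive key search that makes the cipher unusable today: there are only 25 keys to try, and a crude letter-frequency score picks out the right one. The plaintext, the set of scoring letters and the function names are assumptions for the demonstration. Note that key 0 is this cipher’s own degenerate weak key: it leaves the message unchanged.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ALPHABET 26

/* Caesar's algorithm: shift every letter by `key` positions, wrapping Z
 * back to A. Case is preserved and non-letters pass through unchanged.
 * Decryption is the same routine called with ALPHABET - key. `out` must
 * have room for strlen(in) + 1 bytes. */
static void caesar(const char *in, char *out, int key)
{
    size_t i;
    key = ((key % ALPHABET) + ALPHABET) % ALPHABET;   /* normalise to 0..25 */
    for (i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isupper(c))
            out[i] = (char)('A' + (c - 'A' + key) % ALPHABET);
        else if (islower(c))
            out[i] = (char)('a' + (c - 'a' + key) % ALPHABET);
        else
            out[i] = (char)c;
    }
    out[i] = '\0';
}

/* Convenience: 1 if shifting `in` by `key` yields `expected`. */
static int caesar_matches(const char *in, int key, const char *expected)
{
    char buf[256];
    if (strlen(in) >= sizeof buf)
        return 0;
    caesar(in, buf, key);
    return strcmp(buf, expected) == 0;
}

/* Crude "does this look like English?" score: count letters that belong
 * to the twelve most common English letters. Real cryptanalysis compares
 * full frequency tables, but this is enough to rank 25 candidates. */
static int english_score(const char *s)
{
    static const char common[] = "ETAOINSHRDLU";
    int score = 0;
    for (; *s != '\0'; s++)
        if (isalpha((unsigned char)*s) && strchr(common, toupper((unsigned char)*s)))
            score++;
    return score;
}

/* Exhaustive key search: decrypt with every nontrivial key and return the
 * one whose candidate plaintext scores highest (0 if the input is too long
 * for the scratch buffer). */
static int recover_key(const char *ciphertext)
{
    char candidate[256];
    int best_key = 0, best_score = -1, key;
    if (strlen(ciphertext) >= sizeof candidate)
        return 0;
    for (key = 1; key < ALPHABET; key++) {
        caesar(ciphertext, candidate, ALPHABET - key);    /* undo shift `key` */
        int score = english_score(candidate);
        if (score > best_score) {
            best_score = score;
            best_key = key;
        }
    }
    return best_key;
}

int main(void)
{
    /* Constructed plaintext standing in for one of Caesar's dispatches. */
    const char *plain = "ATTACK THE GAULS AT DAWN AND SEND REINFORCEMENTS";
    char cipher[256], recovered[256];
    caesar(plain, cipher, 3);
    int key = recover_key(cipher);
    caesar(cipher, recovered, ALPHABET - key);
    printf("ciphertext : %s\nkey found  : %d\nplaintext  : %s\n",
           cipher, key, recovered);
    return 0;
}
```

The search loop is the point: a key space of 25 is exhausted in 25 trials, so no key of this cipher is strong, and the frequency score recovers the key from a single sentence because substitution preserves the statistics of the plaintext.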
Mathematical Attacks
Cryptanalysis is the process of attempting to break an encrypted message without the key.
One type of cryptanalysis is a mathematical attack, which often develops a statistical analysis
of the characters in an encrypted text (for example, how often each symbol or pair of
symbols appears), and then compares those statistics with the known frequencies of the
plaintext language to discover the key and decrypt the data. Although this would take an
enormous amount of time by hand, modern computers make mathematical attacks of this
nature much more feasible.
Such attacks succeed only when the ciphertext retains some structure of the plaintext, so
the first defense is a modern cipher designed so that its output is statistically
indistinguishable from random data. Beyond that, avoid giving the attacker material to work
with: do not encrypt the same message repeatedly under the same key in a deterministic way,
since identical ciphertexts reveal identical plaintexts, and remember that if the attacker
already knows the original message, seeing it encrypted under several different keys or
settings gives him known-plaintext pairs that make finding the keys easier.
Birthday Attacks
When you meet someone for the first time, there is a 1 in 365 chance (0.27%) that he has
the same birthday as you. The chance that someone in a group shares your birthday grows
slowly as the group grows: among 23 people it is still only about 6%. However, the chance
that some two people in the group share a birthday with each other grows much faster,
because every pair of people is another opportunity for a match. In a group of 23 people it is
already over 50%, not the roughly 6.3% (23 in 365) that intuition suggests, and in a group of
60 people the probability leaps to over 99% that two of them share a birthday. This
phenomenon is called the birthday paradox.
In cryptography, the birthday paradox is significant. When choosing values at random, such
as keys, nonces, or the outputs of a hash function, you might assume that duplicates will be
rare until a large part of the space has been used. However, if you pick random values from a
space of N possibilities, a duplicate appears after only about the square root of N picks, much
like meeting someone who shares your birthday. That is, even with random selection,
duplicate values appear quickly. A birthday attack is an attack on a cryptographic system
that exploits the mathematics underlying the birthday paradox.
Attackers use a birthday attack to find two messages that hash to the same value (a
collision) in much less time than it takes to find a message that hashes to a preset value. For a
hash function with an n-bit output, a collision is expected after roughly 2 to the power n/2
attempts, whereas matching a given value takes about 2 to the power n. To defend against a
birthday attack, use a hash function whose output is large enough that 2 to the power n/2 is
still out of reach: a 256-bit hash such as SHA-256 offers about 128 bits of collision resistance,
whereas a 128-bit hash offers only 64, which is why 128-bit hashes are no longer considered
collision resistant.
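An added example (written for this page, not from the book) in C that puts numbers on both halves of this section: the birthday probabilities quoted above, computed exactly, and a collision search against a hash deliberately truncated to 20 bits, which finds two different messages with the same digest after on the order of the square root of 2 to the 20th (roughly a thousand) attempts, while hitting one chosen digest takes on the order of 2 to the 20th. The hash is FNV-1a with a mixing finalizer, a toy stand-in for a real digest; the message format, the truncation width and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Probability that at least two of n people share a birthday
 * (1 minus the probability that all n birthdays are distinct). */
static double p_any_pair(int n)
{
    double p_none = 1.0;
    for (int i = 0; i < n; i++)
        p_none *= (365.0 - i) / 365.0;
    return 1.0 - p_none;
}

/* Probability that at least one of n people shares *your* birthday: the
 * much smaller number the "23 in 365" intuition is actually about. */
static double p_matches_you(int n)
{
    double p_none = 1.0;
    for (int i = 0; i < n; i++)
        p_none *= 364.0 / 365.0;
    return 1.0 - p_none;
}

#define TRUNC_BITS 20
#define SPACE ((uint32_t)1 << TRUNC_BITS)

/* Toy hash: 32-bit FNV-1a, a bit-mixing finalizer so the low bits are
 * well distributed, then truncation to TRUNC_BITS. NOT a cryptographic
 * hash; it only needs to behave randomly enough for the counting here. */
static uint32_t toy_hash(const char *msg)
{
    uint32_t h = 2166136261u;
    for (; *msg != '\0'; msg++) {
        h ^= (unsigned char)*msg;
        h *= 16777619u;
    }
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h & (SPACE - 1);
}

/* Birthday (collision) search: hash "msg-0", "msg-1", ... and stop at the
 * first digest seen twice. Writes the colliding pair into a and b and
 * returns how many messages were hashed (0 on allocation failure). */
static uint32_t find_collision(char *a, char *b, size_t cap)
{
    uint32_t *seen = calloc(SPACE, sizeof *seen); /* index+1 of first msg */
    if (seen == NULL)
        return 0;
    for (uint32_t i = 0; ; i++) {            /* pigeonhole: ends by SPACE */
        char msg[32];
        snprintf(msg, sizeof msg, "msg-%u", (unsigned)i);
        uint32_t h = toy_hash(msg);
        if (seen[h] != 0) {
            snprintf(a, cap, "msg-%u", (unsigned)(seen[h] - 1));
            snprintf(b, cap, "msg-%u", (unsigned)i);
            free(seen);
            return i + 1;
        }
        seen[h] = i + 1;
    }
}

/* Preimage search for comparison: candidates tried until one hashes to
 * the digest of `target` (capped at `limit`; 0 = not found). */
static uint32_t preimage_trials(const char *target, uint32_t limit)
{
    uint32_t want = toy_hash(target);
    for (uint32_t i = 0; i < limit; i++) {
        char msg[32];
        snprintf(msg, sizeof msg, "msg-%u", (unsigned)i);
        if (toy_hash(msg) == want)
            return i + 1;
    }
    return 0;
}

/* Run the collision search and verify it: the trial count is returned only
 * if the two messages differ and really share a digest. */
static uint32_t verified_collision_trials(void)
{
    char a[32], b[32];
    uint32_t trials = find_collision(a, b, sizeof a);
    if (trials == 0 || strcmp(a, b) == 0 || toy_hash(a) != toy_hash(b))
        return 0;
    return trials;
}

int main(void)
{
    printf("P(any two of 23 share) = %.4f   P(one of 23 shares yours) = %.4f\n",
           p_any_pair(23), p_matches_you(23));
    printf("P(any two of 60 share) = %.4f\n", p_any_pair(60));
    printf("collision after %u hashes, preimage after %u hashes (space 2^%d)\n",
           (unsigned)verified_collision_trials(),
           (unsigned)preimage_trials("target-message", SPACE * 16), TRUNC_BITS);
    return 0;
}
```

The gap between the two counts is the whole reason hash output sizes are doubled relative to the security level wanted: truncating to 20 bits makes the collision cost about 2 to the 10th, and the same arithmetic turns a 128-bit hash into a 64-bit collision problem.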
EXAMINING IDENTITY ATTACKS
Another category of attacks are those in which the attacker attempts to assume the identity
of a valid user. The three types of identity attacks are man-in-the-middle, replay, and
Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking attacks.
Man-in-the-Middle Attacks
Suppose that Alice, an elementary school student, is in danger of receiving a poor grade in
math. Her teacher mails a letter to Alice’s parents requesting a conference. However, Alice
waits for the mail, takes the original letter from the mailbox, and replaces it with a
counterfeit letter that praises her for her math work. She also forges her parents’ signature on
the original letter to decline a conference, and mails it back to the teacher.The parents read
the fake letter and compliment Alice on her hard work, while Alice’s teacher wonders why
Alice’s parents do not want a conference. Alice has conducted a man-in-the-middle
attack by intercepting communication from her teacher to her parents and forging a
response to the teacher.
Man-in-the-middle attacks on computer information are common attacker tools.This type
of attack makes it seem that two computers are communicating with each other, when
actually they are sending and receiving data with a computer between them, or the “man in
the middle.” In Figure 2-5, Computer A and Computer B are communicating without
recognizing that an attacker, as the man in the middle, is intercepting their transmissions.
One example of a man-in-the-middle attack is a hacker who sets up his own
Web site to look like a legitimate site. The hacker then intercepts the data
intended for the real site to steal passwords and credit card numbers. He can
also send data back to the unsuspecting user from his own Web site.
Figure 2-5 Man-in-the-middle attack: Computer A thinks it is talking to Computer B, and
Computer B thinks it is talking to Computer A, but the man in the middle sits between them
and intercepts the communications in both directions.
Man-in-the-middle attacks can be active or passive. In a passive attack, the attacker captures
the sensitive data that is being transmitted and then sends it on to the original recipient
without his presence being detected. In an active attack, the contents of the message are
intercepted and altered before they are sent on.
The principal defense is end-to-end authentication of both parties combined with
encryption, so that the attacker can neither read the traffic nor impersonate either end:
protocols such as TLS (with the server certificate actually verified by the client) and SSH
(with host keys checked) are designed for exactly this. On a local network, switch features
that refuse forged address updates, such as static ARP entries or dynamic ARP inspection,
stop an attacker from redirecting traffic through his machine in the first place.
Replay
A replay attack is similar to an active man-in-the-middle attack. However, whereas an
active man-in-the-middle attack changes the contents of a message before sending it on, a
replay attack simply captures a message and then sends it again later (replays it).
A replay attack takes advantage of the communications between a network device and a file
server. Administrative messages that contain specific network requests are frequently sent
between a network device and a file server. Once the file server receives the message, it
responds with another administrative message to the sender. Each of these transmissions is
encrypted to prevent an attacker from seeing the contents, and also carries an integrity code
that indicates whether it has been tampered with. The server checks the code; if it detects
that a message has been tampered with, it does not respond.
Using a replay attack, an attacker could capture the message sent from the network device
to the server. Later, he could send that original message to the server unchanged, and because
the integrity code still checks out, the server would respond, thinking the message came
from a valid device. Now a “trusted” relationship has been established between the attacker
and the server. Because the attacker knows that he will receive a response whenever he sends
a message the server accepts, he can begin to change the content of the captured message
and its code bit by bit, using the server’s response or silence as an oracle. He’ll know he’s
made a correct modification when the server responds. Eventually, the attacker might be able
to decrypt the entire message. Figure 2-6 illustrates a replay attack.
Replay attacks are prevented by making every message unique, so that a copy is recognizable
as a copy: the sender includes a sequence number, a timestamp, or a random value chosen by
the recipient (a nonce) inside the part of the message the integrity code covers, and the
recipient rejects any message whose number it has already seen or whose timestamp is stale.
Authentication protocols such as Kerberos and TLS build this in, and network equipment
that is properly configured to use such protocols rejects a replayed message outright.
Figure 2-6 Replay attack:
1. The sender sends a message to the file server.
2. The attacker intercepts the message.
3. The attacker sends the captured message to create a link with the file server; the file
server creates the link with the attacker.
4. The attacker alters the message and sends it to the server; the server rejects the altered
message.
5. The attacker alters the message correctly and sends it to the file server; the server accepts
the correctly altered message.
6. The attacker now knows how to decrypt the message.
TCP/IP Hijacking
With man-in-the-middle attacks and replay, the attacker intercepts messages that are
intended for a valid device.What if the attacker sets up a device that appears to be valid and
tricks other users to send their messages to it? That is essentially what TCP/IP hijacking
involves.
With wired networks, TCP/IP hijacking uses a technique known as spoofing, which is the
act of pretending to be the legitimate owner of an address when in reality you are not. One
particular type of spoofing is Address Resolution Protocol (ARP) spoofing. To understand
ARP spoofing, remember that each computer using TCP/IP must have a unique IP address. In
addition, certain types of local area networks (LANs), such as Ethernet, also use another
address, called the media access control (MAC) address, to move frames around the local
network. ARP is the protocol a computer uses to ask “who has this IP address?” and learn the
matching MAC address, and each computer keeps a table, the ARP cache, that links an IP
address with the corresponding MAC address, as shown in Figure 2-7.
In an ARP spoofing attack, the attacker sends forged ARP replies claiming that a victim’s IP
address belongs to the attacker’s MAC address. Computers on the network update their
tables accordingly, so frames meant for the victim are delivered to the attacker’s computer
instead, as shown in Figure 2-8. With TCP/IP hijacking, the attacker uses ARP spoofing to
send information from the user’s computer to the attacker’s computer instead of to a valid
computer; if the attacker then forwards the traffic on to its real destination, the result is a
man-in-the-middle position on the LAN.
On wireless networks, TCP/IP hijacking can add a new twist. Because wireless devices
communicate with a central device similar to a base station (the access point), an attacker
could set up his own access point with the same network name and a stronger signal and
trick wireless devices into associating with the imposter access point (often called an “evil
twin”) instead of the legitimate one. Figure 2-9 shows TCP/IP hijacking on a wireless
network.
Figure 2-7 Address table. Each computer on the network is known by both addresses:
IP address 206.23.19.233, MAC address 00-50-F2-7C-69-32
IP address 206.23.19.101, MAC address 01-40-A1-36-21-03
IP address 206.23.19.32, MAC address 02-59-B2-52-C5-01
The table kept by the computer at 206.23.19.233 lists all three pairs:
IP address | MAC address
206.23.19.233 | 00-50-F2-7C-69-32
206.23.19.101 | 01-40-A1-36-21-03
206.23.19.32 | 02-59-B2-52-C5-01

Figure 2-8 ARP spoofing. The attacker’s computer (IP address 206.23.19.49, MAC address
06-32-A5-A9-34-89-01) has changed the entry for 206.23.19.32 in the table, so data for that
computer is redirected to the attacker’s computer:
IP address | MAC address
206.23.19.233 | 00-50-F2-7C-69-32
206.23.19.101 | 01-40-A1-36-21-03
206.23.19.32 | 06-32-A5-A9-34-89-01 (MAC address changed; was 02-59-B2-52-C5-01)
The computer at 206.23.19.32 (MAC address 02-59-B2-52-C5-01) is still on the network but
no longer receives the data.
Figure 2-9 Wireless network TCP/IP hijacking: wireless clients that should associate with
the authentic access point are lured to an imposter access point instead.
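An added example, written for this page rather than taken from it, of the detection side of ARP spoofing: a small monitor in the spirit of arpwatch that learns each IP-to-MAC binding from the ARP replies it sees and alerts when an address changes hands, which is exactly what happens to 206.23.19.32 in Figure 2-8. The replies fed to it are constructed from the addresses printed in Figures 2-7 and 2-8 (the attacker’s MAC address is kept exactly as the figure prints it, with seven groups); the struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define IP_LEN 16
#define MAC_LEN 24

struct arp_entry {
    char ip[IP_LEN];
    char mac[MAC_LEN];
};

struct arp_monitor {
    struct arp_entry table[MAX_ENTRIES];   /* learned IP -> MAC bindings */
    int count;
    int alerts;
    char last_alert[128];
};

static void monitor_init(struct arp_monitor *m)
{
    memset(m, 0, sizeof *m);
}

/* Feed one observed ARP reply ("ip is at mac"). Returns 0 when the pair
 * is new or matches what was learned before, 1 when the IP is now claimed
 * by a different MAC (possible ARP spoofing), -1 if the table is full.
 * The first binding seen is kept, so one forged reply cannot silently
 * replace it; a real tool would also cross-check the switch port. */
static int monitor_observe(struct arp_monitor *m, const char *ip, const char *mac)
{
    for (int i = 0; i < m->count; i++) {
        if (strcmp(m->table[i].ip, ip) != 0)
            continue;
        if (strcmp(m->table[i].mac, mac) == 0)
            return 0;                          /* consistent with history */
        snprintf(m->last_alert, sizeof m->last_alert,
                 "ALERT: %s changed from %s to %s", ip, m->table[i].mac, mac);
        m->alerts++;
        return 1;
    }
    if (m->count == MAX_ENTRIES)
        return -1;
    snprintf(m->table[m->count].ip, IP_LEN, "%s", ip);
    snprintf(m->table[m->count].mac, MAC_LEN, "%s", mac);
    m->count++;
    return 0;
}

/* Replay the figures' traffic through a monitor and return it. The first
 * four replies are the legitimate hosts plus the attacker's own address;
 * the fifth is the forged reply from Figure 2-8; the last is a normal
 * repeat, which must not alert. (Constructed sample, not captured data.) */
static const struct arp_monitor *run_sample(void)
{
    static struct arp_monitor m;
    static const struct arp_entry replies[] = {
        { "206.23.19.233", "00-50-F2-7C-69-32" },
        { "206.23.19.101", "01-40-A1-36-21-03" },
        { "206.23.19.32",  "02-59-B2-52-C5-01" },
        { "206.23.19.49",  "06-32-A5-A9-34-89-01" },  /* attacker, as printed */
        { "206.23.19.32",  "06-32-A5-A9-34-89-01" },  /* forged: claims .32 */
        { "206.23.19.101", "01-40-A1-36-21-03" },
    };
    monitor_init(&m);
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        monitor_observe(&m, replies[i].ip, replies[i].mac);
    return &m;
}

static int sample_alert_count(void)
{
    return run_sample()->alerts;
}

static const char *sample_last_alert(void)
{
    return run_sample()->last_alert;
}

int main(void)
{
    const struct arp_monitor *m = run_sample();
    printf("%d alert(s); %s\n", m->alerts, m->last_alert);
    return 0;
}
```

The monitor does nothing clever: it only remembers what it saw first and complains when the story changes, which is enough because a spoofer must overwrite a binding that legitimate hosts already know. Switches with dynamic ARP inspection apply the same comparison against their DHCP snooping table and drop the forged reply instead of merely logging it.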
IDENTIFYING DENIAL OF SERVICE ATTACKS
Under normal network conditions, a computer opens a TCP connection to a server with a
request to connect (a packet with the SYN flag set). The server responds with a packet that
acknowledges the request and offers to connect (SYN/ACK) and then waits for the computer
to acknowledge that in turn (ACK). To allow for a slow connection, the server might hold this
half-open connection for many seconds before giving up. When the computer’s ACK arrives,
the three-way handshake is complete and the data transfer can begin.
In contrast to a normal network situation, a denial of service (DoS) attack attempts to
make a server or other network device unavailable by flooding it with requests, such as
requests to display a Web page or access a stored file. In the simplest TCP variant the attacker
sends a stream of SYN packets, usually with forged source addresses, and never completes the
handshake. The server “holds the line open” for each one and continues to wait for an ACK
that is not coming, while more SYN packets arrive and fill its table of half-open connections.
After a short time the server runs out of connection slots or memory and can no longer
accept legitimate connections. This is known as a SYN flood (or SYN attack) because it
exploits the SYN/ACK “handshake.” Figure 2-10 shows a server waiting for responses during
a DoS attack. Modern systems defend against SYN floods with SYN cookies, which encode
the connection state in the server’s initial sequence number so that nothing is stored until the
final ACK arrives, and with shorter timeouts for half-open connections.
Figure 2-10 Server waiting for response: Computers A through E each send a request, the
server sends a response to each and is left waiting for a reply from A, from B, from C, from D,
and from E, none of which arrives.
Some DoS programs attempt to manipulate the priority level of a program.
Microsoft Windows assigns priority levels from 0 to 31 to the threads of running
processes. Ordinary application programs run in the dynamic range 1 through 15;
levels 16 through 31 are reserved for real-time work, and a malicious program that
gets itself scheduled there can starve everything else on the machine.
Another DoS attack tricks computers into responding to a false request. On a computer
network, a user might want to know if another computer is turned on and functioning
properly. The user can send a special “Are you there?” message (called a ping, an ICMP echo
request) using the Internet Control Message Protocol (ICMP) that the receiving computer
immediately replies to if it is available. An attacker sends pings to the broadcast address of a
network, so that every computer on it receives them, with the source address forged to be
that of the victim server. Each of the computers then sends its reply to the server,
overwhelming it and causing the server to crash or be unavailable to legitimate users. This is
called a Smurf attack; the intermediate network acts as an amplifier, because one forged
packet produces one reply per host. Routers defeat it by refusing to forward packets
addressed to a network’s broadcast address from outside (disabling directed broadcasts) and
by dropping outbound packets whose source address does not belong to the local network
(ingress filtering).
Some hardware vendors are now including security tools in their products that
allow a security manager to access a network that is under a DoS attack by using
a special management channel that is effectively immune from the attack. Using
regular equipment connected to the network while under attack would not be
possible.
A variant of the DoS is the distributed denial-of-service (DDoS) attack. Instead of using
one computer, a DDoS may use hundreds or thousands of computers. DDoS works in the
following stages:
■ An attacker breaks into a large computer with plenty of disk space and a fast Internet
connection. This computer is called the handler.
■ Special software is loaded onto the handler computer to scan thousands of computers,
looking for those that have a software vulnerability in the operating system.
■ When it locates a computer with a vulnerability, the handler installs software on this
computer, known as a zombie (today more often called a bot), and then moves on to the next
computer. The user of the zombie has no indication that his or her computer has malicious
software installed.
■ The handler instructs all of the zombie computers to flood a specific server with requests.
DDoS attacks have been successfully launched against many large organizations, such as
Microsoft Corporation. These attacks can be difficult to defend against because it is hard to
tell hundreds or thousands of compromised computers apart from legitimate users, and
blocking them one address at a time does not keep up.
According to the security organization Sandvine, five percent of all daily Internet
traffic contains DoS code.
UNDERSTANDING MALICIOUS CODE (MALWARE)
Malicious code, also called malware, consists of computer programs designed to break
into computers or to create havoc on computers.The most common types of malware are
viruses, worms, logic bombs,Trojan horses, and back doors.
According to the security organization Sandvine, Internet service providers
(ISPs) in North America spend more than $245 million annually to combat
malware.
Viruses
A computer virus is a program that secretly attaches itself to another document or program
and executes when that document or program is opened. A virus might contain instructions
that cause problems ranging from displaying an annoying message to erasing files from a hard
drive or causing a computer to crash repeatedly. After it infects one computer, the virus seeks
another computer to attack.
Like their biological counterparts, viruses require a host to carry them from one system to
another. Although viruses once spread mainly by exchanging infected disks, today viruses
spread primarily through e-mail attachments. Modern viruses can send themselves to all the
contacts listed in an e-mail address book. The recipients, seeing they have received a message
from a friend or business associate, might unsuspectingly open the attachment, infect their
computers, and send the virus to others.
The number of known viruses is staggering. According to Sophos, an antivirus software
vendor, more than 89,000 known viruses attack computers, and on average, one new virus
is written and released every hour.
The defense against viruses is antivirus software. This software can scan a computer for
infections and isolate a file that contains a virus. It also can monitor computer activity and
scan all documents, such as e-mail attachments, that might contain a virus.The drawback of
antivirus software is that it must be updated to recognize new viruses. Known as definition
files or signature files, these updates can be downloaded automatically from the Internet
to a user’s computer.
Microsoft claims that fewer than 30 percent of all users have up-to-date
antivirus software installed.
Worms
Another type of malicious code is known as a worm. Although similar in nature, worms are
different from viruses in two regards. First, a virus attaches itself to a computer document,
such as an e-mail message, and is spread by traveling along with the document. A worm, on
the other hand, does not have to be attached to a host document to spread, but can travel by
itself. A second difference is that a virus needs the user to perform some type of action, such
as starting a program or reading an e-mail message, to start the infection. A worm does not
always require action by the computer user to start. Worms can replicate themselves until
they clog all available resources, such as computer memory or the network bandwidth
connection.
Because worms can be self-executing, meaning they exploit a flaw in a service that is already
listening on the network and need no action on the part of the user, many users falsely
believe they are safe because they have not opened an e-mail message or started a program.
A worm of this kind starts on its own without any action from the user, and after it infects a
computer it does its damage at will.
Worms are usually distributed via e-mail attachments as separate executable programs.
Unlike a virus, a worm does not depend on the e-mail message for its survival, but is
self-contained within a separate program and only uses e-mail as a convenient means of
distribution. In many instances, reading the e-mail message starts the worm. However, if the
worm does not start automatically, attackers can trick the user to start the program and
launch the worm.These tricks include:
■ Give the program a name with multiple extensions, such as Readme.txt.exe. This trick
works because Windows hides known extensions by default, so the user only sees
Readme.txt. Users might think this program is only a text file (because of the .txt extension)
when it is actually an executable program (a file with an .exe extension).
■ Give the program a file extension such as .scr, as in Americanflag.scr, which makes it seem
that the file is a harmless screen saver. However, .scr files are actually executable programs.
This trick works because many users are unsure about what types of files are dangerous
executables.
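An added example, not from the book, of the checks a mail gateway or desktop agent can apply to an attachment name to catch the two tricks above, plus the space-before-extension trick used to disguise Trojan horses. The list of executable extensions, the sample names and the function names are my own assumptions; windows_displayed_name shows what a user sees when Windows hides the known extension.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum {
    FLAG_EXEC   = 1,   /* final extension runs as a program */
    FLAG_DOUBLE = 2,   /* a second, innocent-looking extension hides it */
    FLAG_SPACE  = 4    /* whitespace immediately before the final dot */
};

/* Extensions Windows will execute when double-clicked (assumed list). */
static const char *const exec_ext[] = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi", NULL
};

/* Case-insensitive string equality. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int is_exec_ext(const char *ext)
{
    for (int i = 0; exec_ext[i] != NULL; i++)
        if (ci_equal(ext, exec_ext[i]))
            return 1;
    return 0;
}

/* Inspect a file name and return a bitmask of FLAG_* values (0 = nothing
 * suspicious). The final extension is everything after the last dot. */
static int classify_attachment(const char *name)
{
    const char *dot = strrchr(name, '.');
    int flags = 0;
    if (dot == NULL || dot == name || dot[1] == '\0')
        return 0;                              /* no extension to judge */
    if (is_exec_ext(dot + 1)) {
        flags |= FLAG_EXEC;
        /* Readme.txt.exe: walk back over an alphanumeric run looking for a
         * second dot, i.e. an inner extension in front of the real one. */
        size_t i = (size_t)(dot - name);
        while (i-- > 0) {
            if (name[i] == '.') {
                if (name + i + 1 < dot)
                    flags |= FLAG_DOUBLE;
                break;
            }
            if (!isalnum((unsigned char)name[i]))
                break;
        }
    }
    if (isspace((unsigned char)dot[-1]))
        flags |= FLAG_SPACE;                   /* "Notepad .exe" */
    return flags;
}

/* What Windows shows with "Hide extensions for known file types" on:
 * the name with its final extension removed. Returns out. */
static char *windows_displayed_name(const char *name, char *out, size_t cap)
{
    const char *dot = strrchr(name, '.');
    size_t keep = (dot != NULL && dot != name) ? (size_t)(dot - name) : strlen(name);
    if (keep >= cap)
        keep = cap - 1;
    memcpy(out, name, keep);
    out[keep] = '\0';
    return out;
}

/* 1 if the displayed form of `name` equals `expected`. */
static int displays_as(const char *name, const char *expected)
{
    char shown[256];
    return strcmp(windows_displayed_name(name, shown, sizeof shown), expected) == 0;
}

int main(void)
{
    /* Constructed sample names, including the two from the text. */
    const char *samples[] = { "Readme.txt.exe", "Americanflag.scr",
                              "Notepad .exe", "quarterly-report.pdf", "photo.JPG" };
    char shown[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s shown as %-16s flags=%d\n", samples[i],
               windows_displayed_name(samples[i], shown, sizeof shown),
               classify_attachment(samples[i]));
    return 0;
}
```

Readme.txt.exe comes back flagged both as executable and as a double extension, and the displayed name Readme.txt shows exactly what the user would have seen; a gateway that blocks on FLAG_EXEC alone already removes every name in the book’s examples.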
You can protect against worms using a combination of procedures and products. Be sure to
apply operating system patches regularly, avoid downloading files from the Internet if you are
not sure they are safe, and do not open any programs sent to you via e-mail, even if you
recognize the sender. For worms that infect networks, several devices can filter out worms
before they can reach the network itself.
The network devices that can filter out worms are discussed in Chapter 5.
Logic Bombs
Logic bombs are another type of malicious code. A logic bomb is a computer program that
lies dormant until it is triggered by a specific event, such as a certain date being reached on
the system calendar or a person’s rank in an organization dropping below a specified level.
Once triggered, the program can perform many malicious activities. One logic bomb was
planted in a company’s payroll system by an employee.This program was designed so that if
the employee’s name was removed from the payroll (meaning he quit or was fired), the logic
bomb would corrupt the entire computerized accounting system.
Logic bombs are difficult to defend against because they can be a single statement buried in
a computer program that contains hundreds or thousands of lines. Some suggestions to
protect an organization from logic bombs include the following:
■ Use network surveillance and monitoring programs that record the activities of employees
who have clearance to systems that could contain a logic bomb, and then review the activity
records on a regular basis.
■ Create and enforce company policies regarding software development that discourage
planting logic bombs, such as requiring all code to be reviewed by a peer programmer, a
programming group, or a group leader.
■ Use software that compares the original version of the program code with the updated
version and documents any differences.
■ Perform background checks on potential employees who are hired to work in areas in
which logic bombs could be planted. In many cases, employees are dismissed from a previous
employer because of unethical behavior and might continue the behavior on a new job.
■ Watch for employees who have been recently turned down for a promotion, raise, or
bonus. Disgruntled employees are more likely to plant logic bombs. The activities of such an
employee may need to be closely monitored.
■ Treat employees right by providing advancement opportunities, training, regular salary
reviews, and reasonable work environments and workloads. Communicate regularly with all
employees about upcoming successes or potential difficulties. Employees show a much higher
level of satisfaction if they are kept informed of issues. Satisfied employees are far less likely
to hurt an organization.
Trojan Horses
Named after a device used in a Greek legend, a Trojan horse is a program that hides its true
intent and then reveals itself when activated. A Trojan horse might disguise itself as a free
calendar program or other interesting software. Once installed on the user’s computer,
however, it can launch into action.
One of the simplest Trojan horse strategies involves giving a malicious program the name of
a file associated with a benign program. One common trick is to include a space between the
program’s filename and the extension on a Windows computer. For example, the program
with the filename Notepad.exe might be innocent, but a file named “Notepad .exe” (with a
space before the extension) could be a Trojan horse that contains malicious code; at a glance
the two names look the same, and with extensions hidden both appear simply as Notepad. In
addition, the name of the file itself could disguise its true intent, such as Free Antivirus.exe.
Another Trojan horse technique is to combine two or more executable programs into a
single filename. For example, the files Erase_hard_drive_on_april18.exe and Free_screen_
saver.exe could be combined into a single file named Free_for_you.exe. When Free_for_
you.exe is executed, it first installs the malicious program and then executes the benign
program.
Combining programs allows script kiddies to create Trojan horses by inserting
malicious code in benign programs without writing a single line of code
themselves.
You can defend against Trojan horses with the following products:
■ Antivirus tools, which are one of the best defenses against combination programs
■ Special software that alerts you to the existence of a Trojan horse program
■ Anti-Trojan horse software that disinfects a computer containing a Trojan horse
Back Doors
A back door is a secret entrance into a computer of which the user is unaware. Many
viruses and worms install a back door that allows a remote user to access a computer without
the legitimate user’s knowledge or permission.
A back door is an alternative way of entering a computer system. Back doors are often
designed into computer systems to help during the testing phase of the program. For
example, consider a program that requires the user to enter a password. A programmer who
is testing and changing a program would find it cumbersome to make a minor change and
run the program to test it, only to have to log on each time.The programmer could write
a back door to the program, which instructs the computer to bypass the logon security
window if the F4 key is pressed while the program is loading. This back door program is
intended to be removed from the software prior to its final release. However, the program
with the back door is sometimes released to the public.
For several years, charges have been raised that Microsoft Windows contains a
back door that allows the U.S. National Security Agency to bypass all Windows
security settings. Microsoft denies the allegation.
Attackers likewise create back doors to work with viruses. When a virus infects a computer,
it might also create a back door for the attacker. Antivirus software can remove the virus but
does not detect the presence of a back door. Computers with back doors become systems
available to launch future attacks. This makes the distribution of the attacker’s next virus that
much easier because he already has a large base of computers from which to launch an
attack.
In 2004, the Mydoom virus, called one of the fastest-spreading e-mail viruses
ever, left thousands of computers infected with back door programs in its wake.
Back doors can be prevented by using tools that scan and listen for these types of programs
and then immediately alert the user. Other programs can scan a system for the presence of
an open back door.
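The testing shortcut described above (a bypass meant to be removed before release but sometimes shipped), as an added Python example that is not from the book: the F4 trigger is modelled as a function flag, the hardened version has no bypass path at all, and a release-time audit asserts that no debug flag can log in with a wrong password. The credential store and hashing scheme are constructed assumptions.

```python
import hashlib
import hmac


def _hash_password(salt: bytes, password: str) -> bytes:
    # Constructed scheme for the example only: salted SHA-256 of the password.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"constructed-salt"
# Constructed user store: username -> (salt, hash). Not a real credential database.
USERS = {"alice": (_SALT, _hash_password(_SALT, "correct horse"))}


def login_with_backdoor(username: str, password: str, f4_pressed: bool = False) -> bool:
    """The chapter's test-phase shortcut: the programmer skips the logon by pressing F4.
    If this build ships, anyone who knows the trigger gets in without a password."""
    if f4_pressed:  # leftover test hook: the back door
        return True
    entry = USERS.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(salt, password), expected)


def login_hardened(username: str, password: str) -> bool:
    """Release version: the only way in is a correct password. There is no flag to pass,
    so a forgotten trigger in the user interface has nothing to reopen."""
    entry = USERS.get(username)
    if entry is None:
        _hash_password(_SALT, password)  # spend the same time as a real check
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(salt, password), expected)


def audit_for_bypass(login_fn) -> bool:
    """Release gate: a login function must reject a bad password even when every known
    debug trigger is asserted. Returns True when no bypass is found."""
    trigger_flags = [{"f4_pressed": True}, {"debug": True}]
    for flags in trigger_flags:
        try:
            if login_fn("nobody", "wrong", **flags):
                return False  # a wrong password got in: back door present
        except TypeError:
            continue  # the function does not even accept the flag, which is what we want
    return True
```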
CHAPTER SUMMARY
People who attack networks and other computer systems fall into six categories: hackers,
crackers, script kiddies, spies, employees, and cyberterrorists. Each type of attacker has a
particular intent and motivation for attacking computers and their information.
A hacker possesses advanced computer skills far beyond the average user. Hackers use
these skills to attempt to access computer resources by circumventing any protective
measures that are in place. Some hackers commit their acts to seek out security flaws and
report these flaws; others attack out of boredom or curiosity.
A cracker violates system security with malicious intent. Crackers use their advanced
computer knowledge and skills to destroy data, deny legitimate users of service, or
otherwise cause serious problems on computers and networks.
Script kiddies download automated hacking software from Web sites and then use it to
break into computers. Not necessarily sophisticated about computers and networks, script
kiddies are motivated by egotism.
Other types of attackers violate information systems for different reasons. A computer spy
is hired to break into a computer and steal information for financial gain. Employees
attack systems out of egotism, vengeance, or financial gain. Cyberterrorists have an
ideological motivation for attacking computers and networks.
The methods that attackers use have changed over time. Attackers targeted individual
computers in the 1980s, and individual networks in the 1990s. Today, they target the
global computing infrastructure. Attackers are becoming more sophisticated, moving
away from searching for bugs in specific software applications and toward probing the
underlying software and hardware infrastructure itself. Also, attacks in the twenty-first
century allow little time to react.
Attacks on computer systems can be generally classified into four broad categories: basic
attacks, identity attacks, denial of service, and malicious code.
One type of basic attack is social engineering, which relies on trickery and deceit to learn
a password or be approved to enter a building, for example.
Password guessing is a basic attack that attempts to learn a user’s password by a variety of
means. A brute force attack attempts to create every possible password combination by
systematically changing one character of a proposed password. A dictionary attack
involves encoding and analyzing dictionary words to find a valid password. Software
exploitation takes advantage of a weakness in the software to bypass password security.
Another type of basic attack focuses on encrypted data. Cryptography uses an algorithm
and keys to encrypt and decrypt messages. Attacks search for a repeating pattern of
encrypted characters that reveal the key, known as a weak key attack. Mathematical attacks
attempt to develop a statistical analysis of the encrypted message and then analyze that
data to discover the keys. A birthday attack exploits the fact that random values do not
create statistically random encrypted messages.
A category of attacks known as identity attacks attempt to assume the identity of a valid
user. A man-in-the-middle attack makes it seem that two computers are communicating
with each other, when actually they are sending and receiving data with a computer
between them. Whereas a man-in-the-middle attack changes the contents of a message
before sending it on, a replay attack only captures the message and then sends it later.
TCP/IP hijacking uses spoofing to redirect messages to the attacker’s computer.
A denial of service attack floods a server or device with requests, making it unable to
respond to valid requests. A distributed denial-of-service attack uses hundreds or
thousands of computers to send the flood of messages. This makes it difficult to isolate
the source and to prevent the messages from entering the network.
Malicious code, also called malware, consists of computer programs that are intentionally
created to break into computers or to create havoc on computers. The most common
types of malware are viruses, worms, logic bombs, Trojan horses, and back doors.
KEY TERMS
Address Resolution Protocol (ARP) spoofing — An attack that changes an internal
computer table to redirect messages to another destination.
algorithm — The underlying process for encrypting and decrypting messages.
antivirus software — Software that can scan a computer for infections and isolate any file
that contains a virus.
back door — A computer’s secret entrance of which the user is unaware.
birthday attack — An attack on a cryptographical system that exploits the mathematics
underlying the birthday paradox.
birthday paradox — A statistical anomaly in which the chance of meeting someone with
your birthday increases as you meet more people.
brute force — An attack that re-creates every possible password by systematically changing
one character at a time in a proposed password.
buffer — A temporary storage area.
buffer overflow — An attack that attempts to stuff more data into a temporary storage area
than it can hold.
cracker — A person who violates system security with a malicious intent.
cryptanalysis — The process of attempting to decode an encrypted message.
cryptography — The science of transforming information so that it is secure while it is
being transmitted or stored.
cyberterrorist — An attacker motivated by ideology to attack computers or infrastructure
networks.
decryption — The process of restoring an encrypted message to its original text.
definition file — A component of antivirus software that contains the latest code to
identify a virus.
denial of service (DoS) — An attack that attempts to make a server or other network
device unavailable by flooding it with requests.
dictionary attack — An attack that encodes words from a dictionary in the same way a
computer does to look for a password match.
distributed denial of service (DDoS) — A denial of service attack that uses multiple
computers to send messages.
dumpster diving — A social engineering attack of digging through trash receptacles to
find computer information for an attack.
encryption — The process of changing original text to a secret message using
cryptography.
hacker — 1) Anyone who illegally breaks into or attempts to break into a computer system.
2) A person who uses advanced computer skills to attack computers, but not with a
malicious intent.
handler — A computer used to coordinate a distributed denial-of-service attack.
hash — To encode a password.
key — A value that an algorithm uses to encrypt or decrypt messages.
logic bomb — A computer program that lies dormant until it is triggered by a specific
event.
malicious code (malware) — Computer programs created to break into computers or to
create havoc on computers.
man-in-the-middle attack — An attack that intercepts communication between valid
devices.
mathematical attack — An attack that develops a statistical analysis of encrypted text to
discover the keys.
media access control (MAC) address — A unique address used by specific types of
networks.
password — A secret combination of letters and numbers that validates a user.
password guessing — Attempts to exploit weak passwords to access a computer.
phish — To send requests for information that appear to come from a valid source.
ping — A request sent to a computer to determine if it is functional.
replay attack — An attack that captures only a transmitted message and then sends it again
later.
script kiddie — An unskilled user who downloads automated attack software to attack
computers.
signature file — A component of antivirus software that contains the latest code to identify
a virus.
Smurf attack — A denial of service attack that redirects pings to the attack victim.
social engineering — An attack that relies on tricking and deceiving someone to access a
system.
software exploitation — An attack that takes advantage of a weakness in software to bypass
requiring a password.
spoof — To pretend to be a legitimate owner.
spy — A person who has been hired to break into a computer and steal information.
SYN attack — A denial of service attack that floods the server with requests.
TCP/IP hijacking — An attack that tricks devices into sending messages to an attacker’s
computer.
Trojan horse — A program that hides its true intent and then reveals itself when activated.
virus — A program that secretly attaches itself to another document or program and
executes when that document or program is opened.
weak key — A key that creates a repeating pattern.
worm — A malicious program that does not attach to another document or need user
action to spread.
zombie — A computer that sends requests to a server in a distributed denial-of-service
attack.
REVIEW QUESTIONS
1. Attackers known as ________ like to think of themselves as an elite group who are
performing a valuable service in identifying security weaknesses.
a. crackers
b. script kiddies
c. hackers
d. cyberterrorists
2. A ________ possesses advanced computer skills and attacks computers with a
malicious intent.
a. script kiddie
b. hacker
c. cracker
d. worm zombie
3. The motivation for a computer spy is ________.
a. financial
b. egotism
c. ideological
d. social
4. One reason employees are so successful at attacking their company’s computers is
________.
a. they have superior networking skills
b. employees already have access to all company information
c. a company’s information security is focused on keeping out intruders
d. employees have unlimited access to company computers
5. Each of the following is a goal of cyberterrorists except ________.
a. defacing electronic information
b. denying service to legitimate users
c. committing unauthorized intrusions into critical infrastructures
d. replacing computers with unauthorized devices
6. Today, the global computing infrastructure is the most likely target of attacks. True or false?
7. Instead of attacking the computing infrastructure directly, attackers can embed the
attack in the data itself, which makes detection harder. True or false?
8. Social engineering is the easiest way to attack a computer system, requires almost no
technical ability, and is usually highly successful. True or false?
9. There is no defense for social engineering attacks. True or false?
10. The first line and strongest defense of any computer system is passwords. True or false?
11. When an attacker sends out counterfeit e-mail messages to direct users to his own
site, this is called ________.
12. With a(n) ________ attack, the attacker attempts to create every possible
password combination by systematically changing one character at a time and then
using each newly generated password to access the system.
13. A(n) ________ attack takes each word from a dictionary and encodes it in
the same way in which the computer would encode a user’s password.
14. A(n) ________ occurs when a computer program attempts to stuff more
data into a temporary storage area than it can hold, overwriting valid computer data.
15. Cryptography is based on a procedure called an algorithm, which is given a starting
value known as a(n) ________.
16. Explain how an attacker would use a mathematical attack.
17. What is the birthday paradox and how is it used by attackers?
18. What is the difference between a man-in-the-middle attack and a replay?
19. Explain how a denial of service (DoS) attack works.
20. What is the difference between a worm and a virus?
HANDS-ON PROJECTS
Project 2-1: Backing Up Data
One of the most important lines of defense against hackers is to perform regular backups in
the event that data is corrupted or lost. Yet most users do not make regular backups of data.
In this project, you use the Windows XP Professional Backup utility to back up data on a
personal computer to a floppy disk. Note that you usually back up much more data, using
a CD, tape, hard disk, or other high-capacity storage device, than you will in this project.
The procedure for those devices is the same as the one that follows.
If you are using Windows XP Home Edition, you might need to install the
Backup utility from the setup CD.
1. Insert a blank formatted floppy disk into the floppy disk drive.
2. Click Start, point to All Programs, point to Accessories, point to System Tools,
and then click Backup. The Backup or Restore Wizard starts, as shown in Figure
2-11. Click Next.
Figure 2-11 Backup or Restore Wizard
If the Backup program starts in Advanced mode, click the Wizard Mode link to use
the wizard, and then click Next.
3. The Backup or Restore dialog box opens, displaying the question, “What do you
want to do?” Click the Back up files and settings option button, if necessary, and
then click Next.
4. The What to Back Up dialog box opens, displaying the question, “What do you want
to back up?” Click the Let me choose what to back up option button, as shown
in Figure 2-12. Click Next.
Figure 2-12 What to Back Up dialog box
If you wanted to back up all of the important documents on the computer that
you had saved, you would click the My documents and settings option button.
5. The Items to Back Up dialog box opens, where you select the drives, folders, or files
that you want to back up. For this project, select one small file on the hard drive. In
the left pane of the dialog box, click the plus sign (+) in front of My Computer to
expand the file listing, and then click Local Disk (C:). (Do not check the drive C
check box.) The contents of drive C appear in the right pane.
6. Scroll the right pane to locate the file AUTOEXEC.BAT, and then click the check
box in front of it. A check mark also appears in the left pane in front of Local Disk
(C:), as shown in Figure 2-13. (The list of files on your drive C will be different.)
Click Next.
7. The Backup Type, Destination, and Name dialog box opens, which lets you select
where you want to save the backup. For this project, be sure that 3 ½ Floppy (A:)
is selected. Type Backup as the name for this backup file, if necessary. Click Next.
If you were backing up to a device such as a tape, flash drive, or CD, you could click
Browse and select that device here.
8. In the Completing the Backup or Restore Wizard dialog box, click the Advanced
button to examine additional backup options.
Figure 2-13 Selecting a file
9. The Type of Backup dialog box opens, where you can choose the type of backup
that fits your need. Make sure that Normal appears in the Select the type of backup
text box. Click Next.
10. The How to Back Up dialog box opens, which displays the different backup options
and explanations, as shown in Figure 2-14. Because you are backing up one small file
in this project, none of the options are necessary. Click Next.
Figure 2-14 How to Back Up dialog box
11. The Backup Options dialog box opens, where you can append the new backup to
an existing one or replace the existing backup. Because this is the first backup on the
floppy disk, either option will work. Click Next.
12. The When to Back Up dialog box opens, where you specify when to back up the
selected files. Click the Now option button, if necessary, and then click Next.
If you wanted this backup to run unattended at a later time, you could indicate that here
by clicking Later. The Schedule Entry dialog box would be available with the current
date and time. Clicking the Set Schedule button would allow you to set when the
backup should start.
13. The final dialog box displays all of the options selected, as shown in Figure 2-15. To
start the backup, click Finish. The Backup Progress window is displayed as the
backup progresses.
Figure 2-15 Completing the Backup or Restore Wizard dialog box
14. When the backup is complete, a summary appears, as shown in Figure 2-16. Click
Close.
If files are damaged and need to be restored from the backup, start the Backup
or Restore Wizard and click Restore files or settings.
Figure 2-16 Backup summary
Project 2-2: Viewing and Modifying the ARP Table
Attackers frequently modify the ARP table to redirect communications from a valid device
to an attacker’s computer as part of a TCP/IP hijacking attack. In this project, you view the
ARP table on your computer and make modifications to it. Although an attacker would
attempt to manipulate ARP tables on a centralized network device, this project allows you
to see how easy it is to perform this type of attack.
1. Open a Command Prompt window by clicking Start, pointing to All Programs,
pointing to Accessories, and then clicking Command Prompt.
2. To view your current ARP table, type arp -a and press Enter. Depending on your
network, your window will look similar to Figure 2-17. The Internet Address is the
IP address of another device on the network, while the Physical Address is the MAC
address of that device.
3. To compare these addresses with the IP address and MAC address of your computer,
type ipconfig /all and then press Enter.
4. To create a new entry in the ARP table, type arp -s 192.168.2.255
00-40-ca-56-55-59 and then press Enter.
5. Type arp -a and then press Enter. This new entry is now listed in the table.
6. To delete the entry, type arp -d 192.168.2.255 and then press Enter.
7. Review the table again by typing arp -a and then pressing Enter.
8. Close the Command Prompt window by typing Exit and then pressing Enter.
Figure 2-17 ARP table (callouts: IP address of the device, MAC address of the device)
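As an added example (not from the book or this project), the following Python code parses the text that arp -a prints on Windows and compares two snapshots of the table, flagging the signs of ARP-based redirection: an IP address whose MAC address has changed, or one MAC address answering for several IP addresses. The two snapshots are constructed sample output; the MAC addresses are made up, apart from the one the project itself types in.

```python
import re
from typing import Dict, List, Tuple

# One entry line as Windows `arp -a` prints it: IP, dash-separated MAC, then the type.
_ENTRY = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(?P<type>static|dynamic)\s*$"
)

ArpTable = Dict[str, Tuple[str, str]]  # ip -> (mac, type)

BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_arp_output(text: str) -> ArpTable:
    """Parse `arp -a` output into {ip: (mac, type)}; Interface and header lines are skipped."""
    table: ArpTable = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["type"])
    return table


def detect_arp_tampering(before: ArpTable, after: ArpTable) -> List[str]:
    """Compare two snapshots and return a list of alerts (empty when nothing changed)."""
    alerts: List[str] = []
    # Sign 1: an address we already knew now resolves to a different MAC.
    for ip, (old_mac, _) in before.items():
        if ip in after and after[ip][0] != old_mac:
            alerts.append(f"{ip}: MAC changed {old_mac} -> {after[ip][0]}")
    # Sign 2: one MAC is answering for several IP addresses (e.g. the gateway and a host).
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, _) in after.items():
        if mac == BROADCAST_MAC:
            continue  # the broadcast entry legitimately pairs with a broadcast address
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed sample output; 00-40-ca-56-55-59 is the MAC used in step 4 of the project.
ARP_BEFORE = """\
Interface: 192.168.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.1           00-40-ca-56-55-59     dynamic
  192.168.2.20          00-0c-29-11-22-33     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
"""

# Same network a moment later: the gateway entry now carries the MAC of host .20.
ARP_AFTER = """\
Interface: 192.168.2.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.1           00-0c-29-11-22-33     dynamic
  192.168.2.20          00-0c-29-11-22-33     dynamic
  192.168.2.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for alert in detect_arp_tampering(parse_arp_output(ARP_BEFORE), parse_arp_output(ARP_AFTER)):
        print(alert)
```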
Project 2-3: Stopping Zombies
A zombie is a computer that has been manipulated by a handler to launch DDoS attacks. In
this project, you download software that would instruct zombies to stop attacking during a
DDoS attack.
1. Use your Web browser (such as Internet Explorer) to go to
http://razor.bindview.com.
2. On the Welcome to RAZOR Web page, click the Tools link.
3. Scroll down and click Zombie Zapper.
4. Read through the license agreement and click Zombie Zapper™ Windows NT
Executable v1.2 to download the ZZ.exe file. (This version works with Windows
NT, Windows 2000, and Windows XP.) If the File Download dialog box opens, click
the Save button, navigate to a folder that you use for downloads, and then click the
Save button. If the Download Complete dialog box opens, close it.
5. Close your Web browser, and then start Zombie Zapper by double-clicking the
ZZ.exe file to display the Zombie Zapper dialog box, shown in Figure 2-18.
6. In the Target IP text box, you usually enter the address of the system attacking you.
For this project, in the Target IP text box, type the address of another system on
your network with which you are familiar. If you are unsure of the IP address of a
system, ask your system administrator or use the arp –a command. Do not enter the
IP address of an unknown system outside of your network.
7. Accept the default settings and click Zap to begin. During a DDoS attack, Zombie
Zapper will send ten “kill packets” to that zombie to stop the flood of packets.
Figure 2-18 Zombie Zapper dialog box
Project 2-4: Password Guessing
Password guessing is a technique used to attempt to break easy passwords. In this project, you
use the Advanced Word 2000 Password Recovery (AW2000PR) tool to perform different
types of password-guessing techniques. AW2000PR recovers passwords to Microsoft Word
documents using brute-force and dictionary attacks. You download a trial copy of
AW2000PR in this project. The trial version of this software limits the Brute force method
to passwords that are only four characters long, and the Dictionary method to recognized
English words. The professional version of this software does not have these limitations.
1. Start Microsoft Word, and open a new, blank document, if necessary.
2. Click Tools on the menu bar, and then click Options. The Options dialog box
opens. Click the Security tab to see the options shown in Figure 2-19.
3. In the Password to Open text box, type 1234, and then click OK. The Confirm
Password dialog box opens so you can verify the password. Type 1234 again and click
OK.
4. In the new Word document, type Weak. Save this document as Weak in the Chap02
folder of your work folder for this book, and then close the document.
5. Open another new blank document. Click Tools on the menu bar, and then click
Options. When the Options dialog box opens, click the Security tab, if necessary.
Figure 2-19 Security tab in the Options dialog box
6. In the Password to Open text box, type dictionary, and then click OK. In the
Confirm Password dialog box, type dictionary again to verify the password, and then
click OK.
7. In the new Word document, type Dictionary. Save this document as Dictionary in
the Chap02 folder of your work folder for this book, and then close the document.
8. Use your Web browser (such as Internet Explorer) to go to
www.elcomsoft.com/aw2000pr.html. Download the free trial version of
AW2000PR, close your browser, and then install the program on your computer.
9. Start the program to display the opening window shown in Figure 2-20.
10. Enter or select the following options to recover the password for Weak.doc:
Encrypted Word document: Click the Open file button, and then select and open
the file Weak.doc. If a dialog box opens advising you to select an appropriate attack
type, click OK.
Type of attack: Select Brute-force attack.
Password Length Options: Enter 1 for Minimal Length and 4 for Maximal length, if
necessary.
Brute-force range options: Select the 0-9 check box and uncheck the a-z check box.
Figure 2-20 AW2000PR main window (callouts: Open file button, Start recovery button)
11. Click the Start recovery button. (Refer back to Figure 2-20 to find this button.)
The Password successfully recovered dialog box opens. Note the password for this file
and the number of milliseconds that it took to crack this password.
12. Click OK and enter or select the following options to recover the password for
Dictionary.doc:
Encrypted Word document: Click the Open file button, and then select and open
the file Dictionary.doc. (Click OK if a dialog box advising you to select an
appropriate attack type opens.)
Type of attack: Select Dictionary Attack.
13. Click the Dictionary tab. Notice that AW2000PR uses its default dictionary to
recover the password instead of the Microsoft Word dictionary.
14. Click the Start Recovery button. The Password successfully recovered dialog box
opens. Note the password for this file and the number of milliseconds that it took to
crack this password.
15. Click OK. Then close the AW2000PR program. If a dialog box opens asking
whether you want to save the project, click the No button.
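As an added example (not part of the project or of the AW2000PR tool), this Python check turns the two methods the project exercises into a password policy test: it counts how many guesses a brute-force run over the password's own character classes needs, and it looks the password up in a word list after undoing common digit-for-letter substitutions. The word list is a constructed stand-in for the tool's default dictionary, and the guess rate is an assumed figure.

```python
import string
from typing import List

# Constructed stand-in for the cracker's default word list (a real list is far larger).
DICTIONARY = {"dictionary", "password", "letmein", "welcome", "secret", "weak"}

# The trial version described in the project brute-forces passwords of at most four characters.
TRIAL_BRUTE_FORCE_MAX_LEN = 4


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes covering every character used."""
    size = 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_candidates(password: str) -> int:
    """Worst-case guesses for a run that tries every length from 1 up to len(password)
    over the character classes the password actually uses (the 0-9 / a-z ranges in step 10)."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at an assumed guess rate."""
    return brute_force_candidates(password) / guesses_per_second


def normalise(password: str) -> str:
    """Undo common digit-for-letter substitutions so 'D1ct10nary' still matches 'dictionary'."""
    table = str.maketrans("013457@$", "oieastas")
    return password.lower().translate(table)


def audit_password(password: str) -> List[str]:
    """Reasons this password would fall to the attacks in the project; empty if none apply."""
    findings: List[str] = []
    if len(password) <= TRIAL_BRUTE_FORCE_MAX_LEN:
        findings.append(
            f"brute force: at most {brute_force_candidates(password)} candidates "
            f"over a {charset_size(password)}-character set"
        )
    if normalise(password) in DICTIONARY:
        findings.append("dictionary attack: matches a word list entry")
    return findings
```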
Project 2-5: Exploring the Linux Password File
The password file in a Linux system is easy for any user to access. Although the passwords
are encrypted, you can view the Linux password file to see how easily an attacker could
access it. In this project, you open and view a Linux password file.
1. Log on to a Linux computer.
2. All user account information is stored in the passwd file located in the etc directory.
To display information regarding your account, type grep username /etc/passwd
where “username” is your logon name, and then press Enter. The information
appears similar to that shown in Figure 2-21.
Figure 2-21 Passwd file
Following the username, the password appears masked (for example, as an asterisk or X).
A unique user ID number and group ID number are assigned to each user and the
group to which they belong. The home directory is where this user has his or her files
stored, while the shell indicates the type of user interface.
3. To display all of the user accounts, type cat /etc/passwd and press Enter.
4. Log off of the Linux system.
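As an added example (not the book's), a Python audit of the seven-field passwd format described in step 2: it parses each line and flags an empty password field, a hash still kept in the world-readable passwd file instead of being masked (the asterisk or x that step 2 mentions, with the real hash held elsewhere), and a second account carrying user ID 0. The sample file is constructed and its hash value is a placeholder.

```python
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    """The seven colon-separated fields of one /etc/passwd line."""
    name: str
    passwd: str   # masked ("x" or "*") on a modern system; the hash lives in /etc/shadow
    uid: int      # user ID number
    gid: int      # group ID number
    gecos: str    # full name or comment
    home: str     # home directory
    shell: str    # user interface program


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text; blank and comment lines are skipped, malformed lines raise."""
    entries: List[PasswdEntry] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return findings an attacker reading this file would be glad to see."""
    findings: List[str] = []
    names_by_uid: Dict[int, List[str]] = {}
    for e in entries:
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, login needs no password")
        elif e.passwd not in ("x", "*") and not e.passwd.startswith("!"):
            # Anything other than a mask or a lock marker is a hash exposed to every user.
            findings.append(f"{e.name}: password hash kept in world-readable /etc/passwd")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 (root privileges) under another name")
        names_by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    return findings


# Constructed sample file; the hash on the "legacy" line is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$salt$CONSTRUCTED_HASH_PLACEHOLDER:1002:1002:Old account:/home/legacy:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```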
CASE PROJECTS
Case Project 2-1: The Debate Over Cyberterrorism
Not all security experts agree that the threat of cyberterrorism is significant. Because no
worldwide attack has yet been launched, some doubt that one will ever be launched. What
do you think? Using the Internet and other sources, research the cyberterrorism threat. What
specific targets would be on the attackers’ list? What reasons do others give for denying the
threat? What instances of regional or national cyberterrorism, particularly in the Middle
East, have already taken place? Write a one-page paper on your findings.
Case Project 2-2: Phishing
The use of phishing by attackers is growing significantly.What steps can minimize its impact?
Using the Internet, research phishing and the practical steps that can be taken by users to
avoid being tricked into giving out their personal information. Sites such as PayPal,
Citibank, and those of other financial organizations often contain suggestions to consumers
about defending against phishing. Create a one-page bullet list of practice steps.
Case Project 2-3: Social Engineering
The threat from social engineering is always present. Research social engineering tactics
used by attackers. What are two of the most daring social engineering attacks that you can
find? What types of policies should a company have to prevent social engineering? Write a
one-page paper describing your findings.
Case Project 2-4: DDoS Attacks
Many security experts predict that distributed denial-of-service (DDoS) attacks are among
the most threatening. With the use of file-sharing, peer-to-peer services, and distributed
computing power, DDoS attacks could be launched from thousands of computers. What is
being done to combat this threat? Using the Internet, research DDoS attacks.
Case Project 2-5: Worms versus Viruses
The Western Consulting Group (WCG) provides services for a broad range of businesses in
the area. They have asked you to help them with a project.
A local civic group is having a luncheon and needs a speaker to give a presentation about
threats to information security. Create a 15-minute PowerPoint presentation that outlines
what the information security threats are and who makes them. Because this audience has
a diverse background, the presentation should not be highly technical.