IDK0040 Võrgurakendused I Web Crime Deniss Kumlander.


Page 2

DoS attack

• Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers where the attack is aiming to cause the hosted web pages to be unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).

• DoS attacks have two general forms:

– Force the victim computer(s) to reset or consume its resources such that it can no longer provide its intended service.
– Obstruct the communication media between the intended users and the victim such that they can no longer communicate adequately.

Page 3

DoS attack

• A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

– attempts to "flood" a network, thereby preventing legitimate network traffic;
– attempts to disrupt a server by sending more requests than it can possibly handle, thereby preventing access to a service;
– attempts to prevent a particular individual from accessing a service;
– attempts to disrupt service to a specific system or person.

• Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers.

• A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:

– consumption of computational resources, such as bandwidth, disk space, or CPU time;
– disruption of configuration information, such as routing information;
– disruption of physical network components.

Page 4

DDoS attack

• A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually a web server(s). These systems are compromised by attackers using a variety of methods:

– Malware
– Trojans

Page 5

DDoS unintentional attack

• This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users — potentially hundreds of thousands of people — click that link in the space of a few hours, having the same effect on the target website as a DDoS attack.

• News sites and link sites — sites whose primary function is to provide links to interesting content elsewhere on the Internet — are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, Fark, Something Awful and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", "farking", "goonrushing" and "wanging"; respectively.

Page 6

Page hijacking

• Page hijacking is a form of spamming the index of a search engine (spamdexing). It is achieved by creating a rogue copy of a popular website which shows contents similar to the original to a web crawler, but redirects web surfers to unrelated or malicious websites. Spammers can use this technique to achieve high rankings in result pages for certain key words.

• Page hijacking is a form of cloaking, made possible because some web crawlers detect duplicates while indexing web pages. If two pages have the same content, only one of the URLs will be kept. A spammer will try to ensure that the rogue website is the one shown on the result pages.

Page 7

Domain hijacking

• Domain hijacking is the process by which internet domains are basically stolen.

• Domain theft is an aggressive form of domain hijacking that usually involves an illegal act. In most cases, identity theft is used to trick the domain registrar into allowing the hijacker to change the registration information to steal control of an unexpired domain from the legitimate owner.

• Many people confuse domain hijacking with the "reuse" of an expired domain. One is a legal process and one is not. Domain hijacking is theft; reuse of an expired domain is "opportunity usage".

Page 8

Cryptographic attacks

• A cryptographic attack is a method for circumventing the security of a cryptographic system by finding a weakness in a code, cipher, cryptographic protocol or key management scheme. This process is also called "cryptanalysis".

Page 9

Email injection

• Email injection is a security vulnerability that can occur in internet applications that are used to send email messages. Like SQL injection attacks, this vulnerability is a general class of vulnerabilities that occur when one programming language is embedded within another.

• When a form is added to a webpage that submits data to a web application, a malicious user can potentially exploit the MIME format to append additional information to the message being sent, such as a new list of recipients or a completely different message body. Because the MIME format uses a carriage return to delimit the information in a message, and only the raw message determines its eventual destination, adding Carriage Returns to submitted form data can allow a simple guestbook to be used to send thousands of messages at once. A malicious spammer could use this tactic to send large amounts of messages anonymously.
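The mechanism above, as an added example that is not part of the original slides: a guestbook-style mail builder that concatenates form fields straight into the header block, beside a hardened builder that rejects any CR/LF in a header field. The addresses, key names and the `HeaderInjection` class are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Any CR or LF inside a single header value starts a new header line in the
# raw message, and the raw message, not the form, decides who receives it.
HEADER_BREAK = re.compile(r"[\r\n]")

class HeaderInjection(ValueError):
    """Raised when a form field would start a new mail header line (constructed name)."""

def form_field_is_safe(value):
    """True when the field can be placed in a header without splitting it."""
    return HEADER_BREAK.search(value) is None

def build_mail_unsafe(visitor_email, subject, body):
    """Naive concatenation: form values go verbatim into the header block."""
    return (f"From: {visitor_email}\r\n"
            f"To: webmaster@example.test\r\n"
            f"Subject: {subject}\r\n"
            f"\r\n{body}")

def build_mail_safe(visitor_email, subject, body):
    """Hardened builder: validate header fields first, then let EmailMessage encode."""
    for name, value in (("From", visitor_email), ("Subject", subject)):
        if not form_field_is_safe(value):
            raise HeaderInjection(f"{name} contains CR/LF")
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = visitor_email
    msg["To"] = "webmaster@example.test"
    msg["Subject"] = subject
    msg.set_content(body)  # newlines in the body are harmless; it is not a header
    return msg.as_string()

def recipients_of(raw_message):
    """Parse a raw message the way an MTA would and list every delivery address."""
    msg = message_from_string(raw_message)
    addrs = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs
```

With a constructed subject such as `"Hello\r\nBcc: a@example.test, b@example.test"` the unsafe builder yields three recipients, while the safe builder refuses the field.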

Page 10

Wardialing

• War dialing or wardialing is a method of automatically scanning telephone numbers using a modem, usually dialing every telephone number in a local area to find out where computers or fax machines are available, then attempting to access them by guessing passwords.

• A more recent phenomenon is wardriving, the searching for Wi-Fi wireless networks by moving vehicle. Wardriving was named after wardialing, since both techniques involve brute-force searches to find computer networks.

• Similar to war dialing is a port scan under TCP/IP, which "dials" every TCP port of every IP address to find out what services are available, and then gains access to them by guessing passwords or by exploiting vulnerabilities in software that runs with elevated privileges. Unlike wardialing, however, port scans will generally not disturb a human being when they try an IP address that isn't up.

Page 11

Spoofing attack

• In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

• An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he's Bob, and spoofs Bob into believing he's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.

• The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to the IP address.
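The firewall check described in the last bullet, as an added example (not from the slides): an ingress filter that knows which source prefixes belong behind each interface and flags packets whose source address arrives on the wrong one. The interface names, prefixes and packet records are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table: the prefixes legitimately reachable behind
# each interface is the "knowledge" the firewall is configured with.
INTERFACE_PREFIXES = {
    "lan0": [ip_network("192.0.2.0/24")],
    "dmz0": [ip_network("198.51.100.0/24")],
}
WAN_IF = "wan0"  # everything not in the table arrives from the Internet

def is_spoofed(ingress_if, src):
    """True when src could not legitimately have entered on ingress_if."""
    src = ip_address(src)
    for name, prefixes in INTERFACE_PREFIXES.items():
        if any(src in p for p in prefixes):
            # A packet claiming an internal source must arrive on that interface.
            return ingress_if != name
    # Sources outside every internal prefix are only plausible on the WAN side;
    # seen on an inside interface they indicate a host spoofing outward.
    return ingress_if != WAN_IF

def flag_spoofed(packets):
    """Return the (interface, src, dst) records that fail the anti-spoof check."""
    return [p for p in packets if is_spoofed(p[0], p[1])]

# Constructed sample of packet headers as (ingress interface, src, dst).
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.10", "198.51.100.5"),   # normal internal traffic
    ("wan0", "192.0.2.10", "198.51.100.5"),   # claims to be Alice, came from outside
    ("wan0", "203.0.113.7", "198.51.100.5"),  # ordinary Internet client
    ("dmz0", "203.0.113.7", "192.0.2.10"),    # outward spoof from the DMZ
]
```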

Page 12

Phishing

• Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.

• Most methods of phishing use some form of technical deception designed to make a link in an email appear to belong to the spoofed organization.

Page 13

Vishing

• Vishing is the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and phishing.

• Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations which are known to the telephone company, and associated with a bill-payer. However, with the advent of VoIP, telephone services may now terminate in computers, which are far more susceptible to fraudulent attacks than traditional "dumb" telephony endpoints.

• Example

– The criminal configures a war dialer to call phone numbers in a given region.
– When the phone is answered, an automated recording is played to alert the consumer that their credit card has had fraudulent activity and the consumer should call the following phone number immediately. The phone number could be a toll free number often with a spoofed caller ID for the financial company they are pretending to represent.
– When the consumer calls the number, it is answered by a typical computer generated voice that tells the consumer they have reached account verification and instructs the consumer to enter their 16-digit credit card number on the key pad.
– Once the consumer enters their credit card number, the visher has all of the information necessary to place fraudulent charges on the consumer's card.
– The call can then be used to harvest additional details such as security PIN, expiry date, date of birth, bank account number, etc.

Page 14

Spoofing attack

• Recording and later emulating the same activity (packets) to login.

• Login spoofing is a technique used to obtain a user's password. The user is presented with an ordinary looking login prompt for username and password, which is actually a malicious program under the control of the attacker. When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security.

• To prevent this, some operating systems require a special key combination (called a Secure attention key) to be entered before a login screen is presented, for example Control-Alt-Delete. Users should be instructed to report login prompts that appear without having pressed this secure attention key. Only the kernel, which is the part of the operating system that interacts directly with the hardware, can detect whether the secure attention key has been pressed, so it cannot be intercepted by third party programs.

Page 15

Replay attack

• Recording and later emulating the same activity (packets) to login.

• Avoid: timestamp or session
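The "timestamp or session" countermeasure, as an added example that is not part of the slides: a server-side guard that accepts a login request only if its timestamp is fresh, its per-request nonce has not been seen before, and an HMAC binds both to the payload so a recorded packet cannot be replayed or edited. The key, window and request values are constructed.

```python
import hashlib
import hmac
import time

# Constructed shared secret and freshness window; a real deployment derives
# the key per session and tunes the window to expected clock skew.
SHARED_KEY = b"constructed-demo-key"
WINDOW_SECONDS = 30

def sign_request(key, payload, ts, nonce):
    """Client side: MAC over timestamp | nonce | payload so none can be altered."""
    data = b"|".join([str(ts).encode(), nonce.encode(), payload])
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ReplayGuard:
    """Server side: rejects stale, tampered, or previously seen requests."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp, pruned once outside the window

    def verify(self, payload, ts, nonce, tag, now=None):
        now = time.time() if now is None else now
        # 1. Freshness: a packet recorded earlier and resent later is outside the window.
        if abs(now - ts) > self.window:
            return False
        # 2. Integrity: constant-time compare so the tag cannot be forged byte by byte.
        expected = sign_request(self.key, payload, ts, nonce)
        if not hmac.compare_digest(expected, tag):
            return False
        # 3. Uniqueness: the same nonce inside the window is an exact replay.
        if nonce in self.seen:
            return False
        self.seen[nonce] = ts
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return True
```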