Types of Attacks, Hackers Motivations and Methods CS432: Security.


Transcript of Types of Attacks, Hackers Motivations and Methods CS432: Security.

Page 1: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Types of Attacks, Hackers Motivations and Methods

CS432: Security

Page 2: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Overview

Access attacks.

Modification attacks.

Denial-of-Service attacks.

Repudiation attacks.

Page 3: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Access Attacks

An access attack is an attempt to see information that the attacker is not authorized to see.

Snooping is looking through information files to find something interesting.

Eavesdropping is when someone listens in on a conversation that they are not a part of.

Page 4: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Access Attacks

Interception is an active attack against the information.

To access the information on paper, the attacker needs to gain access to that paper.

Good site security may prevent an outsider from accessing information on paper, but may not prevent an insider from gaining access.

Page 5: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Access Attacks

Correct access permissions will prevent most casual snooping for electronic information.

Eavesdropping on a transmission can access information in transit.

A sniffer is a computer that is configured to capture all traffic on a network.

Wireless networks make sniffing easier.

Page 6: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Access Attacks

Interception attacks are more difficult and more dangerous than simple eavesdropping attacks.

The attacker must insert his system between the sender and the receiver to intercept information.

Information can be intercepted on the Internet by causing a name resolution change.

Page 7: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Modification Attacks

A modification attack is an attempt to modify information that the attacker is not authorized to modify.

The attacker may change or delete existing information, or insert new information in a modification attack.

Modifying electronic information is easier than modifying information on paper.

Page 8: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Denial-of-Service Attacks

Denial-of-Service (DoS) attacks deny the use of resources, information, or capabilities of a system to legitimate users.

Denial of access to information causes the information to be unavailable.

The information may be destroyed, converted into an unusable form, or shifted to an inaccessible location.

Page 9: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Denial-of-Service Attacks

The attacker may target the application that manipulates or displays information.

If an application is unavailable, the organization cannot perform the tasks done by that application.

A common type of DoS attack is bringing down computer systems.

Page 10: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Denial-of-Service Attacks

A DoS attack against system communication may range from cutting wires to flooding networks with excessive traffic.

The system and the information are left untouched, but the lack of communication prevents access to them.

Information on paper as well as information in electronic form are subject to physical DoS attacks.

Page 11: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Denial-of-Service Attacks

Short-term DoS attacks can be made by simply turning off a system.

Applications can be rendered unavailable by sending a pre-defined set of commands that they cannot process properly.

Accidents could also cause DoS incidents.

Page 12: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Repudiation Attacks

In a repudiation attack, false information may be given or a real event or transaction may be denied.

Electronic information is more susceptible to repudiation attacks than information in the physical form.

Denying an event is easier in the electronic world as there is no proof to link an individual with the event.

Page 13: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Hacker Techniques

Page 14: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Overview

Hacker’s motivation.

Historical hacking techniques.

Advanced techniques.

Malicious code.

Methods used by untargeted hacker.

Methods used by targeted hacker.

Page 15: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Hacker’s Motivation

The term “hacker” was originally coined for an individual who could make computers work.

A hacker currently refers to an individual who breaks into computers.

Studies show that hackers are most often male, between 16 and 35 years old, loners, intelligent, and technically proficient.

Page 16: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Hacker’s Motivation

The most common motivation for hacking into computer systems is the challenge of doing so.

The challenge motivation is usually associated with an untargeted hacker.

An untargeted hacker is one who hacks just for the fun of it.

The greed motivation includes desire for gain in the form of money, goods, services, or information.

Page 17: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Hacker’s Motivation

Sites having something of value (software, money, information) are primary targets for hackers motivated by greed.

Malicious attacks focus on particular targets.

The hacker motivated by malicious intent aims at damaging the system, not at gaining access to it.

The risk of a hacker being caught and convicted is low. Hence, the potential gain from hacking is high.

Page 18: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Open sharing:

When the Internet was originally created, most systems were configured to share information.

The Network File System (NFS) used by UNIX allowed one computer to mount the drives of another computer across a network.

Hackers used NFS to read the information by mounting remote drives.

Page 19: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Open sharing (continued):

Many operating systems were shipped out with the root file system exportable to the world.

Anyone could mount the system’s root file system and change anything they wanted if the default configuration was not changed.

Hackers can get into a system with remote access by identifying one user or administrator account on the system.

Page 20: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Weak passwords:

Weak passwords are the most common method used by hackers to get into systems.

A two-character password is easier to guess than an eight-character one.

Easy to guess passwords allow hackers a quick entry into the system.

Page 21: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Programming flaws and social engineering:

Hackers have used programming flaws such as back doors in a program for accessing systems that use the program.

Many shopping Websites store information entered by the buyer on a URL, which can be modified before checking out.

Social engineering is the use of non-technical means to gain unauthorized access to information or systems.

The ability to lie and a kind voice are the most powerful tools used by a hacker using the social engineering technique.
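
The shopping-site flaw described above, shown beside a hardened checkout. This is an added example, not part of the original slides; the catalogue, key, URL layout and function names are all hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed catalogue (prices in cents) and key, for illustration only.
CATALOGUE = {"sku-1001": 4999, "sku-2002": 1250}
SECRET_KEY = b"constructed-example-key"


def build_cart_url_weak(sku, qty):
    """Weak pattern: the price is placed in the URL for the browser to return."""
    return "/checkout?" + urlencode({"sku": sku, "qty": qty, "price": CATALOGUE[sku]})


def checkout_weak(url):
    """Charges whatever price comes back, so an edited URL changes the total."""
    p = parse_qs(url.split("?", 1)[1])
    return int(p["price"][0]) * int(p["qty"][0])


def _tag(sku, qty, price):
    """HMAC over the fields the server issued; the key never leaves the server."""
    msg = f"{sku}|{qty}|{price}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_cart_url_signed(sku, qty):
    """Same URL, plus an integrity tag covering every field."""
    price = CATALOGUE[sku]
    fields = {"sku": sku, "qty": qty, "price": price, "sig": _tag(sku, qty, price)}
    return "/checkout?" + urlencode(fields)


def checkout_hardened(url):
    """Rejects modified URLs and prices the order from the server's own record."""
    p = parse_qs(url.split("?", 1)[1])
    try:
        sku, qty, price, sig = (p[k][0] for k in ("sku", "qty", "price", "sig"))
    except KeyError as exc:
        raise ValueError(f"missing field: {exc}") from None
    # Constant-time comparison of the received tag with the recomputed one.
    if not hmac.compare_digest(sig.encode(), _tag(sku, qty, price).encode()):
        raise ValueError("cart parameters were modified after issue")
    if sku not in CATALOGUE or not qty.isdigit() or int(qty) < 1:
        raise ValueError("invalid item or quantity")
    # The authoritative price is the catalogue entry, not the URL's copy.
    return CATALOGUE[sku] * int(qty)
```
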

Page 22: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Buffer overflow:

Buffer overflow is an attempt to store too much information into an allocated space in a computer’s memory.

Buffer overflows allow hackers to run a command on the target system.

A hacker can exploit a buffer overflow to overwrite the return address to point to a new instruction.

Page 23: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Denial-of-Service (DoS):

DoS attacks are malicious acts to deny legitimate users access to a system, network, application, or information.

Most DoS attacks originate from fake addresses.

In a single-source DoS attack, a single system is used to attack another system.

The SYN flood and the Ping of Death are some of the single-source DoS attacks that have been identified.

Page 24: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Distributed Denial-of-Service (DDoS):

DDoS attacks originate from a large number of systems.

Trinoo, Tribal Flood Network, Mstream, and Stacheldraht are some of the new DDoS attack tools.

Page 25: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

Distributed Denial-of-Service (DDoS) (continued):

A hacker talks to a master or server that has been placed on a compromised system.

The master talks to the slave or client processes that have been placed on other compromised systems. The slaves, also called zombies, perform the actual attack against the target system.

Page 26: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Historical Hacking Techniques

The architecture of DDoS attacks.

Page 27: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Advanced Techniques

Sniffing switch networks.

IP spoofing.

Page 28: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Sniffing Switch Networks

Hackers use sniffers to gather passwords and other system-related information after a system is compromised.

On shared media networks, sniffers use network interface cards (NIC) to access information.

In a switched environment, the hacker must cause the switch to redirect all traffic to the sniffer, or send all traffic to all ports.

Page 29: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Sniffing Switch Networks

Redirecting traffic:

A switch directs traffic to ports based on the Media Access Control (MAC) address of the Ethernet frame.

Address Resolution Protocol (ARP) is used to get the MAC address associated with a particular IP address.

When a system wants to send traffic to another system, it will send an ARP request for the destination IP address.

Page 30: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Sniffing Switch Networks

Redirecting traffic (continued):

A sniffer may respond to an ARP request with its own MAC address, causing traffic to be sent to itself.

This is called ARP spoofing.

The sniffer must forward the traffic on to the correct destination, or it will cause a denial of service on the network.

ARP spoofing is possible only on local subnets as the ARP messages do not go outside the local subnet.
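
Because ARP spoofing shows up as conflicting answers for one IP address, a monitor on the local subnet can flag it from the replies alone. The following is an added example, not part of the original slides; the capture lines are constructed and only modelled on tcpdump's ARP output, and the function name and alert labels are hypothetical.

```python
import re
from collections import defaultdict

# Matches lines such as: "10:00:01.001 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture: .66 starts answering for the gateway (.1)
# and for another host (.20), then the real gateway answers again.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
10:00:01.001 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
10:00:05.000 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:20, length 28
10:00:09.000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:66, length 28
10:00:09.500 ARP, Reply 192.0.2.20 is-at 02:00:00:00:00:66, length 28
10:00:12.000 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
"""


def detect_arp_anomalies(capture_text, static_bindings=None):
    """Return alerts as (timestamp, kind, ip, detail) tuples.

    static_bindings maps IP -> MAC for hosts whose address is known in
    advance (for example the default gateway); those are never relearned.
    """
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned = {}                      # IP -> MAC last seen answering for it
    claimed = defaultdict(set)        # MAC -> set of IPs it has answered for
    alerts = []

    for line in capture_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue                  # requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()

        if ip in static:
            if static[ip] != mac:
                alerts.append((ts, "static-violation", ip, f"expected {static[ip]}, got {mac}"))
        else:
            previous = learned.get(ip)
            if previous is not None and previous != mac:
                alerts.append((ts, "binding-changed", ip, f"{previous} -> {mac}"))
            learned[ip] = mac

        # One MAC answering for several IPs is what a redirecting host looks like.
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append((ts, "multi-ip", ip, f"{mac} claims {sorted(claimed[mac])}"))

    return alerts
```

Pinning the gateway with `static_bindings` keeps a spoofed reply from ever replacing the known-good entry, which is the same idea as a static ARP entry on a host.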

Page 31: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Sniffing Switch Networks

Redirecting traffic (continued):

Duplicating the MAC address of the target system is another way of getting the switch to redirect the traffic to the sniffer.

In a DNS spoofing attack, a sniffer responds to the sending system’s DNS requests.

The sniffer’s response provides its own IP address as that of the system being requested.

DNS spoofing is possible if the sniffer is in the network path from the sending system to the DNS server.

Page 32: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Sniffing Switch Networks

Sending all traffic to all ports:

When the memory used by switches to store the mappings between MAC addresses and physical ports is full, some switches will fall “open.”

That means that the switch will send all traffic to all ports instead of sending traffic for specific MACs to specific ports.

Sniffing requires that the hacker have a system on the local switch.
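
A small model of the fail-open behaviour described above, run with and without a per-port limit on learned addresses (the control commonly called port security). This is an added example, not part of the original slides; the `Switch` class, table size, port numbers and MAC addresses are constructed for illustration and do not model any particular vendor's switch.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "02:00:00:00:00:0a"   # constructed address on port 1
HOST_B = "02:00:00:00:00:0b"   # constructed address on port 2


class Switch:
    """Learning switch with a bounded MAC table (hypothetical model)."""

    def __init__(self, ports, table_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_macs_per_port = max_macs_per_port
        self.table = {}          # MAC -> port
        self.violations = 0      # frames dropped by the per-port limit

    def _learn(self, port, mac):
        """Record the source address; return False if the frame is dropped."""
        if self.table.get(mac) == port:
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations += 1
                return False
        # A full table cannot take new entries; the frame is still forwarded.
        if mac in self.table or len(self.table) < self.table_size:
            self.table[mac] = port
        return True

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        if not self._learn(in_port, src):
            return []
        out = self.table.get(dst)
        if out is None:
            # Unknown destination: the frame goes to every other port.
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def run_scenario(max_macs_per_port):
    """Port 3 presents ten source addresses before hosts A and B speak.

    Returns (ports that see a frame from A to B, frames dropped by the limit).
    """
    sw = Switch(ports=[1, 2, 3], table_size=4, max_macs_per_port=max_macs_per_port)
    for i in range(10):
        sw.receive(3, f"02:00:00:00:99:{i:02x}", BROADCAST)
    sw.receive(1, HOST_A, BROADCAST)
    sw.receive(2, HOST_B, BROADCAST)
    return sw.receive(1, HOST_A, HOST_B), sw.violations
```

Without a limit the table fills from port 3, B is never learned, and the frame from A to B reaches port 3 as well; with a limit of one address per port the same frame is delivered to port 2 only.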

Page 33: Types of Attacks, Hackers Motivations and Methods CS432: Security.

IP Spoofing

Details of IP spoofing

Page 34: Types of Attacks, Hackers Motivations and Methods CS432: Security.

IP Spoofing

Using IP spoofing in the real world

Page 35: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Malicious Code

Malicious code includes three types of programs:

Computer viruses.

Trojan horse programs.

Worms.

Page 36: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Computer Viruses

Computer viruses are not structured to exist by themselves.

Virus codes execute when the programs to which they are attached are executed.

Malicious viruses may delete files or cause systems to become unstable.

Some viruses just spread themselves to other systems without performing any malicious acts.

Page 37: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Trojan Horse Programs

A Trojan horse is a complete and self-contained program.

It hides its malicious intent behind a facade of something useful or interesting.

Most Trojan horse programs contain a mechanism to spread themselves to new victims.

Page 38: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Worms

A worm is a program that crawls from system to system without any assistance from its victims.

The Morris Worm was the first known example of a worm.

CodeRed and Slapper Worm are recent examples of worms.

A hybrid is the combination of two types of malicious code into a single program.

Page 39: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Untargeted Hacker

Internet reconnaissance:

Untargeted hackers look for any vulnerable system they can find.

The hacker may perform a stealth scan, sometimes in conjunction with a ping sweep.

A stealth scan is an attempt to identify systems within an address range.

A ping sweep is an attempt to ping each address and see if a response is received.

Page 40: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Untargeted Hacker

Stealth scanning

Page 41: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Untargeted Hacker

Reset scans

Page 42: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Untargeted Hacker

Telephone and wireless reconnaissance:

Wardialing is a method of telephone reconnaissance to identify systems that have modems and that answer calls.

Wardriving and Warchalking are methods of wireless reconnaissance.

An untargeted hacker will use reconnaissance methods to identify systems. They will look for systems that may be vulnerable to the available exploits.

Page 43: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Untargeted Hacker

Use of Compromised Systems:

Hackers normally place a back door entry to compromised systems to access them again.

The back door entries are put together in a rootkit.

Hackers may close vulnerabilities they used to gain access, so that no other hacker can gain access to “their” system.

A compromised system may be used to attack other systems or for reconnaissance purposes.

Page 44: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

A targeted hacker aims at penetrating or damaging a particular organization.

A targeted hacker is motivated by a desire to gain something the organization has.

The skill level of targeted hackers tends to be higher than that of untargeted hackers.

Page 45: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Reconnaissance:

Address reconnaissance is the identification of the address space used by the target organization.

Addresses can be identified through DNS, the American Registry of Internet Numbers (ARIN) or through text searches at Network Solutions.

Phone number reconnaissance is inaccurate and more difficult than identifying network addresses.

Page 46: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Reconnaissance (continued):

The hacker can perform wireless reconnaissance by walking or driving around the organization’s building.

System reconnaissance is used to identify the existing systems, operating systems, and their vulnerabilities.

Ping sweeps, stealth scans, or port scans may be used to identify systems.

Stealth scans, mail systems, or Web servers may be used to identify the operating system.

Page 47: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Reconnaissance (continued):

Attacking or examining the system for indications of vulnerabilities can identify vulnerabilities.

Vulnerability scanners will provide information, but may alert the target organization about the hacker’s presence.

The hacker may gain access to the organization through its remote offices.

Business reconnaissance will help the hacker identify the type of damage that will hurt the target the most.

Page 48: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Reconnaissance (continued):

Studying the employees of the organization may prove valuable for the purpose of social engineering.

Targeted hackers use physical reconnaissance extensively.

Weaknesses in physical security may be used to gain access to the site.

The hacker may also find information by searching a dumpster if trash and paper to be recycled are dumped into it.

Page 49: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Electronic attack methods:

The hacker may attempt to hide the attack from the intrusion detection system by breaking the attack into packets.

The hacker must make the system appear as normal as possible if the attack is successful.

The hacker will establish back door entries to allow repeated access to a compromised system.

Page 50: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Electronic attack methods (continued):

Systems with remote access control or administration systems are prime targets for attacks via dial-in access.

The hacker may send a virus or a Trojan horse program to an employee’s home system.

Wireless networks provide the easiest access path.

In many cases, the wireless network is part of the organization’s internal network. Hence, it may have fewer security devices.

Page 51: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Methods Used by Targeted Hacker

Physical attack methods:

Social engineering is the safest physical attack method.

It may lead to electronic information.

Checking the dumpster or following an employee into the building are other methods of physical attack.

Page 52: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

Access attacks occur when an attacker gains information that he or she is not authorized to access.

Snooping, Eavesdropping, and Interception are the three types of Access attacks.

Modification attacks are attacks against the integrity of information.

Page 53: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

Denial-of-Service attacks deny legitimate users access to the system, information, or capabilities.

The attacker may target the information, applications, the system, or the communications media itself in a DoS attack.

Repudiation is an attack against the accountability of the information.

Page 54: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

A hacker may be motivated by the challenge of breaking in, greed, or malicious intent.

Open file sharing, weak passwords, programming flaws, and buffer overflows were exploited by hackers to break into systems.

In social engineering, the hacker uses human nature and the ability to lie, to access information.

Page 55: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

In Denial-of-Service attacks, legitimate users are denied access to the system, network, information, or applications.

In Distributed Denial-of-Service attacks, many systems are coordinated to attack a single target.

Sniffing switch networks involves getting the switch to either redirect traffic to the sniffer or send all traffic to all ports.

Page 56: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

ARP spoofing, MAC duplicating, and DNS spoofing are the three methods of redirecting traffic.

IP spoofing involves modifying the source address to make the packet appear as if coming from elsewhere.

Viruses, Trojan horse programs, and worms are the three types of malicious code.
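The traffic-redirection methods summarized above leave traces a defender can look for in ARP traffic and switch port data. The following is an added example, not part of the original slides; the observation format, addresses, alert names and the per-port threshold are assumptions made for illustration, and it covers ARP spoofing, MAC duplicating and a switch being pushed to send traffic to all ports, not DNS spoofing.

```python
from collections import defaultdict

# Constructed observations of ARP replies seen on a monitoring port:
# (timestamp, switch_port, source_mac, claimed_ip)
OBSERVATIONS = [
    (1, "p1", "02:00:00:00:00:01", "10.0.0.1"),    # gateway
    (2, "p2", "02:00:00:00:00:02", "10.0.0.20"),
    (3, "p3", "02:00:00:00:00:03", "10.0.0.30"),
    (4, "p3", "02:00:00:00:00:03", "10.0.0.1"),    # a second MAC claims the gateway IP
    (5, "p4", "02:00:00:00:00:02", "10.0.0.20"),   # known MAC appears on a second port
] + [
    # Many distinct source MACs on one access port.
    (6 + i, "p5", f"02:00:00:00:01:{i:02x}", f"10.0.1.{i}") for i in range(4)
]

def find_redirection_signs(observations, max_macs_per_port=3):
    """Return alerts as (timestamp, kind, subject, detail) tuples."""
    ip_to_macs = defaultdict(set)    # ARP spoofing: one IP, several MACs
    mac_to_ports = defaultdict(set)  # MAC duplicating: one MAC, several ports
    port_to_macs = defaultdict(set)  # flooding: one port, too many MACs
    alerts = []
    for ts, port, mac, ip in sorted(observations):
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append((ts, "ip-claimed-by-new-mac", ip, mac))
        if mac_to_ports[mac] and port not in mac_to_ports[mac]:
            alerts.append((ts, "mac-on-multiple-ports", mac, port))
        ip_to_macs[ip].add(mac)
        mac_to_ports[mac].add(port)
        if mac not in port_to_macs[port]:
            port_to_macs[port].add(mac)
            # Alert once, when the port first exceeds the threshold.
            if len(port_to_macs[port]) == max_macs_per_port + 1:
                alerts.append((ts, "too-many-macs-on-port", port, max_macs_per_port))
    return alerts

if __name__ == "__main__":
    for alert in find_redirection_signs(OBSERVATIONS):
        print(alert)
```

Each alert is only a lead: address reassignment, a host moved to another port, or a failover pair can produce the same pattern and should be ruled out before treating it as an attack.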

Page 57: Types of Attacks, Hackers Motivations and Methods CS432: Security.

Summary

Untargeted hackers do not aim at accessing particular information or organizations, but look for any system that can be compromised.

Targeted hackers have a reason for attacking an organization.