Common Attacks

1. Alteration attacks
They occur when someone makes unauthorized modifications to code or data, attacking its integrity. These
attacks can take many different forms and have a variety of consequences. An organization might have a
Software Development Life Cycle, but the binary code can be altered. A person with access can recompile an
existing program to add another library or DLL, or use a binary editor like HT Editor.
Note: Alteration attacks apply to data as well as code.

The primary defense against an alteration attack is a cryptographic hash. If you can record the state of a
program or data before it is altered and securely store the hash, you can periodically recheck the program
or data and compare it with the stored hash.

2. Logic Bombs, Trojan Horses, and Trap Doors

There are many types of malicious code in the world today. Though they are only a small subset of these,
logic bombs, Trojan horses, and trap doors are fairly common.

Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date
or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a
programmer could establish a logic bomb to delete critical sections of code if she is terminated from the
company. Logic bombs are most commonly installed by insiders with access to the system.

Trojan Horses
Trojan horses (often just called Trojans) are programs that must be installed or executed by a user to be
effective. Often, these are disguised as helpful or entertaining programs which can include operating system
patches, Linux packages, or games. Once executed, however, Trojans perform actions the user did not
intend such as opening certain ports for later intruder access, replacing certain files with other malicious
files, and so on.1

Logic bombs for good

Some of these techniques can also be used against attackers in a devious sort of way. Administrators
sometimes intentionally deploy pseudo flaws, also known as honey tokens, which are things that look
vulnerable to attack but really act as alarms or triggers of automatic actions when an intruder attempts to
exploit the flaw. Do not confuse the single pseudo flaw with the concept of a pseudo flaw that extends to
encompass an entire host or network - often referred to as a honeypot or a honeynet; neither of these
terms properly refers to a single pseudo flaw.

Trap doors
Trap doors, also referred to as backdoors, are bits of code embedded in programs by the programmer(s) to
quickly gain access at a later time, often during the testing or debugging phase. If an unscrupulous
programmer purposely leaves this code in or simply forgets to remove it, a potential security hole is
introduced. Hackers often plant a backdoor on previously compromised systems to gain later access. Trap
doors can be almost impossible to remove in a reliable manner. Often, reformatting the system is the only
sure way.

Defending against logic bombs and trap/back doors

"How can companies defend against such attacks? by hiring the right people and then treating them right. In
other words, this is a people problem and so it needs a human solution. All the technology in the world is
not going to prevent an insider, with authorized system access and detailed knowledge of the system, from
planting a logic bomb. There are some technologies, such as network surveillance and monitoring programs,
that might detect attempts to create logic bombs. Integrity checking software might deflect attacks from
logic bombs. Properly enforced software development policies and procedures will make it harder for
someone to plant a logic bomb. But the bottom line is that a determined insider is almost impossible to
stop."9

3. Spear phishing
Is a pinpoint attack against some subset of people (users of a website or product, employees of a company,
members of an organization) to attempt to undermine that company or organization. It isolates a specific
group of people, as opposed to spamming the world, and attempts to get them to do something to gain
access to proprietary data or company systems. It will often look real and appear to come from a legitimate
member of the organization. For instance, a spear phish may appear to come from an executive of the
company asking for login IDs and passwords.

As an example, the CIO of Acme Inc. is John Doe. The entire organization receives an e-mail from John Doe
saying that everyone should send their user IDs and passwords to him because he is doing a system audit.
Those who do not will get their access to the network terminated and may face disciplinary action.
Employees then respond to the email thinking they are sending the email to John Doe, but it is really going
to Joe Hacker.

While spear phishing is unique in that it is highly customized to the recipient to increase the chance of
exploitation, the defenses against spear phishing are largely the same. If a user gets a suspicious e-mail,
they can simply call the sender and verify they sent it. Users should avoid sending confidential information
over e-mail. Because spear phishing tried to imitate legitimate users, it is typically very easy to verify if an
e-mail is legitimate by simply calling the apparent sender.[1]

Microsoft offers the following 5 tips to avoid phishing:[2]

 Never reveal personal or financial information in a response to an e-

mail request, no matter who appears to have sent it.
 If you receive an e-mail message that appears suspicious, call the
person or organization listed in the "From" line before you respond or
open any attached files.
 Never click links in an e-mail message that requests personal or
financial information. Enter the Web address into your browser window
instead.
 Report any e-mail that you suspect might be a spear phishing campaign
within your company.
 Use Internet Explorer 7 or the Windows Live Toolbar, both of which
contain Phishing Filter, which scans and helps identify suspicious Web
sites, and provides up-to-the-hour updates and reporting on known
phishing sites.

4.System interrupts

Are any sort of call to software or hardware to have it do something else, that is, something it is
not already doing. Interrupts can occur when a system's hardware is accessed for some reason
(perhaps a hard disk is being read or written to), a user makes a system call as a request for some
type of service, or an error is detected in a currently executing process. Interrupts can often
improve processing capabilities; for example, rather than wait on a slow I/O device, the CPU
will perform an interrupt.

"Most modern general purpose microprocessors handle the interrupts the same way. When a
hardware interrupt occurs the CPU stops executing the instructions that it was executing and
jumps to a location in memory that either contains the interrupt handling code or an instruction
branching to the interrupt handling code. This code usually operates in a special mode for the
CPU interrupt mode, and normally, no other interrupts can happen in this mode."[1]

"Interrupts have numbers, and there can be up to 256 different interrupts. When an interrupt
occurs (like a keypress or a mouse click), the application running is stopped and the contents of
the [Code Segment Instruction Pointer] CS/IP/ flags are pushed into the stack, and the routine
that has to handle the interrupting event is executed. After execution of the routine, using an
IRET call, execution returns to the application. The locations of all the interrupt handling
routines are maintained at the beginning (0000:0000) of memory, and it is called the Interrupt
Service Routine table."[2]

What are the security implications of interrupts?

An attacker could use an interrupt simply by having the OS execute a particular system call that
would perform a malicious action. A classic example was the boot sector virus that would issue
an interrupt to execute a write to a specific portion of the disk, the boot sector.

5.Spam
Spam is a term used to describe unsolicited email, also known as unsolicited commercial email (UCE) or
junk email. The messages are usually mass mailed and considered invasive by those who receive them.
Traditionally, spam has been thought of more as an inconvenience, requiring workers to sift through and
delete dozens and sometimes hundreds of e-mail messages per day and this sifting and deleting affects
employee productivity

If employees are bombarded by spam, then they have to determine what is real and what is fake, and that
puts employees and the business at risk. The majority of the spam they get is useless and harmless, but
mixed in the pile of junk are emails with web links that could lead to websites that could dupe the
employees into downloading malicious code into their business computer network. The greatest concern is
when the employees reply to spam, validating their email address and giving information away.

SPAM Management
Having established the case that spam is a problem both as an additional cost, but also as a security risk,
we consider how to manage this problem.

Sender Permitted From, or SPF, is a new protocol that works in conjunction with existing e-mail protocols to
ensure that a person sending an e-mail on behalf of a given address has the right to do so. "SPFv1 allows
the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail
from their domain. The technology requires two sides to play together: (1) the domain owner publishes this
information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a
message claiming to come from that domain, then (2) the receiving server can check whether the message
complies with the domain's stated policy. If, e.g., the message comes from an unknown server, it can be
considered a fake.

6.The Risk of Default Passwords

System administrators leave their devices with default username and password combinations for a variety of
reasons. Simply not knowing that a password needs to be changed or assuming that their perimeter firewall
will protect them from unauthorized access are some of the reasons for doing so. This practice is definitely
not a good idea considering an attacker can break into your network by some other means, then easily gain
access to these devices. A bigger issue we're seeing is that some worms are configured to automatically
propagate and search for systems set with a default username and password.

Many times system administrators believe that the default username and passwords for specific devices are
generally not known. This is not always the case. There are websites on the Internet which are specifically
there to provide the default username and password combinations for a ton of vendors products. The
Default Password List maintains a wide list of these combinations for products from many different vendors
including Cisco and Check Point.

For whatever reason, vendors will continue to include default username and password combinations in their
products. It's up to all users to ensure that the default settings of any product implemented in our
environment are changed before they go into use.

7.Remote Maintenance
When we hear the term remote access, remote maintenance, we typically think of authorized
administrators with the ability to login from systems while on the road or at home for support reasons.
Remote maintenance can also extend to vendors and support technicians that need access to the device to
assist in configuration or troubleshooting. In many cases, the remote maintenance tools that are authorized
to vendors and support technicians grant a higher level of privilege to the operator than that which is
granted to the administrator. This privilege includes unrestricted access to the operating system versus a
standard configuration interface.

The most well known remote access tool is GoToMyPC. "It enables secure browser-based access to any
Internet-connected PC. Transmitting keyboard, mouse and display updates over a highly compressed,
encrypted stream, this award-winning service yields a 'good as being there' experience over broadband and
impressive performance over dial-up. GoToMyPC enables screen sharing, file transfer and remote printing.

The support of remote maintenance is a requirement for many organizations, as well as the support
organizations they rely on. Unfortunately, it can reveal weaknesses in the overall security of the network as
well. If your support organization has access to the server or appliance platform for maintenance and
troubleshooting, what prevents your attacker from accessing the same resource? Some support
organizations might require static password authentication to access the remote maintenance services on
your devices, and some might even require the use of public key cryptography to restrict access to only
authorized individuals. Few support the ability to remotely maintain and expire support passwords, or utilize
key revocation mechanisms that would stop a disgruntled employee from abusing their previously
authorized access.

Remote access is such an important part of a hacker's attack. An example is the remote access/remote
maintenance of the hackers in the TJX attack. Hackers managed to crack the encryption code and they
digitally eavesdropped on employees logging into TJX's central database in Framingham and stole one or
more user names and passwords. With that information, they set up their own accounts in the TJX system
and collected transaction data including credit-card numbers into about 100 large files for their own access.
They were able to go into the TJX system remotely from any computer on the Internet.

8.Traffic Analysis
Traffic analysis is a special type of inference attack technique that looks at communication patterns between
entities in a system. "Traffic analysis is the process of intercepting and examining messages in order to
deduce information from patterns in communication. It can be performed even when the messages are
encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even
intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the
context of military intelligence or counter-intelligence, and is a concern in computer security."[1] Knowing
who's talking to whom, when, and for how long, can sometimes clue an attacker in to information of which
you'd rather she not be aware.

The size of packets being exchanged between two hosts can also be valuable information for an attacker,
even if they aren't able to view the contents of the traffic (being encrypted or otherwise unavailable). Seeing
a short flurry of single-byte payload packets with consistent pauses between each packet might indicate an
interactive session between two hosts, where each packet indicates a single keystroke. Large packets
sustained over time tend to indicate file transfers between hosts, also indicating which host is sending and
which host is receiving the file. By itself, this information might not be terribly damaging to the security of
the network, but a creative attacker will be able to combine this information with other information to
bypass intended security mechanisms.

Attackers would commonly use traffic analysis in addition to some other method of attack, it is most useful
for reconnaissance, to find vulnerable hosts for instance, or potentially in competitive intelligence to
determine characteristics of someone else's system. However, in the case of insiders or authorized users you
have the "inference problem, wherein authorized users are able to make valid deductions, based only on
data they are authorized to access, about data they are not authorized to access.

Fortunately, traffic analysis can also be used as a defensive technique by identifying anomalies in traffic
patterns. Using traffic analysis, administrators can baseline the traffic to and from hosts on the network over
time, in a graphical format (line charts or other graphs). As a daily routine, the administrator can review
these charts and see patterns in network activity to and from hosts and networks, including packet quantity,
packet sizes, bandwidth utilization, connections per hour, etc. After becoming familiar with the baseline
utilization of the network, an administrator will be able to quickly spot anomalies in connections between
hosts and networks such as port-scans, Denial of Service attacks, significant increases in bandwidth
utilization, and other factors that might indicate hosts that are under attack or have become compromised.
9.Password Spoof Programs
- Is a type of attack aimed at stealing password information that can be used to gain unauthorized
access to a computer system at the expense of some unauthorized user
- The attack involves spoofing a user into believing that a computer terminal is correctly prompting
that user to log in password information. When the user is logged onto the system, the password
information is directed into a specified file from where they will be accessed.