Published by: rajunair on Mar 26, 2009
Copyright: Attribution Non-commercial
Analyze Attacks and Vulnerabilities
...man will occasionally stumble over the truth, but usually manages to pick himself up, walk over or around it, and carry on.
 —Winston S. Churchill

THE SECOND PHASE OF THE I-ADD SECURITY PROCESS is the analyze phase. During this phase you examine known attacks, vulnerabilities, and theoretical attacks in order to generate
These protections and mitigations are methods or procedures used to inhibit an attacker's ability to exploit a vulnerability or perform an attack. The protections and mitigations should be identified without consideration for other factors, such as cost, limits to functionality, or time to implement. Trade-offs are evaluated and decisions are made during the next I-ADD phase, the define phase.
Known Attacks
Identifying known attacks requires research of security-related Web sites, papers, and trade journals. Although currently known attacks are few in number, relative to wired systems, they are likely to grow as wireless systems become more prevalent and provide a richer target for the attacker community. The known attacks we cover here are specific to the wireless portions of the system. The Web servers, backend servers, and gateways are all subject to known attacks specific to their hardware platform, operating systems, and ancillary applications. The importance of specifically examining known attacks separate from theoretical attacks is that known attacks are likely to be attempted by an attacker when targeting a wireless system. Therefore, known attacks deserve a higher priority when making trade-offs during the next I-ADD phase.
Device Theft
Device theft is just as it sounds, the physical theft of the device by an attacker. Fortunately, this is not a concept new or unique to wireless devices or systems, so the need for protection of wireless devices and systems against physical theft is intuitive to device and system manufacturers. Unfortunately, devising devices or systems resistant to theft is very difficult. Several mitigations can be employed to minimize the threat. We will not spend much time stating the obvious, such as locking and alarming rooms that house equipment.
The Man in the Middle
The attacker, by interjecting herself between the user and the server, accomplishes the well-known man-in-the-middle network attack. This interjection is done by gaining physical access to the logical or physical path between the user and the server, such as sitting at the user's or server's access point to the network. Alternatively, this can be used to spoof the user to the server and the server to the user. In both scenarios, the attacker has complete access to the communications between the user and the server.
War Driving
In the 1980s, malicious types began war dialing, calling phone numbers at random in an attempt to locate unprotected modems and gain access to networks. The early 2000s version of war dialing is war driving, roaming around with a laptop, wireless NIC, and an antenna and attempting to gain access to wireless networks. As we have discussed, the vast majority of wireless networks deployed do not use WEP or use WEP without implementing RSA's Fast Packet Keying solution to (more or less) security. With a $100–150 wireless NIC set in promiscuous mode and a cheap parabolic grid antenna from Radio Shack, hackers have gained access to thousands of wireless networks across the United States. In populated areas, war drivers have used simple GPS applications in combination with the wireless NIC and antennae and have successfully mapped the location of thousands of wireless networks to which they can gain access. No esoteric software or hardware is required. A software application called
has the ability to analyze the intercepted WEP traffic and, after collecting enough data, even determine the root password for the wireless system.
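The defender's counterpart to war driving is knowing, before anyone drives past, which of your own access points are running with no encryption or with WEP. The following is an added example, not code from the book: it audits a constructed access-point inventory (the SSIDs, BSSIDs and sites are made up) and reports every AP that would be readable by a NIC in promiscuous mode. The label WPA2 is assumed here as the stronger alternative; the chapter does not discuss it.

```python
"""Audit an access-point inventory for the configurations war drivers look for.

Added example; the inventory records are constructed, not real devices.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # constructed placeholder MAC address
    encryption: str   # "none", "WEP", "WPA2" (WPA2 assumed as the strong option)
    site: str


# Constructed sample inventory.
INVENTORY = [
    AccessPoint("corp-lobby", "00:00:00:00:00:01", "none", "HQ"),
    AccessPoint("corp-lab", "00:00:00:00:00:02", "wep", "HQ"),
    AccessPoint("corp-office", "00:00:00:00:00:03", "WPA2", "HQ"),
    AccessPoint("warehouse", "00:00:00:00:00:04", "WEP", "Site B"),
]

# Why each weak setting matters, in the terms the chapter uses.
WEAK = {
    "none": "no encryption: traffic is readable by anyone in range",
    "wep": "WEP: intercepted traffic can be analysed to recover the key",
}


def weak_access_points(inventory):
    """Return (ap, reason) for every AP whose link is open or WEP-only.

    The encryption field is normalised (stripped, lower-cased) so that
    inventory exports that write "WEP", "wep" or " Wep " all match.
    """
    findings = []
    for ap in inventory:
        label = ap.encryption.strip().lower()
        if label in WEAK:
            findings.append((ap, WEAK[label]))
    return findings


def weak_count_by_site(inventory):
    """Count weak APs per site so the define phase can order remediation."""
    counts = {}
    for ap, _reason in weak_access_points(inventory):
        counts[ap.site] = counts.get(ap.site, 0) + 1
    return counts


if __name__ == "__main__":
    for ap, reason in weak_access_points(INVENTORY):
        print(f"{ap.site:8} {ap.ssid:14} {ap.bssid}  {reason}")
    print(weak_count_by_site(INVENTORY))
```

Run against a real export, the two functions give the analyze phase its list of exposed targets without yet deciding what each fix costs; that trade-off belongs to the define phase.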
Denial of Service
Denial of service is a class of attacks that take many forms, from subtle to obvious. An obvious denial of service attack against a wireless system would be to sever the coax cable on the tower between the transceiver and the antenna. This definitely would deny service to anyone wanting to use that particular tower. A more subtle attack would be to tie up the system with service requests or to spread a bogus e-mail such as "New and Destructive Virus," explaining that you should e-mail everyone you know so that they can protect themselves. The desired result is that the system becomes so bogged down with these e-mails that legitimate traffic cannot be accommodated. Another popular denial of service attack is the "Please help, my child is dying." An e-mail is sent saying that someone, usually a hapless child, is suffering from a terrible affliction. The e-mail goes on to say that a corporation has agreed to provide
amount for every e-mail it receives regarding this child, so please forward this e-mail to everyone you know so that this child can be saved. The desired result is to overwhelm the corporation's servers and cause them to crash.
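The chain-mail floods described above have a signature a mail gateway can watch for: the same subject (under a growing pile of "Fwd:" and "Re:" prefixes) arriving from many distinct senders in a short window. The following added example, not from the book, runs that check over a constructed gateway log; the log line format and the threshold of three distinct senders in five minutes are assumptions chosen for the illustration.

```python
"""Flag chain-mail subjects that fan out across many senders in a short window.

Added example; SAMPLE_LOG is constructed and its format is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log (one line per accepted message).
SAMPLE_LOG = """\
2009-03-26T10:00:01 from=alice@example.org to=bob@example.org subject="New and Destructive Virus"
2009-03-26T10:00:40 from=bob@example.org to=carol@example.org subject="Fwd: New and Destructive Virus"
2009-03-26T10:01:05 from=carol@example.org to=dave@example.org subject="FW: Fwd: New and Destructive Virus"
2009-03-26T10:02:30 from=dave@example.org to=erin@example.org subject="Re: Fwd: New and Destructive Virus"
2009-03-26T10:02:45 from=erin@example.org to=alice@example.org subject="Fwd: New and Destructive Virus"
2009-03-26T10:03:00 from=frank@example.org to=grace@example.org subject="Q3 budget draft"
2009-03-26T10:10:00 from=heidi@example.org to=ivan@example.org subject="Please help, my child is dying"
2009-03-26T11:30:00 from=ivan@example.org to=judy@example.org subject="Fwd: Please help, my child is dying"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)
# Matches one leading "Fwd:", "FW:" or "Re:" prefix; applied repeatedly below.
PREFIX_RE = re.compile(r'^(?:fwd?|re)\s*:\s*', re.IGNORECASE)


def normalize_subject(subject):
    """Strip stacked forward/reply prefixes and whitespace so copies group together."""
    s = subject.strip()
    while True:
        stripped = PREFIX_RE.sub("", s)
        if stripped == s:
            break
        s = stripped
    return " ".join(s.lower().split())


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "sender": m["sender"],
            "subject": normalize_subject(m["subject"]),
        })
    return entries


def chain_mail_subjects(entries, window=timedelta(minutes=5), min_senders=3):
    """Return subjects sent by at least min_senders distinct senders within any window."""
    by_subject = defaultdict(list)
    for e in entries:
        by_subject[e["subject"]].append((e["ts"], e["sender"]))

    flagged = []
    for subject, events in by_subject.items():
        events.sort()
        # Slide a window starting at each event; distinct senders is the fan-out signal.
        for i, (start, _sender) in enumerate(events):
            senders = {s for ts, s in events[i:] if ts - start <= window}
            if len(senders) >= min_senders:
                flagged.append(subject)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for subject in chain_mail_subjects(parse_log(SAMPLE_LOG)):
        print("chain mail:", subject)
```

Counting distinct senders rather than raw message volume is deliberate: a single busy sender is ordinary traffic, while the same subject spreading to new senders is the "forward this to everyone you know" pattern the chapter describes. In the sample, "New and Destructive Virus" crosses the threshold and the two-sender "Please help" thread does not.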
The DoCoMo E-Mail Virus
As of the writing of this chapter, there have been two similar virus attacks against Japan's DoCoMo cellular system. These attacks are viruses that can be downloaded into multifunction cellular phones. The viruses cause the user's phone to automatically dial a number, such as 911, tying up both the cellular and 911 systems. With little imagination, you can see how this type of activity can have far-reaching and dire consequences.
Vulnerabilities and Theoretical Attacks
Identifying vulnerabilities is a difficult process because you are looking for what might occur and trying to anticipate how an attacker could attempt to exploit the system. The process is a dual-mode analysis in which you are examining potentially vulnerable areas while anticipating theoretical attacks. Based on the success or failure of these theoretical attacks, the particular component or resource is identified as vulnerable. Recall that you are not making any determination at this point about the practicality of an attack or the development trade-offs necessary to protect or mitigate the vulnerability.

To begin the examination of vulnerabilities, you begin at the top of the targets list and place yourself in the malicious roles identified earlier. You then create theoretical attacks to which these targets would be vulnerable. Experience and knowledge of the system's inner workings are crucial if you are to have any expectation of identifying all its potential vulnerabilities. If you are examining an existing system, this requirement may lead you to utilize the developers to conduct the vulnerability analysis. This is acceptable as long as the team is evenly weighted with those who were not involved with the development. The reason is, developers know what they were trying to accomplish, and they may make assumptions about how the system functions or responds under certain circumstances. Further, developers know how the system was intended to function, but most attacks attempt to cause the system to function in a manner in which it was