
NAME: AFAQ AHMAD CHEEMA

ROLL NO: 181347
SECTION: BS-IT(IV)
ASSIGNMENT 1: INFORMATION SECURITY
SUBMITTED TO: SIR ZAIN UL ABIDEEN
QNO1:
Search for and read about at least five major incidents of
information security breaches on Critical Infrastructure during
the last four years, i.e. 2016 to 2020. Write short descriptions of the
nature and types of the attacks, the methods employed, the
motivation of the attackers, and the economic and social impact of
those attacks.

1. Uber
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000
drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on
this list, and it’s not the worst part of the hack. The way Uber handled
the breach once discovered is one big hot mess, and it’s a lesson for
other companies on what not to do.
The company learned in late 2016 that two hackers were able to get the
names, email addresses, and mobile phone numbers of 57 million users of the
Uber app. They also got the driver license numbers of 600,000 Uber
drivers. As far as we know, no other data such as credit card or Social
Security numbers were stolen. The hackers were able to access Uber’s
GitHub account, where they found username and password credentials
to Uber’s AWS account. Those credentials should never have been on
GitHub.
Here’s the really bad part: it wasn’t until about a year later that Uber
made the breach public. What’s worse, they paid the hackers $100,000
to destroy the data with no way to verify that they did, claiming it was a
“bug bounty” fee. Uber fired its CSO because of the breach, effectively
placing the blame on him.
The breach is believed to have cost Uber dearly in both reputation and
money. At the time that the breach was announced, the company was in
negotiations to sell a stake to Softbank. Initially, Uber’s valuation was
$68 billion. By the time the deal closed in December, its valuation had
dropped to $48 billion. Not all of the drop is attributable to the
breach, but analysts see it as a significant factor.
Nature of attack:
The nature of the hack is relatively straightforward, according to
Bloomberg: hackers with access to a public GitHub code repository used
by Uber engineers were able to collect private login credentials to an
Amazon cloud computing server, from which the hackers stole a list of
rider and driver data.
Motivation:

The cybercrime underground is always looking for easy targets, and it sounds like
Uber was a soft target. The attack began when the attackers found private
authentication information that Uber engineers had accidentally exposed publicly on
GitHub. In other words, the “attack”—if we can really call it that—required very little
technical sophistication to perpetrate.

Extortion seems like the motivation. If the goal was to infiltrate Uber for corporate
espionage, then the attackers wouldn’t have declared their presence to Uber.
Similarly, if the goal was to embarrass Uber, then the attackers would have leaked
the stolen information.
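The Uber incident above turned on credentials committed to a code repository. The defensive control for that is a secret scanner run before a commit is accepted. The following is an added example written for this assignment, not code from Uber or from any scanning product: a small pre-commit style check that scans staged file contents for an AWS access key ID (the documented AKIA... format), a 40-character AWS secret key assigned in a config file, and a quoted password assignment in source. The staged files, the file paths and the policy function are constructed for the demonstration; the key ID and secret are the placeholder values from AWS's own documentation, not live credentials.

```python
import re

# Credential patterns that should never reach a repository. The AWS access key ID
# format (AKIA followed by 16 upper-case alphanumerics) is the documented format;
# the other two are generic "secret assigned in source" checks.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
    ),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"
    ),
}


def redact(value):
    """Keep only the edges of a secret so a finding can be reported without re-leaking it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, path="<memory>"):
    """Return findings as (path, line_no, kind, redacted_value) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, redact(match.group(1))))
    return findings


def scan_files(files):
    """files maps path -> contents; a pre-commit hook would fill it from the staged diff."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def should_block_commit(files):
    """Policy: any finding blocks the commit; the value is moved to a secret store instead."""
    return bool(scan_files(files))


# Constructed staged files for the demonstration. The key ID and secret key are the
# placeholder values from AWS's own documentation, not live credentials.
STAGED = {
    "config/aws.yml": (
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "src/app.py": "DB_PASSWORD = 'hunter2pass'\nprint('ok')\n",
    "README.md": "Set AWS credentials via environment variables, never in the repo.\n",
}

if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(STAGED):
        print(f"{path}:{line_no}: {kind} -> {value}")
    print("block commit:", should_block_commit(STAGED))
```

Running it reports the key ID and secret in config/aws.yml and the password in src/app.py, with the values redacted, and blocks the commit; the README, which only talks about credentials, produces no finding.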

2. US Office of Personnel Management (OPM)

Date: 2012-14
Impact: Personal information of 22 million current and former federal employees
Details: Hackers, said to be from China, were inside the OPM system starting in
2012, but were not detected until March 20, 2014. A second hacker, or group,
gained access to OPM through a third-party contractor in May 2014, but was not
discovered until nearly a year later. The intruders exfiltrated personal data –
including in many cases detailed security clearance information and fingerprint
data.

Last year, former FBI director James Comey spoke of the information contained
in the so-called SF-86 form, used for conducting background checks for employee
security clearances. “My SF-86 lists every place I’ve ever lived since I was 18,
every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So
it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of
that is in there.”

A report, released last fall by the House Committee on Oversight and
Government Reform summed up the damage in its title: “The OPM Data Breach:
How the Government Jeopardized Our National Security for More than a
Generation.”

3. Equifax
Date: July 29 2017

Impact: Personal information (including Social Security Numbers, birth dates,
addresses, and in some cases drivers' license numbers) of 143 million
consumers; 209,000 consumers also had their credit card data exposed.

Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7,
2017 that an application vulnerability on one of their websites led to a data breach
that exposed about 147.9 million consumers. The breach was discovered on July
29, but the company says that it likely started in mid-May.

4. Marriott International
Date: 2014-18
Impact: 500 million customers
Details: In November 2018, Marriott International announced that cyber thieves
had stolen data on approximately 500 million customers. The breach actually
occurred on systems supporting Starwood hotel brands starting in 2014. The
attackers remained in the system after Marriott acquired Starwood in 2016 and
were not discovered until September 2018.

For some of the victims, only name and contact information were compromised.
The attackers were able to take some combination of contact info, passport
number, Starwood Preferred Guest numbers, travel information, and other
personal information. Marriott believes that credit card numbers and expiration
dates of more than 100 million customers were stolen, although the company is
uncertain whether the attackers were able to decrypt the credit card numbers.

The breach was eventually attributed to a Chinese intelligence group seeking to
gather data on US citizens, according to a New York Times article. If true, this
would be the largest known breach of personal data conducted by a nation-state.

5. Adult Friend Finder

Date: October 2016
Impact: More than 412.2 million accounts
Details: The FriendFinder Network, which included casual hookup and adult
content websites like Adult Friend Finder, Penthouse.com, Cams.com,
iCams.com and Stripshow.com, was breached sometime in mid-October 2016.
Hackers collected 20 years of data on six databases that included names, email
addresses and passwords.

Most of the passwords were protected only by the weak SHA-1 hashing algorithm,
which meant that 99 percent of them had been cracked by the time
LeakedSource.com published its analysis of the entire data set on November 14.

CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by
1x0123 on Twitter and by Revolver in other circles posted screenshots taken on
Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being
triggered.” He said the vulnerability, discovered in a module on the production
servers used by Adult Friend Finder, “was being exploited.”

AFF Vice President Diana Ballou issued a statement saying, “We did identify and
fix a vulnerability that was related to the ability to access source code through an
injection vulnerability.”
QNO2:
Some important traits and characteristics of advanced malware are:
1. Distributed, fault-tolerant architecture
Advanced malware can have multiple control servers all around the world, and can potentially hold
providing different communication paths in case of any change of circumstances or update the co
2. Multifunctionality
Any changes in the command and control servers can completely change the functionality of the ad
between various end point in order to carry out commands like stealing, deleting, corrupting or chan
3. Polymorphism
A hash signature is the cryptographic identifier of the whole file or system, and any change in the h
detected. So, to avoid being detected by hash-based file matching, malware authors use polymorphism. Polymorphism
means regularly mutating to avoid simple hash matches. It can produce a unique number of signature hashe
4. Obfuscation
It is a technique to hide the binary strings that are characteristically used in any malware program a
malware program. It can be implemented using a simple substitution cipher.
Why do traditional security controls fail to stop them?
Advanced malware techniques use algorithms through which it has become very difficult to detec
several reasons:
1. Rapidly Expanding Attack Vectors
Today, exploits target end users and have multiple ways/applications through which they can unex
⦁ social media platforms
⦁ Microsoft Office
⦁ Software as a Service (SaaS) applications, etc.
This shows that the attackers have more convenient ways for their target and assaults use more ex
when we operate the systems on a real-time model. Scarcely anyone takes note of email delay mas
using browsers and a number of other application platforms.
2. Lack of Comprehensive End-to-End Visibility
Isolated security solutions that lack the ability to interact with other security solutions will only have
the attack. In order to maximize this, many applications are designed from the port-based firewa
malware along with them. Advanced malware has taken this trend and expanded upon it consistentl
"You can't control threats that you can't see", and malware uses a variety of techniques to hide itself, li
⦁ Non-standard ports and port hopping
⦁ Tunnelling
⦁ SSL encryption
⦁ Encoding and obfuscation, etc.
3. Targeted Malware
Before malware became a network threat, the main goal of malware was to replicate and spre
malware samples which are readily available and easy to collect. However, advanced malware had
enables the attacker to remotely access and control the target system, which means they do not ne
the skilled attacker to successfully infiltrate an organization.
Traditional Network controls are effective
Traditional network security controls were never made to meet the challenges of advanced malwa
traffic and an IP to determine which signature to apply based on the port. But advanced malware can s
detection.
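The polymorphism and obfuscation traits above explain, in prose, why a file-hash block list and a byte-pattern signature miss trivially changed variants. The following is an added example for this assignment, not code from the page or from any security product: a harmless byte string stands in for a binary, two "traditional" detectors are run over it, and then over a variant with one appended byte (the hash changes completely, the string signature still fires) and over a variant whose characteristic string is stored under a simple substitution cipher (single-byte XOR, as the text describes), which neither detector sees. The sample bytes, the fake signature string and the detector lists are all constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for a malicious binary: harmless bytes, with one characteristic
# string of the kind a byte-pattern signature would key on. Not real malware.
SAMPLE = b"\x7fELF" + b"\x00" * 8 + b"beacon-to: c2.example.invalid:443" + b"\x00" * 8

# Two "traditional" detectors: a block list of file hashes and a byte-pattern signature.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}
STRING_SIGNATURES = [b"c2.example.invalid"]


def hash_detect(data: bytes) -> bool:
    """Exact-match detection: fires only if the whole file is byte-identical."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def signature_detect(data: bytes) -> bool:
    """Pattern detection: fires if any characteristic string is present in clear."""
    return any(sig in data for sig in STRING_SIGNATURES)


def polymorphic_variant(data: bytes, counter: int) -> bytes:
    """Polymorphism as the text describes it: a trivial mutation (here one appended
    byte) that leaves behaviour intact but changes the file hash completely."""
    return data + bytes([counter % 256])


def substitution_obfuscate(chunk: bytes, key: int) -> bytes:
    """Simple substitution cipher (single-byte XOR); applying it twice restores the input."""
    return bytes(b ^ key for b in chunk)


def obfuscated_variant(data: bytes, key: int = 0x5A) -> bytes:
    """Obfuscation as the text describes it: the characteristic string is stored encoded,
    so a byte scanner no longer sees it, and the file hash is new as well."""
    encoded = substitution_obfuscate(STRING_SIGNATURES[0], key)
    return data.replace(STRING_SIGNATURES[0], encoded)


def evaluate(samples: dict) -> dict:
    """Run both detectors over every sample; True means 'detected'."""
    return {
        name: {"hash": hash_detect(d), "signature": signature_detect(d)}
        for name, d in samples.items()
    }


SAMPLES = {
    "original": SAMPLE,
    "polymorphic": polymorphic_variant(SAMPLE, 1),
    "obfuscated": obfuscated_variant(SAMPLE),
}

if __name__ == "__main__":
    for name, result in evaluate(SAMPLES).items():
        print(f"{name:12s} hash={result['hash']!s:5s} signature={result['signature']}")
```

The table this prints is the whole argument of the section in three rows: the original is caught by both detectors, the polymorphic copy only by the string signature, and the obfuscated copy by neither, which is why visibility into behaviour rather than bytes is what the later paragraphs call for.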
QNO3:
1. Reconnaissance
To research, identify and select targets. Attackers gather intelligence through publicly available
sources. They also scan for vulnerabilities that can be exploited within the target network and
services, mapping out areas where they can take advantage.
2. Weaponization and delivery
The attacker determines which method to use in order to deliver malicious payloads. Some of
the methods may include automated tools like exploit kits, spear phishing attacks with
malicious links, etc.
3. Exploitation
The attacker deploys an attack against the vulnerable application or system, typically using an
exploit kit or a weaponized document.
4. Installation
Once they have established the initial foothold, attackers will install malware on the system in
order to conduct further operations, such as maintaining access, persistence, etc.
5. Command and Control
With malware installed, the attacker now owns both sides of the connection: their malicious
infrastructure and the infected system. They can now actively control the system, instructing
the next stages of the attack. The attacker will establish a command channel in order to
communicate and transfer data back and forth.
6. Actions on the objective
Now that the attacker has access to the system, they will act upon their motivation
in order to achieve their goal. This could be data exfiltration, destruction of critical
infrastructure, or creating fear or the means for extortion.
Advanced attacks are complex in that, in order for an adversary to succeed, they must
progress through every stage of the attack lifecycle.

QNO4:
False Positive:
A false positive is when the system incorrectly accepts a biometric sample as being a match
(same as a false accept). The false positive rate is the probability of wrongly stating that a biometric
sample belongs to a certain person when in fact it is not that person.

For example:

➢ A phone gets unlocked by facial recognition when someone else (not you) is
showing their face to it.

False negative:
A false negative is when a biometric system fails to recognize an authentic individual, which
leads to something not happening. Depending on what that something is, there could
be various consequences:

• Personal: The owner of a safe may be prevented from accessing that safe, leading
to him/her being unable to access a necessary resource.

➢ You place your finger on the fingerprint scanner of your phone to get it
unlocked, but it says it didn't recognize you.

• Institutional: Say my entire server infrastructure is down and I need to access my data
center to restore service. Every minute is losing my company thousands of dollars in
revenue. The biometric system doesn't recognize me, therefore the company loses
more money and reputation.
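The two error types above are usually reported as rates, the false accept rate (FAR) and false reject rate (FRR), and a single threshold trades one against the other. The following is an added example for this assignment, not code from the page: it takes constructed matcher scores for genuine and impostor attempts, computes FAR and FRR at every candidate threshold, finds the equal error point, and shows what the phone-unlock policy of "no false accepts" costs the legitimate owner in false rejects. The score lists and the function names are constructed for the demonstration.

```python
# Constructed matcher scores (1.0 = perfect match). "Genuine" scores come from the
# enrolled person presenting; "impostor" scores from someone else presenting.
GENUINE = [0.95, 0.90, 0.88, 0.85, 0.82, 0.80, 0.75, 0.70, 0.60, 0.55]
IMPOSTOR = [0.62, 0.58, 0.55, 0.50, 0.45, 0.40, 0.38, 0.35, 0.30, 0.20]


def rates_at_threshold(genuine, impostor, threshold):
    """Accept when score >= threshold.
    FAR (false positive / false accept) = impostors accepted / impostor attempts.
    FRR (false negative / false reject) = genuine users rejected / genuine attempts."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor):
    """(threshold, FAR, FRR) for every distinct observed score, lowest threshold first."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *rates_at_threshold(genuine, impostor, t)) for t in thresholds]


def equal_error_point(genuine, impostor):
    """Threshold where FAR and FRR are closest: the usual single-number summary (EER)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR is within budget (phone unlock: keep strangers out),
    returned with the FRR the legitimate owner will have to live with."""
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("zero false accepts costs:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these scores the equal error point is at threshold 0.60 (FAR = FRR = 10%), while demanding zero false accepts pushes the threshold to 0.70 and rejects 20% of genuine attempts: the data-centre scenario above is exactly what a high FRR looks like in practice.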

QNO5:
1. Honeypots:
In computer terminology, a honeypot is a computer security mechanism set to
detect, deflect, or, in some manner, counteract attempts at unauthorized use of
information systems.

TYPES:
Honeypots can be classified based on their deployment (use/action) and based on
their level of involvement. Based on deployment, honeypots may be classified as

• production honeypots
• research honeypots
Production honeypots are easy to use, capture only limited information, and are
used primarily by corporations. Production honeypots are placed inside the
production network with other production servers by an organization to improve their
overall state of security. Normally, production honeypots are low-interaction
honeypots, which are easier to deploy. They give less information about the attacks
or attackers than research honeypots.
Research honeypots are run to gather information about the motives and tactics of
the black hat community targeting different networks. These honeypots do not add
direct value to a specific organization; instead, they are used to research the threats
that organizations face and to learn how to better protect against those
threats. Research honeypots are complex to deploy and maintain, capture extensive
information, and are used primarily by research, military, or government
organizations.
Based on design criteria, honeypots can be classified as:

• pure honeypots
• high-interaction honeypots
• low-interaction honeypots
Pure honeypots are full-fledged production systems. The activities of the attacker
are monitored by using a bug tap that has been installed on the honeypot's link to the
network. No other software needs to be installed. Even though a pure honeypot is
useful, stealthiness of the defense mechanisms can be ensured by a more controlled
mechanism.
High-interaction honeypots imitate the activities of the production systems that
host a variety of services and, therefore, an attacker may be allowed a lot of services
to waste their time. By employing virtual machines, multiple honeypots can be
hosted on a single physical machine. Therefore, even if the honeypot is
compromised, it can be restored more quickly. In general, high-interaction honeypots
provide more security by being difficult to detect, but they are expensive to maintain.
If virtual machines are not available, one physical computer must be maintained for
each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by
attackers. Since they consume relatively few resources, multiple virtual machines
can easily be hosted on one physical system, the virtual systems have a short
response time, and less code is required, reducing the complexity of the virtual
system's security. Example: honeyd.
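A low-interaction honeypot of the kind just described can be very small: it listens on a port nothing legitimate should touch, answers with a static banner, records what the client sends, and never interprets or executes it. The following is an added example written for this assignment, not code from honeyd or from any honeypot project: a loopback TCP listener with a fake SMTP banner, a record builder that stores the received bytes hex-encoded, and a summary that counts sessions per source address. The banner text, the probe string and the addresses are constructed for the demonstration.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone


def make_event(addr, dst_port, data):
    """Turn one session into a log record. The payload is stored hex-encoded so the
    record is safe to ship to a SIEM; 'printable' is a lossy view for a human reader."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": addr[0],
        "src_port": addr[1],
        "dst_port": dst_port,
        "bytes": len(data),
        "data_hex": data.hex(),
        "printable": data.decode("ascii", "replace").strip(),
    }


def summarize(events):
    """Sessions per source IP: a production honeypot mainly has to answer
    'who is touching a system that nobody should be touching?'."""
    counts = {}
    for event in events:
        counts[event["src_ip"]] = counts.get(event["src_ip"], 0) + 1
    return counts


class LowInteractionHoneypot:
    """Serves a static banner, records whatever arrives, then closes. Nothing the
    client sends is parsed or acted on, which is what keeps the interaction 'low'."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.invalid ESMTP ready\r\n", read_timeout=2.0):
        self.host, self.port, self.banner, self.read_timeout = host, port, banner, read_timeout
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]   # port 0 lets the OS pick a free one
        self._sock.listen(5)
        self._sock.settimeout(0.2)                 # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(4096)
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append(make_event(addr, self.port, data))

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


if __name__ == "__main__":
    honeypot = LowInteractionHoneypot()
    port = honeypot.start()
    # Constructed probe: a client connects, reads the banner and sends one line.
    with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
        client.recv(1024)
        client.sendall(b"EHLO scanner\r\n")
    time.sleep(0.3)
    honeypot.stop()
    print(json.dumps(honeypot.events, indent=2))
    print(summarize(honeypot.events))
```

Because the listener is bound to a port that no production service uses, every record it produces is by definition suspicious, which is the property that makes even this tiny honeypot a useful alarm inside a production network.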
Diagram:
2. Botnets:

A botnet is a collection of internet-connected devices infected by malware that
allows hackers to control them. Cyber criminals use botnets to instigate botnet
attacks, which include malicious activities such as credential leaks,
unauthorized access, data theft and DDoS attacks.
How do botnet attacks work:

Botnet owners can have access to several thousand computers at a time and can
command them to carry out malicious activities. Cybercriminals initially gain access
to these devices by using special Trojan viruses to attack the computers’ security
systems, before implementing command and control software to enable them to
carry out malicious activities on a large scale. These activities can be automated to
encourage as many simultaneous attacks as possible. Different types of botnet
attacks can include:

• Distributed Denial of Service (DDoS) attacks that cause unplanned application
downtime
• Validating lists of leaked credentials (credential-stuffing attacks) leading to
account takeovers
• Web application attacks to steal data
• Providing an attacker access to a device and its connection to a network

In other cases, cybercriminals will sell access to the botnet network, sometimes
known as a “zombie” network, so that other cybercriminals can make use of the
network for their own malicious activities, such as activating a spam campaign.

Diagram of Botnets:
3. Logic Bombs:
A logic bomb is a piece of code intentionally inserted into a software system that
will set off a malicious function when specified conditions are met. For example, a
programmer may hide a piece of code that starts deleting files (such as a
salary database trigger) should they ever be terminated from the company.
Software that is inherently malicious, such as viruses and worms, often contains logic
bombs that execute a certain payload at a pre-defined time or when some other
condition is met. This technique can be used by a virus or worm to gain momentum
and spread before being noticed. Some viruses attack their host systems on specific
dates, such as Friday the 13th or April Fools' Day. Trojans and other computer
viruses that activate on certain dates are often called time bombs.
Diagram of Logic Bombs:

4. Cracking

In cryptanalysis and computer security, password cracking is the
process of recovering passwords from data that have been stored in or
transmitted by a computer program. A common approach (brute-force
attack) is to repeatedly try guesses for the password and to check them
against an available cryptographic hash of the password.
The purpose of password cracking might be to help a user recover a
forgotten password (installing an entirely new password is less of a
security risk, but it involves system administration privileges), to gain
unauthorized access to a system, or to act as a preventive measure
whereby system administrators check for easily crackable passwords. On
a file-by-file basis, password cracking is utilized to gain access to digital
evidence to which a judge has allowed access, when a particular file's
permissions are restricted.
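Two passages on this page meet here: the Adult Friend Finder entry in QNO1, where unsalted SHA-1 let 99 percent of the passwords be recovered, and the preventive use of cracking just described, where an administrator checks for easily crackable passwords. The following is an added example for this assignment, not code from the page or from any password library: the legacy unsalted SHA-1 scheme beside a hardened scheme (random per-user salt plus PBKDF2-HMAC-SHA256 from Python's standard library), and an audit function that measures how much of a legacy hash dump a small table of common passwords resolves. The wordlist, the iteration count and the sample dump are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def legacy_sha1(password: str) -> str:
    """The weak scheme the FriendFinder dump used: one fast, unsalted SHA-1 per password.
    Identical passwords give identical hashes, so one precomputed table covers every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF.
    The salt makes every stored hash unique; the work factor makes each guess costly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed wordlist of common passwords for the audit (real lists are far larger).
COMMON = ["123456", "password", "qwerty", "letmein", "iloveyou"]
LEGACY_TABLE = {legacy_sha1(p): p for p in COMMON}


def audit_legacy_dump(hashes):
    """The preventive use the text mentions: an administrator checks how many stored
    legacy hashes resolve against a table of common passwords.
    Returns (fraction_resolved, {hash: password})."""
    resolved = {h: LEGACY_TABLE[h] for h in hashes if h in LEGACY_TABLE}
    return len(resolved) / len(hashes), resolved


if __name__ == "__main__":
    # Constructed legacy dump: two common passwords and one passphrase.
    dump = [legacy_sha1(p) for p in ["qwerty", "letmein", "correct horse battery staple"]]
    fraction, found = audit_legacy_dump(dump)
    print(f"{fraction:.0%} of the legacy dump resolved: {sorted(found.values())}")
    stored = hash_password("qwerty")
    print(stored)
    print(verify_password("qwerty", stored), verify_password("qwertz", stored))
```

The audit resolves two of the three legacy hashes with a five-word table, which is the mechanism behind the 99 percent figure in QNO1; the same "qwerty" under the hardened scheme produces a different string on every call, so no shared table applies, and each guess costs 200,000 HMAC iterations instead of one SHA-1.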
Diagram of cracking:

5. Privilege Escalation:
Privilege escalation happens when a malicious user exploits a bug, design
flaw, or configuration error in an application or operating system to gain
elevated access to resources that should normally be unavailable to that
user. The attacker can then use the newly gained privileges to steal
confidential data, run administrative commands or deploy malware – and
potentially do serious damage to your operating system, server
applications, organization, and reputation. In this blog post, we will look at
typical privilege escalation scenarios and learn how you can protect user
accounts in your systems and applications to maintain a good security
posture.

How Does Privilege Escalation Work?

Attackers start by exploiting a privilege escalation vulnerability in a target
system or application, which lets them override the limitations of the current
user account. They can then access the functionality and data of another
user (horizontal privilege escalation) or obtain elevated privileges,
typically of a system administrator or other power user (vertical privilege
escalation). Such privilege escalation is generally just one of the steps
performed in preparation for the main attack.

With horizontal privilege escalation, miscreants remain on the same
general user privilege level but can access data or functionality of other
accounts or processes that should be unavailable to the current account or
process. For example, this may mean using a compromised office
workstation to gain access to other office users’ data. For web applications,
one example of horizontal privilege escalation might be getting access to
another user’s profile on a social site or e-commerce platform, or their bank
account on an e-banking site.
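The web-application case just described (reading another user's profile) is usually a missing authorization check on an object identifier. The following is an added example for this assignment, not code from the page or from any framework: a vulnerable profile handler that trusts the id in the request, the fixed handler that decides from the session identity and an explicit role, and a detection routine that flags sessions requesting many other users' ids, the footprint of someone walking the id space. The user store, the role table and the request log are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: int
    email: str
    balance: float


# Constructed user store and role table.
PROFILES = {
    1: Profile(1, "alice@example.invalid", 120.0),
    2: Profile(2, "bob@example.invalid", 9800.0),
}
ROLES = {1: "user", 2: "user", 3: "support"}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session_user_id: int, requested_id: int) -> Profile:
    """Vulnerable handler: it trusts the id from the request, so any logged-in user can
    read any other user's profile by changing the number (horizontal escalation)."""
    return PROFILES[requested_id]


def get_profile_fixed(session_user_id: int, requested_id: int) -> Profile:
    """Fixed handler: the authorization decision uses the identity bound to the session.
    A user may read only their own profile; the support role is explicitly allowed."""
    if requested_id != session_user_id and ROLES.get(session_user_id) != "support":
        raise Forbidden(f"user {session_user_id} may not read profile {requested_id}")
    return PROFILES[requested_id]


def is_allowed(session_user_id: int, requested_id: int) -> bool:
    """Convenience wrapper so the policy can be checked as a boolean."""
    try:
        get_profile_fixed(session_user_id, requested_id)
        return True
    except Forbidden:
        return False


def detect_enumeration(requests, max_foreign_ids: int = 3):
    """Detection side: flag sessions that request at least max_foreign_ids distinct
    *other* users' ids. requests: iterable of (session_user_id, requested_id)."""
    foreign = {}
    for session_user_id, requested_id in requests:
        if requested_id != session_user_id:
            foreign.setdefault(session_user_id, set()).add(requested_id)
    return {user for user, ids in foreign.items() if len(ids) >= max_foreign_ids}


# Constructed access log: user 1 walks ids 2..6; user 2 reads itself and one other id.
REQUEST_LOG = [(1, 2), (1, 3), (1, 4), (1, 5), (1, 6), (2, 2), (2, 1)]

if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable(1, 2))   # Bob's data returned to Alice
    print("fixed allows own profile:", is_allowed(1, 1))
    print("fixed allows other profile:", is_allowed(1, 2))
    print("fixed allows support:", is_allowed(3, 2))
    print("suspicious sessions:", detect_enumeration(REQUEST_LOG))
```

The fix is not in the lookup but in where the identity comes from: the session, which the server controls, rather than the request parameter, which the client controls. The detection routine is the complementary control for the case where such a bug ships anyway.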

Potentially more dangerous is vertical privilege escalation (also
called privilege elevation), where the attacker starts from a less privileged
account and obtains the rights of a more powerful user – typically the
administrator or system user on Microsoft Windows, or root on Unix and
Linux systems. With these elevated privileges, the attacker can wreak all
sorts of havoc in your computer systems and applications: steal access
credentials and other sensitive information, download and execute
malware, erase data, or execute arbitrary code. Worse still, skilled
attackers can use elevated privileges to cover their tracks by deleting
access logs and other evidence of their activity. This can potentially leave
the victim unaware that an attack took place at all. That way, cybercriminals
can covertly steal information or plant malware directly in company
systems.
