ROLL NO:181347
SECTION:BS-IT(IV)
ASSIGNMENT 1:INFORMATION SECURITY
SUBMITTED TO: SIR ZAIN UL ABIDEEN
QNO1:
Search and read about at least five major incidents of
information security breaches on Critical Infrastructure during
last four years i.e. 2016 to 2020. Write short descriptions of the
nature and types of the attacks, the methods employed,
motivation of attackers and the economic and social impact of
those attacks?
1. Uber
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000
drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on
this list, and it’s not the worst part of the hack. The way Uber handled
the breach once discovered is one big hot mess, and it’s a lesson for
other companies on what not to do.
The company learned in late 2016 that two hackers were able to get
names, email addresses, and mobile phone numbers of 57 million users of the
Uber app. They also got the driver license numbers of 600,000 Uber
drivers. As far as we know, no other data such as credit card or Social
Security numbers were stolen. The hackers were able to access Uber’s
GitHub account, where they found username and password credentials
to Uber’s AWS account. Those credentials should never have been on
GitHub.
Here’s the really bad part: It wasn’t until about a year later that Uber
made the breach public. What’s worse, they paid the hackers $100,000
to destroy the data with no way to verify that they did, claiming it was a
“bug bounty” fee. Uber fired its CSO because of the breach, effectively
placing the blame on him.
The breach is believed to have cost Uber dearly in both reputation and
money. At the time that the breach was announced, the company was in
negotiations to sell a stake to Softbank. Initially, Uber’s valuation was
$68 billion. By the time the deal closed in December, its valuation
dropped to $48 billion. Not all of the drop is attributable to the
breach, but analysts see it being a significant factor.
Nature of attack:
The nature of the hack is relatively straightforward, according to
Bloomberg: hackers with access to a public GitHub code repository used
by Uber engineers were able to collect private login credentials to an
Amazon cloud computing server, from which the hackers stole a list of
rider and driver data.
Motivation:
The cybercrime underground is always looking for easy targets, and it sounds like
Uber was a soft target. The attack began when the attackers found private
authentication information that Uber engineers had accidentally exposed publicly on
GitHub. In other words, the “attack”—if we can really call it that—required very little
technical sophistication to perpetrate.
Extortion seems like the motivation. If the goal was to infiltrate Uber for corporate
espionage, then the attackers wouldn’t have declared their presence to Uber.
Similarly, if the goal was to embarrass Uber, then the attackers would have leaked
the stolen information.
Last year, former FBI director James Comey spoke of the information contained
in the so-called SF-86 form, used for conducting background checks for employee
security clearances. “My SF-86 lists every place I’ve ever lived since I was 18,
every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So
it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of
that is in there.”
3. Equifax
Date: July 29, 2017
Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7,
2017 that an application vulnerability on one of their websites led to a data breach
that exposed about 147.9 million consumers. The breach was discovered on July
29, but the company says that it likely started in mid-May.
4. Marriott International
Date: 2014-18
Impact: 500 million customers
Details: In November 2018, Marriott International announced that cyber thieves
had stolen data on approximately 500 million customers. The breach actually
occurred on systems supporting Starwood hotel brands starting in 2014. The
attackers remained in the system after Marriott acquired Starwood in 2016 and
were not discovered until September 2018.
For some of the victims, only name and contact information were compromised.
The attackers were able to take some combination of contact info, passport
number, Starwood Preferred Guest numbers, travel information, and other
personal information. Marriott believes that credit card numbers and expiration
dates of more than 100 million customers were stolen, although the company is
uncertain whether the attackers were able to decrypt the credit card numbers.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm,
which meant that 99 percent of them had been cracked by the time
LeakedSource.com published its analysis of the entire data set on November 14.
CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by
1x0123 on Twitter and by Revolver in other circles posted screenshots taken on
Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being
triggered.” He said the vulnerability, discovered in a module on the production
servers used by Adult Friend Finder, “was being exploited.”
AFF Vice President Diana Ballou issued a statement saying, “We did identify and
fix a vulnerability that was related to the ability to access source code through an
injection vulnerability.”
QNO2:
There are some important traits and characteristics of advanced malware:
1. Distributed, fault-tolerant architecture
Advanced malware can have multiple control servers all around the world, and can potentially hold
providing different communication paths in case of any change of circumstances or update the co
2. Malfunctionality
Any changes in the command and control servers can completely change the functionality of the ad
between various endpoints in order to carry out commands like stealing, deleting, corrupting or chan
3. Polymorphism
A hash signature is the cryptographic fingerprint of the whole file or system, and any change in the h
detected. So, to avoid being detected by hash-based file matching, malware uses polymorphism. Polymorphism
regularly mutating to avoid simple hash matches. It can produce a unique number of signature hashe
4. Obfuscation
It is a technique to hide the binary strings that are characteristically used in any malware program a
malware program. It can be implemented using a simple substitution cipher.
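The two traits above (polymorphism defeating hash matching, obfuscation by a simple substitution cipher) can be seen from the detector's side. The following is an added example, not part of the assignment: it contrasts an exact SHA-256 blocklist with a content-based indicator search that also tries every single-byte XOR key. The sample bytes, the indicator string and the choice of XOR as the "simple substitution cipher" are all constructed assumptions for this illustration.

```python
"""Hash-based vs content-based detection (constructed example).
Shows why an exact file hash stops matching after the smallest change,
and why a defender prefers indicators that survive trivial substitution."""
import hashlib
from typing import Dict, Optional, Set

# Constructed "known-bad" sample and an indicator a defender expects inside it.
# Both values are made up for this example (.invalid is a reserved TLD).
KNOWN_BAD = (b"MZ\x90\x00" + b"nothing to see here "
             + b"http://c2.example.invalid/beacon" + b"\x00" * 8)
INDICATOR = b"c2.example.invalid"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the usual 'file hash' in a blocklist."""
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes, blocklist: Set[str]) -> bool:
    """Exact-hash detection: fires only when the whole file is byte-identical."""
    return sha256_hex(data) in blocklist


def xor_substitute(data: bytes, key: int) -> bytes:
    """Single-byte XOR, used here as the 'simple substitution cipher' the text
    mentions (assumption: XOR is one simple instance of such a cipher)."""
    return bytes(b ^ key for b in data)


def find_indicator(data: bytes, indicator: bytes) -> Optional[int]:
    """Content-based detection: look for the indicator in the clear and under
    every single-byte XOR key. Returns the key that revealed it (0 = plain)
    or None if it is absent."""
    for key in range(256):
        if xor_substitute(indicator, key) in data:
            return key
    return None


def classify(data: bytes, blocklist: Set[str]) -> Dict[str, object]:
    """Run both detectors and report what each one saw."""
    key = find_indicator(data, INDICATOR)
    return {"hash_hit": hash_match(data, blocklist),
            "indicator_hit": key is not None,
            "xor_key": key}


if __name__ == "__main__":
    blocklist = {sha256_hex(KNOWN_BAD)}
    print(classify(KNOWN_BAD, blocklist))
    # One padding byte changed: the hash no longer matches, the indicator survives.
    variant = KNOWN_BAD[:-1] + b"\x01"
    print(classify(variant, blocklist))
    # Indicator substituted under key 0x5A: still found by the keyed search.
    hidden = KNOWN_BAD.replace(INDICATOR, xor_substitute(INDICATOR, 0x5A))
    print(classify(hidden, blocklist))
```

The keyed search is the reason analysts extract strings under all 256 XOR keys before deciding a file is clean: a hash blocklist alone says nothing about a sample it has never seen byte-for-byte.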
Why does traditional security fail to control them?
Advanced malware techniques have algorithms through which it has become very difficult to detec
several reasons:
1. Rapidly Expanding Attack Vectors
Today, exploits target end users and have multiple ways/applications through which they can unex
⦁ social media platforms
⦁ Microsoft Office
⦁ Software as a Service Application etc.
This shows that the attackers have more convenient ways to reach their target, and assaults use more ex
when we operate the systems on a real-time model. Scarcely anyone takes notes on email delay mas
using browsers and a number of other application platforms.
2. Lack of Comprehensive End-to-End Visibility
Isolated security solutions that lack the ability to interact with other security solutions will only have
the attack. In order to maximize this use, many applications are designed from the port-based firewa
malware along with them. Advanced malware has taken this trend and expanded upon it consistentl
"You can't control threats that you can't see", and malware uses a variety of techniques to hide itself, li
⦁ Non-standard ports and port hopping
⦁ Tunneling
⦁ SSL encryption
⦁ Encoding and obfuscation, etc.
3. Targeted Malware
Before malware became the network threat, the main goal of the malware was to replicate and spre
malware samples which are readily available and easy to collect. However, advanced malware had
enables the attacker to remotely access and control the target system, which means they do not ne
the skilled attacker to successfully infiltrate an organization.
Traditional network controls are ineffective
Traditional network security controls were never made to meet the challenges of advanced malwa
traffic and an IP address determine which signature to apply based on the port. But advanced malware can s
detection.
QNO3:
1. Reconnaissance
To research, identify and select targets. Attackers gather intel through publicly available
sources. They also scan for vulnerabilities that can be exploited within the target network and
services, and map out areas where they can take advantage.
2. Weaponization and delivery
The attacker will determine which method to use in order to deliver malicious payloads. Some of
the methods may include automated tools like exploit kits, spear-phishing attacks with
malicious links, etc.
3. Exploitation
The attacker deploys an attack against the vulnerable application or system, typically using
an exploit kit or a weaponized document.
4. Installation
Once they have established the initial foothold, attackers will now install malware on the system in
order to conduct further operations, such as maintaining access, persistence, etc.
5. Command and Control
With malware installed, the attacker now owns both sides of the connection: their malicious
infrastructure and the infected system. They can now actively control the system, instructing
the next stages of the attack. The attacker will establish a command channel in order to
communicate and transfer data back and forth.
6. Actions on the objective
Now that the attacker has access to the system, they will act upon their motivation
in order to achieve their goal. This could be data exfiltration, destruction of critical
infrastructure, or creating fear or the means for extortion.
Advanced attacks are complex in that, in order for an adversary to succeed, they must
progress through every stage of the attack lifecycle.
QNO4:
False Positive:
A false positive is when the system incorrectly accepts a biometric sample as being a match
(same as false accept). False positive is the probability of stating wrongly that a biometric
sample belongs to a certain person (when in fact it does not).
For example:
➢ Your phone gets unlocked by facial recognition when someone else (not you) is
showing their face to it.
False negative:
A false negative is when a biometric system fails to recognize an authentic individual, which
would lead to something not happening. Depending on what that something is, there could
be various consequences:
• Personal: The owner of a safe may be prevented from accessing that safe, leading
to him/her being unable to access a necessary resource.
➢ You place your finger on the fingerprint scanner of your phone to get it
unlocked, but it says it didn't recognize you.
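Both error types are usually quoted as rates that move in opposite directions as the matcher's decision threshold changes. The following added example (not part of the assignment) computes the false accept rate (false positives) and false reject rate (false negatives) for a score-based matcher over a range of thresholds; the genuine and impostor match scores are constructed values chosen only to illustrate the trade-off.

```python
"""False accept / false reject trade-off for a score-based biometric matcher.
Constructed example: the score lists are made up for illustration."""
from typing import Dict, Iterable, List

# Constructed match scores (0..100): higher means "more like the enrolled user".
GENUINE_SCORES = [88, 91, 76, 95, 83, 69, 90, 85, 79, 93]   # the real owner
IMPOSTOR_SCORES = [41, 55, 62, 38, 71, 49, 66, 58, 44, 73]  # other people


def decide(score: int, threshold: int) -> bool:
    """Accept the sample when its match score reaches the threshold."""
    return score >= threshold


def error_rates(genuine: List[int], impostor: List[int], threshold: int) -> Dict[str, float]:
    """False accept rate: impostor samples wrongly accepted (false positive).
    False reject rate: genuine samples wrongly refused (false negative)."""
    false_accepts = sum(1 for s in impostor if decide(s, threshold))
    false_rejects = sum(1 for s in genuine if not decide(s, threshold))
    return {"threshold": threshold,
            "far": false_accepts / len(impostor),
            "frr": false_rejects / len(genuine)}


def sweep(genuine: List[int], impostor: List[int], thresholds: Iterable[int]) -> List[Dict[str, float]]:
    """Error rates at each candidate threshold, lowest threshold first."""
    return [error_rates(genuine, impostor, t) for t in thresholds]


def equal_error_threshold(genuine: List[int], impostor: List[int], thresholds: Iterable[int]) -> int:
    """Threshold where FAR and FRR are closest: the usual operating point
    quoted for a matcher. Raising it trades false accepts for false rejects."""
    rows = sweep(genuine, impostor, thresholds)
    best = min(rows, key=lambda r: abs(r["far"] - r["frr"]))
    return int(best["threshold"])


if __name__ == "__main__":
    for row in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 5)):
        print(f"threshold {row['threshold']:3d}: FAR {row['far']:.1f}  FRR {row['frr']:.1f}")
    print("equal-error threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 5)))
```

A phone unlock (convenience) and a safe (security) would sit at different points on this curve: the safe's operator tolerates the occasional false reject the text describes in exchange for a lower FAR.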
QNO5:
1. Honeypots:
In computer terminology, a honeypot is a computer security mechanism set to
detect, deflect, or, in some manner, counteract attempts at unauthorized use of
information systems.
TYPES:
Honeypots can be classified based on their deployment (use/action) and based on
their level of involvement. Based on deployment, honeypots may be classified as
• production honeypots
• research honeypots
Production honeypots are easy to use, capture only limited information, and are
used primarily by corporations. Production honeypots are placed inside the
production network with other production servers by an organization to improve their
overall state of security. Normally, production honeypots are low-interaction
honeypots, which are easier to deploy. They give less information about the attacks
or attackers than research honeypots.
Research honeypots are run to gather information about the motives and tactics of
the black hat community targeting different networks. These honeypots do not add
direct value to a specific organization; instead, they are used to research the threats
that organizations face and to learn how to better protect against those
threats. Research honeypots are complex to deploy and maintain, capture extensive
information, and are used primarily by research, military, or government
organizations.
Based on design criteria, honeypots can be classified as:
• pure honeypots
• high-interaction honeypots
• low-interaction honeypots
Pure honeypots are full-fledged production systems. The activities of the attacker
are monitored by using a bug tap that has been installed on the honeypot's link to the
network. No other software needs to be installed. Even though a pure honeypot is
useful, stealthiness of the defense mechanisms can be ensured by a more controlled
mechanism.
High-interaction honeypots imitate the activities of the production systems that
host a variety of services and, therefore, an attacker may be allowed a lot of services
to waste their time. By employing virtual machines, multiple honeypots can be
hosted on a single physical machine. Therefore, even if the honeypot is
compromised, it can be restored more quickly. In general, high-interaction honeypots
provide more security by being difficult to detect, but they are expensive to maintain.
If virtual machines are not available, one physical computer must be maintained for
each honeypot, which can be exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by
attackers. Since they consume relatively few resources, multiple virtual machines
can easily be hosted on one physical system, the virtual systems have a short
response time, and less code is required, reducing the complexity of the virtual
system's security. Example: honeyd.
Diagram:
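A low-interaction honeypot of the kind described above can be very small: it only has to look like a service, record what is attempted, and never grant access. The following added example (not part of the assignment and not honeyd's code) emulates a Telnet-style login prompt on an unprivileged port, logs every username/password attempt with the peer address, and always answers "Login incorrect". The banner text, port number and in-memory event log are assumptions made for the example.

```python
"""Minimal low-interaction honeypot: fake login prompt, logs every attempt,
never authenticates anyone. Constructed example for illustration."""
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "   # assumed banner, chosen to look ordinary
PORT = 2323                               # unprivileged port, assumption

# In-memory event log; a real deployment would forward these to a SIEM.
EVENTS: List[Dict[str, str]] = []
LOCK = threading.Lock()


def record(peer: str, username: str, password: str) -> Dict[str, str]:
    """Append one credential attempt to the event log and return it."""
    event = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer,
             "username": username, "password": password}
    with LOCK:
        EVENTS.append(event)
    return event


def handle_session(peer: str, lines: List[str]) -> List[Dict[str, str]]:
    """Pair the alternating login/password lines a client typed and log each
    pair. A trailing unpaired line (client gave up) is ignored."""
    attempts = []
    for i in range(0, len(lines) - 1, 2):
        attempts.append(record(peer, lines[i].strip(), lines[i + 1].strip()))
    return attempts


def serve_client(conn: socket.socket, peer: str) -> None:
    """Drive one TCP connection: banner, then login/password prompts.
    Attempts are capped so a bot cannot hold the socket open indefinitely."""
    buf = b""
    lines: List[str] = []
    conn.settimeout(10)
    try:
        conn.sendall(BANNER)
        while len(lines) < 6:
            chunk = conn.recv(256)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                lines.append(line.decode("latin-1"))
                # after a username ask for the password; after a password reject
                prompt = b"Password: " if len(lines) % 2 else b"Login incorrect\r\nlogin: "
                conn.sendall(prompt)
    except (socket.timeout, OSError):
        pass
    finally:
        handle_session(peer, lines)
        conn.close()


def main() -> None:
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", PORT))
        srv.listen()
        print(f"honeypot listening on {PORT}")
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=serve_client,
                             args=(conn, f"{addr[0]}:{addr[1]}"), daemon=True).start()


if __name__ == "__main__":
    main()
```

Because nothing legitimate should ever connect to this listener, every event it records is a high-signal alert; that is the production-honeypot value the text describes, and it comes at the cost of learning little beyond which addresses tried which credentials.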
2. Botnets:
Botnet owners can have access to several thousand computers at a time and can
command them to carry out malicious activities. Cybercriminals initially gain access
to these devices by using special Trojan viruses to attack the computers’ security
systems, before implementing command and control software to enable them to
carry out malicious activities on a large scale. These activities can be automated to
encourage as many simultaneous attacks as possible. Different types of botnet
attacks can include:
In other cases, cybercriminals will sell access to the botnet network, sometimes
known as a “zombie” network, so that other cybercriminals can make use of the
network for their own malicious activities, such as activating a spam campaign.
Diagram of Botnets:
3. Logic Bombs:
A logic bomb is a piece of code intentionally inserted into a software system that
will set off a malicious function when specified conditions are met. For example, a
programmer may hide a piece of code that starts deleting files (such as a
salary database trigger) should they ever be terminated from the company.
Software that is inherently malicious, such as viruses and worms, often contains logic
bombs that execute a certain payload at a pre-defined time or when some other
condition is met. This technique can be used by a virus or worm to gain momentum
and spread before being noticed. Some viruses attack their host systems on specific
dates, such as Friday the 13th or April Fools' Day. Trojans and other computer
viruses that activate on certain dates are often called time bombs.
Diagram of Logic Bombs:
4. Cracking
5. Privilege Escalation:
Privilege escalation happens when a malicious user exploits a bug, design
flaw, or configuration error in an application or operating system to gain
elevated access to resources that should normally be unavailable to that
user. The attacker can then use the newly gained privileges to steal
confidential data, run administrative commands or deploy malware – and
potentially do serious damage to your operating system, server
applications, organization, and reputation. In this blog post, we will look at
typical privilege escalation scenarios and learn how you can protect user
accounts in your systems and applications to maintain a good security
posture.
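Two of the "configuration errors" the paragraph refers to are easy to audit for: a setuid-root executable that other users can modify, and a world-writable directory on the command search path. The following added example (not part of the assignment) runs that audit over a constructed file inventory; the paths, owners and modes are made up, and `collect()` shows how the same inventory would be built from a live filesystem.

```python
"""Audit for two configuration errors that commonly hand a local user elevated
privileges. Constructed example: the inventory below is made up."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Entry:
    path: str
    uid: int    # owner uid, 0 = root
    mode: int   # full st_mode value as os.lstat() reports it


# Constructed inventory standing in for a real os.walk() + os.lstat() pass.
INVENTORY = [
    Entry("/usr/bin/passwd", 0, stat.S_IFREG | stat.S_ISUID | 0o755),  # expected setuid
    Entry("/opt/tool/helper", 0, stat.S_IFREG | stat.S_ISUID | 0o777),  # anyone can edit it
    Entry("/usr/local/bin", 0, stat.S_IFDIR | 0o777),                   # anyone can add files
    Entry("/tmp", 0, stat.S_IFDIR | stat.S_ISVTX | 0o777),              # sticky bit, expected
    Entry("/home/alice/notes", 1000, stat.S_IFREG | 0o644),             # harmless
    Entry("/usr/bin", 0, stat.S_IFDIR | 0o755),
]
SEARCH_PATH = ["/usr/local/bin", "/usr/bin", "/bin"]   # assumed PATH for the example


def find_writable_setuid(entries: Iterable[Entry]) -> List[str]:
    """setuid-root regular files that group or others may write: whoever can
    modify the file decides what runs with root's privileges."""
    return [e.path for e in entries
            if stat.S_ISREG(e.mode) and e.uid == 0
            and e.mode & stat.S_ISUID
            and e.mode & (stat.S_IWGRP | stat.S_IWOTH)]


def find_writable_path_dirs(entries: Iterable[Entry], search_path: List[str]) -> List[str]:
    """Search-path directories that anyone may write to and that lack the
    sticky bit: a file planted there runs with the privileges of whoever
    invokes the command, including an administrator."""
    return [e.path for e in entries
            if stat.S_ISDIR(e.mode) and e.path in search_path
            and e.mode & stat.S_IWOTH and not e.mode & stat.S_ISVTX]


def audit(entries: List[Entry], search_path: List[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings by category."""
    return {"writable_setuid": find_writable_setuid(entries),
            "writable_path_dirs": find_writable_path_dirs(entries, search_path)}


def collect(root: str) -> List[Entry]:
    """Build the same inventory from a live filesystem (not used by the demo)."""
    found: List[Entry] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            found.append(Entry(full, st.st_uid, st.st_mode))
    return found


if __name__ == "__main__":
    for kind, paths in audit(INVENTORY, SEARCH_PATH).items():
        print(f"{kind}: {paths or 'none'}")
```

The fix for each finding is the same least-privilege rule the paragraph implies: strip write permission for group and others from setuid binaries (or drop the setuid bit if it is not needed), and make shared directories on the path root-owned and non-writable, or sticky where shared writes are genuinely required.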