
NAME: AHMAD BILAL MEHMOOD

ROLL NO: 181311    SECTION: BS-IT(IV)

ASSIGNMENT 1: INFORMATION SECURITY
SUBMITTED TO: SIR ZAIN UL ABIDEEN

QNO1:
Search and read about at least five major incidents of
information security breaches on Critical Infrastructure during
last four years i.e. 2016 to 2020. Write short descriptions of the
nature and types of the attacks, the methods employed,
motivation of attackers and the economic and social impact of
those attacks?

1. Uber

Date: Late 2016

Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.

Details: The scope of the Uber breach alone warrants its inclusion on this list, and it’s not the worst part of the hack. The way Uber handled the breach once discovered is one big hot mess, and it’s a lesson for other companies on what not to do.

The company learned in late 2016 that two hackers were able to get names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers. As far as we know, no other data such as credit card or Social Security numbers were stolen. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account. Those credentials should never have been on GitHub.

Here’s the really bad part: It wasn’t until about a year later that Uber made the breach public. What’s worse, they paid the hackers $100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach, effectively placing the blame on him.

The breach is believed to have cost Uber dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it being a significant factor.

Nature of attack: The nature of the hack is relatively straightforward, according to Bloomberg: hackers with access to a public GitHub code repository used by Uber engineers were able to collect private login credentials to an Amazon cloud computing server, from which the hackers stole a list of rider and driver data.

Motivation:

The cybercrime underground is always looking for easy targets, and it sounds like
Uber was a soft target. The attack began when the attackers found private
authentication information that Uber engineers had accidentally exposed publicly on
GitHub. In other words, the “attack”—if we can really call it that—required very little
technical sophistication to perpetrate.
Extortion seems like the motivation. If the goal was to infiltrate Uber for corporate
espionage, then the attackers wouldn’t have declared their presence to Uber.
Similarly, if the goal was to embarrass Uber, then the attackers would have leaked
the stolen information.
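The Uber breach began with AWS credentials sitting in a GitHub repository. As an added example (not from the assignment and not Uber's tooling), here is the kind of pre-commit or CI check that refuses a commit containing something that looks like a cloud credential. The AWS access key id format (AKIA followed by 16 uppercase alphanumerics) and the two example key values are the ones AWS publishes in its own documentation; the generic "secret = ..." pattern, the function names and the sample files are assumptions constructed for the example.

```python
"""Catching cloud credentials before they reach a public repository.

Added example, not part of the assignment or of any Uber tooling. A check
like this, run as a pre-commit hook or in CI, refuses commits that contain
strings shaped like credentials. Patterns and sample files are constructed.
"""
import re

PATTERNS = {
    # AWS access key id: "AKIA" + 16 uppercase alphanumerics (documented format)
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # a 40-character value assigned to something named like an AWS secret key
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    # generic 'password = "..."' style assignment with a non-trivial value
    "generic_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}

# Constructed sample files; the key values are AWS's documentation examples.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in the environment; never commit it.\n",
}


def scan_text(path, text):
    """Return one finding per matched line: (path, line_no, rule, redacted_value).
    The value is redacted so the finding itself can be logged safely."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                secret = match.group(1)
                redacted = secret[:4] + "*" * (len(secret) - 4)
                findings.append((path, line_no, rule, redacted))
    return findings


def precommit_check(files):
    """files: {path: content}. Returns (ok, findings); ok is False when any
    file contains something credential-shaped, so the commit is refused."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return (not findings), findings


if __name__ == "__main__":
    ok, found = precommit_check(SAMPLE_FILES)
    for path, line_no, rule, redacted in found:
        print(f"{path}:{line_no}: {rule} -> {redacted}")
    raise SystemExit(0 if ok else 1)
```

The check deliberately reports only a redacted prefix, so the hook's own output never becomes a second place where the secret is written down.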

2. US Office of Personnel Management (OPM)

Date: 2012-14

Impact: Personal information of 22 million current and former federal employees

Details: Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later. The intruders exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data.

Last year, former FBI director James Comey spoke of the information contained in the
so-called SF-86 form, used for conducting background checks for employee security
clearances. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign
travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my
identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”

A report, released last fall by the House Committee on Oversight and Government
Reform summed up the damage in its title: “The OPM Data Breach: How the
Government Jeopardized Our National Security for More than a Generation.”

3. Equifax

Date: July 29, 2017

Impact: Personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers' license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.

Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application vulnerability on one of their websites led to a data breach that exposed about 147.9 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.

4. Marriott International

Date: 2014-18

Impact: 500 million customers

Details: In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.

For some of the victims, only name and contact information were compromised. The
attackers were able to take some combination of contact info, passport number,
Starwood Preferred Guest numbers, travel information, and other personal
information. Marriott believes that credit card numbers and expiration dates of more
than 100 million customers were stolen, although the company is uncertain whether
the attackers were able to decrypt the credit card numbers.

The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to a New York Times article. If true, this would be the largest known breach of personal data conducted by a nation-state.

5. Adult Friend Finder

Date: October 2016

Impact: More than 412.2 million accounts

Details: The FriendFinder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016. Hackers collected 20 years of data on six databases that included names, email addresses and passwords.

Most of the passwords were protected only by the weak SHA-1 hashing algorithm,
which meant that 99 percent of them had been cracked by the time LeakedSource.com
published its analysis of the entire data set on November 14.

CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by
1x0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult
Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He
said the vulnerability, discovered in a module on the production servers used by Adult
Friend Finder, “was being exploited.”

AFF Vice President Diana Ballou issued a statement saying, “We did identify and fix a
vulnerability that was related to the ability to access source code through an injection
vulnerability.”

QNO2:
There are some important traits and characteristics of advanced malware:

1. Distributed, fault-tolerant architecture
Advanced malware can have multiple control servers all around the world, and can potentially use other infected endpoints, providing different communication paths in case of any change of circumstances, or update as needed.

2. Multifunctionality
Any changes in the command and control servers can completely change the functionality of the advanced malware between various endpoints, in order to carry out commands like stealing, deleting, corrupting or changing any data.

3. Polymorphism
A hash signature is the cryptographic symbol of the whole file or system, and any change in the file changes the hash symbol, which is how the change is detected. So, to avoid being detected by the file hash, malware uses polymorphism: the malware regularly mutates to avoid simple hash matches and produces a unique number of signature hashes.

4. Obfuscation
It is a technique to hide the binary patterns that are characteristically used in any malware program and by which a malware program is detected. It can be implemented using a simple substitution cipher.

Why does traditional security fail to control them?
Advanced malware uses techniques and algorithms through which it has become very difficult to detect easily. There are several reasons:

1. Rapidly Evolving Attack Vectors
Today, exploits target end users and have multiple ways/applications through which they are unexpectedly delivered:
⦁ social media platforms
⦁ Microsoft Office
⦁ Software as a Service applications, etc.
This shows attackers have more convenient ways to reach their target, and assaults use more expensive tools when we operate on a real-time model. Scarcely anyone takes note of email delay messages when using a browser and a number of application platforms.

2. Lack of Comprehensive End-to-End Visibility
Isolated security solutions that lack the ability to interact with other security solutions will only have limited visibility into the attack. In order to maximize this, applications are designed to evade the port-based firewalls, and dynamic malware along with them. Advanced malware has followed this trend and expanded upon it consistently. "You can't control threats that you can't see", and malware uses techniques to hide itself, like:
⦁ Non-standard ports and port hopping
⦁ Tunneling
⦁ SSL encryption
⦁ Encoding
⦁ Obfuscation, etc.

3. Targeted Malware
Before malware became the network threat, the main goal of malware was to replicate and spread itself, so malware samples were readily available and easy to collect. Advanced malware has changed this: it enables the attacker to remotely access and control the target, which means they do not need many skilled attackers to successfully infiltrate an organization.

4. Traditional Network Controls Are Ineffective
Traditional network security controls were never made to meet the challenge of advanced malware. Traditional controls look at traffic and an IP address to determine which signature to apply, based on the port. But malware can simply find a way around such detection.
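The polymorphism point above (a hash signature changes whenever the file changes, so regularly mutating malware defeats simple hash matches) can be shown directly. The following is an added example, not from the assignment: it constructs a base "sample" and a padded variant with the same working part, then compares an exact hash blocklist, a byte-pattern signature on the invariant part, and a crude chunk-overlap similarity in the spirit of fuzzy hashing. The payload bytes are an invented placeholder and the function names are assumptions.

```python
"""Why a file-hash signature misses a polymorphic variant, and what still catches it.

Added example, not from the assignment. Two samples are constructed: a base
file and a variant that keeps the same working payload but carries different
junk padding. The payload is an invented placeholder, not real malware.
"""
import hashlib

# Invariant part every variant must keep to function (constructed placeholder)
PAYLOAD = b"\x55\x48\x89\xe5PLACEHOLDER-DECODER-STUB\x48\x31\xc0\xc3"


def build_variant(seed: bytes) -> bytes:
    """Stand-in for a polymorphic engine: same payload, different padding,
    derived deterministically from 'seed' so the example is reproducible."""
    junk = hashlib.sha256(seed).digest()            # 32 bytes of padding
    return b"MZ" + junk[:16] + PAYLOAD + junk[16:]


def file_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist) -> bool:
    """Traditional signature: exact hash match against known-bad hashes."""
    return file_hash(sample) in blocklist


def byte_pattern_hit(sample: bytes, pattern: bytes = PAYLOAD) -> bool:
    """Content signature on the invariant bytes (what a YARA-style rule does)."""
    return pattern in sample


def chunk_similarity(a: bytes, b: bytes, size: int = 8) -> float:
    """Jaccard overlap of the sets of size-byte windows: 1.0 for identical
    input, 0.0 for nothing in common. Crude next to ssdeep, but it already
    separates 'same family, new padding' from 'unrelated file'."""
    wa = {a[i:i + size] for i in range(len(a) - size + 1)}
    wb = {b[i:i + size] for i in range(len(b) - size + 1)}
    return len(wa & wb) / len(wa | wb)


def compare_detectors(known: bytes, unknown: bytes) -> dict:
    """Run all three checks of 'unknown' against a blocklist built from 'known'."""
    return {
        "hash_match": hash_blocklist_hit(unknown, {file_hash(known)}),
        "pattern_match": byte_pattern_hit(unknown),
        "similarity": round(chunk_similarity(known, unknown), 2),
    }


if __name__ == "__main__":
    base, variant = build_variant(b"seed-1"), build_variant(b"seed-2")
    print("variant vs blocklist built from base:", compare_detectors(base, variant))
```

Against the variant, the hash check returns False while the pattern check returns True: the blocklist is only as good as the exact bytes it has seen, whereas a signature on the part the malware cannot change survives the mutation.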

QNO3:
1. Reconnaissance: To research, identify and select targets. Attackers gather intel through publicly available sources. They also scan for vulnerabilities that can be exploited within the target network and services, mapping out areas where they can take advantage.
2. Weaponization and delivery: The attacker will determine which method to use in order to deliver malicious payloads. Some of the methods may include automated tools like exploit kits, spear phishing attacks with malicious links, etc.
3. Exploitation: The attacker deploys an attack against the vulnerable application or system, typically using an exploit kit or weaponized document.
4. Installation: Once they have established the initial foothold, attackers will now install malware in the system in order to conduct further operations, such as maintaining access, persistence, etc.
5. Command and Control: With malware installed, the attacker now owns both sides of the connection: their malicious infrastructure and the infected system. They can now actively control the system, instructing the next stages of the attack. The attacker will establish a command channel in order to communicate and transfer data back and forth.
6. Actions on the objective: Now that the attacker has access over the system, they will act upon their motivation in order to achieve their goal. This could be data exfiltration, destruction of critical infrastructure, or creating fear or the means for extortion.

Advanced attacks are very complex in that, in order for an adversary to succeed, they must progress through every stage of the attack lifecycle.

QNO4:
False Positive:
A false positive is when the system incorrectly accepts a biometric sample as being a match (same as false accept). The false positive rate is the probability of stating wrongly that a biometric sample belongs to a certain person (who is in fact not the real guy).

For example:

➢ The phone gets unlocked by facial recognition when some other guy (not you) is showing his face to it.

False Negative:
A false negative is when a biometric system fails to recognize an authentic individual, which would lead to something not happening. Depending on what that something is, there could be various consequences:

• Personal: An owner of a safe may be prevented from accessing that safe, leading to him/her being unable to access a necessary resource.

➢ You are placing your finger onto the fingerprint scanner of your phone to get it unlocked, but it says it didn't recognize you.

• Institutional: Say my entire server infrastructure is down and I need to access my data center to restore service. Every minute is losing my company thousands of dollars in revenue. The biometric system doesn't recognize me, therefore the company loses more money and reputation.
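A biometric system does not choose between false positives and false negatives once and for all; it chooses a decision threshold, and moving the threshold trades one for the other. As an added example (not part of the assignment), the block below computes the false accept rate (the page's false positive) and false reject rate (the page's false negative) of a matcher at different thresholds, and finds the threshold where the two are equal. The score lists are constructed to show the overlap between genuine and impostor scores; a real deployment would measure them over many trials.

```python
"""False accept / false reject rates of a biometric matcher at a given threshold.

Added example, not from the assignment. A matcher returns a similarity score
for each comparison and the system accepts when score >= threshold.
Comparisons of a user against their own enrolled template ("genuine") should
score high, comparisons of another person against that template ("impostor")
should score low, but the two ranges overlap. Scores below are constructed.
"""

# Constructed scores on a 0-100 similarity scale
GENUINE = [91, 88, 85, 83, 80, 78, 75, 71, 66, 60]    # rightful user vs own template
IMPOSTOR = [72, 65, 58, 51, 47, 42, 38, 33, 27, 20]   # other person vs that template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for one threshold.
    FAR = false accept rate: impostor scores that pass (the page's false positive).
    FRR = false reject rate: genuine scores that fail (the page's false negative)."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def tradeoff(thresholds=range(0, 101, 10)):
    """FAR/FRR at each threshold: raising it lowers FAR and raises FRR."""
    return {t: rates(t) for t in thresholds}


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold (among observed scores) where FAR and FRR are closest.
    The rate at that point, the equal error rate, is a common one-number
    summary of matcher quality: lower is better."""
    candidates = sorted(set(genuine) | set(impostor))
    return min(candidates,
               key=lambda t: abs(rates(t, genuine, impostor)[0]
                                 - rates(t, genuine, impostor)[1]))


if __name__ == "__main__":
    for t, (far, frr) in tradeoff().items():
        print(f"threshold {t:3d}: FAR={far:.1f}  FRR={frr:.1f}")
    eer_t = equal_error_threshold()
    print("equal error threshold:", eer_t, "rates:", rates(eer_t))
```

Which side of the trade-off to favour depends on the consequence the page describes: a phone unlock can tolerate some false rejects (the owner tries again), while a data-center door during an outage is exactly the case where a false reject is expensive, so such a system is usually backed by a second factor rather than by lowering the threshold.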

QNO5:
1. Honeypots:
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

TYPES:

Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as:

• production honeypots
• research honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots.

Research honeypots are run to gather information about the motives and tactics of the black hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats that organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on design criteria, honeypots can be classified as:

• pure honeypots
• high-interaction honeypots
• low-interaction honeypots

Pure honeypots are full-fledged production systems. The activities of the attacker are monitored by using a bug tap that has been installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, stealthiness of the defense mechanisms can be ensured by a more controlled mechanism.

High-interaction honeypots imitate the activities of the production systems that host a variety of services and, therefore, an attacker may be allowed a lot of services to waste their time. By employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.

Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: honeyd.

Diagram:
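A low-interaction honeypot, as described above, simulates only a service attackers commonly request and records what they do with it. The following is an added example, not from the assignment and not honeyd's code: a fake Telnet-style login service that sends a decoy banner, collects whatever username and password is typed, never grants access, and writes each attempt as a JSON line for later analysis. The session logic is separated from the socket code so it can be exercised on a constructed transcript offline; the banner text, port and file name are assumptions.

```python
"""Minimal low-interaction honeypot: a fake login service that logs attempts.

Added example, not from the assignment. Every credential an intruder types
is recorded and refused; nothing behind the banner exists to be exploited.
"""
import json
import socketserver
from datetime import datetime, timezone

BANNER = b"Ubuntu 18.04 LTS\r\nlogin: "   # decoy banner (constructed value)
MAX_ATTEMPTS = 3                          # real services also cut off after a few tries
LOG_FILE = "honeypot.jsonl"               # assumed output path


def run_session(peer, read_line, write):
    """Drive one fake login dialogue.

    peer      -- (ip, port) of the remote side
    read_line -- callable returning the next input line as bytes (b'' on EOF)
    write     -- callable that sends bytes to the remote side
    Returns the list of attempt records captured during the session.
    """
    attempts = []
    write(BANNER)
    for _ in range(MAX_ATTEMPTS):
        user = read_line().strip()
        if not user:
            break
        write(b"Password: ")
        password = read_line().strip()
        if not password:
            break
        attempts.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "username": user.decode("utf-8", "replace"),
            "password": password.decode("utf-8", "replace"),
        })
        # A low-interaction honeypot never lets anyone in.
        write(b"\r\nLogin incorrect\r\nlogin: ")
    return attempts


class HoneypotHandler(socketserver.StreamRequestHandler):
    """Glue between a real TCP connection and run_session()."""

    def handle(self):
        records = run_session(self.client_address,
                              self.rfile.readline, self.wfile.write)
        with open(LOG_FILE, "a") as log:
            for record in records:
                log.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    # Listen on an unprivileged port (assumption); a port forward or firewall
    # rule would normally redirect real port 23 here.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2323), HoneypotHandler) as srv:
        srv.serve_forever()
```

Because the service has no real login behind it, any connection is suspicious by definition; the value is in the captured usernames, passwords and source addresses, which feed blocklists and show which credential lists are circulating.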
2. Botnets:

A botnet is a collection of internet-connected devices infected by malware that allow hackers to control them. Cyber criminals use botnets to instigate botnet attacks, which include malicious activities such as credential leaks, unauthorized access, data theft and DDoS attacks.

How does a botnet attack work?

Botnet owners can have access to several thousand computers at a time and can
command them to carry out malicious activities. Cybercriminals initially gain access to
these devices by using special Trojan viruses to attack the computers’ security
systems, before implementing command and control software to enable them to carry
out malicious activities on a large scale. These activities can be automated to
encourage as many simultaneous attacks as possible. Different types of botnet
attacks can include:

• Distributed Denial of Service (DDoS) attacks that cause unplanned application downtime
• Validating lists of leaked credentials (credential-stuffing attacks) leading to
account takeovers
• Web application attacks to steal data
• Providing an attacker access to a device and its connection to a network

In other cases, cybercriminals will sell access to the botnet network, sometimes
known as a “zombie” network, so that other cybercriminals can make use of the
network for their own malicious activities, such as activating a spam campaign.

Diagram of Botnets:
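Of the botnet activities listed above, credential stuffing is one a defender can recognise from ordinary login logs, because a botnet gives the campaign a distinctive shape: many distinct source IPs each trying one or two accounts, against many distinct accounts, almost all failing, inside a short window. The block below is an added example, not from the assignment: it parses a constructed login log, summarises fixed time windows and raises an alert on windows that fit that shape. The log format, addresses and thresholds are assumptions.

```python
"""Spotting a credential-stuffing botnet in web login logs.

Added example, not part of the assignment. The log format, the addresses
and the detection thresholds are constructed/assumed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "<ISO time> <src_ip> <username> <result>"
# 12 addresses each try one account in a few seconds (one guess succeeds);
# later, one real user mistypes once and then logs in.
SAMPLE_LOG = """\
2020-05-01T10:00:01 203.0.113.10 alice FAIL
2020-05-01T10:00:02 203.0.113.11 bob FAIL
2020-05-01T10:00:02 203.0.113.12 carol FAIL
2020-05-01T10:00:03 203.0.113.13 dave FAIL
2020-05-01T10:00:03 203.0.113.14 erin FAIL
2020-05-01T10:00:04 203.0.113.15 frank FAIL
2020-05-01T10:00:04 203.0.113.16 grace OK
2020-05-01T10:00:05 203.0.113.17 heidi FAIL
2020-05-01T10:00:05 203.0.113.18 ivan FAIL
2020-05-01T10:00:06 203.0.113.19 judy FAIL
2020-05-01T10:00:06 203.0.113.20 mallory FAIL
2020-05-01T10:00:07 203.0.113.21 oscar FAIL
2020-05-01T11:30:00 198.51.100.7 alice FAIL
2020-05-01T11:30:09 198.51.100.7 alice OK
"""


def parse(log_text):
    """Turn the text log into (time, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def bucket(events, window_minutes=5):
    """Group events into fixed windows and summarise each one."""
    buckets = defaultdict(lambda: {"ips": set(), "users": set(),
                                   "ok_users": set(), "fail": 0, "ok": 0})
    for t, ip, user, ok in events:
        start = t.replace(minute=t.minute - t.minute % window_minutes,
                          second=0, microsecond=0)
        b = buckets[start]
        b["ips"].add(ip)
        b["users"].add(user)
        if ok:
            b["ok"] += 1
            b["ok_users"].add(user)
        else:
            b["fail"] += 1
    return buckets


def detect_credential_stuffing(log_text, min_attempts=10, min_ips=8,
                               min_users=8, max_success_rate=0.2):
    """One alert per window that looks like distributed credential stuffing.
    Thresholds are assumptions to be tuned to the site's normal login volume.
    'compromised_candidates' are accounts that logged in successfully during
    the attack window: the ones to lock or force a password reset on."""
    alerts = []
    for start, b in sorted(bucket(parse(log_text)).items()):
        total = b["ok"] + b["fail"]
        if (total >= min_attempts and len(b["ips"]) >= min_ips
                and len(b["users"]) >= min_users
                and b["ok"] / total <= max_success_rate):
            alerts.append({
                "window_start": start.isoformat(),
                "attempts": total,
                "distinct_ips": len(b["ips"]),
                "distinct_users": len(b["users"]),
                "compromised_candidates": sorted(b["ok_users"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(alert)
```

A per-IP rate limit would not have caught this window, since every address made a single attempt; the signal is in the aggregate across addresses, which is why the detection is written over whole windows rather than per source.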
3. Logic Bombs:
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger) should they ever be terminated from the company. Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools' Day. Trojans and other computer viruses that activate on certain dates are often called time bombs.

Diagram of Logic Bombs:

4. Cracking

In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer program. A common approach (brute-force attack) is to repeatedly try guesses for the password and to check them against an available cryptographic hash of the password. The purpose of password cracking might be to help a user recover a forgotten password (installing an entirely new password is less of a security risk, but it involves system administration privileges), to gain unauthorized access to a system, or to act as a preventive measure whereby system administrators check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence to which a judge has allowed access, when a particular file's permissions are restricted.

Diagram of cracking:
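Two passages above meet in one example: the Adult Friend Finder case, where passwords "protected only by the weak SHA-1 hashing algorithm" were 99 percent cracked, and the "preventive measure whereby system administrators check for easily crackable passwords" mentioned here. The block is an added example, not from the assignment: it shows how an unsalted SHA-1 store lets one digest per guessed word be checked against every user at once, and how a per-user salt plus an iterated hash (PBKDF2, from Python's standard library) removes that shortcut. The wordlist, user names and iteration count are constructed assumptions.

```python
"""Why unsalted SHA-1 password storage is weak, and the salted slow-hash alternative.

Added example, not from the assignment. Hashes, users and wordlist are
constructed on the fly; the audit functions are the administrator's check
for easily crackable passwords described in the text.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]  # constructed
ITERATIONS = 100_000   # assumption; production values are set by measuring cost


# --- Weak scheme: one unsalted SHA-1 digest per password ------------------
def sha1_store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def audit_sha1(stored_hashes, wordlist=WORDLIST):
    """Which stored SHA-1 hashes equal the hash of a common word?
    One digest per candidate word covers every user at once, because with no
    salt, identical passwords produce identical hashes."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


# --- Hardened scheme: per-user random salt + PBKDF2 with many iterations --
def pbkdf2_store(password: str, salt=None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so verification timing leaks nothing
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_pbkdf2(stored_records, wordlist=WORDLIST):
    """Same audit against the hardened store. Weak passwords are still found,
    but each (user, word) pair now costs a full PBKDF2 run and shared
    passwords no longer share a hash, so there is no single lookup table."""
    return {user: w for user, rec in stored_records.items()
            for w in wordlist if pbkdf2_verify(w, rec)}


if __name__ == "__main__":
    users = {"alice": "123456", "bob": "S3cure!Passphrase-9", "carol": "123456"}
    weak = {u: sha1_store(p) for u, p in users.items()}
    strong = {u: pbkdf2_store(p) for u, p in users.items()}
    print("same SHA-1 for alice and carol:", weak["alice"] == weak["carol"])
    print("same PBKDF2 record for alice and carol:", strong["alice"] == strong["carol"])
    print("weak audit:", audit_sha1(weak))
    print("hardened audit:", audit_pbkdf2(strong))
```

The audit still flags the weak passwords under PBKDF2, which is the point of running it: the hash scheme slows an attacker down, it does not excuse "123456". Both controls are needed, and the audit should run against the same salted store the application uses.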

5. Privilege Escalation:
Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to that user. The attacker can then use the newly gained privileges to steal confidential data, run administrative commands or deploy malware – and potentially do serious damage to your operating system, server applications, organization, and reputation. In this blog post, we will look at typical privilege escalation scenarios and learn how you can protect user accounts in your systems and applications to maintain a good security posture.

How Does Privilege Escalation Work?

Attackers start by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account. They can then access the functionality and data of another user (horizontal privilege escalation) or obtain elevated privileges, typically of a system administrator or other power user (vertical privilege escalation). Such privilege escalation is generally just one of the steps performed in preparation for the main attack.

With horizontal privilege escalation, miscreants remain on the same general user privilege level but can access data or functionality of other
accounts or processes that should be unavailable to the current account or
process. For example, this may mean using a compromised office
workstation to gain access to other office users’ data. For web applications,
one example of horizontal privilege escalation might be getting access to
another user’s profile on a social site or e-commerce platform, or their bank
account on an e-banking site.

Potentially more dangerous is vertical privilege escalation (also called privilege elevation), where the attacker starts from a less privileged account
and obtains the rights of a more powerful user – typically the administrator or
system user on Microsoft Windows, or root on Unix and Linux systems. With
these elevated privileges, the attacker can wreak all sorts of havoc in your
computer systems and applications: steal access credentials and other
sensitive information, download and execute malware, erase data, or execute
arbitrary code. Worse still, skilled attackers can use elevated privileges to
cover their tracks by deleting access logs and other evidence of their activity.
This can potentially leave the victim unaware that an attack took place at all.
That way, cybercriminals can covertly steal information or plant malware
directly in company systems.
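The web-application example of horizontal privilege escalation given above, "getting access to another user's profile", usually comes down to a handler that looks up a record by the id in the request without checking who is asking. The block below is an added example, not from the assignment: a deliberately vulnerable profile lookup beside a fixed one that ties each access to the authenticated caller, plus a wrapper that turns refused attempts into an audit record, since repeated refusals are the detection signal for an escalation attempt. The session, data store and function names are constructed stand-ins, not any real framework's API.

```python
"""Horizontal privilege escalation in a web API, and the authorization check that stops it.

Added example, not from the assignment. Users, profiles and the session
object are constructed stand-ins for a real web framework.
"""
from dataclasses import dataclass


@dataclass
class Session:
    """What the application knows about the caller after authentication."""
    user_id: int
    role: str = "user"    # "user" or "admin" (constructed roles)


# Constructed data store: profile id -> record
PROFILES = {
    1: {"owner": 1, "name": "alice", "email": "alice@example.com"},
    2: {"owner": 2, "name": "bob",   "email": "bob@example.com"},
}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """Authentication only: any logged-in user can fetch any profile by id.
    This is the insecure direct object reference behind horizontal escalation."""
    return PROFILES[profile_id]


def get_profile_fixed(session: Session, profile_id: int) -> dict:
    """Authentication plus authorization: the record must belong to the
    caller unless the caller holds an explicitly privileged role."""
    record = PROFILES.get(profile_id)
    # Same error for "missing" and "not yours", so the endpoint cannot be
    # used to enumerate which ids exist.
    if record is None or (record["owner"] != session.user_id
                          and session.role != "admin"):
        raise Forbidden(f"user {session.user_id} may not read profile {profile_id}")
    return record


def audit_access(session: Session, profile_id: int, handler):
    """Returns (allowed, detail). Refusals are what an audit log should keep:
    one user repeatedly requesting other users' ids is the signature of an
    escalation attempt, long before any of them succeeds."""
    try:
        return True, handler(session, profile_id)["name"]
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    bob = Session(user_id=2)
    print("vulnerable handler, bob asks for profile 1:",
          get_profile_vulnerable(bob, 1)["name"])
    print("fixed handler, bob asks for profile 1:",
          audit_access(bob, 1, get_profile_fixed))
```

The fix is an authorization decision made on every object access, not a check done once at login: the session proves who the caller is, and the handler still has to prove the caller may touch this particular record.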
