Name: Ahmad Bilal Mehmood
Roll No: 181311
Section: BS-IT (IV)
Assignment 1: Information Security
Submitted To: Sir Zain Ul Abideen

QNO1:
1. Uber
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on this list, and it’s not the worst part of the hack. The way Uber handled the breach once discovered is one big hot mess, and it’s a lesson for other companies on what not to do.
The company learned in late 2016 that two hackers were able to get names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers. As far as we know, no other data such as credit card or Social Security numbers were stolen. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account. Those credentials should never have been on GitHub.
Here’s the really bad part: it wasn’t until about a year later that Uber made the breach public. What’s worse, they paid the hackers $100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach, effectively placing the blame on him.
The breach is believed to have cost Uber dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation had dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it as a significant factor.
Nature of attack: The nature of the hack is relatively straightforward, according to Bloomberg: hackers with access to a public GitHub code repository used by Uber engineers were able to collect private login credentials to an Amazon cloud computing server, from which the hackers stole a list of rider and driver data.
Motivation: The cybercrime underground is always looking for easy targets, and it sounds like Uber was a soft target. The attack began when the attackers found private authentication information that Uber engineers had accidentally exposed publicly on GitHub. In other words, the “attack”—if we can really call it that—required very little technical sophistication to perpetrate.
Extortion seems like the motivation. If the goal was to infiltrate Uber for corporate espionage, then the attackers wouldn’t have declared their presence to Uber. Similarly, if the goal was to embarrass Uber, then the attackers would have leaked the stolen information.
2. OPM
Last year, former FBI director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
A report, released last fall by the House Committee on Oversight and Government Reform, summed up the damage in its title: “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”
3. Equifax
Date: July 29, 2017
Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017
that an application vulnerability on one of their websites led to a data breach that
exposed about 147.9 million consumers. The breach was discovered on July 29, but
the company says that it likely started in mid-May.
4. Marriott International
Date: 2014-18
Impact: 500 million customers
Details: In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
For some of the victims, only name and contact information were compromised. The
attackers were able to take some combination of contact info, passport number,
Starwood Preferred Guest numbers, travel information, and other personal
information. Marriott believes that credit card numbers and expiration dates of more
than 100 million customers were stolen, although the company is uncertain whether
the attackers were able to decrypt the credit card numbers.
The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to a New York Times article. If true, this would be the largest known breach of personal data conducted by a nation-state.
5. Adult Friend Finder
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by
1x0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult
Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He
said the vulnerability, discovered in a module on the production servers used by Adult
Friend Finder, “was being exploited.”
AFF Vice President Diana Ballou issued a statement saying, “We did identify and fix a
vulnerability that was related to the ability to access source code through an injection
vulnerability.”
QNO2:
There are some important traits and characteristics of advanced malware:
1. Distributed, fault-tolerant architecture: Advanced malware can have multiple control servers all around the world, and can poten other infect providing different communication paths in case of any change of circumstances or update per need.
2. Multifunctionality: Any changes in the command and control servers can completely change the functionality of the advanced malware between various end points in order to carry out commands like stealing, deleting, corrupting or changing any data.
3. Polymorphism: A hash signature is the cryptographic symbol of a whole file or system, and any change in the hash symbol is detected. So, to avoid being detected by the file hash, polymorphism is used. Polymorphism means regularly mutating the malware to avoid simple hash matches and produce a unique number of signature hashes for even t
4. Obfuscation: It is a technique to hide the bina that are characteristically used in any malware program and are dete malware program. It can be implemented using a simple substitution cipher.
Why does traditional security fail to control them? Advanced malware techniq algorithms through which it has become very difficult to detect them easily, for several reasons:
1. Rapidly E Attack Vectors: Today, exploits target end users and have multiple ways/applications through which they unexpectedly de
⦁ social media platforms
⦁ Microsoft Office
⦁ Software as a Service applications, etc.
This sho attackers have more convenient ways for their target and assaults use more expensive too when we operate on a real-time model. Scarcely anyone takes notes on email delay messages as an using browser and number of application platforms.
2. Lack of Comprehensive End-to-End Visibility: An isolated security solution that lac to interact with the other security solutions will only have visibility in the attack. In order to maximize this u applications are designed from the port-based firewalls by dyna malware along with them. Advanced malwar this trend and expanded upon it consistently. "You can't control threats that you can't see", and malware uses techniques to hide itself, like:
⦁ Non-standard ports and port hopping
⦁ Tunneling
⦁ SSL encryption
⦁ Encoding
⦁ Obfuscation, etc.
3. Targeted Malware: Before malware became the network threat, the main goal of the was to replicate and spread itself, as malware samples which are readily available and easy to collect. Advanced malware had changed th enables the attacker to remotely access and control the target, which means they do not need many in the skilled attacker to successfully infiltrate an organization.
Traditional network controls are effective: Traditional network security controls were never made to meet the ch advanced malware. Traditio traffic and an IP determine which signature to apply on the based port. But malware can simply find a detection.
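The polymorphism point above is that a whole-file hash changes whenever a single byte changes, so a hash blocklist catches only the exact sample it was built from. The block below is an added example, not from the assignment or any product; the "malicious file" is constructed bytes, the C2 address in it is a reserved-TLD placeholder, and the mutation is modelled by appending seed-dependent bytes, which has the same effect on a hash check as a real mutation engine rewriting code. It contrasts the hash check with a content rule keyed on something every variant must keep.

```python
import hashlib
import random
from typing import Dict, Iterable, Set

# Added example, not part of the assignment. Everything below is constructed:
# SAMPLE_FILE stands in for a malicious file, and the C2 URL inside it is a
# reserved-TLD placeholder, not a real indicator.
SAMPLE_FILE = (
    b"MZ\x90\x00" + bytes(range(256))
    + b"http://c2.example.invalid/beacon" + bytes(64)
)


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# A hash-based blocklist, as a traditional antivirus would keep it.
KNOWN_BAD_HASHES: Set[str] = {sha256(SAMPLE_FILE)}


def hash_match(blob: bytes, known: Set[str] = KNOWN_BAD_HASHES) -> bool:
    """Exact-hash signature check: matches only a byte-identical file."""
    return sha256(blob) in known


def polymorphic_variant(blob: bytes, seed: int) -> bytes:
    """Model of what polymorphism does to the detector: each copy differs in
    a few bytes. Real engines rewrite code; for a hash check the effect is
    the same, because any one-bit change yields a different digest."""
    rng = random.Random(seed)
    return blob + bytes(rng.randrange(256) for _ in range(16))


# A content rule keyed on something the variants must keep to function (here
# the C2 address): the kind of thing signature engines match instead of
# whole-file hashes.
CONTENT_RULES = [b"http://c2.example.invalid/beacon"]


def content_match(blob: bytes, rules: Iterable[bytes] = CONTENT_RULES) -> bool:
    return any(rule in blob for rule in rules)


def evaluate(n_variants: int = 10) -> Dict[str, object]:
    """Compare both detectors over the original and n mutated copies."""
    variants = [polymorphic_variant(SAMPLE_FILE, i) for i in range(n_variants)]
    return {
        "hash_detects_original": hash_match(SAMPLE_FILE),
        "hash_detects_variants": sum(hash_match(v) for v in variants),
        "content_detects_variants": sum(content_match(v) for v in variants),
        "distinct_hashes": len({sha256(v) for v in variants}),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Every variant gets its own hash and slips past the blocklist, while the content rule still fires on all of them; the same reasoning is why detection has moved from file hashes toward content, behaviour and network indicators. A content rule can of course be evaded too (the obfuscation trait above is exactly that), which is the argument for layering several signal types rather than relying on one.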
QNO3:
1. Reconnaissance: To research, identify and select targets. Attackers gather intel through publicly available sources. They also scan for vulnerabilities that can be exploited within the target network and services, mapping out areas where they can take advantage.
2. Weaponization and delivery: The attacker will determine which method to use in order to deliver malicious payloads. Some of the methods may include automated tools like exploit kits, spear phishing attacks with malicious links, etc.
3. Exploitation: The attacker deploys an attack against the vulnerable application or system, typically using an exploit kit or weaponized document.
4. Installation: Once they have established the initial foothold, attackers will now install malware in the system in order to conduct further operations, such as maintaining access, persistence, etc.
5. Command and Control: With malware installed, the attacker now owns both sides of the connection: their malicious infrastructure and the infected system. They can now actively control the system, instructing the next stages of the attack. The attacker will establish a command channel in order to communicate and transfer data back and forth.
6. Actions on the objective: Now that the attacker has access over the system, they will act upon their motivation in order to achieve their goal. This could be data exfiltration, destruction of critical infrastructure, or creating fear or the means for extortion.
Advanced attacks are very complex in that, in order for an adversary to succeed, they must progress through every stage of the attack lifecycle.
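The command and control stage above is the one defenders most often catch from network logs: an implant that checks in on a fixed timer produces outbound connections at regular intervals, while a person browsing produces bursty ones. The block below is an added example for this assignment, not from any product or the original text; the firewall-style log is constructed, the addresses are documentation ranges, and the flagging rule (coefficient of variation of the gaps between connections) is one common heuristic, not the only one.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Added example, not part of the assignment. LOG is a constructed firewall-style
# connection log for one host; the addresses are documentation ranges.
LOG = """\
2024-01-05T10:00:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=512
2024-01-05T10:00:10 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=15000
2024-01-05T10:01:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=510
2024-01-05T10:01:45 src=10.0.0.7 dst=198.51.100.21 dport=80 bytes=3000
2024-01-05T10:02:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=514
2024-01-05T10:03:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=511
2024-01-05T10:04:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=513
2024-01-05T10:04:30 src=10.0.0.7 dst=198.51.100.20 dport=443 bytes=9000
2024-01-05T10:05:00 src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=512
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")
Flow = Tuple[str, str, int]


def parse(log: str) -> List[Tuple[datetime, Flow]]:
    """Parse lines into (timestamp, (src, dst, dport)); malformed lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        records.append((ts, (m.group(2), m.group(3), int(m.group(4)))))
    return records


def find_beacons(log: str, min_connections: int = 4,
                 max_cv: float = 0.2) -> List[Dict[str, object]]:
    """Flag flows whose gaps between connections are nearly constant.

    cv = stddev / mean of the gaps. A person browsing gives bursty traffic
    (high cv); an implant sleeping a fixed interval gives cv near 0. Flows
    with too few connections are skipped: one or two gaps prove nothing."""
    by_flow: Dict[Flow, List[datetime]] = defaultdict(list)
    for ts, flow in parse(log):
        by_flow[flow].append(ts)
    hits = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(stamps),
                         "period_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG):
        print(hit)
```

On the constructed log only the flow to 203.0.113.9 is flagged (six connections exactly 60 seconds apart). Lowering min_connections to 2 also flags the two-connection flow, whose single gap trivially has zero variance; that false positive is why the minimum exists. Real implants add jitter to their sleep, so max_cv is tuned rather than set to zero, and the result is a lead for an analyst, not a verdict.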
QNO4:
False Positive:
A false positive is when the system incorrectly accepts a biometric sample as being a match (same as false accept). A false positive is the probability of stating wrongly that a biometric sample belongs to a certain person (in fact not the real guy).
For example:
➢ Phone gets unlocked by facial recognition when some other guy (not you) is showing his face to it.
False negative: A false negative is when biometric systems fail to recognize an authentic individual, which would lead to something not happening. Depending on what that something is, there could be various consequences:
• Personal: An owner of a safe may be prevented from accessing that safe, leading to him/her being unable to access a necessary resource.
➢ You are placing your finger onto the fingerprint scanner of your phone to get it unlocked, but it says it didn't recognize you.
• Institutional: Say my entire server infrastructure is down and I need to access my data center to restore service. Every minute is losing my company thousands of dollars in revenue. The biometric system doesn't recognize me, therefore the company loses more money and reputation.
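The two error types above are not independent: a matcher outputs a similarity score and a threshold turns it into accept/reject, so raising the threshold trades false accepts (false positives) for false rejects (false negatives). The block below is an added example, not part of the assignment; the genuine and impostor scores are constructed, and it computes the false accept rate (FAR) and false reject rate (FRR) for a threshold and finds the equal error point.

```python
from typing import List, Tuple

# Added example, not part of the assignment. The scores are constructed:
# similarity values in [0, 1] a matcher might output when comparing a probe
# (face, fingerprint) against the enrolled template.
GENUINE_SCORES = [0.91, 0.87, 0.95, 0.62, 0.89, 0.93, 0.78, 0.97, 0.84, 0.90]   # the real owner
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.72, 0.28, 0.19, 0.55, 0.66, 0.08, 0.31]  # other people


def decide(score: float, threshold: float) -> bool:
    """Accept when the similarity reaches the threshold."""
    return score >= threshold


def error_rates(threshold: float, genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FAR, FRR).

    FAR: fraction of impostor attempts accepted, the false positives of the
    assignment (someone else unlocks the phone).
    FRR: fraction of genuine attempts rejected, the false negatives (the owner
    is locked out of the safe or the data center)."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows, to see the trade-off as a table."""
    return [(t, *error_rates(t)) for t in thresholds]


def equal_error_threshold(steps: int = 100) -> float:
    """Threshold at which FAR and FRR are closest (the equal error rate point).
    Deployments rarely sit here: a phone lock tolerates more false rejects
    than false accepts, a low-risk door may choose the opposite."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.8, 0.9]):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal error threshold:", equal_error_threshold())
```

At a threshold of 0.5 three impostors get in and nobody genuine is refused; at 0.8 no impostor gets in but two genuine attempts are rejected. The threshold is therefore a policy decision about which mistake is cheaper, which is the point of the personal and institutional consequences listed above.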
QNO5:
1. Honeypots:
In computer terminology, a honeypot is a computer security mechanism set to
detect, deflect, or, in some manner, counteract attempts at unauthorized use of
information systems.
TYPES:
• production honeypots
• research honeypots
Production honeypots are easy to use, capture only limited information, and are used
primarily by corporations. Production honeypots are placed inside the production
network with other production servers by an organization to improve their overall state
of security. Normally, production honeypots are low-interaction honeypots, which are
easier to deploy. They give less information about the attacks or attackers than
research honeypots.
Research honeypots are run to gather information about the motives and tactics of
the black hat community targeting different networks. These honeypots do not add
direct value to a specific organization; instead, they are used to research the threats
that organizations face and to learn how to better protect against those threats.
Research honeypots are complex to deploy and maintain, capture extensive
information, and are used primarily by research, military, or government organizations.
Based on design criteria, honeypots can be classified as:
• pure honeypots
• high-interaction honeypots
• low-interaction honeypots
Pure honeypots are full-fledged production systems.
The activities of the attacker are monitored by using a bug tap that has been installed
on the honeypot's link to the network. No other software needs to be installed. Even
though a pure honeypot is useful, stealthiness of the defense mechanisms can be
ensured by a more controlled mechanism.
High-interaction honeypots imitate the activities of the production systems that host a
variety of services and, therefore, an attacker may be allowed a lot of services to waste
their time. By employing virtual machines, multiple honeypots can be hosted on a single
physical machine. Therefore, even if the honeypot is compromised, it can be restored
more quickly. In general, high-interaction honeypots provide more security by being
difficult to detect, but they are expensive to maintain. If virtual machines are not
available, one physical computer must be maintained for each honeypot, which can be
exorbitantly expensive. Example: Honeynet.
Low-interaction honeypots simulate only the services frequently requested by
attackers. Since they consume relatively few resources, multiple virtual machines
can easily be hosted on one physical system, the virtual systems have a short
response time, and less code is required, reducing the complexity of the virtual
system's security. Example: honeyd.
Diagram:
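The low-interaction honeypot described above simulates only the surface of a service and records who touched it. The block below is an added example written for this assignment, not code from honeyd or any honeypot project: a constructed SMTP decoy that hands out a fake banner, logs the peer and the first bytes it sent as JSON lines, and answers every command with an error, so there is nothing real to interact with. The demo probes the decoy from the same process, standing in for an attacker's scanner.

```python
import json
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List

# Added example, not part of the assignment or of any honeypot project. A
# constructed low-interaction decoy: it fakes one service (an SMTP banner),
# records who connected and what they sent, and offers nothing else.
BANNER = b"220 mail.example.invalid ESMTP ready\r\n"   # constructed fake banner


def serve_one(server: socket.socket, events: List[Dict[str, str]]) -> None:
    """Accept a single connection, log it, and answer with a generic error.
    A real deployment loops on accept; one connection keeps the demo short."""
    conn, (peer_ip, peer_port) = server.accept()
    with conn:
        conn.settimeout(2.0)
        conn.sendall(BANNER)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": f"{peer_ip}:{peer_port}",
            "service": "smtp-decoy",
            "first_bytes": data[:200].decode("latin-1"),
        })
        conn.sendall(b"500 unrecognized command\r\n")


def to_jsonl(events: List[Dict[str, str]]) -> str:
    """One JSON object per line, the shape a SIEM or log pipeline ingests."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def demo() -> Dict[str, object]:
    """Run the decoy on a loopback port and probe it from this process."""
    events: List[Dict[str, str]] = []
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(server, events), daemon=True)
    worker.start()
    # Constructed probe standing in for a scanner: read the banner, send one command.
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as probe:
        banner = probe.recv(1024)
        probe.sendall(b"EHLO probe\r\n")
        reply = probe.recv(1024)
    worker.join(timeout=5.0)
    server.close()
    return {"banner": banner, "reply": reply, "events": events, "jsonl": to_jsonl(events)}


if __name__ == "__main__":
    print(demo()["jsonl"])
```

Nothing legitimate should ever connect to a decoy, so every event it logs is worth an alert; that is the value the production-honeypot paragraph above describes, and it is why a decoy is placed on the same network segment as the real servers it resembles.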
2. Botnets:
Botnet owners can have access to several thousand computers at a time and can
command them to carry out malicious activities. Cybercriminals initially gain access to
these devices by using special Trojan viruses to attack the computers’ security
systems, before implementing command and control software to enable them to carry
out malicious activities on a large scale. These activities can be automated to
encourage as many simultaneous attacks as possible. Different types of botnet
attacks can include:
In other cases, cybercriminals will sell access to the botnet network, sometimes
known as a “zombie” network, so that other cybercriminals can make use of the
network for their own malicious activities, such as activating a spam campaign.
Diagram of botnets:
3. Logic Bombs:
A logic bomb is a piece of code intentionally inserted into a software system that will
set off a malicious function when specified conditions are met. For example, a
programmer may hide a piece of code that starts deleting files (such as a salary data
base trigger) should they ever be terminated from the company. Software that is
inherently malicious, such as viruses and worms, often contain logic bombs that
execute a certain payload at a pre-defined time or when some other condition is met.
This technique can be used by a virus or worm to gain momentum and spread before
being noticed. Some viruses attack their host systems on specific dates, such as Friday
13th or April Fools' Day. Trojans and other computer viruses that activate on certain
dates are often called time bombs. Diagram of logic bombs:
4. Cracking
5. Privilege Escalation:
Privilege escalation happens when a malicious user exploits a bug, design
flaw, or configuration error in an application or operating system to gain
elevated access to resources that should normally be unavailable to that
user. The attacker can then use the newly gained privileges to steal
confidential data, run administrative commands or deploy malware – and
potentially do serious damage to your operating system, server applications,
organization, and reputation. In this blog post, we will look at typical privilege
escalation scenarios and learn how you can protect user accounts in your
systems and applications to maintain a good security posture.