CHAPTER 1 INTRODUCTION

1.1 INFORMATION SECURITY
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The terms information security, computer security and information assurance are frequently incorrectly used interchangeably. These fields are interrelated often and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Governments, military, corporations, financial institutions, hospitals, and private business amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. Should confidential information about a business' customers or finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, law suits or even bankruptcy of the business. Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement. For the individual, information security has a significant effect on privacy, which is viewed very differently in different cultures. The field of information security has grown and evolved significantly in recent years. As a career choice there are many ways of gaining entry into the field. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics science, to name a few, which are carried out by Information Security Consultants. This article presents a general overview of information security and its core concepts.

1

Information Security Components: or qualities, i.e., Confidentiality, Integrity and Components: Availability (CIA). Information Systems are decomposed in three main portions, hardware, software and communications with the purpose to identify and apply information security industry standards, as mechanisms of protection and prevention, at three levels or layers: Physical, Personal and Organizational. Essentially, procedures or policies are implemented to tell people (administrators, users and operators) how to use products to ensure information security within the organizations.

2

CHAPTER 2 HISTORY

Since the early days of writing, heads of state and military commanders understood that it was necessary to provide some mechanism to protect the confidentiality of written correspondence and to have some means of detecting tampering. Julius Caesar is credited with the invention of the Caesar cipher c50 B.C., which was created in order to prevent his secret messages from being, read should a message fall into the wrong hands. World War II brought about much advancement in information security and marked the beginning of the professional field of information security. The end of the 20th century and early years of the 21st century saw rapid advancements in telecommunications, computing hardware and software, and data encryption. The availability of smaller, more powerful and less expensive computing equipment made electronic data processing within the reach of small business and the home user. These computers quickly became interconnected through a network generically called the Internet or World Wide Web. The rapid growth and widespread use of electronic data processing and electronic business conducted through the Internet, along with numerous occurrences of international terrorism, fuelled the need for better methods of protecting the computers and the information they store, process and transmit. The academic disciplines of computer security, information security and information assurance emerged along with numerous professional organizations - all sharing the common goals of ensuring the security and reliability of information systems.

3

CHAPTER 3 BASIC PRINCIPLES

3.1 KEY CONCEPTS
For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles of information security. There is continuous debate about extending this classic trio. Other principles such as Accountability have sometimes been proposed for addition – it has been pointed out that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations. In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

3.1.1 CONFIDENTIALITY Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company’s employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.

4

3.1.2 INTEGRITY In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on. There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mis-type someone’s address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.

3.1.3 AVAILABILITY For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

3.1.4 AUTHENTICITY In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are.

3.1.5 NON-REPUDIATION In law, non-repudiation implies one’s intention to 5fulfil their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.

5

3.1.6 RISK MANAGEMENT A comprehensive treatment of the topic of risk management is beyond the scope of this article. However, a useful definition of risk management will be provided as well as some basic terminology and a commonly used process for risk management. The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." There are two things in this definition that may need some clarification. First, the process of risk management is an ongoing iterative process. It must be repeated indefinitely. The business environment is constantly changing and new threats and vulnerability emerge every day. Second, the choice of countermeasures (controls) used to manage risks must strike a balance between productivity, cost, effectiveness of the countermeasure, and the value of the informational asset being protected. Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk. A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. The assessment may use a subjective qualitative analysis based on informed opinion, or where reliable dollar figures and historical information is available, the analysis may use quantitative analysis. The ISO/IEC 27002:2005 Code of practice for information security management recommends the following be examined during a risk assessment:
• • • • • • • • • •

Security policy, Organization of information security, Asset management, Human resources security, Physical and environmental security, Communications and operations management, Access control, Information systems acquisition, development and maintenance, Information security incident management, Business continuity management, and 6

3.2 CONTROLS
When Management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls. 3.2.1 ADMINISTRATIVE Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day to day operations are to be conducted. Laws and regulations created by government bodies are also a type of administrative control because they inform the business. Some industry sectors have policies, procedures, standards and guidelines that must be followed – the Payment Card Industry (PCI) Data Security Standard required by Visa and Master Card is such an example. Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies. Administrative controls form the basis for the selection and implementation of logical and physical controls. Logical and physical controls are manifestations of administrative controls. Administrative controls are of paramount importance. 3.2.2 LOGICAL Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task. A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read Email and surf the Web. Violations of this principle can also occur when an individual collects additional access privileges over time. This happens when employees’ job duties change, or they are promoted to a new position, or they transfer to another department. The access privileges required by their new duties are frequently added onto their already existing access privileges which may no longer be necessary or appropriate. 3.2.3 PHYSICAL Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities. For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc. Separating the network and work place into functional areas are also physical controls.

7

An important physical control that is frequently overlooked is the separation of duties. Separation of duties ensures that an individual can not complete a critical task by himself. For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check. An applications programmer should not also be the server administrator or the database administratorthese roles and responsibilities must be separated from one another. 3.2.4 ACCESS CONTROL Access to protected information must be restricted to people who are authorized to access the information. The computer programs, and in many cases the computers that process the information, must also be authorized. This requires that mechanisms be in place to control the access to protected information. The sophistication of the access control mechanisms should be in parity with the value of the information being protected – the more sensitive or valuable the information the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built start with identification and authentication. Identification is an assertion of who someone is or what something is. If a person makes the statement “Hello, my name is John Doe.” They are making a claim of who they are. However, their claim may or may not be true. Before John Doe can be granted access to protected information it will be necessary to verify that the person claiming to be John Doe really is John Doe. Authentication is the act of verifying a claim of identity. When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of identity). The bank teller asks to see a photo ID, so he hands the teller his driver’s license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be. There are three different types of information that can be used for authentication: something you know, something you have, or something you are. Examples of something you know include such things as a PIN, a password, or your mother’s maiden name. Examples of something you have include a driver’s license or a magnetic swipe card. Something you are refers to biometrics. Examples of biometrics include palm prints, finger prints, voice prints and retina (eye) scans. Strong authentication requires providing information from two of the three different types of authentication information. For example, something you know plus something you have. This is called two factor authentications. On computer systems in use today, the Username is the most common form of identification and the Password is the most common form of authentication. Usernames and passwords have served their purpose but in our modern world they are no longer adequate. Usernames and passwords are slowly being replaced with more sophisticated authentication mechanisms. After a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are 8

permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures. The policies prescribe what information and computing services can be accessed, by whom, and under what conditions. The access control mechanisms are then configured to enforce these policies. Different computing systems are equipped with different kinds of access control mechanisms – some may even offer a choice of different access control mechanisms. The access control mechanism a system offers will be based upon one of three approaches to access control or it may be derived from a combination of the three approaches. The non-discretionary approach consolidates all access control under a centralized administration. The access to information and other resources is usually based on the individuals function (role) in the organization or the tasks the individual must perform. The discretionary approach gives the creator or owner of the information resource the ability to control access to those resources. In the Mandatory access control approach, access is granted or denied basing upon the security classification assigned to the information resource. Examples of common access control mechanisms in use today include Role-based access control available in many advanced Database Management Systems, simple file permissions provided in the UNIX and Windows operating systems, Group Policy Objects provided in Windows network systems, Kerberos, RADIUS, TACACS, and the simple access lists used in many firewalls and routers. To be effective, policies and other security controls must be enforceable and upheld. Effective policies ensure that people are held accountable for their actions. All failed and successful authentication attempts must be logged, and all access to information must leave some type of audit trail. 3.2.5 CRYPTOGRAPHY Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user; this process is called encryption. Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption. Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically) and while information is in storage. Cryptography provides information security with other useful applications as well including improved authentication methods, message digests, digital signatures, nonrepudiation, and encrypted network communications. Older less secure application such as telnet and ftp are slowly being replaced with more secure applications such as ssh that use encrypted network communications. Wireless communications can be encrypted using protocols such as WPA/WPA2 or the older (and less secure) WEP. 9

3.3 DEFENSE IN DEPTH

Information security must protect information throughout the life span of the information, from the initial creation of the information on through to the final disposal of the information. The information must be protected while in motion and while at rest. During its life time, information may pass through many different information processing systems and through many different parts of information processing systems. There are many different ways the information and information systems can be threatened. To fully protect the information during its lifetime, each component of the information processing system must have its own protection mechanisms. The building up, layering on and overlapping of security measures is called defense in depth. The strength of any system is no greater than its weakest link. Using a defense in depth strategy, should one defensive measure fail there are other defensive measures in place that continue to provide protection. Recall the earlier discussion about administrative controls, logical controls, and physical controls. The three types of controls can be used to form the basis upon which to build a defense-in-depth strategy. With this approach, defense-in-depth can be conceptualized as three distinct layers or planes laid one on top of the other. Additional insight into defense-in- depth can be gained by thinking of it as forming the layers of an onion, with data at the core of the onion, people as the outer layer of the onion, and network security, host-based security and application security forming the inner layers of the onion. Both perspectives are equally valid and each provides valuable insight into the implementation of a good defense-in-depth strategy.

10

3.4 LAWS AND REGULATIONS
Below is a partial listing of European, United Kingdom, Canadian and USA governmental laws and regulations that have, or will have, a significant effect on data processing and information security. Important industry sector regulations have also been included when they have a significant impact on information security. • UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD) requires that all EU members must adopt national regulations to standardize the protection of data privacy for citizens throughout the EU. The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. cracking - sometimes incorrectly referred to as hacking) a criminal offence. The Act has become a model upon which several other countries including Canada and the Republic of Ireland have drawn inspiration when subsequently drafting their own information security laws. The Family Educational Rights and Privacy Act (FERPA) is a USA Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care providers, insurance providers and employers to safeguard the security and privacy of health data. Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy and security of private financial information that financial institutions collect, hold, and process. Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.

11

CHAPTER 4 HOW INFORMATION CAN BE STOLEN? A typical approach in an attack on Internet-connected system is: 1. Network enumeration: Discovering information about the intended target. 2. Vulnerability analysis: Identifying potential ways of attack. 3. Exploitation: Attempting to compromise the system by employing the vulnerabilities found through the vulnerability analysis. In order to do so, there are several recurring tools of the trade and techniques used by computer criminals and security experts.

12

4.1 SECURITY EXPLOIT 4.1.1 INTRODUCTION A security exploit is a prepared application that takes advantage of a known weakness. Common examples of security exploits are SQL injection, Cross Site Scripting and Cross Site Request Forgery which abuse security holes that may result from substandard programming practice. Other exploits would be able to be used through FTP, HTTP, PHP, SSH, Telnet and some web-pages. These are very common in website/domain hacking. 4.1.2 EXPLANATION An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

4.1.2.1 CLASSIFICATION There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client applications also exist, usually consisting of modified servers that send an exploit if accessed with client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering method. This is the hacker way of getting into computers and websites for stealing data. Another classification is by the action against vulnerable system: unauthorized data access, arbitrary code execution, denial of service. Many exploits are designed to provide super-user-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root. Normally a single exploit can only take advantage of specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as 'zero day exploits' and to 13

obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies. 4.1.2.2 TYPES Exploits are commonly categorized and named by these criteria:
• •

The type of vulnerability they exploit (See the article on vulnerabilities for a list) Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote). The result of running the exploit (EoP, DoS, Spoofing, etc...)

4.1.2.3 PIVOTING Pivoting refers to method used by penetration testers that uses compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. For example, an attacker compromises a web server on a corporate network; the attacker can then use the compromised web server to attack other systems on the network. These types of attacks are often called multi-layered attacks. Pivoting is also known as island hopping. Pivoting can further be distinguished into proxy pivoting and VPN pivoting:

Proxy pivoting generally describes the practice channeling traffic through a compromised target using a proxy payload on the machine and launching attacks from this computer. This type of pivoting is restricted to certain TCP and UDP ports that are supported by the proxy. VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into the compromised machine to route any network traffic through that target machine, for example to run a vulnerability scan on the internal network through the compromised machine, effectively giving the attacker full network access as if she were behind the firewall.

Typically, the proxy or VPN applications enabling pivoting are executed on the target computer as the payload (software) of an exploit.

14

4.2 VULNERABILITY SCANNER 4.2.1 INTRODUCTION A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number. (Note that firewalls defend computers from intruders by limiting access to ports/machines both inbound and outbound, but can still be circumvented.) 4.2.2 EXPLANATION A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. There are a number of types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While functionality varies between different types of vulnerability scanners, they share a common, core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management.

4.2.2.1 TYPES OF VULNERABILITY SCANNERS
• • • • •

Port Scanner Network Enumerator Network Vulnerability Scanner Web Application Security Scanner Computer Worm

Friendly types of vulnerability scanners:

CGI Scanner (usually restricted to banner checking; cgi scanners can find vulnerable scripts but usually don't exploit them)

4.2.2.2 NETWORK RECONNAISSANCE Part of the server log, showing attempts to find the administration page.
220.128.235.XXX " "-" 220.128.235.XXX - "-" "-" 220.128.235.XXX 404 - "-" "-" 220.128.235.XXX "-" "-" 220.128.235.XXX - "-" "-" 220.128.235.XXX "-" "-" - - [26/Aug/2010:03:00:09 +0200] "GET /db/db/main.php HTTP/1.0" 404 - "- - [26/Aug/2010:03:00:09 +0200] "GET /db/myadmin/main.php HTTP/1.0" 404 - - [26/Aug/2010:03:00:10 +0200] "GET /db/webadmin/main.php HTTP/1.0" - - [26/Aug/2010:03:00:10 +0200] "GET /db/dbweb/main.php HTTP/1.0" 404 - - [26/Aug/2010:03:00:11 +0200] "GET /db/websql/main.php HTTP/1.0" 404 - - [26/Aug/2010:03:00:11 +0200] "GET /db/webdb/main.php HTTP/1.0" 404 -

15

220.128.235.XXX - "-" "-" 220.128.235.XXX 404 - "-" "-" 220.128.235.XXX 404 - "-" "-" 220.128.235.XXX 404 - "-" "-" 220.128.235.XXX HTTP/1.0" 404 220.128.235.XXX HTTP/1.0" 404 220.128.235.XXX HTTP/1.0" 404 220.128.235.XXX HTTP/1.0" 404 220.128.235.XXX HTTP/1.0" 404 220.128.235.XXX HTTP/1.0" 404 (..)

- - [26/Aug/2010:03:00:13 +0200] "GET /db/dbadmin/main.php HTTP/1.0" 404 - - [26/Aug/2010:03:00:13 +0200] "GET /db/db-admin/main.php HTTP/1.0" - - [26/Aug/2010:03:00:14 +0200] "GET /db/phpmyadmin2/main.php HTTP/1.0" - - [26/Aug/2010:03:00:14 +0200] "GET /db/phpMyAdmin2/main.php HTTP/1.0" - "-" - "-" - "-" - "-" - "-" - "-" [26/Aug/2010:03:00:15 "-" [26/Aug/2010:03:00:15 "-" [26/Aug/2010:03:00:17 "-" [26/Aug/2010:03:00:17 "-" [26/Aug/2010:03:00:18 "-" [26/Aug/2010:03:00:18 "-" +0200] "GET /db/phpMyAdmin-2/main.php +0200] "GET /db/php-my-admin/main.php +0200] "GET /db/phpMyAdmin-2.2.3/main.php +0200] "GET /db/phpMyAdmin-2.2.6/main.php +0200] "GET /db/phpMyAdmin-2.5.1/main.php +0200] "GET /db/phpMyAdmin-2.5.4/main.php

A vulnerability scanner can be used to conduct network reconnaissance, which is typically carried out by a remote attacker attempting to gain information or access to a network on which it is not authorized or allowed. Network reconnaissance is increasingly used to exploit network standards and automated communication methods. The aim is to determine what types of computers are present, along with additional information about those computers—such as the type and version of the operating system. This information can be analyzed for known or recently discovered vulnerabilities that can be exploited to gain access to secure networks and computers. Network reconnaissance is possibly one of the most common applications of passive data analysis. Early generation techniques, such as TCP/IP passive fingerprinting, have accuracy issues that tended to make it ineffective. Today, numerous tools exist to make reconnaissance easier and more effective.

16

4.3 PASSWORD CRACKING 4.3.1 INTRODUCTION Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. 4.3.2 EXPLANATION Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.

4.3.2.1 PRINCIPAL ATTACK METHODS 4.3.2.1.1 WEAK ENCRYPTION If a system uses a poorly designed password hashing scheme to protect stored passwords, an attacker can exploit any weaknesses to recover even 'well-chosen' passwords. One example is the LM hash that Microsoft Windows XP and previous versions use by default to store user passwords of less than 15 characters in length. LM hash converts the password into all uppercase letters then breaks the password into two 7-character fields which are hashed separately—which allows each half to be attacked individually. Password encryption schemes that use stronger hash functions likeMD5, SHA-512 PA, SHA-1, and RIPEMD-160 can still be vulnerable to brute-force and precomputation attacks. Such attacks do not depend on reversing the hash function. Instead, they work by hashing a large number of words or random permutations and comparing the result of each guess to a user's stored password hash. Modern schemes such as MD5-crypt and bcrypt use purposefully slow algorithms so that the number of guesses that an attacker can make in a given period of time is relatively low. Salting, described below, greatly increases the difficulty of such precomputation attacks, perhaps sufficiently to resist all attacks; every instance of its use must be evaluated independently, however. Because progress in analyzing existing cryptographic hash algorithms is always possible, a hash which is effectively invulnerable today may become vulnerable tomorrow. Both MD5 and SHA-1, long thought secure, have been shown vulnerable to less than brute force efficiency attacks. For encryption algorithms (rather different 17

than cryptographic hashes) the same has been true. DES has been broken (in the sense of more efficient than brute force attacks being discovered), and computers have become fast enough that its short key (56 bits) is clearly and publicly insecure against even brute force attacks. Passwords protected by these measures against attack will become vulnerable, and passwords still in use thereby exposed. Historical records are not always and forever irrelevant to today's security problems. 4.3.2.1.2 GUESSING, DICTIONARY AND BRUTE FORCE ATTACKS The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, can incorporate knowledge about the victim, and can be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all the three attacks and the spectrum of attacks encompassed by them. 4.3.2.1.2.1 GUESSING Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:
• • • • • • • • • • •

blank (none) the words "password", "passcode", "admin" and their derivatives a row of letters from the qwerty keyboard—qwerty itself, asdf, or qwertyuiop) the user's name or login name the name of a significant other, a friend, relative or pet their birthplace or date of birth, or a friend's, or a relative's their automobile license plate number, or a friend's, or a relative's their office number, residence number or most commonly, their mobile number. a name of a celebrity they like a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters. a swear or curse word

Personal data about individuals are now available from various sources, many on-line. Attackers who know the user may have information as well. For example, if a user chooses the password "YaleLaw78" because he graduated from Yale Law School in 1978, a disgruntled business partner might be able to guess the password. Guessing is particularly effective with systems that employ self-service password reset. For example, in September 2008, the Yahoo e-mail account of Governor of Alaska and Vice President of the United States nominee Sarah Palin was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth and was able to guess the third, where she met her husband.

18

4.3.2.1.2.2 DICTIONARY ATTACKS Users often choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too short password (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive and so predictable, pattern (eg, alternating vowels and consonants). Repeated research over some 40 years has demonstrated that around 40% of userchosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user's personal information. In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords were a single word findable in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was 1. Some users neglect to change the default password that came with their computer system account. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. An infamous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than do a normal user accounts. Lists of default passwords are available on the Internet. Gary McKinnon, accused by the United States of perpetrating the "biggest military computer hack of all time", has claimed that he was able to get into the military's networks simply by using a Perl script that searched for blank passwords; in other words his report suggests that there were computers on these networks with no passwords at all. Cracking programs exist which accept personal information about the user being attacked and generate common variations for passwords suggested by that information. 4.3.2.1.2.3 BRUTE FORCE ATTACKS A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known; but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively short; however techniques using parallel processing can reduce the time to find the password in inverse proportion to the number of computer devices (CPUs) in use. This depends heavily on whether the prospective attacker has access to the hash of the password as well as the hashing algorithm, in which case the attack is called an offline attack (it can be done without connection to the protected resource) or not, in which case it is called an online attack. Offline attack is generally much easier, because testing a password is reduced to a mathematical computation of the hash of the password to be tried and comparison with the hash of the real password. In an online attack the attacker has to try to authenticate himself with all the possible passwords, and rules and delays can be imposed by the system and the attempts can be logged.

19

A common password length recommendation is eight or more randomly chosen characters combining letters, numbers, and special characters (punctuation, etc). This recommendation makes sense for systems using stronger password hashing mechanisms such as md5-crypt and the Blowfish-based bcrypt, but is inappropriate for many Microsoft Windows systems because they store a legacy LAN Manager hash which splits the password into two seven character halves. On these systems, an eight character password is converted into a seven character password and a one character password. For better security, LAN Manager password storage should be disabled if it will not break supported legacy systems. Systems which limit passwords to numeric characters only, or upper case only, or generally those which limit the range of possible password character choices, also make brute force attacks easier. Using longer passwords in these cases (if possible) can compensate for the limited allowable character set. Of course, even with an adequate range of character choice, users who limit themselves to an obvious subset of the available characters (e.g., use only upper case alphabetic characters, or only digits) make brute force attacks against their accounts much easier. Generic brute-force search techniques are often successful, but smart brute-force techniques, which exploit knowledge about how people tend to choose passwords, pose an even greater threat. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy (randomness), depending on how it is chosen. For example 24 binary digits of randomness is equivalent to 3 randomly chosen bytes, or approximately 5 random characters if they are restricted to upper case alphabetic characters, or 2 words selected from a 4000 word vocabulary. This amount of entropy is far less than what is generally considered safe for an encryption key. How small is too small for offline attacks thus depends partly on an attacker's ingenuity and resources (e.g. available time and computing power). The second of these will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose. 4.3.2.1.3 PRECOMPUTATION In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the word and its computed hash in a way that enables lookup on the list of computed hashes. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries. Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached - a search space of size N can be turned into an encrypted database of size O(N2/3) in which searching for an encrypted password takes time O(N2/3). The theory has recently been refined into a 20

practical technique. Another example cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Windows systems prior to Windows Vista/Server 2008 compute and store a LAN Manager hash by default for backwards compatibility. A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other. 4.3.2.1.4 SALTING The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early UNIX systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough, there are too many possibilities and the attacker must repeat the encryption of every guess for each user. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits respectively. 4.3.2.1.5 EARLY UNIX PASSWORD VULNERABILITY Early UNIX implementations limited passwords to 8 characters and used a 12-bit salt, which allowed for 4096 possible salt values. While 12 bits was conventionally considered good enough for most purposes in the 1970s, by 2005 disk storage had become cheap enough that an attacker could precompute the hashes of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6 character passwords and the most common 7 and 8 character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer salt, and because they render any precomputation or memoization hopeless, modern implementations choose to do so. 4.3.2.2 PREVENTION The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the UNIX operating system, encrypted passwords were originally stored in a publicly accessible file /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with 21

enhanced privileges (ie, 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit passwords in cleartext or use weak challenge/response schemes. Modern UNIX systems have replaced traditional DES-based password hashing with stronger methods based on MD5 and Blowfish. Other systems have also begun to adopt these methods. For instance, the Cisco IOS originally used a reversible Vigenere cipher to encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used. These newer methods use large salt values which prevent attackers from efficiently mounting offline attacks against multiple user accounts simultaneously. The algorithms are also much slower to execute which drastically increases the time required to mount a successful offline attack. Solutions like a security token give a formal proof answer by constantly shifting password. Those solutions abruptly reduce the timeframe for brute forcing (attacker needs to break and use the password within a single shift) and they reduce the value of the stolen passwords because of its short time validity. 4.3.2.3 SOFTWARE There are many password cracking software tools, but the most popular are Cain and Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many litigation support software packages also include password cracking functionality. Most of these packages employ a mixture of cracking strategies, with brute force and dictionary attacks proving to be the most productive.

22

4.4 PACKET SNIFFER 4.4.1 INTRODUCTION A packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network. 4.4.2 EXPLANATION A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer or for particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and, if needed, decodes and analyzes its content according to the appropriate RFC or other specifications.

4.4.2.1 CAPABILITIES On wired broadcast LANs, depending on the network structure (hub or switch), one can capture traffic on all or just parts of the network from a single machine within the network; however, there are some methods to avoid traffic narrowing by switches to gain access to traffic from other systems on the network (e.g. ARP spoofing). For network monitoring purposes it may also be desirable to monitor all data packets in a LAN by using a network switch with a so-called monitoring port, whose purpose is to mirror all packets passing through all ports of the switch when systems (computers) are connected to a switch port. On wireless LANs, one can capture traffic on a particular channel. On wired broadcast and wireless LANs, to capture traffic other than unicast traffic sent to the machine running the sniffer software, multicast traffic sent to a multicast group to which that machine is listening, and broadcast traffic, the network adapter being used to capture the traffic must be put into promiscuous mode; some sniffers support this, others don't. On wireless LANs, even if the adapter is in promiscuous mode, packets not for the service set for which the adapter is configured will usually be ignored. To see those packets, the adapter must be in monitor mode. The captured information is decoded from raw digital form into a human-readable format that permits users of the protocol analyzer to easily review the exchanged information. Protocol analyzers vary in their abilities to display data in multiple views, automatically detect errors, determine the root causes of errors, generate timing diagrams, etc. Some protocol analyzers can also generate traffic and thus act as the reference device; these can act as protocol testers. Such testers generate protocol-correct traffic for functional testing, and may also have the ability to deliberately introduce errors to test for the DUT's ability to deal with error conditions. 23

4.4.2.2 USES The versatility of packet sniffers means they can be used to:
• • • • • • • • • • • • • •

• • • • •

Analyze network problems Detect network intrusion attempts Detect network misuse by internal and external users Documenting regulatory compliance through logging all perimeter and endpoint traffic Gain information for effecting a network intrusion Isolate exploited systems Monitor WAN bandwidth utilization Monitor network usage (including internal and external users and systems) Monitor data-in-motion Monitor WAN and endpoint security status Gather and report network statistics Filter suspect content from network traffic Serve as primary data source for day-to-day network monitoring and management Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use) Reverse engineer proprietary protocols used over the network Debug client/server communications Debug network protocol implementations Verify adds, moves and changes Verify internal control system effectiveness (firewalls, access control, Web filter, Spam filter, proxy)

4.4.2.3 NOTABLE FREE PACKET ANALYZERS
• • • • • • • • •

Capsa Free Cain and Abel dSniff ettercap Microsoft Network Monitor ngrep Network Grep snoop tcpdump Wireshark (formerly known as Ethereal)

4.4.2.4 NOTABLE COMMERCIAL PACKET ANALYZERS
• • • • • • •

Capsa Enterprise Carnivore Clarified Analyzer Congruity Inspector Software Fluke Lanmeter NetScout Sniffer Global Analyzer NetScout Sniffer Portable Professional Analyzer 24

• • • • •

Network Instruments Observer Niksun NetDetector OPNET Technologies ACE Analyst SkyGrabber WildPackets OmniPeek(old name AiroPeek, EtherPeek)

25

4.5 SPOOFING ATTACK 4.5.1 INTRODUCTION A spoofing attack involves one program, system, or website successfully masquerading as another by falsifying data and thereby being treated as a trusted system by a user or another program. The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker. 4.5.2 EXPLANATION In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.

4.5.2.1 MAN-IN-THE-MIDDLE ATTACK AND INTERNET PROTOCOL SPOOFING An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the attacker is Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to the IP address. Many carelessly designed protocols are subject to spoof attacks, including many of those used on the Internet. 4.5.2.2 URL SPOOFING AND PHISHING Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The main intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest usernames and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browsers location bar; or with DNS cache poisoning in order to direct the user away from the legitimate site and to 26

the fake one. Once the user puts in their password, the attack-code reports a password error, and then redirects the user back to the legitimate site. 4.5.2.3 REFERRER SPOOFING Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login-) pages. This is enforced by checking the referrer header of the HTTP request. This referrer header however can be changed (known as "referrer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials. 4.5.2.4 POISONING OF FILE-SHARING NETWORKS "Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources. 4.5.2.5 CALLER ID SPOOFING In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam. 4.5.2.6 E-MAIL ADDRESS SPOOFING The sender information shown in e-mails (the "From" field) can be spoofed easily. This technique is commonly used by spammers to hide the origin of their e-mails and leads to problems such as misdirected bounces (i.e. e-mail spam backscatter). E-mail address spoofing is done in quite the same way as writing a forged return address using snail mail. As long as the letter fits the protocol, (i.e. stamp, postal code) the SMTP protocol will send the message. It can be done using a mail server with telnet.

27

4.6 ROOTKIT 4.6.1 INTRODUCTION A rootkit is designed to conceal the compromise of a computer's security, and can represent any of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its instal installation and attempt to prevent its removal through a subversion of standard system security. Rootkits may include replacements for system binaries so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables. 4.6.2 EXPLANATION A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Typically, an attacker installs a rootkit on a Typically, computer after first obtaining root level access, either by exploiting a known root-level vulnerability or cracking a password. Once a rootkit is installed, it allows an attacker to mask the active intrusion and to gain privileged access to a computer by privileged circumventing normal authentication and authorization mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as malware, hiding applications that appropriate computing resources or steal passwords without the knowledge of administrators and users of affected systems. Rootkits can target firmware, a hypervisor, the kernel or, most commonly, user mode applications. user-mode The term rootkit is a concatenation of the “root” user account in UNIX operating systems and the word "kit", which refers to the software components that implement the tool. The term has negative connotations through its association with malware.

4.6.2.1 HISTORY

ootkitRevealer, Screenshot of RootkitRevealer, showing the files hidden by the Extended Copy Protection rootkit. The very first, documented computer virus to target the PC platform in 1986 used cloaking techniques to hide itself; the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk where a copy of the original boot , 28

sector was kept. Over time, DOS cloaking methods became more sophisticated, with advanced techniques including the hooking of interrupt 13 API calls in order to hide modifications to files. The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a UNIX-like operating system, which granted "root" access. If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These early rootkits were trivial to detect by using uncompromised tools to access the same information. Lane Davis and Steven Dake appear to have written the earliest known rootkit in 1990 for Sun OS 4.1.1. An earlier exploit equivalent to a rootkit was perpetrated by Ken Thompson of Bell Labs against a naval laboratory in California to settle a wager. To achieve this, Thompson subverted the C compiler in a UNIX distribution and discussed the exploit in the lecture he gave upon receiving the Turing award in 1983. The first malicious rootkit for the Windows NT operating system appeared in 1999 with a Trojan called NTRootkit created by Greg Hoglund, followed by HackerDefender in 2003. In 2005, Sony BMG included a rootkit program called Extended Copy Protection (XCP) – created by First 4 Internet – on many of its music CDs, in an attempt to enforce DRM. Sony BMG at that time included an application on some of their CD's that ostensibly played music CD's, but that silently installed a rootkit without informing or requesting a user's permission. In addition to the intentional unauthorized modifications made to the target computer, the Sony BMG rootkit would automatically hide any file whose name started with "$sys$". Malware soon appeared that started to take advantage of the free cloaking provided by the Sony BMG permutation, in order to hide from antivirus software. Noted software engineer and architect Mark Russinovich, created a tool called RootkitRevealer, with which he was able to discover Sony BMG's rootkit. Russinovich published this information in his blog, consequently leading to a highly-publicized scandal that subsequently raised the public's awareness of rootkits. The public relations fallout for Sony BMG was compared by one analyst to the Tylenol Scare. In light of adverse publicity, Sony BMG released patches to remedy the breaches, but initial attempts failed to remove the flow-on, security vulnerabilities that the rootkit had either created or that were indirectly attributable to it. A resultant class action lawsuit was eventually brought against Sony BMG, in the United States. 4.6.2.2 USES Modern rootkits for the Windows platform do not elevate access, but rather are used to make some other software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware because the payloads they are bundled with are malicious, for example to covertly steal user passwords, credit card information, computing resources, or to conduct other unauthorized activities. A small number are legitimate utility applications—an example of the latter is a rootkit that provides CDROM emulation capability allowing video game users to defeat anti-piracy features that require the original installation media. 29

Rootkits and their payloads have many uses, mostly nefarious:

• • •

• •

• •

Provide an attacker with full acc access via a back door so the attacker can for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism (such as the /bin/login program on UNIX-like systems or GINA on Windows) The replacement appears to functio as function normal, but also accepts secret login combination that allows an attacker direct access with administrative privileges to a system, bypassing standard authentication and authorization mechanisms. Conceal other malware notably password-stealing key loggers and computer malware, viruses. Conceal cheating in online games from software like Warden. Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system (or network) instead of the attacker's.) "Zombie" computers are typically members of large botnets that can launch denial-of-service attacks and distribute e-mail spam. Detect attacks, for example in a honeypot. Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial examples of non hostile rootkits that are used non-hostile to defeat copy-protection mechanisms such as SafeDisc and SecuROM. protection Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept actions. system activity and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods. Anti-theft protection. theft Enforcement of DRM.

4.6.2.3 TYPES ere There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for 3. example, user mode and kernel mode. le, 4.6.2.3.1 USER-MODE

30

Computer security rings (Note that Ring-1 is not shown) User-mode rootkits run in Ring 3 as user rather than low-level system processes. They have a number of possible installation vectors in order to intercept and modify the standard behavior of APIs. Some inject a library (DLL) in other processes, and are thereby able to execute inside any target process in order to spoof it; others with sufficient privileges simply overwrite the memory of a target application. Injection mechanisms include:

• • • •

Use of vendor-supplied application extensions. For example, Windows Explorer has public interfaces that allow third parties to extend its functionality. Interception of messages Debuggers Exploitation of security vulnerabilities Function hooking or patching of commonly used API's, for example to mask a running process or file that resides on a filesystem.

"...since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs’ memory space before they fully execute." 4.6.2.3.2 KERNEL-MODE Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding additional code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernelmode device drivers which execute with the same privileges as the operating system itself. As such, many kernel mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write. The complexity makes bugs common, and any bugs in code operating at the kernel level may seriously impact system stability, leading to discovery of a rootkit. One of the first widely known kernel rootkits was developed for Windows NT 4.0 and released in Phrack in the mid-1990s by Greg Hoglund. Kernel rootkits can be especially difficult to detect and remove, because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert operating system operations. Any software, such as antivirus software, running on the compromised system is equally subvertible. In this situation no part of the system can be trusted. A rootkit can modify data structures in the kernel (direct kernel object modification); it can hook kernel functions in the System Service Descriptor Table (SSDT) or modify the gates between user mode and kernel mode in order to implement its cloaking.

31

4.6.2.3.3 BOOT LOADER LEVEL (BOOTKIT) A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack". The term bootkit itself was coined by Indian security researchers (Nitin Kumar & Vipin Kumar) who presented it at Blackhat Europe 2007. A bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords. Apart from preventing unauthorized physical access to machines (a particular problem for portable machines), a Trusted Platform Module, configured to protect the boot path, is the only known defense against this attack. 4.6.2.3.4 HYPERVISOR LEVEL Rootkits have been created as Type II Hypervisors in academia only as proofs of concept. By exploiting hardware features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the original operating system. Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target in order to subvert it—however that does not mean to say that it cannot be detected by the guest operating system, as timing differences may for example be detectable in CPU instructions. The "SubVirt" laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an academic example of a virtual machine based rootkit (VMBR), while Blue Pill is another. In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe that provides generic protection against kernel-mode rootkits. 4.6.2.4 HARDWARE/FIRMWARE A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware such as a network card, hard drive or the system BIOS. The rootkit hides in firmware, because it is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines and in a PCI expansion card ROM. In October 2008, criminals tampered with European credit card reading machines before they were installed. The devices intercepted and transmitted credit card details via a mobile phone network. In March 2009, researchers Alfredo Ortega and Anibal Sacco published details of a BIOS-level Windows rootkit that was able to survive disk replacement and OS re-installation. A few months later they found that some laptop BIOSes come with a legitimate preinstalled rootkit known as Computrace LoJack. This is an anti–theft technology system that, as the researchers showed can be turned to malicious purposes. 32

4.6.2.5 INSTALLATION AND CLOAKING Rootkits employ a variety of techniques to gain control of a system; the type of rootkit will also influence the attack vector that is chosen. The most common is to leverage security vulnerabilities. Another approach is to become a Trojan horse, deceiving a computer user into trusting the rootkit's installer as benign—in this case, social engineering convinces a user that the rootkit is beneficial. The installation task is made easier if the principle of least privilege is not applied, since the rootkit then does not have to explicitly request elevated (administrator-level) privileges. Other classes of rootkits can be installed only by someone with physical access to the target system. The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors. Once installed, a rootkit takes active measures to obscure its presence within the host system through subversion or evasion of standard operating system security tools and API’s used for diagnosis, scanning and monitoring. Rootkits achieve this by modifying the behavior of core parts of an operating system by loading code into other processes, the installation or modification of drivers or kernel modules. Obfuscation techniques include concealing running processes from system monitoring mechanisms and hiding system files and other configuration data. It is not uncommon for a rootkit to disable the event logging capacity of an operating system in an attempt to hide evidence of an attack. Rootkits can in theory subvert any operating system activities except CPU scheduling. The "perfect rootkit" can be thought of as similar to a "perfect crime", one that nobody realizes has taken place. In addition to installing more commonly into Ring 0 (kernel-mode) where they have complete access to a system, rootkits also take a number of measures to ensure their survival against detection and cleaning by antivirus software. These include polymorphism, stealth techniques, regeneration and disabling anti-malware software. 4.6.2.6 DETECTION The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected. In other words, rootkit detectors that work while running on infected systems are only effective against rootkits that have some defect in their camouflage, or that run with lower user-mode privileges than detection software in the kernel. As with computer viruses, the detection and elimination of rootkits is an ongoing struggle between both sides of this conflict. Detection can take a number of different approaches, including signatures (e.g. antivirus software), integrity checking (e.g. digital signatures), difference-based detection (comparison of expected vs. actual results) and behavioral detection (e.g. monitoring CPU usage or network traffic). Several products detect some rootkits. UNIX offerings include Zeppoo, chkrootkit, rkhunter and OSSEC. For Windows, free detection tools include Microsoft 33

Sysinternals Rootkit Revealer, Avast Antivirus, Sophos Anti-Rootkit, F-Secure Blacklight (the first rootkit detector), and Radix. Any rootkit detectors that prove effective ultimately contribute to their own ineffectiveness as malware authors adapt and test their code to escape detection by well-used tools. 4.6.2.7 ALTERNATIVE TRUSTED MEDIUM The best and most reliable method for operating system-level rootkit detection is to shut down the computer suspected of infection, and then to check its storage by booting from an alternative trusted medium (e.g. a rescue CD-ROM or USB flash drive). The technique is effective because a rootkit cannot actively hide its presence if it is not running. 4.6.2.7.1 BEHAVIORAL-BASED This approach attempts to infer the presence of a rootkit by looking for rootkit-like behavior. For example, by profiling a system, differences in the timing and frequency of API calls or in overall CPU utilization can be attributed to a rootkit. The method is complex and is hampered by a high incidence of false positives. Defective rootkits can sometimes introduce very obvious changes, for example the Alureon rootkit which crashed Windows systems after a security update was applied. 4.6.2.7.2 SIGNATURE-BASED Antivirus products rarely catch all viruses in public tests, even though security software vendors incorporate rootkit detection into their products. Should a rootkit attempt to hide during an antivirus scan, a stealth detector may notice; if the rootkit attempts to temporarily unload itself from the system, fingerprint (or signature) detection can still find it. This combined approach forces attackers to implement counter-attack mechanisms ("retro" routines) that attempt to terminate antivirus programs. Signature-based detection methods can be effective against well-published rootkits, but less so against specially crafted, custom root rootkits. 4.6.2.7.3 DIFFERENCE-BASED Another method that can detect rootkits compares "trusted" raw data with "tainted" content returned by an API. For example, binaries present on disk can be compared with their copies within operating memory, or the results returned from file system or Registry APIs can be checked against raw structures on the underlying physical disks—however in the case of the former, some valid differences can be introduced by operating system mechanisms, e.g., memory relocation or shimming. This was the method used by Mark Russinovich's RootkitRevealer tool to find the Sony DRM rootkit.

34

4.6.2.7.4 INTEGRITY CHECKING

sha-1 files. The Rkhunter utility uses sha hashes to verify the integrity of system files A cryptographic hash function can be used to compute a "fingerprint" or digital signature that can help to detect subsequent unauthorized changes to on on-disk code libraries. However, unsophisticated schemes check only whether the code has been modified since release by the "publisher"; subversion prior to that time is not detectable. The fingerprint must be re established each time changes are made to the re-established system. The fingerprinting process creates a message digest dependent on every bit in each file being fingerprinted. By recalculating and comparing the message digest at erprinted. regular intervals, changes in the system can be detected and monitored as long as the original baseline was not created when the malware was already present. More sophisticated rootkits are able to subvert the verification process by presenting an able unmodified copy of the file for inspection, or by making modifications in memory rather than on disk. The technique is therefore effective only against the earlist forms of rootkit that simply replace UNIX commands like "1s" in order to mask the replaced " presence of a file. Similarly, detection in firmware can be achieved by computing a cryptographic hash of firmware and comparing hash values to a whitelist of expected values, or by extending the hash value in TPM (Trusted Platform Module) configuration into ) registers, which are later compared to a whitelist of expected values. Code that performs hash, compare, and/or extend operations must also be protected. The notion of an immutable root-of-trust ensures that a rootkit (or more specifically a bootkit) trust does not compromise the system at its most fundamental level. A method of rootkit detection using a TPM is described by the Trusted Computing Group. 4.6.2.7.5 MEMORY DUMPS EMORY Forcing a kernel or complete memory dump will capture an active kernel kernel-mode or user-mode rootkit in the resulting dump file, allowing offline analysis to be performed with a debugger and without the rootkit being able to take any measures to cloak itself. This technique is highly specialized, and may require access to non non-public 35

source code or symbols. Memory dumps cannot be used to detect a hypervisor-based rootkit, which is able to intercept and subvert the lowest-level attempts to read memory. 4.6.2.8 REMOVAL Most rootkits install hooks in user-mode processes; those that operate at the lowest level of the OS (Ring 0), have system privileges, so booting into Safe Mode on a Windows machine will not usually allow removal. Given the stealth nature of rootkits, some experts believe that the only reliable way to remove them is to re-install the operating system from trusted media. A number of vendors of security software offer tools to automatically detect and remove rootkits, typically as part of an antivirus suite. As of 2005, Microsoft's monthly Malicious Software Removal Tool is able to detect and remove some rootkits. Manual removal is often too difficult for a typical computer user. Conversely, antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits. Booting an alternate operating system from trusted media can allow an infected system volume to be mounted and potentially safely cleaned, critical data to be copied off, or alternatively, a forensic examination performed. Lightweight operating systems such as Windows PE, Windows Recovery Console, Windows Recovery Environment, BartPE or Live Distros can be used for this purpose, allowing the system to be cleaned. Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit. They access raw file system structures directly and use this information to validate the results from system APIs to identify any differences that may be caused by a rootkit that has subverted the system. More often, manual repair is impractical. Even if its type and nature are known, reinstalling the operating system and applications is simpler and quicker. Re-installation time can be greatly reduced by modern drive imaging software, especially when the source image includes necessary hardware drivers and software applications. This is true even if the rootkit is well-known and can be completely removed. 4.6.2.9 PUBLIC AVAILABILITY Like much malware used by attackers, many rootkit implementations are shared and are easily available on the Internet. It is not uncommon to see a compromised system in which a sophisticated publicly available rootkit hides the presence of unsophisticated worms or attack tools that appear to have been written by inexperienced programmers. Most of the rootkits available on the Internet are constructed as an exploit or academic "proof of concept" to demonstrate varying methods of hiding things within a computer system and of taking unauthorized control. Since these are often not fully optimized for stealth, they sometimes leave unintended evidence of their presence. Even so, when such rootkits are used in an attack they are often effective. 36

4.7 SOCIAL ENGINEERING 4.7.1 INTRODUCTION Social Engineering is the art of getting persons to reveal sensitive information about a system. This is usually done by impersonating someone or by convincing people to believe you have permissions to obtain such information. 4.7.2 EXPLANATION Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

4.7.2.1 SOCIAL ENGINEERING TECHNIQUES AND TERMS All social engineering techniques are based on specific attributes of human decisionmaking known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here: 4.7.2.1.1 PRETEXTING Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie, as it most often involves some prior research or setup and the use of priori information for impersonation (e.g., date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target. This technique can be used to trick a business into disclosing customer information as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc. Pretexting has been an observed law enforcement technique, under the auspices of which, a law officer may leverage the threat of an alleged infraction to detain a suspect for questioning and conduct close inspection of a vehicle or premises.

37

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet. 4.7.2.1.2 DIVERSION THEFT Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London. In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner". With a load/consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, in the pretense that it is "going straight out" or "urgently required somewhere else". The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load. Another variation of diversion theft is stationing a security van outside a bank on a Friday evening. Smartly dressed guards use the line "Night safe's out of order Sir". By this method shopkeepers etc. are gulled into depositing their takings into the van. They do of course obtain a receipt but later this turns out to be worthless. A similar technique was used many years ago to steal a Steinway grand piano from a radio studio in London "Come to overhaul the piano guv" was the chat line. Nowadays ID would probably be asked for but even that can be faked. The social engineering skills of these thieves are well rehearsed, and are extremely effective. Most companies do not prepare their staff for this type of deception. 4.7.2.1.3 PHISHING Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN. For example, 2003 saw the proliferation of a phishing scam in which users received emails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam 38

counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond. 4.7.2.1.4 IVR OR PHONE PHISHING This technique uses a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning. One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense. Phone phishing is also called vishing. 4.7.2.1.5 BAITING Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device. For example, an attacker might create a disk featuring a corporate logo, readily available from the target's web site, and write "Executive Salary Summary Q2 2010" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it in to the company. In either case as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps, the targeted company's internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.

39

4.7.2.1.6 QUID PRO QUO Quid pro quo means something for something:

An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware. In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.

4.7.2.2. OTHER TYPES Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud. A very recent type of social engineering techniques include spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo!, GMail, HotMail, etc. Among the many motivations for deception are:
• •

• •

Phishing credit-card account numbers and their passwords. Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals. Hacking websites of companies or organizations and destroying their reputation. Computer virus hoaxes.

4.7.2.3 NOTABLE SOCIAL ENGINEERS 4.7.2.3.1 KEVIN MITNICK Reformed computer criminal and later security consultant Kevin Mitnick popularized the term "social engineering", pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system. He claims it was the single most effective method in his arsenal. 4.7.2.3.2 THE BADIR BROTHERS Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth— managed to set up an extensive phone and computer fraud scheme in the village of Kafr Kassem outside Tel Aviv, Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers. 40

4.7.2.4 UNITED STATES LAW The examples and perspective in this article deal primarily with USA and do not represent a worldwide view of the subject. In common law, pretexting is an invasion of privacy tort of appropriation. , 4.7.2.4.1 PRETEXTING OF TELEPHONE RECORDS In December 2006, United States Congress approved a Senate sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on January 12, 2007. 4.7.2.4.2 FEDERAL LEGISLATION EDERAL The 1999 “GLBA” is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster investigator, conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practic US practices. Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect." g The statute states that when someone obtains any personal, non public information non-public from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of his or her bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses. While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.

41

4.7.2.4.3 1st SOURCE INFORMATION SPECIALISTS U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 January and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker - First Data Solutions, Inc. Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists on January 13. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers. 4.7.2.4.4 HEWLETT PACKARD Patricia Dunn, former chairman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members. Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought on Dunn were dismissed. 4.7.2.5 IN POPULAR CULTURE

In the film Hackers, the protagonist used pretexting when he asked a security guard for the telephone number to a TV station's modem while posing as an important executive. In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential information is one of the methods used by the killer, Phate, to get close to his victims. In the movie Live Free or Die Hard, Justin Long is seen pretexting that his father is dying from a heart attack to have a BMW Assist representative start what will become a stolen car. In the movie Sneakers, one of the characters poses as a low level security guard's superior in order to convince him that a security breach is just a false alarm. In the movie The Thomas Crown Affair, one of the characters poses over the telephone as a museum guard's superior in order to move the guard away from his post. 42

In the James Bond movie Diamonds are Forever, Bond is seen gaining entry to the Whyte laboratory with a then-state-of-the-art card-access lock system by "tailgating". He merely waits for an employee to come to open the door, then posing himself as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee.

43

4.8 TROJAN HORSE 4.8.1 INTRODUCTION A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A Trojan horse can be used to set up a back door in a computer system such that the intruder can gain access later. (The name refers to the horse from the Trojan War, with conceptually similar function of deceiving defenders into bringing an intruder inside.) 4.8.2 EXPLANATION A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user's computer system. "It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems", as Cisco describes. The term is derived from the Trojan Horse story in Greek mythology.

4.8.2.1 PURPOSE AND OPERATION 4.8.2.1.1 ADWARE A horse may modify the user's computer to display advertisements in undesirable places, such as the desktop or in uncontrollable pop-ups, or it may be less notorious, such as installing a toolbar on to the user's Web browser without prior notice. This can create the author of the Trojan revenue, despite it being against the Terms of Service of most major Internet advertising networks, such as Google AdSense. 4.8.2.1.2 SECURITY Trojan horses may allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, a hacker may have access to the computer remotely and perform various operations, limited by user privileges on the target computer system and the design of the Trojan horse. Operations that could be performed by a hacker on a target computer system include:
• • • • • • • •

Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks) Data theft (e.g. retrieving passwords or credit card information) Installation of software, including third-party malware Downloading or Uploading of files on the user's computer Modification or deletion of files Keystroke logging Watching the users screen Crashing the Computer 44

Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. It is possible for individual hackers to scan computers on a network using a port scanner in the hope of finding one with a malicious Trojan horse installed, which the hacker can then use to control the target computer. 4.8.2.2 INSTALLATION AND DISTRIBUTION Trojan horses can be installed through the following methods:
• • • • •

Software downloads Bundling (e.g. a Trojan horse included as part of a software application downloaded from a file sharing network) Email attachments Websites containing executable content (e.g., a Trojan horse in the form of an ActiveX control) Application exploits (e.g., flaws in a Web browser, media player, instantmessaging client, or other software that can be exploited to allow installation of a Trojan horse)

Some users, particularly those in the Warez scene, may create and distribute software with or without knowing that a Trojan has been embedded inside. Compilers and higher-level software makers can be written to attach malicious software when the author compiles his code to executable form. 4.8.2.2.1 SELF-REPLICATION A Trojan horse may itself be a computer virus, either by asking other users on a network, such as an instant-messaging network, to install the said software, or by spreading itself through the use of application exploits. 4.8.2.3 REMOVAL Antivirus software is designed to detect and delete Trojan horses and prevent them from ever being installed. Although it is possible to remove a Trojan horse manually, it requires a full understanding of how that particular Trojan horse operates. In addition, if a Trojan horse has possibly been used by a hacker to access a computer system, it will be difficult to know what damage has been done and what other problems have been introduced. In situations where the security of the computer system is critical, it is advisable to simply erase all data from the hard disk and reinstall the operating system and required software. 4.8.2.4 CURRENT USE Due to the popularity of botnets among hackers and the availability of advertising services that permit authors to violate their users' privacy, Trojan horses are becoming more common. According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83-percent of the global malware detected in the world".

45

4.9 VIRUS 4.9.1 INTRODUCTION A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Therefore, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. While some are harmless or mere hoaxes most computer viruses are considered malicious. 4.9.2 EXPLANATION A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer. As stated above, the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

4.9.2.1 HISTORY 4.9.2.1.1 ACADEMIC WORK The first academic work on the theory of computer viruses (although the term "computer virus" was not invented at that time) was done by John von Neumann in 1949 who held lectures at the University of Illinois about the "Theory and Organization of Complicated Automata". The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann postulated that a computer program could reproduce. 46

In 1972 Veith Risak published his article "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (Self-reproducing automata with minimal information exchange). The article describes a fully functional virus written in assembler language for a SIEMENS 4004/35 computer system. In 1980 Jürgen Kraus wrote his diplom thesis "Selbstreproduktion bei Programmen" (Self-reproduction of programs) at the University of Dortmund. In his work Kraus postulated that computer programs can behave in a way similar to biological viruses. In 1984 Fred Cohen from the University of Southern California wrote his paper "Computer Viruses - Theory and Experiments". It was the first paper to explicitly call a self-reproducing program a "virus"; a term introduced by his mentor Leonard Adleman. An article that describes "useful virus functionalities" was published by J.B. Gunn under the title "Use of virus functions to provide a virtual APL interpreter under user control" in 1984. 4.9.2.1.2 SCIENCE FICTION The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that is answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers. The actual term 'virus' was first used in David Gerrold's 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off. 4.9.2.1.3 VIRUS PROGRAMS The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s. Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system. Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper. A program called "Elk Cloner" was the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created. Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk. This virus, created as a practical joke when Skrenta was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning "Elk Cloner: The program with a personality." 47

The first PC virus in the wild was a boot sector virus dubbed ©Brain, created in 1986 by the Farooq Alvi Brothers in Lahore, Pakistan, reportedly to deter piracy of the software they had written. Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years. Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's. Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected email, those viruses which did take advantage of the Microsoft Outlook COM interface. Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents". A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating. Viruses that spread using cross-site scripting were first reported in 2002, and were academically demonstrated in 2005. There have been multiple instances of the crosssite scripting viruses in the wild, exploiting websites such as MySpace and Yahoo. 4.9.2.2. INFECTION STARATEGIES In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer 48

control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself. 4.9.2.2.1 NONRESIDENT VIRUSES Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. 4.9.2.2.2 RESIDENT VIRUSES Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer. Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a systemwide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful. 4.9.2.3 VECTORS AND HOSTS Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:

• •

Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OSX, and ELF files in Linux) Volume Boot Records of floppy disks and hard disk partitions The master boot record (MBR) of a hard disk 49

• • •

• •

General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on UNIX-like platforms). Application-specific script files (such as Telix-scripts) System specific autorun script files (such as Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices). Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files) Cross-site scripting vulnerabilities in web applications (see XSS Worm) Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.

PDFs, like HTML, may link to malicious code. PDFs can also be infected with malicious code. In operating systems that use file extensions to determine program associations (such as Microsoft Windows); the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe, yet when opened runs the executable on the client machine. An additional method is to generate the virus code from parts of existing operating system files by using the CRC16/CRC32 data. The initial code can be quite small (tens of bytes) and unpack a fairly large virus. This is analogous to a biological "prion" in the way it works but is vulnerable to signature based detection. This attack has not yet been seen "in the wild". 4.9.2.4 METHODS TO AVOID DETECTION In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software; however, especially those which maintain and date Cyclic redundancy checks on file changes. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

50

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access. 4.9.2.4.1 AVOIDING BAIT FILES AND OTHER UNDESIRABLE HOSTS A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus. Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus. Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'. A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week. 4.9.2.4.2 STEALTH Some viruses try to trick antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it seems that the file is "clean". Modern antivirus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

51

4.9.2.4.3 SELF MODIFICATION Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic bytepattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus. 4.9.2.4.4 ENCRYPTION WITH A VARIABLE KEY A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious. An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious for a code to modify itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions. 4.9.2.4.5 POLYMORPHIC CODE Polymorphic Code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate. Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. 52

This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection. 4.9.2.4.6 METAMORPHIC CODE To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly Language code, 90% of which is part of the metamorphic engine. 4.9.2.5 VULNERABILITY AND COUNTERMEASURES 4.9.2.5.1 THE VULNERABILITY OF OPERATING SYSTEMS TO VIRUSES Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses. This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated and non-integrated Microsoft applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable. Although Windows is by far the most popular target operating system for virus writers, viruses also exist on other platforms. Any operating system that allows thirdparty programs to run can theoretically run viruses. Some operating systems are more secure than others. Unix-based operating systems (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their own protected memory space. An Internet based experiment revealed that there were cases when people willingly pressed a particular button to download a virus. Security analyst Didier Stevens ran a half year advertising campaign on Google AdWords which said "Is your PC virusfree? Get it infected here!” The result was 409 clicks. As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system and kernel). The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. Many Mac OS Classic viruses targeted the HyperCard authoring environment. The difference in virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get Mac advertising. In January 2009, Symantec announced the discovery of a trojan that targets Macs. This discovery did not gain much coverage until April 2009. 53

While Linux, and UNIX in general, has always natively blocked normal users from having access to make changes to the operating system environment, Windows users are generally not. This difference has continued partly due to the widespread use of administrator accounts in contemporary versions like XP. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that UNIX-like systems could fall prey to viruses just like Windows. The Bliss virus may be considered characteristic of viruses – as opposed to worms – on UNIX systems. Bliss requires that the user run it explicitly and it can only infect programs that the user has the access to modify. Unlike Windows users, most UNIX users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked. 4.9.2.5.2 THE ROLE OF SOFTWARE DEVELOPMENT Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits. 4.9.2.5.3 ANTI-VIRUS SOFTWARE AND OTHER PREVENTIVE MEASURES Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect novel viruses that anti-virus security firms have yet to create a signature for. Some anti-virus programs are able to scan opened files in addition to sent and received e-mails "on the fly" in a similar manner. This practice is known as "onaccess scanning". Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to recognize the latest threats. One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent). If a backup session on optical media like CD and DVD is closed, it becomes readonly and can no longer be affected by a virus (so long as a virus or infected file was 54

not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration. The Gammima virus, for example, propagates via removable flash drives. 4.9.2.5.4 RECOVERY METHODS Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on severity of the type of virus. 4.9.2.5.5 VIRUS REMOVAL One possibility on Windows ME, Windows XP, Windows Vista and Windows 7 is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points. Some viruses, however, disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. However, many such viruses can be removed by rebooting the computer, entering Windows safe mode, and then using system tools. Administrators have the option to disable such tools from limited users for various reasons (for example, to reduce potential damage from and the spread of viruses). A virus can modify the registry to do the same even if the Administrator is controlling the computer; it blocks all users including the administrator from accessing the tools. The message "Task Manager has been disabled by your administrator" may be displayed, even to the administrator. Users running a Microsoft operating system can access Microsoft's website to run a free scan, provided they have their 20-digit registration number. Many websites run by anti-virus software companies provide free online virus scanning, with limited cleaning facilities (the purpose of the sites is to sell anti-virus products). Some websites allow a single suspicious file to be checked by many antivirus programs in one operation. 4.9.2.5.6 OPERATING SYSTEM REINSTALLATION Reinstalling the operating system is another approach to virus removal. It involves either reformatting the computer's hard drive and installing the OS and all programs from original media, or restoring the entire partition with a clean backup image. User data can be restored by booting from a Live CD, or putting the hard drive into another computer and booting from its operating system with great care not to infect the second computer by executing any infected programs on the original drive; and once the system has been restored precautions must be taken to avoid reinfection from a restored executable file.

55

These methods are simple to do, may be faster than disinfecting a computer, and are guaranteed to remove any malware. If the operating system and programs must be reinstalled from scratch, the time and effort to reinstall, reconfigure, and restore user preferences must be taken into account. Restoring from an image is much faster, totally safe, and restores the exact configuration to the state it was in when the image was made, with no further trouble.

56

4.10 WORM 4.10.1 INTRODUCTION Like a virus, a worm is also a self-replicating program. A worm differs from a virus in that it propagates through computer networks without user intervention. Unlike a virus, it does not need to attach itself to an existing program. Many people conflate the terms "virus" and "worm", using them both to describe any self-propagating program. 4.10.2 EXPLANATION A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

4.10.2.1 PAYLOADS Many worms that have been created are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A "payload" is code designed to do more than spread the worm–it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding for the creation of such worms, and the worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks. Backdoors can be exploited by other malware, including worms. Examples include Doomjuice, which spreads better using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit and backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005. 4.10.2.2 WORMS WITH GOOD INTENT Beginning with the very first research into worms at Xerox PARC, there have been attempts to create useful worms. The Nachi family of worms, for example, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system–by exploiting those same vulnerabilities. In practice, although this may 57

have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and did its work without the consent of the computer's owner or user. Some worms, such as XSS worms, have been written for research to determine the factors of how worms spread, such as social activity and change in user behavior, while other worms are little more than a prank, such as one that sends the popular image micro of an owl with the phrase "O RLY?" to a print queue in the infected computer. Another research proposed what seems to be the first computer worm that operates on the second layer of the OSI model (Data link Layer), it utilizes topology information such as Content-addressable memory (CAM) tables and Spanning Tree information stored in switches to propagate and probe for vulnerable nodes until the enterprise network is covered. Most security experts regard all worms as malware, whatever their payload or their writers' intentions. 4.10.2.3 PROTECTING AGAINST DANGEROUS COMPUTER WORMS Worms spread by exploiting vulnerabilities in operating systems. Vendors with security problems supply regular security updates (see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If vulnerability is disclosed before the security patch released by the vendor, a Zero-day attack is possible. Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as with the ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks, it remains possible to trick the end-user into running a malicious code. Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommended. In the April-June, 2008, issue of IEEE Transactions on Dependable and Secure Computing, computer scientists describe a potential new way to combat internet worms. The researchers discovered how to contain the kind of worm that scans the Internet randomly, looking for vulnerable hosts to infect. They found that the key is for software to monitor the number of scans that a machine on a network sends out. When a machine starts sending out too many scans, it is a sign that it has been infected, allowing administrators to take it off line and check it for viruses. 4.10.2.4 MITIGATION TECHNIQUES
• • • •

TCPWrapper/libwrap enabled network service daemons ACLs in routers and switches Packet-filters Nullrouting

58

4.10.2.5 HISTORY The actual term "worm"' was first used in John Brunner's 1975 novel, The Shockwave Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in an act of revenge against the powerful men who run a national electronic information web that induces mass conformity. "You have the biggest-ever worm loose in the net, and it automatically sabotages any attempt to monitor it... There's never been a worm with that tough a head or that long a tail!" On November 2, 1988, Robert Tappan Morris, a Cornell University computer science graduate student, unleashed what became known as the Morris worm, disrupting perhaps 10% of the computers then on the Internet and prompting the formation of the CERT Coordination centre and Phage mailing list. Morris himself became the first person tried and convicted under the 1986 Computer Fraud and Abuse Act.

59

4.11 KEY LOGGERS 4.11.1 INTRODUCTION A keylogger is a tool designed to record ('log') every keystroke on an affected machine for later retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential information typed on the affected machine, such as a user's password or other private data. Some key loggers uses virus trojan-, and rootkit ssword virus-, , rootkit-like methods to remain active and hidden. However, some key loggers are used in legitimate ways and sometimes to even enhance computer security. As an example, a business might have a key logger on a computer that was used as at a Point of Sale t and data collected by the key logger could be use for catching employee fraud. 4.11.2 EXPLANATION

) Keystroke logging (often called keylogging) is the action of tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. There are numerous keylogging methods, ranging from hardware and software based approaches to software-based electromagnetic and acoustic analysis.

4.11.2.1 APPLICATION 4.11.2.1.1 SOFTWARE-BASED KEYLOGGERS BASED

based A logfile from a software-based keylogger.

A screen capture from a software software-based keylogger. These are software programs designed to work on the target computer’s operating system. From a technical perspective there are five categories: 60

Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual example. Kernel based: This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the operating system. API-based: These keyloggers hook keyboard APIs; the operating system then notifies the keylogger each time a key is pressed and the keylogger simply records it. APIs such as GetAsyncKeyState (), GetForegroundWindow (), etc. are used to poll the state of the keyboard or to subscribe to keyboard events. These types of keyloggers are the easiest to write, but where constant polling of each key is required, they can cause a noticeable increase in CPU usage, and can also miss the occasional key. A more recent example simply polls the BIOS for preboot authentication PINs that have not been cleared from memory. Form Grabber based: Form Grabber-based keyloggers log web form submissions by recording the web browsing onSubmit event functions. This records form data before it is passed over the internet and bypasses https encryption. Packet-analyzers: This involves capturing network traffic associated with HTTP POST events to retrieve unencrypted passwords.

4.11.2.1.1.1 REMOTE ACCESS SOFTWARE KEYLOGGERS These are local software keyloggers programmed with an added feature to transmit recorded data from the target computer to a monitor at a remote location. Remote communication is facilitated by one of four methods:
• • • •

Data is uploaded to a website, database or an FTP account. Data is periodically emailed to a pre-defined email address. Data is wirelessly transmitted by means of an attached hardware system. The software enables a remote login to the local machine via the internet or ethernet, for data logs stored on the target machine to be accessed.

4.11.2.1.1.2 RELATED FEATURES Software Keyloggers may be augmented with features that capture user information without relying on keyboard key presses as the sole input. Some of these features include:
• •

Clipboard logging. Anything that has been copied to the clipboard can be captured by the program. Screen logging. Screenshots are taken in order to capture graphics-based information. Applications with screen logging abilities may take screenshots of the whole screen, just one application or even just around the mouse cursor. 61

• •

They may take these screenshots periodically or in response to user behaviors response (for example, when a user has clicked the mouse). A practical application used by some keyloggers with this screen logging ability is to take small screenshots around where a mouse has just clicked; these defeat web web-based keyboards (for example, the web based screen keyboards that are often used web-based by banks) and any web web-based on-screen keyboard without screenshot screen protection. Programmatically capturing the text in a control. The Microsoft Windows API allows programs to request the text 'value' in some controls. This means that some passwords may be captured, even if they are hidden behind password masks (usually asterisks). The recording of every program/folder/window opened including a screenshot of each and every website visited, also including a screenshot of each. The recording of search engines queries, Instant Messenger Conversations, FTP Downloads and other internet based activities (including the bandwidth used). In some advanced software keyloggers, sound can be recorded from a user's microphone and video from a user's webcam.

4.11.2.1.2 HARDWARE-BASED KEYLOGGERS

based A hardware-based keylogger.

based A connected hardware-based keylogger. Hardware-based keyloggers do not depend upon any software being installed as they based exist at a hardware level in a computer system.

Firmware-based: BIOS BIOS-level firmware that handles keyboard events can be modified to record these events as they are processed. Physical and/or rootlevel access is required to the machine, and the software loaded into t BIOS the needs to be created for the specific hardware that it will be running on. Keyboard hardware: Hardware keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the 62

computer keyboard and the computer, typically inline with the keyboard's cable connector. More stealthy implementations can be installed or built into standard keyboards, so that no device is visible on the external cable. Both types log all keyboard activity to their internal memory, which can be subsequently accessed, for example, by typing in a secret key sequence. A hardware keylogger has an advantage over a software solution: it is not dependent on being installed on the target computer's operating system and therefore will not interfere with any program running on the target machine or be detected by any software. However its physical presence may be detected if, for example, it is installed outside the case as an inline device between the computer and the keyboard. Some of these implementations have the ability to be controlled and monitored remotely by means of a wireless communication standard. 4.11.2.1.2.1 WIRELESS KEYBOARD SNIFFERS These passive sniffers collect packets of data being transferred from a wireless keyboard and its receiver. As encryption may be used to secure the wireless communications between the two devices, this may need to be cracked beforehand if the transmissions are to be read. 4.11.2.1.2.2 KEYBOARD OVERLAYS Criminals have been known to use keyboard overlays on ATMs to capture people's PINs. Each keypress is registered by the keyboard of the ATM as well as the criminal's keypad that is placed over it. The device is designed to look like an integrated part of the machine so that bank customers are unaware of its presence. 4.11.2.1.2.3 ACOUSTIC KEYLOGGERS Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a computer. Each character on the keyboard makes a subtly different acoustic signature when stroked. It is then possible to identify which keystroke signature relates to which keyboard character via statistical methods such as frequency analysis. The repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing are used in this analysis to map sounds to letters. A fairly long recording (1000 or more keystrokes) is required so that a big enough sample is collected. 4.11.2.1.2.4 ELECTROMAGNETIC EMISSIONS It is possible to capture the electromagnetic emissions of a wired keyboard from up to 20 metres (66 ft) away, without being physically wired to it. In 2009, Swiss researches tested 11 different USB, PS/2 and laptop keyboards in a semi-Anechoic chamber and found them all vulnerable, primarily because of the prohibitive cost of adding shielding during manufacture. The researchers used a wide-band receiver to tune into the specific frequency of the emissions radiated from the keyboards.

63

4.11.2.1.3 OTHER 4.11.2.1.3.1 OPTICAL SURVEILLANCE Optical surveillance, while not a keylogger in the classical sense, is nonetheless an approach that can be used to capture passwords or PINs. A strategically placed camera, such as a hidden surveillance camera at an ATM, can allow a criminal to watch a PIN or password being entered. 4.11.2.2 HISTORY An early keylogger was written by Perry Kivolowitz and posted to the Usenet news group net.unix-wizards,net.sources on November 17, 1983. The posting seems to be a motivating factor in restricting access to /dev/kmem on UNIX systems. The Usermode program operated by locating and dumping character lists (clists) as they were assembled in the UNIX kernel. 4.11.2.3 CRACKING Writing simple software applications for keylogging can be trivial, and like any nefarious computer program, can be distributed as a trojan horse or as part of a virus. What is not trivial for an attacker, however, is installing a covert keystroke logger without getting caught and downloading data that has been logged without being traced. An attacker that manually connects to a host machine to download logged keystrokes risks being traced. A Trojan that sends keylogged data to a fixed e-mail address or IP address risks exposing the attacker. 4.11.2.3.1 TROJAN Young and Yung devised several methods for solving this problem and presented them in their 1997 IEEE Security & Privacy paper (their paper from '96 touches on it as well). They presented a deniable password snatching attack in which the keystroke logging trojan is installed using a virus or worm. An attacker that is caught with the virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the pilfered login/password pairs using the public key of the trojan author and covertly broadcasts the resulting ciphertext. They mentioned that the ciphertext can be steganographically encoded and posted to a public bulletin board such as Usenet. 4.11.2.3.2 CIPHERTEXT Young and Yung also mentioned having the cryptotrojan unconditionally write the asymmetric ciphertexts to the last few unused sectors of every writable disk that is inserted into the machine. The sectors remain marked as unused. This can be done using a USB token. So, the Trojan author may be one of dozens or even thousands of people that are given the stolen information. Only the Trojan author can decrypt the ciphertext because only the author knows the needed private decryption key. This attack is from the field known as crptovirology.

64

4.11.2.3.2.1 USE BY LAW ENFORCEMENT In 2000, the FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo Scarfo, Jr., son of mob boss Nicodemo Scarfo. Also in 2000, the FBI lured two suspected Russian cyber criminals to the US in an elaborate ruse, and captured their usernames and passwords with a keylogger that was covertly installed on a machine that they used to access their computers in Russia. The FBI then used these credentials to hack into the suspects' computers in Russia in order to obtain evidence to prosecute them. 4.11.2.4 COUNTERMEASURES The effectiveness of countermeasures varies, because keyloggers use a variety of techniques to capture data and the countermeasure needs to be effective against the particular data capture technique. For example, an on-screen keyboard will be effective against hardware keyloggers, transparency will defeat some screenloggers but not all - and an anti-spyware application that can only disable hook-based keyloggers will be ineffective against kernel-based keyloggers. Also, keylogger software authors may be able to update the code to adapt to countermeasures that may have proven to be effective against them. 4.11.2.4.1 LIVE CD/USB Rebooting the computer using a Live CD or Live USB is a possible countermeasure against software keyloggers if the CD is clean of malware and the operating system contained on it is secured and fully patched so that it cannot be infected as soon as it is started. Booting a different operating system does not impact the use of a hardware keylogger. 4.11.2.4.2 ANTI-SPYWARE Many anti-spyware applications are able to detect software keyloggers and quarantine, disable or cleanse them. These applications are able to detect softwarebased keyloggers based on patterns in executable code, heuristics and keylogger behaviors (such as the use of hooks and certain APIs). No software-based anti-spyware application can be 100% effective against all keyloggers. Also, software-based anti-spyware cannot defeat non-software keyloggers (for example, hardware keyloggers attached to keyboards will always receive keystrokes before any software-based anti-spyware application). However, the particular technique that the anti-spyware application uses will influence its potential effectiveness against software keyloggers. As a general rule, anti-spyware applications with higher privileges will defeat keyloggers with lower privileges. For example, a hook-based anti-spyware application cannot defeat a kernel-based keylogger (as the keylogger will receive the keystroke messages before the anti-spyware application), but it could potentially defeat hook- and API-based keyloggers.

65

4.11.2.4.3 NETWORK MONITORS Network monitors (also known as reverse-firewalls) can be used to alert the user whenever an application attempts to make a network connection. This gives the user the chance to prevent the keylogger from "phoning home" with his or her typed information. 4.11.2.4.4 AUTOMATIC FORM FILLER PROGRAMS Automatic form-filling programs may prevent keylogging by removing the requirement for a user to type personal details and passwords using the keyboard. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. However someone with physical access to the machine may still be able to install software that is able to intercept this information elsewhere in the operating system or while in transit on the network. (Transport Layer Security prevents the interception of data in transit by network sniffers and proxy tools.) 4.11.2.4.5 ONE-TIME PASSWORDS (OTP) Using one-time passwords may be keylogger-safe, as each password is invalidated as soon as it's used. This solution may be useful for someone using a public computer; however an attacker who has remote control over such a computer can simply wait for the victim to enter his/her credentials before performing unauthorized transactions on their behalf while their session is active. One-time passwords also prevent replay attacks where an attacker uses the old information to impersonate. One example is online banking where one-time passwords are implemented to protect accounts from keylogging attacks as well as replay attacks. KYPS is a service that gives OTP access to websites that normally do not offer OTP access. 4.11.2.4.6 SECURITY TOKENS Use of smart cards or other security tokens may improve security against replay attacks in the face of a successful keylogging attack, as accessing protected information would require both the (hardware) security token as well as the appropriate password/passphrase. Knowing the keystrokes, mouse actions, display, clipboard etc used on one computer will not subsequently help an attacker gain access to the protected resource. Some security tokens work as a type of hardware assisted one time password system, and others implement a cryptographic challenge-response authentication, which can improve security in a manner conceptually similar to one time passwords. Smartcard readers and their associated keypads for PIN entry may be vulnerable to keystroke logging through a so called supply chain attack where an attacker substitutes the card reader/PIN entry hardware for one which records the user's PIN.

66

4.11.2.4.7 ON-SCREEN KEYBOARDS Most on screen keyboards (such as the onscreen keyboard that comes with Microsoft Windows XP) send normal keyboard event messages to the external target program to type text. Every software keylogger can log these typed characters sent from one program to another. Additionally, keylogging software can take screenshots of what is displayed on the screen (periodically, and/or upon each mouse click). 4.11.2.4.8 KEYSTROKE INTERFERENCE SOFTWARE Keystroke Interference software is also available. These programs attempt to trick keyloggers by introducing random keystrokes, although this simply results in the keylogger recording more information than it needs to. An attacker has the task of extracting the keystrokes of interest—the security of this mechanism, specifically how well it stands up to cryptanalysis, is unclear. 4.11.2.4.9 SPEECH RECOGNITION Similar to on-screen keyboards, speech-to-text conversion software can also be used against keyloggers, since there are no typing or mouse movements involved. The weakest point of using voice-recognition software may be how the software sends the recognized text to target software after the recognition took place. 4.11.2.4.10 HANDWRITING RECOGNITION AND MOUSE GESTURES Also, many PDAs and lately Tablet PCs can already convert pen (also called stylus) movements on their touchscreens to computer understandable text successfully. Mouse gestures utilize this principle by using mouse movements instead of a stylus. Mouse gesture programs convert these strokes to user-definable actions, such as typing text. Similarly, graphic tablets and light pens can be used to input these gestures; however these are less common everyday. The same potential weakness of speech recognition applies to this technique as well. 4.11.2.4.11 MACRO EXPANDERS/RECORDERS With the help of many Freeware/Shareware programs, a seemingly meaningless text can be expanded to a meaningful text and most of the time context-sensitively, e.g. "we" can be expanded "en.Wikipedia.org" when a browser window has the focus. The biggest weakness of this technique is that these programs send their keystrokes directly to the target program. However, this can be overcome by using the ‘alternating’ technique described below, i.e. sending mouse clicks to non-responsive areas of the target program, sending meaningless keys, sending another mouse click to target area (e.g. password field) and switching back and forth.

67

4.11.2.4.12 NON-TECHNOLOGICAL METHODS Alternating between typing the login credentials and typing characters somewhere else in the focus window can cause a keylogger to record more information than they need to, although this could easily be filtered out by an attacker. Similarly, a user can move their cursor using the mouse during typing, causing the logged keystrokes to be in the wrong order e.g. by typing a password beginning with the last letter and then using the mouse to move the cursor for each subsequent letter. Lastly, someone can also use context menus to remove, copy, cut and paste parts of the typed text without using the keyboard. An attacker who is able to capture only parts of a password will have a smaller key space to attack if he chose to execute a brute force attack. Another very similar technique utilizes the fact that any selected text portion is replaced by the next key typed. E.g. if the password is "secret", one could type "s", then some dummy keys "asdfsd". Then these dummies could be selected with mouse, and next character from the password "e" is typed, which replaces the dummies "asdfsd". These techniques assume incorrectly that keystroke logging software cannot directly monitor the clipboard, the selected text in a form, or take a screenshot everytime a keystroke or mouse click occurs. They may however be effective against some hardware keyloggers.

68

CHAPTER 5 HOW TO SECURE INFORMATION?

5.1 SECURING YOUR WIRELESS NETWORK
These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your home or office WLAN.

What can I do?
Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network: 1) Secure your wireless router or access point administration interface Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings which will wipe away any configuration changes you've made. 2) Don't broadcast your SSID

Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set Identifier). This makes setting up wireless clients extremely convenient since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbours and passers-by (though it will still be detectible by WLAN "sniffers"). 3) Enable WPA encryption instead of WEP

802.11's WEP (Wired Equivalency Privacy) encryption has well-known weaknesses 69

that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support is built into Windows XP (with the latest Service Pack) and virtually all modern wireless hardware and operating systems. A more recent version, WPA2, is found in newer hardware and provides even stronger encryption, but you'll probably need to download an XP patch in order to use it. 4) Remember that WEP is better than nothing

If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices like media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because in spite of its flaws, using WEP is still far superior to having no encryption at all. If you do use WEP, don't use an encryption key that's easy to guess like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often-- preferably every week. 5) Use MAC filtering for access control

Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-character MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be "spoofed" (imitated) by a knowledgeable person, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump. 6) Reduce your WLAN transmitter power

You won't find this feature on all wireless routers and access points, but some allow you lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial-and-error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN. 7) Disable remote administration Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.) 70

5.2 SOME OTHER COMMON METHODS

Always make backups of your files and folders and store them in a separate place than your computer. Make sure you have a good firewall. This will prevent worms, Trojan viruses and spy ware from infecting your system. Some applications require that you disable your firewall, so use good judgement. Review your browser and email setting for security. Make sure to constantly erase your "cookies" folder. Cookies pose almost no threat for damaging computers however; they do track your daily actions online. Set your "internet zone" for high and your "trusted sites" for medium low security. Watch out for Active-X and JavaScript files as hackers can plant viruses and other harmful elements in your programs.

Norton is the way to go! Install some kind of antivirus software and make sure to set it for automatic updates. New viruses are found everyday, so make sure you update regularly.

Don't open attachments! Don't open unknown email attachments, many of these contain viruses and allow hackers to get into your system. Only run and download programs from places you trust. Never send these files to friends and co-workers due to the high virus risks. Turn off your computer and disconnect from the internet. Hackers can't get into your system if your computer is off.

71

CHAPTER 6 CONCLUSION There is no such thing as 100 percent security, IT environment keep changing, new security risks can occur at any time. The amount of effort applied to implementing a safe and secure working environment should be based on how much of an impact a security problem could cause to the business. However, implementing good security does not necessarily mean investing large amount of time and expense. For example raising awareness, recognizing the risks that can occur and taking sensible precautions can be achieved with little effort. Amount of protection required depends on how likely a security risk may occur and how big an impact it would have if it occurs. Protection is achieved through a combination of technical and non technical safeguards. For large enterprises protection will be a major task with a layered series of safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls. In the ever-changing technological environment, security that is state of the art today may be obsolete tomorrow. Therefore security protection must keep pace with these changes. “Information security provides the management processes, technology and assurance to allow business management to ensure business transactions can be trusted; ensure IT services are usable and can resist and recover from failures due to error, attacks or disaster; and ensure critical confidential information is withheld from those who should not have access to it”.

72

Sign up to vote on this title
UsefulNot useful