
Computer Network Security Chapter 1: Introduction and Security Threats

Chapter 1: Introduction and Security Threats

1. Computer, Data, Information, Network Security

Computer Security is the application of hardware, firmware and software security features to a computer system in order to protect against, or prevent, the unauthorized disclosure, manipulation, or deletion of information.
It means:
• To prevent theft of or damage to the hardware.
• To prevent theft of or damage to the information.
• To prevent disruption of service.

Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. Thus data security helps to ensure privacy. It also helps in protecting personal data. Data Security Technologies are:
• Disk Encryption
• Hardware based Mechanisms for Protecting Data
• Backups
• Data Masking
• Data Erasure

Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

"Network security" refers to any activity designed to protect the usability and
integrity of your
network and data. It includes both hardware and software technologies. Effective
network security
manages access to the network. It targets a variety of threats and stops them from
entering or
spreading on your network.

The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

2. Threats to Security

2.1 Viruses: A computer virus is a piece of software that can “infect” other programs by modifying them.
• The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs.
• A computer virus carries in its instructional code the recipe for making perfect copies of itself.
• The typical virus becomes embedded in a program on a computer.
• Then, whenever the infected computer comes into contact with an uninfected piece of software, a fresh copy of the virus passes into the new program.

A computer virus has three parts:

Infection mechanism:
• The means by which a virus spreads, enabling it to replicate.
• The mechanism is also referred to as the infection vector.

Trigger:
• The event or condition that determines when the payload is activated or delivered.

Payload:
• What the virus does, besides spreading.
• The payload may involve damage or may involve benign but noticeable activity.

During its lifetime, a typical virus goes through the following four phases:
Dormant phase:
• The virus is idle.
• The virus will eventually be activated by some event, such as a date, the
presence of another
program or file, or the capacity of the disk exceeding some limit.
• Not all viruses have this stage.

Propagation phase:
• The virus places an identical copy of itself into other programs or into
certain system areas
on the disk.
• Each infected program will now contain a clone of the virus, which will
itself enter a
propagation phase.

Triggering phase:
• The virus is activated to perform the function for which it was intended.
• As with the dormant phase, the triggering phase can be caused by a variety
of system events,
including a count of the number of times that this copy of the virus has made
copies of
itself.

Execution phase:
• The function is performed.
• The function may be harmless, such as a message on the screen, or damaging,
such as the
destruction of programs and data files.

2.2 Worm: It is a program that can replicate itself and send copies from computer to computer across network connections.
• Upon arrival, the worm may be activated to replicate and propagate again. In addition to propagation, the worm usually performs some unwanted function.
• An e-mail virus has some of the characteristics of a worm because it propagates itself from system to system.
A worm actively seeks out more machines to infect and each machine that is infected serves as an automated launching pad for attacks on other machines.

2.3 Intruders: An Intruder is a person who attempts to gain unauthorized access to a system, to damage that system, or to disturb data on that system. In summary, this person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality.
Three main classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.

Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

2.4 Insiders:
• An Insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
• The threat may involve fraud, the theft of confidential or commercially valuable information.
• Insiders are more dangerous than outside intruders.
• They have the access and knowledge necessary to cause immediate damage to an organization.
• Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.
• Besides employees, insiders also include a number of other individuals who have physical access

3. Difference between Virus and Worm

Virus | Worm
A virus is a piece of code that attaches itself to a legitimate program. | A worm is a malicious program that spreads automatically.
Virus modifies the code. | Worm does not modify the code.
Virus does not replicate itself. | Worm replicates itself.
Virus is destructive in nature. | Worm is non-destructive in nature.
Aim of virus is to infect the code or program stored on the computer system. | Aim of worm is to make the computer or network unusable.
Virus can infect other files. | Worm does not infect other files, but it occupies memory space through replication.
Virus may need a trigger for execution. | Worm does not need any trigger.

4. Difference between Intruders & Insiders

INTRUDERS | INSIDERS
Intruders are authorized or unauthorized users who are trying to access the system or network. | Insiders are authorized users who try to access a system or network for which they are unauthorized.
Intruders are hackers or crackers. | Insiders are not hackers.
Intruders are illegal users. | Insiders are legal users.
Intruders are less dangerous than Insiders. | Insiders are more dangerous than Intruders.
Intruders do not have access to the system. | Insiders have easy access to the system because they are authorized users.
Many security mechanisms are used to protect the system from Intruders. | There is no such mechanism to protect the system from Insiders.

5. Avenue of Attack
There are two general reasons a particular computer system is attacked: either it is specifically targeted by the attacker, or it is an opportunistic target. In the first case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, perhaps a political reason. An example of this type of attack would be an individual in one country attacking a government system in another. The second type of attack, an attack against a target of opportunity, is conducted against a site that has software that is vulnerable to a specific exploit.

6. The steps in attack (General Process)

a. First, the attacker gathers as much information about the organization as possible. The type of information the attacker wants includes IP addresses, phone numbers, names of individuals, and what networks the organization maintains. This step is known as profiling.
b. The next step is to determine what target systems are available and active. This is accomplished with a ping sweep, which simply sends a “ping” to the target machine.
c. The next step is often to perform a port scan. This will help identify which ports are open, thus giving an indication of which services may be running on the target machine. The operating system and application programs running, as well as the services available on the target machine, are determined.
d. Further research is conducted to find possible vulnerabilities and, once a list of these is developed, the attacker is ready to take the next step: an actual attack on the target.
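
A defender's view of steps b and c, as an added example that is not part of the original notes: a ping sweep or port scan stands out in connection logs because one source touches many hosts, or many ports on one host, within a short time. The log format, thresholds and addresses below are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # sliding window (assumed policy)
SWEEP_HOSTS = 4                 # distinct hosts pinged by one source in WINDOW
SCAN_PORTS = 5                  # distinct TCP ports tried on one host in WINDOW

# Constructed sample log: timestamp, source, destination, protocol, detail
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 192.0.2.1 ICMP echo
2024-05-01T10:00:01 198.51.100.7 192.0.2.2 ICMP echo
2024-05-01T10:00:02 198.51.100.7 192.0.2.3 ICMP echo
2024-05-01T10:00:03 198.51.100.7 192.0.2.4 ICMP echo
2024-05-01T10:00:04 198.51.100.7 192.0.2.5 ICMP echo
2024-05-01T10:00:10 192.0.2.50 192.0.2.3 ICMP echo
2024-05-01T10:00:20 198.51.100.7 192.0.2.3 TCP 21
2024-05-01T10:00:21 198.51.100.7 192.0.2.3 TCP 22
2024-05-01T10:00:22 198.51.100.7 192.0.2.3 TCP 23
2024-05-01T10:00:23 198.51.100.7 192.0.2.3 TCP 25
2024-05-01T10:00:24 198.51.100.7 192.0.2.3 TCP 80
2024-05-01T10:00:25 198.51.100.7 192.0.2.3 TCP 443
2024-05-01T10:00:30 192.0.2.50 192.0.2.3 TCP 443
2024-05-01T10:00:31 192.0.2.50 192.0.2.3 TCP 443
2024-05-01T10:05:00 192.0.2.60 192.0.2.3 TCP 22
2024-05-01T10:10:00 192.0.2.60 192.0.2.3 TCP 25
2024-05-01T10:15:00 192.0.2.60 192.0.2.3 TCP 80
2024-05-01T10:20:00 192.0.2.60 192.0.2.3 TCP 443
2024-05-01T10:25:00 192.0.2.60 192.0.2.3 TCP 8080
"""


def parse(line):
    """Split one log line into (timestamp, src, dst, protocol, detail)."""
    ts, src, dst, proto, detail = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, detail


def max_distinct(events, window):
    """Largest count of distinct values inside any sliding time window.

    events is a time-sorted list of (timestamp, value) pairs.
    """
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in events[start:end + 1]}))
    return best


def detect(log_text):
    """Return sorted alerts as (kind, source, target, distinct_count)."""
    pings = defaultdict(list)   # source -> [(ts, destination host)]
    probes = defaultdict(list)  # (source, destination) -> [(ts, port)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, detail = parse(line)
        if proto == "ICMP" and detail == "echo":
            pings[src].append((ts, dst))
        elif proto == "TCP":
            probes[(src, dst)].append((ts, int(detail)))

    alerts = []
    for src, events in pings.items():
        count = max_distinct(sorted(events), WINDOW)
        if count >= SWEEP_HOSTS:
            alerts.append(("ping_sweep", src, "-", count))
    for (src, dst), events in probes.items():
        count = max_distinct(sorted(events), WINDOW)
        if count >= SCAN_PORTS:
            alerts.append(("port_scan", src, dst, count))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The source 192.0.2.60 also reaches five ports, but spread over twenty minutes, so it stays under the threshold; a slow scan like that needs a longer window or a per-day count.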

7. Security Basics
When we talk about computer security, we mean that we are addressing three important aspects of any computer-related system: confidentiality, integrity, and availability.
• Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By "access," we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy.
• Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.
• Availability means that assets are accessible to authorized parties at appropriate times. In other words, if some person or system has legitimate access to a particular set of objects, that access should not be prevented.

[Figure: Relationship between confidentiality, integrity, and availability.]

8. Active and Passive Attacks

The main aim of a security system is to detect and prevent security attacks. Security attacks have been classified as passive attacks and active attacks.

Passive Attacks: Passive attacks are a kind of read-only attack in which the attacker is usually interested only in gathering information, without disrupting the computer system’s operations and services. A passive attack usually involves monitoring and analyzing data transmissions to gain some meaningful information from them. Passive attacks are made by directly laying hands on message contents, in the form of emails, sensitive files, etc., containing confidential information.
Another way in which a passive attack is made is by analysis of traffic, where raw data is studied and analyzed to deduce interesting patterns from it. For example, by studying the data traffic rate of a victim, an attacker can deduce the peak time of data transfer, when disrupting the victim's operations will have the most effect.
Since passive attacks are silent in nature and show no immediate and visible signs of attack, they are very difficult to detect.

Active Attacks: An active attack involves alteration of data or disruption of the normal working of a system. Active attacks are usually made by masquerading the attacker's identity as someone else’s, either to gain extra privileges or to protect the attacker when the attack is detected. IP masquerading is one widely used technique for active attacks.

9. Common Types of Attacks

Without security measures and controls in place, our data might be subjected to an
attack. Some
attacks are passive, meaning information is monitored; others are active, meaning
the information
is altered with intent to corrupt or destroy the data or the network itself.
Our networks and data are vulnerable to any of the following types of attacks if
you do not have a
security plan in place.

9.1 Password-Based Attacks:

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.
Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.
When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.
After gaining access to your network with a valid account, an attacker can do any of the following:
• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and routing tables.
• Modify, reroute, or delete your data.

9.2 Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of the following:
• Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
• Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by authorized users.

9.3 Man-in-the-Middle Attack


As the name indicates, a man-in-the-middle attack occurs when someone between you
and the
person with whom you are communicating is actively monitoring, capturing, and
controlling your
communication transparently. For example, the attacker can re-route a data
exchange. When
computers are communicating at low levels of the network layer, the computers might
not be able
to determine with whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read
your message.
The person on the other end might believe it is you because the attacker might be
actively
replying as you to keep the exchange going and gain more information. This attack
is capable of
the same damage as an application-layer attack, described later in this section.

9.4 Sniffer Attack


A sniffer is an application or device that can read, monitor, and capture network
data exchanges
and read network packets. If the packets are not encrypted, a sniffer provides a
full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and
read unless
they are encrypted and the attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
• Read your communications.

9.5 Spoofing
Spoofing is nothing more than making data look like it has come from a different
source. This is
possible in TCP/IP because of the friendly assumptions behind the protocols.
When the protocols were developed, it was assumed that individuals who had access
to the network
layer would be privileged users who could be trusted. When a packet is sent from
one system to
another, it includes not only the destination IP address and port but the source IP
address as well.
You are supposed to fill in the source with your own address, but there is nothing
that stops you
from filling in another system’s address. This is one of the several forms of
spoofing.
1. Spoofing E-Mail
2. IP address Spoofing
3. Spoofing and Trusted Relationships
4. Spoofing and Sequence Numbers

9.5.1 Email Spoofing


E-mail spoofing is where you send a message with a From address different than your
own. A very
simple method often used to demonstrate how simple it is to spoof an e-mail address
is to telnet to
port 25 (the port associated with e-mail) on a system. From there, you can fill in
any address for
the From and To sections of the message, whether or not the addresses are yours and
whether they
actually exist or not.
This same method can be, and has been, used to spoof web sites. The most famous example of this is probably www.whitehouse.com. The www.whitehouse.gov site is the official site for the White House. The www.whitehouse.com URL takes you to a pornographic site. In this case, nobody is likely to take the pornographic site to be the official government site, and it was not intended to be taken that way. If, however, the attackers made their spoofed site appear similar to the official one, they could easily convince many viewers that they were at the official site.

9.5.2 Identity Spoofing (IP Address Spoofing)


Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed (identity spoofing). An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.
After gaining access to the network with a valid IP address, the attacker can
modify, reroute, or
delete your data.

9.6 Distributed Denial of Service attack (DDOS)


DOS attacks are conducted using a single attacking system. A denial of service
attack employing
multiple attacking systems is known as a distributed denial of service (DDOS)
attack. The goal of
a DDOS attack is the same: to deny the use of or access to a specific service or
system.
In a DDOS attack, the method used to deny service is simply to overwhelm the target
with traffic
from many different systems. A network of attack agents (sometimes called zombies)
is created
by the attacker, and upon receiving the attack command from the attacker, the
attack agents
commence sending a specific type of traffic against the target.

9.7 Replay Attacks


A replay attack is exactly what it sounds like: it is an attack where the attacker
captures a portion
of a communication between two parties and retransmits it at a later time. For
example, an attacker
might replay a series of commands and codes used in a financial transaction in
order to cause the
transaction to be conducted multiple times.
The best way to prevent replay attacks is with encryption, cryptographic
authentication, and time
stamps. If a portion of the certificate or ticket includes a date/time stamp or an
expiration date/time,
and this portion is also encrypted as part of the ticket or certificate, replaying
it at a later time will
prove useless, since it will be rejected as having expired.
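
The timestamp defence described above, as an added example that is not part of the original notes: the sender binds the payload, a timestamp and a nonce under one HMAC tag, and the receiver rejects anything expired, altered or already seen. It uses message authentication (HMAC-SHA256) rather than encryption, and goes one step beyond the text by also catching a replay inside the validity window; the key, field names and limits are assumptions.

```python
import hashlib
import hmac
import json
import secrets

MAX_AGE = 30     # seconds a message stays valid (assumed policy)
CLOCK_SKEW = 5   # tolerated clock difference between the parties (assumed)


def seal(key, payload, now):
    """Sender side: authenticate payload, timestamp and nonce together."""
    body = json.dumps(
        {"payload": payload, "ts": now, "nonce": secrets.token_hex(8)},
        sort_keys=True,
    ).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Verifier:
    """Receiver side: checks the tag first, then freshness, then reuse."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> time at which that message expires

    def accept(self, body, tag, now):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg["ts"] - now > CLOCK_SKEW:
            return "rejected: timestamp in the future"
        if now - msg["ts"] >= MAX_AGE:
            return "rejected: expired"
        # Nonces only need to be remembered while their message is valid.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if msg["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[msg["nonce"]] = msg["ts"] + MAX_AGE
        return "accepted"


def demo():
    """Run one constructed transaction through the four interesting cases."""
    key = b"constructed-demo-key"
    verifier = Verifier(key)
    body, tag = seal(key, {"op": "transfer", "amount": 100}, now=1000)
    # A captured message whose timestamp was edited to look fresh.
    forged = body.replace(b'"ts": 1000', b'"ts": 1040')
    return [
        verifier.accept(body, tag, now=1001),    # first delivery
        verifier.accept(body, tag, now=1002),    # replay inside the window
        verifier.accept(body, tag, now=1040),    # replay after expiry
        verifier.accept(forged, tag, now=1041),  # timestamp tampered with
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the timestamp sits inside the authenticated body, changing it invalidates the tag, which is the property the text relies on when it says the date/time stamp must be protected as part of the ticket.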

9.8 TCP/IP Hijacking


TCP/IP hijacking and session hijacking are terms used to refer to the process of
taking control of
an already existing session between a client and a server. The advantage to an
attacker of hijacking
over attempting to penetrate a computer system or network is that the attacker
doesn’t have to
circumvent any authentication mechanisms, since the user has already authenticated
and
established the session. Once the user has completed the authentication sequence,
the attacker can
then usurp the session and carry on as if the attacker, and not the user, had
authenticated with the
system. In order to prevent the user from noticing anything unusual, the attacker
may decide to
attack the user’s system and perform a denial of service attack on it, taking it
down so that the user,
and the system, will not notice the extra traffic that is taking place.

9.9 Phishing Attack


This type of attack uses social engineering techniques to steal confidential information; the most common target of such an attack is the victim's bank account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to appear as real on-line banking websites. Emails received by users will in most cases look authentic, as if sent from sources known to the user (very often with the appropriate company logo and localized information). Those emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information on-line. The request will be accompanied by a threat that the account may become disabled or suspended if the mentioned details are not verified by the user.

Types of Phishing Attacks


1. Social Phishing - in recent years, Phishing techniques have evolved to include social media such as Facebook or Twitter; this type of Phishing is often called Social Phishing.
2. Spear Phishing Attack - this is a type of Phishing attack targeted at specific individuals, groups of individuals or companies. Spear Phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary Phishing attacks are directed against the wide public with the intent of financial fraud.

9.10 SQL Injection


The point of the hack is not just to get information from the target site. Depending on the intention of the malicious hooligans attacking you, it can include bypassing logins, accessing data as in the Yahoo! case, modifying the content of a website as when hackers replace the website with a new front page, or simply shutting down the server.
• Step one of the attack is to scan the site to see if a vulnerability exists.
• After a site is identified, a hacker will attempt to gain a foothold and search for files containing usernames and directories that are known to contain sensitive data.
• The attack is opportunistic and does not take a lot of research or a large team to pull off.
• SQL injection is the actual injection of SQL commands into web applications through user input fields.
• When an application uses internal SQL commands and you also have user input capabilities (like a login screen), SQL commands can be injected that can create, read, update, or delete any data available to the application.
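
The login-screen case from the last bullet, as an added example that is not part of the original notes: the same check written once by pasting user input into the SQL text and once with bound parameters, run against an in-memory SQLite database. The table, accounts and input strings are constructed for the illustration.

```python
import hashlib
import sqlite3


def hash_pw(password):
    # A constant salt keeps the demo short; real systems use a per-user salt.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)
    return digest.hex()


def make_db():
    """In-memory database holding two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", hash_pw("correct horse")),
            ("o'brien", hash_pw("battery staple")),
        ],
    )
    return db


def login_vulnerable(db, name, password):
    # WEAK: the user-supplied name becomes part of the SQL text itself, so a
    # quote character in it changes the structure of the statement.
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND pw_hash = '" + hash_pw(password) + "'"
    )
    return db.execute(query).fetchone() is not None


def login_safe(db, name, password):
    # HARDENED: placeholders pass the values separately from the SQL text,
    # so they are always treated as data, never as SQL.
    query = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(query, (name, hash_pw(password))).fetchone() is not None


def demo():
    db = make_db()
    crafted = "alice' --"  # constructed input: closes the quote, comments out the rest
    results = {
        "vulnerable, crafted name, wrong password": login_vulnerable(db, crafted, "wrong"),
        "safe, crafted name, wrong password": login_safe(db, crafted, "wrong"),
        "safe, real credentials": login_safe(db, "alice", "correct horse"),
        "safe, name containing a quote": login_safe(db, "o'brien", "battery staple"),
    }
    try:
        login_vulnerable(db, "o'brien", "battery staple")
    except sqlite3.OperationalError as exc:
        # A legitimate name with an apostrophe breaks the concatenated query.
        results["vulnerable, name containing a quote"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

An unexplained SQL syntax error on a name like o'brien is often the first visible sign that a query is built by concatenation, which makes it a useful thing to look for in application error logs.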

10. Malware: Viruses and Logic Bombs

A computer virus is a computer program that can replicate itself and spread from
one computer
to another. The term "virus" is also commonly, but erroneously, used to refer to
other types
of malware, including but not limited to adware and spyware programs that do not
have a
reproductive ability.
Malware includes computer viruses, computer worms, ransomware, trojan horses,
keyloggers,
most rootkits, spyware, dishonest adware, and other malicious software.
In order to replicate itself, a virus must be permitted to execute code and write
to memory. For this
reason, many viruses attach themselves to executable files that may be part of
legitimate programs
(code injection). If a user attempts to launch an infected program, the virus' code
may be executed
simultaneously. Viruses can be divided into two types based on their behavior when
they are
executed:
Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a
replication module.
The finder module is responsible for finding new files to infect. For each new
executable file the
finder module encounters, it calls the replication module to infect that file.
Resident viruses
Resident viruses contain a replication module that is similar to the one that is
employed by
nonresident viruses. This module, however, is not called by a finder module. The
virus loads the
replication module into memory when it is executed instead and ensures that this
module is
executed each time the operating system is called to perform a certain operation.
The replication
module can be called, for example, each time the operating system executes a file.
In this case the
virus infects every suitable program that is executed on the computer.
A computer virus is a harmful software program written intentionally to enter a computer without the user's permission or knowledge. It has the ability to replicate itself, thus continuing to spread. Some viruses do little but replicate, while others can cause severe harm or adversely affect the program and performance of the system. A virus should never be assumed harmless and left on a system.
There are different types of viruses which can be classified according to their
origin, techniques,
types of files they infect, where they hide, the kind of damage they cause, the
type of operating
system, or platform they attack. Let us have a look at few of them.

Memory Resident Virus


These viruses fix themselves in the computer memory, get activated whenever the OS runs, and infect all the files that are then opened. This type of virus hides in the RAM and stays there even after the malicious code is executed. It gets control over the system memory and allocates memory blocks through which it runs its own code, and executes the code when any function is executed. It can corrupt files and programs that are opened, closed, copied, renamed, etc.
Examples: Randex, CMJ, Meve, and MrKlunky.
Protection is possible by installing an antivirus program.

Direct Action Viruses
The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that are specified in the AUTOEXEC.BAT file path. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted. The FindFirst/FindNext technique is used, where the code selects a few files as its victims. It also infects external devices like pen drives or hard disks by copying itself onto them.
The viruses keep changing their location into new files whenever the code is executed, but are generally found in the hard disk's root directory. It can corrupt files. Basically, it is a file-infector virus.
Examples: Vienna virus. Protection is possible by installing an antivirus scanner. However, this type of virus has minimal effect on the computer's performance.

Overwrite Viruses
A virus of this kind is characterized by the fact that it deletes the information
contained in the files
that it infects, rendering them partially or totally useless once they have been
infected. The virus
replaces the file content. However, it does not change the file size.
Examples: Way, Trj.Reboot, Trivial.88.D. For protection, the only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. However, it is very easy to detect this type of virus, as the original program becomes useless.

Boot Sector Virus


This type of virus affects the boot sector of a hard disk. This is a crucial part
of the disk, in which
information of the disk itself is stored along with a program that makes it
possible to boot (start)
the computer from the disk. This type of virus is also called Master Boot Sector
Virus or Master
Boot Record Virus. It hides in the memory until DOS accesses the floppy disk, and
whichever
boot data is accessed, the virus infects it.
Examples: Polyboot.B, AntiEXE. The best way of avoiding boot sector viruses is to
ensure that
floppy disks are write-protected. Also, never start your computer with an unknown
floppy disk in
the disk drive.

Macro Virus
Macro viruses infect files that are created using certain applications or programs
that contain
macros, like .doc, .xls, .pps, .mdb, etc. These mini-programs make it possible to
automate series
of operations so that they are performed as a single action, thereby saving the
user from having to
carry them out one by one. These viruses automatically infect the file that contains macros, and also infect the templates and documents that the file contains. It is referred to as a type of e-mail virus. These hide in documents that are shared via e-mail or networks. Examples: Relax, Melissa.A, Bablas, O97M/Y2K. The best protection technique is to avoid opening e-mails from unknown senders. Also, disabling macros can help to protect your useful data.

Directory Virus
Directory viruses (also called Cluster Virus/File System Virus) infect the
directory of your
computer by changing the path that indicates the location of a file. When you
execute a program
file with an extension .EXE or .COM that has been infected by a virus, you are
unknowingly
running the virus program, while the original file and program is previously moved
by the virus.
Once infected, it becomes impossible to locate the original files. It is usually located in only one location of the disk, but infects the entire program in the directory. Examples: Dir-2 virus. For protection, all you can do is reinstall all the infected files from the backup after formatting the disk.

Polymorphic Virus
Polymorphic viruses encrypt or encode themselves in a different way (using different algorithms and encryption keys) every time they infect a system. This makes it impossible for antivirus software to find them using string or signature searches (because they are different in each encryption). The virus then goes on to create a large number of copies. Examples: Elkern, Marburg, Satan Bug and Tuareg. Install a high-end antivirus as the normal ones are incapable of detecting this type of virus.

Companion Viruses
Companion viruses can be considered as a type of file infector virus, like resident
or direct action
types. They are known as companion viruses because once they get into the system
they
'accompany' the other files that already exist. In other words, to carry out their
infection routines,
companion viruses can wait in memory until a program is run (resident virus), or
act immediately
by making copies of themselves (direct action virus).
Hideout: These generally use the same filename and create a different extension of
it. For example:
If there is a file "Me.exe", the virus creates another file named "Me.com" and
hides in the new file.
When the system calls the filename "Me", the ".com" file gets executed (as ".com"
has higher
priority than ".exe"), thus infecting the system.
Examples: Stator, Asimov.1539 and Terrax.1069. For protection, install an antivirus scanner and also download a firewall.

FAT Virus
The file allocation table (FAT) is the part of a disk used to store all the
information about the
location of files, available space, unusable space, etc. FAT virus attacks the FAT
section and may
damage crucial information. It can be especially dangerous as it prevents access to
certain sections
of the disk where important files are stored. Damage caused can result in loss of
information from
individual files or even entire directories.
Examples: Link Virus. Before the virus attacks all the files on the computer,
locate all the files that
are actually needed on the hard drive, and then delete the ones that are not
needed. They may be
files created by viruses.

Multipartite Virus
These viruses spread in multiple possible ways. Their action may vary depending upon the operating system installed and the presence of certain files. In the initial phase, these viruses tend to hide in the memory as the resident viruses do; then they infect the hard disk. Examples: Invader, Flip and Tequila. You need to clean the boot sector and also the disk to get rid of the virus, and then reload all the data in it. However, ensure that the data is clean.

Web Scripting Virus


Many web pages include complex codes in order to create an interesting and
interactive content.
This code is often exploited to bring about certain undesirable actions. The main
sources of web
scripting viruses are the web browsers or infected web pages.
Examples: JS.Fortnight is a virus that spreads through malicious e-mails.
Protection: Install the Microsoft tool application that is a default feature in Windows 2000, Windows 7 and Vista. Scan the computer with this application.

Logic Bombs
Logic bombs are small programs or sections of a program triggered by some event such as a certain date or time, a certain percentage of disk space filled, the removal of a file, and so on. For example, a programmer could establish a logic bomb to delete critical sections of code if he/she is terminated from the company. Logic bombs are most commonly installed by insiders with access to the system. Logic bombs go undetected until launched; the results can be destructive, and your entire data can be deleted!
