
UNIT:2

Detour: UNIX user IDs, process IDs and privileges

What are Unix IDs?

Each user account has a unique UID (user ID).
UID 0 is the superuser (root, the system administrator).
A user account can belong to several groups, each identified by a GID (group ID).
Subjects are processes, each associated with UID/GID pairs.
Objects are files (and the other resources whose access the kernel mediates).

Describe the Detour used in UNIX user IDs and process IDs.
1. The "Detour" is a short aside on Unix user IDs and the IDs associated with Unix processes.
2. Every user in a Unix-like operating system is identified by a distinct integer; this unique number is called the user ID (UID). Group membership is identified the same way by group IDs (GIDs).
3. The kernel keeps three UIDs for every process, and they can be changed at run time as the privilege needs of the task change. The three UIDs are:

A). Real UID: the UID of the user who started the process, i.e. the account the process is "accounted to". It is not what the kernel checks against file permissions; it is used, for example, to decide who may send the process a signal, and it is the identity the process can always fall back to.
B). Effective UID: the UID the kernel actually uses for permission checks (file modes, ownership checks, and so on). It is normally the same as the real UID, but when a set-user-ID executable is run (passwd, for instance, is owned by root and has the set-user-ID bit set) the effective UID becomes the UID of the file's owner, so that a non-privileged user can perform one specific operation that only root could otherwise perform.
C). Saved set-user-ID: a copy of the effective UID taken when a set-user-ID program starts. It is what lets a process running with elevated privileges (generally root) temporarily switch its effective UID to the unprivileged real UID to do some unprivileged work, and later switch back: seteuid() may always set the effective UID to any of the current real, effective or saved values, so the privileged value survives in the saved UID until the process gives it up for good.

4. A subject is a program (application) executing on behalf of some principal(s). In Unix the subjects are processes, each associated with UID/GID pairs.
5. A principal may at any time be idle, or have one or more subjects executing on its behalf. An object is anything on which a subject can perform operations (mediated by rights); objects are usually passive, for example:
a. File
b. Directory (or folder)
c. Memory segment.
6. Each user account has a unique UID. UID 0 is the superuser (the system administrator); the kernel skips most permission checks for a process whose effective UID is 0, which is why the effective UID, not the real one, is what matters for privilege.

Confinement Principle:
1. The confinement principle is the principle of preventing a server from leaking information that the user of the service considers confidential.
2. More generally, confinement deals with preventing a process from taking disallowed actions.
3. Consider a client/server situation: the client sends a data request to the server; the server uses the data, performs some function, and sends the results (data) back to the client.
4. In this setting, access control affects the function of the server in two ways:
A). Goal of the service provider: the server must ensure that the resources it accesses on behalf of the client include only those resources that the client is authorized to access.
B). Goal of the service user: the server must ensure that it does not reveal the client's data to any other entity which is not authorized to see the client's data.
5. A server can leak through channels other than its normal reply (files it writes, other clients it serves), so a confined server has to be restricted in what it may read and write, not only in what it returns. The mechanisms used to enforce this in practice include system call interposition and VM-based isolation, both covered in this unit.

System call interposition:


In computing, a system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. A program makes a system call whenever it needs something that only the kernel can do, and the kernel provides its services to user programs through this interface, usually wrapped by an Application Program Interface (API) such as the C library on Unix.
System calls provide the interface between a process and the operating system that allows user-level processes to request services of the operating system. They are the only entry points into the kernel for user programs: all programs needing kernel-managed resources must use system calls. Because every privileged operation funnels through this narrow interface, it is also the natural place to put a reference monitor, which is what system call interposition (described later in this unit) does.
Services Provided by System Calls :
1. Process creation and management
2. Main memory management
3. File Access, Directory and File system management
4. Device handling(I/O)
5. Protection
6. Networking, etc.
Types of System Calls: there are 5 categories of system calls:
1) Process control: end, abort, create, terminate, allocate and free memory.
2) File management: create, open, close, delete, read file, etc.
3) Device management
4) Information maintenance
5) Communication

Process Control

A running program needs to be able to stop execution either normally or abnormally. When execution is stopped abnormally, often a dump of memory is taken and can be examined with a debugger.

File Management
Some common system calls are create, delete, read, write, reposition, and close. There is also a need to determine and change file attributes: get and set file attribute. Many times the OS provides an API to make these system calls.

Device Management

Processes usually require several resources to execute; if these resources are available, they will be granted and control returned to the user process. These resources are also thought of as devices. Some are physical, such as a video card, and others are abstract, such as a file.

User programs request the device, and when finished they release the device. Similar to files, we can read, write, and reposition the device.

Information Management

Some system calls exist purely for transferring information between the
user program and the operating system. An example of this is time,
or date.

The OS also keeps information about all its processes and provides
system calls to report this information.

Communication

There are two models of interprocess communication, the message-passing model and the shared memory model.

• Message passing uses a common mailbox to pass messages between processes.
• Shared memory uses certain system calls to create and gain access to regions of memory owned by other processes. The two processes exchange information by reading and writing in the shared data.

System call interposition is a powerful method for regulating and monitoring program behavior. A wide variety of security tools have been developed which use this technique. The interposing monitor (a kernel module, a tracing process using ptrace, or a kernel-side filter such as seccomp-BPF on Linux) sees each system call and its arguments before the kernel executes it, and can allow it, deny it with an error, log it, or kill the process. Because system calls are the only way into the kernel, nothing the program does to the outside world escapes the monitor's view; a monitor that inspects arguments in user memory must, however, beware of the program changing them between the check and the kernel's use of them (a time-of-check/time-of-use race), which is why in-kernel filters that see the arguments the kernel actually uses are preferred.

Error 404: Hacking Digital India Part 2 - Chase

Some attacks discussed in Error 404: Hacking Digital India Part 2 - Chase are:

• Israel's power grid hit by a big hack attack, described as one of the worst cyberattacks ever.
• In 2014 a hydropower plant in upstate New York got hacked.
• France's infrastructure, including its main nuclear power plant, being targeted by a new and dangerous cyber worm.
• A Bangladeshi hacker group hacked into nearly 20,000 Indian websites, including that of the Indian Border Security Force.
• The first virus that could crash a power grid or destroy a pipeline being available online for anyone to download and tinker with.
• India's biggest data breach (the SBI debit card breach): when it happened the bank was initially in a state of denial, but subsequently it had to own up to what was the largest cyber security breach in Indian history.

VM-based Isolation:
A VM is an isolated environment with access to a subset of the physical resources of the computer system. Each VM appears to be running on the bare hardware, giving the appearance of multiple instances of the same computer, though all are supported by a single physical system.

Two main types of virtualization are hardware virtualization and software virtualization [1]. Virtualization software runs on the real object (i.e., the hardware or software) to be shared. The virtualization software makes multiple virtual objects that look exactly like the real object.

VM isolation techniques are a good strategy for preventing infections from spreading to the entire cloud environment. The isolation is only as strong as the hypervisor, however: a guest that exploits a bug in the hypervisor, or in a device the hypervisor emulates for it, can escape the VM, so the interface exposed to guests (emulated devices, paravirtual drivers, management APIs) should be kept as small as possible.

What is a rootkit?

A rootkit is a malicious software bundle designed to give an attacker unauthorized, privileged access to a computer while concealing its own presence. Rootkits are hard to detect because they hide from the very tools (process lists, directory listings, antivirus scans) that would otherwise reveal them. Attackers use rootkit malware to remotely access a computer, manipulate it, and steal data.

When a rootkit takes hold, the system behaves like a zombie computer: the attacker can exert near-total control over the device through remote access. This combination of privilege, persistence and concealment is what makes rootkits so powerful.

What does a rootkit do?

Rootkits let malicious code hide within a device. Once a rootkit attack succeeds, it grants remote administrative access to the operating system while avoiding detection.
What does a rootkit modify? Because a rootkit's purpose is to gain admin-level, privileged access to the computer system, it can modify anything an administrator can, including the operating system components and security tools that would otherwise expose it.

How to remove a rootkit

Rootkit removal is not easy. Because rootkits can bury themselves deep within the operating system, it is hard to tell that they are even there. But once you know you have one, curing the zombie computer of its rootkit infection is critical.
Step 1: Run rootkit removal software
Don't rely only on Windows Defender or other built-in security software, since many rootkits can subvert basic protections. Use a dedicated anti-rootkit scanner; the example these notes use is Avast One, which combines a large threat-detection network with machine-learning malware detection in a single tool that can detect and remove rootkits and block reinfection. Keep in mind that any scanner running inside the compromised operating system is at the mercy of a kernel-level rootkit that sits beneath it, which is the reason for the next step.

Step 2: Perform a boot-time scan

Modern malware uses sophisticated techniques to evade detection by antivirus products. Once the operating system is running, a rootkit present on the device can outsmart automated antivirus scans.

If an antivirus program asks the operating system to open a particular malware file, the rootkit can intercept the request and hand back a harmless file instead. It can likewise hook the file-enumeration routines so that its own files never appear in a directory listing and are therefore never included in a scan at all.

That is why a boot-time scan, such as the one included in Avast One, is so useful. Boot-time scans run during the computer's startup procedure, before the full operating system and its drivers are loaded, so the rootkit is still dormant and unable to conceal itself. Scanning the disk from a separate, trusted boot medium works on the same principle.

Step 3: Reinstall the OS
If antivirus software and a boot-time scan fail to remove the rootkit, back up your data, wipe the device, and perform a clean install. This is sometimes the only remedy when a rootkit is operating at the boot, firmware, or hypervisor level.
For starters, you need to know how to format a hard drive and how to clone a hard drive to back up your important files. You might need to wipe the main C: drive, but you can still keep most of your data; restore documents, not executables or installers from the old system, or the infection comes back with them. Two caveats: a firmware (BIOS/UEFI) rootkit survives a disk wipe and needs the firmware reflashed from a trusted image, and after the clean install any credentials that were used on the infected machine should be changed. This is the last resort for removing a rootkit.
Signs of a rootkit attack
The following warning signs may indicate the presence of a rootkit on your device:

Your system is acting strangely: Rootkits allow hackers to manipulate your computer's OS. If your computer is acting strangely, it could be the work of a hacker via a rootkit.

Change in settings: In general, your computer shouldn't do things without being told, and ideally the person doing the telling is you. Rootkit-enabled remote access can allow someone else to meddle with your settings and configurations. If something seems different, there might be cause for concern.

Web pages/network activities intermittent: If your internet connection suddenly grows spottier than usual, it might be more than a service hiccup. If a hacker is using a rootkit to send or receive a lot of traffic from your computer, it could bog down your internet connection.

Intrusion Detection System

An Intrusion Detection System (IDS) is a system that monitors network traffic (or host activity) for suspicious activity and issues alerts when such activity is discovered. It is a software application that scans a network or a system for harmful activity or policy breaches. Any malicious venture or violation is normally reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate malicious activity from false alarms.

Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms. Hence, organizations need to fine-tune their IDS products when they first install them. This means properly setting up the intrusion detection system to recognize what normal traffic on the network looks like as compared to malicious activity.
An intrusion prevention system (IPS) goes one step further: it sits inline on the path of the packets, so that besides sending a warning notification it can drop or block the malicious traffic at once. The cost is that a false positive now blocks legitimate traffic instead of merely raising an alert.

Classification of Intrusion Detection System:

IDS are classified into 5 types:
1. Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic from all devices on the network. A NIDS observes the traffic passing on the entire subnet and matches it against a collection of known attacks. Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator. An example of NIDS deployment is installing it on the subnet where the firewalls are located, in order to see whether someone is trying to break through the firewall.
2. Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the incoming and outgoing packets of that device only and alerts the administrator if suspicious or malicious activity is detected. It also takes a snapshot of the existing system files and compares it with the previous snapshot; if critical system files were edited or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.
3. Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system (PIDS) comprises a system or agent that resides at the front end of a server, monitoring and interpreting the protocol between a user/device and the server. For a web server this means monitoring the HTTP stream: because HTTPS traffic is encrypted on the wire, the PIDS has to sit at the point where TLS is terminated and the plain HTTP is handed to the web presentation layer, i.e. between the TLS endpoint and the web application, otherwise it sees only ciphertext.

4. Application Protocol-based Intrusion Detection System (APIDS):
An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of servers. It identifies intrusions by monitoring and interpreting the communication on application-specific protocols. For example, it would monitor the SQL protocol specific to the middleware as it transacts with the database on behalf of the web server.
5. Hybrid Intrusion Detection System :
Hybrid intrusion detection system is made by the
combination of two or more approaches of the intrusion
detection system. In the hybrid intrusion detection system,
host agent or system data is combined with network
information to develop a complete view of the network
system. Hybrid intrusion detection system is more effective
in comparison to the other intrusion detection system. Prelude
is an example of Hybrid IDS.
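The file-snapshot comparison a HIDS performs (item 2 above), as an added example that is not part of the original notes: a baseline snapshot maps each monitored path to a hash of its content, a later snapshot is compared against it, and every modified, deleted or newly appeared file becomes an alert. The file contents below are constructed strings standing in for the bytes a real agent would read from disk, and the hash is 64-bit FNV-1a for brevity; a production HIDS uses a cryptographic hash such as SHA-256 so an attacker cannot craft a modified file with the same digest.

```c
/* Added example: HIDS-style file integrity check against a baseline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FILES 16
#define MAX_PATH 64

typedef struct {
    char path[MAX_PATH];
    uint64_t hash;
} Entry;

typedef struct {
    Entry e[MAX_FILES];
    int n;
} Snapshot;

/* 64-bit FNV-1a over a byte buffer (illustrative; not collision resistant). */
uint64_t fnv1a(const unsigned char *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;        /* offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;                 /* FNV prime */
    }
    return h;
}

/* Record one file in a snapshot. 'content' stands in for the file bytes. */
void snapshot_add(Snapshot *s, const char *path, const char *content) {
    if (s->n >= MAX_FILES) return;
    strncpy(s->e[s->n].path, path, MAX_PATH - 1);
    s->e[s->n].path[MAX_PATH - 1] = '\0';
    s->e[s->n].hash = fnv1a((const unsigned char *)content, strlen(content));
    s->n++;
}

static const Entry *find_entry(const Snapshot *s, const char *path) {
    for (int i = 0; i < s->n; i++)
        if (strcmp(s->e[i].path, path) == 0) return &s->e[i];
    return NULL;
}

typedef struct { int modified, deleted, added; } Report;

/* Compare 'now' against 'baseline'; every difference is an alert. */
Report compare_snapshots(const Snapshot *baseline, const Snapshot *now) {
    Report r = {0, 0, 0};
    for (int i = 0; i < baseline->n; i++) {
        const Entry *cur = find_entry(now, baseline->e[i].path);
        if (cur == NULL) {
            r.deleted++;
            printf("ALERT deleted:  %s\n", baseline->e[i].path);
        } else if (cur->hash != baseline->e[i].hash) {
            r.modified++;
            printf("ALERT modified: %s\n", cur->path);
        }
    }
    for (int i = 0; i < now->n; i++)
        if (find_entry(baseline, now->e[i].path) == NULL) {
            r.added++;
            printf("ALERT new file: %s\n", now->e[i].path);
        }
    return r;
}

int main(void) {
    Snapshot base = {0}, now = {0};
    /* Constructed baseline, taken while the host was known-good. */
    snapshot_add(&base, "/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n");
    snapshot_add(&base, "/bin/ls", "ELF-original");
    snapshot_add(&base, "/etc/hosts", "127.0.0.1 localhost\n");
    /* Constructed later snapshot: a UID-0 account was appended to passwd,
     * /etc/hosts is gone, and a kernel module appeared. */
    snapshot_add(&now, "/etc/passwd",
                 "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n");
    snapshot_add(&now, "/bin/ls", "ELF-original");
    snapshot_add(&now, "/lib/modules/rootkit.ko", "trojan");
    Report r = compare_snapshots(&base, &now);
    printf("modified=%d deleted=%d added=%d\n", r.modified, r.deleted, r.added);
    return 0;
}
```

Two practical points follow from the code. The baseline must be stored somewhere the host cannot rewrite (read-only media or a remote server), or the intruder simply re-baselines after the change; and because a kernel rootkit can feed the agent false file contents, this check is most trustworthy when run from a trusted boot medium, which is the same argument the rootkit section makes for boot-time scans.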

Detection Method of IDS:

1. Signature-based Method:
A signature-based IDS detects attacks by looking for specific, known patterns in network traffic: particular byte sequences in a payload, a particular packet size or header combination, or a malicious instruction sequence already known to be used by malware. The patterns the IDS looks for are known as signatures.

A signature-based IDS can easily detect attacks whose pattern (signature) already exists in its database, but it cannot detect new malware or attack variants whose pattern is not yet known, and a small change to the attack (a different encoding, extra padding) can evade a signature that was written too narrowly.

2. Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown attacks, since new malware is developed rapidly. An anomaly-based IDS builds a model of trusted (normal) activity, statistically or with machine learning, compares everything it sees against that model, and declares suspicious whatever the model does not account for. Machine-learning models generalize better than fixed signatures, since they can be trained for the particular applications and hardware configuration. The price is a higher false-positive rate and a dependence on a clean training period: if the attacker is already active while the baseline is learned, the attack becomes "normal".
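Both detection methods side by side, as an added example written for these notes rather than taken from them. The signature detector scans constructed HTTP request lines for a small table of known-bad byte sequences; the anomaly detector learns a per-minute request-rate baseline from constructed normal counts and flags a rate more than k standard deviations above the mean. The signatures and the threshold are illustrative choices, not a real IDS rule set.

```c
/* Added example: signature-based and anomaly-based detection over
 * constructed sample data. */
#include <stdio.h>
#include <string.h>

/* --- signature-based: known-bad byte sequences ------------------------ */
static const char *SIGNATURES[] = {
    "../../",        /* directory traversal */
    "UNION SELECT",  /* SQL injection */
    "/bin/sh",       /* command injection */
    "<script>",      /* reflected XSS */
};
#define N_SIGNATURES (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Index of the first matching signature, or -1 if none matches. */
int match_signature(const char *payload) {
    for (size_t i = 0; i < N_SIGNATURES; i++)
        if (strstr(payload, SIGNATURES[i]) != NULL) return (int)i;
    return -1;
}

/* Scan a batch of request lines; returns the number of alerts raised. */
int scan_requests(const char **lines, int n) {
    int alerts = 0;
    for (int i = 0; i < n; i++) {
        int s = match_signature(lines[i]);
        if (s >= 0) {
            alerts++;
            printf("ALERT sig[%d] \"%s\": %s\n", s, SIGNATURES[s], lines[i]);
        }
    }
    return alerts;
}

/* --- anomaly-based: request rate versus a learned baseline ------------ */
typedef struct { double mean, variance; } Baseline;

/* Learn mean and variance from per-minute request counts of normal traffic. */
Baseline learn_baseline(const double *counts, int n) {
    Baseline b = {0, 0};
    for (int i = 0; i < n; i++) b.mean += counts[i];
    b.mean /= n;
    for (int i = 0; i < n; i++)
        b.variance += (counts[i] - b.mean) * (counts[i] - b.mean);
    b.variance /= n;
    return b;
}

/* 1 if 'observed' is more than k standard deviations above the mean.
 * Only the high side is tested (floods matter, lulls do not), and the
 * comparison is squared so no sqrt() is needed. */
int is_anomalous(Baseline b, double observed, double k) {
    double d = observed - b.mean;
    if (d <= 0) return 0;
    if (b.variance == 0) return 1;
    return d * d > k * k * b.variance;
}

int main(void) {
    /* Constructed request lines, two benign and two malicious. */
    const char *lines[] = {
        "GET /index.html HTTP/1.1",
        "GET /../../etc/passwd HTTP/1.1",
        "GET /item?id=1 UNION SELECT password FROM users HTTP/1.1",
        "POST /login HTTP/1.1",
    };
    printf("signature alerts: %d\n", scan_requests(lines, 4));

    /* Constructed normal per-minute counts for one client, then two probes. */
    double normal[] = {10, 12, 11, 9, 13, 10};
    Baseline b = learn_baseline(normal, 6);
    printf("baseline mean=%.2f variance=%.2f\n", b.mean, b.variance);
    printf("120 req/min anomalous: %d\n", is_anomalous(b, 120, 3.0));
    printf(" 13 req/min anomalous: %d\n", is_anomalous(b, 13, 3.0));
    return 0;
}
```

The example also shows the weakness of each method in miniature: the traversal signature misses "..%2f..%2f" because no normalization is done before matching (real NIDS decode and normalize first), and a client that was already flooding while learn_baseline() ran would have pushed the mean and variance up, hiding its own later floods.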

Comparison of IDS with Firewalls:

IDS and firewalls are both network security controls, but an IDS differs from a firewall in where it looks and when it acts. A firewall looks outward: it restricts access between networks according to a policy in order to stop intrusions from happening, and it does not raise an alarm for an attack that originates inside the network. An IDS detects a suspected intrusion once it has happened (or while it is in progress) and then signals an alarm.
