
THE 12 TYPES OF CYBER CRIME

1. Hacking

In simple words, hacking is an act committed by an intruder by accessing your
computer system without your permission. Hackers (the people doing the
‘hacking’) are basically computer programmers, who have an advanced
understanding of computers and commonly misuse this knowledge for
devious reasons. They’re usually technology buffs who have expert-level skills
in one particular software program or language. As for motives, there could be
several, but the most common are pretty simple and can be explained by a
human tendency such as greed, fame, power, etc. Some people do it purely to
show off their expertise – ranging from relatively harmless activities such as
modifying software (and even hardware) to carry out tasks that are outside the
creator’s intent, while others just want to cause destruction.

Greed and sometimes voyeuristic tendencies may cause a hacker to break
into systems to steal personal banking information, a corporation’s financial
data, etc. They also try and modify systems so that they can execute tasks at
their whims. Hackers displaying such destructive conduct are also called
“Crackers” at times; they are also called “Black Hat” hackers. On the other
hand, there are those who develop an interest in computer hacking just out of
intellectual curiosity. Some companies hire these computer enthusiasts to find
flaws in their security systems and help fix them. Referred to as “White Hat”
hackers, these guys are against the abuse of computer systems. They
attempt to break into network systems purely to alert the owners of flaws. It’s
not always altruistic, though, because many do this for fame as well, in order
to land jobs with top companies, or just to be termed as security experts.
“Grey Hat” is another term used to refer to hacking activities that are a cross
between black hat and white hat hacking.
Some of the most famous computer geniuses were once hackers who went
on to use their skills for constructive technological development. Dennis
Ritchie and Ken Thompson, the creators of the UNIX operating system
(Linux’s predecessor), were two of them. Shawn Fanning, the developer of
Napster, Mark Zuckerberg of Facebook fame, and many more are also
examples. The first step towards preventing hackers from gaining access to
your systems is to learn how hacking is done. Of course it is beyond the
scope of this Fast Track to go into great details, but we will cover the various
techniques used by hackers to get to you via the internet.

a. SQL Injections: An SQL injection is a technique that allows hackers to play
upon the security vulnerabilities of the software that runs a web site. It can be
used to attack any type of unprotected or improperly protected SQL database.
This process involves entering portions of SQL code into a web form entry
field – most commonly usernames and passwords – to give the hacker further
access to the site backend, or to a particular user’s account. When you enter
logon information into sign-in fields, this information is typically converted to
an SQL command. This command checks the data you’ve entered against the
relevant table in the database. If your input data matches the data in the table,
you’re granted access; if not, you get the kind of error you would have seen
when you put in a wrong password. An SQL injection is usually an additional
command that, when inserted into the web form, tries to change the content of
the database to reflect a successful login. It can also be used to retrieve
information such as credit card numbers or passwords from unprotected sites.
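
Added example (not part of the original Fast Track): the sign-in check described above written both ways in Python with the standard sqlite3 module, against a constructed in-memory users table. The first function builds the SQL command by pasting the sign-in fields into the command text, so an input that carries an extra SQL clause changes the command itself; the second passes the fields as parameters, so the same input is only ever compared as data. The table, the account and the crafted input are all constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table with one account. The password is kept
    # in clear text only to keep the illustration short; a real site stores a
    # salted hash and compares against that.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The sign-in fields are pasted into the SQL text. Input that contains SQL
    # syntax therefore changes the command instead of being compared as a
    # value, which is exactly the weakness the text describes.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn, username, password):
    # Placeholders: the SQL text is fixed and the values travel separately, so
    # the database only ever compares them as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    crafted = "' OR '1'='1"   # the kind of extra SQL clause the text describes
    return {
        "vulnerable_correct_password": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_crafted_input": login_vulnerable(conn, crafted, crafted),
        "parameterised_correct_password": login_parameterised(conn, "alice", "correct horse"),
        "parameterised_crafted_input": login_parameterised(conn, crafted, crafted),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print("%-32s access %s" % (case, "GRANTED" if granted else "denied"))
```

Parameterised queries (prepared statements) are the standard fix: the string-building form should not appear in production code at all, whatever validation is wrapped around it.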

b. Theft of FTP Passwords: This is another very common way to tamper with
web sites. FTP password hacking takes advantage of the fact that many
webmasters store their website login information on their poorly protected
PCs. The thief searches the victim’s system for FTP login details, and then
relays them to his own remote computer. He then logs into the web site via
the remote computer and modifies the web pages as he or she pleases.
c. Cross-site scripting: Cross-site scripting, also known as XSS (formerly CSS,
but renamed due to confusion with cascading style sheets), is a very easy way
of circumventing a security system. Cross-site scripting is a hard-to-find
loophole in a web site, making it vulnerable to attack. In a typical XSS attack,
the hacker infects a web page with a malicious client-side script or program.
When you visit this web page, the script is automatically downloaded to your
browser and executed. Typically, attackers inject HTML, JavaScript, VBScript,
ActiveX or Flash into a vulnerable application to deceive you and gather
confidential information. If you want to protect your PC from malicious
hackers, investing in a good firewall should be first and foremost. Hacking is
done through a network, so it’s very important to stay safe while using the
internet. You’ll read more about safety tips in the last chapter of this book.
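
Added example, not code from the original text: a constructed visitor comment rendered into a page the unsafe way and the safe way, using Python's standard html.escape. The helper tags_in lists what a browser would treat as elements in each result, which makes the difference between the two renderings visible without a browser.

```python
import html
import re

TAG_RE = re.compile(r"<\s*(/?\w+)")


def tags_in(fragment):
    # Names of every element a browser would see in this HTML fragment
    return TAG_RE.findall(fragment)


# Constructed sample: the sort of text typed into a comment form by an attacker
SUBMITTED_COMMENT = 'Great article! <script>alert(1)</script>'


def render_comment_vulnerable(comment):
    # Pastes the visitor's text straight into the page; any tags it carries
    # become real elements and any <script> runs in every reader's browser.
    return '<div class="comment">%s</div>' % comment


def render_comment_escaped(comment):
    # HTML-encodes < > & " ' so the text is displayed exactly as typed and is
    # never parsed as markup. This output encoding is the fix for both
    # reflected and stored XSS in an HTML text context.
    return '<div class="comment">%s</div>' % html.escape(comment, quote=True)


if __name__ == "__main__":
    for render in (render_comment_vulnerable, render_comment_escaped):
        page = render(SUBMITTED_COMMENT)
        print("%-26s elements: %s" % (render.__name__, tags_in(page)))
```

Escaping is context-specific: the encoding above is right for text between tags, while values placed inside attributes, JavaScript or URLs need the encoding for that context, and a Content-Security-Policy header adds a second layer if an encoding is missed.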

2. Virus dissemination

Viruses are computer programs that attach themselves to or infect a system
or files, and have a tendency to circulate to other computers on a network.
They disrupt the computer operation and affect the data stored – either by
modifying it or by deleting it altogether. “Worms”, unlike viruses, don’t need a
host to cling on to. They merely replicate until they eat up all available
memory in the system. The term “worm” is sometimes used to mean
self-replicating “malware” (MALicious softWARE). These terms are often used
interchangeably in the context of the hybrid viruses/worms that dominate
the current virus scenario. “Trojan horses” are different from viruses in their
manner of propagation. They masquerade as a legitimate file, such as an
email attachment from a supposed friend with a very believable name, and
don’t disseminate themselves. The user can also unknowingly install a
Trojan-infected program via drive-by downloads when visiting a website,
playing online games or using internet-driven applications. A Trojan horse can
cause damage similar to other viruses, such as stealing information or
hampering/disrupting the functioning of computer systems.

Although mankind’s best invention, the net is still a minefield of threats

A simple diagram to show how malware can propagate

How does this happen? Well, the malicious code or virus is inserted into the
chain of command so that when the infected program is run, the viral code is
also executed (or in some cases, runs instead of the legitimate program).
Viruses are usually seen as extraneous code attached to a host program, but
this isn’t always the case. Sometimes, the environment is manipulated so that
calling a legitimate uninfected program calls the viral program. The viral
program may also be executed before any other program is run. This can
virtually infect every executable file on the computer, even though none of
those files’ code was actually tampered with. Viruses that follow this modus
operandi include “cluster” or “FAT” (File Allocation Table) viruses, which
redirect system pointers to infected files, associate viruses and viruses that
modify the Windows Registry directory entries so that their own code is
executed before any other legitimate program.
Computer viruses usually spread via removable media or the internet. A flash
disk, CD-ROM, magnetic tape or other storage device that has been in an
infected computer infects all future computers in which it’s used. Your
computer can also contract viruses from sinister email attachments, rogue
web sites or infected software. And these disseminate to every other
computer on your network.
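
Added example (not the book's own code): a file-integrity baseline in Python, the check a defender runs to catch the "extraneous code attached to a host program" case described above. It hashes every file under a directory, keeps the digests, and later reports files that changed, appeared or vanished. demo() builds a throwaway directory with constructed files so the whole thing runs offline. As the text itself notes, a virus that only redirects file-system pointers or registry entries without touching the executables will not show up in such a comparison, so this complements anti-virus scanning rather than replacing it.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    # Relative path -> SHA-256 digest for every regular file under root
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_of(full)
    return digests


def compare(before, after):
    # Files whose content changed, files that appeared, files that vanished
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    return modified, added, removed


def demo():
    # Constructed scenario in a throwaway directory: take a baseline, then
    # append extra bytes to one program file and drop a new file beside it.
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"legitimate program"), ("lib.dll", b"library")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b" extra code appended to the host")
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"new file")
        return compare(before, baseline(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

In practice the baseline must be stored somewhere the infected machine cannot rewrite (read-only media or another host), otherwise malware that alters files can alter the digests as well.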

All computer viruses cause direct or indirect economic damages. Based on
this, there are two categories of viruses:

1) Those that only disseminate and don’t cause intentional damage

2) Those which are programmed to cause damage.

However, even by disseminating, they take up plenty of memory space, and
time and resources that are spent on the clean-up job. Direct economic
damages are caused when viruses alter the information during digital
transmission. Considerable expenses are incurred by individuals, firms and
authorities for developing and implementing the anti-virus tools to protect
computer systems.

3. Logic bombs

A logic bomb, also known as “slag code”, is a malicious piece of code which is
intentionally inserted into software to execute a malicious task when triggered
by a specific event. It’s not a virus, although it usually behaves in a similar
manner. It is stealthily inserted into the program where it lies dormant until
specified conditions are met. Malicious software such as viruses and worms
often contain logic bombs which are triggered to deliver a specific payload or
at a predefined time. The payload of a logic bomb is unknown to the user of
the software, and the task that it executes is unwanted. Program codes that
are scheduled to execute at a particular time are known as “time-bombs”. For
example, the infamous “Friday the 13th” virus attacked the host systems only
on specific dates; it “exploded” (duplicated itself) every Friday that happened
to be the thirteenth of a month, thus causing system slowdowns.

Logic bombs are usually employed by disgruntled employees working in the IT
sector. You may have heard of “disgruntled employee syndrome” wherein
angry employees who’ve been fired use logic bombs to delete the databases
of their employers, stultify the network for a while or even do insider trading.
Triggers associated with the execution of logic bombs can be a specific date
and time, a missing entry from a database or not putting in a command at the
usual time, meaning the person doesn’t work there anymore. Most logic
bombs stay only in the network they were employed in. So in most cases,
they’re an insider job. This makes them easier to design and execute than a
virus: a logic bomb doesn’t need to replicate, which is a more complex job. To
keep your network protected from logic bombs, you need constant monitoring
of the data and efficient anti-virus software on each of the computers in the
network.

There’s another use for the type of action carried out in a logic bomb
“explosion” – to make restricted software trials. The embedded piece of code
destroys the software after a defined period of time or renders it unusable until
the user pays for its further use. Although this piece of code uses the same
technique as a logic bomb, it has a non-destructive, non-malicious and
user-transparent use, and is not typically referred to as one.

4. Denial-of-Service attack

A Denial-of-Service (DoS) attack is an explicit attempt by attackers to deny
service to intended users of that service. It involves flooding a computer
resource with more requests than it can handle, consuming its available
bandwidth, which results in server overload. This causes the resource (e.g. a
web server) to crash or slow down significantly so that no one can access it.
Using this technique, the attacker can render a web site inoperable by
sending massive amounts of traffic to the targeted site. A site may temporarily
malfunction or crash completely, in any case resulting in inability of the system
to communicate adequately. DoS attacks violate the acceptable use policies
of virtually all internet service providers.

Another variation of a denial-of-service attack is known as a “Distributed
Denial of Service” (DDoS) attack, wherein a number of geographically
widespread perpetrators flood the network traffic. Denial-of-Service attacks
typically target high profile web site servers belonging to banks and credit card
payment gateways. Websites of companies such as Amazon, CNN, Yahoo,
Twitter and eBay are not spared either.
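
Added example, not from the original text: detection logic in Python that reads web-server access-log lines in Common Log Format, buckets requests into ten-second windows and flags both patterns described above: one address sending far more than anyone else (the single-source DoS) and a window whose total is far above normal although no single address stands out (the geographically spread DDoS). The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the illustration; real thresholds come from the site's measured baseline traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.group(1), m.group(2)
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def detect_floods(lines, window_seconds=10, per_ip_limit=20, total_limit=50):
    # Bucket requests into fixed windows and count them per client address.
    per_bucket = defaultdict(Counter)
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue          # skip lines that do not parse instead of crashing
        ip, when = parsed
        per_bucket[int(when.timestamp()) // window_seconds][ip] += 1
    findings = []
    for bucket in sorted(per_bucket):
        counts = per_bucket[bucket]
        start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
        # One address far above the limit: the single-source DoS of the text
        for ip, n in counts.items():
            if n > per_ip_limit:
                findings.append(("single-source", start, ip, n))
        # Window total above the limit with no single address standing out:
        # the distributed pattern
        total = sum(counts.values())
        if total > total_limit and max(counts.values()) <= per_ip_limit:
            findings.append(("distributed", start, "%d sources" % len(counts), total))
    return findings


def make_sample_log():
    # Constructed traffic using RFC 5737 documentation addresses, not real hosts
    base = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path="/"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return '%s - - [%s] "GET %s HTTP/1.1" 200 512' % (ip, ts, path)

    lines = [entry("192.0.2.%d" % (i + 1), i * 4) for i in range(3)]                   # normal visitors
    lines += [entry("203.0.113.5", i // 10, "/search?q=%d" % i) for i in range(30)]   # 30 hits in 3 s
    lines += [entry("198.51.100.%d" % (i + 1), 20 + i // 12) for i in range(60)]      # 60 hosts, 1 hit each
    return lines


if __name__ == "__main__":
    for kind, start, who, n in detect_floods(make_sample_log()):
        print("%s flood at %s: %s, %d requests" % (kind, start.isoformat(), who, n))
```

The per-address rule is what a rate limiter or firewall block can act on; the distributed rule only tells you something is wrong, which is why mitigation of real DDoS traffic is usually done upstream by the provider rather than on the overloaded server itself.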

5. Phishing

This is a technique of extracting confidential information such as credit card
numbers and username password combos by masquerading as a legitimate
enterprise. Phishing is typically carried out by email spoofing. You’ve probably
received email containing links to legitimate appearing websites. You probably
found it suspicious and didn’t click the link. Smart move.

How phishing can net some really interesting catches


The malware would have installed itself on your computer and stolen private
information. Cyber-criminals use social engineering to trick you into
downloading malware off the internet or make you fill in your personal
information under false pretenses. A phishing scam in an email message can
be evaded by keeping certain things in mind.

Look for spelling mistakes in the text. Cyber-criminals are not known for
their grammar and spelling.

Hover your cursor over the hyperlinked URL but don’t click. Check if the
address matches with the one written in the message.

Watch out for fake threats. Did you receive a message saying “Your email
account will be closed if you don’t reply to this email”? They might trick you by
threatening that your security has been compromised.

Attackers use the names and logos of well-known web sites to deceive you.
The graphics and the web addresses used in the email are strikingly similar to
the legitimate ones, but they lead you to phony sites.

Not all phishing is done via email or web sites. Vishing (voice phishing)
involves calls to victims using a fake identity, fooling you into considering the
call to be from a trusted organisation. They may claim to be from a bank,
asking you to dial a number (provided by a VoIP service and owned by the
attacker) and enter your account details. Once you do that, your account
security is compromised. Treat all unsolicited phone calls with skepticism and
never provide any personal information. Many banks have issued preemptive
warnings informing their users of phishing scams and the do’s and don’ts
regarding your account information. Those of you reading Digit for long
enough will remember that we successfully phished hundreds of our readers
by reporting a way to hack other people’s gmail accounts by sending an email
to a made up account with your own username and password… and we did
that years ago in a story about, yes, you guessed it, phishing!

6. Email bombing and spamming

Email bombing is characterised by an abuser sending huge volumes of email
to a target address, resulting in the victim’s email account or mail servers
crashing. The message is meaningless and excessively long in order to
consume network resources. If multiple accounts of a mail server are targeted,
it may have a denial-of-service impact. Such mail arriving frequently in your
inbox can be easily detected by spam filters. Email bombing is commonly
carried out using botnets (private internet-connected computers whose
security has been compromised by malware and which are under the
attacker’s control) as a DDoS attack.

This type of attack is more difficult to control due to multiple source addresses
and the bots which are programmed to send different messages to defeat
spam filters. “Spamming” is a variant of email bombing. Here unsolicited bulk
messages are sent to a large number of users, indiscriminately. Opening links
given in spam mails may lead you to phishing web sites hosting malware.
Spam mail may also have infected files as attachments. Email spamming
worsens when the recipient replies to the email causing all the original
addressees to receive the reply. Spammers collect email addresses from
customer lists, newsgroups, chat-rooms, web sites and viruses which harvest
users’ address books, and sell them to other spammers as well. A large
amount of spam is sent to invalid email addresses.

Email filters cleaning out spam mail

Sending spam violates the acceptable use policy (AUP) of almost all internet
service providers. If your system suddenly becomes sluggish (email loads
slowly or doesn’t appear to be sent or received), the reason may be that your
mailer is processing a large number of messages. Unfortunately, at this time,
there’s no way to completely prevent email bombing and spam mails as it’s
impossible to predict the origin of the next attack. However, what you can do
is identify the source of the spam mails and have your router configured to
block any incoming packets from that address.

7. Web jacking

Web jacking derives its name from “hijacking”. Here, the hacker takes control
of a web site fraudulently. He may change the content of the original site or
even redirect the user to another fake similar looking page controlled by him.
The owner of the web site has no more control and the attacker may use the
web site for his own selfish interests. Cases have been reported where the
attacker has asked for ransom, and even posted obscene material on the site.

The web jacking attack method may be used to create a clone of the web site,
and present the victim with the new link saying that the site has moved. Unlike
usual phishing methods, when you hover your cursor over the link provided,
the URL presented will be the original one, and not the attacker’s site. But
when you click on the new link, it opens and is quickly replaced with the
malicious web server. The name on the address bar will be slightly different
from the original website, which can trick the user into thinking it’s a legitimate
site. For example, “gmail” may direct you to “gmai1”. Notice the digit one in
place of the letter ‘l’. It can be easily overlooked.

Obviously not gmail.com, but still enough people click

Web jacking can also be done by sending a counterfeit message to the
registrar controlling the domain name registration, under a false identity
asking him to connect a domain name to the webjacker’s IP address, thus
sending unsuspecting consumers who enter that particular domain name to a
website controlled by the webjacker. The purpose of this attack is to try to
harvest the credentials, usernames, passwords and account numbers of users
by using a fake web page with a valid link which opens when the user is
redirected to it after opening the legitimate site.
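
Added example serving both the phishing tip earlier in this chapter (hover over the link and check that the address matches the one written in the message) and the “gmai1” look-alike described in this section; it is not code from the original book. Python, standard library only: it pulls every link out of a constructed HTML email, compares the address shown in the link text with the real target, and checks the target's hostname against a small allow-list after undoing digit-for-letter substitutions. The allow-list, the substitution table and the sample email are assumptions made for the example; real tooling uses the full Unicode confusables data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the reader trusts, and a tiny table of
# look-alike substitutions (digit one for letter l, zero for o, and so on).
TRUSTED_DOMAINS = {"gmail.com", "example.org"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
URL_IN_TEXT = re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b", re.I)


class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML email body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_domain):
    # Accepts a full URL or a bare domain as written in link text
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    host = (urlparse(url_or_domain).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        shown = URL_IN_TEXT.search(text)
        # Phishing tip: the address shown in the text must match the real target
        if shown and hostname_of(shown.group(0)) != host:
            findings.append((href, "visible address differs from real target"))
        # Web jacking: a host that becomes a trusted domain once look-alike
        # characters are undone is itself a look-alike
        normalised = host.translate(CONFUSABLES)
        if host not in TRUSTED_DOMAINS and normalised in TRUSTED_DOMAINS:
            findings.append((href, "look-alike of trusted domain %s" % normalised))
    return findings


# Constructed sample message (gmai1.com is the look-alike from the text)
SAMPLE_EMAIL = """
<p>Dear customer, your mailbox is full. Please
<a href="http://gmai1.com/login">sign in at https://gmail.com</a> today.</p>
<p>Questions? See our <a href="https://example.org/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print("%s: %s" % (href, reason))
```

The same two checks are what a mail gateway's URL-rewriting filter performs at scale; doing them by hand, as the tip suggests, is simply hovering and reading carefully.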

8. Cyber stalking

Cyber stalking is a new form of internet crime in our society when a person is
pursued or followed online. A cyber stalker doesn’t physically follow his victim;
he does it virtually by following his online activity to harvest information about
the stalkee and harass him or her and make threats using verbal intimidation.
It’s an invasion of one’s online privacy.

Cyber stalking uses the internet or any other electronic means and is different
from offline stalking, but is usually accompanied by it. Most victims of this
crime are women who are stalked by men and children who are stalked by
adult predators and pedophiles. Cyber stalkers thrive on inexperienced web
users who are not well aware of netiquette and the rules of internet safety. A
cyber stalker may be a stranger, but could just as easily be someone you
know.

Cyber stalkers harass their victims via email, chat rooms, web sites,
discussion forums and open publishing web sites (e.g. blogs). The availability
of free email / web site space and the anonymity provided by chat rooms and
forums has contributed to the increase of cyber stalking incidents. Everyone
has an online presence nowadays, and it’s really easy to do a Google search
and get one’s name, alias, contact number and address, contributing to the
menace that is cyber stalking. As the internet is increasingly becoming an
integral part of our personal and professional lives, stalkers can take
advantage of the ease of communications and the availability of personal
information only a few mouse clicks away. In addition, the anonymous and
non-confrontational nature of internet communications further tosses away
any disincentives in the way of cyber stalking. Cyber stalking is done in two
primary ways:

Internet Stalking: Here the stalker harasses the victim via the internet.
Unsolicited email is the most common way of threatening someone, and the
stalker may even send obscene content and viruses by email. However,
viruses and unsolicited telemarketing email alone do not constitute cyber
stalking. But if email is sent repeatedly in an attempt to intimidate the
recipient, it may be considered stalking. Internet stalking is not limited to
email; stalkers can more comprehensively use the internet to harass the
victims. Any other cyber-crime that we’ve already read about, if done with an
intention to threaten, harass, or slander the victim may amount to cyber
stalking.

Computer Stalking: The more technologically advanced stalkers apply their
computer skills to assist them with the crime. They gain unauthorised control
of the victim’s computer by exploiting the working of the internet and the
Windows operating system. Though this is usually done by proficient and
computer savvy stalkers, instructions on how to accomplish this are easily
available on the internet.

Cyber stalking has now spread its wings to social networking. With the
increased use of social media such as Facebook, Twitter, Flickr and YouTube,
your profile, photos, and status updates are up for the world to see. Your
online presence provides enough information for you to become a potential
victim of stalking without even being aware of the risk. With the “check-ins”,
the “life-events”, apps which access your personal information and the need to
put up just about everything that you’re doing and where you’re doing it, one
doesn’t really leave anything for the stalkers to figure out for themselves.
Social networking technology provides a social and collaborative platform for
internet users to interact, express their thoughts and share almost everything
about their lives. Though it promotes socialisation amongst people, along the
way it contributes to the rise of internet violations.

9. Data diddling

Data Diddling is unauthorised altering of data before or during entry into a
computer system, and then changing it back after processing is done. Using
this technique, the attacker may modify the expected output, and the change
is difficult to track. In other words, the original information to be entered is
changed, either by a person typing in the data, a virus that’s programmed to
change the data, the programmer of the database or application, or anyone
else involved in the process of creating, recording, encoding, examining,
checking, converting or transmitting data.

This is one of the simplest methods of committing a computer-related crime,
because even a computer amateur can do it. Despite this being an effortless
task, it can have detrimental effects. For example, a person responsible for
accounting may change data about themselves or a friend or relative showing
that they’re paid in full. By altering or failing to enter the information, they’re
able to steal from the enterprise. Other examples include forging or
counterfeiting documents and exchanging valid computer tapes or cards with
prepared replacements. Electricity boards in India have been victims of data
diddling by computer criminals when private parties were computerizing their
systems.
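
Added example (not from the original text): detection logic in Python over a constructed audit trail. Data diddling as described above leaves a characteristic trace: a field is changed, a processing run happens, and the field is then set back to exactly its original value. The function walks the log and reports such change-run-revert sequences, while ignoring an immediate undo of a typo with no run in between. The log format, the BATCH marker row and the record ids are constructed for the example.

```python
# Constructed audit-trail entries: (seq, user, record, field, old_value, new_value).
# Rows with record "BATCH" mark a processing run (a hypothetical marker for
# this example; a real system would log job ids).
AUDIT_LOG = [
    (1, "clerk1", "INV-100", "amount", "1000.00", "100.00"),   # cut before the run
    (2, "system", "BATCH", "run", "", "payables-june"),
    (3, "clerk1", "INV-100", "amount", "100.00", "1000.00"),   # put back afterwards
    (4, "clerk2", "INV-101", "amount", "250.00", "275.00"),
    (5, "clerk2", "INV-101", "amount", "275.00", "250.00"),    # typo undone at once
    (6, "clerk2", "INV-102", "vendor", "ACME", "ACME Ltd"),    # ordinary correction
]


def find_change_and_revert(log, batch_record="BATCH"):
    # A value that is altered, survives a processing run, and is then restored
    # to exactly its original value is the data diddling pattern in the text.
    # Returns (record, field, user, original, diddled, seq_changed, seq_restored).
    batches = []          # sequence numbers of processing runs seen so far
    pending = {}          # (record, field) -> most recent edit of that field
    findings = []
    for seq, user, record, field, old, new in sorted(log):
        if record == batch_record:
            batches.append(seq)
            continue
        key = (record, field)
        prev = pending.get(key)
        if prev is not None:
            p_seq, p_user, p_old, p_new = prev
            ran_between = any(p_seq < b < seq for b in batches)
            if old == p_new and new == p_old and ran_between:
                findings.append((record, field, user, p_old, p_new, p_seq, seq))
        pending[key] = (seq, user, old, new)
    return findings


if __name__ == "__main__":
    for record, field, user, original, diddled, changed, restored in find_change_and_revert(AUDIT_LOG):
        print("%s.%s: %s changed %s -> %s at #%d, restored at #%d after a processing run"
              % (record, field, user, original, diddled, changed, restored))
```

The check only works if the audit trail itself is append-only and written by the application rather than by the people entering data; otherwise the same person can diddle the log.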

10. Identity Theft and Credit Card Fraud

Identity theft occurs when someone steals your identity and pretends to be
you to access resources such as credit cards, bank accounts and other
benefits in your name. The imposter may also use your identity to commit
other crimes. “Credit card fraud” is a wide ranging term for crimes involving
identity theft where the criminal uses your credit card to fund his transactions.
Credit card fraud is identity theft in its simplest form. The most common case
of credit card fraud is your pre-approved card falling into someone else’s
hands.

He can use it to buy anything until you report to the authorities and get your
card blocked. The only security measure on credit card purchases is the
signature on the receipt, but that can very easily be forged. However, in some
countries the merchant may even ask you for an ID or a PIN. Some credit
card companies have software to estimate the probability of fraud. If an
unusually large transaction is made, the issuer may even call you to verify.

Credit card fraud is the most common way for hackers to steal your money

Often people forget to collect their copy of the credit card receipt after eating
at restaurants or elsewhere when they pay by credit card. These receipts
have your credit card number and your signature for anyone to see and use.
With only this information, someone can make purchases online or by phone.
You won’t notice it until you get your monthly statement, which is why you
should carefully study your statements. Make sure the website is trustworthy
and secure when shopping online. Some hackers may get a hold of your
credit card number by employing phishing techniques. Sometimes a tiny
padlock icon appears on the left screen corner of the address bar on your
browser which provides a higher level of security for data transmission. If you
click on it, it will also tell you the encryption software it uses.

A more serious concern is the use of your personal information with the help
of stolen or fake documents to open accounts (or even worse, using your
existing account) to take a loan in your name. These unscrupulous people can
collect your personal details from your mailbox or trash can (remember to
shred all sensitive documents). Think of all the important details printed on
those receipts, pay stubs and other documents. You won’t know a thing until
the credit card people track you down and tail you until you clear all your
dues. Then for months and months you’ll be fighting to get your credit restored
and your name cleared.

With rising cases of credit card fraud, many financial institutions have stepped
in with software solutions to monitor your credit and guard your identity. ID
theft insurance can be taken to recover lost wages and restore your credit. But
before you spend a fortune on these services, apply the no-cost, common
sense measures to avert such a crime.

11. Salami slicing attack

A “salami slicing attack” or “salami fraud” is a technique by which
cyber-criminals steal money or resources a bit at a time so that there’s no
noticeable difference in overall size. The perpetrator gets away with these
little pieces from a large number of resources and thus accumulates a
considerable amount over a period of time. The essence of this method is the
failure to detect the misappropriation. The most classic approach is the
“collect-the-roundoff” technique. Most calculations carried out in a particular
currency are rounded up to the nearest unit about half the time and down the
rest of the time. If a programmer decides to collect these excess fractions of
rupees in a separate account, no net loss to the system seems apparent. This
is done by carefully transferring the funds into the perpetrator’s account.

Attackers insert a program into the system to automatically carry out the task.
Logic bombs may also be employed by unsatisfied greedy employees who
exploit their know-how of the network and/or privileged access to the system.
In this technique, the criminal programs the arithmetic routines to
automatically modify data, such as in interest calculations.

Stealing money electronically is the most common use of the salami slicing
technique, but it’s not restricted to money laundering. The salami technique
can also be applied to gather little bits of information over a period of time to
deduce an overall picture of an organisation. This act of distributed
information gathering may be against an individual or an organisation. Data
can be collected from web sites, advertisements, documents collected from
trash cans, and the like, gradually building up a whole database of factual
intelligence about the target.

Since the amount of misappropriation is just below the threshold of
perception, we need to be more vigilant. Careful examination of our assets,
transactions and every other dealing including sharing of confidential
information with others might help reduce the chances of an attack by this
method.
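
Added example (not from the original text): the “collect-the-roundoff” scheme above, simulated on a constructed interest ledger with Python's decimal module, together with the audit that catches it. The point the audit makes is that the ledger totals still reconcile, because the shaved fractions end up inside the same ledger, so detection has to recompute every line independently and look for credits that no computation explains. Account numbers, balances and rates are made up for the illustration; ACC-999 is the hypothetical collector account.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")

# Constructed sample: account -> (balance, annual interest rate)
ACCOUNTS = {
    "ACC-001": (Decimal("1234.56"), Decimal("0.0425")),
    "ACC-002": (Decimal("98765.43"), Decimal("0.0310")),
    "ACC-003": (Decimal("700.00"), Decimal("0.0500")),
    "ACC-004": (Decimal("42000.10"), Decimal("0.0375")),
}


def exact_interest(accounts):
    # Full-precision monthly interest, before any rounding
    return {acc: bal * rate / 12 for acc, (bal, rate) in accounts.items()}


def honest_postings(exact):
    # Each amount rounded to the cent by the bank's documented rounding rule
    return {acc: amt.quantize(CENT, rounding=ROUND_HALF_EVEN) for acc, amt in exact.items()}


def salami_postings(exact, collector="ACC-999"):
    # Simulates the ledger the text describes: every amount is truncated
    # instead of rounded and the shaved fractions are credited to one extra
    # account. Built here only so that the audit below has something to catch.
    posted = {acc: amt.quantize(CENT, rounding=ROUND_DOWN) for acc, amt in exact.items()}
    shaved = sum(exact[acc] - posted[acc] for acc in exact)
    posted[collector] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def audit_postings(accounts, postings):
    # Recomputes every interest line independently and compares per account.
    # Returns the list of discrepancies and the difference in ledger totals.
    expected = honest_postings(exact_interest(accounts))
    findings = []
    for acc, amt in postings.items():
        if acc not in expected:
            findings.append((acc, "credit with no matching interest computation", amt))
        elif amt != expected[acc]:
            findings.append((acc, "posted amount differs from recomputed rounding", amt - expected[acc]))
    total_difference = sum(postings.values()) - sum(expected.values())
    return findings, total_difference


if __name__ == "__main__":
    exact = exact_interest(ACCOUNTS)
    for label, postings in (("honest", honest_postings(exact)), ("salami", salami_postings(exact))):
        findings, diff = audit_postings(ACCOUNTS, postings)
        print("%s ledger: total difference %s, %d discrepancies" % (label, diff, len(findings)))
        for acc, reason, amount in findings:
            print("  %s: %s (%s)" % (acc, reason, amount))
```

A total-only reconciliation reports zero for both ledgers, which is exactly why the text says the misappropriation sits “below the threshold of perception”; the per-line recomputation is what surfaces the one-cent shortfall on ACC-003 and the unexplained credit to ACC-999.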

12. Software Piracy

Thanks to the internet and torrents, you can find almost any movie, software
or song from any origin for free. Internet piracy is an integral part of our lives
which knowingly or unknowingly we all contribute to. This way, the profits of
the resource developers are being cut down. It’s not just about using someone
else’s intellectual property illegally but also passing it on to your friends further
reducing the revenue they deserve.

Piracy is rampant in India, but you knew that

Software piracy is the unauthorised use and distribution of computer software.
Software developers work hard to develop these programs, and piracy curbs
their ability to generate enough revenue to sustain application development.
This affects the whole global economy as funds are relayed from other sectors
which results in less investment in marketing and research.

The following constitute software piracy:

Loading unlicensed software on your PC

Using single-licensed software on multiple computers

Using a key generator to circumvent copy protection

Distributing a licensed or unlicensed (“cracked”) version of software over
the internet and offline

“Cloning” is another threat. It happens when someone copies the idea behind
your software and writes his own code. Since ideas are not copy protected
across borders all the time, this isn’t strictly illegal. A software “crack” is an
illegally obtained version of the software which works its way around the
encoded copy prevention. Users of pirated software may use a key generator
to generate a “serial” number which unlocks an evaluation version of the
software, thus defeating the copy protection. Software cracking and using
unauthorised keys are illegal acts of copyright infringement.

Using pirated material comes with its own risks. The pirated software may
contain Trojans, viruses, worms and other malware, since pirates will often
infect software with malicious code. Users of pirated software may be
punished by the law for illegal use of copyrighted material. Plus you won’t get
the software support that is provided by the developers.

To protect your software from piracy if you’re a developer, you should apply
strong safeguards. Some websites sell software with a “digital fingerprint” that
helps in tracing back the pirated copies to the source. Another common
method is hardware locking. Using this, the software license is locked to a
specific computer hardware, such that it runs only on that computer.
Unfortunately, hackers continue to find their way around these measures.

13. Others

So far we’ve discussed the dedicated methods of committing cyber crimes. In
a nutshell, any offence committed using electronic means such as net
extortion, cyber bullying, child pornography and internet fraud is termed
cyber crime. The internet is a huge breeding ground for pornography, which
has often been subject to censorship on grounds of obscenity. But what may
be considered obscene in India might not be considered so in other countries.
Since every country has a different legal stand on this subject matter,
pornography is rampant online. However, according to the Indian Constitution,
largely, pornography falls under the category of obscenity and is punishable
by law. Child pornography is a serious offence, and can attract the harshest
punishments provided for by law. Pedophiles lurk in chat rooms to lure
children. The internet allows long-term victimisation of such children, because
the pictures, once put up, spread like wild-fire, and may never get taken down
completely. Internet crimes against children are a matter of grave concern,
and are being addressed by the authorities, but this problem has no easy
solution.

Internal Attack
An internal attack occurs when an individual or a group within an organization seeks to disrupt
operations or exploit organizational assets. In many cases, the attacker employs a significant amount of
resources, tools and skill to launch a sophisticated computer attack and potentially remove any evidence
of that attack as well.

Highly-skilled and disgruntled employees (such as system administrators and programmers) or technical
users who could benefit from disrupting operations may choose to initiate an internal attack against a
company through its computer systems.

External threats are malicious campaigns and threat actors that attempt to exploit security
exposures in your attack surface that exist outside the firewall. All organizations with a digital
presence are exposed to external threats by attackers who attempt to impersonate your brand and
official communications channels on the internet, social media, and through mobile apps.

Targeted external threats that can compromise your employee or customer data security include:

• Deep and dark web discussions about your organization
• Phishing
• Rogue and feral mobile apps
• Social media impersonation of VIPs and support channels
• Domain and subdomain infringement
• Brand tarnishment and abuse
• Data leakage
• Phone & SMShing
• Card cracking and remote deposit capture (RDC) fraud
• Email spoofing and business email compromise (BEC)

Successful exploitation of these threats allows threat actors to steal customer or company data,
distribute malware, divert user traffic, or otherwise exploit trust in your brand.

Security Threats
The word 'threat' in information security means anyone or anything that poses a danger to the
information, the computing resources, the users, or the data. The threat can come from 'insiders'
within the organization or from outsiders outside the organization. Studies show that 80% of
security incidents come from insiders.

Security threats can be categorized in many ways. One of the important ways they are
categorized is on the basis of the “origin of threat,” namely external threats and internal threats.
The same threats can be categorized based on the layers described above.

External and Internal Threats

External threats originate from outside the organization, primarily from the environment in
which the organization operates. These threats may be physical threats, socio-economic threats
specific to the country (such as a country's current social and economic situation), network
security threats, communication threats, human threats like threats from hackers, software
threats, and legal threats. Social engineering threats, such as using social networking sites to
gather data and impersonate people in order to defraud them and obtain their credentials for
unauthorized access, are increasing. Theft of personally identifiable information, confidential
strategies, and intellectual property of the organization are other important threats. Some of
these physical or legal threats may endanger an entire organization completely. Comparatively,
other threats may affect an organization partially or for a limited period of time and may be
overcome relatively easily. Cybercrimes are exposing organizations to legal risks too.

Some of the important external threats are illustrated below in Figure 3-2.
Figure 3-2. External threats

Internal threats originate from within the organization. The primary contributors to internal
threats are employees, contractors, or suppliers to whom work is outsourced. The major threats
are frauds, misuse of information, and/or destruction of information. Many internal threats
primarily originate for the following reasons:

• Weak Security Policies, including:
  • Unclassified or improperly classified information, leading to the divulgence or unintended sharing of confidential information with others, particularly outsiders.
  • Inappropriately defined or implemented authentication or authorization, leading to unauthorized or inappropriate access.
  • Undefined or inappropriate access to customer resources or contractors/suppliers, leading to fraud, misuse of information, or theft.
  • Unclearly defined roles and responsibilities, leading to lack of ownership and misuse of such situations.
  • Inadequate segregation of duties, leading to fraud or misuse.
  • Unclearly delineated hierarchy of “gatekeepers” who are related to information security, leading to assumed identities.

• Weak Security Administration, including:
  • Weak administrative passwords being misused to steal data or compromise the systems.
  • Weak user passwords allowed in the system and applications, leading to unauthorized access and information misuse.
  • Inappropriately configured systems and applications, leading to errors, wrong processing, or corruption of data.
  • Non-restricted administrative access on the local machines and/or network, leading to misuse of the system or infection of the systems.
  • Non-restricted access to external media such as USB or personal devices, leading to theft of data or infection of the systems.
  • Non-restricted access to employees through personal devices or from unauthenticated networks and the like, leading to data theft.
  • Unrestricted access to contractors and suppliers, leading to theft or misuse of information, including through dumpster diving or shoulder surfing.
  • Unrestricted website surfing, leading to infections of viruses, phishing, or other malware.
  • Unrestricted software downloads, leading to infection, copyright violations, or software piracy.
  • Unrestricted remote access, leading to unauthorized access or information theft.
  • Accidentally deleting data permanently.

• Lack of user security awareness, including:
  • Identity theft and unauthorized access due to weak password complexity.
  • Not following company policies, such as appropriate use of assets, clean desk policy, or clear screen policy, leading to virus attacks or confidential information leakage.
  • Divulging user IDs and/or passwords to others, leading to confidential information leakage.
  • Falling prey to social engineering attacks.
  • Falling prey to phishing and similar attacks.
  • Downloading unwanted software, applications, images, or utilities/tools, leading to malware, viruses, worms, or Trojan attacks.
  • Improper e-mail handling/forwarding, leading to the loss of reputation or legal violations.
  • Improper use of utilities like messengers or Skype and unauthorized divulgence of information to others.
  • Inappropriate configuration or relaxation of security configurations, leading to exploitation of the systems.
  • Entering incorrect information by oversight and not checking it again, or processing the wrong information.
  • Ignoring security errors and still continuing with transactions, leading to the organization being defrauded.

Some of the important external and internal threats are collated in Table 3-1 for easy reference.

Table 3-1. External and internal threats

External Threats

• Physical Threats
  • Natural disasters like cyclones, hurricanes, floods, earthquakes, etc.
  • Fire
  • Terrorist threats like bombs, hostage situation
  • Hardware destruction
  • Physical intrusion
  • Sabotage
  • Theft of the assets and Intellectual Property
• Network Threats
  • Sniffing or Eavesdropping
  • TCP/IP issues like snooping, authentication attacks, connection hijacking
  • Spoofing
  • Man in the middle attack
  • Denial of service attacks
  • SQL injection
  • Exploitation of default passwords on network equipment being unchanged
  • Parameter manipulations
  • Exploitation of weak encryption
• Software Issues
  • Defects leading to errors
  • Defects being exploited
  • Malware like Viruses, Worms, Trojans, Back doors
  • Bots or Botnets
  • Invalidated inputs
  • Authentication attacks
  • Session Management related issues
  • Inappropriate error handling or exception handling by the applications
  • Buffer overflow issues
  • Cryptography wrongly handled by applications
  • Parameter manipulations
  • Operating system related issues – security flaws in the operating system
• Human Threats
  • Social engineering
  • Attack by hackers/man in the middle
  • Espionage
• Compliance Threat

Internal Threats

• Human Threats
  • Frauds, misuse of assets or information
  • Errors or mistakes by the employees
  • Espionage, Shoulder surfing
  • Social Engineering by the employees
  • Exploitation of lack of knowledge or ignorance of fellow employees
  • Use of weak administrator passwords or passwords of others and gaining unauthorized access
  • Theft of sensitive assets/information
  • Policies not executed or followed
  • Improper segregation of duties leading to fraud or misuse
  • Malware infection threats due to infected media usage or unauthorized software downloads
• Internal Application Issues
  • Invalidated inputs
  • Misconfigured application leading to errors or wrong processing
  • Inappropriate error or exception handling leading to issues
  • Manipulation of Buffer Overflows
  • Unauthorized access
• Other Issues
  • Unrestricted access to USB leading to pilferage of information
  • System or data corruption, which may be due to power surges, temperature control failure or other reasons
  • Hardware failure due to malfunctioning
  • Infrastructure like UPS failure due to improper maintenance
  • Exploitation of misconfigurations
  • Blackmail, extortion

Common Types of Social Media Crime

By George Khoury, Esq. on February 22, 2017 11:06 AM
While sitting behind a computer screen is widely regarded as much safer than wandering the
streets at night asking people for their opinions in 140 characters or less, computer crimes are
becoming increasingly common. Additionally, in recent years, social media sites have even
become hotbeds for crime, and police are getting wise to it.

Below you'll find five common crimes being committed on, or as a result of, social media.

1. Online Threats, Stalking, Cyberbullying

The most commonly reported and seen crimes that occur on social media involve people making
threats, bullying, harassing, and stalking others online. While much of this type of activity goes
unpunished, or isn't taken seriously, victims of these types of crimes frequently don't know when
they can call the police. If you feel threatened by a statement made online to you, or believe a
direct threat is credible, it's probably a good idea to consider calling the police.

2. Hacking and Fraud

Although logging into a friend's social media account to post an embarrassing status message
may be forgivable between friends, it, technically, can be a serious crime. Additionally, creating
fake accounts, or impersonation accounts, to trick people (as opposed to just remaining
anonymous), can also be punished as fraud depending on the actions the fake/impersonation
account holder takes.

3. Buying Illegal Things

Connecting over social media to make business connections, or buy legal goods or services may
be perfectly legitimate. However, connecting over social media to buy drugs, or other regulated,
controlled or banned products is probably illegal.

4. Posting Videos of Criminal Activity

As smartphone and social media technology continue to improve hand in hand, more and more
criminals are posting videos of their crimes on social media. While this sounds somewhat
horrifying, it really is just short-sighted as more and more police departments and prosecutors are
able to rely on these videos to arrest and convict these criminals.

5. Vacation Robberies

Sadly, one common practice among burglars is to use social media to discover when a potential
victim is on vacation. If your vacation status updates are publicly viewable, rather than restricted
to friend groups, then potential burglars can easily see when you are going to be away for an
extended period of time.

ATM fraud

Computers also make more mundane types of fraud possible. Take the automated teller machine
(ATM) through which many people now get cash. In order to access an account, a user supplies a
card and personal identification number (PIN). Criminals have developed means to intercept
both the data on the card’s magnetic strip as well as the user’s PIN. In turn, the information is
used to create fake cards that are then used to withdraw funds from the unsuspecting individual’s
account. For example, in 2002 the New York Times reported that more than 21,000 American
bank accounts had been skimmed by a single group engaged in acquiring ATM information
illegally. A particularly effective form of fraud has involved the use of ATMs in shopping
centres and convenience stores. These machines are free-standing and not physically part of a
bank. Criminals can easily set up a machine that looks like a legitimate machine; instead of
dispensing money, however, the machine gathers information on users and only tells them that
the machine is out of order after they have typed in their PINs. Given that ATMs are the
preferred method for dispensing currency all over the world, ATM fraud has become an
international problem.

Windows System Artifacts

Introduction

Learning about artifacts in Windows is crucial for digital forensics examiners, as Windows
accounts for most of the traffic in the world (91.8% of traffic came from computers using
Windows as their operating system as of 2013), so examiners will most likely encounter
Windows and will have to collect evidence from it in almost all cyber-crime cases. Below, we
will discuss several places from which evidence may be gathered and ways to collect information
from Windows.

Windows actually provides a great abundance of artifacts, and being aware of these artifacts is
helpful not only for examiners but also for companies and individuals trying, for example, to
permanently and irrevocably erase sensitive information or to perform informal investigations.

Before we start, we have to mention that collecting evidence is not the sole challenge to
examiners; the challenge is to locate and identify, collect, preserve, and interpret the information;
whereas collecting it is only one piece of the puzzle. In this paper, we will only be able to have a
glimpse of this wealth of artifacts but its forensic significance will be immediately unveiled to
us.

The things you will find in this article

In the first part of this series we are going to discuss the Windows registry, its structure, backups
and supporting files, examples from case files which reveal how instrumental the registry might
be in prosecuting suspects, and some open source tools.

Registry

What is the Windows registry and what is its structure?

The Windows registry is an invaluable source of forensic artifacts for all examiners and analysts.
The registry holds configurations for Windows and is a substitute for the .INI files in Windows
3.1. It is a binary, hierarchical database and some of its contents include configuration settings
and data for the OS and for the different applications relying on it. The registry not only keeps
records of OS and application settings but it also monitors and records user-specific data in order
to structure and enhance the user’s experience during interactions with the system. Most of the
time users do not interact with the registry in a straightforward manner, but they interact
indirectly with it via installation routines, applications, and programs, such as Microsoft Installer
files. Nonetheless, system admins have the capability of interacting directly with the registry via
regedit.exe (the registry editor) that comes with all varieties of Windows.

Figure 1: What the Windows registry looks like through the eyes of the registry editor, along with
the registry’s nomenclature.

Figure 1 gives the impression that the registry has the familiar folder-based structure, but this is
merely an abstraction presented by the registry editor. In reality, the registry is just a collection
of files located on the user’s hard drive. The registry files in charge of the system and the
applications on the user’s machine are located under Local Disk:\Windows\system32\config,
while the registry files holding data related to the user and his application settings are the files
ntuser.dat and usrclass.dat in the Windows user profile directory.

Furthermore, Figure 1 reveals that the binary structure of the registry is based on cells, the
notable ones being keys and values. Although additional cell types exist, it can be said that they
act as pointers to other keys (subkeys) and values. Values encompass data and they do not direct
to other keys.

Registry hives and their supporting files as a useful additive for forensic analysts

Keys, subkeys, and values are typically part of different hives, which are logical groups of the
former and have a set of supporting files that encompass backups of their data. User profile hives
can be found in the HKEY_USERS key and they store specific registry data that is related to the
user’s application settings, desktop, and environment as well as holding data related to his/her
printer(s) and network connections. Each user on a machine has his/her own hive, which is
responsible for his/her user profile.

Below, we have enumerated some extensions of supporting files and have shown what
information to expect from such a file extension:

1. No extension = a thorough replica of the hive’s data.
2. Extension .alt = a duplicate of the HKEY_LOCAL_MACHINE\System hive. It should be noted that the
system key is the sole key whose backup files use this file extension, as it is a crucial hive.
3. Extension .log = a record of modifications in the hive’s keys and values.
4. Extension .sav = a backup replica of a hive.

After discussing the types of supporting files and what data they hold, we can move on to show
what file names the supporting files of the standard hives have.

Below is a graphic (Figure 2) that illustrates the standard hives and their supporting files.

Points of interest for forensic analysts in the registry’s key cell structure

Deleting a registry key does not make it “go” somewhere; rather, its size value is set to a
positive number, while undeleted (allocated) keys have a negative size value. Essentially, the
space consumed by the key is labeled as available and it becomes possible to overwrite it.

Read as a signed integer, an allocated registry key has a negative size value, but read as an
unsigned hexadecimal number the same DWORD looks positive. In Perl, unpack("l", $dword)
may be employed to parse the DWORD value as a signed integer. Keys contain the useful
LastWrite time, which pinpoints when the last modification of the key took place. A
modification may consist of changes to an existing subkey or value, the deletion of existing
subkeys or values, or the creation of new ones.

Figure 3 reveals the most notable key cell structure elements from the point of view of a forensic
analyst. Their size in bytes and their offset are also included in the illustration.

Some preliminary information:

• Registry keys typically begin with a four-byte double word that contains the size of the particular key.
• After the double word, there is a key node identifier, “nk,” which tells us that what we are looking at is a key and not a value.
• Subsequently, there is a two-byte value that reveals the node type: “0x2C” indicates a root key cell, whereas “0x20” indicates an ordinary key cell.
• The LastWrite time is actually “a 64-bit FILETIME object that marks the number of 100-nanosecond epochs since midnight of 1 January 1601,” but it can be perceived as equivalent to the time when the file was last changed, since it reveals when a modification was made to the key.
• An offset pinpoints the distance between the start of an object and a particular point or element, usually within the same object.
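As an added example (not code from the article), the following Python parser applies the points above to one raw key cell: a signed size whose sign says whether the key is allocated or deleted, the “nk” signature, the node-type word, and the FILETIME LastWrite. The key-name fields at record offsets 0x48 and 0x4C follow the standard hive format and are an assumption beyond what the article lists; the sample cells are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed example (not the article's code): parse one registry key ("nk") cell.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_HIVE_ENTRY = 0x04   # bit set in the node-type word of the root key (0x2C = 0x20 | 0x08 | 0x04)

# Offsets inside the nk record (after the 4-byte cell size). The name-length and name
# offsets follow the standard hive format; they are an assumption beyond the article.
NK_SIGNATURE, NK_NODE_TYPE, NK_LAST_WRITE = 0x00, 0x02, 0x04
NK_NAME_LEN, NK_NAME = 0x48, 0x4C


def filetime_to_datetime(ft: int) -> datetime:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample cells."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_nk_cell(cell: bytes) -> dict:
    """Decode the fields a forensic analyst cares about from one raw nk cell."""
    if len(cell) < 4 + NK_NAME:
        raise ValueError("cell too short to be a key cell")
    # The cell size is a signed DWORD: negative while the key is allocated, positive once
    # it has been deleted and its space marked free (Perl: unpack("l", $dword)).
    (size,) = struct.unpack_from("<i", cell, 0)
    rec = cell[4:]
    if rec[NK_SIGNATURE:NK_SIGNATURE + 2] != b"nk":
        raise ValueError("signature is not 'nk': this is not a key cell")
    (node_type,) = struct.unpack_from("<H", rec, NK_NODE_TYPE)
    (last_write,) = struct.unpack_from("<Q", rec, NK_LAST_WRITE)
    (name_len,) = struct.unpack_from("<H", rec, NK_NAME_LEN)
    name = rec[NK_NAME:NK_NAME + name_len].decode("latin-1")
    return {
        "deleted": size > 0,
        "cell_size": abs(size),
        "node_type": node_type,                       # 0x20 ordinary key, 0x2C root key
        "is_root": bool(node_type & KEY_HIVE_ENTRY),
        "last_write": filetime_to_datetime(last_write),
        "name": name,
    }


def build_nk_cell(name: str, last_write: datetime, node_type: int = 0x20,
                  deleted: bool = False) -> bytes:
    """Construct a minimal nk cell; fields the parser does not read are zero-filled."""
    rec = bytearray(NK_NAME + len(name))
    rec[NK_SIGNATURE:NK_SIGNATURE + 2] = b"nk"
    struct.pack_into("<H", rec, NK_NODE_TYPE, node_type)
    struct.pack_into("<Q", rec, NK_LAST_WRITE, datetime_to_filetime(last_write))
    struct.pack_into("<H", rec, NK_NAME_LEN, len(name))
    rec[NK_NAME:] = name.encode("latin-1")
    total = 4 + len(rec)
    total += -total % 8                                # hive cells are padded to 8 bytes
    size = total if deleted else -total
    return struct.pack("<i", size) + bytes(rec).ljust(total - 4, b"\x00")


def sample_cells() -> tuple:
    """Two constructed cells: an allocated ordinary key and a deleted root key."""
    allocated = build_nk_cell("USBSTOR", datetime(2013, 6, 1, 8, 30, tzinfo=timezone.utc))
    freed = build_nk_cell("ROOT", datetime(2012, 1, 15, 23, 59, 59, tzinfo=timezone.utc),
                          node_type=0x2C, deleted=True)
    return allocated, freed


if __name__ == "__main__":
    for raw in sample_cells():
        key = parse_nk_cell(raw)
        print(f"{key['name']:<8} deleted={key['deleted']!s:<5} root={key['is_root']!s:<5} "
              f"LastWrite={key['last_write'].isoformat()}")
```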

Registry case study

Below, we will be looking at two cases in the solving of which the registry proved to be
instrumental.

Credit card theft

The Windows registry facilitated law enforcement in solving a credit card case in Houston,
Texas. The suspects were a man and his wife who bought goods from the Internet with pilfered
credit card numbers. They were detained as a result of a controlled drop of commodities ordered
from the Internet. When ntuser.dat, the registry, and the protected storage system provider were
scrutinized, a list of numerous names, addresses, and credit card numbers were found. It turned
out that the information in the list was applied online to purchase goods as well, and after an
additional investigation it was concluded that these credit card numbers were used illegally,
without any permission from their owners.

The data retrieved from the registry was sufficient to exact more search warrants which led to the
arrest of 22 persons and the retrieval of illegally bought goods worth more than $100,000.

The events unfolded as follows:

• All defendants pled guilty to organized crime accusations and served time in jail, which may
not have been possible without the help of the Windows registry.

Child pornography

Guests at a hotel located in a little town near Austin, Texas, called the law enforcement
authorities after seeing a person, who looked intoxicated, walking around the hotel naked. When
the law enforcement officials arrived after the 911 call they located the individual and concluded
that he was, in fact, staying at that hotel so they escorted him to his room and there they
discovered that he was staying with another person—but what surprised them was that a picture
of child pornography was being projected on the wall. The picture was projected through a
laptop that had a projector attached to it. In close proximity to the laptop, there were two external
hard drives.

The individual who was already in the room was surprised by the entry of the police and he
asserted that the laptop was his but that the external drives belonged to his intoxicated fellow and
had nothing to do with him. The equipment was immediately confiscated and sent for analysis.
Forensic clones were created from the laptop and the two external hard drives without delay. The
initial analysis of the external hard drives revealed the existence of pictures and movies of child
pornography on them.

Consequently, the forensic analysts had to find out whether any of these external drives were
connected to the laptop of the individual asserting that he had nothing to do with them. Thus, the
laptop’s system registry file was examined to match any entries in the USBStor key with the
external drives. This turned out to be a fruitful examination, as listings for the external drives
were found as well as their hardware serial numbers.

Following these steps, the forensic analysts had to determine whether their results were
authentic, so they linked the suspect’s external drives to their lab’s computer system, using a
freshly installed version of Windows. To avert any alteration to the clones of the EHDs a write
blocker was linked between the two drives and the system.

Lastly, they examined the clone’s system registry file and the USBStor keys and came to the
same conclusion, that the EHDs listings were identical to the defendant’s, in addition to having
the same hardware serial numbers, and this proved that at some point in time the EHDs were
connected to the suspect’s laptop. Ultimately, the culprit was sentenced for possessing child
pornography.

Using open source tools for the examination of the Windows Registry

Modules

Win32::TieRegistry is a Perl module that digs out registry data not only from local systems but
also from remote ones. It can be used on live Windows systems. Its Python equivalent is the
winreg module, which serves the same purpose. However, tools like Win32::TieRegistry are not
cross-platform and will not work on default OS X or Linux installations, as they depend on the
native Windows API.

There are many Perl scripts that take advantage of the Win32::TieRegistry module, such as
regscan.pl. You may also want to create your own Perl scripts that collect the LastWrite time
from the registry hives so you can sort and parse the information in any way you like.

If you are working from images collected from the system, the Perl module Parse::Win32Registry
is a good choice, partly because it is cross-platform. Win32::TieRegistry rests on the API offered
by Windows systems and gives us access to the registry information on live systems, while
Parse::Win32Registry reads hive files in their binary form and provides a level of abstraction
that lets us open a registry value simply by passing the module a key path like
“Software/Python/PythonCore/3.3/Modules.”

Brief overview of some open source tools

F-Response is a software utility that allows examiners to “conduct live forensics, data recovery,
and eDiscovery over an IP network using their tool(s) of choice.” If you use this utility to widen
the scope of your incident response range and capacity, you can be misled into thinking that you
are interacting with a live system when, in fact, while using F-Response you are communicating
with hive files in binary form; therefore, tools based on Parse::Win32Registry will be handier
than tools based on the Win32::TieRegistry module.

A tool that is very beneficial in investigations is RegRipper, which parses registry hives
extracted from images, registry hives within a mounted image, and hives on a system accessed
through F-Response. RegRipper bases its handling of the registry hive files on the
Parse::Win32Registry module. It operates through plugins, small files of Perl code, which pull
out various types of information. rr.pl is the main script of the application; it can be described
as a GUI front end to an engine that handles all those plugins.

The application can be launched in a Linux environment on which WINE has been installed and
it comes in various Linux-centered and forensic-based toolkits such as PlainSight.

RegRipper also contains a command line tool named rip.pl that makes it possible for examiners
to execute particular plugins against a hive or run lists of plugins (as they can do with
RegRipper’s GUI, rr.pl). If you are searching for a way to obtain specific data out of a hive or
to test newly written plugins, rip.pl comes in handy.

Several scripts were created to exploit the property of registry keys that they do not go away
after deletion. Such an exploit, if it is appropriate to name it so, is a Perl script that was
written in 2008 and named Regslack. Regslack parses through hive files and recovers deleted keys.

Conclusion

This article is part of a series, “Windows System Artifacts in Digital Forensics,” and the objects
of examination in the subsequent articles will be Windows file systems, registry, shortcut files,
hibernation files, prefetch files, event logs, Windows executables, metadata, recycle bin, print
spooling, thumbnail images, and lists of recently used applications, along with a brief discussion
of how to find removed information and how to work with restore points and shadow copies.

Note that most of the abovementioned artifacts are Windows-specific and are unique to this
operating system.

Introduction

For Part I of this series, please visit this page:
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-registry/

This article begins with event logs and discusses their headers’ structure and the structure of their
building blocks—the headers of the event records. It mentions some open source tools that can
parse event logs and briefly explores event logs on versions of Windows below and above
Windows Vista, along with an exploration of their characteristics. Links to pages of the MSDN
are provided for further reference on event logging.

Then the article continues with a brief examination of the three computer sleep modes (sleep,
hibernation, and hybrid sleep) and their significance for forensic analysts. To help you picture
this point, an explanation is given of what happens to information that is deleted from the
computer with the standard “Delete” key or through the context menu. This explanation is useful
in the context of the discussion because data that has been written to the HDD remains useful to
forensic analysts beyond the point of deletion.

Finally, we have provided a list of quick ways to remove artifacts from your Windows system.
Removal of objects such as thumbs.db, hiberfil.sys, pagefile.sys, metadata, Index.dat is discussed
in this chapter and it concludes with mentioning the names of a few programs that claim to
permanently remove data from your computer.

Event Logs

Event logs have headers for the particular file and headers for the particular entries and both have
the unique identifier (signature) “LfLe” included in their structure. Their length can be viewed as
variable. Figure 1 reveals the structure of an entry header.

Figure 1: This illustrates the structure of an event log’s entry header. It is based on the one
provided by Jeff Hamm in his paper “Carve for Records, Not Files.” Available at:
http://computer-forensics.sans.org/summit-archives/2012/carve-for-record-not-files.pdf

Windows NT, 2000, XP, and 2003 use a logging system called event logging. The MSDN site
contains information concerning the structures that make up event logs
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa363652(v=vs.85).aspx). These
structures are all well known, and it is not difficult to write tools that parse the event records
these logs contain in binary form and also extract them from unallocated space. Parsing the
binary form is valuable because the file header of an event log reports a certain number of
event records in the file, whereas parsing the binary form directly may turn up additional event
records. The event log file extension is “.evt.”

Event log headers are 48 bytes long, mark the beginning of the event log, and can contain very
useful data for forensic examiners. The header can be used to validate the file; it includes
starting and ending offsets, which tell the Microsoft API where the oldest event record is
situated and where the last record is situated, respectively. Records contained within event logs
all have a unique identifier referred to by Microsoft as a signature; this identifier is “LfLe”,
or 0x654c664c in hexadecimal notation.

We mentioned previously that the headers of event log files are 48 bytes in size and that is
additionally specified in the 4-byte DWORD value that brackets the header record (it can be
located both in the record’s start and in its ending); in the given case, the value is 48 or 0x30,
which is valuable to know because the event record’s header, as opposed to the event log file’s
header, has a size of 56 bytes and does not have any of the real subject-matter of the file
embedded in it. Event records are bracketed by size values as well.

Offsets pointing to the strings, the lengths of strings, UserSID, where appropriate, and data input
in the event entry are all parts of the event record’s structure and they reveal data about the entry
itself. Furthermore, two time stamps are inserted in the event record’s header: one pinpointing
when the particular event was generated or “came to life” and another showing when the event
was written to the .evt. The gmtime() function in Perl can effortlessly transform the 32-bit Unix
times of the time stamps into legible dates.
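As an added example (not code from the article), the following Python validates an .evt file header and carves event records out of a raw image by the rules described above: a 48-byte header bracketed by 0x30, a 56-byte record header that starts with a size DWORD and the “LfLe” signature, a trailing size DWORD that must match the leading one, and 32-bit Unix time stamps converted the way Perl's gmtime() would. The record field order beyond what the article lists follows the EVENTLOGRECORD structure documented by Microsoft; the sample image, including a decoy signature standing in for unallocated space, is constructed.

```python
import struct
from datetime import datetime, timezone

# Constructed example (not the article's code): validate an .evt header and carve records.
EVT_SIGNATURE = b"LfLe"                   # reads as DWORD 0x654C664C, little-endian
EVT_SIGNATURE_DWORD = 0x654C664C
HEADER_FMT = "<IIIIIIIIIIII"              # 12 DWORDs = 48 bytes, bracketed by 0x30
RECORD_FMT = "<IIIIIIHHHHIIIIII"          # EVENTLOGRECORD fixed part = 56 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
RECORD_HEADER_SIZE = struct.calcsize(RECORD_FMT)
MIN_RECORD_SIZE = RECORD_HEADER_SIZE + 4  # fixed part plus the trailing size DWORD


def parse_evt_file_header(data: bytes) -> dict:
    """Check the 48-byte file header and return the offsets and record numbers it tracks."""
    (hdr_size, sig, major, minor, start_off, end_off, cur_rec, oldest_rec,
     _max_size, _flags, _retention, end_hdr_size) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x30 or end_hdr_size != 0x30 or sig != EVT_SIGNATURE_DWORD:
        raise ValueError("not a valid .evt file header")
    return {"version": (major, minor), "start_offset": start_off, "end_offset": end_off,
            "current_record": cur_rec, "oldest_record": oldest_rec}


def _unix_utc(ts: int) -> datetime:
    """32-bit Unix time -> UTC datetime (what Perl's gmtime() does for these stamps)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_evt_record(data: bytes, start: int) -> dict:
    """Decode the 56-byte record header at `start` plus the SourceName/Computername strings."""
    (length, _sig, rec_no, t_gen, t_written, event_id, event_type, _nstrings, _category,
     _flags, _closing, str_off, sid_len, sid_off, _data_len, _data_off) = \
        struct.unpack_from(RECORD_FMT, data, start)
    # Two null-terminated UTF-16LE strings follow the header; the SID (if present) or the
    # insertion strings come next, so their offset bounds the name area.
    names_end = sid_off if sid_len else str_off
    names = data[start + RECORD_HEADER_SIZE:start + names_end]
    parts = names[:len(names) & ~1].decode("utf-16-le", errors="replace").split("\x00")
    return {"record_number": rec_no, "event_id": event_id, "event_type": event_type,
            "length": length, "source": parts[0], "computer": parts[1] if len(parts) > 1 else "",
            "time_generated": _unix_utc(t_gen), "time_written": _unix_utc(t_written)}


def carve_evt_records(data: bytes) -> list:
    """Find every 'LfLe' and keep only candidates whose leading and trailing sizes agree.
    The file header also carries 'LfLe' but is only 48 bytes, so the minimum-size test
    rejects it; a stray signature in unallocated space fails the size bracketing instead."""
    records, pos = [], data.find(EVT_SIGNATURE)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + RECORD_HEADER_SIZE <= len(data):
            (length,) = struct.unpack_from("<I", data, start)
            end = start + length
            if MIN_RECORD_SIZE <= length and end <= len(data) \
                    and struct.unpack_from("<I", data, end - 4)[0] == length:
                records.append(parse_evt_record(data, start))
                pos = data.find(EVT_SIGNATURE, end)
                continue
        pos = data.find(EVT_SIGNATURE, pos + 1)
    return records


def build_evt_record(rec_no, event_id, t_gen, t_written, source, computer, event_type=4):
    """Constructed record in EVENTLOGRECORD layout with no SID, insertion strings, or data."""
    names = (source + "\x00" + computer + "\x00").encode("utf-16-le")
    names += b"\x00" * (-len(names) % 4)              # keep the offsets DWORD-aligned
    body_off = RECORD_HEADER_SIZE + len(names)
    length = body_off + 4
    header = struct.pack(RECORD_FMT, length, EVT_SIGNATURE_DWORD, rec_no, t_gen, t_written,
                         event_id, event_type, 0, 0, 0, 0, body_off, 0, body_off, 0, body_off)
    return header + names + struct.pack("<I", length)


def sample_evt_image() -> bytes:
    """Header, two records, then junk with a decoy 'LfLe' whose size DWORD is bogus."""
    body = (build_evt_record(1, 4624, 1365595200, 1365595201, "Security", "WS-01")
            + build_evt_record(2, 6005, 1365598800, 1365598800, "EventLog", "WS-01"))
    header = struct.pack(HEADER_FMT, 0x30, EVT_SIGNATURE_DWORD, 1, 1, HEADER_SIZE,
                         HEADER_SIZE + len(body), 3, 1, 0x80000, 0, 0, 0x30)
    decoy = b"\xff" * 9 + struct.pack("<I", 4096) + EVT_SIGNATURE + b"\x00" * 60
    return header + body + decoy


if __name__ == "__main__":
    image = sample_evt_image()
    print(parse_evt_file_header(image))
    for rec in carve_evt_records(image):
        print(rec["record_number"], rec["event_id"], rec["source"],
              rec["time_generated"].isoformat())
```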

One can use evtparse.pl, an open source tool, to parse the information from the relevant .evt
files. Evtparse.pl simply extracts the data and outputs the event record information, while
evtrtp.pl not only produces the event record data but also scans it and outputs statistics: how
frequently different SIDs occur, the sources of the event records, and the date range of all entries
located in the file. Such information comes in handy when an analyst is looking for activity that
happened on the machine at a given time. For instance, if an analyst parses an event log in search
of a particular event ID or a specific event, he or she can see whether it is present in the file,
whether the date range of the available event entries covers the window of exposure, and whether
events of interest exist within the time frame of the incident; if the search yields nothing, the
analyst saves a substantial amount of time by moving on to a different source of data.
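As an added illustration (not code from the article, nor from the evtparse.pl or evtrtp.pl tools it mentions), the following Python script builds a small constructed .evt image with the 48-byte file header and two records described above, then locates records by their LfLe signature, accepts a hit only when the leading and trailing size values agree, converts the two 32-bit Unix time stamps with gmtime(), and produces the per-source, per-event-ID and date-range statistics of the kind evtrtp.pl reports. The field order inside the 56-byte record header follows the EVENTLOGRECORD structure and is an assumption of the example; every record value is a constructed sample.

```python
import calendar
import struct
import time

# Constructed model of the legacy .evt layout described above. The page gives the 48-byte
# file header, the 56-byte record header, the bracketing size values and the "LfLe"
# (0x654c664c) signature; the remaining field names follow the documented EVENTLOGRECORD
# structure and are assumptions of this example.
EVT_SIGNATURE = 0x654C664C      # packs little-endian to the bytes b"LfLe"
FILE_HEADER_SIZE = 48           # bracketed by 0x30 at its start and its end
RECORD_HEADER_SIZE = 56         # fixed header that precedes a record's strings/SID/data

RECORD_HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
# length, signature, record_number, time_generated, time_written, event_id,
# event_type, num_strings, category, flags, closing_record_number,
# string_offset, sid_length, sid_offset, data_length, data_offset


def build_record(number, generated, written, event_id, event_type, source, computer, strings):
    """Serialise one constructed record, bracketed by its own length at both ends."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    text = "".join(s + "\0" for s in strings).encode("utf-16-le")
    string_offset = RECORD_HEADER_SIZE + len(names)
    data_offset = string_offset + len(text)
    length = RECORD_HEADER_SIZE + len(names) + len(text) + 4
    pad = (-length) % 4             # records are padded to a 4-byte boundary
    length += pad
    header = RECORD_HEADER.pack(length, EVT_SIGNATURE, number, generated, written,
                                event_id, event_type, len(strings), 0, 0, number,
                                string_offset, 0, 0, 0, data_offset)
    return header + names + text + b"\0" * pad + struct.pack("<I", length)


def build_sample_log():
    """Constructed .evt image: a 48-byte file header followed by two records."""
    t0 = calendar.timegm((2004, 3, 24, 12, 0, 0))
    header = struct.pack("<I4sIIIIIIIIII", FILE_HEADER_SIZE, b"LfLe", 1, 1,
                         FILE_HEADER_SIZE, 0, 3, 1, 0x80000, 0, 0, FILE_HEADER_SIZE)
    first = build_record(1, t0, t0 + 1, 528, 8, "Security", "WORKSTATION1",
                         ["alice", "WORKSTATION1", "(0x0,0x3E7)", "2"])
    second = build_record(2, t0 + 3600, t0 + 3601, 592, 8, "Security", "WORKSTATION1",
                          ["C:\\Windows\\System32\\cmd.exe"])
    return header + first + second


def _fmt(unix_ts):
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(unix_ts))


def decode_record(rec):
    f = RECORD_HEADER.unpack_from(rec)
    names = rec[RECORD_HEADER_SIZE:f[11]].decode("utf-16-le").split("\0")
    strings = rec[f[11]:f[15]].decode("utf-16-le").split("\0")[:f[7]]
    return {"record_number": f[2], "generated_epoch": f[3],
            "time_generated": _fmt(f[3]), "time_written": _fmt(f[4]),
            "event_id": f[5], "event_type": f[6],
            "source": names[0], "computer": names[1], "strings": strings}


def parse_records(blob):
    """Scan for the LfLe signature, accept a hit only if the leading and trailing
    length values agree, and decode each validated record (evtparse.pl-style)."""
    records = []
    pos = blob.find(b"LfLe")
    while pos != -1:
        start = pos - 4                          # the length DWORD precedes the signature
        length = struct.unpack_from("<I", blob, start)[0] if start >= 0 else 0
        end = start + length
        if (length >= RECORD_HEADER_SIZE + 4 and end <= len(blob)
                and struct.unpack_from("<I", blob, end - 4)[0] == length):
            records.append(decode_record(blob[start:end]))
            pos = blob.find(b"LfLe", end)
        else:                                    # the 48-byte file header, or a false hit
            pos = blob.find(b"LfLe", pos + 1)
    return records


def summarize(records):
    """evtrtp.pl-style statistics: counts per source and event ID, plus the date range."""
    by_source, by_id = {}, {}
    for r in records:
        by_source[r["source"]] = by_source.get(r["source"], 0) + 1
        by_id[r["event_id"]] = by_id.get(r["event_id"], 0) + 1
    stamps = [r["generated_epoch"] for r in records]
    return {"sources": by_source, "event_ids": by_id,
            "first": _fmt(min(stamps)) if stamps else None,
            "last": _fmt(max(stamps)) if stamps else None}


if __name__ == "__main__":
    recs = parse_records(build_sample_log())
    for r in recs:
        print(r["record_number"], r["time_generated"], r["source"], r["event_id"], r["strings"])
    print(summarize(recs))
```

The signature scan deliberately does not trust a lone “LfLe”: the file header carries the same four bytes, and a stray match in string data would otherwise be decoded as a record, so the bracketing length check is what separates real records from noise.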

The latest editions of Windows (Windows Vista and later) use the Windows Event Log
mechanism, which entirely replaces the event logging mechanism of earlier Windows versions
such as Windows NT, 2000, XP and 2003. The Windows Event Log mechanism is considerably
more complex; specifics can be found in the MSDN Windows Event Log Reference
(http://msdn.microsoft.com/en-us/library/windows/desktop/aa385785(v=vs.85).aspx).
Part of the change is that both the structure of the recorded events and the way they are
recorded were modified. A tool written in Perl, evtxparse.pl, was developed to parse Windows
event logs on Windows Vista and later.

Modes of Computer Sleep and Deleted Data


Background

Computers, just like humans, need time to rest; alternatives to shutting the machine down are
sleep and hibernation. From a user perspective, sleep/hibernation saves a considerable amount of
energy and allows users to resume all processes and applications from where they left them off.
Furthermore, sleep/hibernation may be safer than leaving the computer on when you are taking a
lunch or a coffee break because, when the computer is awakened from its rest, it may be set to
prompt for a username and password, although a simple log off would have the same effect if
you decide to leave it on.

When the computer is sleeping, it needs only a tiny amount of power to maintain its state, and if a
laptop’s battery gets critically low, sleep is “transformed” into hibernation. There is an
extremely large difference in the evidence that can be collected from the two states.

Hibernation and hybrid sleep are considered “deep sleep” modes because they store the data
related to the processes and applications running on the computer on the hard disk, instead of
storing it in the main memory (sleep mode).

There are three different modes of rest that computers can immerse into: sleep, hibernation, and
hybrid sleep.

Explanation: Deleted Data

To get a picture of why sleep and hibernation differ enormously in importance for forensic
examiners we will briefly discuss what happens when a user deletes data from his hard drive:

1. The user deletes a file (or files).
2. The computer receives the input from the relevant input device (keyboard, mouse, etc.).
3. The computer marks the space that the file(s) occupied as available.
4. The “removed” file(s) remain untouched until a new file takes its/their place and overwrites
it/them.

Basically, what happens is that the file moves from the allocated space to the unallocated space.
Allocated space can be explained as being all the files that we can view and execute in Windows.
All files located in the allocated space cannot be overwritten as the section of the hard drive
where they are located is reserved for them; new files can only be stored in the unallocated space
(on standard computers).

Thus, if you have a 1 TB HDD with 500 GB of allocated space and you delete an incriminating
document that holds 5 MB of space, you will be left with 523.999023 GB unallocated space on
raw calculations and 523.475024 GB if you take into account the fact that HDDs start with
99.9% unallocated space, which means that a very long period of time may pass before the 5 MB
that held the incriminating document gets overwritten by new files.

Usually, files in the unallocated space are identified by means of their distinctive features.
Examples of these distinctive features (or signatures) are file headers and footers that may
identify files and signal both their beginning and end. The process of extracting data from the
unallocated space is called “file carving” and it is usually performed via tools but it can also be
performed manually. However, we will discuss file carving in a separate article.
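The following Python code is an added example (not from the article) of the header/footer carving just described: it scans a constructed block of “unallocated space” for the JPEG and PNG magic bytes and returns the byte ranges of the pictures left behind, regardless of what the file system says about them. The filler bytes and the two embedded pictures are constructed; real carving tools add format-specific length and structure checks that this sketch leaves out.

```python
import os

# Header/footer signatures (well-known magic bytes) for two picture formats; extend the
# table to carve other formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_size=10 * 1024 * 1024):
    """Return [(kind, start, end)] for every header whose footer appears within max_size
    bytes. The carver ignores the file system entirely: it works on raw bytes, which is why
    it still finds files whose directory entries are gone."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            tail = image.find(foot, pos + len(head), pos + max_size)
            if tail == -1:                       # no footer in range: skip this header
                pos = image.find(head, pos + 1)
                continue
            end = tail + len(foot)
            found.append((kind, pos, end))
            pos = image.find(head, end)
    return sorted(found, key=lambda hit: hit[1])


def carve_to_files(image, out_dir):
    """Write each carved object to out_dir, named by its byte offset, and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for kind, start, end in carve(image):
        path = os.path.join(out_dir, f"carved_{start:08x}.{kind}")
        with open(path, "wb") as fh:
            fh.write(image[start:end])
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed 'unallocated space': printable filler with two deleted pictures left in it.
    Returns the image and the two embedded objects so the result can be checked."""
    filler = bytes(range(32, 127))               # contains neither 0xff nor 0x89
    jpg = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF" + b"A" * 40 + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"B" * 60 + SIGNATURES["png"][1]
    image = filler * 4 + jpg + filler * 2 + png + filler
    return image, jpg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, start, end in carve(image):
        print(f"{kind}: offset {start:#x}-{end:#x} ({end - start} bytes)")
```

On a real image the same loop runs over a disk or partition dump read in binary mode; the max_size bound keeps a header with a missing footer from swallowing everything that follows it.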

Sleep

Microsoft likens sleep to “pausing a DVD player” (Microsoft’s Windows sleep and hibernation
FAQ), as its function is to resume the processes and programs running on the computer as
promptly as possible (besides conserving energy). What happens in sleep mode is that a minute
amount of power gets constantly fed to the main memory, which conserves the data unimpaired.
However, the main memory (or RAM) is a volatile memory, so the data vanishes as soon as the
power is removed. Therefore, sleep is not a great source of evidence for forensic examiners.

Hibernation

Hibernation uses the least amount of power of the three sleep modes. In hibernation, the
computer creates a snapshot of all the data in RAM and writes it on the HDD. Nevertheless, it is
mostly designed for laptops, not desktops.

MoonSols Windows Memory Toolkit enables forensic analysts to read and write the Windows
hibernation file.

Hybrid sleep

It can be inferred from its name that hybrid sleep is a mixture of the modes “sleep” and
“hibernation”; it is intended for desktops rather than laptops. In this mode, the computer
preserves insignificant amounts of power applied to the machine’s RAM (to maintain the data
and the applications present before the hybrid sleep) and writes this data to the HDD. Suspects
might miss these hibernation files and the page file(s) as they are unknown to many computer
users and are frequently neglected during last minute “delete-a-thons.”

Erasing Windows Artifacts

In this section, we provide a few methods of erasing artifacts.

Thumbs.db, which is a cache in Windows that stores thumbnail images of all graphics files and is
a valuable Windows artifact, can be disabled by clicking Start -> Control Panel -> Folder
Options -> View -> check the button “Always show icons, never thumbnails” in the Files and
Folders section -> Apply -> OK. This action will stop thumbs.db from reappearing after being
deleted (this procedure for disabling it is for Windows Vista and Windows 7). Thumbs.db can
also be deleted in Windows XP by clicking on My Computer -> Tools -> Folder Options ->
View -> check “Do not cache thumbnails” -> OK. However, performance will drop when you
browse through your hard drive’s partition’s contents. There are numerous thumbs.db files
scattered across your computer and you will only see them if you enable the “Show Hidden Files
and Folders” option in Windows.

Also, the evidence that may be piled up in the hibernation’s file hiberfil.sys (all processes,
programs, applications and files opened in a given session are written to the hard drive when you
put your computer in hibernation) may be removed without the file coming back by disabling the
hibernation function. You disable it by opening the command prompt with administrative
privileges and typing “powercfg.exe -h off” (for Windows Vista, Windows 7, and Windows
XP).

Furthermore, free programs such as Index.dat Analyzer can remove all Index.dat files present on
the computer until Windows recreates them. Index.dat is an invaluable source of data for forensic
analysts, as it stores data on each website you open. Websites offering services like search
engines and online banking are kept in such files, as well as e-mails that you have sent through
Microsoft Outlook and Microsoft Outlook Express. Index.dat files are cloaked and not hidden, so
you will be unable to access them through the Windows built-in “Find” or “Search” option and
they are not shown because cloaked files are handled in a different way than hidden files.
Furthermore, files with the index.dat name are being constantly utilized while Windows is in use,
so it is impossible to remove them without leaving Windows first. The deletion options
embedded in IE do not enable you to remove index.dat files and the only other option to deleting
index.dat outside of Windows is killing the explorer.exe process and starting a command shell.

Figure 2: Index.dat Analyzer’s interface.

In Figure 2, we see Index.dat Analyzer ready to remove entries in an IE’s index.dat file.
Index.dat Analyzer can remove an entry or numerous entries if you check them in the box on the
left of the screen, or it can delete the whole index.dat file. Importantly, you can also view
separate entries stored in the file, and you can add other index.dat files to the list of entries. In
this particular picture, we see that each Skype contact’s avatar is stored in the index.dat file. This
particular index.dat file has 5209 entries although IE has been left largely unused on the given
machine. There may be index.dat files that are not related to Internet Explorer but to other
programs and there may be several index.dat files for IE, depending on whether their purpose is
storing the browser’s history, cache, or cookies. After deletion, index.dat will be created again
but its contents would start from blank so any sensitive data on it would be lost.

Figure 3: A view of an entry in Index.dat’s cache of an image originating from Facebook

Pagefile.sys is a hidden file that is used when the user has used up the existing RAM on his
machine; it serves as a virtual memory file. It is basically resorted to when Windows needs more
memory, in which case it turns to the HDD in the form of pagefile.sys for more space and,
because the hard drive is much slower than the RAM, running many programs at once would
cause the system to slow down. What it does is that, when an application is taking too much
memory, most unused processes in RAM get placed into pagefile.sys so there may be more
memory for the programs that you are actually working with. Thus, once you get rid of it and
you have insufficient RAM, the processes and programs that you are running will break down
without giving you time to save or do anything, among other issues that may arise. You may try
to disable pagefile.sys, delete it, and enable it again to recreate it, but this is somewhat
pointless, as explained below. Similarly to hiberfil.sys, pagefile.sys stores the
processes that were running in your RAM at a given time, though the difference is that
pagefile.sys does not store everything that was in your RAM at a given moment. To disable
paging go to Start -> Control Panel -> Systems -> Advanced System Properties -> click on the
Advanced tab -> Performance -> Settings Performance options -> go to another tab “Advanced”
-> Virtual Memory -> Change -> pick a system drive and choose no paging file followed by the
OK/Apply button. Finally, restart the machine.

Note that pagefile.sys is quite important for the decent performance of the system and there
might be no need to reset its contents as pagefile.sys is going through constant changes as you
use your computer.

Furthermore, users can minimize metadata. The process is easy for MS Office applications like
Excel, PowerPoint, and Word. The user simply clicks File -> Check for Issues -> Inspect
Document, inspects it for metadata, and deletes the parts that he wants to get rid of.

Figure 4: Checking a Word document for available metadata


Figure 5: Using MS Word’s Document Inspector to remove the file’s metadata

Lastly, there are countless tools that promise to permanently remove data from your HDD by
overwriting it numerous times. Examples are Eraser, SDelete, and Evidence Eliminator, among
many others.

We have limited ourselves at this point to discussing the removal of several artifacts, but
others can also be removed, to some extent, by cyber-criminals.

Conclusion

It can be concluded from our discussion so far that Windows users leave a lot of tracks on their
machine when they perform their daily chores. These tracks can be extracted by forensic analysts
and utilized as evidence. Fortunately, few cyber-crooks manage to erase all of them from their
machine and even fewer know about all of these potential tracks.

Lastly, it can be inferred from the context of our discussions that even people who sell their
second-hand computers on eBay should be cautious because sensitive information can easily be
leaked to curious buyers.

Introduction

In this article, I’m going to focus on prefetch files, specifically, their characteristics, structure,
points of interest in terms of forensic importance, uses, configuration, forensic value and
metadata.

For part one of the series, which discusses the Windows Registry, please visit:
http://resources.infosecinstitute.com/windows-systems-and-artifacts-in-digital-forensics-part-i-
registry/

For part two of the series, which discusses event logs, deleted data, computer sleep and the
erasure of artifacts in Windows, please visit: http://resources.infosecinstitute.com/windows-
systems-and-artifacts-in-digital-forensics-part-ii/

Windows Prefetch files first appeared in Windows XP, and their purpose is to boost the startup
process of launched applications.

1. They include the name of the executable that they accelerate, Unicode listings of the DLLs
that the executable requires to function, time stamps which pinpoint when the application was
last launched, and a counter that keeps track of how many times the executable has been
launched, among other things.

Figure one reveals the four most important elements of a prefetch file in terms of forensic
significance.

Prefetch files can reveal that an application was actually installed and launched by the suspect at
some point in time. Even if the prefetch files reveal nothing more than the presence of a wiping
application like “Evidence Eliminator” (a program whose purpose is to thoroughly remove
selected data from the hard drive), because the actual evidence was destroyed by that application,
the mere presence of a wiping application can itself be as incriminating as the files that were
destroyed with it.

2. Basics of Prefetch files

Prefetch filenames have the following naming convention:

{exename}-{hash}.pf

Exename is the name of the executable, hash is an eight character hexadecimal hash of the path
from which the executable was launched, and .pf is the file extension. Note that a dash separates
the exename from the hash and that the filename ought to be made up of only uppercase
characters with the exception of the file extension.

Furthermore, when an application is started from three separate locations on the drive, three
distinct prefetch files will be created, each corresponding to one of the locations from which the
application was run. Prefetching also exists in Windows Vista, where it has been enhanced by
SuperFetch, ReadyBoost and ReadyBoot. SuperFetch logs usage scenarios and places resources
into memory before they are requested. ReadyBoost is a disk cache that speeds up processes by
using any type of portable flash storage device as a cache, which enables the OS to service
random disk reads with better performance. ReadyBoost’s caching does not only cover the page
file or system DLLs, but the whole disk content. In one test case ReadyBoost reduced the
duration of an operation from 11.7 to 2 seconds, although simply increasing the main memory
from 512 MB to 1 GB brought the duration of the operation down to 0.8 seconds (without any
reliance on ReadyBoost).

Prefetching takes place while the OS (the Windows Cache Manager in particular) monitors which
pieces of data are read from the hard drive into RAM. The monitoring takes place on three
occasions. First, it begins on every system startup and lasts for the first two minutes of the boot
process. Second, it takes place after all Win32 services have finished starting and lasts for sixty
seconds. Finally, it occurs each time an application is launched and lasts for the first 10 seconds
of its execution. Subsequently, the Cache Manager, together with the Task Scheduler, writes the
data into .pf files. These files speed up the system by making the data available before there is
any actual demand for it from the user. Hence, the prefetcher acts as an allocator of data from the
hard drive into main memory before any actual request for it has been made.

Note that SSD drives have Prefetch turned off by default.

3. Prefetching configuration in the Registry

Picture one below reveals the values of prefetching that can be configured in the registry. As it
can be seen in the picture, the path to the configuration parameters of Prefetcher is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters. To configure the Prefetcher, one has to change the value of
EnablePrefetcher to one of the values mentioned below and to configure Superfetch, one has to
do the same with EnableSuperfetch:

3: Enables Prefetcher/Superfetch for application startup and boot
2: Enables boot prefetching
1: Enables Prefetcher/Superfetch for application startup
0: Disables Prefetcher/Superfetch

It follows that cyber-criminals can effortlessly disable prefetching and get rid of the prefetch
files to remove traces of illegal activity, such as regularly opening an application filled with
child pornography or accessing copyrighted material without the relevant permissions. The only
cost is the worsening of the system’s performance.

Picture one: Configuration of Prefetcher and Superfetch in the Registry Editor (Windows 7)

Superfetch files begin with the ‘Ag’ prefix and end with the ‘.db’ extension. The data that is
written into Superfetch files is collected by Sysmain.dll, situated in %SystemRoot%/System32,
and is a part of the Service Host process (Svchost.exe) which is situated in the same directory.
The ‘.db’ files can be found in the %SystemRoot%/Prefetch (usually C:\Windows\Prefetch)
directory, along with the other prefetch files.

Windows XP, Vista and Windows 7 perform application prefetching by default while Windows
2003 and 2008 are capable of performing prefetching though the feature is turned off by default.
Also, every version of Windows, following Windows XP, does boot prefetching.

4. Structure of Prefetch files and metadata

The metadata that prefetch files consist of is of particular relevance to forensic analysts. In
Windows XP, the 64-bit time stamp indicating when the executable was last launched has an
offset 0x78 within the file, and the counter that pinpoints the number of times the executable has
been launched is a 4-byte DWORD value situated at offset 0x90 or 144 bytes. On the other hand,
the offset of the last run time stamp is 0x80 in the binary contents of the particular prefetch file,
and the “number of times opened” counter is situated at offset 0x98 in Windows Vista and
Windows 7 systems.

It’s also possible to dig up more data from the metadata of a prefetch file. Inside the prefetch file,
there’s data revealing the volume from which the executable was started, and strings that show
the path to the modules which the executable required to start.

Figure two reveals some key information about the structure of prefetch files:

Table 1 describes some preliminary characteristics of prefetch files:

Integer values   Kept in little-endian
Strings          Kept in 16-bit Unicode Transformation Format (UTF-16), little-endian, with no byte-order mark
Time stamps      Kept in Coordinated Universal Time (UTC) as Windows FILETIME

Table 1: Characteristics of prefetch files

Figure 2 is based on information gathered from David Koepi
(http://davidkoepi.wordpress.com/2013/09/29/prefetch-forensic/) and two Forensics Wiki pages
(http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format and
http://www.forensicswiki.org/wiki/Prefetch).
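As an added example (not from the article or the tools it cites), the following Python code checks a prefetch file name against the {exename}-{hash}.pf convention from section 2 and reads the last-run time stamp and the run counter at the offsets given above (0x78 and 0x90 on Windows XP, 0x80 and 0x98 on Windows Vista and 7), converting the 64-bit FILETIME to a UTC date. The version DWORD at offset 0, the “SCCA” signature at offset 4 and the executable name at offset 0x10 are taken from the published format description rather than from this page and are assumptions here; the sample .pf images and the hash in the sample file name are constructed.

```python
import re
import struct
from datetime import datetime, timedelta

# Offsets stated in the article: (label, last-run FILETIME offset, run-counter offset),
# keyed by the format version in the file's first DWORD. The version numbers and the
# "SCCA" signature at offset 4 come from the published .pf format description, not from
# this page, and are assumptions of the example.
LAYOUTS = {
    0x11: ("Windows XP/2003", 0x78, 0x90),
    0x17: ("Windows Vista/7", 0x80, 0x98),
}
NAME_OFFSET, NAME_BYTES = 0x10, 60          # executable name, UTF-16, NUL padded (assumed)
PF_NAME = re.compile(r'^(?P<exe>[^\\/:*?"<>|]+)-(?P<hash>[0-9A-F]{8})\.pf$')
EPOCH_1601 = datetime(1601, 1, 1)
SAMPLE_TIME = datetime(2013, 9, 29, 10, 15, 0)  # constructed "last run" value


def filetime_to_datetime(ft):
    """Windows FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def check_filename(name):
    """Validate {EXENAME}-{HASH}.pf: upper-case name, 8 hex digits, lower-case extension.
    Returns (exename, hash) or None; a non-conforming name in the Prefetch folder is
    itself worth a second look."""
    m = PF_NAME.match(name)
    if not m or m.group("exe") != m.group("exe").upper():
        return None
    return m.group("exe"), m.group("hash")


def parse_prefetch(data):
    """Pull the executable name, last-run time and run counter out of a .pf image."""
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != b"SCCA" or version not in LAYOUTS:
        raise ValueError("not a supported prefetch file")
    label, run_offset, count_offset = LAYOUTS[version]
    name = data[NAME_OFFSET:NAME_OFFSET + NAME_BYTES].decode("utf-16-le").split("\0")[0]
    last_run = struct.unpack_from("<Q", data, run_offset)[0]
    count = struct.unpack_from("<I", data, count_offset)[0]
    return {"os": label, "executable": name, "run_count": count,
            "last_run": filetime_to_datetime(last_run).strftime("%Y-%m-%d %H:%M:%S UTC")}


def build_sample_pf(version, exe, last_run, count):
    """Constructed minimal .pf image holding only the fields the parser reads."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    name = exe.encode("utf-16-le")
    buf[NAME_OFFSET:NAME_OFFSET + len(name)] = name
    _, run_offset, count_offset = LAYOUTS[version]
    struct.pack_into("<Q", buf, run_offset, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_offset, count)
    return bytes(buf)


if __name__ == "__main__":
    print(check_filename("NOTEPAD.EXE-D8414F97.pf"))        # constructed hash value
    print(parse_prefetch(build_sample_pf(0x11, "NOTEPAD.EXE", SAMPLE_TIME, 50)))
    print(parse_prefetch(build_sample_pf(0x17, "CALC.EXE", SAMPLE_TIME, 3)))
```

Because the offsets differ between XP and Vista/7, the parser refuses files whose version it does not know rather than reading a counter from the wrong place; later Windows releases changed the layout again and would need their own LAYOUTS entries.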

5. Other points of interest in prefetch files

Besides the obvious value of prefetch files in answering when a certain activity occurred (via the
last execution time), what activity took place, and how frequently it was performed (via the
counter of the number of times the executable has run, which increments by one on each launch),
prefetch files may reveal obfuscated directories. For instance, let’s say a prefetched executable
(notepad.exe) has been executed fifty times. By examining the prefetch file, one can see the paths
of the files that triggered these executions; let’s say you stumble upon list6.txt, which is located
in a TrueCrypt volume. As TrueCrypt enables users to conceal directories, it is vital to examine
the paths enumerated in the prefetch files, as these may be a door to a data source that would not
otherwise have been identified. If the examiner did not look at the paths, they might never have
identified the obfuscated directory holding C:\Windows\System32\Neo\hidden\creditcards\list6.txt,
hidden with TrueCrypt, because the System32 directory is filled with programs used by the OS
and an ordinary person would never check its contents.

Additionally, the full directory path enumerated in the prefetch file reveals the user accounts
under the Users directory (for Windows Vista/7) and the Documents and Settings directory for
Windows XP. An examination may unveil that there was a temporary account created with the
purpose of performing criminal activity by pinpointing applications that were launched at some
point in the past. It could be by an unauthorized or abnormal user, which would be an answer to
the “who” question of an investigation.

Furthermore, by examining the full paths enumerated in the prefetch files, one may see whether
the program, application or file was launched from an external storage device as the entry would
differ from the entry of an application accessed from the hard drive. Thereafter, the last
execution time may be utilized for coordination with the USBStor registry key and if the time
stamps match the USBStor registry key entry can be examined to get the serial number of the
external storage device and this will aid in solving the “what” and “why” questions surrounding
an investigation.

When cyber criminals infiltrate a system and modify the time stamps of an application, they may
be unaware of the data that prefetch files contain. If the cyber criminal alters the SIA and FNA
($STANDARD_INFORMATION and $FILE_NAME attribute) time stamps in the Master File Table
to hinder the examination, the entries in the prefetch files remain unchanged and will pinpoint the
real time stamps. In that way, examiners can sidestep the cyber criminal’s time stomping attempts
entirely. The Master File Table (MFT) is a file that the NTFS file system contains. The MFT has
at least one entry for every file on the NTFS volume; it even has an entry for itself. These entries
include data about each file, such as its size, permissions, contents and time and date stamps. The
metadata is kept in one of two places:
- MFT entries
- Space separate from the MFT but defined by it.

Thus, it is no wonder that time stomping efforts aimed at the MFT matter: it is an enormously
large collection of valuable metadata. The prefetch files need to be examined to determine
whether there were time stomping attempts.

6. Summary and Conclusion

To put it in a nutshell, prefetch files are designed to boost the speed of the system. In computers,
the saying “speed kills” must be transformed into a negation, which becomes something like “the
absence of speed kills.” Prefetching can be disabled and enabled as much as one wants, and each
time the contents of prefetch files reset. Besides their primary purpose, prefetch files are useful
for forensic examiners because they can prove that an application was installed and started on a
particular machine. They can pinpoint the time when it was opened and how many times it was
opened. They can reveal from which volume it ran and which modules the application loaded.
Furthermore, prefetch files may also reveal any hidden or obfuscated directories, temporary,
unauthorized or any other abnormal accounts. They may expose any external storage devices and
they can pinpoint if there was time stomping.

Therefore, prefetch files help examiners answer the “who”, “what”, “why”, “when,” and “where”
questions that surround any digital or non-digital investigation. That certainly means that their
analysis is of utmost importance.

Figure three reveals the questions asked whenever a crime has to be investigated. That highlights
the importance of prefetch files for solving cyber crimes, as a source of answers to these
questions.
Alternate Data Streams

Ray Zadjmool Posted On March 24, 2004

When dealing with network security, administrators often times don't truly appreciate the lengths
that a sophisticated hacker would go through to hide his tracks. Simple defacements and script
kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach
as an opportunity to progress further inside a network or to establish a new anonymous base from
which other targets can be attacked.

In order to achieve this task, a sophisticated hacker would need time and resources to install what
is known as a root kit or hacker tools with which he can execute further attacks. With this, comes
the need to hide the tools of his trade, and prevent detection by the systems administrator of the
various hacking applications that he might be executing on the breached system.

One popular method used on Windows systems is the use of Alternate Data Streams (ADS). A
relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into
existing files without affecting their functionality, size, or display in traditional file browsing
utilities like dir or Windows Explorer. Found in all versions of NTFS, ADS capabilities were
originally conceived to allow for compatibility with the Macintosh Hierarchical File System,
HFS, where file information is sometimes forked into separate resources. Alternate Data Streams
have come to be used legitimately by a variety of programs, including the native Windows
operating system, to store file information such as attributes and for temporary storage.

Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no
skill on the part of the hacker. Common DOS commands like "type" are used to create an ADS.
These commands are used in conjunction with a redirect [>] and a colon [:] to fork one file into
another.

For instance: the command

"type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe"

will fork the common windows calculator program with an ADS "anyfile.exe."

Alarmingly, files with an ADS are almost impossible to detect using native file browsing
techniques like the command line or Windows Explorer. In our example, the file size of calc.exe
will show as the original size of 90k regardless of the size of the ADS anyfile.exe. The only
indication that the file was changed is the modification time stamp, which can look relatively
innocuous.

Once injected, the ADS can be executed by using traditional commands like type, or start or be
scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable
will appear to run as the original file - looking undetectable to process viewers like Windows
Task Manager. Using this method, it is not only possible to hide a file, but to also hide the
execution of an illegitimate process.

Unfortunately, it is virtually impossible to natively protect your system against ADS hidden files
if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled and
currently there is no way to limit this capability against files that the user already has access to.
Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by
CrucialSecurity can be used to manually audit your files for the presence of Alternate Data
Streams. Alternatively, the action of moving a file into another file system that doesn't support
ADS will automatically destroy any Alternate Data Streams.
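As an added example (not from the 2004 article, which predates the feature), the following Python code audits a directory for alternate data streams using the `dir /R` switch that Windows Vista and later provide; it parses the stream lines (`file:stream:$DATA`), ignores the Zone.Identifier stream that Windows itself attaches to downloaded files, and reports the rest for the administrator to inspect. The sample `dir /R` output is constructed around the article’s calc.exe example.

```python
import re
import subprocess
import sys

# One line per named stream in `dir /R` output: a size, then "<file>:<stream>:$DATA".
# Ordinary file lines start with a date instead, so they never match. (`dir /R` exists on
# Windows Vista and later; it is not mentioned in the article and is an assumption here.)
STREAM_LINE = re.compile(r"^\s*(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:\\]+):\$DATA\s*$")

# Streams Windows itself attaches to downloaded files; anything else deserves a look.
EXPECTED_STREAMS = {"Zone.Identifier"}


def find_streams(dir_output):
    """Parse dir /R text into (file, stream, size) tuples, one per named data stream."""
    hits = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            hits.append((m.group("file"), m.group("stream"),
                         int(m.group("size").replace(",", ""))))
    return hits


def suspicious_streams(dir_output):
    """Named streams that are not on the expected list."""
    return [hit for hit in find_streams(dir_output) if hit[1] not in EXPECTED_STREAMS]


def audit_directory(path):
    """On Windows, run dir /R on a directory and return its unexpected streams.
    Elsewhere there is nothing to run, so the result is empty."""
    if sys.platform != "win32":
        return []
    result = subprocess.run(["cmd", "/c", "dir", "/R", path],
                            capture_output=True, text=True, check=False)
    return suspicious_streams(result.stdout)


# Constructed dir /R output echoing the article's calc.exe example.
SAMPLE_OUTPUT = """\
 Directory of C:\\winnt\\system32

07/26/2000  12:00 PM            90,112 calc.exe
                               131,584 calc.exe:anyfile.exe:$DATA
07/26/2000  12:00 PM            50,960 notepad.exe
03/24/2004  09:15 AM             4,096 readme.txt
                                    26 readme.txt:Zone.Identifier:$DATA
               3 File(s)        145,168 bytes
"""

if __name__ == "__main__":
    for name, stream, size in suspicious_streams(SAMPLE_OUTPUT):
        print(f"{name}: stream '{stream}' ({size} bytes) is not expected")
```

The stream size is reported on its own line, which is exactly the number the regular directory listing hides; comparing it against a baseline taken when the system was built turns this listing into a simple integrity check.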

Ultimately only a third party file checksum application can effectively maintain the integrity of
an NTFS partition against unauthorized Alternate Data Streams. Recently dubbed as host based
"Intrusion Prevention Systems" or "Intrusion Detection Systems", third party security
applications like eTrust Access Control from Computer Associates have been used for years in
high-end government networks to verify the integrity of files used in the most secure
environments. In addition to a heightened level of auditing and access control, these applications
typically create an MD5 hashed database of file checksums that are used to validate a file's
trustworthiness. File injection techniques like Alternate Data Streams trigger an action by which
the file is deemed untrusted and therefore prevented from executing or better yet, prevented from
being changed in the first place.

Another good file integrity application is Tripwire for Servers by Tripwire Inc. Tripwire has
been singularly focused on file integrity management since the early 90's and does a tremendous
job of providing stringent security measures against unauthorized file changes.

Example of an ADS

In order to fully understand the implications of alternate data streams, the following walks
through the creation and execution of an ADS using standard Windows 2000 programs on an
NTFS 5.0 partition.

Figure 1 shows the executable file for the standard windows program calculator, calc.exe, with
the original size of 90KB and a date modified time stamp of 7/26/2000.

Figure 1

We then append an alternate data stream to calc.exe with another standard windows program,
notepad.exe as shown in Figure 2.

Figure 2

Figure 3 shows that while notepad.exe is 50KB, the file size of calc.exe has not changed from
the original 90KB. We do see however that the date modified time stamp has changed.

Figure 3

In Figure 4 we execute the new ADS notepad.exe using the standard command start.

Figure 4

On our desktop, the program notepad is executed; however, an examination of the Windows
Task Manager shows the original file name calc.exe (Figure 5).

Figure 5

Summary

Ultimately, the mere availability of Alternate Data Streams in NTFS is quite disconcerting and
their usefulness suspect but in the end, the security features of NTFS far outweigh this
potentially dangerous vulnerability. With knowledge and due diligence administrators can take
actions to prevent and detect unauthorized use of ADS and in the end protect themselves
adequately.

Linux

File Permissions in Linux/Unix with Example


Linux is a clone of UNIX, the multi-user operating system which can be accessed by many
users simultaneously. Linux can also be used in mainframes and servers without any
modifications. But this raises security concerns as an unsolicited or malign user can corrupt,
change or remove crucial data. For effective security, Linux divides authorization into 2 levels.

1. Ownership
2. Permission

In this tutorial, you will learn-


- Ownership of Linux files
- Permissions
- Changing file/directory permissions with 'chmod' command
- Absolute (Numeric) Mode
- Symbolic Mode
- Changing Ownership and Group
- Summary

The concept of permissions and ownership is crucial in Linux. Here, we will discuss both of
them. Let us start with the Ownership.


Ownership of Linux files

Every file and directory on your Unix/Linux system is assigned 3 types of owner, given below.

User

A user is the owner of the file. By default, the person who created a file becomes its owner.
Hence, a user is also sometimes called an owner.

Group

A user group can contain multiple users. All users belonging to a group have the same access
permissions to the file. Suppose you have a project where a number of people require access to a
file. Instead of manually assigning permissions to each user, you could add all of them to a group
and assign group permission to the file, such that only this group's members and no one else can
read or modify it.

Other

Any other user who has access to the file: someone who neither created the file nor belongs to
the group that owns it. Practically, it means everybody else. Hence, setting the permissions for
others is also referred to as setting permissions for the world.

Now the big question arises: how does Linux distinguish between these three user types, so that
a user 'A' cannot affect a file which contains some other user 'B's' vital data? It is like not
wanting your colleague, who works on your Linux computer, to view your images. This is where
permissions come in; they define what each class of user may do.

Let us understand the Permission system on Linux.


Permissions

Every file and directory in your UNIX/Linux system has the following 3 permissions defined for
each of the 3 owners discussed above.

 Read: This permission gives you the authority to open and read a file. Read permission on a
directory gives you the ability to list its contents.
 Write: The write permission gives you the authority to modify the contents of a file. The write
permission on a directory gives you the authority to add, remove and rename files stored in the
directory. Consider a scenario where you have write permission on a file but do not have write
permission on the directory where the file is stored. You will be able to modify the file contents,
but you will not be able to rename, move or remove the file from the directory. The converse also
holds, and matters for security: write permission on the directory lets a user delete or replace a
file even when the file itself is read-only for them.
 Execute: In Windows, an executable program usually has the extension ".exe" and can be run
directly. In Unix/Linux, you cannot run a program unless the execute permission is set. If the
execute permission is not set, you might still be able to see or modify the program code (provided
read and write permissions are set), but not run it. On a directory, the execute bit is the search
permission: it is needed to enter the directory and to reach the files inside it by name; with read
but not execute you only get the entry names.

Let's see this in action.

Running ls -l on the terminal prints one line per entry. The first column of each line, here
'-rw-rw-r--', is the odd-looking code that tells us about the permissions given to the owner, user
group and the world.

Here, the first '-' implies that we have selected a file. Else, if it were a directory, 'd' would
have been shown.

The characters are pretty easy to remember.

r = read permission
w = write permission
x = execute permission
- = no permission

Let us look at it this way.

The first part of the code is 'rw-'. This says that the owner 'Home' can:

 Read the file
 Write or edit the file
 Not execute the file, since the execute bit is set to '-'.

By design, many Linux distributions like Fedora, CentOS, Ubuntu, etc. will add users to a group
of the same name as the user name. Thus, a user 'tom' is added to a group named 'tom'.

The second part is 'rw-'. It is for the user group 'Home', and group members can:

 Read the file
 Write or edit the file

The third part is for the world, which means any other user. It says 'r--'. This means such a
user can only:

 Read the file

Changing file/directory permissions with 'chmod' command

Say you do not want your colleague to see your personal images. This can be achieved by
changing file permissions.

We can use the 'chmod' command which stands for 'change mode'. Using the command, we can
set permissions (read, write, execute) on a file/directory for the owner, group and the world.
Syntax:

chmod permissions filename

There are 2 ways to use the command -

1. Absolute mode
2. Symbolic mode

Absolute(Numeric) Mode

In this mode, file permissions are not represented as characters but as a three-digit octal
number: one digit each for the owner, the group and the world, in that order. Each digit is the
sum of read (4), write (2) and execute (1).

The table below gives the numbers for all permission types.

Number   Permission Type           Symbol
0        No Permission             ---
1        Execute                   --x
2        Write                     -w-
3        Execute + Write           -wx
4        Read                      r--
5        Read + Execute            r-x
6        Read + Write              rw-
7        Read + Write + Execute    rwx

Let's see the chmod command in action.

In the terminal, we change the permissions of the file 'sample' to '764' with chmod 764 sample.

The '764' absolute code says the following:

 Owner can read, write and execute
 Usergroup can read and write
 World can only read

This is shown by ls -l as '-rwxrw-r--'.

This is how you can change the permissions on a file by assigning an absolute number.

Symbolic Mode

In the Absolute mode, you change permissions for all 3 owners. In the symbolic mode, you can
modify permissions of a specific owner. It makes use of mathematical symbols to modify the file
permissions.

Operator   Description
+          Adds a permission to a file or directory
-          Removes the permission
=          Sets the permission and overrides the permissions set earlier.

The various owners are represented as -

User Denotations

u user/owner

g group

o other

a all

Here we do not use permissions in numbers like 755 but characters like rwx, combined with the
operators above. Let's look at an example.
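As an added example (not part of the original tutorial), the POSIX shell script below ties the absolute and symbolic forms together: it converts a three-digit octal mode into the rwx string from the table above, applies both chmod styles to a scratch file in a temporary directory, reads the result back with stat, and shows the "write on the file but not on the directory" scenario. It assumes GNU coreutils (stat -c) on a local filesystem; the file and directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: exercise chmod in absolute and symbolic mode and read the
# result back with stat. Assumes GNU coreutils (stat -c); names are made up.

# digit_to_rwx 0..7 -> the three-character string from the permission table
digit_to_rwx() {
    case "$1" in
        0) echo '---' ;;  1) echo '--x' ;;  2) echo '-w-' ;;  3) echo '-wx' ;;
        4) echo 'r--' ;;  5) echo 'r-x' ;;  6) echo 'rw-' ;;  7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# mode_to_symbolic 764 -> rwxrw-r-- (owner, group, other); fails on bad input
mode_to_symbolic() {
    case "$1" in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    rest=${1#?}                                    # drop the owner digit
    printf '%s%s%s\n' "$(digit_to_rwx "${1%??}")" \
                      "$(digit_to_rwx "${rest%?}")" \
                      "$(digit_to_rwx "${rest#?}")"
}

# octal_mode PATH -> e.g. 764;  ls_mode PATH -> e.g. -rwxrw-r-- (as ls -l shows)
octal_mode() { stat -c '%a' "$1"; }
ls_mode()    { stat -c '%A' "$1"; }

# demo_chmod: apply absolute and symbolic changes to a scratch file and
# return 0 only if every step produced the expected mode bits.
demo_chmod() {
    work=$(mktemp -d) || return 1
    f="$work/sample"
    : > "$f"

    chmod 764 "$f"                                 # absolute: rwx rw- r--
    [ "$(octal_mode "$f")" = 764 ] &&
    [ "$(ls_mode "$f")" = "-$(mode_to_symbolic 764)" ] || return 1

    chmod u-x,g-w "$f"                             # symbolic: take bits away
    [ "$(octal_mode "$f")" = 644 ] || return 1

    chmod o=,g+w "$f"                              # 'o=' with nothing clears world bits
    [ "$(octal_mode "$f")" = 660 ] || return 1

    rm -rf "$work"
}

# demo_dir_vs_file: write on the file but not on its directory lets you edit
# the content yet not rename or delete it. Root bypasses these checks, so the
# outcome is printed rather than asserted.
demo_dir_vs_file() {
    work=$(mktemp -d) || return 1
    mkdir "$work/locked" && : > "$work/locked/notes"
    chmod 664 "$work/locked/notes"                 # file: owner may write
    chmod 555 "$work/locked"                       # dir: no write bit for anyone
    if echo edit >> "$work/locked/notes" 2>/dev/null; then
        echo "content edit: allowed (write bit on the file)"
    fi
    if mv "$work/locked/notes" "$work/locked/renamed" 2>/dev/null; then
        echo "rename: allowed (running as uid $(id -u); root ignores these bits)"
    else
        echo "rename: denied (no write bit on the directory)"
    fi
    chmod 755 "$work/locked" && rm -rf "$work"
}

demo_chmod && echo "chmod demo: all modes as expected"
demo_dir_vs_file
```

Run it as an ordinary user to see the rename refused; as root the directory check is bypassed, which is exactly why the "world" and group bits, not the owner bits, are what an attacker on a shared host probes first.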
Changing Ownership and Group

For changing the ownership of a file/directory, you can use the following command (only root can
change a file's owner; an ordinary user can only change the group to another group they belong to):

chown user filename

In case you want to change the user as well as group for a file or directory use the command

chown user:group filename

Let's see this in action


In case you want to change group-owner only, use the command

chgrp group_name filename

'chgrp' stands for change group.

Tip

 The file /etc/group contains all the groups defined in the system
 You can use the command "groups" to find all the groups you are a member of
 You can use the command newgrp to work as a member of a group other than your default group
 You cannot have 2 groups owning the same file under the basic permission model (POSIX ACLs,
set with setfacl, relax this)
 You do not have nested groups in Linux. One group cannot be a sub-group of another
 x (execute) on a directory means being allowed to "enter" the directory and gain possible access
to its sub-directories
 There are other permissions that you can set on files and directories (setuid, setgid and the
sticky bit) which will be covered in a later advanced tutorial

Summary:

 Linux, being a multi-user system, uses permissions and ownership for security.
 There are three user types on a Linux system, viz. User, Group and Other
 Linux divides the file permissions into read, write and execute, denoted by r, w and x
 The permissions on a file can be changed by the 'chmod' command, which can be used in
Absolute or Symbolic mode
 The 'chown' command can change the ownership of a file/directory. Use the following
commands: chown user file or chown user:group file
 The 'chgrp' command can change the group ownership: chgrp group filename
 What does x (executing) a directory mean? A: Being allowed to "enter" a dir and gain possible
access to sub-dirs.

how to show or display hidden files in linux


Posted on June 14, 2016 by barkeep

In Linux, as you should already know, there is the concept of hidden files and hidden folders.
They are not hidden in the literal sense; it only means that file managers and file system
utilities will not display these files by default.

The hidden file concept is not a security feature and it does not provide any extra protection
compared to other files: anyone with read permission on the directory can list them. However,
there are a couple of reasons (or benefits) for this kind of file.

These files are usually a mechanism to store user preferences or system files that are not
modified by the user regularly. They are also used by different utilities to store the configuration
and state of programs. As these files are not actively used by the user on a normal day-to-day
basis, it makes sense to hide them in most cases.

It also allows file manager utilities to avoid cluttering up the user interface and to provide a
soft division between user files and configuration files.

Any file or folder whose name start with a dot (.) is a hidden file, also known as dot file. These
files will not be displayed by default when listing the contents of a folder. These files can be
referenced just as any file, by using the name of the file (including the dot).

We will see how you can view these files using the most popular directory listing commands and
file managers.

ls command

The ls command is probably the most used command line utility; it lists the contents of the
specified directory. In order to display all files, including the hidden files in the folder, use the -a
or --all option with ls.

$ ls -a

This will display all the files, including the two implied folders: . (current directory) and ..
(parent folder). If you want to omit the display of these two folders, then use the -A or
--almost-all option.

$ ls -A

This is quite useful if you are using the output of the command as input to some other script.
You probably do not want the script to loop over the current and parent folders (depending on
the script).

If you want to display only the hidden files, you need to give ls a shell glob pattern that matches
names beginning with a dot; the following displays just the hidden files and folders.

$ ls -d .[^.]*

The -d option ensures that the directory contents are not printed out for each directory in the
list. Note that the pattern is a glob, not a regular expression, and that it has two limitations: a
name starting with two dots (such as ..cache) is skipped along with .., and if no hidden entry
exists the shell passes the literal pattern to ls, which then reports an error.
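As an added example (not from the original post), the following POSIX shell function lists hidden entries without the two pitfalls of the `.[^.]*` glob just described, and a small demo builds a scratch directory to show the difference. The directory and file names are made up; nothing here depends on GNU extensions.

```shell
#!/bin/sh
# Added example: list dot files without the pitfalls of `ls -d .[^.]*`.
# Pure POSIX sh; the sample directory and file names are made up.

# list_hidden [DIR] -> names of the hidden entries in DIR, one per line,
# sorted bytewise. The glob "$dir"/.* always matches at least . and .., so
# the shell never hands a literal pattern to the loop, and names with two
# leading dots such as ..cache are kept (they are not the parent directory).
list_hidden() {
    dir=${1:-.}
    [ -d "$dir" ] || return 1
    for p in "$dir"/.*; do
        [ -e "$p" ] || continue            # unmatched literal pattern, skip
        n=${p##*/}                         # strip the directory prefix
        case $n in .|..) continue ;; esac  # skip the two implied entries
        printf '%s\n' "$n"
    done | LC_ALL=C sort
}

# count_hidden [DIR] -> number of hidden entries in DIR
count_hidden() {
    list_hidden "$1" | wc -l | tr -d ' '
}

# demo_hidden: scratch directory with visible and hidden entries, then the
# robust listing next to the glob from the text (written as .[!.]* because
# [!...] is the POSIX spelling of bash's [^...]).
demo_hidden() {
    work=$(mktemp -d) || return 1
    : > "$work/visible"
    : > "$work/.profile"
    : > "$work/..cache"          # two leading dots, but an ordinary file
    mkdir "$work/.config"        # hidden directories are listed as well
    echo "hidden entries in $work:"
    list_hidden "$work"
    echo "ls -d .[!.]* in the same directory misses ..cache:"
    (cd "$work" && ls -d .[!.]*)
    rm -rf "$work"
}

demo_hidden
```

Because the function emits one name per line, it can feed a script directly (for example a loop that checks the permissions of every dot file in a home directory) without the `.` and `..` entries that `ls -a` would add.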

dir command

Another popular command used to display directory contents is dir. Almost all options for dir are
the same as for ls, which means everything that was shown for ls in the previous section will
work for dir as well.

$ dir -a
will display all files, hidden files and the implied folders (. and ..).

$ dir -A

will display all files, folders including the hidden folders but excluding both . and ..

$ dir -d .[^.]*

will display just the hidden files and hidden folders.

KDE File Manager (dolphin)

The default file manager in KDE is Dolphin. The default setting in Dolphin is not to display
hidden or dot files. There are couple of different ways you can enable the option here.

The easiest is probably the keyboard shortcut Alt+. (Alt and dot). You can easily enable the
display and disable it again using the same shortcut.

The other option is using the menu. Click on the hamburger icon on the menu bar (for
Settings/Configuration). In the drop-down menu, you will see the option named Show Hidden
Files. Click it to enable the display of hidden files.
You can leave that option selected, if you want to always display the hidden files. The other
commonly used file manager is Konqueror, which uses embedded dolphin to display the file
system, as well.

We’ll start by looking at commands to find a user’s account information, then proceed to explain
commands to view login details.

1. id Command

id is a simple command line utility for displaying the real and effective user and group IDs, as
follows.

$ id tecmint

uid=1000(tecmint) gid=1000(tecmint) groups=1000(tecmint),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare)

2. groups Command

groups command is used to show all the groups a user belongs to like this.
$ groups tecmint

tecmint : tecmint adm cdrom sudo dip plugdev lpadmin sambashare

3. finger Command

finger command is used to look up information about a user on Linux. It doesn't come pre-installed
on many Linux systems.

To install it on your system, run this command on the terminal.

$ sudo apt install finger #Debian/Ubuntu


$ sudo yum install finger #RHEL/CentOS
$ sudo dnf install finger #Fedora 22+

It shows a user’s real name; home directory; shell; login: name, time; and so much more as
below.

$ finger tecmint

Login: tecmint                          Name: TecMint
Directory: /home/tecmint                Shell: /bin/bash
On since Fri Sep 22 10:39 (IST) on tty8 from :0
   2 hours 1 minute idle
No mail.
No Plan.

4. getent Command

getent is a command line utility for fetching entries from Name Service Switch (NSS) libraries
from a specific system database.

To get a user’s account details, use the passwd database and the username as follows.

$ getent passwd tecmint

tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash

5. grep Command

grep command is a powerful pattern searching tool available on most if not all Linux systems.
You can use it to find information about a specific user from the system accounts file,
/etc/passwd, as shown below.

$ grep -i tecmint /etc/passwd

tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash

Note that grep matches the pattern anywhere on the line, so 'tecmint' would also match an
account named tecmint2 or a GECOS field containing the word; anchoring the pattern to the start
of the line (^tecmint:) avoids that. Also, unlike getent, grep only sees local accounts in
/etc/passwd, not those served through LDAP or NIS.
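Looking accounts up one at a time is fine for a single user; what an administrator more often wants is a check over all of them. The script below is an added example, not part of the original article: it reads passwd(5) lines on standard input (so it works equally on `getent passwd` output, which includes LDAP or NIS accounts, and on /etc/passwd) and flags the entries worth a second look: any account other than root with UID 0, accounts with an empty login shell, and human accounts that can log in interactively. The sample lines are constructed for the demonstration and do not come from a real system.

```shell
#!/bin/sh
# Added example: audit passwd(5) entries for things worth noticing on a
# multi-user host. The sample data is constructed for the demo; in practice
# run `getent passwd | audit_passwd` (getent also sees LDAP/NIS accounts).

# audit_passwd: reads passwd-format lines on stdin and prints one finding per
# line: "extra-uid0 NAME" for any account other than root with UID 0,
# "empty-shell NAME" for entries with no login shell (login(1) then uses
# /bin/sh), and "interactive NAME" for human accounts (UID 1000..65533)
# whose shell is not a nologin/false shell.
audit_passwd() {
    awk -F: '
        NF != 7 { next }                                  # ignore malformed lines
        $3 == 0 && $1 != "root" { print "extra-uid0 " $1 }
        $7 == ""                { print "empty-shell " $1 }
        $3 >= 1000 && $3 < 65534 && $7 != "" && $7 !~ /\/(nologin|false)$/ {
            print "interactive " $1
        }
    '
}

# sample_passwd: constructed sample lines (not from a real system)
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tecmint:x:1000:1000:TecMint,,,:/home/tecmint:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:maintenance:/root:/bin/sh
svc:x:1001:1001:service account:/srv/svc:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
legacy:x:1002:1002:old import:/home/legacy:
EOF
}

echo "findings in the sample passwd data:"
sample_passwd | audit_passwd
```

A second UID 0 account ("toor" in the sample) is the classic sign of a left-behind or planted back door: id, groups and finger all report it as an ordinary name, and only the numeric UID gives it away.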
6. lslogins Command

lslogins command shows information about known users in the system, the -u flag only displays
user accounts.

$ lslogins -u

 UID USER        PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
   0 root         144                              root
1000 tecmint       70                   10:39:07   TecMint,,,
1001 aaronkilik     0
1002 john           0                              John Doo

7. users Command

users command shows the usernames of all users currently logged on the system like so.

$ users

tecmint
aaron

8. who Command

who command is used to display users who are logged on the system, including the terminals
they are connecting from.

$ who -u

tecmint tty8 2017-09-22 10:39 02:09 2067 (:0)

9. w Command

w command shows all users who are logged on the system and what they are doing.

$ w

 12:46:54 up  2:10,  1 user,  load average: 0.34, 0.44, 0.57
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
tecmint  tty8     :0               10:39    2:10m  4:43   0.46s cinnamon-sessio

10. last or lastb commands

The last and lastb commands display a list of the users who last logged in to (last) or failed to log in to (lastb) the system.

$ last
OR
$ last -a #show hostname on the last column
List of Last Logged Users
tecmint tty8 Fri Sep 22 10:39 gone - no logout :0
reboot system boot Fri Sep 22 10:36 still running 4.4.0-21-generic
tecmint tty8 Thu Sep 21 10:44 - down (06:56) :0
reboot system boot Thu Sep 21 10:42 - 17:40 (06:58) 4.4.0-21-generic
tecmint tty8 Wed Sep 20 10:19 - down (06:50) :0
reboot system boot Wed Sep 20 10:17 - 17:10 (06:52) 4.4.0-21-generic
tecmint pts/14 Tue Sep 19 15:15 - 15:16 (00:00) tmux(14160).%146
tecmint pts/13 Tue Sep 19 15:15 - 15:16 (00:00) tmux(14160).%145
...

To show all the users who were present at a specified time, use the -p option as follows.

$ last -ap now

tecmint tty8 Fri Sep 22 10:39 gone - no logout :0


reboot system boot Fri Sep 22 10:36 still running 4.4.0-21-generic

wtmp begins Fri Sep 1 16:23:02 2017

11. lastlog Command

lastlog command is used to find the details of a recent login of all users or of a given user as
follows.

$ lastlog
OR
$ lastlog -u tecmint #show lastlog records for specific user tecmint
Records of Recent Logged Users

Username Port From Latest


root **Never logged in**
kernoops **Never logged in**
pulse **Never logged in**
rtkit **Never logged in**
saned **Never logged in**
usbmux **Never logged in**
mdm **Never logged in**
tecmint pts/1 127.0.0.1 Fri Jan 6 16:50:22 +0530 2017
..

Network Threats

Basic Network Attacks


Many people rely on the Internet for many of their professional, social and personal activities.
But there are also people who attempt to damage our Internet-connected computers, violate our
privacy and render Internet services inoperable.
Given the frequency and variety of existing attacks, as well as the threat of new and more
destructive future attacks, network security has become a central topic in the field of computer
networking.

How are computer networks vulnerable? What are some of the more prevalent types of
attacks today?

Malware – short for malicious software, which is specifically designed to disrupt, damage, or
gain unauthorized access to a computer system. Much of the malware out there today is self-
replicating: once it infects one host, from that host it seeks entry into other hosts over the
Internet, and from the newly infected hosts it seeks entry into yet more hosts. In this manner,
self-replicating malware can spread exponentially fast.

Virus – A malware which requires some form of user’s interaction to infect the user’s device.
The classic example is an e-mail attachment containing malicious executable code. If a user
receives and opens such an attachment, the user inadvertently runs the malware on the device.

Worm – A malware which can enter a device without any explicit user interaction. For example,
a user may be running a vulnerable network application to which an attacker can send malware.
In some cases, without any user intervention, the application may accept the malware from the
Internet and run it, creating a worm.

Botnet – A network of private computers infected with malicious software and controlled as a
group without the owners’ knowledge, e.g. to send spam.

DoS (Denial of Service) – A DoS attack renders a network, host, or other piece of infrastructure
unusable by legitimate users. Most Internet DoS attacks fall into one of three categories:

• Vulnerability attack : This involves sending a few well-crafted messages to a vulnerable
application or operating system running on a targeted host. If the right sequence of packets is
sent to a vulnerable application or operating system, the service can stop or, worse, the host can
crash.

• Bandwidth flooding : The attacker sends a deluge of packets to the targeted host—so many
packets that the target’s access link becomes clogged, preventing legitimate packets from
reaching the server.

• Connection flooding : The attacker establishes a large number of half-open or fully open TCP
connections at the target host. The host can become so bogged down with these bogus
connections that it stops accepting legitimate connections.

DDoS (Distributed DoS) – DDoS is a type of DoS attack where multiple compromised systems
are used to target a single system, causing a Denial of Service (DoS). DDoS attacks leveraging
botnets with thousands of compromised hosts are a common occurrence today. DDoS attacks
are much harder to detect and defend against than a DoS attack from a single host, because there
is no single source address to block.

Packet sniffer – A passive receiver that records a copy of every packet that flies by is called a
packet sniffer. By placing a passive receiver in the vicinity of a wireless transmitter, that
receiver can obtain a copy of every packet that is transmitted! These packets can contain all
kinds of sensitive information, including passwords, social security numbers, trade secrets, and
private personal messages. Some of the best defenses against packet sniffing involve
cryptography: traffic that is encrypted end to end is useless to whoever captures a copy of it.

IP Spoofing – The ability to inject packets into the Internet with a false source address is known
as IP spoofing, and is but one of many ways in which one user can masquerade as another user.
To solve this problem, we will need end-point authentication, that is, a mechanism that will
allow us to determine with certainty if a message originates from where we think it does.

Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack occurs when
someone between you and the person with whom you are communicating is actively monitoring,
capturing, and controlling your communication transparently. For example, the attacker can re-
route a data exchange. When computers are communicating at low levels of the network layer,
the computers might not be able to determine with whom they are exchanging data.

Compromised-Key Attack – A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-intensive process for an
attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised
key. An attacker uses the compromised key to gain access to a secured communication without
the sender or receiver being aware of the attack.

Phishing – The fraudulent practice of sending emails purporting to be from reputable companies
in order to induce individuals to reveal personal information, such as passwords and credit card
numbers.

DNS spoofing – Also referred to as DNS cache poisoning, this is an attack in which corrupt
Domain Name System data is introduced into a DNS resolver's cache, causing the resolver to
return an incorrect IP address and so divert traffic to a host of the attacker's choosing.

 Eavesdropping
 Snooping
 Interception
 Modification Attacks
 Repudiation Attacks
 Denial-of-service (DoS) Attacks
 Distributed denial-of-service (DDoS) Attacks
 Back door Attacks
 Spoofing Attacks
 Man-in-the-Middle Attacks
 Replay Attacks
 Password Guessing Attacks

Eavesdropping - This is the process of listening in on or overhearing parts of a conversation. It
also includes attackers listening in on your network traffic. It is generally a passive attack; for
example, a coworker may overhear your dinner plans because your speaker phone is set too loud.
The opportunity to overhear a conversation is coupled with the carelessness of the parties in the
conversation.

Snooping - This is when someone looks through your files in the hope of finding something
interesting, whether electronic or on paper. In the case of physical snooping, people might
inspect your dumpster, recycling bins, or even your file cabinets; they can look under your
keyboard for Post-it notes, or look for scraps of paper tacked to your bulletin board. Computer
snooping, on the other hand, involves someone searching through your electronic files trying to
find something interesting.

Interception - This can be either an active or a passive process. In a networked environment,
passive interception might involve someone who routinely monitors network traffic. Active
interception might include putting a computer system between sender and receiver to capture
information as it is sent. From the perspective of the interceptor, this process is covert. The last
thing a person on an intercept mission wants is to be discovered. Intercept missions can occur for
years without the knowledge of the intercepted parties.

Modification Attacks - This involves the deletion, insertion, or alteration of information in an
unauthorized manner that is intended to appear genuine to the user. These attacks can be very
hard to detect. The motivation of this type of attack may be to plant information, change grades
in a class, alter credit card records, or something similar. Website defacements are a common
form of modification attack.

Repudiation Attacks - This makes data or information appear to be invalid or misleading
(which can be even worse). For example, someone might access your email server and send
inflammatory information to others under the guise of one of your top managers. This
information might prove embarrassing to your company and possibly do irreparable harm. This
type of attack is fairly easy to accomplish because most email systems don't check outbound
email for validity. Repudiation attacks, like modification attacks, usually begin as access attacks.

Denial-of-service Attacks - These prevent access to resources by the users authorized to use
those resources. An attacker may try to bring down an e-commerce website to prevent or deny
usage by legitimate customers. DoS attacks are common on the Internet, where they have hit
large companies such as Amazon, Microsoft, and AT&T, and they are often widely publicized in
the media. Several types of attack fall into this category; they can deny access to information,
applications, systems, or communications. A DoS attack on a system may crash the operating
system (a simple reboot may restore the server to normal operation). A common DoS attack is to
open as many TCP sessions as possible without ever completing the handshake; this type of
attack is called a TCP SYN flood. Two other common ones are the ping of death and the buffer
overflow attack. The ping of death operates by sending Internet Control Message Protocol
(ICMP) packets that are larger than the system can handle. Buffer overflow attacks attempt to
put more data into a buffer than it can hold. Code Red, Slapper and Slammer are worms that took
advantage of buffer overflows; sPing is an example of a ping of death tool.

Distributed Denial-of-service Attacks - This is similar to a DoS attack. This type of attack
amplifies the concept of a DoS attack by using multiple computer systems to conduct the attack
against a single organization. These attacks exploit the inherent weaknesses of always-on
connections such as DSL and cable. These permanently attached systems have little, if any,
protection. The attacker can load an attack program onto dozens or even hundreds of computer
systems that use DSL or cable modems. The attack program lies dormant on these computers
until they get the attack signal from the master computer. This signal triggers these systems to
launch an attack simultaneously on the target network or system.

Back door Attacks - This can have two different meanings. The original term back door referred
to troubleshooting and developer hooks into systems. During the development of a complicated
operating system or application, programmers add back doors or maintenance hooks. These back
doors allow them to examine operations inside the code while the program is running. The
second type of back door refers to gaining access to a network and inserting a program or utility
that creates an entrance for an attacker. The program may allow a certain user to log in without a
password or gain administrative privileges. A number of tools exist to create a back door, such
as Back Orifice (which has been updated to work with Windows Server 2003 as well as
earlier versions), SubSeven, NetBus, and NetDevil. There are many more. Fortunately, most anti-
virus software will recognize these well-known tools, though not a custom back door written for
a single target.

Spoofing Attacks - This is an attempt by someone or something to masquerade as someone else.
This type of attack is usually considered an access attack. The most popular spoofing attacks
today are IP spoofing and DNS spoofing. The goal of IP spoofing is to make the data look like it
came from a trusted host when it really didn't. With DNS spoofing, the DNS server is given
information about a name server that it thinks is legitimate when it isn't. This can send users to a
website other than the one they wanted to go to.

Man-in-the-Middle Attacks - These can be fairly sophisticated. This type of attack is also an
access attack, but it can be used as the starting point of a modification attack. It involves
placing a piece of software between a server and the user that neither the server administrators
nor the user are aware of. This software intercepts data and then sends the information on to the
server as if nothing is wrong. The server responds back to the software, thinking it's
communicating with the legitimate client, and the attacking software continues relaying
information to the server and so forth.

Replay Attacks - These are becoming quite common. They occur when information is captured
over a network and re-sent later. Replay attacks are used for access or modification attacks. In a
distributed environment, logon and password information is sent over the network between the
client and the authentication system. The attacker can capture this information and replay it
later. This can also occur with authentication tokens such as Kerberos tickets: the attacker
resubmits the ticket, hoping to be validated by the authentication system and to circumvent any
time sensitivity.

Password Guessing Attacks - These occur when an account is attacked repeatedly. This is
accomplished by sending possible passwords to an account in a systematic manner. These attacks
are initially carried out to gain passwords for an access or modification attack. There are two
types of password guessing attacks:

- Brute-force attack: Attempt to guess a password by trying every possible combination until a
successful guess occurs. This takes a long time. To make passwords more difficult to guess, they
should be long (well beyond the six characters once considered a bare minimum; current
guidance favours long passphrases), be complex, and be backed by lockout or rate-limiting
policies. Bear in mind that a strict lockout policy also lets an attacker lock legitimate users out
of their accounts on purpose.
- Dictionary attack: This uses a dictionary of common words to attempt to find the user's
password. Dictionary attacks can be automated, and several tools exist in the public domain to
execute them.
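Lockout and rate limiting are preventive; the detection side is to notice the guessing while it happens, and on a Linux host the evidence is in the sshd lines of the auth log. The script below is an added example, not part of the original article: it counts failed password attempts per source address from syslog-style sshd lines on standard input and prints every source at or above a threshold. The log lines are constructed for the demonstration (using RFC 5737 documentation addresses) in the format sshd writes to /var/log/auth.log; in practice pipe in the real log or `journalctl -u ssh`.

```shell
#!/bin/sh
# Added example: flag password-guessing sources from sshd log lines.
# The sample lines are constructed for the demo; in practice feed the real
# auth.log (or journalctl output) into failed_logins_by_source.

# failed_logins_by_source LIMIT: reads syslog-style sshd lines on stdin and
# prints "SOURCE COUNT" for every source address with at least LIMIT failed
# password attempts, sorted by address. Accepted logins, non-sshd lines and
# the "invalid user" variants are handled the same way: only the address
# after the word "from" is counted.
failed_logins_by_source() {
    awk -v limit="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (src in fails) if (fails[src] >= limit) print src, fails[src] }
    ' | sort
}

# sample_auth_log: constructed lines in the format sshd writes to auth.log
sample_auth_log() {
    cat <<'EOF'
Sep 22 10:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Sep 22 10:40:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2
Sep 22 10:40:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 51530 ssh2
Sep 22 10:40:09 host sshd[2105]: Failed password for tecmint from 198.51.100.4 port 40022 ssh2
Sep 22 10:40:12 host sshd[2107]: Accepted password for tecmint from 198.51.100.4 port 40024 ssh2
Sep 22 10:40:15 host CRON[2110]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 22 10:40:20 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51540 ssh2
EOF
}

echo "sources with 3 or more failed passwords:"
sample_auth_log | failed_logins_by_source 3
```

The single failure from 198.51.100.4 followed by an accepted login is what a mistyped password looks like; the run of different user names from 203.0.113.7 is a dictionary attack in progress, and the threshold is what separates the two. A slow attacker who spreads guesses over many addresses and hours defeats a per-source count, which is why account-side rate limiting is still needed.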

Well, there you have it. The basic way to limit these types of attacks is to get a good firewall,
anti-virus software, and a good Intrusion Detection System (IDS). Rate-limiting ICMP at the
firewall blunts ICMP flooding; dropping ICMP altogether does too, but it also breaks path MTU
discovery and diagnostics such as ping, so rate-limiting is the usual compromise. I will write
another article in which I will cover only TCP and UDP attacks such as:

 Sniffing
 Port Scanning
 TCP SYN or TCP ACK Attack
 TCP Sequence number attack
 TCP Hijacking
 ICMP Attacks
 Smurf Attacks
 ICMP Tunnelling

Web Jacking

In this method the attacker creates a fake website, often promoted through social media; when
the victim opens it, it redirects them to another website that harms the user's system. This is
done to fulfil political objectives or for money. Recently the site of the Ministry of Information
Technology was hacked by Pakistani hackers, and the Bombay crime branch site was also
hacked. Such sites are created to steal the sensitive and confidential data of users, so awareness
of cyber security is very important for protecting people against hackers. These websites are
hacked using password cracking, which is of two types: first, dictionary words are tried
repeatedly to crack the password, and second, brute force, where the hackers guess the
passwords of the users by trying all combinations of numbers, symbols and letters.
In a case in the USA, many school children suffered serious injury due to the negligence of a
school principal who was threatened by hackers to pay them 1 million dollars or they would hack
the school website and send an email to all the children inviting them to play a dangerous game.
As the principal ignored the message, the children suffered injuries. Another type of web jacking
is done by making people believe that they have won a lottery and then taking over their bank
account with the details given by the user.


What Is Social Engineering? What Are Different Types Of Social Engineering Attacks?
May 30, 2018


You might have heard the term Social Engineering. But what exactly is Social Engineering, and
what are the types of Social Engineering techniques? It can be described as a set of methods used
by people who want to hack other people, or make them perform some particular task, to the
attacker's benefit.

To do this, they don't depend mainly on code. Social Engineering scams are the art of deception,
used by evil-minded people to feed their greed for money or something else.

So, What is Social Engineering?

You might've received phone calls or emails from people offering credit card deals. They try to
gain their targets' confidence and make them pay a hefty amount to claim the offers. We call
such things fraud. That's an example of social engineering, where people play confidence tricks
on their targets.
This social manipulation is not just for financial benefit. Social engineering can be done for
other purposes too, for instance harvesting information from people. It involves playing with
their minds to get things done.

You can find social engineers everywhere. Even a friend sitting next to you and watching your
keyboard while you type your password is a social engineer (shoulder surfing). It's just that there
is no certification for this. So, let's tell you about the types of social engineering in detail.

Types of Social Engineering Attacks:

There are many social engineering tactics depending on the medium used to implement it. The
medium can be email, web, phone, USB drives, or some other thing. So, let’s tell you about
different types of social engineering attacks:

1. Phishing

Phishing is the most common type of social engineering attack. The attacker recreates the
website or support portal of a renowned company and sends the link to targets via email or
social media platforms. The target, unaware of the real sender, ends up giving away personal
information and even credit card details.

You can reduce phishing emails by using the spam filters in your email account; most email
providers enable them by default. Also, don't open emails coming from an untrusted source or
that you find suspicious, and check that a login page's address really belongs to the company
before entering credentials.

2. Spear Phishing

A social engineering technique known as spear phishing can be regarded as a subset of phishing.
Although it is a similar attack, it requires extra effort on the attackers’ side: they need to
tailor the message to the limited number of users they target. The hard work pays off, since the
chances of users falling for the false emails are considerably higher in the case of spear
phishing.

3. Vishing

Imposters or social engineers can be anywhere on the internet, but many prefer the old-fashioned
way: they use the phone. This type of social engineering attack is known as vishing. They
recreate the IVR (Interactive Voice Response) system of a company, attach it to a toll-free
number, and trick people into calling the number and entering their details. Most people don’t
think twice before entering confidential information into a supposedly trusted IVR system, do
they?

4. Pretexting

Pretexting is another example of social engineering you might’ve come across. It’s based on a
scripted scenario presented in front of the targets, used to extract PII or some other information.
An attacker might impersonate another person or a known figure.

You might’ve seen TV shows and movies where detectives use this technique to get into places
where they’re not personally authorized, or to extract information by tricking people. Another
example of pretexting is a fake email from a distant friend who suddenly needs money; most
likely someone hacked their account or created a fake one.

5. Baiting

If you have seen the movie Troy, you might recall the Trojan horse scene. A digital variant of
this trick is known as baiting, and it is one of the social engineering techniques in use today.
Attackers leave infected USB drives or optical disks in public places, hoping that someone will
pick one up out of curiosity and plug it into their device. A more modern form of baiting is
found on the web: download links, mostly leading to malicious software, are put in front of
random people in the hope that someone will click on them.

6. Tailgating

Similarly, there are other social engineering techniques, like tailgating, where a person follows
an authorized person through a door to get into restricted areas protected by RFID authentication
or some other electronic barrier.

7. Quid pro quo

Another social engineering method, quid pro quo, involves people posing as technical support.
They make random calls to a company’s employees, claiming to be contacting them about an issue.
Sometimes such callers get the chance to make the victim do what they want. It can also be used
against ordinary people.

Quid pro quo involves an exchange of something with the target, for instance, the attacker trying
to solve a victim’s genuine problem. The exchange can also include material things, such as a
gift in return for the information.

How to defend yourself from social engineers?

You might’ve come across the story of Ivan Kwiatkowski. He sensed that a customer support call
was fraudulent before it was too late, fooled the so-called executive on the other side, and got
ransomware installed on the attacker’s computer. That could be thought of as a counter-attack on
such people. You need to be alert when someone asks you for your information, or when an unknown
person is giving you something for free.


Improve your emotional intelligence

Social engineers may also play on the emotional part of people’s brains. They might try to take
you on a guilt trip, make you nostalgic, or even try to upset you. The situation becomes alarming
because people tend to open up to those who appear to offer them emotional comfort.

Stay aware of your surroundings

One more thing you must pay attention to, if you want to save yourself from the different types
of social engineering scams, is what you do on the internet. A person trying to hack into your
online account may glance through your Facebook profile and find clues to the answers to your
security questions, or even to your password.

Think before you act

Mostly, such questions ask for less important details like pet names, school names, birthplace,
etc. Also, pay attention to which web pages you visit and what files you download; they may
contain malicious tools that harvest your information.

Keep your accounts and devices safe

With the abundance of electronic devices and internet access nowadays, it’s easier than ever to
get information about almost anyone. For instance, a camera keeping an eye on you in the subway
or on the street could be compromised as part of a social engineering attack.

So, what’s important is to keep your smartphones, PCs, and online accounts safe by adding
strong passwords and other methods like two-factor authentication. Take appropriate security
measures like anti-virus software, firewalls, etc. That’s the minimum you can do. Also, make
sure you don’t have the habit of writing down passwords and financial details.

However, these are general ways to defend oneself from being exploited by a social engineer.
Big organizations have devised more formal methods to deal with such scenarios. This can
include things such as conducting regular drills on employees, training them to deal with such
situations, and establishing proper methods to identify legitimate personnel.

So, this was a brief overview of what is social engineering and its types. If you feel like adding
something, drop your thoughts and feedback.

What is Packet Sniffing?

When data has to be transmitted over a computer network, it is broken down at the sender’s node
into smaller units called data packets, and reassembled at the receiver’s node into the original
format. The packet is the smallest unit of communication over a computer network; it is also
called a block, a segment, a datagram or a cell. The act of capturing data packets crossing the
network is called packet sniffing. It is similar to wiretapping a telephone network. It is mostly
used by crackers and hackers to collect information about a network illegally. It is also used by
ISPs, advertisers and governments.

ISPs use packet sniffing to track all your activities, such as:

 who the receiver of your email is
 what the content of that email is
 what you download
 which sites you visit
 what you looked at on that website
 downloads from a site
 streaming events like video, audio, etc.

Advertising agencies or internet advertising agencies are paid according to:

 the number of ads shown by them.
 the number of clicks on their ads, also called PPC (pay per click).

To achieve this, these agencies use packet sniffing to inject advertisements into the flowing
packets. Most of the time these ads contain malware.

Government agencies use packet sniffing to:

 ensure the security of data over the network.
 track an organisation’s unencrypted data.

Packet Sniffer –
Packet sniffing is done using tools called packet sniffers. Capture can be either filtered or
unfiltered: filtered capture is used when only specific data packets have to be captured, and
unfiltered capture when all packets have to be captured. Wireshark and SmartSniff are examples of
packet sniffing tools.
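The filtered and unfiltered modes just described, shown on hand-built packet bytes rather than a live capture. This is an added example, not code from the article or from any sniffer product: the IPv4/TCP builder and parser, the hosts, ports and payloads are all constructed for the demo, and the final function shows the defender's reason for caring, namely that a sniffer on the path sees form credentials sent over plain HTTP in the clear while the TLS record is opaque to it.

```python
"""Toy packet sniffer over constructed packet bytes, illustrating filtered and
unfiltered capture and why unencrypted traffic is the real exposure. Added
example, not from the original article: the packets are hand-built here, not
captured from a network."""
import ipaddress
import struct
from typing import Dict, List, Optional

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP packet (checksums left as zero; this is sample data)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload

def parse_packet(raw: bytes) -> Optional[Dict]:
    """Decode the IPv4 and TCP headers; return None for anything this toy does not understand."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    proto = raw[9]
    pkt = {"src": str(ipaddress.IPv4Address(raw[12:16])),
           "dst": str(ipaddress.IPv4Address(raw[16:20])), "proto": proto}
    if proto != 6 or len(raw) < ihl + 20:          # not TCP (or too short): keep raw payload only
        pkt["payload"] = raw[ihl:total_len]
        return pkt
    pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4            # TCP header length in bytes
    pkt["payload"] = raw[ihl + data_off:total_len]
    return pkt

def sniff(packets: List[bytes], dport: Optional[int] = None) -> List[Dict]:
    """Unfiltered capture when dport is None (keep everything), filtered capture otherwise."""
    captured = []
    for raw in packets:
        pkt = parse_packet(raw)
        if pkt is None:
            continue
        if dport is None or pkt.get("dport") == dport:
            captured.append(pkt)
    return captured

def exposed_credentials(packets: List[bytes]) -> List[str]:
    """Defender's check: which flows carry credential-looking form fields in the clear?"""
    hits = []
    for pkt in sniff(packets):
        if b"pass=" in pkt["payload"] or b"password=" in pkt["payload"]:
            hits.append(f'{pkt["src"]}:{pkt.get("sport")} -> {pkt["dst"]}:{pkt.get("dport")}')
    return hits

# constructed sample capture: two plaintext HTTP flows, one TLS record (opaque to a sniffer), junk
CAPTURE = [
    build_packet("10.0.0.5", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_packet("10.0.0.5", "203.0.113.20", 51001, 443, bytes.fromhex("16030300450100004103")),
    build_packet("10.0.0.5", "203.0.113.30", 51002, 80,
                 b"POST /login HTTP/1.1\r\nHost: intranet.test\r\n\r\nuser=alice&pass=hunter2"),
    b"\x00\x01",   # truncated junk, dropped by the parser
]

if __name__ == "__main__":
    for pkt in sniff(CAPTURE, dport=80):           # filtered capture: HTTP only
        print(pkt["src"], "->", pkt["dst"], pkt["payload"][:40])
    print("credentials in the clear:", exposed_credentials(CAPTURE))
```

A real sniffer reads frames from the interface (Wireshark uses a capture filter for exactly this kind of port selection); the point of the toy is that the filter decides what is kept, and the encryption decides what is readable.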

How to prevent packet sniffing –

 Encrypting the data you send or receive.
 Using trusted Wi-Fi networks.
 Scanning your network for dangers or issues.

What is Authentication

Authentication is the process whereby the system distinguishes legitimate users from unauthorized
users. It is the process in which a user identifies himself or herself to the system. How
effective an authentication process is depends on the authentication protocols and mechanisms
being used. Windows Server 2003 provides a few different authentication types which can be used
to verify the identities of network users, including:

 Kerberos authentication protocol
 NT LAN Manager (NTLM) authentication protocol
 Secure Sockets Layer/Transport Layer Security (SSL/TLS)
 Digest authentication
 Smart cards
 Virtual Private Networking (VPN) and Remote Access Services (RAS)

The Kerberos version 5 authentication protocol is the default authentication type for a Windows
Server 2003 environment. Kerberos version 5 makes use of a 'ticket' strategy to authenticate
valid network users, and provides mutual authentication between users and resources. Windows
Server 2003 supports the NTLM authentication protocol to provide compatibility with earlier
operating systems (OSs) such as Windows NT 4. Secure Sockets Layer/Transport Layer Security
(SSL/TLS) and digest authentication are typically used for Web applications. SSL/TLS is based on
X.509 public-key certificates, and enables mutual authentication between the client and server.

A few authentication features introduced with Windows Server 2003 are outlined below:

 Windows Server 2003 includes support for smart cards, as well as support for a few
different multifactor authentication mechanisms. Windows Server 2003 can also support a
number of authentication protocols, such as NTLM, NTLMv2, and Kerberos version 5.
 With Windows Server 2003 Active Directory, the Active Directory directory service
stores the security credentials, such as the passwords of users, which are used for the
authentication process. Active Directory directory service can store security credentials
for each authentication protocol. The service also enables users to log on to computers in
an Active Directory environment that contains multiple domains and forests.
 A user can log on to any computer through a single domain account. This is known as
single sign-on. A user basically only needs to log on to a domain account once, and with
one password. The sign-on security information of the user is stored in Active Directory.
Whenever a user attempts to access a resource within a domain, network authentication
takes place.

The remainder of this article focuses on the different authentication types which you can
implement to enforce an authentication strategy within your environment.

Kerberos Authentication Protocol

The foremost authentication protocol type used within a Windows Server 2003 Active Directory
domain is the Kerberos version 5 authentication protocol. The Kerberos authentication protocol
provides the following authentication features:

 Verifies the identity of network users
 Verifies whether the network service that a user is attempting to access is valid. This
security feature prevents users from accessing any fake network services which could
have possibly been created by unauthorized network users. These fake services are
normally created to deceive network users into disclosing their logon credentials.

The term for the process by which both the identity of users and the identity of the services
being accessed are verified is mutual authentication. The name of the Kerberos authentication
protocol is derived from Greek mythology (the three-headed dog), because of the following three
components of the protocol:

 A client requesting authentication or a service
 A server on which the service that the client requests resides.
 A computer which both the client and server trust. This is typically a Windows Server
2003 domain controller on which the Key Distribution Center service is running.

The Kerberos authentication type does not transmit passwords during the authentication process.
Instead, it uses tickets. Tickets are specially formatted data packets that allow a client to access a
resource. The ticket contains the identity of the user in an encrypted data format. When
decrypted, the data or information verifies the identity of the client. Because the Kerberos
authentication type makes use of tickets, it offers more security for the authentication process.

The Kerberos authentication type is dependent on the Key Distribution Center (KDC) to issue
tickets. Each network client makes use of DNS to find the closest available KDC to obtain a
Kerberos ticket. The ticket usually remains active for about 8 or 10 hours. The Key Distribution
Center (KDC) is a service which runs as a component of Active Directory. In fact, each domain
controller in a Windows Server 2003 domain operates as a Key Distribution Center (KDC). It is
the Key Distribution Center (KDC) which manages the database of security account information
for each security principal within a domain. Security principals that form the foundation of the
Active Directory security architecture are user accounts, security groups, and computer accounts.
Administrators of domains assign permissions to security principals to access network resources,
and to perform certain actions on these resources. The KDC holds the cryptographic key which is
only known by the particular security principal, and the KDC. This cryptographic key, also
called a long term key, is formed from the logon password of the user, and is used when the KDC
and security principal interact. Because each domain controller in Windows Server 2003
domains operates as a KDC, fault tolerance is enabled for the domain. When one domain
controller is unavailable, any other domain controller in the domain is able to issue tickets.

Kerberos authentication can be used by clients and servers running the following operating
systems (OSs):

 Windows 2000
 Windows XP Professional
 Windows Server 2003

Windows 2000, Windows XP Professional, and Windows Server 2003 computers which are
members of a Windows 2000 or Windows Server 2003 domain use the Kerberos protocol for
network authentication to domain resources. This is the default configuration for these domains.
When a down-level client attempts to access a Kerberos-secured resource, NTLM authentication
is used, not Kerberos authentication.

How the Kerberos authentication process works

The steps outlined below describe the Kerberos authentication process.

1. The user provides his/her user name and password. The computer transmits these details
to the KDC.
2. The KDC creates a session key, and a Ticket Granting Ticket (TGT). A TGT is a ticket
that enables a client to receive temporary tickets from the ticket granting service for each
authentication, and it includes the following:
o A copy of the session key
o The name of the user
o An expiration time
3. The TGT is encrypted by the KDC through its master key.
4. The client computer then receives this information from the KDC. At this point the client
computer holds the session key and TGT, and is authenticated to the domain. The session
key and TGT are stored in volatile memory because this offers better security than storing
the information on the hard disk.
5. A Kerberos client passes its TGT and a timestamp encrypted with its session key to the
KDC when it needs to access resources hosted on a server which is a member of the same
domain. The KDC utilizes its master key to decrypt the TGT, and it utilizes the session
key to decrypt the timestamp. Since the user is the only individual that can use the
session key, the KDC is able to verify that the request to access resources originated from
the particular user.
6. At this point, the KDC generates a ticket for the client and a ticket for the server hosting
the resources which the client wants to access. Each ticket has a new key which the
server and client will share between each other, and contains the following information:
o The name of the user
o The recipient of the user request
o A timestamp which indicates the time that the ticket was created.
o The expiration time of the ticket
7. The server master key is used by the KDC to encrypt the ticket of the server. The ticket
of the server is stored within the ticket of the client. The session key which the KDC
shares with the particular user is then used to encrypt the entire set of information. This is
then transmitted to the user.
8. The user decrypts the ticket it receives using the session key. The user encrypts the
timestamp with the new key, and then transmits this information and the ticket to the
server hosting the resources which it wants to access. Next, the server uses the server master
key to decrypt the server ticket. The new key is then used to decrypt the timestamp.
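The eight steps above, run end to end as an added example; this is not code from the article or from Windows, and the cipher is a constructed SHA-256 keystream with an HMAC tag standing in for the real Kerberos encryption types. Two details the steps gloss over are made explicit: the password never leaves the client (step 1 is done as Kerberos pre-authentication, an encrypted timestamp under the key derived from the password), and every ticket and timestamp is checked for expiry and clock skew. Principal names, passwords and lifetimes are made up for the demo.

```python
"""Toy walk-through of the Kerberos AS, TGS and AP exchanges described above.
Added example, not the article's or Microsoft's code: the 'encryption' is a
constructed SHA-256 keystream plus HMAC-SHA256 tag, standing in for the real
Kerberos cipher suites. Names, passwords and keys are made up."""
import hashlib, hmac, json, secrets, time

LIFETIME = 8 * 3600      # the article's "about 8 or 10 hours"
MAX_SKEW = 300           # authenticator timestamps older than this are rejected

def derive_key(secret: str) -> bytes:
    """Long-term key formed from a password (SHA-256 stands in for Kerberos string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object (toy authenticated encryption, constructed for this example)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under this exact key before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, users: dict, services: dict):
        self.master_key = secrets.token_bytes(32)                        # seals TGTs (steps 3, 5)
        self.user_keys = {u: derive_key(p) for u, p in users.items()}   # long-term keys
        self.service_keys = services                                     # each server's master key

    def as_exchange(self, user: str, preauth: bytes):
        """Steps 1-4: check proof of the password, return a session key and a TGT."""
        ts = unseal(self.user_keys[user], preauth)["ts"]                # fails on a wrong password
        if abs(time.time() - ts) > MAX_SKEW:
            raise ValueError("stale pre-authentication")
        session_key, exp = secrets.token_bytes(32), time.time() + LIFETIME
        tgt = seal(self.master_key, {"user": user, "skey": session_key.hex(), "exp": exp})
        return tgt, seal(self.user_keys[user], {"skey": session_key.hex(), "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 5-7: validate TGT and timestamp, issue a service ticket under a fresh key."""
        t = unseal(self.master_key, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(t["skey"])
        if abs(time.time() - unseal(session_key, authenticator)["ts"]) > MAX_SKEW:
            raise ValueError("stale authenticator")
        new_key, now = secrets.token_bytes(32), time.time()
        ticket = seal(self.service_keys[service], {"user": t["user"], "service": service,
                      "key": new_key.hex(), "created": now, "exp": now + LIFETIME})
        # step 7: the server's ticket travels inside the part only the client can read
        return seal(session_key, {"key": new_key.hex(), "ticket": ticket.hex()})

class Server:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        """Step 8: open the ticket with the server master key, then the timestamp with the new key."""
        t = unseal(self.key, ticket)
        if t["service"] != self.name or time.time() > t["exp"]:
            raise ValueError("ticket not for this service or expired")
        if abs(time.time() - unseal(bytes.fromhex(t["key"]), authenticator)["ts"]) > MAX_SKEW:
            raise ValueError("stale authenticator")
        return t["user"]

def client_login_and_access(kdc: KDC, server: Server, user: str, password: str) -> str:
    """Whole client-side flow; returns the identity the server accepted."""
    ukey = derive_key(password)                                    # password never leaves the client
    tgt, enc = kdc.as_exchange(user, seal(ukey, {"ts": time.time()}))
    session_key = bytes.fromhex(unseal(ukey, enc)["skey"])         # held in memory only (step 4)
    reply = unseal(session_key, kdc.tgs_exchange(tgt, seal(session_key, {"ts": time.time()}), server.name))
    new_key, ticket = bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])
    return server.accept(ticket, seal(new_key, {"ts": time.time()}))

# constructed principals for the demo
FILESERVER_KEY = secrets.token_bytes(32)
KDC_DEMO = KDC({"alice": "correct horse", "bob": "battery staple"}, {"fileserver": FILESERVER_KEY})
FILESERVER = Server("fileserver", FILESERVER_KEY)

if __name__ == "__main__":
    print(client_login_and_access(KDC_DEMO, FILESERVER, "alice", "correct horse"))
```

The mutual-authentication property from the feature list above falls out of the key layout: a fake file server that does not hold the real server master key cannot open the ticket the KDC issued, so the client's access attempt fails instead of leaking anything.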

NT LAN Manager (NTLM) Authentication Protocol

The NT LAN Manager (NTLM) authentication protocol is the main authentication type used to
enable network authentication for versions of Windows earlier than Windows 2000, such as
Windows NT 4. The authentication protocol is essentially used for authentication between
machines running Windows NT and Windows Server 2003 machines.

The NTLM authentication type is typically used in the scenarios listed below:

 By workstations and standalone servers that are members of workgroups.
 By Windows 2000 or Windows XP Professional computers accessing a Windows NT 4.0
primary domain controller or backup domain controller.
 By Windows NT 4.0 domain users when trusts exist with a Windows 2000 or Windows
Server 2003 Active Directory domain or forest.
 By Windows NT 4.0 Workstation clients who want to authenticate to a Windows NT 4.0,
Windows 2000 or Windows Server 2003 domain controller.

Windows Server 2003 supports the following forms of challenge-response authentication
methods:

 LAN Manager (LM): The LM authentication protocol is used to enable backward
compatibility with the earlier OSs such as Windows 95, Windows 98, Windows NT 4.0
SP 3, and earlier OSs. LM authentication is considered the weakest authentication
protocol because it is the easiest to compromise. LM authentication should not be used in
Windows Server 2003 environments.
 NTLM version 1: NTLM version 1 is more secure than LM authentication because it uses
56-bit encryption, and user credentials are stored in the NT Hash format. This format is
more secure than the level of encryption used in LM authentication.
 NTLM version 2: NTLM version 2 utilizes 128-bit encryption, and therefore offers the
highest level of encryption.

NTLM authentication works by encrypting the logon information of the user. This is done by
applying a hash to the password of the user. A hash is a mathematical function. The security
account database contains the hash value which is generated when NTLM processes the
password. The password of the user is not transmitted over the network. What happens is that
the client applies the hash to the password of the user before it sends the information to the
domain controller. The value of the hash is also encrypted.

How the NTLM authentication process works

1. The client and server negotiate the authentication protocol to use.
2. The client transmits the name of the user and the name of the domain to the domain
controller.
3. At this point, the domain controller creates a nonce. This is a 16-byte random character
string.
4. The nonce is encrypted by the client using the hash of the user password. The client
forwards this to the domain controller.
5. The domain controller then obtains the hash of the user password from the security
account database to encrypt the nonce.
6. This is then compared to the value which the client forwarded.
7. Authentication occurs when the two values are identical.
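The seven steps above as an added, runnable example. It is not the article's code and not Microsoft's NTLM: the stored hash is SHA-256 of the UTF-16LE password and the client's answer is HMAC-SHA256 keyed with that hash, standing in for the real NT hash and the DES (NTLMv1) or HMAC-MD5 (NTLMv2) constructions. What it does show faithfully is the shape that matters to a defender: the database holds only a hash, the password never crosses the wire, and a captured response is useless for replay because the 16-byte nonce is issued once.

```python
"""Toy NTLM-style challenge-response following the seven steps above. Added
example, not the article's code and not Microsoft's NTLM: SHA-256 and HMAC-SHA256
are constructed stand-ins for the real NT hash and response computations."""
import hashlib, hmac, secrets

def password_hash(password: str) -> bytes:
    """What the security account database stores: a hash, never the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def client_response(password: str, nonce: bytes) -> bytes:
    """Step 4: the client keys a MAC with its password hash and 'encrypts' the nonce."""
    return hmac.new(password_hash(password), nonce, hashlib.sha256).digest()

class DomainController:
    def __init__(self, accounts: dict):
        self.db = {u: password_hash(p) for u, p in accounts.items()}   # hashes only
        self.outstanding = {}          # one nonce per in-flight logon, consumed on use

    def challenge(self, user: str, domain: str) -> bytes:
        """Steps 2-3: after receiving user and domain names, create a 16-byte random nonce."""
        nonce = secrets.token_bytes(16)
        self.outstanding[(user, domain)] = nonce
        return nonce

    def verify(self, user: str, domain: str, response: bytes) -> bool:
        """Steps 5-7: recompute with the stored hash and compare in constant time."""
        nonce = self.outstanding.pop((user, domain), None)   # a nonce is only good once
        if nonce is None or user not in self.db:
            return False
        expected = hmac.new(self.db[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def ntlm_logon(dc: DomainController, user: str, domain: str, password: str) -> bool:
    """Client side of the exchange: fetch a challenge, answer it, learn the verdict."""
    nonce = dc.challenge(user, domain)
    return dc.verify(user, domain, client_response(password, nonce))

# constructed account database for the demo
DC = DomainController({"alice": "S3cret!"})

if __name__ == "__main__":
    print("alice, right password:", ntlm_logon(DC, "alice", "CORP", "S3cret!"))
    print("alice, wrong password:", ntlm_logon(DC, "alice", "CORP", "guess"))
```

Because the stored hash is the key to the MAC, it is as sensitive as the password itself; that is why the article recommends against LM and why protecting the account database matters as much as the wire protocol.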

Secure Sockets Layer/Transport Layer Security (SSL/TLS)

Secure Sockets Layer (SSL) is a Windows Server 2003 security protocol which utilizes public-
key technology to provide a secure channel for applications communicating over a non-secure
network such as the Internet. SSL is typically used by Web browsers and Web servers for secure
communication channels.
The Secure Sockets Layer (SSL) protocol functions at the OSI model's network layer to provide
encryption for the following protocols:

 HTTP
 LDAP
 IMAP

The SSL protocol provides the following functions:

 Server authentication makes it possible for the user to verify that the Web server he/she
is accessing is, in fact, the server it is portrayed as being.
 Client authentication enables the server to verify the identity of the user.
 Encrypted connections enable data confidentiality, because information passed between
the server and client is encrypted and decrypted.

Before a client and server can partake in secure Internet communication, the client and server
have to perform a security handshake. The security handshake is a process that authenticates
each entity involved in communication, and also establishes the level of security to use for
communication.

The following events occur when a client and server partake in a security handshake:

1. The client sends a request for a secure channel connection to the server.
2. The server sends its public-key certificate to the client. The server can also request the
certificate of the client for mutual authentication.
3. The client then verifies the authenticity of the certificate of the server. At this stage, the
client sends its certificate to the server if the server requested it in Step 2. The server
proceeds to verify the client's certificate.
4. The client produces a session key, and encrypts the session key with the public key of the
server.
5. The server and client now have a secure channel for communication, because information
passed between the two is encrypted and decrypted with the session key.
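The five handshake steps above, with both sides' actions in one runnable flow, as an added example that is not the article's code and not an implementation of SSL or TLS. Textbook RSA on seven-digit primes stands in for the certificate and key-transport arithmetic (it is useless for real security and exists only so the steps can be executed), the CA, host names and randomness are constructed, and a "Finished" MAC check is used to confirm that both ends derived the same channel key. The example also covers what the text's step 3 implies but does not spell out: a certificate that is not signed by a trusted CA, or that names a different host, is rejected before any key is sent.

```python
"""Toy SSL/TLS-style handshake following the five steps above: certificate check,
session key transported under the server's public key, 'Finished' agreement
check. Added example, not the article's code; the RSA keys use small primes and
are insecure, and every name and key here is constructed for the demo."""
import hashlib, hmac, math, secrets

def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the seven-digit toy primes used here)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def toy_keypair(seed: int, e: int = 65537):
    """Textbook RSA (constructed, insecure) -> (n, e, d)."""
    p = _next_prime(seed)
    q = _next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 1)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _digest_mod(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue_cert(ca_key, subject: str, pub: tuple) -> dict:
    """The CA signs (subject, public key); a real X.509 certificate carries the same binding."""
    n_ca, _, d_ca = ca_key
    tbs = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return {"subject": subject, "n": pub[0], "e": pub[1], "sig": pow(_digest_mod(tbs, n_ca), d_ca, n_ca)}

def verify_cert(cert: dict, expected_subject: str, ca_pub: tuple) -> bool:
    """Step 3: signature checks under the trusted CA key and the name matches the peer we wanted."""
    n_ca, e_ca = ca_pub
    tbs = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    return cert["subject"] == expected_subject and pow(cert["sig"], e_ca, n_ca) == _digest_mod(tbs, n_ca)

def handshake(server_cert, server_key, ca_pub, host, client_cert=None, client_key=None):
    """Runs both sides of steps 1-5; returns (client_key_material, server_key_material) or raises."""
    # step 1: client asks for a secure channel; step 2: server answers with its certificate
    if not verify_cert(server_cert, host, ca_pub):
        raise ValueError("server certificate rejected")
    if client_cert is not None:                       # mutual authentication, if requested in step 2
        if not verify_cert(client_cert, client_cert["subject"], ca_pub):
            raise ValueError("client certificate rejected")
        n_c, _, d_c = client_key                      # client proves it holds the certified key
        transcript = _digest_mod(b"hello|" + str(server_cert["sig"]).encode(), n_c)
        if pow(pow(transcript, d_c, n_c), client_cert["e"], client_cert["n"]) != transcript:
            raise ValueError("client does not hold the certified key")
    # step 4: client picks a session key and encrypts it with the server's public key
    premaster = secrets.randbelow(1 << 32)
    encrypted = pow(premaster, server_cert["e"], server_cert["n"])
    n, _, d = server_key
    server_premaster = pow(encrypted, d, n)           # only the private key holder recovers it
    # step 5: both derive the channel key; Finished MACs prove they agree before data flows
    c_key = hashlib.sha256(premaster.to_bytes(8, "big")).digest()
    s_key = hashlib.sha256(server_premaster.to_bytes(8, "big")).digest()
    finished = hmac.new(c_key, b"client finished", hashlib.sha256).digest()
    if not hmac.compare_digest(finished, hmac.new(s_key, b"client finished", hashlib.sha256).digest()):
        raise ValueError("key mismatch")
    return c_key, s_key

# constructed CA, server, client and an impostor that signs its own certificate
CA_KEY = toy_keypair(1_000_000)
CA_PUB = (CA_KEY[0], CA_KEY[1])
SERVER_KEY = toy_keypair(1_100_000)
SERVER_CERT = issue_cert(CA_KEY, "www.example.test", (SERVER_KEY[0], SERVER_KEY[1]))
CLIENT_KEY = toy_keypair(1_200_000)
CLIENT_CERT = issue_cert(CA_KEY, "alice@example.test", (CLIENT_KEY[0], CLIENT_KEY[1]))
ROGUE_KEY = toy_keypair(1_300_000)

if __name__ == "__main__":
    c, s = handshake(SERVER_CERT, SERVER_KEY, CA_PUB, "www.example.test")
    print("channel keys agree:", c == s)
```

The two failure cases worth keeping in mind when reading the article's step 3 are a self-signed certificate (not issued by the CA the client trusts) and a genuine CA-issued certificate for some other host name; both must be rejected before step 4, since after step 4 the session key has already been sent.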

The Transport Layer Security (TLS) protocol, currently under development by the Internet
Engineering Task Force (IETF), will replace the SSL protocol as the new protocol for securing
Internet traffic.

Digest Authentication

Digest authentication is typically used for authenticating Web applications running Internet
Information Services (IIS). Digest authentication utilizes the Digest Access Protocol in the
authentication process. The Digest Access Protocol employs a challenge-response mechanism
for applications using HTTP or Simple Authentication and Security Layer (SASL) communications.
Once a client is authenticated, the session key of the client is located on the Web server. When
digest authentication transmits user information over the network, it does so using an encrypted
hash. This prevents unauthorized users who may be attempting to access network resources,
from intercepting the credentials of the user. Any ensuing authentication requests submitted by
the same client are dealt with by using this session key. Because of this feature of digest
authentication, the client does not need to authenticate with a domain controller each time that it
submits an authentication request.
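The challenge-response mechanism just described, shown as the HTTP Digest computation from RFC 2617 (qop=auth) with a small server that issues nonces and verifies answers. This is an added example, not the article's code and not IIS's implementation: realm, accounts, URIs and nonces are constructed. It keeps HA1 (the MD5 of username:realm:password) rather than the password, which is what lets the server verify a response without holding a plaintext credential; the Windows setup described above differs, since IIS verifies against Active Directory instead of its own HA1 table. The nonce-count check makes a captured Authorization header unusable a second time.

```python
"""HTTP Digest (RFC 2617, qop=auth) as an added example of challenge-response
authentication; not the article's code and not IIS. Realm, accounts, URIs and
nonces are constructed for the demo."""
import hashlib, hmac, secrets

def _md5(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """The only credential-derived value the server needs to keep."""
    return _md5(username, realm, password)

def digest_response(ha1_value: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5(method, uri)
    return _md5(ha1_value, nonce, nc, cnonce, qop, ha2)

class DigestServer:
    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        self.ha1 = {u: ha1(u, realm, p) for u, p in accounts.items()}   # no plaintext passwords stored
        self.nonces = {}             # nonce -> highest nonce count accepted (replay defence)

    def challenge(self) -> dict:
        """The 401 challenge: a fresh server nonce the client must fold into its response."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        """Recompute the expected response from HA1; reject unknown nonces and reused counts."""
        nonce, nc = auth["nonce"], auth["nc"]
        if nonce not in self.nonces or int(nc, 16) <= self.nonces[nonce]:
            return False
        user = auth["username"]
        if user not in self.ha1:
            return False
        expected = digest_response(self.ha1[user], method, auth["uri"], nonce, nc, auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self.nonces[nonce] = int(nc, 16)
        return True

def client_authorize(username: str, password: str, realm: str, method: str, uri: str,
                     challenge: dict, nc: str = "00000001") -> dict:
    """Build the Authorization header fields from the challenge; the password stays on the client."""
    cnonce = secrets.token_hex(8)
    resp = digest_response(ha1(username, realm, password), method, uri, challenge["nonce"], nc, cnonce)
    return {"username": username, "realm": realm, "nonce": challenge["nonce"], "uri": uri,
            "nc": nc, "cnonce": cnonce, "qop": "auth", "response": resp}

# constructed server for the demo
WEB = DigestServer("intranet.test", {"alice": "Pa55word"})

if __name__ == "__main__":
    ch = WEB.challenge()
    hdr = client_authorize("alice", "Pa55word", "intranet.test", "GET", "/reports", ch)
    print("accepted:", WEB.verify("GET", hdr), "replay accepted:", WEB.verify("GET", hdr))
```

The response computation can be checked against the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life"), which this function reproduces.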

A few conditions have to be met prior to using digest authentication on IIS servers. These are
listed below.

 Any client that wants to access a digest authentication secured resource has to be running
Internet Explorer 5 or later.
 The IIS server has to be running Windows 2000 or above.
 The domain of which the IIS server is a member has to include a domain controller
that is running Windows Server 2003 or Windows 2000.
 The IIS server and a user that wants to log on to the IIS server have to belong to the same
domain. They can, however, be joined through trusts.
 Each user that needs to be authenticated must have a legitimate account in Active
Directory, on the particular domain controller.
 The passwords of users have to be stored in a reversibly encrypted format in Active
Directory. You can use the Active Directory Users and Computers console to access the
Account tab of the Properties dialog box of a user, to enable reversible encryption.

Passport Authentication

Web sites that utilize Passport authentication make use of a central Passport server to
authenticate users. Passport authentication works with Microsoft Internet Explorer, Netscape
Navigator, and even with some Unix systems and browsers. This is due to the fact that Passport
authentication is not proprietary. Passport encryption utilizes the following Web technologies:

 SSL encryption
 Symmetric key encryption
 HTTP redirects
 Cookies

A few features of Passport authentication are listed below:

 All Web pages which are used to manage sign-in and sign-out operations are located in a
central repository.
 These Web pages make use of SSL encryption to transmit information on user names,
and user account passwords.
 The Web site does not receive the actual passport of the user. Instead, it receives a cookie
which includes the encrypted timestamps which was generated when the user initially
signed in.
 Web sites using passport authentication make use of encrypted cookies to enable users to
access multiple sites, with the user not being required to resubmit his/her login
credentials. The actual cookie files utilize strong encryption.
 The central Passport server uses encryption when it sends sign-in credentials and any
other user information to a Web site enabled with passport authentication.

Smart Cards

Windows Server 2003 supports smart card authentication. Smart cards can be used to secure the
following items:

 The certificates of your users
 Public and private keys
 Passwords and other confidential data.

A smart card is a device similar in size to a credit card. Smart cards are dependent on the
Windows Server 2003 public key infrastructure (PKI). A smart card is used in conjunction with
a personal identification number (PIN) to enable authentication and single sign-on in the
enterprise. The smart card stores the private key of the user, the public key certificate and
logon information. The user inserts the smart card into the smart card reader that is attached to
the computer, and then enters the PIN when prompted for it.

Smart cards are typically used for interactive user logons to provide further security and
encryption for logon credentials. Smart card readers can be installed on servers, so that you can
require administrators to use smart card authentication when using an administrator account. You
can also require remote access logons to use smart card authentication. This assists in preventing
unauthorized users from using VPN or dial-up connections to launch an attack on your network.
Through smart cards, you can encrypt confidential files and other confidential user information
as well.

The cost associated with implementing and administering a smart card authentication strategy is
determined by the following elements:

 The number of and location of users that are to be enrolled in your smart card
authentication strategy.
 The method which the organization is going to utilize to issue smart cards to users.
 The procedures which are going to be implemented to deal with users who misplace their
smart cards.

In addition to the above, with smart card authentication, each computer has to have a smart card
reader, and one computer has to be configured as the smart card enrollment station. It is
recommended to use only plug and play Personal Computer/Smart Card (PC/SC) compliant smart
card readers. The user responsible for the smart card enrollment station has to be issued with an
Enrollment Agent certificate. The owner of this certificate can issue smart cards for users.

Internet Authentication Service (IAS)

The Internet Authentication Service (IAS) functions as a Remote Authentication Dial-In User
Service (RADIUS) server, and can be used to manage the login process of users by providing the
following key features:

 Management of user authentication: IAS can be used for dial-up and VPN access, and for
wireless access.
 The IAS service provides the RADIUS protocol which it utilizes to pass authentication
and authorization requests to the proper Active Directory domain.
 Verification of the user to access network resources
 Tracking of user activity

Internet Authentication Service (IAS) is supported in the following editions of Windows Server
2003:

 Windows Server 2003 Standard Edition
 Windows Server 2003 Enterprise Edition
 Windows Server 2003 Datacenter Edition

The default authentication protocols supported by IAS are:

 Point-to-Point Protocol (PPP): The following PPP protocols are supported by IAS:
o EAP-MD5
o Extensible Authentication Protocol-Transport Level Security (EAP-TLS)

Although EAP-TLS is considered the strongest remote access services authentication
method, it can only be used when clients are running Windows 2000, Windows XP or
Windows Server 2003. EAP-TLS utilizes public key certificate based authentication to
provide authentication for wireless connections.

 Extensible Authentication Protocol (EAP): The following EAP protocols are supported
by IAS:
o Password Authentication Protocol (PAP): Windows Server 2003 supports PAP
for backward compatibility. With PAP, user information (user name and
password) is transmitted in clear text.
o Challenge Handshake Authentication Protocol (CHAP): CHAP encrypts the user
name and password of the user through MD5 encryption. A requirement of CHAP
is that user password information has to be stored using reversible encryption in
Active Directory.
o Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-
CHAP provides better security than that provided by CHAP. The passwords of
users do not have to be stored using reversible encryption.
o Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP
version 2): MS-CHAP version 2 includes the security capability of mutual
authentication. Mutual authentication occurs when the server and client both
verify the identity of each other. MS-CHAP version 2 utilizes separate encryption
keys for sending and receiving security information.

Once IAS has authenticated the user, it can use a few authorization methods to verify that the
authenticated user is permitted to access the network resource(s) he/she is requesting to access.
This includes the following:

 Automatic Number Identification/Calling Line Identification (ANI/CLI): With ANI/CLI,
authorization is determined by the number which the user is calling from.
 Dialed Number Identification Service (DNIS): Authorization is determined by examining
the phone number which the caller is using.
 Remote access policies: Remote access policies can be used to allow or deny network
connection attempts, based on conditions such as group membership details, time of day,
day of week, the access number being used, and other conditions. You can also use
remote access policies to control the amount of time which a remote access client can be
connected to the network. You can specify an encryption level which a remote access
client should use to access network resources.
 Guest authorization: Guest authorization enables users to perform limited tasks, without
needing to provide user credentials (user name and password).

Wireless clients can use certificates, smart cards, and a user name or password to authenticate to
an IAS server. Before a wireless client can connect to your corporate network, you need to define
the following:

 Create a remote access policy for the wireless users which permits these users to access
the corporate network. The remote access policy should include:
o The access method
o User and group information
o The authentication method
o The policy encryption method
o The appropriate permissions
 All Wireless APs should be added on the IAS server as RADIUS clients. This ensures that
login information can be forwarded to IAS.

The events which occur when wireless clients requests network access are outlined below.

1. The Wireless AP requests authentication information from the wireless client.
2. The wireless client then passes this information to the Wireless AP. The Wireless AP
forwards the information to IAS.
3. When the information IAS receives is valid, it passes an encrypted authentication key to
the Wireless AP.
4. The Wireless AP next utilizes the encrypted authentication key to create a session with
the wireless client.

How to install the Internet Authentication Service (IAS) on a domain controller

1. Click Start, Programs, Control Panel, and then double-click Add/Remove Programs.
2. Select Add/Remove Windows Components.
3. This launches the Windows Components Wizard.
4. Click Networking Services. Click Details.
5. When the Networking Services dialog box opens, enable the Internet Authentication
Service checkbox.
6. Click OK.
7. To start the actual installation of IAS, click Next.
8. When prompted, place the Windows Server 2003 CD into the CD-ROM drive.
9. Once the installation of IAS is complete, click Finish, and then click Close.
10. To register the IAS server with Active Directory so that it can obtain user information
from Active Directory domains, click Start, Programs, Administrative Tools, and then
Internet Authentication Service.
11. Right-click Internet Authentication Service, and then select Register Server in Active
Directory on the shortcut menu.
12. Click OK.

How to create a remote access policy

1. Click Start, Programs, Administrative Tools, and then Internet Authentication Service.
2. Right-click Remote Access Policies and then click New Remote Access Policy on the
shortcut menu.
3. This action starts the New Remote Access Policy Wizard. Click Next on the welcome
screen of the wizard.
4. Click the Use the wizard to set up a typical policy for a common scenario option, and
enter a name for the new remote access policy in the Policy name box. Click Next.
5. When the Access Method screen appears, choose the Dialup access method. The other
access method options include:
o VPN access
o Wireless access
o Ethernet
6. Click Next.
7. Select Group and then choose the group to which you want to grant remote access
permission. Click Next.
8. When the Authentication Methods screen appears, choose one of the following
authentication methods for the new remote access policy:
o Extensible Authentication Protocol (EAP)
o Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
o Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
9. Click Next.
10. Specify the encryption level which users should utilize to connect to the IAS server. Click
Next.
11. Click Finish.

If you want to set any further remote access conditions, right-click the particular remote access
policy, and click Properties from the shortcut menu.

Introduction to Mobile Technologies

ATM is an acronym for Asynchronous Transfer Mode. It's a high-speed networking standard
designed to support voice, video and data communications, and to improve utilization and
quality of service (QoS) on high-traffic networks.

ATM is normally utilized by internet service providers on their private long-distance networks.
ATM operates at the data link layer (Layer 2 in the OSI model) over either fiber or twisted-pair
cable.

Although it's fading in favor of the NGN (next generation network), this protocol is critical to the
SONET/SDH backbone, the PSTN (public switched telephone network) and ISDN (Integrated
Services Digital Network).

ATM also stands for automated teller machine. If you're looking for that type of ATM network
(to see where ATMs are located), you might find VISA's ATM Locator or Mastercard's ATM
Locator to be helpful.

How ATM Networks Work

ATM differs from more common data link technologies like Ethernet in several ways.

For one, ATM uses zero routing. Instead of using software, dedicated hardware devices known
as ATM switches establish point-to-point connections between endpoints and data flows directly
from source to destination.

Additionally, instead of using variable-length packets like Ethernet and Internet Protocol do,
ATM utilizes fixed-size cells to encode data. Each ATM cell is 53 bytes long: 48 bytes of
payload and five bytes of header information.

Each cell is processed in its own time slot. When one cell is finished, the next cell is
processed. This is why it's called asynchronous: cells are not sent on a fixed, regular schedule
relative to one another.

The connection can be preconfigured by the service provider to make a dedicated/permanent
circuit or be switched/set up on demand and then terminated at the end of its use.

Four data bit rates are usually available for ATM services: Available Bit Rate, Constant Bit Rate,
Unspecified Bit Rate and Variable Bit Rate (VBR).

The performance of ATM is often expressed in the form of OC (Optical Carrier) levels, written
as "OC-xxx." Performance levels as high as 10 Gbps (OC-192) are technically feasible with
ATM. However, more common for ATM is 155 Mbps (OC-3) and 622 Mbps (OC-12).

Without routing and with fixed-size cells, networks can much more easily manage bandwidth
under ATM than other technologies like Ethernet. The high cost of ATM relative to Ethernet is
one factor that has limited its adoption to the backbone and other high-performance, specialized
networks.

Wireless ATM

A wireless network with an ATM core is called a mobile ATM or wireless ATM. This type of
ATM network was designed to offer high-speed mobile communications.

Similar to other wireless technologies, the ATM cells are broadcast from a base station and
transmitted to mobile terminals, where an ATM switch performs the mobility functions.

VoATM

Another data protocol that sends voice, video, and data packets through the ATM network is
called Voice over Asynchronous Transfer Mode (VoATM). It's similar to VoIP but doesn't use
the IP protocol and is more expensive to implement.

This type of voice traffic is encapsulated in AAL1/AAL2 ATM packets.

Asynchronous Transfer Mode (ATM)

Asynchronous transfer mode (ATM) is a switching technique used by telecommunication
networks that uses asynchronous time-division multiplexing to encode data into small, fixed-
sized cells. This differs from Ethernet or the Internet, which use variable-size packets or
frames. ATM is the core protocol used over the synchronous optical network (SONET) backbone
of the Integrated Services Digital Network (ISDN).

Techopedia explains Asynchronous Transfer Mode (ATM)

Asynchronous transfer mode was designed with cells in mind. This is because voice data is
converted to packets and is forced to share a network with burst data (large packet data) passing
through the same medium. So, no matter how small the voice packets are, they always encounter
full-sized data packets, and could experience maximum queuing delays. This is why all data
packets should be of the same size. The fixed cell structure of ATM means it can be easily
switched by hardware without the delays introduced by routed frames and software switching.
This is why some people believe that ATM is the key to the internet bandwidth problem. ATM
creates fixed routes between two points before data transfer begins, which differs from TCP/IP,
where data is divided into packets, each of which takes a different route to get to its destination.
This makes it easier to bill data usage. However, an ATM network is less adaptable to a sudden
network traffic surge.
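To make the fixed-cell format concrete for both the "How ATM Networks Work" section above and this passage, here is an added Python example (not from either source) that assembles, parses and segments 53-byte UNI cells, computing the Header Error Control byte as CRC-8 with generator x^8 + x^2 + x + 1 over the four header bytes, XORed with 0x55, as ITU-T I.432 specifies. The VPI/VCI numbers and the sample message are constructed.

```python
import struct

CELL_LEN, HEADER_LEN, PAYLOAD_LEN = 53, 5, 48

def hec(header4):
    """ITU-T I.432 Header Error Control: CRC-8 (x^8 + x^2 + x + 1) over the first
    four header bytes, XORed with the coset leader 0x55."""
    crc = 0
    for byte in header4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def build_cell(vpi, vci, pt, clp, payload, gfc=0):
    """Assemble one 53-byte UNI cell: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8) + 48-byte payload."""
    if not (0 <= vpi < 256 and 0 <= vci < 65536 and 0 <= pt < 8 and clp in (0, 1) and 0 <= gfc < 16):
        raise ValueError("header field out of range")
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be exactly 48 bytes")
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    header4 = struct.pack("!I", word)
    return header4 + bytes([hec(header4)]) + payload

def parse_cell(cell):
    """Split a cell back into its fields; hec_ok is False if the header was corrupted in transit."""
    if len(cell) != CELL_LEN:
        raise ValueError("an ATM cell is always 53 bytes")
    word, = struct.unpack("!I", cell[:4])
    return {
        "gfc": word >> 28, "vpi": (word >> 20) & 0xFF, "vci": (word >> 4) & 0xFFFF,
        "pt": (word >> 1) & 0x7, "clp": word & 0x1,
        "hec_ok": cell[4] == hec(cell[:4]), "payload": cell[5:],
    }

def segment(data, vpi, vci):
    """Chop a variable-length message into fixed 48-byte payloads, zero-padding the last
    one and setting PT bit 0 (AAL5 end-of-message indication) on the final cell."""
    cells = []
    for i in range(0, len(data), PAYLOAD_LEN):
        chunk = data[i:i + PAYLOAD_LEN]
        last = i + PAYLOAD_LEN >= len(data)
        cells.append(build_cell(vpi, vci, pt=1 if last else 0, clp=0,
                                payload=chunk.ljust(PAYLOAD_LEN, b"\x00")))
    return cells
```

A switch that finds a bad HEC discards the cell rather than forwarding it on the wrong virtual circuit; this fixed-position hardware check is what lets ATM dispense with software routing.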

ATM provides data link layer services that run on the OSI's Layer 1 physical links. It
functions much like small-packet-switched and circuit-switched networks, which makes it ideal
for real-time, low-latency data such as VoIP and video, as well as for high-throughput data
traffic like file transfers. A virtual circuit or connection must be established before the two end
points can actually exchange data.

ATM services generally have four different bit rate choices:

• Available Bit Rate: Provides a guaranteed minimum capacity, but data can burst to higher
capacities when network traffic is minimal.
• Constant Bit Rate: Specifies a fixed bit rate so that data is sent in a steady stream. This is
analogous to a leased line.
• Unspecified Bit Rate: Doesn't guarantee any throughput level and is used for applications such
as file transfers that can tolerate delays.
• Variable Bit Rate (VBR): Provides a specified throughput, but data is not sent evenly. This makes
it a popular choice for voice and videoconferencing.

Wireless application protocol (WAP) is a communications protocol used for wireless data
access through most mobile wireless networks. WAP enhances interoperability between wireless
specifications and facilitates instant connectivity between interactive wireless devices (such as
mobile phones) and the Internet.

WAP functions in an open application environment and can be implemented on any type of OS.
Mobile users prefer WAP because of its ability to deliver electronic information efficiently.

Wireless Application Protocol (WAP)

WAP CSS is a mobile-oriented profile of cascading style sheets (CSS) that allows
developers to adapt page layout to the screen sizes of mobile devices. Content written with WAP
CSS does not need to be reformatted for each device, because the style sheet controls page layout
compatibility with a variety of mobile device display screens.

The core interface of the WAP architecture is the WAP datagram protocol, which corresponds to
the transport layer protocols of the Internet model and lets the upper-layer protocols operate
across different mobile wireless networks and platforms. The transport layer deals
with physical network issues, allowing wireless global operations to readily access wireless
gateways. A WAP gateway is a server that facilitates wireless network access.

The WAP Forum, now known as the Open Mobile Alliance (OMA), provides WAP tool testing,
specification development and support for all mobile services.


Bluetooth Security
Bluetooth security is increasingly important with hackers using Bluejacking & Bluebugging
and other techniques, but Bluetooth security is now improving.


Bluetooth security, like that for any other wireless system, is very important. With hackers gaining
access to an ever-increasing number of systems, Bluetooth security is increasingly important.

The latest releases of Bluetooth have increased the levels of security to combat the threat of
hackers - any wireless link provides an opportunity for entry into a network.

Not only is the level of security increasing on the hardware elements that often have inbuilt
security, but also the level of security built into Bluetooth itself is improving.

Bluetooth security basics

Bluetooth security is of paramount importance as devices are susceptible to a variety of wireless
and networking attacks including denial of service attacks, eavesdropping, man-in-the-middle
attacks, message modification, and resource misappropriation.

Bluetooth security must also address more specific Bluetooth related attacks that target known
vulnerabilities in Bluetooth implementations and specifications. These may include attacks
against improperly secured Bluetooth implementations which can provide attackers with
unauthorized access.

Many users may not believe there is an issue with Bluetooth security, but hackers may be able to
gain access to information from phone lists to more sensitive information that others may hold
on Bluetooth enabled phones and other devices.

There are three basic means of providing Bluetooth security:

• Authentication: In this process the identity of the communicating devices is verified. User
authentication is not part of the main Bluetooth security elements of the specification.
• Confidentiality: This process prevents information being eavesdropped by ensuring that only
authorised devices can access and view the data.
• Authorisation: This process prevents access by ensuring that a device is authorised to use a
service before enabling it to do so.

Security measures provided by the Bluetooth specifications

The various versions of the specifications detail four Bluetooth security modes. Each Bluetooth
device must operate in one of four modes:

• Bluetooth Security Mode 1: This mode is non-secure. The authentication and encryption
functionality is bypassed and the device is susceptible to hacking. Devices operating in
Bluetooth Security Mode 1 do not employ any mechanisms to prevent other Bluetooth-enabled
devices from establishing connections. While it is easy to make connections, security is an
issue. It may be applicable to short-range devices operating in an area where other devices
may not be present. Security Mode 1 is only supported up to Bluetooth 2.0 + EDR and not
beyond.
• Bluetooth Security Mode 2: For this Bluetooth security mode, a centralised security manager
controls access to specific services and devices. The Bluetooth security manager maintains
policies for access control and interfaces with other protocols and device users.

It is possible to apply varying trust levels and policies to restrict access for applications with
different security requirements, even when they operate in parallel. It is possible to grant access
to some services without providing access to other services. The concept of authorisation is
introduced in Bluetooth security mode 2. Using this it is possible to determine if a specific device
is allowed to have access to a specific service.

Although authentication and encryption mechanisms are applicable to Bluetooth Security Mode
2, they are implemented at the LMP layer (below L2CAP).

All Bluetooth devices can support Bluetooth Security Mode 2; however, v2.1 + EDR devices
support it only for backward compatibility with earlier devices.
• Bluetooth Security Mode 3: In Bluetooth Security Mode 3, the Bluetooth device initiates
security procedures before any physical link is established. In this mode, authentication and
encryption are used for all connections to and from the device.

The authentication and encryption processes use a separate secret link key that is shared by
paired devices, once the pairing has been established.

Bluetooth Security Mode 3 is only supported in devices that conform to Bluetooth 2.0 + EDR or
earlier.
• Bluetooth Security Mode 4: Bluetooth Security Mode 4 was introduced in Bluetooth v2.1 +
EDR.

In Bluetooth Security Mode 4 the security procedures are initiated after link setup. Secure
Simple Pairing uses what are termed Elliptic Curve Diffie Hellman (ECDH) techniques for key
exchange and link key generation.

The device authentication and encryption algorithms are the same as those
defined in Bluetooth v2.0 + EDR.

The security requirements for services protected by Security Mode 4 are as follows:
o Authenticated link key required
o Unauthenticated link key required
o No security required

Whether or not a link key is authenticated depends on the Secure Simple Pairing association
model used. Bluetooth Security Mode 4 is mandatory for communication between v2.1 + EDR
devices.

Common Bluetooth security issues

There are a number of ways in which Bluetooth security can be penetrated, often because there is
little security in place. The major forms of Bluetooth security problems fall into the following
categories:

• Bluejacking: Bluejacking is often not a major malicious security problem, although there can be
issues with it, especially as it enables someone to get their data onto another person's phone,
etc. Bluejacking involves the sending of a vCard message via Bluetooth to other Bluetooth users
within the locality - typically 10 metres. The aim is that the recipient will not realise what the
message is and allow it into their address book. Thereafter messages might be automatically
opened because they have come from a supposedly known contact.
• Bluebugging: This is more of an issue. This form of Bluetooth security issue allows hackers to
remotely access a phone and use its features. This may include placing calls and sending text
messages while the owner does not realise that the phone has been taken over.
• Car Whispering: This involves the use of software that allows hackers to send and receive
audio to and from a Bluetooth enabled car stereo system.
