18EET452

2- TOOLS AND METHODS USED IN STAGES OF AN ATTACK ON NETWORK

1) Initial covering: two stages Reconnaissance- social networking websites Uncovers information on company’s IP 2) Network probe Ping sweep- seek out potential targets Port scanning 3) Crossing the line toward electronic crime: Commits computer crime by exploiting possible holes on the target system 4) Capturing the network: Attackers attempts to own the network Uses tools to remove any evidence of the attack Trojan horses, backdoors 5) Grab the data: Attacker has captured the network Steal confidential data, customer CC information, deface WebPages… 6) Covering the attack: Extend misuse of the attack without being detected. Start a fresh reconnaissance to a related target system Continue use of resources Remove evidence of hacking

PROXY SEVERS AND ANONYMIZERS PROXY SERVER ➢ A proxy server is a dedicated computer or a software system running on a computer that acts as an intermediary between an endpoint device, such as a computer, and another server from which a user or client is requesting a service. ➢ A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity.

Purpose of a proxy server ➢ Improve Performance: ➢ Filter Requests ➢ Keep system behind the curtain ➢ Used as IP address multiplexer ➢ Its Cache memory can serve all users

Attack on this: the attacker first connects to a proxy server- establishes connection with the target through existing connection with the proxy.

Page 1

18EET452

PHISHING ➢ Stealing personal and financial data ➢ Also can infect systems with viruses ➢ A method of online ID theft Work flow of /How Phishing works? 1. Planning : use mass mailing and address collection techniques- spammers 2. Setup : E-Mail / webpage to collect data about the target 3. Attack : send a phony message to the target 4. Collection: record the information obtained 5. and fraud: use information to commit fraud or illegal purchases

Example of phishing : Sometimes spammers create fake pages that look like the Facebook login page. When you enter your email and password on one of these pages, the spammer records your information and keeps it. This is called phishing. The fake sites, like the one below, use a similar URL to Facebookcom in an attempt to steal people’s login information.The people behind these websites, then use the information to access victims’ accounts and send messages to their friends, further propagating the illegitimate sites. In some instances, the phishers make money by exploiting the personal information they’ve obtained.

Page 2

18EET452

KEYLOGGERS ➢ , often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. ➢ It has uses in the study of human–computer interaction. ➢ There are numerous keylogging methods, ranging from hardware and software-based approaches to acoustic analysis. Types of Keylogger 1. Software-based keyloggers Software-based keyloggers use the target computer’s in various ways, including: imitating a virtual machine, acting as the keyboard driver (kernel-based), using the application programming interface to watch keyboard strokes (API-based), recording information submitted on web-based forms (Form Grabber based) or capturing network traffic associated with HTTP POST events to steal passwords (Packet analyzers). Usually consists of two files DLL and EXE 2. Hardware keyloggers Installing a hardware circuit between the keyboard and the computer that logs keyboard stroke activity (keyboard hardware). Target- ATMs 3. Acoustic keylogging Acoustic keylogging monitors the sound created by each individual keystroke and uses the subtly different acoustic signature that each key emits to analyze and determine what the target computer’s user is typing. AntiKeylogger An anti-keylogger (or anti–keystroke logger) is a type of software specifically designed for the detection of keystroke logger software; often, such software will also incorporate the ability to delete or at least immobilize hidden keystroke logger software on your computer.

Page 3

18EET452

Benefits of Antikeyloggers

SPYWARES is software that aims to gather information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.

TROJAN HORSES AND BACKDOORS A , or Trojan, in computing is generally a non-self-replicating type of program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm Examples of threats by Trojans ➢ Erase, overwrite or corrupt data on a computer ➢ Help to spread other malware such as viruses- dropper Trojan ➢ Deactivate or interface with antivirus and programs ➢ Allow remote access to your computer- remote access Trojan ➢ Upload and download files ➢ Gather E-mail address and use for spam ➢ Log keystrokes to steal information – pwds, CC numbers ➢ Copy fake links to false websites ➢ slowdown, restart or shutdown the system ➢ Disable task manager ➢ Disable the control panel BACKDOORS ➢ A in a computer system is a method of bypassing normal , securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. ➢ Also called a trapdoor. An undocumented way of gaining access to a program, online service or Page 4

18EET452 an entire computer system. ➢ The backdoor is written by the programmer who creates the code for the program. It is often only known by the programmer. A backdoor is a potential security risk.

Functions of backdoors/ allows an attacker to ➢ create, delete, rename, copy or edit any file ➢ Execute commands to change system settings ➢ Alter the windows registry ➢ Run, control and terminate applications ➢ Install arbitrary software and parasites ➢ Control computer hardware devices, ➢ Shutdown or restart computer ➢ Functions of backdoors ➢ Steals sensitive personal information, valuable documents, passwords, login name… ➢ Records keystrokes, captures screenshots ➢ Sends gathered data to predefined E-mail addresses ➢ Infects files, corrupts installed apps, damages entire system ➢ Distributes infected files to remote computers ➢ Installs hidden FTP server ➢ Degrades connection and overall system performance ➢ Decreases system security ➢ Provides no uninstall feature, hides processes, files and other objects EXAMPLES OF BACKDOOR TROJANS ➢ Back Orifice : for remote system administration ➢ Bifrost : can infect Win95 through Vista, execute arbitrary code ➢ SAP backdoors : infects SAP business objects ➢ Onapsis Bizploit: Onapsis Bizploit is an SAP penetration testing framework to assist security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of specialized SAP security assessment

HOW TO PROTECT FROM TROJAN HORSES AND BACKDOORS ➢ Stay away from suspect websites/ links ➢ Surf on the web cautiously : avoid P2P networks ➢ Install antivirus/ Trojan remover software

Page 5

18EET452

STEGANOGRAPHY

➢ Steganography (from Greek steganos, or "covered," and graphie, or "writing") is the hiding of a secret message within an ordinary message and the extraction of it at its destination. ➢ Steganography takes cryptography a step farther by hiding an encrypted message so that no one suspects it exists. Ideally, anyone scanning your data will fail to know it contains encrypted data. ➢ Other names: data hiding, information hiding, digital watermarking. ➢ Digital watermarking is the act of hiding a message (trademark) related to a digital signal (i.e. an image, song, and video) within the signal itself. ➢ It is a concept closely related to steganography, in that they both hide a message inside a

digital signal. ➢ However, what separates them is their goal. ➢ Watermarking tries to hide a message related to the actual content of the digital signal, ➢ While in steganography the digital signal has no relation to the message, and it is merely used as a cover to hide its existence.

DIFFERENCE BETWEEN STEGANOGRAPHY AND CRYPTOGRAPHY ➢ Cryptography is the study of hiding information, while Steganography deals with composing hidden messages so that only the sender and the receiver know that the message even exists. ➢ In Steganography, only the sender and the receiver know the existence of the message, whereas in cryptography the existence of the encrypted message is visible to the world. ➢ Due to this, Steganography removes the unwanted attention coming to the hidden message. ➢ Cryptographic methods try to protect the content of a message, while Steganography uses methods that would hide both the message as well as the content.

Page 6

18EET452

➢ By combining Steganography and Cryptography one can achieve better security.

STEGANALYSIS ➢ Steganalysis is the study of detecting messages hidden using steganography; ➢ The goal of steganalysis is to identify suspected packages, determine whether or not they have a encoded into them, and, if possible, recover that payload.

Page 7

18EET452

SQL INJECTION ➢ SQL injection is a technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the contents to the attacker). ➢ It is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

WHAT AN ATTACKER CAN DO? ➢ ByPassing Logins : by obtaining username and passwords ➢ Accessing secret data : reconnaissance ➢ Adding new data or Modifying contents of website: INSERT/UPDATE ➢ Shutting down the My SQL server

Steps for SQL Injection Attack Step 1: Finding Vulnerable Website:  Find the Vulnerable websites (hackable websites) using Google Dork list, web pages that allow submitting data i.e login page, search page, feedback etc.  Attackers look for webpage that display HTML commands such as POST or GET by checking the sites’s source code. Step 2: Checking the source code of any website,

• attacker checks the source code of the HTML and look for “FORM” tag in the HTML.

• Everything between the

and
have potential parameters which will be useful for finding vulnerabilities. Step 3:The attacker inputs a single quote under the text box provided on the webpage to accept the username and password.

• Checks the user input variable is sanitized or interpreted literally by the server.  If the page remains in same page or showing that page not found or showing some other webpages. Then it is not vulnerable.  If it showing any errors which is related to query, then it is vulnerable.

Step 4: Attackers uses SQL commands

• such as SELECT statement command to retrieve data from data base or INSERT statement to add information to the database.

Page 8

18EET452

BLIND SQL INJECTION ➢ Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.

➢ The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. ➢ This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. ➢ There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established HOW TO PREVENT SQL INJECTION ATTACKS  Input validation ✓ Replace all single quotes to two single quotes ✓ Sanitize the input: clean characters like ;, --, select, etc ✓ Numeric values should be checked while accepting a query string value ✓ Keep all text boxes and form fields short  Modify error reports SQL errors should not be displayed to the outside world  Other preventions ✓ Never use default system accounts for SQL server 2000 ✓ Isolate database server and : different machines ✓ Extended stored procedures, user defined functions should be moved to an isolated server.

BUFFER OVERFLOW ➢ In and programming, a , or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. ➢ This may result in erratic program behavior ➢ Buffer overflows are not easy to discover and even when one is discovered, it is generally extremely difficult to exploit. ➢ In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function's return pointer. ➢ The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker's data. ➢ At the code level, buffer overflow vulnerabilities usually involve the violation of a programmer's assumptions. ➢ Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon. ➢ Even bounded functions, such as strncpy (), can cause vulnerabilities when used incorrectly.

Page 9

18EET452

➢ The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.

TYPES OF BUFFER OVERFLOW ➢ stack-based buffer overflow ➢ Heap buffer overflow ➢ NOPs 1) Stack-Based Buffer Overflow  A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack  Attack may exploit this to manipulate the program by ➢ Changing the local variable ➢ Changing the return address ➢ Changing the function pointer or exception handler 2) Heap buffer overflow ➢ A heap overflow is a type of buffer overflow that occurs in the heap data area. ➢ Heap overflows are exploitable in a different manner to that of stack-based overflows. ➢ Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. ➢ Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. ➢ The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer. 3) NOP-SLED ➢ A NOP-sled is the oldest and most widely known technique for successfully exploiting a . ➢ It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. ➢ To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the is located. ➢ This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no- ops until it is redirected to the actual malicious code by the jump at the end. HOW TO MINIMIZE BUFFER OVERFLOW ➢ Assessment of secure code manually ➢ Disable stack execution ➢ Compiler tools ➢ Dynamic run-time checks ➢ Various tools are used to detect/ defend buffer overflow ✓ stackGaurd

Page 10

18EET452

✓ Propolice ✓ LibSafe ATTACKS ON WIRELESS NETWORK In security breaches, penetration of a wireless network through unauthorized access termed as wireless cracking Traditional techniques ➢ Sniffing ➢ Spoofing ➢ DoS ➢ Man-in-the-middle attack ➢ cracking How to secure the wireless n/w 1. Change the default settings of all the equipments/ components of wireless network 2. Enable WPA/WEP encryption 3. Change the default SSID 4. Enable MAC address filtering 5. Disable remote login 6. Disable SSID broadcast 7. Disable the features that are not used in AP 8. Avoid providing the n/w a name which can be easily identified 9. Connect only to secured wireless n/w 10.Upgrade router’s firmware periodically 11. Assign static IP address to devices 12. Enable firewalls on each computer & the router 13. Position the router or AP safely 14. Turn off the n/w during extended periods when not in use 15. Periodic and regular monitor wireless n/w security

PHISHING: phishing is a type of deception designed to steal your identity

Page 11

18EET452

Methods of Phishing Attack

These techniques are briefed in the following: i. Dragnet Method: This method involves the use of spammed emails, bearing falsified corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to a large class of people (e.g., customers of a particular financial institution or members of a particular auction site) to websites or pop-up windows with similarly falsified identification to trigger immediate response. ii. Rod-and-Reel method: This method targets prospective victims with whom initial contact is already made. Specific prospective victims so defined are targeted with false information to them to prompt their disclosure of personal and financial data. iii. Lobsterpot Method: It consists of creation of websites similar to legitimate corporate websites which narrowly defined class of victims by phishers. Smaller class of prospective victims identified in advance, but no triggering of victim response. It is enough that the victims mistake the spoofed website as a legitimate and trust worthy site and provides information of personal data. iv. Gillnet phishing: In gillnet phishing; phishers introduce malicious code into emails and websites. They can, for example misuse browser functionality by injecting hostile content into another site’s pop – up window. Merely by opening a particular email, or browsing a particular website, Internet users may have a Trojan horse introduced into their systems. In some cases, the malicious code will change settings in user’s systems, so that users who want to visit legitimate banking websites will be redirected to a lookalike phishing site. In other cases, the malicious code will record user’s keystrokes and passwords when they visit legitimate banking sites, then transmit those data to phishers for later illegal access to users’ financial accounts.

Phishing techniques

The attacker can attack on any website in different ways. Some of them are as follows

URL (weblink) manipulation: This type of phishing is possible by making some changes in the link provided by the spoofed page. A number of phishing attacks use technical deception process which is designed to make a link in an e- mail that appears to the spoofed organization link. It is possible by doing misspell the URLs or by the use of sub- domains to target the web user. For example, in the URL http://www.mybank.services.com/, it appears that the URL is asking to login the ‘mybank.services’ part of the website, which is actually a phishing URL of the legitimate site.

Website forgery: An phishing attack can use flaws in a trusted website’s scripts tags against the web user. This type of phishing attack which is also known as cross-site scripting is very problematic, because they redirect the user to sign in at bank or services column of web page. In that page everything from the web address to the security certificates appears original and legitimate.

Filter evasion: Images can also be used for the phishing attack. By the use of image in place of text, it is very difficult to trace the phishing webpage. The filter evasion technique uses this methodology while making the phishing webpage. This type of phishing web page takes less time to prepare the spoofing websites, and uses less number of coding tags on the webpage.

Phone phishing: Since the mobile users are increasing rapidly and the internet access from mobile is also increasing, so the phishing attacks are targeting the mobile user to steal the confidential information. In the mobile phishing, the messages looks link coming from the mobile that claimed to be from a bank which told users to dial a number regarding Page 12

18EET452 the problems with their bank account.

Flash phishing : anti phishing toolbar is install/enabled to check the web page content for signs of phishing but have limitations & they don’t analyze flash objects at all phishers use it to emulate the legitimate website. Netizens believe that the website is “clean “and is real website because anti phishing toolbar is unable to detect it

Social phishing: reveal sensitive data by other means and it works in a systematic manner

➢ Phisher send a mail as if it is sent by bank asking to call them back because there was a security breach ➢ The victim calls the bank on phone displayed in the mail ➢ The phone number they provided is fake so the victim is redirected to phisher ➢ Phisher speaks with victim in the similar manner/style as bank employee and gets all his information like account number, password etc…

Classification of phishing scams

Phishing attacks can be classified into various types according to the way attack is done. According to many researchers the various types of phishing attacks has been described below.

Page 13

18EET452

Deceptive Phishing- Messages about the need to verify account information, system failure requiring users to re-enter their information, fictitious account charges, undesirable account changes, new free services requiring quick action, and many other scams are broadcast to a wide group of recipients with the hope that the victim will respond by clicking a link to or signing onto a bogus site where their confidential information falls in this category.

Malware-Based Phishing- Refers to scams that involve running malicious software on users' PCs. Malware can be introduced as an email attachment, as a downloadable file from a web site, or by exploiting known security vulnerabilities.

Key loggers and Screen loggers

This type of malware tracks the input from the keyboard and the relevant information will be send to the hackers through internet. They go into the users' browsers as a small program and run automatically when the browser is started as well as into system files as device drivers or screen monitors.

Session Hijacking

This deals with monitoring the activities of the users until they sign in to the account or transaction and create their important information. At that point the infected software will perform unauthorized actions, such as transferring funds, without the user's knowledge.

Web Trojans- They pop-up invisibly when users are attempting to log in. They collect the user's credentials locally and transmit them to the phisher.

Pharming

DNS-Based Phishing -With a pharming scheme, hackers tamper with a company's hosts files or (DNS)domain name system so that requests for URLs or name service return a bogus address and subsequent communications are directed to a fake site.

Hosts File Poisoning- When a user types a URL to visit a website it must first be translated into an IP address before it is transmitted over the Internet. The majority of SMB(small and medium business organizations) users' PCs running a operating system look up these "host names" in their "hosts" file before undertaking a Domain Name System (DNS) lookup. By "poisoning" the hosts file, hackers have a bogus address transmitted, taking the user unwillingly to a fake website where their information can be stolen.

System Reconfiguration Attacks- Modify settings on a user's PC for malicious purposes. For example: URLs in a favorites file might be modified to direct users to look alike websites. For example: a bank website URL may be changed from "www.gmail.com" to "www.gmai1.com".

Data Theft Sensitive data’s will be stored in Pcs. These data’s will be taken by the victims without knowing to the user. Commonly, this information is user information such as passwords, social security numbers, credit card information, other personal information, or other confidential corporate information By stealing confidential communications, design documents, legal opinions, employee related records, etc., thieves profit from selling to those who may want to embarrass or cause economic damage or to competitors.

Content-Injection Phishing- It describes the situation where hackers replace part of the content of a legitimate site with false content designed to mislead or misdirect the user into giving up their confidential information to the hacker. For example, phisher may insert malicious code to log user's credentials or an overlay which can secretly collect information and deliver it to the phisher.

Page 14

18EET452

Man-in-the-Middle Phishing- In these attacks phisher positions themselves between the user and the legitimate website or system. They record the information being entered but continue to pass it on so that users' transactions are not affected. Later they can sell or use the information or credentials collected when the user is not active on the system.

Search Engine Phishing- Occurs when phishers create websites with attractive (often too attractive) sounding offers and have them indexed legitimately with search engines. Users find the sites in the normal course of searching for products or services and are fooled into giving up their information. For example, scammers have set up false banking sites offering lower credit costs or better interest rates than other banks. Victims who use these sites to save or make more from interest charges are

SSL certificate phishing: advanced type of scam. Targets on web server with ssl certificate to create duplicitous website with fraudulent webpage displaying similar “lock “icon

Spear phishing is an attempt to entice a specifically targeted victim to open a malicious attachment or visit a malicious website with the intent of gaining insight into confidential data and/or acting on nefarious objectives against the victim's organization.

Phishing countermeasures ➢ Keep antivirus up to date ➢ Do not click on hyperlinks in E-Mails ➢ Take advantage of anti-Spam software ➢ Verify https (ssl) ➢ Use anti-spyware software ➢ Use firewall ➢ Do not enter sensitive or financial information into pop-up windows ➢ Protect against DNS pharming attacks

IDENTITY THEFT Refers to the fraud that involves pretending to de some else to steal money or get other benefits. Id theft is punishable offense under the Indian IT Act. Identity theft is a term used to refer to fraud that involves stealing money or getting other benefits by pretending to be someone else [15]. As the result, the someone whose identity has been stolen can suffer various consequences when he/she is held responsible for the perpetrator's actions. This is why in many countries specific laws make it a crime to use another person's identity for personal gain.

TYPES OF IDENTITY THEFT

➢ Financial Identity Theft- another's identity to obtain goods and services includes , tax refund fraud, mail fraud etc ➢ Criminal Identity Theft- posing as another when apprehended for a crime, drug trafficking ,smuggling, money laundering ➢ Identity cloning - another's information to assume his or her identity in daily life ➢ Business Identity Theft -another's business name to obtain credit ➢ Medical Identity Theft ➢ Synthetic Identity Theft ➢ Child Identity Theft

Page 15

18EET452

Techniques of ID Theft

1. Human based methods 2. Computer-based technique

1. Human based methods ➢ Direct access to information ➢ Dumpster diving ➢ Mail theft and rerouting ➢ Shoulder surfing ➢ False or disguised ATMs ➢ Dishonest and mistreated employees ➢ Telemarketing and fake telephone calls

Computer-based technique ➢ Backup theft ➢ Hacking, unauthorized access to systems and database theft ➢ Phishing ➢ Pharming ➢ Redirectors ➢ Hardware

Page 16