.  Differentiate among various systems’ security threats:  Privilege escalation  Virus  Worm  Trojan  Spyware  Spam  Adware  Rootkits  Botnets.


 Differentiate among various systems' security threats:
   Privilege escalation
   Virus
   Worm
   Trojan
   Spyware
   Spam
   Adware
   Rootkits
   Botnets
   Logic bomb

 Implement security applications.
 Differentiate between the different ports and protocols, their respective threats and mitigation techniques:
   Antiquated protocols
   TCP/IP hijacking
   Null sessions
   Spoofing
   Man-in-the-middle
   Replay
   DoS
   DDoS
   Domain Name Kiting
   DNS poisoning

 Explain the vulnerabilities and mitigations associated with network devices:
   Privilege escalation
   Weak passwords
   Back doors
   DoS
 Carry out vulnerability assessments using common tools:
   Vulnerability scanners
   Password crackers

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Access attack: someone who should not be able to reach your resources tries to access them. Its purpose is to gain access to information that the attacker isn't authorized to have.
 Modification and repudiation attack: someone wants to modify information in your systems.
 Denial-of-service (DoS) attack

 Eavesdropping
   Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic
   This type of attack is generally passive
 Snooping
   Occurs when someone looks through your files hoping to find something interesting
   The files may be either electronic or on paper

 Interception can be either an active or a passive process
   Intercept (v): to stop something or someone that is going from one place to another before they get there
 In a networked environment, a passive interception would involve someone who routinely monitors network traffic.
 Active interception might include putting a computer system between the sender and receiver to capture information as it's sent. The process is usually covert.
 Intercept missions can occur for years without the knowledge of the parties being monitored.

 Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user
 They're similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
 The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
 Website defacements are a common form of modification attack.

 Repudiation attack is a variation of modification attacks
   repudiate /rɪpjudieɪt/: to refuse to accept or continue with something; to state or show that something is not true or correct
 Repudiation attacks make data or information appear to be invalid or misleading.
 Repudiation attacks are fairly easy to accomplish because most systems don't check outbound mail for validity.
 Repudiation attacks, like modification attacks, usually begin as access attacks.

 Denial-of-Service
   DoS attacks prevent access to resources by users authorized to use those resources
   Most simple DoS attacks occur from a single system
 Types of DoS attacks:
   ping of death
   buffer overflow

 Requires a powerful transmitter

 Distributed Denial-of-Service Attacks
   Multiple computer systems used to conduct the attack
   Zombies
   Botnet: the malicious software running on a zombie

 How do we deal with denial attacks?

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Back doors?

 A spoofing attack is an attempt by someone or something to masquerade as someone else.
 IP spoofing and DNS spoofing

 This type of attack is also an access attack, but it can be used as the starting point for a modification attack
 Places a piece of software between a server and the user.

 The attacker captures the information and replays it later.
 The information can be usernames, passwords, or certificates from authentication systems such as Kerberos.

Captured passwords projected on the wall at DEFCON

 Solutions: Certificates usually contain a unique session identifier and a time stamp.
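How the session identifier plus time stamp defeats a replay, as an added example written for this page (not code from the slides): the server signs each token, rejects tokens whose time stamp is outside its acceptance window, and remembers nonces it has already accepted, so a captured token fails on the second presentation. The key, session names and timestamps are constructed values.

```python
import hmac
import hashlib
import secrets


class ReplayGuard:
    """Accepts each signed token exactly once, and only while it is fresh."""

    def __init__(self, key: bytes, window_seconds: int = 30):
        self.key = key                  # constructed shared secret for the HMAC
        self.window = window_seconds    # tolerated age / clock skew
        self.seen = {}                  # nonce -> issue time, expired as time moves on

    def _mac(self, body: str) -> str:
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str, now: float) -> str:
        # session id + time stamp + random nonce, all covered by the MAC
        body = f"{session_id}|{int(now)}|{secrets.token_hex(8)}"
        return body + "|" + self._mac(body)

    def accept(self, token: str, now: float) -> tuple:
        try:
            session_id, ts, nonce, mac = token.split("|")
            ts = int(ts)
        except ValueError:
            return False, "malformed"
        body = f"{session_id}|{ts}|{nonce}"
        if not hmac.compare_digest(mac, self._mac(body)):
            return False, "bad mac"      # forged, or fields edited after capture
        if abs(now - ts) > self.window:
            return False, "stale"        # captured too long ago to be replayed
        self._expire(now)
        if nonce in self.seen:
            return False, "replay"       # same capture presented a second time
        self.seen[nonce] = ts
        return True, "ok"

    def _expire(self, now: float) -> None:
        # Nonces older than the window can be forgotten: they fail the stale check anyway.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.window:
                del self.seen[nonce]


if __name__ == "__main__":
    guard = ReplayGuard(b"constructed-shared-secret")
    token = guard.issue("session-42", 1_700_000_000.0)
    print(guard.accept(token, 1_700_000_005.0))   # first use
    print(guard.accept(token, 1_700_000_006.0))   # replayed capture
```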

 Records cookies and replays them
 This technique breaks into Gmail accounts
 Technical name: Cross-Site Request Forgery
 Almost all social networking sites are vulnerable to this attack
   Facebook, MySpace, Yahoo, etc.

 Brute-force attack
 Dictionary attack
 Hybrids: mixing the two techniques above

 Privilege escalation can be the result of an error on an administrator's part in assigning too high a permission set to a user, but it's more often associated with bugs left in software.
 Cheat codes in video games.

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Network Access = OSI layers 1 and 2; defines LAN communication (what do I mean by that?)
 Network = OSI layer 3; defines addressing and routing
 Transport/Host-to-Host = OSI layers 4 and 5; defines a communication session between two applications on one or two hosts
 Application = OSI layers 6 and 7; the application data that is being sent across a network

 Maps to layers 1 and 2 of the OSI model
 The level at which a network interface card works
 Source and destination MAC addresses are used to define the communication endpoints
 Protocols include
   Ethernet
   Token Ring
   FDDI

 Routing, IP addressing, and packaging
 Internet Protocol (IP) is a routable protocol, and it's responsible for:
   IP addressing
   Fragmenting and reassembling message packets
   Only routing information; it doesn't verify it for accuracy (accuracy checking is the responsibility of TCP)

 Maps to layers 4 and 5 of the OSI model
 Concerned with establishing sessions between two applications
 Source and destination endpoints are defined by port numbers
 The two transport protocols in TCP/IP are TCP and UDP

 Connection-oriented, "guaranteed" delivery
 Advantages
   Easier to program with
   Truly implements a "session"
   Adds security
 Disadvantages
   More overhead / slower

 Connectionless, non-guaranteed delivery (best effort)
 Advantages
   Fast / low overhead
 Disadvantages
   Harder to program with
   No true sessions
   Less security
   A pain to firewall (due to no connections)

 Most programs, such as web browsers, interface with TCP/IP at this level
 Protocols:
   Hypertext Transfer Protocol (HTTP)
   File Transfer Protocol (FTP)
   Simple Mail Transfer Protocol (SMTP)
   Telnet
   Domain Name Service (DNS)
   Routing Information Protocol (RIP)
   Post Office Protocol (POP3)

 Encapsulate
   to express or show something in a short way
   to completely cover something with something else, especially in order to prevent a substance getting out
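Encapsulation across the layers just listed, as an added example written for this page (not from the slides): an application payload is wrapped in a UDP segment (ports), then an IPv4 packet (addresses, header checksum), then an Ethernet frame (MAC addresses), and the receiver peels the layers off in reverse, checking each header before trusting the one inside it. MAC addresses, IP addresses, ports and the payload are constructed sample values.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Encapsulate: payload -> UDP segment -> IPv4 packet -> Ethernet frame."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # version/IHL, TOS, total length, ID, flags/fragment, TTL, protocol 17 (UDP), checksum 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                         64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)  # EtherType IPv4
    return eth + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Decapsulate layer by layer; raise ValueError on anything that does not check out."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    # A header that includes its own checksum field sums to zero when intact.
    if ip[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17 or total_len > len(ip):
        raise ValueError("not a complete UDP packet")
    seg = ip[ihl:total_len]
    src_port, dst_port, udp_len = struct.unpack("!HHH", seg[:6])
    if udp_len != len(seg):
        raise ValueError("UDP length mismatch")
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(map(str, ip[12:16])),
        "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": seg[8:],
    }


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False
```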

 To change data from one form to another
   AM (Amplitude Modulation)
   FM (Frequency Modulation)
   PM (Phase Modulation)
 Keying methods
   Current State Keying: ASK, FSK
   State Transition Keying: Phase Shift Keying (PSK)
 Modulation and Demodulation
   Used in modems and in transferring data units among OSI layers

 Port Mirroring
 Sniffing the Network
 TCP Attacks

 A device that captures and displays network traffic

 The client and server exchange information in TCP packets
 The TCP client sends an ACK packet to the server
   ACK packets tell the server that a connection is requested
 Server responds with an ACK packet
 The TCP client sends another packet to open the connection
 Instead of opening the connection, the TCP client continues to send ACK packets to the server.
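Detecting the flood of never-completed handshakes described above, as an added example written for this page (not from the slides): the connection table is scanned for half-open entries (Linux netstat reports them as SYN_RECV), counted per remote source and per local port, and compared against thresholds. The connection lines and thresholds are constructed.

```python
import re
from collections import Counter

# Constructed sample in netstat style: proto, recv-q, send-q, local, remote, state.
SAMPLE_CONNECTIONS = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:41002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:41003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:41004 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:41005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:41006 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:41007 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:55000 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.10:55001 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.11:55002 ESTABLISHED
"""

CONN_LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def half_open_report(text: str, per_source: int = 5, total: int = 50) -> dict:
    """Count half-open connections and flag sources and ports that look flooded."""
    by_source = Counter()
    by_local_port = Counter()
    for line in text.splitlines():
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state != "SYN_RECV":          # only half-open entries count
            continue
        by_source[remote_ip] += 1
        by_local_port[int(local_port)] += 1
    total_half_open = sum(by_source.values())
    return {
        "total_half_open": total_half_open,
        # Spoofed source addresses defeat per-source counting, so the overall
        # number of half-open connections is the primary indicator.
        "flood_suspected": total_half_open >= total,
        "noisy_sources": sorted(ip for ip, n in by_source.items() if n >= per_source),
        "targeted_ports": dict(by_local_port),
    }


if __name__ == "__main__":
    print(half_open_report(SAMPLE_CONNECTIONS))
```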

 TCP sequence number attacks occur when an attacker takes control of one end of a TCP session
 Each time a TCP message is sent, either the client or the server generates a sequence number
 The attacker intercepts and then responds with a sequence number similar to the one used in the original session
 The goal is to disrupt or hijack a valid session

 Rogue access points
   Rogue: not behaving in the usual or accepted way and often causing trouble
 Employees often set up home wireless routers for convenience at work
 This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks
 An attacker who can access the network through a rogue access point is behind the company's firewall
   Can directly attack all devices on the network

 War driving
   Beaconing
     At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
   Scanning
     Each wireless device looks for those beacon frames
   Unapproved wireless devices can likewise pick up the beaconing RF transmission
   Formally known as wireless location mapping

 Bluetooth
   A wireless technology that uses short-range RF transmissions
   Provides for rapid "on the fly" and ad hoc connections between devices
 Bluesnarfing
   Stealing data through a Bluetooth connection
   E-mails, calendars, contact lists, and cell phone pictures and videos, …

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Database exploitation
   If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.
 Application exploitation
 E-mail exploitation
 Spyware
   Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it
 Rootkits
   Enable continued privileged access to a computer while actively hiding their presence from administrators by subverting standard operating system functionality or other applications

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Armored Virus
   Designed to make itself difficult to detect or analyze
 Companion Virus
   A companion virus attaches itself to legitimate programs and then creates a program with a different filename extension
 Macro Virus
   A set of programming instructions in a language such as VBScript that commands an application to perform illicit actions

 Multipartite Virus: attacks the system in multiple ways

 Phage Virus
   Modifies and alters other programs and databases
   The only way to remove this virus is to reinstall the programs that are infected
 Polymorphic Virus
   Changes form in order to avoid detection
   Frequently, the virus will encrypt parts of itself to avoid detection

 Stealth Virus
   Attempts to avoid detection by masking itself from applications

 Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.

 Attack Strategies
 Recognizing Common Attacks
 Identifying TCP/IP Security Concerns
 Understanding Software Exploitation
 Surviving Malicious Code
 Other Attacks and Frauds

 Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password
 An attacker can collect a lot of data from a vulnerable system
 Cannot be fixed by patches to the operating systems
 Much less of a problem with modern Windows versions: Windows XP SP2, Vista, or Windows 7

 Check kiting
   A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected
 Domain Name Kiting
   Registrars are organizations that are approved by ICANN to sell and register Internet domain names
   A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee

 Unscrupulous registrars register thousands of Internet domain names and then delete them
 Recently expired domain names are indexed by search engines
 Visitors are directed to a re-registered site
   Which is usually a single Web page with paid advertisement links
 Visitors who click on these links generate money for the registrar

 Used to manage switches, routers, and other network devices
 Early versions did not encrypt passwords, and had other security flaws
 But the old versions are still commonly used

 DNS is used to resolve domain names like to IP addresses like
 DNS has many vulnerabilities
   It was never designed to be secure

 Put false entries into the Hosts file
   C:\Windows\System32\Drivers\etc\hosts

 Attacker sends many spoofed DNS responses
 Target just accepts the first one it gets
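Why "accepts the first one it gets" is the weakness, shown from the resolver side as an added example written for this page (not from the slides): a resolver that remembers each outstanding query with a random 16-bit transaction ID and random source port, and only accepts a response whose source address, ports, transaction ID and question all match that pending query, drops the spoofed flood and takes the single matching answer. The server address, names and answers are constructed; the attacker in the demo is assumed to already know the source port, so the transaction ID alone is what protects the lookup.

```python
import secrets


class PendingQuery:
    def __init__(self, qname: str, server_ip: str):
        self.qname = qname
        self.server_ip = server_ip
        self.txid = secrets.randbelow(1 << 16)            # random 16-bit transaction ID
        self.src_port = 1024 + secrets.randbelow(64512)   # randomised ephemeral port


class Resolver:
    def __init__(self):
        self.pending = {}   # (txid, src_port) -> PendingQuery
        self.cache = {}     # qname -> accepted answer

    def send_query(self, qname: str, server_ip: str) -> PendingQuery:
        q = PendingQuery(qname, server_ip)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, resp: dict) -> str:
        """resp: constructed response with src_ip, src_port, dst_port, txid, qname, answer."""
        q = self.pending.get((resp["txid"], resp["dst_port"]))
        if q is None:
            return "drop: no matching txid/port"     # guessed ID, or query already answered
        if resp["src_ip"] != q.server_ip or resp["src_port"] != 53:
            return "drop: wrong source"
        if resp["qname"].lower() != q.qname.lower():
            return "drop: question mismatch"
        del self.pending[(q.txid, q.src_port)]       # first valid answer closes the query
        self.cache[q.qname] = resp["answer"]
        return "accept"


def demo(spoof_count: int = 50) -> dict:
    """Flood one query with wrong-ID spoofs, then deliver the real answer, then a late spoof."""
    r = Resolver()
    q = r.send_query("www.example.com", "10.0.0.53")
    base = {"src_ip": "10.0.0.53", "src_port": 53, "dst_port": q.src_port,
            "qname": "www.example.com"}
    dropped = 0
    for i in range(spoof_count):
        spoof = dict(base, txid=(q.txid + 1 + i) % 65536, answer="203.0.113.66")
        if r.receive(spoof).startswith("drop"):
            dropped += 1
    real = dict(base, txid=q.txid, answer="198.51.100.10")
    assert r.receive(real) == "accept"
    late = dict(real, answer="203.0.113.66")   # right ID, but the query is no longer pending
    return {"dropped": dropped, "accepted": r.cache["www.example.com"],
            "late_response": r.receive(late)}


if __name__ == "__main__":
    print(demo())
```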

 Intended to let a new DNS server copy the records from an existing one
 Can be used by attackers to get a list of all the machines in a company, like a network diagram
 Usually blocked by modern DNS servers

 Antispyware software will warn you when the hosts file is modified
 Using updated versions of DNS server software prevents older DNS attacks against the server
 But many DNS flaws cannot be patched
 Eventually: Switch to DNSSEC (Domain Name System Security Extensions)
   But DNSSEC is not widely deployed yet, and it has its own problems

 ARP is used to convert IP addresses like into MAC addresses like

 Attacker sends many spoofed ARP responses
 Target just accepts the first one it gets
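Detecting spoofed ARP replies on the wire, as an added example written for this page (not from the slides): the script watches ARP replies, keeps an IP-to-MAC table seeded with pinned bindings for critical hosts such as the gateway, and raises an event when a pinned binding is contradicted or a learned one changes. The capture lines, addresses and pinned bindings are constructed in a tcpdump-like layout.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed capture lines in a tcpdump-like layout.
SAMPLE_LINES = [
    "12:00:01.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:02.000 ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50, length 28",
    "12:00:03.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28",
    "12:00:04.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:05.000 ARP, Reply 192.168.1.50 is-at de:ad:be:ef:00:99, length 28",
]
# Constructed pinned binding: the default gateway's real MAC.
STATIC_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


class ArpWatch:
    def __init__(self, static: Optional[dict] = None):
        self.table = dict(static or {})       # IP -> MAC currently believed
        self.static = set(self.table)         # IPs whose binding must never change
        self.flips = defaultdict(int)         # how often each IP changed MAC

    def observe(self, line: str):
        m = ARP_REPLY.search(line)
        if not m:
            return None                       # requests and non-ARP lines are ignored
        ip, mac = m.group(1), m.group(2).lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return ("new", ip, mac)
        if known != mac:
            self.flips[ip] += 1
            if ip in self.static:
                # Pinned hosts keep their binding; a contradicting reply is the alert.
                return ("alert-static", ip, known, mac)
            self.table[ip] = mac
            return ("changed", ip, known, mac)
        return ("ok", ip, mac)


def scan(lines, static=None):
    """Return every noteworthy event (anything other than a consistent reply)."""
    watch = ArpWatch(static)
    events = (watch.observe(line) for line in lines)
    return [ev for ev in events if ev is not None and ev[0] != "ok"]


if __name__ == "__main__":
    for event in scan(SAMPLE_LINES, STATIC_BINDINGS):
        print(event)
```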