December 19, 2013

3.2.4 Replay


In a replay attack, an attacker captures network traffic and then replays (or retransmits) the captured traffic at a later time, in order to gain unauthorized access to a system.

This type of attack may succeed in spite of encryption because even though the messages may be encrypted, and the attacker may not know what the actual keys and passwords are, the retransmission of valid logon messages may be sufficient to gain access to the network. This is the reason most certificates contain unique session identifiers and time stamps.

Packet sequencing, time stamps, digital signatures and session tokens (or hash) are countermeasures used against replay attacks:
  • Packet sequencing ensures that any packet received that is not in the proper order is dropped.
  • Time stamps ensure that any packet received outside a specified time window is dropped.
  • A session token is a one-time token or hash used to computationally transform a message such that it cannot be duplicated without being detected.
Replay attack is a type of "man-in-the-middle attack" as it involves surreptitiously intercepting traffic between two parties; a replay attack can be prevented using strong digital signatures that include time stamps and inclusion of unique information from the previous transaction such as the value of a constantly incremented packet sequence number.

A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.†

The impetus for deploying a replay attack include to gain access to resources, by replaying an authentication message and when used in a denial-of-service attack, can be used to look up resources in a target host.

3.2.3 DoS


A denial-of-service (DoS) attack is one where an attacker attempts to prevent legitimate users from accessing information or services. By targeting the computer and its network connection, an attacker may be able to prevent normal access to email, web sites, online accounts (banking, etc.), or other services that run on the affected systems.

In a denial-of-service attack, a resource such as a web server is flooded with false requests, overwhelming the system and preventing legitimate requests from being serviced. Ultimately the system will crash.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you enter a URL for a particular web site into your browser for example, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it cannot process legitimate requests. This is a denial of service as legitimate users are denied access to the system services.

In normal operation, a Client sends a SYN and the Server responds with a SYN+ACK message, the server will then hold state information in the TCP stack while waiting for Client ACK message. A simple SYN flood (using suitable software) will generate SYN packets which would consume all available TCP memory as the server must maintain state for all half-open connections. And since this state table is finite the server will no longer accept new TCP connections and thus fail or deny service to the user ((or worse, buffer overflows or system memory exhaustion has occurred, not so much a problem today)).†

There are two basic types of DoS attacks. The first floods the communication pipeline with garbage network traffic. The second exploits a weakness, error or standard feature to cause a system to hang, freeze, deplete all its resources, etc. In the end, the victimized system has been denied the ability to perform normal operations (i.e. providing services) either because the network has been overwhelmed or critical services running on a particular system has been disrupted.

DoS attacks can target different areas of a system including the operating system, applications, network protocols and services. Malware that maxes out the processor or memory on a system, preventing any work from occurring or triggered events that force a system into an unstable or lock state are all considered denial-of-service attacks.

Examples of DoS Attacks

The SYN Flood is a type of DoS attack. The SYN Flood attack exploits the TCP three-way handshake protocol, which requires a specific sequence of data exchange between the client and server. The SYN Flood attack deliberately fails to complete the handshake, causing the target (victim) to waste resources waiting for the handshake to complete.

In a SYN Flood attack, a malicious client makes a series of requests to establish a communications channel with the victim server, i.e. it sends a series of SYN packets. However the return address given by the client is invalid, therefore the server spends valuable and finite network resources waiting for an acknowledgement (ACK) that will never be sent. If enough unacknowledged SYN packets are sent by the client, the victim server will be overwhelm and unable to service legitimate network traffic.

Here is some background on the TCP three-way handshake. The Transmission Control Protocol (TCP) uses the three-way handshake to establish a connection between a client and a server.
Communication between the client and server happens with the exchange of TCP packets.

A TCP packet consists of a header portion and the payload. The header includes a set of 8 TCP flags in the 1-byte flag field. Two flags, Synchronize (SYN) and Acknowledgement (ACK) are used in the 3-way handshake to establish a TCP connection. This is illustrated below and consists of the SYN, SYN-ACK and ACK transactions:

  • SYN: This flag is sent by the client in the active-open phase at the start of the TCP handshake initiating the connection request.
  • SYN-ACK: Upon receiving the SYN from the client, the server replies with an acknowledgement of the SYN flag, a SYN-ACK.
  • ACK: The client sends an ACK back to the server. This flag acknowledges receipt of any prior data, and established the TCP connection.
In addition to the SYN Flood, here are some other examples of DoS attacks:
  • ICMP Flood
    • ICMP Flood attack occurs when numerous ICMP (ping) echo requests overwhelm a receiver. The receiver attempts to respond to all the requests, typically resulting in the consumption of large amounts of network bandwidth.
    • Smurf attacks marshal whole networks of computers to send malicious packets with false sender IP address information to all hosts on a network using the broadcast messages.
  • Ping Of Death
    • Attacker sends oversized ping packets to the target system which crashes as it does not know how to handle the invalid packets.
  • Teardrop
    • Numerous partial IP packets are sent to a target with overlapping sequence numbers and offset values. Target attempts to reassemble IP packets from the received partials but the fragments overwrite each other and provide invalid packets.
Most of the basic DoS attacks such as ping of death, and teardrop are now automatically handled by improved versions of the installed protocols.

Denial-of-Service exploits such as SYN Flood exploits basic features (not bugs) of the TCP protocol as such it is difficult to block completely, however there are measures that can be taken to mitigate the effects. For example, a filter placed in front of the network infrastructure, designed to identify DoS signatures can be deployed. When these signatures are identified they can be discarded before they overwhelm the organization’s network infrastructure. Additionally, the use of up-to-date antivirus software, firewalls and other good security practices is encouraged to minimize the chances that the computer will be infected by malware that can be used to initiate a DoS attack.

December 18, 2013

3.2.2 DDoS


In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. The attack is "distributed" in that the attacker can marshal multiple computers, to launch the denial-of-service attack.

A distributed denial of service attack (DDoS) is a type of DoS attack where multiple systems combine their efforts to target and attack one or multiple victim systems. The attacking systems are typically victims themselves – having been previously infected with malware that enables a malicious user to control and conscribe them into an attack.

The advantage to an attacker of using a distributed denial-of-service attack over a non-distributed denial-of-service attack is that multiple systems can generate greater load on the victim system(s) than in a DoS attack. Additionally it is more difficult to block attacks from multiple attacking systems than one system.

Four common categories of attacks have been defined:
  • TCP Connection Attacks – using up all the available connections to infrastructure devices
  • Volumetric Attacks – consuming the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet
  • Fragmentation Attacks – sending a flood of TCP or UDP fragments to a victim, overwhelming the victim's ability to re-assemble the streams and reducing performance
  • Application Attacks – overwhelming an application or service
There are two defined ways that an attack may be amplified:
  • DNS Reflection – Using Internet protocol spoofing, the victims’s IP address is forged and an attacker can send small requests to a DNS server and all replies will go to the target, not the initiator of the attack. The attacker can format the request in such a way that small requests will initiate large replies.  This allows the attacker to have every request from its botnet amplified many times in size.
  • Chargen Reflection – the Character Generator Protocol (CHARGEN) listens at TCP/UDP port 19 and sends arbitrary characters to the target system and continues until the system closes the connection. Chargen is an outdated testing and debugging service that is still supported by certain networked devices such as printers.

3.1.9 Botnets


What is a botnet? The word botnet is a portmanteau of robot and network.

A “bot” is a type of malicious software (malware) residing on a computer and it allows an attacker to take control and direct the actions of the infected computer. These bot-infected computers are also referred to as victim computers or “zombies”.

A “botnet” is an assembly of multiple bot-infected computers that can be conscribed to undertake a specific mission. Botnets can consist anywhere from a few hundred to millions of infected computers. In 2010, the creator of the Mariposa botnet which reportedly consisted of over 12 million computers was arrested.

The purpose of a botnet is to undertake activities that could take advantage of the ability to marshal large-scale computing resources and apply it to a particular task. Botnets have typically been used to send out spam email messages, spread viruses, steal sensitive information including license keys and financial data on individual computers systems, and overwhelm web sites using distributed denial of service (DDoS) attacks.

A bot can infect your system via a malware such as viruses, worms and Trojan horses. Once deployed on your system the bot opens your system to the commands of the botnet controller, also referred to as a “bot herder” or “bot master”, using standard network protocols such as HTTP, IRC, Twitter, etc.

Countermeasures Against Botnets

Prevention against infection by a bot via malware is preferred. Beyond that, all the normal best security practices are encouraged, including: keeping your security resources such as firewalls, anti-virus programs up-to-date, patch operating systems, avoid anonymous file-sharing sites, vigilance opening email attachments, etc.

The distributed nature of a botnet makes it challenging to take down, however success against an already formed botnet starts with an understanding of how the botnet works. How does it communicate with the bot controller? Is there a specific port or IP address that can be tracked and/or blocked? Does it deploy proprietary payloads that can be identified and removed? If a botnet controller detects a takedown attempt it may react by using the botnet to attack the investigators.

3.1.8 Logic Bomb

Logic bomb

A logic bomb is a form of malicious code that is unauthorized and unknown to the legitimate user. It remains dormant until a triggering event occurs. When triggered it performs some undesirable act.

The triggering event may be a positive trigger or a negative trigger. An example of a positive trigger can be the lapse of a period of time, the modification of a file or system configuration, or an application-specific event such as the removal of an entry in the company’s salary database. A negative trigger can be a failure to respond to a prompt. Logic bombs are considered viruses. Sometimes logic bombs are referred to as slag code or time bomb.

A logic bomb will carry out any number of malicious activities including: deleting data, reformatting drives, modification of system configurations, weakening system security, etc.

Deploying a logic bomb can be considered more an act of precision bombing than indiscriminate bombing. The target of a logic bomb attack is usually a specific function or system at a specific organization. In IT, logic bombs have often been deployed by fired or otherwise disgruntled employees.

Countering logic bombs is difficult as they are usually deployed by authorized and trusted personnel. Countermeasures will include consistent scanning, and monitoring for changes to system resources. Also activities by system administrators should be logged and audited.

3.2.1 Man-in-the-middle


A man-in-the-middle or MITM attack takes place when an attacker intercepts traffic and then tricks the parties on both ends into believing they are communicating directly with each other.

In the man-in-the-middle attack, the attacker interjects itself into the conversation between two parties and acting like a proxy it receives and transmits information from party A to party B and vice versa.

This is a fairly sophisticated attack and in general, it involves placing malicious software or malware between the source and the destination. The software intercepts data from the source and then passes it on to the destination. Once intercepted, the data can either be monitored, logged and/or modified.

A successful man-in-the-middle attack depends on the ability to:
  • compromise the routing and name server system in the network in order to position the malware between two communicating parties
  • coerce the two parties to see the attacker as a valid source and destination of their conversation
  • view an unencrypted data stream or decrypt the communication channel
For a MITM attack to work, the attack must create dual TCP/IP sockets and trick the target to unwittingly connect to a false server. Techniques used to deploy a MITM attack include, among others:
  • ARP Poisoning
  • DNS Spoofing
  • Port Stealing
  • DHCP Spoofing
ARP (Address Resolution Protocol) enables “converting protocol Addresses (e.g., IP addresses) to local network addresses (e.g., Ethernet addresses)”.

Addresses used on the Internet include hostnames, IP addresses, MAC addresses, port numbers, etc. A network device can respond to one or more of these addresses; however each network protocol uses only one of these protocols.

In order for a network protocol, e.g. Ethernet to communicate with another protocol, e.g. Internet Protocol (IP), it must resolve its native MAC address to the address used by the Internet Protocol, the IP address. And it uses another protocol, ARP to resolve the IP address of a host into the MAC address of the same host. The ARP address resolution is a core function for communication on the Internet. Its importance to Internet communication also makes it an enticing target for exploitation.

One MITM attack technique that exploits vulnerabilities in ARP is ARP Poisoning. This is where an attack creates a packet with an incorrect IP address to MAC address mapping and sends it to the victim system. If the victim system accepts this information into its database (ARP cache), the attacker would have effectively poisoned the victim’s ARP cache, allowing it to hijack specific conversations from the victim.

Since ARP poisoning or ARP cache poisoning is possible only within a local area network, countermeasures you can deploy include physically securing your local network to prevent an unauthorized user from inserting an untrusted device. Additionally since part of the vulnerability of ARP is that address mapping can be changed dynamically, you should consider statically setting the address mappings, at least for your important servers. It may not be possible to monitor all hosts in your network, however monitoring is a good final option for your critical servers.

Countermeasures to a man-in-the middle attack include physical security for your local network and internal servers, deployment of intrusion detection systems (IDS) and intrusion prevention systems (IPS), encryption protocols such as using IPSec and VPN on open networks, strong authentication such as Kerberos, certifications and digital signatures and using digitally signed DNS records (DNSSEC) among others.

Note that encryption and certificates can be sidestepped by MITM attacks. MITM attack can happen over an HTTPS connection. The sequence would include the establishment of two independent SSL sessions by the attacker: one from the attacker to the client (source) and on from the attacker to the server (destination). Most modern browsers will recognize when this happens and will issue a warning to the user for example of an invalid certificate, however the user might ignore the warning and proceed with the connection.

3.1.7 Backdoors


"With Sardaukar, you must scan them, scope them - both reflex and hard ray - cut off every scrap of body hair. And when you're through, be certain you haven't discovered everything." – Dune, Frank Herbert.

What is a Backdoor Program?

A backdoor is an undocumented means of access to a computer system that bypasses normal authentication and security mechanisms. A backdoor might be installed deliberately by the software developer or system administrator or it might be installed surreptitiously by an attacker as part of an exploit.

A backdoor violation occurs when software creates a security vulnerability that allows malware or hackers to gain unauthorized access to a system.”

Deliberately enabled backdoors include:
  • Application vendors that enable access that bypasses normal security mechanisms to make it easy to support or troubleshoot their applications.
  • System administrators that install unpublished root or administrative accounts with no passwords.
  • Some applications and operating systems ship with default passwords to ease initial deployment. This can lead to security violations if the user neglects to change the default password or an attacker gains access to the system before the password is changed.
  • The network administrator can disable the password on the auxiliary port on a network router, enabling anyone with physical access to connect and administer the router.
  • On most Linux systems, by default the boot process is not password protected. If you have physical access to the system, you could boot the Linux system into single-user mode and gain root (administrative) access without needing to enter any password.
In addition to backdoors deliberately installed by legitimate users, attackers may introduce backdoors onto the system through various means including:
  • Hidden in the payload of Trojan horse applications
  • Viruses and worms that attack and compromise system applications and configurations
Backdoors, deliberately installed or not, weaken the integrity of the system as they often by bypass legitimate security measures such as firewalls, password protection and intrusion detection systems and thwart monitoring and auditing systems. Attackers can “use back doors that they detect or install themselves, as part of an exploit. E.g, Nimda (a worm) gained entrance through a back door left by Code Red.

Avoiding Backdoor Programs

All general-use computer systems are susceptible to malware (malicious software) such as backdoor programs. You can minimize the chances of malware by recognizing and avoiding the common avenues of infection, including:
  • Drive-by downloads – this is when malware starts downloading automatically when you visit a web page
  • Worms that replicate and automatically seek out targets for infection over the network
  • Malware unwittingly downloaded from sources such as file-sharing networks and compromised web sites
  • URLs embedded in email messages that transfer malicious content when opened
  • Default passwords and other insecure configurations on the system
To protect computers from backdoor exploits:
  • Keep operating system and applications updated
  • Install antivirus and antispyware software and keep them updated
  • Do not open email attachments unless you have confirmed its purpose
  • Make sure your email setting does not automatically open attachments
  • Enable appropriate security and privacy features on web browsers
  • Use an up-to-date firewall program to filter out suspicious traffic
  • Take precautions when using peer-to-peer (P2P) networks
In general, use the sometimes illusive common sense when you are online. Perform regular full back ups to increase the chance of recovering infected or deleted files. Secure the browser by disabling ActiveX, Java, JavaScript features. While this may diminish the browsing experience, it also removes major opportunities for compromising browser security. Those features can be enabled if needed and after the legitimacy of the site has been confirmed.

And like Paul Atreides said, “when you're through, be certain you haven't discovered everything.”

There are numerous examples of backdoor programs and exploits, including those that attack login systems. These might take the form of a hard coded user and password combination which gives access to the system. An example of this was used in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password which gave the user authenticated access to undocumented parts of the system.‡ Alternatively, it can take the form of exploits that replace valid login applications with compromised versions.

In his talk for the Association of Computing Machinery in August 1984, programmer Ken Thompson said, “You can't trust code that you did not totally create yourself.” He goes on to demonstrate how a backdoor can be included in any program in such a way that the exploit would go undetected unless extreme measures were undertaken. This is done by attacking the compiler used to generate any executable program.§

Another particularly dangerous backdoor exploit is one known as an asymmetric backdoor. A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks has been termed kleptography.


3.1.5 Trojans


Whatever it is, I’m afraid of Greeks even those bearing gifts.

From classic literature such as Virgil's Aeneid, Book II and Homer's Odyssey, we get the tale of Greek soldiers hiding in a large wooden horse (Trojan Horse) in order to gain access to the city of Troy. Once they had access, they surreptitiously opened the gates of the city and let in an invading Greek force.

A Trojan or Trojan horse in computing is a type of malicious software that is disguised as something useful, legitimate or interesting. Since Trojans cannot replicate on their own, they are designed to trick the user into installing and running it on their computer.

“A Trojan horse is a malicious software program that hides inside other programs. It enters a computer hidden inside a legitimate program, such as a screen saver. It then puts code into the operating system, which enables a hacker to access the infected computer. Trojan horses do not usually spread by themselves; they are spread by viruses, worms, or downloaded software.”

Trojans do not self-activate and are non-self-replicating programs. Trojans rely on the user to execute the malicious software and in so doing activate the program to carry out its function. Among other things, Trojan horse software can:
  • Install backdoor program giving an attacker remote access to the system
  • Install malicious code such as spyware to gather information surreptitiously
  • Conscript the system into a botnet for use in spamming and distributed denial-of-service (DDoS) attacks.
  • Modify system files and configurations for malicious purposes
Trojans are propagated in a variety of ways including as attached documents in an email message or disguised as an application you might want to download, on a web site or file-sharing network.

To protect computers from Trojan horses:
  • Keep operating system and applications updated
  • Install antivirus and antispyware software and keep them updated
  • Do not open email attachments unless you have confirmed its purpose
  • Make sure your email setting does not automatically open attachments
  • Enable appropriate security and privacy features on web browsers
  • Use an up-to-date firewall program to filter out suspicious traffic
  • Take precautions when using peer-to-peer (P2P) networks
In general, use common sense when online. Perform regular full back ups to increase the chance of recovering infected or deleted files. Secure the browser by disabling ActiveX, Java, JavaScript features. While this may diminish the browsing experience, it also removes major opportunities for compromising browser security. Those features can be enabled if needed and after the legitimacy of the site has been confirmed.

Note: Use Trojan horse when referring to the malware and Trojan Horse with a capital H, when citing Greek mythology.


December 15, 2013

3.1.3 Worms


A computer worm is a type of malicious software (malware) that is self-contained, self-replicating and self-propagating. Unlike a virus which is a piece of software code that attaches itself to another program, a worm is a standalone software program.
The primary purpose of a worm is to make copies of itself and to look for other host computers to infect. When a worm is introduced onto a host computer, it sets about doing just that – replicating or making copies of itself and seeking out communication channels it can use to target other hosts.

Worms target vulnerabilities in application, operating system and network protocols. In addition to its primary purpose – propagation, a worm can carry a “payload”, which in this case is a software code written to carry out specific malicious activities such as altering or deleting data, establishing backdoors or other remote control tools.

Even without the “payload”, worms are considered malware because they consume system resources such as CPU, memory and network bandwidth.

Worms and viruses are both considered malware. They both take unauthorized actions and carry out a series of malicious activities. A major difference between a worm and a virus is in how each propagates. A virus cannot spread on its own. It takes the action of a human for example to click on an infected file or visit an infected file to spread the virus. A worm on the other hand is able to spread unassisted, taking advantage of vulnerabilities in system resources such as software bugs, unprotected network ports and lax security protocols, among others. Additionally, worms can self-replicate.

When a worm infects a system, it carries out its primary function which is to make copies of itself. Each copy will work independently to find mechanisms to launch itself to other systems across the network.

A worm can cause harm in one of two ways:
  • It replicates and propagates, using an increasing amount of memory, processing cycles and network bandwidth in the process. This can bring a system to a halt or cause it to crash. If the system is rebooted and brought back online.
  • If the worm carries a payload, it will launch the payload to carry out some malicious activity.
The effect of a worm could be the slow consumption of all system and network resources. Additionally worms are a popular way for unauthorized users to install backdoors or conscript the compromised system into a “botnet”.

“An internet worm is a program that spreads across the internet by replicating itself on computers via their network connections.”

A worm is created to take advantage of a security hole in an application or operating system. Once a system is infected, the worm actively seeks out other systems to infected.

A famous example of an Internet worm is the Morris worm. It was released onto the Internet in 1988 and it took advantage of application vulnerabilities to infect and cripple a significant number of hosts on the Internet.

Counter-measures against worms are similar to that for viruses and Trojans. It is better to take a multi-layer approach to security. This includes applying update patches to the operating system and applications, using anti-virus software and firewalls as appropriate. Also be wary of email attachments, even from familiar sources as their account might have been compromised. Since a worms’ primary transmission mechanism is the network, pay special attention to keeping network software up-to-date.