Module 2 threats-b
- 1. Module 2: Security Threats & Attacks
© 2010 – Foreground Security. All rights reserved
- 2. Issues & Threats
• Phishing
• Social Engineering
• Viruses, Worms
• Spyware, Malware, Adware, Rootkits
• Trojan Horses
• DoS, DDoS
• ID Theft
• Botnets
• Non-compliance
• Password Cracking
• Zero-Day Exploits
• Vulnerabilities, time-to-break
- 3. Identity Theft
Every 5 seconds a thief steals someone's
identity and goes shopping.
IC3 receives over 164,000 complaints annually with
estimated $54 Billion in losses to individuals
Complaints originate from over 100 countries
Violations include auction fraud, international fraud,
non-delivery. Many originate in Eastern Europe and
Asia
Identity Theft was the top consumer complaint to FTC
- 4. What Is Identity Theft
• Acquisition of key pieces of identifying information for the purpose of impersonation.
• Identifying information:
– Name
– Address
– Date of birth
– Social Security number
– Mother's maiden name
– Credit card number
– ATM PINs
– Bank account numbers
- 5. Identity Theft – How They Do It
High and Low Technology
• Shoulder surfing at ATMs
• Stealing your mail
• Dumpster diving
• Utilizing corrupt employees
• Creating counterfeit checks
• Phishing (E-mail, Websites, Pop-ups)
• Keyloggers, sniffers, insecure (cleartext) protocols
- 8. Examples
• Recent incidents
– University compromises
• Student information (Princeton U. student acceptance database)
– DSW Shoe Warehouse – 1.4 million names
– Card processing systems – 40 million IDs
– Bank of America – 1.2 million government employees
– ChoicePoint – 4,145,000 names
– CitiFinancial – 3.9 million names
• Missing backup tape
• One in 700 crimes leads to a conviction
• Maxus case:
• Stole 300,000 credit card numbers
• Attempted a $100,000 extortion
• Offered 25,000 credit card numbers on a website
- 12. E-mail Header (Right-click > Options)
Return-Path: <service@paypal.com>
Delivered-To: dave@cyberspann.com
Received: (qmail 72719 invoked by uid 12281); 22 Jul 2005 21:59:18 -0000
Received: from unknown (HELO in8.prserv.net) ([32.97.166.48])
    (envelope-sender <service@paypal.com>)
    by 198.63.47.249 (qmail-ldap-1.03) with SMTP
    for <dave@cyberspann.com>; 22 Jul 2005 21:59:18 -0000
Received: from c-24-4-139-49.hsd1.ca.comcast.net ([24.4.139.49])
    by prserv.net (in8) with SMTP
    id <200507222157461080g91o2he>; Fri, 22 Jul 2005 21:59:17 +0000
X-Originating-IP: [24.4.139.49]
X-Message-Info: 8gux664qFXH/clQMpuoZweoHVdQ136Xk
Received: from 248.76.244.4 by 24.4.139.49; Fri, 22 Jul 2005 16:53:49 -0600
Message-ID: <TJCYETCSBRXBIABFTGUIEFQP@us.paypal.com>
From: "PayPal Services" <service@paypal.com>
Reply-To: "PayPal Services" <service@paypal.com>
To: benney@attglobal.net
Subject: PayPal Account Suspended as of 07-22-2005
Date: Sat, 23 Jul 2005 04:53:49 +0600
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--80953993190679285460"
X-Priority: 3
Status:
What gives it away:
• Read the Received: lines bottom-up. Each relay prepends its own line, so only the lines added by relays you trust (here the receiving qmail host and prserv.net) can be believed; everything below them was written by the sender.
• The first trusted relay, prserv.net, took the message from c-24-4-139-49.hsd1.ca.comcast.net (24.4.139.49), a residential cable host, not a PayPal mail server. X-Originating-IP agrees.
• The innermost Received: line claims the mail came from 248.76.244.4, an address in the reserved 240.0.0.0/4 block that is not routable on the Internet: a forged hop.
• From:, Reply-To:, Return-Path: and the Message-ID domain all say paypal.com, but SMTP verifies none of them; they are whatever the sender typed.
• To: names benney@attglobal.net while Delivered-To: is dave@cyberspann.com: the message was bulk-mailed to undisclosed recipients.
• Date: works out to 22:53 UTC, almost an hour after prserv.net received the message at 21:59 UTC, and its zone (+0600) contradicts the -0600 in the sender's own Received: line.
• X-Mailer: The Bat! is a desktop mail client, not the transactional mail system a real account notice would come from.
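The checks above as a script, added here as an example and not part of the original deck. It parses the header block from this slide (reproduced with its folding restored), walks the Received: chain oldest-first, flags hops whose claimed source cannot exist on the public Internet, compares the first relay-recorded origin against the From: domain, and checks recipient and timestamp consistency. The function names and heuristics are my own; the "origin" rule (earliest hop with a routable source) is a heuristic, not a proof, since a sender who controls a routable host can still write fake hops.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

# The phishing header from the slide, continuation lines re-indented so the
# parser unfolds them (constructed for this example; not a live capture).
RAW_HEADERS = """\
Return-Path: <service@paypal.com>
Delivered-To: dave@cyberspann.com
Received: (qmail 72719 invoked by uid 12281); 22 Jul 2005 21:59:18 -0000
Received: from unknown (HELO in8.prserv.net) ([32.97.166.48])
    (envelope-sender <service@paypal.com>)
    by 198.63.47.249 (qmail-ldap-1.03) with SMTP
    for <dave@cyberspann.com>; 22 Jul 2005 21:59:18 -0000
Received: from c-24-4-139-49.hsd1.ca.comcast.net ([24.4.139.49])
    by prserv.net (in8) with SMTP
    id <200507222157461080g91o2he>; Fri, 22 Jul 2005 21:59:17 +0000
X-Originating-IP: [24.4.139.49]
Received: from 248.76.244.4 by 24.4.139.49; Fri, 22 Jul 2005 16:53:49 -0600
Message-ID: <TJCYETCSBRXBIABFTGUIEFQP@us.paypal.com>
From: "PayPal Services" <service@paypal.com>
Reply-To: "PayPal Services" <service@paypal.com>
To: benney@attglobal.net
Subject: PayPal Account Suspended as of 07-22-2005
Date: Sat, 23 Jul 2005 04:53:49 +0600
X-Mailer: The Bat! (v1.52f) Business
MIME-Version: 1.0

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_HOST = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def routable(ip):
    """True only for addresses that can exist on the public Internet."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:          # regex can match 300.1.1.1; treat as bogus
        return False


def hops(msg):
    """Received: lines oldest-first, i.e. in the order the mail travelled.

    Each relay prepends its own line, so reversing header order puts the
    sender-written line first. Returns (claimed host, first IP, timestamp)
    per hop; local-delivery lines without a 'from' clause are skipped.
    """
    out = []
    for h in reversed(msg.get_all("Received", [])):
        h = " ".join(h.split())                      # unfold continuation lines
        m = FROM_HOST.match(h)
        if not m:
            continue
        ips = IPV4.findall(h)
        when = None
        try:
            when = parsedate_to_datetime(h.rsplit(";", 1)[1].strip())
            if when.tzinfo is None:                  # '-0000' parses as naive
                when = when.replace(tzinfo=timezone.utc)
        except (ValueError, TypeError, IndexError):
            pass
        out.append((m.group(1), ips[0] if ips else None, when))
    return out


def analyse(raw):
    """Return a dict of findings; an empty dict means nothing looked wrong."""
    msg = email.message_from_string(raw)
    chain = hops(msg)
    findings = {}

    # 1. A hop claiming an unroutable source was written by the sender, not a relay.
    bogus = [ip for _, ip, _ in chain if ip and not routable(ip)]
    if bogus:
        findings["unroutable_hop"] = bogus

    # 2. Earliest hop with a routable source = best guess at the true origin;
    #    it should belong to the domain From: claims.
    from_dom = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    origin = next((hop for hop in chain if hop[1] and routable(hop[1])), None)
    if origin and not origin[0].lower().endswith("." + from_dom):
        findings["origin_mismatch"] = (origin[0], origin[1], from_dom)

    # 3. To: not naming the mailbox it landed in means bulk/BCC delivery.
    to, delivered = (parseaddr(msg.get(k, ""))[1].lower() for k in ("To", "Delivered-To"))
    if to != delivered:
        findings["recipient_mismatch"] = (to, delivered)

    # 4. Date: later than the moment the first relay received the mail is a
    #    sender-side lie (or a badly wrong clock).
    if origin and origin[2] and msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent > origin[2]:
            findings["date_after_receipt"] = (sent.isoformat(), origin[2].isoformat())
    return findings


if __name__ == "__main__":
    for key, detail in analyse(RAW_HEADERS).items():
        print(f"{key}: {detail}")
```

Run it and the four findings above come out; feed it a legitimately relayed message and it returns an empty dict. Full answers for the From: question in practice come from SPF, DKIM and DMARC results recorded by the receiving MTA, not from hand inspection.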
- 18. Spear Phishing
What is a spear phishing scam?
• Spear phishing is any highly targeted phishing attack. Spear phishers send e-mail that
appears genuine to the employees or members of a specific company, government agency,
organization, or group.
• The message might look like it comes from your employer, or from a colleague who would
plausibly mail everyone in the company (the head of human resources, the person who
manages the computer systems), and it may ask for user names or passwords.
• In reality the sender information has been faked, or "spoofed." Whereas traditional
phishing is designed to steal information from individuals, spear phishing is usually the
first step toward access to the organization's systems.
• If you respond with a user name or password, or click links or open attachments in a
spear-phishing e-mail, pop-up window, or Web site, you may become a victim of identity
theft and you may put your employer or group at risk.
• Spear phishing also describes scams that target people who use a certain product or Web
site. Scam artists use whatever information they can find (job postings, LinkedIn, Web
postings) to personalize the lure to as specific a group as possible.
• The good news: the same habits that defeat standard phishing also defeat spear phishing.
- 20. Defenses
• Never reveal personal or financial information in response to an e-mail request,
no matter who appears to have sent it.
• If an e-mail message looks suspicious, verify it by phone with the person or
organization it claims to come from before you respond or open any attachment,
and use a number you already have (the company directory, the back of your card),
never one printed in the message itself.
• Never click links in an e-mail message that requests personal or financial
information. Type the Web address into your browser instead.
• Report any e-mail you suspect is a spear-phishing attempt to the appropriate
person within your company.
- 21. Phishing Attacks (APWG statistics)
• Active phishing sites, April 2006: 2,854
• Average monthly growth rate, July 2005 – April 2006: 15%
• Number of brands hijacked: 79
– Brands accounting for the top 80% of all attacks: 7
• Top countries hosting phishing sites: China, United States
• Top sector targeted: Financial Services
• Average time a site stays online: 5.8 days
Source: Anti-Phishing Working Group, www.antiphishing.org
- 25. What is a worm?
• Virus – a code segment that replicates by attaching copies of itself to existing executables.
– Self-replicating
– Requires a host program as a carrier
– Activated by an external action (a user runs the infected program)
• Worm – a program that replicates itself and causes the new copy to execute.
– Self-replicating
– Self-contained; does not require a host
– Activated by hijacking or creating a process, typically over the network
- 26. Worldwide Code Red Infections
700,000 machines infected
$2-2.9 billion in damage (Computer Economics)
$200 million in damage per day during attacks
- 27. VBSWG – VBS Worm Generator
- 28. Other Types of Worms/Viruses
- 35. The Cost of Spyware & Adware in the Enterprise
For Businesses
Real costs not quantifiable today
- 40. Hack Methodology
• 1: Reconnaissance
• 2: Scanning
• 3: Gaining Access
• 4: Maintaining Access / Malicious Activity
• 5: Covering Tracks
- 41. Step 1: Reconnaissance
• “Casing the Joint”
• Incredibly effective for attackers
• Very useful information obtained:
– Names of system administrators and others
– Phone numbers and postal addresses
– Internet addresses for target machines
– Technologies in use (DNS, e-mail, Web, Microsoft, SQL/Oracle, versions)
– Business partnerships
– More!!
- 42. Low-Tech Reconnaissance
• Social engineering
– Sensitive information over the phone or mail
– Attacker can easily guess/get passwords
• Physical access
– Simply walk through the front door
– Piggybacking
– Network connectivity
• Dumpster diving
- 43. Internet Searching
• Whois – the "white pages" of the Internet, storing:
– Technical, administrative, and billing contact names
– Phone numbers and e-mail addresses
– Domain name servers
• ARIN (www.arin.net) – IP address allocations (RIPE, APNIC, etc. for other regions)
• Google
• LinkedIn
• Web postings
• Job postings (company or individual): they advertise the technologies in use
- 45. Step 2: Scanning
• Scanning looks for a way in
– Holes in your armor
• Often relies on automated tools
– Manual checking takes too long
• Why information security is hard:
– Attacker must find one way in to achieve the goal
– You must defend all entry points
- 46. Phase 2: Scanning
• War dialing
– THC-Scan
• War driving
– NetStumbler, Kismet, AirSnort
• Network mapping
– Cheops-ng, Winfingerprint
• Port scanning
– Nmap, SuperScan
• Vulnerability scanning
– Nessus, LANguard, SAINT, ISS, etc.
- 48. Vulnerability Scanning
• At this point, the attacker knows which systems
are available, how they are connected, and
which ports are open
• What are the vulnerabilities on the target
systems?
• Vulnerability scanning tools look for holes on
the target
– Misconfigurations
– Unpatched systems with known vulnerabilities
– Other weaknesses
• By rapidly checking for thousands of known
vulnerabilities, attacker can get in faster
- 49. Vulnerability Scanning
• Vulnerability scanning tools consist of a database of known vulnerabilities plus an
engine that checks whether each one is present on the target system(s)
• Nessus, www.nessus.org – long the standard free scanner; the engine has been
closed-source since version 3 (2005), and the open-source fork continues as OpenVAS
• LANguard, www.gfi.com
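Added example (my code, not the deck's and not how Nmap, SuperScan or Nessus are built) covering both the port-scanning slide and the two vulnerability-scanning slides: a TCP connect scan with banner grabbing, followed by the "database plus engine" step in miniature, where each banner is run against a list of checks. So that it runs offline, the block starts a throwaway listener on localhost that answers with a made-up banner; the banner string, port range and the two entries in the check list are constructed for the demo. Real scanners also do SYN (half-open) scans, which need raw sockets and privileges, cover UDP, and carry thousands of checks rather than two.

```python
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Toy "vulnerability database": banner pattern -> finding. Illustrative entries only;
# a real scanner's database keys thousands of checks on what the banner reveals.
CHECKS = [
    (re.compile(rb"^SSH-1\."), "SSH protocol 1 offered (SSH-1.x / SSH-1.99 banner)"),
    (re.compile(rb"^220 .*FTP", re.I), "cleartext FTP: credentials can be sniffed"),
]


def start_fake_service(banner=b"SSH-1.99-OpenSSH_3.9p1\r\n"):
    """Bind an ephemeral localhost port, answer one connection with `banner`, return the port.

    Stand-in for a real target so the example runs offline; the banner is made up.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, timeout=1.0):
    """Full TCP connect, then read whatever the service volunteers.

    Returns the (stripped) banner for an open port, b"" if the port is open but
    the service waits for the client to speak first, None if closed or filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
        return banner.strip()
    except OSError:
        return None


def scan(host, ports, workers=64):
    """Connect-scan `ports` in parallel; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe(host, p)), ports)
    return {p: b for p, b in results if b is not None}


def assess(open_ports):
    """The 'engine' half of a vulnerability scanner: every check against every banner."""
    findings = []
    for port, banner in open_ports.items():
        for pattern, text in CHECKS:
            if pattern.search(banner):
                findings.append((port, text))
    return findings


if __name__ == "__main__":
    port = start_fake_service()
    found = scan("127.0.0.1", range(port - 10, port + 10))
    for p, b in found.items():
        print(f"open {p}: {b!r}")
    for p, text in assess(found):
        print(f"finding on {p}: {text}")
```

The asymmetry from the slide shows up directly: the scan tries every port in the range, but the attacker only needs the one that answers.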
- 52. Phase 3: Gaining Access
• Attackers have many, many ways to gain access to a target network:
– Breaking in physically
– Manipulating poorly written software
– Exploiting weak password storage mechanisms
– Gathering data that is not properly encrypted or not encrypted at all (such as user IDs, passwords, confidential data)
– Etc., etc., etc.
- 53. Step 3: Gaining Access
• Exploitation - METASPLOIT
• Buffer Overflows - METASPLOIT
- 54. Password Cracking/Stealing
• Steal or capture password representations (hashes), then recover the plaintext by:
– Guessing
– Brute force
– Dictionary attacks
• Tools
– Windows – L0phtCrack (www.l0phtcrack.com; originally distributed by @stake, www.atstake.com)
– Unix – John the Ripper, www.openwall.com
– Network tools – Netscan, NetbiosAT
- 55. Hacking Example
Hacking Demonstration
- 56. Password Cracking Defenses
• Strong Password Policy
– At least 10 characters, 60-90 days, special
characters
– User awareness
• Multi-factor Authentication
• Pro-active Password Auditing
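Added example serving the two previous slides (my code, not the deck's, and not how L0phtCrack or John the Ripper work internally): a small rule-based dictionary attack of the kind those tools run, first against unsalted SHA-1 hashes, where one hash computation tests a candidate against every stolen hash at once, then against per-user salted PBKDF2 hashes, where every candidate must be recomputed per user and each computation is deliberately slow. That cost difference is what the "strong password policy" and "pro-active auditing" defenses rely on. The wordlist, rules, target passwords and the low PBKDF2 round count are constructed for the demo; production systems use far more rounds or a memory-hard function (bcrypt, scrypt, Argon2).

```python
import hashlib
import os
import time

# Constructed for the demo: a tiny wordlist and the passwords being "cracked".
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "qwerty"]
DEMO_ROUNDS = 5_000   # deliberately low so the demo finishes in about a second


def mangle(word):
    """Cheap rule engine: the case, suffix and leet tweaks real users apply."""
    for base in dict.fromkeys([word, word.capitalize(), word.upper()]):
        yield base
        for suffix in ("1", "123", "!", "2010"):
            yield base + suffix
        yield base.replace("a", "@").replace("o", "0").replace("e", "3")


def candidates(wordlist):
    for word in wordlist:
        yield from mangle(word)


def sha1_hex(password):
    """Unsalted fast hash, as found in many legacy credential stores."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, rounds=DEMO_ROUNDS):
    """Salted, iterated hash: the defence side of the password-cracking slides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_unsalted(hashes, wordlist):
    """One hash per candidate tests it against *every* target: cost is O(candidates)."""
    wanted = {h.lower() for h in hashes}
    found, tried = {}, 0
    for cand in candidates(wordlist):
        tried += 1
        h = sha1_hex(cand)
        if h in wanted:
            found[h] = cand
    return found, tried


def crack_salted(salt_hash_pairs, wordlist, rounds=DEMO_ROUNDS):
    """Each candidate must be recomputed per user and per salt:
    cost is O(candidates x users x rounds), the whole point of salting and stretching."""
    found, tried = {}, 0
    for salt, h in salt_hash_pairs:
        for cand in candidates(wordlist):
            tried += 1
            if pbkdf2_hex(cand, salt, rounds) == h:
                found[h] = cand
                break
    return found, tried


# Built here because there is no dumped database to hand; in practice these are
# the stolen "password representations" the slide refers to.
UNSALTED_TARGETS = [sha1_hex("Summer2010"), sha1_hex("dr@g0n"), sha1_hex("k7#Qz!p9Lm")]
SALT_A, SALT_B = os.urandom(16), os.urandom(16)
SALTED_TARGETS = [(SALT_A, pbkdf2_hex("Summer2010", SALT_A)),
                  (SALT_B, pbkdf2_hex("k7#Qz!p9Lm", SALT_B))]


if __name__ == "__main__":
    for label, fn, targets in (("unsalted SHA-1", crack_unsalted, UNSALTED_TARGETS),
                               ("salted PBKDF2", crack_salted, SALTED_TARGETS)):
        t0 = time.perf_counter()
        found, tried = fn(targets, WORDLIST)
        print(f"{label}: {len(found)}/{len(targets)} recovered after {tried} candidates "
              f"in {time.perf_counter() - t0:.3f}s -> {sorted(found.values())}")
```

"Summer2010" meets the ten-character, special-character-free policy on the slide and still falls to the first rule pass; the random string survives both attacks because it is not derivable from any wordlist entry. Length and age rules help less than stopping the predictable transformations, which is what pro-active auditing with exactly this kind of tool is for.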
- 57. Step 4: Maintaining Access
• Trojan Horses
• Rootkits
• Malware
• Spyware
• RATs
• Other
- 58. Phase 4: Maintaining Access
• Once the attackers gain access, they don't want to lose it!
• They alter the system to ensure they can stay in
• They use Trojan horse and backdoor techniques to:
– Hide their presence on the system
– Guarantee future access
– Run programs when needed
- 59. Trojan Horses & Backdoors
• Trojan horses
– Look like normal, benign software, but conceal some sinister functionality
– Example: a fun game program sent by e-mail that runs another program in the background
• Backdoors
– Bypass security controls, giving the attacker access
– Example: the “Joshua” password in the movie “War Games”
• Allowed complete access to the computer
- 61. Phase 5: Covering the Tracks
• Once inside your systems, attackers don’t want to get caught (most times)
• They use a large number of techniques to hide
– Rootkits, all-in-one tools
– Hiding files, processes, and network usage
• Tools/techniques
– Clearing logs
– Hiding files and directories
– Hiding on the network – covert channels
- 62. Log Files
• Tools to clear or edit log files to hide activity
• WinZapper – selectively deletes individual records from the NT Security event log
• Clearlogs – clears remote log files
• Many more
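The defender's side of this slide, added as an example and not part of the deck. Windows records its own clearing of the Security log (event 1102 on Vista and later, 517 on NT/2000/2003) and of other logs (event 104 in the System log), so a search for those IDs catches Clearlogs-style wipes. WinZapper-style selective deletion leaves no such marker, so the script also looks for suspicious silence in a channel that normally logs continuously. The log lines are constructed in the shape of an exported event list, the record format and the gap threshold are my own, and in practice the check runs on a copy forwarded to a central log host, the one copy a local administrator cannot edit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of an exported event list:
# "<date> <time> <channel> <event id> <message>". Not a real capture.
SAMPLE_LOG = """\
2010-03-04 08:12:01 Security 4624 An account was successfully logged on. Account: jdoe
2010-03-04 08:40:17 Security 4672 Special privileges assigned to new logon. Account: jdoe
2010-03-04 08:41:02 Security 1102 The audit log was cleared. Subject: jdoe
2010-03-04 08:41:30 System 104 The Application log file was cleared. User: jdoe
2010-03-04 15:02:44 Security 4624 An account was successfully logged on. Account: svc_backup
2010-03-04 15:02:45 Security 4672 Special privileges assigned to new logon. Account: svc_backup
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d+) (.*)$")

# Events Windows itself writes when a log is cleared.
CLEAR_EVENTS = {("Security", 1102), ("Security", 517), ("System", 104)}


def parse(text):
    """Return (timestamp, channel, event_id, message) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), int(m.group(3)), m.group(4)))
    return events


def find_clears(events):
    """Explicit clear markers: cheap and high-confidence, but only for wholesale clears."""
    return [e for e in events if (e[1], e[2]) in CLEAR_EVENTS]


def find_gaps(events, channel="Security", max_gap=timedelta(hours=4)):
    """Silence in a channel that normally chatters.

    Catches selective deletion that leaves no 1102, at the price of false
    positives on genuinely quiet hosts; tune max_gap per host class.
    """
    times = sorted(e[0] for e in events if e[1] == channel)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for ts, chan, eid, msg in find_clears(evts):
        print(f"{ts} {chan} {eid}: {msg}")
    for start, end in find_gaps(evts):
        print(f"{start} -> {end}: no Security events for {end - start}")
```

On the sample this reports the 1102 and 104 records and one six-hour hole in the Security channel. The clear marker names the account that did it (jdoe, the same account that was granted special privileges a minute earlier), which is the pivot for the rest of the investigation.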
- 63. Hiding Files/Directories
• NT/2003/XP use NTFS – NTFS offers
access controls and other security tools
• File streams – think of every filename as a chest of drawers: the top drawer holds the
contents of the file
• NTFS Alternate Data Streams – other drawers can be created to store data “under” the
original file; Explorer and a plain dir do not show them, and the file’s reported size
does not change
• Defenses:
– Virus protection
– LADS (List Alternate Data Streams), www.heysoft.de
– On Vista and later, dir /r lists streams; so does PowerShell 3 and later with Get-Item -Stream *