Module 2 threats-b

Module
2

Module 2
Security Threats & Attacks

© 2010 – Foreground Security. All rights reserved

Issues & Threats

• Phishing
• Social Engineering
• Viruses, Worms
• Spyware, Malware, Adware, Rootkits
• Trojan Horses
• Dos, DDos
• ID Theft
• Botnets
• Non-compliance
• Password Cracking
• Day-Zero Exploits
• Vulnerabilities, time-to-break
© 2010 Foreground Security. All rights reserved

Identity Theft

Every 5 seconds a thief steals someone's
identity and goes shopping.
IC3 receives over 164,000 complaints annually with
estimated $54 Billion in losses to individuals
Complaints originate from over 100 countries
Violations include auction fraud, international fraud,
non-delivery. Many originate in Eastern Europe and
Asia
Identity Theft was the top consumer complaint to FTC


What Is Identity Theft

• Acquisition of key pieces of identifying
information for the purpose of
impersonation.
Identifying information:
Name
Address
Date of Birth
Social Security Number
Mother’s Maiden Name
Credit Card Number
ATM PIN’s
Bank Account Numbers


Identity Theft – How They Do It

High and Low Technology
• Shoulder surfing at ATMs
• Stealing your mail
• Dumpster diving
• Utilizing corrupt employees
• Creating counterfeit checks
• Phishing (E-mail, Websites, Pop-ups)
• Key Loggers, Sniffers, In-Secure Protocols


Example


Examples

• Recent Incidents
– University compromises
• Student information (Princeton U. Student acceptance database)
– DSW Shoe Warehouse – 1.4 Million Names
– Card Processing Systems – 40 Million ID’s
– Bank of America – 1.2 Million Government Employees
– ChoicePoint – 4,145,000 Names
– CitiFinancial – 3.9 Million Names
• Missing backup tape
• One in 700 crimes leads to a conviction
• Maxus Case:
• Stole 300,000 credit card numbers
• Attempted a $100,000 extortion
• Offered 25,000 credit cards numbers on website

Page 8

Phishing


E-mail Header (Right-click > Options)

• Return-Path: <service@paypal.com>
• Delivered-To: dave@cyberspann.com
• Received: (qmail 72719 invoked by uid 12281); 22 Jul 2005 21:59:18 -0000
• Received: from unknown (HELO in8.prserv.net) ([32.97.166.48])
• (envelope-sender <service@paypal.com>)
• by 198.63.47.249 (qmail-ldap-1.03) with SMTP
• for <dave@cyberspann.com>; 22 Jul 2005 21:59:18 -0000
• Received: from c-24-4-139-49.hsd1.ca.comcast.net ([24.4.139.49])
• by prserv.net (in8) with SMTP
• id <200507222157461080g91o2he>; Fri, 22 Jul 2005 21:59:17 +0000

• X-Originating-IP: [24.4.139.49]
• X-Message-Info: 8gux664qFXH/clQMpuoZweoHVdQ136Xk
• Received: from 248.76.244.4 by 24.4.139.49; Fri, 22 Jul 2005 16:53:49 -0600
• Message-ID: <TJCYETCSBRXBIABFTGUIEFQP@us.paypal.com>
• From: "PayPal Services" <service@paypal.com>
• Reply-To: "PayPal Services" <service@paypal.com>
• To: benney@attglobal.net
• Subject: PayPal Account Suspended as of 07-22-2005
• Date: Sat, 23 Jul 2005 04:53:49 +0600
• X-Mailer: The Bat! (v1.52f) Business
• MIME-Version: 1.0
• Content-Type: multipart/alternative;
• boundary="--80953993190679285460"
• X-Priority: 3
• Status:


Spear Phishing

What is a spear phishing scam?

• Spear phishing describes any highly targeted phishing attack. Spear phishers send e-mail
that appears genuine to all the employees or members within a certain company,
government agency, organization, or group.

• The message might look like it comes from your employer, or from a colleague who might
send an e-mail message to everyone in the company, such as the head of human resources
or the person who manages the computer systems, and could include requests for user
names or passwords.

• The truth is that the e-mail sender information has been faked or "spoofed." Whereas
traditional phishing scams are designed to steal information from individuals, spear phishing
scams work to gain access to a company's entire computer system.

• If you respond with a user name or password, or if you click links or open attachments in a
spear phishing e-mail, pop-up window, or Web site, you might become a victim of identity
theft and you might put your employer or group at risk.

• Spear phishing also describes scams that target people who use a certain product or Web
site. Essentially, scam artists will use any information they can to personalize a phishing
scam to as specific a group as possible.

• The good news is that you can help avoid spear phishing scams by using some of the same
techniques you already use to help avoid standard phishing scams.


Spear Phishing


Defenses

• Never reveal personal or financial information in a
response to an e-mail request, no matter who
appears to have sent it.
• If you receive an e-mail message that appears
suspicious, call the person or organization listed in
the From line before you respond or open any
attached files.
• Never click links in an e-mail message that requests
personal or financial information. Enter the Web
address into your browser window instead.
• Report any e-mail that you suspect might be a spear
phishing attack to the appropriate person within your
company.


“Phishing Attacks”

• Active Phishing Sites: 4/2006 = 2854
• Average Monthly Growth Rate
– 7/2005 - 4/2006 = 15%
• Number of Brands Hijacked = 79
– # of brands comprising top 80% of all attacks = 7
• Top Countries Hosting Phishing Sites = China, United
States
• Top Sector = Financial Services
• Average Time On-line for site = 5.8 days
– Antiphishing Working Group –
www.antiphishing.org

Viruses


Evolution of Viruses


Issues & Threats


What is a worm?

• Virus - a code segment which replicates by attaching copies
to existing executables.
– Self-replication
– Requires a host program as a carrier
– Activated by external action
• Worm - a program which replicates itself and causes
execution of the new copy.
– Self-replication
– Self-contained; does not require a host
– Activated by hijacking or creating a process


Worldwide Code Red
Infections

700,000 machines infected
$2-2.9 billion in damage (Computer Economics)
$200 million in damage per day during attacks

VBSWG – VBS Worm
Generator


Other Types of
Worms/Virus


Trojans


Movie


Spyware, Adware


Spyware, Adware, Rootkits,
Botnets


Spyware


The Cost of Spyware & Adware in
the Enterprise

For Businesses

Real costs not quantifiable today

Keystroke Loggers


Spamming


Password Crackers


Hack Methodology

• 1: Reconnaissance
• 2: Scanning
• 3: Gaining Access
• 4: Maintaining Access/
Malicious Activity
• 5: Covering Tracks

Step 1:
Reconnaissance

• “Casing the Joint”
• Incredibly effective for attackers
• Very Useful information obtained:
– Names of System administrators and others
– Phone numbers and postal addresses
– Internet addresses for target machines
– Technologies in use(DNS, E-mail, Web, Microsoft,
SQL/Oracle, Versions)
– Business Partnerships
– More!!


Low-Tech
Reconnaissance

• Social engineering
– Sensitive information over the phone or mail
– Attacker can easily guess/get passwords
• Physical Access
– Simply walk through front door
– Piggybacking
– Network connectivity
• Dumpster Diving


Internet Searching

• Whois –
– The “white pages” of the Internet, storing:
– Technical, adminstrative, and billing contact names
– Phone numbers and e-mail addresses
– Domain Name Servers
• Arin.net – IP Addresses
• Google
• Linked-In
• Web Postings
• Job Postings (Company or Individual)

Internet


Step 2: Scanning

• Scanning looks for a way in
– Holes in your armor
• Often relies on automated tools
– Manual checking takes too long
• Why information security is hard:
– Attacker must find one way in to achieve
goal
– You must defend all entry points


Phase 2: Scanning

• War Dialing
– THC Scan
• War Driving
– NetStumbler, Kismet, Airsnort
• Network Mapping
– CheopsNG, Winfingerpring
• Port Scanning
– Nmap, SuperScan
• Vulnerability Scanning
– Nessus, LanGuard, SAINT, ISS, Etc.

Examples


Vulnerability Scanning

• At this point, the attacker knows which systems
are available, how they are connected, and
which ports are open
• What are the vulnerabilities on the target
systems?
• Vulnerability scanning tools look for holes on
the target
– Misconfigurations
– Unpatched systems with known vulnerabilities
– Other weaknesses
• By rapidly checking for thousands of known
vulnerabilities, attacker can get in faster

Vulnerability Scanning

• Vulnerability scanning tools consist of a
database of known vulnerabilities, plus
an engine to check if they are present
on the target system(s)
• Nessus is the best free, open-source
scanner
• www.nessus.org
• LanGuard
• www.gfi.com


Hacking Examples

• Languard
• Nessus


Phase 3: Gaining
Access

• Attackers have many, many ways to
gain access to a target network:
– Breaking in physically
– Manipulating poorly written software
– Exploiting weak password storage
mechanisms
– Gathering data that is not properly
encrypted or not encrypted at all (such as
User Ids, passwords, confidential data)
– Etc., etc, etc


Step 3: Gaining Access

• Exploitation - METASPLOIT
• Buffer Overflows - METASPLOIT


Password
Cracking/Stealing

• Easily steal or grab password
representations
– Guess
– Brute force
– Dictionary attacks
• Tools
– Windows - L0pht Crack, www.atstake.com
– Unix – John the Ripper,
www.openwall.com
– Network Tools – Netscan, NetbiosAT

Hacking Example

Hacking Demonstration


Password Cracking
Defenses

• Strong Password Policy
– At least 10 characters, 60-90 days, special
characters
– User awareness
• Multi-factor Authentication
• Pro-active Password Auditing


Step 4: Maintaining
Access

• Trojan Horses
• Rootkits
• Malware
• Spyware
• RATs
• Other

Phase 4: Maintaining
Access

• Once the attackers gain access, they
don’t want to lose it!
• They alter the system to ensure they
can stay in
• They utilize Trojan Horse and Backdoor
techniques to..
– Hide their Presence on the system
– Guarantee future access
– Run programs when needed


Trojan Horses &
Backdoors

• Trojan Horses
– Look like normal, happy software, but
mask some sinister functionality
– Example: fun game program through e-
mail that runs program in background
• Backdoors
– Bypass security controls giving attacker
access
– Example: “Joshua” password in “War
Games” movie
• Allowed complete access to computer

Hacking Examples

• Example of a Trojan Horse


Phase 5: Covering the
Tracks

• Once inside your systems, attackers
don’t want to get caught (most times)
• They use large numbers of techniques
to hide
– Rootkits, All-in-one tools
– Hiding files, processes, and network
usage
• Tools/techniques
– Clearing Logs
– Hiding Files and directories
– Hiding ©on Foreground Security. All rights Covert Channels
2010 the network – reserved

Log Files

• Tools to clear or Edit Log files to hide
activity
• Winzapper – Edit NT Log files
• Clearlogs – Clear remote log files
• Many More


Hiding Files/Directories

• NT/2003/XP use NTFS – NTFS offers
access controls and other security tools
• File streaming – every filename is like a
chest of drawers, the top drawer contains
the contents of the file.
• NTFS Alternate Data Streams – other
drawer can be created to store data “under”
original file
• Defenses:
– Virus Protection
– LADS (List Alternate Data Streams)
www.heysoft.de

Module 2 threats-b

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Module 2 threats-b

Similar to Module 2 threats-b (20)

Module 2 threats-b