Internet Security Issues


My paper on Internet Security Issues presented and published at National Conference(2006) India.

Introduction

This paper discusses some common methods used by hackers. It presents the information from the hacker's perspective. The intention is just to unveil the mysterious world of hacking and to give useful tips to system administrators to secure their systems. The aim extends to generating a new breed of ethical hackers who can make the Internet more secure by their sheer will and skill.

Contents
• Web Spoofing
• DOS [Denial of Service] Attack
• Trojan Insights
• SQL Injection Attacks
• Google as a Hacking Tool
• Anonymity
• Methods of Protection

Web Spoofing – The Art of Deception

Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

How the Attack Works

The user may divulge sensitive information like passwords or credit card information since, for him, it is a valid website. Here, the attacker observes all the traffic from the user to the website, as he has access to all user requests. Thus, this kind of attack leads to privacy intrusion as well as tampering with the data the user requested, both of which can have disastrous consequences.

A> Passive Monitoring
Since most online transactions are done using forms, the attacker has access to all data entered by the user; one such piece of data can be the username and password.

B> Active Tampering
The attacker can modify the data travelling in either direction, i.e. from user to server as well as from server to user.

C> The Trap
The attacker must somehow lure the user into entering his false Web. This can be done by providing a link to the false Web on a popular web page, or by emailing the user a link to the false Web.

D> Completing the Attack
There are still some clues that can warn the user of mischief, which can again be easily removed by the attacker. For example:

E> The Status Line
The status line is a single line of text that informs the user of the status of web transfers, typically found at the bottom of the browser. When a user moves the mouse over a link, the status line displays the URL that the link leads to, so the user can find out if he is being misled. However, the contents of the status line can easily be changed using JavaScript.

F> The Location Line
The location line displays the URL of the web page being shown in the browser. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. This clue can also be hidden using JavaScript.
DoS [Denial of Service] Attack

A DoS (denial of service) attack is a kind of attack which exploits an existing vulnerability in the operating system or in the software of the target machine, or in Internet protocols like TCP/IP, thus bringing down the aimed service or sometimes all the services of the target system. In short, it prevents legitimate users from using the services offered by the target system.

One DoS attack is explained below.
Note: There are many more sophisticated DoS attacks presently.

A> SYN Flooding
This kind of DoS attack is executed by exploiting the TCP/IP 3-way handshake based authentication system. In this attack, an attacker floods the target computer with unfinished SYN requests. Since the victim computer cannot finish these SYN requests, it has to use its system resources to store these SYN requests temporarily, thus slowly overloading the system resources and finally ending up crashing it or rebooting it.

B> TCP/IP 3-way authentication system
For a successful connection between two computers, Host and Client, a complete and successful 3-way handshake must take place.
First, the client sends a SYN packet (SYN request) to the Host asking for a TCP/IP connection.
Second, the host replies with a SYN/ACK packet to the client, thus indicating its response and acknowledgement.
Third, the client sends an ACK packet to the host, thus completing the connection.

Client --- SYN -------> Host     1st Handshake
Host ----- SYN/ACK ---> Client   2nd Handshake
Client --- ACK -------> Host     3rd Handshake

This is the very basis of connection establishment between two computers, Host and Client. At first this procedure is carried out, then the username/password authentication or any other form of authentication takes place.
Note: SYN packets and ACK packets are special data packets designed by the operating system. Just like SYN and ACK packets, FIN is also a specially designed data packet, which is sent by computer systems to terminate connections with one another.

The hacker continuously sends SYN packets without responding to previous SYN requests; thus the target server is slowly filled up with unfinished SYN requests, ultimately causing the target server to reboot. Such specialized data packets can be formed by hacking tools available on the net.

C> Teardrop Attack
This attack is also executed by exploiting a vulnerability present in operating systems.

Packet Reassembling Vulnerability
Suppose one wants to send a big file to another computer; then the original file is broken into small parts called data packets and sent to the remote system. Each data packet contains information like sequence number, byte length, type of protocol, etc. The header part contains the information needed for reassembling.

Let's take a small example: say I want to send a file of size 3000 KB. This file is split up into, say, 3 parts each containing 1000 KB.
Note: In practice the original file is split up into much smaller parts.
Now these 3 parts are called data packets and each packet will carry 1000 KB. The header part of the first packet will have a byte length of 1–1000. Similarly the header parts of the second and third packets will have byte lengths of 1001–2000 and 2001–3000.
Now each packet has an OFFSET field, which indicates from which byte to which byte a particular data packet contains. According to this OFFSET field the data packets are reassembled in the target system to generate the original file.

Data Pkt No.   Type     Size   OFFSET FIELD
1              TCP/IP   1000   1-1000
2              TCP/IP   1000   1001-2000
3              TCP/IP   1000   2001-3000

The Attack
In a teardrop attack, custom-made data packets with confusing OFFSET fields are sent to the target system, thus ending it up in a system crash or reboot. First I want to send a file of size, say, 5000 KB to the target system, and the file is split up into 5 data packets each carrying 1000 KB at
my end, which are supposed to be reassembled in the target system. For executing the teardrop attack on the target system I have to modify the OFFSET field of these data packets, which will be sent to the target system, where the target system will attempt to reassemble them according to the OFFSET field.

Say the first packet will have an OFFSET field of 1-1000, then 1001-2000; now I play the trick from the third packet onwards. I send the third packet with an OFFSET field of 2000-3000, the fourth with 3000-4000 and the fifth with 4000-5000. Now 2000, 3000 and 4000 have each appeared twice in the OFFSET fields of the data packets sent to the target system. The target system will expect something like:

1      1000
1001   2000
2001   3000
3001   4000
4001   5000

But actually it is getting something like:

1      1000
1001   2000
2000   3000
3000   4000
4000   5000

The target system will have no idea how to handle this kind of data packets, and reassembling these data packets according to TCP/IP or IPv4 will result in a system crash or reboot.

Trojan Insights

This is one of the biggest threats on the Internet. Trojans are sophisticated programs that disguise themselves as proper software but, when executed, perform malicious functions. Just to give you an idea, analyze this: you download software from some untrusted website that boasts some cool features. If the antivirus software is not updated, the Trojan won't be detected. You execute the software and it appears to be normal, but deep down the Trojan will have opened a backdoor to your system; it starts acting as a server and notifies a client (the Trojan maker) somewhere in Alaska. Since the server has to do what the client asks for, the remote user can now view all your files, log your passwords, send e-mails, download anything, upload files to your computer... all this WITHOUT your knowledge. The remote user can even hack into some bank using your computer and you may not get a hint.

Here are some registry hideouts that some Trojans employ. There are many other places on a Windows system where Trojans can add scripts and shortcuts to start up Trojan processes:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Note: For the following registry keys, the key value should be exactly "%1 %*". Any program that is added to the key value will get executed every time a binary file (.exe, .com) is executed, e.g. "Trojan.exe %1 %*".

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

Also check the Startup folder: to go to this folder, click on Start->Programs->Startup, right-click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will start automatically every time you log in to your system. Check out the following files on Windows:

Win.ini (load=Trojan.exe or run=Trojan.exe)
System.ini (Shell=Explorer.exe trojan.exe)
Autoexec.bat - look for added Trojan files, possibly with the following file extensions: .exe, .scr, .pif, .com, .bat
Config.sys - look for added Trojan files
Any suspicious or new batch files (.BAT), which might call the actual Trojan.

In addition, watch out for social engineering. Don't be fooled by processes or programs with
similar and/or exactly the same filename as the legitimate Windows system programs. Many known Trojans have included programs with exactly the same name as Windows system programs, but put them into different folders.

Possible signs and symptoms of Trojan infections:
1> Your CD-ROM door opens and closes by itself.
2> Messages start popping up on your monitor screen that appear to be talking to you.
3> Your printer may print out strange messages on its own.
4> Your mouse pointer may start moving on its own.
5> An unknown person starts typing in your instant message window when you are chatting with a friend.

SQL Injection Attack

Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get credit card information, and just one hack on a commercial site will bring down its reputation and also its customers, as they want their credit card info secured. Most commercial websites use Microsoft SQL (MSSQL) and Oracle database servers. A common mistake made by web designers can reveal the databases of the server to the hacker. The whole game is about query strings, so it is assumed that the reader has some knowledge about queries and ASP. This hack is done using only the browser, so you don't require any other tools except IE or Netscape.

Normally, in order to make a login page, the web designer will write the following code.

Login.htm

<html>
<body>
<!-- The form must post: logincheck.asp reads the fields with Request.Form -->
<form method="post" action="logincheck.asp">
<input type="text" name="login_name">
<input type="text" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>

logincheck.asp

<%@ Language="VBScript" %>
<%
Dim conn, rs, log, pwd
' Values posted from Login.htm, used without any validation or escaping
log = Request.Form("login_name")
pwd = Request.Form("pass")
Set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = "provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
Set rs = Server.CreateObject("ADODB.Recordset")
' The query is built by string concatenation: this is the injection point
rs.Open "Select * from table1 where login='" & log & "' and password='" & pwd & "' ", conn
If rs.EOF Then
    Response.Write("Login failed")
Else
    Response.Write("Login successful")
End If
%>

Looking at the above code, at first sight it seems OK. A user will type his login name and password in the login.htm page and click the submit button. The values of the text boxes will be passed to the logincheck.asp page, where they will be checked using the query string. If it doesn't get an entry satisfying the query and reaches end of file, a message of login failed will be displayed. Everything seems to be OK. But wait a minute. Think again. Well, if you have made a page like this then a hacker can easily login successfully without knowing the password. Let's look at the query again.

"Select * from table1 where login='" & log & "' and password='" & pwd & "' "

Now if a user types his login name as "abc" and password as "def", then these values will pass to the ASP page with the post method and the above query will become:

"Select * from table1 where login='abc' and password='def'"

That's fine. There will be an entry abc and def in the login and password fields in the database, so we will receive a message of login successful. Now what if I type the login name as "abc" and password as

' or 'a'='a

in the password text box? The query will become as follows:

"Select * from table1 where login='abc' and password='' or 'a'='a'"

And submit, and bingo! I will get the message Login successful. The query gets satisfied because the query changes: the password needs to be ' ' or 'a' needs to be equal to
'a'. Clearly the password is not ' ', but at the same time 'a'='a', so the condition is satisfied, and a hacker is in with login "abc".

Google as a Hacking Tool

It is said that Google is a hacker's best friend. Knowledge of specific search strings can yield some very interesting results. But first we must learn to search intelligently. Google offers a lot of interesting features for better search results, but these very features can easily be used to obtain access to sensitive data like password lists, bank database sheets, etc. However, this is only the case with improper security measures and can easily be rectified.

A> Features
Google search options:
Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf
Google allows you to search for specific file types, so instead of getting HTML files (websites) as a result, you get Microsoft Excel files, for example. The search string you would use is filetype:xls (for Excel files) or filetype:doc for Word files.
But maybe more interesting would be searching for *.db files and *.mdb files. Things that come to mind are *.cfg files or *.pwd files, *.dat files. Try and think of something that might get you some interesting results.

B> Inurl
Another useful search option is the inurl: option, which allows one to search for a certain word one would want to be in the URL. This gives you the opportunity to search for specific directories/folders, especially in combination with the "index of" option.
E.g. inurl:admin, which would give you results of website URLs that have the word "admin" in the URL.

C> Index of
If you use the "index of" string you will find directory listings of specific folders on servers.
E.g. 'index of' admin or index.of.admin, which would get you many directory listings of admin folders.

D> Site
The site option allows you to come up with results that only belong to a certain domain name extension or to a specific site.
E.g. site:mil or site:gov

E> Combining Search Options
• filetype:xls "restricted"
• site:mil filetype:xls "password"
• site:mil "index of" admin

Anonymity

Nowadays, privacy has become a major issue on the Internet. Someone like your employer or rival companies might be gathering all your info to sell to yet other companies, or even the government may be on your track while you peacefully surf the web. Thus, anonymity on the web means being able to use all of its services with no concern about someone snooping on your data.

A> Surfing Anonymously
The Web servers on the Internet log every GET request made, together with date, hour and IP. We can make use of proxy servers to surf anonymously. The proxy connection works like this:

User PC ----> Proxy Server ----> Web Server

So, when a user requests a URL, this request is first received by the Proxy Server, which then fetches the contents from the Web Server and forwards them to the originating PC. Thus, the IP address logged on the Web Server is that of the Proxy Server and not of the User PC. However, the User IP can still be obtained if we access the Proxy Server. The solution to this is Proxy Chaining.

Proxy Chaining works like this:

User PC --> P1 --> P2 --> ... --> Pn --> Web Server

P[i] are Proxy Servers, where i = 1, 2, ..., n.

Thus by this technique we can make the User PC almost untraceable. Further, to make it impossible, we can chain Proxy Servers located in rival countries, thus adding a political obstacle to the tracing process, since rival countries will
never divulge information about servers in their land.

B> Web proxy
There are several websites that offer anonymous surfing. These websites fetch contents and pass them on to the User PC. However, there is always the threat of such websites keeping a log of your surfing habits.
E.G.
Additionally, we can chain several such web proxies together.
E.G. bin/anon-www.cgi/http:// **********
The desired URL is typed in place of *. The process is like this:

User PC --> --> --> Desired Web site

Methods of protection
• An antivirus (I suggest Norton / PC-cillin / McAfee / AVG). It is very important to keep them all updated. An antivirus is as good as its virus definition files, meaning it generally does not detect new viruses which are not mentioned in the definition files.
• A firewall (I suggest ZoneAlarm / Tiny Firewall / Sygate). Tiny is my favorite as it is least interfering and most effective, leaving you completely invisible on the net. WinXP has an inbuilt firewall and hence does not need an additional one.
• A Trojan buster (Trojan-remover / a2). An absolute essential in a networked environment.
• Also "Regrun" is a useful tool, which regularly checks and notifies you about any changes that have been made to the system files and registries or any new software that has been installed, thus giving you added protection.

Biography
Aniruddha S. Deshpande
B.E. Information Technology
K.J. Somaiya College of Engineering
Email:
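The packet reassembly problem from the Teardrop section, as an added example that is not part of the original paper: a receiver-side check of the OFFSET fields, run on the paper's own two fragment sets (the consistent 1-1000 ... 4001-5000 set and the overlapping 2000-3000 / 3000-4000 / 4000-5000 set). The inclusive 1-based offsets, the 5000-unit file size and the function names are assumptions of this example.

```python
# Added example (not from the paper): validate fragment OFFSET fields before
# reassembling, so an overlapping set is rejected instead of being copied into
# the buffer. Offsets are inclusive and 1-based, as in the paper's table, and
# payload lengths are measured in the same units as the offsets.

# Constructed sample inputs: the offsets the target expects, and the teardrop set.
EXPECTED_OFFSETS = [(1, 1000), (1001, 2000), (2001, 3000), (3001, 4000), (4001, 5000)]
TEARDROP_OFFSETS = [(1, 1000), (1001, 2000), (2000, 3000), (3000, 4000), (4000, 5000)]


def check_offsets(offsets, total_size):
    """Return None if the (first, last) pairs tile 1..total_size exactly,
    otherwise a string naming the first inconsistency found."""
    if not offsets:
        return "no fragments"
    expected_first = 1
    for first, last in sorted(offsets):
        if first < 1 or last > total_size:
            return f"fragment {first}-{last} lies outside 1-{total_size}"
        if last < first:
            return f"fragment {first}-{last} has negative length"
        if first < expected_first:
            # The teardrop case: this fragment re-covers bytes already received.
            return f"fragment {first}-{last} overlaps the previous fragment"
        if first > expected_first:
            return f"gap before byte {first}"
        expected_first = last + 1
    if expected_first != total_size + 1:
        return f"incomplete: {expected_first - 1} of {total_size} bytes received"
    return None


def reassemble(fragments, total_size):
    """fragments: list of (first, last, payload_bytes). Returns the joined bytes,
    or raises ValueError rather than reassembling an inconsistent set."""
    problem = check_offsets([(f, l) for f, l, _ in fragments], total_size)
    if problem:
        raise ValueError(problem)
    buf = bytearray(total_size)
    for first, last, payload in fragments:
        if len(payload) != last - first + 1:
            raise ValueError(f"fragment {first}-{last}: payload length mismatch")
        buf[first - 1:last] = payload
    return bytes(buf)


if __name__ == "__main__":
    # Fill each fragment with its packet number so the result can be inspected.
    good = [(f, l, bytes([i + 1]) * (l - f + 1)) for i, (f, l) in enumerate(EXPECTED_OFFSETS)]
    print("expected set:", check_offsets(EXPECTED_OFFSETS, 5000), len(reassemble(good, 5000)))
    print("teardrop set:", check_offsets(TEARDROP_OFFSETS, 5000))
```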
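The login bypass from the SQL Injection section, as an added example that is not part of the original paper: the logincheck.asp query rebuilt in Python against an in-memory SQLite table holding the paper's user abc/def, once by string concatenation exactly as the ASP page does and once with bound parameters. The sqlite3 table, the plaintext password storage (kept only to mirror the paper's setup) and the function names are assumptions of this example.

```python
# Added example (not from the paper): the concatenated login query beside a
# parameterized one, checked with the input the paper types into the password box.
import sqlite3

INJECTED_PASSWORD = "' or 'a'='a"   # the paper's password-box input


def make_db():
    """Constructed sample database: table1 with the paper's single user abc/def."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (login TEXT, password TEXT)")
    conn.execute("INSERT INTO table1 VALUES ('abc', 'def')")
    conn.commit()
    return conn


def build_query(log, pwd):
    """The same concatenation logincheck.asp performs with & ."""
    return "Select * from table1 where login='" + log + "' and password='" + pwd + "'"


def login_vulnerable(conn, log, pwd):
    """True when the concatenated query returns a row (the ASP page's 'not rs.EOF').
    With the injected input the WHERE clause becomes
    login='abc' and password='' or 'a'='a', and OR makes it true for any user."""
    return conn.execute(build_query(log, pwd)).fetchone() is not None


def login_safe(conn, log, pwd):
    """Same check with placeholders: the driver passes pwd as one string value,
    so the quote and the 'or' inside it never reach the SQL parser as syntax."""
    sql = "SELECT * FROM table1 WHERE login = ? AND password = ?"
    return conn.execute(sql, (log, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query("abc", INJECTED_PASSWORD))
    print("concatenated,  real password:", login_vulnerable(db, "abc", "def"))
    print("concatenated,  injected:     ", login_vulnerable(db, "abc", INJECTED_PASSWORD))
    print("parameterized, real password:", login_safe(db, "abc", "def"))
    print("parameterized, injected:     ", login_safe(db, "abc", INJECTED_PASSWORD))
```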