Internet Security Issues

Introduction
This paper discusses some common methods used by hackers. It presents the information from the hacker's perspective. The intention is to unveil the mysterious world of hacking and to give useful tips to system administrators for securing their systems. The aim extends to generating a new breed of ethical hackers who can make the Internet more secure by their sheer will and skill.

Contents
• Web Spoofing
• DoS [Denial of Service] Attack
• Trojan Insights
• SQL Injection Attacks
• Google as a Hacking Tool
• Methods of Protection

Web Spoofing – The Art of
Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

How the Attack Works
The user may divulge sensitive information such as passwords or credit card details, since to him it is a valid website. The attacker observes all the traffic from the user to the website, as he has access to every user request. Thus this kind of attack leads to privacy intrusion as well as tampering with the data the user requested, both of which can have disastrous consequences.

A> Passive Monitoring
Since most online transactions are done using forms, the attacker has access to all data entered by the user; one such item can be the username-

B> Active Tampering
The attacker can modify the data travelling in either direction, i.e. from user to server as well as from server to user.

C> The Trap
The attacker must somehow lure the user into entering his false Web. This can be done by providing a link to the false Web on a popular web page, or by emailing the user a link to the false Web.

D> Completing the Attack
There are still some clues that can warn the user of mischief, which again can easily be removed by the attacker. For example:

E> The Status Line
The status line is a single line of text that informs the user of the status of web transfers, typically found at the bottom of the browser. When the user moves the mouse over a link, the status line displays the URL that the link leads to. Thus the user can find out if he is being
However, the contents of the status line can

F> The Location Line
The location line displays the URL of the web page being shown in the browser. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.
DoS [Denial of Service] Attack
A DoS (denial of service) attack is a kind of attack which exploits an existing vulnerability in the operating system or in the software of the target machine, or in Internet protocols like TCP/IP, thus bringing down the aimed service or sometimes all the services of the target system. In short, it prevents legitimate users from using the services offered by the target system.
One of the DoS attacks is explained below.
Note: There are many more sophisticated DoS attacks in use at present.

A> SYN Flooding
This kind of DoS attack is executed by exploiting the TCP/IP 3-way handshake based authentication system. In this attack an attacker floods the target computer with unfinished SYN requests. Since the victim computer cannot finish these SYN requests, it has to use its system resources to store them temporarily, thus slowly overloading the system resources and finally ending up crashing or rebooting.

B> TCP/IP 3 way authentication system
For a successful connection between two computers, Host and Client, a complete and successful 3-way handshake must take place.

First, the client sends a SYN packet (SYN request) to the Host asking for a

Second, the host replies with a SYN/ACK packet to the client, thus indicating its response and acknowledgement.

Third, the client sends an ACK packet to the host, thus completing the connection.

Client --- SYN ---- Host        1st Handshake
Host ----- SYN/ACK ---- Client  2nd Handshake
Client ---- ACK -------- Host   3rd Handshake

This is the very basis of connection establishment between two computers, Host and Client. First this procedure is carried out, and then the username/password authentication or any other form of authentication takes place.
Note: SYN packets and ACK packets are special data packets designed by the operating system. Just like SYN and ACK packets, FIN is also a specially designed data packet, which is sent by computer systems to terminate connections with one another.
The hacker continuously sends SYN packets without responding to the previous SYN requests, thus the target server is slowly filled up with unfinished SYN requests, ultimately causing the target server to reboot.
Such specialized data packets can be formed by hacking tools available on the net.

C> Teardrop Attack
This attack is also executed by exploiting a vulnerability present in operating systems.

Packet Reassembling Vulnerability
Suppose one wants to send a big file to another computer. The original file is broken into small parts called data packets and then sent to the remote system. Each data packet contains information like sequence number, byte length, type of protocol, etc. The header part contains the information needed for reassembling.
Let's take a small example. Say I want to send a file of size 3000 KB. This file is split up into, say, 3 parts each containing 1000 KB.
Note: In practice the original file is split up into much smaller parts.
Now these 3 parts are called data packets and each packet carries 1000 KB. The header part of the first packet will have a byte length of 1-1000. Similarly the header parts of the second and third packets will have byte lengths of 1001-2000 and 2001-3000.
Each packet has an OFFSET field, which indicates from which byte to which byte a particular data packet contains. According to this OFFSET field the data packets are reassembled in the target system to generate the original file.

Data Pkt No.  Type    Size  OFFSET FIELD
1             TCP/IP  1000  1-1000
2             TCP/IP  1000  1001-2000
3             TCP/IP  1000  2001-3000

In a Teardrop attack, custom-made data packets with confusing OFFSET fields are sent to the target system, ending in a system crash or reboot. Say I want to send a file of size 5000 KB to the target system; the file is split up into 5 data packets each carrying 1000 KB at my end, which are supposed to be reassembled in the target system. For executing the teardrop attack on the target system I have to modify the OFFSET field of these data packets, which will be sent to the target system, where the target system will attempt to reassemble them according to the OFFSET field.
Say the first packet will have an OFFSET field of 1-1000, then 1001-2000; now I play the trick from the third packet onwards. I send the third packet with an OFFSET field of 2000-3000, the fourth with 3000-4000 and the fifth with 4000-5000. Now 2000, 3000 and 4000 have each appeared twice in the OFFSET fields of the data packets sent to the target system. The target system will expect something like:

Data Pkt No.  Type    Size  OFFSET FIELD
1             TCP/IP  1000  1-1000
2             TCP/IP  1000  1001-2000
3             TCP/IP  1000  2001-3000
4             TCP/IP  1000  3001-4000
5             TCP/IP  1000  4001-5000

But actually it is getting something like:

Data Pkt No.  Type    Size  OFFSET FIELD
1             TCP/IP  1000  1-1000
2             TCP/IP  1000  1001-2000
3             TCP/IP  1000  2000-3000
4             TCP/IP  1000  3000-4000
5             TCP/IP  1000  4000-5000

The target system will have no idea how to handle this kind of data packet, and reassembling these data packets according to TCP/IP or IPv4 will result in a system crash or

Trojan Insights
This is one of the biggest threats on the Internet. Trojans are sophisticated programs that disguise themselves as proper software but, when executed, perform malicious functions. Just to get an idea, analyze this: you download a piece of software from some untrusted website that boasts some cool features. If your antivirus software is not updated, the Trojan won't be detected. You execute the software and it appears to be normal, but deep down the Trojan will have opened a backdoor to your system and starts acting as a server, notifying a client (the Trojan maker) somewhere in Alaska. Since the server has to do what the client asks for, the remote user can now view all your files, log your passwords, send e-mails, download anything, upload files to your computer... all this WITHOUT your knowledge. The remote user can even hack into some bank using your computer and you may not get a hint.
Here are some registry hideouts that some Trojans employ. There are many other places on a Windows system where Trojans can add scripts and shortcuts to start up Trojan processes:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microso

Note: For the following registry keys, the key value should be exactly "%1 %*". Any program that is added to the key value will get executed every time a binary file (.exe, .com) is executed, e.g. "Trojan.exe %1 %*".

Also check the Startup folder: to go to this folder, click on Start->Programs->Startup, then right-click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will start up automatically every time you log in to your system. Check out the following files on you

Autoexec.bat - look for added Trojan files, which may have the following file extensions: .exe, .scr, .pif, .com, .bat
Config.sys - look for added Trojan files
Any suspicious or new batch files (.BAT), which might call the actual Trojan.
In addition, watch out for social engineering.
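The manual checks above (the Run and RunOnce keys, startup entries that run .bat/.scr/.pif/.com files, and programs that borrow a Windows system program's name from a different folder) can be scripted. This is an added example, not code from the article; the set of mimicked system names and the sample autorun entries are constructed assumptions, and only read_run_keys() needs Windows.

```python
import ntpath
import sys

# Autorun registry keys named in the article (under HKEY_LOCAL_MACHINE).
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
# Windows system program names Trojans like to borrow: an assumed sample set, not exhaustive.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}   # where the genuine copies live
SCRIPT_EXTS = {".bat", ".scr", ".pif", ".com"}           # extensions the article says to look for

def exe_path(command):
    """Executable path from a command line, quoted ("C:\\x\\y.exe" /a) or bare (C:\\x\\y.exe /a)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious(name, command):
    """Return a reason if the entry matches a hideout pattern from the article, else None."""
    path = exe_path(command)
    base = ntpath.basename(path).lower()          # ntpath handles backslashes on any OS
    folder = ntpath.dirname(path).lower().rstrip("\\")
    ext = ntpath.splitext(base)[1]
    if base in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        return f"{name}: system program name {base} launched from {folder or '(no folder)'}"
    if ext in SCRIPT_EXTS:
        return f"{name}: startup entry runs a {ext} file ({path})"
    return None

def audit_entries(entries):
    return [r for r in (suspicious(n, c) for n, c in entries) if r]

def read_run_keys():
    """Collect (name, command) pairs from the Run/RunOnce keys; Windows only (uses winreg)."""
    import winreg
    entries = []
    for sub in RUN_KEYS:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:          # raised once the values are exhausted
                    break
                entries.append((name, str(value)))
                i += 1
    return entries

if __name__ == "__main__":
    sample = [("ctfmon", r"C:\Windows\System32\ctfmon.exe"),   # constructed sample entries
              ("Updater", r'"C:\Users\Public\svchost.exe" -hide'), ("Startup", r"C:\Temp\start.bat")]
    for finding in audit_entries(read_run_keys() if sys.platform == "win32" else sample):
        print(finding)
```

A finding is only a prompt to look closer: a genuine installer can legitimately place a .bat in a Run key, so verify each flagged entry by hand as the article advises.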
Don't be fooled by processes or programs with similar or exactly the same filenames as legitimate Windows system programs. Many known Trojans have included programs with exactly the same name as Windows system programs, but put them into different folders.
Possible signs and symptoms of Trojan infections:
1> Your CD-ROM door opens and closes by itself.
2> Messages start popping up on your monitor screen that appear to be talking to you.
3> Your printer may print out strange messages on its own.
4> Your mouse pointer may start moving on its own.
5> An unknown person starts typing in your instant message window when you are chatting with a friend.

SQL Injection Attack
Databases are the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get credit card information, and just one hack on a commercial site will bring down its reputation and also drive away its customers, as they too want their credit card information secured. Most commercial websites use Microsoft SQL (MSSQL) and Oracle database servers. A common mistake made by web designers can reveal the server's databases to the hacker. The whole game is one of query strings, so it is assumed that the reader has some knowledge of queries and ASP. This hack is done using only the browser, so you don't require any tools other than IE or Netscape.
Normally, in order to make a login page, the web designer will write the following code.

Login.htm

<html>
<body>
<!-- method changed from get to post: logincheck.asp reads the fields with Request.Form, which only sees POST data -->
<form method=post action="logincheck.asp">
<input type="text" name="login_name">
<input type="text" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>

logincheck.asp

<%@ language="vbscript" %>
<%
dim conn,rs,log,pwd
log=Request.Form("login_name")
pwd=Request.Form("pass")   ' added: the original listing never assigned pwd, although the query uses it
set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
' the login name and password are concatenated straight into the SQL text: this is the flaw exploited below
rs.Open "Select * from table1 where login='" & log & "' and password='" & pwd & "'", conn
If rs.EOF Then
    Response.Write("Login failed")
Else
    Response.Write("Login successful")   ' added so the listing is complete; the original was cut off after Else
End If
%>

Looking at the above code, at first sight it seems OK. A user will type his login name and password in the login.htm page and click the submit button. The values of the text boxes will be passed to the logincheck.asp page, where they are checked using the query string. If no entry satisfying the query is found and the end of file is reached, a "Login failed" message is displayed. Everything seems to be OK. But wait a minute. Think again. If you have made a page like this, then a hacker can easily log in successfully without knowing the password. Let's look at the query again:
"Select * from table1 where login='" & log & "' and password='" & pwd & "'"
Now if a user types his login name as "abc" and password as "def", then these values will be passed to the ASP page with the post method and the above query will become
"Select * from table1 where login='abc' and password='def'"
That's fine. There will be an entry abc and def in the login and password fields of the database, so we will receive a "Login successful" message. Now what if I type the login name as "abc" and ' or 'a'='a in the password text box? The query will become as follows:
"Select * from table1 where login='abc' And password='' or 'a'='a'". Submit and bingo! I will get the message "Login successful".
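The same login check recreated with SQLite so the bypass can be reproduced offline and compared with a parameterized version. This is an added example, not the article's code: the in-memory table1 holding the row abc/def is constructed, and the payload is the one typed into the password box above.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the article's table1 (the article uses an Access .mdb file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table1 (login text, password text)")
    conn.execute("insert into table1 values ('abc', 'def')")
    conn.commit()
    return conn

def login_vulnerable(conn, log, pwd):
    """Mirrors logincheck.asp: user input is glued into the SQL text, so quotes in the input become SQL."""
    query = "Select * from table1 where login='" + log + "' and password='" + pwd + "'"
    return conn.execute(query).fetchone() is not None

def login_fixed(conn, log, pwd):
    """Same check with bound parameters: the driver sends the values separately, never as SQL text."""
    query = "Select * from table1 where login=? and password=?"
    return conn.execute(query, (log, pwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 'a'='a"                        # the password the article types into the box
    print(login_vulnerable(db, "abc", "def"))      # True: correct credentials
    print(login_vulnerable(db, "abc", payload))    # True: bypass, no password known
    print(login_fixed(db, "abc", payload))         # False: the payload is just a wrong password
```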
The query gets satisfied because the condition has changed: either the password needs to be ' ' or 'a' needs to be equal to 'a'. Clearly the password is not ' ', but at the same time 'a'='a'. So the condition is satisfied, and the hacker is in with login "abc".

Google as a Hacking Tool
It is said that Google is a hacker's best friend. Knowledge of specific search strings can yield some very interesting results. But first we must learn to search intelligently. Google offers a lot of interesting features for better search results, but these very features can easily be used to obtain access to sensitive data like password lists, bank database sheets, etc. However, this is only the case where security measures are improper, and it can easily be rectified.

A> Features
Google search options:
Specific file types: *.xls, *.doc, *.pdf, *.ps, *.ppt, *.rtf
Google allows you to search for specific file types, so instead of getting HTML files (websites) as a result you get Microsoft Excel files, for example. The search string you would use would be:
filetype:xls (for Excel files) or filetype:doc for Word files.
But maybe more interesting would be searching for *.db files and *.mdb files. Things that come to mind are *.cfg files, *.pwd files and *.dat files. Try and think of something that might get you some interesting results.

B> Inurl
Another useful search option is the inurl: option, which allows one to search for a certain word one would want to be in the URL. This gives you the opportunity to search for specific directories/folders, especially in combination with the "index of" option.
E.g. inurl:admin, which would give you results of website URLs that have the word "admin" in the

C> Index of
If you use the "index of" string you will find directory listings of specific folders on servers.
E.g. 'index of' admin or index.of.admin
which would get you many directory listings of

D> Site
The site option allows you to come up with results that only belong to a certain domain name extension or to a specific site.
E.g. site:mil or site:gov

E> Combining Search Options
inurl:nasa.gov filetype:xls "restricted"
site:mil filetype:xls "password"
site:mil "index of" admin

Anonymity
Nowadays, privacy has become a major issue on the Internet. Someone like your employer or rival companies might be gathering all your information to sell to yet other companies, or even the government may be on your track while you peacefully surf the web. Thus anonymity on the web means being able to use all of its services with no concern about someone snooping on your data.

A> Surfing Anonymously
Web servers on the Internet log every GET request made, together with date, hour and IP. We can make use of proxy servers to surf anonymously. The proxy connection works like this:

User PC ---- > Proxy Server --- > Web Server

So, when a user requests a URL, the request is first received by the proxy server, which then fetches the contents from the web server and forwards them to the originating PC. Thus the IP address logged on the web server is that of the proxy server and not of the user PC. However, the user's IP can still be obtained if we access the proxy server. The solution to this is proxy chaining.
Proxy chaining works like this:

User PC -- > P1 -- > P2 -- > … -- > Pn -- > Web Server

P[i] are proxy servers, where i = 1, 2, ..., n
Thus by this technique we can make the user PC almost untraceable. Further, to make it impossible, we can chain proxy servers located in rival countries, thus adding a political obstacle to the tracing process, since rival countries will never divulge information about servers in their land.

B> Web proxy
There are several websites that offer anonymous surfing. These websites fetch contents and pass them on to the user PC. However, there is always the threat of such websites keeping a log of your surfing habits.
E.g.
www.anonymizer.com
http://anonymouse.org/
Additionally, we can chain several such web proxies together.
E.g.
http://www.proxyking.net/cgiproxy/nph-proxy.pl/110010A/http/Anonymouse.org/cgi-bin/anon-www.cgi/http:// **********
The desired URL is typed in place of the asterisks.
The process is like this:
User PC -- > www.proxyking.net -- > Anonymouse.org -- > Desired Web site.

Methods of protection
An antivirus (I suggest Norton/PC-cillin/McAfee/AVG). It's very important to keep them all updated. An antivirus is only as good as its virus definition files, meaning it generally does not detect new viruses which are not mentioned in the definition files.
A firewall (I suggest Zone Alarm / Tiny Firewall / Sygate). Tiny is my favorite as it is least interfering and most effective, leaving you completely invisible on the net. WinXP has an inbuilt firewall and hence does not need an additional one.
A Trojan buster (Trojan-remover/a2). An absolute essential in a networked environment.
Also "Regrun" is a useful tool, which regularly checks and notifies you about any changes that have been made to the system files and registry, or any new software that has been installed, thus giving you added protection.

Biography
Aniruddha S. Deshpande
B.E. Information Technology
K.J. Somaiya College of Engineering