4. Threats Categorization
Four main areas:
• leakage: information leaving the system.
• tampering: unauthorized altering of information.
• resource stealing: illegal use of resources.
• vandalism: disturbing correct system operation.
• denial of service: disrupting legitimate use of the system.
Used to specify what the system is secure against.
5. Threats
Leakage denotes the disclosure of information to unauthorised subjects.
• Baazi hacking into a CAD system of Rolls Royce in order to obtain the latest
designs of RR's jet engines.
• Although fatal in this case, leakage is probably the category that causes the
least damage of the categories above.
Tampering denotes the unauthorized modification of data.
• We would have a case of tampering if you hacked into the School's database in
order to alter the marks of your Distributed Systems coursework.
6. Threats
Resource stealing identifies the illegal use of resources without paying for them, e.g.
CPU time, bandwidth, air time of mobiles.
• A case of resource stealing occurred when hackers broke into the
computers of telephone companies and managed to have their phone calls
charged to other customers' accounts.
Vandalism denotes the disturbance of correct system operation.
• The security of the CS Dept. in Milan was broken, super user privileges
were acquired and then the system's hard disks were formatted. This caused
serious damage to the departmental operations for a session.
7. Methods of Passive Attack
Eavesdropping: Obtaining message copies without authority.
Masquerading (Spoofing): Using the identity of another principal without
authority.
Message tampering: Intercepting and altering messages.
Replaying: Storing messages and sending them later.
Flooding: Sending too many messages.
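As an added illustration (not from the slides) of how a receiver defends against the message attacks listed above, the following Python example binds each message to a nonce and timestamp under an HMAC, then rejects tampered messages, messages forged under a guessed key (masquerading), stale messages and replayed copies. The shared key, the 30-second freshness window and the sample messages are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
import time

# Constructed example key shared by sender and receiver (an assumption of this
# example, not something from the slides); real systems obtain it from
# provisioning or a key-exchange protocol.
SHARED_KEY = b"example-shared-key-not-for-production"
WINDOW_SECONDS = 30.0  # messages older (or newer) than this are rejected as stale


def compute_mac(key, payload, nonce, timestamp):
    # Bind payload, nonce and timestamp under one MAC so none of them can be
    # altered or recombined with another message's values.
    data = json.dumps({"p": payload, "n": nonce, "t": timestamp}, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key, payload, nonce, timestamp):
    """Sender side: attach nonce, timestamp and MAC to the payload."""
    return {"payload": payload, "nonce": nonce, "ts": timestamp,
            "mac": compute_mac(key, payload, nonce, timestamp)}


class Receiver:
    """Receiver that rejects tampered, masqueraded, stale and replayed messages."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now   # injectable clock so the example is deterministic
        self.seen = {}   # nonce -> timestamp of accepted messages

    def accept(self, msg):
        """Return (accepted, reason) for one incoming message."""
        expected = compute_mac(self.key, msg["payload"], msg["nonce"], msg["ts"])
        # Constant-time comparison; a wrong key (masquerading) or an altered
        # field (tampering) both fail here.
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "tampered"
        if abs(self.now() - msg["ts"]) > WINDOW_SECONDS:
            return False, "stale"
        if msg["nonce"] in self.seen:
            return False, "replayed"
        self.seen[msg["nonce"]] = msg["ts"]
        # Forget nonces that fall outside the window: a later copy of those
        # messages is rejected by the staleness check instead.
        cutoff = self.now() - WINDOW_SECONDS
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        return True, "ok"


def run_demo():
    """Feed the receiver one genuine message and the attacks named on the slide."""
    rx = Receiver(SHARED_KEY, now=lambda: 1000.0)   # fixed clock, constructed
    genuine = make_message(SHARED_KEY, "transfer 10 to bob", "nonce-1", 995.0)
    results = [rx.accept(genuine)]                  # accepted
    results.append(rx.accept(genuine))              # replayed copy of the same message
    altered = dict(genuine, payload="transfer 1000 to bob")
    results.append(rx.accept(altered))              # payload altered in transit
    forged = make_message(b"attacker-guess", "transfer 1 to mallory", "nonce-2", 999.0)
    results.append(rx.accept(forged))               # masquerading with the wrong key
    stale = make_message(SHARED_KEY, "transfer 5 to bob", "nonce-3", 900.0)
    results.append(rx.accept(stale))                # recorded long ago, sent later
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("accepted" if accepted else "rejected", reason)
```

The order of the checks matters: the MAC is verified first so that an attacker cannot use the freshness or nonce logic to learn anything about a message they could not authenticate, and nonce tracking is bounded by the same window as the staleness test so the receiver's memory does not grow without limit.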
8. Active Attacks associated with message passing
Integrity Check
Authenticity Attack
Denial Attack
Delay Attack
Replay Attack
9. Active Attacks
Virus:
• infection by receiving an object (e.g., e-mail attachment) and actively executing it
• self-replicating: propagates itself to other hosts, users
Worm:
• infection by passively receiving an object that gets itself executed
• e.g. the Internet worm attack by R.T. Morris (rsh on UNIX, finger, sendmail)
• self-replicating: propagates to other hosts, users
10. Worms vs. viruses
Viruses require other programs to run
Worms are self-running (separate process)
The 1988 Internet Worm
Consisted of two programs
Bootstrap to upload worm
The worm itself
Exploited bugs in sendmail and finger
Next replicated itself on new machines
11. Logic bomb
A logic bomb is a piece of code intentionally inserted into a software
system that will set off a malicious function when specified conditions
are met.
Condition: time, date, program parameters etc.
Installed by an insider, e.g. delete some critical code upon termination.
E.g. Roger Duronio, UBS PaineWebber system administrator
Sentenced to 8 years
12. Trojan horses
Programs that must be installed or executed by a user to be effective.
Helpful or entertaining programs, OS patches, games
Unintended actions: open ports for later intruder access
Replacing certain files with malicious ones
Time bombs: Trojans that activate on certain dates
13. Denial of service attacks
Attackers make resources (server, bandwidth) unavailable to
legitimate traffic by overwhelming the resource with bogus traffic
1. select target
2. break into hosts around the network (collectively known as a botnet)
3. send packets toward the target from the compromised hosts
14. Spyware:
Infection by downloading a web page carrying spyware
Records keystrokes and web sites visited, uploads the information to a collection site
Adware, tracking cookies, key loggers
Solution: anti-spyware software such as PC Tools Spyware Doctor
Proxy server
Intermediary between client and server
Filters requests
Provides security to the network
15. Intrusion detection system
Device or software
Monitors network traffic or system activities
Two types
Network IDS:
Monitors traffic to and from all the devices
Matches traffic against a library of known attacks
Generates an alert if an attack is found
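To make the network IDS idea concrete, here is an added Python example (not from the slides) of the two things such a sensor does: matching each connection record against a small signature library, and raising a flood alert when one source opens more connections than a threshold within a sliding window, which is the kind of bogus-traffic pattern the denial of service slide describes. The connection records, the signatures, the threshold and the window are all constructed assumptions; the signatures loosely echo the sendmail and finger services named on the worm slide but are not real Snort rules.

```python
import re

# Constructed connection records in the shape a simple sensor might emit:
# (timestamp_seconds, src_ip, dst_ip, dst_port, payload_excerpt). Not real captures.
SAMPLE_TRAFFIC = [
    (1.0, "10.0.0.5", "10.0.0.20", 25, "HELO mail.example\r\n"),
    (1.2, "10.0.0.7", "10.0.0.20", 25, "DEBUG\r\n"),        # sendmail debug command
    (1.5, "10.0.0.9", "10.0.0.21", 79, "alice\r\n"),
    (1.6, "10.0.0.9", "10.0.0.21", 79, "A" * 600),           # oversized finger query
    (2.0, "10.0.0.5", "10.0.0.22", 80, "GET / HTTP/1.0\r\n"),
] + [
    # One source opening 120 web connections in about a second: constructed flood.
    (3.0 + i * 0.01, "10.0.0.66", "10.0.0.22", 80, "GET / HTTP/1.0\r\n")
    for i in range(120)
]

# Signature library: (rule name, destination port, predicate on the payload).
# Assumed rules for illustration only.
SIGNATURES = [
    ("sendmail-debug-command", 25, re.compile(r"^DEBUG\b", re.IGNORECASE).search),
    ("finger-oversized-request", 79, lambda payload: len(payload) > 512),
]

FLOOD_THRESHOLD = 100   # connections from one source within FLOOD_WINDOW seconds
FLOOD_WINDOW = 5.0


def match_signatures(traffic):
    """Signature matching: one alert per record that matches a known-attack rule."""
    alerts = []
    for ts, src, dst, dport, payload in traffic:
        for name, port, predicate in SIGNATURES:
            if dport == port and predicate(payload):
                alerts.append({"ts": ts, "rule": name, "src": src, "dst": dst})
    return alerts


def detect_floods(traffic):
    """Rate check: alert once per source that exceeds the threshold in a sliding window."""
    alerts, flagged, recent = [], set(), {}
    for ts, src, dst, dport, payload in sorted(traffic, key=lambda rec: rec[0]):
        window = recent.setdefault(src, [])
        window.append(ts)
        while ts - window[0] > FLOOD_WINDOW:   # drop timestamps outside the window
            window.pop(0)
        if len(window) > FLOOD_THRESHOLD and src not in flagged:
            flagged.add(src)
            alerts.append({"ts": ts, "rule": "connection-flood", "src": src, "dst": dst})
    return alerts


def run_nids(traffic):
    """Full pass: signature alerts followed by flood alerts."""
    return match_signatures(traffic) + detect_floods(traffic)


if __name__ == "__main__":
    for alert in run_nids(SAMPLE_TRAFFIC):
        print(f"[{alert['ts']:.2f}] {alert['rule']}: {alert['src']} -> {alert['dst']}")
```

Signature matching only finds attacks already in the library, which is why the rate check is kept separate: a flood carries perfectly ordinary-looking requests and is visible only in the volume per source over time.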
16. Host IDS:
Runs on an individual host or device
Sees inbound and outbound packets from that device only
Alerts the admin if suspicious activity is found
Takes a snapshot of the existing system and matches it against the previous one
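The snapshot-and-compare step of a host IDS is easy to show in code. The following added Python example (not from the slides) hashes every file under a directory into a baseline, takes a second snapshot later, and reports files that were added, removed or modified, which is the core of file integrity monitoring. The directory layout and the changes made to it are constructed inside a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (path relative to root) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current):
    """Diff two snapshots: files that appeared, vanished, or changed contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a constructed system tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", "original login binary\n")
        write(root, "etc/passwd", "root:x:0:0\n")
        write(root, "etc/motd", "welcome\n")
        baseline = snapshot(root)          # the "previous" snapshot kept by the HIDS

        # Constructed changes an admin would want to hear about.
        write(root, "bin/login", "replaced login binary\n")   # system binary modified
        os.remove(os.path.join(root, "etc", "motd"))          # file removed
        write(root, "bin/unknown-tool", "new file\n")         # unexpected new file

        current = snapshot(root)
        return compare(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

A real deployment stores the baseline somewhere the monitored host cannot silently rewrite it (for example on a separate log host), since an intruder with super user privileges could otherwise re-baseline after making changes.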