This document summarizes key concepts related to online security threats such as malware, hacking, and cyberattacks. It discusses how hackers target individuals through spear phishing emails and how malware like ransomware and backdoors can infiltrate systems. The document also covers password security best practices like hashing, two-factor authentication, and password managers. Cyber threats like viruses, worms, and Trojans are defined as well as how techniques like brute force and dictionary attacks can be used to steal passwords. Overall, the document provides an overview of common online dangers and methods used by hackers to compromise information security.

1. Meeting #10
Block 2 (Part 7)
Dangerous Data
TM112: Introduction to Computing and
InformationTechnology
1
OU Materials, PPT prepared by Dr. Ahmad Mikati

2. Contents
2
• Introduction
• Online –The New Font Line
• Information Assets
• Authentication
• Malware
• Cyberwar
• Summary

3. 3
Introduction
• The term hacker has historically been a divisive one, sometimes being used
as a term of admiration for an individual who exhibits a high degree of skill,
as well as creativity in his or her approach to technical problems, and
sometimes (more commonly) applied to an individual who uses this skill for
illegal or unethical purposes.
• The explosion in goods and services available online, as well as our
society’s desire to socialize online, has made the internet an irresistible
target for people who wish to do us harm; ranging from criminals who
want to steal our money and our identities, to those who abuse
vulnerable people.
ethical hacker unethical hacker

4. 4
CIA
• The guiding principles behind information security can be summed up
in a three-letter acronym you are sure to remember: CIA, standing for
confidentiality, integrity and availability.
• We want our information to:
 only be read by the right people (confidentiality)
 remain unchanged so long as we’re not editing it (integrity)
 be available to read and use whenever we want (availability).
• It is important to be able to distinguish between these three aspects of
security.

5. 5
Spear Phishing:TheTargeted Attack
In late 2014, the US cybersecurity corporationCylance reported their
findings of a major hacking operation called Cleaver that broke into
numerous computer systems, extracted large amounts of sensitive
data and caused potentially serious damage.
• Instead of sending millions of messages in the hope of getting a few
responses, Cleaver’s operators targeted their phishing. The
attackers used information stolen in the first part of the operation
to identify and attack people and organizations of interest.
You have almost certainly received spam email supposedly coming
from a bank or another company telling you there is a problem with
your account.These emails are phishing for information.Their
senders hope you will respond and provide personal information that
can be used to commit fraud.

6. 6
Spear Phishing:TheTargeted
Attack
• This type of targeting is called a spear phishing attack. A 2012 estimate
(TrendLabs, 2012) suggested that 91% of targeted attacks used spear
phishing at some point. Spear phishing focused on senior
management, (who are most likely to have privileged access to
information), is known as whaling.
• Cleaver’s targets had received emails saying that they were being
considered for an important job. They were asked to complete a CV by
following a link to the website easyresumecreatorpro.com where they
could download a copy of a well-known tool called Easy Resume
Creator Pro.

7. 7
The Final Attack: Malicious Software
• Cleaver’s developers created a new, malicious version of the CV writing
application which could be downloaded from
easyresumecreatorpro.com.
• Just like the original, the application allowed users to create a new CV.
When complete, users were encouraged to upload their document so it
could be reviewed by potential employers. In fact, nothing was
uploaded; submitting the CV activated malicious software that had
been downloaded along with the application.
• This malicious software represented a persistent threat to the user. So
long as it was active on the user’s computer, Cleaver had access to that
machine and its data. This piece of malicious software is called
TinyZBot – an example of a backdoor, which is a gap in a computer’s
security that allows attackers to control the computer and/or steal
data.

8. 8
The Final Attack: Malicious Software
• Among its capabilities, TinyZBot could:
 log keystrokes: the program recorded which keys were pressed
on a keyboard, which is a common way for hackers to steal user
IDs and passwords from computers they have access to
 monitor clipboard activity: the clipboard is an area of memory in
an operating system used to store data that is being copied and
pasted
 capture screenshots: another way of stealing data, but it can also
be used by attackers to learn the layout of industrial plants from
on-screen displays
 detect security software: many malicious programs attempt to
either hide themselves or might disable the security features of
modern operating systems and antivirus software.

9. 9
Understanding CurrentThreats
• Now you have listed your information assets, it is necessary to
consider how they can be compromised.
• Any discussion of protecting assets uses three key terms:
 vulnerability: a point at which there is potential for
a security breach
 threat: some danger that can exploit a vulnerability
 countermeasure: an action to protect assets
against threats and vulnerabilities.

10. 10
Passwords
• Millions of people use online services every day, and it is crucial
that these systems prevent users from accessing each other’s
information. To do this, they need a way of uniquely identifying
each user in a way that prevents users from impersonating one
another. This way includes identification, authentication and
authorization.
• To better understand the difference between the three, consider
the real-life example of entering the AOU campus.

11. 11
Passwords
I. Identification. The process of claiming you are a particular
individual. In our example, when you hand over your AOU
university ID to the university campus security officer, you
identified yourself as an AOU student. Identification doesn’t
prove that you are telling the truth; although you presented a
UID, you might be using a false one.
II. Authentication. The process of proving your identification.
The security officer has to verify that this ID is genuine and
belongs to you and will authenticate your identity by
examining your ID and comparing your face against the
photograph in the ID.
III. Authorization. Follows the processes of identification and
authentication and provides access.
Finally, satisfied that the ID is genuine and that your
face indeed matches the photograph in the ID, you are
then authorized to enter the campus.

12. 12
Passwords
• With computers and computer systems, you most commonly
perform identification by providing a user ID and password,
authentication is performed by comparing the password you
provided with a password stored on the system for the user ID you
provided. If they match, authorization takes place. For instance,
authorization may result in you being able to access your email,
bank, shopping or other account

13. 13
What HappensWhenYou Enter A
Password?
• Imagine you had to create a computer password system for a
website. You might start off by having a user enter their password,
which is transmitted to the site’s server and compared to a stored
password.Only if the two match is the user allowed into the site.
• You can probably recognize a couple of potential vulnerabilities
with this approach.
1. The password is transmitted as plaintext.
If the password is 12345 and sent across the internet, it can be
intercepted by an attacker;
2. The password is also stored as plaintext on the server. An
attack on this server would not only reveal an individual user’s
password, but potentially expose every password belonging
to every user.

14. 14
What HappensWhenYou EnterA Password?
• Fortunately, countermeasures exist for both problems.
1. The first problem is overcome by encrypting
communications between the user and the server.
Encryption is a process that scrambles data so that it cannot
be read by unauthorized parties. (We will talk much more
about encryption in Block 3 Part 3)
2. The second problem is solved by obscuring passwords using a
technique known as hashing.
Hashing is an algorithm performed on data such as a file or message
to produce a checksum message called a hash .
The hash is used to verify that data is not modified, tampered with,
or corrupted.
For instance, using a hashing algorithm called MD5:
 The MD5 hash of ‘hello’ is always
5d41402abc4b2a76b9719d911017c592

15. 15
What HappensWhenYou Enter a Password?
Hashes have three crucial properties:
1. Every different piece of plaintext produces a unique hash. For example,
the hash for ‘hello’ is different from that for ‘Hello’. Despite the only
difference being that one word is capitalized and the other entirely in lower
case, not only are their hashes different, but there is no obvious resemblance
between the hashes.
2. Hashes are always the same length, no matter the length of the
original plaintext. The MD5 hashing algorithm always produces hashes that
are 128 bits long. The hash for a large chunk of Alice is exactly the same
length as that for ‘hello’; so it is impossible to determine the length of the
original text from the hash.
3. It is nearly impossible to transform the hash back into the original data.
Even if you obtain the MD5 hash of a password – e.g.
4a77060f0f04a1bcd2f3b7975f8e6d68 – there is no quick, simple way to
recover the original plaintext solely from the hash.

16. 16
Applying Hashing to Passwords
• When a user wants to log on to their account, their password is
hashed and sent over a secure internet connection. It is then
compared to a hashed password stored for that user. (If the stored
password is encrypted, the computer will first decrypt the hash.)
The user is granted access to the computer only if the two hashes
match.
• Even if the password file for every user is stolen, the attackers still
don’t know the actual passwords they need to enter in order to
access the computer.The users are not immediately at risk.

17. 17
Attacking Passwords
• Two common techniques are used to obtain passwords:
I. Brute-force attack: The simplest method of breaking passwords
is a brute-force attack, where a computer methodically attempts
to log on using all possible passwords, beginning with ‘A’, then
‘AA’, ‘AB’, and so on – trying each in turn until it stumbles upon an
actual password.
Brute-force attacks are time-consuming, but if enough computers
are employed, brute force will break enough passwords to justify
the time and expense of running the attack in the first place.
Fortunately, brute-force attacks can be easily defeated by
restricting the number of failed attempts that can be made to
access an account before it is locked.

18. 18
Attacking Passwords
II. Dictionary attack: An alternative to brute-force is to attempt to
find passwords that are also found in a dictionary. A dictionary
attack is usually performed on a copy of a stolen password file.
The attack itself is very simple: every password in the password
file is compared to every entry in a dictionary that may contain
popular names, birthdates, easy passwords, etc. Once a working
password is identified, an attacker can use it and the matching
user ID to log in to the hacked site, masquerading as the
legitimate user.

19. 19
Username Hashed password
Fadi2020 570a90bfbf8c7eab5dc5d4e26832d5b1
Plaintext Hash
samar 7294001ae51b8cdfd50eb4459ee28182
Fadi2020 570a90bfbf8c7eab5dc5d4e26832d5b1
12345678 c794890af6c9e1b6d9050e056abcc4d3
Aou123 aa2d6e4f578eb0cfaba23beef76c2194
2006199 d5aa1729c8c253e5d917a5264855eab8
qwerty daa759be97f37e5f7eff5883801aebed
Hashed dictionary
A record from a
Stolen password file
• Hence, hashing, alone, cannot protect passwords from dictionary attacks if
the original password can be found in a dictionary. Matching a hash in the
password file with one from the hashed dictionary means that they
represent the same piece of plaintext.

20. 20
Non-technical Attacks
• Rather than try to steal and break a password file, attackers may
risk stealing passwords from offices and other workplaces.
 Attackers may masquerade as office cleaners or couriers and steal
passwords written on pieces of paper or stuck to the computer itself.
 Attackers may try to strike lucky by trying obvious passwords such as
‘abc123’, ‘password’ or names of victims’ families, friends or pets.
 It takes only a few moments and a removable flash memory drive for
an attacker to install a keylogger program which captures passwords
as they are entered on the keyboard.

21. 21
Password Managers
• A password manager is a computer application that stores passwords in
an encrypted database.
• Most password managers can create new passwords; since computers can
generate and store arbitrarily long pieces of nonsense text – such as
MHpKQCvpYoouTAaPiiWuFKjpNe7qnsbwkrvq3s3cX – password managers
can produce passwords that are highly resistant to both brute-force and
dictionary attacks.

22. 22
Two-factor Authentication
• So, if one password isn’t secure enough, perhaps having two pieces
of information to perform authentication will be more secure? So-
called two-factor authentication will be familiar to you as you will
have used it to withdraw money from an ATM. Here, you must give
the bank two pieces of information:
 something you have
 something you know.
• In this case, the possession is the data stored on your bank card;
the information you know is your PIN. Individually, neither can
access your account, but when brought together they allow you to
withdraw money.

23. 23
Hardware SecurityTokens
• Many banks offer two-factor authentication to online banking
customers, with accounts accessed using a combination of a password
and a four- or six-digit number generated by a small hardware security
token that can be kept in a wallet or attached to a keychain.
• Each token uses a microchip containing a clock and a random number
generator to generate a new password every minute or so. (This type
of changing password is known as a one-time password.) The token is
synchronized with a master computer at the bank which is generating
identical passwords alongside the token.
• When a user logs in to their bank, they are asked to enter the token’s
one-time password into their browser. The bank’s computer will have
also generated the same number. The two values are compared by the
bank; if they match, the user is allowed into their account.

24. 24
How Big isTheThreat From
Malicious Software
• By 2014, nearly one million new pieces of malware (a contraction of
‘malicious software’) were released every day.
• Malware is capable of corrupting or erasing data and rendering
computers useless. It can create fake data; send spam emails; capture
credit card numbers, addresses and passwords; host and share child
pornography; fool users into visiting fraudulent sites; sabotage
industrial and medical machinery; attack government, business and
industrial computers. It can even commit blackmail.

25. 25
How Big isTheThreat From Malicious
Software
• Since 2013, a range of malware programs have targeted PCs; quietly
and quickly encrypting crucial data so that it can no longer be accessed
without paying a ransom. If this payment, sometimes running into
hundreds of pounds, is not paid, the data will be irretrievably lost.
• Some of this ransomware has been linked to organized crime. Just one
piece of ransomware, called Cryptolocker , is estimated to have
‘earned’ $27 million for its creators. In other cases, ransomware
appears to be primarily intended to cause disruption, such as the
WannaCry program which crippled computers in 150 countries during
May 2017, including those belonging to the NHS, O2, Nissan, FedEx
and Russian Railways.
• Ransomware is a type of malware that prevents a user from accessing
their computer either by locking the computer screen or by blocking
access to computer files until a ‘ransom’ is paid.

26. 26
What is Malware?
• Malware is a collective term for any type of software that attempts to
harm computers, or the data held on them. It is usually categorized
into three types:
i. viruses
ii. worms
iii. Trojans.
• However, as malware has evolved, the boundaries between the
different categories are beginning to blur.

27. 27
Viruses
• A virus is a program capable of making new copies of itself which are
inserted into applications, data or crucial areas of a computer’s hard
disk.
• Viruses are attached to specific applications on a computer and are
activated when that program first runs.
Most computer viruses are built from three main programming components:
 The infection mechanism
The part of the virus responsible for finding new targets by searching for files
on a disk or a new device to infect.
 The trigger
An event or condition that activates the virus. The trigger can include a
certain date or time, or an action.
 The payload
The destructive code that forms the heart of the virus, which can perform
such tasks as corrupting, destroying or encrypting a user’s data or damaging
the operating system.

28. 28
Worms
• Like a virus, a worm is a self-replicating program designed to make
copies of itself. Unlike a virus, a worm is a standalone application.
Most worms spread through network connections.
• Worms can use triggers to remain dormant on infected machines
until certain times or conditions whereupon their payload is
activated.

29. 29
Trojans
• Unlike viruses and worms, Trojans are not self-replicating; instead, they
are often distributed by email or pop-up adverts on websites,
masquerading as legitimate applications such as screensavers. The Trojan
might even work as advertised – a download accelerator might result in
(slightly) faster downloading, but the Trojan will also contain a destructive
payload.
• Trojans allow attackers to gain control of the computer, copy or delete
personal information, monitor keystrokes looking for passwords or credit
card numbers, or quietly spread to other computers using the PC’s email
software.

30. 30
OtherTypes of Malware
• In addition to the three types of malware described above and the
ransomware discussed earlier, you may see references to other forms of
malware, including the following.
• Adware
Forces users to view advertising and may report their internet use to
advertisers or its creators.
• Spyware
Attempts to access personal information by monitoring keystrokes
or patterns of activity.
• Rootkits
Hidden programs used by attackers to remotely control or access a
computer.
• Hijackers
Redirect browsers to unwanted websites, either to earn advertising
clicks or to download further malware. Some of the sites
masquerade as legitimate websites and are designed to harvest
personal information such as logins and credit card details.

31. 31
Botnets
• One strand of malware is concerned with recruiting computers into
an army of infected machines coordinated over the internet to
perform a malicious task. Affected machines are called zombies,
whilst their network is known as a botnet (or zombie army).
Individual botnets may consist of tens of thousands or even
millions of machines spread across the world, giving the owner of
the botnet enormous power to cause damage.
• Botnet malware infects computers just like other forms of
malicious software. Initially, it rarely damages the host computer,
but is more concerned with spreading further copies of itself across
a network. The newly infected computer is registered as a member
of the botnet and the malware waits for orders from the botnet’s
controllers.

32. 32
Botnets
Botnets Fall IntoTwo Broad Categories:
 Client–server (Figure 7.9a)
 These are the older type of botnet in which infected machines
are under the control of a remote command and control
server (sometimes called the controller).
 Once installed on a computer, the botnet malware contacts
its server via the internet using pre-existing channels such as
the Internet Relay Chat instant messaging program or web
connections. The server not only delivers instructions (such as
‘go to sleep’ or ‘wake up’), but it can deliver updates to ensure
the malware remains undetected.

33. 33
Botnets
• Botnets Fall IntoTwo Broad Categories:
 Peer-to-peer (Figure 7.9b)
 Individual zombies, each maintain a short list of known peers
with which they exchange information.
 Commands and updates are introduced to the botnet by so-
called commanders and propagate through the botnet as
peers communicate with one another. Peer-to-peer botnets
are much harder to disable than client-server botnets since
they can continue to function so long as a single commander
remains online.

34. 34
Botnets
• Botnets can also be used for the following:
• Spam email
Zombies can be used to send spam messages to every contact in
their address book.
• Click fraud
Most online advertising is paid for on a ‘per-click’ basis, with an
advertiser paying each time a user clicks on an advert. Click fraud
uses software to simulate clicking on an advert.
• Brute-force decryption
Passwords and other forms of secure data can be attacked by brute
force. Botnets share the task amongst many machines, allowing for
faster decryption.

35. 35
Botnets
• Bitcoin mining
Bitcoins are produced through a complex mathematical process
requiring huge amounts of computer power. Rather than invest in
their own computers, criminals can use botnets to create new
Bitcoins.
• Denial-of-service (DoS) attacks
DoS is a method of attacking computers by flooding their network
connections with spurious data that prevents legitimate traffic from
being sent or received. Denial of service can cripple online services if
sufficient traffic can be directed at one site.
Botnets allow thousands or even millions of zombies to collaborate
in an attack; since the attackers are spread across the internet, these
attacks are described as a Distributed denial-of-service (DDoS)
attack.

36. 36
Antivirus Software
• Antivirus software aims to detect, isolate and, if necessary, delete malware
on a computer before it can harm data. Antivirus software uses several
techniques to identify malware, the two most common are known as
signatures and heuristics.
• Signatures
 A signature is a unique pattern of data created by a malware
program in a computer’s memory or in a file. Antivirus programs
may run invisibly in the background, looking for malware
signatures in files either when they are downloaded or when they
are accessed by opening a file.
• Heuristics
 Heuristics are rules used to identify dangerous software based on
previous experience of known malware. The antivirus software will
‘decompile’ the suspicious program back to its source code and
examine it for instructions typical of malware – such as attempting
to replicate itself or overwriting key operating system files.

37. 37
Antivirus Software
 Unlike signatures, heuristics do not require specific knowledge
about individual types of malware; they detect new malware,
for which signatures do not exist, simply by their behaviour.
Unfortunately, since heuristics rely on previous experience to
identify dangerous software, radically new malware (which
appears all too regularly) can pass unnoticed.
 Many antivirus programs use a combination of signatures and
heuristics to offer maximum protection.

38. 38
Summary
• This part introduced you to cybersecurity, a topic relevant to you as
an individual as well as our society. Awareness of computer security
not only protects you, your family and your data; it is a key
academic skill for anyone wishing to work in the modern IT and
computing industries. It is no longer acceptable, or safe, for devices
and software to fail to include security features that affect their
usability or the safety of their users.
• You have met several key cybersecurity technologies, including
how passwords are processed by computers and how they can be
broken – a topic we will return to in Block 3 Part 3.
• You were then introduced to several different types of malware –
software especially designed to cause harm – and learned how they
spread, function and cause harm. You also learned about some of
the technologies used by antivirus companies to identify, contain
and destroy malware.