1.2 Compare and contrast types of attacks.

Question 1

Clickjacking

Answer 1

Normal web page underneath

• Invisible layer on the top

Question 2

Clickjacking your phone

Answer 2

Invisible information drawn over the screen

• Monitor keystrokes and record user input

Question 3

Cookies

Answer 3

Information stored on your computer by the browser
• Used for tracking, personalization, session management
• Not executable, not generally a security risk
• Unless someone gets access to them
• Could be considered be a privacy risk

Question 4

Session IDs

Answer 4

Maintains sessions across multiple browser sessions

Question 5

Header manipulation

Answer 5

Information gathering
• Wireshark, Kismet
• Exploits
• Cross-site scripting
• Modify headers
• Tamper, Firesheep, Scapy
• Modify cookies
• Cookies Manager+ (Firefox add-on)

Question 6

Prevent session hijacking

Answer 6

Encrypt end-to-end
• They can’t capture your session ID if they can’t see it
• Additional load on the web server (HTTPS)
• Firefox extension: HTTPS Everywhere, Force-TLS

Question 7

• Encrypt end-to-somewhere

Answer 7

At least avoid capture over a local wireless network
• Still in-the-clear for part of the journey
• Personal VPN (OpenVPN, VyprVPN, etc.)

Question 8

• Use session ID monitors

Answer 8

Blacksheep

• Application-specific

Question 9

Malware hide-and-go seek

Answer 9

There are still ways to infect and hide
• It’s a constant war
• Zero-day attacks, new attack types, etc.

Question 10

drivers

Answer 10

The interaction between the hardware and
your operating system
Hardware interactions contain sensitive information
• Video, keyboard, mouse

Question 11

Shimming

Answer 11

Filling in the space between two objects
• A middleman
• Windows includes it’s own shim
• Backwards compatibility with previous Windows versions
• Application Compatibility Shim Cache
• Malware authors write their own shims
• Get around security (like UAC)

Question 12

Refactoring

Answer 12

Metamorphic malware
• A different program each time it’s downloaded
• Make it appear different each time
• Add NOP instructions
• Loops, pointless code strings
• Can intelligently redesign itself
• Reorder functions
• Modify the application flow
• Reorder code and insert unused data types
• Difficult to match with signature-based detection
• Use a layered approach

Question 13

Spoofing

Answer 13

Pretend to be something you aren’t
• Fake web server, fake DNS server, etc.
Email address spoofing
• Caller ID spoofing

Question 14

Man-in-the-middle attacks

Answer 14

The person in the middle of the conversation

pretends to be both endpoints

Question 15

MAC spoofing

Answer 15

• Very difficult to detect
Circumvent MAC-based ACLs
• Fake-out a wireless address filter

Question 16

IP address spoofing

Answer 16

• Take someone else’s IP address
• Pretend to be somewhere you are not. Easier to identify than MAC address spoofing
• Actual device ARP poisoning
• DNS amplification / DDoS

Question 17

IP address spoofing prevention

Answer 17

Apply rules to prevent invalid traffic,enable switch security

Question 18

Wired vs. wireless replay

Answer 18

Similar to a wired replay attacks
• Wireless doesn’t change those attacks
• Wireless adds some additional capabilities
• This is a big concern
for the security professional
• Much easier to capture the data
• Hotspots are generally in the clear
• Just like tuning in to a radio station

Question 19

Cracking WEP - Wired Equivalent Privacy

Answer 19

• A broken security protocol
• Could not stop the replay of 802.11 packets
• ARP request replay attack
• Cracking WEP requires thousands of
Initialization Vector (IV) packets
• Wait all day to collect IV information
• Or replay a ton of ARPs and collect the IV packets
• Now you have many thousands of IV packets
• You can crack WEP in seconds

Question 20

Rogue Access Points

Answer 20

• A significant potential backdoor
• Huge security concerns
• Very easy to plug in a wireless AP
• Or enable wireless sharing in your OS

Question 21

Rogue Access Points prevention

Answer 21

• Schedule a periodic survey
• Walk around your building/campus
• Use third-party tools / WiFi Pineapple
• Consider using 802.1X (Network Access Control)
• You must authenticate, regardless
of the connection type

Question 22

Wireless Evil Twins

Answer 22

• Buy a wireless access point
• -Less than $100 US
• Configure it exactly the same way as an existing network
Overpower the existing access points
• -May not require the same physical location

Question 23

Wireless Evil Twins prevention

Answer 23

• You encrypt your communication, right?

* -Use HTTPS and a VPN

Question 24

Radio frequency (RF) jamming

Answer 24

Denial of Service
• Jamming is intentional
• Someone wants your network to not work
• Prevent wireless communication
• Transmit interfering wireless signals
• Decrease the signal-to-noise ratio at
the receiving device
• The receiving device can’t hear the good signal

Question 25

Wireless jamming

Answer 25

• Many different types
• Constant, random bits / Constant, legitimate frames
• Data sent at random times
• Random data and legitimate frames
• Needs to be somewhere close
• Difficult to be effective from a distance
• Time to go fox hunting
• You’ll need the right equipment to hunt down the jam
• Directional antenna, attenuator

Question 26

Reactive jamming

Answer 26

• Only when someone else tries to communicate

Question 27

Using WPS

Answer 27

• Wi-Fi Protected Setup
• Originally called Wi-Fi Simple Config
• Allows “easy” setup of a mobile device
• A passphrase can be complicated to a novice

Question 28

Other WPS Attacks

Answer 28

• Walk up to the access point
• Default PIN may be written on the device
• Or just push the WPS button on the front

Question 29

Bluejacking

Answer 29

Sending of unsolicited messages to
another device via Bluetooth
• No mobile carrier required!

Question 30

Bluesnarfing

Answer 30

• Access a Bluetooth-enabled device and transfer data
• Contact list, calendar, email, pictures, video, etc.
• Serious security issue
• If you know the file, you can
download it without authentication

Question 31

RFID Attacks

Answer 31

• Data capture
• View communication
• Replay attack
• Spoof the reader
• Write your own data to the tag
• Denial of service
• Signal jamming

Question 32

Near field communication (NFC)

Answer 32

• Two-way wireless communication
• Builds on RFID, which was one-way
• Payment systems

Question 33

NFC Security Concern

Answer 33

• Remote capture
• It’s a wireless network
• 10 meters for active devices
• Frequency jamming
• Denial of service
• Relay / Replay attack
• Man in the middle
• Loss of RFC device control
• Stolen/lost phone

Question 34

It started as a normal day

Answer 34

Surfing along on your wireless network
• And then you’re not - intermittent 
• You may not be able to stop it
• There’s (almost) nothing you can do
• Time to get a long patch cable

Question 35

• Wireless disassociation

Answer 35

• A significant wireless denial of service (DoS) attack

Question 36

802.11 management frames

Answer 36

• Frames that make everything work
• Important for the operation of 802.11 wireless
• How to find access points, manage QoS, associate/
disassociate with an access point, etc.
• Original wireless standards did not add
protection for management frames
• Sent in the clear w/ No authentication or validation

Question 37

Cryptographic attacks

Answer 37

The bad guy doesn’t have the combination (the key)
• So they break the safe (the cryptography)
• Finding ways to undo the security
• There are many potential
cryptographic shortcomings

Question 38

Birthday attack

Answer 38

A hash collision is the same hash value
for two different plaintexts
• Find a collision through brute force
• The attacker will generate multiple versions of
plaintext to match the hashes
• Protect yourself with a large hash output size

Question 39

Known plaintext attack (KPA)

Answer 39

• Attacker has both the plaintext and the encrypted data
• If you know the original plaintext, you may be able to
find a “wedge” that is revealed in the ciphertext
• The known plaintext is the crib

Question 40

Rainbow tables

Answer 40

An optimized, pre-built set of hashes
• Doesn’t need to contain every hash
• The calculations have already been done
• Remarkable speed increase
• Especially with longer password lengths
• Need different tables for different hashing methods
• Windows is different than MySQL
• Rainbow tables won’t work with salted hashes
• Additional random value added to the original hash

Question 41

Dictionary attacks

Answer 41

People use common words as passwords
• You can find them in the dictionary
• If you’re using brute force, you should start
with the easy ones
Many common wordlists available on the ‘net
• Some are customized by language or line of work

Question 42

Brute force

Answer 42

The password is the key
• Secret phrase
• Stored hash

Question 43

Brute force attacks - Online

Answer 43

Keep trying the login process
• Very slow
• Most accounts will lockout after a number of failed attempts

Question 44

Brute force the hash - Offline

Answer 44

• Obtain the list of users and hashes
• Calculate a password hash, compare it to a stored hash
• Large computational resource requirement

Question 45

The password file

Answer 45

Different across operating systems

• Different hash methods

Question 46

Collisions

Answer 46

Hash digests are supposed to be unique
• Different input data should never
create the same hash

Question 47

• MD5 hash

Answer 47

Message Digest Algorithm 5
• First published in April 1992
• Collisions identified in 1996

Question 48

Replay attacks

Answer 48

• Some cryptographic algorithms are more susceptible
than others to a replay attack
• A hash with no salt, no session ID tracking, no encryption
• Replay countermeasure may be part of the cryptography
• Kerberos and Kerberos derivatives include time stamps
• Anything after the time to live (TTL) is discarded

Question 49

Weak implementations

Answer 49

Weak encryption
• One weak link breaks the entire chain
• 802.11 WEP
• The RC4 key can be recovered by gathering enough packets
• The algorithm didn’t sufficiently protect the key
• DES - Data Encryption Standard
• Relatively small 56-bit keys
• Modern systems can brute force this pretty quickly