1.2 Compare and contrast types of attacks. Flashcards

1
Q

Clickjacking

A

Normal web page underneath

• Invisible layer on the top

2
Q

Clickjacking your phone

A

Invisible information drawn over the screen

• Monitor keystrokes and record user input

3
Q

Cookies

A

Information stored on your computer by the browser
• Used for tracking, personalization, session management
• Not executable, not generally a security risk
• Unless someone gets access to them
• Could be considered a privacy risk

4
Q

Session IDs

A

Maintains sessions across multiple browser sessions

5
Q

Header manipulation

A

Information gathering
• Wireshark, Kismet
• Exploits
• Cross-site scripting
• Modify headers
• Tamper, Firesheep, Scapy
• Modify cookies
• Cookies Manager+ (Firefox add-on)
6
Q

Prevent session hijacking

A

Encrypt end-to-end
• They can’t capture your session ID if they can’t see it
• Additional load on the web server (HTTPS)
• Firefox extension: HTTPS Everywhere, Force-TLS

7
Q

Encrypt end-to-somewhere

A

At least avoid capture over a local wireless network
• Still in-the-clear for part of the journey
• Personal VPN (OpenVPN, VyprVPN, etc.)

8
Q

Use session ID monitors

A

Blacksheep

• Application-specific

9
Q

Malware hide-and-go-seek

A

There are still ways to infect and hide
• It’s a constant war
• Zero-day attacks, new attack types, etc.

10
Q

Drivers

A

The interaction between the hardware and your operating system
Hardware interactions contain sensitive information
• Video, keyboard, mouse

11
Q

Shimming

A

Filling in the space between two objects
• A middleman
• Windows includes its own shim
• Backwards compatibility with previous Windows versions
• Application Compatibility Shim Cache
• Malware authors write their own shims
• Get around security (like UAC)
12
Q

Refactoring

A

Metamorphic malware
• A different program each time it’s downloaded
• Make it appear different each time
• Add NOP instructions
• Loops, pointless code strings
• Can intelligently redesign itself
• Reorder functions
• Modify the application flow
• Reorder code and insert unused data types
• Difficult to match with signature-based detection
• Use a layered approach

13
Q

Spoofing

A

Pretend to be something you aren’t
• Fake web server, fake DNS server, etc.
• Email address spoofing
• Caller ID spoofing

14
Q

Man-in-the-middle attacks

A

The person in the middle of the conversation pretends to be both endpoints

15
Q

MAC spoofing

A

• Very difficult to detect
• Circumvent MAC-based ACLs
• Fake-out a wireless address filter

16
Q

IP address spoofing

A
• Take someone else’s IP address
• Pretend to be somewhere you are not
• Easier to identify than MAC address spoofing
• Actual device - ARP poisoning
• DNS amplification / DDoS
17
Q

IP address spoofing prevention

A

Apply rules to prevent invalid traffic; enable switch security

18
Q

Wired vs. wireless replay

A

Similar to wired replay attacks
• Wireless doesn’t change those attacks
• Wireless adds some additional capabilities
• This is a big concern for the security professional
• Much easier to capture the data
• Hotspots are generally in the clear
• Just like tuning in to a radio station
19
Q

Cracking WEP - Wired Equivalent Privacy

A

• A broken security protocol
• Could not stop the replay of 802.11 packets
• ARP request replay attack
• Cracking WEP requires thousands of Initialization Vector (IV) packets
• Wait all day to collect IV information
• Or replay a ton of ARPs and collect the IV packets
• Now you have many thousands of IV packets
• You can crack WEP in seconds

20
Q

Rogue Access Points

A
• A significant potential backdoor
• Huge security concerns
• Very easy to plug in a wireless AP
• Or enable wireless sharing in your OS
21
Q

Rogue Access Points prevention

A
• Schedule a periodic survey
• Walk around your building/campus
• Use third-party tools / WiFi Pineapple
• Consider using 802.1X (Network Access Control)
• You must authenticate, regardless of the connection type
22
Q

Wireless Evil Twins

A

• Buy a wireless access point
• Less than $100 US
• Configure it exactly the same way as an existing network
• Overpower the existing access points
• May not require the same physical location

23
Q

Wireless Evil Twins prevention

A
• You encrypt your communication, right?
• Use HTTPS and a VPN

24
Q

Radio frequency (RF) jamming

A

Denial of Service
• Jamming is intentional
• Someone wants your network to not work
• Prevent wireless communication
• Transmit interfering wireless signals
• Decrease the signal-to-noise ratio at the receiving device
• The receiving device can’t hear the good signal
25
Q

Wireless jamming

A
• Many different types
• Constant, random bits / Constant, legitimate frames
• Data sent at random times
• Random data and legitimate frames
• Needs to be somewhere close
• Difficult to be effective from a distance
• Time to go fox hunting
• You’ll need the right equipment to hunt down the jam
• Directional antenna, attenuator
26
Q

Reactive jamming

A

• Only when someone else tries to communicate

27
Q

Using WPS

A
• Wi-Fi Protected Setup
• Originally called Wi-Fi Simple Config
• Allows “easy” setup of a mobile device
• A passphrase can be complicated to a novice
28
Q

Other WPS Attacks

A
• Walk up to the access point
• Default PIN may be written on the device
• Or just push the WPS button on the front
29
Q

Bluejacking

A

Sending of unsolicited messages to another device via Bluetooth
• No mobile carrier required!

30
Q

Bluesnarfing

A

• Access a Bluetooth-enabled device and transfer data
• Contact list, calendar, email, pictures, video, etc.
• Serious security issue
• If you know the file, you can download it without authentication

31
Q

RFID Attacks

A
• Data capture
• View communication
• Replay attack
• Spoof the reader
• Write your own data to the tag
• Denial of service
• Signal jamming
32
Q

Near field communication (NFC)

A
• Two-way wireless communication
• Builds on RFID, which was one-way
• Payment systems
33
Q

NFC Security Concern

A
• Remote capture
• It’s a wireless network
• 10 meters for active devices
• Frequency jamming
• Denial of service
• Relay / Replay attack
• Man in the middle
• Loss of NFC device control
• Stolen/lost phone
34
Q

It started as a normal day

A

Surfing along on your wireless network
• And then you’re not - intermittent
• You may not be able to stop it
• There’s (almost) nothing you can do
• Time to get a long patch cable
35
Q

Wireless disassociation

A

• A significant wireless denial of service (DoS) attack

36
Q

802.11 management frames

A

• Frames that make everything work
• Important for the operation of 802.11 wireless
• How to find access points, manage QoS, associate/disassociate with an access point, etc.
• Original wireless standards did not add protection for management frames
• Sent in the clear with no authentication or validation

37
Q

Cryptographic attacks

A

The bad guy doesn’t have the combination (the key)
• So they break the safe (the cryptography)
• Finding ways to undo the security
• There are many potential cryptographic shortcomings

38
Q

Birthday attack

A

A hash collision is the same hash value for two different plaintexts
• Find a collision through brute force
• The attacker will generate multiple versions of plaintext to match the hashes
• Protect yourself with a large hash output size

39
Q

Known plaintext attack (KPA)

A

• Attacker has both the plaintext and the encrypted data
• If you know the original plaintext, you may be able to find a “wedge” that is revealed in the ciphertext
• The known plaintext is the crib

40
Q

Rainbow tables

A

An optimized, pre-built set of hashes
• Doesn’t need to contain every hash
• The calculations have already been done
• Remarkable speed increase
• Especially with longer password lengths
• Need different tables for different hashing methods
• Windows is different than MySQL
• Rainbow tables won’t work with salted hashes
• Additional random value added to the original hash

41
Q

Dictionary attacks

A

People use common words as passwords
• You can find them in the dictionary
• If you’re using brute force, you should start with the easy ones
Many common wordlists available on the ‘net
• Some are customized by language or line of work

42
Q

Brute force

A

The password is the key
• Secret phrase
• Stored hash

43
Q

Brute force attacks - Online

A

Keep trying the login process
• Very slow
• Most accounts will lock out after a number of failed attempts

44
Q

Brute force the hash - Offline

A
• Obtain the list of users and hashes
• Calculate a password hash, compare it to a stored hash
• Large computational resource requirement
45
Q

The password file

A

Different across operating systems

• Different hash methods

46
Q

Collisions

A

Hash digests are supposed to be unique
• Different input data should never create the same hash

47
Q

MD5 hash

A

Message Digest Algorithm 5
• First published in April 1992
• Collisions identified in 1996

48
Q

Replay attacks

A

• Some cryptographic algorithms are more susceptible than others to a replay attack
• A hash with no salt, no session ID tracking, no encryption
• Replay countermeasure may be part of the cryptography
• Kerberos and Kerberos derivatives include time stamps
• Anything after the time to live (TTL) is discarded

49
Q

Weak implementations

A

Weak encryption
• One weak link breaks the entire chain
• 802.11 WEP
• The RC4 key can be recovered by gathering enough packets
• The algorithm didn’t sufficiently protect the key
• DES - Data Encryption Standard
• Relatively small 56-bit keys
• Modern systems can brute force this pretty quickly