Confidentiality Attack Tactics Flashcards
Packet capture
A packet-capture (also known as packet-sniffing) utility such as Wireshark
(http://wireshark.org) can capture packets using a PC’s network interface card (NIC)
by placing the NIC in promiscuous mode. Some protocols, such as Telnet and HTTP,
are sent in plain text. Therefore, these types of captured packets can be read by an
attacker, perhaps allowing the attacker to see confidential information. On a switched
network the NIC only sees traffic the switch forwards to its port, so an attacker usually
combines sniffing with a hub, a mirror (SPAN) port, or one of the redirection tricks
listed under man-in-the-middle.
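To show what "read by an attacker" means in practice, here is an added example (not part of the original flashcards) that parses a captured Ethernet/IPv4/TCP frame and pulls an HTTP Basic credential out of it. The frame builder, the addresses, the host name and the user name/password are all constructed for the example; a real capture would come from Wireshark, tcpdump or a pcap library instead.

```python
import base64
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a raw Ethernet/IPv4/TCP frame as it would appear in a capture (constructed)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    ip_total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    # data offset 5 words, flags PSH+ACK, no checksum (a sniffer does not need one)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                       # not TCP
        return None
    src = ".".join(map(str, frame[14 + 12:14 + 16]))
    dst = ".".join(map(str, frame[14 + 16:14 + 20]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp_off + data_off:]


def extract_basic_credentials(frames):
    """Scan frames for 'Authorization: Basic' headers sent over plain-text HTTP."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                try:
                    creds = base64.b64decode(line.split(b" ", 2)[2]).decode()
                except Exception:                # malformed header, skip it
                    continue
                user, _, password = creds.partition(":")
                found.append((src, dst, dport, user, password))
    return found


# Constructed sample traffic: host, user name and password are invented.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\n"
                b"Host: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:Summer2024!") + b"\r\n"
                b"\r\n")
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 51000, 80, HTTP_REQUEST),
    # the same kind of request over TLS is opaque to the sniffer
    build_frame("10.0.0.5", "10.0.0.20", 51001, 443, b"\x16\x03\x01\x00\x2a" + b"\x00" * 42),
]

if __name__ == "__main__":
    for src, dst, port, user, pw in extract_basic_credentials(SAMPLE_FRAMES):
        print(f"{src} -> {dst}:{port}  user={user!r} password={pw!r}")
```

The second frame is there to make the contrast concrete: the parser sees its addresses and ports just as well, but the TLS record carries nothing it can read. The same scan over a Telnet session (port 23) would yield the keystrokes of the login rather than a single header, because Telnet sends each character in the clear.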
Port scan
A port scan identifies attack targets on a network. A ping sweep could be used to ping a series of IP
addresses. Ping replies might indicate to an attacker that network resources were
reachable at those IP addresses (no reply does not prove a host is down, because firewalls
commonly drop ICMP). After a collection of IP addresses is identified, the
attacker might scan a range of UDP or TCP ports to see what services are available
on the hosts at the specified IP addresses. Port scans also often help attackers
identify the operating system running on a target system, because different TCP/IP
stacks answer unusual probes differently. These attacks are
commonly referred to as reconnaissance attacks.
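A minimal TCP connect scan, as an added example that is not part of the original flashcards. It runs against the loopback interface only: a throwaway listener is started so the scanner has something to find, and the port it lands on is assumed free (the OS picks it). A ping sweep is left out because sending ICMP needs raw sockets and privileges; on a real target a tool such as nmap does both steps.

```python
import socket
import threading


def start_listener(port=0):
    """Open a throwaway TCP service on loopback so the scan has something to find.
    Port 0 lets the OS choose a free port; read it back with getsockname()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:            # listener was closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def tcp_connect_scan(host, ports, timeout=0.3):
    """TCP connect scan: a completed three-way handshake means the port is open.
    A refused connection (RST) means closed; a timeout usually means filtered."""
    result = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            result[port] = "open"
        except ConnectionRefusedError:
            result[port] = "closed"
        except (socket.timeout, OSError):
            result[port] = "filtered"
        finally:
            s.close()
    return result


def open_ports(scan):
    """Just the ports that completed a handshake, sorted."""
    return sorted(p for p, state in scan.items() if state == "open")


if __name__ == "__main__":
    listener = start_listener()
    target = listener.getsockname()[1]
    scan = tcp_connect_scan("127.0.0.1", range(target - 3, target + 4))
    print("open:", open_ports(scan))
    listener.close()
```

A connect scan completes the handshake, so every open port it finds leaves an accepted connection in the target's logs; that is why attackers prefer half-open (SYN) scans, which need raw sockets, and why a burst of connections to many ports from one source is an easy detection signature.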
Dumpster diving
Because many companies throw away confidential information without proper
shredding, some attackers rummage through company dumpsters in hopes of
discovering information that could be used to compromise network resources.
Electromagnetic interference (EMI) interception
Because data is often transmitted over wire (for example, unshielded twisted pair),
attackers can sometimes copy information traveling over the wire by intercepting the
EMI being emitted by the transmission medium. These EMI emissions are sometimes
called emanations. TEMPEST was the name of a U.S. government program that studied the
ability to recover data from a network by listening to its emanations. TEMPEST
rooms are designed to keep emanations contained within the room, to increase the
security of data communications happening there.
Wiretapping
If an attacker gains physical access to a wiring closet, the attacker might physically tap into
telephone cabling to eavesdrop on telephone conversations, or might insert a
shared-media hub inline with a network cable. Because a hub repeats every frame to all of its
ports, the attacker can connect to the hub and receive copies of packets flowing through the
network cable.
Man-in-the-middle (MitM)
If an attacker can get in the direct path between a client and a server, the attacker can
then eavesdrop on their conversation. If cryptography is being used and the attacker
fools the client and server both into building VPNs to the attacker instead of to each
other, the attacker can see all the data in clear text. This works only when endpoint
authentication fails (for example, a client that accepts a certificate it cannot validate);
a properly authenticated TLS or IPsec session cannot be decrypted by a third party in the
path. On a local Ethernet network,
methods such as Address Resolution Protocol (ARP) spoofing, ARP cache
poisoning, Dynamic Host Configuration Protocol (DHCP) spoofing, and Domain
Name System (DNS) spoofing are all mechanisms that may be used to redirect a
client’s traffic through the attacker, instead of directly to the server.
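ARP spoofing works because ARP replies are unauthenticated: whoever answers "10.0.0.1 is at MAC X" last wins the victim's cache. The added example below (not from the original flashcards) builds a few ARP replies the way an attacker would, then runs the simple detection most ARP-watch tools use: learn each IP-to-MAC binding and alert when a known IP suddenly claims a new MAC. All MAC and IP addresses are invented.

```python
import struct


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(map(int, ip.split(".")))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet/ARP reply (opcode 2) saying 'sender_ip is at sender_mac'."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # hw=Ethernet, proto=IPv4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))


def detect_arp_spoofing(frames):
    """Learn IP->MAC bindings from ARP replies; report any IP whose MAC changes.
    Returns a list of (ip, previous_mac, new_mac)."""
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:        # only ARP replies matter here
            continue
        _, mac, ip = parsed
        if ip in bindings and bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac))
        bindings[ip] = mac
    return alerts


# Constructed sample: a legitimate gateway reply, then an attacker claiming both sides.
GATEWAY_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"
VICTIM_MAC = "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),   # real gateway answers
    build_arp_reply(ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),  # attacker poisons the victim
    build_arp_reply(ATTACKER_MAC, "10.0.0.5", GATEWAY_MAC, "10.0.0.1"), # attacker poisons the gateway
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_spoofing(SAMPLE_FRAMES):
        print(f"ALERT {ip} moved from {old} to {new}")
```

The third frame produces no alert because the monitor had never seen a binding for 10.0.0.5; a monitor that also learned from ARP requests, or that was seeded with the DHCP lease table, would catch it. Expect false positives from legitimate MAC changes (NIC replacement, router failover), so the alert is a prompt to check, not proof by itself.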
Social engineering
Attackers sometimes use social techniques (which often leverage people’s desire to
be helpful) to obtain confidential information. For example, an attacker might pose as
a member of an organization’s IT department and ask a company employee for their
login credentials so that “IT staff can test the connection.”
Sending information over overt channels
An attacker might send or receive confidential information over a network using an
overt channel. An example of using an overt channel is tunneling one protocol inside
another (for example, sending instant-messaging traffic via HTTP). Steganography is
another example of sending information over an overt channel. An example of
steganography is sending a digital image made up of millions of pixels with “secret”
information encoded in specific pixels, where only the sender and the receiver know
which pixels represent the encoded information. Unlike encryption, steganography
hides the existence of the message rather than its content, so the two are often combined.
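The pixel scheme described above, worked through as an added example (not part of the original flashcards): the sender and receiver derive the same set of pixel positions from a shared key, and each secret bit replaces the least-significant bit of one pixel's blue channel, so the carrier changes by at most one unit per touched pixel. The carrier here is a constructed list of (R, G, B) tuples standing in for an image; a seeded PRNG stands in for a real key-derivation function.

```python
import random


def make_carrier(width, height):
    """Constructed stand-in for an image: a list of (R, G, B) tuples, row by row."""
    return [((x * 7) % 256, (y * 13) % 256, (x * y) % 256)
            for y in range(height) for x in range(width)]


def positions_from_key(key, count, total):
    """Sender and receiver derive the same pixel positions from a shared key.
    A seeded PRNG is used for the example; real use would derive the seed with a KDF."""
    rng = random.Random(key)
    return rng.sample(range(total), count)


def embed(pixels, secret, positions):
    """Write the secret's bits (MSB first) into the blue-channel LSB of the chosen pixels."""
    bits = [(byte >> i) & 1 for byte in secret for i in range(7, -1, -1)]
    if len(bits) > len(positions):
        raise ValueError("not enough carrier pixels for the message")
    out = list(pixels)
    for bit, pos in zip(bits, positions):
        r, g, b = out[pos]
        out[pos] = (r, g, (b & 0xFE) | bit)
    return out


def extract(pixels, positions, length):
    """Read `length` bytes back from the same positions, in the same order."""
    bits = [pixels[pos][2] & 1 for pos in positions[:length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def max_channel_delta(a, b):
    """Largest per-channel change between two carriers; LSB embedding never exceeds 1."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    secret = b"meet at the usual place"
    positions = positions_from_key(b"shared key", len(secret) * 8, len(carrier))
    stego = embed(carrier, secret, positions)
    print(extract(stego, positions, len(secret)))
    print("max change per channel:", max_channel_delta(carrier, stego))
```

The receiver needs the key and the message length (a real scheme would embed a length header first). Detection is statistical rather than visual: LSB embedding leaves the image looking identical but perturbs the distribution of pixel pairs, which is what steganalysis tools measure.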
Sending information over covert channels
An attacker might send or receive confidential information over a network using a
covert channel, which can communicate information as a series of codes/events. For
example, binary data could be represented by sending a series of pings to a
destination. A single ping within a certain period of time could represent a binary 0,
and two pings within that same time period could represent a binary 1. Such channels
are slow but hard to spot, because each individual packet looks legitimate; the signal is in
the timing or count, not in the payload.
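The ping-count channel above, encoded and decoded as an added example (not from the original flashcards), with a simple detection heuristic alongside. Only the timestamps are modelled, not the ICMP packets themselves; the one-second window and the 16-window detection threshold are choices made for the example.

```python
WINDOW = 1.0   # seconds per symbol, chosen for the example


def pings_per_window(times, start, window):
    """Map each ping timestamp to its window index and count pings per window."""
    counts = {}
    for ts in times:
        slot = int((ts - start) // window)
        counts[slot] = counts.get(slot, 0) + 1
    return counts


def encode_pings(message, start=0.0, window=WINDOW):
    """Turn bytes into ping send times: one ping in a window = 0, two pings = 1."""
    times = []
    t = start
    for byte in message:
        for i in range(7, -1, -1):
            times.append(t + 0.1)
            if (byte >> i) & 1:
                times.append(t + 0.5)
            t += window
    return times


def decode_pings(times, start=0.0, window=WINDOW):
    """Receiver side: read one bit per window until the first empty window."""
    counts = pings_per_window(times, start, window)
    bits = []
    slot = 0
    while slot in counts:
        bits.append(1 if counts[slot] >= 2 else 0)
        slot += 1
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def looks_like_covert_channel(times, window=WINDOW, min_windows=16):
    """Detection heuristic: a long run of consecutive windows each holding exactly
    one or two pings is unlike either a single ping test or a flood."""
    if not times:
        return False
    # offset the grid by half a window so pings near the boundary land in one slot
    counts = pings_per_window(times, min(times) - window / 2, window)
    run = best = 0
    for slot in range(max(counts) + 1):
        if counts.get(slot, 0) in (1, 2):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best >= min_windows


if __name__ == "__main__":
    sent = encode_pings(b"hi")
    print(decode_pings(sent), "from", len(sent), "pings over", len(b"hi") * 8, "seconds")
    print("flagged:", looks_like_covert_channel(sent))
```

At one bit per second the channel moves a few hundred bytes an hour, which is plenty for a password or a key. The detector will miss a sender that randomizes the window length or mixes in dummy windows, which is why covert-channel detection usually leans on volume over long periods (why does this host ping the same address thousands of times a day?) rather than on the pattern of any one exchange.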
Malware
After a single machine in a company is compromised and is running malicious
software, the attacker can then use that single computer to proceed further into the
internal network, using the compromised host as a pivot point. The malware may
have been introduced by an outside attacker or by a disgruntled insider.
Antivirus and antimalware software should run on all systems, and users should be given
very limited rights to install software on the computers they use.
FTP bounce
FTP supports a variety of commands for setting up a session and managing file
transfers. One of these commands is the PORT command, and it can, in some cases, be
used by an attacker to access a system that would otherwise deny the attacker.
Specifically, an attacker connects to an FTP server using the standard control port of 21.
However, FTP uses a secondary connection to send data. In active mode, the client issues a PORT
command to specify the destination IP address and port for the data
transmission. Normally, the client sends its own IP address and an ephemeral
port number. The FTP server then connects from source port 20 to the destination
port specified by the client when sending data. However, an attacker
might issue a PORT command specifying the IP address of a device they want to
access, along with an open port number on that device. As a result, the targeted
device might allow an incoming connection from the FTP server’s IP address, while
a connection coming in from the attacker’s IP address would be rejected. Fortunately,
most modern FTP servers do not accept a PORT command that
specifies an IP address different from the client’s own (the control connection’s peer address).
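The server-side check that closes the bounce, as an added example (not code from the original flashcards or from any particular FTP server): parse the PORT argument in its RFC 959 form `h1,h2,h3,h4,p1,p2`, then refuse it unless the address matches the control connection's peer. The privileged-port rule and the reply wording are choices made for the example; the peer address used in the sample is invented.

```python
def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = args.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be integers")
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT field out of range")
    ip = ".".join(map(str, nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def accept_port_command(line, control_peer_ip):
    """Decide whether the server should honour a PORT command.
    Returns (ok, reply). The address check is the anti-bounce rule; the privileged-port
    check blocks the classic bounce targets (SMTP, IRC, ...) even if the address matched."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return False, f"501 Syntax error in parameters: {exc}"
    if ip != control_peer_ip:
        return False, "500 Illegal PORT command (address does not match control connection)"
    if port < 1024:
        return False, "500 Illegal PORT command (privileged port)"
    return True, f"200 PORT command successful ({ip}:{port})"


if __name__ == "__main__":
    peer = "203.0.113.7"                              # invented control-connection peer
    for cmd in ("PORT 203,0,113,7,195,80",            # client's own address: fine
                "PORT 10,0,0,5,0,25",                 # bounce at an internal SMTP server
                "PORT 203,0,113,7,0,22",              # own address but privileged port
                "PORT 1,2,3"):                        # malformed
        print(cmd, "->", accept_port_command(cmd, peer)[1])
```

The bounce attempt is the second line: the data target is an internal host on port 25, and without the address check the server would open that connection on the attacker's behalf from its own (trusted) address. Passive mode (PASV) sidesteps the problem for clients, but the server still has to validate PORT for any client that uses active mode.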
Phishing
This variation of a social engineering attack sends an email to the user that appears
to be legitimate in an attempt to have that user input authentication information that is
then captured. For example, the email may provide a website link for Federal
Express in order to claim a package. The attacker constructs a website (at the false
address) that looks just like the actual Federal Express website, so the credentials the
user types in are delivered to the attacker rather than to Federal Express.
Denial of service
• Force a service to fail
• Overload the service
Distributed Denial of Service (DDoS)
• Launch an army of computers (a botnet) to bring down a service
• Use all the bandwidth or resources - traffic spike
DDoS amplification
• Turn your small attack into a big attack
• Often reflected off another device or service: the attacker sends small requests with the
victim’s spoofed source address to a service whose replies are much larger (DNS and NTP are
common choices), so the victim receives the amplified responses