deck_2250368 Flashcards

Question

Q25: Your incident-handling team has determined your organization has been hit by a virus that takes advantage of a specific version of a PDF reader. Your team is gathering a list of potentially affected users based on your software inventory. What stage of the incident-handling process is occurring?

Answer 1

A25: Identification. There are many questions that need to be asked during the initial assessment of an incident in order to determine whether it is an actual incident or an event and to assess the severity of the incident. One way to determine the severity is to ask yourself how widely the affected application or system is deployed in your environment. Deciding if an application should be ported to another operating system is important in the recovery and lessons-learned phases. Jump bag contents should be decided upon early in the preparation phase and realizing what you have learned is the last step, the lessons-learned phase..

Answer 2

A26: Host perimeter. The host perimeter border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools..

Answer 3

A27: TCP\/7777. Tini, a common Trojan horse backdoor remote command shell tool, listens on TCP port 7777 by default..

Answer 4

A29: Net start. At the command line, to get a list of running services, you could execute the following command: C: \\> net start..

Answer 5

A30: Routers. The network perimeter is monitored by firewalls, routers that generate logs, external-facing intrusion detection systems, intrusion prevention systems, and other machines on the DMZ. These systems can provide earlier warnings about attacks as they monitor your borders with the Internet and other external networks..

Answer 6

A31: Port sentry tools. The host perimeter is where you monitor activities across each host system's interface, analyze what the machine is sending out to, and receive from the network. This border can be monitored using personal firewalls and host-based intrusion prevention systems, local firewalls, and port sentry tools..

Answer 7

A32: Need to know. The minimum people with the absolute need to know about an incident stops the rumor mill and stops the legal ramifications and\/or tipping of a potential insider perpetrator..

Answer 8

A33: Out of band. Make sure to use out of band communications when dealing with an incident. If you use the same channels in which an incident occurred, you could tip off the perpetrator and\/or continue the incident by using compromised channels..

Answer 9

A34: Gather events, analyze them, and determine whether an incident exists.. The goal of the identification phase is to gather events, analyze them, and determine whether an incident exists..

Answer 10

A35: One. If one person is not in charge, no person is in charge. For an incident to be successfully managed, one person always needs to be in charge and accountable..

Answer 11

A36: Both people take notes, because two accounts of the incident are better than one.. During an incident, you should always take notes. Having an assistant take notes as well is important, but it does not relieve you of the responsibility..

Answer 12

A37: Dd. If possible, make a binary or bit-by-bit backup using dd..

Answer 13

A38: Both memory and file-system images. Grab an image of memory as well as the file system. The ideal image is the binary, bit-by-bit image; this gets everything on the disk, including deleted and fragmentary files..

Answer 14

A39: Eradication. After creating forensics images, you move onto the eradication phase when extended downtime is acceptable..

Answer 15

A40: Senior legal counsel. Your incident-handling team should have a senior member of management as its sponsor. This manager can help to clear out obstacles when you are under fire. To do that, you should strive to find a sympathetic senior manager, such as a chief information security officer (CISO), Chief information officer (CIO), senior legal counsel, or another related position that makes most sense in your organizational structure..

Answer 16

A41: Business unit. Containment (both short- and long-term) might stop the system from performing various business actions. Therefore, make sure you get approval before taking action that will impact business. Call the business unit teams before dropping a system..

Answer 17

A42: General category, criticality, and sensitivity. The FIRST organization distributes an incident case classification document that recommends characterizing incident based on three areas: (1) its general category, (2) the criticality of impacted systems and data, and (3) the sensitivity with which information about the case itself should be treated..

Answer 18

A43: Minimize the damage. The goal for containment is to stop the bleeding..

Answer 19

A44: Initial assumptions are often wrong and a handler needs cooperation at this phase of an investigation.. Often the facts change as more information becomes available during an incident. Early assumptions are often proved wrong. If you were to blame an individual and the facts later showed that the person was not at fault, your credibility would be lost, at least in that part of the organization..

Answer 20

A45: Short-term, system backup, and long-term. Containment includes three subphases: (1) short-term containment just to stop the damage, (2) system back-up, and (3) long-term containment to make sure the bad guy is denied access..

Answer 21

A46: Denial-of-service packet floods. ISPs are the only ones who can reliably stop a DoS attack before it hits your network since they are upstream..

Answer 22

A47: Sending an ICMP echo request to the source machine. Rookie incident handlers can be spotted a mile away with a network-logging system. They find an attack apparently coming from some IP address. So they ping the address, then they do an nslookup. Sometimes, they even Telnet to it..

Answer 23

A48: On-site handler. The only one that can or will write the report is the on-site handler. The handler submits the draft to the head of the incident handling team..

Answer 24

A49: Two weeks. The lessons-learned meeting should occur within two weeks of resuming production, while the events and report are still fresh in people's minds..

Answer 25

A50: Develop a report based on the incident.. The lessons-learned phase requires the person handling the incident to document the findings and issue a report. Everyone involved in handling the incident should sign off on the report, agreeing to its contents..

Answer 26

A51: To learn from our mistakes and provide continuous process improvement.. The main purpose of lessons learned is to learn from our mistakes and to improve the process of incident handling and report creation..

Answer 27

A52: Which additional systems may be affected by the incident. Trust model is a term used to refer to the set of permissions or trusts between systems. Which systems can the affected system access? Which systems can be used to access the affected system? Determining the trust model gives you an idea of the possible scope of the problem, as well as an idea of possible attack vectors..

Answer 28

A53: Find out how many users received the e-mail and spread the word that it is not to be installed.. It is important to not spread rumors or unnecessary information during an incident. If your users are all receiving e-mail such as this, they are all possible victims and they should all be warned. This is an example of when it is important to spread the word to avoid possible exploitation of users' workstations. For the record, Microsoft does not send out patches via e-mail. You should also educate your users to never install software or patches they receive in e-mails, no matter who the sources claim to be..

Answer 29

A54: Intellectual property. The physical differences between your organization and your competition are probably minimal. The trade secrets, marketing contacts, business plans and other intellectual property make all the difference. The odds are fairly high that these crown jewels are the target..

Answer 30

A55: Casual, nondestructive insider. Many casual threats come down to a lack of awareness on the employee's part. You must make sure your awareness activities deal with each of these aspects of security..

Answer 31

A56: Intentional, nondestructive. A casual threat usually stems from the employee's lack of understanding. The employee does not mean to cause any harm and if the employee realized his or her actions were causing harm, he or she would stop. Acts with a nondestructive intent are usually perpetrated by those that do not want to draw attention to the intrusion. They plan to gather data for a long period of time, may plant a backdoor for later use, and are careful to cover their tracks..

Answer 32

A57: Casual, destructive. Casual, destructive insider threats include disabling antivirus programs and downloading untrusted programs..

Answer 33

A58: Invent an acronym that does not actually exist and plant it into the document.. A great way to thumbprint critical files is to invent an acronym that does not actually exist and plant it into the document..

Answer 34

A59: Casual, nondestructive. Casual, nondestructive insider threats are the least harmful to an organization and generally include forwarding emails and\/or leaving doors open..

Answer 35

A60: Intentional, destructive. Examples of intentional, destructive insider threats include logic bombs, website defacement, and deleting data..

Answer 36

A61: Trusted insider. Almost every case of espionage prosecuted by the U.S. government involved a trusted insider..

Answer 37

A62: To preserve their integrity. By hashing (file integrity) your log files, you are preserving their integrity to ensure that they have not been altered..

Answer 38

A63: Whether the message came from inside or outside of the organization. In order to track down the sender of a message, and to determine the message's route into an organization, it is important to determine if it was generated internally or externally..

Answer 39

A64: Intentional threat. The intentional, nondestructive insider threat is the hardest to detect. The goal of this type of threat is usually theft of trade secrets\/proprietary information. The intentional, destructive threat is performed by a disgruntled employee and is considered purposeful sabotage. The casual threat usually stems from an employee's lack of understanding. The casual, nondestructive threat includes the "forgot to or did not realize I could not do that" threat. The casual, destructive threat includes not utilizing the latest virus detection file..

Answer 40

A65: Zone transfer. A zone transfer allows an attacker to connect with your DNS server and grab all records associated with a particular domain..

Answer 41

A66: The purpose is to search for all instances of the term wireless on the somecompany.net website.. The search wireless site: somecompany.net will produce a search result for the term wireless limited to the site somecompany.net..

Answer 42

A67: Hash and compare signatures.. Make sure you check the PGP signature as well as the MD5 and SHA-1 hashes from multiple mirrors when you download new or existing versions..

Answer 43

A68: www.uwhois.com. ARIN is the American Registry for Internet Numbers. RIPE NCC is the R\u00e9seaux IP Europ\u00e9ens Network Coordination Centre. APNIC is the Asia Pacific Network Information Centre. www.uwhois.com provides information for over 200 different countries..

Answer 44

A69: Robots.txt. To get Google to remove you, you not only have to request page removal using their form, you also have to alter the website's robots.txt file or alter the page's meta tag to indicate that you really want it removed..

Answer 45

A70: Nslookup. The nslookup command will reveal the IP address associated with a designated domain name..

Answer 46

A71: Nslookup. Nslookup is a program that can be used to interrogate DNS servers..

Answer 47

A72: Linux nslookup. In the latest versions of Linux nslookup, the command has been stripped so that it cannot perform zone transfers, a useful technique for getting a lot of information about a target domain..

Answer 48

A73: Whois database. One of the best tools to use for reconnaissance is a whois database, many of which exist on the Internet..

Answer 49

A74: You cannot really tell whether someone has looked you up.. The problem with identification is that you cannot really tell whether someone has looked you up..

Answer 50

A75: Common Vulnerabilities and Exposures. CVE is the Common Vulnerabilities and Exposures taxonomy established and maintained by MITRE. It is used to help identify particular attacks so we are using the same vernacular..

Answer 51

A76: Site. The site directive allows an attacker to search for pages on a single site or domain, narrowing down and focusing the search..

Answer 52

A77: Info. The info directive is not very useful. It returns a bunch of data, including results from link and related searches, as well as cached pages..

Answer 53

A78: Web spider. When a Web admin reviews Web logs an indication that someone has used a Web spider (also known as a Web crawler) to access every page on your site in a short period of time (say within 5 minutes) would show up easily..

Answer 54

A79: Scanning. Once a perpetrator has performed the appropriate level of reconnaissance on a site, his or her next steps are to scan, exploit the system by gaining access, and cover his or her tracks..

Answer 55

A80: UDP port 53. Normal DNS queries and responses use UDP port 53..

Answer 56

A81: TCP port 53. Zone transfers use TCP port 53..

Answer 57

A82: Driving around looking for wireless network access points with a laptop and suitable software. War driving is driving around with a computer and a wireless receiver while scanning for available wireless networking carriers. You can also scan while walking (war walking), biking (war biking), etc..

Answer 58

A83: THC-Scan Next Generation. THC-Scan Next Generation was written to allow for highly distributed war dialing attacks. An attacker can use a bot-net with 10, 100, 10,000 or more modems on victim machines to do the dialing now..

Answer 59

A84: Use the buddy system, where two or more people go into each office or cubicle.. When you do desk-to-desk checks, you should always employ the two-person rule (a.k.a. the buddy system). With an explicit two-person team checking for unwanted\/unregistered modems, you will not be subject to claims of unfairness or, worse yet, theft from people's desks. If a single person checks for modems late at night and something turns up missing from someone's desk, you may have significant problems..

Answer 60

A85: Modems. War dialers are looking for modem carriers or a secondary dial tone. Once the modem is located, further steps are required in order to exploit..

Answer 61

A86: Perform periodic war-dialing scans against the company's phone numbers.. An effective, nondisruptive way of protecting a network against entry points created by modems connected to computers within the corporate network is to perform periodic war-dialing scans against the company's phone numbers. In this way, an administrator will see the network from the perspective of someone attempting to compromise the network and be able to detect any rogue modems that exist on the network..

Answer 62

A87: Aircrack-ng. With tools like Aircrack-ng, the attacker needs to sniff about 50 to 100 megabytes of data, which can often be done in 10 to 30 minutes. After grabbing this data, the tool cracks the WEP key, and the attacker can view all data on the LAN recorded earlier and sent later, as long as the WEP key remains constant..

Answer 63

A88: SELF. WarVOX can be configured with SELF as the caller ID value, which will make it set the Caller ID value to the same number that it is dialing. This option can be used to bypass PIN authentication in some voice mail systems..

Answer 64

A89: Nudging. Nudging sends a predefined string of characters to a discovered modem.

Answer 65

A90: WarVOX. WarVOX will record an MP3 file associated with each number dialed and answered..

Answer 66

A91: Social engineering. War dialers dial a sequence of telephone numbers in an attempt to locate modem carriers or a secondary dial tone. Social engineering is one of the methods for obtaining phone numbers for war dialing..

Answer 67

A92: Demon dialers. Demon dialers dial a single number to conduct a brute-force attack against passwords..

Answer 68

A93: SSID cloaking. You can configure most access points to omit their SSIDs from their beacons, a feature known as SSID cloaking..

Answer 69

A94: Addresses can be spoofed.. While you could allow only traffic from registered MAC addresses, such security is deeply flawed. A MAC address can be easily spoofed (either by using the ifconfig command in Linux\/Unix or a free tool called Macshift.exe for Windows)..

Answer 70

A95: The name of a wireless LAN. The SSID is merely the access point(s) identifier. It is not a password, encryption key, or log-in. It helps avoid giving it away to unauthorized users, but it can be discovered easily in any case..

Answer 71

A96: Kismet. Of the tools listed here, Kismet is the best for the job because it runs in passive mode. This means it does not stimulate the network to get a response. Instead, it patiently waits for messages sent across the network and can detect the presence of an access point, as long as traffic is being sent over the wireless LAN. Netstumbler can also be used to find access points, but it is not passive. ASLEAP does not look for access points; it is used to exploit the Lightweight Extensible Authentication Protocol(LEAP)..

Answer 72

A97: Both contain source and destination ports. The TCP header includes the source and destination ports, as well as other elements that a port scanner will manipulate as it generates packets, such as the TCP control bits. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included..

Answer 73

A98: ACK. Transmission Control Protocol (TCP) has multiple flags that specify how data is handled. The SYN flag is used for synchronization. The ACK flag is used for acknowledgement. The FIN flag is used to end a connection gracefully. The RESET flag is used to tear down a connection. The URG flag is used to send urgent data, and finally, the PUSH flag is used to push data through the TCP stack..

Answer 74

A99: TCP 0.0.0.0: 34567 0.0.0.0: 0 LISTENING. You will be able to observe the listening port using the netstat command: c: \\> netstat -na. More specifically, look for port 2222 using the netstat command: c: \\> netstat -na | find "34567". Since it is simply in a listening state, the addresses will be shown as 0.0.0.0. The lines with nc.exe are generated with the -nab netstat option that additionally shows the process ID and the executable to which it belongs..

Answer 75

A100: Source port. A source port-the User Datagram Protocol (UDP) has no three-way handshake, sequence numbers, acknowledgment numbers, or control bits; therefore it is a stateless protocol. The UDP packet header is simple. It includes the source port and destination port. No sequence numbers are included..

Answer 76

A101: It is sessionless. Transmission Control Protocol (TCP) is session-oriented, in that it applies sequence numbers to messages and tries to deliver them in an appropriate order and resends dropped messages. UDP (User Datagram Protocol) makes best-effort delivery, but messages may be dropped or delivered out of order. This makes UDP sessionless..

Answer 77

A102: The ACK bit set. All legitimate Transmission Control Protocol (TCP) connections (e.g. Telnet and FTP) are established through this three-way handshake. For the TCP three-way handshake, the client first sends a SYN flag. If the client receives the server's SYN and ACK, it sends a final, lone ACK. Once the server receives and accepts the ACK, the connection has been established..

Answer 78

A103: The ability to forward a file to another system. FTP proxy bounce attacks utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an Nmap port scan off of someone's FTP server, to help obscure the source of the attack. Make sure that you disable the FTP bounce capability from your public FTP servers..

Answer 79

A104: It is a stateless protocol.. The User Datagram Protocol (UDP) does not have a three-way handshake or sequence numbers; therefore, it is a stateless protocol..

Answer 80

A105: Fl0p. Fl0p focuses on passive layer 7 fingerprinting of attack patterns. It helps to identify manual interactions vs. automated attacks..

Answer 81

A106: sc config "Bonjour Service" start= disabled. The following command may be used to disable the 'Bonjour Service' on a Windows machine: sc config "Bonjour Service" start= disabled.

Answer 82

A107: FIN. The TCP FIN bit is used to cleanly end a TCP connection..

Answer 83

A108: ACK. A stateful packet filter remembers the outgoing SYNs, so it will only allow the incoming packet if it is tied to an earlier outgoing packet. Therefore, an ACK scan will not work through a properly configured stateful packet-filtering device..

Answer 84

A109: SYN. When Nmap is running without root privileges (UID 0), Nmap sends a SYN to port 80 instead of an ACK..

Answer 85

A110: ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request.. By default, to identify which addresses are in use, Nmap sends the following four packets to each address in the target range: (1) ICMP echo request, (2) TCP SYN to port 443, (3) TCP ACK to port 80, and (4) an ICMP timestamp request..

Answer 86

A111: Packet fragmentation. The IP identification field in the IP header is used for packet fragmentation..

Answer 87

A112: Control connection. The FTP control connection, from client to server, is used to send commands..

Answer 88

A113: Voice or video transmissions. UDP is useful for applications that value speed over reliable delivery, such as voice or video transmissions..

Answer 89

A114: Identify which hosts are on the same LAN.. ARP scans identify which hosts are on the same LAN as the machine running..

Answer 90

A115: Frag3. Different operating systems reassemble packets differently. The IDS does not necessarily know which method the end system will use, so it could get confused. For example, Snort reassembles packets in the same way as Linux, using the earlier Frag2 fragmentation preprocessor. In November 2004, the Frag3 preprocessor was released, which included multiple virtual defragmentation buffers, making Snort better at handling fragmentation attacks..

Answer 91

A116: Tiny fragment attack. Tiny fragment attacks attempt to bypass an IDS sensor by breaking up the packet into multiple fragments, the first being so tiny that it will not match any signatures on the IDS. This attack is detected by most IDS sensors today. The fragment overlap attack is another common fragmentation attack, which is not caught as often..

Answer 92

A117: Proxy. Proxy firewalls make a separate connection to the receiver and the packet header information is annihilated..

Answer 93

A118: All of the fragments. An intrusion detection system should reassemble the packet to determine if an attack is underway. To do this, they must have adequate resources to maintain the state of all sessions that may be fragmented..

Answer 94

A119: At the destination host. When IP packets are fragmented on a network, they are typically reassembled when they reach the destination host. The other devices listed typically allow the data to pass through fragmented..

Answer 95

A120: Firewalk. Firewalk is used to send packets through a packet filter device to determine which ports are open..

Answer 96

A121: Fragmentation offset. The fragmentation offset tells the IP where in the packet the fragment belongs. The offset indicates how far into the packet the fragment should be placed..

Answer 97

A122: -F3. Fragrouter uses the -F3 switch to send data in ordered, 8-byte IP fragments, with one fragment sent out of order. The other switches are actual switches used by Fragrouter, but they utilize different techniques for fragmenting IP packets..

Answer 98

A123: It determines the number of hops between the attacker and the filtering device. During the network discovery phase, Firewalk sends packets with incrementing TTLs to determine how many network hops exist between the tool and the firewall. When a packet reaches its maximum TTL (which is decremented by each hop), the final gateway sends back a time-to-live exceeded message. This is essentially the same function as traceroute, which is used to determine the hop count..

Answer 99

A124: Chkconfig. Redhat based versions of Linus leverage chkconfig to edit \/etc\/inetd.conf or \/etc\/xinetd.d, as well as your rc.d files..

Answer 100

A125: URL encoding. URL encoding converts the HTTP request into a different representation by changing ASCII characters into their hexadecimal or other values and prepending them with a % character..

Answer 101

A126: Dictionary. Enum performs rudimentary dictionary password attacks using a supplied password list..

Answer 102

A127: The privileges of the Web server that initiated the program. CGI\/ASP\/JSP programs usually have the privileges of the Web server that called them..

Answer 103

A128: Nikto. For websites that require basic authentication, Nikto offers guessing from a standard list of users and passwords as well as complete brute-force password guessing..

Answer 104

A129: It only detects vulnerabilities it knows about.. A vulnerability scanner, like antivirus software, can only detect those vulnerabilities that it knows about. This can sometimes give a false sense of security, due to the misconception that the scanner will provide 100% protection..

Answer 105

A130: Dictionary. An attacker can use Nikto to launch a password-guessing attack. Password guesses are based on a dictionary\/wordlist file. A hybrid attack is a mixture of a dictionary and brute-force attack. A brute-force attack tries to guess your password by trying every single combination of characters until your password is found..

Answer 106

A131: Netcat. Netcat can be used to set the route a packet will take at the source, and store that information along with the packet..

Answer 107

A132: Generate traffic with spoofed source IP address.. Spoofing datagram protocols is trivial because there is no concept of a session. An attacker can simply generate spoofed UDP or ICMP packets and send them into most networks, where they will be accepted by destination hosts that are waiting for the given UDP or ICMP packets. Of course, the attacker likely will not see the response to those packets, which will be routed to the address that the attacker spoofed..

Answer 108

A133: Have normal interactions with the victim while keeping a close record of how sequence numbers change with time. Recording sequence numbers of same sized packets from previous connections' TCP sequence numbers can be predicted by maintaining normal communications with the targeted host and watching how the sequence numbers are generated. That will make it easier to predict the upcoming sequence number..

Answer 109

A134: Router\/Firewall anti-spoof filter. An anti-spoof filter drops (and should log) all packets coming on one interface with source IP addresses found on the other interface. For containment on incoming spoofed packets, you can apply temporary filters explicitly blocking the incoming packets, if someone is spoofing your addresses on the Internet, or you can rely on your anti-spoof filters to catch the data..

Answer 110

A135: ACK. The TCP three-way handshake consists of three steps: 1) SYN, 2) ACK-SYN, and 3) ACK..

Answer 111

A136: Another remote host is considered trusted.. A new entry in the Unix \/etc\/hosts.equiv file means that another remote host is considered trusted. The hosts.equiv file will list the hosts that are trusted by the local machine..

Answer 112

A137: The attacker is inserted between the source and destination of a connection.. Monkey-in-the middle according to the dsniff README, refers to an attacker inserting himself between the source and destination of the packets to gather information..

Answer 113

A138: 00.80.AD.45.CD.47. A MAC address is a 48-bit globally unique address that is hard coded into the network card. A MAC address looks something like 00.80.AD.45.CD.47 and is used to tell one network card from another..

Answer 114

A139: 48 bits. A MAC address is 48 bits long and identifies each network card on the Internet..

Answer 115

A140: Promiscuous. When an Ethernet interface is gathering all traffic, it is said to be in promiscuous mode..

Answer 116

A141: Dsniff. "Dsniff" is an active network sniffer and will inject packets onto the network to redirect traffic back to the sniffer. An active sniffer, such as Dsniff, injects packets into the network to redirect traffic to it. Dsniff offers a variety of techniques for redirecting traffic..

Answer 117

A142: IP forwarding routes the packets intercepted by the attacker's machine to the desired destination.. An attacker can use dsniff's arpspoof component to inject spurious ARP responses into a LAN. This will redirect all traffic from its intended destination and forward it to the attacker running a sniffer. Then, if IP forwarding is activated, the packet will route through the attacker's machine and get forwarded to the true destination..

Answer 118

A143: Tcpkill. Tcpkill just injects resets into the conversation. It is not elegant, but it is highly useful. Using this tool, an attacker can drop live connections in a denial-of-service attack. More, interestingly, an attacker can drop a connection, forcing the victims into setting up a connection again. When they set up a new connection, they will likely reauthenticate, giving the attacker a chance to grab authentication information..

Answer 119

A144: Driftnet. Driftnet monitors HTTP looking for JPEG images, which it sniffs and reconstitutes on the screen. A commercial tool, Niksun, can reconstitute an entire browsing session (as well as numerous other application-layer interactions) from captured traffic..

Answer 120

A145: ARP cache poisoning. ARP cache poisoning or spoofing is a technique where an attacker sends fake Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead..

Answer 121

A146: Macof. Macof manipulates the MAC to physical plug mapping. It floods the switch with traffic containing many bogus MAC addresses..

Answer 122

A147: You can only capture traffic from the system in which you are sniffing.. One advantage to a non-switched network from a sniffing perspective is that all traffic is forwarded to all ports making all traffic visible to the sniffer. In a switched LAN, you can only capture traffic from the system in which the sniffer is running..

Answer 123

A148: Data link. The MAC address maps to the data link layer (layer 2) in the OSI Model..

Answer 124

A149: Activating port-level security on the switch.. Activating port-level security on a network's switch will help protect it against an ARP-spoofing attack generated by Dsniff..

Answer 125

A150: Hardware address. Hardware addresses are known as a MAC addresses; each Ethernet card is programmed with a unique MAC address value..

Answer 126

A151: The digital certificate was not signed by a trusted authority, and the name does not match.. The Internet Explorer warning message states: "The security certificate was issued by a company you have not chosen to trust" and "The name of the security certificate does not match the name of the site.".

Answer 127

A152: ARP on both Unix and Windows. Messed-up ARP entries could be a sign of sniffing on a switched network. To check from your local machine on Win32, type: c: \arp -a. To check from Unix, type: $ arp -a or $ arp -e depending on the Unix flavor..

Answer 128

A153: CAM table. A MAC table, filter table, or Content addressable memory (CAM) table refers to a dynamic table in a network switch that maps MAC addresses to ports..

Answer 129

A154: The user's session may have just been stolen.. The victim usually notices that his\/her session disappears. The user will likely just try to log in again, not knowing that his or her session was not dropped; it was just stolen. Session hijacking focuses on session-oriented applications such as Telnet, FTP, rlogin, or SSH. It does not work for protocols and services that have no session, such as DNS..

Answer 130

A155: Error messages from SSH clients.. Error messages from SSH clients can be used as a potential Indicator of Compromise (IOC) for session hijacking attacks against SSH clients..

Answer 131

A156: Ipconfig \/displaydns. The 'ipconfig \/displaydns' displays DNS content and command can be used to look for strange DNS cache entries on your Windows machines..

Answer 132

A157: SSH. Session hijacking focuses on session-oriented applications like telnet, ftp, rlogin, or ssh. It doesn't work for

Answer 133

A158: Sniffit. The ettercap tool is well organized, and quite reminiscent of Sniffit. However, Sniffit allows an attacker to only look at data whereas ettercap gives an attacker the option to take over a session..

Answer 134

A159: ARPWatch. To check for ARP attacks across the network, use ARPWatch..

Answer 135

A160: Sequence numbers. The TCP sequence numbers of the sessions are discovered by gathering data through sniffing on the network. These sequence numbers can be used together with spoofing to take over a session..

Answer 136

A161: An ACK storm will begin.. If an attacker takes over a session using a new set of sequence numbers, an ACK storm will begin while the two hosts squabble over what the correct sequence numbers should be..

Answer 137

A162: The attacker becomes a relay between both sides of a connection and allows only some traffic to pass.. The real Alice and Bob will not gather the data because it is destined for media access control (MAC) addresses other than their own. Eve, therefore, becomes a relay between Alice and Bob, allowing some traffic to pass and others to drop. Eve can alter the TCP sequence numbers inside the data that is being bridged, thereby avoiding ACK storms while injecting additional traffic..

Answer 138

A163: Gets. Bounds checking is any method of detecting whether a variable is within some bounds before it is used. Since the gets function has no bounds checking, it should always be avoided..

Answer 139

A164: DNS. The Domain Name System (DNS) is the process that translates (also called mapping) names to numbers so computers can understand them. Once that translation is done, another translation must be done to take the Internet Protocol (IP) address and turn it into the media access control (MAC) address..

Answer 140

A165: Flushing the DNS server's cache. After identifying the problem, you need to quickly get rid of the bad DNS entries. You can do this by rebooting the DNS server or using a process to flush the server's cache..

Answer 141

A166: Local name server. The local name server receives the query and if it has the information cached from a previous lookup, it will send a response..

Answer 142

A167: !exploitable. Microsoft released a tool in 2009 called "!exploitable" (pronounced bang "exploitable") that works with a debugger to analyze software crashes to determine whether they may be exploitable to run the code of an attacker's choosing on a target machine..

Answer 143

A168: It lets the data overflow into the neighboring memory space and eventually into the pointer space.. When programs do not check and limit the amount of data copied into a variable's assigned space, that variable's space can be overflowed. When that buffer is overflowed, the data placed in the buffer will go into the neighboring variable's space and eventually into the pointer's space..

Answer 144

A169: An attacker can send a spoofed DNS reply using the proper query ID without having seen the DNS query.. When DNS servers use a predictable sequence of query IDs when resolving recursive queries, an attacker may be able to determine the current sequence number and identify future sequence numbers. Knowledge of future sequence numbers helps an attacker flood a DNS server with spoofed responses to recursive queries..

Answer 145

A170: You push things onto the top of the stack and you pop things from the top of the stack.. A stack is a particular kind of abstract data type or collection in which the principal (or only) operations on the collection are the addition of an entity to the collection, known as push and removal of an entity, known as pop. You push things on the top of the stack and you pop things from the top of the stack..

Answer 146

A171: NOP sled, attacker machine code, and return pointer. The NOPs could be implemented using the standard instruction for the processor, which may be detected if it moves across the network. The package that contains the NOP sled, attacker machine code, and return pointer is called an egg..

Answer 147

A172: Meterpreter. The Meterpreter does not touch the hard drive, but it gives access purely by manipulating the memory..

Answer 148

A173: Encode the exploit.. To avoid null characters and any thing else the program may filter, this step may involve some creative assembly language programming and\/or some encoding of the instructions so that they do not get filtered! Attackers may need to encode the exploit to avoid filtering..

Answer 149

A174: Reverse shell. the reverse shell payload shovels a shell back to the attacker on a TCP port. The attacker will likely have a Netcat listener waiting to receive the shell..

Answer 150

A175: Transaction ID number. A DNS query ID, also known as a transaction ID, is a 16-field identifying a specific DNS transaction. The transaction ID is created by the message originator and is copied by the responder into its response message. Using the transaction ID, the DNS client can match responses to its requests..

Answer 151

A176: Instruction pointer. When running a program, the central processing unit fetches instructions from memory, one by one, and in sequence. The CPU contains a register called the instruction pointer, which tells it where to grab the next instruction for the running program. The processor grabs one program instruction from memory by using the instruction pointer to refer to a location in memory where the instruction is located..

Answer 152

A177: Query ID. Each DNS query has a query ID which is often predictable, based on earlier query IDs..

Answer 153

A178: It has three DNS servers-one that is internal only; one that is external only; and one that is for externally accessible internal\/DMZ hosts.. Split-split DNS involved three DNS servers-one that is internal only; one that is external only; and one that is for externally accessible internal\/DMZ hosts. The local name server and anything it is dependent on will only be able to resolve names for local systems, and will not respond to queries from outside machines. Outside machines must resolve names of local systems using an entirely different name server..

Answer 154

A179: Strcpy. Look for functions like strcpy, strncpy, strcat, sprintf, Scanf, fgets, gets, getws, memcpy, and memmove. These functions are known for not checking their own buffers. If you use them in your code, they could easily lead to buffer overflows..

Answer 155

A180: Split DNS. With a proper "split DNS" deployment, insider machines query an internal name server for internal names and outsiders query outside DNS for external domain names..

Answer 156

A181: Deploy non-executable system stacks.. Identifying buffer overflow attacks can be tricky. First, look for unusual server crashes. Also, you can use various non-executable system-stack features in Solaris, Windows, Linux, and HP-UX to alert you when someone tries to execute code out of the stack..

Answer 157

A182: Using a NOP sled. To improve the odds that the return pointer will be okay, attackers include NOPs in advance of the executable code. Then, if the pointer goes to the NOPs, nothing will happen. Execution will continue down the stack until it gets to your exploit..

Answer 158

A183: printf ("%s", buffer);. The correct usage of the printf statement to copy a string to a buffer is "printf ("%s", buffer);". The incorrect usage of the printf statement that will still compile but results in a format string attack vulnerability is "printf (buffer);". The syntax of "printf (%s, buffer);" and "printf ("s", buffer);" is incorrect as the string needs to be enclosed within double quotes, and the conversion of the string requires the string conversion identifier character "%"..

Answer 159

A184: 33. If you use a format string directive like %.255d, the snprintf call will think it printed 255 characters, plus our address, for a total of 259 characters. In this way, you can load the number 259 into a memory location of our choice. This could be done to obtain any other number. Therefore, a %.29d will print 29 plus 4, or the number 33..

Answer 160

A185: An NOP sled for the Intel processor. Note that 0x90 is the x86 NOP instruction. Also known as a NOP slide or NOP ramp, a NOP sled is a sequence of NOP (no-operation) instructions meant to "slide" the CPU's instruction execution flow to its final, desired, destination whenever the program branches to a memory address anywhere on the sled..

Answer 161

A186: By manipulating input to a vulnerable function call. Format strings can be exploited through the misuse of function calls..

Answer 162

A187: A programmer's failure to specify a format-string argument for a printf, snprintf, or sprintf instruction. By failing to include a format-string argument in a printf, snprintf or sprintf function, the function will assume, incorrectly, that the input data is actually the format-string argument. So the attack vector or vulnerability is created when the function accepts processing instructions via user-supplied input..

Answer 163

A188: 5. You can write five or greater anywhere in the memory on a 32-bit machine. The four comes from the 32-bit architecture. You add one because of the %d printing one character. If the machine is a 64-bit architecture, you could write any number greater than eight, (eight comes from the 64 bits for addresses, divided by eight for each ASCII character written by the printf family). Again you add one because of the %d printing one character. So, you can write nine or greater anywhere in the memory on a 64-bit machine..

Answer 164

A189: 4. Snprintf starts to scan the user\_input string for format information. It finds some information that was provided by the attacker. It finds numerous strange characters, \xc0\xfa\xff\xbf, and writes the four ASCII characters into the buffer. These are treated as four ASCII characters because snprintf interprets the \ character as an escape, and the x as an indication of a hexadecimal number..

Answer 165

A190: 124. The attacker can enter the directive %.[number]d into the variable that will be interpreted as the format string. This will cause the snprintf function to think that [number] of characters are written. Therefore, by using a format string directive like %.124d, the snprintf call will think it printed 124 characters, plus the address, for a total of 128 characters. In this way, the number 128 can be loaded into a memory location of your choosing. This could be done to obtain any other number..

Answer 166

A191: 5. With a format string attack, any value of five or greater can be written anywhere in the memory. If a format string directive like %.1d is used, the snprintf call will think it printed one character, plus the address, for a total of five characters, (no null characters in addresses)..

Answer 167

A192: The "x" characters. The printf function is supposed to include a format string as its argument. This format string specifies the way that printf is supposed to display the characters it is printing and is usually included in quotes as the first argument in the function call..

Answer 168

A193: Three hexadecimal values from the stack. The attacker types in %x %x %x, which gets loaded into the user input. When the program gets to the snprintf function call, these %x format string parameter's are sent to snprintf, which interprets the user\_input buffer as the format string. This format string says to print three hexadecimal numbers into the variable buffer. The program will dutifully fetch the next three values on the stack and load them into the variable buffer. If the variable buffer is later printed to the screen, the attacker will be able to see the contents of these next three values on the stack..

Answer 169

A194: Syslog. An rpc.statd attack passes user-supplied data from the network to the syslog daemon, syslog without a format string. The portmapper, mountd (NFS mount daemon) and named (the DNS name daemon) are not vulnerable to the rpc.statd attack..

Answer 170

A195: It loads the number 15 into storage9.. If a format string ever includes the directive %n, the printf function will store the number of characters it would have printed so far in its operation. For example, if it has printed 15 characters so far (Good day world!), it will store the number 15 in the storage9 variable..

Answer 171

A196: 0x00. The null character, 0x00, cannot be used as an input string to the functions printf, snprintf and sprintf functions or processing will stop. This, in effect, allows the attacker to write any value of five or greater anywhere in memory for a 32-bit architecture, or nine or greater for a 64-bit architecture..

Answer 172

A197: Edit the source code to the executable.. By altering the value stored at a memory address, an attacker can overwrite return pointers and redirect execution flow of a program, change parameters in a program, or manipulate an application-level userID. The attacker cannot, however, edit the source code to the executable..

Answer 173

A198: Incremental mode. Incremental mode in John the Ripper uses brute-force guessing. Wordlist mode leverages a wordlist (a text file containing one word per line) and some password files. Single crack mode will use the login names, "GECOS" \/ "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. External mode leverages program code of some functions that John will use to generate the candidate passwords it tries..

Answer 174

A199: It encrypts passwords in the SAM.. SYSKEY allows 128-bit encryption of passwords in the SAM and should be installed on all domain controllers..

Answer 175

A200: Abel. Cain is highly interactive, with a fancy GUI offering all kinds of interesting attack functionality. Abel runs in the background, and can be remotely accessed to dump data from its host system..

Answer 176

A201: Two 7-character passwords. If LanMan hashing is enabled, the password hash is stored in two 7-character length "chunks", thereby reducing the strength of your password to seven characters. Passwords are padded with fixed padding to make them exactly 14 characters long..

Answer 177

A202: Level 3. At Level 3 Lan Manager Compatibility, clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it..

Answer 178

A203: Most people use common words.. Since most people use common dictionary words as passwords, by putting together a dictionary of words, you can easily guess someone's password..

Answer 179

A204: It can damage non-repudiation.. It is not a good idea to crack passwords to migrate users as it can seriously damage non-repudiation. If the security team at one point in time has everyone's password, a defendant can claim that he\/she is being framed..

Answer 180

A205: ARP cache poisoning for traffic redirection. Cain includes a lot of functionality, including an ARP cache poisoning tool for traffic redirection..

Answer 181

A206: Dictionary attack. The fastest method for cracking passwords is a dictionary attack. This is done by testing all the words in a dictionary or word file, against the password hashes. There are fewer possibilities with this method than with a brute-force or hybrid attack. Since most people use common dictionary words as passwords, by putting together a dictionary of words, you can easily guess someone's password. Why bother going through every possible combination of letters if you can guess 70% of the passwords on a system by just using a dictionary of 10,000 words? On most systems a dictionary attack can be completed in a short period of time (i.e., in minutes) compared to a brute-force attack (which might take years)..

Answer 182

A207: Alt. If a user adds characters to his\/her password using Alt characters (those characters you can create by holding down the Alt key), the amount of time to crack them increases significantly, now ranging from many months to years. According to Microsoft, if the password contains certain Alt characters, the system will also not be able to generate an LM hash..

Answer 183

A208: UID number. The UID number is used to determine what permissions an account has in accessing elements of the file system..

Answer 184

A209: 5. With a script or automated tool, password guessing is very slow, ranging in speed from one guess every three seconds to at most five guesses per second..

Answer 185

A210: Windows 2003. All WinNT\/2000\/XP\/2003 machines, by default, store two representations of each password: the LanMan hash and the NT hash. Windows Vista, 2008, and 7 do not include LanMan hashes in a default installation..

Answer 186

A211: Hybrid. The hybrid attack builds on the dictionary method by adding numeric and symbol characters to dictionary words. Many users choose passwords such as "bogus11" or "he11o!!" (where the letter l's are replaced by numeric ones). These passwords are just dictionary words slightly modified with additional numbers and symbols..

Answer 187

A212: DES. Within the LanMan hashes each 7-byte string is used as a DES key to encrypt a constant. Windows NT\/2000\/XP\/2003 all store the older, much weaker LanMan hashes along with the NT hashes..

Answer 188

A213: Password file. Password cracking is the process of trying to guess or determine someone's plain text password when you have only their encrypted password..

Answer 189

A214: Brute force. The most powerful cracking method is the brute force method. This method will always recover the password, no matter how complex. It is just a matter of time..

Answer 190

A215: John.potJohn.pswd. JCracked passwords are printed to the screen and stored in the file john.pot. If you ever run John the Ripper to evaluate the strength of passwords, make sure you delete the john.pot file when you are finished with the audit. Otherwise, you will leave cracked passwords sitting around for prying eyes to discover..

Answer 191

A216: \/etc\/shadow. Modern Linux systems typically store passwords in the \/etc\/shadow file..

Answer 192

A217: Encrypt files. Encrypt data on your hard drives using a file system encryption tool. That way, if your data is stolen by a worm or bot, attackers cannot read it, unless they also steal the key..

Answer 193

A218: Antivirus. Additionally, antivirus solutions help in thwarting these attacks. They detect many worms and bots, although a brand new piece of code could still fool them. You will also want to link your incident response capabilities with network management personnel. Include them on our incident response team, because you may need to cut off certain network segments of your network in real time..

Answer 194

A219: A bot. Many worms have a payload that consists of a bot. Bots are software programs that perform some action on behalf of a human, typically with little or no human intervention. Bots are specialized backdoors used for controlling systems en masse, with a single attacker controlling groups of bots numbering from a dozen to over a million infected machines..

Answer 195

A220: Through an IRC channel on standard ports. To send control information to a bot-net, attackers use a variety of protocols. One of the most common means remains using an IRC channel on a standard IRC port (TCP 6667 is very common)..

Answer 196

A221: XOR. The XOR function is used along with a random key to create polymorphic code. Malware authors sometimes use encryption methods, simplicity of implementing the algorithm, size limitations on the code, and pre-packed options (metasploit) offer these techniques. Often times there is no need as XOR techniques bypass most of the detection mechanisms already..

Answer 197

A222: White worm. An ethical or white worm is one mechanism for administrators to deploy patches quickly. Some feel that ethical worms are too risky given the limited benefits they can offer. In particular, the legal liability issues are paramount. Would you want to risk the wrath of thousands of lawyers sharpening their knives to sue you for an ethical worm gone awry, just to help spread some patches on the Internet? Most software companies would avoid taking that risk..

Answer 198

A223: Sadmind\/IIS. In May 2001, the Sadmind\/IIS worm mushroomed through the Internet, targeting Sun Solaris and Microsoft Windows. As its name implies, this worm exploited the Sadmind service used to coordinate remote administration of Solaris machines. From these victim machines, the worm spread to Microsoft's IIS Web server, where it spread further to other Solaris machines, continuing the cycle..

Answer 199

A224: Klez. In January 2002, the Klez worm spread via Microsoft Outlook e-mail and employed simple polymorphic techniques to evade e-mail spam filters. These filters look for a bunch of messages with the same subject sent to different users, a pretty reasonable sign of a spam message. Klez randomly altered the subject line of the e-mail it generated to evade the filters. While only a small piece of Klez (the subject line and even the attachment file type) was polymorphic it was a start down this road..

Answer 200

A225: A worm spreads across a network.. The defining characteristic of a worm is that it spreads across a network. A virus's defining characteristic is that it infects a host file, such as a document, e-mail, or executable. However, some malicious software is both a worm and a virus, because it propagates across a network and infects a host file..

Answer 201

A226: Nimda. To date, the most successful multi-exploit worm was Nimda in September 2001. Launched one week after the September 11, 2001 terrorist attacks, Nimda exploited Microsoft Windows systems in more than a dozen ways, including spreading via the Internet Explorer browser, IIS Web server, Outlook e-mail, and Windows file sharing. Nimda, with its quick spread using a large number of Windows exploitation techniques, gave a preview of worms to come..

Answer 202

A227: Double dash (--). The -- syntax acts as a comment delimiter, and can therefore be used to tell the database to ignore anything passed to it after the user's input..

Answer 203

A228: Close the browser, edit the cookie, and reopen the browser.. Some types of cookies (persistent cookies) are written to the local file system on the browser's machine. If persistent cookies are used, an attacker can simply close the browser, which will force a write of the cookies, edit the cookies with vi or notepad, and rerun the browser. By rerunning the browser, the cookie file will be read and the session ID will be modified..

Answer 204

A229: Jikto. Billy Hoffman wrote a tool called Jikto which is a series of browser scripts. When passed into a browser, they make the browser conduct a scan of other websites to determine whether they are hosting vulnerable Web server content, such as the PHP, CGI, ASP, and Cold Fusion scripts that are measured by the Nikto..

Answer 205

A230: A malformed packet attack. A malformed packet attack involves sending a single packet or a small stream of packets to a system and is formed in a way not anticipated by the developers of the target machine or application that will process the packet..

Answer 206

A231: FTP. The victim user's browser transmits the malicious code to the vulnerable script on the target site as a Web request..

Answer 207

A232: Resource starvation attack. The most common type of denial-of-service attacks is the packet flood. The attacker can remotely send more packets to a machine than it can handle, exhausting all of its resources. Packet flood examples include Smurf, SYN Flood, DDoS, etc..

Answer 208

A233: It is a field selector, allowing an attacker to retrieve a wide range of data.. An asterisk (\*) is a wildcard selector. By using it, an attacker can retrieve a wide range of data-it is a wildcard after all. An asterisk on its own is not a comment delimiter or query terminator..

Answer 209

A234: Percent (%). The percent (%) symbol matches any substring. The semicolon character is a statement terminator. The underscore character represents a single character to match a pattern from a word or string. The asterisk pattern character (also called "star") matches zero or more characters..

Answer 210

A235: A malformed packet attack. Examples of a malformed packet attack include sending packets that are too long, such as a ping of death, or strangely fragmented packets, such as a Teardrop attack..

Answer 211

A236: The application level. The session tracking information is at the application level. If the session ID is not handled properly, an attacker can still modify their session credential over the SSL pipe and become some other user. It is important to keep in mind that this technique of modifying session credentials is independent of the use of the Secure Socket Layer protocol..

Answer 212

A237: A session ID. If it is a valid user account and valid password, most applications will generate a session ID..

Answer 213

A238: Including JavaScript in the Web page to filter out unwanted characters sent through the Web page.. Many Web applications use JavaScript on the browser to filter out different characters that they do not want to be sent into the application. It is easy for an attacker to get around this. They could use a customized browser or they could use a proxy tool..

Answer 214

A239: Asterisk (\*). A semicolon (;) is a query terminator, an asterisk (\*) is a wildcard selector, and the percent (%) character matches any substring. The underscore character represents a single character to match a pattern from a word or string..

Answer 215

A240: A packet flood attack. Packet floods involve sending more packets to a machine than it can handle. The attacker either causes all available processing power of the target machine to be tied up or even exhausts all bandwidth of the connection to the target..

Answer 216

A241: Per-session cookies. Nonpersistent cookies (the cookies that are just stored in memory) are sometimes referred to as per-session cookies..

Answer 217

A242: Block the source IP address being exploited.. Blocking the source IP address and\/or account being exploited is an effective means of containing SQL injection..

Answer 218

A243: The certificate that the attacker's browser is using was not issued by a valid CA.. The Web browser itself will complain, saying, "This certificate I've got is bad, because it wasn't issued by a valid certificate authority." However, remember that the attacker using the proxy is also running the browser. Therefore, the attacker will get a warning message on the browser saying, "This certificate is bad. Do you want to continue?" Of course, the attacker will click to continue the session. The attacker can eliminate this warning by merely importing the proxy certificate into the browser. After all, the attacker is running both the browser and the proxy..

Answer 219

A244: A local denial-of-service attack. Local denial-of-service attacks are run from an account on the victim machine. These could be as simple as unplugging the power to consuming all network, CPU, or memory resources..

Answer 220

A245: A packet flood attack. The most common denial-of-service attack is a packet flood. It is so popular because the attack can be launched remotely, allowing the attacker to have distance between himself\/herself and the victim..

Answer 221

A246: Account harvesting. Account harvesting is the ability to discern valid user IDs based on how the application responds when the user tries to authenticate..

Answer 222

A247: Pulsing zombies periodically go dormant, while ISPs can easily trace an active flow of traffic.. Pulsing zombies bomb for about 10 minutes, go dormant for some period, and then go active again. It is easier to do a trace if a zombie is actively sending traffic, because an ISP can quickly identify the flow of traffic throughout their network in real-time, rather than having to consult a possibly nonexistent log..

Answer 223

A248: Blocking the source IP address. To contain a denial-of-service attack, you must block the source IP address. Most of the attacks built into these DoS Suites can be defended against by having up-to-date patches installed on the system. Also, if you shut down unnecessary services, they will not be able to be exploited with a malformed packet attack..

Answer 224

A249: In upstream routers or firewalls. Filtering ICMP packets at your network gateway (your router or firewall) would assist in reducing the likelihood of a Smurf flood attack..

Answer 225

A250: By consuming all link capacity or by filling the connection queue. SYN flooding can result in a denial-of-service in one of two ways: the attack can either exhaust the connection queue of the victim or suck up all link capacity..

Answer 226

A251: High-orbit ion cannon. SYN floods typically involve spoofed traffic and never complete the TCP three-way handshake. For identification of a DNS amplification attack, look for massive floods of traffic that are DNS responses (destination UDP port 53), typically with large DNS records in them. A Smurf attack will include ICMP or UDP traffic. It also has support for a feature called boosters, which are simply customizable JavaScript-based scripts that cause HOIC to access multiple pages on a target Web server, instead of just one page. The scriptable HOIC page request makes it harder to filter out HOIC traffic from normal Web surfing traffic, resulting in a tool that is harder for defenders to block than the earlier LOIC tool..

Answer 227

A252: Sending spoofed traffic. You should deploy egress anti-spoof filters at your border routers. These filters drop all outgoing packets that have a source address that is not located on your network. All packets leaving your network should have a source address associated with your network. If they do not either something is configured incorrectly or an attacker is launching spoofed packets..

Answer 228

A253: To the broadcast address of a network. With a Smurf attack, an attacker sends out a packet to the broadcast address of a network. All of the machines on that network will respond to the ping. However, the attacker will send the ping with a spoofed source IP address of the victim. Therefore, all responses to the ping will be sent to the victim machine, not back to the attacker. The network that responds to the broadcast address is called the Smurf amplifier..

Answer 229

A254: Call your upstream ISP and ask for help. For containment, if you are under a large flood, one option would be to call your upstream ISP or carrier to have them throttle the attack. This will sometimes involve them null routing (sometimes called black holing) of filtering traffic before it gets to your environment..

Answer 230

A255: Throttle an incoming connection with a load balancer.. A containment step in defending against Slowloris would be to throttle incoming connections with a load balancer. The other options are part of the preparation (apply vendor patches, if and when they are available), identification (IDS signatures for the attack across HTTP), or recovery (reset HTTP daemon\/service when attack is in progress) phases..

Answer 231

A256: The network that responds to the broadcast address. A network that responds to the ICMP directed broadcast traffic is called a Smurf amplifier..

Answer 232

A257: ICMP. Both Smurf and PapaSmurf rely on ICMP packets..

Answer 233

A258: Very little bandwidth is required.. The advantage for the attacker in a Slowloris attack is that it requires very little bandwidth for the attacker, unlike a packet flood..

Answer 234

A259: A DoS suite. Instead of launching each one of these individual attacks against a target, attackers have rolled together many individual DoS exploits into a suite. These suites try numerous different, individual malformed packet attacks just to see if one will crash the target..

Answer 235

A260: A Smurf attack. A Smurf attack is in the category of network-based denial-of-service attacks, focusing on creating a packet flood. The official name of this type of attack is a directed broadcast attack. It is more commonly referred to, though, as a Smurf attack, named after one of the first tools used to launch the attack..

Answer 236

A261: Application level Trojan horse backdoor. Sub7 and BO2K are both examples of evil applications that get installed at the application level, running on top of typical operating system applications. User mode, kernel level, BIOS level, and microcode all infect deeper into the system itself, while these applications run on top of the OS and system components that already exist..

Answer 237

A262: Netcat. Netcat is an application that can be used to create a backdoor listening service on a victim host computer. NetStumbler is used in discovering wireless networks. l0phtcrack is used for cracking passwords. Ethereal is a network sniffer and Nmap is used for scanning hosts on a network..

Answer 238

A263: S. Periodically, Setiri, running on the victim machine, surfs to the connection broker using an invisible browser. All access occurs through the personal firewall, network firewall, and anonymizer using S..

Answer 239

A264: A backdoor. A backdoor is a program that allows an attacker to access a system, bypassing security controls. A Trojan horse is a program that looks innocuous, but is really sinister. Rootkits, worms, and viruses often create backdoors, but technically speaking the backdoor is typically just one part of their payload..

Answer 240

A265: Upload, download, and execute programs. Setiri is a pretty scary backdoor tool written by two security consultants from South Africa - Rooelof Temmingh and Haroon Meer. The backdoor itself does not have many fancy functions; it can only upload files, execute programs, and download files. Still, for a backdoor, that is about all you need to accomplish any attack..

Answer 241

A266: Tracing back to the original attacker. With the Setiri architecture, many levels of indirection between the victim and the attacker. Tracing back to the attacker is incredibly difficult for this type of attack..

Answer 242

A267: Having problematic default security. VNC is free, very popular, and quite feature rich! It uses TCP port 5900 to send a GUI across the network. Several companies use it for legitimate remote administration. However, VNC's default security is problematic. It includes a password, but it has been subject to monkey-in-the-middle and buffer overflow attacks in the past. VNC can be properly secured, though especially when used in conjunction with SSH..

Answer 243

A268: Smart card security tokens. With a keystroke logger, the Trojan horse backdoor can write all of the users' keystrokes to the file system so that the attacker can later look at the contents of the file. The victim might use a very long, extremely secure passphrase, made up of a mixture of alphanumeric and special characters, which is used to protect the private key stored locally on a hard drive. If the attacker can get the victim to install a keystroke logging backdoor, the attacker can use the keystroke logger to grab the unguessable passphrase..

Answer 244

A269: Rootkit. A rootkit alters your operating system so that while it looks intact, it really gives control to an attacker. In this case, the intern specified a password known only to him, but had the ability to log in as any user..

Answer 245

A270: Trojan horse. A Trojan horse is a program that looks like it has some useful function, but is really sinister. It has some hidden capability used by the attacker..

Answer 246

A271: Fport. Fport is an application that will help determine whether a machine has been compromised by a backdoor application by mapping listening ports to running applications. Lsof is a Unix application that will perform the same task. TCP Wrappers is used as a defensive measure to protect a host from certain IP addresses. Nmap can be used to determine which ports are listening on a system, but will not map those ports to running processes or applications..

Answer 247

A272: Trojan horse. A Trojan horse is a program that looks like it has some useful function, but is really sinister..

Answer 248

A273: Running antivirus software. One of the best ways to determine whether a system is infected with an application-level Trojan backdoor is to run antivirus software on the system. Windows update will only update the system's software. Running applications in debug mode is rarely helpful in this situation and checking file sizes and performing memory dumps are much too time consuming to be effective in most cases..

Answer 249

A274: Setiri. While these are all backdoor Trojan applications, only Setiri utilizes an invisible browser window to communicate with an attacker and thus bypass personal firewalls, NAT, and stateful inspection firewalls..

Answer 250

A275: Sockets. The Sockets Volatility module will list open network sockets, showing the process ID using the socket, the port it uses, the protocol associated with the communication, and the date and time that the socket was opened..

Answer 251

A276: Pslist. The Pslist Volatility module shows a list of processes, including the PID, name, and Parent Process ID..

Answer 252

A277: FastDump. HBGary offers a free tool called FastDump for memory capture..

Answer 253

A278: Digital DNA. HBGary released the commercial Responder tool, which also analyzes memory dumps. One of its most interesting features is its Digital DNA technology to analyze code specimens to determine whether they are related to known malware found in the wild based on the functions they use and the behavior they exhibit..

Answer 254

A279: ManTech. The MemoryDD.bat script is part of Mandiant's free Memoryze suite. Alternatively, HBGary offers a free tool called fastdump for memory capture. Matthieu Suiche distributes a free program called win32dd, and ManTech offers the free mdd tool..

Answer 255

A280: Tasklist \/m \/fi "pid eq [pid]". For the list of DLLs loaded by a specific process, the following could be executed: 'tasklist \/m \/fi "pid eq [pid]"'.

Answer 256

A281: Pslist. The pslist module walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process ID, number of threads, numbers of handles, and date\/time when the process started and exited..

Answer 257

A282: Pslist. Use Volatility's connections module to determine which processes are communicating on the network. Then use the pslist Volatility module to cross- reference PIDs associated with established network connections. The will help you determine the name of each process associated with each connection..

Answer 258

A283: Modules. This modules Volatility module shows the device drivers loaded by the Windows machine from which the dump was created. It also reveals related SYS files..

Answer 259

A284: Python volatility connections -f 'path-to-image-file'. The Volatility command "Python volatility connections -f 'path-to-image-file'" will produce output similar to the "netstat -nao | find ""ESTABLISHED" command..

Answer 260

A285: Tasklist \/m. For the list of DLLs loaded by every running process, the following command could be used:

Answer 261

A286: MemoryDD. MemoryDD.bat script is part of Mandiant's free Memoryze suite..

Answer 262

A288: Wmic process get name,parentprocessid,processid. The following wmic command is similar to the Volatility pslist command:

Answer 263

A289: Echo. One way to detect the presence of a rootkit is to compare the output of the ls program with the output from "echo \*". The output should include exactly the same files. "echo \*" tells the shell to show the contents of the directory. "echo \*" is usually not Trojaned with a rootkit. Therefore, if the unaltered "echo \*" output differs from the "ls -la" command, you should be suspicious..

Answer 264

A290: Internet Storm Center Web interface to NSRL and Team Cymru databases. For a comprehensive set of MD5 and SHA-1 hashes, check the National Software Reference Library (NSRL) created and maintained by NIST. It is free for download across the Internet. Get it at http: \/\/www.nsrl.nist.gov. The Internet Storm Center has built a free website that allows users to search the NSRL by simply pasting in an MD5 or SHA1 hash into a Web form. The same search page also allows users to paste in an MD5 hash (not an SHA1 hash) of malware specimens, and it will search the Team Cymru hash registry to look for matching malware..

Answer 265

A291: AIDE. User-mode rootkit detection: AIDE is a free, open-source file integrity checker. Tripwire comes in free and commercial packages..

Answer 266

A292: It maintains root access to a system once initially obtained.. Contrary to what their name implies, rootkits do not allow an attacker to gain root access. Rootkits depend on an attacker already having root access. To accomplish these goals, Rootkits alter the existing operating system on the victim machine. Rather than adding a new application to the system like seen with application-level Trojan Horse backdoors, rootkits alter the existing programs on the machine..

Answer 267

A293: Debug right. On Windows, anyone with the debug right can inject a DLL into a running process..

Answer 268

A294: AFX. AFX consists of only one executable program, the AFX Windows Rootkit Configuration Console, which is used to configure and generate custom rootkits based on the attacker's needs..

Answer 269

A295: File. In essence, there are four categories of hiding tools: (1) process hiding, (2) network hiding, (3) file hiding, and (4) event hiding. For process hiding, LRK includes a replacement for ps, top, and pidof. For network hiding, the netstat command is changed to hide TCP and UDP ports in use by the attacker. Files are hidden by changing the ls and find commands so that they do not display the attacker's files. The du command is changed so that it omits the attacker's file from its disk usage calculation. Finally, the attacker modifies syslogd so that it will not record log events associated with the attacker's machine and\/or accounts on the victim box..

Answer 270

A296: Z2. The z2 tool (Zap2) erases utmp, wtmp and lastlog files..

Answer 271

A297: Posted on bulletin boards. The original rootkits were kept within the computer underground and distributed via bulletin boards and later Internet relay chat..

Answer 272

A298: LRK6. The LRK6 rootkit replaces sshd with a modified version that includes a backdoor root password. Because the backdoor password is stored in the binary sshd program, even if the system administrator alters the system's actual root password (or wipes the password file clean), the attacker can still login as root using the backdoor password..

Answer 273

A299: Ring 3. User mode applications operate in Ring 3..

Answer 274

A300: Init. KIS survives across reboot by altering an executable of the attacker's choice (usually init)..

Answer 275

A301: KIS. KIS is an example of a Unix kernel-level rootkit that can be used to compromise a Unix system. The other applications are all backdoor applications, not rootkits, and allow an attacker backdoor access to a system..

Answer 276

A302: KIS does not listen on a port. Kernel Intrusion System receives commands on the network using a sniffer, but does not listen on a port. It grabs all packets going to some arbitrary UDP port selected by the attacker..

Answer 277

A303: By using a graphical user interface (GUI). KIS is incredibly easy to use. The server configuration occurs through a graphical user interface (GUI). Additionally, the client contacts the server through the GUI. A GUI can be used to hide processes, unhide processes, start programs, and configure execution redirection..

Answer 278

A304: System kernel. To open a program file, the file system integrity checker has to make calls into the system kernel..

Answer 279

A305: NTLDR. During the boot process, a program called NTLDR verifies the integrity of Ntoskrnl.exe before the kernel is loaded into memory..

Answer 280

A306: Vitriol. The resulting Vitriol rootkit is implemented as a hypervisor underneath MacOS X running on Core Duo and Core 2 Duo chips (which offer the VT-x instruction set)..

Answer 281

A307: Buildkernel. You could use Bill Stearns' wonderful kernel-building package (called, appropriately enough "buildkernel"), at http: \/\/www.stearns.org\/buildkernel, which includes an option for creating a kernel that does not support modules..

Answer 282

A308: Ntoskrnl.exe and win32k.sys. The kernel functionality is built into Windows machines through the following files ntoskrnl.exe and win32k.sys. On Windows, an attacker would alter Ntoskrnl.exe or win32k.sys with modified software that provides a backdoor and hides an attacker's presence on the machine..

Answer 283

A309: It stole legitimate private keys issued by Microsoft to a legitimate software company and used them to sign malware.. Stuxnet was able to steal legitimate private keys issued by Microsoft to a legitimate software company and use them to sign malware. This technique was used in the Stuxnet worm, which relied on stolen signing keys issued to two legitimate companies..

Answer 284

A310: FU. The FU tool utilizes the system memory map object on Windows. The Super User Control Kit (SUCKit) patches the kernel in memory through \/dev\/kmem in Linux. Sumfuq is a SunOS 4.1.X rootkit. Buildkernel is a kernel-building package..

Answer 285

A311: System calls. To interact with the kernel, user mode processes rely on a concept termed "system calls". These system calls include functions for executing a program or opening a file..

Answer 286

A312: Vista. Starting with Windows Vista (and following with Windows 7 and Windows 2008), Microsoft required mandatory device driver signing for Windows kernel components..

Answer 287

A313: Ring 0. The kernel runs in Ring level 0 on both Linux and Windows operating systems..

Answer 288

A314: Loadable kernel modules. Loadable kernel modules is the most popular method for manipulating the kernel..

Answer 289

A315: An attacker can hide multiple files in a single file without disrupting the size or operability of the original file as reported by the dir command.. The Windows NT File System (NTFS) supports a feature known as file streaming. Each file acts similar to a chest of drawers and under the primary file, there can be an arbitrary number of data streams. When data is hidden in an alternate stream, Windows Explorer still only shows the name and size of the original file stream of data (the top drawer or original file)..

Answer 290

A316: Utmp. On a Unix system, the utmp file contains information about users who are currently logged on to the system. The btmp file contains information about bad log-in attempts. The wtmp file contains information about past, successful log-ins. There is no ctmp file by default..

Answer 291

A317: Use remove.c or other specialized tools to remove specific entries.. An attacker cannot simply edit the utmp, wtmp, btmp and lastlog files by hand since they are binary files. An attacker can choose from several tools including "remove", and "marry", and others to alter these files..

Answer 292

A318: The current directory. The "." entry in each directory is the current directory. Typing in "cd." changes you to the current directory..

Answer 293

A319: ..". Every directory on a Unix system contains the "." directory, which represents the current directory, and the ".." directory, which represents the parent directory..

Answer 294

A320: LADS. LADS, by Frank Heyne, is a tool for finding alternate data streams in Windows NT File System (NTFS)..

Answer 295

A321: \/r. With Windows Vista, Windows 2008 Server, and Windows 7, Microsoft added the \/r option to the dir command, which makes it display a list of ADSs included in the given directory..

Answer 296

A322: Smbclient. The Linux smbclient program can also read data from alternate data streams from a Windows share, but the attacker must know the stream name to be able to refer to it and pull out the data..

Answer 297

A323: \/dev. \/dev is a virtual directory, that is it doesn't exist anywhere on your disk. It contains special files (called device files) which work as an interface to the kernel. The files are automatically created and removed by the kernel..

Answer 298

A324: NTFS. File streaming applies only to NTFS partitions; it does not apply to FAT partitions..

Answer 299

A325: Id. The Linux id command can be used to print user identity. For example, it can be used to check user id (uid), group id (gid) and the current user's effective groups..

Answer 300

A326: Uname -a. The uname -a command can be used to check the kernel version of the system..

Answer 301

A327: wtmp. The wtmp file records all logins and logouts. Its format is exactly like utmp except that a null user name indicates a logout on the associated terminal..

Answer 302

A328: Utmp. The utmp file displays information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging..

Answer 303

A329: \/tmp. On many Unix variants, the \/tmp file is emptied over a period of time and\/or during a reboot..

Answer 304

A330: \/etc. The \/etc directory, is often thought to be a bad place to store hidden files because it holds the configuration of the machine..

Answer 305

A331: Ptunnel. The differences between these tunneling tools are that Ptunnel carries TCP connections over ICMP echo and reply packets. Loki carries shell between its Linux client and Linux server software using ICMP echo and reply packets. ICMP Shell is just another Linux shell tool. PingChat is a Windows chat program that leverages ICMP and ICMP Cmd is a Windows shell tool that leverages ICMP..

Answer 306

A332: Reverse www shell. Reverse www shell is a Linux tool which, when installed on an internal host, can be used to allow an attacker external access to the internal network through the organization's firewall..

Answer 307

A333: Tunneling. One of the most common ways to hide information as it is transmitted across a network is to use a technique called tunneling. Tunneling will leverage a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery-network, or provide a secure path through an untrusted network..

Answer 308

A334: A promiscuous sniffing backdoor can take action based on traffic that is not destined for the infected host, making it harder to determine which hosts have the backdoor installed.. The backdoor is not located at the destination of the backdoor traffic. If the sniffer is in promiscuous mode, it can gather packets with a destination address of other systems on the local area network (LAN)..

Answer 309

A335: Protocol. With tunneling, one protocol is carried inside of another protocol..

Answer 310

A336: Nushu. Nushu introduces an unusual anomaly when implementing this process. If investigators run a sniffer, such as tcpdump, on the victim machine, they will see the sequence numbers generated by the normal kernel code. They can then compare those local sequence numbers with the sequence numbers of supposedly the same packets sniffed from somewhere on the network between the victim and ultimate destination. By comparing these two sets of sequence numbers for what are supposed to be the same packets, they will see a difference! The sequence numbers in the packets sniffed locally vs. the packets sniffed from the network will be different by the offset for each session..

Answer 311

A337: Promiscuous sniffer. Non-promiscuous sniffing backdoors grab data destined only for one machine - the system where the backdoor itself is running. The promiscuous backdoor on the other host on the LAN receives the commands by sniffing them from the LAN. Both hosts are on the same LAN, so the packets can easily be sniffed. Now, here is the part that really throws off the investigators: when sending responses, the backdoor running on the other host on the LAN generates spoofed packets, which appear to be coming from the DNS server. Only later do they realize that the backdoor is not even on the DNS server. Instead, it is a promiscuous mode sniffing backdoor located on the other host on the LAN..

Answer 312

A338: ASCII files. Covert\_TCP itself only transfers ASCII files between systems. However, the exact concepts can be used to transport commands for a backdoor shell or any other movement of data across the network..

Answer 313

A339: No additional software must be installed.. No attacker software is required on the bounce server! All it needs is a TCP\/IP stack and network connectivity..

Answer 314

A340: Sneakin. Sneakin allows incoming shell access that looks like outgoing telnet. Sneakin is very confusing for firewalls that allow outgoing telnet..

Answer 315

A341: ICMP echo. Ptunnel is one of the most flexible tools in this genre. Written by Daniel St\u00f8dle, this free tool runs on Linux or Windows, carrying TCP connections inside of ICMP echo and ICMP echo reply packets..

Answer 316

A342: Reverse www shell. HTTP is often used as a reverse shell transport protocol because TCP: 80 outbound is commonly open on packet filtering devices. This can be used to pass commands and\/or interactive shells can be launched back from the destination machine to an attacker\/bot machine..

Answer 317

A343: Execute commands on your host. Approximately every three seconds, the reverse www shell program on the internal system surfs the Internet asking for commands from the attacker's external machine. The attacker types in commands at the external machine on the Internet and sends the commands back to the victim machine as HTTP responses. These commands are then executed on the internal network host. The results are pushed out with the next Web request..

Answer 318

A344: Client and proxy. Ptunnel is what's known as a CGI Proxy service. It leverages a website based proxy on and clients connect to it to retrieve websites..

Answer 319

A345: An MD5-based challenge\/response authentication algorithm. The Ptunnel proxy can be configured to authenticate the Ptunnel client using an MD5-based challenge\/response authentication algorithm..

Answer 320

A346: Least significant bit (LSB). Data can be embedded in an image file using a basic technique call LSB (which stands for least significant bit). With this technique, the least significant bits of the image file are replaced with data..

Answer 321

A347: The resulting executable's file size and behavior are the same as the original.. Hydan first encrypts the message with the blowfish encryption algorithm using your passphrase as a key. It then embeds the encrypted message inside the executable program. The result is a single executable that includes the hidden encrypted message. This executable is the same size as the original executable, and the exact same functionality..

Answer 322

A348: Blowfish. The tool first encrypts the message with the blowfish encryption algorithm using your passphrase as a key..

Answer 323

A349: Executable. Typical computer steganography techniques hide data in pictures or sounds. However, a tool called Hydan embeds data inside of computer executable programs, without altering the program's function or size!!.

Answer 324

A350: The histogram of encrypted data looks flat and has an even distribution of characters.. The histogram for encrypted text is flat while the histogram for normal text is nonuniform. It is easy for an automated program to distinguish between encrypted and unencrypted text..

Answer 325

A351: Image size. Another technique for hiding data in a file is substitution. Data in a host file can be replaced or substituted with the message to be hidden. If there is a small amount of text to be hidden, little change will occur to the host file. If a large amount of text is to be hidden, the host file could be degraded significantly. In order to make this technique undetectable to the human observer, substitution usually replaces insignificant data in the host file..

Answer 326

A352: Not as flat as the original. A normal bitmap image has few near-duplicate colors because of the inherent randomness in a photographic picture. Its color histogram is quite flat. A bitmap hiding embedded data has a larger number of near-duplicate colors and, therefore, will have a color histogram that looks different from a normal image..

Answer 327

A353: Secrecy. Cryptography (crypto) is a tool to protect confidentiality and integrity and provide nonrepudiation for the senders of data. However, despite all of these benefits, crypto does not guarantee the secrecy of your data. Stego can be used for a variety of reasons but most often it is used to conceal the fact that sensitive information is being sent or stored. It can also be used to disguise encrypted data. This helps prevent attacks on encrypted data or in scenarios where encrypted data is inappropriate for transmissions (e.g., in countries where encryption is against the law)..

Answer 328

A354: Overt message. Steganography, (stego) works by embedding a secret message within an open or overt message. Everyone will see the overt message, but will never know that it is a cover for the real message hidden inside..

Answer 329

A355: MP3Stego. MP3Stego hides data in Motion Pictures Experts Group (MPEG) audio files. Invisible Secrets hides data in banner ads that appear on websites. Stash hides data in a variety of image formats. S-Mail hides data in EXE and dynamic-linked library (DLL) files..

Answer 330

A356: StegDetect. The StegDetect tool can be used to identify steganography in use in JPEG images. It looks for data hidden using the JSteg, Jphide, Invisible Secrets, and Outguess programs, as well as other stego tools..

Answer 331

A357: 256. An 8-bit color image has 256 possible colors. This number can be generated by calculating 2 raised to the 8th power (2^8). S-Tools introduces other colors similar to those in the image (256). These new colors are undetectable to the human eye, but are used in conjunction with the existing colors to hide data..

Answer 332

A358: Substitution. In order to make the substitution technique undetectable to the human observer, substitution usually replaces insignificant data in the host file. With injection, data is added to a host file in such a way that a program reading the file ignores the added data. Generating a new file eliminates the need for a host file. The secret message itself can be used to generate a new file..

Answer 333

A359: Color look-up table. A normal bitmap image with 8 bits representing each color has 256 possible colors. These colors are represented in the color look-up table..

Answer 334

A360: Substitution. There are three different types or classifications of steganography. The first classification used hides a message within a file, by either injecting it or embedding it. This can and will increase the size of the file, thus making it noticeable to a trained eye. A second option may be to replace certain information in a file. This method would not increase the size and make it much harder to detect. This method is often referred to as substitution. A final method is the newest technique. It creates a new text file or image based on the secret information you want to hide..

Answer 335

A361: Up to one dollar per number. On the black market, an unused stolen credit card number typically sells for 50 cents to a dollar. Thus, with a heist of a million cards, the attacker could get upwards of a million dollars..

Answer 336

A362: California. When personally identifiable information for citizens of the state of California is exposed, those citizens must be informed, as a matter of California law..

Answer 337

A363: Authenticate the caller.. Be careful about revealing information about an account or believing what you are told. You could be experiencing a social engineering attack. Authenticate the user before proceeding..

Answer 338

A364: Regularly look for and remediate each vulnerability you find.. While the other steps are important, if you cannot detect an attack, you should prevent one from happening. Make sure that all software receives detailed security scrutiny through a vulnerability assessment or penetration tests, so that you can find vulnerabilities before attackers do..

Answer 339

A365: Review your SSH server log files.. Although diligent log reviews may not stop an attack entirely, it can allow you to discover the attacker early in the process, minimizing the damage to your reputation and finances..

Answer 340

A366: Speak with the admin over the phone to set a new password. You do not want passwords to become compromised by social engineering or because they are weak. Ideally, a phone call will let the admin authenticate the account holder. An e-mailed password could be intercepted or obtained by someone using social engineering. A weak password could be guessed. Employees should use their own accounts, not those of others, for auditing and accountability reasons..

Answer 341

A367: Install software to force strong password complexity. Configure systems with tools that force password complexity so that users and administrators cannot choose trivial-to-guess passwords..

Answer 342

A368: If required, retained for as short a time as possible. Storing credit card numbers or other sensitive data online for longer than is required is a major security risk. Most organizations have no need to retain credit card numbers at all, or, if they do, they only require the data for a maximum of several days to support returns and refunds..

Answer 343

A369: Require cryptographic authentication.. MAC address filtering at access points is a security measure that is easily bypassed by an attacker running Wellenreiter or any other wireless sniffer. Likewise, configuring access points to remove SSIDs from their beacons and disabling responses to probe requests with any SSID are only marginal increases in security, easily bypassed using these same tools. Rely instead on cryptographic authentication for access to their networks, using protocols such as 802.11i..

Answer 344

A370: Disable the service.. All services without a defined business need should be disabled, lest they offer an avenue for an attacker to gain access..

Answer 345

A371: A DNS server. DNS servers listen on port 53 for queries from DNS clients..

Answer 346

A372: InterNIC. InterNIC provides the public information regarding Internet domain name registration services for a particular domain\/website..