Threats, Attacks, Vulnerabilities Flashcards
Social Engineering with a touch of spoofing
- Often delivered by email, text, etc
- Very remarkable when well done
Usually there’s something that is not quite right
- Spelling, fonts, graphics
How are they so successful?
- Digital sleight of hand - it fools the best of us
Sending a false email pretending to be legitimate to steal valuable information from the user
Phishing
A type of URL hijacking
Typosquatting
Lying to get information
Attacker is a character in a situation they create
Hi, we’re calling from Visa regarding an automated payment to your utility service
Pretexting
Redirects a legit website to a bogus site
- Poisoned DNS server or client vulnerabilities
Harvest large groups of people
Difficult for anti-malware software to stop
Pharming
Voice phishing over the phone or voicemail
- Caller ID spoofing is common
- Fake security checks or bank updates
Attack through a phone or voice communications
Vishing
Done by text messages
- Spoofing is a problem here as well
- Forwards links or asks for personal information
Variations on a theme
- Fake check scam, phone verification code scam
- Boss/CEO scam, advance fee scam
Smishing
Gather information on the victim
Reconnaissance
Targeted phishing with inside information
- Makes the attack more believable
Attack that targets specific users
Spear Phishing
Spear Phishing the CEO
Attack on a powerful or wealthy individual
Whaling
Before the attack, the trap is set
- There’s an actor and a story
Attackers pretend to be someone they aren’t
- Halloween for fraudsters
Use some of those details from reconnaissance
Attack the victim as someone higher in rank
Throws tons of technical details around
Impersonation
Extracting information from the victim
- Victim doesn’t even realize this is happening
- Hacking the human
Often seen with vishing
- Can be easier to get this info over the phone
Well documented psychological techniques
Eliciting information
Your identity can be used by others
- Keep your personal information safe
Credit Card Fraud
- Open an account in your name, or use your credit card information
Bank Fraud
- Attacker gains access to your account or opens a new account
Loan Fraud
- Your information is used for a loan or lease
Government benefits fraud
- Attacker obtains benefits on your behalf
Identity Fraud
Mobile garbage bin
Important information thrown out with trash
Gather details that can be used for a different attack
- Impersonate names, use phone numbers
Timing is important
- Just after end of month, end of quarter
- Based on pickup schedule
If it is in the trash, it’s open season
- Nobody owns it
Dumpsters on private property or “No Trespassing” signs may be restricted
- You can’t break the law to get rubbish
Dumpster Diving
You have access to important information
- Many people want to see
- Curiosity, industrial espionage, competitive advantage
This is surprisingly easy
- Airports/Flights
- Hallway-Facing Monitors
- Coffee Shops
Surf from afar
- Binoculars/Telescopes
- Easy in the big city
- Webcam monitoring
To prevent
- Control your input
- Use privacy filters
- Keep your monitor out of sight
- Don’t sit in front of me on your flight
Shoulder Surfing
Threat that does not actually exist
- But seems like it could be real
Still often consume lots of resources
- Forwarded email messages, printed memorandums, wasted time
Often an email
- Or Facebook wall post, tweet, etc
Some will take your money
- But not through electronic means
Can waste as much time as a regular virus
Spam filters can help
If it sounds too good to be true…
Hoaxes
Have the mountain come to you
- This requires a bit of research
Determine which website the victim group uses
- Educated guess - Local coffee or sandwich shop
- Industry related sites
Infect one of these third party sites
- Site vulnerability
- Email attachments
Infect all visitors
- But you’re just looking for specific victims
Defense-in-depth
- Layered defense
- It’s never one thing
Firewalls and IPS
- Stop the network traffic before things get bad
Anti-virus/Anti-malware signature updates
Watering Hole Attacks
Unsolicited messages
- Email, forums
- Spam over Instant Messaging (SPIM)
Various content
- Commercial advertising
- Phishing attempts
Significant technology issues
- Security concerns
- Resource utilization
- Storage costs
- Managing the spam
Unsolicited email
- Stop it on the gateway before reaching user
- On-site or cloud based
Allowed list
- Only receive email from trusted senders
SMTP standards checking
- Block anything that doesn’t follow RFC standards
SPAM
Sway public opinion on political or social issues
Nation-state actors
- Divide, distract, and persuade
Advertising is an option
- Buy a voice for your opinion
Embedded through social media
- Creating, sharing, liking
- Amplification
Influence Campaigns
Military strategy
- A broad description of the techniques
- Wage war non-traditionally
Not a new concept
- The internet adds new methods
Cyberwarfare
- Attack an entity with technology
Influence with a military spin
- Influencing foreign elections
- Fake News
Hybrid Warfare
Use an authorized person to gain unauthorized access to a building
- Not an accident
No tech hacking
- Blend in with clothing
- 3rd-party with a legitimate reason
- Temporarily take up smoking
Once inside, little to stop attacker
- Most security stops at the border
Policy for visitors
- You should be able to identify anyone
One scan, one person
- A matter of policy or mechanically required
Mantrap/Airlock
- You don’t have a choice
Don’t be afraid to ask
- Who are you and why are you here?
Tailgating
Starts with a bit of spear phishing
- Attacker knows who pays the bills
Attacker sends a fake invoice
- Domain renewal, toner cartridges
- From: address is spoofed version of CEO
Accounting pays the invoice
- It was from the CEO after all
Might include a link to pay
- Now the attacker has payment details
Invoice Scams
Also called password harvesting
- Attacker collects login credentials
There are a lot of stored credentials on your computer
- Chrome, Firefox, Outlook, etc
User received an email with malicious Word doc
- Opening document runs macro
- Macro downloads credential harvesting malware
User has no idea
- Everything happens in background
Credential Harvesting
The social engineer is in charge
- I’m calling from the help desk/office of the CEO/police
Authority - Social Engineering principle
There will be bad things if you don’t help
- If you don’t help me, the payroll checks won’t be processed
Intimidation - Social Engineering principle
Convince based on what’s normally expected
- Your coworker Jill did this for me last week
Consensus - Social Engineering principle
The situation will not be this way for long
- Must make the change before time expires
Scarcity - Social Engineering principle
Works alongside scarcity
Act quickly, don’t think
Urgency - Social Engineering principle
Someone you know, we have common friends
Familiarity - Social Engineering principle
Someone who is safe
- I’m from IT and here to help
Trust - Social Engineering principle
Operating system and browser based virus
Script virus
Stealth virus
- Does a good job of avoiding anti-virus detection
Operates in memory
- But never installed in a file or application
Steps:
1. User clicks on malicious website link
2. Website exploits a vulnerability
3. Launches PowerShell and downloads payload in RAM
4. Runs PowerShell scripts and executables in memory
5. Adds an auto-start to registry
Fileless virus
Malware that self-replicates
- Doesn’t need you to do anything
- Uses the network as a transmission medium
- Self-propagates and spreads quickly
- Can take over many systems very quickly
Firewalls and IDS/IPS can mitigate many infestations
- Doesn’t help much once it gets inside
Steps:
1. Infected computer searches for vulnerable system
2. Vulnerable computer is exploited
3. Backdoor is installed and downloads this
A self-contained infection that can spread itself through networks, emails, and messages
Worms
Attackers want your money
- They’ll take your computer in the meantime
May be a fake ransom
- Locks your computer “by the police”
Ransom may be avoided
- A security professional may be able to remove these kinds of malware
Protection tips:
Always have a backup
- An offline backup, ideally
Keep your OS up to date
- Patch those vulnerabilities
Keep your application up to date
- Security patches
Keep your anti-virus/anti-malware signatures up to date
- New attacks every hour
Denies access to a computer system or data until a ransom is paid
Can be spread through a phishing email or unknowingly infected website
Ransomware
A newer generation of ransomware
- Your data is unavailable until you provide cash
Malware encrypts your data files
- Pictures, documents, music, movies, etc
- Your OS remains available
- They want you running, but not working
You must pay the bad guys to obtain the decryption key
- Untraceable payment system
- An unfortunate use of public-key cryptography
Malicious program that encrypts programs and files on the computer in order to extort money from the user
Crypto-malware
Software that pretends to be something else
- So it can conquer your computer
- Doesn’t really care much about replicating
Circumvents your existing security
- Anti-virus may catch it when it runs
- The better ones are built to avoid and disable AV
Once it’s inside it has free rein
- And it may open the gates for other programs
Form of malware that pretends to be a harmless application
Trojans
Identified by anti-virus/anti-malware
- Potentially undesirable software
- Often installed along with other software
Overly aggressive browser toolbar
A backup utility that displays ads
Browser search engine hijacker
Potentially Unwanted Program (PUP)
Often placed on your computer through malware
- Some malware can take advantage of ones created by other malware
Some software includes this
- Old Linux kernel included this
- Bad software can have this as part of app
Allows for full access to a system remotely
Backdoors
Remote Administration Tool
- The ultimate backdoor
- Administrative control of the device
Malware installs the server/service/host
- Attacker connects with the client software
Control a device
- Key logging
- Screen recording/screenshots
- Copy files
- Embed more malware
A remotely operated Trojan
Remote Access Trojans (RATs)
Originally a Unix technique
Modifies core system files
- Part of the kernel
Can be invisible in the OS
- Won’t see it in Task Manager
Also invisible to traditional anti-virus utilities
- If you can’t see it, you can’t stop it
Finding and removing:
Look for the unusual
- Anti-malware scans
Use a remover specific to this
- Usually built after this is discovered
Secure boot with UEFI
- Security in the BIOS
Backdoor program that allows full remote access to a system
Rootkits
Malware that spies on you
- Advertising, identity theft, affiliate fraud
Can trick you into installing
- Peer to peer, fake security software
Browser monitoring
- Capture surfing habits
Keyloggers - Capture every stroke
- Send it back to the mother ship
Protection:
Maintain your anti-virus/anti-malware
- Always have the latest signatures
Always know what you’re installing
- And watch your options during the installation
Where’s your backup?
- You might need it someday
Software that installs itself to spy on the infected machine, sends the stolen information over the internet back to the host machine
Spyware
Once the computer is infected, it becomes this
- You may not even know
How does it get on your computer?
- Trojan Horse
- You run a program that you thought was legit
- OS or application vulnerability
A day in the life
- Sit around and check in with the Command and Control (C&C) server and wait for instructions
AI that, when inside an infected machine, performs specific actions as part of a larger entity
Stopping these:
Prevent the initial infection
- OS and application patches
Anti-virus/anti-malware and updated signatures
Identify an existing infection
- On-demand scans, network monitoring
Prevent command and control (C&C)
- Block at the firewall
- Identify at the workstation with a host-based firewall or host-based IPS
Bot
Waits for a predefined event
- Often left by someone with a grudge
Time bomb
- Time or date
User event
Difficult to identify
- Difficult to recover if it goes off
Preventing these:
Difficult to recognize
- Each is unique
- No predefined signatures
Process and procedures
- Formal change control
Electronic monitoring
- Alert on changes
- Host-based intrusion detection, Tripwire, etc
Constant auditing
- An administrator can circumvent existing systems
A malicious program that lies dormant until a specific date or event occurs
Logic bombs
Try to login with an incorrect password
- Eventually you’re locked out
Attack an account with the top three (or more) passwords
- If they don’t work, move to the next account
- No lockouts, no alarms, no alerts
Spraying
Try every possible password combination until the hash is matched
Might take some time
- A strong hashing algorithm slows things down
Online:
Keep trying the login process
Very slow
Most accounts will lockout after a number of failed attempts
Offline:
Obtain the list of users and hashes
Calculate the password hash, compare it to a stored hash
Large computational resource requirement
Password-cracking program that tries every possible combination of characters A to Z
Brute Force
Use a dictionary to find common words
- Passwords are created by humans
Many common wordlists available on the ‘net
- Some are customized by language or line of work
The password crackers can substitute letters
This takes time
- Distributed cracking and GPU cracking are common
Discover passwords for common words
- This won’t discover random character passwords
Password attack that creates encrypted versions of common dictionary words and then compares them against those in a stolen password file
Guessing using a list of possible passwords
Dictionary attacks
Optimized, pre-built set of hashes
- Saves time and storage space
- Doesn’t need to contain every hash
- Contains pre-calculated hash chains
Remarkable speed increase
- Especially with longer password lengths
Need different tables for different hashing methods
- Windows is different from MySQL
Large pregenerated data sets of encrypted passwords used in password attacks
Rainbow tables
Stealing credit card information, usually during a normal transaction
- Copy data from the magnetic stripe
- Card number, expiration date, card holder’s name
Includes a small camera to watch for your pin
Attackers use the card information for other financial transactions
- Fraud is the responsibility of the seller
Always check before using card readers
Skimming
Get card details from a skimmer
- The clone needs an original
Create a duplicate of the card
- Looks and feels like the original
- Often includes the printed CVC
Can only be used with magnetic stripe cards
- The chip can’t be cloned
Cloned gift cards are common
- A magnetic stripe technology
Card cloning
Our computers are getting smarter
- They identify patterns in data and improve their predictions
This requires a lot of training data
- Face recognition requires analyzing a lot of faces
In use every day
- Stop spam
- Recommend products from an online retailer
- Prevents car accidents
Machine Learning
The chain contains many moving parts
- Raw materials, suppliers, manufacturers, distributors, customers, consumers
Attackers can infect any step along the way
- Infect different parts of the chain without suspicion
- People trust their suppliers
One exploit can infect the entire chain
Security:
Can you trust your new server/router/switch/firewall/software?
Use a small supplier base
- Tighter control of vendors
Strict control over policy and procedures
- Ensure proper security is in place
Security should be part of the overall design
- There’s a limit to trust
Supply chain attacks
Centralized and costs less
- No dedicated hardware, no data center to secure
Data is in a secure environment
- No physical access to the data center
- Third-party may have access to the data
- Automated signature and security updates
- User must follow security best practices
Limited downtime
- Extensive fault-tolerance and 24/7/365 monitoring
Scalability security options
- One-click security deployments
- This may not be as customizable as necessary
Cloud Based
Put the security burden with the client
- Data center security and infrastructure costs
Customize your security posture
- Full control when everything is in-house
On-site IT team can manage security better
- The local team can ensure everything is secure
- A local team can be expensive and difficult to staff
Local team maintains uptime and availability
- System checks can occur at any time
- No phone calls for support
Security changes can take time
- New equipment, configurations, and additional costs
On-Premise
You’ve encrypted data and sent it to another person
The attacker does not have the combination or key
- So they break the safe
Finding ways to undo the security
- There are many potential shortcomings
- Problem is often the implementation
Cryptographic attacks
In a digital world, this is a hash collision
- A hash collision is the same hash value for two different plaintexts
- Find a collision through brute force
The attacker will generate multiple versions of plaintext to match the hashes
- Protect yourself with a large hash output size
Used to find collisions in hashes and allows the attacker to create the same hash as the user. Exploits the fact that if the same mathematical function is performed on two values and the result is the same, then the original values are the same
Birthday attack
Hash digests are supposed to be unique
- Different input data should never create the same hash
When two different inputs produce the same hash value
Collisions
Instead of using perfectly good encryption, use something that’s not so great
- Force the systems to downgrade their security
Forces a system to lessen its security; this allows the attacker to exploit the lesser security control. It is often associated with cryptographic attacks due to weak implementations of cipher suites. Example: TLS > SSL, a man-in-the-middle POODLE attack exploiting TLS v1.0 - CBC mode
Downgrade attack
Gain higher-level access to a system
- Exploit a vulnerability - Might be a bug or design flaw
Higher-level access means more capabilities
- This commonly is the highest-level access
- This is obviously a concern
These are high-priority vulnerability patches
- You want to get these holes closed very quickly
- Any user can be an administrator
Horizontal escalation
- User A can access User B’s resources
Mitigating escalation:
Patch quickly
- Fix the vulnerability
Updated anti-virus/anti-malware software
- Block known vulnerabilities
Data Execution Prevention
- Only data in executable areas can run
Address space layout randomization
- Prevent a buffer overrun at a known memory address
An attack that exploits a vulnerability that allows them to gain access to resources that they normally would be restricted from accessing
Privilege Escalation
Information from one site could be shared with another
One of the most common web application development errors
- Takes advantage of the trust a user has for a site
- Complex and varied
Malware that uses JavaScript
Protection:
Be careful when clicking untrusted links
- Never blindly click in your email inbox
Consider disabling JavaScript
- Or control with an extension
- This offers limited protection
Keep your browser and applications updated
- Avoid the nasty browser vulnerabilities
Validate input
- Don’t allow users to add their own scripts to an input field
Found in web applications, allows for an attacker to inject client-side scripts in web pages
Cross-site scripting (XSS)
Web site allows scripts to run in user input
- Search box is a common source
Attacker emails a link that takes advantage of this vulnerability
- Runs a script that sends credentials/session IDs/cookies to the attacker
Script embedded in URL executes in the victim’s browser
- As if it came from the server
Attacker uses credentials/session IDs/cookies to steal victim’s information without their knowledge
- Very sneaky
Non-persistent (reflected) XSS attacks
Attacker posts a message to a social media network
- Includes the malicious payload
It’s now “persistent” - Everyone gets the payload
No specific target - All viewers to the page
For social networking, this can spread quickly
- Everyone who views the message can have it posted to their page
- Where someone else can view it and propagates it further
Persistent (stored) XSS attack
Adding your own information into a data stream
Enabled because of bad programming
- The application should properly handle input and output
So many different data types
HTML, SQL, XML, LDAP, etc
Code Injection
Modifying SQL requests
- Your application shouldn’t really allow this
Attack consisting of the insertion or injection of an SQL query via input data from the client to a web application
Is prevented through input validation and using least privilege when accessing a database
If you see ' OR 1=1; on the exam, it’s this
SQL Injection
Set of rules for data transfer and storage
Modifying XML requests
XML Injection
Created by the telephone companies
Now used by almost everyone
Modify LDAP requests to manipulate application results
LDAP Injection
A Windows library containing code and data
Many applications can use this library
Inject this and have an application run a program
- Runs as part of the target process
Allows for the running of outside code
DLL Injection
Overwriting a buffer of memory
- Spills over into other memory areas
Developers need to perform bounds checking
- Attackers spend a lot of time looking for openings
Not a simple exploit
- Takes times to avoid crashing things
- Takes time to make it do what you want
A really useful one of these is repeatable
- Which means that a system can be compromised
Too much data for the computer’s memory to buffer
A program attempts to write more data than can be held in a fixed block of memory
Buffer overflow
Useful information is transmitted over the network
- A crafty hacker will take advantage of this
Need access to the raw network data
- Network tap, ARP poisoning, malware on the victim computer
The gathered information may help the attacker
- Replay the data to appear as someone else
This is not an on-path attack
- The actual replay doesn’t require the original workstation
Avoid this type of attack with a salt
- Use a session ID with the password hash to create a unique authentication hash each time
This is a passive attack where the attacker captures wireless data, records it, and then sends it on to the original recipient without them being aware of the attacker’s presence
Replay Attacks
Client authenticates to the server with a username and hashed password
During authentication, the attacker captures the username and password hash
Attacker sends his own authentication request using the captured credentials
An authentication attack that captures and uses the hash of a password. The attacker then attempts to log on as the user with the stolen hash. This type of attack is commonly associated with the Microsoft NTLM protocol
Pass the Hash
Steps:
1. Victim authenticates to the server
2. Server provides a session id to the client
3. Attacker intercepts the session ID and uses it to access the server with the victim’s credentials
An attack in which an attacker attempts to impersonate the user by using their legitimate session token
Session hijacking
One click attack, session riding - XSRF, CSRF (sea surf)
Takes advantage of the trust that a web application has for the user
- The web site trusts the browser
- Requests are made without your consent or knowledge
- Attacker posts a Facebook status on your account
Significant web application development oversight
- The application should have anti-forgery techniques added
- Usually a cryptographic token to prevent a forgery
Steps:
1. Attacker creates a funds transfer request
2. Request is sent as a hyperlink to a user who may already be logged into the bank web site
3. Visitor clicks the link and unknowingly sends the transfer request to the bank web site
4. Bank validates the transfer and sends the visitor’s funds to the attacker
Unauthorized commands are sent from a user that is trusted by the website.
Allows the attacker to steal cookies and harvest passwords
Cross-site request forgery
Attacker finds a vulnerable web application
- Sends requests to a web server
- Web server performs the request on behalf of the attacker
Caused by bad programming
- Never trust the user input
- Server should validate the input and the responses
- These are rare, but can have critical vulnerabilities
Steps:
1. Attacker sends a request that controls a web application
2. Web server sends request to another service, such as cloud file storage
3. Cloud storage sends response to Web Server
4. Web Server forwards response to attacker
Server-side request forgery (SSRF)
Traditional anti-virus is very good at identifying known attacks
- Checks the signature
- Block anything that matches
There are still ways to infect and hide
- It’s a constant war
- Zero-day attacks, new attack types, etc.
Your drivers are powerful
- The interaction between the hardware and your operating system
- They are often trusted
- Great opportunity for security issues
Hardware interactions contain sensitive information
- Video, keyboard, mouse
Driver manipulation
Filling in the space between two objects
- A middleman
Windows includes this
- Backward compatibility with previous Windows versions
- Application Compatibility Shim Cache
Malware authors write their own
- Get around security
The process of injecting alternate or compensation code into a system in order to alter its operations without changing the original or existing code
Shimming
Metamorphic malware
- A different program each time it’s downloaded
Make it appear different each time
- Add NOP instructions
- Loops, pointless code strings
Can intelligently redesign itself
- Reorder functions
- Modify the application flow
- Reorder code and insert unused data types
Difficult to match with signature-based detection
- Use a layered approach
Rewrites the internal processing of code without changing its behavior
Refactoring
Combines an on-path attack with a downgrade attack
- Difficult to implement, but big returns for the attacker
Attacker must sit in the middle of the conversation
- Must modify data between victim and web server
- Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
Victim does not see any significant problem
- Except the browser page isn’t encrypted
This is a client and server problem
- Works on SSL and TLS
SSL Stripping
A programming conundrum
- Sometimes, things happen at the same time
- This can be bad if you’ve not planned for it
Time-of-check to time-of-use attack (TOCTOU)
- Check the system
- When do you use the results of your last check?
- Something might happen between the check and the use
The behavior of a software, electronic, or other system’s output is dependent on the timing, sequence of events, or factors out of the user’s control
Race Conditions
Unused memory is not properly released
Begins to slowly grow in size
Eventually uses all available memory
System crashes
Leaves the system unresponsive
Memory leak
Programming technique that references a portion of memory
Application crash, debug information displayed, DoS
Failed dereference can cause memory corruption and the application to crash
NULL Pointer dereference
Read files from a web server that are outside of the website’s file directory
Users shouldn’t be able to browse the Windows folder
Web server software vulnerability
- Won’t stop users from browsing past the web server root
Web application code vulnerability
- Take advantage of badly written code
Directory traversal
Errors happen
- And you should probably know about it
Messages should be just informational enough
- Avoid too much detail
- Network information, memory dump, stack traces, database dumps
This is an easy one to find and fix
- A development best-practice
The error messages display sensitive or private information that give the user too much data
Improper error handling
Many applications accept user input
- We put data in, we get data back
All input should be considered malicious
- Check everything. Trust nobody.
Allowing invalid input can be devastating
- SQL injections, buffer overflow, denial of service, etc.
It takes a lot of work to find input that can be used maliciously
- But they will find it
The system does not properly validate data, allowing an attacker to create input that is not expected
Leaves parts of the system vulnerable to unintended data
Improper input handling