Security Attacks

Now that we understand basic security concepts, let's talk about various forms of security attacks.

The simplest of the attacks work by getting hold of the password of an account on a computer system. Recall that a password is a shared secret used by the computer system to authenticate the account holder. Once the attacker has the password, he can do everything the account holder can do. Common techniques to “steal” passwords include:

  • Guessing— People select passwords that are easy to remember, most often the name of a child, spouse or friend, or a dictionary word, all of which are easy to guess.

  • Wiretapping— A number of protocols send password information over the wire in clear text. Anyone with access to a computer connected to the same network can capture these with automated programs.

  • Spoofing— A clever program under the control of an attacker can spoof a real application or website, prompting the user to enter the password and hence “tricking” the user into giving away the password.

  • Cracking— Most systems store encrypted passwords rather than the passwords themselves. Once the attacker has access to the encrypted passwords, he or she can try cracking them by applying the same encryption to words from a dictionary, and to combinations of these, and comparing the results with the stored values. This attack has been found to be quite effective in practice.

  • Social Engineering— In its simplest incarnation, this refers to asking the administrator or technical support person to either give away the password or change it, posing as the legitimate user. A former hacker and now a well-known security consultant on social engineering, Kevin Mitnick writes in his book The Art of Deception: “It's human nature to trust our fellow men, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their goals.”
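The guessing and cracking entries above both come down to how a password is chosen and how it is stored. The following Python example is added here to illustrate those two points from the administrator's side; it is not code from the original text. It assumes a tiny constructed word list and personal-name list (a real check would use a large dictionary), rejects passwords that are dictionary words or trivial variants, and contrasts an unsalted fast hash, where one precomputed table of dictionary hashes audits every account at once, with a per-user salt plus an iterated key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), where no shared table applies and each verification costs real work.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary (assumption: real word lists hold millions of entries).
DICTIONARY = ["password", "letmein", "john", "mary", "summer", "dragon"]


def is_guessable(password: str, names=()) -> bool:
    """True if the password is a dictionary word, a personal name, or a trivial
    variant of one (case changes, trailing digits): the patterns the text
    above describes as easy to guess."""
    candidates = {w.lower() for w in DICTIONARY} | {n.lower() for n in names}
    lowered = password.lower()
    base = lowered.rstrip("0123456789")  # "mary1999" -> "mary"
    return lowered in candidates or base in candidates


def unsalted_hash(password: str) -> str:
    """Weak storage: a single fast, unsalted hash per account."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted_store(stored: dict) -> dict:
    """Administrator's audit of an unsalted password store: hash each
    dictionary word once, then look the table up for every account.
    Returns {user: weak_password} for every account that fell to the list.
    The single shared table is exactly why unsalted storage is weak."""
    table = {unsalted_hash(word): word for word in DICTIONARY}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened storage: per-user random salt plus an iterated KDF. The salt
    defeats precomputed tables; the iteration count makes each guess costly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(salted_slow_hash(password, salt), expected)


def new_salt() -> bytes:
    # 16 random bytes from the OS CSPRNG; stored alongside the hash, not secret.
    return os.urandom(16)


if __name__ == "__main__":
    # Constructed accounts: one dictionary password, one strong one.
    store = {"alice": unsalted_hash("dragon"), "bob": unsalted_hash("Tr0ub4dor&3")}
    print("accounts with dictionary passwords:", audit_unsalted_store(store))
    print("is 'Mary1999' guessable for a user named Mary?", is_guessable("Mary1999", names=["Mary"]))
    salt = new_salt()
    stored = salted_slow_hash("dragon", salt)
    print("salted verify (correct):", verify_salted("dragon", salt, stored))
    print("salted verify (wrong case):", verify_salted("Dragon", salt, stored))
```

Note that the audit over the unsalted store is the same computation the text attributes to the attacker; running it against your own store before an attacker does is the defensive use. With salted storage the precomputed table is useless, and the iteration count (100,000 here) should be tuned upward as hardware gets faster.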

Not all accounts have the same privilege on a system. For example, an ISP (Internet Service Provider) may have thousands of user accounts on a single machine, each with access to only limited resources. It may appear that a single compromised account is not a big deal. However, an attacker often uses a normal account as a stepping-stone to get access to a super user account, known as root on UNIX systems. Once the super user account is compromised, the attacker gains complete control of the system and could also get into other machines on the same network.

It is possible for an attacker to get entry into a system even without knowing the account name and the password. The trick is to somehow run a piece of code on the target system that can accept a network connection from the attacker, or can connect back to the attacker's system, and present a command shell. This form of attack is more common than it may first appear. As we will soon see, a class of vulnerabilities in software systems can be exploited to achieve this kind of attack.

A compromised system can be used to access unauthorized information, modify the information content or carry out illegal transactions for financial benefit. Getting hold of customer data and their credit card numbers falls into the first category. Website defacements are common examples of unauthorized modifications. Transferring money from one account to another would be an example of an illegal transaction.

A somewhat less common attack is a “person-in-the-middle” attack. In this attack, the attacker is able to capture all the data traffic between two communicating systems. Imagine receiving an e-mail having a hyperlink with the name of your bank's website as anchor text. You click on the hyperlink, assuming that it will take you to the bank's site. And indeed it does so. Under the hood, however, the hyperlink was associated with a URL pointing to the attacker's system. The attacker's system acts as an intermediary, forwarding your requests to your bank and the bank's response to your browser, keeping a copy of each message for later analysis.
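The lure in the scenario above is a hyperlink whose anchor text names the bank while its URL points elsewhere. The following Python example is an added illustration of the check a mail gateway or browser extension can make; it is not code from the original text. It parses a constructed HTML fragment with the standard-library HTML parser, and for every link whose visible text looks like a host name or URL, compares the domain shown to the user with the domain the link actually goes to. The `registrable_domain` helper is a deliberate simplification (last two labels of the host); a production check would consult the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplified: last two DNS labels ("login.bank.example" -> "bank.example").
    Assumption for illustration; real code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def host_shown_to_user(text: str):
    """Return the host the anchor text appears to name, or None if the text is
    ordinary words (e.g. "Click here") rather than a host or URL."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        t = urlsplit(t).hostname or ""
    return t if ("." in t and " " not in t) else None


def find_mismatched_links(html: str):
    """Return [(anchor_text, href)] for links whose displayed domain differs
    from the domain the href really resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = host_shown_to_user(text)
        if shown is None:
            continue
        actual = (urlsplit(href).hostname or "").lower()
        if registrable_domain(shown) != registrable_domain(actual):
            suspicious.append((text, href))
    return suspicious


# Constructed e-mail body (all hosts under the reserved .test TLD):
SAMPLE_MAIL = """
<p>Please verify your account at
<a href="http://www.example-bank.com.attacker.test/login">www.example-bank.com</a>.</p>
<p>Our real site is <a href="https://www.example-bank.com/">https://www.example-bank.com</a>.</p>
<p><a href="https://www.example-bank.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_MAIL):
        print(f"link text {text!r} actually points to {href!r}")
```

The first link is flagged because the displayed domain is example-bank.com while the href's registrable domain is attacker.test; the second matches and passes; the third is plain words, which this check cannot judge and leaves alone.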

Another category of attack involves malicious code. Malicious code refers to viruses (a code segment that replicates by attaching copies of itself to a host program, executing itself whenever the host is executed), worms (a self-replicating program that is self-contained and commonly uses network services for propagation), Trojan Horses (a program that performs a desired task but also includes unexpected and undesirable functions), logic bombs (programs with code to activate undesirable actions when a particular condition is met), and other uninvited software. These can cause loss of data, system outages and, in some cases, loss of control of the system to an outside attacker. At the least, they waste computing resources and take time to clean up, hampering productivity.

Another form of attack, known as a DoS (Denial of Service) attack, floods the target system with so many requests that the system is not able to process legitimate requests. A particularly virulent form of this attack, known as a DDoS (Distributed Denial of Service) attack, employs thousands of systems at different locations, possibly compromised by the attackers, to bombard the target system with superfluous requests and make it unavailable for normal operations.
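One server-side defence against a flood of requests is to limit how many requests any single client may make. The following Python example is added here to show the idea and is not code from the original text: a token-bucket limiter that grants each client a small burst and then a steady rate, driven by an injectable clock so that a constructed request stream can be replayed deterministically. The client addresses and timings are made up for the demonstration.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: each client starts with `burst` tokens, gains
    `rate` tokens per second up to `burst`, and spends one token per request."""

    def __init__(self, rate: float, burst: int, now=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.now = now  # clock function; injectable for deterministic tests
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, client: str) -> bool:
        t = self.now()
        elapsed = t - self.last.get(client, t)
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        self.last[client] = t
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False  # over the limit: reject cheaply instead of doing the work


class FakeClock:
    """Deterministic clock for replaying a constructed request stream."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def simulate(events, rate: float, burst: int) -> dict:
    """Replay (timestamp, client) events through the limiter.
    Returns {client: (allowed_count, rejected_count)}."""
    clock = FakeClock()
    bucket = TokenBucket(rate, burst, now=clock)
    outcome = defaultdict(lambda: [0, 0])
    for t, client in sorted(events):
        clock.t = t
        outcome[client][0 if bucket.allow(client) else 1] += 1
    return {client: tuple(counts) for client, counts in outcome.items()}


# Constructed stream: one source sends 20 requests at once, a legitimate
# client sends 2, then the noisy source tries again three seconds later.
EVENTS = [(0.0, "10.0.0.9")] * 20 + [(0.0, "192.0.2.10")] * 2 + [(3.0, "10.0.0.9")]

if __name__ == "__main__":
    for client, (ok, dropped) in simulate(EVENTS, rate=1.0, burst=5).items():
        print(f"{client}: {ok} allowed, {dropped} rejected")
```

With a burst of 5 and a refill rate of 1 per second, the flooding source gets 5 requests through, has 15 rejected, and is allowed again once tokens have refilled; the legitimate client is untouched. This is a per-source limit, so it blunts a single-source DoS; against the distributed form described above, where each of thousands of sources stays under the limit, it must be combined with aggregate limits and upstream filtering.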

Most of these attacks exploit vulnerabilities in existing systems.
