MODULE 15

Host Threats


Now that we have looked at the various principles of security, risk, and components of technical controls, such as encryption, let’s examine host security at a deeper level. In this module we are going to discuss threats that are centered on individual network-connected hosts. Remember that a host isn’t just a PC or a Mac; it can be a network device, a specialized piece of biomedical equipment connected to the network, or any other device that has an IP address and sends or receives network traffic. The primary threats we will focus on in this module are malware attacks and other host-based attacks; later on in the book we will talk about other threats, such as those that come from and adversely affect the network itself and those that specifically target users.

Host-based Threats and Vulnerabilities

Regardless of what attack methods are used, ultimately, hackers are usually targeting a host on a network. This is because hosts store the data they are after. The malicious hacker or insider wants to steal, alter, or even destroy that data—or at least deny others the use of it by disabling the host. Malicious entities may use various means at their disposal to get to a host; attack vectors may include network-based attacks, social engineering, or physical attacks that give the hacker direct access to a host. In any case, the target is the host, so that’s where this discussion centers.

Host attacks are successful because of vulnerabilities found on the host; these vulnerabilities are found in the operating system, the applications that run on it, and in the configuration of the host itself. Remember from our earlier discussions on risk that vulnerabilities are weaknesses. Specific threats target those weaknesses on a host with the goal of exploiting them, successfully penetrating the defenses of the host, accessing data, and otherwise compromising the host.

In later modules, we will discuss host defenses in detail. In the next several sections, however, we will explain and summarize some of the different threats that exploit vulnerabilities on a host, such as malware, e-mail attacks, privilege escalation, password attacks, and many others.

Malware

Malware is a term that evolved from the use of two other words: malicious software. Most people think of malware as simply different forms of computer virus, since the term often gets attention in the media and is incorrectly used to describe all types of malicious software. As a security professional, however, you need to know that malware is classified in several ways, depending upon characteristics that include method of propagation, what the malware does, what it targets on the system, and so on. In the next several sections we’ll break down the different types of malware and describe the differences between viruses, trojans, adware, and others.

Virus

A virus is a piece of malicious software that must be propagated through a definite user action. In other words, it normally cannot spread by itself, as other types of malware can. It requires a user to initiate, in some way, the execution of the virus. Sometimes this action is very subtle, and the unsuspecting user may not even know that his actions are executing a virus. For example, he may open an infected file or executable, spawning the virus. Normally, viruses are propagated via download from malicious Internet sites, through removable storage media (USB sticks, for example) passed along from person to person, or through the transmission of infected files from computer to computer via e-mail or file sharing.

Viruses have a variety of effects on computers and applications. These effects range from affecting performance by slowing down the system, filling up storage space, and slowing down the host’s network connections, to more serious impacts, such as recording passwords and other sensitive information, and rendering the host completely unusable or even unbootable. Some viruses infect files, while others, usually more serious ones, infect the boot sector of media, resulting in an infection that is sometimes difficult to detect and diagnose. A boot-sector virus is automatically executed in the computer’s memory when the host boots up; at that moment there is no OS-based antivirus software loaded to detect or eradicate it, so it has already done its damage by the time the OS loads. Usually, the only way to get rid of a boot-sector virus is to boot the host off of a known good (meaning clean and free of malware) media, such as a new hard drive, bootable CD/DVD disc, or a USB stick. The boot media should also have specialized antivirus software loaded on it to detect and clean the infection.

You might have wondered why it seems so easy for hackers to create viruses that can do so much damage; in fact, there are many programs on the Internet that help hackers create them with ease. Some require extensive programming skills, and others are simple graphical programs that require almost no knowledge at all. Figure 15-1 gives an example of just one such program, TeraBIT Virus Maker, but there are probably hundreds more out there.


Figure 15-1 TeraBIT Virus Maker, a virus creation program

Worm

A worm is very similar to a virus, in that it can cause disruptions to the host, slow down systems, and cause other problems. However, a worm is spread very differently from a virus. A worm is usually able to self-replicate and spread all over a network, usually through methods such as instant messaging, e-mail, and other types of network-based connections. The big difference between a virus and a worm is that a virus can’t spread itself; in other words, a virus requires a user action to replicate and spread. A worm doesn’t have this problem and can automatically replicate over an entire network with very little user intervention. This unfortunate characteristic of a worm is what causes it to be a significant problem in large networks. A virus limited to a single host, or one that can be spread only by a user inadvertently sending it to another host via an e-mail attachment or in an infected file on removable media, can be eradicated much more easily than a worm. The virus depends upon human action, but a worm spreads automatically, so a host must be physically disconnected from the network and cleaned before it is reconnected. Even then, once a host rejoins the network, it can be reinfected by any remaining hosts on the network that still contain the worm. Examples of famous worm infections include MyDoom, Blaster, and the Win32Conficker worm.

Trojan

A trojan is a very specialized piece of malware. Named after the Greek Trojan horse of mythological fame, a trojan is a piece of software that seems to be of value to the user. It could be in the form of a game, utility, or other piece of useful software. In reality, however, it is malware and serves a specific function. Usually a trojan has the goal of collecting personal information from a user, including user credentials, financial information, and so on. It can also be used as a generic container used to spread viruses and worms.

Adware

Adware is the name given to malicious, and more often than not annoying, advertisements that come in the form of pop-up messages in a user’s browser or even on a user’s screen outside of a browser session. These messages usually want the user to visit a site, buy a product, or click the ad itself. At best, these messages can be irritating, interrupting a user’s activities with the pop-up message, but sometimes they are a real hindrance to productivity, often redirecting the user’s home page in the browser or spawning several (sometimes dozens or even hundreds of) pop-ups or web sites at once. Beyond their annoyance factor, adware can often disguise software with a more malicious intent. Adware can sometimes carry malware, such as trojans or viruses, that appears as simply annoying advertisements.

Computers get adware infections pretty much the same way they get other types of malware. The user may click on a web link or download something that changes browser or other configuration settings on the host, resulting in the continuous stream of pop-ups. Adware can even be included with purposefully downloaded, seemingly unrelated applications. Sometimes the user is asked to allow the installation of an add-in or browser helper object (BHO) to view a certain file type or run a piece of browser-based software. Most of the time, unsuspecting users will allow the installation by default, opening the door to pop-ups, automatically spawned programs, and browser redirection. Most malware prevention and removal tools can also address adware issues, however, so they are cleaned the same way other types of malware are.

Spyware

Spyware is a type of malware with a specific purpose. In fact, it can actually be a virus or trojan in form, but we tend to classify spyware (and certain other types of malware) by its function rather than type. Spyware is used for the specific purpose of surreptitiously observing a user’s actions and recording them, as well as stealing sensitive data, such as passwords, credit card information, and so forth. Spyware has the ability to send data back to the attacker, quietly of course, so that the user can’t easily detect it. Spyware can also dump data into a file so an attacker can later retrieve it directly from the system if she has physical access. Spyware can affect hosts through various means, in usually the same way that other malware does.

Rootkits

A rootkit is a piece of malware that attempts to infect critical operating system files on the host. Often, antivirus software cannot easily detect rootkits, so they can reside on the system for quite a while before detection. Additionally, they can thwart antivirus software by feeding it false system information, which prevents it from detecting and eradicating not only the rootkit itself but other malware as well.

Backdoors

A backdoor is an entry method into a piece of software (application or operating system) that wasn’t intended to be used by normal users. Most backdoors are created as a maintenance entry point during software development, usually by the programmers creating the software. These maintenance backdoors should be closed prior to software release, but often they are either forgotten about or left open intentionally as a way to bypass security mechanisms later after the software is released, either by the programmer or a malicious entity.

Backdoors can also be created by hackers during an intrusion into a system; often their goal is to have a way back into the system if their primary entry point is taken away or secured. Again, backdoors usually bypass security mechanisms that normally require identification and authorization, so this is a serious security issue. Vulnerability testing can often detect these unauthorized entry points into a system, but sometimes more in-depth testing methods, such as penetration testing or application fuzzing, may be required to find them.

Logic Bomb

A logic bomb is not necessarily a form of malware—at least it’s not the kind that can easily be detected by anti-malware software. A logic bomb is often a script set to execute at a particular time or if certain events or circumstances take place on the system. It is designed to take malicious actions when it executes. An example of a logic bomb is a script that has been written to begin erasing file shares or disk storage at a certain time or date. Most logic bombs are timed to execute by including them as a scheduled event using the operating system’s event scheduling facility, such as the AT command in Windows or the cron utility in Linux-based systems.

Logic bombs are usually the result of a malicious insider or a disgruntled administrator; most of the logic bomb attacks recently sensationalized in the news media involved a rogue administrator dissatisfied with employers for whatever reason. Detecting a logic bomb can be troublesome; it usually requires examining any files, utilities, and scheduled jobs the malicious user had access to, as well as auditing the user’s actions and reviewing the access logs that recorded any use of his privileges.
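The review of scheduled jobs described above can be partly automated. The following script is an added example written for this module, not code from the book: it parses crontab-style lines and flags the properties a reviewer looks for first, namely a job pinned to a single calendar date, a data-destroying command, a script run from a hidden directory, and output that is deliberately discarded. The crontab lines, the regular expressions, and the reason strings are all constructed for the example; a real review would run it over every user’s crontab and the system cron directories, and would treat each hit as a lead to investigate rather than proof of a logic bomb.

```python
import re

# Constructed sample crontab lines (not taken from any real system). The last
# two entries are the kind of thing a logic-bomb review should surface.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/check_queue
30 23 15 3 * rm -rf /srv/shares/*
0 0 1 1 * /home/jdoe/.cache/.cleanup.sh >/dev/null 2>&1
"""

# Reasons a job gets flagged; a match is a lead for the reviewer, not proof.
REASON_DATE = "pinned to a single calendar date"
REASON_DESTRUCTIVE = "runs a data-destroying command"
REASON_HIDDEN = "runs a script from a hidden path"
REASON_SILENT = "discards all output"

# Commands that erase data or storage (rm -r/-f, mkfs, dd, shred, wipefs).
DESTRUCTIVE_RE = re.compile(r"\b(?:rm\s+-\w*[rf]\w*\s|mkfs|dd\s+if=|shred|wipefs)", re.I)
# The five time fields followed by the command.
FIELD_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# A path component that starts with a dot (hidden directory or file).
HIDDEN_RE = re.compile(r"(^|/)\.[^/\s.]")


def parse_crontab(text):
    """Yield (minute, hour, dom, month, dow, command) for every job line."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if m:
            yield m.groups()


def audit_crontab(text):
    """Return a list of {'command', 'reasons'} for jobs worth a closer look."""
    findings = []
    for _minute, _hour, dom, mon, _dow, cmd in parse_crontab(text):
        reasons = []
        if dom.isdigit() and mon.isdigit():
            reasons.append(REASON_DATE)
        if DESTRUCTIVE_RE.search(cmd):
            reasons.append(REASON_DESTRUCTIVE)
        if HIDDEN_RE.search(cmd):
            reasons.append(REASON_HIDDEN)
        if re.search(r">\s*/dev/null\s+2>&1", cmd):
            reasons.append(REASON_SILENT)
        if reasons:
            findings.append({"command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding["command"], "->", "; ".join(finding["reasons"]))
```

On the sample input the two routine jobs pass and the two suspicious ones are reported with every reason that applies, so the reviewer can prioritize the entry that is both date-triggered and destructive.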

Botnets

A botnet is a distributed type of malware attack that uses a remotely controlled piece of malware that has infected several different computers. The idea is to create a large robot-like network used to wage large-scale attacks on systems and networks. Once the malware is installed on the host, the attacker is able to control hosts remotely and send malicious commands to them to be carried out. The hosts are called bots, or zombies, simply because they obey only the orders of the attacker once the attack begins. Most botnet attacks are in the form of distributed denial-of-service (DDoS) attacks. Among the different attack methods that botnets can use are sending massive amounts of malware to different computers, sending large volumes of network traffic, and other methods designed to slow down or completely disable hosts and networks. Botnet attacks can spread rapidly once activated and can be very difficult to counter. In fact, one of the attack methods used during an attack is to infect other hosts and have them join the botnet.

Ransomware

Ransomware is an evil that has only recently begun to manifest itself. In this type of attack, a user either inadvertently downloads malware or an attacker successfully gets it on the user’s machine through some other method. When the malware executes, one of a few scenarios could happen. In the most common scenario, the ransomware locks the user out of the computer, preventing her from accessing anything on it or escaping from a restricted user interface. The interface presented to the user is one that offers only a few choices, and a message that warns the user that her data has been completely encrypted. The message further states that the user must pay a fee within a certain time period to get a copy of the decryption key, or the data will remain encrypted (and useless to the user) forever. Obviously, this motivates most users, who are scared of losing their data, to pay the fee to get their data back.

Another variant of this attack is sometimes called scareware, where, in pretty much the same scenario, the message states that the user has been caught doing something illegal, and that the computer’s files will be handed over to law enforcement authorities. The user must pay a fine to prevent this from happening, so it is a form of blackmail—although a false one if the user hasn’t really been doing anything illegal on the machine. In either scenario, the malware also prevents the user from simply rebooting the machine (often the user’s first reaction) in order to clear the message off the screen. Usually the ransomware has already modified the startup configuration so that the only thing the user can see or interact with is the pop-up restricted interface and message. In addition to using malware, hackers can use social engineering attacks to get scareware (and other types of malware) installed on the user’s system. For example, an attacker can socially engineer a user over the phone, pretending to be tech support or using some other pretext, and persuade the user to install the malware. Although these types of infections can certainly be cleaned, doing so can be difficult and usually requires the host to be wiped and reinstalled. If the data has been truly encrypted by the ransomware, the user will have lost it forever, unless she has maintained a separate backup of the data. Figure 15-2 shows an example of ransomware/scareware.


Figure 15-2 An example of ransomware

Polymorphic Malware

Polymorphic malware is a type of malware that is actually able to change itself every time it infects a new host. It does this to avoid detection by anti-malware software. Because most malware has a particular signature, antivirus and other anti-malware solutions typically look for these unique signatures to identify a particular type of malware infection. If a polymorphic malware is on the host, it may have been able to change its signature, so it can’t be easily detected. Fortunately, anti-malware solutions are continually updated with new signatures, so it’s possible that they can eventually detect the change to the malware, depending upon how fast the polymorphic malware spreads and changes.

Polymorphic malware is similar to another type of malware that changes, called metamorphic malware. Metamorphic malware, however, changes itself upon different generations and versions, rather than upon each infection from host to host. It can also change different aspects of its construction and code so that it not only changes its signature, but its actions and its symptoms on the host.

Armored Virus

Armored viruses are like other typical viruses and cause the same types of damage, but they are different in one important way: They use advanced techniques to avoid detection and analysis. These techniques include changing their tactics and characteristics, such as the different types of files and locations they hide in; the use of encryption to avoid detection and analysis; and others. These types of viruses can also change their code by adding confusing and complex pieces to it. Armored viruses are very difficult to detect and analyze, simply because of these intelligent changes to their code. Because of the difficulty involved with the analysis, the virus has more time to spread and may further change in the interim. The downside for the virus, however, is that because of all of this complexity, the size of the virus executable is considerably larger than that of a normal virus. This may raise flags in other ways, because larger files sometimes can alert anti-malware to check a file more carefully.

Host Attacks

Beyond malware are attacks that use other vectors into a system. Some of these attacks use e-mail and the victim’s trust or lack of security awareness. Some target the host configuration itself, and some attack through user actions or routine computer functions. In the next few sections we’ll discuss some of these attacks, how they are executed, and what effect they can have on the security of the host.

Spam

Spam is nothing more than a large volume of e-mail that is sent to a recipient. Most of the time this e-mail is from advertisers that use mass e-mail programs to send spam to huge lists of people. For the most part, spam is fairly harmless, although it can clog your inbox and be generally annoying. Some types of low-level attacks send huge amounts of spam to one particular e-mail gateway, for example, causing denial-of-service (DoS) attacks on the gateway. However, most spam is harmless, with the exception of the large variety of phishing e-mail attacks that can come in the form of spam, as discussed next. Most e-mail programs can send large amounts of spam to the junk mail folder on the client side, although some will still inevitably get through to the inbox. On the server side, e-mail security software can filter large amounts of spam and restrict e-mail receipt by blacklisting certain known spam senders (through domain name and IP address, for example).

Phishing

Phishing is a social engineering attack usually communicated through e-mail. In a phishing attempt, the attacker tries to get the user to click a malicious link in the e-mail, usually through some false story or context, to trick the user into handing over sensitive information, such as usernames, passwords, financial information, and so forth. For example, the user might receive an e-mail that purports to be from his bank or credit card company. The e-mail may state that the user’s bank account is overdrawn, or even has been compromised. Instructions in the e-mail will direct the user to an embedded link in the message so that he can click it and go to the bank’s site and “confirm” his account information (credentials, account number, and so forth). The site that the e-mail directs the user to often looks very similar to the user’s normal banking site, and indeed it may have been copied from the original site, but it doesn’t actually connect to the bank; instead, it connects to the attacker’s server. So when the user enters his information into the input fields on the site, the attacker is actually receiving that information. The attacker can use this information to log into the user’s account on the legitimate banking site and perform transactions such as transferring money, changing the user’s password, and so forth. The measures used to prevent phishing attacks include spam filters, but the best method of prevention is user education, since this is really a social engineering attack.
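Beyond user education, mail gateways can check the one technical tell the scenario above depends on: the link the user sees is not the link the user follows. The example below is added for this module and is not code from the book or from any mail-filtering product. It parses the anchors in an HTML message body and reports two patterns, a link whose visible text shows one address while the href points at a different domain, and a link whose target is a raw IP address. The message body, the domains under .example, and the “last two labels” approximation of a registrable domain are all constructed for the example; a production filter would use the public suffix list and many more heuristics.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not a real e-mail). The first link points
# at a raw IP; the second shows one address as text but targets another site.
SAMPLE_HTML = """
<p>Your account has been suspended. Please
<a href="http://203.0.113.7/login">confirm your details</a> within 24 hours,
or sign in at <a href="https://login.bank-secure.example/verify">https://www.bank.example/</a>.
Manage preferences <a href="https://www.bank.example/prefs">here</a>.</p>
"""

IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Something that looks like a URL or hostname inside the anchor's visible text.
URLISH_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html):
    """Return (href, reason) for every link that shows a phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if IP_HOST_RE.match(host):
            findings.append((href, "link target is a raw IP address"))
        shown = URLISH_RE.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append((href, "displayed address %s does not match link target %s"
                             % (shown.group(1), host)))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML):
        print(reason, "->", href)
```

The third link in the sample, whose visible text is just the word “here” and whose target is the expected domain, is not reported; the check only fires when the message makes a claim about where a link goes that the link itself contradicts.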

Spim

The term “spim” is a play on two other terms, spam and instant messaging (IM), combined to describe a new form of spam that occurs over chat and IM services. Like the types of spam that come over e-mail, spim comes over the IM services that many of us use on mobile devices to communicate with someone. Obviously, these messages are unsolicited and can be simply advertisements, but they can also be used to wage phishing and other types of attacks. Spim often results when attackers take advantage of the fact that once they obtain a user’s contact list, anyone can send to the people on that contact list. One way users can help prevent spim is to make sure that only recognized people are on their contacts list, and that only contacts on their contacts list can send messages to them, so that all of the messages received from unknown contacts would be rejected.

Vishing

Yet another form of phishing attack occurs over the phone, or, more often, newer Voice-over-IP (VoIP) phone systems. In fact, that’s where vishing gets its name; the term is a combination of voice and phishing. Other than the method used (over the phone instead of through e-mail), this attack technique works the same way as a normal phishing attack. It’s primarily a social engineering attack, but some different technological techniques can be used, such as the use of auto-dialers to send unsolicited messages from fake phone numbers and VoIP IP addresses, voicemail, and other tools. The goal, of course, is to get the user to go visit a fake web site or call a fake number or call center to provide sensitive personal information over the phone.

Spear Phishing

Spear phishing is yet another phishing attack technique. However, this technique involves targeting particular users, who include those in key positions, such as security officers, network or system administrators, or even managers and executives. What distinguishes spear phishing from a regular type of phishing attack is that the attacker has usually done some background work to craft the phishing e-mail to lure a specific victim. For example, the attacker may use social engineering or do some research on the victim to discover personal details, including likes, hobbies, associates, and so on, so that these details can be included in the phishing e-mail to make it appear more legitimate. Once again, user education is probably the most effective deterrent against this type of attack. A very similar attack is called whaling; this type of attack uses the same techniques as spear phishing but targets senior executives in an organization.

Privilege Escalation

Privilege escalation is a more general type of attack, usually perpetrated on hosts after the attacker has gained some sort of low-level access to the system. The attacker may initially gain access to the system through an ordinary user or guest account, which can’t really be used much to control the system or gain access to sensitive data. However, a privilege escalation attack perpetrated through several possible methods would enable an attacker to gain a higher level of privileges on the system, allowing her to control the system, broaden her attack, and gain access to sensitive data. Privilege escalation attacks might be carried out through exploiting the configuration settings on the host, taking advantage of weak encryption or authentication methods, or even exploiting software or operating system vulnerabilities, such as buffer overflow or input injection attacks. These types of attacks may allow the attacker to run arbitrary code on the system, resulting in privilege escalation. A comprehensive system hardening program can help prevent privilege escalation attacks; this involves keeping security patches current, locking down configuration settings, allowing only the least privileges required on the system, and so on.

Malicious Insider Threat

A malicious insider threat can be very complex to understand, detect, and prevent. Malicious insider threats can span several different attack methods, including social engineering, as well as more technical attacks. Malicious insiders can be responsible for erasing data, physically damaging systems, stealing data, and a wide variety of other negative events that can occur within the organization. Malicious insiders are motivated by different things: sometimes revenge against the organization, sometimes for profit or financial gain, and sometimes they have even purposefully gotten a job or position within the organization with the intention of carrying out an attack. Although any malicious insider can do damage to an organization, the insiders with normal user privileges may be able to do only a small amount of damage, since they don’t have the ability to perform sensitive functions. Malicious insiders with administrative privileges, on the other hand, are probably the worst type of malicious insider attack, since they essentially have the ability to do a lot of damage and affect a lot of different systems and data within the organization. The mitigations for malicious insider attacks include user education, security clearances and background checks to ensure trustworthiness, allowing only the least privilege necessary for users to do their jobs, and limited access to systems and data. Auditing is also the key to detecting malicious insider attacks, since user actions can be audited and they can be held accountable for those actions.

Pharming

Pharming is an attack in which the user is redirected to an attacker’s web site, regardless of the URL the user types into the browser or link he clicks in an e-mail. Although similar to a phishing attack, pharming usually involves an attacker with more technical expertise and requires configuration changes on a host or on another system that redirects the user to a different web site, typically a malicious site set up by the attacker. Once the user has been redirected to the web site, the attack pretty much functions as a normal phishing attack, getting information from the user who thinks he is on a legitimate web site, when in fact that is not the case.

DNS Poisoning

DNS poisoning is one of those attacks that has both network and host components to it. The Domain Name System (DNS) server (the host) holds the table that resolves Internet names to IP addresses. When network clients request name resolution from the DNS server, it directs them to the Internet site they want based upon the entries in the table. In a DNS poisoning attack, the entries in the table are compromised, substituting known good entries for a web site with bad ones. This has the effect of redirecting users to a malicious site, instead of the legitimate one. There are several ways to change the entries in a DNS server; usually they involve attacking servers that have not been patched against certain vulnerabilities or that do not authenticate with other DNS servers when they exchange DNS entries. To mitigate this risk, make sure that DNS servers are patched with the latest security updates, and configure them to accept updates only from servers with which they have authenticated.

ARP Poisoning

ARP poisoning involves sending false updates to a host’s ARP cache, the table in memory that the host uses to resolve IP addresses to hardware, or media access control (MAC), addresses. Within their own subnetwork, hosts typically communicate using MAC addresses rather than IP addresses. Because Address Resolution Protocol (ARP) is a broadcast-based protocol, a host broadcasts a request to the network asking the owner of the target IP address to reply with its MAC address. It then saves the answer in its ARP cache and uses it for subsequent communications for a short period of time. A malicious user can send false updates to the host’s ARP cache, which may cause it to communicate with the malicious host instead of the legitimate one.
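Because a legitimate IP-to-MAC binding on a subnet rarely changes, the poisoning described above can be detected by watching the replies and alerting when a binding flips or when one MAC starts answering for several addresses (the approach tools such as arpwatch take). The following monitor is an added example for this module, not code from the book or from arpwatch; the ARP replies, the 192.0.2.0/24 addresses, the 00:00:5e:00:53:xx MACs, and the gateway address are all constructed, and in practice the replies would come from a packet capture on the segment.

```python
from collections import defaultdict

# Assumed gateway address for this example; a change to its binding is the
# most damaging case because it lets the attacker intercept off-subnet traffic.
GATEWAY_IP = "192.0.2.1"

# Constructed sequence of ARP replies seen on one subnet: (sender IP, sender MAC).
# The first three are normal; the last two are the poisoning attempt.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1",  "00:00:5e:00:53:01"),
    ("192.0.2.10", "00:00:5e:00:53:10"),
    ("192.0.2.20", "00:00:5e:00:53:20"),
    ("192.0.2.1",  "00:00:5e:00:53:20"),   # gateway IP now answered by .20's MAC
    ("192.0.2.10", "00:00:5e:00:53:20"),   # and so is another host's IP
]


class ArpMonitor:
    """Track IP-to-MAC bindings and alert on the two classic poisoning tells."""

    def __init__(self, gateway_ip=None):
        self.gateway_ip = gateway_ip
        self.bindings = {}                   # ip -> MAC as first learned
        self.ips_by_mac = defaultdict(set)   # MAC -> IPs it has answered for
        self.alerts = []                     # (severity, message)

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: trust on first use
        elif known != mac:
            # Binding flip. The first-learned MAC is kept so an analyst can
            # compare; a real deployment would also check the DHCP lease table.
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            self.alerts.append((severity, "%s changed from %s to %s" % (ip, known, mac)))
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                # One interface claiming several addresses is the spoofer's footprint.
                self.alerts.append(("MEDIUM", "%s now answers for %d addresses: %s"
                                    % (mac, len(self.ips_by_mac[mac]),
                                       sorted(self.ips_by_mac[mac]))))


def run_monitor(replies, gateway_ip=GATEWAY_IP):
    """Feed a sequence of replies through a fresh monitor and return its alerts."""
    monitor = ArpMonitor(gateway_ip)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for severity, message in run_monitor(SAMPLE_ARP_REPLIES):
        print(severity, message)
```

The first three replies produce no alerts; the fourth produces a HIGH alert because the gateway’s binding changed, and both of the last two also trigger the “one MAC, many IPs” alert. Short ARP cache lifetimes, which the text mentions, are exactly why the attacker must keep sending false replies, and that repetition is what makes this kind of monitoring effective.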

Client-side Attacks

Client-side attacks target vulnerabilities that exist on hosts, including their configurations and applications. Examples include attacks that target client applications such as web browsers or connections between the client and server, looking for vulnerabilities in the client-side program used to make the network connection and transfer data between the two hosts. Client-side attacks normally are conducted remotely against the host, via the network, instead of by having physical access to the host. Most client-side attacks take place through active web content, such as scripts, applets, Active Server Pages (ASP), and so forth. Some of the more popular client-side attacks include cross-site scripting (XSS) attacks.

Transitive Access

Transitive access refers to passing on higher access privileges or permissions to a user. This might happen if you inadvertently configure access rules to be too broad or to have excessive privileges in them. Attackers often look for this transitive type of access to gain a foothold in the system, and then they either elevate privileges or jump to another system where a transitive trust exists between those systems or users.

XMAS Attack

An XMAS attack is conducted by using specific flags in a TCP communications session. When this particular combination of flags is turned on in a TCP segment by the attacker, the network traffic is sent to a host. Different hosts behave in various ways when they receive traffic with this particular combination of TCP flags (SYN, FIN, URG, and PSH) set, so this attack can be used to identify the type of host operating system on the target. An XMAS attack can be used in different ways to help avoid network intrusion detection systems (IDSs). The attack gets its name from the appearance of having most of its flags turned on, or “lit up like a Christmas tree.” Most modern firewalls and network IDSs can be configured to detect and stop this attack. Figure 15-3 shows how an XMAS attack is set up in the popular Nmap scanning tool.


Figure 15-3 An XMAS attack in Nmap
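The detection the text attributes to firewalls and IDSs reduces to inspecting one byte of the TCP header. The example below is added for this module and is not code from the book or from Nmap: it builds minimal TCP headers as constructed test input, reads the flag byte, and labels any segment that carries FIN, PSH, and URG together as an Xmas probe, whether or not SYN and the remaining bits are lit as well. That covers both the four-flag combination the text describes and the FIN/PSH/URG pattern Nmap’s -sX scan sends. The port numbers and the segment list are constructed; a real sensor would pull the headers out of a packet capture.

```python
import struct

# TCP flag bits as they sit in byte 13 of the header (RFC 793, plus ECE/CWR).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = [(FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"),
              (ACK, "ACK"), (URG, "URG"), (ECE, "ECE"), (CWR, "CWR")]


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Construct a minimal 20-byte TCP header for test input (checksum left zero)."""
    offset_and_flags = (5 << 12) | flags    # data offset = 5 words, reserved bits zero
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_flags(header):
    """Return the 8 flag bits of a raw TCP header."""
    return header[13]


def classify_segment(header):
    """Label a segment by its flag combination; returns (label, [flag names])."""
    flags = tcp_flags(header)
    names = [name for bit, name in FLAG_NAMES if flags & bit]
    if flags & FIN and flags & PSH and flags & URG:
        # FIN, PSH and URG never travel together in a real session: this is the
        # "Christmas tree" pattern, with or without SYN and the other bits set.
        return "xmas", names
    if flags & SYN and flags & FIN:
        return "syn-fin", names             # another impossible combination
    if flags == 0:
        return "null", names                # the companion "no flags" probe
    return "normal", names


# Constructed sample segments: a normal handshake start, the three-flag Xmas
# probe, the four-flag combination described in the text, and every bit lit.
SAMPLE_SEGMENTS = [
    build_tcp_header(40001, 80, SYN),
    build_tcp_header(40002, 80, FIN | PSH | URG),
    build_tcp_header(40003, 80, SYN | FIN | PSH | URG),
    build_tcp_header(40004, 80, 0xFF),
]


def scan(segments):
    """Return the label for each segment, in order."""
    return [classify_segment(h)[0] for h in segments]


if __name__ == "__main__":
    for header in SAMPLE_SEGMENTS:
        print(classify_segment(header))
```

Only the first sample is classified as normal; the other three are all reported as Xmas segments, which is the rule a signature in an IDS would encode.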

Password Attacks

Password attacks are very common and are used to attempt to gain access to a system by discovering the username and password combination for a valid user on the host. If the attacker can get a password, along with the corresponding username, she logs into the system as a valid user and from there attempts to escalate her privileges or access systems and data. There are several different types of password attacks that we will discuss, including brute-force, dictionary attacks, rainbow tables, and hybrid attacks.

Passwords are usually attacked in two ways: online or offline. In an online attack, the attacker attempts to log in as a user by guessing the user’s password. If the attacker has the password already, or a pretty good guess, this attack might work. However, this is usually the most ineffective type of attack, since most modern systems are configured to lock the user account automatically after so many incorrect login attempts. If systems are not configured this way, then, theoretically, the attacker could try as many times as he likes, possibly making a good guess and compromising a user’s account. In an offline attack, the database of user credentials (the SAM file in Windows, or the /etc/shadow file in Linux, for example) is usually stolen and attacked offline, outside of the normal online operating conditions of the system. Attackers are usually after the password hashes contained in the database, which are forms of the passwords subjected to cryptographic hashing algorithms. If the attacker can get the password hash, he can wage different attacks against it, such as brute-force or dictionary attacks, explained a bit later in the module.
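The automatic lockout that makes online guessing “the most ineffective type of attack” is simple to implement, and it is worth seeing exactly what it has to get right. The class below is an added example for this module, not code from the book or from any operating system: it counts failed logins per user inside a sliding window, locks the account for a fixed period once the threshold is reached, and refuses further attempts while locked before the password is even checked, so that a correct guess during the lock period yields nothing. The thresholds, the user name, the credential check, and the injectable clock are all constructed for the example.

```python
import time


class LockoutPolicy:
    """Lock an account after max_failures failed logins inside a window of
    `window` seconds, for `lock_seconds`. The clock is injectable so the
    policy can be exercised without waiting for real time to pass."""

    def __init__(self, max_failures=5, window=300, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = {}       # user -> timestamps of recent failed attempts
        self.locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.clock()

    def attempt(self, user, password, verify):
        """Return 'ok', 'denied' or 'locked'. verify(user, password) -> bool."""
        now = self.clock()
        if self.is_locked(user):
            return "locked"      # refuse before checking, so guessing learns nothing
        if verify(user, password):
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_seconds
            self.failures.pop(user, None)
            return "locked"
        return "denied"


class FakeClock:
    """Manually advanced clock for demonstrations and tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three bad guesses lock the account; even the right password is refused
    until the lock expires. Returns the outcome of each attempt in order."""
    clock = FakeClock()
    policy = LockoutPolicy(max_failures=3, window=60, lock_seconds=120, clock=clock)
    # Constructed credential check standing in for a real password store.
    verify = lambda user, pw: user == "alice" and pw == "correct horse battery"
    outcomes = []
    for guess in ("password", "alice123", "letmein"):
        outcomes.append(policy.attempt("alice", guess, verify))
        clock.advance(1)
    outcomes.append(policy.attempt("alice", "correct horse battery", verify))
    clock.advance(121)
    outcomes.append(policy.attempt("alice", "correct horse battery", verify))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The sliding window matters as much as the threshold: failures that have aged out no longer count, so an occasional typo does not accumulate into a lock, while a burst of guesses does. Note also that the same mechanism hands an attacker a way to lock legitimate users out, which is why real deployments pair it with monitoring and a reasonable unlock period rather than an indefinite lock.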

Password attacks target the password hashes themselves, since most passwords are not stored in plaintext form; if they were, it would be game over fairly quickly! Remember that hashing is a form of cryptography, although it’s not really considered encryption, since encryption implies a corresponding decryption process. Hashing is a one-way function that is not intended to be reversed. When users authenticate to the system, passwords aren’t exchanged across the network, but sometimes their hashes are, since hashes can’t be (easily) reversed to obtain their plaintext inputs. Also remember that hashes are unique in that it is mathematically difficult to find two different pieces of plaintext that, when subjected to the same hashing algorithm, produce the same hash. When this does occur (extremely rare, but theoretically possible), it is called a collision. Collisions can help an attacker determine how the underlying algorithm works and may give him insight into how to further reverse hashes produced by the same algorithm. This leads to a discussion of a theoretical type of attack known as the birthday paradox.

Although this is a complicated type of mathematical attack against cryptography, it’s best explained using a simple analogy. If you have 23 people in a room, the probability that 2 or more of them share the same birthdate (without the year) is 50 percent. If you increase this to 70 people, there is a 99 percent probability that at least 2 of them share the same birthdate, and with 367 people there is a 100 percent probability (since there are only 366 days in a year, if you include leap years). Although this analogy may not seem to have much to do with cryptography and password cracking, the same mathematical principles apply to attacks on passwords and hash collisions, although on a much larger and more complex scale: the number of distinct values a hashing algorithm can produce plays the role of the days in the year, and a collision becomes likely long before every possible value has been tried. Having said that, let’s discuss the different types of password attacks.
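The birthday figures above carried through as a calculation, added here as an example rather than taken from the book. The first function computes the exact shared-birthday probability for a group of a given size; the last one applies the same argument to a hash function with a given output size, which is what turns the analogy into the estimate defenders use when judging whether a digest length is large enough.

```python
import math

def prob_shared(n: int, days: int = 365) -> float:
    """Probability that at least two of n people share a birthday drawn from `days` values.
    Computed as 1 - P(all distinct) = 1 - prod_{i=0}^{n-1} (days - i) / days."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct

def people_needed(target: float, days: int = 365) -> int:
    """Smallest group size whose shared-birthday probability reaches `target`."""
    n = 0
    while prob_shared(n, days) < target:
        n += 1
    return n

def hashes_for_collision(output_bits: int, target: float = 0.5) -> float:
    """Same argument applied to a hash with 2**output_bits possible digests: the
    number of random inputs needed before a collision is likely is roughly
    sqrt(2 * N * ln(1 / (1 - target))), on the order of sqrt(N) rather than N."""
    space = 2 ** output_bits
    return math.sqrt(2 * space * math.log(1 / (1 - target)))

if __name__ == "__main__":
    # The book's figures, using the 366-day year it assumes.
    for n in (23, 70, 367):
        print(f"{n} people: {prob_shared(n, days=366):.4f}")
    print("people for a 50% chance:", people_needed(0.5))
    for bits in (32, 64, 128):
        print(f"{bits}-bit digest: ~{hashes_for_collision(bits):.3g} inputs for a 50% collision")
```

The last loop is the practical lesson: a 32-bit digest collides after only tens of thousands of inputs, which is why hash functions used for passwords and signatures need outputs of 256 bits or more to keep birthday-style collision searches out of reach.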

A brute-force attack is the most basic type of attack. In its simplest form, an attacker might repeatedly attempt to guess the user’s password. The attacker might use random words or phrases, but likely won’t be able to break the password that way. A more effective way would be to start at the beginning of the character set and length and repeatedly try all possible combinations, in order, until the attacker eventually finds the correct combination of characters and password length. So, she might start with simply the letter “a,” then “b,” and so forth, eventually getting through all of the different possible characters (all lowercase letters, all uppercase letters, numbers, and special characters), and slowly increase the password length as she goes. Obviously, this would take a very long time if human beings were doing it manually. However, increases in hardware speed and efficiency, as well as the different types of software that can be used for password attacks, make this a lot faster and easier than one human being could manage. Even with very fast software and hardware, though, brute-force attacks could theoretically take several hundred or thousands of years to go through each and every combination and arrive at the correct password. However, since they do go through every single combination, this method is guaranteed to be 100-percent effective in cracking a password—if you could live long enough to wait for it to finish! Figure 15-4 shows a screenshot from Cain and Abel, a popular password-cracking tool, performing a brute-force password attack.

Figure 15-4 A brute-force attack, using Cain and Abel

Much more effective is the dictionary attack. In this type of attack, the attacker uses specially crafted dictionaries, or word lists, which include not only common words but also very specific words used in areas such as medicine, religion, sports, and so on. Even foreign-language dictionaries can be used. Additionally, many of these dictionaries include standard permutations of words, such as the number “3” in place of the letter “E” or an “at sign” (@) in place of the letter “A,” so all of these combinations are taken into account. Even if these permutations are not included in the word lists, most password-cracking software can perform them automatically, so even if the user thinks she’s being clever by using a dictionary word with 3’s and dollar signs for the letter “S,” the password can still be cracked. Figure 15-5 shows Cain and Abel attempting a dictionary attack on an unfortunately simple password.

Figure 15-5 Cain and Abel software conducting a dictionary attack

Dictionary attacks work simply by going through the entire word list, hashing each word, comparing that hash to the one the attacker took from the credentials database, and seeing if they match. If the hashes match, the attacker knows he has found the correct password. If not, he simply goes to the next word in the list and repeats the process. When the software finds hashes that match, the password attack is successful. Again, with modern hardware and software, even a word list with millions of entries can be processed in a matter of seconds or just a few minutes. The advantage of a dictionary attack is that it is very fast and efficient, and as long as the password is one of the words in the list, the attack will be successful. However, once the word list is exhausted, the attack is over and unsuccessful if the password was not in the list. Where a brute-force attack will go on forever unless you stop it, a dictionary attack is normally over very quickly.

A hybrid attack is probably what we see most often in password attacks. This is simply where both brute-force and dictionary methods are used, leveraging both of their strengths to try to discover a password as intelligently and quickly as possible. Figure 15-6 shows an example of a “small” word list of only about 3 million entries!

Figure 15-6 A “simple” wordlist of about 3 million entries

A rainbow attack is a variation on a dictionary attack. It eliminates the step of having to hash each word in the list before comparing it to the hashes obtained from the credentials file. Rainbow tables are precomputed hashes, built by software that goes through massive word lists, hashes each word, and adds the result to the rainbow table file. There are also programs that start at the beginning of a character set and password length and create hashes for all the possible combinations of characters they can compute, much the way a brute-force attack works. These are also added to the rainbow tables, and the attacker then simply goes through the entire table, comparing its hashes to the password hashes she obtained from the host’s credentials database.
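Why precomputed tables work against some stored hashes and not others, as an added example that is not code from the book. The block hashes a small constructed word list two ways: an unsalted single SHA-256, which a table of precomputed digests matches on the first lookup, and PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor, where the same password produces a different digest for every user and none of them appears in the table. The flat digest-to-word dictionary is a simplification of a rainbow table (real ones compress the table with hash/reduce chains), but the lookup it enables, and the way salting defeats it, are the same.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the multi-million-entry lists the text mentions.
WORDLIST = ["password", "letmein", "Summer2023", "p@ssw0rd", "qwerty"]

PBKDF2_ITERATIONS = 100_000   # work factor: each guess costs this many HMAC rounds

def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: a digest that a precomputed table can target directly."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_precomputed_table(words) -> dict:
    """Digest -> plaintext for every word: the precomputation a rainbow table stores."""
    return {fast_hash(w): w for w in words}

def table_lookup(table: dict, digest: str):
    """Return the plaintext for a stolen digest, or None if it was never precomputed."""
    return table.get(digest)

def slow_salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the salt makes every user's digest unique, the iteration
    count makes each candidate expensive to test."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_password(password: str) -> dict:
    """What a credential database should keep: salt, work factor and digest."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": slow_salted_hash(password, salt, PBKDF2_ITERATIONS)}

def verify_password(record: dict, candidate: str) -> bool:
    computed = slow_salted_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])

def demo() -> dict:
    table = build_precomputed_table(WORDLIST)
    # Unsalted storage: the stolen digest is recovered with a single lookup.
    unsalted_hit = table_lookup(table, fast_hash("p@ssw0rd"))
    # Salted storage: two users with the same password get different records,
    # and neither record can be found in the precomputed table.
    rec_a = store_password("p@ssw0rd")
    rec_b = store_password("p@ssw0rd")
    return {
        "unsalted_hit": unsalted_hit,
        "salted_records_differ": rec_a["hash"] != rec_b["hash"],
        "salted_in_table": table_lookup(table, rec_a["hash"].hex()) is not None,
        "verify_ok": verify_password(rec_a, "p@ssw0rd"),
        "verify_wrong": verify_password(rec_a, "password"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not stop a dictionary attack against one specific account; it only forces the attacker to hash the whole list again per user, which is where the iteration count does its work by making each of those hashes slow.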

It’s probably worth mentioning that there are also online versions of password-cracking tools that accept passwords and produce the corresponding hashes for you to check against. They can also accept hashes, allowing you to check whether a particular hash has a corresponding plaintext password in their database. These online databases are useful when you want to see if a particular hash has been compromised or simply to obtain the hash of a plaintext password.

Typo Squatting/URL Hijacking

Another type of attack that can affect an organization makes use of incorrectly spelled or similar-sounding URLs that the organization may use to promote its business. Typo squatting is a variant on an attack (called cybersquatting or URL hijacking) in which the attacker buys up domain names in different top-level domains (TLDs), knowing the company will eventually want to own them, and then charges an outrageous fee for them. Attackers may purchase similarly spelled web site names that users may be tricked into visiting, not noticing that the URL is spelled slightly differently from the organization’s official web site. These attacks usually involve the attacker putting up content on the similar site that disparages the organization, that redirects the user to a competitor’s site, or that may be used in phishing attempts by posting similar-looking but malicious content at the site. Some examples of popular sites that were victims of typo squatting and URL hijacking, creating very undesirable results for the users and organizations they represented, included variations on Intel Corporation’s web site, The White House web site, and even NASA’s web site, which were slightly misspelled or used slightly different URLs that redirected users to pornography sites. To counter this practice, many organizations buy all the different domains that could be associated with their primary web site, such as the .net, .org, and even the newer .xxx domains associated with their organizational brand, to prevent malicious users from creating similar-sounding domain names. Because of changes in law and regulation, organizations are now also able to take legal action against the people who maintain those fake sites in some cases, often on the basis of trademark or copyright infringement as well as slander or damaged reputation and liability. In the end, however, some organizations simply offer money to the offender to buy out the offending domain names or web sites.

Watering Hole Attack

A watering hole attack has both social engineering and technical components to it. In this type of attack, the attacker compromises a secondary system, such as a popular web site. She compromises the system knowing that eventually users will come to it for information or data, and then she can strike. The attacker may use social engineering techniques to determine that the user frequents that particular web site or system, or even to get the user to visit that particular site. For example, the attacker may compromise a web site that a business frequently uses to order supplies. Then the attacker simply waits for the business users to visit the site before attempting to send malware down to the users’ hosts. To prevent this type of attack, user education on social engineering attacks is valuable, but also, on a more technical level, the newer techniques of DNS firewalling and reputation-based protection may be used. These techniques usually involve a subscription to a real-time threat-intelligence service, which continually examines web sites for malware infections and blocks users from accessing those sites through DNS filtering.

Module 15 Questions and Answers

Questions

1. Which of the following characteristics best describes a virus?

A. Script that executes at a certain time

B. Displays annoying pop-up advertisements

C. Unable to propagate itself

D. Is specifically used to capture a user’s personal information and send it back to the attacker

2. Which of the following types of malware appears to be a useful piece of software, but in fact is malicious in nature?

A. Worm

B. Trojan

C. Adware

D. Logic bomb

3. Which of the following types of malware infects critical operating system files, often replacing them with malicious ones?

A. Rootkit

B. Trojan

C. Boot sector virus

D. Ransomware

4. One of your users calls you in a panic because he has just seen a pop-up message on his computer screen that states that all of the files on the system are encrypted, and that he must pay to have them decrypted or lose them forever. You back up the user’s files on a daily basis and update the antivirus signatures every other day. What is the best course of action to take in this case?

A. Pay the fee the ransomware is asking for.

B. Notify the authorities at once and attempt to update the antivirus signature with the latest release.

C. Wipe the computer’s hard drives and restore the user’s files from backup.

D. Reboot the computer.

5. Which of the following methods of phishing attacks uses chat to target its victims?

A. Whaling

B. Vishing

C. Spam

D. Spim

6. Which of the following attacks involves sending false IP-to-MAC address mappings to a host, causing it to communicate with the attacker’s machine instead of the legitimate one?

A. XMAS attack

B. Pharming

C. DNS poisoning

D. ARP poisoning

7. All of the following statements about password attacks are true, except:

A. Brute-force attacks use word lists to attempt password guessing.

B. Dictionary attacks are generally faster than brute-force attacks.

C. Rainbow tables are word lists consisting of precomputed hashes.

D. Online attacks are usually mitigated by account lockout controls.

8. Which of the following best describes a birthday paradox attack?

A. A password attack that uses precomputed hashes in its word list.

B. Two unique pieces of plaintext can have the same hash value under certain circumstances.

C. In a room with 23 people, the odds of any 2 having the same birthdate is 50 percent.

D. A password attack that attempts every single possible combination of characters and password lengths to discover a password.

9. The URL http://www.microsoftsucks.com is an example of

A. Phishing

B. Cybersquatting

C. Watering hole attack

D. Vishing

10. In a watering hole type of attack, which web site is an attacker most likely to compromise?

A. An organization’s official web site

B. A site with a name very similar to the victim’s web site

C. A user’s social media site

D. A site frequented by the users of a victim organization

Answers

1. C. A virus, unlike a worm, is unable to self-replicate or propagate itself; it relies on user action to do so.

2. B. A trojan appears to be a useful piece of software but is malicious in nature.

3. A. A rootkit infects critical operating system files, often replacing them with malicious ones.

4. C. Because the user’s files are backed up daily, the best course of action is to wipe the computer’s hard drive and restore the user’s files from backup.

5. D. Spim is a form of phishing attack that uses instant messaging and chat to target its victims.

6. D. ARP poisoning involves sending false IP-to-MAC address mappings to a host, causing it to communicate with the attacker’s machine instead of the legitimate one.

7. A. Brute-force attacks do not use word lists, but dictionary attacks do.

8. C. In a room with 23 people, the odds of any 2 having the same birthdate is 50 percent.

9. B. The URL http://www.microsoftsucks.com is an example of cybersquatting on a domain name that attempts to disparage a legitimate domain.

10. D. In a watering hole attack, an attacker is most likely to compromise a site frequented by the users of a victim organization, in order to download malware to their computers.
