Computer Security

Chapter Two

Computer Threat

Outline
 Malicious code
   Viruses
   Trojan horses
   Worms
   Spy-wares, etc.
 Class of Attacks
   Reconnaissance
   Access
   Denial of Service, etc.
 Program flaws
   Buffer overflows
   Time-of-check to time-of-use flaws
   Incomplete mediation
 Controls to protect against program flaws in execution
   Operating system support and administrative controls
 Program Security Defenses
   Software development controls and Testing techniques
   Database management systems security

Threat
 Threat:- It is any circumstance or event with the potential to harmfully impact an asset through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
 A computer threat can be "intentional", such as hacking, or "accidental", such as physical damage.
 Threats are classified as physical and non-physical.
 1. Physical threats:- cause harm to hardware or theft of the system or hard disk that holds critical data. A physical threat is an event that could result in data loss or physical damage. It can be classified as:-
   Internal:- Short circuit, fire, non-stable supply of power, hardware failure due to excess humidity, etc.
   External:- Disasters such as floods, earthquakes, landslides, etc.
   Human:- destruction of infrastructure like hardware thefts, and unintentional/intentional errors.
 2. Non-physical threats:- They target the data and the software on the computer systems by corrupting the data or by exploiting the errors in the software.
 A non-physical threat is a potential source of an incident that could result in:-
   Hindering of the business operations that depend on computer systems.
   Sensitive data or information loss.
   Keeping track of others' computer system activities illegally.
   Hacking IDs & passwords of the users, etc.
 Non-physical threats can commonly be caused by the following:-
 (i) Malware:- Malware ("malicious software") is a type of computer program that penetrates and damages systems without the users' knowledge. It hides itself inside the system. You may notice that your system is processing at a slower rate than usual.
 (ii) Virus:- It is a program that replicates itself and infects your computer's files and programs.
 It is a type of malware that spreads by inserting a copy of itself into, and becoming part of, another program. It spreads with the help of software or documents.
 Viruses are embedded in software and documents and then transfer from one computer to another using the network, a disk, file sharing, or infected e-mail. A virus usually appears as an executable file.
 It resides in a computer's memory and activates itself when the program it is attached to starts running.
 It modifies itself after the infection phase (its source code, extensions, new files, etc.) so it is harder for an antivirus to detect.
 It always tries to hide itself in the operating system, for example by encrypting itself into cryptic symbols and decrypting itself when it replicates or executes.
 A virus is a code fragment that copies itself into a larger program, modifying that program.
 It is a dependent program that depends upon a host program, which it infects. A virus executes only when its host program begins to run.
 The virus then replicates itself, infecting other programs as it reproduces.
 A virus might start reproducing immediately, or it might lie dormant for some time, until it is triggered by a particular event.
 A virus may infect memory, a floppy disk, a hard drive, a backup tape, or any other type of storage.

Types of Virus
 Several types of computer viruses have been identified:
   Boot Sector Infectors.
   Multipartite Viruses.
   Stealth Viruses.
   Encrypted Viruses.
   Polymorphic Viruses.
 Boot Sector Infector:- The boot sector is the part of a disk used to boot the system or mount a disk.
 Code in that sector is executed when the system "sees" the disk for the first time.
 When the system boots, or the disk is mounted, any virus in that sector is executed. (The actual boot code is moved to another place, possibly another sector.)
 A boot sector infector is a virus that inserts itself into the boot sector of a disk.
 Executable Infectors:- These are called exe viruses because they infect programs with those extensions. An executable infector infects executable programs.
 A multipartite virus:- is one that can infect either boot sectors or applications.
 Stealth viruses:- are viruses that hide the corrupted files.
 A stealth virus avoids detection by modifying parts of the system that could be used to detect it.
 Encrypted virus:- An encrypted virus is one that enciphers all of the virus code except for a small decryption routine.
 Polymorphic Virus:- is a virus that changes its form each time it inserts itself into another program.
 Therefore, known sequences of instructions will not detect the virus.
 (iii) Spyware:- It is a type of computer program that tracks, records, and reports a user's activity (offline and online) without their permission for the purpose of profit or data theft. Spyware can be acquired from a variety of sources, including websites, instant chats, and emails.
 Adware is a type of spyware that is primarily utilized by advertisers. When you go online, it keeps track of your web browsing patterns in order to compile data on the types of websites you visit.
 Spyware is installed on a computing device without the end user's knowledge. It invades the device, steals sensitive information and internet usage data, and relays it to advertisers, data firms or external users.
 It can be downloaded without the user's authorization.
 Spyware is like a cookie used by a website to record a few brief facts about your visit to that website, or it is like a key logger.
 Cookie:- a text file that your browser creates and stores on your hard drive, which a website you have visited downloads to your machine and uses to recognize you when you return to the site.
 (iv) Worms:- A worm is similar to a virus in that it replicates itself, but it propagates until it completely fills available resources, such as memory, hard drive space, and network bandwidth, without having to attach itself to a host.
 Unlike viruses, which spread by infecting a host file, worms are freestanding programs that do not require a host program or human assistance to multiply.
 Worms don't change programs; instead, they replicate themselves over and over.
 Worms are also self-replicating and self-spreading code like viruses, but do not require any further action to do so. Once a computer worm has arrived on your device, it can execute entirely on its own without any assistance from a user-run program.

Virus and Worms
 Viruses and worms can be used to infect a system and modify a system to allow a hacker to gain access.
 A virus and a worm are similar in that they're both forms of malicious software (malware).
 A virus infects another executable and uses this carrier program to spread itself. The virus code is injected into the previously benign program and is spread when the program is run.
 A worm is similar to a virus in many ways but does not need a carrier program. A worm can self-replicate and move from an infected host to another host.
 A worm spreads from system to system automatically, but a virus needs another program in order to spread.
 (v) Trojan horse:- It is malicious software that looks like a useful host program. When it runs, it performs a harmful/unwanted action.
 A Trojan is a computer program that is designed to disrupt, steal, or otherwise harm your data or network. These threats cannot self-replicate or spread autonomously. However, their malicious payload could contain viruses, worms, or any other code.
 A Trojan horse tricks a user into running a program, often an attractive or helpful one. When the unsuspecting user runs the

Types of Trojans
 The most common types of Trojans:
   Remote Access Trojans (RATs):- Used to gain remote access to a system.
   Data-Sending Trojans:- Used to find data on a system and deliver data to a hacker.
   Destructive Trojans:- Used to delete or corrupt files on a system.
   Denial-of-Service Trojans:- Used to launch a denial-of-service attack.
   Proxy Trojans:- Used to tunnel traffic or launch hacking attacks via other systems.
   FTP Trojans:- Used to create an FTP server in order to copy files onto a system.
 (vi) Denial of Service Attacks:- A DoS attack tries to prohibit legitimate users from obtaining information or services. An attacker tries to make a system or network resource unavailable to its intended users. The web servers of large organizations such as banking, commerce, trading organizations, etc. are the usual victims.
 (vii) Phishing:- It is used to obtain sensitive information from users, such as login credentials and credit card details. Phishers cheat users into giving critical information, such as bank and credit card information, or access to personal accounts, by sending spam, malicious Web sites, email messages, and instant chats.
 (viii) Key-Loggers:- Keyloggers can monitor a user's computer activity in real time. A keylogger is a program that runs in the background and records every keystroke made by a user, then sends the data to a hacker with the intent of stealing passwords and financial information.
 Key loggers are programs that record every keystroke you make on your keyboard. This spyware then logs your keystrokes to the spy's file. The most common use of a key logger is to capture usernames and passwords. It can capture every document you type, as well as anything else you might
 This data can be stored in a small file hidden on your machine for later extraction or sent out in TCP packets to some predetermined address.
 Some key loggers wait until after hours to upload this data to some server, or use your own email to send the data to an anonymous email address.
 There are also some key loggers that take periodic screenshots of your machine.

Other Forms of Malicious Logic
 Logic Bombs.
 Backdoors.
 Spam.
 DDoS.
 Spoofing.
 Sniffer.
 Social Engineering.
 Hardware Threats ….

Logic Bomb
 A logic bomb is a type of malware that executes its malicious purpose when specific criteria are met. The most common factor is date/time.
 A logic bomb might delete files on a certain date/time.
 Types of Bomb:
 1. A bomb that's set to go off on a particular date or after some period of time has elapsed is called a time bomb.
 2. A bomb that's set to go off when a particular event occurs is called a logic bomb.
 Backdoors:- A backdoor is a program that a hacker installs on a target system to allow access to the system at a later time.
 A backdoor can be embedded in a malicious Trojan.
 The objective of installing a backdoor on a system is to give hackers access into the system at a time of their choosing.
 Spam:- is unwanted email. Spam is email that is sent out to multiple parties and is unwanted.
 Often it is used for marketing purposes, but it can be used for much more malicious goals.
 Spam can be used to spread a virus or worm.
 It is also used to send emails inviting recipients to visit phishing websites in order to steal the recipient's identity.
 Essentially, spam is a gateway for spyware, viruses, worms, and phishing attacks.
 Distributed denial of service (DDoS):- is an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
 Spoofing:- is a technique used to gain unauthorized access to computers, wherein the intruder sends messages with a source IP address that has been forged to indicate that the messages are coming from a trusted host. Routers and firewall arrangements can offer protection against IP spoofing.
 Zombie:- A corrupted computer that is waiting for instructions and commands from its master, the attacker.
 Man-in-the-middle:- In a man-in-the-middle or TCP hijacking attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network.
 It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data.
 Sniffer:- is a program that can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information.
 Sniffers add risk to the network, because many systems and users send information on local networks in clear text.
 A sniffer program shows all the data going by, including passwords, the data inside files such as word-processing documents, and screens full of sensitive data from applications.
 Social Engineering:- is the process of using social skills to convince people to reveal access credentials or other valuable information to the attacker.

Hardware Threats
 Power Faults:- Sudden power failure, voltage spikes, brownouts and frequency shifts cause damage to the system.
 System Life:- The system gets worn out over a period of time.
 Equipment Incompatibilities:- These occur due to improperly installed devices.
 Problems with Magnets:- Magnetic fields due to floppy disks, monitors and telephones can damage stored data.

How to make your system secure?
 In order to keep your system data secure and safe, you should take the following measures:-
 1. Always keep a backup of your data.
 2. Install firewall software and keep it updated at all times.
 3. Make use of strong and difficult-to-crack passwords (having capital & small letters, numbers, and special characters).
 4. Install antivirus/anti-spyware software and keep it updated at all times.
 5. Scan your complete system regularly.
 6. Before installing any program, check whether it is safe to install (using antivirus software).
 7. Take extra caution when reading emails that contain attachments.
 8. Always keep your system updated.

Malicious code
 Malicious code:- is a harmful computer program or script designed to create or exploit system vulnerabilities. This code is designed by a threat actor to cause unwanted changes, damage, or ongoing access to computer systems.
 Malicious logic is a set of instructions that causes a site's security policy to be violated.
 Most malicious code today is concerned not only with trashing your machine, but also with using your machine to infect others.
 A classic example is the software used to create a DDoS attack.
 After hiding itself in your computer, modern malware typically seeks information from you to use to infect others, and it usually finds it in your address book or by robbing your local area network.
 The malware then stalks its new victims, often by sending an email in your name, and infects them as well.

Class of Attacks
 The three common classes of attack are access, reconnaissance, and DoS:
 1. Reconnaissance attacks.
 2. Access attacks.
 3. Denial of service (DoS) attacks.
 Each class has various more-specific subcategories of attack methods that will be covered in detail.
 1. Reconnaissance Attacks:- Reconnaissance is gathering important information about an area of interest. The hacker surveys a network and collects data for a future attack. Important information that can be compiled during a reconnaissance attack includes the following:-
   Ports open on a server.
   Ports open on a firewall.
   IP addresses on the host network.
   Host names associated with the IP addresses.
 There are four common tools or methods for gathering network data:-
 i. Packet sniffers (also known as network monitors).
 ii. Ping sweeps.
 iii. Port scans.
 iv. Information queries.
 Packet Sniffers:- A packet sniffer may be either a software program or a piece of hardware with software installed on it that captures traffic sent over the network. A common software program available today is Wireshark, formerly known as Ethereal.
 Ping Sweeps:- ping enables you to validate that an IP address exists and can accept requests by sending an echo request and then waiting for an echo reply.
 A ping sweep tool can send an echo request to numerous host IP addresses at the same time to see which hosts respond with an echo reply.
 Port Scans:- A port scanner is a software program that surveys a host network for open ports.
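Because a ping sweep is one source sending echo requests to many hosts, the defender's side of the passage above is spotting exactly that pattern in traffic logs. The C program below is an added example and not part of the original slides: it reads constructed key=value ICMP log lines (a made-up format, not any real firewall's output), counts the distinct destinations each source has sent echo requests (ICMP type 8) to, and flags any source above an assumed threshold of five hosts. The function names, the sample addresses and the threshold are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_SRC 16            /* distinct sources tracked (assumed demo limit) */
#define MAX_DST 64            /* distinct destinations remembered per source */
#define SWEEP_THRESHOLD 5     /* hosts probed by one source before we call it a sweep (assumed) */

/* Constructed sample log, one ICMP packet per line in a made-up key=value
   format (not any real firewall's output). 10.0.0.5 sends echo requests
   (type 8) to eight different hosts; 10.0.0.9 pings one host twice; the
   echo reply (type 0) and the TCP line must be ignored. */
static const char *SAMPLE_LOG[] = {
    "src=10.0.0.5 dst=10.0.0.11 proto=icmp type=8",
    "src=10.0.0.11 dst=10.0.0.5 proto=icmp type=0",
    "src=10.0.0.5 dst=10.0.0.12 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.13 proto=icmp type=8",
    "src=10.0.0.9 dst=10.0.0.1 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.14 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.15 proto=icmp type=8",
    "src=10.0.0.9 dst=10.0.0.1 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.16 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.17 proto=tcp type=0",
    "src=10.0.0.5 dst=10.0.0.17 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.18 proto=icmp type=8",
    "src=10.0.0.5 dst=10.0.0.18 proto=icmp type=8",
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

struct src_entry {
    char src[32];
    char dst[MAX_DST][32];
    int ndst;                 /* number of distinct destinations seen */
};

/* Find the table row for src, adding one if needed; -1 if the table is full. */
static int find_or_add_src(struct src_entry *tab, int *n, const char *src) {
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].src, src) == 0) return i;
    if (*n >= MAX_SRC) return -1;
    strcpy(tab[*n].src, src);
    tab[*n].ndst = 0;
    return (*n)++;
}

/* Record dst for this source if it is new; repeats do not inflate the count. */
static void add_dst(struct src_entry *e, const char *dst) {
    for (int i = 0; i < e->ndst; i++)
        if (strcmp(e->dst[i], dst) == 0) return;
    if (e->ndst < MAX_DST) strcpy(e->dst[e->ndst++], dst);
}

/* Scan the log lines and copy every source that sent echo requests to at
   least SWEEP_THRESHOLD distinct hosts into out[]. Returns how many. */
int detect_ping_sweeps(const char *const *lines, int nlines, char out[][32], int max_out) {
    struct src_entry tab[MAX_SRC];
    int nsrc = 0;
    for (int i = 0; i < nlines; i++) {
        char src[32], dst[32], proto[16];
        int type;
        if (sscanf(lines[i], "src=%31s dst=%31s proto=%15s type=%d",
                   src, dst, proto, &type) != 4)
            continue;                              /* malformed line: skip it */
        if (strcmp(proto, "icmp") != 0 || type != 8)
            continue;                              /* only echo requests count */
        int idx = find_or_add_src(tab, &nsrc, src);
        if (idx >= 0) add_dst(&tab[idx], dst);
    }
    int found = 0;
    for (int i = 0; i < nsrc && found < max_out; i++)
        if (tab[i].ndst >= SWEEP_THRESHOLD) strcpy(out[found++], tab[i].src);
    return found;
}

int main(void) {
    char flagged[MAX_SRC][32];
    int n = detect_ping_sweeps(SAMPLE_LOG, SAMPLE_LOG_LEN, flagged, MAX_SRC);
    for (int i = 0; i < n; i++)
        printf("possible ping sweep from %s\n", flagged[i]);
    return 0;
}
```

Only echo requests are counted, so a busy host that merely answers pings is never flagged, and repeated probes of one host do not push a source over the threshold; in real deployments the threshold would also be bounded by a time window.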
 Information Queries:- Information queries can be sent via the Internet to resolve host names from IP addresses or vice versa.
 One of the most commonly used queries is nslookup. You can use nslookup by opening a Windows or Linux command prompt (CMD) window on your computer and entering nslookup followed by the IP address or host name that you are attempting to resolve.
 Here are a couple of sample CMD commands:-
   C:\> nslookup www.cisco.com
   C:\> nslookup 198.133.219.25

 Reconnaissance attacks are general knowledge-gathering attacks. These attacks can happen in both logical and physical approaches.
 Whether the information is gathered via probing the network or through social engineering and physical surveillance, these attacks can be preventable as well. Other common examples of reconnaissance attacks include phishing, social engineering and internet information queries.
 We can examine these further by breaking them into two categories: logical and physical.
 A. Logical Reconnaissance:- refers to anything that is done in the digital spectrum and doesn't require a human on the other side to complete the reconnaissance attack.
   Example:- Ping sweeps and port scans.
 B. Physical Reconnaissance:- There are elements that will never be protected fully, like locations, as well as security elements like cameras, mantraps, door locks or guards. However, these can play into physically securing a network.
 For example, bank security may be limited to stopping an extremely well-organized attempt only to the extent that the security team has prepared for it.
 But the simple fact that a bank has security in place creates the potential to prevent most lower- to mid-level criminals who would make the attempt.
 Reconnaissance, as we have established, is the collection of information from any available sources.
 Solution:- Try to limit the information available about the company.
 Be sure that network admins or company representatives are trained in how to spot social engineering attacks, and extend that training to all employees.
 2. Access Attacks:- an attempt to access another user's account or a network device through improper means.
 Unauthorized access attacks are attempted via four means, all of which try to bypass some facet of the authentication process:- password attacks, trust exploitation, port redirection, and
 Trust Exploitation:- Trust exploitation can occur in one of two ways:-
   Reliance on the trust a client has in a server.
   Reliance on the trust the server has in the client.
 Servers that communicate with a trusted machine may have a trust relationship established. An attacker can then compromise the trusted server and initiate a connection to the internal network.
 Port Redirection:- It is a form of trust exploitation in which an untrustworthy source uses a machine with access to the internal network to pass traffic through a port on the firewall or access control list (ACL).

 Man-in-the-Middle Attacks:- happen when a hacker listens for network traffic and intercepts a data transmission. The hacker can capture credentials, hijack a session, or instigate a DoS attack.
 Proper data encryption, with the use of an encryption protocol, makes the captured data useless.
 An access attack is similar to reconnaissance in that both are either logical or physical, logical being over the network and physical usually leaning more towards social engineering.
 A. Logical Access:- Testing passwords on the network by rainbow tables or dictionary attacks tends to create a ton of traffic on the network.
 B. Physical access:- Access to the hardware or access to the people.
 Social engineering is very dangerous and hard to defend against simply because your users are usually the weakest link in cybersecurity.
 The easiest type of social engineering attack involves sending out phishing emails designed to hook someone that way, or getting a key logger onto an insider's computer to gain credentials that may escalate the privileges of the attacker.
 3. Denial of Service (DoS) Attacks:- This can happen by flooding the network with junk traffic that blocks the network's ability to function.
 Distributed DoS (DDoS):- multiple systems are compromised to send a DoS attack to a specific target. The compromised systems are commonly called zombies or slaves.
 As a result of the attack, the targeted system denies service to valid users.
 Solution:- measures range from maximizing bandwidth allocation to network isolation based on traffic types.

Program Flaws
 Program flaws:- The term flaw is used to describe a problem that exists in a software program. A flaw can be a security risk, cause the program to crash, or cause other issues.
 Programmers occasionally commit mistakes unintentionally. These mistakes do not cause any damage to the program.
 However, there are certain mistakes which, if we ignore them, can cause serious negative implications for the program.
 Three such common non-malicious programming errors are: buffer overflows, time-of-check to time-of-use flaws, and incomplete mediation.

 A. Buffer Overflows:- A buffer overflow occurs when a memory reference which is beyond the declared boundary occurs. When an array/string is declared, a finite amount of memory is reserved for that variable.
 E.g., int arr[5] will reserve five memory slots. In a reference like arr[5] = 22; the subscript is out of bounds. Some compilers check for such errors while some don't (e.g., the C compiler).
 Now, for those which don't check such errors, the question arises as to where 22 went, since no buffer overflow error
 The answer to that lies in what is adjacent to arr[4] (the last element of the array). The number 22 will be written in the block adjacent to arr[4]. If that location contained any user data, that data will be overwritten.
 If any program (system or user) is located at the same spot, an attacker can create a fake overflow and place his own software (code) at that location next to arr[4].
 In such a manner, an attacker can gain privileges or full control of the OS.
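To make the slide's arr[5] = 22 concrete from the defender's side, here is an added C example (not code from the original slides). It lays out a six-slot block in which slots 0..4 stand in for arr and slot 5 is a constructed neighbour holding a user's value, shows that an unchecked write to index 5 lands in that neighbour, and contrasts it with a bounded store that refuses any subscript outside the declared length. The function names and the neighbour's value 99 are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ARR_LEN 5   /* the slide's "int arr[5]" */

/* Flawed write, as the slide describes: the subscript is never compared
   with the declared length, so a C compiler lets "arr[5]" land in whatever
   sits after the array. */
static void store_unchecked(int *mem, size_t idx, int value) {
    mem[idx] = value;
}

/* Hardened write: the caller passes the declared length and any subscript
   outside 0..len-1 is refused instead of spilling into the neighbour. */
bool store_checked(int *arr, size_t len, size_t idx, int value) {
    if (idx >= len)
        return false;
    arr[idx] = value;
    return true;
}

/* Shows where "22" goes. memory[] is one contiguous block: slots 0..4 play
   the role of arr, slot 5 is the constructed neighbour holding a user's
   value (99). The unchecked "arr[5] = 22" overwrites it. Returns the
   neighbour's value afterwards (22 if the overwrite happened). */
int neighbour_after_unchecked_write(void) {
    int memory[ARR_LEN + 1] = {0};
    memory[ARR_LEN] = 99;                  /* the neighbour's own data */
    store_unchecked(memory, ARR_LEN, 22);  /* the out-of-bounds "arr[5] = 22" */
    return memory[ARR_LEN];
}

/* Same scenario with the checked write: the neighbour keeps 99 and the
   caller learns through *refused that the store was rejected. */
int neighbour_after_checked_write(bool *refused) {
    int memory[ARR_LEN + 1] = {0};
    memory[ARR_LEN] = 99;
    *refused = !store_checked(memory, ARR_LEN, ARR_LEN, 22);
    return memory[ARR_LEN];
}

int main(void) {
    bool refused = false;
    int after_unchecked = neighbour_after_unchecked_write();
    int after_checked = neighbour_after_checked_write(&refused);
    printf("unchecked: neighbour = %d\n", after_unchecked);
    printf("checked:   neighbour = %d, store refused = %d\n", after_checked, refused);
    return 0;
}
```

The unchecked store here is only well-defined because the six-slot block was allocated deliberately; in the slide's real arr[5] case the same write is undefined behaviour, which is exactly why the compiler cannot be relied on to catch it.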
 B. Time-of-check to time-of-use flaws:- This often occurs between the time a whole or part of the system gets checked and the time it starts to be used.
 Programs that are shared by multiple processes are vulnerable to these kinds of flaws. Unix systems are more exposed to TOCTOU (time-of-check to time-of-use) bugs.
 Consider the following example code for Unix systems: the victim code does two things: it checks the if statement and then opens a file or uses it.
 An attacker, on the other hand, can run a symlink (symbolic link) function to make the file point to a password database after the victim checks the condition. Then, when the victim starts writing, they actually write to the password file.
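The example code the slide refers to is not on the page, so the following C program is an added illustration, not the original slides' code. It shows the vulnerable check-then-open shape (access() by name, then open() by name) next to a hardened version that opens once with O_NOFOLLOW and then inspects the descriptor it already holds with fstat(), so the check and the use cannot be separated by a symlink swap. The demo builds its own scratch directory under /tmp with a regular file and a symlink to it standing in for the re-pointed name; the directory template, file names and function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The slide's vulnerable shape: check the path by name, then open it by
   name. Between the two calls the directory entry can be re-pointed (for
   example replaced by a symlink to a sensitive file), and open() follows it. */
int open_check_then_use(const char *path) {
    if (access(path, W_OK) != 0)             /* time of check */
        return -1;
    /* ...window in which the name can be swapped for a symlink... */
    return open(path, O_WRONLY | O_APPEND);  /* time of use */
}

/* Hardened: one open() with O_NOFOLLOW refuses symlinks outright, and the
   remaining checks run via fstat() on the descriptor we already hold, so
   check and use refer to the same file object. Returns -1 on refusal. */
int open_then_verify(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained demonstration on a constructed scratch directory: a regular
   file "notes.txt" plus a symlink "link" pointing at it. Returns 1 when the
   naive function opens through the link but the hardened one refuses it and
   still accepts the real file, 0 otherwise. Cleans up after itself. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";   /* template, assumed writable */
    if (mkdtemp(dir) == NULL)
        return 0;
    char file[256], link[256];
    snprintf(file, sizeof file, "%s/notes.txt", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    int result = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(file, link) == 0) {
            int naive  = open_check_then_use(link);  /* follows the link: succeeds */
            int safe   = open_then_verify(link);     /* O_NOFOLLOW: refused */
            int direct = open_then_verify(file);     /* the real file: accepted */
            result = (naive >= 0 && safe == -1 && direct >= 0);
            if (naive >= 0) close(naive);
            if (direct >= 0) close(direct);
            unlink(link);
        }
        unlink(file);
    }
    rmdir(dir);
    return result;
}

int main(void) {
    printf("hardened open refuses the symlink: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```

The ownership test (st_uid against geteuid()) is one reasonable policy for a file the program expects to own; a program that legitimately writes to files owned by others would replace it with whatever check its policy requires, but still on the descriptor, never on the name.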
 C. Incomplete Mediation:- Mediation means checking: the process of intervening to confirm an actor's authorization before it takes an intended action.
 Verifying that the subject is authorized to perform the operation on an object is called mediation. Incomplete mediation is a security problem that has been with us for decades: forgetting to ask "Who goes there?" before allowing.
 In the same way, attackers exploit incomplete mediation to cause security problems. Consider the following URL.
 In addition to a web address, it contains two parameters, so you can think of it as input to a program:
   http://www.somesite.com/subpage/userinput.asp?parm1=(808)555-1212&parm2=2015Jan17
 As a security professional trying to find and fix problems before they occur, you might examine the various parts of the URL to determine what they mean and how they might be exploited.
 For instance, the parameters parm1 and parm2 look like a telephone number and a date, respectively. Probably the client's (user's) web browser enters those two values in their specified format for easy processing on the server's side.
 But what would happen if parm2 were submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many? Something in the program or the system with which it communicates would likely fail.
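Complete mediation for the URL above means validating both parameters before any other part of the program uses them. The following C program is an added example and not the original slides' code: it parses a query string of the page's shape, copies each parameter into a bounded buffer, requires exactly the two expected names, and accepts parm1 only as (ddd)ddd-dddd and parm2 only as a real calendar date in YYYYMmmDD form, so 1800Feb30, 2048Min32 and 1Aardvark2Many are refused while 2015Jan17 is accepted. 1800Jan01 passes the shape and calendar checks; whether the application also wants a business range on the year is left to it. Function names and buffer sizes are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char *MONTHS[12] = {"Jan","Feb","Mar","Apr","May","Jun",
                                 "Jul","Aug","Sep","Oct","Nov","Dec"};
static const int MONTH_DAYS[12] = {31,28,31,30,31,30,31,31,30,31,30,31};

static bool is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* parm1 must match exactly "(ddd)ddd-dddd", the shape of (808)555-1212. */
bool valid_parm1(const char *s) {
    static const char shape[] = "(ddd)ddd-dddd";
    if (strlen(s) != sizeof shape - 1) return false;
    for (size_t i = 0; shape[i]; i++) {
        if (shape[i] == 'd') { if (!isdigit((unsigned char)s[i])) return false; }
        else if (s[i] != shape[i]) return false;
    }
    return true;
}

/* parm2 must be exactly YYYYMmmDD (e.g. 2015Jan17) AND a real calendar
   date: 1800Feb30 (no such day), 2048Min32 (no such month) and
   1Aardvark2Many (wrong shape) are all refused. */
bool valid_parm2(const char *s) {
    if (strlen(s) != 9) return false;
    int year = 0, day = 0;
    for (int i = 0; i < 4; i++) {
        if (!isdigit((unsigned char)s[i])) return false;
        year = year * 10 + (s[i] - '0');
    }
    for (int i = 7; i < 9; i++) {
        if (!isdigit((unsigned char)s[i])) return false;
        day = day * 10 + (s[i] - '0');
    }
    int month = -1;
    for (int m = 0; m < 12; m++)
        if (strncmp(s + 4, MONTHS[m], 3) == 0) { month = m; break; }
    if (month < 0) return false;
    int limit = MONTH_DAYS[month] + ((month == 1 && is_leap(year)) ? 1 : 0);
    return day >= 1 && day <= limit;
}

/* Mediates the whole query string "parm1=...&parm2=...": every parameter is
   copied into a bounded buffer, must be one of the two expected names, must
   appear exactly once, and must pass its validator. Anything else, including
   an extra unexpected parameter, is rejected before the values are used. */
bool mediate_query(const char *query) {
    int seen1 = 0, seen2 = 0;
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t len = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (!eq) return false;
        char name[16], value[64];
        size_t nlen = (size_t)(eq - p), vlen = len - nlen - 1;
        if (nlen >= sizeof name || vlen >= sizeof value) return false;  /* bounded copy */
        memcpy(name, p, nlen);       name[nlen] = '\0';
        memcpy(value, eq + 1, vlen); value[vlen] = '\0';
        if (strcmp(name, "parm1") == 0)      { if (seen1++ || !valid_parm1(value)) return false; }
        else if (strcmp(name, "parm2") == 0) { if (seen2++ || !valid_parm2(value)) return false; }
        else return false;                   /* unexpected parameter name */
        p = amp ? amp + 1 : p + len;
    }
    return seen1 == 1 && seen2 == 1;
}

int main(void) {
    const char *samples[] = {
        "parm1=(808)555-1212&parm2=2015Jan17",
        "parm1=(808)555-1212&parm2=1800Feb30",
        "parm1=(808)555-1212&parm2=2048Min32",
        "parm1=(808)555-1212&parm2=1Aardvark2Many",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               mediate_query(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validators are allow-lists: they describe the one shape each value may take rather than trying to enumerate bad inputs, which is what makes the mediation complete rather than a patch for the four examples the slide happens to name.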
 Controls to protect against program flaws in execution:- The following are the major controls that need to be taken to control program flaws in execution:-
   Proper input validation.
   Preserve operating system command structure.
   Properly handling race conditions in a program.
   Limiting operations within the boundaries of a memory buffer.
   Protecting against external control of file name, path, and data.
   Effectively controlling code generation (also known as code injection).
   Proper initialization of variables in a program.
   Applying proper error handling in a program.
 Beyond these, programmers should also take into consideration the following countermeasures to prevent program flaws:-
   Apply software engineering techniques.
   Use information hiding and encapsulation.
   Apply modularity.

 Operating system support and administrative controls:-
 All operating systems must protect themselves from security breaches, such as denial of service, memory-access violations, stack overflow violations, the launching of programs with excessive privileges, and many others.
 Software development controls and Testing techniques:-
 The goal of utilizing numerous testing methodologies in your software development process is to make sure your software can successfully operate in multiple environments and across different platforms.
 These can typically be broken down into functional and non-functional testing. Functional testing methods are usually conducted in order and include:-
   Unit testing.
   Integration testing.
   System testing.
   Acceptance testing.
 Non-functional testing methods incorporate all test types focused on the operational aspects of a piece of software.
 These include:-
   Performance testing.
   Security testing.
   Usability testing.
   Compatibility testing.
 The goal of security testing is to find gaps and security risks in the system that could result in unauthorized access by probing the application's weaknesses. There are multiple types of this testing method, each aimed at verifying six basic principles of security:-
   Integrity.
   Confidentiality.
   Authentication.
   Authorization.
   Availability.
   Non-repudiation.
 Database Management Systems Security:- Company databases always contain sensitive information that must be protected from vulnerabilities and exploits. The following are some of the threats related to databases:-
  o Default or weak passwords.
  o SQL injection.
  o Excessive user and group privileges.
  o Unnecessary DBMS features enabled.
  o Buffer overflows.
  o Denial of service.
  o Un-patched RDBMS.