Cyber Security Notes

Netizen

  • A combination of the words "internet" and "citizen."
  • Refers to individuals actively participating in online communities.
  • Implies interest in improving the internet as an intellectual and social resource.
  • Supports open access, net neutrality, and free speech.

Malware and Its Existence

  • Malware:
    • Malicious software installed through deceptive methods.
    • Symptoms include slow system performance, unknown processes, unsolicited email sending, and random reboots.

Types of Malware

  • Spyware
  • Rootkit
  • Adware
  • Virus
  • Ransomware
  • Trojan Horse
  • Remote Access Trojan (RAT)
  • Worm
  • Keylogger

Viruses

  • Code that attaches to a host application.
  • Activates and spreads when the host application is executed.
  • Payload:
    • Causes damage or delivers a message.
    • May add the computer to a botnet.
    • Often delayed to allow for spreading.

Polymorphic Malware

  • Mutates during replication.
  • May encrypt its own body with a different key on each copy, so only a small decryptor stub stays constant.
  • Designed to evade antivirus software.

Worms

  • Self-replicating malware.
  • Does not require a host application or user interaction.
  • Consumes network bandwidth.
  • Unlike viruses, worms copy themselves across the network on their own; they do not wait for a host program to be run.

Logic Bombs

  • Code that executes when a specific event occurs (e.g., a certain date).
  • Often planted by malicious insiders.
  • Payload may destroy data.

Backdoors

  • Allow unauthorized access to a system.
  • Sometimes built into devices or software by the manufacturer (e.g., a hidden maintenance account), which is poor security practice.

Trojans

  • Disguised as legitimate programs but perform malicious actions.
  • Common in pirated software (games, apps, keygens, movies).

Rogue Antivirus ("Scareware")

  • Fake antivirus programs that exploit user's fear of malware.
  • Display virus alerts to scare users into purchasing the fake software.
  • Use professional-looking pop-ups, mimicking legitimate Windows alerts.

Mac Flashback Trojan

  • Targeted Mac OS X (now macOS) systems.
  • Initially disguised as an Adobe Flash Player installer; later variants exploited an unpatched Java vulnerability to install without user interaction.

Botnets

  • Infected computers ("bots" or "zombies") controlled by a "bot herder".
  • Bots connect to Command-and-Control (C&C) servers.
  • Used to:
    • Send spam.
    • Launch DDoS attacks.
    • Install keyloggers or other malware.

Ransomware

  • Encrypts user's files.
  • Demands a ransom for decryption.
  • Regular backups kept offline (or otherwise write-protected) are the main defense, since paying does not guarantee decryption.

Rootkits

  • Malware that modifies system files, the kernel, or boot code to hide its presence.
  • Hides from users and antivirus software.
  • Conceals files, processes, and network connections.
  • Difficult to detect and remove.
  • May use hooks to intercept system-level function calls.

Spyware

  • Reports user activity to a remote server.
  • Actions:
    • Changing the browser homepage.
    • Redirecting browser activity.
    • Installing browser toolbars.
    • Keylogging to steal passwords.
  • Often bundled with Trojans.

Adware

  • Displays pop-up ads.
  • Annoying but typically not malicious.
  • Pop-up blockers are commonly used as a countermeasure.
  • Some free software includes ads, which is not illegal.

Social Engineering

  • Methods:
    • Assuming a position of authority.
    • Encouraging risky actions.
    • Encouraging the revelation of sensitive information.
    • Impersonating authorized personnel.
    • Tailgating: Following someone into a secure area.

Impersonation

  • Wearing a uniform to impersonate a trusted role (e.g., phone repair technician, janitor).

Shoulder Surfing

  • Looking over someone's shoulder to view typed information (e.g., passwords).
  • Countermeasures:
    • Privacy screens.
    • Password masking (displaying dots instead of characters).

Virus Hoaxes

  • Scary email messages that recommend unwise actions (e.g., deleting system files).
  • Detection:
    • Consult antivirus vendor sites.
    • Check urban legend sites like snopes.com.

Tailgating and Mantraps

  • Tailgating: Following someone through a secure door.
  • Prevention: Use mantraps, turnstiles, or security guards.

Dumpster Diving

  • Searching through trash for useful documents.
  • Targets: Company directories, pre-approved credit card applications, Personally Identifiable Information (PII).
  • Countermeasures:
    • Shredding documents.
    • Burning documents.

Spam and Spam Filters

  • Much spam is malicious.
  • Contains malicious attachments and links.
  • Spam filters are useful at both network and end-user levels.

Phishing

  • Emails disguised as legitimate correspondence (e.g., from PayPal).
  • Trick users into logging into fake websites.
  • Used to distribute malware, validate email addresses, or solicit money.
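The indicators listed above (a lookalike sender, a message that pushes the victim to "log in" at a fake site, pressure to act now) can be checked mechanically. The following is an added example, not part of the original notes: a small Python phishing triage routine that parses one raw e-mail, compares the sender's display name and domain against a brand list, flags a Reply-To that points somewhere else, and catches links whose visible text shows one domain while the href goes to another. The TRUSTED brand table, the URGENCY phrases and both sample messages are constructed for the example; the lookalike-domain check is a deliberately simple character substitution, not a full homoglyph detector.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands to protect and the domains they genuinely send from.
# (Constructed for the example; in practice this list is site-specific.)
TRUSTED = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com", "live.com"}}

# Pressure phrases that phishing relies on (urgency / scarcity).
URGENCY = ("suspended", "verify immediately", "within 24 hours", "account will be closed")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Host part of a URL, bare host, or e-mail address, minus any leading 'www.'."""
    if "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def normalize(host):
    """Undo common look-alike substitutions so 'paypa1.com' compares as 'paypal.com'."""
    return host.replace("1", "l").replace("0", "o").replace("rn", "m").replace("vv", "w")


def lookalike(host):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    if host in set().union(*TRUSTED.values()):
        return None
    norm = normalize(host)
    for brand, real in TRUSTED.items():
        if brand in norm or any(norm == normalize(r) for r in real):
            return brand
    return None


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.domain.lower()
    brand = lookalike(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} imitates {brand}")
    for b, real in TRUSTED.items():
        if b in sender.display_name.lower() and sender_domain not in real:
            findings.append(f"display name mentions {b} but address is @{sender_domain}")
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for href, visible in parser.links:
            target = domain_of(href)
            if "." in visible and domain_of(visible) != target:
                findings.append(f"link text '{visible}' actually points to {target}")
            elif lookalike(target):
                findings.append(f"link to look-alike domain {target}")
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    findings.extend(f"urgency cue: '{p}'" for p in URGENCY if p in haystack)
    return findings


# Constructed phishing sample: look-alike sender, foreign Reply-To, deceptive link.
SAMPLE = """\
From: "PayPal Security" <alerts@paypa1-secure.com>
Reply-To: recover@mail-helpdesk.example
To: victim@example.org
Subject: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be closed unless you verify immediately.</p>
<p><a href="http://paypa1-secure.com/login">www.paypal.com/signin</a></p></body></html>
"""

# Constructed benign sample for comparison.
CLEAN = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Each finding is a hint rather than a verdict; a mail gateway would weight them together with sender reputation and authentication results (SPF/DKIM/DMARC), which this example does not consult.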

Spear Phishing

  • Targeted phishing attacks aimed at specific individuals or groups with customized messages.
  • Often facilitated by database breaches that reveal email addresses.
  • Example: Targeting CCSF employees with emails related to accreditation and layoffs.

Whaling

  • Targeting high-level executives with phishing attacks.

Spam over Instant Messaging (SPIM)

  • Can be reduced by whitelisting in the IM client.

Vishing

  • Using cheap VoIP (Voice over IP) calls that are hard to trace.
  • Spoofing Caller ID.
  • Attempting to trick targets into revealing sensitive information (credit card numbers, SSN, birthday).

Privilege Escalation

  • Gaining elevated access from "User" to "Administrator".
  • Not needed when the user already runs as "Administrator", which was common on Windows XP and earlier because the default accounts were administrators.

Protection Against Malware

  • Mail servers should scan emails for malicious attachments.
  • Antivirus software on all workstations and servers.
  • Web security gateways block malicious files and sites at network boundaries or firewalls.

Antivirus Software

  • Detects viruses, Trojans, worms, spyware, rootkits, and adware.
  • Real-time protection: Checks every accessed file and device.
  • Scheduled and manual scans of the file system.

Signature-based Detection

  • Signature files (definition files) contain byte patterns that match known malware.
  • Signature files must be updated frequently; they cannot match malware that has not been seen yet.
  • When a file matches a signature, it is quarantined or deleted.

Heuristic-based Detection

  • Detects suspicious behavior rather than known byte patterns.
  • Similar to anomaly-based detection in Intrusion Detection Systems (IDS).
  • Runs questionable code in a sandbox (virtualized environment) and watches what it does.
  • Flags behavior typical of malware (e.g., a program that rewrites other executables, hooks system calls, or disables the antivirus).
  • Prone to false positives.

Checking File Integrity

  • Detects system file alterations.
  • Records hash values of system files and detects changes.
  • Included in some Host-based Intrusion Detection Systems (HIDS) and antivirus software.
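The two mechanisms above, signature matching and hash-based integrity checking, fit in a few dozen lines. The following Python is an added example and not code from the original notes: a definition table of byte patterns, a scanner that quarantines a hit (read-only, so an analyst can confirm it or restore a false positive) instead of deleting it, and a SHA-256 baseline that reports files added, removed or modified since the snapshot. The EICAR test string is the real, harmless industry test signature; the second signature, the directory contents and all file names are constructed for the example. The last step also shows why a byte signature alone misses a polymorphic (re-encoded) copy of the same payload, which is the gap heuristic detection exists to fill.

```python
import hashlib
import os
import shutil
import tempfile

# EICAR test string: a harmless, industry-standard file that every AV engine
# detects by signature. It is the only real signature in this example.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# "Definition file": detection name -> byte pattern. The second entry is a
# hypothetical pattern invented for the example, not a real malware family.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Hypothetical.Dropper.A": b"MZ\x90\x00HYPOTHETICAL-DROPPER-MARKER",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Names of all signatures whose pattern occurs anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path, signatures=SIGNATURES):
    """Signature scan of one file (reads the whole file; fine for small ones)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def quarantine(path, quarantine_dir):
    """Move a detected file aside, read-only, instead of deleting it outright."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return dest


def xor_encode(data, key):
    """Toy polymorphic transform: same payload, different bytes for each key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Snapshot: relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def check_integrity(root, baseline):
    """Diff the current tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build a small tree, baseline it, tamper with it, then detect. Returns findings."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    notes = os.path.join(root, "notes.txt")
    with open(notes, "wb") as fh:
        fh.write(b"quarterly figures\n")
    baseline = build_baseline(root)  # taken while the tree is still clean

    # Simulated compromise: an existing file is altered and a new file dropped.
    with open(notes, "ab") as fh:
        fh.write(b"# tampered\n")
    with open(os.path.join(root, "invoice.com"), "wb") as fh:
        fh.write(EICAR)

    integrity = check_integrity(root, baseline)
    suspects = integrity["added"] + integrity["modified"]
    hits = {p: scan_file(os.path.join(root, p)) for p in suspects}
    moved = [quarantine(os.path.join(root, p), os.path.join(root, "quarantine"))
             for p, names in hits.items() if names]
    # The same payload, re-encoded, no longer matches its byte signature.
    evaded = scan_bytes(xor_encode(EICAR, b"\x5a")) == []
    shutil.rmtree(root, ignore_errors=True)
    return {"integrity": integrity, "hits": hits, "quarantined": len(moved), "evaded": evaded}


if __name__ == "__main__":
    print(demo())
```

A real file-integrity monitor stores the baseline somewhere the attacker cannot rewrite (a signed file, a separate host) and excludes paths that change legitimately, otherwise every patch cycle floods it with "modified" reports.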

Pop-Up Blockers

  • Included in web browsers.
  • Often use whitelisting to allow pop-ups from trusted domains.
  • Effective against adware.

Anti-spyware Software

  • Some overlap with antivirus software.
  • Examples: Ad-Aware, Windows Defender, Spybot - Search & Destroy.

Educating Users

  • Security awareness training is essential.

Security Awareness

  • Keep users informed about new viruses, phishing attacks, and zero-day exploits.

Safe Computing Habits

  • Avoid clicking links or opening attachments in emails from unknown sources.
  • Be cautious of free downloads.
  • Limit information posted on social media.
  • Back up data regularly.
  • Install updates and patches.
  • Keep antivirus software up-to-date.

Why Social Engineering Works

  • Scarcity: Convincing the target that it's their last chance to get something good.
  • Urgency: Creating a sense of urgency, e.g., Cryptolocker countdown.
  • Familiarity/Liking: Building rapport with the target before asking for a favor.
  • Trust: Building a trusting relationship with the target.

Security Holes and Security Patches

  • Security holes are discovered in antivirus software and other applications.
  • Vendors issue patches (fixes or security updates) to address these flaws.
  • Microsoft releases frequent patches due to the popularity of its software as a target.
  • Other applications requiring frequent patching: Firefox, QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, Sun Java Runtime Environment.

White Hat Search Engine Optimization (SEO)

  • SEO tactics that comply with the terms and conditions of major search engines like Google.
  • Improves search rankings while maintaining website integrity.
  • Examples:
    • Offering quality content and services.
    • Fast site loading times and mobile-friendliness.
    • Using descriptive, keyword-rich meta tags.
    • Making the site easy to navigate.

Current and Full-Time Threats

  • Top Risks:
    • Ransomware
    • Phishing
    • Data leakage
    • Hacking
    • Insider threat

Hackers and Hacker's Tools

  • Computer hackers are experts who use their technical knowledge to achieve a goal or overcome an obstacle within a computerized system by non-standard means.
  • Top Hacker Tools and Techniques:
    • Reconnaissance: Gathering basic information about systems (e.g., Netcraft, PCHels).
    • Network Exploration: Identifying host systems and services (e.g., NMap).
    • Probe Tools: Identifying system vulnerabilities (e.g., LANguard Network Scanner).
    • Scanners: Determining open ports that can be exploited (e.g., AET Network Scanner 10, FPort 1.33, Super Scan 3).
    • Password Cracker: Cracking weak passwords (e.g., LC5, John The Ripper, iOpus Password Recovery XP, LastBit).
    • Remote Administration Tools: Taking control of the victim's computer (e.g., AntiLamer, NetSlayer).
    • Backdoor: Keeping hidden access to a system once it has been compromised (e.g., KrAIMer, Troj/Zinx-A).
    • Denial of Service (DoS): Overloading a system with flooding tools (e.g., Coldlife, Flooder).
    • Recover Deleted Files: Tools like Deleted File Analysis Utility.
    • Website Tools: Website indexing and probing tools (e.g., Access Diver and IntelliTamper).

IP Spoofing

  • A technique used to gain unauthorized access to computers by sending messages with a forged IP address.
  • The attacker uses a trusted IP address as its source, bypassing access controls.

IP Spoofing Techniques

  • Using an IP address within the range of trusted IP addresses.
  • Using an authorized external IP address that is trusted.

Uses for IP Spoofing

  • Injection of malicious data or commands into an existing stream of data.
  • Changing the routing tables to point to the spoofed IP address.

Why IP Spoofing Is Easy

  • Routers forward on the destination address and, by default, do not check whether the source address is plausible.
  • Authentication is often based only on source addresses (host-based trust).
  • The source address field in the IP header can be set to any value by anyone who can send raw packets.

Spoofing Attacks

  1. Non-Blind Spoofing:
    • The attacker is on the same subnet as the target and can observe the TCP sequence and acknowledgment numbers of packets.
    • Used to interfere with an existing connection by injecting spoofed packets into it.
  2. Blind Spoofing:
    • The attacker is outside the subnet and cannot see sequence and acknowledgment numbers.
    • The attacker sends packets to the target machine to sample its sequence numbers and predict the next ones.
    • Used to interfere with a connection or create a new one.
  3. Man-in-the-Middle Attack:
    • Also known as connection hijacking.
    • A malicious party intercepts a legitimate communication between two hosts.
    • Controls the communication flow and alters information without the participants' knowledge.
  4. Denial of Service Attack:
    • Attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
    • IP spoofing is very commonly used in denial of service (DoS) attacks, since it hides the true source and makes reflection attacks possible.

Detection of IP Spoofing

  1. Monitor packets for inconsistencies (e.g., packets with both source and destination IP addresses in the local domain).
  2. Compare process accounting logs between internal systems to identify discrepancies in remote access initiation.

Prevention of IP Spoofing

  1. Install a filtering router that drops packets arriving on the external interface with a source address from inside your own network.
  2. Filter outgoing packets to prevent source IP spoofing attacks originating from your site.
  3. Avoid using source address authentication.
  4. Implement cryptographic authentication system-wide.
  5. Configure the network to reject packets claiming to originate from a local address.
  6. Implement ingress and egress filtering on border routers with ACLs (BCP 38 / RFC 2827).
  7. Enable encryption sessions at the router for trusted host connections.
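The detection rule (a packet seen from outside whose source is one of our own addresses) and the ingress/egress filtering items above amount to a short decision procedure per packet. The following Python is an added example, not part of the original notes or any vendor's ACL syntax: it models a border router with an Internet-facing interface "ext" and a LAN-facing interface "int", owns the hypothetical prefix 203.0.113.0/24 (an RFC 5737 documentation range), and applies ingress filtering to packets arriving from outside and egress filtering to packets leaving. The packet records are constructed, not captured traffic.

```python
import ipaddress
from collections import namedtuple

# One packet as a border router sees it: arrival interface, source, destination.
Packet = namedtuple("Packet", "iface src dst")

# Hypothetical site: we own 203.0.113.0/24. "ext" faces the Internet,
# "int" faces the LAN.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that never legitimately arrive from the Internet
# (private, loopback, link-local, multicast, reserved).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_local(addr):
    return any(addr in net for net in SITE_PREFIXES)


def classify(pkt):
    """Apply ingress (ext) or egress (int) anti-spoofing rules to one packet.
    Returns ("pass" | "drop", reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "ext":
        # Ingress: a packet from the Internet can never truthfully carry one of
        # our own addresses. This is the inconsistency the detection notes describe.
        if is_local(src):
            return "drop", "ingress: outside packet claims a local source"
        if any(src in net for net in BOGONS):
            return "drop", "ingress: private/bogon source from the Internet"
        if not is_local(dst):
            return "drop", "ingress: not addressed to us (we are not a transit network)"
    else:
        # Egress (BCP 38): only packets sourced from our prefixes may leave, so a
        # compromised host here cannot take part in a spoofed-source DoS.
        if not is_local(src):
            return "drop", "egress: source is not one of our prefixes"
    return "pass", "ok"


def run_filter(packets):
    """Classify a batch; returns a summary a detection dashboard could use."""
    results = [(p, *classify(p)) for p in packets]
    dropped = [(p, why) for p, verdict, why in results if verdict == "drop"]
    return {"total": len(packets), "dropped": dropped}


# Constructed sample traffic: two legitimate packets and three spoofed ones.
SAMPLE_PACKETS = [
    Packet("ext", "198.51.100.7", "203.0.113.10"),    # genuine inbound
    Packet("int", "203.0.113.10", "198.51.100.7"),    # genuine outbound reply
    Packet("ext", "203.0.113.5", "203.0.113.10"),     # outsider posing as an insider
    Packet("ext", "192.168.1.20", "203.0.113.10"),    # private source from outside
    Packet("int", "198.51.100.99", "203.0.113.200"),  # insider spoofing a stranger
]

if __name__ == "__main__":
    summary = run_filter(SAMPLE_PACKETS)
    for pkt, why in summary["dropped"]:
        print(f"DROP {pkt.iface} {pkt.src} -> {pkt.dst}: {why}")
```

These rules only catch addresses that are impossible for the interface they arrive on. A remote attacker spoofing some other remote network's address passes ingress filtering at our border; stopping that depends on every network filtering its own egress, which is why item 3 (never authenticate by source address alone) and item 4 (cryptographic authentication) are on the list.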

Tools Used By Internet Spammers

  1. X-?????
    • Automated tool for registering and posting profile links to online forums.
    • Results in IP bans due to misuse.
  2. ?????Box
    • Blog mass-commenter used for posting comments to thousands of blogs.
  3. ??Nuke-?
    • Powerful automated promotion tool with a built-in database of forums and social networks.
    • Creates multiple online personas to post links and articles.
  4. Proxies & Decaptcha Services
    • Used to hide IP addresses and solve captchas accurately.
  5. Spin Text
    • Automatically alters content slightly to avoid detection.

Cyberbullies

  • Cyberbullying or cyber-harassment is a form of bullying or harassment using electronic means.
  • Cyberbullying and cyber-harassment are also known as online bullying.
  • It has become increasingly common, especially among teenagers, as the digital sphere has expanded and technology has advanced.

Online Reputation Attacks

  • Reputations are vulnerable to digital attacks.
  • Attackers create negative content to damage a person, business, or entity.
  • Attackers can be journalists, bloggers, consumers, competitor businesses, or anyone.

Cyber stalkers

  • Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, group, or organization.
  • It may include false accusations, defamation, slander and libel.
  • It may also include monitoring, identity theft, threats, vandalism, solicitation for physical favors, doxing, or blackmail.