A combination of the words "internet" and "citizen."
Refers to individuals actively participating in online communities.
Implies interest in improving the internet as an intellectual and social resource.
Supports open access, net neutrality, and free speech.
Malware and Its Existence
Malware:
Malicious software installed through deceptive methods.
Symptoms include slow system performance, unknown processes, unsolicited email sending, and random reboots.
Types of Malware
Spyware
Rootkit
Adware
Virus
Ransomware
Trojan Horse
Remote Access
Worm
Keylogger
Viruses
Code that attaches to a host application.
Activates and spreads when the host application is executed.
Payload:
Causes damage or delivers a message.
May add the computer to a botnet.
Often delayed to allow for spreading.
Polymorphic Malware
Mutates during replication.
May encrypt itself.
Designed to evade antivirus software.
Worms
Self-replicating malware.
Does not require a host application or user interaction.
Consumes network bandwidth.
Unlike viruses, don't need to be replicated.
Logic Bombs
Code that executes when a specific event occurs (e.g., a certain date).
Often planted by malicious insiders.
Payload may destroy data.
Backdoors
Allow unauthorized access to a system.
Sometimes included secretly in devices by manufacturers which is poor security practice.
Trojans
Disguised as legitimate programs but perform malicious actions.
Common in pirated software (games, apps, keygens, movies).
Rogue Antivirus ("Scareware")
Fake antivirus programs that exploit user's fear of malware.
Display virus alerts to scare users into purchasing the fake software.
Use professional-looking pop-ups, mimicking legitimate Windows alerts.
Mac Flashback Trojan
Targets macOS systems.
Disguised as an Adobe Flash installer.
Botnets
Infected computers ("bots" or "zombies") controlled by a "bot herder".
Bots connect to Command-and-Control (C&C) servers.
Used to:
Send spam.
Launch DDoS attacks.
Install keyloggers or other malware.
Ransomware
Encrypts user's files.
Demands a ransom for decryption.
Importance of data backups.
Rootkits
Malware that modifies system files.
Hides from users and antivirus software.
Conceals files, processes, and network connections.
Difficult to detect and remove.
May use hooks to intercept system-level function calls.
Spyware
Reports user activity to a remote server.
Actions:
Changing browser homepage.
Redirecting browser activity.
Installing browser toolbars.
Keylogging to steal passwords.
Often bundled with Trojans.
Adware
Displays pop-up ads.
Annoying but typically not malicious.
Pop-up blockers are commonly used as a countermeasure.
Some free software includes ads, which is not illegal.
Social Engineering
Methods:
Assuming a position of authority.
Encouraging risky actions.
Encouraging the revelation of sensitive information.
Impersonating authorized personnel.
Tailgating: Following someone into a secure area.
Impersonation
Wearing a uniform to impersonate a trusted role (e.g., phone repair technician, janitor).
Shoulder Surfing
Looking over someone's shoulder to view typed information (e.g., passwords).
Countermeasures:
Privacy screens.
Password masking (displaying dots instead of characters).
Virus Hoaxes
Scary email messages that recommend unwise actions (e.g., deleting system files).
Detection:
Consult antivirus vendor sites.
Check urban legend sites like snopes.com.
Tailgating and Mantraps
Tailgating: Following someone through a secure door.
Prevention: Use mantraps, turnstiles, or security guards.
Dumpster Diving
Searching through trash for useful documents.
Targets: Company directories, pre-approved credit card applications, Personally Identifiable Information (PII).
Countermeasures:
Shredding documents.
Burning documents.
Spam and Spam Filters
Much spam is malicious.
Contains malicious attachments and links.
Spam filters are useful at both network and end-user levels.
Phishing
Emails disguised as legitimate correspondence (e.g., from PayPal).
Trick users into logging into fake websites.
Used to distribute malware, validate email addresses, or solicit money.
Spear Phishing
Targeted phishing attacks aimed at specific individuals or groups with customized messages.
Often facilitated by database breaches that reveal email addresses.
Example: Targeting CCSF employees with emails related to accreditation and layoffs.
Whaling
Targeting high-level executives with phishing attacks.
Spam over Instant Messaging (SPIM)
Can be reduced by whitelisting in the IM client.
Vishing
Using free, untraceable VoIP (Voice over IP) phone calls.
Spoofing Caller ID.
Attempting to trick targets into revealing sensitive information (credit card numbers, SSN, birthday).
Privilege Escalation
Gaining elevated access from "User" to "Administrator".
Unnecessary if the user is already logged in as "Administrator" (Windows XP or earlier).
Protection Against Malware
Mail servers should scan emails for malicious attachments.
Antivirus software on all workstations and servers.
Web security gateways block malicious files and sites at network boundaries or firewalls.
Antivirus Software
Detects viruses, Trojans, worms, spyware, rootkits, and adware.
Real-time protection: Checks every accessed file and device.
Scheduled and manual scans of the file system.
Signature-based Detection
Signature files (data definition files) contain patterns that match known viruses.
Signature files must be updated frequently.
When a matching file is detected, it is deleted.
Heuristic-based Detection
Detects suspicious behavior.
Similar to anomaly-based detection in Intrusion Detection Systems (IDS).
Runs questionable code in a virtualized environment.
Detects "viral activities".
Prone to false positives.
Checking File Integrity
Detects system file alterations.
Records hash values of system files and detects changes.
Included in some Host-based Intrusion Detection Systems (HIDS) and antivirus software.
Pop-Up Blockers
Included in web browsers.
Often use whitelisting to allow pop-ups from trusted domains.
Effective against adware.
Anti-spyware Software
Some overlap with antivirus software.
Examples: Ad-Aware, Windows Defender, Spybot—Search and Destroy.
Educating Users
Security awareness training is essential.
Security Awareness
Keep users informed about new viruses, phishing attacks, and zero-day exploits.
Safe Computing Habits
Avoid clicking links or opening attachments in emails from unknown sources.
Be cautious of free downloads.
Limit information posted on social media.
Back up data regularly.
Install updates and patches.
Keep antivirus software up-to-date.
Why Social Engineering Works
Scarcity: Convincing the target that it's their last chance to get something good.
Urgency: Creating a sense of urgency, e.g., Cryptolocker countdown.
Familiarity/Liking: Building rapport with the target before asking for a favor.
Trust: Building a trusting relationship with the target.
Security Holes and Security Patches
Security holes are discovered in antivirus software and other applications.
Vendors issue patches (fixes or security updates) to address these flaws.
Microsoft releases frequent patches due to the popularity of its software as a target.
Other applications requiring frequent patching: Firefox, QuickTime, RealPlayer, Adobe Reader, Adobe Flash Player, Sun Java Runtime Environment.
White Hat Search Engine Optimization (SEO)
SEO tactics that comply with the terms and conditions of major search engines like Google.
Improves search rankings while maintaining website integrity.
Examples:
Offering quality content and services.
Fast site loading times and mobile-friendliness.
Using descriptive, keyword-rich meta tags.
Making the site easy to navigate.
Current and Full-Time Threats
Top Risks:
Ransomware
Phishing
Data leakage
Hacking
Insider threat
Hackers and Hacker's Tools
Computer hackers are experts who use their technical knowledge to achieve a goal or overcome an obstacle within a computerized system by non-standard means.
Top Hacker Tools and Techniques:
Reconnaissance: Gathering basic information about systems (e.g., Netcraft, PCHels).
Network Exploration: Identifying host systems and services (e.g., NMap).
Probe Tools: Identifying system vulnerabilities (e.g., LANguard Network Scanner).
Scanners: Determining open ports that can be exploited (e.g., AET Network Scanner 10, FPort 1.33, Super Scan 3).
Password Cracker: Cracking weak passwords (e.g., LC5, John The Ripper, iOpus Password Recovery XP, LastBit).
Remote Administration Tools: Taking control of the victim's computer (e.g., AntiLamer, NetSlayer).
Backdoor: Exploiting vulnerabilities to access systems (e.g., KrAIMer, Troj/Zinx-A).
Denial of Service (DoS): Overloading a system with tools (e.g., Coldlife, Flooder).
Recover Deleted Files: Tools like Deleted File Analysis Utility.
Website Tools: Website indexing tools (e.g. Access Diver and IntelliTamper)
IP Spoofing
A technique used to gain unauthorized access to computers by sending messages with a forged IP address.
The attacker uses a trusted IP address as its source, bypassing access controls.
IP Spoofing Techniques:
Using an IP address within the range of trusted IP addresses.
Using an authorized external IP address that is trusted.
Uses for IP Spoofing:
Injection of malicious data or commands into an existing stream of data.
Changing the routing tables to point to the spoofed IP address.
Why IP Spoofing Is Easy
Routers primarily look at destination addresses.
Authentication is often based only on source addresses.
It's easy to change the source address field in the IP header.
Spoofing Attacks
Non-Blind Spoofing:
The attacker is on the same subnet as the target and can see the sequence and acknowledgment of packets.
Used to interfere with a connection by sending spoofed packets.
Blind Spoofing:
The attacker is outside the subnet and cannot see sequence and acknowledgment numbers.
Attackers send packets to the target machine to sample sequence numbers.
Used to interfere with a connection or create a new one.
Man in the Middle Attack
Also known as connection hijacking
A malicious party intercepts a legitimate communication between two hosts.
Controls communication flow and alters information without the participants' knowledge.
Denial of Service Attack:
Conducting the attack, the attackers spoof source IP addresses to make tracing and stopping the DoS as difficult as possible.
IP spoofing is almost always used in denial of service attacks (DoS)
Detection of IP Spoofing
Monitor packets for inconsistencies (e.g., packets with both source and destination IP addresses in the local domain).
Compare process accounting logs between internal systems to identify discrepancies in remote access initiation.
Prevention of IP Spoofing
Install a filtering router that restricts input to the external interface.
Filter outgoing packets to prevent source IP spoofing attacks originating from your site.