Hans Hedbom
Attacks on Computer Systems
Attacks
“Non-Technical” attacks
  Example: Social engineering, Phishing
  Cause: Low user awareness or missing policies/routines
Technical attacks
  Example: See following slides
  Cause: Transitive trust; bugs and configuration errors in apps and OS; vulnerabilities in protocols and network infrastructure
Threats to confidentiality
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
NETWORK ATTACKS
SYN-Attacks
The attacker sends a large number of SYN packets to the server, which fills up the SYN buffer, so the server is unable to accept more connections: Denial of Service.
TCP event diagram: Client sends SYN to Server; Server answers SYN,ACK; Client completes the handshake with ACK. A half-open entry waits for that final ACK until a timeout of ~4 min.
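How the flood described above looks from the server side, as an added example that is not part of the slides: the SYN_RECV state is counted per listening port over constructed netstat-style lines, because the remote addresses in such a flood are normally spoofed.

```python
"""Added example, not from the slides: spot a SYN flood in connection-state
output such as `netstat -ant` or `ss -tan`. A half-open entry (SYN_RECV) sits
in the backlog until the ~4 min timeout from the diagram, so a flood shows up
as many SYN_RECV rows on one listening port. Source addresses in a SYN flood
are usually spoofed (see the IP-spoofing slide), so the count is taken per
local port rather than per remote host."""
from collections import Counter

# Constructed sample in netstat column order: proto recv-q send-q local remote state
SAMPLE = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.12:40004 SYN_RECV
tcp 0 0 10.0.0.5:22 198.51.100.8:22222 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.9:22223 SYN_RECV
"""

def half_open_rows(lines):
    """Yield (local_port, remote_host) for every SYN_RECV entry."""
    for line in lines.splitlines():
        f = line.split()
        if len(f) >= 6 and f[5] == "SYN_RECV":
            yield int(f[3].rsplit(":", 1)[1]), f[4].rsplit(":", 1)[0]

def half_open_per_port(lines):
    """{local_port: number of half-open connections}."""
    return dict(Counter(port for port, _ in half_open_rows(lines)))

def distinct_sources(lines, port):
    """Remote hosts holding half-open entries on `port`; one entry per host
    across many hosts is the signature of spoofed sources."""
    return len({host for p, host in half_open_rows(lines) if p == port})

def flooded_ports(lines, threshold):
    """Ports whose half-open count reaches `threshold` (size it to the backlog)."""
    return sorted(p for p, n in half_open_per_port(lines).items() if n >= threshold)

if __name__ == "__main__":
    for port in flooded_ports(SAMPLE, threshold=3):
        print(f"port {port}: {half_open_per_port(SAMPLE)[port]} half-open "
              f"from {distinct_sources(SAMPLE, port)} sources")
```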
IP Fragmentation Attack
Intentional fragmentation of IP-packets may confuse routers, firewalls and servers
Diagram: Original IP packet (header + data). Fragmented into Fragment 1 (header + data) and Fragment 2 (header + data); the offsets shown are 0, 20 and 16. Assembled: the data regions overlap (Overlap!).
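A reassembly check that refuses the overlap from the diagram, as an added example that is not part of the slides; it assumes fragment 1 covers bytes 0-19 and the second fragment claims offset 16 instead of 20.

```python
"""Added example, not from the slides: a reassembly check that refuses the
overlapping fragments in the diagram instead of letting the second fragment
overwrite the first. Fragments are (offset, payload) in bytes of the original
payload; a real IP header counts the offset in 8-byte units and carries a
more-fragments flag, which this toy version leaves out."""

def find_overlaps(fragments):
    """Index pairs (i, j), i < j, whose byte ranges overlap."""
    spans = [(off, off + len(data)) for off, data in fragments]
    pairs = []
    for j, (start_j, end_j) in enumerate(spans):
        for i in range(j):
            start_i, end_i = spans[i]
            if start_i < end_j and start_j < end_i:
                pairs.append((i, j))
    return pairs

def reassemble(fragments):
    """Return the reassembled payload, or raise ValueError when fragments
    overlap or leave a gap; a firewall would drop such a packet rather than
    guess which copy of the bytes the receiver will keep."""
    if find_overlaps(fragments):
        raise ValueError("overlapping fragments")
    buf = bytearray()
    for off, data in sorted(fragments, key=lambda f: f[0]):
        if off != len(buf):
            raise ValueError(f"gap before offset {off}")
        buf += data
    return bytes(buf)

# Constructed from the slide: fragment 1 covers bytes 0-19; in OVERLAP the
# second fragment announces offset 16 although its data belongs at offset 20.
GOOD = [(0, b"A" * 20), (20, b"B" * 12)]
OVERLAP = [(0, b"A" * 20), (16, b"B" * 12)]

if __name__ == "__main__":
    print(len(reassemble(GOOD)), "bytes reassembled")
    print(find_overlaps(OVERLAP))           # [(0, 1)]
```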
Sniffer Attacks
Eavesdropping on a network segment.
Diagram: Telnet client and Telnet server talk across an IP network; the attacker on the same segment reads the Telnet traffic (password in the clear).
Passwords over the Net
Telnet, FTP, Rlogin, Rexec, POP, SNMP, NFS, SMB, HTTP
IP-Spoofing
Counterfeiting of IP-sender-addresses when using UDP and TCP
Diagram: NFS client, NFS server and attacker on an IP network; the arrows are labelled NFS-request, NFS-response and SYN-attack.
Session Hijacking
The attacker hijacks a session between a client and a server; it could for example be an administrator using telnet for remote login.
Diagram: Telnet client and Telnet server on an IP network with the attacker in between; the arrows are labelled Telnet traffic, SYN-attack and IP-Spoofing.
DNS Cache Poisoning
DNS = Domain Name Service, primarily used to translate names into IP addresses, e.g. ”www.sunet.se” to ”192.36.125.18”
Attack: data injection into the DNS server
Cross-checking an address might help
OS (SOFTWARE) ATTACKS
Race Condition Attacks
Exploits software that performs operations in an improper sequence, e.g. psrace (Solaris 2.x).
Diagram: the application (/usr/bin/ps) creates the file /tmp/ps_data, stores data, uses the data, sets SUID and removes the file; in between, the attacker creates a link (/tmp/sh).
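The file-creation step that makes this race possible, next to the form that closes it, as an added example that is not part of the slides (the file names and the `demo` helper are constructed for illustration):

```python
"""Added example, not from the slides: the unsafe /tmp pattern behind a race
such as psrace next to a safe one. A privileged program that open()s a
predictable name in /tmp follows whatever is already there, so a link planted
at that name redirects its write. Opening with O_CREAT|O_EXCL|O_NOFOLLOW
refuses an existing file or link, and mkstemp() drops the predictable name."""
import os
import tempfile

def unsafe_create(path, data):
    """open() with O_CREAT but without O_EXCL: follows a pre-existing link."""
    with open(path, "wb") as fh:
        fh.write(data)

def safe_create(path, data):
    """Create only a brand-new regular file; any existing entry is an error."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def safe_tempfile(prefix="ps_"):
    """Unpredictable name plus O_EXCL in one call; returns (fd, path)."""
    return tempfile.mkstemp(prefix=prefix)

def demo():
    """Plant a symlink at the predictable name (the 'Create link' step in the
    diagram) and report (unsafe_wrote_through_link, safe_refused)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        open(victim, "wb").close()
        name = os.path.join(d, "ps_data")   # predictable name, as on the slide
        os.symlink(victim, name)
        unsafe_create(name, b"x")
        wrote_through = os.path.getsize(victim) == 1
        try:
            safe_create(name, b"x")
            refused = False
        except OSError:                     # EEXIST (or ELOOP): open() refused
            refused = True
        return wrote_through, refused

if __name__ == "__main__":
    print(demo())                           # (True, True)
```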
Buffer overflows
Buffer overflow accounts for 50 % of the security bugs (Viega and McGraw)
Data is stored in allocated memory called a buffer. If more data needs to be stored than fits, the additional bytes have to go somewhere: the buffer overflows and data are written past its bounds.
WEB ATTACKS
Browser Vulnerabilities
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Window of Exposure
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Phishing
Phishing (only works with predictable or time-invariant values): trick the user into accessing a forged web page.
Diagram (user, forged web page over SSL/TLS, real server):
1. Username
2. Ask for login credentials
3. Give login credentials
4. OK or Deny (error code)
Phishing
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Phishing
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010
Pharming
Diagram (challenge-response login; the messages are numbered in the order they are passed on across the two hops):
1. Username
2. Username
3. Challenge
4. Challenge
5. Challenge
6. Response
7. Response
8. Response
9. OK or Deny
9. OK or Deny
XSS
(Slide contains an embedded video: xss_selling_platform_v2.0.swf)
What is SQL Injection?
```php
<?php
// Login check as shown on the slide: the user-supplied values are concatenated
// straight into the SQL text, which is what makes the query injectable.
$name   = $HTTP_POST_VARS["name"];
$passwd = $HTTP_POST_VARS["passwd"];
$query  = "select name from users where name = '" . $name . "' and passwd = '" . $passwd . "'";
$result = mysql_query($query);
?>
```
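The same login query rebuilt on an in-memory SQLite table, as an added example that is not part of the slides: the concatenated form from the PHP beside the parameterised form that fixes it (the table, user and password are constructed).

```python
"""Added example, not from the slides: the slide's login query rebuilt in
Python on an in-memory SQLite table, first by string concatenation exactly as
the PHP does it, then with a parameterised query. Table contents are made up."""
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concat(db, name, passwd):
    """Same shape as the PHP: user input becomes part of the SQL text, so a
    quote character in the input ends the string literal and the rest of the
    input is read as SQL."""
    query = ("select name from users where name = '" + name +
             "' and passwd = '" + passwd + "'")
    return db.execute(query).fetchone() is not None

def login_param(db, name, passwd):
    """Placeholders: the driver passes the values separately from the SQL,
    so whatever the input contains is compared as data."""
    query = "select name from users where name = ? and passwd = ?"
    return db.execute(query, (name, passwd)).fetchone() is not None

# The textbook tautology: as a password it turns the concatenated WHERE clause
# into "... and passwd = '' OR '1'='1'", which is true for every row.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "alice", TAUTOLOGY))   # True: accepted without the password
    print(login_param(db, "alice", TAUTOLOGY))    # False: compared as a literal string
```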
BOT-NETS
Bot-nets
A bot-net is a large collection of compromised computers under the control of a command and control server.
A bot-net consists of bots (the malicious program), drones (the hijacked computers) and (one or more) C&C servers.
A bot is usually a combination of a worm and a backdoor.
IRC and HTTP are the primary communication protocols in today's bot-nets.
Bots are usually self-spreading and modular.
Uses of bot-nets
Bot-nets could be used for the following:
Click fraud: making drones click on specific advertisements on the web.
DDoS: for financial gain or blackmail.
Keylogging: for financial gain and identity theft.
Warez: collecting, spreading and storing.
Spam: for financial gain.
And of course as a private communication network.
Detecting and preventing bot-nets
Detection is all about finding the C&C server.
Look for suspicious traffic patterns in firewall logs and other logs.
Take note of servers with a high number of incoming connections.
Monitor the suspicious C&C and inform the owner and the authorities when you are sure that it is a bot-net controller.
Prevention
All the usual rules apply: patch and protect. Do egress filtering in firewalls as well as ingress. This will stop infections from spreading and could block outgoing traffic from drones within the intranet.
Problems
Some bot-nets are encrypted.
Tracking the C&C to the real bot-net owner can be hard.
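The firewall-log check described above, as an added example that is not part of the slides: it counts how many intranet hosts contact the same external endpoint over constructed log lines (the log format, addresses and thresholds are assumptions).

```python
"""Added example, not from the slides: the 'suspicious traffic pattern' check
from the slide, run over constructed firewall log lines. Many intranet hosts
connecting to one external address:port (here IRC on 6667, one of the two
protocols the slides name) is the fan-in that points at a C&C server and,
at the same time, lists the drones inside the network."""
from collections import defaultdict

# Constructed firewall log: time action proto src -> dst
FIREWALL_LOG = """\
2010-04-01T10:00:01 ALLOW TCP 10.1.0.11:49152 -> 203.0.113.5:6667
2010-04-01T10:00:03 ALLOW TCP 10.1.0.12:49201 -> 203.0.113.5:6667
2010-04-01T10:00:07 ALLOW TCP 10.1.0.13:49310 -> 203.0.113.5:6667
2010-04-01T10:00:09 ALLOW TCP 10.1.0.14:49333 -> 203.0.113.5:6667
2010-04-01T10:00:12 ALLOW TCP 10.1.0.11:49160 -> 198.51.100.20:443
2010-04-01T10:00:15 DENY  TCP 10.1.0.15:49400 -> 203.0.113.5:6667
2010-04-01T10:00:20 ALLOW TCP 10.1.0.12:49210 -> 198.51.100.21:80
"""

def fan_in(log):
    """{external dst:port: set of internal source hosts that tried to reach it}.
    DENY lines count too: an egress-filtered drone still shows its beaconing."""
    seen = defaultdict(set)
    for line in log.splitlines():
        f = line.split()
        if len(f) < 6 or f[4] != "->":
            continue
        seen[f[5]].add(f[3].rsplit(":", 1)[0])
    return seen

def suspected_cc(log, min_sources=3):
    """External endpoints contacted by at least `min_sources` internal hosts,
    widest fan-in first, each with its sorted list of candidate drones. A hit
    is a lead to monitor, not yet proof of a bot-net controller."""
    hits = [(dst, sorted(srcs)) for dst, srcs in fan_in(log).items()
            if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for dst, drones in suspected_cc(FIREWALL_LOG):
        print(f"{dst}: {len(drones)} internal hosts -> {', '.join(drones)}")
```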
Bot activity
Table from: Symantec Global Internet Security Threat Report, Trends for 2009, Volume XV, published April 2010