A Report on Ethical Hacking

Apr 06, 2015

Page 1: A Report on Ethical Hacking

A Report On Ethical Hacking & Network Defense

Submitted in partial fulfillment for the B. Tech. Degree

VYAS INSTITUTE OF ENGINEERING AND TECHNOLOGY

JODHPUR

Submitted To:-
Mr. Jitendra Purohit, Asst. Professor, CSE & IT Dept., Vyas Institute of Engineering & Technology

Submitted By:-
Karan Singh Sisodia, B. Tech. IV year, Information Technology, Vyas Institute of Engineering & Technology


COURSE TITLE

Ethical Hacking & Network Defense:

Why Information Security?

After the boom in Networking and Software jobs, the past two years have seen a sharp rise in the field of Information Security. Information Security and Ethical Hacking is the latest buzzword in the industry. In the past five years, the percentage of hacking crimes, data thefts, data losses, viruses and other cyber crimes has increased exponentially. “NASSCOM predicts a requirement of 1,88,000 professionals by the year 2008. Currently the number of security professionals in India is around 22,000.” The current demand for Information Security jobs continues to grow. With information security increasingly becoming a boardroom-level concern, training and certification are becoming increasingly important for candidates and companies alike.

Need for Information Security in the Indian Market: Security compliance is a must for all companies with an IT backbone. The requirement is high for organizations in the IT / ITES segment. Information workers lack basic security knowledge. The Information Security industry is going through an exponential growth rate; the current worldwide growth rate is billed at 21 %.


INDEX

1. Cover Page
2. Certificate
3. Institute Name
4. Course Title
5. Index
6. Introduction to Ethical Hacking & Network Defense
7. What is a Hacker
8. What are Viruses, Worms, Backdoor Trojans
9. What is Spyware
10. What are Firewalls and Ports
11. What is the Registry
12. What is the Group Policy Editor
13. Proxy Servers
14. Hacking Attacks (Types)
15. Phishing
16. Email-Tracker
17. Password Cracking
18. Footprinting
19. SQL Injection
20. DoS Attack
21. Net Tools
22. Cryptography
23. Art of Googling
24. Data Recovery
25. Honeypot or Trapdoor


Introduction to Ethical Hacking & Network Defense

Ethical hackers are employed by companies to perform penetration tests.

A penetration test is a legal attempt to break into a company’s network to find its weakest link. The tester only reports findings and does not harm the company.

What is a Hacker?

Eric Raymond, compiler of The New Hacker's Dictionary, defines a hacker as a clever programmer. A "good hack" is a clever solution to a programming problem and "hacking" is the act of doing it. Raymond lists five possible characteristics that qualify one as a hacker, which we paraphrase here:

- A person who enjoys learning details of a programming language or system
- A person who enjoys actually doing the programming rather than just theorizing about it
- A person capable of appreciating someone else's hacking
- A person who picks up programming quickly
- A person who is an expert at a particular programming language or system, as in "Unix hacker"


Hacker classes

- Black hats – highly skilled, malicious, destructive “crackers”.
- White hats – skills used for defensive security analysis.
- Gray hats – work both offensively and defensively; will hack for different reasons, depending on the situation.
- Hacktivism – hacking for a social or political cause.
- Ethical hackers – determine what attackers can gain access to, what they will do with the information, and whether they can be detected.

Anatomy of an attack:

- Gathering data – the attacker gathers information; this can include social engineering.
- Scanning – searches for open ports (port scan) and probes the target for vulnerabilities.
- Gaining access – the attacker exploits vulnerabilities to get inside the system; this can involve IP spoofing.
- Maintaining access – creates a backdoor through the use of Trojans; once the attacker gains access, he/she makes sure he/she can get back in.
- Covering tracks – deletes files, hides files, and erases log files, so that the attacker cannot be detected or penalized.


Raymond deprecates the use of this term for someone who attempts to crack someone else's system or otherwise uses programming or expert knowledge to act maliciously. He prefers the term cracker for this meaning.

The term hacker is used in popular media to describe someone who attempts to break into computer systems. Typically, this kind of hacker would be a proficient programmer or engineer with sufficient technical knowledge to understand the weak points in a security system.

A cracker is someone who breaks into someone else's computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there. Some breaking-and-entering has been done ostensibly to point out weaknesses in a site's security system.

A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.


What Is a Virus?

A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. Like a human virus, a computer virus can range in severity: some may cause only mildly annoying effects while others can damage your hardware, software or files.

Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it actually cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action (such as running an infected program) to keep it going.

People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

What Is a Worm?

A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.

The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receivers' address books, and the manifest continues on down the line.


Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

What Is a Trojan horse?

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

What Are Blended Threats?

Added into the mix, we also have what is called a blended threat. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. Characteristics of blended threats are that they cause harm to the infected system or network, they propagate using multiple methods, the attack can come from multiple points, and blended threats also exploit vulnerabilities.

To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack — it would also, for example, install a backdoor and maybe even damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. So, while a worm may travel and spread through e-mail, a single blended threat could use multiple routes including e-mail, IRC and file-sharing networks.

Lastly, rather than a specific attack on predetermined .exe files, a blended threat could do multiple malicious acts, like modify your .exe files, HTML files and registry keys at the same time — basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats also require no human intervention to propagate.

Combating Viruses, Worms and Trojan Horses:

The first step in protecting your computer from any malicious threat is to ensure that your operating system (OS) is up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you need to have anti-virus software installed on your system and ensure you download updates frequently so that your software has the latest fixes for new viruses, worms, and Trojan horses. Additionally, you want to make sure your anti-virus program has the capability to scan e-mail and files as they are downloaded from the Internet, and you also need to run full disk scans periodically. This will help prevent malicious programs from even reaching your computer. You should also install a firewall.

A firewall is a system that prevents unauthorized use of and access to your computer. A firewall can be either hardware or software. Hardware firewalls provide a strong degree of protection from most forms of attack coming from the outside world and can be purchased as a stand-alone product or built into broadband routers. Unfortunately, when battling viruses, worms and Trojans, a hardware firewall may be less effective than a software firewall, as it could possibly ignore worms embedded in outgoing e-mails and see this as regular network traffic.

For individual home users, the most popular firewall choice is a software firewall. A good software firewall will protect your computer from outside attempts to control or gain access to your computer, and usually provides additional protection against the most common Trojan programs or e-mail worms. The downside to software firewalls is that they will only protect the computer they are installed on, not a network.

It is important to remember that on its own a firewall is not going to rid you of your computer virus problems, but when used in conjunction with regular operating system updates and good anti-virus scanning software, it will add some extra security and protection for your computer or network.

Backdoor Trojans

Background Information:

Examples of backdoor trojans are Netbus and Back Orifice. They allow other people to control your computer over the Internet. When you run a program that contains the backdoor trojan, it will copy itself to the Windows or Windows\System directory and add itself to the system's registry. Trojans are usually claimed to be some sort of desirable program. For example, one popular trojan wrapper is a game called "Whack a Mole". Another is a game called "Pie Bill Gates". Once the program is in memory, it tries to hide itself on the task list. It doesn't show any icon or indication that it is running. It listens on a port until someone connects. The person who is controlling your computer uses a program that lets them record keystrokes, view files, move the mouse, open and close the CD-ROM, etc. Sometimes, the trojan is customized so that the person who planted it gets an e-mail when you run it.

Removal:

The trojan tries to make itself hard to remove. Back Orifice uses a file with a name that usually shows up as " .EXE"; sometimes it uses a name like "MSGSRV32.DRV". Windows prevents deleting the trojan file while it is active. Some of the regular antivirus software can find these trojans and delete them while Windows is not running. The antivirus program should find at least one EXE or DRV file containing the trojan. If it finds a .DLL file, then it is just an add-on to the trojan that provides extra features. If you decide to use a single-purpose trojan remover, then be cautious. Sometimes trojans are disguised as trojan removers. For example, SynTax Back Orifice Remover and BOSniffer are both actually Back Orifice. A program imitating Antigen, named Trojan.Win32.Antigen, claims to remove Back Orifice but is actually a program that steals passwords. There are legitimate anti-Trojan programs, but make sure you get recommendations from people who have tried them and download them directly from the author's site.

You can also remove it from the registry manually. Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Check under Run and RunServices for any suspicious-looking files. Some files are normally under this part of the registry: Rundll32.exe, systray.exe, scanregw.exe, taskmon.exe, mstask.exe. There are also some other files that are legitimate parts of the registry.
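The manual regedit check above can be scripted. The following PowerShell is an added example, not code from the report; it reads the same Run and RunServices keys (HKEY_CURRENT_USER is included as an assumption, the report only names HKEY_LOCAL_MACHINE), compares each entry against the report's list of normally-present programs, and flags the rest for review without deleting anything.

```powershell
# Added example (not part of the report): enumerate the autostart keys the
# report tells you to inspect in regedit and flag every entry that is not on
# its list of normally-present programs. Read-only: nothing is deleted.
# Run from an elevated PowerShell prompt so HKLM is fully readable.

# Entries the report says are normally present under Run/RunServices.
$KnownGood = @('rundll32.exe', 'systray.exe', 'scanregw.exe', 'taskmon.exe', 'mstask.exe')

# The report walks HKEY_LOCAL_MACHINE; the same keys under HKEY_CURRENT_USER
# are checked too (assumption: a per-user autostart matters just as much).
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Properties that Get-ItemProperty adds itself; they are not registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutableFromCommand {
    # Return the executable part of an autostart command line, quoted or not.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Get-AutostartFindings {
    param([string[]]$Keys = $AutostartKeys, [string[]]$Allow = $KnownGood)

    foreach ($key in $Keys) {
        # RunServices exists only on very old Windows versions; skip absent keys.
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }

        foreach ($prop in $item.PSObject.Properties) {
            if ($MetaProps -contains $prop.Name) { continue }

            $cmd     = [string]$prop.Value
            $exePath = Get-ExecutableFromCommand -CommandLine $cmd
            $exeName = [System.IO.Path]::GetFileName($exePath)
            $ext     = [System.IO.Path]::GetExtension($exeName).ToLower()

            # Classify, most suspicious first. The report notes that Back Orifice
            # hides behind names such as " .EXE" or "MSGSRV32.DRV".
            $status = if ($Allow -contains $exeName.ToLower()) { 'known' }
                elseif ($exeName.Trim() -eq '' -or $exeName.Trim() -eq '.exe') { 'review: blank file name' }
                elseif ($ext -ne '.exe') { "review: non-EXE target ($ext)" }
                elseif ([System.IO.Path]::IsPathRooted($exePath) -and
                        -not (Test-Path -LiteralPath $exePath -PathType Leaf)) { 'review: file not found' }
                else { 'review: not on known list' }

            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Executable = $exeName
                Command    = $cmd
                Status     = $status
            }
        }
    }
}

# Entries that need a human look come first; known entries last.
Get-AutostartFindings | Sort-Object Status -Descending | Format-Table -AutoSize
```

Anything marked "review" is not automatically malicious; the report's own advice applies: confirm the file with an up-to-date antivirus scan before removing it.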

Why is it called "Spyware"?

While this may be a great concept, the downside is that the advertising companies also install additional tracking software on your system, which is continuously "calling home", using your Internet connection, and reports statistical data to the "mothership". While, according to the privacy policies of the companies, there will be no sensitive or identifying data collected from your system and you shall remain anonymous, the fact remains that you have a "live" server sitting on your PC that is sending information about you and your surfing habits to a remote location.


Are all Adware products "Spyware"?

No, but the majority are. There are also products that do display advertising but do not install any tracking mechanism on your system. These products are not indexed in our database.

Is Spyware illegal?

Even though the name may indicate so, Spyware is not an illegal type of software in any way. However, there are certain issues that a privacy-oriented user may object to and therefore prefer not to use the product. This usually involves the tracking and sending of data and statistics via a server installed on the user's PC and the use of your Internet connection in the background.

What's the hype about?

While legitimate adware companies will disclose the nature of data that is collected and transmitted in their privacy statement (linked from our database), there is almost no way for the user to actually control what data is being sent. The fact is that the technology is in theory capable of sending much more than just banner statistics, and this is why many people feel uncomfortable with the idea. On the other hand, millions of people are using advertising-supported "spyware" products and could not care less about the privacy hype; in fact some "Spyware" programs are among the most popular downloads on the Internet.

Real spyware:

There are also many PC surveillance tools that allow a user to monitor all kinds of activity on a computer, ranging from keystroke capture, snapshots, email logging, chat logging and just about everything else. These tools are perfectly legal in most places, but, just like an ordinary tape recorder, if they are abused, they can seriously violate your privacy.


FIREWALL

A firewall is a secure and trusted machine that sits between a private network and a public network. The firewall machine is configured with a set of rules that determine which network traffic will be allowed to pass and which will be blocked or refused. In some large organizations, you may even find a firewall located inside their corporate network to segregate sensitive areas of the organization from other employees. Many cases of computer crime occur from within an organization, not just from outside.

Firewalls can be constructed in quite a variety of ways. The most sophisticated arrangement involves a number of separate machines and is known as a perimeter network. Two machines act as "filters" called chokes to allow only certain types of network traffic to pass, and between these chokes reside network servers such as a mail gateway or a World Wide Web proxy server. This configuration can be very safe and easily allows quite a great range of control over who can connect both from the inside to the outside, and from the outside to the inside. This sort of configuration might be used by large organizations.

Typically though, firewalls are single machines that serve all of these functions. These are a little less secure, because if there is some weakness in the firewall machine itself that allows people to gain access to it, the whole network security has been breached. Nevertheless, these types of firewalls are cheaper and easier to manage than the more sophisticated arrangement just described.

The Linux kernel provides a range of built-in features that allow it to function quite nicely as an IP firewall. The network implementation includes code to do IP filtering in a number of different ways, and provides a mechanism to quite accurately configure what sort of rules you'd like to put in place. The Linux firewall is flexible enough to make it very useful in either of the configurations.

PORT:

(1) An interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.

Almost all personal computers come with a serial RS-232C port or RS-422 port for connecting a modem or mouse and a parallel port for connecting a printer. On PCs, the parallel port is a Centronics interface that uses a 25-pin connector. SCSI (Small Computer System Interface) ports support higher transmission speeds than do conventional ports and enable you to attach up to seven devices to the same port.

(2) In TCP/IP and UDP networks, an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic. Also see Well-Known TCP Port Numbers in the Quick Reference section of Webopedia.

(3) To move a program from one type of computer to another. To port an application, you need to rewrite sections that are machine dependent, and then recompile the program on the new computer. Programs that can be ported easily are said to be portable.

REGISTRY

This is a database used by Microsoft Windows to store configuration information about the software installed on a computer. This information includes things like the desktop background, program settings, and file extensions.

The Windows registry consists of six parts:

HKEY_USERS - contains the user information for each user of the system.
HKEY_CURRENT_USER - has all the preferences for the current user.
HKEY_CURRENT_CONFIG - stores settings for the display and printers.
HKEY_CLASSES_ROOT - includes file associations and OLE information.
HKEY_LOCAL_MACHINE - has the settings for the hardware, operating system, and installed applications.

How to Hide Run (all users):

1) Open regedit (Start menu > Run, and type in regedit).
2) Go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
3) Right-click on the right pane, select New -> DWORD, and name the value "NoRun".
4) Select Properties and change the value to 1.
5) Log off Windows and log in again; Run is hidden.

How to Hide Search (all users):

1) Open regedit (Start menu > Run, and type in regedit).
2) Go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
3) Right-click on the right pane, select New -> DWORD, and name the value "NoFind".
4) Select Properties and change the value to 1.
5) Log off Windows and log in again; Search is hidden.

How to Hide Desktop (all users):

1) Open regedit (Start menu > Run, and type in regedit).
2) Go to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
3) Right-click on the right pane, select New -> DWORD, and name the value "NoDesktop".
4) Select Properties and change the value to 1.
5) Log off Windows and log in again; the Desktop is hidden.
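The three procedures above differ only in the value name, so they can be applied and verified with one script. This PowerShell is an added example, not from the report; the function names are made up here. One caveat worth knowing: the report's path is under HKEY_CURRENT_USER, which restricts only the user who is logged on; the same value names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer apply to all users of the machine (a standard Explorer policy location the report does not show).

```powershell
# Added example (not part of the report): apply, remove or audit the Explorer
# policy values NoRun, NoFind and NoDesktop that the report sets by hand in
# regedit. Supports -WhatIf so the change can be previewed before it is made.

function Get-ExplorerPolicyPath {
    # CurrentUser = the report's HKCU path; AllUsers = the machine-wide HKLM path.
    param([ValidateSet('CurrentUser', 'AllUsers')][string]$Scope = 'CurrentUser')
    $hive = if ($Scope -eq 'AllUsers') { 'HKLM:' } else { 'HKCU:' }
    return "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
}

function Set-ExplorerRestriction {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('NoRun', 'NoFind', 'NoDesktop')][string[]]$Name,
        [ValidateSet('CurrentUser', 'AllUsers')][string]$Scope = 'CurrentUser',
        [switch]$Disable   # write 0 instead of 1 to lift the restriction again
    )
    $path = Get-ExplorerPolicyPath -Scope $Scope
    # The Policies\Explorer key does not exist on a fresh system; create it.
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    $value = if ($Disable) { 0 } else { 1 }
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess("$path\$n", "set DWORD value to $value")) {
            # -Force overwrites an existing value of the same name.
            New-ItemProperty -Path $path -Name $n -PropertyType DWord -Value $value -Force | Out-Null
        }
    }
}

function Get-ExplorerRestriction {
    # Report the state of all three values in both scopes, so a restriction set
    # machine-wide is not missed when only the user's hive is inspected.
    foreach ($scope in 'CurrentUser', 'AllUsers') {
        $path = Get-ExplorerPolicyPath -Scope $scope
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($n in 'NoRun', 'NoFind', 'NoDesktop') {
            $v = if ($item -and $null -ne $item.$n) { [int]$item.$n } else { $null }
            [pscustomobject]@{
                Scope   = $scope
                Name    = $n
                Value   = $v
                Enabled = ($v -eq 1)
            }
        }
    }
}

# Preview what would be written, then audit the current state.
Set-ExplorerRestriction -Name NoRun, NoFind -WhatIf
# Set-ExplorerRestriction -Name NoRun, NoFind      # apply for the current user
# Set-ExplorerRestriction -Name NoRun -Disable     # undo
Get-ExplorerRestriction | Format-Table -AutoSize
```

As the report says, Explorer reads these values at logon, so the change is visible only after the user logs off and on again.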

About the Group Policy Editor

How does it work?

Although the Group Policy Editor console (gpedit.msc) is mostly used by administrators of networks and domains, it also has uses for a stand-alone home computer. One application is to allow convenient and easy editing of the Registry so that a variety of tweaks or changes to the system can be made. These settings are known as policies and are stored in a special hidden folder %SystemRoot%\System32\GroupPolicy\ (for most home systems the environment variable %SystemRoot% is C:\Windows). Policies that apply to the machine are stored in a sub-folder "Machine" and policies that apply to a user are stored in a sub-folder "User". In each case the settings are in a file named "Registry.pol". Thus the settings for the machine are in %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol and, in similar fashion, user settings are in User\Registry.pol. Policies are used to write to a special key of the Registry and override any settings elsewhere in the Registry. Since only the administrator account can access the policy settings, limited account users can be prevented from making unwanted system changes.

Another useful application of the Group Policy Editor (GPE) is to provide for the automatic running of scripts or programs whenever the computer is started up or shut down or when a user logs on or off. This may be the application of most practical use to a typical home PC user.

Using the Group Policy Editor:

Like many other management consoles, the GPE is not listed in Start > All Programs. To open it, go to Start > Run and enter "gpedit.msc" (without quotes). Figure 1 shows one view of the console. Note that there are entries for the computer configuration and for the user configuration. Selecting either one then gives the entries shown in the right panel of the figure. Clicking plus signs in the left panel will expand the selections.

Proxy Servers

A proxy server is a kind of buffer between your computer and the Internet resources you are accessing. Proxy servers accumulate and save files that are most often requested by thousands of Internet users in a special database, called a “cache”. Therefore, proxy servers are able to increase the speed of your connection to the Internet. The cache of a proxy server may already contain information you need by the time of your request, making it possible for the proxy to deliver it immediately. The overall increase in performance may be very high. Also, proxy servers can help in cases when some owners of Internet resources impose restrictions on users from certain countries or geographical regions. In addition to that, among proxy servers there are so-called anonymous proxy servers that hide your IP address, thereby saving you from vulnerabilities concerned with it.


Anonymous Proxy Server:

Anonymous proxy servers hide your IP address and thereby prevent unauthorized access to your computer through the Internet. They do not provide anyone with your IP address and effectively hide any information about you and your reading interests. Besides that, they don’t even let anyone know that you are surfing through a proxy server. Anonymous proxy servers can be used for all kinds of Web services, such as Web mail (MSN Hotmail, Yahoo mail), web chat rooms, FTP archives, etc.

Why Should You Use Anonymous Proxy Servers?

Any web resource you access can gather personal information about you through your unique IP address – your ID on the Internet. They can monitor your reading interests, spy upon you and, according to some policies of the Internet resources, deny access to any information you might need. You might become a target for many marketers and advertising agencies who, having information about your interests and knowing your IP address as well as your e-mail, will be able to send you their spam and junk e-mails regularly. A web site can automatically exploit security holes in your system using not-very-complex, ready-made, free hacking programs. Some of such programs may just hang your machine, making you reboot it, but other, more powerful ones can get access to the content of your hard drive or RAM. Everything a web site may need for that is only your IP address and some information about your operating system. Using an anonymous proxy server, you don't give anybody any chance to find out your IP address and any information about you and use them in their own interests.

The Solution:

Using an anonymous proxy server you don’t give anybody a chance to find out your IP address to use it in their own interests. We can offer you three ways to solve your IP problem:

1. Secure Tunnel - a paid proxy server with plenty of features. Effective for personal use, when your Internet activities are not involved in web site development, mass form submitting, etc. The best solution for most Internet users. Ultimate protection of privacy - nobody can find out where you are engaged in surfing. Blocks all methods of tracking. Provides an encrypted connection for all forms of web browsing, including http, news, mail, and the especially vulnerable IRC and ICQ. Comes with special, totally preconfigured software.

2. ProxyWay Pro - multifunctional anonymous proxy surfing software which you can use together with a wide variety of web applications (web browsers, Instant Messengers, Internet Relay Chat (IRC), etc.) to ensure your anonymity. ProxyWay Pro provides an extended proxy management system that enables you to search for, check (multithreaded proxy checking), analyze and validate proxy servers for speed, anonymity, type (HTTP/HTTPS/SOCKS) and geographical location, and to create proxy chains. It allows the proxy list to be updated automatically using a scheduler. ProxyWay Pro lets you clear history, block ads and popups, change User-Agent and Referrer fields, block harmful code and much more. It can also be used as a simple local proxy server.

3. Our own small proxy list is also a good place to start if you are a novice.

There are MANY methods to change your IP address. Some methods will work for you but may not work for someone else, and vice versa. If your IP is static, then you CAN’T change your IP address without contacting your ISP. If you have a long lease time on your IP then you won’t be able to change your IP without cloning your MAC address, which I’ll explain later in this article.


Hacking Attack Types

1) Inside Jobs - Many security breaches originate inside the network that is under attack. Inside jobs include stealing passwords (which the insider then uses or sells), industrial espionage, sabotage by disgruntled employees, or simple misuse of access. Sound policy enforcement, least-privilege access, and observant employees who guard their passwords and PCs can thwart many of these breaches.

2) Rogue Access Points - Rogue access points (APs) are unauthorised wireless access points plugged into the internal network, usually with little or no security, that outsiders within radio range can easily join. (Local hackers often advertise rogue APs to each other.) Rogue APs are most often installed by well-meaning but uninformed employees who want wireless coverage.

3) Back Doors - Hackers can gain access to a network by exploiting back doors: administrative shortcuts, configuration errors, easily guessed passwords, and unsecured dial-up lines. With automated scanners (bots) that sweep whole address ranges, an attacker will eventually find such weaknesses in a network.

4) Viruses and Worms - Viruses and worms are self-replicating programs or code fragments. A virus attaches itself to another program or file and spreads when that file is copied or executed; a worm spreads from machine to machine on its own, typically by exploiting a network service or by mailing itself out. The traffic a fast-spreading worm generates can saturate networks, but the program's payload (data destruction, defacement, a back door) is usually the real damage.

5) Trojan Horses - Trojan horses are malicious programs disguised as, or attached to, legitimate software, and are a common route into a machine. When a user downloads and runs a Trojan horse, the hidden code kicks off a virus, a password stealer, or remote-control software that gives the hacker control of the PC.

6) Denial of Service - DoS attacks give hackers a way to bring down a network or service without gaining internal access. They work by flooding the target (or the access routers in front of it) with more traffic than it can handle: mail bombs, TCP connection requests (SYN floods), or any other bogus packets. Distributed DoS (DDoS) attacks are coordinated DoS attacks from many compromised sources. A DDoS is harder to block because it comes from multiple, changing source IP addresses, so no single address can be filtered.

7) Anarchists, Crackers, and Kiddies - Who are these people, and why are they attacking your network?

Anarchists are people who just like to break things. They usually exploit any target of opportunity.

Crackers are hobbyists or professionals who break passwords and software protection and develop Trojan horses and other attack tools (the cracked software and tools are traded as "warez"). They either use the software themselves (for bragging rights) or sell it for profit.

Script kiddies are hacker wannabes. They have no real hacker skills, so they buy or download ready-made tools, which they launch without understanding them.

Other attackers include disgruntled employees, terrorists, political operatives, or anyone else who feels slighted, exploited, ripped off, or unloved.

8) Sniffing and Spoofing - Sniffing is the act of capturing packets as they cross a network, for example by putting a network card into promiscuous mode on a shared segment or wireless network, or by tricking a switch into sending traffic past the sniffer. Anything sent in cleartext (passwords, session cookies, mail) can be read directly. Spoofing is the act of sending packets with a forged source address so that they appear to come from a trusted host. To spoof a TCP session blindly, the attacker must also supply the sequence and acknowledgment (ACK) numbers the victim expects, which he can guess, predict from a weak generator, or obtain by sniffing.

As the cost of hacking attacks continues to rise, businesses have been forced to increase

spending on network security. However, hackers have also developed new skills that allow

them to break into more complex systems. Hacking typically involves compromising the

security of networks, breaking the security of application software, or creating malicious

programs such as viruses.

The most popular forms of network hacking are denial of service (DoS) attacks and mail

bombs. DoS attacks are designed to swamp a computer network, causing it to crash. Mail

bombs act in a similar fashion, but attack the network's mail servers. When eBay was

attacked in February 2000, its Web server was bombarded with fake requests for Web pages,

which overloaded the site and caused it to crash. Network hackers also try to break into

secure areas to find sensitive data. Once a network is hacked, files can be removed, stolen, or

erased. A group of teens in Wichita, Kansas, for example, hacked into AOL and stole credit

card numbers that they then used to buy video games.

Application hackers break the copy protection on application software (including word processing and graphics programs) in order to get it for free. One way they get past a serial-number check is with a key generator, a program that reproduces the vendor's serial-number algorithm or simply tries millions of combinations until the installer accepts one. Application hackers also patch the program itself to remove its licensing checks.

Hackers who create viruses, logic bombs, worms, and Trojan horses are involved in perhaps the most malicious hacking activities. A virus is a program that attaches itself to a file in order to replicate, and in doing so can corrupt computer files. It can also cause a computer to crash by consuming all of the computer's resources. For example, e-mail systems were inundated by the "ILOVEYOU" worm (also called the "Love Bug") in May 2000, and the damage to individuals, businesses, and institutions was estimated at roughly $10 billion. Similar to viruses, logic bombs lie dormant and attack when triggered by a certain event, such as a change in date. Worms attack networks in order to replicate and spread. In July 2001 a worm named "Code Red" began attacking Microsoft Internet Information Server (IIS) through a buffer overflow in the server's indexing service. The worm infected Windows NT 4.0 and Windows 2000 systems running IIS 4.0 and 5.0 and defaced Web sites, leaving the phrase "Welcome to www.worm.com! Hacked by Chinese!". Finally, a Trojan horse is a program that appears to do one thing but really does something else. While a computer system might recognize a Trojan horse as a safe program, upon execution it can release a virus, worm, or logic bomb.

PHISHING

Just like a lure might be dangled in front of a fish to trick it into thinking there’s a real worm

at the end of the hook, phishing is e-mail or instant messages that look like they’re from a

reputable company to get you to click a link. These messages can look like the real thing,

right down to a spoofed e-mail address (faking someone else’s e-mail address is known as

“spoofing”). When unsuspecting users click the link, they’re taken to an equally convincing

(and equally fake) Web page or pop-up window that’s been set up to imitate a legitimate

business. The phishing site will ask for the user’s personal information, which the phisher

then uses to buy things, apply for a new credit card, or otherwise steal a person’s identity.

What are the signs of phishing?

Spotting the imposters can be tricky since phishers go to great lengths to look like the real

thing:

Unsolicited requests for personal information. Most businesses aren’t going to ask you for

your personal information out of the blue—especially not an organization such as your bank

or credit card company, which should already have this information on file. If you do get a

request for personal information, call the company first and make sure the request is

legitimate.

Alarmist warnings. Phishers often attempt to get people to respond without thinking, and a

message that conveys a sense of urgency, perhaps by saying that an account will be closed in

48 hours if you don’t take immediate action, may cause you to do just that.

Mistakes. The little things can often reveal the biggest clues. Phishers often slip up on the

finer details and overlook typos, mistakes in grammar, and so on.

Addressed as “Customer.” If your bank, for example, regularly addresses you by name in

its correspondence and you get an e-mail addressed to “Dear Customer,” this may be a

phishing attempt.

The words “verify your account.” A legitimate business will not ask you to send

passwords, logon names, Social Security numbers, or other personally identifiable

information through e-mail. Be suspicious of a message that asks for personal information no

matter how authentic it looks.

The phrase "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The text of a link may contain all or part of a real company's name, but the address it actually points to (the href behind the text) can lead to a phony Web site. Hover over a link, or view the message source, to see the real destination before clicking. Trust your instincts: if an e-mail message looks suspicious, it probably is.

Another common technique that phishers use is a Uniform Resource Locator (URL) that at first glance appears to be the name of a well-known company but is slightly altered by intentionally adding, omitting, or transposing letters, or by placing the company's name inside a domain the phisher controls. For example, the URL "www.microsoft.com" could appear instead as:

www.micosoft.com

www.verify-microsoft.com
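The two signs just described (link text that names one host while the href points to another, and lookalike domains) can be checked mechanically. The Python below is an added example written for this section, not code from the report or from any product it mentions. It assumes a small allow-list of genuine domains (LEGIT_DOMAINS) and a constructed sample message; the "registrable domain" helper simply takes the last two labels, which is enough for .com but would need the public suffix list for domains such as example.co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains we consider genuine. Assumed for the example; a real filter would
# use the organisation's own allow-list.
LEGIT_DOMAINS = ("microsoft.com", "paypal.com", "example-bank.com")


def registrable_domain(host):
    """Crude 'brand.tld' extraction: last two labels of the hostname.
    (A production checker would use the public suffix list for .co.uk etc.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return the reasons (possibly none) a link's hostname looks like a phishing lookalike."""
    host = host.lower()
    reasons = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain name")
    dom = registrable_domain(host)
    if dom in LEGIT_DOMAINS:
        return reasons                      # the real thing
    dom_name = dom.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if dom_name != brand and edit_distance(dom_name, brand) <= 2:
            reasons.append(f"typosquat of {legit}")      # e.g. micosoft.com
        elif brand in host:
            # brand used as a subdomain or with a prefix/suffix, e.g. verify-microsoft.com
            reasons.append(f"brand name '{brand}' embedded in unrelated domain {dom}")
    return reasons


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(html):
    """For each link: (href, text, reasons). Also flags link text that names a
    different host than the one the href really points to."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        reasons = classify_host(host)
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"link text shows {shown.group(1)} but points to {host}")
        findings.append((href, text, reasons))
    return findings


# Constructed phishing message modelled on the signs listed above.
SAMPLE_MESSAGE = """<p>Dear Customer, your account will be closed in 48 hours.</p>
<p><a href="http://www.micosoft.com/verify">www.microsoft.com/account</a></p>
<p><a href="https://www.verify-microsoft.com/login">Click the link below to gain access to your account</a></p>
<p><a href="https://www.microsoft.com/privacy">Privacy statement</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in analyse_message(SAMPLE_MESSAGE):
        print(href, "->", reasons or "looks genuine")
```

Run against the sample, the first link is flagged twice (typosquat, and text/href mismatch), the second once (brand name inside an unrelated domain), and the genuine Microsoft link not at all. The edit-distance threshold of 2 is a judgement call: raise it and short brand names start matching unrelated words.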

MAIL TRACKER

Each email you receive comes with headers. The headers contain information about the routing of the email (one "Received:" line added by every mail server that handled it) and, usually, the IP address of the machine that submitted it. Not every email can be traced back to its origin: how the message was sent (through a webmail service, through an anonymising relay, or with forged headers) determines whether the headers lead back to the real sender. The headers contain no personal information as such. At most, you get the originating IP and the computer name that sent the email; the originating IP can then be looked up (WHOIS, geolocation databases) to determine roughly where the email was sent from and which ISP is responsible. Only the Received line written by your own mail server is guaranteed genuine; the lines below it were added by other servers, and a spammer's relay can write anything it likes into them.
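The following Python is an added example of reading those headers, not code from the report or from eMailTrackerPro. It parses a constructed message (using RFC 5737 documentation addresses in place of real public ones), walks the Received lines from the bottom up to find the first non-private IP (what a simple tracker reports), and then shows the caveat above: only the lines written by servers you trust can be vouched for, so the "verifiable" origin stops at the spammer's relay. The trusted host names are an assumption of the example.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message (RFC 5737 documentation addresses stand in for
# public ones). Each MTA prepends its own Received: line, so the newest hop
# is at the top and the submitting machine is at the bottom.
RAW_MESSAGE = (
    "Received: from mx2.example-isp.net (mx2.example-isp.net [203.0.113.5])\n"
    "\tby mail.example.org with ESMTP id abc123; Sat, 4 Apr 2015 10:22:01 +0000\n"
    "Received: from relay.spammer-hosting.test (unknown [198.51.100.77])\n"
    "\tby mx2.example-isp.net with SMTP; Sat, 4 Apr 2015 10:21:40 +0000\n"
    "Received: from DESKTOP-PC (host-192-0-2-66.customer.test [192.0.2.66])\n"
    "\tby relay.spammer-hosting.test with ESMTPA; Sat, 4 Apr 2015 10:21:12 +0000\n"
    "Received: from [10.0.0.8] by DESKTOP-PC; Sat, 4 Apr 2015 10:20:59 +0000\n"
    "From: \"Account Services\" <support@paypa1.example>\n"
    "To: victim@example.org\n"
    "Subject: Verify your account\n"
    "\n"
    "Dear Customer, click the link below to gain access to your account.\n"
)

IP_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
# Addresses that can never be the Internet-facing origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_hops(raw):
    """Received: hops, oldest first, as (from_ip, by_host) tuples."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        from_part = hdr.split(" by ")[0]       # only the 'from' side carries the peer IP
        ips = []
        for m in IP_RE.finditer(from_part):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:                 # e.g. 999.1.1.1
                pass
        by = BY_RE.search(hdr)
        hops.append((ips[0] if ips else None, by.group(1) if by else None))
    return hops


def naive_origin(hops):
    """First non-internal IP walking up from the oldest hop: what a simple
    'mail tracker' reports. Every line below the ones your own servers wrote
    could have been typed in by the spammer."""
    for ip, _ in hops:
        if ip is not None and not is_internal(ip):
            return str(ip)
    return None


def verifiable_origin(hops, trusted_hosts):
    """Walk down from the newest hop while each line was written by a host we
    trust; the 'from' IP of the last such line is the furthest point we can vouch for."""
    last = None
    for ip, by_host in reversed(hops):
        if by_host not in trusted_hosts:
            break
        if ip is not None:
            last = str(ip)
    return last


if __name__ == "__main__":
    hops = parse_hops(RAW_MESSAGE)
    for ip, by_host in hops:
        print(f"from {ip}  by {by_host}")
    print("naive origin:     ", naive_origin(hops))
    print("verifiable origin:", verifiable_origin(hops, {"mail.example.org", "mx2.example-isp.net"}))
```

On the sample the naive walk reports 192.0.2.66 (the "DESKTOP-PC" line), but that line was written by relay.spammer-hosting.test, which nobody on the receiving side can check; the last address that can be vouched for is 198.51.100.77, the relay itself, which is the address to report to the ISP.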

eMailTrackerPro is a commercial tool that automates this: it traces an email back to an approximate geographical location and identifies the relevant ISP so that spam can be reported, and its spam filter (the vendor claims it removes about 90% of daily spam) can be configured on an email account to discard spam before it reaches your machine.

How does eMailTrackerPro trace email?

Using header analysis and a geolocation IP database, eMailTrackerPro pinpoints the IP address of the sender and tracks it down to the town or city the email came from (to the accuracy of the database, which for dial-up, mobile and proxy addresses may be only the ISP's location).

How can eMailTrackerPro filter my SPAM?

eMailTrackerPro Advanced has a mail filtering feature. It is available to any user with a POP account (SSL is supported). Once set up, eMailTrackerPro traces your emails while they are still on the POP server; this alone can spot emails whose headers do not match their claimed origin, which are then marked as SPAM. Predefined filters also check your email against DNS blacklists and foreign-language filters to remove more SPAM. The vendor states this can cut the SPAM load by 90% without any manual work (the Advanced edition is needed for this feature).

Can I take further action against spammers?

eMailTrackerPro has an abuse reporting feature which automatically generates a report to be

sent to the ISP responsible for a particular SPAM email. We also provide the abuse address

for it to be sent to. All of this in just a couple of clicks.

Step A: Sender creates and sends an email

The originating sender creates an email in their Mail User Agent (MUA) and clicks 'Send'. The MUA is the application the originating sender uses to compose and read email, such as Eudora, Outlook, Thunderbird, etc.

Step B: Sender's MTA routes the email

The sender's MUA hands the email (over SMTP, usually on the submission port 587 after authenticating) to the sender's mail server, a Mail Transfer Agent (MTA). Frequently the same MTA also does the job of a Mail Delivery Agent (MDA), which places mail in local mailboxes. Several of the most common MTAs do this, including sendmail, qmail and Postfix.

The MTA accepts the email, then delivers it to local mailboxes if it is locally addressed, or forwards it if it is not.

In the typical flow, the MTA forwards the email into the first of a series of "network clouds," the sender's "Company Network" cloud.

Step C: Network Cloud

An email can encounter a network cloud within a large company or ISP, or the largest network cloud in existence: the Internet. The network cloud may encompass a multitude of mail servers, DNS servers, routers and other devices and services too numerous to mention. These are prone to be slow when processing an unusually heavy load, temporarily unable to receive email when taken down for maintenance, and sometimes may not have identified themselves properly to the Internet through the Domain Name System (DNS), so that other MTAs in the network cloud are unable to deliver mail as addressed. These devices may be protected by firewalls, spam filters and malware detection software that may bounce or even delete an email. When an email is deleted by this kind of software, it tends to fail silently, so the sender is given no information about where or when the delivery failure occurred.

Email service providers and other companies that process a large volume of email often have their own, private network clouds. These organizations commonly have multiple mail servers, and route all email through a central gateway server (i.e., mail hub) that redistributes mail to whichever MTA is available. Email on these secondary MTAs must usually wait for the primary MTA (i.e., the designated host for that domain) to become available, at which time the secondary mail server will transfer its messages to the primary MTA.

Step D: Email Queue

The email in the diagram is addressed to someone at another company, so it enters an email

queue with other outgoing email messages. If there is a high volume of mail in the queue—

either because there are many messages or the messages are unusually large, or both—the

message will be delayed in the queue until the MTA processes the messages ahead of it.

Step E: MTA to MTA Transfer

When transferring an email, the sending MTA handles all aspects of mail delivery until the

message has been either accepted or rejected by the receiving MTA.

As the email clears the queue, it enters the Internet network cloud, where it is routed along a host-to-host chain of servers. Each MTA in the Internet network cloud needs to "stop and ask directions" from the Domain Name System (DNS) in order to identify the next MTA in the delivery chain. The exact route depends partly on server availability and mostly on which MTA can be found to accept email for the domain specified in the address. Most email takes a path that is dependent on server availability, so a pair of messages originating from the same host and addressed to the same receiving host could take different paths. These days, it's mostly spammers that specify any part of the path, deliberately routing their message through a series of open relays in an attempt to obscure the true origin of the message; each relay adds its own Received line, which is why header analysis works backwards from the receiving server.

To find the recipient's mail server, the MTA must drill down through the Domain Name System (DNS), which consists of a set of servers distributed across the Internet: beginning with the root nameservers, then the nameservers for the top-level domain (TLD), then the nameservers that handle requests for domains within that TLD, and eventually the nameservers that know about the recipient's domain.

DNS resolution and transfer process:

There are 13 root server addresses (each served by many anycast instances) at the top of the DNS hierarchy. These root servers refer requests for a given domain to the name servers that handle the relevant top-level domain (e.g., .org, .com, .edu, .gov, .net). In practice, this step is seldom necessary: the MTA's resolver has cached which name servers handle the common TLDs and goes straight to them. It asks the appropriate DNS server which Mail Exchange (MX) servers accept mail for the domain in the email address. The DNS server responds with the MX records: a prioritized list of mail exchangers for this domain (a lower preference value means higher priority).

An MX server is really an MTA wearing a different hat, just like a person who holds two jobs with different job titles (or three, if the MTA also handles the responsibilities of an MDA). To the DNS server, the server that accepts messages is an MX server. When it is transferring messages, it is called an MTA.

The MTA contacts the MX servers listed in the MX records in order of preference until one accepts the connection. The sending MTA then asks (RCPT TO) whether the host accepts messages for the recipient's username at that domain and, if so, transfers the message (DATA).

Step F: Firewalls, Spam and Virus Filters

The transfer process described in the last step is somewhat simplified. An email may be transferred to more than one MTA within a network cloud and is likely to be passed to at least one firewall before it reaches its destination.

An email encountering a firewall may be tested by spam and virus filters before it is allowed to pass inside the firewall. These filters test to see if the message qualifies as spam or malware. If the message contains malware, the file is usually quarantined; older gateways notified the sender, but because the sender address of malware is almost always forged, most now drop it silently to avoid bouncing notices to innocent third parties. If the message is identified as spam, it will probably be deleted without notifying the sender.

Spam is difficult to detect because it can assume so many different forms, so spam filters test on a broad set of criteria and tend to misclassify a significant number of messages as spam, particularly messages from mailing lists. When an email from a list or other automated source seems to have vanished somewhere in the network cloud, the culprit is usually a spam filter at the receiver's ISP or company.

Password Cracking

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password and check each against the stored hash. The purpose of password cracking might be to help a user recover a forgotten password (though setting a new password is less of a security risk, it requires system administration privileges), to gain unauthorized access to a system, or, as a preventive measure by system administrators, to check for easily crackable passwords. In forensics, password cracking is used file by file to gain access to digital evidence that a judge has allowed access to but that is protected by a password.

Principal attack methods

Weak encryption

If a system uses a poorly designed password hashing scheme to protect stored passwords, an attacker can exploit its weaknesses to recover even well-chosen passwords. One example is the LM hash that Microsoft Windows XP and previous versions use by default to store user passwords of less than 15 characters. LM hash converts the password to uppercase, pads it to 14 characters, then breaks it into two 7-character halves, each of which is used as a DES key to encrypt a fixed constant. The halves are hashed separately and without a salt, so each can be attacked individually, and the effective search space is at most 7 case-insensitive characters.

Password hashing schemes that use stronger hash functions like MD5, SHA-1, SHA-512 and RIPEMD-160 can still be vulnerable to brute-force and precomputation attacks. Such attacks do not depend on reversing the hash function. Instead, they work by hashing a large number of words or random permutations and comparing the result of each guess to a user's stored password hash. Schemes designed for passwords, such as MD5-crypt and bcrypt (and, today, PBKDF2, scrypt and Argon2), use purposefully slow algorithms so that the number of guesses an attacker can make in a given period of time is relatively low. Salting, described below, defeats precomputation attacks and forces the attacker to work on one account at a time; it does not, on its own, make a weak password hard to guess, so every instance of its use must be evaluated together with the strength of the hash and of the passwords.

Because progress in analyzing existing cryptographic hash algorithms is always possible, a hash which is effectively invulnerable today may become vulnerable tomorrow. Both MD5 and SHA-1, long thought secure, have been shown vulnerable to collision attacks far more efficient than brute force (though collisions do not directly help password cracking, which needs a preimage, such results are a sign that a function should be retired). For encryption algorithms (rather different from cryptographic hashes) the same has been true. DES has been broken in the sense that attacks more efficient than brute force have been discovered, and computers have become fast enough that its short key (56 bits) is clearly and publicly insecure against even brute force attacks. Passwords protected by such measures will become vulnerable as the measures fail, and passwords still in use are thereby exposed. Old password hashes are not always and forever irrelevant to today's security problems.

Guessing, dictionary and brute force attacks

The distinction between guessing, dictionary and brute force attacks is not strict. They are

similar in that an attacker goes through a list of candidate passwords one by one; the list may

be explicitly enumerated or implicitly defined, can incorporate knowledge about the victim,

and can be linguistically derived. Each of the three approaches, particularly 'dictionary

attack', is frequently used as an umbrella term to denote all the three attacks and the spectrum

of attacks encompassed by them.

Guessing

Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:

- blank (none)
- the words "password", "passcode", "admin" and their derivatives
- a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
- the user's name or login name
- the name of a significant other, a friend, relative or pet
- their birthplace or date of birth, or a friend's, or a relative's
- their automobile license plate number, or a friend's, or a relative's
- their office number, residence number or mobile number
- the name of a celebrity they like
- a simple modification of one of the preceding, such as suffixing a digit (particularly 1), or reversing the order of the letters
- a swear word

Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor or a security control checker. Attackers who know the user may have such information as well. For example, if a user chooses the password "YaleLaw78" because he graduated from Yale Law School in 1978, a disgruntled business partner might be able to guess the password.

Guessing is particularly effective against systems that employ self-service password reset with "security questions". For example, in September 2008 the Yahoo e-mail account of Sarah Palin, then Governor of Alaska and the Republican Vice-Presidential nominee, was accessed without authorization by someone who was able to research the answers to two of her security questions (her zip code and date of birth) and guess the third (where she met her husband).

Dictionary attacks

Users often choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too-short password (usually thought to be 6 or 7 characters or less), or any password meeting a too-restrictive, and therefore predictable, pattern (e.g., alternating vowels and consonants). Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user's personal information.

In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords

were a single word findable in a dictionary, and another 12 percent were a word plus a final

digit; two-thirds of the time that digit was 1.

Some users neglect to change the default password that came with their computer system

account. And some administrators neglect to change default account passwords provided by

the operating system vendor or hardware supplier. An infamous example is the use

of FieldService as a user name with Guest as the password. If not changed at system

configuration time, anyone familiar with such systems will have 'cracked' an important

password; such service accounts often have higher access privileges than do normal user accounts. Lists of default passwords are available on the Internet. Gary McKinnon, accused by the United States of perpetrating the "biggest military computer hack of all time", has claimed that he was able to get into the military's networks simply by using a Perl script that searched for blank passwords; in other words, his account suggests that there were computers on these networks with no passwords at all.

Cracking programs exist which accept personal information about the user being attacked and

generate common variations for passwords suggested by that information.
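A small version of such a program, as an added example written for this section (not code from the report or from any of the tools it names): it takes words learnt about the victim (the "YaleLaw78" case from above, a pet, a city, two significant years), generates the variations listed under Guessing (case changes, reversal, "leet" substitutions, a trailing digit or year, two words joined), and runs them as an offline attack against a constructed set of unsalted MD5 hashes. The victim data, the leaked hashes and the unrelated control hash are all constructed for the example.

```python
import hashlib
import itertools

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def word_forms(word):
    """Case, reversal and 'leet' variants of one base word (the 'simple
    modification of one of the preceding' rule from the list above)."""
    return {word, word.lower(), word.upper(), word.capitalize(),
            word[::-1], word.lower().translate(LEET)}


def candidates(words, years):
    """Yield guesses built from the victim's personal data: each word form alone,
    then pairs of forms, each with common suffixes (a digit, '!', '123', a year)."""
    forms = set()
    for w in words:
        forms |= word_forms(w)
    suffixes = ([""] + [str(d) for d in range(10)] + ["!", "123"]
                + [str(y) for y in years] + [str(y)[-2:] for y in years])
    for form in sorted(forms):
        for s in suffixes:
            yield form + s
    for a, b in itertools.permutations(sorted(forms), 2):
        for s in suffixes:
            yield a + b + s


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack(target_hashes, words, years, max_guesses=500_000):
    """Offline attack on unsalted MD5 hashes: hash every candidate once and look
    it up against all targets at the same time. Returns {hash: password}."""
    remaining = set(target_hashes)
    found = {}
    for n, guess in enumerate(candidates(words, years), 1):
        digest = md5_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.remove(digest)
            if not remaining:
                break
        if n >= max_guesses:
            break
    return found


# Constructed scenario: what an attacker learnt about the victim, and a leaked
# table of unsalted MD5 hashes (three derived from that data, one that is not).
VICTIM_WORDS = ["Yale", "Law", "fluffy", "boston"]
VICTIM_YEARS = [1978, 2008]
LEAKED = {md5_hex(p): p for p in ["YaleLaw78", "fluffy1", "b0$t0n"]}
UNRELATED = md5_hex("Tr0ub4dor&3")


def demo():
    return crack(set(LEAKED) | {UNRELATED}, VICTIM_WORDS, VICTIM_YEARS)


if __name__ == "__main__":
    for digest, pw in demo().items():
        print(digest, "->", pw)
```

Four base words and a handful of rules already produce a few thousand candidates, and all three derived passwords fall in a fraction of a second; the unrelated hash survives because nothing about it comes from the victim's data. Because the hashes are unsalted, each candidate is hashed once and compared against every target, which is the memoization effect described later under precomputation.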

Brute force attack

A last resort is to try every possible password, known as a brute force attack. In theory, if there is no limit to the number of attempts, a brute force attack will always succeed, since the rules for acceptable passwords are public knowledge; but as the length of the password increases, the number of possible passwords grows exponentially. This method is unlikely to be practical unless the password is relatively short; however, techniques using parallel processing reduce the time to find the password in inverse proportion to the number of processors (CPUs, and especially GPUs) in use. Feasibility depends heavily on whether the prospective attacker has access to the hash of the password as well as the hashing algorithm, in which case the attack is called an offline attack (it can be done without connection to the protected resource), or not, in which case it is called an online attack. An offline attack is generally much faster, because testing a password is reduced to computing the hash of the candidate and comparing it with the stored hash. In an online attack the attacker has to try to authenticate himself with each candidate password, and the system can impose rules and delays (lockouts, rate limits) and log the attempts.

A common password length recommendation is eight or more randomly chosen characters

combining letters, numbers, and special characters (punctuation, etc). This recommendation

makes sense for systems using stronger password hashing mechanisms such as md5-crypt and

the Blowfish-based bcrypt, but is inappropriate for many Microsoft Windows systems

because they store a legacy LAN Manager hash which splits the password into two seven

character halves. On these systems, an eight character password is converted into a seven

character password and a one character password. For better security, LAN Manager

password storage should be disabled if it will not break supported legacy systems. Systems

which limit passwords to numeric characters only, or upper case only, or generally those

which limit the range of possible password character choices, also make brute force attacks

easier. Using longer passwords in these cases (if possible) can compensate for the limited

allowable character set. Of course, even with an adequate range of character choice, users

who limit themselves to an obvious subset of the available characters (e.g., use only upper

case alphabetic characters, or only digits) make brute force attacks against their accounts

much easier.

Generic brute-force search techniques are often successful, but smart brute-force techniques, which exploit knowledge about how people tend to choose passwords, pose an even greater threat. NIST SP 800-63 provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy (randomness), depending on how it is chosen. For comparison, 24 bits of randomness is equivalent to 3 randomly chosen bytes, or approximately 5 random characters if they are restricted to upper case letters (26^5 is about 2^23.5), or 2 words selected from a 4000 word vocabulary (4000^2 is about 2^24). This amount of entropy is far less than what is generally considered safe for an encryption key.

How small is too small for offline attacks thus depends partly on an attacker's ingenuity and

resources (e.g. available time and computing power). The second of these will increase as

computers get faster. Most commonly used hashes can be implemented using specialized

hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel,

each trying a separate portion of the search space. Unused overnight and weekend time on

office computers can also be used for this purpose.

Precomputation

In its most basic form, precomputation involves hashing each word in the dictionary (or any

search space of candidate passwords) and storing the word and its computed hash in a way

that enables lookup on the list of computed hashes. This way, when a new encrypted

password is obtained, password recovery is instantaneous. Precomputation can be very useful

for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in

the cost of mass storage has made it practical for fairly large dictionaries.

Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into a table of size O(N^(2/3)) in which searching for a hashed password takes time O(N^(2/3)). The theory has been refined into a practical technique, rainbow tables. One well-known application cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password and no salt, so a single table serves for every system. Windows systems prior to Windows Vista/Server 2008 compute and store a LAN Manager hash by default for backwards compatibility.

A technique similar to precomputation, known generically as memoization, can be used to

crack multiple passwords at the cost of cracking just one. Since encrypting a word takes

much longer than comparing it with a stored word, a lot of effort is saved by encrypting each

word only once and comparing it with each of the encrypted passwords using an efficient list

search algorithm. The two approaches may of course be combined: the time-space tradeoff

attack can be modified to crack multiple passwords simultaneously in a shorter time than

cracking them one after the other.

Salting

The benefits of precomputation and memoization can be nullified by randomizing the hashing

process. This is known as salting. When the user sets a password, a short, random string

called the salt is suffixed to the password before encrypting it; the salt is stored along with

the encrypted password so that it can be used during verification. Since the salt is usually

different for each user, the attacker can no longer construct tables with a single encrypted

version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could

still build tables with common passwords encrypted with all 4096 possible 12-bit salts.

However, if the salt is long enough, there are too many possibilities and the attacker must

repeat the encryption of every guess for each user. Modern methods such as md5-crypt and

bcrypt use salts of 48 and 128 bits respectively.

Early Unix password vulnerability

Early Unix implementations limited passwords to 8 characters and used a 12-bit salt, which allowed for 4096 possible salt values. While 12 bits was conventionally considered good enough for most purposes in the 1970s, by 2005 disk storage had become cheap enough that an attacker can precompute the hashes of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6 character passwords and the most common 7 and 8 character passwords stored in hashed form, for all 4096 possible salts. And when many passwords are being cracked at once, memoization still offers some benefit, since with only 4096 salts many users share a salt. Since there is little downside to using a longer salt, and because long salts render any precomputation or memoization hopeless, modern implementations choose to do so.
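The three situations described in the Precomputation and Salting sections (no salt, a short salt, a long random salt) plus a purposely slow hash, carried through in Python as an added example written for this section, not code from the report. SHA-1 of salt||password stands in for the fast hash, a toy set of 16 salts stands in for the 4096 of early Unix, and PBKDF2-HMAC-SHA256 stands in for md5-crypt/bcrypt; the dictionary and user records are constructed for the example.

```python
import hashlib
import os
import time

# Constructed dictionary and user records for the example.
DICTIONARY = ["password", "letmein", "qwerty", "monkey", "dragon",
              "iloveyou", "YaleLaw78", "trustno1"]
USERS = [("alice", "letmein"), ("bob", "dragon"), ("carol", "trustno1")]


def fast_hash(salt, password):
    """The weak scheme: one SHA-1 of salt||password (salt may be empty)."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def build_table(words, salts=("",)):
    """Precomputation: hash -> password for every (salt, word) pair.
    Table size is len(words) * len(salts), which is why 4096 12-bit salts
    were affordable and 2**128 salts are not."""
    return {fast_hash(s, w): w for s in salts for w in words}


def lookup(table, leaked_hashes):
    """With a precomputed table, recovery is one dictionary lookup per hash:
    zero hashing at attack time, and every user is cracked in the same pass."""
    return {hv: table[hv] for hv in leaked_hashes if hv in table}


def crack_salted(words, records):
    """Long random per-user salts make the table useless: the dictionary must be
    re-hashed for every record. Returns (found, number_of_hash_operations)."""
    found, ops = {}, 0
    for salt, hv in records:
        for w in words:
            ops += 1
            if fast_hash(salt, w) == hv:
                found[hv] = w
                break
    return found, ops


def slow_hash(password, salt, iterations=200_000):
    """Stand-in for md5-crypt/bcrypt: PBKDF2-HMAC-SHA256, cost set by iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def work_factor_ratio(iterations=200_000):
    """How many times slower one slow-hash guess is than one fast-hash guess."""
    t0 = time.perf_counter()
    for _ in range(1000):
        fast_hash("", "password")
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_hash("password", b"0123456789abcdef", iterations)
    slow = time.perf_counter() - t0
    return slow / fast


def demo():
    # 1. Unsalted: one table, all users at once.
    table = build_table(DICTIONARY)
    leaked = [fast_hash("", pw) for _, pw in USERS]
    unsalted_found = lookup(table, leaked)
    # 2. Short salt (toy: 16 values standing in for the 4096 of early Unix):
    #    the table just grows by the salt count and still cracks everyone.
    toy_salts = [f"{i:x}" for i in range(16)]
    toy_table = build_table(DICTIONARY, toy_salts)
    toy_leaked = [fast_hash(toy_salts[i % 16], pw) for i, (_, pw) in enumerate(USERS)]
    toy_found = lookup(toy_table, toy_leaked)
    # 3. 128-bit random salt: no table possible, per-user dictionary pass.
    records = []
    for _, pw in USERS:
        salt = os.urandom(16).hex()
        records.append((salt, fast_hash(salt, pw)))
    salted_found, ops = crack_salted(DICTIONARY, records)
    return {
        "unsalted_table_size": len(table), "unsalted_cracked": len(unsalted_found),
        "toy_salt_table_size": len(toy_table), "toy_salt_cracked": len(toy_found),
        "long_salt_cracked": len(salted_found), "long_salt_hash_ops": ops,
    }


if __name__ == "__main__":
    print(demo())
    print("slow hash costs %.0fx a fast hash" % work_factor_ratio())
```

With an eight-word dictionary the numbers are small but the shape is the point: the unsalted table has 8 entries and cracks everyone with no hashing; 16 salts multiply the table to 128 entries and still crack everyone; a 128-bit salt forces a fresh dictionary pass per user (15 hash operations for the three records), and the slow hash multiplies the cost of each of those operations by the iteration count, which is the only lever that also protects weak passwords.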

Prevention

The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file, /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit passwords in cleartext or use weak challenge/response schemes.

Modern Unix systems have replaced traditional DES-based password hashing with stronger methods based on MD5 and Blowfish. Other systems have also begun to adopt these methods. For instance, Cisco IOS originally used a reversible Vigenère cipher to encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used. These newer methods use large salt values, which prevent attackers from efficiently mounting offline attacks against multiple user accounts simultaneously. The algorithms are also much slower to execute, which drastically increases the time required to mount a successful offline attack.

Solutions such as security tokens address the problem by constantly changing the password. Such solutions sharply reduce the time frame available for brute forcing (the attacker needs to break and use the password within a single shift) and reduce the value of a stolen password because of its short validity period.

Software

There are many password cracking software tools, but the most popular are Cain and Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many litigation support software packages also include password cracking functionality. Most of these packages employ a mixture of cracking strategies, with brute force and dictionary attacks proving to be the most productive.

Footprinting

Footprinting is the technique of gathering information about computer systems and the entities they belong to. This is done by employing various computer security techniques, such as:

DNS queries
Network enumeration
Network queries
Operating system identification
Organizational queries
Ping sweeps
Point of contact queries
Port scanning
Registrar queries (WHOIS queries)

When used in the computer security lexicon, "footprinting" generally refers to one of the pre-attack phases: tasks performed prior to doing the actual attack. Some of the tools used for footprinting are Sam Spade, nslookup, traceroute, Nmap and NeoTrace.
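Two of the techniques listed above, ping sweeps and port scanning, leave a recognisable pattern in firewall logs: one source touching many ports on a host, or many hosts with ICMP echo requests, in a short window. The following added example (not code from the report) shows detection logic for that pattern. The log layout, the addresses and the thresholds are all constructed for this illustration; the key=value style is modelled loosely on iptables logging, and a real deployment would tune the window and thresholds to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an iptables-like key=value layout (these are not
# logs from the report): one source probing many ports on one host, one source
# pinging many hosts, and an ordinary client talking to a web server.
SAMPLE_LOG = """\
2015-04-06T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=21
2015-04-06T10:00:01 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22
2015-04-06T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=23
2015-04-06T10:00:02 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=25
2015-04-06T10:00:03 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80
2015-04-06T10:00:03 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=443
2015-04-06T10:00:05 SRC=203.0.113.9 DST=198.51.100.1 PROTO=ICMP TYPE=8
2015-04-06T10:00:05 SRC=203.0.113.9 DST=198.51.100.2 PROTO=ICMP TYPE=8
2015-04-06T10:00:06 SRC=203.0.113.9 DST=198.51.100.3 PROTO=ICMP TYPE=8
2015-04-06T10:00:06 SRC=203.0.113.9 DST=198.51.100.4 PROTO=ICMP TYPE=8
2015-04-06T10:00:07 SRC=203.0.113.9 DST=198.51.100.5 PROTO=ICMP TYPE=8
2015-04-06T10:05:00 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=443
2015-04-06T10:05:30 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<kv>.+)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def detect_scans(log_text, window=timedelta(seconds=60),
                 port_threshold=5, host_threshold=4):
    """Return a list of (kind, source, count) alerts.

    A port scan is one source touching >= port_threshold distinct (host, port)
    pairs within `window`; a ping sweep is one source sending ICMP echo
    requests (type 8) to >= host_threshold distinct hosts within `window`.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and "SRC" in event:
            by_src[event["SRC"]].append(event)

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        max_ports = max_hosts = 0
        # Sliding window anchored at each event in turn (O(n^2), fine for a demo).
        for i, start in enumerate(events):
            ports, hosts = set(), set()
            for event in events[i:]:
                if event["ts"] - start["ts"] > window:
                    break
                if event.get("PROTO") in ("TCP", "UDP") and "DPT" in event:
                    ports.add((event.get("DST"), event["DPT"]))
                elif event.get("PROTO") == "ICMP" and event.get("TYPE") == "8":
                    hosts.add(event.get("DST"))
            max_ports = max(max_ports, len(ports))
            max_hosts = max(max_hosts, len(hosts))
        if max_ports >= port_threshold:
            alerts.append(("port_scan", src, max_ports))
        if max_hosts >= host_threshold:
            alerts.append(("ping_sweep", src, max_hosts))
    return alerts


if __name__ == "__main__":
    for kind, src, count in detect_scans(SAMPLE_LOG):
        print(f"{kind}: {src} ({count} distinct targets in window)")
```

Counting distinct targets rather than raw packets is what separates a scan from a busy but legitimate client: the third source above sends to the same host twice and never trips either rule.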

SQL injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

Forms of vulnerability

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application. The following line of code illustrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as

' or '1'='1

or using comments to block the rest of the query:

' or '1'='1';/*'

renders this SQL statement by the parent language:

SELECT * FROM users WHERE name = '' OR '1'='1';

If this code were used in an authentication procedure, then this example could be used to force the selection of a valid username because the evaluation of '1'='1' is always true.

The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table (in essence revealing the information of every user), using an API that allows multiple statements:

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs such as PHP's mysql_query() do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but doesn't stop them from modifying queries.

Incorrect type handling

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric. For example:

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

1;DROP TABLE users

will drop (delete) the "users" table from the database, since the SQL would be rendered as follows:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

Vulnerabilities inside the database server

Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's mysql_real_escape_string() function. This would allow an attacker to perform a successful SQL injection attack based on bad Unicode characters even if the user's input is being escaped. This bug was patched with the release of version 5.0.22 (released on 24 May 2006).

Blind SQL injection

Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

Conditional responses

One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen.

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=1;

will result in a normal page while

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=2;

will likely give a different result if the page is vulnerable to a SQL injection. An injection like this may suggest to the attacker that a blind SQL injection is possible, leaving the attacker to devise statements that evaluate to true or false depending on the contents of another column or table outside of the SELECT statement's column list.

Conditional errors

This type of blind SQL injection causes an SQL error by forcing the database to evaluate a statement that causes an error if the WHERE statement is true. For example, in

SELECT 1/0 FROM users WHERE username='Ralph';

the division by zero will only be evaluated and result in an error if user Ralph exists.

Time delays

Time delays are a type of blind SQL injection that cause the SQL engine to execute a long-running query or a time delay statement depending on the logic injected. The attacker can then measure the time the page takes to load to determine if the injected statement is true.
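Because each of the three blind techniques above needs many requests, each carrying a recognisable fragment (a tautology/contradiction pair such as AND 1=1 / AND 1=2, a 1/0 expression, or a delay function call), they are visible in a web server's access log long before any data is extracted. The following added example, which is not code from the report, runs that detection logic over constructed access-log lines; the log format, addresses, URLs and response sizes are all made up for the illustration, and the signature list is deliberately small.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in a common-log-like layout (not from the
# report): one client sends the 1=1 / 1=2 pair and a delay probe against the
# report's bookId parameter; a second client sends ordinary requests.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [06/Apr/2015:10:01:10 +0000] "GET /book?bookId=OOk14cd HTTP/1.1" 200 5120
203.0.113.7 - - [06/Apr/2015:10:01:11 +0000] "GET /book?bookId=OOk14cd'+AND+1%3D1-- HTTP/1.1" 200 5120
203.0.113.7 - - [06/Apr/2015:10:01:12 +0000] "GET /book?bookId=OOk14cd'+AND+1%3D2-- HTTP/1.1" 200 812
203.0.113.7 - - [06/Apr/2015:10:01:14 +0000] "GET /book?bookId=OOk14cd'+AND+SLEEP(5)-- HTTP/1.1" 200 5120
192.0.2.31 - - [06/Apr/2015:10:02:00 +0000] "GET /book?bookId=OOk14ce HTTP/1.1" 200 4990
192.0.2.31 - - [06/Apr/2015:10:02:05 +0000] "GET /search?q=1%3D1+equals+true HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signatures for the three blind techniques in the text: boolean conditions,
# division by zero, and time-delay functions of common database engines.
SIGNATURES = {
    "boolean": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE),
    "div_zero": re.compile(r"\b1\s*/\s*0\b"),
    "time_delay": re.compile(r"\b(sleep|waitfor\s+delay|pg_sleep|benchmark)\s*\(",
                             re.IGNORECASE),
}


def decoded_params(target):
    """URL-decoded query values of a request target (parse_qsl decodes %xx and +)."""
    return [value for _, value in parse_qsl(urlsplit(target).query,
                                            keep_blank_values=True)]


def classify_request(target):
    """Return the set of signature names matched by any decoded query value."""
    hits = set()
    for value in decoded_params(target):
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def detect_blind_probes(log_text):
    """Per source IP, the signatures seen and whether boolean probes produced
    responses of different sizes (the tell-tale of a conditional-response probe)."""
    by_ip = defaultdict(lambda: {"hits": set(), "boolean_sizes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        record = by_ip[m.group("ip")]
        hits = classify_request(m.group("target"))
        record["hits"] |= hits
        if "boolean" in hits:
            record["boolean_sizes"].add(int(m.group("bytes")))
    alerts = {}
    for ip, record in by_ip.items():
        if record["hits"]:
            alerts[ip] = {
                "signatures": sorted(record["hits"]),
                "conditional_response": len(record["boolean_sizes"]) >= 2,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_blind_probes(SAMPLE_ACCESS_LOG).items():
        print(ip, info)
```

Matching on decoded parameter values rather than the raw request line matters: the probe arrives URL-encoded (1%3D1), and a plain "1=1" typed into a search box by the second client does not carry the AND/OR that the boolean signature requires, so it is not flagged.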

Preventing SQL injection

To protect against SQL injection, user input must not be embedded directly in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.

Parameterized statements

With most development platforms, parameterized statements can be used that work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. In many cases, the SQL statement is fixed, and each parameter is a scalar, not a table. The user input is then assigned (bound) to a parameter. This is an example using Java and the JDBC API:

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);
prep.executeQuery();

Enforcement at the database level

Currently only the H2 Database Engine supports the ability to enforce query parameterization. However, one drawback is that query by example may not be possible or practical, because it is difficult to implement query by example using parameterized queries.

Enforcement at the coding level

Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code.

Escaping

A straightforward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string before sending the SQL query:

$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);

This is error prone because it is easy to forget to escape a given string.

Real-world examples

On November 1, 2005, a high school student used SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.

On January 13, 2006, Russian computer criminals broke into a Rhode Island government web site and allegedly stole credit card data from individuals who had done business online with state agencies.

On March 29, 2006, Susam Pal discovered an SQL injection flaw in an official Indian government tourism site.

On March 2, 2007, Sebastian Bauer discovered an SQL injection flaw in the knorr.de login page.

On June 29, 2007, a computer criminal defaced the Microsoft U.K. website using SQL injection. The U.K. website The Register quoted a Microsoft spokesperson acknowledging the problem.

In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.

On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its website for 'routine maintenance' after being informed that 10,597 Social Security numbers from sex offenders had been downloaded via an SQL injection attack.

In May 2008, a server farm inside China used automated queries to Google's search engine to identify SQL server websites which were vulnerable to the attack of an automated SQL injection tool.

In 2008, at least April through August, a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL Server database server. The attack doesn't require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited web pages is estimated at 500,000.

On August 17, 2009, the United States Justice Department charged an American citizen, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of identity theft in American history", the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.

In December 2009, an attacker breached a RockYou! plaintext database containing the unencrypted usernames and passwords of about 32 million users using an SQL injection attack.


Denial-of-Service attack (DoS attack)

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, consuming its resources so that it can no longer provide its intended service, or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.
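The saturation method described above, where one source issues requests faster than the service can answer, is the case a per-source rate limiter is built for. The following added example (not code from the report) implements a token-bucket limiter and replays a constructed request stream through it: one source sending 200 requests in a second alongside a client sending one per second. The rate, capacity and addresses are this example's own choices; the point it shows is that the flooding source drains only its own bucket while the ordinary client is untouched.

```python
from collections import defaultdict


class TokenBucketLimiter:
    """Per-source token bucket.

    Every source starts with `capacity` tokens, spends one per request and is
    refilled at `rate` tokens per second. A flood from one source drains its
    own bucket and is dropped, while other sources keep their full allowance.
    """

    def __init__(self, rate, capacity):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self._buckets = {}                  # source -> [tokens, last_seen]

    def allow(self, source, now):
        """Return True if the request at time `now` (seconds) may proceed."""
        tokens, last = self._buckets.get(source, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[source] = [tokens - 1.0, now]
            return True
        self._buckets[source] = [tokens, now]
        return False


def simulate(limiter, requests):
    """Replay (source, timestamp) pairs in time order; return per-source counts."""
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for source, ts in sorted(requests, key=lambda r: r[1]):
        outcome = "allowed" if limiter.allow(source, ts) else "dropped"
        stats[source][outcome] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed request stream (not measured data): 200 requests in one
    second from one source, the saturation pattern, mixed with one request
    per second from another."""
    flood = [("203.0.113.50", i * 0.005) for i in range(200)]
    normal = [("192.0.2.8", float(i)) for i in range(5)]
    return flood + normal


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=5, capacity=10)
    for source, counts in simulate(limiter, constructed_traffic()).items():
        print(source, counts)
```

A limiter like this only helps against floods that share a source key; a distributed attack spreads its requests over many sources precisely so that each one stays under such a threshold, which is why DDoS mitigation also needs upstream filtering and capacity rather than per-client accounting alone.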

NET TOOLS

Net Tools is cutting-edge security and network monitoring software for the Internet and Local Area Networks, providing clients with the ability and confidence to meet the challenges of tomorrow's technology. Keeping pace with the industry trends, we offer professional tools that support the latest standards, protocols, software, and hardware for both wired and wireless networks. The main goal is the creation of high quality software. Net Tools is a very strong combination of network scanning, security, file, system, and administrator tools useful in diagnosing networks and monitoring your PC and computer's network connections for system administrators. Next to the essential core tools it includes a lot of extra valuable features. It's a Swiss Army knife for everyone interested in a set of powerful network tools for everyday use. This all-in-one toolkit also includes a lot of handy file and system utilities next to the huge amount of network tools. The menus are fully configurable, so in this way you won't get lost in the extremely large amount of essential tools. All the additional features will make this application a must have for all system administrators. There are numerous constructive and valuable applications included in Net Tools that can be used for a great amount of purposes. The latest version of Net Tools is hybrid; it means that it's capable of working together with applications that are made and designed for Net Tools, so in this way more flexibility and user-friendliness is obtained. This software is designed for the Microsoft Windows OS (Windows 98, NT, 2000, 2003, XP, Vista). It's entirely compatible and has been thoroughly tested on Windows XP. With the 175+ tools it is a great collection of useful tools for network users. The size of Net Tools 5.0.70 is approximately 25 Mb.

CRYPTOGRAPHY

Public-key cryptography is a cryptographic approach, employed by many cryptographic algorithms and cryptosystems, whose distinguishing characteristic is the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms. Using the techniques of public key-private key cryptography, many methods of protecting communications or authenticating messages formerly unknown have become practical. They do not require a secure initial exchange of one or more secret keys as is required when using symmetric key algorithms. It can also be used to create digital signatures.

Public key cryptography is a fundamental and widely used technology around the world, and is the approach which underlies such Internet standards as Transport Layer Security (TLS) (successor to SSL), PGP and GPG.

The distinguishing technique used in public key-private key cryptography is the use of asymmetric key algorithms, because the key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, whilst the public key may be widely distributed. Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot be feasibly (i.e., in actual or projected practice) derived from the public key. It was the discovery of such algorithms which revolutionized the practice of cryptography beginning in the mid-1970s.

In contrast, symmetric-key algorithms, variations of which have been used for some thousands of years, use a single secret key shared by sender and receiver (which must also be kept private, thus accounting for the ambiguity of the common terminology) for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.

Because symmetric key algorithms are nearly always much less computationally intensive, it is common to exchange a key using a key-exchange algorithm and transmit data using that key and a symmetric key algorithm. PGP and the SSL/TLS family of schemes do this, for instance, and are called hybrid cryptosystems in consequence.
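The hybrid structure just described, an asymmetric algorithm carrying a fresh symmetric key and the symmetric algorithm carrying the data, is shown end to end in the following added example. It is not code from the report and not a real PGP or TLS implementation: it uses textbook RSA without padding to wrap a random 16-byte session key, a SHA-256 counter-mode keystream as the toy symmetric cipher, and an HMAC tag so that modified ciphertext is rejected. Key sizes, the choice of primitives and the sample message are this example's own; deployed systems use padded RSA (OAEP) or (EC)DH with an authenticated cipher, but the exchange of roles between the two key types is the same.

```python
import hashlib
import hmac
import os
import random
import secrets
from math import gcd

# Toy hybrid cryptosystem written for this section (not code from the report).
# Textbook RSA, with no padding, wraps a random session key; the message is
# encrypted under a SHA-256 counter-mode keystream and authenticated with HMAC.
# Deployed systems use padded RSA (OAEP) or (EC)DH plus an AEAD cipher; this
# only shows the structure that PGP and TLS share.


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; trial division first to discard easy composites."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public, private) as ((e, n), (d, n)); the modulus is `bits` long."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _derive(session_key):
    """Separate encryption and MAC keys from the one session key."""
    enc = hashlib.sha256(b"enc" + session_key).digest()
    mac = hashlib.sha256(b"mac" + session_key).digest()
    return enc, mac


def _keystream(key, length):
    """Toy stream cipher: SHA-256 of key||counter, concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def hybrid_encrypt(public_key, plaintext):
    """The public key wraps a fresh session key; the session key encrypts the data."""
    e, n = public_key
    session_key = os.urandom(16)                      # new for every message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    enc_key, mac_key = _derive(session_key)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return wrapped, body, tag


def hybrid_decrypt(private_key, wrapped, body, tag):
    """Only the private key recovers the session key; modified data is rejected."""
    d, n = private_key
    try:
        session_key = pow(wrapped, d, n).to_bytes(16, "big")
    except OverflowError:
        raise ValueError("wrapped session key is invalid") from None
    enc_key, mac_key = _derive(session_key)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, len(body))))


if __name__ == "__main__":
    public, private = generate_keypair()
    w, c, t = hybrid_encrypt(public, b"the quick brown fox")
    print(hybrid_decrypt(private, w, c, t))
```

The cost argument in the text is visible in the code: the modular exponentiation runs once per message on 16 bytes, whatever the message length, while the symmetric keystream handles the bulk of the data.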

ART OF GOOGLING

Here's a quick list of some of our most popular tools to help refine and improve your search. For additional help with Google Web Search or any other Google product.

OPERATOR / EXAMPLE | FINDS PAGES CONTAINING...
vacation hawaii | the words vacation and Hawaii
Maui OR Hawaii | either the word Maui or the word Hawaii
"To each his own" | the exact phrase to each his own
virus -computer | the word virus but NOT the word computer
+sock | only the word sock, and not the plural or any tenses or synonyms
~auto loan | loan info for both the word auto and its synonyms: truck, car, etc.
define:computer | definitions of the word computer from around the Web
red * blue | the words red and blue separated by one or more words
I'm Feeling Lucky | takes you directly to the first web page returned for your query

CALCULATOR OPERATOR | MEANING | TYPE INTO SEARCH BOX
+ | addition | 45 + 39
- | subtraction | 45 - 39
* | multiplication | 45 * 39
/ | division | 45 / 39
% of | percentage of | 45% of 39
^ | raise to a power | 2^5 (2 to the 5th power)

ADVANCED OPERATOR | MEANING | WHAT TO TYPE INTO SEARCH BOX (& DESCRIPTION OF RESULTS)
site: | search only one website | admission site:www.stanford.edu (Search Stanford Univ. site for admissions info.)
[#]...[#] | search within a range of numbers | DVD player $100..150 (Search for DVD players between $100 and $150)
link: | linked pages | link:www.stanford.edu (Find pages that link to the Stanford University website.)
info: | info about a page | info:www.stanford.edu (Find information about the Stanford University website.)
related: | related pages | related:www.stanford.edu (Find websites related to the Stanford University website.)

DATA RECOVERY

Data recovery is the retrieval of inaccessible or contaminated data from media that has been

damaged in some way. Data recovery is being increasingly used and is an important process

nowadays.

There has been a lot of progress in increasing the memory capacity of data storage devices.

Therefore data loss from any one incident also tends to be very high. The relevance of lost

data can vary greatly. Maybe you have had the experience of storing a homework assignment

on a floppy disk only to have it missing on the day the assignment in due.

Consider the fact that a large amount of businesses nowadays have vital organizational

related data stored on machines. Also hospitals store data on patients on computers. Large

amounts of websites nowadays use databases technology to enhance their websites and make

them more dynamic. Php and MySql use has been on the rise on the Internet. Database failure

is not uncommon and so it is not a fail proof method of storing information.

Page 54: A Report on Ethical Hacking

Companies rely heavily on computer technology to write and store data relevant to their business operations. Thus the data being stored can have a great deal of impact on personal lives and on the operations of companies.

There can be several causes of data loss.

Data loss can occur from unexpected incidents, including national tragedies such as floods and earthquakes.

Power failure can often cause loss of data from hard drives. Sudden power surges can also cause a lot of damage to a computer's hard drive.

Accidentally deleting a file or formatting a hard drive or floppy disk is a common reason for data loss.

If you have accidentally lost any important documents, there are several steps you can take.

Remember that if you have accidentally erased a file, it may not have vanished from your computer. It may have left an imprint in a different format on the computer's hard drive or other storage devices. Recovering the data involves locating it and transforming it into human-readable form.

Not all data may be recoverable.

You can either hire a professional service to help you solve your problem or attempt a recovery on your own.

You can carry out data recovery operations on your own computer if you know what you are doing. There is data recovery software widely available that can assist you in the process.

Data recovery can become complicated if you overwrite the storage device that holds the lost data. Therefore, if you do not know what you are doing, it is advisable to contact a professional service firm.

Data recovery professionals are experts in recovering data from all sorts of media and from a variety of kinds of damage. There are many specialists out there who have years of experience in the IT field. The kind of data recovery operation to use will depend a great deal on the storage device and on other variables such as the amount of damage done or the operating system used, such as Macintosh, Windows or Linux.

There are some cases where it may be impossible to recover any data. However, do not fret, as the odds lie in your favor: a high percentage of data recovery operations are successful.
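The erased file that "may not have vanished" is exactly what file carving relies on: instead of trusting the filesystem's index, a recovery tool scans the raw device for known file signatures and cuts out whatever still lies between a header and its footer. The following Python is an added example, not code from the report; the disk image, the PNG stub and the signature table are constructed for the demonstration.

```python
import struct

# Signatures a carver looks for: (header, footer). A PNG ends with the IEND
# chunk and its fixed CRC; a JPEG ends with the EOI marker FF D9.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (kind, offset, data) for every file found by signature in the
    raw image, ignoring whatever the filesystem metadata says."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:            # header without footer: truncated or overwritten
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def make_png_stub(width: int, height: int) -> bytes:
    """Constructed minimal PNG-shaped blob (signature, IHDR, IEND); not a
    renderable image, just enough structure for the carver to recognise."""
    ihdr_data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    ihdr = struct.pack(">I", len(ihdr_data)) + b"IHDR" + ihdr_data + b"\0\0\0\0"
    return b"\x89PNG\r\n\x1a\n" + ihdr + b"\0\0\0\0IEND\xaeB`\x82"


def build_image() -> bytes:
    """Constructed 'disk': a file table that lists nothing, followed by free
    space that still holds a deleted PNG and a deleted JPEG."""
    png = make_png_stub(16, 16)
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-data" + b"\xff\xd9"
    return (b"FILETABLE:(empty)".ljust(64, b"\0") + png +
            b"\0" * 100 + jpg + b"\0" * 37)


if __name__ == "__main__":
    for kind, off, data in carve(build_image()):
        print(f"{kind} at offset {off}, {len(data)} bytes")
```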

Preventing data loss

Of course the best way is to prevent data loss in the first place.

Data backup allows for restoring data if data loss occurs. Even ordinary PC users can set up their computer to carry out regularly scheduled backup operations. In the event of a hard drive crash or an unwise change in settings by an uninformed user, the restore tool can be used to retrieve deleted data or to restore the computer's settings from an earlier time.

For the backup process to be useful it should involve several reliable backup systems and performing drills to make sure the data is being stored correctly. Additional methods of protection from data loss include making sure that the hard drive is protected from damage from the external environment. This includes protection from sunlight and temperature extremes.

Also, plugging your PC into a surge protector rather than an ordinary outlet can give your computer a layer of protection from electricity fluctuations. Keep your virus protection up to date. Also remember to keep your backup data separate from your computer.

Nevertheless, a lot of companies will go through a disaster and experience data loss. The best thing to do is not to panic and also not to ignore the situation. The quicker you rectify the situation the better. Anticipating data loss will help you be prepared for any such event.


Honeypot or Trap Door

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

Function:

A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is a sugarcane. Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture is therefore malicious or unauthorized. One practical implication of this is honeypots that thwart spam by masquerading as the type of systems abused by spammers. They categorize trapped material 100% accurately: it is all illicit.
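Because a honeypot has no production value, any traffic that reaches it is unauthorized by definition, which makes the early-warning rule almost trivial to write. The following Python is an added example, not from the report: it scores constructed firewall log lines against unused address space reserved as honeypot space and reports which internal hosts touched it. The address ranges, log format and the "three targets means a scan" threshold are all assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed: addresses set aside as honeypot space. Nothing real runs there,
# so a legitimate host has no reason ever to connect to them.
HONEYPOT_SPACE = [ipaddress.ip_network("10.0.9.0/24"),
                  ipaddress.ip_network("10.0.1.250/32")]

# Constructed firewall log lines (key=value form) for the demonstration.
SAMPLE_LOG = """\
2015-04-06T09:00:01 src=10.0.1.15 dst=10.0.1.5 dport=443 action=allow
2015-04-06T09:00:07 src=10.0.1.15 dst=10.0.9.3 dport=445 action=allow
2015-04-06T09:00:08 src=10.0.1.15 dst=10.0.9.4 dport=445 action=allow
2015-04-06T09:00:09 src=10.0.1.15 dst=10.0.9.5 dport=445 action=allow
2015-04-06T09:02:13 src=10.0.1.22 dst=10.0.1.250 dport=22 action=allow
2015-04-06T09:03:40 src=10.0.1.30 dst=10.0.1.5 dport=443 action=allow
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_honeypot(addr: str) -> bool:
    """True if addr lies inside the reserved honeypot space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HONEYPOT_SPACE)


def alerts(log_text: str) -> dict:
    """Every contact with honeypot space is an alert by definition; one source
    touching several distinct honeypot addresses is treated as a scan."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_honeypot(m["dst"]):
            hits[m["src"]].append((m["ts"], m["dst"], int(m["dport"])))
    report = {}
    for src, events in hits.items():
        targets = sorted({dst for _, dst, _ in events})
        report[src] = {"severity": "scan" if len(targets) >= 3 else "touch",
                       "first_seen": events[0][0], "targets": targets}
    return report


if __name__ == "__main__":
    for src, info in alerts(SAMPLE_LOG).items():
        print(src, info)
```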


Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.

Victim hosts are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing him or her to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.

Types:

Honeypots can be classified based on their deployment and based on their level of involvement. Based on deployment, honeypots may be classified as

1. Production Honeypots

2. Research Honeypots

1. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization.

2. Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats; this information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Spam versions

Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. There are several capabilities such honeypots provide to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse (e.g., spammers).

These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: transmit any illicit relay e-mail received addressed to that dropbox e-mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they often respond by sending large quantities of relay spam to that honeypot, which stops it. The apparent source may be another abused system; spammers and other abusers may use a chain of abused systems to make detection of the original starting point of the abuse traffic difficult.

This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse less easy and safe.

Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While most spam originates in the U.S., spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages. (However, open relay spam has declined significantly.)

Open relay honeypots include Jackpot, written in Java, smtpot.py, written in Python, and spamhole, written in C. The Bubblegum Proxypot is an open proxy honeypot (or proxypot).
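The relay-test-and-dropbox behaviour described above, written as a small SMTP-style state machine: it accepts every recipient, delivers only mail for its own domain, records the outside addresses used to test the relay, and swallows everything else ("accept the relay spam but decline to deliver it"). This is an added example, not the report's code and not one of the tools named above; `LOCAL_DOMAIN`, the session transcript and the assumption that the first outside recipients seen are the test dropboxes are constructed for the demonstration.

```python
LOCAL_DOMAIN = "honeypot.example"   # assumed: the only domain we really accept mail for
FIXED = {"HELO": "250 hi", "EHLO": "250 hi", "QUIT": "221 bye", "DATA": "354 end with ."}


class RelayHoneypot:
    """Accept everything, deliver only local mail, log relay attempts and dropboxes."""
    def __init__(self):
        self.delivered, self.relay_attempts, self.dropboxes = [], [], set()
        self._sender, self._rcpts, self._body, self._in_data = "", [], [], False

    def handle(self, line: str) -> str:
        if self._in_data:                  # collecting the message body
            if line != ".":
                self._body.append(line)
                return ""
            return self._finish()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            self._sender = arg.split(":", 1)[-1].strip(" <>")
            return "250 ok"
        if verb == "RCPT":                 # never refuse: a refusal ends the bait
            self._rcpts.append(arg.split(":", 1)[-1].strip(" <>"))
            return "250 ok"
        self._in_data = verb == "DATA"
        return FIXED.get(verb, "500 unknown command")

    def _finish(self) -> str:
        body, first_relay = "\n".join(self._body), not self.relay_attempts
        for rcpt in self._rcpts:
            if rcpt.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN:
                self.delivered.append((self._sender, rcpt, body))
            else:                          # relay attempt: record it, never send it
                if first_relay:            # assumption: first outside rcpts = dropboxes
                    self.dropboxes.add(rcpt)
                self.relay_attempts.append((self._sender, rcpt, body))
        self._sender, self._rcpts, self._body, self._in_data = "", [], [], False
        return "250 queued"                # claimed, but nothing is relayed


# Constructed session: a relay test to the spammer's dropbox, then the bulk run.
SESSION = ["EHLO probe", "MAIL FROM:<x@probe.invalid>", "RCPT TO:<drop@spammer.invalid>",
           "DATA", "relay test", ".", "MAIL FROM:<x@probe.invalid>", "RCPT TO:<v1@victim.invalid>",
           "RCPT TO:<v2@victim.invalid>", "DATA", "buy now", ".", "QUIT"]


def run(lines=SESSION) -> RelayHoneypot:
    hp = RelayHoneypot()
    for line in lines:
        hp.handle(line)
    return hp
```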


E-mail trap

An e-mail address that is not used for any purpose other than to receive spam can also be considered a spam honeypot. Compared with the term spamtrap, the term "honeypot" might better be reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives at its destination "legitimately", exactly as non-spam e-mail would arrive.

An amalgam of these techniques is Project Honey Pot. The distributed, open-source Project uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses. E-mail address harvesters and spammers can then be tracked as they gather and subsequently send to these spamtrap e-mail addresses.

Database Honeypot

Databases often get attacked by intruders using so-called SQL injection. Because such activities are not recognized by basic firewalls, companies often use so-called database firewalls. Some of the available SQL database firewalls provide or support honeypot architectures to let the intruder run against a trap database while the web application still runs as usual.

Detection

Just as honeypots are a weapon against spammers, honeypot detection systems are a spammer-employed counter-weapon. As detection systems would likely use unique characteristics of specific honeypots to identify them, a plethora of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot. Cohen believes that this might deter adversaries.

Honeynets

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.

The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot":

"A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discretely regulated."
