Ranveer Project

Apr 08, 2018

Bharat Kumar
Page 1: Ranveer Project

8/7/2019 Ranveer Project

http://slidepdf.com/reader/full/ranveer-project 1/31

INTRODUCTION

Computer crimes range from the catastrophic to the merely annoying. A case of computer-driven espionage might wreak devastating losses to national security. A case of commercial computer theft might drive a company out of business. A racket's prank might not actually cause damage at all--but might cause a video game company or another computer user some annoyance. Some computer crimes are perpetrated for kicks, and some for social or political causes; others are the serious business of professional criminals. There is perhaps no other form of crime that cuts so broadly across the types of criminals and the severity of their offenses. Some are truly crimes, and others are not. Whether a particular attack is viewed as being a full-fledged crime or is simply dismissed as being a prank will depend upon the motives of the attacker, the type of organization and data attacked, and other aspects of the situation that can't be neatly summarized in a chapter of this kind.

The attacks covered here are those in which the computer itself--or, more likely, the information it stores--is the target of the crime. We do not cover crimes in which the computer is simply used by the perpetrators in their criminal enterprises (for example, drug deals in which a syndicate keeps computerized records). We also do not cover the larceny of computers and computer components.

There are many ways to categorize computer crimes. You might divide them according to who commits them and what their motivation might be (e.g., professional criminals looking for financial gain, angry ex-employees looking for revenge, crackers looking for intellectual challenge). Or, you might divide these crimes by how they are perpetrated (e.g., by physical means such as arson, by software modifications, etc.). In this chapter, we have chosen to divide computer attacks (remember that some of these attacks are not crimes in the legal sense, but annoyances) by the types of computer security that ought to prevent them:

- Physical security: protection of the physical building, computer, related equipment, and media (e.g., disks and tapes).
- Personnel security: protection of the people who work in any organization, and protection of computer equipment and data from these people and others outside the organization.
- Communications security: protection of software and data, especially as it passes from computer to computer.
- Operations security: protection of the procedures used to prevent and detect security breaches, and the development of methods of prevention and detection.

In some cases, the boundaries between these categories may be rather fuzzy, and some attacks may overlap several categories.

Breaches of Physical Security

- Physical security is concerned with physical protection of the computer, computer equipment, computer media, and the overall physical facility from natural disasters, accidents of various kinds, and intentional attacks. That chapter describes the basics of what is being protected, and provides guidelines that will help keep your facility physically secure.
- Terrorist bombings on buildings housing computer equipment, arson, and theft and destruction of computer equipment fall into this category. You may not realize that less obvious attacks, like turning off the electricity in a computer room, spilling soda on a keyboard, and throwing sensitive papers in the trash may also invite disaster. This section describes some of these less obvious breaches.

Wiretapping

There are a number of ways that physical methods can breach networks and communications. Telephone and network wiring is often not protected as well as it should be, both from intruders who can physically damage it and from wiretaps that can pick up the data flowing across the wires.

Criminals sometimes use wiretapping methods to eavesdrop on communications. It's unfortunately quite easy to tap many types of network cabling. For example, a simple induction loop coiled around a terminal wire can pick up most voice and RS232 communications. More complex types of eavesdropping can be set up as well. In terms of communications security, it's important to physically secure all network cabling to protect it both from interception and from vandalism.

Telephone fraud has always been a problem among crackers, but with the increasing use of cellular phones, phone calling cards, and the ordering of merchandise over the phone using credit cards, this problem has increased dramatically in recent years.

Breaches of Personnel Security

To some extent, nearly all of the attacks we discuss in this chapter could be considered in the realm of personnel security--after all, people commit the offenses and people ultimately detect them. In fact, many of the crimes we talk about in terms of computer security happen whether or not computers are involved--bribery, subversion, extortion, and malicious mischief of all kinds. Only the targets and the media may differ.

Masquerading

Masquerading occurs when one person uses the identity of another to gain access to a computer. This may be done in person or remotely. We describe basic masquerading in this section, but masquerading is an attack that spans the boundaries of the categories we've identified in this chapter. Operations security methods should be in place to prevent and detect masquerading.

Social Engineering

Social engineering is the name given to a category of attacks in which someone manipulates others into revealing information that can be used to steal data or subvert systems. Such attacks can be very simple or very complex. In one low-tech case we know about, a man posing as a magazine writer was able to get valuable information over the telephone from the telephone company simply by asking for it--supposedly for his story. He then used that information to steal more than a million dollars in telephone company equipment.

Harassment

A particularly nasty kind of personnel breach we've seen lately is harassment on the Internet. Sending threatening email messages and slandering people on bulletin board systems and newsgroups is all too common. In a recent harassment case, a student from the University of Michigan was indicted for posting a particularly graphic story about a sex murder on an Internet newsgroup. Because he used the name of an actual female student at Michigan, his activities were initially considered to be harassment. (The case was eventually dismissed.)

These kinds of attacks are not new, and personally threatening remarks can as easily be sent by letter or posted on a wall as they can be sent over the Internet. But the electronic audience is a much larger one, and such messages, sent out from an organization's network domain, may damage the reputation of the organization as well as that of the particular perpetrator.

Software Piracy

Software piracy is an issue that spans the category boundaries and may be enforced in some organizations and not in others. Pirated computer programs are big business. Copying and selling off-the-shelf application programs in violation of the copyrights costs software vendors many millions of dollars. The problem is an international one, reaching epidemic proportions in some countries. (As we've said, software piracy was a major issue in the 1995 Clinton trade agreement with China.) Too many people don't take copyrights seriously. Law-abiding people everywhere think nothing of copying games to share with friends, or office software for home use.

Bulletin board systems often make pirated software available for downloading or swapping. In a recent case, an MIT student was accused of running a BBS that was used in this way. Charges against him were eventually dropped, however, on the theory that the federal wire fraud statute did not apply to a case involving copyright infringements. Only the copyright statute would apply, and it was not applicable where the infringing person did not intend to profit from his conduct.

The stealing of proprietary programs is also a major business problem. A company may spend millions of dollars to develop a specialized program, only to find that its competitor has the same program--and the competitor hasn't had to invest in the development costs! Remember from Chapter 1 the fear that Apple Computer had that the source code for its Macintosh computers may have been compromised. Had this happened, then Macintosh clones could be manufactured anywhere in the world.

Breaches of Communications and Data Security

In this category we include attacks on computer software and on the data itself. The other categories we've discussed in this chapter are more focused on physical equipment, people, and procedures.

- Data Attacks
  - There are many types of attacks on the confidentiality, integrity, and availability of data. Confidentiality keeps data secret from those not authorized to see it. Integrity keeps data safe from modification by those not authorized to change it. Availability, as we discussed under "Denial or Degradation of Service" above, keeps data available for use.
  - The theft, or unauthorized copying, of confidential data is an obvious attack that falls into this category. Espionage agents steal national defense information. Industrial spies steal their competitors' product information. Crackers steal passwords or other kinds of information on breaking into systems.
  - Two terms you'll hear in the context of data attacks are inference and leakage. With inference, a user legitimately views a number of small pieces of data, but by putting those small pieces together is able to deduce some piece of non-obvious and secret data. With leakage, a user gains access to a flow of data via an unauthorized access route (e.g., through eavesdropping).
  - We've talked about wiretapping and monitoring electronic emanations in "Breaches of Physical Security" above. In this section, we discuss attacks on the integrity of the data itself.
- Unauthorized Copying of Data
  - Software piracy, which we discussed in "Breaches of Personnel Security" above, is another attack that spans the categories we've identified in this chapter. In some sense, piracy is just another example of the unauthorized copying of data. The methods for detecting and preventing such a crime are the same whether the copied data is national defense plans, commercial software, or sensitive corporate or personal data.
  - Preventing and detecting this type of attack requires coordinated policies among the different categories of computer security. In terms of personnel security, user education is vital. In terms of operations security, automated logging and auditing software can play a part as well.
- Traffic Analysis
  - Sometimes, the attacks on data might not be so obvious. Even data that appears quite ordinary may be valuable to a foreign or industrial spy. For example, travel itineraries for generals and other dignitaries help terrorists plan attacks against their victims. Accounts payable files tell outsiders what an organization has been purchasing and suggest what its future plans for expansion may be. Even the fact that two people are communicating--never mind what they are saying to each other--may give away a secret. Traffic analysis is the name given to this type of analysis of communications.
  - In one industrial espionage case, a competitor monitored a company's use of online data services to find out what questions it had and what information it was collecting on certain types of metallurgy. The information allowed the competitor to monitor the company's progress on a research and development project and to use this information in developing its own similar product. That product reached the market several weeks before the original developer was able to. The original company's research and development investment and its potential share of the market--many millions--were all but lost.
- Covert Channels
  - One somewhat obscure type of data leakage is called a covert channel. A clever insider can hide stolen data in otherwise innocent output. For example, a filename or the contents of a report could be changed slightly to include secret information that is obvious only to someone who is looking for it. A password, a launch code, or the location of sensitive information might be conveyed in this way. Even more obscure are the covert channels that convey information based on a system clock or other timed event. Information could, in theory, be conveyed by someone who controls system processing in such a way that the elapsed time of an event itself conveys secret information.
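The inference attack described under Data Attacks above, and the standard query-set-size restriction that blocks its simplest form, as an added example that is not part of the original document. The salary table and the "sum of salaries matching a predicate" interface are constructed for illustration.

```python
"""Query-set-size restriction against inference from aggregate queries.

Added example, not from the original document. Each sum on its own looks
harmless, but two sums whose query sets differ by exactly one record reveal
that record. The guard refuses a query whose set has fewer than k rows, or
whose complement has fewer than k rows; the second half matters because
"everyone" minus "everyone but one" is the simplest inference of all.
"""
from typing import Callable, Dict, List, Optional

Record = Dict[str, object]
Predicate = Callable[[Record], bool]

# Constructed sample data, not real people or salaries.
EMPLOYEES: List[Record] = [
    {"name": "alice", "dept": "eng", "salary": 120_000},
    {"name": "bob", "dept": "eng", "salary": 95_000},
    {"name": "carol", "dept": "eng", "salary": 105_000},
    {"name": "dave", "dept": "ops", "salary": 80_000},
    {"name": "erin", "dept": "ops", "salary": 85_000},
    {"name": "frank", "dept": "sales", "salary": 70_000},
]


def unguarded_sum(rows: List[Record], pred: Predicate) -> int:
    """Aggregate interface with no inference control at all."""
    return sum(int(r["salary"]) for r in rows if pred(r))


def guarded_sum(rows: List[Record], pred: Predicate, k: int = 2) -> Optional[int]:
    """Return the sum, or None when the query set or its complement has fewer than k rows."""
    matched = [r for r in rows if pred(r)]
    if len(matched) < k or len(rows) - len(matched) < k:
        return None
    return sum(int(r["salary"]) for r in matched)


def single_record_inference(rows: List[Record], name: str,
                            agg: Callable[..., Optional[int]]) -> Optional[int]:
    """Combine two legitimate-looking sums to isolate one person's salary.

    Returns None when the aggregate interface refused at least one of the queries.
    """
    total = agg(rows, lambda r: True)
    without = agg(rows, lambda r: r["name"] != name)
    if total is None or without is None:
        return None
    return total - without
```

Size restriction alone is still defeated by carefully overlapping queries built from allowed-size sets (so-called tracker attacks), which is why statistical databases add query-overlap limits, auditing or random noise on top of it.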

Software Attacks

We've talked so far in this section about attacks on data. There are also attacks that subvert software.

- Trap Doors
  - One classic software attack is the trap door or back door. A trap door is a quick way into a program; it allows program developers to bypass all of the security built into the program now or in the future.
  - To a programmer, trap doors make sense. If a programmer needs to modify the program sometime in the future, he can use the trap door instead of having to go through all of the normal, customer-directed protocols just to make the change. Trap doors of course should be closed or eliminated in the final version of the program after all testing is complete, but, intentionally or unintentionally, some are left in place. Other trap doors may be introduced by error and only later discovered by crackers who are roaming around, looking for a way into system programs and files. Typical trap doors use such system features as debugging tools, program exits that transfer control to privileged areas of memory, undocumented application calls and parameters, and many others.
  - For example, in 1993 and 1994, an unknown group of computer criminals repetitively broke into systems on the Internet using passwords captured by password sniffers. Once on the system, they exploited software flaws to gain privileged access. They installed modified login and network programs that allowed them reentry even if the original passwords were changed.
  - The detection of trap doors is an operations security problem--checking to see if the trap doors are there in the first place, and whether they exist and operations are correct on an ongoing basis.
- Session Hijacking
  - Session hijacking is a relatively new type of attack in the communications category. Some types of hijacking have been around a long time. In the simplest type, an authorized user gets up from his terminal to go get a cup of coffee. Someone lurking nearby--probably a coworker who isn't authorized to use this particular system--sits down to read or change files that he wouldn't ordinarily be able to access.
  - Some systems don't disconnect immediately when a session is terminated. Instead, they allow a user to re-access the interrupted program for a short period. A cracker with a good knowledge of telephone and telecommunications operations can take advantage of this fact to reconnect to the terminated session.
  - Sometimes, an attacker will connect a covert computer terminal to a line between the authorized terminal and the computer. The criminal waits until the authorized terminal is on line but not in use, and then switches control to the covert terminal. The computer thinks it is still connected to the authorized user, and the criminal has access to the same files and data as the authorized user. Other types of hijacking occur when an authorized user doesn't log out properly so the computer still expects a terminal to be connected. Call forwarding from an authorized number to an unauthorized number is another method of getting access.
- Tunneling
  - Technically sophisticated tunneling attacks fall into this category as well. Tunneling uses one data transfer method to carry data for another method. Tunneling is an often legitimate way to transfer data over incompatible networks, but it is illegitimate when it is used to carry unauthorized data in legitimate data packets.
- Timing Attacks
  - Timing attacks are another technically complex way to get unauthorized access to software or data. These include the abuse of race conditions and asynchronous attacks. In race conditions, there is a race between two processes operating on a system; the outcome depends on who wins the race. Although such conditions may sound theoretical, they can be abused in very real ways by attackers who know what they're doing. On certain types of UNIX systems,[2] for example, attackers could exploit a problem with files known as setuid shell files to gain superuser privileges. They did this by establishing links to a setuid shell file, then deleting the links quickly and pointing them at some other file of their own. If the operation is done quickly enough, the system can be made to run the attacker's file, not the real file.
  - A skilled programmer can figure out how to penetrate the queue and modify the data that is waiting to be processed or printed. He might use his knowledge of the criteria to place his request in front of others waiting in the queue. He might change a queue entry to replace someone else's name or data with his own, or to subvert that user's data by replacing it. Or he could disrupt the entire system by changing commands so that data is lost, programs crash, or information from different programs is mixed as the data is analyzed or printed.
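The link-swap race under Timing Attacks above works because a privileged program checks a file name and then uses the same name again, leaving a window in which the name can be repointed. The added example below (not code from the original document) shows the check-then-use pattern beside the hardened form, which opens once with O_NOFOLLOW and validates the descriptor it actually holds; the privileged helper and its file layout are constructed for illustration.

```python
"""Opening a file without the check-then-use gap behind link-swap races.

Added example, not from the original document. unsafe_read() stats the name
and then opens the name a second time, so whatever the name points to can
change in between. safe_read() opens first and inspects the open descriptor
with fstat, so the object checked is exactly the object used.
"""
import os
import stat
import tempfile
from typing import Dict


def unsafe_read(path: str, expected_uid: int) -> bytes:
    """Time of check: os.stat(path). Time of use: open(path). Two separate lookups."""
    st = os.stat(path)                       # follows symlinks, resolves the name once
    if not stat.S_ISREG(st.st_mode) or st.st_uid != expected_uid:
        raise PermissionError("rejected by pre-check")
    with open(path, "rb") as f:              # resolves the name a second time
        return f.read()


def safe_read(path: str, expected_uid: int) -> bytes:
    """Open first, then check the descriptor; a later link swap cannot change what fd refers to."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)                # OSError (ELOOP) if the last component is a symlink
    try:
        st = os.fstat(fd)                    # attributes of the open object, not of the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("unexpected owner")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("group- or world-writable")
        with os.fdopen(fd, "rb") as f:       # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> Dict[str, bool]:
    """Constructed layout: a private regular file and a symlink pointing at it."""
    d = tempfile.mkdtemp()
    real = os.path.join(d, "real.txt")
    link = os.path.join(d, "link.txt")
    with open(real, "wb") as f:
        f.write(b"secret")
    os.chmod(real, 0o600)
    os.symlink(real, link)
    me = os.getuid()
    results = {
        "safe_reads_regular_file": safe_read(real, me) == b"secret",
        "unsafe_follows_link": unsafe_read(link, me) == b"secret",
    }
    try:
        safe_read(link, me)
        results["safe_rejects_link"] = False
    except OSError:                          # PermissionError is a subclass of OSError
        results["safe_rejects_link"] = True
    return results
```

The same rule applies to every privileged file operation: decide on the descriptor (fstat, fchown, fchmod, openat), never on a path that can be re-resolved.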

Viruses and Worms

People often confuse viruses and worms, so we try to differentiate them in this section. Indeed, they have many similarities, and both can be introduced into systems via Trojan horses.

The easiest way to think of a computer virus is in terms of a biological virus. A biological virus is not strictly alive in its own right, at least in the sense that lay people usually view life. It needs a living host in order to operate. Viruses infect healthy living cells and cause them to replicate the virus. In this way, the virus spreads to other cells. Without the living cell, a virus cannot replicate.

In a computer, a virus is a program which modifies other programs so they replicate the virus. In other words, the healthy living cell becomes the original program, and the virus affects the way the program operates. How? It inserts a copy of itself in the code. Thus, when the program runs, it makes a copy of the virus. This happens only on a single system. (Viruses don't infect networks in the way worms do, as we'll explain below.) However, if a virus infects a program which is copied to a disk and transferred to another computer, it could also infect programs on that computer. This is how a computer virus spreads.

NOTE: An important distinction between worms and viruses: A worm operates over a network, but in order to infect a machine, a virus must be physically copied.

Types of Computer Viruses:

A computer virus is a kind of malicious software written intentionally to enter a computer without the user's permission or knowledge, with an ability to replicate itself, thus continuing to spread. Some viruses do little but replicate; others can cause severe harm or adversely affect programs and the performance of the system. A virus should never be assumed harmless and left on a system. The most common types of viruses are mentioned below:

- Boot Sector viruses:
  - A boot sector virus infects diskettes and hard drives. All disks and hard drives contain smaller sections called sectors. The first sector is called the boot sector. The boot sector carries the Master Boot Record (MBR). The MBR functions to read and load the operating system. So, if a virus infects the boot sector or MBR of a disk, such as a floppy disk, your hard drive can become infected if you re-boot your computer while the infected disk is in the drive. Once your hard drive is infected, all diskettes that you use in your computer will be infected. Boot sector viruses often spread to other computers by the use of shared infected disks and pirated software applications. The best way to disinfect your computer of a boot sector virus is by using antivirus software.
- Program viruses:
  - A program virus becomes active when the program file (usually with extensions .BIN, .COM, .EXE, .OVL, .DRV) carrying the virus is opened. Once active, the virus will make copies of itself and will infect other programs on the computer.
- Multipartite viruses:
  - A multipartite virus is a hybrid of a boot sector virus and a program virus. It infects program files, and when the infected program is active it will affect the boot record. So the next time you start up your computer it'll infect your local drive and other programs on your computer.
- Macro Viruses:
  - A macro virus is programmed as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support macro languages. Once a macro virus gets on to your computer, every document you produce will become infected. This type of virus is relatively new and may slip by your antivirus software if you don't have the most recent version installed on your computer.
- ActiveX and Java Controls:
  - Some users do not know how to manage and control their web browser to allow or prohibit certain functions to work, such as enabling or disabling sound, pop-ups, and so on. This leaves your computer in danger of being targeted by unwanted software or adware floating in cyberspace.
- Direct Action Viruses
  - The main purpose of this virus is to replicate and take action when it is executed. When a specific condition is met, the virus will go into action and infect files in the directory or folder that it is in and in directories that are specified in the AUTOEXEC.BAT file PATH. This batch file is always located in the root directory of the hard disk and carries out certain operations when the computer is booted.
- Overwrite Viruses
  - A virus of this kind is characterized by the fact that it deletes the information contained in the files that it infects, rendering them partially or totally useless once they have been infected. The only way to clean a file infected by an overwrite virus is to delete the file completely, thus losing the original content. Examples of this virus include: Way, Trj.Reboot, Trivial.88.
- Directory Virus
  - Directory viruses change the paths that indicate the location of a file. By executing a program (a file with the extension .EXE or .COM) which has been infected by a virus, you are unknowingly running the virus program, while the original file and program have been previously moved by the virus. Once infected, it becomes impossible to locate the original files.
- File Infectors
  - This type of virus infects programs or executable files (files with an .EXE or .COM extension). When one of these programs is run, directly or indirectly, the virus is activated, producing the damaging effects it is programmed to carry out. The majority of existing viruses belong to this category, and can be classified depending on the actions that they carry out.
- Worms
  - A worm is a program very similar to a virus; it has the ability to self-replicate, and can lead to negative effects on your system and, most importantly, they are detected and eliminated by antiviruses. Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D, Mapson.
- Trojans or Trojan Horses
  - Another unsavory breed of malicious code are Trojans or Trojan horses, which unlike viruses do not reproduce by infecting other files, nor do they self-replicate like worms.
- Logic Bombs
  - Logic bombs may also find their way into computer systems by way of Trojan horses. A typical logic bomb tells the computer to execute a set of instructions at a certain date and time or under certain specified conditions. The instructions may tell the computer to display "I gotcha" on the screen, or it may tell the entire system to start erasing itself. Logic bombs often work in tandem with viruses. Whereas a simple virus infects a program and then replicates when the program starts to run, the logic bomb does not replicate - it merely waits for some pre-specified event or time to do its damage.
- Trojan horse
  - A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
- Blended Threats
  - Added into the mix, we also have what is called a blended threat. A blended threat is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat. Blended threats can use server and Internet vulnerabilities to initiate, then transmit and also spread an attack. Characteristics of blended threats are that they cause harm to the infected system or network, they propagate using multiple methods, the attack can come from multiple points, and blended threats also exploit vulnerabilities.

How are viruses spread?

When you execute program code that's infected by a virus, the virus code will also run and try to infect other programs, either on the same computer or on other computers connected to it over a network. And the newly infected programs will try to infect yet more programs.

When you share a copy of an infected file with other computer users, running the file may also infect their computers; and files from those computers may spread the infection to yet more computers. If your computer is infected with a boot sector virus, the virus tries to write copies of itself to the system areas of floppy disks and hard disks. Then the infected floppy disks may infect other computers that boot from them, and the virus copy on the hard disk will try to infect still more floppies.

Some viruses, known as 'multipartite' viruses, can spread both by infecting files and by infecting the boot areas of floppy disks.
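A boot sector virus, as described under Boot Sector viruses and again just above, has to rewrite the code area of the master boot record to gain control at boot, so a baseline taken from a known-good machine detects the change. The added example below (not code from the original document) parses a 512-byte MBR, records the partition table and a hash of the bootstrap code, and reports what differs from the baseline; the sample sector is constructed in memory, since on a real system the bytes come from the raw disk device via a privileged tool.

```python
"""Boot sector (MBR) integrity check against a known-good baseline.

Added example, not from the original document. Layout of a classic MBR:
bytes 0..445 bootstrap code, 446..509 four 16-byte partition entries,
510..511 the 0x55AA signature. The sample MBR below is constructed.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_AREA = slice(0, 446)
PART_TABLE = 446
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, LBA start, sector count


def make_sample_mbr() -> bytes:
    """Constructed, known-good MBR: filler code, one bootable Linux partition, signature."""
    code = bytes([0xFA, 0x33, 0xC0] + [0x90] * (446 - 3))   # cli; xor ax,ax; nop padding
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x83, b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * 48                             # three empty entries
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Return the code-area hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Dict] = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        flag, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[CODE_AREA]).hexdigest(),
            "partitions": parts}


def check_against_baseline(sector: bytes, baseline: Dict) -> List[str]:
    """Return findings; an empty list means the boot sector matches the baseline."""
    current = parse_mbr(sector)
    findings: List[str] = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("bootstrap code area modified")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table modified")
    return findings


def tampered_copy(sector: bytes) -> bytes:
    """Constructed tamper for the demo: the first code byte is changed, table untouched."""
    return b"\xea" + sector[1:]
```

Keep the baseline off the monitored machine (or signed), since an attacker with enough access to rewrite the MBR can also rewrite a baseline stored beside it.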

Damage done by viruses:

- Rendering a Computer Useless
  - Some viruses can prevent you from being able to use your computer at all. The CIH virus of 1999, named after its Taiwanese creator, Chen Ing-Hau, activated on its creator's birthday. It made computers virtually useless by overwriting a critical part of the computer's memory called the basic input output system (BIOS), which handles even the most basic tasks, such as starting the computer. Users had to have a chip in their computer replaced before the computer would function again.
- Physical Damage
  - Other viruses damage specific parts of your computer. One virus, a Trojan virus called WinFixer, coerced users into installing it by telling them there was something wrong with their computers. It was capable of physically damaging the mechanism used to open and close the CD drive, preventing users from inserting or removing discs. Some viruses for Amiga computers damaged the mechanism used to read and write from the hard disk, requiring that the hard disk be replaced.
- Deletion of Files
  - Some viruses delete your files to cause havoc. One variant of the Mydoom worm, for instance, periodically searched the drives of infected computers for files with extensions like .doc (Microsoft Word documents), .xls (Microsoft Excel spreadsheets) and .jpg (JPG images). Then, it randomly deleted the files it found, with a different probability for each type. For instance, there was a 60 percent chance that Excel spreadsheets would be deleted, and a 40 percent chance that Word documents would be deleted.
- Disabling Functionality
  - To further spread and to evade removal, some viruses can disable programs that deliver updates and remove viruses. As of April 2009, variants of the Kido worm, also known as Conficker and Downadup, check once per second for running antivirus programs. If an antivirus program is running, it is closed immediately. The worm also disables the Windows Update service and blocks access to antivirus websites, preventing many users from removing the worm from their computers.
- Doing Nothing
  - Finally, some viruses do nothing harmful at all. There have been many viruses that simply spread themselves about without doing anything dangerous. They are, however, still considered viruses, because they enter computers without the user's consent.

Virus Prevention:

The threat of computer-killing viruses is very real. Every year, thousands of computers are infected with viruses that severely limit functionality and almost always crash the computer. Fortunately, there are a number of ways that you can protect your computer from these viruses and lower your risk of possible infection.

1. Security Basics
   a. To adequately understand how to protect your PC from viruses, it is important to know a few security basics. The first is that the biggest threat to your computer is the Internet. Because modern broadband connections are always on, there are constant security threats. However, the second thing to remember about PC security is that almost all virus attacks can be prevented. With proper anti-virus and firewall software, PC viruses can be prevented. And yes, it can be done for free.

2. Anti-virus Software
   a. Anti-virus software is your computer's first line of defense against any intruding program or file that may contain malicious applications. The role of anti-virus software is twofold: it monitors activity and downloaded content, and also scans your hard drive for any files it may have missed. Avast! is a free anti-virus program, and a link to its homepage is in the Resources section.

3. Firewall
   a. A firewall is a connection management tool that limits access to your networked information by third parties. A firewall is an essential tool to keep websites and third parties from gathering information about you from files you have stored on your computer. Firewalls also keep you protected from third parties downloading unintended files, such as viruses, to your computer. See the Resources section for a link to Comodo, which is a free firewall application.

4. Monitor Your E-mail
   a. One of the biggest ways that viruses and spyware are transmitted is through e-mail. It is essential to have a virus scan that checks attachments and messages for potentially harmful scripts and files. Most modern web-based e-mail servers (like Yahoo! and MSN) have their own anti-virus software, but if you use a program like Microsoft Outlook to gather your mail, it is good to have another e-mail-focused anti-virus program that can scan your messages as they are received.

5. Visit only Trustworthy Sites
   a. Although this seems like common sense, search engines like Google and Yahoo! make it easy to click on a website that you have never heard of. Always make sure to only visit sites you trust, and if the site is flagged by a search engine, don't go near it.

Breaches of Operations Security:

Because operations security includes the setting up of procedures to prevent and detect all types of attacks on systems and personnel, we've discussed elements of operations security in most of the other preceding sections. Here, we describe a few special kinds of breaches of operations security.

Data Diddling

Data diddling, sometimes called false data entry, involves modifying data before or after it is entered into the computer. Consider situations in which employees are able to falsify time cards before the data contained on the cards is entered into the computer for payroll computation. A timekeeping clerk in a 300-person company noticed that, although the data entered into the company's timekeeping and payroll systems included both the name and the employee number of each worker, the payroll system used only the employee's number to process payroll checks. There were no external safeguards or checks to audit the integrity of the data. She took advantage of this vulnerability and filled out forms for overtime hours for employees who usually worked overtime. The cards had the hardworking employees' names, but the time clerk's number. Payment for the overtime was credited to her.

In another case, two employees of a utility company found that there was a time lapse of several days between when meter readings were entered into the computer and when the bills were printed. By changing the readings during this period, they were able to substantially reduce their electric bills and the bills of some of their friends and neighbors.

Why do we discuss these very simple attacks in the context of operations security? Because these attacks should not occur. Operations should be set up in any organization to prevent and detect this type of crime--safeguards on data modification, audits of changed data to be sure it was modified with authorization, and so on.
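One way the payroll step could have caught both the mismatched cards and the overtime credited to the clerk, as an added example that is not part of the original project text: cross-check every time card against the employee master file instead of paying on the employee number alone, and flag overtime claimed by staff who normally work none. The master file, the card records and the field names below are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed sample employee master file: employee number -> (name, usually works overtime?)
MASTER = {
    "1001": ("A. Worker", True),
    "1002": ("B. Builder", True),
    "1003": ("C. Clerk", False),   # the timekeeping clerk in the story
}

@dataclass
class TimeCard:
    name: str
    emp_no: str
    overtime_hours: float

def audit_time_cards(cards, master=MASTER):
    """Return (card, reason) findings for cards that must not be paid without review.
    The payroll system in the text keyed on emp_no alone; this check insists that
    the name on the card agrees with the master record for that number."""
    findings = []
    for card in cards:
        record = master.get(card.emp_no)
        if record is None:
            findings.append((card, "unknown employee number"))
            continue
        master_name, works_overtime = record
        if master_name != card.name:
            findings.append((card, "name does not match employee number"))
        elif card.overtime_hours > 0 and not works_overtime:
            findings.append((card, "overtime claimed by employee who normally works none"))
    return findings

def overtime_credited_to(cards, emp_no):
    """Total overtime hours a number-only payroll run would credit to emp_no:
    this is the figure the clerk's scheme inflated."""
    return sum(c.overtime_hours for c in cards if c.emp_no == emp_no)

# Constructed cards: one legitimate, two carrying the workers' names but the clerk's number.
SAMPLE_CARDS = [
    TimeCard("A. Worker", "1001", 8.0),
    TimeCard("A. Worker", "1003", 10.0),
    TimeCard("B. Builder", "1003", 6.0),
]

if __name__ == "__main__":
    for card, reason in audit_time_cards(SAMPLE_CARDS):
        print(f"REVIEW {card.name} / {card.emp_no}: {reason}")
    print("overtime a number-only payroll would credit to 1003:",
          overtime_credited_to(SAMPLE_CARDS, "1003"))
```

The point of the check is that the redundant field (the name) is already being collected; the control only has to compare it, and the comparison belongs in the system rather than in the clerk's hands.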

IP Spoofing

In "Breaches of Personnel Security" above, we introduced masquerading attacks, particularly those involving one person pretending to be another. But there are some more complex masquerading attacks that can be prevented only by strong operations security.

A method of masquerading that we're seeing in various Internet attacks today is known as IP spoofing (IP stands for Internet Protocol, one of the communications protocols that underlies the Internet). Certain UNIX programs grant access based on IP addresses; essentially, the system running the program is authenticated, rather than the individual user. The attacker forges the addresses on the data packets he sends so they look as if they came from inside a network on which systems trust each other. Because the attacker's system looks like an inside system, he is never asked for a password or any other type of authentication. In fact, the attacker is using this method to penetrate the system from the outside. (This is the method used in the attack on Tsutomu Shimomura's system,

How can an operations security program prevent IP spoofing attacks? Two good ways are to require passwords in all cases and to prevent trust relationships among systems.

Password Sniffing

Password sniffers are able to monitor all traffic on areas of a network. Crackers have installed them on networks used by systems that they especially want to penetrate, like telephone systems and network providers. Password sniffers are programs that simply collect the first 128 or more bytes of each network connection on the network that's being monitored. When a user types in a user name and a password--as required when using certain common Internet services like FTP (which is used to transfer files from one machine to another) or Telnet (which lets the user log in remotely to another machine)--the sniffer collects that information. Additional programs sift through the collected information, pull out the important pieces (e.g., the user names and passwords), and cover up the existence of the sniffers in an automated way. Best estimates are that in 1994 as many as 100,000 sites were affected by sniffer attacks.

One-time passwords and encrypted passwords are good ways to keep password sniffing attacks from compromising systems.
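A one-time password scheme, as an added example that is not taken from the project text: HMAC-based one-time passwords (HOTP, RFC 4226) with a server-side counter, so that a code captured by a sniffer on the wire has already been consumed by the time it is replayed. The shared secret below is the RFC 4226 test-vector secret, used only as constructed sample data; the OtpServer class and the sniffer_replay_demo function are this example's own.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, then the low `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class OtpServer:
    """Server-side verifier (this example's own, not a library).  Each user holds a
    shared secret and a counter; a code is accepted only if it matches one of the
    next `window` counters, and the counter then moves past it, so a captured code
    cannot be replayed."""
    def __init__(self, window: int = 3):
        self.window = window
        self.users = {}   # username -> [secret, next_counter]

    def enroll(self, user: str, secret: bytes):
        self.users[user] = [secret, 0]

    def verify(self, user: str, code: str) -> bool:
        if user not in self.users:
            return False
        secret, counter = self.users[user]
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(secret, c), code):
                self.users[user][1] = c + 1   # consume this counter and any skipped ones
                return True
        return False

def sniffer_replay_demo():
    """Simulate the sniffing scenario from the text: the legitimate login succeeds,
    a sniffer captures the code, and the replay fails because the counter advanced.
    Returns (first_login_ok, replay_ok)."""
    server = OtpServer()
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, constructed sample data
    server.enroll("alice", secret)
    captured = hotp(secret, 0)          # what the user's token shows and the sniffer records
    first = server.verify("alice", captured)
    replay = server.verify("alice", captured)
    return first, replay

if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # 755224, the RFC 4226 test vector
    print(sniffer_replay_demo())              # (True, False)
```

The RFC's published test vectors (755224 for counter 0, 287082 for counter 1) are what hotp() must return. In a real deployment the secret comes from enrollment, the counter state must be stored durably on the server, and the look-ahead window is kept small so that a code the user skipped does not widen the set of acceptable values by much.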

Scanning

A technique often used by novice crackers, called scanning or war dialing, also is one that ought to be prevented by good operations security. Remember the 1983 movie War Games, in which the high school cracker programmed his computer to dial telephone number after telephone number until it found one that connected to a modem?

With scanning, a program known as a war dialer or demon dialer processes a series of sequentially changing information, such as a list of telephone numbers, passwords, or telephone calling card numbers. It tries each one in turn to see which ones succeed in getting a positive response. In War Games, for example, the program dialed all of the telephone numbers in a particular region sequentially; if the number was answered by a tone, it was recorded for later experimentation. The computer doing the calling can make hundreds of telephone calls within several hours.

The programs used for scanning, called war dialers or demon dialer programs, are available from many bulletin board systems (BBSs). Successful scanners often post the telephone numbers they've identified on bulletin boards and in cracker publications.

Ways of Detecting Common Attacks

This section provides a quick summary of how you might be able to anticipate or detect the most common types of attacks we've discussed in this chapter. Note that this listing is not exhaustive; too many of the attacks don't fall into neat categories, and too many require a good deal of technical understanding to anticipate and detect.

This section briefly summarizes:

• Potential offenders--what type of individual (e.g., a programmer, a spy) might commit a crime of this type.
• Methods of detection--how such crimes are found out (e.g., tracing equipment of various kinds, analyzing log files).
• Evidence--trails that might be left by the intruders and that might help in detection (e.g., system logs, telephone company records).

Dumpster Diving:

Potential Offenders
1. System users.
2. Anyone able to access the trash area.
3. Anyone who has access to computer areas or areas used to store backups.

Methods of Detection
1. Tracing proprietary information back to its source (e.g., memos with company names or logos).
2. Observation (guards may actually see intruders in action).
3. Testing an operating system to discover data left over after job execution.

Evidence
1. Computer output media (e.g., may contain vendor name or identifying page numbers).
2. Similar information produced in suspected ways in the same form.
3. Characteristics of printout or other media (e.g., type fonts or logos).

Wiretapping and Eavesdropping:

Potential Offenders
1. Communications technicians and engineers.
2. Agents for competitors.
3. Communications employees, former employees, vendors, and contractors.
4. Agents for foreign intelligence services.

Methods of Detection
1. Voice wiretapping methods.
2. Tracing where the equipment used in the crime came from (e.g., monitoring equipment).
3. Tracing computer output (e.g., disks and tapes) to their source.
4. Observation.
5. Discovery of stolen information.

Evidence
1. Voice wiretapping as evidence.
2. Computer output forms.
3. Computer audit logs.
4. Computer storage media.
5. Characteristics of printout or other media (e.g., type fonts or logos).
6. Manual after-hours sign-in/sign-out sheets.

Masquerading:

Potential Offenders
Potentially everyone.

Methods of Detection
1. Analysis of audit logs and journals (e.g., a log shows that an authorized user apparently logged in, but it is known that the person was away at that time).
2. Observation (e.g., an eyewitness saw an intruder at an authorized user's terminal).
3. Password violations (e.g., a log shows repeated failed attempts to use an invalid password).
4. Report by the person who has been impersonated (e.g., the authorized person logs in, and the system tells him that he has had six unsuccessful logins since the last time he knows he actually logged in).

Evidence
1. Backups.
2. System audit logs.
3. Telephone company records (pen register and dialed number recorder (DNR) records).
4. Violation reports from access control packages.
5. Notes and documents found in the possession of suspects.
6. Witnesses.
7. Excessively large phone bills (excessive message units may indicate that someone is using resources).
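Detection methods 1, 3 and 4 for masquerading can be automated over an audit log. As an added example that is not part of the original text, the following reads constructed login records (the line format and the HR "away" calendar are assumptions made for the illustration) and reports users who logged in successfully after a run of failures, and successful logins on days the user is recorded as absent.

```python
import re
from collections import defaultdict
from datetime import datetime, date

# Constructed sample audit log (not from the original text); the format is assumed.
SAMPLE_LOG = """\
2019-08-07 02:14:03 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:09 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:15 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:22 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:30 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:41 LOGIN user=bob result=FAIL src=10.0.0.7
2019-08-07 02:14:50 LOGIN user=bob result=OK src=10.0.0.7
2019-08-07 09:01:12 LOGIN user=carol result=OK src=10.0.0.21
2019-08-07 09:03:45 LOGIN user=dave result=FAIL src=10.0.0.9
2019-08-07 09:03:58 LOGIN user=dave result=OK src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Constructed: dates on which HR records the user as away (leave, travel, ...).
AWAY = {"bob": {date(2019, 8, 7)}}

def parse_log(text):
    """Turn matching lines into (timestamp, user, result, source) tuples; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["user"], m["result"], m["src"]))
    return events

def failures_before_success(events, threshold=5):
    """Users whose successful login followed `threshold` or more consecutive
    failures (methods 3 and 4 in the list above); value is the length of the run."""
    streak = defaultdict(int)
    hits = {}
    for ts, user, result, src in events:
        if result == "FAIL":
            streak[user] += 1
        else:
            if streak[user] >= threshold:
                hits[user] = streak[user]
            streak[user] = 0
    return hits

def logins_while_away(events, away=AWAY):
    """Successful logins on days the user is recorded as absent (method 1 above)."""
    return [(ts, user, src) for ts, user, result, src in events
            if result == "OK" and ts.date() in away.get(user, set())]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("success after repeated failures:", failures_before_success(ev))
    print("logins while recorded away:", logins_while_away(ev))
```

Dave's single mistyped password stays below the threshold, which is the usual trade-off in this kind of rule: the threshold is set high enough that ordinary typos do not page anyone, while a run of six failures at two in the morning from a user who is on leave is reported on both counts.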

Software Piracy:

Potential Offenders
1. Purchasers and users of commercial software.
2. Software pirates.
3. Employees who steal proprietary software.

Methods of Detection
1. Observation.
2. Testimony of legitimate purchasers of software.
3. Search of users' facilities and computers.

Evidence
1. Pictures of computer screens where pirated software is being executed.
2. The contents of memory in computers containing pirated software.
3. Copies of media on which pirated software is found.
4. Printouts produced by pirated software.

Trap Doors:

Potential Offenders
1. Systems programmers.
2. Applications programmers.

Methods of Detection
1. Exhaustive testing.
2. Specific testing based on evidence.
3. Comparison of specifications to performance.

Evidence
1. Programs that perform tasks not specified for them.
2. Output reports that indicate that programs are performing tasks not specified for them.

Timing Attacks:

Potential Offenders
1. Advanced system analysts.
2. Advanced computer programmers.

Methods of Detection
1. System testing of suspected attack methods.
2. Complaints from system users that their jobs are not being performed efficiently.
3. Repeat execution of a job under normal and safe conditions.

Evidence
1. Output that deviates from normally expected output of logs.
2. Computer operations logs.

Trojan Horses, Viruses, Worms and Logic Bombs:

Potential Offenders
1. Programmers who have detailed knowledge of a program.
2. Employees or former employees.
3. Vendor or contractor programmers.
4. Financial system programmers.
5. Computer users.
6. Computer operators.

Methods of Detection
1. Comparison of program code with backup copies of the program.
2. Tracing of unexpected events of possible gain from the act to suspected perpetrators.
3. Detailed data analysis, including analysis of program code (e.g., you may detect a virus because a file increases in size when it is modified or because disk space decreases).
4. Observation of financial activities of possible suspects (especially for salami attacks).
5. Testing of suspect programs.
6. Examination of computer audit logs for suspicious programs or pertinent entries (e.g., log entries that show that many programs were updated at the same time) (especially for viruses).
7. Transaction audits.
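Methods 1 and 3 above amount to keeping a trusted baseline of each program's size and contents and comparing later copies against it. As an added example that is not part of the project text, the following builds such a baseline from SHA-256 hashes and sizes, then classifies differences; the "program directory" it checks is constructed in a temporary directory, and the bytes appended to one file stand in for the growth a file infector causes rather than being any real sample.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline of every file under root: relative POSIX path -> (size, sha256 hex)."""
    root = Path(root)
    base = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            base[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return base

def compare(baseline, current):
    """Classify differences between two snapshots.  A file whose hash changed and
    whose size grew is the signature the text gives for a file infector; a hash
    change without growth is reported separately as 'modified'."""
    report = {"grown": [], "modified": [], "added": [], "removed": []}
    for path, (size, digest) in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path][1] != digest:
            report["grown" if size > baseline[path][0] else "modified"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    return report

def demo():
    """Construct a small program directory, take a baseline, then apply constructed
    changes: bytes appended to one executable, a text file rewritten, a file added."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ" + b"\x90" * 100)
        (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\xcc" * 50)
        (root / "readme.txt").write_text("hello")
        baseline = snapshot(root)

        with open(root / "bin" / "app.exe", "ab") as f:
            f.write(b"\x00" * 512)                      # grew: stands in for appended code
        (root / "readme.txt").write_text("hi")          # changed but did not grow
        (root / "bin" / "new.exe").write_bytes(b"MZ")   # added since the baseline
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline itself has to live somewhere the infected machine cannot rewrite (the backup copies the text mentions, or read-only media), otherwise a program that changes both the file and the baseline goes unnoticed; the comparison is only as trustworthy as the reference it is made against.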

Evidence
1. Output reports.
2. Unexpected results of running programs.
3. Computer usage and file request journals.
4. Undocumented transactions.
5. Analysis test program results.
6. Audit logs.

Data Diddling:

Potential Offenders
1. Participants in transactions being entered or updated.
2. Suppliers of source data.
3. Preparers of data.
4. Nonparticipants with access.

Methods of Detection
1. Comparison of data.
2. Manual controls.
3. Analysis of computer validation reports.
4. Integrity tests.
5. Validation of documents.
6. Analysis of audit logs.
7. Analysis of computer output.

Evidence
1. Data documents for source data, transactions, etc.
2. Manual logs, audit logs, journals, etc.
3. Backups and other computer media (e.g., tapes and disks).
4. Incorrect computer output control violation alarms.

Scanning:

Potential Offenders
1. Malicious intruders.
2. Spies attempting to access systems for targeted data.
3. Criminals intent on committing fraud.

Methods of Detection
1. Computer logs that show when telephone calls were received by the computer and when attempts were made.
2. Loss of data or transfer of funds or other assets.
3. Telephone company records.

Evidence
1. Telephone company records (pen register and dialed number recorder (DNR) records).
2. Possession of war dialing programs.
3. Computer logs.
4. Possession of information compromised as a result of scanning, including lists of telephone numbers.
