Page 1
8/7/2019 Ranveer Project
http://slidepdf.com/reader/full/ranveer-project 1/31
1
INTRODUCTION
Computer crimes range from the catastrophic to the merely annoying. A case of
computer-driven espionage might wreak devastating losses to national security. A
case of commercial computer theft might drive a company out of business. A
cracker's prank might not actually cause damage at all--but might cause a video
game company or another computer user some annoyance. Some computer crimes
are perpetrated for kicks, and some for social or political causes; others are the
serious business of professional criminals. There is perhaps no other form of crime
that cuts so broadly across the types of criminals and the severity of their offenses.
Some are truly crimes, and others are not. Whether a particular attack is viewed as
being a full-fledged crime or is simply dismissed as being a prank will depend upon
the motives of the attacker, the type of organization and data attacked, and other
aspects of the situation that can't be neatly summarized in a chapter of this kind.
The attacks discussed here are those in which the computer itself--or, more likely, the information it
stores--is the target of the crime. We do not cover crimes in which the computer is
simply used by the perpetrators in their criminal enterprises (for example, drug deals
in which a syndicate keeps computerized records). We also do not cover the larceny
of computers and computer components.
There are many ways to categorize computer crimes. You might divide them
according to who commits them and what their motivation might be (e.g.,
professional criminals looking for financial gain, angry ex-employees looking for
revenge, crackers looking for intellectual challenge). Or, you might divide these
crimes by how they are perpetrated (e.g., by physical means such as arson, by
software modifications, etc.). In this chapter, we have chosen to divide computer
attacks (remember that some of these attacks are not crimes in the legal sense, but
annoyances) by the types of computer security that ought to prevent them:
• Physical security
  o Protection of the physical building, computer, related equipment, and
    media (e.g., disks and tapes).
• Personnel security
  o Protection of the people who work in any organization, and protection
    of computer equipment and data from these people and others outside
    the organization.
• Communications security
  o Protection of software and data, especially as it passes from computer
    to computer.
• Operations security
  o Protection of the procedures used to prevent and detect security
    breaches, and the development of methods of prevention and
    detection.
In some cases, the boundaries between these categories may be
rather fuzzy, and some attacks may overlap several categories.
Breaches of Physical Security
• Physical security is concerned with physical protection of the computer,
  computer equipment, computer media, and the overall physical facility
  from natural disasters, accidents of various kinds, and intentional
  attacks. That chapter describes the basics of what is being protected,
  and provides guidelines that will help keep your facility physically
  secure.
• Terrorist bombings on buildings housing computer equipment, arson,
  and theft and destruction of computer equipment fall into this category.
  You may not realize that less obvious attacks, like turning off the
  electricity in a computer room, spilling soda on a keyboard, and
  throwing sensitive papers in the trash may also invite disaster. This
  section describes some of these less obvious breaches.
Wiretapping
There are a number of ways that physical methods can breach networks and
communications. Telephone and network wiring is often not protected as well
as it should be, both from intruders who can physically damage it and from
wiretaps that can pick up the data flowing across the wires.
Criminals sometimes use wiretapping methods to eavesdrop on
communications. It's unfortunately quite easy to tap many types of network
cabling. For example, a simple induction loop coiled around a terminal wire
can pick up most voice and RS232 communications. More complex types of
eavesdropping can be set up as well. For communications security, it's
important to physically secure all network cabling to protect it both from
interception and from vandalism.
Telephone fraud has always been a problem among crackers, but with the
increasing use of cellular phones, phone calling cards, and the ordering of
merchandise over the phone using credit cards, this problem has increased
dramatically in recent years.
Breaches of Personnel Security
To some extent, nearly all of the attacks we discuss in this chapter could be
considered in the realm of personnel security--after all, people commit the offenses
and people ultimately detect them. In fact, many of the crimes we talk about in terms
of computer security happen whether or not computers are involved--bribery,
subversion, extortion, and malicious mischief of all kinds. Only the targets and the
media may differ.
Masquerading
Masquerading occurs when one person uses the identity of another to gain
access to a computer. This may be done in person or remotely. We describe
basic masquerading in this section, but masquerading is an attack that spans
the boundaries of the categories we've identified in this chapter.
Operations security methods should be in place to prevent and detect
masquerading.
Social Engineering
Social engineering is the name given to a category of attacks in which someone
manipulates others into revealing information that can be used to steal data or
subvert systems. Such attacks can be very simple or very complex. In one
low-tech case we know about, a man posing as a magazine writer was able to
get valuable information over the telephone from the telephone company
simply by asking for it--supposedly for his story. He then used that information
to steal more than a million dollars in telephone company equipment.
Harassment
A particularly nasty kind of personnel breach we've seen lately is harassment
on the Internet. Sending threatening email messages and slandering people
on bulletin board systems and newsgroups is all too common. In a recent
harassment case, a student from the University of Michigan was indicted for
posting a particularly graphic story about a sex murder on an Internet newsgroup.
Because he used the name of an actual female student at Michigan, his
activities were initially considered to be harassment. (The case was
eventually dismissed.)
These kinds of attacks are not new, and personally threatening remarks can
as easily be sent by letter or posted on a wall, as they can be sent over the
Internet. But the electronic audience is a much larger one, and such
messages, sent out from an organization's network domain, may damage the
reputation of the organization as well as that of the particular perpetrator.
Software Piracy
Software piracy is an issue that spans the category boundaries and may be
enforced in some organizations and not in others. Pirated computer programs
are big business. Copying and selling off-the-shelf application programs in
violation of the copyrights costs software vendors many millions of dollars.
The problem is an international one, reaching epidemic proportions in some
countries. (As we've said, software piracy was a major issue in the 1995
Clinton trade agreement with China.) Too many people don't take copyrights
seriously. Law-abiding people everywhere think nothing of copying games to
share with friends, or office software for home use.
Bulletin board systems often make pirated software available for downloading
or swapping. In a recent case, an MIT student was accused of running a BBS
that was used in this way. Charges against him were eventually dropped,
however, on the theory that the federal wire fraud statute did not apply to a
case involving copyright infringements. Only the copyright statute would
apply, and it was not applicable where the infringing person did not intend to
profit from his conduct.
The stealing of proprietary programs is also a major business problem. A
company may spend millions of dollars to develop a specialized program,
only to find that its competitor has the same program--and the competitor
hasn't had to invest in the development costs! Remember from Chapter 1 the
fear that Apple Computer had that the source code for its Macintosh
computers may have been compromised. Had this happened, then Macintosh
clones could be manufactured anywhere in the world.
Breaches of Communications and Data Security
In this category we include attacks on computer software and on the data itself. The
other categories we've discussed in this chapter are more focused on physical
equipment, people, and procedures.
• Data Attacks
  o There are many types of attacks on the confidentiality, integrity, and
    availability of data. Confidentiality keeps data secret from those not
    authorized to see it. Integrity keeps data safe from modification by
    those not authorized to change it. Availability, as we discussed under
    "Denial or Degradation of Service" above, keeps data available for
    use.
  o The theft, or unauthorized copying, of confidential data is an obvious
    attack that falls into this category. Espionage agents steal national
    defense information. Industrial spies steal their competitors' product
    information. Crackers steal passwords or other kinds of information on
    breaking into systems.
  o Two terms you'll hear in the context of data attacks are inference and
    leakage. With inference, a user legitimately views a number of small
    pieces of data, but by putting those small pieces together is able to
    deduce some piece of non-obvious and secret data. With leakage, a
    user gains access to a flow of data via an unauthorized access route
    (e.g., through eavesdropping).
  o We've talked about wiretapping and monitoring electronic emanations
    in "Breaches of Physical Security" above. In this section, we discuss
    attacks on the integrity of the data itself.
• Unauthorized Copying of Data
  o Software piracy, which we discussed in "Breaches of Personnel
    Security" above, is another attack that spans the categories we've
    identified in this chapter. In some sense, piracy is just another
    example of the unauthorized copying of data. The methods for
    detecting and preventing such a crime are the same whether the
    copied data is national defense plans, commercial software, or
    sensitive corporate or personal data.
  o Preventing and detecting this type of attack requires coordinated
    policies among the different categories of computer security. In terms
    of personnel security, user education is vital. In terms of operations
    security, automated logging and auditing software can play a part as
    well.
• Traffic Analysis
  o Sometimes, the attacks on data might not be so obvious. Even data
    that appears quite ordinary may be valuable to a foreign or industrial
    spy. For example, travel itineraries for generals and other dignitaries
    help terrorists plan attacks against their victims. Accounts payable
    files tell outsiders what an organization has been purchasing and
    suggest what its future plans for expansion may be. Even the fact that
    two people are communicating--never mind what they are saying to
    each other--may give away a secret. Traffic analysis is the name
    given to this type of analysis of communications.
  o In one industrial espionage case, a competitor monitored a company's
    use of online data services to find out what questions it had and what
    information it was collecting on certain types of metallurgy. The
    information allowed the competitor to monitor the company's progress
    on a research and development project and to use this information in
    developing its own similar product. That product reached the market
    several weeks before the original developer was able to. The original
    company's research and development investment and its potential
    share of the market--many millions--were all but lost.
• Covert Channels
  o One somewhat obscure type of data leakage is called a covert
    channel. A clever insider can hide stolen data in otherwise innocent
    output. For example, a filename or the contents of a report could be
    changed slightly to include secret information that is obvious only to
    someone who is looking for it. A password, a launch code, or the
    location of sensitive information might be conveyed in this way. Even
    more obscure are the covert channels that convey information based
    on a system clock or other timed event. Information could, in theory,
    be conveyed by someone who controls system processing in such a
    way that the elapsed time of an event itself conveys secret
    information.
Software Attacks
We've talked so far in this section about attacks on data. There are also attacks that
subvert software.
• Trap Doors
  o One classic software attack is the trap door or back door. A trap door is
    a quick way into a program; it allows program developers to bypass all
    of the security built into the program now or in the future.
  o To a programmer, trap doors make sense. If a programmer needs to
    modify the program sometime in the future, he can use the trap door
    instead of having to go through all of the normal, customer-directed
    protocols just to make the change. Trap doors of course should be
    closed or eliminated in the final version of the program after all testing
    is complete, but, intentionally or unintentionally, some are left in place.
    Other trap doors may be introduced by error and only later discovered
    by crackers who are roaming around, looking for a way into system
    programs and files. Typical trap doors use such system features as
    debugging tools, program exits that transfer control to privileged areas
    of memory, undocumented application calls and parameters, and many
    others.
  o For example, in 1993 and 1994, an unknown group of computer
    criminals repetitively broke into systems on the Internet using
    passwords captured by password sniffers. Once on the system, they
    exploited software flaws to gain privileged access. They installed
    modified login and network programs that allowed them reentry even if
    the original passwords were changed.
  o The detection of trap doors is an operations security problem--
    checking to see whether trap doors are there in the first place, and
    checking on an ongoing basis whether any have appeared and whether
    operations are correct.
• Session Hijacking
  o Session hijacking is a relatively new type of attack in the
    communications category. Some types of hijacking have been around
    a long time. In the simplest type, an authorized user gets up from his
    terminal to go get a cup of coffee. Someone lurking nearby--probably a
    coworker who isn't authorized to use this particular system--sits down
    to read or change files that he wouldn't ordinarily be able to access.
  o Some systems don't disconnect immediately when a session is
    terminated. Instead, they allow a user to re-access the interrupted
    program for a short period. A cracker with a good knowledge of
    telephone and telecommunications operations can take advantage of
    this fact to reconnect to the terminated session.
  o Sometimes, an attacker will connect a covert computer terminal to a
    line between the authorized terminal and the computer. The criminal
    waits until the authorized terminal is on line but not in use, and then
    switches control to the covert terminal. The computer thinks it is still
    connected to the authorized user, and the criminal has access to the
    same files and data as the authorized user. Other types of hijacking
    occur when an authorized user doesn't log out properly so the
    computer still expects a terminal to be connected. Call forwarding from
    an authorized number to an unauthorized number is another method of
    getting access.
• Tunneling
  o Technically sophisticated tunneling attacks fall into this category as
    well. Tunneling uses one data transfer method to carry data for another
    method. Tunneling is an often legitimate way to transfer data over
    incompatible networks, but it is illegitimate when it is used to carry
    unauthorized data in legitimate data packets.
• Timing Attacks
  o Timing attacks are another technically complex way to get
    unauthorized access to software or data. These include the abuse of
    race conditions and asynchronous attacks. In race conditions, there is
    a race between two processes operating on a system; the outcome
    depends on who wins the race. Although such conditions may sound
    theoretical, they can be abused in very real ways by attackers who
    know what they're doing. On certain types of UNIX systems,[2] for
    example, attackers could exploit a problem with files known as setuid
    shell files to gain superuser privileges. They did this by establishing
    links to a setuid shell file, then deleting the links quickly and pointing
    them at some other file of their own. If the operation is done quickly
    enough, the system can be made to run the attacker's file, not the real
    file.
  o In an asynchronous attack, a skilled programmer can figure out how to
    penetrate the queue and modify the data that is waiting to be processed
    or printed. He might use his knowledge of the criteria to place his
    request in front of others waiting in the queue. He might change a queue
    entry to replace someone else's name or data with his own, or to subvert
    that user's data by replacing it. Or he could disrupt the entire system by
    changing commands so that data is lost, programs crash, or information
    from different programs is mixed as the data is analyzed or printed.
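The setuid-file race described above is a check-then-use (time-of-check/time-of-use) flaw: the name is checked, then looked up again to be used, and the link can be swapped in between. As an added example, not from the original chapter, the Python below puts that vulnerable pattern beside a hardened opener that inspects the file through its already-open descriptor instead of through the path; the function names, the ownership and link-count policy, and the constructed temp files and symlink are this example's own assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, Optional, Tuple


def open_vulnerable(path: str) -> Optional[int]:
    """Vulnerable pattern: check the path, then open the path.

    Between the two steps the name can be pointed at a different file (a link
    swapped in, as in the setuid-shell race), and the open uses that file."""
    if not os.path.isfile(path):            # time of check (follows symlinks)
        return None
    return os.open(path, os.O_RDONLY)       # time of use: a second path lookup


def open_hardened(path: str) -> Optional[int]:
    """Hardened pattern: open first, refusing to follow a symlink in the final
    path component, then inspect the object actually opened through its
    descriptor. There is no second lookup, so renaming or relinking the path
    afterwards does not change which file is held.

    Policy assumed by this example: the file must be a regular file owned by
    the calling user with a single hard link. The directories leading to the
    file must themselves not be writable by untrusted users; O_NOFOLLOW only
    covers the last component."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                         # e.g. ELOOP: final component is a symlink
        return None
    st = os.fstat(fd)                       # properties of the opened object, not of the path
    if (not stat.S_ISREG(st.st_mode)
            or st.st_uid != os.geteuid()
            or st.st_nlink != 1):           # extra hard links: another name someone else controls
        os.close(fd)
        return None
    return fd


def run_demo() -> Dict[Tuple[str, str], bool]:
    """Constructed scenario: a regular file and a symlink pointing at it; the
    symlink stands in for the attacker's relinked name. Returns, for each
    opener and each path kind, whether a descriptor was handed back."""
    d = tempfile.mkdtemp(prefix="toctou-demo-")
    real = os.path.join(d, "report.txt")
    with open(real, "w") as f:
        f.write("constructed sample data\n")
    link = os.path.join(d, "report-link")
    os.symlink(real, link)

    results: Dict[Tuple[str, str], bool] = {}
    for opener_name, opener in (("vulnerable", open_vulnerable),
                                ("hardened", open_hardened)):
        for kind, p in (("regular", real), ("symlink", link)):
            fd = opener(p)
            results[(opener_name, kind)] = fd is not None
            if fd is not None:
                os.close(fd)
    return results


if __name__ == "__main__":
    for (opener_name, kind), opened in sorted(run_demo().items()):
        print(f"{opener_name:10s} {kind:8s} -> {'opened' if opened else 'refused'}")
```

The vulnerable opener accepts the symlink because `isfile` and `open` both follow it; the hardened opener refuses it and, because it checks the descriptor, would also notice a hard link or a non-regular file substituted under the same name.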
Viruses and Worms
People often confuse viruses and worms, so we try to differentiate them in this
section. Indeed, they have many similarities, and both can be introduced into
systems via Trojan horses.
The easiest way to think of a computer virus is in terms of a biological virus. A
biological virus is not strictly alive in its own right, at least in the sense that lay
people usually view life. It needs a living host in order to operate. Viruses infect
healthy living cells and cause them to replicate the virus. In this way, the virus
spreads to other cells. Without the living cell, a virus cannot replicate.
In a computer, a virus is a program which modifies other programs so they
replicate the virus. In other words, the healthy living cell becomes the original
program, and the virus affects the way the program operates. How? It inserts a
copy of itself in the code. Thus, when the program runs, it makes a copy of the
virus. This happens only on a single system. (Viruses don't infect networks in the
way worms do, as we'll explain below.) However, if a virus infects a program
which is copied to a disk and transferred to another computer, it could also infect
programs on that computer. This is how a computer virus spreads.
NOTE: An important distinction between worms and viruses: A worm
operates over a network, but in order to infect a machine, a virus must be
physically copied.
Types of Computer Viruses:
A computer virus is a kind of malicious software written intentionally to enter a computer
without the user's permission or knowledge, with an ability to replicate itself, thus
continuing to spread. Some viruses do little but replicate; others can cause severe harm
or adversely affect programs and the performance of the system. A virus should never be
assumed harmless and left on a system. The most common types of viruses are mentioned
below:
• Boot Sector viruses:
  o A boot sector virus infects diskettes and hard drives. All disks and hard
    drives contain smaller sections called sectors. The first sector is called
    the boot sector. The boot sector carries the Master Boot Record (MBR),
    whose function is to read and load the operating system. So, if a virus
    infects the boot sector or MBR of a disk, such as a floppy disk, your hard
    drive can become infected if you re-boot your computer while the infected
    disk is in the drive. Once your hard drive is infected, all diskettes that you
    use in your computer will be infected. Boot sector viruses often spread to
    other computers by the use of shared infected disks and pirated software
    applications. The best way to disinfect your computer of a boot sector
    virus is by using antivirus software.
• Program viruses:
  o A program virus becomes active when the program file (usually with
    extensions .BIN, .COM, .EXE, .OVL, .DRV) carrying the virus is opened.
    Once active, the virus will make copies of itself and will infect other
    programs on the computer.
• Multipartite viruses:
  o A multipartite virus is a hybrid of boot sector and program viruses. It
    infects program files, and when the infected program is active it will affect
    the boot record. So the next time you start up your computer it'll infect
    your local drive and other programs on your computer.
• Macro Viruses:
  o A macro virus is programmed as a macro embedded in a document.
    Many applications, such as Microsoft Word and Excel, support macro
    languages. Once a macro virus gets on to your computer, every
    document you produce will become infected. This type of virus is
    relatively new and may slip by your antivirus software if you don't have
    the most recent version installed on your computer.
• ActiveX and Java Controls:
  o Some users do not know how to manage and control their web browser
    to allow or prohibit certain functions, such as enabling or disabling
    sound, pop-ups, and so on, leaving the computer in danger of being
    targeted by unwanted software or adware floating in cyberspace.
• Direct Action Viruses
  o The main purpose of this virus is to replicate and take action when it is
    executed. When a specific condition is met, the virus will go into action
    and infect files in the directory or folder that it is in and in directories that
    are specified in the AUTOEXEC.BAT file PATH. This batch file is always
    located in the root directory of the hard disk and carries out certain
    operations when the computer is booted.
• Overwrite Viruses
  o A virus of this kind is characterized by the fact that it deletes the
    information contained in the files that it infects, rendering them
    partially or totally useless once they have been infected. The only way
    to clean a file infected by an overwrite virus is to delete the file
    completely, thus losing the original content. Examples of this virus
    include: Way, Trj.Reboot, Trivial.88.
• Directory Virus
  o Directory viruses change the paths that indicate the location of a file.
    By executing a program (file with the extension .EXE or .COM) which
    has been infected by a virus, you are unknowingly running the virus
    program, while the original file and program have been previously
    moved by the virus. Once infected, it becomes impossible to locate the
    original files.
• File Infectors
  o This type of virus infects programs or executable files (files with an
    .EXE or .COM extension). When one of these programs is run, directly
    or indirectly, the virus is activated, producing the damaging effects it is
    programmed to carry out. The majority of existing viruses belong to
    this category, and can be classified depending on the actions that
    they carry out.
• Worms
  o A worm is a program very similar to a virus; it has the ability to self-
    replicate and can lead to negative effects on your system, and, most
    importantly, worms are detected and eliminated by antivirus software.
    Examples of worms include: PSWBugbear.B, Lovgate.F, Trile.C, Sobig.D,
    Mapson.
• Trojans or Trojan Horses
  o Another unsavory breed of malicious code are Trojans or Trojan horses,
    which, unlike viruses, do
    not reproduce by infecting other files, nor do they self-replicate like
    worms.
• Logic Bombs
  o Logic bombs may also find their way into computer systems by way of
    Trojan horses. A typical logic bomb tells the computer to execute a set
    of instructions at a certain date and time or under certain specified
    conditions. The instructions may tell the computer to display "I gotcha"
    on the screen, or it may tell the entire system to start erasing itself.
    Logic bombs often work in tandem with viruses. Whereas a simple
    virus infects a program and then replicates when the program starts to
    run, the logic bomb does not replicate - it merely waits for some pre-
    specified event or time to do its damage.
• Trojan horse
  o A Trojan Horse is full of as much trickery as the mythological Trojan
    Horse it was named after. The Trojan Horse will at first glance appear to
    be useful software but will actually do damage once installed or run on
    your computer. Those on the receiving end of a Trojan Horse are usually
    tricked into opening them because they appear to be receiving legitimate
    software or files from a legitimate source. When a Trojan is activated on
    your computer, the results can vary. Some Trojans are designed to be
    more annoying than malicious (like changing your desktop or adding silly
    active desktop icons), or they can cause serious damage by deleting
    files and destroying information on your system. Trojans are also known
    to create a backdoor on your computer that gives malicious users access
    to your system, possibly allowing confidential or personal information to
    be compromised. Unlike viruses and worms, Trojans do not reproduce by
    infecting other files nor do they self-replicate.
• Blended Threats
  o Added into the mix, we also have what is called a blended threat. A
    blended threat is a more sophisticated attack that bundles some of the
    worst aspects of viruses, worms, Trojan horses and malicious code into
    one single threat. Blended threats can use server and Internet
    vulnerabilities to initiate, then transmit and also spread an attack.
    Characteristics of blended threats are that they cause harm to the
    infected system or network, they propagate using multiple methods, the
    attack can come from multiple points, and blended threats also exploit
    vulnerabilities.
How are viruses spread?
When you execute program code that's infected by a virus, the virus code will also run
and try to infect other programs, either on the same computer or on other computers
connected to it over a network. And the newly infected programs will try to infect yet
more programs.
When you share a copy of an infected file with other computer users, running the file
may also infect their computers; and files from those computers may spread the infection
to yet more computers. If your computer is infected with a boot sector virus, the virus
tries to write copies of itself to the system areas of floppy disks and hard disks.
Then the infected floppy disks may infect other computers that boot from them, and the
virus copy on the hard disk will try to infect still more floppies.
Some viruses, known as 'multipartite' viruses, can spread both by infecting
files and by infecting the boot areas of floppy disks.
Damage done by viruses:
• Rendering a Computer Useless
  o Some viruses can prevent you from being able to use your computer at all.
    The CIH virus of 1999, named after its Taiwanese creator, Chen Ing-Hau,
    activated on its creator's birthday. It made computers virtually useless by
    overwriting a critical part of the computer's memory called the basic input
    output system (BIOS), which handles even the most basic tasks, such as
    starting the computer. Users had to have a chip in their computer replaced
    before the computer would function again.
• Physical Damage
  o Other viruses damage specific parts of your computer. One virus, a Trojan
    virus called WinFixer, coerced users into installing it by telling them there
    was something wrong with their computers. It was capable of physically
    damaging the mechanism used to open and close the CD drive,
    preventing users from inserting or removing discs. Some viruses for
    Amiga computers damaged the mechanism used to read and write from
    the hard disk, requiring that the hard disk be replaced.
• Deletion of Files
  o Some viruses delete your files to cause havoc. One variant of the Mydoom
    worm, for instance, periodically searched the drives of infected computers
    for files with extensions like .doc (Microsoft Word documents), .xls
    (Microsoft Excel spreadsheets) and .jpg (JPEG images). Then, it randomly
    deleted the files it found with a different probability for each type. For
    instance, there was a 60 percent chance that Excel spreadsheets would be
    deleted, and a 40 percent chance that Word documents would be deleted.
• Disabling Functionality
  o To further spread and to evade removal, some viruses can disable
    programs that deliver updates and remove viruses. As of April 2009,
    variants of the Kido worm, also known as Conficker and Downadup, check
    once per second for running antivirus programs. If an antivirus program is
    running, it is closed immediately. The worm also disables the Windows
    Update service and blocks access to antivirus websites, preventing many
    users from removing the worm from their computers.
• Doing Nothing
  o Finally, some viruses do nothing harmful at all. There have been many
    viruses that simply spread themselves about without doing anything
    dangerous. They are, however, still considered viruses, because they
    enter computers without the user's consent.
Virus Prevention:
The threat of computer-killing viruses is very real. Every year, thousands of computers
are infected with viruses that severely limit functionality and almost always crash the
computer. Fortunately, there are a number of ways that you can protect your computer
from these viruses and lower your risk of possible infection.
1. Security Basics
a. To adequately understand how to protect your PC from viruses, it is
important to know a few security basics. The first is that the biggest threat
to your computer is the Internet. Because modern broadband connections
are always on, there are constant security threats. However, the second
thing to remember about PC security is that almost all virus attacks can be
prevented. With proper anti-virus and firewall software, PC viruses can be
prevented. And yes, it can be done for free.
2. Anti-virus Software
a. Anti-virus software is your computer's first line of defense against any
intruding program or file that may contain malicious applications. The role
of anti-virus software is twofold: it monitors activity and downloaded
content, and also scans your hard drive for any files it may have missed.
Avast! is a free anti-virus program, and a link to its homepage is in the
Resources section.
3. Firewall
a. A firewall is a connection management tool that limits access to your
networked information by third parties. A firewall is an essential tool to
keep websites and third parties from gathering information about you from
files you have stored on your computer. Firewalls also keep you protected
from third parties downloading unintended files, such as viruses, to your
computer. See the Resources section for a link to Comodo, which is a free
firewall application.
4. Monitor Your E-mail
a. One of the biggest ways that viruses and spyware are transmitted is
through e-mail. It is essential to have a virus scan that checks attachments
and messages for potentially harmful scripts and files. Most modern web-
based e-mail servers (like Yahoo! and MSN) have their own anti-virus
software, but if you use a program like Microsoft Outlook to gather your
mail, it is good to have another e-mail-focused anti-virus program that can
scan your messages as they are received.
5. Visit only Trustworthy Sites
a. Although this seems like common sense, search engines like Google and
Yahoo! make it easy to click on a website that you have never heard of.
Always make sure to only visit sites you trust, and if the site is flagged by
a search engine, don't go near it.
Breaches of Operations Security:
Because operations security includes the setting up of procedures to prevent and
detect all types of attacks on systems and personnel, we've discussed elements of
operations security in most of the other preceding sections. Here, we describe a few
special kinds of breaches of operations security.
Data Diddling
Data diddling, sometimes called false data entry, involves modifying data
before or after it is entered into the computer. Consider situations in which
employees are able to falsify time cards before the data contained on the
cards is entered into the computer for payroll computation. A timekeeping
clerk in a 300-person company noticed that, although the data entered into
the company's timekeeping and payroll systems included both the name and
the employee number of each worker, the payroll system used only the
employee's number to process payroll checks. There were no external
safeguards or checks to audit the integrity of the data. She took advantage of
this vulnerability and filled out forms for overtime hours for employees who
usually worked overtime. The cards had the hardworking employees' names,
but the time clerk's number. Payment for the overtime was credited to her.
In another case, two employees of a utility company found that there was a
time lapse of several days between when meter readings were entered into
the computer and when the bills were printed. By changing the reading during
this period, they were able to substantially reduce their electric bills and the
bills of some of their friends and neighbors.
Why do we discuss these very simple attacks in the context of operations
security? Because these attacks should not occur. Operations should be set
up in any organization to prevent and detect this type of crime--safeguards on
data modification, audits of changed data to be sure it was modified with
authorization, and so on.
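The payroll case above failed for one reason: the payroll system keyed on the employee number alone, so a card carrying one worker's name and the clerk's number was paid to the clerk. The following is an added example, not code from the project, of the kind of input safeguard and audit the paragraph asks for. It cross-checks every time card against an employee master (constructed here) before the card is accepted, and separately reports any employee number that collects overtime under more than one name. The employee names, numbers and time cards are constructed sample data.

```python
"""Cross-check time-card records against the employee master list.

Added example (not from the page): refuse any time card whose name and
employee number disagree with the employee master, and flag employee numbers
that appear under several names in one batch.  All data below is constructed.
"""
from collections import defaultdict

# Constructed employee master: employee number -> registered name
EMPLOYEES = {
    "1001": "A. Worker",
    "1002": "B. Worker",
    "2077": "T. Clerk",
}

# Constructed time-card batch as keyed in: name, number, overtime hours
TIMECARDS = [
    {"name": "A. Worker", "number": "1001", "overtime": 6.0},
    {"name": "B. Worker", "number": "1002", "overtime": 4.5},
    {"name": "T. Clerk",  "number": "2077", "overtime": 0.0},
    # falsified cards: hardworking employees' names, but the clerk's own number
    {"name": "A. Worker", "number": "2077", "overtime": 8.0},
    {"name": "B. Worker", "number": "2077", "overtime": 7.5},
]


def validate_timecards(cards, employees):
    """Return (accepted, rejected); each rejected entry carries its reason."""
    accepted, rejected = [], []
    for card in cards:
        registered = employees.get(card["number"])
        if registered is None:
            rejected.append((card, "unknown employee number"))
        elif registered != card["name"]:
            rejected.append((card, f"name/number mismatch: number belongs to {registered}"))
        else:
            accepted.append(card)
    return accepted, rejected


def overtime_by_number(cards):
    """Audit view: overtime hours credited per employee number, and the names used."""
    totals = defaultdict(lambda: {"hours": 0.0, "names": set()})
    for card in cards:
        totals[card["number"]]["hours"] += card["overtime"]
        totals[card["number"]]["names"].add(card["name"])
    return dict(totals)


def suspicious_numbers(cards):
    """Employee numbers that appear under more than one name in the batch."""
    return sorted(n for n, t in overtime_by_number(cards).items() if len(t["names"]) > 1)


if __name__ == "__main__":
    ok, bad = validate_timecards(TIMECARDS, EMPLOYEES)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for card, reason in bad:
        print("  rejected:", card, "->", reason)
    print("numbers used under several names:", suspicious_numbers(TIMECARDS))
```

The first check stops the fraud at data entry; the second is the after-the-fact audit the text calls for, and it would have caught the clerk even if the entry check were missing, because her number shows up under three different names.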
IP Spoofing
In "Breaches of Personnel Security" above, we introduced masquerading
attacks, particularly those involving one person pretending to be another. But
there are some more complex masquerading attacks that can be prevented
only by strong operations security.
A method of masquerading that we're seeing in various Internet attacks today
is known as IP spoofing (IP stands for Internet Protocol, one of the
communications protocols that underlies the Internet). Certain UNIX programs
grant access based on IP addresses; essentially, the system running the
program is authenticated, rather than the individual user. The attacker forges
the addresses on the data packets he sends so they look as if they came
from inside a network on which systems trust each other. Because the
attacker's system looks like an inside system, he is never asked for a
password or any other type of authentication. In fact, the attacker is using this
method to penetrate the system from the outside. (This is the method used in
the attack on Tsutomu Shimomura's system,
How can an operations security program prevent IP spoofing attacks? Two
good ways are to require passwords in all cases and to prevent trust
relationships among systems.
Password Sniffing
Password sniffers are able to monitor all traffic on areas of a network.
Crackers have installed them on networks used by systems that they
especially want to penetrate, like telephone systems and network providers.
Password sniffers are programs that simply collect the first 128 or more bytes
of each network connection on the network that's being monitored. When a
user types in a user name and a password--as required when using certain
common Internet services like FTP (which is used to transfer files from one
machine to another) or Telnet (which lets the user log in remotely to another
machine)--the sniffer collects that information. Additional programs sift
through the collected information, pull out the important pieces (e.g., the user
names and passwords), and cover up the existence of the sniffers in an
automated way. Best estimates are that in 1994 as many as 100,000 sites
were affected by sniffer attacks.
One-time passwords and encrypted passwords are good ways to keep
password sniffing attacks from compromising systems.
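As an added example, not from the project, here is why a one-time password defeats a sniffer. The code implements the HMAC-based one-time password construction of RFC 4226 (HOTP: HMAC-SHA1 over an 8-byte counter, truncated to six digits) and a small server-side verifier that accepts each value only once. The shared secret is the RFC's own test-vector key, chosen so the values can be checked against the published vectors; the look-ahead window size is an assumption of this example.

```python
"""One-time passwords as a defence against password sniffing.

Added example, not from the page: HOTP (RFC 4226) plus a verifier that
remembers the last accepted counter.  A value captured on the wire cannot be
replayed because the server's counter has already moved past it.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given shared secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: each counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value expected
        self.look_ahead = look_ahead  # assumed window for values the client skipped

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this value and all earlier ones are now dead
                return True
        return False


# RFC 4226 test-vector key (used here as a constructed shared secret)
SECRET = b"12345678901234567890"


def sniffing_scenario():
    """Legitimate login, replay of the captured value, then the user's next value."""
    server = OtpVerifier(SECRET)
    first = hotp(SECRET, 0)              # what the user types and a sniffer captures
    return (server.verify(first),        # True: legitimate login
            server.verify(first),        # False: replayed captured value is rejected
            server.verify(hotp(SECRET, 1)))  # True: user's next value


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(SECRET, 0))
    print("legitimate, replay, next:", sniffing_scenario())
```

The sniffer still sees the six digits go by; what it cannot do is use them, which is the property that a static FTP or Telnet password lacks.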
Scanning
A technique often used by novice crackers, called scanning or war dialing,
also is one that ought to be prevented by good operations security.
Remember the 1983 movie War Games, in which the high school cracker
programmed his computer to dial telephone number after telephone number
until it found one that connected to a modem?
With scanning, a program known as a war dialer or demon dialer processes a
series of sequentially changing information, such as a list of telephone
numbers, passwords, or telephone calling card numbers. It tries each one in
turn to see which ones succeed in getting a positive response. In War
Games, for example, the program dialed all of the telephone numbers in a
particular region sequentially; if the number was answered by a tone, it was
recorded for later experimentation. The computer doing the calling can make
hundreds of telephone calls within several hours.
The programs used for scanning, called war dialers or demon dialer
programs, are available from many bulletin board systems (BBSs).
Successful scanners often post the telephone numbers they've identified on
bulletin boards and in cracker publications.
Ways of Detecting Common Attacks
This section provides a quick summary of how you might be able to anticipate or
detect the most common types of attacks we've discussed in this chapter. Note that
this listing is not exhaustive; too many of the attacks don't fall into neat categories,
and too many require a good deal of technical understanding to anticipate and
detect.
This section briefly summarizes:
• Potential offenders--what type of individual (e.g., a programmer, a spy)
might commit a crime of this type.
• Methods of detection--how such crimes are found out (e.g., tracing
equipment of various kinds, analyzing log files).
• Evidence--trails that might be left by the intruders and that might help in
detection (e.g., system logs, telephone company records).
Dumpster Diving:
Potential Offenders
1. System users.
2. Anyone able to access the trash area.
3. Anyone who has access to computer areas or areas used to store
backups.
Methods of Detection
1. Tracing proprietary information back to its source (e.g., memos with
company names or logos).
2. Observation (guards may actually see intruders in action).
3. Testing an operating system to discover data left over after job
execution.
Evidence
1. Computer output media (e.g., may contain vendor name or identifying
page numbers).
2. Similar information produced in suspected ways in the same form.
3. Characteristics of printout or other media (e.g., type fonts or logos).
Wiretapping and Eavesdropping:
Potential Offenders
1. Communications technicians and engineers.
2. Agents for competitors.
3. Communications employees, former employees, vendors, and
contractors.
4. Agents for foreign intelligence services.
Methods of Detection
1. Voice wiretapping methods.
2. Tracing where the equipment used in the crime came from (e.g.,
monitoring equipment).
3. Tracing computer output (e.g., disks and tapes) to their source.
4. Observation.
5. Discovery of stolen information.
Evidence
1. Voice wiretapping as evidence.
2. Computer output forms.
3. Computer audit logs.
4. Computer storage media.
5. Characteristics of printout or other media (e.g., type fonts or logos).
6. Manual after-hours signin/signout sheets.
Masquerading:
Potential Offenders
Potentially everyone.
Methods of Detection
1. Analysis of audit logs and journals (e.g., a log shows that an
authorized user apparently logged in, but it is known that the person
was away at that time).
2. Observation (e.g., an eyewitness saw an intruder at an authorized
user's terminal).
3. Password violations (e.g., a log shows repeated failed attempts to use
an invalid password).
4. Report by the person who has been impersonated (e.g., the authorized
person logs in, and the system tells him that he has had six
unsuccessful logins since the last time he knows he actually logged in).
Evidence
1. Backups.
2. System audit logs.
3. Telephone company records (pen register and dialed number recorder
(DNR) records).
4. Violation reports from access control packages.
5. Notes and documents found in the possession of suspects.
6. Witnesses.
7. Excessively large phone bills (excessive message units may indicate
that someone is using resources).
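The three log-based detection methods listed for masquerading (a login while the real user is known to be away, repeated failed password attempts, and the count of failures the system should report back to the user) can be mechanized over an audit log. The following is an added example, not part of the project: it parses a constructed login log in a syslog-like format, checks successful logins against a constructed absence roster, finds bursts of failures from one source against one account, and computes the "six unsuccessful logins since your last login" figure for each successful login. The log format, roster and thresholds are all assumptions of this example.

```python
"""Audit-log checks for masquerading (added example, not from the page).

Log lines, the absence roster and the thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt, one login attempt per line
LOG = """\
2019-08-05 08:02:11 login: user=alice from=10.1.2.33 result=success
2019-08-05 08:15:40 login: user=bob from=10.1.2.41 result=success
2019-08-05 22:41:03 login: user=carol from=203.0.113.9 result=failure
2019-08-05 22:41:09 login: user=carol from=203.0.113.9 result=failure
2019-08-05 22:41:15 login: user=carol from=203.0.113.9 result=failure
2019-08-05 22:41:22 login: user=carol from=203.0.113.9 result=failure
2019-08-05 22:41:30 login: user=carol from=203.0.113.9 result=success
2019-08-06 09:00:02 login: user=carol from=10.1.2.50 result=success
"""

# Constructed roster: users recorded as away on the given dates
AWAY = {"carol": {"2019-08-05"}}

LINE = re.compile(r"^(\S+ \S+) login: user=(\w+) from=(\S+) result=(success|failure)$")


def parse_log(text):
    """Turn matching log lines into event dicts; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, src, result = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "user": user, "src": src, "ok": result == "success"})
    return events


def logins_while_away(events, away):
    """Successful logins on a day the account owner is recorded as absent."""
    return [e for e in events
            if e["ok"] and e["time"].strftime("%Y-%m-%d") in away.get(e["user"], set())]


def failure_bursts(events, threshold=3, window_seconds=300):
    """(user, source) pairs with at least `threshold` failures inside one window."""
    hits = set()
    recent = defaultdict(list)          # (user, src) -> failure times still in window
    for e in events:
        if e["ok"]:
            continue
        key = (e["user"], e["src"])
        recent[key] = [t for t in recent[key]
                       if (e["time"] - t).total_seconds() <= window_seconds]
        recent[key].append(e["time"])
        if len(recent[key]) >= threshold:
            hits.add(key)
    return sorted(hits)


def failures_before_each_success(events):
    """For each successful login: (user, time, failures since that user's previous
    success).  This is the figure the system should show the user at login."""
    pending = defaultdict(int)
    report = []
    for e in events:
        if e["ok"]:
            report.append((e["user"], e["time"], pending[e["user"]]))
            pending[e["user"]] = 0
        else:
            pending[e["user"]] += 1
    return report


if __name__ == "__main__":
    evs = parse_log(LOG)
    for e in logins_while_away(evs, AWAY):
        print("login while away:", e["user"], e["time"], "from", e["src"])
    print("failure bursts:", failure_bursts(evs))
    for user, when, n in failures_before_each_success(evs):
        print(f"{when} {user}: {n} failed attempt(s) since previous login")
```

Each of the three functions is one of the page's detection methods turned into a query; in the sample log all three point at the same event, which is what a reviewer wants to see before raising it with the real owner of the account.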
Software Piracy:
Potential Offenders
1. Purchasers and users of commercial software.
2. Software pirates.
3. Employees who steal proprietary software.
Methods of Detection
1. Observation.
2. Testimony of legitimate purchasers of software.
3. Search of users' facilities and computers.
Evidence
1. Pictures of computer screens where pirated software is being
executed.
2. The contents of memory in computers containing pirated software.
3. Copies of media on which pirated software is found.
4. Printouts produced by pirated software.
Trap Doors:
Potential Offenders
1. Systems programmers.
2. Applications programmers.
Methods of Detection
1. Exhaustive testing.
2. Specific testing based on evidence.
3. Comparison of specifications to performance.
Evidence
1. Programs that perform tasks not specified for them.
2. Output reports that indicate that programs are performing tasks not
specified for them.
Timing Attacks:
Potential Offenders
1. Advanced system analysts.
2. Advanced computer programmers.
Methods of Detection
1. System testing of suspected attack methods.
2. Complaints from system users that their jobs are not being performed
efficiently.
3. Repeat execution of a job under normal and safe conditions.
Evidence
1. Output that deviates from normally expected output of logs.
2. Computer operations logs.
Trojan Horses, Viruses, Worms and Logic Bombs:
Potential Offenders
1. Programmers who have detailed knowledge of a program.
2. Employees or former employees.
3. Vendor or contractor programmers.
4. Financial system programmers.
5. Computer users.
6. Computer operators.
Methods of Detection
1. Comparison of program code with backup copies of the program.
2. Tracing of unexpected events of possible gain from the act to
suspected perpetrators.
3. Detailed data analysis, including analysis of program code (e.g., you
may detect a virus because a file increases in size when it is modified
or because disk space decreases).
4. Observation of financial activities of possible suspects (especially for
salami attacks).
5. Testing of suspect programs.
6. Examination of computer audit logs for suspicious programs or
pertinent entries (e.g., log entries that show that many programs were
updated at the same time) (especially for viruses).
7. Transaction audits.
Evidence
1. Output reports.
2. Unexpected results of running programs.
3. Computer usage and file request journals.
4. Undocumented transactions.
5. Analysis test program results.
6. Audit logs.
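Detection method 1 above (comparison of program code with backup copies) and the size-increase hint in method 3 come down to the same mechanism: record a digest and size for every program from a trusted copy, and diff the live system against that record. The following is an added example, not code from the project, that builds such a manifest with SHA-256, compares two manifests, and runs a constructed scenario in a temporary directory in which one program grows, one unexpected file appears and one file disappears. The file names and contents are constructed.

```python
"""Comparing programs against a known-good copy (added example, not from the page).

A manifest records each file's SHA-256 digest and size; comparing the live
tree with the manifest taken from a trusted copy reports modified, added and
removed files, and notes when a modified program grew.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map relative path -> (sha256 hex digest, size in bytes) for files under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            manifest[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(), len(data))
    return manifest


def compare_manifests(baseline, current):
    """Report modified, added and removed files.  Modified entries carry the size
    change, because unexplained growth of a program is a classic virus sign."""
    report = {"modified": {},
              "added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current))}
    for rel in sorted(set(baseline) & set(current)):
        (h0, s0), (h1, s1) = baseline[rel], current[rel]
        if h0 != h1:
            report["modified"][rel] = {"size_before": s0, "size_after": s1, "grew": s1 > s0}
    return report


def demo():
    """Constructed scenario: baseline a small program directory, then append to one
    program, plant a new file and delete another; return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        progs = os.path.join(root, "bin")
        os.makedirs(progs)
        for name, body in [("payroll", b"ORIGINAL PAYROLL CODE"),
                           ("report", b"REPORT CODE"),
                           ("backup", b"BACKUP CODE")]:
            with open(os.path.join(progs, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)     # trusted copy taken while the system was clean

        with open(os.path.join(progs, "payroll"), "ab") as f:
            f.write(b"\n<appended unexpected code>")   # the program grows when modified
        with open(os.path.join(progs, "dropper"), "wb") as f:
            f.write(b"NEW UNEXPECTED FILE")
        os.remove(os.path.join(progs, "backup"))
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In practice the baseline manifest has to live somewhere the suspect system cannot rewrite (read-only media or a separate host), otherwise a program that modifies itself could also repair the record it is compared against.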
Data Diddling:
Potential Offenders
1. Participants in transactions being entered or updated.
2. Suppliers of source data.
3. Preparers of data.
4. Nonparticipants with access.
Methods of Detection
1. Comparison of data.
2. Manual controls.
3. Analysis of computer validation reports.
4. Integrity tests.
5. Validation of documents.
6. Analysis of audit logs.
7. Analysis of computer output.
Evidence
1. Data documents for source data, transactions, etc.
2. Manual logs, audit logs, journals, etc.
3. Backups and other computer media (e.g., tapes and disks).
4. Incorrect computer output control violation alarms.
Scanning:
Potential Offenders
1. Malicious intruders.
2. Spies attempting to access systems for targeted data.
3. Criminals intent on committing fraud.
Methods of Detection
1. Computer logs that show when telephone calls were received by the
computer and when attempts were made.
2. Loss of data or transfer of funds or other assets.
3. Telephone company records.
Evidence
1. Telephone company records (pen register and dialed number recorder
(DNR) records).
2. Possession of war dialing programs.
3. Computer logs.
4. Possession of information compromised as a result of scanning, including
lists of telephone numbers.
Bibliography:
• www.wikipedia.com
• www.antivirusabout.com
• www.essortment.com
• Computer Viruses for Dummies - Peter H. Gregory - Melody Layne
• The Little Black Book of Computer Virus
• www.myacrobatpdf.com/computer-virus-identification-and-prevention.html