
CHAPTER 1

INTRODUCTION

1.1 INFORMATION SECURITY

Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification or destruction.

The terms information security, computer security and information assurance are
frequently, and incorrectly, used interchangeably. These fields are often interrelated
and share the common goals of protecting the confidentiality, integrity and availability
of information; however, there are some subtle differences between them.

These differences lie primarily in the approach to the subject, the methodologies used,
and the areas of concentration. Information security is concerned with the
confidentiality, integrity and availability of data regardless of the form the data may
take: electronic, print, or other forms.

Computer security can focus on ensuring the availability and correct operation of a
computer system without concern for the information stored or processed by the
computer.

Governments, military, corporations, financial institutions, hospitals, and private
business amass a great deal of confidential information about their employees,
customers, products, research, and financial status. Most of this information is now
collected, processed and stored on electronic computers and transmitted across
networks to other computers.

Should confidential information about a business' customers or finances or new
product line fall into the hands of a competitor, such a breach of security could lead to
lost business, law suits or even bankruptcy of the business. Protecting confidential
information is a business requirement, and in many cases also an ethical and legal
requirement.

For the individual, information security has a significant effect on privacy, which is
viewed very differently in different cultures.

The field of information security has grown and evolved significantly in recent years.
As a career choice there are many ways of gaining entry into the field. It offers many
areas for specialization including: securing network(s) and allied infrastructure,
securing applications and databases, security testing, information systems auditing,
business continuity planning and digital forensics science, to name a few, which are
carried out by Information Security Consultants.

This article presents a general overview of information security and its core concepts.

Information Security Components: or qualities, i.e., Confidentiality, Integrity and
Availability (CIA). Information Systems are decomposed into three main portions,
hardware, software and communications, in order to identify and apply
information security industry standards, as mechanisms of protection and prevention,
at three levels or layers: Physical, Personal and Organizational. Essentially,
procedures or policies are implemented to tell people (administrators, users and
operators) how to use products to ensure information security within the
organizations.

CHAPTER 2

HISTORY

Since the early days of writing, heads of state and military commanders understood
that it was necessary to provide some mechanism to protect the confidentiality of
written correspondence and to have some means of detecting tampering.

Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C., which was
created in order to prevent his secret messages from being read should a message fall
into the wrong hands.

World War II brought about much advancement in information security and marked
the beginning of the professional field of information security.

The end of the 20th century and early years of the 21st century saw rapid
advancements in telecommunications, computing hardware and software, and data
encryption. The availability of smaller, more powerful and less expensive computing
equipment made electronic data processing within the reach of small business and the
home user. These computers quickly became interconnected through a network
generically called the Internet or World Wide Web.

The rapid growth and widespread use of electronic data processing and electronic
business conducted through the Internet, along with numerous occurrences of
international terrorism, fuelled the need for better methods of protecting the
computers and the information they store, process and transmit. The academic
disciplines of computer security, information security and information assurance
emerged along with numerous professional organizations - all sharing the common
goals of ensuring the security and reliability of information systems.

CHAPTER 3

BASIC PRINCIPLES

3.1 KEY CONCEPTS

For over twenty years, information security has held confidentiality, integrity and
availability (known as the CIA triad) to be the core principles of information security.

There is continuous debate about extending this classic trio. Other principles such as
Accountability have sometimes been proposed for addition – it has been pointed out
that issues such as Non-Repudiation do not fit well within the three core concepts, and
as regulation of computer systems has increased (particularly amongst the Western
nations) Legality is becoming a key consideration for practical security installations.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he
called the six atomic elements of information. The elements are confidentiality,
possession, integrity, authenticity, availability, and utility. The merits of the Parkerian
hexad are a subject of debate amongst security professionals.

3.1.1 CONFIDENTIALITY

Confidentiality is the term used to prevent the disclosure of information to
unauthorized individuals or systems. For example, a credit card transaction on the
Internet requires the credit card number to be transmitted from the buyer to the
merchant and from the merchant to a transaction processing network. The system
attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in databases, log files,
backups, printed receipts, and so on), and by restricting access to the places where it is
stored. If an unauthorized party obtains the card number in any way, a breach of
confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your
shoulder at your computer screen while you have confidential data displayed on it
could be a breach of confidentiality. If a laptop computer containing sensitive
information about a company’s employees is stolen or sold, it could result in a breach
of confidentiality. Giving out confidential information over the telephone is a breach
of confidentiality if the caller is not authorized to have the information.

Confidentiality is necessary (but not sufficient) for maintaining the privacy of the
people whose personal information a system holds.

3.1.2 INTEGRITY

In information security, integrity means that data cannot be modified without
authorization. This is not the same thing as referential integrity in databases. Integrity
is violated when an employee accidentally or with malicious intent deletes important
data files, when a computer virus infects a computer, when an employee is able to
modify his own salary in a payroll database, when an unauthorized user vandalizes a
web site, when someone is able to cast a very large number of votes in an online poll,
and so on.

There are many ways in which integrity could be violated without malicious intent. In
the simplest case, a user on a system could mis-type someone’s address. On a larger
scale, if an automated process is not written and tested correctly, bulk updates to a
database could alter data in an incorrect way, leaving the integrity of the data
compromised. Information security professionals are tasked with finding ways to
implement controls that prevent errors of integrity.

3.1.3 AVAILABILITY

For any information system to serve its purpose, the information must be available
when it is needed. This means that the computing systems used to store and process
the information, the security controls used to protect it, and the communication
channels used to access it must be functioning correctly. High availability systems
aim to remain available at all times, preventing service disruptions due to power
outages, hardware failures, and system upgrades. Ensuring availability also involves
preventing denial-of-service attacks.

3.1.4 AUTHENTICITY

In computing, e-Business and information security it is necessary to ensure that the
data, transactions, communications or documents (electronic or physical) are genuine.
It is also important for authenticity to validate that both parties involved are who they
claim they are.

3.1.5 NON-REPUDIATION

In law, non-repudiation implies one’s intention to fulfil their obligations to a
contract. It also implies that one party of a transaction cannot deny having received a
transaction nor can the other party deny having sent a transaction.

Electronic commerce uses technology such as digital signatures and encryption to
establish authenticity and non-repudiation.

3.1.6 RISK MANAGEMENT

A comprehensive treatment of the topic of risk management is beyond the scope of
this article. However, a useful definition of risk management will be provided as well
as some basic terminology and a commonly used process for risk management.

The CISA Review Manual 2006 provides the following definition of risk
management: "Risk management is the process of identifying vulnerabilities and
threats to the information resources used by an organization in achieving business
objectives, and deciding what countermeasures, if any, to take in reducing risk to an
acceptable level, based on the value of the information resource to the organization."

There are two things in this definition that may need some clarification. First, the
process of risk management is an ongoing iterative process. It must be repeated
indefinitely. The business environment is constantly changing and new threats and
vulnerabilities emerge every day. Second, the choice of countermeasures (controls)
used to manage risks must strike a balance between productivity, cost, effectiveness
of the countermeasure, and the value of the informational asset being protected.

Risk is the likelihood that something bad will happen that causes harm to an
informational asset (or the loss of the asset). Vulnerability is a weakness that could be
used to endanger or cause harm to an informational asset. A threat is anything (man
made or act of nature) that has the potential to cause harm.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When
a threat does use a vulnerability to inflict harm, it has an impact. In the context of
information security, the impact is a loss of availability, integrity, and confidentiality,
and possibly other losses (lost income, loss of life, loss of real property). It should be
pointed out that it is not possible to identify all risks, nor is it possible to eliminate all
risk. The remaining risk is called residual risk.

A risk assessment is carried out by a team of people who have knowledge of specific
areas of the business. Membership of the team may vary over time as different parts
of the business are assessed. The assessment may use a subjective qualitative analysis
based on informed opinion, or, where reliable dollar figures and historical information
are available, the analysis may use quantitative analysis.
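The definitions above (risk as the likelihood of a threat using a vulnerability, countermeasures chosen by balancing cost against asset value, and the risk that remains as residual risk) can be worked through in a small risk register. The following is an added example, not part of the report: it scores risk on the qualitative low/medium/high scale, and every asset, value, cost and threshold in it is constructed.

```python
"""Risk register with countermeasure selection (added example, not from the report).

Each entry pairs a threat with the vulnerability it could use against an asset;
risk is scored as likelihood x impact on the qualitative low/medium/high scale.
A countermeasure is chosen by balancing its cost against the asset's value, and
whatever risk remains afterwards is reported as residual risk.
All assets, values, costs and thresholds are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LEVEL = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_SCORE = 3      # assumed risk appetite: scores above this need treatment


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: int                   # one-off cost in currency units (constructed)
    likelihood_reduction: int   # how many likelihood levels the control removes


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: int            # value of the informational asset to the organization
    threat: str
    vulnerability: str
    likelihood: str             # low / medium / high
    impact: str                 # low / medium / high

    def score(self, likelihood: Optional[str] = None) -> int:
        return LEVEL[likelihood or self.likelihood] * LEVEL[self.impact]


def lower_level(level: str, steps: int) -> str:
    """Reduce a qualitative level by `steps`, never below 'low'."""
    value = max(1, LEVEL[level] - steps)
    return next(name for name, number in LEVEL.items() if number == value)


def treat(risk: Risk, options: list) -> dict:
    """Decide accept / mitigate / review / escalate for one register entry."""
    inherent = risk.score()
    result = {"asset": risk.asset, "inherent": inherent, "countermeasure": None}
    if inherent <= ACCEPTABLE_SCORE:
        return {**result, "decision": "accept", "residual": inherent}

    # A control that costs more than the asset is worth is never justified.
    affordable = [c for c in options if c.cost <= risk.asset_value]
    residual_after = {c: risk.score(lower_level(risk.likelihood, c.likelihood_reduction))
                      for c in affordable}

    # Cheapest control that brings the risk within appetite wins ...
    for control in sorted(affordable, key=lambda c: c.cost):
        if residual_after[control] <= ACCEPTABLE_SCORE:
            return {**result, "decision": "mitigate", "countermeasure": control.name,
                    "residual": residual_after[control]}

    # ... otherwise the most effective affordable control, flagged for management
    # review, or escalation when nothing affordable exists.
    if affordable:
        best = min(affordable, key=lambda c: residual_after[c])
        return {**result, "decision": "review", "countermeasure": best.name,
                "residual": residual_after[best]}
    return {**result, "decision": "escalate", "residual": inherent}


# Constructed register: (risk, countermeasures available for it)
REGISTER = [
    (Risk("customer database", 500_000, "external attacker", "unpatched web server", "high", "high"),
     [Countermeasure("patch management", 20_000, 2),
      Countermeasure("web application firewall", 60_000, 1)]),
    (Risk("office printer", 800, "theft", "unlocked room", "medium", "low"),
     [Countermeasure("door lock", 150, 1)]),
    (Risk("legacy controller", 5_000, "malware", "unsupported OS", "high", "medium"),
     [Countermeasure("replacement system", 40_000, 2)]),
    (Risk("mail server", 100_000, "phishing", "no user training", "high", "high"),
     [Countermeasure("awareness training", 8_000, 1)]),
]


def assess_register() -> list:
    """Treat every entry; the register is re-run whenever threats or assets change."""
    return [treat(risk, options) for risk, options in REGISTER]


if __name__ == "__main__":
    for entry in assess_register():
        print(entry)
```

The four register entries exercise the four outcomes: the database risk is mitigated by the cheaper control that reaches the appetite, the printer risk is accepted as it stands, the controller has no affordable control and is escalated, and the mail server keeps a residual score above appetite even after training and is flagged for review. Re-running `assess_register()` after updating the register is the iterative part of the process the text describes.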

The ISO/IEC 27002:2005 Code of practice for information security management
recommends the following be examined during a risk assessment:

• Security policy,
• Organization of information security,
• Asset management,
• Human resources security,
• Physical and environmental security,
• Communications and operations management,
• Access control,
• Information systems acquisition, development and maintenance,
• Information security incident management,
• Business continuity management, and

3.2 CONTROLS

When Management chooses to mitigate a risk, they will do so by implementing one or
more of three different types of controls.

3.2.1 ADMINISTRATIVE

Administrative controls (also called procedural controls) consist of approved written
policies, procedures, standards and guidelines. Administrative controls form the
framework for running the business and managing people. They inform people on
how the business is to be run and how day to day operations are to be conducted.
Laws and regulations created by government bodies are also a type of administrative
control because they inform the business. Some industry sectors have policies,
procedures, standards and guidelines that must be followed – the Payment Card
Industry (PCI) Data Security Standard required by Visa and Master Card is such an
example. Other examples of administrative controls include the corporate security
policy, password policy, hiring policies, and disciplinary policies.

Administrative controls form the basis for the selection and implementation of logical
and physical controls. Logical and physical controls are manifestations of
administrative controls. Administrative controls are of paramount importance.

3.2.2 LOGICAL

Logical controls (also called technical controls) use software and data to monitor and
control access to information and computing systems. For example: passwords,
network and host based firewalls, network intrusion detection systems, access control
lists, and data encryption are logical controls.

An important logical control that is frequently overlooked is the principle of least
privilege. The principle of least privilege requires that an individual, program or
system process is not granted any more access privileges than are necessary to
perform the task. A blatant example of the failure to adhere to the principle of least
privilege is logging into Windows as user Administrator to read Email and surf the
Web. Violations of this principle can also occur when an individual collects additional
access privileges over time. This happens when employees’ job duties change, or they
are promoted to a new position, or they transfer to another department. The access
privileges required by their new duties are frequently added onto their already existing
access privileges which may no longer be necessary or appropriate.

3.2.3 PHYSICAL

Physical controls monitor and control the environment of the work place and
computing facilities. They also monitor and control access to and from such facilities.
For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire
suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.
Separating the network and work place into functional areas is also a physical
control.

An important physical control that is frequently overlooked is the separation of
duties. Separation of duties ensures that an individual cannot complete a critical task
by himself. For example: an employee who submits a request for reimbursement
should not also be able to authorize payment or print the check. An applications
programmer should not also be the server administrator or the database administrator;
these roles and responsibilities must be separated from one another.

3.2.4 ACCESS CONTROL

Access to protected information must be restricted to people who are authorized to
access the information. The computer programs, and in many cases the computers that
process the information, must also be authorized. This requires that mechanisms be in
place to control the access to protected information. The sophistication of the access
control mechanisms should be in parity with the value of the information being
protected – the more sensitive or valuable the information, the stronger the control
mechanisms need to be. The foundation on which access control mechanisms are built
starts with identification and authentication.

Identification is an assertion of who someone is or what something is. If a person
makes the statement “Hello, my name is John Doe,” they are making a claim of who
they are. However, their claim may or may not be true. Before John Doe can be
granted access to protected information it will be necessary to verify that the person
claiming to be John Doe really is John Doe.

Authentication is the act of verifying a claim of identity. When John Doe goes into a
bank to make a withdrawal, he tells the bank teller he is John Doe (a claim of
identity). The bank teller asks to see a photo ID, so he hands the teller his driver’s
license. The bank teller checks the license to make sure it has John Doe printed on it
and compares the photograph on the license against the person claiming to be John
Doe. If the photo and name match the person, then the teller has authenticated that
John Doe is who he claimed to be.

There are three different types of information that can be used for authentication:
something you know, something you have, or something you are. Examples of
something you know include such things as a PIN, a password, or your mother’s
maiden name. Examples of something you have include a driver’s license or a
magnetic swipe card. Something you are refers to biometrics. Examples of biometrics
include palm prints, finger prints, voice prints and retina (eye) scans. Strong
authentication requires providing information from two of the three different types of
authentication information, for example something you know plus something you
have. This is called two-factor authentication.

On computer systems in use today, the Username is the most common form of
identification and the Password is the most common form of authentication.
Usernames and passwords have served their purpose but in our modern world they are
no longer adequate. Usernames and passwords are slowly being replaced with more
sophisticated authentication mechanisms.

After a person, program or computer has successfully been identified and
authenticated then it must be determined what informational resources they are
permitted to access and what actions they will be allowed to perform (run, view,
create, delete, or change). This is called authorization.

Authorization to access information and other computing services begins with
administrative policies and procedures. The policies prescribe what information and
computing services can be accessed, by whom, and under what conditions. The access
control mechanisms are then configured to enforce these policies.

Different computing systems are equipped with different kinds of access control
mechanisms – some may even offer a choice of different access control mechanisms.
The access control mechanism a system offers will be based upon one of three
approaches to access control or it may be derived from a combination of the three
approaches.

The non-discretionary approach consolidates all access control under a centralized
administration. Access to information and other resources is usually based on the
individual’s function (role) in the organization or the tasks the individual must
perform. The discretionary approach gives the creator or owner of the information
resource the ability to control access to those resources. In the mandatory access
control approach, access is granted or denied based upon the security classification
assigned to the information resource.

Examples of common access control mechanisms in use today include Role-based
access control available in many advanced Database Management Systems, simple
file permissions provided in the UNIX and Windows operating systems, Group Policy
Objects provided in Windows network systems, Kerberos, RADIUS, TACACS, and
the simple access lists used in many firewalls and routers.

To be effective, policies and other security controls must be enforceable and upheld.
Effective policies ensure that people are held accountable for their actions. All failed
and successful authentication attempts must be logged, and all access to information
must leave some type of audit trail.
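The chain identification, authentication, authorization and audit trail described in this section can be modelled end to end in a few dozen lines. The following is an added example, not code from the report: a username identifies, a salted PBKDF2 password hash authenticates, and each access request is decided under one of the three approaches named above (role-based for the non-discretionary approach, an owner-managed ACL for the discretionary one, and a clearance-versus-classification check for the mandatory one). Every attempt, successful or not, is appended to an audit trail. All accounts, roles, labels and resources are constructed.

```python
"""Identification, authentication and three authorization approaches (added example).

A username identifies, a PBKDF2-hashed password authenticates, and each access
request is decided by one of three policies: role-based (non-discretionary),
owner-managed ACL (discretionary) or classification label (mandatory). Every
authentication attempt and access decision is appended to an audit trail.
All accounts, roles, labels and resources are constructed for the demonstration.
"""
import hashlib
import hmac
import os

AUDIT_LOG: list = []        # audit trail: all attempts, successful or not
PBKDF2_ROUNDS = 100_000


# --- identification and authentication -----------------------------------------
def make_password_record(password: str) -> tuple:
    """Store a random salt and the PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


USERS = {"jdoe": make_password_record("correct horse"),     # constructed accounts
         "admin1": make_password_record("batt3ry staple")}


def authenticate(username: str, password: str) -> bool:
    """Verify the claim of identity; log the outcome either way."""
    record = USERS.get(username)
    if record is None:
        AUDIT_LOG.append(f"AUTH FAIL user={username} reason=unknown-user")
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    ok = hmac.compare_digest(stored, candidate)   # constant-time comparison
    AUDIT_LOG.append(f"AUTH {'OK' if ok else 'FAIL'} user={username}")
    return ok


# --- non-discretionary: permissions follow the role, set by central administration --
ROLES = {"jdoe": {"clerk"}, "admin1": {"dba"}}
ROLE_PERMISSIONS = {
    "clerk": {("ledger", "view")},
    "dba": {("ledger", "view"), ("ledger", "change"), ("payroll", "view")},
}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMISSIONS[role] for role in ROLES.get(user, ()))


# --- discretionary: the owner of the resource decides who may do what -------------
ACLS = {"report.doc": {"owner": "jdoe", "grants": {"jdoe": {"view", "change"}}}}


def dac_grant(requester: str, resource: str, grantee: str, action: str) -> bool:
    """Only the owner may change an ACL entry."""
    if ACLS[resource]["owner"] != requester:
        return False
    ACLS[resource]["grants"].setdefault(grantee, set()).add(action)
    return True


def dac_allows(user: str, resource: str, action: str) -> bool:
    return action in ACLS.get(resource, {}).get("grants", {}).get(user, set())


# --- mandatory: classification of the resource versus clearance of the subject ----
LABELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
CLEARANCE = {"jdoe": "internal", "admin1": "confidential"}
CLASSIFICATION = {"ledger": "confidential", "payroll": "secret", "report.doc": "internal"}


def mac_allows(user: str, resource: str) -> bool:
    """'No read up': the subject's clearance must dominate the object's label."""
    return LABELS[CLEARANCE[user]] >= LABELS[CLASSIFICATION[resource]]


def access(user: str, resource: str, action: str, model: str) -> bool:
    """Authorization decision under the chosen model, recorded in the audit trail."""
    decision = {
        "rbac": lambda: rbac_allows(user, resource, action),
        "dac": lambda: dac_allows(user, resource, action),
        "mac": lambda: mac_allows(user, resource),
    }[model]()
    AUDIT_LOG.append(f"ACCESS {'ALLOW' if decision else 'DENY'} model={model} "
                     f"user={user} resource={resource} action={action}")
    return decision


if __name__ == "__main__":
    authenticate("jdoe", "correct horse")
    authenticate("jdoe", "wrong password")
    access("jdoe", "ledger", "change", "rbac")
    access("admin1", "payroll", "view", "mac")
    print("\n".join(AUDIT_LOG))
```

The mandatory model here only applies the read rule (a subject may view what its clearance dominates); real mandatory policies add rules for writing as well. The point of the shared `access()` entry is that the audit trail is written regardless of which model made the decision, which is what makes the policies enforceable after the fact.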

3.2.5 CRYPTOGRAPHY

Information security uses cryptography to transform usable information into a form
that renders it unusable by anyone other than an authorized user; this process is called
encryption. Information that has been encrypted (rendered unusable) can be
transformed back into its original usable form by an authorized user, who possesses
the cryptographic key, through the process of decryption. Cryptography is used in
information security to protect information from unauthorized or accidental disclosure
while the information is in transit (either electronically or physically) and while
information is in storage.

Cryptography provides information security with other useful applications as well,
including improved authentication methods, message digests, digital signatures, non-
repudiation, and encrypted network communications. Older, less secure applications
such as telnet and ftp are slowly being replaced with more secure applications such as
ssh that use encrypted network communications. Wireless communications can be
encrypted using protocols such as WPA/WPA2 or the older (and less secure) WEP.
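Two of the applications just listed, message digests and authentication of a message's origin, are easy to confuse. The following added example (not code from the report, standard library only) contrasts a plain SHA-256 digest, which detects accidental modification but can be recomputed by anyone who alters the message, with a keyed digest (HMAC-SHA256), which also shows that the message came from a holder of the shared key. The key and the payment message are constructed.

```python
"""Message digests versus keyed digests (added example, not from the report).

Shows the difference between a plain message digest, which detects accidental
change but can be recomputed by anyone, and a keyed digest (HMAC-SHA256), which
also establishes that the message came from a holder of the key. The message
and key below are constructed; the example uses only the Python standard library.
"""
import hashlib
import hmac
import os


def digest(message: bytes) -> str:
    """Plain SHA-256 digest: integrity check against accidental modification."""
    return hashlib.sha256(message).hexdigest()


def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: integrity plus authenticity for holders of the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def digest_matches(message: bytes, stored_digest: str) -> bool:
    return digest(message) == stored_digest


def keyed_digest_matches(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the position of the first mismatch through timing
    return hmac.compare_digest(keyed_digest(key, message), tag)


def scenario() -> dict:
    """Sender protects a payment instruction; an interceptor without the key alters it."""
    key = os.urandom(32)                       # shared between sender and receiver only
    original = b"PAY 100.00 TO ACCOUNT 42"     # constructed message
    altered = b"PAY 900.00 TO ACCOUNT 42"

    plain_tag = digest(original)               # what a digest-only scheme would send
    keyed_tag = keyed_digest(key, original)    # what an HMAC scheme would send

    # The interceptor can recompute a plain digest over the altered message, but can
    # only guess at the key when trying to recompute the keyed digest.
    attacker_plain_tag = digest(altered)
    attacker_keyed_tag = keyed_digest(b"guessed key", altered)

    return {
        "digest_detects_change": not digest_matches(altered, plain_tag),
        "digest_fooled_when_recomputed": digest_matches(altered, attacker_plain_tag),
        "hmac_rejects_altered_message": not keyed_digest_matches(key, altered, keyed_tag),
        "hmac_rejects_attacker_tag": not keyed_digest_matches(key, altered, attacker_keyed_tag),
        "hmac_accepts_genuine": keyed_digest_matches(key, original, keyed_tag),
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

All five checks come out true: the plain digest catches the change only as long as the digest itself travels over a channel the interceptor cannot also rewrite, while the keyed digest holds up as long as the key stays shared between the two parties. A digital signature extends the same idea with a private key, so that the receiver can verify with a public key and the sender cannot later repudiate the message; that needs an asymmetric library and is not shown here.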

3.3 DEFENSE IN DEPTH

Information security must protect information throughout the life span of the
information, from the initial creation of the information on through to the final
disposal of the information. The information must be protected while in motion and
while at rest. During its life time, information may pass through many different
information processing systems and through many different parts of information
processing systems. There are many different ways the information and information
systems can be threatened. To fully protect the information during its lifetime, each
component of the information processing system must have its own protection
mechanisms. The building up, layering on and overlapping of security measures is
called defense in depth. The strength of any system is no greater than its weakest link.
Using a defense in depth strategy, should one defensive measure fail there are other
defensive measures in place that continue to provide protection.

Recall the earlier discussion about administrative controls, logical controls, and
physical controls. The three types of controls can be used to form the basis upon
which to build a defense-in-depth strategy. With this approach, defense-in-depth can
be conceptualized as three distinct layers or planes laid one on top of the other.
Additional insight into defense-in-depth can be gained by thinking of it as forming
the layers of an onion, with data at the core of the onion, people as the outer layer of
the onion, and network security, host-based security and application security forming
the inner layers of the onion. Both perspectives are equally valid and each provides
valuable insight into the implementation of a good defense-in-depth strategy.

3.4 LAWS AND REGULATIONS

Below is a partial listing of European, United Kingdom, Canadian and USA
governmental laws and regulations that have, or will have, a significant effect on data
processing and information security. Important industry sector regulations have also
been included when they have a significant impact on information security.

• The UK Data Protection Act 1998 makes new provisions for the regulation of the
processing of information relating to individuals, including the obtaining,
holding, use or disclosure of such information. The European Union Data
Protection Directive (EUDPD) requires that all EU members must adopt
national regulations to standardize the protection of data privacy for citizens
throughout the EU.
• The Computer Misuse Act 1990 is an Act of the UK Parliament making
computer crime (e.g. cracking - sometimes incorrectly referred to as hacking)
a criminal offence. The Act has become a model upon which several other
countries including Canada and the Republic of Ireland have drawn inspiration
when subsequently drafting their own information security laws.
• The Family Educational Rights and Privacy Act (FERPA) is a USA Federal
law that protects the privacy of student education records. The law applies to
all schools that receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written permission
from the parent or eligible student in order to release any information from a
student's education record.
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
requires the adoption of national standards for electronic health care
transactions and national identifiers for providers, health insurance plans, and
employers. And, it requires health care providers, insurance providers and
employers to safeguard the security and privacy of health data.
• Gramm-Leach-Bliley Act of 1999 (GLBA), also known as the Financial
Services Modernization Act of 1999, protects the privacy and security of
private financial information that financial institutions collect, hold, and
process.
• Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly
traded companies to assess the effectiveness of their internal controls for
financial reporting in annual reports they submit at the end of each fiscal year.
Chief information officers are responsible for the security, accuracy and the
reliability of the systems that manage and report the financial data. The act
also requires publicly traded companies to engage independent auditors who
must attest to, and report on, the validity of their assessments.

CHAPTER 4

HOW CAN INFORMATION BE STOLEN?

A typical approach in an attack on an Internet-connected system is:

1. Network enumeration: Discovering information about the intended target.
2. Vulnerability analysis: Identifying potential ways of attack.
3. Exploitation: Attempting to compromise the system by employing the
vulnerabilities found through the vulnerability analysis.

In order to do so, there are several recurring tools of the trade and techniques used by
computer criminals and security experts.

4.1 SECURITY EXPLOIT

4.1.1 INTRODUCTION

A security exploit is a prepared application that takes advantage of a known
weakness. Common examples of security exploits are SQL injection, Cross Site
Scripting and Cross Site Request Forgery, which abuse security holes that may result
from substandard programming practice. Other exploits can be used through FTP,
HTTP, PHP, SSH, Telnet and some web pages. These are very common in
website/domain hacking.

4.1.2 EXPLANATION

An exploit (from the same word in the French language, meaning "achievement" or
"accomplishment") is a piece of software, a chunk of data, or a sequence of commands
that takes advantage of a bug, glitch or vulnerability in order to cause unintended or
unanticipated behavior to occur on computer software, hardware, or something
electronic (usually computerized). This frequently includes such things as gaining
control of a computer system or allowing privilege escalation or a denial of service
attack.

4.1.2.1 CLASSIFICATION

There are several methods of classifying exploits. The most common is by how the
exploit contacts the vulnerable software. A 'remote exploit' works over a network and
exploits the security vulnerability without any prior access to the vulnerable system.
A 'local exploit' requires prior access to the vulnerable system and usually increases
the privileges of the person running the exploit past those granted by the system
administrator. Exploits against client applications also exist, usually consisting of
modified servers that send an exploit if accessed with a client application. Exploits
against client applications may also require some interaction with the user and thus
may be used in combination with social engineering methods. This is the hacker's
way of getting into computers and websites to steal data.

Another classification is by the action against the vulnerable system: unauthorized data
access, arbitrary code execution, denial of service.

Many exploits are designed to provide super-user-level access to a computer system.
However, it is also possible to use several exploits, first to gain low-level access, then
to escalate privileges repeatedly until one reaches root.

Normally a single exploit can only take advantage of a specific software vulnerability.
Often, when an exploit is published, the vulnerability is fixed through a patch and the
exploit becomes obsolete for newer versions of the software. This is the reason why
some blackhat hackers do not publish their exploits but keep them private to
themselves or other crackers. Such exploits are referred to as 'zero day exploits', and
obtaining access to such exploits is the primary desire of unskilled attackers, often
nicknamed script kiddies.

4.1.2.2 TYPES

Exploits are commonly categorized and named by these criteria:

• The type of vulnerability they exploit (See the article on vulnerabilities for a
list)
• Whether they need to be run on the same machine as the program that has the
vulnerability (local) or can be run on one machine to attack a program running
on another machine (remote).
• The result of running the exploit (EoP, DoS, Spoofing, etc...)

4.1.2.3 PIVOTING

Pivoting refers to a method used by penetration testers that uses a compromised system
to attack other systems on the same network, avoiding restrictions such as firewall
configurations which may prohibit direct access to all machines. For example, an
attacker compromises a web server on a corporate network; the attacker can then use
the compromised web server to attack other systems on the network. These types of
attacks are often called multi-layered attacks. Pivoting is also known as island
hopping.

Pivoting can further be distinguished into proxy pivoting and VPN pivoting:

• Proxy pivoting generally describes the practice of channeling traffic through a
compromised target using a proxy payload on the machine and launching
attacks from this computer. This type of pivoting is restricted to certain TCP
and UDP ports that are supported by the proxy.
• VPN pivoting enables the attacker to create an encrypted layer 2 tunnel into
the compromised machine to route any network traffic through that target
machine, for example to run a vulnerability scan on the internal network
through the compromised machine, effectively giving the attacker full network
access as if she were behind the firewall.

Typically, the proxy or VPN applications enabling pivoting are executed on the target
computer as the payload (software) of an exploit.

4.2 VULNERABILITY SCANNER

4.2.1 INTRODUCTION

A vulnerability scanner is a tool used to quickly check computers on a network for
known weaknesses. Hackers also commonly use port scanners. These check to see
which ports on a specified computer are "open" or available to access the computer,
and sometimes will detect what program or service is listening on that port, and its
version number. (Note that firewalls defend computers from intruders by limiting
access to ports/machines both inbound and outbound, but can still be circumvented.)

4.2.2 EXPLANATION

A vulnerability scanner is a computer program designed to assess computers,
computer systems, networks or applications for weaknesses. There are a number of
types of vulnerability scanners available today, distinguished from one another by a
focus on particular targets. While functionality varies between different types of
vulnerability scanners, they share a common, core purpose of enumerating the
vulnerabilities present in one or more targets. Vulnerability scanners are a core
technology component of vulnerability management.

4.2.2.1 TYPES OF VULNERABILITY SCANNERS

• Port Scanner
• Network Enumerator
• Network Vulnerability Scanner
• Web Application Security Scanner
• Computer Worm

Friendly types of vulnerability scanners:

• CGI Scanner (usually restricted to banner checking; cgi scanners can find
vulnerable scripts but usually don't exploit them)

4.2.2.2 NETWORK RECONNAISSANCE

Part of the server log, showing attempts to find the administration page.
220.128.235.XXX - - [26/Aug/2010:03:00:09 +0200] "GET /db/db/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:09 +0200] "GET /db/myadmin/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:10 +0200] "GET /db/webadmin/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:10 +0200] "GET /db/dbweb/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:11 +0200] "GET /db/websql/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:11 +0200] "GET /db/webdb/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:13 +0200] "GET /db/dbadmin/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:13 +0200] "GET /db/db-admin/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:14 +0200] "GET /db/phpmyadmin2/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:14 +0200] "GET /db/phpMyAdmin2/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:15 +0200] "GET /db/phpMyAdmin-2/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:15 +0200] "GET /db/php-my-admin/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:17 +0200] "GET /db/phpMyAdmin-2.2.3/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:17 +0200] "GET /db/phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:18 +0200] "GET /db/phpMyAdmin-2.5.1/main.php HTTP/1.0" 404 - "-" "-"
220.128.235.XXX - - [26/Aug/2010:03:00:18 +0200] "GET /db/phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 - "-" "-"
(..)

A vulnerability scanner can be used to conduct network reconnaissance, which is
typically carried out by a remote attacker attempting to gain information or access to a
network on which it is not authorized or allowed. Network reconnaissance is
increasingly used to exploit network standards and automated communication
methods. The aim is to determine what types of computers are present, along with
additional information about those computers, such as the type and version of the
operating system. This information can be analyzed for known or recently discovered
vulnerabilities that can be exploited to gain access to secure networks and computers.
Network reconnaissance is possibly one of the most common applications of passive
data analysis. Early generation techniques, such as TCP/IP passive fingerprinting,
have accuracy issues that tend to make them ineffective. Today, numerous tools exist
to make reconnaissance easier and more effective.
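As an added defensive example that is not part of the original report, the following Python parses log lines in the combined format of the excerpt above and flags a source that produces a burst of 404 responses for many distinct paths, the signature of a scanner walking a list of admin-page names. The log lines are constructed (RFC 5737 documentation addresses), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample in Apache/NCSA combined format, modelled on the excerpt
# above; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2010:03:00:09 +0200] "GET /db/db/main.php HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [26/Aug/2010:03:00:09 +0200] "GET /db/myadmin/main.php HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [26/Aug/2010:03:00:10 +0200] "GET /db/webadmin/main.php HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [26/Aug/2010:03:00:10 +0200] "GET /db/dbweb/main.php HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [26/Aug/2010:03:00:11 +0200] "GET /db/websql/main.php HTTP/1.0" 404 - "-" "-"
203.0.113.7 - - [26/Aug/2010:03:00:13 +0200] "GET /db/phpmyadmin2/main.php HTTP/1.0" 404 - "-" "-"
198.51.100.4 - - [26/Aug/2010:03:00:12 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Aug/2010:03:00:14 +0200] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
198.51.100.4 - - [26/Aug/2010:03:05:00 +0200] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client - user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class Entry(NamedTuple):
    ip: str
    ts: datetime
    path: str
    status: int


def parse_log(text: str) -> List[Entry]:
    """Parse combined-format lines; lines that do not fit the format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(Entry(m["ip"], ts, m["path"], int(m["status"])))
    return entries


def max_burst(times: List[datetime], window_s: int) -> int:
    """Largest number of events from one source inside any window_s-second span."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


class Alert(NamedTuple):
    burst: int
    distinct_paths: int


def detect_scans(entries: List[Entry], threshold: int = 5,
                 window_s: int = 60) -> Dict[str, Alert]:
    """Flag sources whose 404s cluster in time AND spread over many paths.

    A legitimate client mistyping one URL produces a single miss; a scanner
    trying a list of candidate admin pages produces many misses for distinct
    paths within seconds. Both conditions must hold to raise an alert."""
    misses: Dict[str, List[datetime]] = defaultdict(list)
    paths: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.status == 404:
            misses[e.ip].append(e.ts)
            paths[e.ip].add(e.path)
    alerts: Dict[str, Alert] = {}
    for ip, times in misses.items():
        burst = max_burst(times, window_s)
        if burst >= threshold and len(paths[ip]) >= threshold:
            alerts[ip] = Alert(burst, len(paths[ip]))
    return alerts
```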

4.3 PASSWORD CRACKING

4.3.1 INTRODUCTION

Password cracking is the process of recovering passwords from data that has been
stored in or transmitted by a computer system. A common approach is to repeatedly
try guesses for the password.

4.3.2 EXPLANATION

Password cracking is the process of recovering passwords from data that has been
stored in or transmitted by a computer system. A common approach is to repeatedly
try guesses for the password. The purpose of password cracking might be to help a
user recover a forgotten password (though installing an entirely new password is less
of a security risk, but involves system administration privileges), to gain unauthorized
access to a system, or as a preventive measure by system administrators to check for
easily crackable passwords. On a file-by-file basis, password cracking is utilized to
gain access to digital evidence for which a judge has allowed access but the particular
file's access is restricted.

4.3.2.1 PRINCIPAL ATTACK METHODS

4.3.2.1.1 WEAK ENCRYPTION

If a system uses a poorly designed password hashing scheme to protect stored


passwords, an attacker can exploit any weaknesses to recover even 'well-chosen'
passwords. One example is the LM hash that Microsoft Windows XP and previous
versions use by default to store user passwords of less than 15 characters in length.
LM hash converts the password into all uppercase letters then breaks the password
into two 7-character fields which are hashed separately—which allows each half to be
attacked individually.

Password encryption schemes that use stronger hash functions like MD5, SHA-512,
SHA-1, and RIPEMD-160 can still be vulnerable to brute-force and
precomputation attacks. Such attacks do not depend on reversing the hash function.
Instead, they work by hashing a large number of words or random permutations and
comparing the result of each guess to a user's stored password hash. Modern schemes
such as MD5-crypt and bcrypt use purposefully slow algorithms so that the number of
guesses that an attacker can make in a given period of time is relatively low. Salting,
described below, greatly increases the difficulty of such precomputation attacks,
perhaps sufficiently to resist all attacks; every instance of its use must be evaluated
independently, however.

Because progress in analyzing existing cryptographic hash algorithms is always
possible, a hash which is effectively invulnerable today may become vulnerable
tomorrow. Both MD5 and SHA-1, long thought secure, have been shown vulnerable
to attacks more efficient than brute force. For encryption algorithms (rather different
from cryptographic hashes) the same has been true. DES has been broken (in the sense
that attacks more efficient than brute force have been discovered), and computers have
become fast enough that its short key (56 bits) is clearly and publicly insecure against
even brute force attacks. Passwords protected by these measures will
become vulnerable, and passwords still in use thereby exposed. Historical records are
not always and forever irrelevant to today's security problems.

4.3.2.1.2 GUESSING, DICTIONARY AND BRUTE FORCE ATTACKS

The distinction between guessing, dictionary and brute force attacks is not strict. They
are similar in that an attacker goes through a list of candidate passwords one by one;
the list may be explicitly enumerated or implicitly defined, can incorporate knowledge
about the victim, and can be linguistically derived. Each of the three approaches,
particularly 'dictionary attack', is frequently used as an umbrella term to denote all
three attacks and the spectrum of attacks encompassed by them.

4.3.2.1.2.1 GUESSING

Passwords can sometimes be guessed by humans with knowledge of the user's
personal information. Examples of guessable passwords include:

• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
• the user's name or login name
• the name of a significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's, or a relative's
• their automobile license plate number, or a friend's, or a relative's
• their office number, residence number or most commonly, their mobile
number.
• a name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit,
particularly 1, or reversing the order of the letters.
• a swear or curse word

Personal data about individuals are now available from various sources, many on-line.
Attackers who know the user may have information as well. For example, if a user
chooses the password "YaleLaw78" because he graduated from Yale Law School in
1978, a disgruntled business partner might be able to guess the password.

Guessing is particularly effective with systems that employ self-service password
reset. For example, in September 2008, the Yahoo e-mail account of Governor of
Alaska and Vice President of the United States nominee Sarah Palin was accessed
without authorization by someone who was able to research answers to two of her
security questions (her zip code and date of birth) and was able to guess the third,
where she met her husband.

4.3.2.1.2.2 DICTIONARY ATTACKS

Users often choose weak passwords. Examples of insecure choices include the above
list, plus single words found in dictionaries, given and family names, any too-short
password (usually thought to be 6 or 7 characters or less), or any password meeting a
too restrictive, and so predictable, pattern (e.g., alternating vowels and consonants).
Repeated research over some 40 years has demonstrated that around 40% of user-
chosen passwords are readily guessable by sophisticated cracking programs armed
with dictionaries and, perhaps, the user's personal information.

In one survey of MySpace passwords obtained by phishing, 3.8 percent of those
passwords were a single word findable in a dictionary, and another 12 percent were a
word plus a final digit; two-thirds of the time that digit was 1.

Some users neglect to change the default password that came with their computer
system account. And some administrators neglect to change default account
passwords provided by the operating system vendor or hardware supplier. An
infamous example is the use of FieldService as a user name with Guest as the
password. If not changed at system configuration time, anyone familiar with such
systems will have 'cracked' an important password; such service accounts often have
higher access privileges than do normal user accounts. Lists of default passwords
are available on the Internet. Gary McKinnon, accused by the United States of
perpetrating the "biggest military computer hack of all time", has claimed that he was
able to get into the military's networks simply by using a Perl script that searched for
blank passwords; in other words his report suggests that there were computers on
these networks with no passwords at all.

Cracking programs exist which accept personal information about the user being
attacked and generate common variations for passwords suggested by that
information.

4.3.2.1.2.3 BRUTE FORCE ATTACKS

A last resort is to try every possible password, known as a brute force attack. In
theory, if there is no limit to the number of attempts, a brute force attack will always
be successful since the rules for acceptable passwords must be publicly known; but as
the length of the password increases, so does the number of possible passwords. This
method is unlikely to be practical unless the password is relatively short; however
techniques using parallel processing can reduce the time to find the password in
inverse proportion to the number of computer devices (CPUs) in use. This depends
heavily on whether the prospective attacker has access to the hash of the password as
well as the hashing algorithm, in which case the attack is called an offline attack (it
can be done without connection to the protected resource) or not, in which case it is
called an online attack. An offline attack is generally much easier, because testing a
password is reduced to a mathematical computation of the hash of the password to be
tried and comparison with the hash of the real password. In an online attack the
attacker has to try to authenticate himself with all the possible passwords, and rules
and delays can be imposed by the system and the attempts can be logged.

A common password length recommendation is eight or more randomly chosen
characters combining letters, numbers, and special characters (punctuation, etc.). This
recommendation makes sense for systems using stronger password hashing
mechanisms such as md5-crypt and the Blowfish-based bcrypt, but is inappropriate
for many Microsoft Windows systems because they store a legacy LAN Manager
hash which splits the password into two seven character halves. On these systems, an
eight character password is converted into a seven character password and a one
character password. For better security, LAN Manager password storage should be
disabled if it will not break supported legacy systems. Systems which limit passwords
to numeric characters only, or upper case only, or generally those which limit the
range of possible password character choices, also make brute force attacks easier.
Using longer passwords in these cases (if possible) can compensate for the limited
allowable character set. Of course, even with an adequate range of character choice,
users who limit themselves to an obvious subset of the available characters (e.g., use
only upper case alphabetic characters, or only digits) make brute force attacks against
their accounts much easier.

Generic brute-force search techniques are often successful, but smart brute-force
techniques, which exploit knowledge about how people tend to choose passwords,
pose an even greater threat. NIST SP 800-63 (2) provides further discussion of
password quality, and suggests, for example, that an 8 character user-chosen
password may provide somewhere between 18 and 30 bits of entropy (randomness),
depending on how it is chosen. For example 24 binary digits of randomness is
equivalent to 3 randomly chosen bytes, or approximately 5 random characters if they
are restricted to upper case alphabetic characters, or 2 words selected from a 4000
word vocabulary. This amount of entropy is far less than what is generally considered
safe for an encryption key.

How small is too small for offline attacks thus depends partly on an attacker's
ingenuity and resources (e.g. available time and computing power). The second of
these will increase as computers get faster. Most commonly used hashes can be
implemented using specialized hardware, allowing faster attacks. Large numbers of
computers can be harnessed in parallel, each trying a separate portion of the search
space. Unused overnight and weekend time on office computers can also be used for
this purpose.

4.3.2.1.3 PRECOMPUTATION

In its most basic form, precomputation involves hashing each word in the dictionary
(or any search space of candidate passwords) and storing the word and its computed
hash in a way that enables lookup on the list of computed hashes. This way, when a
new encrypted password is obtained, password recovery is instantaneous.
Precomputation can be very useful for a dictionary attack if salt is not used properly
(see below), and the dramatic decrease in the cost of mass storage has made it
practical for fairly large dictionaries.

Advanced precomputation methods exist that are even more effective. By applying a
time-memory tradeoff, a middle ground can be reached: a search space of size N can
be turned into an encrypted database of size O(N^(2/3)) in which searching for an
encrypted password takes time O(N^(2/3)). The theory has recently been refined into a
practical technique. Another example cracks alphanumeric Windows LAN Manager
passwords in a few seconds. This is much faster than brute force attacks on the
obsolete LAN Manager, which uses a particularly weak method of hashing the
password. Windows systems prior to Windows Vista/Server 2008 compute and store a
LAN Manager hash by default for backwards compatibility.

A technique similar to precomputation, known generically as memoization, can be
used to crack multiple passwords at the cost of cracking just one. Since encrypting a
word takes much longer than comparing it with a stored word, a lot of effort is saved
by encrypting each word only once and comparing it with each of the encrypted
passwords using an efficient list search algorithm. The two approaches may of course
be combined: the time-space tradeoff attack can be modified to crack multiple
passwords simultaneously in a shorter time than cracking them one after the other.

4.3.2.1.4 SALTING

The benefits of precomputation and memoization can be nullified by randomizing the
hashing process. This is known as salting. When the user sets a password, a short,
random string called the salt is suffixed to the password before encrypting it; the salt
is stored along with the encrypted password so that it can be used during verification.
Since the salt is usually different for each user, the attacker can no longer construct
tables with a single encrypted version of each candidate password. Early UNIX
systems used a 12-bit salt. Attackers could still build tables with common passwords
encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough,
there are too many possibilities and the attacker must repeat the encryption of every
guess for each user. Modern methods such as md5-crypt and bcrypt use salts of 48
and 128 bits respectively.
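The following Python is an added example (not the report's own code) serving both the precomputation/memoization section and this one: it runs the same dictionary against an unsalted and a salted password file and counts the hash computations each costs. The wordlist, users and passwords are constructed, and SHA-256 stands in for the password hash; the counting argument is the same for md5-crypt, bcrypt or any other one-way function.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed attacker wordlist (stands in for a real dictionary).
WORDLIST: List[str] = ["password", "letmein", "qwerty", "dragon1",
                       "YaleLaw78", "admin", "summer2010", "asdf"]

# Constructed demo users; dave's password is deliberately absent from the wordlist.
USERS: Dict[str, str] = {"alice": "letmein", "bob": "YaleLaw78",
                         "carol": "dragon1", "dave": "Tr0ub4dor&3"}


def unsalted_hash(password: str) -> str:
    """Legacy scheme: the digest depends on the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: the salt is suffixed to the password before hashing,
    as the section describes, and stored beside the digest."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def crack_unsalted(stored: Dict[str, str],
                   wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Memoized attack on an unsalted file {user: digest}.

    Each word is hashed exactly once and then matched against every stored
    digest by dictionary lookup, so the cost is N hashes however many users
    there are (and the table could have been precomputed in advance).
    Returns (cracked {user: password}, hashes computed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {u: table[d] for u, d in stored.items() if d in table}
    return cracked, len(wordlist)


def crack_salted(stored: Dict[str, Tuple[bytes, str]],
                 wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on a salted file {user: (salt, digest)}.

    No shared table is possible: each guess must be re-hashed with every
    user's own salt, so the cost grows to (up to) K * N hashes."""
    cracked: Dict[str, str] = {}
    hashes = 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            hashes += 1
            if salted_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, hashes


def compare_cost() -> Tuple[int, int, int, int]:
    """Build both kinds of password file for USERS and run both attacks.
    Returns (unsalted hashes, salted hashes, unsalted cracked, salted cracked)."""
    unsalted_file = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_file: Dict[str, Tuple[bytes, str]] = {}
    for u, p in USERS.items():
        salt = os.urandom(16)  # 128-bit random salt per user, bcrypt's size
        salted_file[u] = (salt, salted_hash(p, salt))
    c1, h1 = crack_unsalted(unsalted_file, WORDLIST)
    c2, h2 = crack_salted(salted_file, WORDLIST)
    return h1, h2, len(c1), len(c2)
```

Both attacks recover the same three weak passwords, but the salted file costs 19 hash computations against 8 for the unsalted one, and the gap widens linearly with the number of users.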

4.3.2.1.5 EARLY UNIX PASSWORD VULNERABILITY

Early UNIX implementations limited passwords to 8 characters and used a 12-bit salt,
which allowed for 4096 possible salt values. While 12 bits was conventionally
considered good enough for most purposes in the 1970s, by 2005 disk storage had
become cheap enough that an attacker could precompute the hashes of millions of
common passwords, including all 4096 possible salt variations for each password, and
store the precomputed values on a single portable hard drive. An attacker with a larger
budget can build a disk farm with all 6 character passwords and the most common 7
and 8 character passwords stored in encrypted form, for all 4096 possible salts. And
when several thousand passwords are being cracked at once, memoization still offers
some benefit. Since there is little downside to using a longer salt, and because longer
salts render any precomputation or memoization hopeless, modern implementations
choose to do so.

4.3.2.2 PREVENTION

The best method of preventing password cracking is to ensure that attackers cannot
get access even to the encrypted password. For example, on the UNIX operating
system, encrypted passwords were originally stored in a publicly accessible file
/etc/passwd. On modern Unix (and similar) systems, on the other hand, they are
stored in the file /etc/shadow, which is accessible only to programs running with
enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user
to obtain the encrypted passwords in the first instance. Unfortunately, many common
network protocols transmit passwords in cleartext or use weak challenge/response
schemes.

Modern UNIX systems have replaced traditional DES-based password hashing with
stronger methods based on MD5 and Blowfish. Other systems have also begun to
adopt these methods. For instance, the Cisco IOS originally used a reversible
Vigenere cipher to encrypt passwords, but now uses md5-crypt with a 24-bit salt
when the "enable secret" command is used. These newer methods use large salt values
which prevent attackers from efficiently mounting offline attacks against multiple
user accounts simultaneously. The algorithms are also much slower to execute which
drastically increases the time required to mount a successful offline attack.

Solutions such as a security token, which presents a constantly changing password,
sharply reduce the timeframe for brute forcing (the attacker needs to break and use
the password within a single shift) and reduce the value of a stolen password because
of its short validity.

4.3.2.3 SOFTWARE

There are many password cracking software tools, but the most popular are Cain and
Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many litigation support
software packages also include password cracking functionality. Most of these
packages employ a mixture of cracking strategies, with brute force and dictionary
attacks proving to be the most productive.

4.4 PACKET SNIFFER

4.4.1 INTRODUCTION

A packet sniffer is an application that captures data packets, which can be used to
capture passwords and other data in transit over the network.

4.4.2 EXPLANATION

A packet analyzer (also known as a network analyzer, protocol analyzer or sniffer
or for particular types of networks, an Ethernet sniffer or wireless sniffer) is a
computer program or a piece of computer hardware that can intercept and log traffic
passing over a digital network or part of a network. As data streams flow across the
network, the sniffer captures each packet and, if needed, decodes and analyzes its
content according to the appropriate RFC or other specifications.

4.4.2.1 CAPABILITIES

On wired broadcast LANs, depending on the network structure (hub or switch), one
can capture traffic on all or just parts of the network from a single machine within the
network; however, there are some methods to avoid traffic narrowing by switches to
gain access to traffic from other systems on the network (e.g. ARP spoofing). For
network monitoring purposes it may also be desirable to monitor all data packets in a
LAN by using a network switch with a so-called monitoring port, whose purpose is to
mirror all packets passing through all ports of the switch when systems (computers)
are connected to a switch port.

On wireless LANs, one can capture traffic on a particular channel.

On wired broadcast and wireless LANs, to capture traffic other than unicast traffic
sent to the machine running the sniffer software, multicast traffic sent to a multicast
group to which that machine is listening, and broadcast traffic, the network adapter
being used to capture the traffic must be put into promiscuous mode; some sniffers
support this, others don't. On wireless LANs, even if the adapter is in promiscuous
mode, packets not for the service set for which the adapter is configured will usually
be ignored. To see those packets, the adapter must be in monitor mode.
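As an added example (not from the original report) of the receive filter just described, the following Python decodes constructed Ethernet II frames and applies the wired-adapter rule with and without promiscuous mode; the MAC addresses are made up, and the wireless monitor-mode case is not modelled.

```python
import struct
from typing import List, NamedTuple, Set

BROADCAST = bytes.fromhex("ffffffffffff")


class Frame(NamedTuple):
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def parse_ethernet(raw: bytes) -> Frame:
    """Decode an Ethernet II header: 6-byte destination, 6-byte source, 2-byte type."""
    if len(raw) < 14:
        raise ValueError("truncated frame")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    return Frame(dst, src, ethertype, raw[14:])


def is_multicast(mac: bytes) -> bool:
    """Group address: the I/G bit (lowest bit of the first octet) is set.
    Broadcast has it set too, so it is handled separately."""
    return bool(mac[0] & 0x01) and mac != BROADCAST


def adapter_accepts(frame: Frame, own_mac: bytes, joined_groups: Set[bytes],
                    promiscuous: bool) -> bool:
    """Model of the wired NIC receive filter described in the section.

    Without promiscuous mode only unicast to this host, broadcast, and multicast
    for groups the host has joined reach the sniffer; promiscuous mode passes
    every frame the segment delivers (all of them on a hub or a mirror port)."""
    if promiscuous:
        return True
    if frame.dst == own_mac or frame.dst == BROADCAST:
        return True
    return is_multicast(frame.dst) and frame.dst in joined_groups


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"") -> bytes:
    """Assemble a raw frame (constructed test input, not a real capture)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed MAC addresses (locally administered 02:... prefix).
OWN = bytes.fromhex("02000000aa01")    # the sniffing host
OTHER = bytes.fromhex("02000000aa02")  # another host on the segment
PEER = bytes.fromhex("02000000aa03")   # sender of every frame below
MDNS = bytes.fromhex("01005e0000fb")   # multicast MAC for 224.0.0.251
OSPF = bytes.fromhex("01005e000005")   # multicast MAC for 224.0.0.5

CAPTURE: List[bytes] = [
    build_frame(OWN, PEER, payload=b"to us"),
    build_frame(OTHER, PEER, payload=b"to another host"),
    build_frame(BROADCAST, PEER, ethertype=0x0806, payload=b"ARP who-has"),
    build_frame(MDNS, PEER, payload=b"joined group"),
    build_frame(OSPF, PEER, payload=b"group not joined"),
]


def visible_frames(raw_frames: List[bytes], own_mac: bytes,
                   joined_groups: Set[bytes], promiscuous: bool) -> List[Frame]:
    """Frames the sniffer actually gets to decode under the given filter."""
    frames = [parse_ethernet(r) for r in raw_frames]
    return [f for f in frames
            if adapter_accepts(f, own_mac, joined_groups, promiscuous)]
```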

The captured information is decoded from raw digital form into a human-readable
format that permits users of the protocol analyzer to easily review the exchanged
information. Protocol analyzers vary in their abilities to display data in multiple
views, automatically detect errors, determine the root causes of errors, generate timing
diagrams, etc.

Some protocol analyzers can also generate traffic and thus act as the reference device;
these can act as protocol testers. Such testers generate protocol-correct traffic for
functional testing, and may also have the ability to deliberately introduce errors to test
for the DUT's ability to deal with error conditions.
4.4.2.2 USES

The versatility of packet sniffers means they can be used to:

• Analyze network problems
• Detect network intrusion attempts
• Detect network misuse by internal and external users
• Documenting regulatory compliance through logging all perimeter and
endpoint traffic
• Gain information for effecting a network intrusion
• Isolate exploited systems
• Monitor WAN bandwidth utilization
• Monitor network usage (including internal and external users and systems)
• Monitor data-in-motion
• Monitor WAN and endpoint security status
• Gather and report network statistics
• Filter suspect content from network traffic
• Serve as primary data source for day-to-day network monitoring and
management
• Spy on other network users and collect sensitive information such as
passwords (depending on any content encryption methods which may be in
use)
• Reverse engineer proprietary protocols used over the network
• Debug client/server communications
• Debug network protocol implementations
• Verify adds, moves and changes
• Verify internal control system effectiveness (firewalls, access control, Web
filter, Spam filter, proxy)

4.4.2.3 NOTABLE FREE PACKET ANALYZERS

• Capsa Free
• Cain and Abel
• dSniff
• ettercap
• Microsoft Network Monitor
• ngrep Network Grep
• snoop
• tcpdump
• Wireshark (formerly known as Ethereal)

4.4.2.4 NOTABLE COMMERCIAL PACKET ANALYZERS

• Capsa Enterprise
• Carnivore
• Clarified Analyzer
• Congruity Inspector Software
• Fluke Lanmeter
• NetScout Sniffer Global Analyzer
• NetScout Sniffer Portable Professional Analyzer

• Network Instruments Observer
• Niksun NetDetector
• OPNET Technologies ACE Analyst
• SkyGrabber
• WildPackets OmniPeek (formerly AiroPeek, EtherPeek)

4.5 SPOOFING ATTACK

4.5.1 INTRODUCTION

A spoofing attack involves one program, system, or website successfully
masquerading as another by falsifying data and thereby being treated as a trusted
system by a user or another program. The purpose of this is usually to fool programs,
systems, or users into revealing confidential information, such as user names and
passwords, to the attacker.

4.5.2 EXPLANATION

In the context of network security, a spoofing attack is a situation in which one
person or program successfully masquerades as another by falsifying data and thereby
gaining an illegitimate advantage.

4.5.2.1 MAN-IN-THE-MIDDLE ATTACK AND INTERNET PROTOCOL SPOOFING

An example from cryptography is the man-in-the-middle attack, in which an attacker
spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the
attacker is Alice, thus gaining access to all messages in both directions without the
trouble of any cryptanalytic effort.

The attacker must monitor the packets sent from Alice to Bob and then guess the
sequence number of the packets. Then the attacker knocks out Alice with a SYN
attack and injects his own packets, claiming to have the address of Alice. Alice's
firewall can defend against some spoof attacks when it has been configured with
knowledge of all the IP addresses connected to each of its interfaces. It can then detect
a spoofed packet if it arrives at an interface that is not known to be connected to the IP
address.
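The interface-based anti-spoofing check described above, as an added Python example that is not part of the original report: the firewall keeps a table of which address ranges sit behind each interface and rejects a packet whose source address does not belong to the interface it arrived on. The interface names, prefixes and addresses are constructed (RFC 1918 and RFC 5737 ranges).

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed interface table: the address ranges known to be connected to each
# firewall interface. An interface with no listed prefixes is the outside
# (Internet-facing) one, where any source not claimed elsewhere may appear.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "lan0": ["192.168.10.0/24", "192.168.11.0/24"],
    "dmz0": ["10.50.0.0/16"],
    "wan0": [],
}


class Verdict(NamedTuple):
    accept: bool
    reason: str


def build_table(cfg: Dict[str, List[str]]) -> Dict[str, List[Network]]:
    """Parse the prefix strings once so each check is a cheap containment test."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in cfg.items()}


def known_interface(src: str, table: Dict[str, List[Network]]) -> Optional[str]:
    """The interface the source address is known to be connected to, if any."""
    ip = ipaddress.ip_address(src)
    for iface, nets in table.items():
        if any(ip in net for net in nets):
            return iface
    return None


def check_packet(src: str, arrived_on: str,
                 table: Dict[str, List[Network]]) -> Verdict:
    """Accept only when the source address is consistent with the arrival interface."""
    if arrived_on not in table:
        return Verdict(False, f"unknown interface {arrived_on}")
    expected = known_interface(src, table)
    if expected is None:
        # Not one of our inside ranges: legitimate only on the outside interface.
        if table[arrived_on]:
            return Verdict(False, f"spoofed: {src} is not a {arrived_on} address")
        return Verdict(True, f"outside source {src} on outside interface {arrived_on}")
    if expected == arrived_on:
        return Verdict(True, f"{src} belongs to {arrived_on}")
    # Classic case: an inside address arriving from the wrong side.
    return Verdict(False, f"spoofed: {src} belongs to {expected} but arrived on {arrived_on}")


TABLE = build_table(INTERFACE_PREFIXES)
```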

Many carelessly designed protocols are subject to spoof attacks, including many of
those used on the Internet.

4.5.2.2 URL SPOOFING AND PHISHING

Another kind of spoofing is "webpage spoofing," also known as phishing. In this
attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on
another server under control of the attacker. The main intent is to fool the users into
thinking that they are connected to a trusted site, for instance to harvest usernames
and passwords.

This attack is often performed with the aid of URL spoofing, which exploits web
browser bugs in order to display incorrect URLs in the browser's location bar; or with
DNS cache poisoning in order to direct the user away from the legitimate site and to
the fake one. Once the user puts in their password, the attack-code reports a password
error, and then redirects the user back to the legitimate site.

4.5.2.3 REFERRER SPOOFING

Some websites, especially pornographic paysites, allow access to their materials only
from certain approved (login-) pages. This is enforced by checking the referrer header
of the HTTP request. This referrer header however can be changed (known as
"referrer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access
to the materials.

4.5.2.4 POISONING OF FILE-SHARING NETWORKS

"Spoofing" can also refer to copyright holders placing distorted or unlistenable
versions of works on file-sharing networks, to discourage downloading from these
sources.

4.5.2.5 CALLER ID SPOOFING

In public telephone networks, it has for a long while been possible to find out who is
calling you by looking at the Caller ID information that is transmitted with the call.
There are technologies that transmit this information on landlines, on cellphones and
also with VoIP. Unfortunately, there are now technologies (especially associated with
VoIP) that allow callers to lie about their identity, and present false names and
numbers, which could of course be used as a tool to defraud or harass. Because there
are services and gateways that interconnect VoIP with other public phone networks,
these false Caller IDs can be transmitted to any phone on the planet, which makes the
whole Caller ID information now next to useless. Due to the distributed geographic
nature of the Internet, VoIP calls can be generated in a different country to the
receiver, which means that it is very difficult to have a legal framework to control
those who would use fake Caller IDs as part of a scam.

4.5.2.6 E-MAIL ADDRESS SPOOFING

The sender information shown in e-mails (the "From" field) can be spoofed easily.
This technique is commonly used by spammers to hide the origin of their e-mails and
leads to problems such as misdirected bounces (i.e. e-mail spam backscatter).

E-mail address spoofing is done in quite the same way as writing a forged return
address using snail mail. As long as the letter fits the protocol (i.e., stamp, postal
code), the SMTP protocol will send the message. It can be done using a mail server
with telnet.

4.6 ROOTKIT

4.6.1 INTRODUCTION

A rootkit is designed to conceal the compromise of a computer's security, and can
represent any of a set of programs which work to subvert control of an operating
system from its legitimate operators. Usually, a rootkit will obscure its installation and
attempt to prevent its removal through a subversion of standard system security.
Rootkits may include replacements for system binaries so that it becomes impossible
for the legitimate user to detect the presence of the intruder on the system by looking
at process tables.

4.6.2 EXPLANATION

A rootkit is software that enables continued privileged access to a computer, while
actively hiding its presence from administrators by subverting standard operating
system functionality or other applications. Typically, an attacker installs a rootkit on a
computer after first obtaining root-level access, either by exploiting a known
vulnerability or cracking a password. Once a rootkit is installed, it allows an attacker
to mask the active intrusion and to gain privileged access to a computer by
circumventing normal authentication and authorization mechanisms. Although
rootkits can serve a variety of ends, they have gained notoriety primarily as malware,
hiding applications that appropriate computing resources or steal passwords without
the knowledge of administrators and users of affected systems. Rootkits can target
firmware, a hypervisor, the kernel or, most commonly, user-mode applications.

The term rootkit is a concatenation of the “root” user account in UNIX operating
systems and the word "kit", which refers to the software components that implement
the tool. The term has negative connotations through its association with malware.

4.6.2.1 HISTORY

Screenshot of RootkitRevealer, showing the files hidden by the Extended Copy
Protection rootkit.

The very first documented computer virus to target the PC platform, in 1986, used
cloaking techniques to hide itself; the Brain virus intercepted attempts to read the boot
sector, and redirected these to elsewhere on the disk where a copy of the original boot
sector was kept. Over time, DOS cloaking methods became more sophisticated, with
advanced techniques including the hooking of interrupt 13 API calls in order to hide
modifications to files.

The term rootkit or root kit originally referred to a maliciously modified set of
administrative tools for a UNIX-like operating system, which granted "root" access. If
an intruder could replace the standard administrative tools on a system with a rootkit,
the intruder could obtain root access over the system whilst simultaneously
concealing these activities from the legitimate system administrator. These early
rootkits were trivial to detect by using uncompromised tools to access the same
information. Lane Davis and Steven Dake appear to have written the earliest known
rootkit in 1990 for Sun OS 4.1.1. An earlier exploit equivalent to a rootkit was
perpetrated by Ken Thompson of Bell Labs against a naval laboratory in California to
settle a wager. To achieve this, Thompson subverted the C compiler in a UNIX
distribution and discussed the exploit in the lecture he gave upon receiving the Turing
award in 1983.

The first malicious rootkit for the Windows NT operating system appeared in 1999
with a Trojan called NTRootkit created by Greg Hoglund, followed by
HackerDefender in 2003.

In 2005, Sony BMG included a rootkit program called Extended Copy Protection
(XCP) – created by First 4 Internet – on many of its music CDs, in an attempt to
enforce DRM. Sony BMG at that time included an application on some of their CDs
that ostensibly played music CDs, but that silently installed a rootkit without
informing the user or requesting permission. In addition to the intentional
unauthorized modifications made to the target computer, the Sony BMG rootkit
would automatically hide any file whose name started with "$sys$". Malware soon
appeared that started to take advantage of the free cloaking provided by the Sony
BMG rootkit, in order to hide from antivirus software. Noted software engineer
and architect Mark Russinovich created a tool called RootkitRevealer, with which he
was able to discover Sony BMG's rootkit. Russinovich published this information in
his blog, consequently leading to a highly publicized scandal that subsequently raised
the public's awareness of rootkits. The public relations fallout for Sony BMG was
compared by one analyst to the Tylenol scare. In light of adverse publicity, Sony
BMG released patches to remedy the breaches, but initial attempts failed to remove
the flow-on security vulnerabilities that the rootkit had either created or that were
indirectly attributable to it. A resultant class action lawsuit was eventually brought
against Sony BMG in the United States.

4.6.2.2 USES

Modern rootkits for the Windows platform do not elevate access, but rather are used
to make some other software payload undetectable by adding stealth capabilities.
Most rootkits are classified as malware because the payloads they are bundled with
are malicious, for example to covertly steal user passwords, credit card information,
computing resources, or to conduct other unauthorized activities. A small number are
legitimate utility applications—an example of the latter is a rootkit that provides CD-
ROM emulation capability allowing video game users to defeat anti-piracy features
that require the original installation media.

Rootkits and their payloads have many uses, mostly nefarious:

• Provide an attacker with full access via a back door so the attacker can, for
example, steal or falsify documents. One of the ways to carry this out is to
subvert the login mechanism (such as the /bin/login program on UNIX-like
systems or GINA on Windows). The replacement appears to function as
normal, but also accepts a secret login combination that allows an attacker direct
access with administrative privileges to a system, bypassing standard
authentication and authorization mechanisms.
• Conceal other malware, notably password-stealing key loggers and computer
viruses.
• Conceal cheating in online games from software like Warden.
• Appropriate the compromised machine as a zombie computer for attacks on
other computers. (The attack originates from the compromised system (or
network) instead of the attacker's.) "Zombie" computers are typically members
of large botnets that can launch denial-of-service attacks and distribute e-mail
spam.
• Detect attacks, for example in a honeypot.
• Enhance emulation software and security software. Alcohol 120% and
Daemon Tools are commercial examples of non-hostile rootkits that are used
to defeat copy-protection mechanisms such as SafeDisc and SecuROM.
Kaspersky antivirus software also uses techniques resembling rootkits to
protect itself from malicious actions. It loads its own drivers to intercept
system activity and then prevents other processes from doing harm to itself. Its
processes are not hidden, but cannot be terminated by standard methods.
• Anti-theft protection.
• Enforcement of DRM.

4.6.2.3 TYPES

There are at least five types of rootkit, ranging from those at the lowest level in
firmware (with the highest privileges), through to the least privileged user-based
variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for
example, user mode and kernel mode.

4.6.2.3.1 USER-MODE

Figure: Computer security rings (note that Ring -1 is not shown)

User-mode rootkits run in Ring 3 as user rather than low-level system processes. They
have a number of possible installation vectors in order to intercept and modify the
standard behavior of APIs. Some inject a library (DLL) in other processes, and are
thereby able to execute inside any target process in order to spoof it; others with
sufficient privileges simply overwrite the memory of a target application. Injection
mechanisms include:

• Use of vendor-supplied application extensions. For example, Windows
Explorer has public interfaces that allow third parties to extend its
functionality.
• Interception of messages
• Debuggers
• Exploitation of security vulnerabilities
• Function hooking or patching of commonly used APIs, for example to mask a
running process or file that resides on a filesystem.

"...since user mode applications all run in their own memory space, the rootkit needs
to perform this patching in the memory space of every running application. In
addition, the rootkit needs to monitor the system for any new applications that execute
and patch those programs’ memory space before they fully execute."

4.6.2.3.2 KERNEL-MODE

Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by
adding additional code or replacing portions of the core operating system, including
both the kernel and associated device drivers. Most operating systems support kernel-
mode device drivers which execute with the same privileges as the operating system
itself. As such, many kernel mode rootkits are developed as device drivers or loadable
modules, such as loadable kernel modules in Linux or device drivers in Microsoft
Windows. This class of rootkit has unrestricted security access, but is more difficult to
write. The complexity makes bugs common, and any bugs in code operating at the
kernel level may seriously impact system stability, leading to discovery of a rootkit.
One of the first widely known kernel rootkits was developed for Windows NT 4.0 and
released in Phrack in the mid-1990s by Greg Hoglund.

Kernel rootkits can be especially difficult to detect and remove, because they operate
at the same security level as the operating system itself, and are thus able to intercept
or subvert operating system operations. Any software, such as antivirus software,
running on the compromised system is equally subvertible. In this situation no part of
the system can be trusted.

A rootkit can modify data structures in the kernel (direct kernel object modification);
it can hook kernel functions in the System Service Descriptor Table (SSDT) or
modify the gates between user mode and kernel mode in order to implement its
cloaking.

4.6.2.3.3 BOOT LOADER LEVEL (BOOTKIT)

A kernel-mode rootkit variant called a bootkit is used predominantly to attack full
disk encryption systems, for example as in the "Evil Maid Attack". The term bootkit
itself was coined by Indian security researchers (Nitin Kumar & Vipin Kumar) who
presented it at Blackhat Europe 2007. A bootkit replaces the legitimate boot loader
with one controlled by an attacker; typically the malware loader persists through the
transition to protected mode when the kernel has loaded. For example, the "Stoned
Bootkit" subverts the system by using a compromised boot loader to intercept
encryption keys and passwords. Apart from preventing unauthorized physical access
to machines (a particular problem for portable machines), a Trusted Platform Module,
configured to protect the boot path, is the only known defense against this attack.

4.6.2.3.4 HYPERVISOR LEVEL

Rootkits have been created as Type II Hypervisors in academia only as proofs of
concept. By exploiting hardware features such as Intel VT or AMD-V, this type of
rootkit runs in Ring -1 and hosts the target operating system as a virtual machine,
thereby enabling the rootkit to intercept all hardware calls made by the original
operating system. Unlike normal hypervisors, they do not have to load before the
operating system, but can load into an operating system before promoting it into a
virtual machine. A hypervisor rootkit does not have to make any modifications to the
kernel of the target in order to subvert it—however that does not mean to say that it
cannot be detected by the guest operating system, as timing differences may for
example be detectable in CPU instructions. The "SubVirt" laboratory rootkit,
developed jointly by Microsoft and University of Michigan researchers, is an
academic example of a virtual machine based rootkit (VMBR), while Blue Pill is
another.

In 2009, researchers from Microsoft and North Carolina State University
demonstrated a hypervisor-layer anti-rootkit called Hooksafe that provides generic
protection against kernel-mode rootkits.

4.6.2.4 HARDWARE/FIRMWARE

A firmware rootkit uses device or platform firmware to create a persistent malware
image in hardware such as a network card, hard drive or the system BIOS. The rootkit
hides in firmware, because it is not usually inspected for code integrity. John
Heasman demonstrated the viability of firmware rootkits in both ACPI firmware
routines and in a PCI expansion card ROM.

In October 2008, criminals tampered with European credit card reading machines
before they were installed. The devices intercepted and transmitted credit card details
via a mobile phone network. In March 2009, researchers Alfredo Ortega and Anibal
Sacco published details of a BIOS-level Windows rootkit that was able to survive disk
replacement and OS re-installation.

A few months later they found that some laptop BIOSes come with a legitimate
preinstalled rootkit known as Computrace LoJack. This is an anti-theft technology
system that, as the researchers showed, can be turned to malicious purposes.

4.6.2.5 INSTALLATION AND CLOAKING

Rootkits employ a variety of techniques to gain control of a system; the type of rootkit
will also influence the attack vector that is chosen. The most common is to leverage
security vulnerabilities. Another approach is to become a Trojan horse, deceiving a
computer user into trusting the rootkit's installer as benign—in this case, social
engineering convinces a user that the rootkit is beneficial. The installation task is
made easier if the principle of least privilege is not applied, since the rootkit then does
not have to explicitly request elevated (administrator-level) privileges. Other classes
of rootkits can be installed only by someone with physical access to the target system.

The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI)
compensation method for distributors.

Once installed, a rootkit takes active measures to obscure its presence within the host
system through subversion or evasion of standard operating system security tools and
APIs used for diagnosis, scanning and monitoring. Rootkits achieve this by
modifying the behavior of core parts of an operating system, by loading code into
other processes, or by installing or modifying drivers or kernel modules.
Obfuscation techniques include concealing running processes from system monitoring
mechanisms and hiding system files and other configuration data. It is not uncommon
for a rootkit to disable the event logging capacity of an operating system in an attempt
to hide evidence of an attack. Rootkits can in theory subvert any operating system
activities except CPU scheduling. The "perfect rootkit" can be thought of as similar to
a "perfect crime", one that nobody realizes has taken place.

In addition to installing more commonly into Ring 0 (kernel-mode) where they have
complete access to a system, rootkits also take a number of measures to ensure their
survival against detection and cleaning by antivirus software. These include
polymorphism, stealth techniques, regeneration and disabling anti-malware software.

4.6.2.6 DETECTION

The fundamental problem with rootkit detection is that if the operating system has
been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find
unauthorized modifications to itself or its components. Actions such as requesting a
list of running processes, or a list of files in a directory, cannot be trusted to behave as
expected. In other words, rootkit detectors that work while running on infected
systems are only effective against rootkits that have some defect in their camouflage,
or that run with lower user-mode privileges than detection software in the kernel. As
with computer viruses, the detection and elimination of rootkits is an ongoing struggle
between both sides of this conflict.

Detection can take a number of different approaches, including signatures (e.g.
antivirus software), integrity checking (e.g. digital signatures), difference-based
detection (comparison of expected vs. actual results) and behavioral detection (e.g.
monitoring CPU usage or network traffic).

Several products detect some rootkits. UNIX offerings include Zeppoo, chkrootkit,
rkhunter and OSSEC. For Windows, free detection tools include Microsoft
Sysinternals RootkitRevealer, Avast Antivirus, Sophos Anti-Rootkit, F-Secure
Blacklight (the first rootkit detector), and Radix. Any rootkit detectors that prove
effective ultimately contribute to their own ineffectiveness as malware authors adapt
and test their code to escape detection by well-used tools.

4.6.2.7 ALTERNATIVE TRUSTED MEDIUM

The best and most reliable method for operating system-level rootkit detection is to
shut down the computer suspected of infection, and then to check its storage by
booting from an alternative trusted medium (e.g. a rescue CD-ROM or USB flash
drive). The technique is effective because a rootkit cannot actively hide its presence if
it is not running.

4.6.2.7.1 BEHAVIORAL-BASED

This approach attempts to infer the presence of a rootkit by looking for rootkit-like
behavior. For example, by profiling a system, differences in the timing and frequency
of API calls or in overall CPU utilization can be attributed to a rootkit. The method is
complex and is hampered by a high incidence of false positives. Defective rootkits
can sometimes introduce very obvious changes, for example the Alureon rootkit
which crashed Windows systems after a security update was applied.
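The profiling idea above, as an added example that is not part of the original text: a clean-system timing profile is built from constructed samples of a directory-listing call's latency, later observations are scored against it, and a per-sample rule is compared with a windowed rate rule. The median/MAD baseline, the microsecond values and the threshold k are all assumptions chosen to show the false-positive trade-off the paragraph describes (a single slow call from a cache miss is flagged by the naive rule, while a hook that slows every call is what the rate rule isolates).

```python
"""Robust timing-profile anomaly check over constructed API-latency samples.

Added example, not from the original text. Behavioral detection profiles a
system while it is believed clean, then flags later observations that fall
outside that profile. The metric here is the latency (microseconds) of a
directory-listing call: a user-mode hook that filters results adds work to
every call, which shows up as a shift of the whole distribution. Median and
MAD are used instead of mean and standard deviation so that a few slow
calls (disk cache misses) do not inflate the baseline.
"""
import statistics


def profile(samples):
    """Baseline as (median, scaled MAD); 1.4826*MAD estimates sigma for normal data."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    return med, 1.4826 * mad


def robust_z(value, baseline):
    """How many robust sigmas a value sits above/below the baseline median."""
    med, sigma = baseline
    if sigma == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / sigma


def flag_anomalies(baseline, samples, k=3.0):
    """Indices of samples slower than the baseline by more than k sigmas."""
    return [i for i, v in enumerate(samples) if robust_z(v, baseline) > k]


def anomaly_rate(baseline, samples, k=3.0):
    """Fraction of a window that is anomalous; smooths out single outliers."""
    return len(flag_anomalies(baseline, samples, k)) / len(samples)


def decide(baseline, samples, k=3.0, min_rate=0.5):
    """Alert only when most of a window is anomalous, not on one slow call."""
    return anomaly_rate(baseline, samples, k) >= min_rate


# Constructed clean-system profile (one cache miss at 120 included on purpose).
CLEAN_SAMPLES = [41, 39, 44, 40, 42, 38, 43, 41, 40, 39, 120, 42, 41, 40, 43, 39]
# Constructed later windows: still clean (one cache miss) vs. every call slowed.
LATER_CLEAN = [40, 42, 39, 41, 125, 43, 40, 41]
LATER_HOOKED = [71, 68, 74, 70, 69, 73, 72, 70]


def demo(k=3.0):
    base = profile(CLEAN_SAMPLES)
    return {
        "baseline": base,
        "clean_flagged": flag_anomalies(base, LATER_CLEAN, k),
        "hooked_flagged": flag_anomalies(base, LATER_HOOKED, k),
        "clean_alert": decide(base, LATER_CLEAN, k),
        "hooked_alert": decide(base, LATER_HOOKED, k),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The per-sample rule flags the lone 125 µs cache miss in the clean window (a false positive of exactly the kind the text warns about), while the rate rule over the window only fires for the hooked case. On a real host the baseline would be collected over hours of normal load and per-workload, since a busy system legitimately shifts the same distribution.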

4.6.2.7.2 SIGNATURE-BASED

Antivirus products rarely catch all viruses in public tests, even though security
software vendors incorporate rootkit detection into their products. Should a rootkit
attempt to hide during an antivirus scan, a stealth detector may notice; if the rootkit
attempts to temporarily unload itself from the system, fingerprint (or signature)
detection can still find it. This combined approach forces attackers to implement
counter-attack mechanisms ("retro" routines) that attempt to terminate antivirus
programs. Signature-based detection methods can be effective against well-published
rootkits, but less so against specially crafted, custom root rootkits.

4.6.2.7.3 DIFFERENCE-BASED

Another method that can detect rootkits compares "trusted" raw data with "tainted"
content returned by an API. For example, binaries present on disk can be compared
with their copies within operating memory, or the results returned from file system or
Registry APIs can be checked against raw structures on the underlying physical
disks—however in the case of the former, some valid differences can be introduced
by operating system mechanisms, e.g., memory relocation or shimming. This was the
method used by Mark Russinovich's RootkitRevealer tool to find the Sony DRM
rootkit.
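A cross-view check of the kind just described, written as an added example (not RootkitRevealer's or any other tool's code) and applied to the process table rather than the Registry: the /proc directory listing is the API view that a user-mode rootkit of the kind described in the user-mode section typically filters, while probing each PID with kill(pid, 0) asks the kernel directly. The live collectors assume a Linux host; the demo data at the bottom is constructed so the comparison runs anywhere.

```python
"""Cross-view (difference-based) detection of hidden processes on Linux.

Added example, not code from the original text. Two views of the process
table are compared: the /proc listing, which a user-mode rootkit can
filter, and a brute-force probe of every PID with kill(pid, 0), which the
kernel answers directly. A PID confirmed by the probe but absent from the
listing is a candidate hidden process. A rootkit that hooks the kernel
itself could lie to both views, which is the limitation the text describes.
"""
import os


def listed_pids(proc_dir="/proc"):
    """PIDs according to the directory listing (the 'tainted' API view)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid=None):
    """PIDs the kernel confirms exist, by probing every number up to pid_max."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768  # historical default if pid_max cannot be read
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)        # signal 0: existence check, nothing is sent
            alive.add(pid)
        except PermissionError:
            alive.add(pid)         # exists but belongs to another user
        except ProcessLookupError:
            pass
    return alive


def is_thread(pid, proc_dir="/proc"):
    """True if pid is a thread of another process. Threads never appear in the
    /proc listing but do answer kill(), so they must not be reported."""
    try:
        with open(os.path.join(proc_dir, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def cross_view(listed, probed, thread_check=lambda pid: False):
    """PIDs present in the probe view but missing from the listing view."""
    return {pid for pid in probed - listed if not thread_check(pid)}


# Constructed demonstration data: the listing omits PID 4242, and PID 4243 is
# a thread belonging to 4242, so only 4242 should be reported.
DEMO_LISTED = {1, 2, 100, 1337}
DEMO_PROBED = {1, 2, 100, 1337, 4242, 4243}
DEMO_THREADS = {4243}


def demo():
    return cross_view(DEMO_LISTED, DEMO_PROBED, lambda pid: pid in DEMO_THREADS)


if __name__ == "__main__":
    print("constructed demo, hidden PIDs:", sorted(demo()))
    if os.path.isdir("/proc"):
        hidden = cross_view(listed_pids(), probed_pids(), is_thread)
        print("live scan, hidden PIDs:", sorted(hidden))
```

Processes that start or exit between the two collections produce transient differences, so a real scan repeats the comparison and reports only PIDs that stay hidden across passes; the same listed-versus-probed shape applies to files (directory listing versus raw disk structures) and Registry keys.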

4.6.2.7.4 INTEGRITY CHECKING

Figure: The rkhunter utility uses SHA-1 hashes to verify the integrity of system files.

A cryptographic hash function can be used to compute a "fingerprint" or digital
signature that can help to detect subsequent unauthorized changes to on-disk code
libraries. However, unsophisticated schemes check only whether the code has been
modified since release by the "publisher"; subversion prior to that time is not
detectable. The fingerprint must be re-established each time changes are made to the
system. The fingerprinting process creates a message digest dependent on every bit in
each file being fingerprinted. By recalculating and comparing the message digest at
regular intervals, changes in the system can be detected and monitored as long as the
original baseline was not created when the malware was already present. More
sophisticated rootkits are able to subvert the verification process by presenting an
unmodified copy of the file for inspection, or by making modifications in memory
rather than on disk. The technique is therefore effective only against the earliest forms
of rootkit that simply replaced UNIX commands like "ls" in order to mask the
presence of a file.
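The baseline-and-recheck process described above, as an added example (not rkhunter's own code): a SHA-256 digest of every file under a directory is recorded from a state believed to be clean, and a later pass reports what was modified, added or removed. The demo tree, the trojaned "ls" stand-in and the dropped file are constructed; the baseline is written outside the checked tree, which stands in for the read-only or off-host storage a real deployment needs.

```python
"""SHA-256 file-integrity baseline and verification.

Added example, not rkhunter's own code. It records a digest of every file
under a directory from a state believed to be clean, then recomputes the
digests later and reports what changed. Two caveats from the text apply:
the baseline must predate any compromise and be stored where the host
cannot rewrite it, and the check only sees on-disk content, so in-memory
patching is invisible to it.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Digest a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue  # skip sockets, device nodes, broken symlinks
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the current tree with a baseline and report the differences."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: a clean tree is baselined, then 'ls' is replaced
    (the classic trojaned command) and a new file is dropped next to it."""
    with tempfile.TemporaryDirectory() as root:
        tree = os.path.join(root, "bin")
        os.makedirs(tree)
        with open(os.path.join(tree, "ls"), "wb") as fh:
            fh.write(b"stand-in for the original ls binary\n")
        with open(os.path.join(tree, "ps"), "wb") as fh:
            fh.write(b"stand-in for the original ps binary\n")
        baseline_path = os.path.join(root, "baseline.json")  # outside the tree
        save_baseline(build_baseline(tree), baseline_path)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(tree, "ls"), "wb") as fh:
            fh.write(b"replacement ls that filters certain names\n")
        with open(os.path.join(tree, ".rk"), "wb") as fh:
            fh.write(b"dropped file\n")

        return verify(tree, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file itself is the weak point: if it sits on the monitored host, a rootkit that can rewrite the binaries can rewrite the digests too, so sign it or keep it on media the host cannot write.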

Similarly, detection in firmware can be achieved by computing a cryptographic hash
of firmware and comparing hash values to a whitelist of expected values, or by
extending the hash value into TPM (Trusted Platform Module) configuration
registers, which are later compared to a whitelist of expected values. Code that
performs hash, compare, and/or extend operations must also be protected. The notion
of an immutable root-of-trust ensures that a rootkit (or more specifically a bootkit)
does not compromise the system at its most fundamental level. A method of rootkit
detection using a TPM is described by the Trusted Computing Group.
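The hash, extend and compare steps above, as an added example that simulates them in software (it is not the Trusted Computing Group's method nor any vendor's firmware code): a constructed boot chain is measured into one simulated configuration register with the one-way extend operation, the result is compared with a whitelist, and the measurement log is replayed to find which component diverged. SHA-256, a 32-byte zeroed initial register and the four component images are assumptions; a real platform spreads measurements over several registers and keeps a firmware-maintained event log.

```python
"""Simulated TPM register extend chain for firmware measurement.

Added example, not the Trusted Computing Group's specification or any
vendor's code. It models the extend operation a TPM performs on a
configuration register (new = H(old || H(component))), measures a
constructed boot chain into one simulated register, checks the result
against a whitelist, and replays the log to locate the first bad component.
"""
import hashlib

PCR_INITIAL = bytes(32)  # assumed: register is all zeros at reset


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, component_image):
    """One-way extend: the register can only be moved forward, never set."""
    return sha256(pcr + sha256(component_image))


def measure_chain(components):
    """Extend each (name, image) in boot order; return final register and log."""
    pcr = PCR_INITIAL
    log = []
    for name, image in components:
        pcr = extend(pcr, image)
        log.append((name, sha256(image).hex()))
    return pcr, log


def replay_log(log):
    """Recompute the register from the logged digests, as a verifier would."""
    pcr = PCR_INITIAL
    for _name, digest_hex in log:
        pcr = sha256(pcr + bytes.fromhex(digest_hex))
    return pcr


def first_divergence(expected_log, actual_log):
    """Name of the first component whose measurement differs, or None."""
    for (exp_name, exp_digest), (_act_name, act_digest) in zip(expected_log, actual_log):
        if exp_digest != act_digest:
            return exp_name
    if len(actual_log) != len(expected_log):
        return "<chain length differs>"
    return None


# Constructed firmware images standing in for the real components.
GOOD_CHAIN = [
    ("bios_core", b"vendor BIOS core v1.2"),
    ("acpi_tables", b"ACPI DSDT/SSDT blobs"),
    ("pci_option_rom", b"NIC option ROM build 77"),
    ("boot_loader", b"stage-1 boot loader"),
]

# The whitelist a verifier holds; here derived from the known-good chain.
GOOD_PCR, GOOD_LOG = measure_chain(GOOD_CHAIN)
WHITELIST = {GOOD_PCR.hex()}


def attest(pcr):
    """True when the reported register value is on the whitelist."""
    return pcr.hex() in WHITELIST


def tampered_chain():
    """Same boot order, but the option ROM image has been altered."""
    return [(name, b"NIC option ROM build 77 + extra code" if name == "pci_option_rom" else image)
            for name, image in GOOD_CHAIN]


if __name__ == "__main__":
    pcr, log = measure_chain(tampered_chain())
    print("known-good chain attests:", attest(GOOD_PCR))
    print("tampered chain attests:", attest(pcr),
          "| first divergence:", first_divergence(GOOD_LOG, log))
```

Because every extend folds the previous value in, changing any one image, or just reordering two of them, changes the final register; the verifier therefore only needs to store the final expected value, and the log exists to explain a mismatch, not to prove anything on its own, since the register is what the log must replay to.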

4.6.2.7.5 MEMORY DUMPS

Forcing a kernel or complete memory dump will capture an active kernel-mode or
user-mode rootkit in the resulting dump file, allowing offline analysis to be performed
with a debugger and without the rootkit being able to take any measures to cloak
itself. This technique is highly specialized, and may require access to non-public
source code or symbols. Memory dumps cannot be used to detect a hypervisor-based
rootkit, which is able to intercept and subvert the lowest-level attempts to read
memory.

4.6.2.8 REMOVAL

Most rootkits install hooks in user-mode processes; those that operate at the lowest
level of the OS (Ring 0), have system privileges, so booting into Safe Mode on a
Windows machine will not usually allow removal. Given the stealth nature of rootkits,
some experts believe that the only reliable way to remove them is to re-install the
operating system from trusted media.

A number of vendors of security software offer tools to automatically detect and
remove rootkits, typically as part of an antivirus suite. As of 2005, Microsoft's
monthly Malicious Software Removal Tool is able to detect and remove some
rootkits.

Manual removal is often too difficult for a typical computer user. Conversely,
antivirus and malware removal tools running on an untrusted system may be
ineffective against well-written kernel-mode rootkits. Booting an alternate operating
system from trusted media can allow an infected system volume to be mounted and
potentially safely cleaned, critical data to be copied off, or alternatively, a forensic
examination performed. Lightweight operating systems such as Windows PE,
Windows Recovery Console, Windows Recovery Environment, BartPE or Live
Distros can be used for this purpose, allowing the system to be cleaned.

Some antivirus scanners can bypass file system APIs, which are vulnerable to
manipulation by a rootkit. They access raw file system structures directly and use this
information to validate the results from system APIs to identify any differences that
may be caused by a rootkit that has subverted the system.

More often, manual repair is impractical. Even if its type and nature are known, re-
installing the operating system and applications is simpler and quicker. Re-installation
time can be greatly reduced by modern drive imaging software, especially when the
source image includes necessary hardware drivers and software applications. This is
true even if the rootkit is well-known and can be completely removed.

4.6.2.9 PUBLIC AVAILABILITY

Like much malware used by attackers, many rootkit implementations are shared and
are easily available on the Internet. It is not uncommon to see a compromised system
in which a sophisticated publicly available rootkit hides the presence of
unsophisticated worms or attack tools that appear to have been written by
inexperienced programmers.

Most of the rootkits available on the Internet are constructed as an exploit or academic
"proof of concept" to demonstrate varying methods of hiding things within a
computer system and of taking unauthorized control. Since these are often not fully
optimized for stealth, they sometimes leave unintended evidence of their presence.
Even so, when such rootkits are used in an attack they are often effective.

4.7 SOCIAL ENGINEERING

4.7.1 INTRODUCTION

Social Engineering is the art of getting persons to reveal sensitive information about a
system. This is usually done by impersonating someone or by convincing people to
believe you have permissions to obtain such information.

4.7.2 EXPLANATION

Social engineering is the act of manipulating people into performing actions or
divulging confidential information, rather than by breaking in or using technical
cracking techniques; essentially a fancier, more technical way of lying. While similar
to a confidence trick or simple fraud, the term typically applies to trickery or
deception for the purpose of information gathering, fraud, or computer system access;
in most cases the attacker never comes face-to-face with the victim.

"Social engineering" as an act of psychological manipulation was popularized by
hacker-turned-consultant Kevin Mitnick. The term had previously been associated
with the social sciences, but its usage has caught on among computer professionals.

4.7.2.1 SOCIAL ENGINEERING TECHNIQUES AND TERMS

All social engineering techniques are based on specific attributes of human decision-
making known as cognitive biases. These biases, sometimes called "bugs in the
human hardware," are exploited in various combinations to create attack techniques,
some of which are listed here:

4.7.2.1.1 PRETEXTING

Pretexting is the act of creating and using an invented scenario (the pretext) to engage
a targeted victim in a manner that increases the chance the victim will divulge
information or perform actions that would be unlikely in ordinary circumstances. It is
more than a simple lie, as it most often involves some prior research or setup and the
use of prior information for impersonation (e.g., date of birth, Social Security
Number, last bill amount) to establish legitimacy in the mind of the target.

This technique can be used to trick a business into disclosing customer information as
well as by private investigators to obtain telephone records, utility records, banking
records and other information directly from junior company service representatives.
The information can then be used to establish even greater legitimacy under tougher
questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting has been an observed law enforcement technique, under the auspices of
which a law officer may leverage the threat of an alleged infraction to detain a
suspect for questioning and conduct close inspection of a vehicle or premises.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities,
or insurance investigators — or any other individual who could have perceived
authority or right-to-know in the mind of the targeted victim. The pretexter must
simply prepare answers to questions that might be asked by the victim. In some cases
all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to
think on one's feet.

4.7.2.1.2 DIVERSION THEFT

Diversion theft, also known as the "Corner Game" or "Round the Corner Game",
originated in the East End of London.

In summary, diversion theft is a "con" exercised by professional thieves, normally
against a transport or courier company. The objective is to persuade the persons
responsible for a legitimate delivery that the consignment is requested elsewhere —
hence, "round the corner".

With a load/consignment redirected, the thieves persuade the driver to unload the
consignment near to, or away from, the consignee's address, in the pretense that it is
"going straight out" or "urgently required somewhere else".

The "con" or deception has many different facets, which include social engineering
techniques to persuade legitimate administrative or traffic personnel of a transport or
courier company to issue instructions to the driver to redirect the consignment or load.

Another variation of diversion theft is stationing a security van outside a bank on a
Friday evening. Smartly dressed guards use the line "Night safe's out of order, Sir". By
this method shopkeepers and the like are gulled into depositing their takings into the
van. They do of course obtain a receipt, but later this turns out to be worthless. A
similar technique was used many years ago to steal a Steinway grand piano from a
radio studio in London; "Come to overhaul the piano, guv" was the chat line.
Nowadays ID would probably be asked for, but even that can be faked.

The social engineering skills of these thieves are well rehearsed, and are extremely
effective. Most companies do not prepare their staff for this type of deception.

4.7.2.1.3 PHISHING

Phishing is a technique of fraudulently obtaining private information. Typically, the
phisher sends an e-mail that appears to come from a legitimate business — a bank, or
credit card company — requesting "verification" of information and warning of some
dire consequence if it is not provided. The e-mail usually contains a link to a
fraudulent web page that seems legitimate — with company logos and content — and
has a form requesting everything from a home address to an ATM card's PIN.

For example, 2003 saw the proliferation of a phishing scam in which users received
e-mails supposedly from eBay claiming that the user's account was about to be
suspended unless a link provided was clicked to update a credit card (information that
the genuine eBay already had). Because it is relatively simple to make a Web site
resemble a legitimate organization's site by mimicking the HTML code, the scam
counted on people being tricked into thinking they were being contacted by eBay and
subsequently were going to eBay's site to update their account information. By
spamming large groups of people, the "phisher" counted on the e-mail being read by a
percentage of people who already had listed credit card numbers with eBay
legitimately, who might respond.
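The link tricks the eBay campaign relied on, checked mechanically, as an added example that is not part of the original text: given the HTML body of a message and the domains the claimed sender really uses, every anchor is extracted and reported when its visible text shows one address while the href points elsewhere, when the brand name appears inside a host that is not the brand's domain, or when the target is a bare IP address. The message body, the hosts in it and the trusted-domain list are constructed; a mail gateway would take the trusted domains from its own verified sender list.

```python
"""Link indicators for a suspected phishing e-mail.

Added example, not from the original text. It parses the anchors out of a
message body and flags three things a victim of the 2003-style eBay scam
would not have noticed: visible text that names a different host than the
href, a brand name embedded in an unrelated host, and links to bare IPs.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a URL or bare hostname inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host of a URL; scheme-less text like www.x.com/y is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True for the domain itself and any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, trusted_domains):
    """Return [(href, [reasons])] for anchors showing a phishing indicator."""
    parser = AnchorCollector()
    parser.feed(html)
    brands = [d.split(".")[0] for d in trusted_domains]  # "ebay" from "ebay.com"
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        shown = URL_IN_TEXT.search(text)
        if shown and host_of(shown.group(0)) != host:
            reasons.append("visible address differs from href host")
        if is_ip_literal(host):
            reasons.append("href targets a bare IP address")
        elif any(b in host for b in brands) and not any(under_domain(host, d) for d in trusted_domains):
            reasons.append("brand name inside an untrusted host")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed message body in the style of the 2003 eBay campaign.
SAMPLE_EMAIL = """
<p>Dear eBay member, your account will be suspended unless you update
your card details within 24 hours.</p>
<p><a href="http://ebay.com.account-verify.example/update">http://www.ebay.com/update</a></p>
<p><a href="http://198.51.100.7/cgi-bin/login">Click here to sign in</a></p>
<p><a href="https://pages.ebay.com/help/policies.html">eBay privacy policy</a></p>
"""


def demo():
    return suspicious_links(SAMPLE_EMAIL, ["ebay.com"])


if __name__ == "__main__":
    for href, reasons in demo():
        print(href, "->", "; ".join(reasons))
```

The brand check is deliberately a substring test: "ebay.com.account-verify.example" begins with the real domain, which is exactly what makes it convincing in a mail client that truncates long addresses, and only a suffix comparison against the trusted domain tells the two apart.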

4.7.2.1.4 IVR OR PHONE PHISHING

This technique uses a rogue Interactive Voice Response (IVR) system to recreate a
legitimate-sounding copy of a bank or other institution's IVR system. The victim is
prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll
free) number provided in order to "verify" information. A typical system will reject
log-ins continually, ensuring the victim enters PINs or passwords multiple times,
often disclosing several different passwords. More advanced systems transfer the
victim to the attacker posing as a customer service agent for further questioning.

One could even record the typical commands ("Press one to change your password,
press two to speak to customer service" ...) and play back the direction manually in
real time, giving the appearance of being an IVR without the expense.

Phone phishing is also called vishing.

4.7.2.1.5 BAITING

Baiting is like the real-world Trojan Horse that uses physical media and relies on the
curiosity or greed of the victim.

In this attack, the attacker leaves a malware-infected floppy disk, CD-ROM, or USB
flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot),
gives it a legitimate-looking and curiosity-piquing label, and simply waits for the
victim to use the device.

For example, an attacker might create a disk featuring a corporate logo, readily
available from the target's web site, and write "Executive Salary Summary Q2 2010"
on the front. The attacker would then leave the disk on the floor of an elevator or
somewhere in the lobby of the targeted company. An unknowing employee might find
it and subsequently insert the disk into a computer to satisfy their curiosity, or a good
Samaritan might find it and turn it in to the company.

In either case as a consequence of merely inserting the disk into a computer to see the
contents, the user would unknowingly install malware on it, likely giving an attacker
unfettered access to the victim's PC and perhaps, the targeted company's internal
computer network.

Unless computer controls block the infection, PCs set to "auto-run" inserted media
may be compromised as soon as a rogue disk is inserted.

4.7.2.1.6 QUID PRO QUO

Quid pro quo means something for something:

• An attacker calls random numbers at a company claiming to be calling back
from technical support. Eventually they will hit someone with a legitimate
problem, grateful that someone is calling back to help them. The attacker will
"help" solve the problem and in the process have the user type commands that
give the attacker access or launch malware.
• In a 2003 information security survey, 90% of office workers gave researchers
what they claimed was their password in answer to a survey question in
exchange for a cheap pen. Similar surveys in later years obtained similar
results using chocolates and other cheap lures, although they made no attempt
to validate the passwords.

4.7.2.2 OTHER TYPES

Common confidence tricksters or fraudsters also could be considered "social
engineers" in the wider sense, in that they deliberately deceive and manipulate people,
exploiting human weaknesses to obtain personal benefit. They may, for example, use
social engineering techniques as part of an IT fraud.

A more recent type of social engineering technique involves spoofing or hacking the
e-mail IDs of people with accounts at popular providers such as Yahoo!, Gmail,
Hotmail, etc. Among the many motivations for deception are:

• Phishing credit-card account numbers and their passwords.
• Hacking private e-mails and chat histories, and manipulating them by using
common editing techniques before using them to extort money and creating
distrust among individuals.
• Hacking websites of companies or organizations and destroying their
reputation.
• Computer virus hoaxes.

4.7.2.3 NOTABLE SOCIAL ENGINEERS

4.7.2.3.1 KEVIN MITNICK

Reformed computer criminal and later security consultant Kevin Mitnick popularized
the term "social engineering", pointing out that it is much easier to trick someone into
giving a password for a system than to spend the effort to crack into the system. He
claims it was the single most effective method in his arsenal.

4.7.2.3.2 THE BADIR BROTHERS

Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—
managed to set up an extensive phone and computer fraud scheme in the village of
Kafr Kassem outside Tel Aviv, Israel in the 1990s using social engineering, voice
impersonation, and Braille-display computers.

4.7.2.4 UNITED STATES LAW

In common law, pretexting is an invasion of privacy tort of appropriation.

4.7.2.4.1 PRETEXTING OF TELEPHONE RECORDS

In December 2006, United States Congress approved a Senate sponsored bill making
the pretexting of telephone records a federal felony with fines of up to $250,000 and
ten years in prison for individuals (or fines of up to $500,000 for companies). It was
signed by President George W. Bush on January 12, 2007.

4.7.2.4.2 FEDERAL LEGISLATION

The 1999 “GLBA” is a U.S. Federal law that specifically addresses pretexting of
banking records as an illegal act punishable under federal statutes. When a business
entity such as a private investigator, SIU insurance investigator, or an adjuster
conducts any type of deception, it falls under the authority of the Federal Trade
Commission (FTC). This federal agency has the obligation and authority to ensure
that consumers are not subjected to any unfair or deceptive business practices. Section
5 of the US Federal Trade Commission Act (FTCA) states, in part: "Whenever the
Commission shall have reason to believe that any such person, partnership, or
corporation has been or is using any unfair method of competition or unfair or
deceptive act or practice in or affecting commerce, and if it shall appear to the
Commission that a proceeding by it in respect thereof would be to the interest of the
public, it shall issue and serve upon such person, partnership, or corporation a
complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information
from a financial institution or the consumer, their action is subject to the statute. It
relates to the consumer's relationship with the financial institution. For example, a
pretexter using false pretenses either to get a consumer's address from the consumer's
bank, or to get a consumer to disclose the name of his or her bank, would be covered.
The determining principle is that pretexting only occurs when information is obtained
through false pretenses.

While the sale of cell telephone records has gained significant media attention, and
telecommunications records are the focus of the two bills currently before the United
States Senate, many other types of private records are being bought and sold in the
public market. Alongside many advertisements for cell phone records, wireline
records and the records associated with calling cards are advertised. As individuals
shift to VoIP telephones, it is safe to assume that those records will be offered for sale
as well. Currently, it is legal to sell telephone records, but illegal to obtain them.

4.7.2.4.3 1st SOURCE INFORMATION SPECIALISTS

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and
Commerce Subcommittee on Telecommunications and the Internet, expressed
concern over the easy access to personal mobile phone records on the Internet during
Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't
Phone Records Safe From Pretexting?" Illinois became the first state to sue an online
records broker when Attorney General Lisa Madigan sued 1st Source Information
Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The
Florida-based company operates several Web sites that sell mobile telephone records,
according to a copy of the suit. The attorneys general of Florida and Missouri quickly
followed Madigan's lead, filing suit on 24 January and 30 January, respectively,
against 1st Source Information Specialists and, in Missouri's case, one other records
broker - First Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier
lawsuits against records brokers, with Cingular winning an injunction against First
Data Solutions and 1st Source Information Specialists on January 13. U.S. Senator
Charles Schumer (D-New York) introduced legislation in February 2006 aimed at
curbing the practice. The Consumer Telephone Records Protection Act of 2006 would
create felony criminal penalties for stealing and selling the records of mobile phone,
landline, and Voice over Internet Protocol (VoIP) subscribers.

4.7.2.4.4 HEWLETT PACKARD

Patricia Dunn, former chairman of Hewlett Packard, reported that the HP board hired
a private investigation company to delve into who was responsible for leaks within
the board. Dunn acknowledged that the company used the practice of pretexting to
solicit the telephone records of board members and journalists. Chairman Dunn later
apologized for this act and offered to step down from the board if it was desired by
board members. Unlike Federal law, California law specifically forbids such
pretexting. The four felony charges brought on Dunn were dismissed.

4.7.2.5 IN POPULAR CULTURE

• In the film Hackers, the protagonist used pretexting when he asked a security
guard for the telephone number to a TV station's modem while posing as an
important executive.
• In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain
confidential information is one of the methods used by the killer, Phate, to get
close to his victims.
• In the movie Live Free or Die Hard, Justin Long is seen pretexting that his
father is dying from a heart attack to have a BMW Assist representative start
what will become a stolen car.
• In the movie Sneakers, one of the characters poses as a low level security
guard's superior in order to convince him that a security breach is just a false
alarm.
• In the movie The Thomas Crown Affair, one of the characters poses over the
telephone as a museum guard's superior in order to move the guard away from
his post.
• In the James Bond movie Diamonds are Forever, Bond is seen gaining entry to
the Whyte laboratory with a then-state-of-the-art card-access lock system by
"tailgating". He merely waits for an employee to come to open the door, then
posing himself as a rookie at the lab, fakes inserting a non-existent card while
the door is unlocked for him by the employee.

4.8 TROJAN HORSE

4.8.1 INTRODUCTION

A Trojan horse is a program which seems to be doing one thing, but is actually doing
another. A Trojan horse can be used to set up a back door in a computer system such
that the intruder can gain access later. (The name refers to the horse from the Trojan
War, with conceptually similar function of deceiving defenders into bringing an
intruder inside.)

4.8.2 EXPLANATION

A Trojan horse, or Trojan, is malware that appears to perform a desirable function
for the user before it is run or installed, but instead facilitates unauthorized access to
the user's computer system. "It is a harmful piece of software that looks legitimate.
Users are typically tricked into loading and executing it on their systems", as Cisco
describes. The term is derived from the Trojan Horse story in Greek mythology.

4.8.2.1 PURPOSE AND OPERATION

4.8.2.1.1 ADWARE

A Trojan horse may modify the user's computer to display advertisements in
undesirable places, such as the desktop or in uncontrollable pop-ups, or it may be less
conspicuous, such as installing a toolbar on to the user's Web browser without prior
notice. This can generate revenue for the author of the Trojan, despite it being against
the Terms of Service of most major Internet advertising networks, such as Google
AdSense.

4.8.2.1.2 SECURITY

Trojan horses may allow a hacker remote access to a target computer system. Once a
Trojan horse has been installed on a target computer system, a hacker may have
access to the computer remotely and perform various operations, limited by user
privileges on the target computer system and the design of the Trojan horse.

Operations that could be performed by a hacker on a target computer system include:

• Use of the machine as part of a botnet (e.g. to perform automated spamming or
to distribute denial-of-service attacks)
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Keystroke logging
• Watching the user's screen
• Crashing the computer

Trojan horses in this way require interaction with a hacker to fulfill their purpose,
though the hacker need not be the individual responsible for distributing the Trojan
horse. It is possible for individual hackers to scan computers on a network using a
port scanner in the hope of finding one with a malicious Trojan horse installed, which
the hacker can then use to control the target computer.

4.8.2.2 INSTALLATION AND DISTRIBUTION

Trojan horses can be installed through the following methods:

• Software downloads
• Bundling (e.g. a Trojan horse included as part of a software application
downloaded from a file sharing network)
• Email attachments
• Websites containing executable content (e.g., a Trojan horse in the form of an
ActiveX control)
• Application exploits (e.g., flaws in a Web browser, media player, instant-
messaging client, or other software that can be exploited to allow installation
of a Trojan horse)

Some users, particularly those in the Warez scene, may create and distribute software
with or without knowing that a Trojan has been embedded inside. Compilers and
higher-level software makers can be written to attach malicious software when the
author compiles his code to executable form.

4.8.2.2.1 SELF-REPLICATION

A Trojan horse may itself be a computer virus, either by asking other users on a
network, such as an instant-messaging network, to install the said software, or by
spreading itself through the use of application exploits.

4.8.2.3 REMOVAL

Antivirus software is designed to detect and delete Trojan horses and prevent them
from ever being installed. Although it is possible to remove a Trojan horse manually,
it requires a full understanding of how that particular Trojan horse operates. In
addition, if a Trojan horse has possibly been used by a hacker to access a computer
system, it will be difficult to know what damage has been done and what other
problems have been introduced. In situations where the security of the computer
system is critical, it is advisable to simply erase all data from the hard disk and
reinstall the operating system and required software.

4.8.2.4 CURRENT USE

Due to the popularity of botnets among hackers and the availability of advertising
services that permit authors to violate their users' privacy, Trojan horses are becoming
more common. According to a survey conducted by BitDefender from January to
June 2009, "Trojan-type malware is on the rise, accounting for 83-percent of the
global malware detected in the world".

4.9 VIRUS

4.9.1 INTRODUCTION

A virus is a self-replicating program that spreads by inserting copies of itself into
other executable code or documents. Therefore, a computer virus behaves in a way
similar to a biological virus, which spreads by inserting itself into living cells.

While some are harmless or mere hoaxes, most computer viruses are considered
malicious.

4.9.2 EXPLANATION

A computer virus is a computer program that can copy itself and infect a computer.
The term "virus" is also commonly but erroneously used to refer to other types of
malware, including but not limited to adware and spyware programs that do not have
the reproductive ability. A true virus can spread from one computer to another (in
some form of executable code) when its host is taken to the target computer; for
instance because a user sent it over a network or the Internet, or carried it on a
removable medium such as a floppy disk, CD, DVD, or USB drive.

Viruses can increase their chances of spreading to other computers by infecting files
on a network file system or a file system that is accessed by another computer.

As stated above, the term "computer virus" is sometimes used as a catch-all phrase to
include all types of malware, even those that do not have the reproductive ability.
Malware includes computer viruses, computer worms, Trojan horses, most rootkits,
spyware, dishonest adware and other malicious and unwanted software, including true
viruses. Viruses are sometimes confused with worms and Trojan horses, which are
technically different. A worm can exploit security vulnerabilities to spread itself
automatically to other computers through networks, while a Trojan horse is a program
that appears harmless but hides malicious functions. Worms and Trojan horses, like
viruses, may harm a computer system's data or performance. Some viruses and other
malware have symptoms noticeable to the computer user, but many are surreptitious
or simply do nothing to call attention to themselves. Some viruses do nothing beyond
reproducing themselves.

4.9.2.1 HISTORY

4.9.2.1.1 ACADEMIC WORK

The first academic work on the theory of computer viruses (although the term
"computer virus" was not invented at that time) was done by John von Neumann in
1949 who held lectures at the University of Illinois about the "Theory and
Organization of Complicated Automata". The work of von Neumann was later
published as the "Theory of self-reproducing automata". In his essay von Neumann
postulated that a computer program could reproduce.

In 1972 Veith Risak published his article "Selbstreproduzierende Automaten mit
minimaler Informationsübertragung" (Self-reproducing automata with minimal
information exchange). The article describes a fully functional virus written in
assembler language for a SIEMENS 4004/35 computer system.

In 1980 Jürgen Kraus wrote his diplom thesis "Selbstreproduktion bei Programmen"
(Self-reproduction of programs) at the University of Dortmund. In his work Kraus
postulated that computer programs can behave in a way similar to biological viruses.

In 1984 Fred Cohen from the University of Southern California wrote his paper
"Computer Viruses - Theory and Experiments". It was the first paper to explicitly call
a self-reproducing program a "virus"; a term introduced by his mentor Leonard
Adleman.

An article that describes "useful virus functionalities" was published by J.B. Gunn
under the title "Use of virus functions to provide a virtual APL interpreter under user
control" in 1984.

4.9.2.1.2 SCIENCE FICTION

The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a
sideline story) of a computer with telephone modem dialing capability, which had
been programmed to randomly dial phone numbers until it hit a modem that is
answered by another computer. It then attempted to program the answering computer
with its own program, so that the second computer would also begin dialing random
numbers, in search of yet another computer to program. The program is assumed to
spread exponentially through susceptible computers.

The actual term 'virus' was first used in David Gerrold's 1972 novel, When HARLIE
Was One. In that novel, a sentient computer named HARLIE writes viral software to
retrieve damaging personal information from other computers to blackmail the man
who wants to turn him off.

4.9.2.1.3 VIRUS PROGRAMS

The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in
the early 1970s. Creeper was an experimental self-replicating program written by Bob
Thomas at BBN Technologies in 1971. Creeper used the ARPANET to infect DEC
PDP-10 computers running the TENEX operating system. Creeper gained access via
the ARPANET and copied itself to the remote system where the message, "I'm the
creeper, catch me if you can!" was displayed. The Reaper program was created to
delete Creeper.

A program called "Elk Cloner" was the first computer virus to appear "in the wild" —
that is, outside the single computer or lab where it was created. Written in 1981 by
Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread
via floppy disk. This virus, created as a practical joke when Skrenta was still in high
school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus
would be activated, infecting the computer and displaying a short poem beginning
"Elk Cloner: The program with a personality."

The first PC virus in the wild was a boot sector virus dubbed ©Brain, created in 1986
by the Farooq Alvi Brothers in Lahore, Pakistan, reportedly to deter piracy of the
software they had written.

Before computer networks became widespread, most viruses spread on removable
media, particularly floppy disks. In the early days of the personal computer, many
users regularly exchanged information and programs on floppies. Some viruses spread
by infecting programs stored on these disks, while others installed themselves into the
disk boot sector, ensuring that they would be run when the user booted the computer
from the disk, usually inadvertently. PCs of the era would attempt to boot first from a
floppy if one had been left in the drive. Until floppy disks fell out of use, this was the
most successful infection strategy and boot sector viruses were the most common in
the wild for many years.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal
computers and the resultant increase in BBS, modem use, and software sharing.
Bulletin board driven software sharing contributed directly to the spread of Trojan
horse programs, and viruses were written to infect popularly traded software.
Shareware and bootleg software were equally common vectors for viruses on BBS's.

Macro viruses have become common since the mid-1990s. Most of these viruses are
written in the scripting languages for Microsoft programs such as Word and Excel and
spread throughout Microsoft Office by infecting documents and spreadsheets. Since
Word and Excel were also available for Mac OS, most could also spread to Macintosh
computers. Although most of these viruses did not have the ability to send infected e-
mail, those which did took advantage of the Microsoft Outlook COM interface.

Some old versions of Microsoft Word allow macros to replicate themselves with
additional blank lines. If two macro viruses simultaneously infect a document, the
combination of the two, if also self-replicating, can appear as a "mating" of the two
and would likely be detected as a virus unique from the "parents".

A virus may also send a web address link as an instant message to all the contacts on
an infected machine. If the recipient, thinking the link is from a friend (a trusted
source) follows the link to the website, the virus hosted at the site may be able to
infect this new computer and continue propagating.

Viruses that spread using cross-site scripting were first reported in 2002, and were
academically demonstrated in 2005. There have been multiple instances of the cross-
site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo.

4.9.2.2 INFECTION STRATEGIES

In order to replicate itself, a virus must be permitted to execute code and write to
memory. For this reason, many viruses attach themselves to executable files that may
be part of legitimate programs. If a user attempts to launch an infected program, the
virus' code may be executed simultaneously. Viruses can be divided into two types
based on their behavior when they are executed. Nonresident viruses immediately
search for other hosts that can be infected, infect those targets, and finally transfer
control to the application program they infected. Resident viruses do not search for
hosts when they are started. Instead, a resident virus loads itself into memory on
execution and transfers control to the host program. The virus stays active in the
background and infects new hosts when those files are accessed by other programs or
the operating system itself.

4.9.2.2.1 NONRESIDENT VIRUSES

Nonresident viruses can be thought of as consisting of a finder module and a
replication module. The finder module is responsible for finding new files to infect.
For each new executable file the finder module encounters, it calls the replication
module to infect that file.

4.9.2.2.2 RESIDENT VIRUSES

Resident viruses contain a replication module that is similar to the one that is
employed by nonresident viruses. This module, however, is not called by a finder
module. The virus loads the replication module into memory when it is executed
instead and ensures that this module is executed each time the operating system is
called to perform a certain operation. The replication module can be called, for
example, each time the operating system executes a file. In this case the virus infects
every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a
category of slow infectors. Fast infectors are designed to infect as many files as
possible. A fast infector, for instance, can infect every potential host file that is
accessed. This poses a special problem when using anti-virus software, since a virus
scanner will access every potential host file on a computer when it performs a system-
wide scan. If the virus scanner fails to notice that such a virus is present in memory
the virus can "piggy-back" on the virus scanner and in this way infect all files that are
scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of
this method is that infecting many files may make detection more likely, because the
virus may slow down a computer or perform many suspicious actions that can be
noticed by anti-virus software. Slow infectors, on the other hand, are designed to
infect hosts infrequently. Some slow infectors, for instance, only infect files when
they are copied. Slow infectors are designed to avoid detection by limiting their
actions: they are less likely to slow down a computer noticeably and will, at most,
infrequently trigger anti-virus software that detects suspicious behavior by programs.
The slow infector approach, however, does not seem very successful.

4.9.2.3 VECTORS AND HOSTS

Viruses have targeted various types of transmission media or hosts. This list is not
exhaustive:

• Binary executable files (such as COM files and EXE files in MS-DOS,
Portable Executable files in Microsoft Windows, the Mach-O format in OSX,
and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft
Windows, VBScript files, and shell script files on UNIX-like platforms).
• Application-specific script files (such as Telix-scripts)
• System specific autorun script files (such as Autorun.inf file needed by
Windows to automatically run software stored on USB Memory Storage
Devices).
• Documents that can contain macros (such as Microsoft Word documents,
Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access
database files)
• Cross-site scripting vulnerabilities in web applications (see XSS Worm)
• Arbitrary computer files. An exploitable buffer overflow, format string, race
condition or other exploitable bug in a program which reads the file could be
used to trigger the execution of code hidden within it. Most bugs of this type
can be made more difficult to exploit in computer architectures with protection
features such as an execute disable bit and/or address space layout
randomization.

PDFs, like HTML, may link to malicious code. PDFs can also be infected with
malicious code.

In operating systems that use file extensions to determine program associations (such
as Microsoft Windows), the extensions may be hidden from the user by default. This
makes it possible to create a file that is of a different type than it appears to the user.
For example, an executable may be created named "picture.png.exe", in which the
user sees only "picture.png" and therefore assumes that this file is an image and most
likely is safe, yet when opened runs the executable on the client machine.
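A small check for the hidden-extension trick just described, written here as an added example (not code from this document). The extension sets are a constructed subset, not the full list Windows treats as executable, and the function only models the "hide known extensions" display rule.

```python
import os
from typing import NamedTuple

# Constructed subset of extensions Windows runs directly (not the full PATHEXT
# or registry list; extend it for a real gateway rule).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".msi"}
# Extensions a user reads as harmless data: images, documents, archives.
DATA_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".docx",
             ".xls", ".xlsx", ".txt", ".zip", ".tar", ".gz"}


class Verdict(NamedTuple):
    displayed: str   # what the user sees with "hide extensions for known types" on
    real_ext: str    # the extension the OS actually uses for the file association
    deceptive: bool  # an executable dressed up as a data file


def inspect_name(filename: str) -> Verdict:
    """Compare the name a user would see with the type the OS would act on."""
    base, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    # Explorer hides only the final extension, so "picture.png.exe" shows as
    # "picture.png"; a name without any extension is shown unchanged.
    displayed = base if real_ext else filename
    _, inner_ext = os.path.splitext(base)
    deceptive = real_ext in EXECUTABLE_EXTS and inner_ext.lower() in DATA_EXTS
    return Verdict(displayed, real_ext, deceptive)


if __name__ == "__main__":
    for name in ("picture.png.exe", "archive.tar.gz", "setup.exe", "Invoice.PDF.scr"):
        print(name, "->", inspect_name(name))
```

Benign multi-part names such as "archive.tar.gz" are not flagged because the final extension is not executable; the flag fires only when a data-looking inner extension sits in front of an executable one.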

An additional method is to generate the virus code from parts of existing operating
system files by using the CRC16/CRC32 data. The initial code can be quite small
(tens of bytes) and unpack a fairly large virus. This is analogous to a biological
"prion" in the way it works but is vulnerable to signature based detection. This attack
has not yet been seen "in the wild".

4.9.2.4 METHODS TO AVOID DETECTION

In order to avoid detection by users, some viruses employ different kinds of
deception. Some old viruses, especially on the MS-DOS platform, make sure that the
"last modified" date of a host file stays the same when the file is infected by the virus.
This approach does not fool anti-virus software, however, especially those which
maintain and date cyclic redundancy checks on file changes.

Some viruses can infect files without increasing their sizes or damaging the files.
They accomplish this by overwriting unused areas of executable files. These are
called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable
Executable files. Because those files have many empty gaps, the virus, which was 1
KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus
software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding
techniques need to be updated or replaced. Defending a computer against viruses may
demand that a file system migrate towards detailed and explicit permission for every
kind of file access.

4.9.2.4.1 AVOIDING BAIT FILES AND OTHER UNDESIRABLE HOSTS

A virus needs to infect hosts in order to spread further. In some cases, it might be a
bad idea to infect a host program. For example, many anti-virus programs perform an
integrity check of their own code. Infecting such programs will therefore increase the
likelihood that the virus is detected. For this reason, some viruses are programmed not
to infect programs that are known to be part of anti-virus software. Another type of
host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that
are specially created by anti-virus software, or by anti-virus professionals themselves,
to be infected by a virus. These files can be created for various reasons, all of which
are related to the detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a
copy of a program file that is infected by the virus). It is more practical to
store and exchange a small, infected bait file, than to exchange a large
application program that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and
evaluate detection methods. This is especially useful when the virus is
polymorphic. In this case, the virus can be made to infect a large number of
bait files. The infected files can be used to test whether a virus scanner detects
all versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When
these files are modified, the anti-virus software warns the user that a virus is
probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can
benefit from not infecting them. Viruses typically do this by avoiding suspicious
programs, such as small program files or programs that contain certain patterns of
'garbage instructions'.
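An integrity baseline of the kind section 4.9.2.4 alludes to (size, timestamp and CRC per file), applied to bait files as in the last bullet above. This is an added example, not code from this document; the scratch files, the "host" that is overwritten in place with its timestamp restored, and the bait file that is modified normally are all constructed inside the block.

```python
import os
import tempfile
import zlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable


@dataclass(frozen=True)
class Record:
    """Baseline entry for one monitored file."""
    size: int
    mtime_ns: int
    crc32: int


def fingerprint(path: Path) -> Record:
    """Size, modification time and CRC32 of a file. CRC32 follows the text;
    a cryptographic hash such as SHA-256 is the modern choice, because a
    CRC can be deliberately collided."""
    st = path.stat()
    crc = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return Record(st.st_size, st.st_mtime_ns, crc & 0xFFFFFFFF)


def build_baseline(paths: Iterable[Path]) -> Dict[Path, Record]:
    """Record every monitored file, bait files included."""
    return {p: fingerprint(p) for p in paths}


def check(baseline: Dict[Path, Record]) -> Dict[Path, str]:
    """Re-fingerprint each file and classify it:
      unchanged                    - size, mtime and CRC all match
      modified                     - content changed and mtime moved (ordinary write)
      modified-timestamp-preserved - content changed but mtime identical: the
                                     'last modified' preservation trick
      missing                      - file no longer exists"""
    verdicts: Dict[Path, str] = {}
    for path, old in baseline.items():
        if not path.exists():
            verdicts[path] = "missing"
            continue
        new = fingerprint(path)
        if new == old:
            verdicts[path] = "unchanged"
        elif new.mtime_ns == old.mtime_ns:
            verdicts[path] = "modified-timestamp-preserved"
        else:
            verdicts[path] = "modified"
    return verdicts


def demo() -> Dict[str, str]:
    """Constructed scenario in a scratch directory: a host file overwritten in
    place with its timestamp restored, a bait file modified normally, and an
    untouched control file. Returns file name -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        host = root / "app.com"       # constructed stand-in for a host program
        bait = root / "goat.com"      # constructed bait (goat) file
        notes = root / "readme.txt"   # untouched control file
        host.write_bytes(b"\x90" * 64 + b"HOST" + b"\x00" * 60)
        bait.write_bytes(b"\xcc" * 128)
        notes.write_bytes(b"nothing to see here\n")
        baseline = build_baseline([host, bait, notes])

        # Same-size overwrite of a padding region, then atime/mtime restored so a
        # directory listing looks untouched. Size and date match; the CRC does not.
        st = host.stat()
        data = bytearray(host.read_bytes())
        data[68:76] = b"CHANGED!"
        host.write_bytes(bytes(data))
        os.utime(host, ns=(st.st_atime_ns, st.st_mtime_ns))

        # Ordinary modification of the bait file. The mtime is pushed forward
        # explicitly so the demo does not depend on filesystem mtime granularity.
        st = bait.stat()
        bait.write_bytes(b"\xcc" * 128 + b"EXTRA")
        os.utime(bait, ns=(st.st_atime_ns, st.st_mtime_ns + 2_000_000_000))

        return {p.name: v for p, v in check(baseline).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```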

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse
infectors do not infect a host file that would be a suitable candidate for infection in
other circumstances. For example, a virus can decide on a random basis whether to
infect a file or not, or a virus can only infect host files on particular days of the week.

4.9.2.4.2 STEALTH

Some viruses try to trick antivirus software by intercepting its requests to the
operating system. A virus can hide itself by intercepting the antivirus software’s
request to read the file and passing the request to the virus, instead of the OS. The
virus can then return an uninfected version of the file to the antivirus software, so that
it seems that the file is "clean". Modern antivirus software employs various
techniques to counter stealth mechanisms of viruses. The only completely reliable
method to avoid stealth is to boot from a medium that is known to be clean.

4.9.2.4.3 SELF MODIFICATION

Most modern antivirus programs try to find virus-patterns inside ordinary programs
by scanning them for so-called virus signatures. A signature is a characteristic byte-
pattern that is part of a certain virus or family of viruses. If a virus scanner finds such
a pattern in a file, it notifies the user that the file is infected. The user can then delete,
or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques
that make detection by means of signatures difficult but probably not impossible.
These viruses modify their code on each infection. That is, each infected file contains
a different variant of the virus.

4.9.2.4.4 ENCRYPTION WITH A VARIABLE KEY

A more advanced method is the use of simple encryption to encipher the virus. In this
case, the virus consists of a small decrypting module and an encrypted copy of the
virus code. If the virus is encrypted with a different key for each infected file, the only
part of the virus that remains constant is the decrypting module, which would (for
example) be appended to the end. In this case, a virus scanner cannot directly detect
the virus using signatures, but it can still detect the decrypting module, which still
makes indirect detection of the virus possible. Since these would be symmetric keys,
stored on the infected host, it is in fact entirely possible to decrypt the final virus, but
this is probably not required, since self-modifying code is such a rarity that it may be
reason for virus scanners to at least flag the file as suspicious.

An old, but compact, form of encryption involves XORing each byte in a virus with a
constant, so that the exclusive-or operation only has to be repeated for decryption. It
is suspicious for code to modify itself, so the code that performs the
encryption/decryption may itself be part of the signature in many virus definitions.
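The per-file XOR scheme from the two paragraphs above, shown from the scanner's side as an added example (not code from this document): a signature taken from the body misses every sample, a signature taken from the constant decryptor hits every sample, and because the key is stored on the host the body can be recovered. The host, body and stub bytes are constructed labels, and the layout (key stored in the byte after the stub) is an assumption made for the example.

```python
from typing import Dict, List, Optional


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Applying it twice with the same key restores the input,
    which is why the text calls it compact: one routine serves both directions."""
    return bytes(b ^ key for b in data)


# Constructed stand-ins for this example; none of these are real malware bytes.
HOST = b"HOST-PROGRAM-BYTES" * 3                       # the legitimate program
PLAIN_BODY = b"SAMPLE-BODY:" + bytes(range(0x20, 0x60))  # the part that gets enciphered
DECRYPTOR_STUB = b"SAMPLE-STUB-DECRYPTOR"               # stays constant across files


def build_sample(key: int) -> bytes:
    """One 'infected file' in the layout the text describes: host content, the
    body enciphered under this file's key, the constant decryptor appended at
    the end, and (assumption for this example) the one-byte key stored after it."""
    return HOST + xor_bytes(PLAIN_BODY, key) + DECRYPTOR_STUB + bytes([key])


def matches(sample: bytes, signature: bytes) -> bool:
    """Plain byte-pattern signature match, as a simple scanner does."""
    return signature in sample


def recover_body(sample: bytes) -> Optional[bytes]:
    """Analyst-side recovery: find the constant stub, read the key stored beside
    it, and undo the XOR over the body that precedes the stub. The body is
    assumed to start right after the host; a real analysis would take its
    length from the decryptor's loop counter."""
    idx = sample.find(DECRYPTOR_STUB)
    if idx < 0 or idx + len(DECRYPTOR_STUB) >= len(sample):
        return None
    key = sample[idx + len(DECRYPTOR_STUB)]
    return xor_bytes(sample[len(HOST):idx], key)


def scan(samples: List[bytes]) -> Dict[str, object]:
    """Compare a body-based signature with a stub-based signature, and check
    that every body can be recovered from the stored key."""
    body_sig = PLAIN_BODY[:12]
    return {
        "body_signature_hits": sum(matches(s, body_sig) for s in samples),
        "stub_signature_hits": sum(matches(s, DECRYPTOR_STUB) for s in samples),
        "recovered_ok": all(recover_body(s) == PLAIN_BODY for s in samples),
    }


def demo() -> Dict[str, object]:
    # A different key per file, so the enciphered bodies share no byte pattern.
    samples = [build_sample(k) for k in (0x5A, 0xA7, 0x3C, 0xE1)]
    return scan(samples)


if __name__ == "__main__":
    print(demo())
```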

4.9.2.4.5 POLYMORPHIC CODE

Polymorphic Code was the first technique that posed a serious threat to virus
scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an
encrypted copy of itself, which is decoded by a decryption module. In the case of
polymorphic viruses, however, this decryption module is also modified on each
infection. A well-written polymorphic virus therefore has no parts which remain
identical between infections, making it very difficult to detect directly using
signatures. Antivirus software can detect it by decrypting the viruses using an
emulator, or by statistical pattern analysis of the encrypted virus body. To enable
polymorphic code, the virus has to have a polymorphic engine (also called mutating
engine or mutation engine) somewhere in its encrypted body. See Polymorphic code
for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way that constrains the mutation rate of
the virus significantly. For example, a virus can be programmed to mutate only
slightly over time, or it can be programmed to refrain from mutating when it infects a
file on a computer that already contains copies of the virus. The advantage of using
such slow polymorphic code is that it makes it more difficult for antivirus
professionals to obtain representative samples of the virus, because bait files that are
infected in one run will typically contain identical or similar samples of the virus.
This will make it more likely that the detection by the virus scanner will be unreliable,
and that some instances of the virus may be able to avoid detection.

4.9.2.4.6 METAMORPHIC CODE

To avoid being detected by emulation, some viruses rewrite themselves completely
each time they are to infect new executables. Viruses that utilize this technique are
said to be metamorphic. To enable metamorphism, a metamorphic engine is needed.
A metamorphic virus is usually very large and complex. For example, W32/Simile
consisted of over 14000 lines of Assembly Language code, 90% of which is part of
the metamorphic engine.

4.9.2.5 VULNERABILITY AND COUNTERMEASURES

4.9.2.5.1 THE VULNERABILITY OF OPERATING SYSTEMS TO VIRUSES

Just as genetic diversity in a population decreases the chance of a single disease
wiping out a population, the diversity of software systems on a network similarly
limits the destructive potential of viruses. This became a particular concern in the
1990s, when Microsoft gained market dominance in desktop operating systems and
office suites. The users of Microsoft software (especially networking software such as
Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of
viruses. Microsoft software is targeted by virus writers due to their desktop
dominance, and is often criticized for including many errors and holes for virus
writers to exploit. Integrated and non-integrated Microsoft applications (such as
Microsoft Office) and applications with scripting languages with access to the file
system (for example Visual Basic Script (VBS), and applications with networking
features) are also particularly vulnerable.

Although Windows is by far the most popular target operating system for virus
writers, viruses also exist on other platforms. Any operating system that allows third-
party programs to run can theoretically run viruses. Some operating systems are more
secure than others. Unix-based operating systems (and NTFS-aware applications on
Windows NT based platforms) only allow their users to run executables within their
own protected memory space.

An Internet-based experiment revealed that there were cases when people willingly
pressed a particular button to download a virus. Security analyst Didier Stevens ran a
half-year advertising campaign on Google AdWords which said "Is your PC virus-free?
Get it infected here!" The result was 409 clicks.

As of 2006, there are relatively few security exploits targeting Mac OS X (with a
Unix-based file system and kernel). The number of viruses for the older Apple
operating systems, known as Mac OS Classic, varies greatly from source to source,
with Apple stating that there are only four known viruses, and independent sources
stating there are as many as 63 viruses. Many Mac OS Classic viruses targeted the
HyperCard authoring environment. The difference in virus vulnerability between
Macs and Windows is a chief selling point, one that Apple uses in their Get Mac
advertising. In January 2009, Symantec announced the discovery of a trojan that
targets Macs. This discovery did not gain much coverage until April 2009.

While Linux, and UNIX in general, has always natively prevented normal users from
making changes to the operating system environment, Windows users generally are
not so restricted. This difference has continued partly due to the widespread use of
administrator accounts in contemporary versions like XP. In 1997, when a virus for
Linux was released – known as "Bliss" – leading antivirus vendors issued warnings
that UNIX-like systems could fall prey to viruses just like Windows. The Bliss virus
may be considered characteristic of viruses – as opposed to worms – on UNIX
systems. Bliss requires that the user run it explicitly and it can only infect programs
that the user has the access to modify. Unlike Windows users, most UNIX users do
not log in as an administrator user except to install or configure software; as a result,
even if a user ran the virus, it could not harm their operating system. The Bliss virus
never became widespread, and remains chiefly a research curiosity. Its creator later
posted the source code to Usenet, allowing researchers to see how it worked.

4.9.2.5.2 THE ROLE OF SOFTWARE DEVELOPMENT

Because software is often designed with security features to prevent unauthorized use
of system resources, many viruses must exploit software bugs in a system or
application to spread. Software development strategies that produce large numbers of
bugs will generally also produce potential exploits.

4.9.2.5.3 ANTI-VIRUS SOFTWARE AND OTHER PREVENTIVE MEASURES

Many users install anti-virus software that can detect and eliminate known viruses
after the computer downloads or runs the executable. There are two common methods
that an anti-virus software application uses to detect viruses. The first, and by far the
most common method of virus detection is using a list of virus signature definitions.
This works by examining the content of the computer's memory (its RAM, and boot
sectors) and the files stored on fixed or removable drives (hard drives, floppy drives),
and comparing those files against a database of known virus "signatures". The
disadvantage of this detection method is that users are only protected from viruses
that pre-date their last virus definition update. The second method is to use a heuristic
algorithm to find viruses based on common behaviors. This method has the ability to
detect novel viruses that anti-virus security firms have yet to create a signature for.
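The two detection methods just described, as an added example that is not from the original text: a signature scan beside a statistical (entropy) heuristic, run over constructed sample buffers that stand in for a plain body and for two copies re-encrypted with different keys, as the polymorphic engines of 4.9.2.4.5 produce. The signature name, the marker bytes, the window size and the 7.2-bit threshold are assumptions made for the example.

```python
import math
import random

# Constructed signature database. The pattern is a stand-in marker, not a real
# malware signature; a real database holds byte sequences taken from known samples.
SIGNATURES = {"Demo.Body.A": b"--DEMO-BODY-MARKER--"}


def signature_scan(data: bytes, signatures=SIGNATURES) -> list:
    """First method on the page: compare content against known byte signatures."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0). Plain text and ordinary code sit well
    below 6; data encrypted with a varying key looks nearly uniform (close to 8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 512,
                         threshold: float = 7.2) -> list:
    """Second method on the page (a statistical heuristic): slide a window over the
    buffer and report regions whose byte distribution looks encrypted. It is only a
    heuristic, so legitimately compressed or encrypted files trip it as well."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def classify(data: bytes) -> str:
    """Signature match first (exact, few false positives); then the heuristic."""
    sigs = signature_scan(data)
    if sigs:
        return "signature:" + ",".join(sigs)
    if high_entropy_regions(data):
        return "heuristic:high-entropy"
    return "clean"


# --- Constructed samples ------------------------------------------------------
# PLAIN_BODY stands in for an unencrypted body that the signature was written for.
PLAIN_BODY = (b"--DEMO-BODY-MARKER-- " +
              b"the quick brown fox jumps over the lazy dog. ") * 40


def reencrypt(body: bytes, seed: int) -> bytes:
    """Stand-in for what a polymorphic engine does on each infection: XOR the body
    with a seed-dependent keystream so that no byte run is shared between copies.
    (A single-byte XOR key would NOT raise the entropy; a varying keystream does.)"""
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in body)


def build_samples() -> dict:
    """Constructed 'files' to scan: the plain body, two re-encrypted copies, and a
    benign text file that must not be flagged by either method."""
    return {
        "plain.bin": PLAIN_BODY,
        "copy1.bin": reencrypt(PLAIN_BODY, seed=1),
        "copy2.bin": reencrypt(PLAIN_BODY, seed=2),
        "report.txt": b"Quarterly report: revenue rose by three percent. " * 60,
    }


def scan_all(samples: dict) -> dict:
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all(build_samples()).items():
        print(f"{name:12s} {verdict}")
```

The signature catches only the plain body, while the two re-encrypted copies share no byte run with it and are caught solely by the entropy heuristic.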

Some anti-virus programs are able to scan opened files in addition to sent and
received e-mails "on the fly" in a similar manner. This practice is known as "on-
access scanning". Anti-virus software does not change the underlying capability of
host software to transmit viruses. Users must update their software regularly to patch
security holes. Anti-virus software also needs to be regularly updated in order to
recognize the latest threats.

One may also minimize the damage done by viruses by making regular backups of
data (and the operating systems) on different media, that are either kept unconnected
to the system (most of the time), read-only or not accessible for other reasons, such as
using different file systems. This way, if data is lost through a virus, one can start
again using the backup (which should preferably be recent).

If a backup session on optical media like CD and DVD is closed, it becomes
read-only and can no longer be affected by a virus (so long as a virus or infected file was
not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can
be used to start the computer if the installed operating systems become unusable.
Backups on removable media must be carefully inspected before restoration. The
Gammima virus, for example, propagates via removable flash drives.

4.9.2.5.4 RECOVERY METHODS

Once a computer has been compromised by a virus, it is usually unsafe to continue
using the same computer without completely reinstalling the operating system.
However, there are a number of recovery options that exist after a computer has a
virus. These actions depend on severity of the type of virus.

4.9.2.5.5 VIRUS REMOVAL

One possibility on Windows ME, Windows XP, Windows Vista and Windows 7 is a
tool known as System Restore, which restores the registry and critical system files to
a previous checkpoint. Often a virus will cause a system to hang, and a subsequent
hard reboot will render a system restore point from the same day corrupt. Restore
points from previous days should work provided the virus is not designed to corrupt
the restore files or also exists in previous restore points. Some viruses, however,
disable System Restore and other important tools such as Task Manager and
Command Prompt. An example of a virus that does this is CiaDoor. However, many
such viruses can be removed by rebooting the computer, entering Windows safe
mode, and then using system tools.

Administrators have the option to disable such tools from limited users for various
reasons (for example, to reduce potential damage from and the spread of viruses). A
virus can modify the registry to do the same even if the Administrator is controlling
the computer; it blocks all users including the administrator from accessing the tools.
The message "Task Manager has been disabled by your administrator" may be
displayed, even to the administrator.

Users running a Microsoft operating system can access Microsoft's website to run a
free scan, provided they have their 20-digit registration number. Many websites run
by anti-virus software companies provide free online virus scanning, with limited
cleaning facilities (the purpose of the sites is to sell anti-virus products). Some
websites allow a single suspicious file to be checked by many antivirus programs in
one operation.

4.9.2.5.6 OPERATING SYSTEM REINSTALLATION

Reinstalling the operating system is another approach to virus removal. It involves
either reformatting the computer's hard drive and installing the OS and all programs
from original media, or restoring the entire partition with a clean backup image. User
data can be restored by booting from a Live CD, or putting the hard drive into another
computer and booting from its operating system with great care not to infect the
second computer by executing any infected programs on the original drive; and once
the system has been restored precautions must be taken to avoid reinfection from a
restored executable file.

These methods are simple to do, may be faster than disinfecting a computer, and are
guaranteed to remove any malware. If the operating system and programs must be
reinstalled from scratch, the time and effort to reinstall, reconfigure, and restore user
preferences must be taken into account. Restoring from an image is much faster,
totally safe, and restores the exact configuration to the state it was in when the image
was made, with no further trouble.

4.10 WORM

4.10.1 INTRODUCTION

Like a virus, a worm is also a self-replicating program. A worm differs from a virus in
that it propagates through computer networks without user intervention. Unlike a
virus, it does not need to attach itself to an existing program. Many people conflate
the terms "virus" and "worm", using them both to describe any self-propagating
program.

4.10.2 EXPLANATION

A computer worm is a self-replicating malware computer program. It uses a
computer network to send copies of itself to other nodes (computers on the network)
and it may do so without any user intervention. This is due to security shortcomings
on the target computer. Unlike a virus, it does not need to attach itself to an existing
program. Worms almost always cause at least some harm to the network, if only by
consuming bandwidth, whereas viruses almost always corrupt or modify files on a
targeted computer.

4.10.2.1 PAYLOADS

Many worms that have been created are only designed to spread, and don't attempt to
alter the systems they pass through. However, as the Morris worm and Mydoom
showed, the network traffic and other unintended effects can often cause major
disruption. A "payload" is code designed to do more than spread the worm–it might
delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral
extortion attack, or send documents via e-mail. A very common payload for worms is
to install a backdoor in the infected computer to allow the creation of a "zombie"
computer under control of the worm author. Networks of such machines are often
referred to as botnets and are very commonly used by spam senders for sending junk
email or to cloak their website's address. Spammers are therefore thought to be a
source of funding for the creation of such worms, and the worm writers have been
caught selling lists of IP addresses of infected machines. Others try to blackmail
companies with threatened DoS attacks.

Backdoors can be exploited by other malware, including worms. Examples include
Doomjuice, which spreads better using the backdoor opened by Mydoom, and at least
one instance of malware taking advantage of the rootkit and backdoor installed by the
Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.

4.10.2.2 WORMS WITH GOOD INTENT

Beginning with the very first research into worms at Xerox PARC, there have been
attempts to create useful worms. The Nachi family of worms, for example, tried to
download and install patches from Microsoft's website to fix vulnerabilities in the
host system–by exploiting those same vulnerabilities. In practice, although this may
have made these systems more secure, it generated considerable network traffic,
rebooted the machine in the course of patching it, and did its work without the consent
of the computer's owner or user.

Some worms, such as XSS worms, have been written for research to determine the
factors of how worms spread, such as social activity and change in user behavior,
while other worms are little more than a prank, such as one that sends the popular
image macro of an owl with the phrase "O RLY?" to a print queue in the infected
computer. Another research effort proposed what seems to be the first computer worm
that operates on the second layer of the OSI model (the data link layer); it uses
topology information such as content-addressable memory (CAM) tables and Spanning
Tree information stored in switches to propagate and probe for vulnerable nodes until
the enterprise network is covered.

Most security experts regard all worms as malware, whatever their payload or their
writers' intentions.

4.10.2.3 PROTECTING AGAINST DANGEROUS COMPUTER WORMS

Worms spread by exploiting vulnerabilities in operating systems. Vendors with
security problems supply regular security updates (see "Patch Tuesday"), and if these
are installed to a machine then the majority of worms are unable to spread to it. If a
vulnerability is disclosed before the vendor has released a security patch, a zero-day
attack is possible.

Users need to be wary of opening unexpected email, and should not run attached files
or programs, or visit web sites that are linked to such emails. However, as with the
ILOVEYOU worm, and with the increased growth and efficiency of phishing attacks,
it remains possible to trick the end-user into running malicious code.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with
new pattern files at least every few days. The use of a firewall is also recommended.

In the April-June, 2008, issue of IEEE Transactions on Dependable and Secure
Computing, computer scientists describe a potential new way to combat internet
worms. The researchers discovered how to contain the kind of worm that scans the
Internet randomly, looking for vulnerable hosts to infect. They found that the key is
for software to monitor the number of scans that a machine on a network sends out.
When a machine starts sending out too many scans, it is a sign that it has been
infected, allowing administrators to take it offline and check it for viruses.
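A scan-rate monitor of the kind the paragraph describes, as an added example in Python (not the researchers' code): each host's rate of first contacts with destinations it has never talked to before is counted over a sliding window, and a host that exceeds the threshold is isolated so that its later flows are dropped. Treating only first contacts as "scans", the constructed flow records, the 10-second window and the threshold of 8 new destinations are assumptions made for the example.

```python
import random
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0      # how far back first contacts are counted
MAX_NEW_DESTINATIONS = 8   # first contacts allowed per window before a host is flagged


class ScanRateMonitor:
    """Counts, per source host, how many new destination hosts it has contacted in
    the last WINDOW_SECONDS. Repeat connections to a peer it already talked to are
    not scans; a random-scanning worm, by contrast, contacts a fresh address almost
    every time, so its first-contact rate jumps within seconds of infection."""

    def __init__(self, window: float = WINDOW_SECONDS,
                 threshold: int = MAX_NEW_DESTINATIONS):
        self.window = window
        self.threshold = threshold
        self.known_peers = defaultdict(set)       # src -> destinations already seen
        self.first_contacts = defaultdict(deque)  # src -> timestamps of first contacts
        self.quarantined = {}                     # src -> time it was taken offline

    def observe(self, t: float, src: str, dst: str) -> str:
        """Process one flow; returns 'forward', 'quarantine' (this flow tripped the
        threshold) or 'dropped' (the source was already isolated)."""
        if src in self.quarantined:
            return "dropped"
        if dst in self.known_peers[src]:
            return "forward"            # talking to a known peer is not a scan
        self.known_peers[src].add(dst)
        recent = self.first_contacts[src]
        recent.append(t)
        while recent and t - recent[0] > self.window:
            recent.popleft()            # expire first contacts outside the window
        if len(recent) > self.threshold:
            self.quarantined[src] = t
            return "quarantine"
        return "forward"


def build_flows() -> list:
    """Constructed flow records (time, src, dst, dst_port) on a small LAN.
    Hosts 10.0.0.11-15 talk to four servers; 10.0.0.7 starts behaving like a
    randomly scanning worm at t=30s, trying a fresh address five times per second."""
    rng = random.Random(7)
    flows = []
    servers = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    t = 0.0
    for i in range(600):
        t += 0.2
        flows.append((t, f"10.0.0.{11 + i % 5}", rng.choice(servers), 445))
    t = 30.0
    for _ in range(300):
        t += 0.2
        dst = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flows.append((t, "10.0.0.7", dst, 445))
    flows.sort()
    return flows


def run(flows: list, monitor: ScanRateMonitor = None) -> dict:
    """Feed flows through the monitor and summarise the decisions taken."""
    monitor = monitor or ScanRateMonitor()
    counts = {"forward": 0, "quarantine": 0, "dropped": 0}
    for t, src, dst, _port in flows:
        counts[monitor.observe(t, src, dst)] += 1
    return {"counts": counts, "quarantined": dict(monitor.quarantined)}


if __name__ == "__main__":
    summary = run(build_flows())
    for host, when in summary["quarantined"].items():
        print(f"{host} isolated at t={when:.1f}s; "
              f"flows dropped afterwards: {summary['counts']['dropped']}")
```

The normal hosts never exceed four distinct peers and are never flagged, while the scanning host is isolated after its ninth first contact, less than two seconds after it starts.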

4.10.2.4 MITIGATION TECHNIQUES

• TCPWrapper/libwrap enabled network service daemons
• ACLs in routers and switches
• Packet-filters
• Nullrouting

4.10.2.5 HISTORY

The actual term "worm" was first used in John Brunner's 1975 novel, The Shockwave
Rider. In that novel, Nichlas Haflinger designs and sets off a data-gathering worm in
an act of revenge against the powerful men who run a national electronic information
web that induces mass conformity. "You have the biggest-ever worm loose in the net,
and it automatically sabotages any attempt to monitor it... There's never been a worm
with that tough a head or that long a tail!"

On November 2, 1988, Robert Tappan Morris, a Cornell University computer science
graduate student, unleashed what became known as the Morris worm, disrupting
perhaps 10% of the computers then on the Internet and prompting the formation of the
CERT Coordination centre and Phage mailing list. Morris himself became the first
person tried and convicted under the 1986 Computer Fraud and Abuse Act.

4.11 KEY LOGGERS

4.11.1 INTRODUCTION

A keylogger is a tool designed to record ('log') every keystroke on an affected
machine for later retrieval. Its purpose is usually to allow the user of this tool to gain
access to confidential information typed on the affected machine, such as a user's
password or other private data. Some key loggers use virus-, trojan-, and rootkit-like
methods to remain active and hidden. However, some key loggers are used in
legitimate ways and sometimes even to enhance computer security. As an example, a
business might have a key logger on a computer that is used as a point of sale, and
data collected by the key logger could be used to catch employee fraud.

4.11.2 EXPLANATION

Keystroke logging (often called keylogging) is the action of tracking (or logging) the
keys struck on a keyboard, typically in a covert manner so that the person using the
keyboard is unaware that their actions are being monitored. There are numerous
keylogging methods, ranging from hardware- and software-based approaches to
electromagnetic and acoustic analysis.

4.11.2.1 APPLICATION

4.11.2.1.1 SOFTWARE-BASED KEYLOGGERS

Figure: A logfile from a software-based keylogger.

Figure: A screen capture from a software-based keylogger.

These are software programs designed to work on the target computer’s operating
system. From a technical perspective there are five categories:

• Hypervisor-based: The keylogger can theoretically reside in a malware
hypervisor running underneath the operating system, which remains
untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual
example.
• Kernel based: This method is difficult both to write and to combat. Such
keyloggers reside at the kernel level and are thus difficult to detect, especially
for user-mode applications. They are frequently implemented as rootkits that
subvert the operating system kernel and gain unauthorized access to the
hardware, making them very powerful. A keylogger using this method can act
as a keyboard driver for example, and thus gain access to any information
typed on the keyboard as it goes to the operating system.
• API-based: These keyloggers hook keyboard APIs; the operating system then
notifies the keylogger each time a key is pressed and the keylogger simply
records it. APIs such as GetAsyncKeyState(), GetForegroundWindow(), etc.
are used to poll the state of the keyboard or to subscribe to keyboard events.
These types of keyloggers are the easiest to write, but where constant polling
of each key is required, they can cause a noticeable increase in CPU usage,
and can also miss the occasional key. A more recent example simply polls the
BIOS for preboot authentication PINs that have not been cleared from
memory.
• Form grabber-based: Form grabber-based keyloggers log web form
submissions by recording the browser's onSubmit event handlers. This
records form data before it is passed over the internet and thus bypasses HTTPS
encryption.
• Packet-analyzers: This involves capturing network traffic associated with
HTTP POST events to retrieve unencrypted passwords.

4.11.2.1.1.1 REMOTE ACCESS SOFTWARE KEYLOGGERS

These are local software keyloggers programmed with an added feature to transmit
recorded data from the target computer to a monitor at a remote location. Remote
communication is facilitated by one of four methods:

• Data is uploaded to a website, database or an FTP account.
• Data is periodically emailed to a pre-defined email address.
• Data is wirelessly transmitted by means of an attached hardware system.
• The software enables a remote login to the local machine via the internet or
ethernet, for data logs stored on the target machine to be accessed.

4.11.2.1.1.2 RELATED FEATURES

Software Keyloggers may be augmented with features that capture user information
without relying on keyboard key presses as the sole input. Some of these features
include:

• Clipboard logging. Anything that has been copied to the clipboard can be
captured by the program.
• Screen logging. Screenshots are taken in order to capture graphics-based
information. Applications with screen logging abilities may take screenshots
of the whole screen, just one application or even just around the mouse cursor.
They may take these screenshots periodically or in response to user behaviors
(for example, when a user has clicked the mouse). A practical application used
by some keyloggers with this screen logging ability is to take small
screenshots around where a mouse has just clicked; these defeat web-based
keyboards (for example, the web-based screen keyboards that are often used
by banks) and any web-based on-screen keyboard without screenshot
protection.
• Programmatically capturing the text in a control. The Microsoft Windows API
allows programs to request the text 'value' in some controls. This means that
some passwords may be captured, even if they are hidden behind password
masks (usually asterisks).
• The recording of every program/folder/window opened and every website
visited, including a screenshot of each.
• The recording of search engine queries, instant messenger conversations,
FTP downloads and other internet-based activities (including the bandwidth
used).
• In some advanced software keyloggers, sound can be recorded from a user's
microphone and video from a user's webcam.

4.11.2.1.2 HARDWARE-BASED KEYLOGGERS

Figure: A hardware-based keylogger.

Figure: A connected hardware-based keylogger.

Hardware-based keyloggers do not depend upon any software being installed as they
exist at a hardware level in a computer system.

• Firmware-based: BIOS-level firmware that handles keyboard events can be
modified to record these events as they are processed. Physical and/or root-level
access is required to the machine, and the software loaded into the BIOS
needs to be created for the specific hardware that it will be running on.
• Keyboard hardware: Hardware keyloggers are used for keystroke logging by
means of a hardware circuit that is attached somewhere in between the
computer keyboard and the computer, typically inline with the keyboard's
cable connector. More stealthy implementations can be installed or built into
standard keyboards, so that no device is visible on the external cable. Both
types log all keyboard activity to their internal memory, which can be
subsequently accessed, for example, by typing in a secret key sequence. A
hardware keylogger has an advantage over a software solution: it is not
dependent on being installed on the target computer's operating system and
therefore will not interfere with any program running on the target machine or
be detected by any software. However its physical presence may be detected
if, for example, it is installed outside the case as an inline device between the
computer and the keyboard. Some of these implementations have the ability to
be controlled and monitored remotely by means of a wireless communication
standard.

4.11.2.1.2.1 WIRELESS KEYBOARD SNIFFERS

These passive sniffers collect packets of data being transferred from a wireless
keyboard and its receiver. As encryption may be used to secure the wireless
communications between the two devices, this may need to be cracked beforehand if
the transmissions are to be read.

4.11.2.1.2.2 KEYBOARD OVERLAYS

Criminals have been known to use keyboard overlays on ATMs to capture people's
PINs. Each keypress is registered by the keyboard of the ATM as well as the
criminal's keypad that is placed over it. The device is designed to look like an
integrated part of the machine so that bank customers are unaware of its presence.

4.11.2.1.2.3 ACOUSTIC KEYLOGGERS

Acoustic cryptanalysis can be used to monitor the sound created by someone typing
on a computer. Each character on the keyboard makes a subtly different acoustic
signature when stroked. It is then possible to identify which keystroke signature
relates to which keyboard character via statistical methods such as frequency analysis.
The repetition frequency of similar acoustic keystroke signatures, the timings between
different keyboard strokes and other context information such as the probable
language in which the user is writing are used in this analysis to map sounds to letters.
A fairly long recording (1000 or more keystrokes) is required so that a big enough
sample is collected.

4.11.2.1.2.4 ELECTROMAGNETIC EMISSIONS

It is possible to capture the electromagnetic emissions of a wired keyboard from up to
20 metres (66 ft) away, without being physically wired to it. In 2009, Swiss
researchers tested 11 different USB, PS/2 and laptop keyboards in a semi-anechoic
chamber and found them all vulnerable, primarily because of the prohibitive cost of
adding shielding during manufacture. The researchers used a wide-band receiver to
tune into the specific frequency of the emissions radiated from the keyboards.

4.11.2.1.3 OTHER

4.11.2.1.3.1 OPTICAL SURVEILLANCE

Optical surveillance, while not a keylogger in the classical sense, is nonetheless an
approach that can be used to capture passwords or PINs. A strategically placed
camera, such as a hidden surveillance camera at an ATM, can allow a criminal to
watch a PIN or password being entered.

4.11.2.2 HISTORY

An early keylogger was written by Perry Kivolowitz and posted to the Usenet news
group net.unix-wizards,net.sources on November 17, 1983. The posting seems to be a
motivating factor in restricting access to /dev/kmem on UNIX systems. The User-
mode program operated by locating and dumping character lists (clists) as they were
assembled in the UNIX kernel.

4.11.2.3 CRACKING

Writing simple software applications for keylogging can be trivial, and like any
nefarious computer program, can be distributed as a trojan horse or as part of a virus.
What is not trivial for an attacker, however, is installing a covert keystroke logger
without getting caught and downloading data that has been logged without being
traced. An attacker that manually connects to a host machine to download logged
keystrokes risks being traced. A Trojan that sends keylogged data to a fixed e-mail
address or IP address risks exposing the attacker.

4.11.2.3.1 TROJAN

Young and Yung devised several methods for solving this problem and presented
them in their 1997 IEEE Security & Privacy paper (their paper from '96 touches on it
as well). They presented a deniable password snatching attack in which the keystroke
logging trojan is installed using a virus or worm. An attacker that is caught with the
virus or worm can claim to be a victim. The cryptotrojan asymmetrically encrypts the
pilfered login/password pairs using the public key of the trojan author and covertly
broadcasts the resulting ciphertext. They mentioned that the ciphertext can be
steganographically encoded and posted to a public bulletin board such as Usenet.

4.11.2.3.2 CIPHERTEXT

Young and Yung also mentioned having the cryptotrojan unconditionally write the
asymmetric ciphertexts to the last few unused sectors of every writable disk that is
inserted into the machine. The sectors remain marked as unused. This can be done
using a USB token. So, the Trojan author may be one of dozens or even thousands of
people that are given the stolen information. Only the Trojan author can decrypt the
ciphertext because only the author knows the needed private decryption key. This
attack is from the field known as cryptovirology.

4.11.2.3.2.1 USE BY LAW ENFORCEMENT

In 2000, the FBI used a keystroke logger to obtain the PGP passphrase of Nicodemo
Scarfo, Jr., son of mob boss Nicodemo Scarfo. Also in 2000, the FBI lured two
suspected Russian cyber criminals to the US in an elaborate ruse, and captured their
usernames and passwords with a keylogger that was covertly installed on a machine
that they used to access their computers in Russia. The FBI then used these
credentials to hack into the suspects' computers in Russia in order to obtain evidence
to prosecute them.

4.11.2.4 COUNTERMEASURES

The effectiveness of countermeasures varies, because keyloggers use a variety of
techniques to capture data and the countermeasure needs to be effective against the
particular data capture technique. For example, an on-screen keyboard will be
effective against hardware keyloggers, transparency will defeat some screenloggers -
but not all - and an anti-spyware application that can only disable hook-based
keyloggers will be ineffective against kernel-based keyloggers.

Also, keylogger software authors may be able to update the code to adapt to
countermeasures that may have proven to be effective against them.

4.11.2.4.1 LIVE CD/USB

Rebooting the computer using a Live CD or Live USB is a possible countermeasure
against software keyloggers if the CD is clean of malware and the operating system
contained on it is secured and fully patched so that it cannot be infected as soon as it
is started. Booting a different operating system does not impact the use of a hardware
keylogger.

4.11.2.4.2 ANTI-SPYWARE

Many anti-spyware applications are able to detect software keyloggers and
quarantine, disable or cleanse them. These applications are able to detect
software-based keyloggers based on patterns in executable code, heuristics and keylogger
behaviors (such as the use of hooks and certain APIs).

No software-based anti-spyware application can be 100% effective against all
keyloggers. Also, software-based anti-spyware cannot defeat non-software keyloggers
(for example, hardware keyloggers attached to keyboards will always receive
keystrokes before any software-based anti-spyware application).

However, the particular technique that the anti-spyware application uses will
influence its potential effectiveness against software keyloggers. As a general rule,
anti-spyware applications with higher privileges will defeat keyloggers with lower
privileges. For example, a hook-based anti-spyware application cannot defeat a
kernel-based keylogger (as the keylogger will receive the keystroke messages before
the anti-spyware application), but it could potentially defeat hook- and API-based
keyloggers.

4.11.2.4.3 NETWORK MONITORS

Network monitors (also known as reverse-firewalls) can be used to alert the user
whenever an application attempts to make a network connection. This gives the user
the chance to prevent the keylogger from "phoning home" with his or her typed
information.

4.11.2.4.4 AUTOMATIC FORM FILLER PROGRAMS

Automatic form-filling programs may prevent keylogging by removing the
requirement for a user to type personal details and passwords using the keyboard.
Form fillers are primarily designed for web browsers to fill in checkout pages and log
users into their accounts. Once the user's account and credit card information has been
entered into the program, it will be automatically entered into forms without ever
using the keyboard or clipboard, thereby reducing the possibility that private data is
being recorded. However someone with physical access to the machine may still be
able to install software that is able to intercept this information elsewhere in the
operating system or while in transit on the network. (Transport Layer Security
prevents the interception of data in transit by network sniffers and proxy tools.)

4.11.2.4.5 ONE-TIME PASSWORDS (OTP)

Using one-time passwords may be keylogger-safe, as each password is invalidated as
soon as it's used. This solution may be useful for someone using a public computer;
however an attacker who has remote control over such a computer can simply wait for
the victim to enter his/her credentials before performing unauthorized transactions on
their behalf while their session is active.

One-time passwords also prevent replay attacks where an attacker uses the old
information to impersonate. One example is online banking where one-time
passwords are implemented to protect accounts from keylogging attacks as well as
replay attacks. KYPS is a service that gives OTP access to websites that normally do
not offer OTP access.

4.11.2.4.6 SECURITY TOKENS

Use of smart cards or other security tokens may improve security against replay
attacks in the face of a successful keylogging attack, as accessing protected
information would require both the (hardware) security token as well as the
appropriate password/passphrase. Knowing the keystrokes, mouse actions, display,
clipboard, etc. used on one computer will not subsequently help an attacker gain access
to the protected resource. Some security tokens work as a type of hardware assisted
one time password system, and others implement a cryptographic challenge-response
authentication, which can improve security in a manner conceptually similar to one
time passwords. Smartcard readers and their associated keypads for PIN entry may be
vulnerable to keystroke logging through a so called supply chain attack where an
attacker substitutes the card reader/PIN entry hardware for one which records the
user's PIN.

4.11.2.4.7 ON-SCREEN KEYBOARDS

Most on-screen keyboards (such as the on-screen keyboard that comes with Microsoft
Windows XP) send normal keyboard event messages to the external target program to
type text. Any software keylogger that hooks keyboard events can log these typed
characters just as if they had come from a physical keyboard. Additionally, keylogging
software can take screenshots of what is displayed on the screen (periodically, and/or
upon each mouse click), which captures the on-screen keys as they are clicked.

4.11.2.4.8 KEYSTROKE INTERFERENCE SOFTWARE

Keystroke interference software is also available. These programs attempt to trick
keyloggers by introducing random keystrokes, although this simply results in the
keylogger recording more information than it needs to. The attacker then has the task of
extracting the keystrokes of interest; the security of this mechanism, specifically how
well the injected noise resists being filtered out again, is unclear.

4.11.2.4.9 SPEECH RECOGNITION

Similar to on-screen keyboards, speech-to-text conversion software can also be used
against keyloggers, since there are no typing or mouse movements involved. The
weakest point of using voice-recognition software may be how the software sends the
recognized text to the target software after recognition has taken place: if it does so
as ordinary keyboard events, a keylogger sees them like any other keystrokes.

4.11.2.4.10 HANDWRITING RECOGNITION AND MOUSE GESTURES

Many PDAs and, more recently, tablet PCs can convert pen (also called stylus)
movements on their touchscreens into text. Mouse gestures apply the same principle
using mouse movements instead of a stylus. Mouse gesture programs convert these
strokes into user-definable actions, such as typing text. Similarly, graphics tablets and
light pens can be used to input these gestures; however, these are less common in
everyday use.

The same potential weakness as for speech recognition applies to this technique as well:
what matters is how the recognized text is delivered to the target program.

4.11.2.4.11 MACRO EXPANDERS/RECORDERS

With the help of many freeware/shareware programs, a seemingly meaningless text
can be expanded to a meaningful text, most of the time context-sensitively, e.g.
"we" can be expanded to "en.Wikipedia.org" when a browser window has the focus. The
biggest weakness of this technique is that these programs send their keystrokes
directly to the target program. However, this can be partly overcome by using the
"alternating" technique described below, i.e. sending mouse clicks to non-responsive
areas of the target program, sending meaningless keys, sending another mouse click to
the target area (e.g. the password field) and switching back and forth.

4.11.2.4.12 NON-TECHNOLOGICAL METHODS

Alternating between typing the login credentials and typing characters somewhere
else in the focus window can cause a keylogger to record more information than it
needs to, although this could easily be filtered out by an attacker. Similarly, a user can
move the cursor using the mouse during typing, causing the logged keystrokes to be
in the wrong order, e.g. by typing a password beginning with the last letter and then
using the mouse to move the cursor to the start of the field for each subsequent letter.
Lastly, someone can also use context menus to remove, copy, cut and paste parts of the
typed text without using the keyboard. An attacker who is able to capture only parts of
a password will have a smaller key space to attack if they choose to execute a brute
force attack.

Another very similar technique utilizes the fact that any selected text portion is
replaced by the next key typed. E.g. if the password is "secret", one could type "s",
then some dummy keys "asdfsd". Then these dummies could be selected with the mouse,
and the next character from the password, "e", is typed, which replaces the dummies
"asdfsd".

These techniques assume incorrectly that keystroke logging software cannot directly
monitor the clipboard, the selected text in a form, or take a screenshot every time a
keystroke or mouse click occurs. They may however be effective against some
hardware keyloggers, which only see the key presses themselves and nothing of the
mouse activity that reorders or replaces them.
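To see why the last paragraph is right, here is an added example (not from the original text) that replays a constructed keylogger log two ways: once as a key-only logger would record it, and once with the mouse clicks and selections included, driving a small model of a single-line text field. The event format, the two sample logs (the select-and-replace trick and the reverse-order trick described above) and the function names are constructed for this example; the point is that the password is recoverable from the full log with a few lines of replay logic.

```python
from typing import List, Sequence, Tuple

# Event shapes in the constructed log (not a real keylogger's format):
#   ("key", ch)             a character typed into the focused field
#   ("click", pos)          mouse click that moves the caret to index `pos`
#   ("select", start, end)  mouse drag that selects buffer[start:end]
Event = Tuple


def keys(text: str) -> List[Event]:
    return [("key", ch) for ch in text]


def keystrokes_only(events: Sequence[Event]) -> str:
    """What a logger that records only key events sees: every typed character, in order."""
    return "".join(ev[1] for ev in events if ev[0] == "key")


def reconstruct(events: Sequence[Event]) -> str:
    """Replay the full log (keys plus mouse) against a model of a single-line text
    field: a caret position, and a selection that the next keystroke overwrites."""
    buf: List[str] = []
    caret = 0
    selection = None            # (start, end) or None
    for ev in events:
        kind = ev[0]
        if kind == "click":
            caret = max(0, min(ev[1], len(buf)))
            selection = None
        elif kind == "select":
            start = max(0, ev[1])
            end = min(ev[2], len(buf))
            selection = (start, end)
            caret = end
        elif kind == "key":
            if selection is not None:       # typing replaces the selected text
                start, end = selection
                del buf[start:end]
                caret = start
                selection = None
            buf.insert(caret, ev[1])
            caret += 1
        else:
            raise ValueError(f"unknown event: {ev!r}")
    return "".join(buf)


# Constructed log of the select-and-replace trick: type "s", type dummy
# characters, select the dummies with the mouse, type the next real letter.
REPLACE_LOG: List[Event] = (
    keys("s") + keys("asdfsd") + [("select", 1, 7)] +
    keys("e") + keys("xyz") + [("select", 2, 5)] +
    keys("c") + keys("qq") + [("select", 3, 5)] +
    keys("r") + keys("ab") + [("select", 4, 6)] +
    keys("e") + keys("nm") + [("select", 5, 7)] +
    keys("t")
)

# Constructed log of the reverse-order trick: type the last letter first and
# click to the start of the field before every further letter.
REVERSE_LOG: List[Event] = (
    keys("t") + [("click", 0)] + keys("e") + [("click", 0)] + keys("r") +
    [("click", 0)] + keys("c") + [("click", 0)] + keys("e") + [("click", 0)] +
    keys("s")
)

if __name__ == "__main__":
    for name, log in (("select-and-replace", REPLACE_LOG), ("reverse order", REVERSE_LOG)):
        print(f"{name}: keys only -> {keystrokes_only(log)!r}, "
              f"with mouse events -> {reconstruct(log)!r}")
```

A key-only view of the first log is the 21-character string "sasdfsdexyzcqqrabenmt", which still contains all six password characters in order; a logger that also records selections (or simply screenshots the field on each click) gets "secret" directly. A hardware keylogger inline on the keyboard cable sees only the key-only view, which is the limited sense in which these tricks help.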

CHAPTER 5

HOW TO SECURE INFORMATION?

5.1 SECURING YOUR WIRELESS NETWORK

These days wireless networking products are so ubiquitous and inexpensive that just
about anyone can set up a WLAN in a matter of minutes with less than $100 worth of
equipment. This widespread use of wireless networks means that there may be
dozens of potential network intruders lurking within range of your home or office
WLAN.

What can I do?

Most WLAN hardware has gotten easy enough to set up that many users simply plug
it in and start using the network without giving much thought to
security. Nevertheless, taking a few extra minutes to configure the security features
of your wireless router or access point is time well spent. Here are some of the things
you can do to protect your wireless network:

1) Secure your wireless router or access point administration interface

Almost all routers and access points have an administrator password that's needed to
log into the device and modify any configuration settings. Most devices ship with a weak,
publicly documented default password like "password" or the manufacturer's name, and
some don't have a default password at all. As soon as you set up a new WLAN router or
access point, your first step should be to change the default password to a long, unique
one. You may not use this password very often, so be sure to record it in a safe place
(a password manager or a locked drawer, not a note stuck to the router) so you can refer
to it if needed. Without it, the only way to access the router or access point may be to
reset it to factory default settings, which will wipe away any configuration changes
you've made.

2) Don't broadcast your SSID

Most WLAN access points and routers automatically (and continually) broadcast the
network's name, or SSID (Service Set Identifier). This makes setting up wireless
clients extremely convenient, since you can locate a WLAN without having to know
what it's called, but it also makes your WLAN visible to any wireless system
within range. Turning off SSID broadcast hides the network from the casual list of
networks your neighbours and passers-by see. It is not a security control: the name is
still sent in the clear whenever one of your own clients connects, so a WLAN "sniffer"
will still see it, and encryption (step 3) is what actually keeps outsiders off the network.

3) Enable WPA encryption instead of WEP

802.11's WEP (Wired Equivalent Privacy) encryption has well-known weaknesses
that make it relatively easy for a determined user with the right equipment to recover
the key and access the wireless network. A better way to protect your WLAN
is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is
also easier to use, since your passphrase characters aren't limited to 0-9 and A-F as
they are with a hexadecimal WEP key. WPA support is built into Windows XP (with the
latest Service Pack) and virtually all modern wireless hardware and operating systems.
The more recent WPA2 is found in newer hardware and provides stronger encryption
(AES/CCMP instead of WPA's TKIP, which has since developed weaknesses of its own);
prefer WPA2 with CCMP wherever every client supports it, but note that an older
Windows XP system needs an additional update to use it. Whichever version you use, the
passphrase is what an attacker who captures the connection handshake will try to guess
offline, so make it long and not a dictionary word.

4) Remember that WEP is better than nothing

If you find that some of your wireless devices only support WEP encryption (this is
often the case with non-PC devices like media players, PDAs, and DVRs), avoid the
temptation to skip encryption entirely, because in spite of its flaws, using WEP is still
preferable to having no encryption at all. Be clear about what it buys you, though: the
attacks on WEP recover the key from captured traffic regardless of how the key was
chosen, often within minutes on a busy network. If you do use WEP, don't use an
encryption key that's easy to guess like a string of the same or consecutive numbers,
and, although it can be a pain, change the key often, preferably every week, so that a
recovered key has a short useful life.

5) Use MAC filtering for access control

Unlike IP addresses, MAC addresses are tied to specific network adapters, so by
turning on MAC filtering you can limit network access to only your systems (or those
you know about). In order to use MAC filtering you need to find (and enter into the
router or AP) the 12-hexadecimal-digit MAC address of every system that will connect
to the network, so it can be inconvenient to set up, especially if you have a lot of
wireless clients or if your clients change a lot. MAC addresses are transmitted in the
clear in every frame and can be "spoofed" (imitated) by a knowledgeable person, so
while it's not a guarantee of security, it does add another hurdle for potential
intruders to jump.

6) Reduce your WLAN transmitter power

You won't find this feature on all wireless routers and access points, but some allow
you to lower the power of your WLAN transmitter and thus reduce the range of the
signal. Although it's usually impossible to fine-tune a signal so precisely that it won't
leak outside your home or business (and an attacker with a directional antenna can hear
a weak signal from farther away than you might expect), with some trial and error you
can often limit how far outside your premises the signal reaches, minimizing the
opportunity for outsiders to access your WLAN.

7) Disable remote administration

Most WLAN routers have the ability to be remotely administered via the Internet.
Ideally, you should use this feature only if it lets you define a specific IP address or
limited range of addresses that will be able to access the router. Otherwise, almost
anyone anywhere could potentially find and access your router. As a rule, unless you
absolutely need this capability, it's best to keep remote administration turned off.
(It's usually turned off by default, but it's always a good idea to check.)
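An added example, not part of the original checklist, that applies steps 2 to 5 to an access point configuration. It parses hostapd.conf-style key=value text (hostapd is the Linux software access point; a consumer router exposes the same settings under different names in its web interface) and reports the weak settings beside a hardened configuration. The two sample configurations are constructed, and the 12-character passphrase threshold and the finding wording are this example's own choices; hostapd itself only requires 8 to 63 characters.

```python
from typing import Dict, List


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd.conf-style key=value lines; '#' starts a comment, later keys win."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means the checklist passes."""
    findings: List[str] = []
    wpa = int(conf.get("wpa", "0"))            # hostapd: bit 0 = WPA, bit 1 = WPA2 (RSN)
    uses_wep = any(k.startswith("wep_key") for k in conf)

    if wpa == 0 and not uses_wep:
        findings.append("open network: no encryption configured")
    if uses_wep:
        findings.append("WEP in use: the key is recoverable from captured traffic "
                        "regardless of how it was chosen")
    if wpa & 1:
        findings.append("WPA version 1 enabled: clients may negotiate TKIP instead of "
                        "WPA2/CCMP")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP: restrict it to CCMP")
    passphrase = conf.get("wpa_passphrase", "")
    if wpa and passphrase and len(passphrase) < 12:     # 12 is this example's threshold
        findings.append("wpa_passphrase shorter than 12 characters: easy offline "
                        "dictionary attack on a captured handshake")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled (hiding it is obscurity only, but the "
                        "checklist asks for it)")
    if conf.get("macaddr_acl", "0") == "0":
        findings.append("no MAC filtering (macaddr_acl=0): spoofable, but an extra hurdle")
    return findings


# Constructed sample: a WEP network with every default left in place.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
wpa=0
wep_default_key=0
wep_key0=123456789a
"""

# Constructed sample: WPA2-only with CCMP, hidden SSID, MAC allow-list, long passphrase.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1                      # 1 = accept only addresses in accept_mac_file
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2024
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_hostapd(text)) or ['no findings']}")
```

Steps 1 and 7 (the administration password and remote administration) live in the router's management interface rather than in the radio configuration, so they are not checked here; on a Linux box running hostapd the equivalent is making sure the web or SSH management service is not reachable from the WAN side.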

5.2 SOME OTHER COMMON METHODS

Always make backups of your files and folders and store them in a separate place
from your computer, so that a compromise or hardware failure does not take the only
copy with it.

Make sure you have a good firewall. A firewall blocks unsolicited inbound connections,
which stops network worms and remote attackers from reaching services on your
machine; it does not stop Trojans and spyware that you download or receive by email,
so it complements antivirus software rather than replacing it. Some applications
require that you open ports in or disable your firewall, so use good judgement.

Review your browser and email settings for security. Clear your "cookies" folder
regularly. Cookies pose almost no threat of damaging computers; however, they do
track your daily actions online. Set your "Internet zone" to high security and your
"trusted sites" zone to medium-low.

Watch out for ActiveX controls and JavaScript, as attackers use them to deliver
viruses and other harmful code through your browser.

Norton is the way to go!

Install some kind of antivirus software and make sure to set it for automatic updates.
New viruses are found every day, so make sure you update regularly.

Don't open attachments!

Don't open unknown email attachments; many of these contain viruses and allow
hackers to get into your system.

Only run and download programs from places you trust. Never forward such files to
friends and co-workers, due to the high risk of spreading a virus.

Turn off your computer and disconnect from the Internet when you are not using it.
Hackers can't get into your system while your computer is off.

CHAPTER 6

CONCLUSION

There is no such thing as 100 percent security: IT environments keep changing, and new
security risks can occur at any time. The amount of effort applied to implementing a
safe and secure working environment should be based on how much of an impact a
security problem could cause to the business.
However, implementing good security does not necessarily mean investing a large
amount of time and expense. For example, raising awareness, recognizing the risks
that can occur and taking sensible precautions can be achieved with little effort.
The amount of protection required depends on how likely a security risk is to occur and
how big an impact it would have if it did. Protection is achieved through a
combination of technical and non-technical safeguards. For large enterprises,
protection will be a major task with a layered series of safeguards such as physical
security measures, background checks, user identifiers, passwords, smart cards,
biometrics and firewalls.
In the ever-changing technological environment, security that is state of the art today
may be obsolete tomorrow. Therefore security protection must keep pace with these
changes.
"Information security provides the management processes, technology and assurance
to allow business management to ensure business transactions can be trusted; ensure
IT services are usable and can resist and recover from failures due to error, attacks or
disaster; and ensure critical confidential information is withheld from those who
should not have access to it."
