● Dictionary
● Rainbow tables
● Social engineering
Brute Force

The application of computing and network resources to try every possible password combination is called a brute force password attack. If attackers can narrow the field of target accounts, they can devote more time and resources to these accounts. This is one reason to always change the password of the manufacturer’s default administrator account. Brute force password attacks are rarely successful against systems that have adopted the manufacturer’s recommended security practices. Controls that limit the number of unsuccessful access attempts within a certain time are very effective against brute force attacks. As shown in Table 2-3, the strength of a password determines its ability to withstand a brute force attack. Using best practice policies like the 10.3 password rule and systems that allow case-sensitive passwords can greatly enhance their strength.
66 Chapter 2
Copyright 2016 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.
Dictionary Attacks

The dictionary password attack, or simply dictionary attack, is a variation of the brute force attack that narrows the field by using a dictionary of common passwords and includes information related to the target user, such as names of relatives or pets, and familiar numbers such as phone numbers, addresses, and even Social Security numbers. Organizations can use similar dictionaries to disallow passwords during the reset process and thus guard against passwords that are easy to guess. In addition, rules requiring numbers and special characters in passwords make the dictionary attack less effective.
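The reset-time control described above, as an added example (not code from the textbook): a checker that rejects dictionary words even after common character substitutions, rejects tokens from the user's own profile, and enforces the digit/special-character rule. The deny-list, the sample profile and the 10-character minimum are constructed assumptions.

```python
"""Reset-time password check: reject dictionary words, personal-profile
tokens, and passwords without digits or special characters.
Added example, not from the textbook. The deny-list, the profile and the
10-character minimum are constructed assumptions."""
import re
import string

# Constructed stand-in for a real common-password dictionary.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "football"}

# Substitutions people use to push a dictionary word past a composition rule.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed user profile of the kind an attacker's dictionary would draw on.
PROFILE = {"names": ["Susan", "Fido"], "numbers": ["555-0142"]}


def normalize(password):
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions,
    so 'P@ssw0rd2014!' compares as 'password'."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def profile_tokens(profile):
    """Strings from the user's profile that must not appear in the password."""
    tokens = set()
    for name in profile.get("names", []):
        if len(name) >= 3:
            tokens.add(name.lower())
    for number in profile.get("numbers", []):
        digits = re.sub(r"\D", "", number)
        if len(digits) >= 4:
            tokens.add(digits)
            tokens.add(digits[-4:])   # the last four digits are a favourite
    return tokens


def reject_reasons(password, profile, dictionary=COMMON_PASSWORDS, min_length=10):
    """Return the list of policy violations; an empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("no special character")
    if normalize(password) in dictionary:
        reasons.append("dictionary word (after undoing substitutions)")
    lowered = password.lower()
    for token in sorted(profile_tokens(profile)):
        if token in lowered:
            reasons.append(f"contains profile information {token!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2014!", "Fido-0142!!", "Tq7#vRk!2mLz"):
        verdict = reject_reasons(candidate, PROFILE)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```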
Table 2-3 Password Power

Case-Insensitive Passwords Using a Standard Alphabet Set (No Numbers or Special Characters)

| Password length | Odds of cracking: 1 in (based on number of characters ^ password length) | Estimated time to crack* |
|---|---|---|
| 8 | 208,827,064,576 | 1.9 seconds |
| 9 | 5,429,503,678,976 | 50.8 seconds |
| 10 | 141,167,095,653,376 | 22.0 minutes |
| 11 | 3,670,344,486,987,780 | 11.1 hours |
| 12 | 95,428,956,661,682,200 | 10.3 days |
| 13 | 2,481,152,873,203,740,000 | 268.6 days |
| 14 | 64,509,974,703,297,200,000 | 19.1 years |
| 15 | 1,677,259,342,285,730,000,000 | 497.4 years |
| 16 | 43,608,742,899,428,900,000,000 | 12,932.8 years |

Case-Sensitive Passwords Using a Standard Alphabet Set with Numbers and 20 Special Characters

| Password length | Odds of cracking: 1 in (based on number of characters ^ password length) | Estimated time to crack* |
|---|---|---|
| 8 | 2,044,140,858,654,980 | 5.2 hours |
| 9 | 167,619,550,409,708,000 | 18.14 days |
| 10 | 13,744,803,133,596,100,000 | 4.1 years |
| 11 | 1,127,073,856,954,880,000,000 | 334.3 years |
| 12 | 92,420,056,270,299,900,000,000 | 27,408.5 years |
| 13 | 7,578,444,614,164,590,000,000,000 | 2,247,492.6 years |
| 14 | 621,432,458,361,496,000,000,000,000 | 184,294,395.9 years |
| 15 | 50,957,461,585,642,700,000,000,000,000 | 15,112,140,463.3 years |
| 16 | 4,178,511,850,022,700,000,000,000,000,000 | 1,239,195,517,993.3 years |

*Estimated Time to Crack is based on an average 2013-era Intel i7 PC (3770K) chip performing 109,924 Dhrystone MIPS (million instructions per second) at 3.9 GHz.
© Cengage Learning 2015
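The arithmetic behind Table 2-3 and the lockout control the Brute Force paragraph recommends, as an added example (not code from the textbook). It assumes, which the book does not state, that the table's rate is one guess per Dhrystone instruction (109,924 MIPS = 1.09924e11 guesses per second); that assumption reproduces the printed 8-character rows exactly and the longer rows to within a few percent.

```python
"""Brute-force password model behind Table 2-3, plus the effect of a lockout
control. Added example; not code from the textbook. Assumption (mine): the
table's rate is one password guess per Dhrystone instruction, i.e.
109,924 MIPS = 1.09924e11 guesses per second."""

# Character-set sizes for the two halves of Table 2-3.
LOWER_ONLY = 26                              # case-insensitive standard alphabet
FULL_SET = 26 + 26 + 10 + 20                 # case-sensitive letters, digits, 20 specials

# Footnote of Table 2-3: 109,924 Dhrystone MIPS on a 2013-era i7-3770K at 3.9 GHz.
GUESSES_PER_SECOND = 109_924 * 1_000_000     # assumption: one guess per instruction
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size, length):
    """Candidate passwords to try: characters ^ length (the 'odds: 1 in' column)."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case for an offline attack that can try `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_time(seconds):
    """Format a duration in the unit Table 2-3 uses for that magnitude."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def online_guessing_seconds(charset_size, length, attempts_per_window, window_seconds):
    """Worst case when the target enforces a lockout: at most
    `attempts_per_window` failed logins per `window_seconds` (for example,
    5 failures per 15 minutes). The attacker's rate becomes the policy's rate,
    not the CPU's."""
    rate = attempts_per_window / window_seconds
    return keyspace(charset_size, length) / rate


def table_rows(charset_size, lengths=range(8, 17)):
    """Rebuild one half of Table 2-3: (length, keyspace, formatted time)."""
    return [(n, keyspace(charset_size, n), human_time(seconds_to_exhaust(charset_size, n)))
            for n in lengths]


if __name__ == "__main__":
    for title, size in (("case-insensitive letters", LOWER_ONLY),
                        ("letters, digits, 20 specials", FULL_SET)):
        print(f"--- {title} ({size} characters) ---")
        for n, space, t in table_rows(size):
            print(f"{n:>3}  1 in {space:>40,}  {t}")
    # The control the text recommends: an 8-character all-lowercase password
    # that falls offline in seconds survives online guessing for ages.
    locked = online_guessing_seconds(LOWER_ONLY, 8, 5, 15 * 60)
    print(f"8 lowercase chars, 5 attempts per 15 min: {human_time(locked)}")
```

The lockout figure is the point of the Brute Force paragraph: the control does nothing for a stolen hash file, but it turns online guessing of even a weak password into a multi-million-year job.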
Rainbow Tables

A far more sophisticated and potentially much faster password attack is possible if the attacker can gain access to an encrypted password file, such as the Security Account Manager (SAM) data file. While these password files contain hashed representations of users’ passwords—not the actual passwords, and thus cannot be used by themselves—the hash values for a wide variety of passwords can be looked up in a database known as a rainbow table. These plain text files can be quickly searched, and a hash value and its corresponding plaintext value can be easily located. Chapter 8, “Cryptography,” describes plaintext, ciphertext, and hash values in greater detail.
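The property a hash lookup depends on, and the per-user salt that removes it, as an added example (not code from the textbook). The book's description amounts to a precomputed hash-to-plaintext dictionary; a true rainbow table stores hash chains with reduction functions instead of every hash, but both work only because an unsalted hash of a given password is the same in every file. The candidate list and the accounts are constructed.

```python
"""Why a stolen hash file invites a precomputed lookup, and what a per-user
salt changes. Added example, not from the textbook. Candidate list and
accounts are constructed."""
import hashlib
import os

# Constructed: a small dictionary standing in for the one a table is built from.
CANDIDATES = ["letmein", "password", "qwerty", "welcome1", "monkey"]

# Constructed: three accounts, two of which chose the same weak password.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse staple"}


def unsalted_hash(password):
    """Fast, unsalted digest: the kind of stored value a lookup table reverses."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Slow, salted digest (PBKDF2-HMAC-SHA256) as stored by a sane system."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup(candidates):
    """Precompute hash -> plaintext once; every later lookup is a dict hit."""
    return {unsalted_hash(p): p for p in candidates}


def unsalted_store(accounts):
    """What an unsalted password file holds: user -> digest."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def lookup_hits(stored, lookup):
    """Map each user to the plaintext the table yields, or None."""
    return {user: lookup.get(digest) for user, digest in stored.items()}


def salted_store(accounts):
    """Each user gets a fresh random salt; returns user -> (salt, digest).
    Two users with the same password now get different digests."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def salted_lookup_hits(store, lookup):
    """The same table against salted digests: it never matches, because the
    table was built without each user's salt."""
    return {user: lookup.get(digest) for user, (salt, digest) in store.items()}


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    print("unsalted:", lookup_hits(unsalted_store(ACCOUNTS), table))
    print("salted:  ", salted_lookup_hits(salted_store(ACCOUNTS), table))
```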
Did you know that a space can change how a word is used? For example, plaintext is a special term from the field of cryptography that refers to textual information a cryptosystem will transmit securely. It is plaintext when it starts and plaintext when delivered, but it is ciphertext in between. However, the phrase plain text is a term from the field of information systems that differentiates the text characters you type from the formatted text you see in a document. For more information about cryptosystems and cryptography, see Chapter 8.
Social Engineering Password Attacks

While social engineering is discussed in detail later in the section called “Human Error or Failure,” it is worth mentioning here as a mechanism to gain password information. Attackers posing as an organization’s IT professionals may attempt to gain access to systems information by contacting low-level employees and offering to help with their computer issues. After all, what employee doesn’t have issues with computers? By posing as a friendly helpdesk or repair technician, the attacker asks employees for their usernames and passwords, then uses the information to gain access to organizational systems. Some even go so far as to actually resolve the user’s issues. Social engineering is much easier than hacking servers for password files.
Forces of Nature

Forces of nature, sometimes called acts of God, can present some of the most dangerous threats because they usually occur with little warning and are beyond the control of people. These threats, which include events such as fires, floods, earthquakes, and lightning as well as volcanic eruptions and insect infestations, can disrupt not only people’s lives but the storage, transmission, and use of information. Severe weather was suspected in three 2008 outages in the Mediterranean that affected Internet access to the Middle East and India. Knowing a region’s susceptibility to certain natural disasters is a critical planning component when selecting new facilities for an organization or considering the location of off-site data backup.

Because it is not possible to avoid threats from forces of nature, organizations must implement controls to limit damage and prepare contingency plans for continued operations, such as disaster recovery plans, business continuity plans, and incident response plans. These threats and plans are discussed in detail in Chapter 5, “Planning for Security.” Protection mechanisms are discussed in additional detail in Chapter 9, “Physical Security.”

Another term you may encounter, force majeure, can be translated as “superior force,” which includes forces of nature as well as civil disorder and acts of war.
Fire

A structural fire can damage a building with computing equipment that comprises all or part of an information system. Damage can also be caused by smoke or by water from sprinkler systems or firefighters. This threat can usually be mitigated with fire casualty insurance or business interruption insurance.

Floods

Water can overflow into an area that is normally dry, causing direct damage to all or part of the information system or the building that houses it. A flood might also disrupt operations by interrupting access to the buildings that house the information system. This threat can sometimes be mitigated with flood insurance or business interruption insurance.

Earthquakes

An earthquake is a sudden movement of the earth’s crust caused by volcanic activity or the release of stress accumulated along geologic faults. Earthquakes can cause direct damage to the information system or, more often, to the building that houses it. They can also disrupt operations by interrupting access to the buildings that house the information system. In 2006, a large earthquake just off the coast of Taiwan severed several underwater communications cables, shutting down Internet access for more than a month in China, Hong Kong, Taiwan, Singapore, and other countries throughout the Pacific Rim. Losses due to earthquakes can sometimes be mitigated with casualty insurance or business interruption insurance, but earthquakes usually are covered by a separate policy.

Lightning

Lightning is an abrupt, discontinuous natural electric discharge in the atmosphere. Lightning usually damages all or part of the information system and its power distribution components. It can also cause fires or other damage to the building that houses the information system, and it can disrupt operations by interfering with access to those buildings. Damage from lightning can usually be prevented with specialized lightning rods placed strategically on and around the organization’s facilities and by installing special circuit protectors in the organization’s electrical service. Losses from lightning may be mitigated with multipurpose casualty insurance or business interruption insurance.

Landslides or Mudslides

The downward slide of a mass of earth and rock can directly damage the information system or, more likely, the building that houses it. Landslides or mudslides also disrupt operations by interfering with access to the buildings that house the information system. This threat can sometimes be mitigated with casualty insurance or business interruption insurance.
Tornados or Severe Windstorms

A tornado is a rotating column of air that can be more than a mile wide and whirl at destructively high speeds. Usually accompanied by a funnel-shaped downward extension of a cumulonimbus cloud, tornados can directly damage all or part of the information system or, more likely, the building that houses it. Tornadoes can also interrupt access to the buildings that house the information system. Wind shear is a much smaller and linear wind effect, but it can have similar devastating consequences. These threats can sometimes be mitigated with casualty insurance or business interruption insurance.
Hurricanes, Typhoons, and Tropical Depressions

A severe tropical cyclone that originates in equatorial regions of the Atlantic Ocean or Caribbean Sea is referred to as a hurricane, and one that originates in eastern regions of the Pacific Ocean is called a typhoon. Many hurricanes and typhoons originate as tropical depressions—collections of multiple thunderstorms under specific atmospheric conditions. Excessive rainfall and high winds from these storms can directly damage all or part of the information system or, more likely, the building that houses it. Organizations in coastal or low-lying areas may suffer flooding as well. These storms may also disrupt operations by interrupting access to the buildings that house the information system. This threat can sometimes be mitigated with casualty insurance or business interruption insurance.

Tsunamis

A tsunami is a very large ocean wave caused by an underwater earthquake or volcanic eruption. These events can directly damage the information system or the building that houses it. Organizations in coastal areas may experience tsunamis. They may also disrupt operations through interruptions in access or electrical power to the buildings that house the information system. This threat can sometimes be mitigated with casualty insurance or business interruption insurance.

To read about technology used to save lives after tsunamis, visit the Web site of NOAA’s National Weather Service Pacific Tsunami Warning Center. From there you can find out how state-of-the-art satellite, computer, and network systems are used to notify people in the Pacific Rim about emergency tsunami events. You can see the Web page at ptwc.weather.gov/.
Electrostatic Discharge

Electrostatic discharge (ESD), also known as static electricity, is usually little more than a nuisance. However, the mild static shock we receive when walking across a carpet can be costly or dangerous when it ignites flammable mixtures and damages costly electronic components. An employee walking across a carpet on a cool, dry day can generate up to 12,000 volts of electricity. Humans cannot detect static electricity until it reaches around 1,500 volts. When it comes into contact with technology, especially computer hard drives, ESD can be catastrophic; damage can be caused by as little as 10 volts.[18]

Static electricity can draw dust into clean-room environments or cause products to stick together. The cost of ESD-damaged electronic devices and interruptions to service can be millions of dollars for critical systems. ESD can also cause significant loss of production time in information processing. Although ESD can disrupt information systems, it is not usually an insurable loss unless covered by business interruption insurance.

Dust Contamination

Some environments are not friendly to the hardware components of information systems. Accumulation of dust and debris inside systems can dramatically reduce the effectiveness of cooling mechanisms and potentially cause components to overheat. Some specialized technology, such as CD or DVD optical drives, can suffer failures due to excessive dust contamination. Because it can shorten the life of information systems or cause unplanned downtime, this threat can disrupt normal operations.
Human Error or Failure

This category includes acts performed without intent or malicious purpose or in ignorance by an authorized user. When people use information systems, mistakes happen. Similar errors happen when people fail to follow established policy. Inexperience, improper training, and incorrect assumptions are just a few things that can cause human error or failure. Regardless of the cause, even innocuous mistakes can produce extensive damage. For example, a simple keyboarding error can cause worldwide Internet outages:

    In April 1997, the core of the Internet suffered a disaster. Internet service providers lost connectivity with other ISPs due to an error in a routine Internet router-table update process. The resulting outage effectively shut down a major portion of the Internet for at least twenty minutes. It has been estimated that about 45 percent of Internet users were affected. In July 1997, the Internet went through yet another more critical global shutdown for millions of users. An accidental upload of a corrupt database to the Internet’s root domain servers occurred. Since this provides the ability to address hosts on the net by name (i.e., eds.com), it was impossible to send e-mail or access Web sites within the .com and .net domains for several hours. The .com domain comprises a majority of the commercial enterprise users of the Internet.[19]
One of the greatest threats to an organization’s information security is its own employees, as they are the threat agents closest to the information. Because employees use data and information in everyday activities to conduct the organization’s business, their mistakes represent a serious threat to the confidentiality, integrity, and availability of data—even, as Figure 2-9 suggests, relative to threats from outsiders. Employee mistakes can easily lead to revelation of classified data, entry of erroneous data, accidental deletion or modification of data, storage of data in unprotected areas, and failure to protect information. Leaving classified information in unprotected areas, such as on a desktop, on a Web site, or even in the trash can, is as much a threat as a person who seeks to exploit the information, because the carelessness can create a vulnerability and thus an opportunity for an attacker. However, if someone damages or destroys data on purpose, the act belongs to a different threat category.

Figure 2-9 The biggest threat—acts of human error or failure (cartoon panels: Elite Skillz, wannabe hacker; Harriett Allthumbs, confused the copier with the shredder when preparing the annual sales report; Tommy Twostory, convicted burglar)
Source: © iStockphoto/BartCo, © iStockphoto/sdominick, © iStockphoto/mikkelwilliam.
In 2014, New York’s Metro-North railroad lost power when one of the two power supply units was taken offline for repairs. Repair technicians apparently failed to note the interconnection between the systems, resulting in a two-hour power loss.

Human error or failure often can be prevented with training, ongoing awareness activities, and controls. These controls range from simple activities, such as requiring the user to type a critical command twice, to more complex procedures, such as verifying commands by a second party. An example of the latter is the performance of key recovery actions in PKI systems. Many military applications have robust, dual-approval controls built in. Some systems that have a high potential for data loss or system outages use expert systems to monitor human actions and request confirmation of critical inputs.

Humorous acronyms are commonly used when attributing problems to human error. They include PEBKAC (problem exists between keyboard and chair), PICNIC (problem in chair, not in computer), and ID-10-T error (idiot).
Social Engineering

Key Terms

advance-fee fraud (AFF) A form of social engineering, typically conducted via e-mail, in which an organization or some third party indicates that the recipient is due an exorbitant amount of money and needs only a small advance fee or personal banking information to facilitate the transfer.

phishing A form of social engineering in which the attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information.

pretexting A form of social engineering in which the attacker pretends to be an authority figure who needs information to confirm the target’s identity, but the real object is to trick the target into revealing confidential information. Pretexting is commonly performed by telephone.

social engineering The process of using social skills to convince people to reveal access credentials or other valuable information to an attacker.

spear phishing Any highly targeted phishing attack.
In the context of information security, social engineering is used by attackers to gain system access or information that may lead to system access. There are several social engineering techniques, which usually involve a perpetrator posing as a person who is higher in the organizational hierarchy than the victim. To prepare for this false representation, the perpetrator already may have used social engineering tactics against others in the organization to collect seemingly unrelated information that, when used together, makes the false representation more credible. For instance, anyone can check a company’s Web site or even call the main switchboard to get the name of the CIO; an attacker may then obtain even more information by calling others in the company and falsely asserting his or her authority by mentioning the CIO’s name. Social engineering attacks may involve people posing as new employees or as current employees requesting assistance to prevent getting fired. Sometimes attackers threaten, cajole, or beg to sway the target. The infamous hacker Kevin Mitnick, whose exploits are detailed earlier in this chapter, once stated:

    People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices … and somebody can call an unsuspecting employee. That’s all she wrote, baby. They got everything.[20]
Advance-fee Fraud

Another social engineering attack called the advance-fee fraud (AFF), internationally known as the 4-1-9 fraud, is named after a section of the Nigerian penal code. The perpetrators of 4-1-9 schemes often use the names of fictitious companies, such as the Nigerian National Petroleum Company. Alternatively, they may invent other entities, such as a bank, government agency, long-lost relative, lottery, or other nongovernmental organization. See Figure 2-10 for a sample letter used for this type of scheme.

Figure 2-10 Example of a Nigerian 4-1-9 fraud letter
© Cengage Learning 2015

The scam is notorious for stealing funds from credulous people, first by requiring them to participate in a proposed money-making venture by sending money up front, and then by soliciting an endless series of fees. These 4-1-9 schemes are even suspected to involve kidnapping, extortion, and murder. According to the Secret Service, the schemes have bilked over $100 million from unsuspecting Americans lured into disclosing personal banking information.

For more information on AFF, go to the Advance Fee Fraud Coalition’s Web site at http://affcoalition.org.
Phishing

Many other attacks involve social engineering. One such attack is described by the Computer Emergency Response Team/Coordination Center (CERT/CC):

    CERT/CC has received several incident reports concerning users receiving requests to take an action that results in the capturing of their password. The request could come in the form of an e-mail message, a broadcast, or a telephone call. The latest ploy instructs the user to run a “test” program, previously installed by the intruder, which will prompt the user for his or her password. When the user executes the program, the user’s name and password are e-mailed to a remote site. These messages can appear to be from a site administrator or root. In reality, they may have been sent by an individual at a remote site, who is trying to gain access or additional access to the local machine via the user’s account.[21]

While this attack may seem crude to experienced users, the fact is that many e-mail users have fallen for it (refer to CERT Advisory CA-91.03). These tricks and similar variants are called phishing attacks. They gained national recognition with the AOL phishing attacks that were widely reported in the late 1990s, in which attackers posing as AOL technicians attempted to get logon credentials from AOL subscribers. The practice became so widespread that AOL added a warning to all official correspondence that no AOL employee would ever ask for password or billing information. Variants of phishing attacks can leverage their purely social engineering aspects with a technical angle, such as that used in pharming, spoofing, and redirection attacks, as discussed later in this chapter.

Another variant is spear phishing. While normal phishing attacks target as many recipients as possible, a spear phisher sends a message to a small group or even one person. The message appears to be from an employer, a colleague, or other legitimate correspondent. This attack sometimes targets users of a certain product or Web site.
Phishing attacks use two primary techniques, often in combination with one another: URL manipulation and Web site forgery. In Uniform Resource Locator (URL) manipulation, attackers send an HTML embedded e-mail message or a hyperlink whose HTML code opens a forged Web site. For example, Figure 2-11 shows an e-mail that appears to have come from Regions Bank. Phishers typically use the names of large banks or retailers because potential targets are more likely to have accounts with them. In Figure 2-12, the link appears to be to RegionsNetOnline, but the HTML code actually links the user to a Web site in Poland. This is a very simple example; many phishing attackers use sophisticated simulated Web sites in their e-mails, usually copied from actual Web sites. Companies that are commonly used in phishing attacks include AOL, Bank of America, Microsoft, and Wachovia.

In the forged Web site shown in Figure 2-12, the page looks legitimate; when users click either of the bottom two buttons—Personal Banking Demo or Enroll in RegionsNet—they are directed to the authentic bank Web page. The Access Accounts button, however, links to another simulated page that looks just like the real bank login Web page. When victims type their banking ID and password, the attacker records that information and displays a message that the Web site is now offline. The attackers can use the recorded credentials to perform transactions, including fund transfers, bill payments, or loan requests.

Figure 2-11 Phishing example: lure
© Cengage Learning 2015

Figure 2-12 Phishing example: fake Web site
© Cengage Learning 2015
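A detection check for the URL-manipulation technique just described, as an added example (not code from the textbook): it parses the anchors in an HTML e-mail body and flags any link whose visible text names one host while its href points at another, or whose target lies outside the sender's own domain. The sample e-mail, the reserved .example host names and the TEST-NET address are constructed; the mix of one genuine link and two forged ones mirrors the book's Figure 2-12.

```python
"""Flag anchors whose visible text and href disagree, or whose target is
outside the expected domain. Added example, not from the textbook. The
sample HTML and all host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: the visible text says one thing, the href another; the
# "Enroll" link really goes to the genuine site, as in the book's Figure 2-12.
SAMPLE_EMAIL = """
<p>Please verify your account at
<a href="http://secure-regionsnet.example.net/login">https://www.regionsnet.example/login</a>.</p>
<p><a href="https://www.regionsnet.example/enroll">Enroll in RegionsNet</a> |
<a href="http://203.0.113.9/accounts">Access Accounts</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host name of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Visible text that a reader would take for an address."""
    return "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) is not None


def registrable(host):
    """Crude registrable domain: the last two labels (enough for .example/.net)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_suspicious_links(html, expected_domain):
    """Return (reason, href) for anchors whose target does not match what the
    reader is shown, or does not belong to the sender's own domain."""
    collector = AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        actual = host_of(href)
        if looks_like_url(text) and registrable(host_of(text)) != registrable(actual):
            findings.append((f"text shows {host_of(text)} but link goes to {actual}", href))
        elif not (actual == expected_domain or actual.endswith("." + expected_domain)):
            findings.append((f"link host {actual} is outside {expected_domain}", href))
    return findings


if __name__ == "__main__":
    for reason, href in find_suspicious_links(SAMPLE_EMAIL, "regionsnet.example"):
        print(f"SUSPICIOUS: {reason}  <{href}>")
```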
People can use their Web browsers to report suspicious Web sites that might have been used in phishing attacks. Figure 2-13 shows the method to report these suspicious sites using Microsoft’s Internet Explorer.

Pretexting, sometimes referred to as phone phishing, is pure social engineering. The attacker calls a potential victim on the telephone and pretends to be an authority figure in order to gain access to private or confidential information, such as health, employment, or financial records. The attacker may impersonate someone who is known to the potential victim only by reputation. Pretexting is generally considered pretending to be a person you are not, whereas phishing is pretending to represent an organization via a Web site or HTML e-mail. This can be a blurry distinction.
Information Extortion

Key Term

information extortion The act of an attacker or trusted insider who steals information from a computer system and demands compensation for its return or for an agreement not to disclose the information. Also known as cyberextortion.
Figure 2-13 Microsoft’s unsafe Web site reporting feature in Internet Explorer
Source: Microsoft. Used with permission.
- Information extortion, also known as cyberextortion, is common in the theft of credit card
- numbers. For example, Web-based retailer CD Universe was victimized by a theft of data
- files that contained customer credit card information. The culprit was a Russian hacker
- named Maxus who hacked the online vendor and stole several hundred thousand credit card
- numbers. When the company refused to pay the $100,000 blackmail, he posted the card num-
- bers to a Web site, offering them to the criminal community. His Web site became so popular
- he had to restrict access. 22
- Another incident of extortion occurred in 2008 when pharmacy benefits manager Express Scripts, Inc. fell victim to a hacker who demonstrated that he had access to 75 customer records and claimed to have access to millions more. The perpetrator demanded an undisclosed amount of money. The company notified the FBI and offered a $1 million reward for the arrest of the perpetrator. Express Scripts notified the affected customers, as required by various state laws. The company was obliged to pay undisclosed expenses for the notifications, and was required to buy credit monitoring services for its customers in some states. [23]
- In 2010, Anthony Digati allegedly threatened to conduct a spam attack on the insurance company New York Life. He reportedly sent dozens of e-mails to company executives threatening to conduct a negative image campaign by sending over 6 million e-mails to people throughout the country. He then demanded approximately $200,000 to stop the attack, and next threatened to increase the demand to more than $3 million if the company ignored him. His arrest thwarted the spam attack.
- In 2012, a programmer from Walachi Innovation Technologies allegedly broke into the organization’s systems and changed the access passwords and codes, locking legitimate users out of the system. He then reportedly demanded $300,000 in exchange for the new codes. A court order eventually forced him to surrender the information to the organization. In Russia, a talented hacker created malware that installed inappropriate materials on an unsuspecting user’s system, along with a banner threatening to notify the authorities if a bribe was not paid. At 500 rubles (about $17), victims in Russia and other countries were more willing to pay the bribe than risk prosecution by less considerate law enforcement. [24]
- Sabotage or Vandalism
- This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to destroy an asset or damage the image of an organization. These acts can range from petty vandalism by employees to organized sabotage against an organization.
- Although they might not be financially devastating, attacks on the image of an organization are serious. Vandalism to a Web site can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation. For example, in the early hours of July 13, 2001, a group known as Fluffi Bunni left its mark on the front page of the SysAdmin, Audit, Network, Security (SANS) Institute, a cooperative research and education organization. This event was particularly embarrassing to SANS Institute management because the organization provides security instruction and certification. The defacement read, “Would you really trust these guys to teach you security?” [25] At least one member of the group was subsequently arrested by British authorities.
- Online Activism
- Key Terms
- cyberactivist See Hacktivist.
- cyberterrorist A hacker who attacks systems to conduct terrorist activities via networks or Internet pathways.
- cyberwarfare Formally sanctioned offensive operations conducted by a government or state against information or systems of another government or state.
- hacktivist A hacker who seeks to interfere with or disrupt systems to protest the operations, policies, or actions of an organization or government agency.
- There are innumerable reports of hackers accessing systems and damaging or destroying critical data. Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has lessened as the volume has increased. The Web site that acts as the clearinghouse for many hacking reports, Attrition.org, has stopped cataloging all Web site defacements because the frequency of such acts has outstripped the ability of the volunteers to keep the site up to date. [26]
- Compared to Web site defacement, vandalism within a network is more malicious in intent and less public. Today, security experts are noticing a rise in another form of online vandalism, hacktivist or cyberactivist operations. For example, in November 2009, a group calling itself “anti-fascist hackers” defaced the Web site of Holocaust denier and Nazi sympathizer David Irving. They also released his private e-mail correspondence, secret locations of events on his speaking tour, and detailed information about people attending those events, among them members of various white supremacist organizations. This information was posted on the Web site WikiLeaks, an organization that publishes sensitive and classified information provided by anonymous sources. [27]
- Figure 2-14 illustrates how Greenpeace, a well-known environmental activist organization, once used its Web presence to recruit cyberactivists.
- Cyberterrorism and Cyberwarfare A much more sinister form of hacking is cyberterrorism. The United States and other governments are developing security measures intended to protect critical computing and communications networks as well as physical and power utility infrastructures.
- In the 1980s, Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, coined the term “cyberterrorism” to refer to the convergence of cyberspace and terrorism. Mark Pollitt, special agent for the FBI, offers a working definition: “Cyberterrorism is the premeditated, politically motivated attacks against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.” [28]
- Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo. Some industry observers have taken the position that cyberterrorism is not a real threat, but instead is merely hype that distracts from more concrete and pressing information security issues that do need attention.
- However, further instances of cyberterrorism have begun to surface. According to Dr. Mudawi Mukhtar Elmusharaf at the Computer Crime Research Center, “on Oct. 21, 2002, a distributed denial-of-service (DDoS) attack struck the 13 root servers that provide the primary road map for all Internet communications. Nine servers out of these thirteen were jammed. The problem was taken care of in a short period of time.” [29] While this attack was significant, the results were not noticeable to most users of the Internet. A news report shortly after the event noted that “the attack, at its peak, only caused 6 percent of domain name service requests to go unanswered [… and the global] DNS system normally responds almost 100 percent of the time.” [30]
- Internet servers were again attacked on February 6, 2007, with four Domain Name System (DNS) servers targeted. However, the servers managed to contain the attack. It was reported that the U.S. Department of Defense was on standby to conduct a military counterattack if the cyberattack had succeeded. [31]
- Government officials are concerned that certain foreign countries are “pursuing cyberweapons the same way they are pursuing nuclear weapons.” [32] Some of these cyberterrorist attacks are aimed at disrupting government agencies, while others seem designed to create mass havoc with civilian and commercial industry targets. However, the U.S. government conducts its own cyberwarfare actions, having reportedly targeted overseas efforts to develop nuclear enrichment plants by hacking into and destroying critical equipment. [33]
- Figure 2-14 Cyberactivists wanted
- © Cengage Learning 2015
- For more information about the evolving threat of cyberwarfare, visit a leading think tank, the Rand Corporation, to read research reports and commentary from leaders in the field (www.rand.org/topics/cyber-warfare.html).
- Positive Online Activism Not all online activism is negative. Social media outlets, such as Facebook, MySpace, Twitter, and YouTube, are commonly used to perform fundraising, raise awareness of social issues, gather support for legitimate causes, and promote involvement. Modern business organizations try to leverage social media and online activism to improve their public image and increase awareness of socially responsible actions.
- Software Attacks
- Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This attack can consist of specially crafted software that attackers trick users into installing on their systems. This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means.
- Malware
- Key Terms
- adware Malware intended to provide undesired marketing and advertising, including popups and banners on a user’s screen.
- boot virus Also known as a boot sector virus, a type of virus that targets the boot sector or Master Boot Record (MBR) of a computer system’s hard drive or removable storage media.
- macro virus A type of virus written in a specific macro language to target applications that use the language. The virus is activated when the application’s product is opened. A macro virus typically affects documents, slideshows, e-mails, or spreadsheets created by office suite applications.
- malicious code See Malware.
- malicious software See Malware.
- malware Computer software specifically designed to perform malicious or unwanted actions.
- memory-resident virus A virus that is capable of installing itself in a computer’s operating system, starting when the computer is activated, and residing in the system’s memory even after the host application is terminated. Also known as a resident virus.
- non-memory-resident virus A virus that terminates after it has been activated, infected its host system, and replicated itself. NMR viruses do not reside in an operating system or memory after executing. Also known as a non-resident virus.
- polymorphic threat Malware (a virus or worm) that over time changes the way it appears to antivirus software programs, making it undetectable by techniques that look for preconfigured signatures.
- spyware Any technology that aids in gathering information about people or organizations without their knowledge.
- Trojan horse A malware program that hides its true nature and reveals its designed behavior only when activated.
- virus A type of malware that is attached to other executable programs. When activated, it replicates and propagates itself to multiple systems, spreading by multiple communications vectors. For example, a virus might send copies of itself to all users in the infected system’s e-mail program.
- virus hoax A message that reports the presence of a nonexistent virus or worm and wastes valuable time as employees share the message.
- worm A type of malware that is capable of activation and replication without being attached to an existing program.
- Malware is also referred to as malicious code or malicious software. Other attacks that use software, like redirect attacks and denial-of-service attacks, also fall under this threat. These software components or programs are designed to damage, destroy, or deny service to targeted systems. Malicious code attacks include the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The most state-of-the-art malicious code attack is the polymorphic worm, or multivector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in common information system devices.
- Other forms of malware include covert software applications—bots, spyware, and adware—that are designed to work out of users’ sight or be triggered by an apparently innocuous user action. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and spyware. [34] Spyware is placed on a computer to secretly gather information about the user and report it. One type of spyware is a Web bug, a tiny graphic that is referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect information about the user viewing the content. Another form of spyware is a tracking cookie, which is placed on users’ computers to track their activity on different Web sites and create a detailed profile of their behavior. [35] Each of these hidden code components can be used to collect user information that could then be used in a social engineering or identity theft attack.
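The Web bug described above is detectable from the message itself. The following scanner is an added example written for this edit, not code from the textbook: it flags <img> tags in an HTML e-mail body that behave like tracking pixels. The sample body, its placeholder hosts, and the heuristics (invisible image, remote URL carrying a long per-recipient token) are this example's own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Sizes that make an image invisible on the page: the classic 1x1 "Web bug".
TINY = {"0", "1", "0px", "1px"}


class WebBugFinder(HTMLParser):
    """Collect <img> tags whose attributes suggest a tracking pixel rather than content."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}   # bare attributes arrive as None
        src = a.get("src", "")
        reasons = []
        # 1. An image the recipient cannot see serves no purpose except to be fetched.
        if (a.get("width", "").strip().lower() in TINY
                and a.get("height", "").strip().lower() in TINY):
            reasons.append("1x1 or 0x0 dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        # 2. A remote fetch whose URL carries a long opaque token tells the sender
        #    exactly which recipient opened the message (heuristic threshold: 16 chars).
        u = urlparse(src)
        if u.scheme in ("http", "https") and u.query:
            if any(len(v[0]) >= 16 for v in parse_qs(u.query).values() if v):
                reasons.append("remote URL carries a long per-recipient token")
        if reasons:
            self.findings.append({"src": src, "host": u.netloc, "reasons": reasons})


def find_web_bugs(html: str):
    """Return one finding per suspicious <img>, in document order."""
    parser = WebBugFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample e-mail body (placeholder hosts, not a real campaign).
SAMPLE_HTML = """
<html><body>
<img src="https://example.com/logo.png" width="200" height="60" alt="logo">
<p>Dear customer, your statement is ready.</p>
<img src="https://track.example.net/open.gif?u=a1b2c3d4e5f6a7b8c9d0" width="1" height="1">
<img src="https://example.org/pixel.png" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML):
        print(f["host"], "->", "; ".join(f["reasons"]))
```

A mail client that refuses to fetch remote images until the user asks defeats both reasons at once, which is why that setting is the usual mitigation.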
- For more information about current events in malware, visit the U.S. Computer Emergency Readiness Team (US-CERT) Web site and go to its Current Activity page, www.us-cert.gov/ncas/current-activity. US-CERT is part of the Department of Homeland Security.
- Table 2-4 draws on two recent studies to list some of the malware that has had the biggest impact on computer users to date.
- Virus A computer virus consists of code segments (programming instructions) that perform malicious actions. This code behaves much like a virus pathogen that attacks animals and plants, using the cell’s own replication machinery to propagate the attack beyond the initial target. The code attaches itself to an existing program and takes control of the program’s access to the targeted computer. The virus-controlled target program then carries out the virus plan by replicating itself into additional targeted systems. Often, users unwittingly help viruses get into a system. Opening infected e-mail or some other seemingly trivial action can cause anything from random messages appearing on a user’s screen to the destruction of entire hard drives. Just as their namesakes are passed among living bodies, computer viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan it for e-mail applications or even send themselves to every user in the e-mail address book.
- One of the most common methods of virus transmission is via e-mail attachment files. Most organizations block e-mail attachments of certain types and filter all e-mail for known viruses. Years ago, viruses were slow-moving creatures that transferred viral payloads through the cumbersome movement of diskettes from system to system. Now computers are networked, and e-mail programs prove to be fertile ground for computer viruses unless suitable controls are in place. The current software marketplace has several established vendors, such as Symantec Norton AntiVirus, Kaspersky Antivirus, AVG AntiVirus, and McAfee VirusScan, which provide applications to help control computer viruses. Microsoft’s Malicious Software Removal Tool is freely available to help users of Windows operating systems remove viruses and other types of malware. Many vendors are moving to software suites that include antivirus applications and provide other malware and nonmalware protection, such as firewall protection programs.
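The attachment-type blocking and known-virus filtering just mentioned, as an added example written for this edit (not the textbook's code and not any vendor's product): a mail-gateway check that refuses executable attachment types, catches the double-extension and renamed-executable disguises that Trojan horses such as a readme.exe rely on, and holds macro-capable Office documents (the macro virus vector) for scanning. The extension lists, magic-byte checks, sample attachments and the known-bad hash are all constructed for the example.

```python
import hashlib
from pathlib import PurePosixPath

# Attachment types most organizations refuse outright: native executables and scripts.
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
               ".jse", ".wsf", ".hta", ".cpl", ".msi", ".dll"}
# Office formats that can carry macros; these are held for inspection rather than dropped.
MACRO_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Content signatures (magic bytes) checked regardless of what the filename claims.
PE_MAGIC = b"MZ"                  # Windows executable image
OLE_MAGIC = b"\xd0\xcf\x11\xe0"   # legacy Office compound document (.doc/.xls/.ppt)
# Known-virus list keyed by SHA-256. Constructed placeholder: the digest of a made-up
# byte string, NOT a real malware hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-bad-sample").hexdigest()}


def inspect_attachment(filename: str, content: bytes, known_bad=KNOWN_BAD_SHA256):
    """Classify one attachment as 'block', 'quarantine' or 'allow', with the reasons."""
    block, hold = [], []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""

    # 1. Known-virus filtering: exact match on the content hash.
    if hashlib.sha256(content).hexdigest() in known_bad:
        block.append("content matches a known-malware hash")
    # 2. Attachment-type blocking on the declared extension.
    if ext in BLOCKED_EXT:
        block.append(f"blocked attachment type {ext}")
        if len(suffixes) > 1:   # e.g. invoice.pdf.exe, a classic Trojan disguise
            block.append(f"double extension hides {ext} behind {suffixes[-2]}")
    # 3. Content/extension mismatch: an executable renamed to look harmless.
    if content.startswith(PE_MAGIC) and ext not in BLOCKED_EXT:
        block.append("executable (MZ header) under a non-executable name")
    # 4. Macro-capable documents are not blocked but held for antivirus scanning.
    if ext in MACRO_EXT or content.startswith(OLE_MAGIC):
        hold.append("macro-capable Office document")

    if block:
        return "block", block
    if hold:
        return "quarantine", hold
    return "allow", []


def filter_message(attachments):
    """Run inspect_attachment over every (filename, bytes) pair; the worst verdict wins."""
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    worst, report = "allow", {}
    for name, data in attachments:
        verdict, reasons = inspect_attachment(name, data)
        report[name] = (verdict, reasons)
        if rank[verdict] > rank[worst]:
            worst = verdict
    return worst, report


if __name__ == "__main__":
    # Constructed sample attachments (byte strings built here, not real files).
    sample = [
        ("readme.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("notes.txt", b"MZ\x90\x00" + b"\x00" * 60),
        ("budget.xlsm", b"PK\x03\x04" + b"\x00" * 60),
        ("agenda.txt", b"Meeting at 10."),
    ]
    print(filter_message(sample))
```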
- Viruses can be classified by how they spread themselves. Among the most common types of information system viruses are the macro virus, which is embedded in automatically executing macro code used by word processors, spreadsheets, and database applications, and the boot virus, which infects the key operating system files in a computer’s boot sector. Viruses can also be described by how their programming is stored and moved. Some are found as binary executables, including .exe or .com files; or as interpretable data files, such as command scripts or a specific application’s document files; or both.
- Table 2-4 The Most Dangerous Malware Attacks to Date [36,37] (malware: type, year; estimated number of systems infected; estimated financial damage)
- MyDoom: worm, 2004; 2 million; $38 billion
- Klez (and variants): virus, 2001; 7.2% of Internet; $19.8 billion
- ILOVEYOU: virus, 2000; 10% of Internet; $5.5 billion
- Sobig F: worm, 2003; 1 million; $3 billion
- Code Red (and CR II): worm, 2001; 400,000 servers; $2.6 billion
- SQL Slammer, a.k.a. Sapphire: worm, 2003; 75,000; $950 million to $1.2 billion
- Melissa: macro virus, 1999; unknown; $300 million to $600 million
- CIH, a.k.a. Chernobyl: memory-resident virus, 1998; unknown; $250 million
- Storm Worm: Trojan horse virus, 2006; 10 million; unknown
- Conficker: worm, 2009; 15 million; unknown
- Nimda: multivector worm, 2001; unknown; unknown
- Sasser: worm, 2004; 500,000 to 700,000; unknown
- Netsky: virus, 2004; under 100,000; unknown
- Leap-A/Oompa-A: virus, 2006; unknown (Apple); unknown
- © Cengage Learning 2015
- Alternatively, viruses may be classified as memory-resident viruses or non-memory-resident viruses, depending on whether they persist in a computer system’s memory after they have been executed. Resident viruses are capable of reactivating when the computer is booted and continuing their actions until the system is shut down, only to restart the next time the system is booted.
- In 2002, the author of the Melissa virus, David L. Smith of New Jersey, was convicted in U.S. federal court and sentenced to 20 months in prison, a $5,000 fine, and 100 hours of community service upon release. [38]
- For more information on computer criminals and their crimes and convictions, visit http://en.wikipedia.org and search on “List of Computer Criminals.”
- Viruses and worms can use several attack vectors to spread copies of themselves to networked peer computers, as illustrated in Table 2-5.
- Worms Named for the tapeworm in John Brunner’s novel The Shockwave Rider, worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth. Read the nearby Offline feature about Robert Morris to learn how much damage a worm can cause. Code Red, Sircam, Nimda (“admin” spelled backwards), and Klez are examples of a class of worms that combine multiple modes of attack into a single package. Figure 2-15 shows sample e-mails that contain the Nimda and Sircam worms. These newer worm variants contain multiple exploits that can use any predefined distribution vector to programmatically distribute the worm. (See the section on polymorphic threats later in this chapter for more details.)
- Table 2-5 Attack Replication Vectors (vector: description)
- IP scan and attack: The infected system scans a random or local range of IP addresses and targets several vulnerabilities known to hackers or left over from previous exploits, such as Code Red, Back Orifice, or PoizonBox.
- Web browsing: If the infected system has write access to any Web pages, it makes all Web content files infectious, including .html, .asp, .cgi, and other files. Users who browse to those pages infect their machines.
- Virus: Each affected machine infects common executable or script files on all computers to which it can write, which spreads the virus code to cause further infection.
- Unprotected shares: Using vulnerabilities in file systems and in the way many organizations configure them, the infected machine copies the viral component to all locations it can reach.
- Mass mail: By sending e-mail infections to addresses found in the address book, the affected machine infects many other users, whose mail-reading programs automatically run the virus program and infect even more systems.
- Simple Network Management Protocol (SNMP): SNMP is used for remote management of network and computer devices. By using the widely known and common passwords that were employed in early versions of this protocol, the attacking program can gain control of the device. Most vendors have closed these vulnerabilities with software upgrades.
- © Cengage Learning 2015
- The outbreak of Nimda in September 2001 used five of the six vectors shown in Table 2-5 to spread itself with startling speed. TruSecure Corporation, an industry source for information security statistics and solutions, reports that Nimda spread to span the Internet address space of 14 countries in less than 25 minutes. [39]
- The Klez worm, shown in Figure 2-16, delivers a double-barreled payload: It has an attachment that contains the worm, and if the e-mail is viewed on an HTML-enabled browser, it attempts to deliver a macro virus. News-making attacks, such as MyDoom and Netsky, are variants of the multifaceted attack worms and viruses that exploit weaknesses in leading operating systems and applications.
- The complex behavior of worms can be initiated with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of itself onto all Web servers that the infected system can reach; users who subsequently visit those sites become infected. Worms also take advantage of open shares found on the network in which an infected system is located. The worms place working copies of their code onto the server so that users of the open shares are likely to become infected.
- In 2003, Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, was arrested for creating and distributing a variant of the Blaster worm called W32.Blaster-B. He was sentenced to 18 months in prison, 3 years of supervised release, and 100 hours of community service. [40] The original Blaster worm was reportedly created by a Chinese hacker group.
- Trojan Horses Trojan horses are frequently disguised as helpful, interesting, or necessary pieces of software, such as the readme.exe files often included with shareware or freeware packages. Like their namesake in Greek legend, once Trojan horses are brought into a
- Figure 2-15 Nimda and Sircam worms (callouts: Nimda, note garbage in the subject; Sircam, note stilted text)