Tutorial 1
April 6, 2015
I. Basic Notions
Review Questions Chapter 2 & 3
Fill-in the blank
Multiple-choice
Chapter 2
Example
A _____ attack exploits previously unknown vulnerabilities.
a. virus resource
b. shock and awe
c. surprise
d. zero day
Example
Which of the following attacks exploits previously unknown vulnerabilities?
a. virus resource
b. shock and awe
c. surprise
d. zero day
Answer: d. zero day
Malware That Conceals
• Rootkits
• Removal of a rootkit can be difficult
– Reformat hard drive and reinstall operating system
Malware That Profits
• Spyware
– Software that gathers information without user consent
– Usually used for:
• Advertising
• Collecting personal information
• Changing computer configurations
Malware That Profits (cont’d.)
• Keyloggers
– Program that captures user’s keystrokes
– Information later retrieved by attacker
– Attacker searches for useful information
• Passwords
• Credit card numbers
• Personal information
Malware That Profits (cont’d.)
• Keyloggers (cont’d.)
– Can be a small hardware device
• Inserted between computer keyboard and connector
• Unlikely to be detected
• Attacker physically removes device to collect information
Figure 2-6 Hardware keylogger © Cengage Learning 2012
Malware That Profits (cont’d.)
• Botnets
– Computer is infected with program that allows it to be remotely controlled by attacker
• Often payload of Trojans, worms, and viruses
– Infected computer called a zombie
– Groups of zombie computers together called botnet
• Early botnet attackers used Internet Relay Chat to remotely control zombies
– HTTP is often used today
Social Engineering Attacks
• Spam – Unsolicited e-mail
– Primary vehicles for distribution of malware
– Sending spam is a lucrative business
• Spim: targets instant messaging users
• Image spam – Uses graphical images of text
– Circumvents text-based filters
– Often contains nonsense text
Social Engineering Attacks (cont’d.)
• Spammer techniques
– GIF layering
• Image spam divided into multiple images
• Layers make up one complete legible message
– Word splitting
• Horizontally separating words
• Can still be read by the human eye
– Geometric variance
• Uses speckling and different colors so no two e-mails appear to be the same
Social Engineering Attacks (cont’d.)
• Hoaxes
– False warning or claim
– May be first step in an attack
Chapter 3
Figure 3-2 Web application security © Cengage Learning 2012
Traditional network security devices ignore the content of HTTP
traffic, which is the vehicle of Web application attacks.
Application Attacks
• Attacks that target applications
– Category continues to grow
– Web application attacks
– Client-side attacks
– Buffer overflow attacks
• Zero day attacks
– Exploit previously unknown vulnerabilities
– Victims have no time to prepare or defend
II. Familiar Problem Solving
SQL Injection
• Forgotten password example
– This submitted e-mail address is compared to an address that is stored with the user’s profile
– If the submitted e-mail address matches with the stored e-mail address, a password is e-mailed to the submitted address
SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
SELECT fieldlist
FROM table
WHERE field =‘ ’;
SELECT fieldlist
FROM table
WHERE field =‘ ’;
SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
– If the message “e-mail address is unknown” is displayed, it indicates that user input is being properly filtered and a SQL attack cannot be carried out on the site
SQL Injection (cont’d.)
• Forgotten password example (cont’d.)
– However, if the message “server failure” is displayed, it means that the user input is not being filtered
– Instead, all user input is sent directly to the database
– Armed with the knowledge that input is sent unfiltered to the database, the attacker can begin his SQL attack on the site
(The SQL parser found the extra quote mark ’ and aborted with a syntax error; the exact message form depends on the application’s internal error-recovery procedures.)
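The two responses described above, as an added example that is not part of the tutorial or the textbook: the forgotten-password lookup written in Python against an in-memory sqlite3 table, once in the unfiltered string-concatenation form (a lone quote mark in the submitted address unbalances the SQL literal, the parser aborts, and the site answers “server failure”) and once in the parameterised form (the same input is bound as data, never parsed as SQL, and simply fails to match, giving “e-mail address is unknown”). The table name, column name and sample address are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's user-profile table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT NOT NULL)")
    db.execute("INSERT INTO users (email) VALUES ('alice@example.com')")
    return db


def forgot_password_unfiltered(db, submitted_email):
    """Vulnerable form: the submitted address is spliced into the SQL text.
    A lone quote mark in the input unbalances the string literal, the parser
    aborts with a syntax error, and the site answers 'server failure'."""
    sql = "SELECT email FROM users WHERE email = '" + submitted_email + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        # Catching the error hides the stack trace but does not fix the flaw:
        # the input was still handed to the parser as SQL.
        return "server failure"
    return "password e-mailed" if row else "e-mail address is unknown"


def forgot_password_parameterised(db, submitted_email):
    """Hardened form: the address is bound as a query parameter, so the database
    never re-parses it as SQL. A quote mark is just another character and
    simply fails to match any stored address."""
    row = db.execute(
        "SELECT email FROM users WHERE email = ?", (submitted_email,)
    ).fetchone()
    return "password e-mailed" if row else "e-mail address is unknown"


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice@example.com", "'"):
        print(repr(probe), "unfiltered:", forgot_password_unfiltered(db, probe),
              "| parameterised:", forgot_password_parameterised(db, probe))
```

The point to take from the contrast is that the “server failure” answer is a symptom of the input reaching the SQL parser, not of poor error handling: swallowing the exception changes the message but leaves the flaw, whereas the bound parameter removes it.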
Directory Traversal / Command Injection
• Directory traversal attack: takes advantage of a vulnerability in the Web application program or the Web server software
– Attacker moves from the root directory to restricted directories
• Command injection: the ability to move to another directory could allow
– An unauthorized user to view confidential files
– Injecting commands to execute on the server
Directory Traversal / Command Injection (cont’d.)
• Example: a browser requesting a dynamic page (dynamic.asp) from a Web server (www.server.net) to retrieve a file (display.html) in order to display it would generate the request using the URL http://www.server.net/dynamic.asp?view=display.html
• However, a vulnerability in the application code could allow an attacker to launch a directory traversal attack
• The attacker could create the URL http://www.server.net/dynamic.asp?view=../../../../../document.docx
• This could display the contents of document.docx
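The check that prevents the dynamic.asp example from escaping its web root, as an added example that is not part of the tutorial or the textbook: a small Python stand-in for the view handler that resolves the requested file against the web root and refuses anything whose resolved path is not inside it, so both display.html and the ../../../../../document.docx request from the slides get the outcome a defender wants. The directory layout, file names and contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def safe_view_path(web_root, view):
    """Resolve the view parameter against the web root and refuse anything
    that lands outside it. Returns the resolved Path, or None if rejected.
    `view` is assumed to be already URL-decoded, as the server hands it to
    the application."""
    root = Path(web_root).resolve()
    candidate = (root / view).resolve()   # '..' segments are collapsed here
    # An absolute `view` replaces the root when joined, so it also ends up
    # outside and is rejected by the containment check below.
    if root not in candidate.parents:
        return None
    return candidate


def serve_view(web_root, view):
    """Stand-in for dynamic.asp?view=...: return the page text or a refusal."""
    path = safe_view_path(web_root, view)
    if path is None or not path.is_file():
        return "403: view refused"
    return path.read_text()


def build_demo_root():
    """Constructed layout: wwwroot/display.html is publishable; document.docx
    sits one level above the root and must never be reachable via `view`."""
    base = Path(tempfile.mkdtemp())
    root = base / "wwwroot"
    root.mkdir()
    (root / "display.html").write_text("<p>display page</p>")
    (base / "document.docx").write_text("confidential")
    return str(root)


if __name__ == "__main__":
    root = build_demo_root()
    for view in ("display.html", "../document.docx", "../../../../../document.docx"):
        print(view, "->", serve_view(root, view))
```

The containment test is done on the fully resolved path rather than by searching the string for “..”, so percent-encoded or otherwise disguised dot segments that the server has already decoded are caught the same way, and a symbolic link inside the root that points outside it is rejected as well.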
III. Unfamiliar Problem Solving