Common Attacks
Computers can be attacked in many different ways. A determined hacker can target your company for a low-tech social-engineering attack or attempt a very advanced technique such as a cross-site scripting attack. Depending on what their motives are, they can do a huge amount of damage if they are successful.
Keystroke Logging
Keystroke logging is an attack that is accomplished with software or hardware devices. These devices can record everything a person types, including usernames, passwords, and account information. The hardware version of these devices is usually installed while users are away from their desks. Hardware keystroke loggers are completely undetectable except for their physical presence. Even then, they can be overlooked because they resemble a balum or extension. How many people do you know who pay close attention to the plugs on the back of their computer? Who even looks back there?
The software version of this device is basically a shim that sits between the operating system and the keyboard. Most of these software programs are very simple, but some are more complex and can even email the logged keystrokes back to a preconfigured address. What they all have in common is that they operate in stealth mode and can be a serious threat to confidentiality.
Before you attempt any type of keystroke monitoring, be sure to check with your organization's legal department. Most states and federal law require that each user using the computer be notified of such activities. Otherwise, you could be breaking some laws. |
Wiretapping
Closely related to keystroke logging, wiretapping is used to eavesdrop on voice calls. A variety of tools is available for attackers to accomplish thiseven scanners that no longer support cordless phone sniffing can be hacked or rewired to add such functionality. Wiretapping is illegal in the United States without a court order. Another related type of passive attack is the practice of sniffing. Sniffing operates on the same principle as wiretapping but is performed on data lines. The danger of both wiretapping and sniffing is that they are hard to detect.
A traffic-analysis attack is a form of sniffing attack in which the data is encoded. By observing the victim's activities and analyzing traffic patterns, the attacker might be able to make certain assumptions. For example, if an attacker observes one financially strong company sending large amounts of communication to a financially weak company, the attacker might infer that they are discussing a merger. |
Spoofing Attacks
Spoofing attacks take advantage of the fact that an attacker is changing his identity to avoid capture or to trick someone into believing he is someone else. Some examples are described here:
- IP spoofing The intruder puts a wrong IP address in the source IP address field of the packets he sends out. It's a common practice when DoS tools are used to help the attacker mask his identity.
- DNS spoofing This trusting protocol can be spoofed to point victims to the wrong domain. These attacks are possible because the client takes the domain name and queries the IP address. The returned IP address is trusted. If an attacker can control this mapping, he can establish the validity of any system under a given logical address.
- ARP spoofing Normally, ARP works to resolve known IP addresses to unknown physical addresses. This information is used to address the Ethernet frame. After the two-step ARP process takes place, the results are stored in a cache for a short period of time. The ARP cache contains hardware-to-IP mapping information. The information maintained in the ARP cache can be corrupted if a hacker sends a bogus ARP response with his hardware address and an assumed IP address of a trusted host. Packets from the target are now routed to your hardware address. The target believes that your machine is the trusted host.
ARP spoofing is considered a local area network (LAN) attack because hardware addresses do not pass through routers.
- Hijacking This more advanced spoof attack works by subverting the TCP connection between a client and a server. If the attacker learns the initial sequence numbers and can get between the client and the server, he can use this information to hijack the already-established connection. At this point, the attacker has a valid connection to the victim's network and is authenticated with the victim's credentials.
Manipulation Attacks
Manipulation attacks can use different methods, but they have the same goal: manipulating data to steal money, embezzle funds, or change values. Some common forms of these attacks include the following:
- Shopping cart attacks Hackers compromise shopping carts by tampering with the forms used to pass dollar values to e-commerce servers. This allows the attackers to get huge discounts on goods and services. This is possible if the victims use the GET method for their forms or if they use hidden input tags in the order forms. Hackers save these pages to their hard drive, alter the price listed in the URL or the hidden tag, and then submit the order to the victim's site for processing.
- Salami attacks This form of attack works by systematically whittling away assets in accounts or other records with financial value. The small amounts are deducted from balances regularly and routinely, and might not be noticed, allowing the attacker to amass large amounts of funds.
- Data diddling This type of attack occurs when the attacker enters a system or captures network traffic and makes changes to selected files or packets. He doesn't delete the fileshe merely edits and corrupts the data in some fashion. This attack can do a lot of damage but might not be quick or easy to uncover.
Social Engineering
Social engineering predates the computer era. Social engineering is much like an old-fashioned con game, in that the attacker uses the art of manipulation to trick a victim into providing private information or improper access. P. T. Barnum once said, "There's a sucker born every minute"unfortunately, he was right.
One common social-engineering attack has targeted e-Bay, Hotmail, PayPal, and Citibank users. The attacker sends an official-sounding email asking users to verify their Internet password via return mail. When they do so, their passwords are sent to the attacker, who can then access the accounts at will. Another common social-engineering hack is to call an organization's help desk and pretend to be a high-ranking officer. The lowly help desk employee can often be bullied or scared into giving out a password or other important information.
The best defense against social engineering is to educate your users and staff to never give out passwords and user IDs over the phone, via email, or to anyone who isn't positively verified as being who they say the are. Training can go a long way toward teaching employees how to spot these scams.
Dumpster Diving
Plenty of valuable information can be stolen the low-tech way. One popular technique is to retrieve passwords and other information by dumpster diving and looking for scraps of paper used to write down important numbers and then thrown in the trash. Although this is not typically illegal, it is considered an unethical practice.
Figure 10.1. Dumpster diving.
Dumpster diving might not be considered illegal, but it is considered unethical. |