Tutorial 1 - Philadelphia University · 2015. 5. 10.

Tutorial 1 April 6, 2015



  • I. Basic Notions

  • Review Questions Chapter 2 & 3

    Fill-in the blank

    Multiple-choice

  • Chapter 2

  • Example

    A _____ attack exploits previously unknown vulnerabilities.

    a. virus resource

    b. shock and awe

    c. surprise

    d. zero day

  • Example

    Which of the following attacks exploits previously unknown vulnerabilities?

    a. virus resource

    b. shock and awe

    c. surprise

    d. zero day


  • Malware That Conceals

    • Rootkits

    • Removal of a rootkit can be difficult

    – Reformat hard drive and reinstall operating system

  • Malware That Profits

    • Spyware

    – Software that gathers information without user consent

    – Usually used for:

    • Advertising

    • Collecting personal information

    • Changing computer configurations


  • Malware That Profits (cont’d.)

    • Keyloggers

    – Program that captures user’s keystrokes

    – Information later retrieved by attacker

    – Attacker searches for useful information

    • Passwords

    • Credit card numbers

    • Personal information


  • Malware That Profits (cont’d.)

    • Keyloggers (cont’d.)

    – Can be a small hardware device

    • Inserted between computer keyboard and connector

    • Unlikely to be detected

    • Attacker physically removes device to collect information


  • Malware That Profits (cont’d.)

    Figure 2-6 Hardware keylogger © Cengage Learning 2012

  • Malware That Profits (cont’d.)

    • Botnets

    – Computer is infected with program that allows it to be remotely controlled by attacker

    • Often payload of Trojans, worms, and viruses

    – Infected computer called a zombie

    – Groups of zombie computers together called botnet

    • Early botnet attackers used Internet Relay Chat to remotely control zombies

    – HTTP is often used today


  • Social Engineering Attacks

    • Spam – Unsolicited e-mail

    – Primary vehicles for distribution of malware

    – Sending spam is a lucrative business

    • Spim: targets instant messaging users

    • Image spam – Uses graphical images of text

    – Circumvents text-based filters

    – Often contains nonsense text


  • Social Engineering Attacks (cont’d.)

    • Spammer techniques

    – GIF layering

    • Image spam divided into multiple images

    • Layers make up one complete legible message

    – Word splitting

    • Horizontally separating words

    • Can still be read by human eye

    – Geometric variance

    • Uses speckling and different colors so no two emails appear to be the same


  • Social Engineering Attacks (cont’d.)

    • Hoaxes

    – False warning or claim

    – May be first step in an attack


  • Chapter 3

  • Figure 3-2 Web application security © Cengage Learning 2012

    Traditional network security devices ignore the content of HTTP traffic, which is the vehicle of Web application attacks.

  • Application Attacks

    • Attacks that target applications

    – Category continues to grow

    – Web application attacks

    – Client-side attacks

    – Buffer overflow attacks

    • Zero day attacks

    – Exploit previously unknown vulnerabilities

    – Victims have no time to prepare or defend


  • II. Familiar Problem Solving

  • SQL Injection

    • Forgotten password example

    – The submitted e-mail address is compared to the address stored with the user’s profile

    – If the submitted e-mail address matches with the stored e-mail address, a password is e-mailed to the submitted address


  • SQL Injection (cont’d.)

    • Forgotten password example (cont’d.)

    – Query built from the submitted address:

    SELECT fieldlist
    FROM table
    WHERE field = ‘<submitted e-mail address>’;

    – The same query when the submitted address is followed by an extra quote mark ’:

    SELECT fieldlist
    FROM table
    WHERE field = ‘<submitted e-mail address>’’;

  • SQL Injection (cont’d.)

    • Forgotten password example (cont’d.)

    – If the message “e-mail address is unknown” is displayed, it indicates that user input is being properly filtered and a SQL attack cannot be rendered on the site


  • SQL Injection (cont’d.)

    • Forgotten password example (cont’d.)

    – However, if the message “server failure” is displayed, it means that the user input is not being filtered (the SQL parser found the extra quote mark ’ and aborted with a syntax error; the exact message form depends on the application’s internal error-recovery procedures)

    – Instead, all user input is sent directly to the database

    – Armed with the knowledge that input is sent unfiltered to the database, the attacker can begin his SQL attack on the site.
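As an added illustration (not from the tutorial slides), the forgotten-password lookup in Python with an in-memory SQLite table standing in for the site's profile store: the string-built query aborts on the extra quote mark and the site reports "server failure", while the bound-parameter form treats the quote as data and reports "e-mail address is unknown". The table, column and e-mail values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory profile store standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice@example.com', 's3cret')")
    return db


def forgot_password_unsafe(db, submitted):
    """Vulnerable form: the submitted address is pasted into the SQL text."""
    sql = "SELECT password FROM users WHERE email = '%s'" % submitted
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        # An unbalanced quote leaves the statement malformed, so the parser
        # aborts; the site surfaces this as "server failure".
        return "server failure"
    return "password e-mailed" if row else "e-mail address is unknown"


def forgot_password_safe(db, submitted):
    """Hardened form: a bound parameter, so a quote in the input is just data."""
    row = db.execute(
        "SELECT password FROM users WHERE email = ?", (submitted,)
    ).fetchone()
    return "password e-mailed" if row else "e-mail address is unknown"


if __name__ == "__main__":
    db = make_db()
    probe = "alice@example.com'"  # the submitted address plus the extra quote mark
    print(forgot_password_unsafe(db, probe))  # server failure
    print(forgot_password_safe(db, probe))    # e-mail address is unknown
```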


  • Directory Traversal / Command Injection

    • Directory traversal attack: takes advantage of a vulnerability in the Web application program or the Web server software

    – Attacker moves from root directory to restricted directories

    • Command injection: the ability to move to another directory could allow:

    – Unauthorized user to view confidential files

    – Inject commands to execute on a server

  • Directory Traversal / Command Injection (cont’d.)

    • Example: a browser requesting a dynamic page (dynamic.asp) from a Web server (www.server.net) to retrieve a file (display.html) in order to display it would generate the request using the URL http://www.server.net/dynamic.asp?view=display.html

    • However, a vulnerability in the application code could allow an attacker to launch a directory traversal attack

    • The attacker could create the URL http://www.server.net/dynamic.asp?view=../../../../../document.docx

    • This could display the contents of the document
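An added example (not part of the slides) of how a handler like dynamic.asp should map the view parameter to a file: the path is canonicalised and refused unless it stays under the Web root, so display.html is served while ../../../../../document.docx and any absolute path are rejected. The temporary Web root and its files are constructed for the example, and the helper name resolve_view is assumed.

```python
import os
import tempfile


def resolve_view(web_root, view):
    """Map the untrusted ?view= value to a file under web_root.

    Returns the canonical absolute path of the requested file, or None when
    the value (via '..' segments or an absolute path) escapes the Web root.
    Hypothetical helper written for this example, not the slides' code.
    """
    root = os.path.realpath(web_root)
    # Join under the root, then canonicalise so every '..' is collapsed.
    candidate = os.path.realpath(os.path.join(root, view))
    # Only paths that still have the root as their prefix are legitimate.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Constructed layout: <base>/www is the Web root holding display.html,
    and a confidential document.docx sits above it in <base>."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "display.html"), "w") as f:
        f.write("<html>hello</html>")
    with open(os.path.join(base, "document.docx"), "w") as f:
        f.write("confidential")
    normal = resolve_view(web_root, "display.html")
    traversal = resolve_view(web_root, "../../../../../document.docx")
    absolute = resolve_view(web_root, os.path.join(base, "document.docx"))
    return {
        "normal": os.path.relpath(normal, os.path.realpath(web_root)),
        "traversal": traversal,
        "absolute": absolute,
    }


if __name__ == "__main__":
    # {'normal': 'display.html', 'traversal': None, 'absolute': None}
    print(demo())
```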


  • III. Unfamiliar Problem Solving