4.2 network attacks

Question 1

what every attack has in common

Answer 1

• Every attack (or exploit) ever invented has one thing in common with every other attack ever invented: Every attack takes something (or some things) that exists for perfectly valid reasons and misuses it in invalid, malicious ways. Always!

Question 2

5 phases of an attack

Answer 2

1. Reconnaissance involves identifying assets that might be a target for exploitation. Recon is primarily a passive exercise using tools such as Google to research the target organization. Go through and find the employee about us page then see their LinkedIn and see who they’re friends with and so on. You can find email addresses as well,
2. Scanning can be used to identify vulnerable assets that are candidates for compromise. The attack moves from passive to active when you begin scanning publicly available IP addresses for open ports. Part of this phase includes enumerating the operating systems of visible computers and the specific software and version running on any open ports. Let’s say you know from recon that an organization has 10 public IP and you use tools to scan them and see that they’re a web and email ports – then I can launch a script and connect to your port 80 web surver and show us you’re running a patchy web server software and then you start looking for vulnerabilities for that web server
   a. At this point you know which IP addresses are active, what ports are open on those IPs, the software on those ports, and the OS on those IPs
   b. At that point unless your patching program is perfect, you can find something to take advantage of
   c. If there is 0-day exploit, even if you have a perfect patching system it doesn’t matter
3. Gaining access may be via the network, the operating system, or one of the applications. The information obtained in phases 1 and 2 should provide enough information to find something the attacker can take advantage of. NOTE: There is usually a 3.5 step required as well. In most cases, initial access is to a non-privileged account. To move to the next two phases, the attacker must escalate their privileges to Administrator or Root
4. Maintaining access involves installing tools that permit the attacker to return undetected. Maintaining access also involves phase 5, covering tracks.
5. Covering tracks refers to those activities undertaken by the attacker to hide (or mask) the activities associated with the compromise. The better they accomplish this phase, the better the attacker can maintain access as described in phase 4. You can do things like deleting log entries to cover tracks, but you do this to mantain access (phase 4) so these two phases are very closely associated

It is also important to note that this is an iterative process or what some like to call a “shampoo process.” If you ever read the instructions on a bottle of shampoo, they say, “wash, rinse, repeat.” The example applies here because as soon as you gain access to an organizations system, other systems become visible. Perhaps from the internet, you were only able to observe three public IP addresses. As soon as you gain access to one of those, 20 more become visible to you. Meaning your very next step is to move back to recon, scanning, and so on to repeat the process on the newly visible targets.

Question 3

Cyber Kill Chain

Answer 3

• There is another well-known and widely referenced “attack model.” It comes from Lockheed Martin and is called the Cyber Kill Chain®. The chain shows the typical actions of the attacker:
  o 1. Reconnaissance: Harvest publicly available information
  o 2. Weaponization: Couple an exploit/backdoor into a payload
  o 3. Delivery: Deliver the weaponized bundle
  o 4. Exploitation: Exploit an existing vulnerability
  o 5. Installation: Install malware on compromised system (via backdoor placed in prior steps)
  o 6. Command & Control (C2): Establish a Command and Control channel for remote manipulation
  o 7. Actions on Objectives: With C2 “hands on keyboard” access, intruder accomplishes their goals
• The most important aspect of the Cyber Kill Chain® is that it is indeed a chain. If you break any link of the chain by disrupting those activities, you thwart the attack. For example, the attacker might make it all the way to step number 5, installation. If you configure your systems in such a way that the attacker cannot perform that step, then the attacker cannot move further along the chain. Even if the attacker makes it as far as step 6 (Command & Control), if you can prevent them from issuing instructions to the compromised system, then you have still broken the chain. The attacker is unable to do step 7 and Act on their Objectives.

Question 4

Robots.txt

Answer 4

• The robots.txt file is a world readable ASCII text file found on a web server. It constitutes a polite request to search engine spiders used by Google, BING, and others to please not make these directories searchable. It is a polite request that the search engine can choose to ignore. Google and BING both honor the request, but there are a few search engines that ignore it.
• To view a robots.txt file, simply enter www.someurl.com/robots.txt as you see in the graphic on the slide (we have hidden the company name as a courtesy. By looking at the robots.txt file above, we see they’ve disallowed crawling of multiple directories, including the top-level directory.
• Please understand that having a robots.txt file on your web server is a good thing. There are directories that you must have on your server and you do not want them indexed. The directory named cgi-bin is a good example of this. However, an attacker might use this to poke and prod in areas that your normal website visitors didn’t even know existed. A line like “Disallow: /salesfigures/” might suggest that http://www.company.com/salesfigures/ might be worth a look. Or, looking at the file displayed above, what might be found in /Admin?
• Be careful, though—entries in robots.txt may point to directories that, if accessed, set off alarms or may even lock you out of their website entirely. Indeed, attempting to access some of these directories may violate the law in certain jurisdictions.

Question 5

Google dorks

Answer 5

• Google is a far more powerful tool than many people realize. With advanced search operators, you can search in incredibly powerful ways. With the use of a site operator, you can limit those powerful searches to the potential victim’s domain
• For example, to identify an admin page for websites built with Python Django framework, you would use the following search string (called a Google Dork): intitle: “Django site admin” inurl:admin -site:stackoverflow.com -site:github.com To determine if the netip.com domain, in particular, is susceptible, you would add “site:netip.com” to the beginning of the search string. It would now look like this: site:netip.com intitle:”Django site admin” inurl:admin -site:stackoverflow.com -site:github.com This and thousands of other searches are freely available via the Google Hacking Database, maintained by the folks at the company Offensive Security. This is the same company that creates and maintains the Kali Linux penetration testing distribution. They call the search strings maintained at this site “Google Dorks”

Question 6

Social engineering
- direct and indirect

Answer 6

• Social engineering is the most lucrative attack category ever invented. If done well, it will always work. This is because the attacker targets the “weak link” in security: Specifically, you and me. The human being. If the attacker understands human nature well enough and manipulates the victim in the right way, the victim actually becomes happy to help the attacker.
• One of the dangers of social engineering is that it can defeat any security measure. Sometimes, it does so because the attacker learns what they need to know to defeat the measure. More commonly, social engineering renders the security measure moot because the victim simply gives the attacker the information they are
• Now for the bad news. There is no effective defense against social engineering. About the only thing you can do is good awareness training, then more awareness training, and then more and more and more. Even after all that training, a determined and skilled social engineer can succeed.
  o 1. Direct social engineering involves the phone call or in-person meeting. The risk to the social engineer is higher with the in-person meeting, but sometimes the chance of success is higher.
  o Indirect social engineering is most commonly done through phishing scams on email. Indirect can also involve pop-ups on websites and other technological ploys to trick an unsuspecting user
  o Spear phishing is the most common and most successful specific attack today. For that reason, we take a closer look at spear phishing later in this section
• Every social engineering attack is different. That is part of why they are so difficult to defend against. We can make some general statements about them, though. In many cases, the attacker assumes a position of trust and employs pretexting. Examples include: “This is the help desk, and your account is broken so I need …” None of which is true of course, but “the help desk” is a position of trust. Your account being broken is a reason given in justification that is not the real reason, which is the definition of pretexting. These two combined can be a powerful combination when done well. In fact, the most successful social engineer will make the victim want to help them. The victim is even happy to do so, thinking they have done exactly the right thing

Question 7

Spearpishing, vishing, social engineering - physical

Answer 7

• Spear phishing is, by some accounts, the most common and most successful attack today. It is simply a highly targeted phishing email. Typically, the attacker finds out about an interest of the victim through a variety of means (often including social media). The scenario plays out something like that on the slide. If the targeting is done well, it has a high chance of success. It does not have to target work interests either. If I find out you have an intense interest in classic cars or any other topic, that could be the opening I need.
• Today, any discussion of Spear Phishing should include a discussion of Business Email Compromise (BEC). According to the FBI’s 2019 Internet Crime Report, BEC is now the most common type of complaint they receive. As the chart above shows, the financial losses attributed to this are growing at a rapid pace
• The scenario on the Spear Phishing slide lays out the basics of how the attack normally plays out, but the attack becomes more sophisticated over time. In 2013/2014, these attacks almost always involved email coming from a compromised executive’s email account and they still can today. But in 2019, it was increasingly common to see compromised personal email accounts, compromised vendor accounts, compromised law firm accounts
• n the United States, the FBI has established the Recovery Assets Team (RAT) to help victims recover funds. They cannot be successful in 100% of cases, but in 2019, the RAT recovered 79% of the funds lost in BEC incidents. Of course, if you don’t report the BEC incident to the ic3.gov website, then there is very little chance you will see your funds again!
• This point is commonly misunderstood, so we wanted to give a bit more-detailed explanation between the category of attack versus the specific attack. Social engineering is the most common and most lucrative attack category and has been for centuries. Spear Phishing is the most common and most lucrative specific attack and has been for decades. Spear Phishing is a form of social engineering, and that is part of what continues to drive social engineering as the most common category of attack
• Phishing is such a popular attack vector in that it is successful and quick. As you can see in the slide above, 25% of link clicks happen within 10 minutes of the phishing campaign starting (the median average is 1 hour).

Vishing
* Another form of social engineering that is gaining in popularity is sometimes referred to as vishing. It is essentially phishing via telephone. One common vishing scenario that is making its way around the country is listed on the slide. Another is that you get a call at 3 a.m. after checking into a hotel room. The “girl at the front desk” says there is a problem with your credit card. You either have to give them new credit card information or leave the hotel immediately with the police officers she has waiting with her at the front desk

Social Engineering : Physical
* Social engineering will also often defeat physical security. “Tailgating” through a secure door is often extremely easy to do, especially if you appear to belong. Masquerading as service technicians, UPS delivery people, or pizza delivery people, and the list continues
* Dumpster diving is not social engineering; it is a social engineer’s gold mine. Successful dumpster diving often yields information valuable to the social engineer. Think about the value of the company phone directory. In his younger days, Keven Mitnick had the name, position, and office phone number of almost all PacBell managers memorized. If someone were to call you and say, “Hi, I work for John Smith, director of marketing. You can call him at 123-7895 to verify that. He wanted me to find out …” You check the company phone book and find that the information provided is indeed accurate.

Question 8

Social engineering: prevention

Answer 8

• The simple truth is, you cannot prevent Social Engineering. Because it targets the human emotion, no technology exists to stop it. With that understood, it is absolutely possible to make successful social engineering attacks less common. Doing this requires a good repetitive awareness training strategy – also known as an Awareness Campaign
• In an effective awareness program, the security team has identified their top human risks and the behaviors that manage those risks. They then communicate to engage and train their workforce to change and exhibit those secure behaviors. As a result, a mature awareness program is one of the most effective ways an organization can manage their human risk
• Also, notice the use of the word “campaign” which we will define as “To work in an organized way toward a particular goal, usually over a long period of time”. In other words, security awareness is not a once-and-done prospect

Question 9

Spoofing
- IP address spoofing
- ARP cache poisining
- Email address falsification
- picture on page 110

Answer 9

• Spoofing (as applied to networking and communications) refers to the practice of falsifying information to gain an advantage. In reviewing the characteristics of some of the protocols used in IPv4 (for example, IP, TCP, UDP, ARP, and ICMP), we see that there are no built-in integrity checks within the protocols
• Typical examples of spoofing can include the following:
  o * IP address spoofing: A number of tools can be used to craft packets that have a spoofed source address. This is one of the key aspects of an attack such as a SYN flood.
  o * ARP cache poisoning: When an attacker sends unsolicited ARP Reply packets to place incorrect information in an ARP Cache (also called ARP Spoofing).
  o * Email address falsification: It’s fairly easy to modify the From: field to make the message appear to have come from someone other than the sender.
• If the 1.1 machine sends a packet to 1.2 machine but the source IP is spoofed to say it came from 1.3 then 1.2 will always respond back to 1.3 not 1.1
  o Denial of service, I get 10 thousand computers saying the packet came from 1.3 then it overwelhms its bandwidth

Question 10

The man-in-the-middle

Answer 10

• Man-in-the-Middle attacks are a favorite ploy of attackers. The condition exists anytime the attacker has all data packets flowing through them (or a point that they control, such as a computer). MitM attacks require eavesdropping on and controlling all communication traffic between two parties. Attackers love MitM because it is an extremely powerful and insidious capability.
• Once an attacker establishes a MitM, their capability is limited only by their imagination and their knowledge. If they can think up something malicious and know how to do it, they can do it.
• How does an attacker become a Man-in-the-Middle? There are many ways discussed elsewhere in this course, including rogue access points and ARP cache poisoning. There are many other ways as well. For example, if I can take control of a router, I am a Man-in-the-Middle for all traffic flowing through that device. If you think about it, your Internet Service Provider is a Man-in-the-Middle since all of your Internet traffic flows through them (sure they are fine people, but have they been hacked?).

Question 11

ARP cache poisining
- picture on page 112

Answer 11

• It utilizes the “unsolicited ARP reply” which has a valid purpose but misuses it to create a Man-in-the-Middle (MitM) situation. In other words, it redirects all the victim’s network traffic through the attacker’s computer. When all the traffic flows through the attacker’s system, they can manipulate that traffic in any way they desire.
  o Erronesouly gives attacker’s MAC address as matching the victim’s IP address
  o Tricks systems into sending their traffic through attacker’s machine
• In the diagram on the left, we see a normal switched network operation. The client PC (192.168.1.1) sends an ARP request to the default gateway (192.168.1.254) and receives a reply. The client PC updates its ARP table and knows that 192.168.1.254 is found at MAC address BB. If traffic is flowing in both directions, the gateway also has its MAC table updated, showing that 192.168.1.1 is at MAC address AA. The traffic flows from the client to the gateway through the switch, exactly as we have been describing.
• In the diagram on the right, we see how an attacker can manipulate the process. The client PC and default gateway have each exchanged ARP requests and replies, so they have each other’s IP address and MAC address combinations in their ARP caches.
• The attacker at the bottom of the diagram sends an unsolicited ARP reply to the client PC, saying that IP address 192.168.1.254 is at MAC address FF (the MAC of the attacker’s computer). The PC updates its ARP cache with this new information. Likewise, the attacker sends an unsolicited ARP reply to the gateway, saying that 192.168.1.1 is found at MAC address FF (again, the MAC of the attacker’s computer). The gateway updates its ARP cache with the new information.
• When the client PC needs to send a packet outside the network, it creates an Ethernet header containing a destination MAC address of FF. The switch does exactly as it is supposed to do and forwards the packet to that MAC address. The attacker runs software such as Ettercap, which removes the original Ethernet header and replaces it with a new Ethernet header containing a destination MAC address of BB (the gateway) and forwards the packet.
• When a response packet comes back into the local network, it arrives at the gateway. That router checks its ARP cache and sees that it does have an entry for 192.168.1.1, which says that system’s MAC address is FF. It creates a hardware header containing that destination MAC address, which the switch forwards to the attacker. The attacker’s software replaces the Ethernet (or hardware) header with a new one, this time with a destination hardware MAC address of AA (the client PC
• The attacker is now a MitM. All the client PCs (the victim’s) traffic flows through the attacker’s computer. At that point, there are few limits on what the attacker can do to the victim. At the absolute minimum, the attacker can see all the traffic to and from the victim. The attacker can choose not to forward traffic, creating a Denial-of-Service (DoS), or edit the traffic to change its meaning, or … pretty much anything else the attacker can think of doing. The limit here is the attacker’s imagination. Do note that ARP traffic is limited to the local network, so the ARP cache poisoning attack is also limited to the local network only. In other words, the victim, the gateway, and the attacker all have to be connected to the same switch. They all have to be on the same network

Question 12

Water hole attack

Answer 12

• There is an attack growing in frequency referred to as a “watering hole attack.” These attacks are especially prevalent when the target company does an excellent job of security
• The attacker first researches the target organization using the typical methods of Facebook, Twitter, Google, and others. The attacker learns via research that employees of the target frequent a particular website that is outside the organization’s control and therefore not secured by the target organization. The attacker breaks into the external website and plants malware. When the target organization’s employees visit the site, their computers become infected. The infection gives the attackers remote control of the employee’s computers. The attacker just became an “external insider.”
• An excellent watering hole at many companies is their job search site. This is the site that prospective employees go to in search of positions they might be hired for. It is also the site current employees go to in search of positions they might get promoted to. Meaning that sooner or later, everyone in the company will visit that site.
  o The lion doesn’t have to go hunting for the gazelle, it can just wait by the water and sit back and wait for them to show up

Question 13

Drive-by download
- picture on page 114

Answer 13

• Another widespread type of attack is called the “Drive-By Download.” Essentially, firewalls improved significantly. If you have a modern well-configured firewall, it is remarkably difficult to hack your way through it. Attackers had to change their tactics to continue being successful. Hence, the Drive-By Download, or sometimes referred to as a type of “application level attack”, was born
• Before we get to the details of the attack, there is something you have to understand before the attack will make sense. If your computer is behind a firewall and you surf the web, then the firewall MUST allow your computer to send a request for the web page and MUST allow the web server to return that page. In other words, the firewall must allow outgoing requests and allow their responses back in. Also, as you will see in the upcoming web security section, it is completely common for your computer to connect to many different locations on the internet each time you load a webpage. The firewall has to allow all of that communication as well
• The attack begins when an attacker defaces a legitimate website. In days gone by, when someone defaced a site, they changed the words and pictures in an attempt to embarrass the site owner. While that type of attack still happens, it is less common than it once was. Today, attackers are careful not to change the look and feel of the site. Instead, they plant malicious code on the site. When a visitor to the website downloads the webpage, the malicious code will execute on their local computer. There are many possibilities for an attacker once that is in place. Drive-By Downloads are just one favorite possibility
  o The user types in the URL of a legitimate but defaced website. The browser connects to that web server.
  o The web server downloads the requested webpage. A part of that page is the malicious code placed by the attacker during the defacement. That code indicates to the browser that to load additional components of the webpage, it must connect to another server (in this case, one owned by the attacker).
  o The browser follows the instructions of the downloaded code and connects to the attacker’s server. The browser asks for the additional elements needed to create the webpage—not knowing what those elements genuinely are.
  o The attacker’s server downloads malware to the unsuspecting user’s computer. The browser executes the code received from the attacker’s site, installing the malware.
  o The malware establishes a connection out to the attacker and grants them full remote-control access to the user’s computer. The attacker now has what we call a “Command and Control channel ” or a “C2 channel” running over that outgoing connection. Via the C2 channel, the attacker is able to control the compromised system and instruct it to launch attacks against other systems on its own network.

Question 14

moving laterally, pivoting, island hopping

Answer 14

• Most of the time, the initial system compromised by an attacker does not contain the information they are looking for. It was simply a target of opportunity. It was either compromised because it was visible from the internet (a public access system such as a web server or mail server), or it was compromised via a drive-by download, a watering hole attack, or something similar.
• Once the attacker has access to that initial computer, other internal systems on that network are now visible. The attacker begins methodically working their way through machines, compromising one after another. In other words, they move laterally through your network – or they pivot from one machine to another.
• Each time a system is compromised, the attacker looks to see what they might have just gained access to. Eventually, the attacker exploits the system that contains the “gold mine” of information the attacker was after to begin with. At that point, data exfiltration begins
• Island Hopping According to the same Carbon Black report, “Moving Laterally or Pivoting”, about half of cyberattacks today use the victim primarily for “island hopping”. This is extremely similar to moving laterally. The difference is the lateral movement happens within a single company’s LAN. Island hopping occurs between two or more different company’s networks.
  o For example, * The attacker cannot find anything to exploit on your corporate headquarters LAN * Via the first phase of an attack, reconnaissance, they discover you have a business partner * Scanning that company’s network shows unpatched systems * The attacker compromises one of their systems and moves laterally through their network * Eventually, the attacker discovers a system on the business partner’s network with a trust relationship to a computer on your network * They then “island hop” from the partner’s network to your network * Much like an attacker moving within your network, but between two networks

Question 15

Buffer overflow
- picture on page 115

Answer 15

• Another attack we have been dealing with for many years is called a Buffer Overflow (or often just, BO’s). It is possible on any type of software, whether that be an operating system or an application.
• All buffer overflow attacks: * are highly targeted against a very specific version of a very specific software * make a piece of software do something it was never intended to do
• Normal Operation: On the left side of the slide, we see a greatly simplified explanation of how software works without any attacks. You see five lines of computer code instructing the computer to do various things. Each line of code is at a particular address in RAM (Random Access Memory) that we learned about earlier. Memory addresses are pretty long in reality, but we truncate them to simply A, B, C, etc. As you read down through those instructions, notice that the code at memory address C tells the computer to read some data from a buffer found at memory address Q. The buffer or variable might be any number of things, but let’s say it is your name. You entered that information into a software field on the screen so the computer can add your name to a database. Following the data is a “return pointer,” in this case telling the computer to return to memory address D to read more instructions. The computer code at memory address D will process the address data by storing your name in a database. Following are the steps that occur:
• Buffer Overflow: On the right side of the slide, you see the abnormal operation that happens when a buffer overflow attack occurs. Everything about the setup is identical to regular function. There are five lines of code at memory address A through E, with line C reading data at address Q and line D processing that data. Before we get into the specific steps, we need to talk about a particular computer instruction. It is called a “NoOp” (pronounced No-Op). It is short for No Operation and is a perfectly valid computer instruction that means, “do nothing.” It is essentially a placeholder in software
  o Note that the attacker already filled memory address Z with their attack code. For simplicity, we will say that code will “Do Bad Things.” * The software reads through the NoOps at address Q and hits the return pointer, “Return to Z.” * The software dutifully goes to address Z and executes the Do Bad Things code. * Following the attacker’s code is a new return pointer, directing the software to memory address M. You may recall, earlier the attacker placed the original data (your name) in that location. * The software goes to address M, reads the data, and then hits the Return to D pointer. * The software returns to address D, adding your name to the database, and continues along
• When the hacker’s Do Bad Things code executes, the software does something it is not intended to do, which is the real goal of any BO attack. The question is, what might “Do Bad Things” be? The answer is, there are thousands of buffer overflow attacks and just as many answers to that question. But a typical example might be that the BO exploit adds an unknown Administrative level account to the system. BO’s are one method attackers use to escalate their privileges from a non-privileged account to an administrator level account
• Windows 10 now included memory address randomnization which randomizes the lines of code and consequently this has dropped off in popularity because no one can perform these attacks

Question 16

Denial of service

Answer 16

• Denial-of-service, or DoS, is one of the most common attacks in use today. It works just like it sounds: It denies useful service to a system or network. DoS attacks aim at preventing a computer or network from performing its normal duties. It can take the form of crashing a computer, but more often, it takes the form of flooding the network or computer with millions of information or service requests. The victim computer quickly is overwhelmed and can’t handle the load. When this happens, service is denied to legitimate users because they can’t seem to get the server’s attention. DoS attacks don’t need to come from the network, either. A malicious (or just badly programmed) application can begin to spawn new processes over and over until the resources of the machine are exhausted
• DoS attacks are appealing to attackers for a number of reasons. First, they are extremely simple to do. The wide variety of methods for performing a DoS attack is not that difficult to learn or perform; we’ve seen several examples so far. Second, depending on how you perform the DoS, all you are doing is preventing legitimate traffic from getting to the server. You do not necessarily have to crash the machine or ruin any of the server’s resources
• Extortion DDoS : we deny service and your company is now offline, all you have to for me to stop is to pay me a certain amount
• Popularity DDoS : is also very real – your website just got too popular – also called accidental DDoS

Question 17

SYN flooding

Answer 17

• Another common attack exploits the three-way handshake that TCP/IP computers use to establish a TCP session. While the three-way handshake is in progress, the server needs some way to keep track of the fact that there is a pending TCP connection. To do this, the server has a “backlog queue” of some number of slots. For example, some Windows versions default to 400 slots in the backlog queue. Note that each open port typically has its own queue.
• No one can connect to your server as long as I keep that backlog full
• The SYN Flood attack takes advantage of this and, as you might guess, floods the backlog queue.
• This diagram shows how SYN floods actually work in practice. The attacker sends a huge number of SYN packets to the victim. Each of these packets come from unassigned IP addresses (in other words, IP addresses not assigned to any computer in the world). The victim server sends the SYN/ACK to the unused IP address. Because it is an unassigned IP address, no computer ever receives it. Therefore, the third step of the handshake never happens
• Unfortunately, this is a difficult attack to mitigate. There is a “solution” called SYN-Cookies that makes this attack impossible. Unfortunately, SYN-Cookies are so computationally expensive, it is actually easier to DoS a system by crashing it than it is to perform the SYN Flood attack. High-end firewalls work but are super expensive, you just have to wait it out since it’s cheaper to wait out the DoS

Question 18

Distributed denial of service

Answer 18

• Classic network DoS attacks occur when a single system floods your system or network with packets. You can stop the attack by instructing your routers or firewalls not to accept packets from that system. However, a different breed of DoS attack makes this type of simple protection all but useless; the Distributed Denial-of-Service, or DDoS. In DDoS attacks, the attack does not come from a single system or network; it comes from a wide distribution of computers from all over the internet, sometimes seemingly at random.
• A typical DDoS attack has a number of roles and components. On the roles side is the attacker, the victim, and a number of “innocent” third parties called bots that play an unwilling role in the attack. The attacker breaks into each of the bots (either manually or, more likely, using an automated tool, a worm, or spyware) and plants a program that can perform a DoS attack against the victim. There can be hundreds, thousands, or even millions of bots in a single botnet.
• When the attacker is ready to launch the attack, he contacts the bot herder and tells it who the real victim is, how long the attack should last, and any other information the bots need. The bot herder then relays that information to the bots, and off they go. What the victim sees is a DDoS attack from many different sites all coming at once
• What makes DDoS attacks so unique and powerful is that they use the diversity of the internet to amplify the attack. The attack seems to be coming from everywhere at once, and because TCP/IP connections have no authentication, there is no way to tell the real origin of the attack.
• In addition to DDoS botnets, are also used as ‘spam blasters’ and ‘cryptocurrency mints’

Question 19

Domain attacks (DNS)

Answer 19

• The Domain Name System (DNS) is critical to the smooth operation and usability of the internet, yet it has no built-in security mechanisms. There is no authentication of either the user, the requesting computer, or the DNS server. And there is no verification that the machine name or IP address the DNS server gives as a reply to a query is, in fact, correct
• Attacks against DNS involve attempts to control traffic destined for a domain on the internet.
• Cache Poisoning In a DNS Cache Poisoning attack, the attacker wants to direct browsers attempting to reach www.victim.com to their server www.attacker.com. The attacker creates a false authoritative DNS record in the attacker.com name server, which maps the name www.victim.com to the IP address of www.attacker.com. Next, they query www.victim.com, asking the victim’s DNS server to get DNS records for the attacker.com domain. Those records include the false entry for www.victim.com. Assuming that the victim’s DNS server does not have any protections against DNS poisoning, their DNS server now contains a bad entry for their web server, which redirects any queries for www.victim.com to the www.attacker.com website.
• Domain Hijacking The second form of DNS hijacking involves no greater technical skill than the ability to use email or a fax machine. Many domain registrars do little to verify the authority of those who request changes to their domain information. If an attacker can send a convincing-looking email or fax to the appropriate DNS registrar asking to change the IP information for victim.com to now point to attacker.com’s systems, many registrars blindly implement the request without much (if any) verification. Some of the larger, more established registrars now perform stricter authentication of DNS change requests using such methods as mail header checking, passwords, or encrypted and signed mail, but there are still a surprising number that do nothing. Why would an attacker want to hijack a domain? The attacker could put up a bogus web server such as www.xyz.com and advertise that XYZ Corp was giving away millions of dollars’ worth of free merchandise or that XYZ Corp was announcing massive layoffs in the coming months. Because users have no way of distinguishing false information from real information (after all, they typed www.xyz.com into their browser), this type of activity can have serious consequences for the victim of a domain hijacking attack.
• There are some things your organization can do to help minimize attacks against your domain. The first is to ensure that your DNS servers don’t accept any information that isn’t relevant to the query being made. You should also keep your account contact information up-to-date and keep track of the expiration dates of your domain. Many domain hijackers simply wait for domain names to expire and then register them for themselves in the hopes of selling them back to the original company. By keeping your contact info updated and not missing the expiration deadlines, you can prevent this from happening. The next thing you can do is to place a registrar lock on your domain. This can help prevent it from being transferred, modified, or deleted by a third party. Finally, you should use only established, well-known registrars for your critical domain name business. Use a vendor that has been around for a while and has good security and authentication mechanisms in place for handling name change requests

Question 20

Keystroke capture

Answer 20

• Keystroke capture does exactly what it sounds like. It captures every keystroke the user types on a keyboard (and in some cases, even more). This is a double-edged sword. These techniques can be used by attackers to capture keystrokes including username/password combinations, and, of course, the actual data. It is also used by many companies to monitor employee activity. Per one report from ABC News, 78% of the Fortune 500 companies capture all employee keystrokes.
• There are external devices you plug the keyboard in to. (You see them above and more pictures are on the next slide.) These cost $20 to $200 and can capture millions of keystrokes. They store the keystrokes using exactly the same technology as a USB thumb drive. There is also software that can be installed on the system. Quite often, the software will capture keystrokes, but also screen captures of whatever is currently displayed on the screen when a mouse is clicked, for example.
• Cheater software : spouses use this to catch their spouse doing something they shouldn’t do
• WFH is causing more and more monitoring software