Don't know your ARP from your Elbow?
Sun Tzu said in "The Art of War":
"If you know the enemy and know yourself, you need not fear the results of a hundred battles"
"If you know yourself but not the enemy, for every victory gained you will also suffer a defeat"
"If you know neither the enemy nor yourself, you will succumb in every battle"
The purpose of this document is to explain, in plain English, many of the terms routinely used by Hackers, Crackers (and even IT Security professionals) when talking about the varied threats, potential attacks and types of malign software faced by today's computer users. It does not describe how to carry out any attacks, nor does it tell you how to protect yourself against them, but it does try to provide a simple explanation of what these threats actually are, so that you at least understand what it is that you need to protect yourself against!
See Zero day.
Otherwise known as an Advanced Fee Fraud, the 419 scam takes its name from the section of Nigerian law which legislates for this kind of illegal activity, although the perpetrators of such scams are by no means any longer confined to Nigeria. There are several variations on the theme but the scam is generally conducted via the spamming of potential victims by email. These emails will often purport to come from a legal firm, financial institution, or perhaps the relative of a deceased political leader or wealthy businessman for example. The email will spin a beguiling story about the existence of a vast fortune which is tied up in some kind of legal or financial limbo but which can be liberated, so the scammers claim, with the victim's assistance (often the provision of details of a bank account in the victim's home country into which the fortune will supposedly be deposited). As a reward for their help the victim is promised that they can keep a substantial share of the loot! However, at some point during the proceedings the scammers will contact the victim claiming some kind of administrative problem which can be overcome if the victim will send them a sum of money to grease the wheels - this is where the "advanced fee" fraud comes in. If the victim falls for this the scammers will continue to make similar requests, often teasing the victim by claiming that just one more payment will be enough to liberate the fortune. Of course there is no fortune and the victim has lost their money!
ActiveX is a set of Microsoft technologies designed to enable the sharing of information between different applications. ActiveX controls are an implementation of these technologies and are generally intended to facilitate the addition of feature rich, dynamic and/or interactive content to web pages. Unlike Java applets, which often perform a similar function, ActiveX controls have full access to a computer's Operating System and are thus far more powerful - and potentially dangerous. An ActiveX control designed with malicious intent could completely compromise or disable a victim's system.
Faking a web browser's address bar with images and text so that it appears to display a legitimate URL when the browser is in fact displaying a different page entirely. Thus, a browser's address bar may seem to read http://www.mybank.com when in fact the website being displayed is http://www.fakebank.com.
See 419 scam.
A generic term referring to a class of software that causes a victim's web browser to display annoying pop-up advertisements and advertising banners. Sometimes adware may be installed in conjunction with a companion spyware program. Whilst the spyware program tracks and reports on the user's web browsing behaviour, the adware program provides targeted advertisements based on that behaviour.
Alternate Data Streams:
A feature of a file system that permits a normal, visible file or directory to be linked to an almost totally hidden file area which may be used for a variety of malicious purposes. They may be used as covert communications channels or to hide information for later retrieval, or they may be used to conceal executable virus or Trojan data from antivirus software. Additionally, as there is no limit to the amount of data an Alternate Data Stream can contain, a malicious program could be used to write large quantities of invisible data into one, eventually filling up the computer's hard disk and causing a denial of service. Although simple to create and use, Alternate Data Streams can only be detected using specialised software and are completely invisible to standard tools like Windows Explorer. They cannot be deleted independently of their parent files, and an Alternate Data Stream attached to the root directory of a drive cannot be deleted at all. This feature was possibly included in the Windows NTFS file system specification in order to maintain compatibility with the data/resource fork feature used by Macintosh computers, but it also provides NTFS with several advanced features such as the storage of distributed link tracking Object Identifiers (OIDs), indexable file content summaries and thumbnail images.
The reprogramming of the keyboard (on any system which has MS-DOS as the underlying Operating System and that has ANSI.SYS loaded) so that pressing a reprogrammed key has an unexpected and possibly undesirable effect! An ANSI Bomb could, for example, reformat the victim's hard drive when they press the Enter key. ANSI stands for American National Standards Institute.
Anti DNS pinning:
Modern web browsers employ a technique called DNS pinning in which the name of a particular website is tied to its IP address for the duration of the browser session. Unfortunately, it is possible to force the web browser to perform a new DNS lookup and redirect the browser to an attacker's website instead. This technique is called Anti DNS pinning.
ARP Cache Poisoning:
ARP (Address Resolution Protocol) is used to map IP addresses to hardware addresses. By deliberately altering or "poisoning" the ARP cache of a computer, an attacker can ensure that data intended to be sent from one computer to another will actually be sent to a different computer instead, thereby jeopardising the authenticity, confidentiality and integrity of that data. ARP cache poisoning is often used in "Man in the Middle" attacks for example, whereby the attacker will intercept data intended for a different machine and perhaps modify it before sending it on to the intended recipient.
Backdoor:
A generic term for a (probably undocumented) method of gaining access to a computer, possibly without the owner's knowledge or consent. A backdoor may be a particular piece of malicious software specifically designed to allow an attacker access to a victim's computer by stealth, or a hidden setting in a legitimate piece of software intended to allow the software developers or support staff to make beneficial changes or to assist the user.
The act of observing the initial text displayed when connecting to a server in order to determine its type. For example, by default, various versions of HTTP, FTP or SMTP server software will display a "welcome" message when you connect to them, often declaring the make and version of the software that is in use. This information is obviously very useful to an attacker for formulating a plan of attack. Banner grabbing is a type of fingerprinting.
A small program installed as an add-on component to Microsoft's Internet Explorer web browser and designed to customise its behaviour in some way. BHO's may often provide useful extra functionality such as the inclusion of a specialised toolbar for instance, but sometimes they are installed without the user's knowledge and may have undesirable effects such as tracking and reporting on browsing habits, forcing the use of particular search engines or preventing access to certain websites. Many BHO's fall into the spyware, adware and/or browser hijacker categories.
See File binding.
The act of breaking into a computer network using a Blackberry device.
A term which refers to a type of malware which combines a variety of traditionally separate attack techniques. For example, a spam email containing links to a phishing website and perhaps also carrying a virus or Trojan horse payload would be regarded as a blended threat.
Blue box:
A "blue box" is an electronic device, often home made, which emits telephone dialling tones that can trick telephone network equipment into granting the user access to services to which they are not entitled, such as free long-distance calls for example. Blue boxes are used in phreaking (see below).
The practice of making covert Bluetooth connections to other compatible Bluetooth devices (mobile telephones, PDA's, etc.) for the purpose of stealing data from them. Bluesnarfing is distinct from Bluejacking, which is the practice of "discovering" nearby compatible Bluetooth devices and sending prank messages to them to startle or surprise their owners. Bluejacking is generally regarded as harmless fun, whilst Bluesnarfing, like most other forms of malicious hacking, is illegal.
An abbreviation of robot, bot traditionally refers to a tiny program which traverses the Internet gathering information about the websites it discovers which it then reports back to its masters. In this respect a bot is synonymous with a spider or web crawler and performs a very useful purpose, enabling Internet search engines for instance to provide accurate and up to date lists of websites in response to search queries. However, bot is also a term used to describe a small, malicious program that can be planted on a computer which is then used to attack another victim computer or website.
A collection of computers that have been infected with maliciously programmed bots which are then used to launch a co-ordinated attack against a victim's computer or website, most often resulting in a denial of service. A botnet is also referred to as a zombie network.
A generic term referring to any piece of software which, against the user's wishes and perhaps even without their knowledge, detrimentally affects the functioning of their web browser. Often a browser hijacker will change a user's Home page and Search settings and put various mechanisms in place to prevent the user from undoing those changes.
The act of attempting to crack passwords (for the purpose of gaining access to a computer system) or encryption keys (for the purpose of decrypting encrypted messages) by testing them against every possible permutation of upper case and lower case letters, numbers, punctuation marks and other characters. When attempting to crack passwords, a determined attacker may attempt a brute force attack if a so-called "dictionary attack" fails to reveal the passwords they require. A good password with a high degree of complexity may take several years to crack by this method, even with a quite powerful computer. For information on creating strong passwords resistant to brute force attacks, see the Strong Password Generator page.
Buffer overrun:
Also known as a buffer overflow. In a software program a buffer is an amount of memory set aside so that the program can remember something for later use, such as the data a user has typed into a box on a website form for example. Ideally the programmer will have specifically defined the size of the buffer (or the amount of memory) that can be used for this purpose, in which case the user will not be able to enter more data (i.e. overrun the buffer) than this defined limit. Where no such limit has been defined the program may be vulnerable to a buffer overrun attack. In this case the attacker is able to overwrite the program's code held in memory with their own code in order to make the program perform a different function. Often the aim is to get a command prompt or shell prompt on the victim's computer, whereupon the attacker has effectively taken control of (or "owns") the machine!
See ARP Cache Poisoning and DNS Cache Poisoning.
A term which covers the various activities involved in the cracking, reverse engineering and/or reading of credit card magnetic strips or smartcard chips for example.
Christmas tree attack/scan:
Sending TCP network packets to a computer in which all the control flags are set on. The control flags in TCP packets are used to control the two-way communication between participating computers thus:
SYN (S) = Synchronise, or request the establishment of a new connection
ACK (A) = Acknowledge a SYN packet
FIN (F) = Finish, or gracefully close a connection
RST (R) = Reset, or instantly drop a connection in both directions
PSH (P) = Push, or force delivery of data without waiting for buffering
URG (U) = Urgent data
Clearly, some combinations of these flags are mutually exclusive and no legitimate packet should ever have all of the flags set. By monitoring the way in which a computer responds to a Christmas tree attack, a potential intruder can fingerprint the system, determining the type of Operating System that the computer is running, for example. Other combinations of flags may also be used. For example, the opposite of the Christmas tree attack is the "TCP Null scan" in which none of the flags are set. A "TCP SYN (half-open) scan" is one in which the scanning computer does not complete the three-way handshake required to complete a network connection (see SYN flood below for an explanation of this.)
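The flag combinations described above, turned into the kind of classification rule an intrusion detection system applies to each TCP header. This is an added example, not code from the original glossary; the raw headers it inspects are constructed in the block.

```python
# Added example (not part of the original glossary): classify the TCP flag
# combinations the entry above describes, as an IDS rule might, and apply the
# rule to a few constructed raw TCP headers.
import struct

# TCP flag bits as they appear in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG   # the six flags the entry lists

FLAG_NAMES = [("F", FIN), ("S", SYN), ("R", RST), ("P", PSH), ("A", ACK), ("U", URG)]


def flag_string(flags: int) -> str:
    """Render the set flags in the compact letter notation used above, e.g. 'SA'."""
    return "".join(name for name, bit in FLAG_NAMES if flags & bit) or "-"


def classify_flags(flags: int) -> str:
    """Name the probe type, or 'normal' for combinations seen in ordinary traffic.
    The ECE/CWR bits (0x40, 0x80) share the byte and are masked out here."""
    six = flags & ALL_SIX
    if six == ALL_SIX:
        return "xmas"          # every flag lit up, like a Christmas tree
    if six == 0:
        return "null"          # no flags at all: the opposite of a Xmas probe
    if six & SYN and six & FIN:
        return "syn-fin"       # open and close in one packet: never legitimate
    if six & SYN and six & RST:
        return "syn-rst"       # request and abort in one packet: never legitimate
    if six == SYN:
        return "syn"           # plain connection request, also a SYN (half-open) probe
    return "normal"


def parse_tcp_flags(segment: bytes) -> int:
    """Extract the flag byte from a raw TCP header (offset 13)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13]


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample data for the demo)."""
    seq, ack_num = 0, 0
    data_offset = 5 << 4           # 5 x 32-bit words, no options
    window, checksum, urg_ptr = 8192, 0, 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack_num,
                       data_offset, flags, window, checksum, urg_ptr)


def scan_report(segments) -> dict:
    """Count probe types over a batch of raw headers, as a detector would per source."""
    counts = {}
    for seg in segments:
        kind = classify_flags(parse_tcp_flags(seg))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        build_tcp_header(40000, 80, ALL_SIX),       # Xmas probe
        build_tcp_header(40001, 80, 0),             # Null probe
        build_tcp_header(40002, 80, SYN),           # SYN (half-open) probe or real connect
        build_tcp_header(40003, 80, SYN | ACK),     # second step of the handshake
        build_tcp_header(40004, 80, PSH | ACK),     # ordinary data segment
    ]
    for seg in sample:
        f = parse_tcp_flags(seg)
        print(f"{flag_string(f):<6} -> {classify_flags(f)}")
    print(scan_report(sample))
```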
Collision attack / Preimage attack:
A popular method of determining the integrity of a program file, word processing document or email message for example, is for the originator to provide a cryptographic "hash" or "message digest" of their original data. The hash is created by feeding the original data into an algorithm that produces a relatively short sequence of characters as its output, which serves as a fingerprint of the original input data. Even a minute change in the input data produces a vastly different hash. So, the recipient of the data can run it through the same hashing algorithm as used by the originator and, if the data has not been tampered with, the output hash will be identical to the originator's. Hashing algorithms are developed in such a way that, in theory at least, the probability of two different sets of input data producing the identical output hash is infinitesimally small. Where two different input messages do produce the same hash, this is known as a collision, and a collision attack is the act of discovering techniques to reliably determine different input messages to a particular hashing algorithm that produce the same output hash. A preimage attack works the other way around. Here, the attacker takes the hash and attempts to find input data (not necessarily the original input data) that will produce that particular hash.
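The integrity check described above, followed by a demonstration of why a collision is cheaper to find than a preimage. This is an added example, not from the original glossary; it truncates SHA-256 to a few bits (a constructed toy hash) so that both searches finish quickly, whereas against the full 256-bit digest neither is feasible.

```python
# Added example (not part of the original glossary): verify a message digest as
# the entry describes, then show the collision / preimage distinction on a
# deliberately truncated SHA-256 so the searches finish in seconds.
import hashlib


def digest(data: bytes) -> str:
    """The originator's fingerprint of the data: a full SHA-256 in hex."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Recipient-side integrity check: recompute and compare with the originator's hash."""
    return digest(data) == expected_hex


def truncated_digest(data: bytes, bits: int) -> int:
    """Keep only the first `bits` bits of SHA-256, to model a weak (short) hash."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_preimage(target: int, bits: int, limit: int = 1 << 24):
    """Preimage search on the toy hash: try inputs until one hashes to `target`.
    Expected cost is about 2**bits attempts. Returns (input, attempts)."""
    for i in range(limit):
        candidate = b"msg-%d" % i
        if truncated_digest(candidate, bits) == target:
            return candidate, i + 1
    return None, limit


def find_collision(bits: int, limit: int = 1 << 24):
    """Birthday search: any two inputs with the same toy hash. Expected cost is
    only about 2**(bits/2) attempts, which is why collisions come far cheaper
    than preimages. Returns (input_a, input_b, attempts)."""
    seen = {}
    for i in range(limit):
        candidate = b"msg-%d" % i
        h = truncated_digest(candidate, bits)
        if h in seen:
            return seen[h], candidate, i + 1
        seen[h] = candidate
    return None, None, limit


if __name__ == "__main__":
    original = b"Pay 100 EUR to account 123"   # constructed sample message
    tag = digest(original)
    print("intact:   ", verify(original, tag))
    print("tampered: ", verify(b"Pay 900 EUR to account 123", tag))
    a, b, tries = find_collision(32)
    print(f"32-bit collision after {tries} tries: {a!r} and {b!r}")
    target = truncated_digest(b"secret", 20)
    pre, tries = find_preimage(target, 20)
    print(f"20-bit preimage after {tries} tries: {pre!r}")
```

Compare the two attempt counts printed at the end: the 32-bit collision needs on the order of 2^16 tries, the 20-bit preimage on the order of 2^20, and every extra bit of digest length doubles the preimage cost.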
See File combining.
A text file created on a computer by a website when a user first visits the site and which is used to store information that the website can use during the user's current and perhaps subsequent visits. The information stored in a cookie may include preferences in the way that the website works that the visitor has specified, or may keep track of a user's "shopping cart" or "basket" on a website from which goods or services may be ordered for example. Cookies are sometimes essential for the correct operation of a website. Cookie information may also be used to provide targeted pop-up advertising and in some cases the information can be read by other applications or websites which may have a malign intent.
A means by which the communication of data between computers is deliberately concealed by using methods outside of the normal specifications for such communication. For example, in the IP protocol used by the majority of computers and networks, communication is achieved by using "packets" of data. Each packet contains a specific data area and also a "header" which is divided up into a number of separate fields intended to provide information about the packet, such as its size, where it has come from and where it is going to for instance. Although data is meant to be stored in the designated data area, a covert communications channel can be set up by deliberately hiding data in the header fields.
Traditionally what is now usually and incorrectly referred to as a hacker. Originally, a hacker was a person who enjoyed obtaining an in-depth knowledge of the intricacies of computer operation, software and communications, whilst a cracker was somebody who used such knowledge for malicious or nefarious purposes.
Crackz are small programs designed to patch or modify other target programs. Such modification usually involves illegally removing copyright information, removing the requirement to officially register the target program, or the conversion of a shareware/trial program with limited functionality into a fully functioning version. Target programs which have been "cracked" are known as "warez" or "wares". It's possible, though not always the case, that crackz may have some other malign intent or undesirable effects apart from just patching their target.
CRLF Injection:
CR (Carriage Return) and LF (Line Feed) are traditionally commands you may recognize from using typewriters and printers. Carriage Return would send the print head back to the start of the current line, whilst Line Feed moved the paper up one line. So, after completing one line of typing/printing both CR and LF commands would need to be issued to begin printing a new line. CR and/or LF are also used in computer systems for the same purpose, and applications that use these commands but do not correctly sanitize their input may be subject to so-called CRLF Injection attacks. Just one example commonly cited is an application that generates a log file where each entry is separated by a CRLF. If the CRLF is not correctly stripped off as a legitimate entry is made, an additional, fake entry may be appended (or injected) immediately afterwards, thereby compromising the integrity of the log file.
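The log-file scenario from the entry above, as an added example that is not part of the original glossary: a log writer that trusts its input beside one that neutralises CR/LF, with a constructed username showing how the two differ once the file is read back.

```python
# Added example (not part of the original glossary): the log-file scenario from
# the entry above, with a writer that trusts its input beside one that
# neutralises CR/LF, and a reader that shows what an auditor would see.
import re

CRLF = "\r\n"


def log_entry_unsafe(user: str, action: str) -> str:
    """Writes the user-supplied value straight into the entry (the vulnerable form)."""
    return f"user={user} action={action}" + CRLF


def sanitise_field(value: str) -> str:
    """Make CR and LF visible as the two-character escapes \\r and \\n, and drop
    any other control characters, so a field can never end the current entry
    and start a new one."""
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return re.sub(r"[\x00-\x1f\x7f]", "", value)


def log_entry_safe(user: str, action: str) -> str:
    """Same entry layout, but every user-controlled field goes through sanitise_field."""
    return f"user={sanitise_field(user)} action={sanitise_field(action)}" + CRLF


def parse_log(text: str):
    """Split the file on CRLF the way a log viewer would; each item is one entry."""
    return [line for line in text.split(CRLF) if line]


if __name__ == "__main__":
    # Constructed attacker-controlled username containing an embedded line break.
    username = "mallory\r\nuser=admin action=login-ok"
    unsafe = log_entry_unsafe(username, "login-failed")
    safe = log_entry_safe(username, "login-failed")
    print("unsafe entries:", parse_log(unsafe))   # two entries, one of them forged
    print("safe entries:  ", parse_log(safe))     # one entry, break made visible
```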
Cross-Site request forgery:
A mechanism often used in conjunction with Cross-Site scripting that can fool a user's web browser into sending requests for actions to occur on a website in the context of the logged on user. So, for example, if a user is logged into their web-based email account and also encounters a malicious site that performs cross-site request forgery, it's possible that the malicious site could automatically send emails from the user's account.
A method by which an attacker can use a website to exploit a vulnerability in the software employed by another website to attack a computer. For example, an attacker can create his own, malicious website, containing a specially crafted hyperlink to another website which employs software vulnerable to a cross-site scripting attack. When a victim clicks the hyperlink on the malicious site, the vulnerability in the other website's software is exploited to inject some form of harmful content into the legitimate content of the vulnerable site. This is then downloaded to and executed on the victim's computer via their web browser.
A method by which an attacker can exploit a vulnerability in order to force the execution of malicious code in the context of a security zone other than the one in which it should be executed. For example, the security options within Microsoft's Internet Explorer browser show four distinct zones: Internet, Local Intranet, Trusted Sites and Restricted Sites. The specific security settings for each of these zones are different and Internet Explorer will permit or deny the execution of certain code based on these settings. There is also a fifth zone which is not displayed in the Internet Explorer security settings window called the My Computer zone and which is the least restrictive of all by default. The ultimate goal of an attacker attempting a cross-zone scripting attack is to force the execution of harmful code in the context of My Computer rather than one of the other, more restrictive zones in which it ought to be run.
See Cross-Site Request forgery.
See Domain hijacking.
The act of sending so much data to a computer that its hard disk drive space is exhausted, causing it to become unresponsive or crash. An attacker may attempt this by sending the target very large email messages or by uploading large files via FTP (File Transfer Protocol) for example.
In its most malign form a data miner is a type of spyware which gathers information from the computer on which it is installed and which sends this information back to an attacker. Such information might include users' logon details or credit card information typed into website forms for example. Other data miners record users' Internet browsing habits which may be employed for legitimate marketing purposes or might be harnessed by an adware program to provide targeted pop-up advertising for example. Data miners are sometimes referred to as tracking cookies.
DDoS (Distributed Denial of Service attack):
An orchestrated denial of service attack launched from multiple computers against one (or relatively few) targets. The attacking computers are usually co-ordinated into a botnet or zombie network so that, en masse, they have a far greater effect than if the attack was launched from a single computer.
The act of hacking or breaking into a web server and deliberately vandalizing its contents, often so that the web pages show a derogatory, political or social message of some kind, or sometimes to highlight a known vulnerability in the software used by the website or in its implementation by the website's owners.
A program which establishes a dial-up networking connection from a local computer to a remote computer. In its malign form, a dialler may be installed without the user's knowledge and its installation routine may also involve replacing the computer's existing dial-up networking connection to the user's preferred ISP. Diallers are often programmed to dial long distance or premium rate numbers and the user may not be aware that their connection has been modified until they receive the telephone bill. Dialler programs are often used for the purposes of connecting a computer to adult themed websites.
The act of attempting to crack passwords by testing them against a list of dictionary words. With today's powerful computers, an attacker can combine one of many available automated password cracking utilities with several large dictionaries or "wordlists" and crack huge numbers of such passwords in a matter of minutes. Any password based on any dictionary word is vulnerable to such an attack, including those based on the dictionary words of foreign and even fictitious languages such as Klingon and Elvish! For information on creating strong passwords resistant to brute force attacks, see the Strong Password Generator page.
Directory traversal:
Normally, this is simply the act of moving up and down through the directory tree (or folder structure) of a computer's file system. However, it also specifically relates to a type of attack against a poorly configured web server in which an attacker is able to enter a specially crafted URL into the address bar of a web browser and change directory out of the area from which the web pages are being served and into the directories containing the server's system files or other sensitive information.
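One way a web server can refuse requests that leave its document root, as an added example that is not code from the original glossary: the naive path join beside a resolver that canonicalises the path and checks it is still under the root. The document tree it serves is constructed in a temporary directory.

```python
# Added example (not part of the original glossary): a file-serving routine that
# resolves the requested path and refuses anything that escapes the document
# root, beside the naive join the entry above describes. The document root and
# files are constructed in a temporary directory for the demo.
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(doc_root: str, request_path: str) -> str:
    """The poorly configured server: glue the URL path onto the root and trust it."""
    return os.path.join(doc_root, unquote(request_path).lstrip("/"))


def safe_resolve(doc_root: str, request_path: str):
    """Decode, normalise and resolve symlinks, then require the result to stay
    inside doc_root. Returns the real path, or None if the request escapes."""
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, unquote(request_path).lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(doc_root: str, request_path: str):
    """Read the file if safe_resolve accepts it; None means 'refuse with 403/404'."""
    path = safe_resolve(doc_root, request_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a tiny document tree and try a normal request and traversal attempts."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.conf"), "wb") as fh:   # outside the root
        fh.write(b"db_password=constructed-placeholder")
    return {
        "index": serve(root, "/index.html"),
        "traversal": serve(root, "/../secret.conf"),
        "encoded traversal": serve(root, "/%2e%2e/secret.conf"),
        "naive target": naive_resolve(root, "/../secret.conf"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<18} -> {value!r}")
```

The last line of the demo output shows where the naive join would have pointed: a path that walks out of htdocs to the configuration file the safe resolver refused to serve.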
Denial of Service attacks:
See DoS, DDoS and DRDoS attacks.
DNS Cache Poisoning:
DNS (Domain Name System) is used to map host names to IP addresses. By deliberately altering or "poisoning" the DNS cache of a computer, an attacker can ensure that data intended to be sent from one computer to another will actually be sent to a different computer instead, thereby jeopardising the authenticity, confidentiality and integrity of that data. DNS cache poisoning is often used to direct a web browser to a fake website rather than the legitimate one.
The act of analysing discovered documents and extracting information from them by "breaking them open / grinding them up". This goes way beyond simply opening the document in the application used to create it and reading its contents. For example, an intruder may discover a document on a target system and then, using special tools, "grind it up" in order to reveal interesting information in the document's headers which might not normally be accessible. Also, the technique is used by Google Hackers to find out interesting information from documents discovered on the Internet through search engines.
Broadly speaking, the act of assuming or taking over a domain name, not necessarily illegally. Some definitions of domain hijacking include what has come to be known as cyber-squatting. Here, someone registers - perhaps entirely innocently and with no ill-intent - an available domain name that nevertheless relates to or may be closely associated with some other person or organisation. Obviously there may be a conflict of interest if the other party should subsequently want to use the domain name for themselves. More seriously, a person or organisation who has previously registered and is actively using a domain name may subsequently forget to renew it. If the domain name is not renewed, it becomes available for anybody else to register and may thus be hijacked by a malicious cyber-squatter who may demand payment to relinquish the hijacked domain. Most seriously, it is the act of fooling the domain registrars into either performing a DNS transfer (in which web browser requests for the domain's web site and its email traffic, for example, will be directed to the wrong servers) or transferring a domain name away from the current, legitimate registrant to someone else.
DoS (Denial of Service attack):
An attack whereby the target is deliberately prevented from providing or receiving a particular service. For example, a very common DoS attack involves preventing a company's web servers from serving web pages, thereby preventing customers from visiting the company's website. DoS attacks are usually accomplished by bombarding the target with more data than it can handle, or by exploiting a weakness in the software employed by the target to cause the service to fail or perhaps to continually crash the computer.
DRDoS (Distributed Reflection Denial of Service attack):
This is a variation of the DDoS (Distributed Denial of Service attack) theme, but it has important differences. In a DRDoS attack, the attack does not appear to originate from a single attacking computer (as in a simple DoS attack), nor does it even appear to originate from multiple computers that have been compromised to form a botnet or zombie network (as in a DDoS attack). Rather, it is akin to a very large scale smurf attack (see below for a description of this). For example, let's say an attacker sends lots of network packets to a large number of the Internet's most powerful and well-connected machines (like some of the high-level routers for instance) all of which are asking for a new network connection to be established (SYN flag set). The source IP address (i.e. the origin of the request) of these packets has been spoofed by the attacker to be that of the intended target! The result will be that all of these powerful, high-bandwidth machines will respond en masse to the target, flooding it with more data than it can possibly handle, causing it to become unresponsive or even crash and thereby effecting a denial of service. So without actually compromising any of those high-level routers, the attacker has nevertheless achieved his aim by "reflecting" his attack off them, magnifying its effect.
The act of stealthily and automatically installing software on a user's computer when they simply visit a particular web page. Spyware and adware programs are frequently installed on a computer by way of drive-by downloading.
A program designed to extract other files from within its own code. Droppers are frequently used as a means of installing Trojan horse programs.
The act of rummaging through the rubbish thrown out by commercial businesses or private residents searching for items of value. From an IT security point of view, an attacker may find all sorts of valuable information from the likes of discarded letterheads, utility bills, old credit card receipts, printouts and reports etc. which may be of great assistance to them in a potential attack.
The act of obtaining more privileges on a computer than those for which the currently logged on user should be permitted, thereby enabling a malicious user to execute more powerful code than they're normally allowed to. The ultimate goal of someone attempting elevation of privilege is to obtain all the rights and privileges of the Administrator account or Root user. Elevation of privilege is usually accomplished by exploiting a weakness in a piece of vulnerable software.
A denial of service attack in which a user's email account is targeted by bombarding it with more email messages than it can handle, thereby curtailing or even preventing the acceptance and delivery of legitimate email messages. In some cases an entire email server may be targeted, thereby denying service to all the mail accounts on the server.
A feature of an email server which allows it to process messages on behalf of an external client. Spammers abuse this feature by hunting for email servers on which this feature has been left enabled ("open relays") and then using these servers to mass mail their junk messages to all and sundry at the owners' expense. The source of such relayed messages appears to be the owner of the open relay, a fact not overlooked by malicious attackers who can use the open relay to send out messages that could easily damage the owner's reputation for example. A properly configured email server will therefore usually have this capability disabled.
Simply, to count. Prior to an attack against a particular organisation or even an individual computer, an attacker is likely to enumerate the target for the number of open ports, IP addresses, DNS names, vulnerable services etc. before finally deciding on a specific attack vector.
A fake wireless access point or hot-spot, set up to masquerade as a legitimate one, usually with the purpose of stealing data from computers that connect to it in error. The technique is also sometimes referred to as WiPhishing.
As a noun, an "exploit" is a piece of malicious code specifically written to deliberately take advantage of a known vulnerability in a particular piece of software. Or, as a verb, it is to take advantage of a known vulnerability in a particular piece of software.
File binding:
Binding files allows two different programs to be launched from the same application. An attacker may bind a malicious program (such as a Trojan horse) to a game program for example. When an unsuspecting user runs the game program, the Trojan horse program bound to it is also executed and may be silently installed in the background.
File combining:
Combining allows a file of one format to be merged into a file of a different format. Changing the extension of the host file opens only the content associated with it. For example, a Microsoft Word document (document.doc) could be combined with a Microsoft Excel spreadsheet (sheet.xls) into a single file called document.doc. Opening document.doc will display the contents of the Microsoft Word document whilst the Microsoft Excel spreadsheet (sheet.xls) remains hidden. Changing the file extension from .doc to .xls will allow the Microsoft Excel spreadsheet data in sheet.xls to be displayed whilst hiding the content of the Microsoft Word document. Thus, file combining can be employed to hide data of one particular format within the format of another file.
File infector virus:
File mangling:
The art of modifying a file to hide the data it contains by making it difficult to read. There are several simple methods of mangling files, for example changing the file extension to one associated with a different application or modifying the Registry so that all files of a particular extension are associated with the wrong application and therefore appear to not open correctly.
Finger is a UNIX command that displays information about users on a computer. Obviously such information is useful to intruders as well as system administrators. On some computers, the finger command can be passed through from one machine to another. This is very useful for an intruder because it makes it appear as though the finger command has come from the last computer in the chain before the target, and not the originating computer, thus aiding the attacker to cover their tracks. Also, by malforming the finger command, a finger bomb can be constructed in which the target computer is instructed to finger itself repeatedly until its memory is exhausted and it stops responding, resulting in a denial of service.
From an attacker's point of view, this is to identify certain tell-tale characteristics of a potential target system in order to determine its Operating System or web and database server software for example so that an attack vector can be formulated. From an IT security perspective, fingerprinting involves identifying the tell-tale characteristics of a perceived attack so that the appropriate countermeasures can be deployed.
In a software program written in the C programming language, "format strings" are used to tell certain functions (like printf for example) within the program how they should read particular characters. A program which does not properly sanitise such characters before they are parsed by the program may be vulnerable to a so-called "format string attack". By inputting specially formatted commands to such a vulnerable program, the attacker may be able to cause the program to crash, thereby creating a denial of service, or they may be able to glean information from locations in the computer's memory to which they would not normally have access, or (as with a buffer overrun attack) they may be able to overwrite the program's code held in memory with their own code in order to make the program perform a different function.
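The same class of bug exists outside C: in Python, str.format resolves attribute lookups inside a placeholder, so a caller-supplied template can read fields the developer never meant to expose. The block below is an added example (not code from the page) showing that vulnerable pattern beside a hardened version that parses the template and allow-lists placeholders before formatting; the Config and Greeting classes and their field names are constructed for the illustration.

```python
import string
from dataclasses import dataclass


@dataclass
class Config:
    db_password: str            # constructed secret; must never appear in output


@dataclass
class Greeting:
    user: str
    cfg: Config                 # the object graph a template can wander into


ALLOWED_FIELDS = {"user"}       # the only placeholder a caller may use


def render_unsafe(template: str, ctx: Greeting) -> str:
    """Vulnerable pattern: caller-supplied text is used as the format string
    itself.  str.format resolves attribute lookups inside placeholders, so a
    template such as "{0.cfg.db_password}" reads data the developer never
    intended to expose, the same shape of bug as printf(user_input) in C."""
    return template.format(ctx)


class TemplateError(ValueError):
    pass


def template_is_safe(template: str) -> bool:
    """Parse the template before using it and accept only bare allow-listed
    names: no attribute or index access, no conversion flag and no format spec
    (a spec may itself contain nested placeholders)."""
    try:
        parsed = list(string.Formatter().parse(template))
    except ValueError:          # unbalanced braces
        return False
    for _literal, field, spec, conversion in parsed:
        if field is None:       # trailing literal text, nothing to check
            continue
        if field not in ALLOWED_FIELDS or conversion is not None or spec:
            return False
    return True


def render_safe(template: str, ctx: Greeting) -> str:
    """Hardened form: validate first, then format with an explicit mapping that
    contains only the allowed values, so the template never touches ctx itself."""
    if not template_is_safe(template):
        raise TemplateError("template contains a placeholder that is not permitted")
    return template.format(**{name: getattr(ctx, name) for name in ALLOWED_FIELDS})
```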
This is very similar to the so-called "Smurf attack" (see below) except that it uses UDP rather than ICMP.
Do you happen to recall from Gerry Anderson's famous Thunderbirds TV show how the International Rescue organisation managed to actually construct their fabulous machines without anybody realising what was going on? They sourced all the various components from different manufacturers who delivered all the bits and pieces individually and only when all the parts had arrived at their destination were they assembled into their final form. Well, when data is sent across the network between computers it must adhere to certain rules set by the network protocols involved, one of which usually determines the maximum size of the packages of data that can be transmitted. If an amount of data is sent that is larger than this pre-defined limit it can be broken up into smaller pieces, transmitted, and then re-assembled at its destination. By deliberately fragmenting or segmenting data in unusual ways, an attacker can sneak malicious code past some defences such as Intrusion Detection Systems because the individual pieces are not recognised as being threatening. Only when they are automatically re-assembled at their destination (probably the target computer) does the threat become apparent!
A program which attempts to input all possible (or a selected range of) unexpected values into a target system with the purpose of identifying vulnerabilities in that system. An attacker might use a fuzzer to reveal a buffer overrun vulnerability in a piece of software, for example.
To use the advanced and less well known features of the Google search engine to reveal sensitive data about a particular target or to identify potential targets for attack. Often, potential victims (or "googledorks") are blissfully unaware that such sensitive data has "leaked" onto the Internet from within their organisations and that it can be found by anyone who knows how to construct the more advanced search engine queries. Although originally confined to the Google search engine, Google hacking now applies to other search engines also.
I dare say that everyone who's ever used a web browser has seen an HTTP Error 404 (Page not found) before. A less well known HTTP error code is 302 (Moved temporarily). Web servers send clients (web browsers) an HTTP Error 302 when the web page that the browser is requesting appears to have been temporarily redirected to a different URL. Along with the HTTP Error 302, the web server also sends the client the new URL and the client browser is expected to go to this new URL straight away. Now, consider that, in certain circumstances, many Internet Search engines try to avoid indexing web pages that seem to contain the same content. They will (in an HTTP Error 302 situation for example) try not to index both the original web page and the one to which it has been temporarily redirected. Googlejacking is a method of exploiting this behaviour so that a web page in a search engine's listing is linked in the search engine's database to a URL that is not on the domain of the original page. For example, http://www.originalwebsite/content.htm could be Googlejacked so that anyone clicking on a link to this page in the search engine's listing is actually redirected to http://www.h-spot.net/content.htm. The original website description and title remain the same in the listing, but the link will be different. The upshot of this is that the original website's listing in the search engine is removed and is replaced with the Googlejacker's page which then gains the benefit of the increased traffic, whilst using the original website's content!
See Document grinding.
Traditionally a hacker was a person who enjoyed obtaining an in-depth knowledge of the intricacies of computer operation, software and communications. Nowadays, the term hacker has become synonymous with what used to be referred to as a cracker i.e. somebody who uses such knowledge for malicious or nefarious purposes. However, to help identify the good from the bad, hackers now sometimes affiliate themselves with one of three camps -
White Hat hackers are the good guys. People who enjoy finding out about how computers operate in depth and who will share their knowledge with Security professionals when they uncover potential weaknesses and vulnerabilities and help programmers and developers build better and more secure systems. In theory at least, a White Hat hacker wouldn't even dream of using their knowledge for illegal purposes.
The bad guys. No more or less skilled than the White Hats, Black Hats are unlikely to have any compunction about using their knowledge for personal gain, perhaps breaking into systems and stealing data, selling their knowledge and skills to criminals, perhaps deliberately damaging or breaking systems through some political or social motivation, or otherwise using their knowledge in some illegal fashion.
Grey Hats do not affiliate themselves with either White Hats or Black Hats. Whilst they may not necessarily use their own skills and knowledge for personal gain as a matter of course, they may nonetheless associate with the Black Hats on occasion. Equally, they may well assist the White Hats, the IT Security community and programmers and developers when they see fit. On occasion, they may even break into systems and damage or disable them if they feel that such an action is justified.
A variety of buffer overrun affecting a buffer contained within a memory object called a "heap". The heap is the memory space dynamically allocated to a program when it is launched and in which the program runs. When a buffer in the heap is overrun, it is known as a heap overflow.
A fake alert sent by email usually warning about a fictitious virus or some other bogus threat for the purposes of generating a panic. The chain-reaction of recipients forwarding the hoax to all the people in their address books causes email systems to become congested thereby slowing down or even preventing the delivery of legitimate mail.
A text file on a computer which maps host names to IP addresses. By deliberately entering false data into a hosts file, an attacker can force data to be sent to a computer other than the one for which it is intended, thereby jeopardising the authenticity, confidentiality and integrity of that data. Often, false Hosts file information is used to direct a web browser to a fake website rather than the legitimate one.
Hype and dump manipulation:
See Pump and dump scheme.
The fraudulent act of collecting sufficient personal information about an individual in order that their identity can be assumed for the purposes of carrying out some other illegal or malicious activity.
A small program written in the Java programming language which is usually intended to facilitate the addition of feature rich, dynamic and/or interactive content to web pages, although they can also be designed with malicious purposes. Java applets normally run within a "sandbox" i.e. they should not be able to access local resources on the computer which is running them. However, it is not unknown for vulnerabilities to be discovered and exploited which can allow malign Java applets to break out of their sandboxes and from there potentially compromise or otherwise damage a victim's system.
Falsifying the "From" or "Reply to" headers of email messages to make it appear as though they originated somewhere else for the purposes of damaging the reputation of the owner of the falsified address, usually by making it appear as if they're sending spam.
A program which does not cause any actual damage to a computer but which is designed to frighten or embarrass the user in some way. Several joke programs are quite widespread and have been known to cause a quantifiable disruption to people's work, and can therefore be considered to have caused damage to employers' businesses. As such, many of the more common joke programs are detected by today's antivirus software, even though they are not viruses.
A small program designed to generate serial numbers / registration codes for another piece of software so that it can be used, illegally, without having to pay for it. It's possible, though by no means always the case, that keygen programs may have some other malign intent or undesirable effects.
A program which monitors and records keyboard activity. Although there are legitimate uses for keyloggers, an attacker can use a keylogger program to steal usernames, passwords, bank account and credit card details for example and then use these in a "replay attack". Keyloggers are often included within the payload of Trojan horse programs.
An attack in which information is stolen/leaked from a cryptographic system over a Subliminal channel (see below) using an asymmetric backdoor which does not compromise the private keys or confidentiality of the encrypted messages being sent by the system's legitimate users. Such attacks are likely only possible when the cryptographic system's designer builds such a backdoor into the system.
Sending TCP network packets to a computer in which the SYN flag is set and in which the source address and port number are identical to the destination address and port number. In effect, the target computer is instructed to talk to itself. Older or un-patched systems can crash on receiving such data resulting in a denial of service.
Leet (derived from the term "elite") is a simple form of cipher in which certain letters that would normally be used to correctly spell out a particular word are replaced with alternative keyboard characters which vaguely resemble them. So, for example, the letters "A" and "a" might be represented as "4" and "@". Sometimes, more complexity is introduced by using multiple alternative characters. For example the letter "H" might be shown with a pipe-dash-pipe combination like this "|-|" and the letter "F" might be replaced with "PH" or even with a pipe-equal sign combination like this "|=". Sometimes, combinations of letters may be replaced with a single alternative character. The letters "ck" for example are sometimes replaced with the letter "x". It's also not uncommon to CaPiTaLiSe CoNSoNaNTS. Thus, the word "hacker" might be represented like this in leet: "|-|@X0R". However, there are no hard and fast rules and different users tend to adopt their own variations on the theme. It is not entirely clear exactly where or when leet was developed, but a widely held belief is that it was originally designed to elude automated systems which checked plain text documents and messages for obscenities or other "illegal" content. The word "porn" for example is often rendered as "pr0n" in leet. Nowadays, leet is more of a cultural phenomenon (rather like the form of mobile phone text messaging adopted by teenagers) perhaps most widely used by the online gaming community. The general concept has also been adopted by spammers so that their junk mail messages are less likely to be identified and blocked by spam filters. The line below reads: "This is an example of a sentence written in leet".
7|-|15 15 @|\| 3><@|\/|p13 ()|= 4 53|\|73|\|(3 \/\/R1773|\| 1|\| 1337
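As an added example (not code from the original page), the following is the kind of normaliser a spam filter needs in order to undo the substitutions described above before matching a word list. The glyph table is constructed from the conventions in the entry; multi-character glyphs are matched longest-first, and because a glyph such as "1" can stand for either "i" or "l", every spelling a word could have is enumerated and checked against a vocabulary.

```python
import itertools
from typing import Dict, List, Set, Tuple

# Glyph table constructed from the substitutions described in the entry above
# (an added illustration, not a table from the original page).  A glyph may
# stand for more than one plain letter, e.g. "1" is used for both "i" and "l".
LEET_GLYPHS: Dict[str, Tuple[str, ...]] = {
    "|\\/|": ("m",),
    "\\/\\/": ("w",),
    "|-|": ("h",),
    "|\\|": ("n",),
    "()": ("o",),
    "|=": ("f",),
    "><": ("x",),
    "ph": ("ph", "f"),
    "@": ("a",),
    "4": ("a",),
    "3": ("e",),
    "1": ("i", "l"),
    "0": ("o",),
    "5": ("s",),
    "7": ("t",),
    "(": ("c",),
    "x": ("x", "ck"),
}
# Longest glyphs first so that "|\/|" is tried before "|\|" and "()" before "(".
_GLYPHS_BY_LENGTH = sorted(LEET_GLYPHS, key=len, reverse=True)

# The sample sentence from the entry above.
LEET_LINE = r"7|-|15 15 @|\| 3><@|\/|p13 ()|= 4 53|\|73|\|(3 \/\/R1773|\| 1|\| 1337"


def tokenise(word: str) -> List[Tuple[str, ...]]:
    """Split one leet word into glyphs, returning the plain-letter candidates for each."""
    word = word.lower()
    tokens: List[Tuple[str, ...]] = []
    i = 0
    while i < len(word):
        for glyph in _GLYPHS_BY_LENGTH:
            if word.startswith(glyph, i):
                tokens.append(LEET_GLYPHS[glyph])
                i += len(glyph)
                break
        else:
            tokens.append((word[i],))   # ordinary character, kept as-is
            i += 1
    return tokens


def candidates(word: str, limit: int = 4096) -> Set[str]:
    """All plain spellings a leet word could stand for (bounded, since each
    ambiguous glyph doubles the number of combinations)."""
    combos = itertools.product(*tokenise(word))
    return {"".join(c) for c in itertools.islice(combos, limit)}


def normalise(text: str, vocabulary: Set[str]) -> str:
    """Rewrite each word to the candidate spelling that is a known word, so the
    result can be matched against an ordinary word list.  Words with no known
    candidate get the alphabetically first candidate, keeping output deterministic."""
    out = []
    for word in text.split():
        cands = candidates(word)
        known = sorted(cands & vocabulary)
        out.append(known[0] if known else min(cands))
    return " ".join(out)


def is_obfuscated(word: str, vocabulary: Set[str]) -> bool:
    """True when the word is only recognisable after leet substitution: a useful
    filter signal, since ordinary text rarely needs decoding."""
    return word.lower() not in vocabulary and bool(candidates(word) & vocabulary)
```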
A piece of malicious code contained within a legitimate program that is designed to execute should certain events occur. As an example, a programmer might write some software for his employer which includes a logic bomb to disable the software if he should have his contract terminated.
Easy prey. Systems or targets that are relatively simple to break into or crack. It's possible for an attacker to break into any system given sufficient time and resources, but hopefully after reading this document you'll be aware of the many threats that you need to protect your systems against so they'll not be considered low hanging fruit and an attacker will choose another target!
An item of software which is tightly interwoven with the TCP/IP network protocols used for communications between Windows computers. LSPs have the capability to access and modify all data entering or leaving a computer. Whilst LSPs have many legitimate uses, they are also becoming a firm favourite with the authors of malicious spyware.
The act of generating very large amounts of network traffic with randomly spoofed MAC addresses in order to exhaust the MAC address tables of the network's switches. This can have a number of beneficial effects from an attacker's perspective. Every device on a network has a MAC (Media Access Control) address which uniquely identifies it. The switches (which connect the network together) send any data that they receive to specific recipients based on the MAC addresses of the different devices which they have learned and which they hold in a table. If an attacker can exhaust the space available in the MAC address table of a switch, the switch may simply stop adding any new entries to its address table (which may lead to a denial of service) or it may "fail open" and start behaving like a hub instead of a switch. In the latter case, the switch will not send data to a specific recipient, but will send it to all the devices attached to it. This greatly aids an attacker who wishes to "sniff" all the data passing through the switch rather than just that destined for one particular machine.
See Email bomb.
An attack in which data communications between genuine parties are intercepted and compromised by an intruder, or "man-in-the-middle", without their knowledge or consent. This has a number of serious implications from a security point of view. Most obviously, the man-in-the-middle has compromised the confidentiality of any data passing between the legitimate parties. Secondly, the man-in-the-middle can actually pretend to be (or spoof) one or more of the legitimate parties so that the source and destination of the data can not be authenticated. Thirdly, the man-in-the-middle may modify the data he has intercepted before sending it on to the intended recipient(s) which means that the integrity of the data can not be trusted.
A generic term referring to any piece of software written with malicious intent or which has a malign purpose. Adware, spyware, viruses and Trojan horse programs, for example, are all types of malware.
See File mangling.
See 419 scam.
NOP Slide /
A common component of a buffer overrun attack in which many "NOPs" or Null Operations (often represented by the characters 0x90 in hexadecimal format) are inserted into the buffer prior to the malign code that the attacker wishes the vulnerable program to execute.
Own / Owns /
After an attacker has successfully broken into a computer and taken control of it, or has exploited a vulnerability in a web server to deface a website for example, he may claim that he "owns" it rather than the legitimate administrators or owners of the system.
Sometimes referred to as protocol analyzers, packet sniffers are programs designed to capture and record network traffic, ostensibly for diagnostic purposes. However, an attacker can use a packet sniffer to capture packets perhaps containing passwords, bank details, credit card numbers or other confidential or valuable information. A feature of packet sniffers is that they have the ability to switch the network adaptor of the host computer into promiscuous mode. With the network card in promiscuous mode, the packet sniffer can see all the network traffic on the segment of the network to which the host computer is connected and not just traffic destined for that particular machine.
The specific actions carried out by any item of malware or even a joke program once it has propagated to and/or successfully been installed on a host computer.
Pharming is similar to phishing, except that the fraud does not rely on bogus emails to entice recipients to visit a fake website. Instead, the fraudsters use cache poisoning or domain hijacking to direct users' web browsers straight to the fake website. Any details entered into the fake site may then be used by the fraudsters for identity theft.
The fraudulent act of sending bogus, spam emails (which appear to originate from a legitimate organisation) which entice the recipients to visit a fake website (which is an almost exact replica of the organisation's genuine site) for the purposes of gathering personal or sensitive financial information from them. For example, a phishing email might look exactly like a legitimate email from the recipient's bank and may request that the recipient confirm some personal details or visit the website to carry out some sort of transaction. On clicking the hyperlink in the email to take them to what they believe is their bank's real website, the email recipient will actually be directed to the bogus, phishing site, where any details they enter will be collected by the fraudsters and may subsequently be used for identity theft.
The act of breaking into a telephone network, often for the purpose of making free calls or to charge calls to another person's account, for example.
To ping a target computer with a very large number of packets, or with packets of a very large size, which the target computer can not handle effectively, therefore causing a denial of service.
The act of stealing data by connecting an Apple iPod to a network and copying information from the various network resources into the iPod's internal memory. The same technique can be used with many similar portable devices which nowadays feature increasingly large amounts of memory such as MP3 players, digital cameras and USB memory keys.
A supplementary and often unwanted window which is spawned by a script or active content on a website or perhaps by a process running on the host machine. In their malign form, pop-ups may contain undesirable or otherwise unwelcome content and may have design elements that make them difficult or impossible to close.
You've probably all seen the films where somebody needs to knock on a door with a special sequence of knocks (a "secret knock") in order to gain entry to some clandestine meeting. Port knocking is essentially the same idea except that it is used to access a computer which is not listening on any ports. Although the technique is not necessarily malign and is in fact used by many programs for legitimate security purposes, it is also increasingly being used by Trojan horse and backdoor programs. For example, a Remote Access Trojan (RAT) which uses port knocking lies dormant on the target computer which, for good security reasons, may have no ports open. But by supplying a series of connection attempts to specific closed ports in a specific order (the "secret knock") the Trojan wakes up, becomes active and starts listening on another port which is then opened, allowing an attacker to connect from a remote machine.
A program designed to rapidly search a range of IP addresses and report on the status of a particular port (horizontal port scanning) or to search and report on the status of a range of ports on a particular machine (vertical port scanning). A port is basically a connection address (defined between 0 and 65535 for both the TCP and UDP protocols) which allows programs on different computers to communicate with one another. For example, client web browsers will usually connect to web servers on port 80. A port can be in one of three states - "open", in which case it will allow a connection to the target computer; "closed", in which case it will not allow a connection but the target computer reports it as such; and "stealth", where the target computer does not respond on the status of the port at all and is effectively invisible to the port scanner on that port. Identifying open ports with a port scanner is often a potential intruder's first step in formulating an attack.
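Both the vertical and horizontal scans described above, and the MAC flooding entry earlier, leave the same footprint in logs: one source touching far more distinct ports, hosts or addresses than normal traffic ever does. The block below is an added example (not code from the page) of detection logic run over constructed connection records and switch frames; the record layouts, interface names, addresses and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Record layouts constructed for this example, not taken from the original page.
ConnRecord = Tuple[str, str, int]      # (source IP, destination IP, destination port)
Frame = Tuple[str, str]                # (switch port, source MAC)


def classify_scans(records: Iterable[ConnRecord], threshold: int = 10) -> List[Tuple[str, str, str]]:
    """Flag sources whose connection pattern looks like a port scan.

    vertical:   one source probes many distinct ports on a single host
    horizontal: one source probes the same port across many hosts
    The threshold is the number of distinct ports/hosts before an alert is raised."""
    ports_per_host: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    hosts_per_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for src, dst, port in records:
        ports_per_host[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    alerts: List[Tuple[str, str, str]] = []
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            alerts.append(("vertical", src, dst))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            alerts.append(("horizontal", src, f"port {port}"))
    return sorted(alerts)


def detect_mac_flood(frames: Iterable[Frame], capacity: int = 64) -> List[str]:
    """Flag switch ports on which far more distinct source MACs appear than a
    normal access port (a handful of hosts) could legitimately produce; a stream
    of random source MACs is exactly what fills a switch's address table."""
    macs_per_port: Dict[str, Set[str]] = defaultdict(set)
    for port, mac in frames:
        macs_per_port[port].add(mac)
    return sorted(port for port, macs in macs_per_port.items() if len(macs) > capacity)


def sample_connections() -> List[ConnRecord]:
    """Constructed traffic: two normal connections, a vertical scan of 10.0.0.5
    and a horizontal sweep of port 80 across the subnet, both from 10.0.0.99."""
    normal = [("10.0.0.7", "10.0.0.5", 443), ("10.0.0.7", "10.0.0.5", 80)]
    vertical = [("10.0.0.99", "10.0.0.5", port) for port in range(1, 40)]
    horizontal = [("10.0.0.99", f"10.0.0.{host}", 80) for host in range(1, 30)]
    return normal + vertical + horizontal


def sample_frames() -> List[Frame]:
    """Constructed frames: one quiet access port and one port emitting 500
    distinct (synthetic) source MACs."""
    quiet = [("Gi1/0/3", "00:11:22:33:44:55")] * 20
    flood = [("Gi1/0/12", f"02:00:00:00:{n >> 8:02x}:{n & 0xff:02x}") for n in range(500)]
    return quiet + flood
```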
See Collision attack / Preimage attack.
A small piece of exploit code released to prove the existence of a newly discovered vulnerability in a piece of software.
See Packet sniffer.
Pump and dump scheme:
A scam whereby fraudsters make deliberately over-hyped and misleading statements about the potential worth of a certain financial market stock in order to encourage investors to buy and therefore "pump up" the share price. The fraudsters then quickly sell (or "dump") their cheaply obtained stock and make a large profit. At this point the share price often falls and other investors who fell for the scam lose their money. This type of scam is frequently perpetrated via spam emails.
In its simplest form, this is where two processes in a software program access a shared resource on a computer at the same time but are dependent upon each other to complete their task. Obviously they can't both complete their task first and so neither of them will, possibly causing the application or the computer to become unstable or crash. Such conditions often arise as a result of a mistake or oversight in the programming of the software and might present a potential vulnerability that an attacker may seek to exploit.
See Trojan horse.
Many websites have statistics pages which show things like how many visitors have looked at the site, how much bandwidth has been consumed, what the most popular pages are, and so on. They also show the URLs of sites that visitors have come from (referrers). Many websites leave these pages open for public viewing and they may also be indexed by search engines. Referrer spam is the name given to bogus referrer entries in legitimate websites' statistics pages. These bogus entries are deliberately generated by the owners of malicious or otherwise disreputable websites for the purposes of increasing their search engine rankings and thereby enticing more visitors to those sites.
The act of replaying captured data, such as logon credentials previously recorded with a keylogger program for example, in order to fool a system into authenticating an intruder as a legitimate user.
The practice of taking something to pieces to see how it works and then re-assembling it in a different way to form a variation of the original product or item. For example, large corporations may attempt to reverse engineer a competitor's product in order to discover the competitor's clever solution to a tricky problem, or a military organisation may attempt to discover how an adversary's new weapon works by reverse engineering it so that it can develop its own version. From the perspective of threats to Information Technology, reverse engineering often applies to original pieces of copyrighted software which may be "cracked" by reverse engineering them and reassembling them without the copyright/registration components so that they can be used free of charge, albeit illegally. Many so-called "crackz" or "warez" software have been reverse engineered in this way. It should also be borne in mind that such reverse engineered software may also have had some malicious components added.
Reverse social engineering:
Whereas social engineering (see below) relies on an attacker identifying and approaching potential victims, reverse social engineering involves the attacker creating an assumed air of authority or knowledge such that potential victims will actually approach him. For example, an attacker might be aware that a potential victim is investigating the purchase of a particular product or technology. If the attacker pretends to be a supplier or consultant with expertise in that particular area, it's possible that the victim may approach him for help or advice and thus be less guarded in divulging information that will be useful in the attack.
The term "root" has a number of different meanings. As a noun, it can mean the topmost level of a directory tree, but, more importantly from a security point of view, "root" is the name given to the ultimate administrative account on UNIX/Linux type computers. Sometimes called the Superuser, the root account is the single most powerful account on the machine. As a verb, "root" means to break into a computer and take control of it as though you were the administrator or root account user. A computer which has been compromised in this way may be said to have been "rooted".
Traditionally, a set of software utilities designed to run specifically on UNIX/Linux type computers and assume control of them as the root user without the knowledge or permission of the owner. More recently, the term has been broadened to encompass kits of software utilities that are able to hide files, folders, programs or processes on any type of computer and allow them to evade detection by the computer operator. In its more recent sense, at least four different types of rootkit have been identified by Windows specialists, Sysinternals:
Activates automatically without user intervention every time the system boots or a user logs in and stores its code in some permanent location such as the file system or Registry.
Does not store its code in a permanent location and therefore does not survive a reboot.
Avoids detection by a variety of techniques, such as intercepting various API calls and modifying their output. For example, a user-mode rootkit might intercept a command to list the contents of a directory and modify its output so that files which might alert the user to the rootkit's presence are removed from the listing.
Have the ability to avoid detection by directly manipulating kernel-mode data. For example, a kernel-mode rootkit might avoid detection by removing its own entry from the kernel's list of active processes. Thus, it will not be revealed by tools such as Windows Task Manager for example.
For those that remember the movie Superman III, this is akin to the crime that Gus Gorman (Richard Pryor) committed when defrauding his employers. In relation to financial IT systems, it involves rounding-down very tiny amounts of money (excess fractions of a penny, say) from multiple accounts in the anticipation that no one will notice. All the proceeds from the rounding-down exercise are then deposited in a single, separate "dummy" account which can then be cleaned out by the fraudster.
Sometimes referred to as "screen grabbing" or "screen capturing", this refers to taking a snapshot image of whatever is being displayed on a computer's monitor. Being able to take a snapshot of a computer screen obviously has legitimate uses, but lately these techniques are being increasingly adopted by the authors of malicious software in the attempt to steal sensitive or confidential data, often for the purposes of identity theft.
An incompetent hacker or cracker who relies on code that has been pre-built into software programs or scripts by others so that it can be run at the click of a button. Script kiddies do not have the skill to develop any code for themselves and, moreover, probably do not even understand the concepts involved.
Whereby an attacker commandeers a TCP Session from a legitimate user after the legitimate user has achieved authentication, thereby removing the need for the attacker to authenticate himself.
A short segment of assembly language, used by an attacker as part of an exploit, in order to instruct the target system to perform some action. For example, an attacker will likely employ shellcode in a buffer overrun attack on a particular software program so that the shellcode is executed in place of the program's own code.
The act of peering over someone's shoulder whilst they are typing sensitive information into a computer or cash dispenser for example, in order to learn that information. Such information might include logon details or account numbers, for example.
More recently this term has been used to describe the act of illicitly reading the information from an RFID tag (contained in a modern passport or smartcard, for example) from a distance. The term has also been used to describe the act of making a copy of the information contained in the magnetic stripes of items such as credit cards for the purposes of cloning them. Also see Carding.
An attack in which large volumes of ICMP Echo Requests (pings) are broadcast to all the other machines on the network and in which the source address of the broadcast has been spoofed to appear as though they came from the target computer. When all the machines that received the broadcast reply, the target can become flooded with more data than it can handle and a denial of service may result. Also see Fraggle attack.
In its simplest sense, snarfing is the copying of a large amount of data across a network from one computer to another. However, the term is very often applied when such copying is performed without the owner's consent in order to steal the data. "Pod slurping" and "Bluesnarfing" are both forms of snarfing activity.
See Packet Sniffer.
Whereby an attacker will engender a sense of trust in a potential victim, lulling them into a false sense of security so that they voluntarily reveal information or perform some action that will be useful in the attack. For example, an attacker might call an organisation's Help Desk pretending to be a legitimate user and ask for his password to be reset, thereby enabling him to log straight in to the organisation's system without the need to break in. Also see Reverse social engineering.
The act of the originator (or source) specifying the exact route that packets of data will take across the network. Normally, when data is sent across the Internet for example, intermediate devices known as routers will determine the path that the data should take on its way to its destination. With source routed packets, the sender specifies this path. Although source routing is not malign in itself, an attacker can use the technique to his advantage in a number of ways. For example, a target computer may not normally be reachable from the attacker's location, but may be reachable from another, intermediate device. By source routing the packets via the intermediate device, the attacker can reach his target. The technique can also be used to make it appear that the target computer is communicating with one particular machine when, in fact, it is communicating with the attacker.
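The LAND, Smurf, Fraggle and source-routing entries above each describe a packet with a recognisable shape, which is how a firewall or intrusion detection system spots them. The block below is an added example (not code from the page) that checks constructed packet summaries for those four signatures; the packet dictionary layout, the local subnet and the sample addresses are assumptions made for the illustration, while the option numbers and service ports are the standard IPv4 and UDP values.

```python
import ipaddress
from typing import Dict, List, Sequence, Tuple

Packet = Dict[str, object]   # constructed packet summaries (see sample_packets)

LSRR, SSRR = 131, 137        # IPv4 option types for loose / strict source routing
UDP_AMPLIFIERS = {7, 19}     # echo and chargen: the UDP services a Fraggle attack bounces off
ICMP_ECHO_REQUEST = 8

# Local subnet assumed for this example.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_broadcast(addr: str, local_nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """True for the limited broadcast address or the directed broadcast of any local subnet."""
    ip = ipaddress.ip_address(addr)
    return ip == ipaddress.IPv4Address("255.255.255.255") or any(
        ip == net.broadcast_address for net in local_nets)


def is_land(pkt: Packet) -> bool:
    """LAND: a SYN whose source and destination address and port are identical."""
    return (pkt["proto"] == "tcp" and "S" in str(pkt.get("flags", ""))
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_smurf(pkt: Packet, local_nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """Smurf: an ICMP echo request aimed at a broadcast address, so that every
    host on the segment replies to the (spoofed) source."""
    return (pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and is_broadcast(str(pkt["dst"]), local_nets))


def is_fraggle(pkt: Packet, local_nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """Fraggle: the same idea over UDP, against broadcast and a service that answers."""
    return (pkt["proto"] == "udp" and pkt["dport"] in UDP_AMPLIFIERS
            and is_broadcast(str(pkt["dst"]), local_nets))


def is_source_routed(pkt: Packet) -> bool:
    """The sender has dictated the path via an IP source-route option."""
    return any(opt in (LSRR, SSRR) for opt in pkt.get("ip_options", []))


def classify(pkt: Packet, local_nets: Sequence[ipaddress.IPv4Network]) -> List[str]:
    """All signature names that a single packet matches (normally none)."""
    tags: List[str] = []
    if is_land(pkt):
        tags.append("land")
    if is_smurf(pkt, local_nets):
        tags.append("smurf")
    if is_fraggle(pkt, local_nets):
        tags.append("fraggle")
    if is_source_routed(pkt):
        tags.append("source-routed")
    return tags


def analyse(packets: Sequence[Packet], local_nets: Sequence[ipaddress.IPv4Network]) -> List[Tuple[int, List[str]]]:
    """(index, tags) for every packet that matched at least one signature."""
    return [(i, tags) for i, pkt in enumerate(packets) if (tags := classify(pkt, local_nets))]


def sample_packets() -> List[Packet]:
    """Constructed capture: one packet per signature, then a benign connection."""
    return [
        {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139, "flags": "S"},
        {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.255", "icmp_type": ICMP_ECHO_REQUEST},
        {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.255", "sport": 7, "dport": 7},
        {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "sport": 40000, "dport": 22,
         "flags": "S", "ip_options": [LSRR]},
        {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.5", "sport": 51234, "dport": 443, "flags": "S"},
    ]
```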
The electronic equivalent of junk mail or, as a verb, the sending of such. Thanks to the availability of huge email address databases and the relatively small cost of sending emails (particularly when open relays are used), spam is a lucrative business and now accounts for the majority of all email messages! Recent evidence suggests that some spammers have now teamed up with virus writers so that even more spam can be sent, using the infected computer to send spam to all the email addresses contained in a user's address book for example. Spam gets its name from the Monty Python sketch and associated song: "Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam..."
SPIM (Spam over Instant Messaging):
Spam sent via instant messenger type programs rather than via email.
SPIT (Spam over Internet Telephony):
Spam sent via Voice over IP (VoIP) telephony systems rather than via email.
Splog (Spam Blog):
A fake blog, often containing a mixture of nonsense text and/or articles "scraped" from legitimate sites, used to advertise and link to affiliate websites for the purposes of increasing traffic to those sites and improving their search engine rankings which in turn will help to generate income for the owner of the splog. Splogs may also be used to advertise malicious websites, enticing potential victims to visit them.
To falsify one's identity or the identity of a computer. For example, an intruder may spoof the IP address of the computer from which he is launching an attack in order to cover his tracks or to make it appear that another, innocent party is responsible. Often, spammers will spoof the email address from which their junk mails are being sent so that they are more difficult to track down or take action against.
A generic term referring to a class of software that monitors a user's actions, perhaps tracking which web sites the user visits, for example, and which logs and reports this behaviour. Sometimes, spyware will be installed with a companion adware program. Whilst the spyware program logs and reports on the user's activity, the adware program will display targeted pop-up advertisements and advertising banners based on that activity.
The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database.
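As an added illustration (not code from the original glossary), the constructed login check below shows the difference the entry describes: the same query written by string concatenation, where the input becomes part of the SQL statement, and as a parameterised query, where the input is only ever compared as data. The table, credentials and inputs are all made up for the example.

```python
import sqlite3

# Constructed sample table; the username and password are placeholders, not real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: quotes and operators in the input
    become part of the statement and change what the database evaluates."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_hardened(conn, username, password):
    """Uses a parameterised query: the driver sends the statement and the
    values separately, so the input can never alter the query's logic."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    unexpected = "' OR '1'='1"   # constructed "malformed or unexpected data"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_hardened": login_hardened(conn, "alice", "correct-horse"),
        "unexpected_vulnerable": login_vulnerable(conn, "nobody", unexpected),
        "unexpected_hardened": login_hardened(conn, "nobody", unexpected),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

In the concatenated version the unexpected input turns the WHERE clause into "... AND password = '' OR '1'='1'", which is true for every row, so a user is returned without a valid password; the parameterised version returns nothing.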
A common variety of buffer overrun affecting a buffer contained within a memory data structure called a "stack". The stack can literally be thought of as a waiting-list of processes that need to be carried out. The processes are dealt with on a LIFO (Last In First Out) basis. Processes that are lower down in the stack are dependent upon those higher up to complete their designated tasks. As such, new processes are "pushed" onto the top of the stack, acted upon, and then "popped" off, whereupon the next process in the queue reaches the top of the stack so that it, in turn, can be dealt with. When a buffer in the stack is overrun, it is known as a stack overflow. An attack of this nature is sometimes referred to as "smashing the stack".
The art of concealing a hidden message within some other medium. Unlike cryptography (where the presence of an encrypted message is obvious to everyone, but its meaning is obfuscated) with steganography the very existence of the message itself is obscured. The basic concepts of steganography were first written about by Aeneas the Tactician over 2000 years ago but a good example we're probably all familiar with today is that illustrated in lots of the old wartime spy movies of the 30's and 40's: A secret agent receives some written communication such as a letter, newspaper article or book, for example, which appears at first glance to be entirely innocent; but by placing a special template over the writing, much of the text is masked leaving only some of the letters revealed and which spell out a secret message. From an IT perspective, steganographic techniques can be used to hide data inside otherwise innocent looking files. Steganography is not a malicious practice in itself of course and it has many legitimate uses, but it is worth considering that a person with malicious intent could use such techniques to form a covert communications channel and attackers could use similar methods to hide malicious code inside other, apparently harmless files. Steganography is sometimes referred to as "steg" for short. The practice of attempting to detect steganography is known as steganalysis.
A type of Covert communications channel (see above) that specifically refers to sending data into or out of a cryptographic system.
An attack which compromises the process by which computers establish a two-way connection. The normal process is known as a three-way handshake and works like this: Computer A attempts to connect to Computer B by sending it a TCP network packet in which the SYN (Synchronise) flag is set. Computer B replies with a packet containing flags which acknowledge (ACK flag set) the SYN from Computer A and which also has its own SYN flag set, thereby asking Computer A to synchronise with it in the opposite direction. Computer A then completes the three-way handshake by sending a packet which acknowledges (ACK flag set) Computer B's SYN. Thus both computers have synchronised with and acknowledged each other and two-way communication is established. In a SYN flood attack, the attacking computer sends multiple SYN packets to the target (which responds with a SYN/ACK) but it never completes the three-way handshake with the final ACK. If sufficient numbers of SYN packets can be sent to the target fast enough, a denial of service may result because other legitimate traffic may not be able to reach the flooded computer.
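As an added example (not part of the original glossary), the code below replays the three-way handshake over a constructed packet trace, following each client/server pair through SYN_SENT, SYN_RECEIVED and ESTABLISHED, and then counts the connections a server has left half-open; a large number of those is the signature a defender looks for. The addresses, the trace and the threshold of 20 are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed trace of (source, destination, flags); "S" = SYN, "SA" = SYN/ACK,
# "A" = ACK. One legitimate client completes the handshake; fifty other sources
# send a SYN, receive a SYN/ACK and never answer. Addresses are documentation ranges.
SERVER = "192.0.2.10"
PACKETS = [
    ("10.0.0.5", SERVER, "S"),
    (SERVER, "10.0.0.5", "SA"),
    ("10.0.0.5", SERVER, "A"),
]
PACKETS += [("203.0.113.%d" % i, SERVER, "S") for i in range(1, 51)]
PACKETS += [(SERVER, "203.0.113.%d" % i, "SA") for i in range(1, 51)]

def track_handshakes(packets):
    """Return the handshake state of every (client, server) pair seen in the trace."""
    state = {}
    for src, dst, flags in packets:
        if flags == "S":                                   # client -> server
            state[(src, dst)] = "SYN_SENT"
        elif flags == "SA" and state.get((dst, src)) == "SYN_SENT":   # server -> client
            state[(dst, src)] = "SYN_RECEIVED"
        elif flags == "A" and state.get((src, dst)) == "SYN_RECEIVED":  # client -> server
            state[(src, dst)] = "ESTABLISHED"
    return state

def half_open_per_server(packets):
    """Count, per server, the connections stuck waiting for the final ACK."""
    counts = defaultdict(int)
    for (client, server), s in track_handshakes(packets).items():
        if s == "SYN_RECEIVED":
            counts[server] += 1
    return dict(counts)

def syn_flood_suspects(packets, threshold=20):
    """Servers whose half-open connection count reaches the (assumed) threshold."""
    return [srv for srv, n in half_open_per_server(packets).items() if n >= threshold]

if __name__ == "__main__":
    print(half_open_per_server(PACKETS))
    print(syn_flood_suspects(PACKETS))
```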
As a noun, this is a device which monitors the transmission of data along network lines or, as a verb, the use of such a device. Just like telephone "wiretapping", the device is usually secreted somewhere on the network in between the computers which are communicating with one another. There are several different types of tap:
One in which a physical connection exists between the tap and the network to which it is listening or in which the network connection needs to be momentarily broken in order to install the tap.
One in which no physical connection exists between the tap and the network to which it is listening or in which the tap can be installed whilst the network is live, with no need to make a momentary break in communications. Data may instead be picked up by the use of an induction loop or antenna which can detect the electrical signals passing along the network cables, for example. This type of tap is also sometimes referred to as a vampire tap.
One which simply listens to and logs the received data without affecting the transmissions in any way.
One which listens to and logs the original data and also alters the transmitted signal in some way.
See Christmas tree attack/scan.
As mentioned above in Fragment/Segment attack, it is sometimes necessary to break up large packets of data into smaller fragments before they can be sent across the network. Each of these fragments contains information that describes their position in the original, unfragmented packet, so that when the fragmented data arrives at its destination it can all be re-assembled in the proper order. In a teardrop attack, that positional information is deliberately falsified so that the fragments overlap. This can make some machines crash, thereby causing a denial of service. Also see Unnamed attack.
See Data Miner.
A program which has some hidden, malign purpose, other than the one it purports to have. For example, a program which claimed to be a game but which also secretly installed some spyware or adware components on a user's computer would be considered to be a Trojan horse program, because the real purpose of the program was to install the malware and not to provide an entertaining game for the user. Commonly, a so-called Remote Access Trojan (or RAT) may open a backdoor on a computer allowing an intruder to connect without the user's knowledge or consent. The name is taken from the legend in which the Greeks built a large wooden horse with the pretence that it was a peace offering for their foes, the Trojans. The Trojans accepted the gift and carried it into their, erstwhile impregnable, city of Troy. Little did they realise, until it was too late, that the wooden horse was hollow and that the Greek army was concealed inside!
UDP (User Datagram Protocol) is one of the main protocols used for sending data across the Internet. Unlike TCP (Transmission Control Protocol) it does not provide any means of checking that packets of data have arrived at their destination. By sending UDP packets with deliberately malformed information in the headers, some types of UNIX computers can be made to "panic" and crash. By sending large volumes of such packets (a UDP bomb) a vulnerable computer can be caused to reboot constantly thereby causing a denial of service.
The strangely titled "unnamed attack" is very similar to the "Teardrop attack" described above, except that in this case the positional information required to re-assemble the fragmented packets is deliberately falsified so that there are gaps between the fragments, rather than overlaps.
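The Teardrop and Unnamed attack entries above both turn on the positional information in fragment headers. As an added example (not from the original glossary), the check below walks a set of constructed fragments in offset order, modelling the IPv4 fields (offset in 8-byte units, a More Fragments flag on all but the last) and reports whether they reassemble cleanly, overlap, or leave a gap; the fragment sets are made up for the example.

```python
# Constructed fragment sets as (offset_units, more_fragments, payload_bytes).
NORMAL = [(0, 1, 1480), (185, 1, 1480), (370, 0, 1040)]   # 1480 bytes = 185 units
TEARDROP = [(0, 1, 1480), (100, 0, 1000)]  # claims to start at byte 800, inside the first
UNNAMED = [(0, 1, 1480), (200, 0, 1000)]   # claims to start at byte 1600: 120-byte hole

def check_reassembly(fragments):
    """Return "ok", "overlap" (teardrop), "gap" (unnamed attack), "incomplete"
    or "malformed" for a list of fragments belonging to one original packet."""
    frags = sorted(fragments, key=lambda f: f[0])
    expected = 0          # byte at which the next fragment must begin
    for i, (offset_units, more, length) in enumerate(frags):
        last = i == len(frags) - 1
        if length <= 0 or (more and length % 8):   # non-final payloads are 8-byte multiples
            return "malformed"
        if not more and not last:                  # a "final" fragment that is not last
            return "malformed"
        offset = offset_units * 8
        if offset < expected:
            return "overlap"
        if offset > expected:
            return "gap"
        expected = offset + length
        if more and last:                          # ran out of fragments before the end
            return "incomplete"
    return "ok"

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("unnamed", UNNAMED)):
        print(name, "->", check_reassembly(frags))
```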
The act of forcing a web browser to display a URL other than the correct one for the website which the browser is actually displaying. For example, clicking on a specially crafted hyperlink in a phishing email might not only open the phishing site itself (which could look just like the genuine website) but it may also cause the web browser to show the genuine site's URL in the address bar, making it even less likely that the user will realise they are not viewing the legitimate site.
The mechanism by which an attack is propagated.
Traditionally, "a program that is able to infect other programs by modifying them to include a possibly evolved copy of itself" - Dr. Frederick Cohen. A virus may do little more than replicate itself in this way, although it is more likely to contain some form of malicious payload. Nowadays, the term "virus" is generally used to cover many different forms of malicious software, including true viruses, worms, Trojan horse programs and even some types of spyware and adware. Today, many different categories of virus have been defined, including:
A virus which infects the boot sector or partition table of a disk. Computers are most often infected with this type of virus after being started with an infected boot floppy or CD.
Also known as a "Satellite" virus, this does not actually modify the code of the target program, but is hosted by an infected copy of the target which is placed ahead of it on the execution path. This is achieved by giving the infected version the same name as the target program, but with a file extension of higher priority. For example, if the user of a PC running Microsoft Windows attempts to run a file called myprogram, the computer will look to run a file called myprogram.bat or myprogram.com or myprogram.exe in that order. Therefore, a companion virus which targets the myprogram.exe file would create an infected copy called myprogram.bat or myprogram.com so that it gets run instead of the real program.
A virus that uses asymmetric encryption techniques and includes a public key in its payload. Usually, the private key of the asymmetric key pair will be retained by the virus author/attacker so that only he can decrypt the data that was encrypted with the corresponding public key contained in the virus. The concept could equally be applied to Worms or Trojan horse programs giving us "Cryptoworms" and "Cryptotrojans" respectively. Such malware would commonly be used for extortion, whereby data on a victim's hard disk is encrypted and held to ransom.
The traditional type of virus which infects .com .exe or other executable files.
A virus, very often written in Visual Basic, which is triggered when a parent application performs some action on an infected document. A macro virus contained in a .doc file might be triggered when the parent application (Microsoft Word, say) opens, closes or saves the file, for example.
A virus which has the capability to infect a computer's boot sector, partition table and/or its executable programs. It therefore has the characteristics of both "boot sector" and "file infector" viruses.
A virus which has the ability to alter its appearance. The body of a polymorphic virus has two basic parts - the executable part (which is encrypted) and the decryptor (which is used to decrypt the executable part so that it can be run). By using a variety of techniques the appearance (but importantly, not the basic functionality) of the decryptor can be altered, greatly assisting the virus in evading detection by antivirus software.
Vishing (Voice Phishing):
Similar to phishing (see above), vishing involves enticing victims to ring a telephone number and hand over personal information which is recorded by fraudsters and may subsequently be used to steal the victim's identity.
A flaw, bug or programming error in a piece of software which may be exploitable by an attacker to carry out some malicious act.
Just as many utility companies, prior to undertaking some act of maintenance, place temporary chalk markings on buildings, roadways and pavements etc. to signify the location of telephone/electricity cables or gas/water mains for example, war chalking is the malicious act of marking similar symbols which signify to others the nearby presence of an unsecured wireless network access point, beacon or hotspot. Such resources may then be the subject of attack or be used to obtain free network resources or Internet access, for example.
A program designed to automatically call a range of telephone numbers and log those that respond in a given way so that an attacker can identify potential entry points to computer or telecoms systems. A phreaker, for example, could use a war dialler to identify PBX (Private Branch Exchange) telephone numbers by the tones with which they respond when they receive the call.
The act of driving around in a car with a laptop (or even handheld/palmtop) computer configured to discover wireless access points/beacons/hotspots. Once a list of access points has been discovered, they may become subject to further attack, often for the purposes of obtaining free network resources such as Internet access, but sometimes (especially where corporate organisations are concerned) for the purposes of breaking into the network to perform some other malicious act.
Software products which have been illegally cracked or reverse engineered to produce fully-functioning versions which can then be used without the requirement to register or pay for them. Whilst it might seem tempting to use such products, it should be borne in mind that they may have had other modifications made to them, such as the addition of a backdoor component for example, which may have undesirable effects.
See Evil twin.
A program which copies itself between computers across a network. Unlike viruses, worms exist as stand-alone programs in their own right and do not infect other, "host" programs in order to replicate. A worm may do nothing more than make copies of itself, but frequently it will also carry some type of harmful payload. Nowadays, worms most commonly propagate via email and are often used to distribute spam, phishing emails, viruses, Trojan horse programs and other forms of malware.
See Christmas Tree attack.
See Cross-Site request forgery.
See Cross-Site scripting.
When a vulnerability in a piece of software is announced at the same time as the relevant exploit code is made available. Traditionally it was common for there to be a gap of several weeks or even months before code appeared to exploit a previously announced vulnerability, allowing vendors a period of grace in which to develop a fix and for end-users to patch their systems. More recently, that time difference has been eroded until, now, there is often no difference at all, or "zero days".
A computer which has been taken over by an intruder and which can be used to attack other computers or websites, all without the knowledge or consent of the owner. A zombie might exist as an individual computer or be just one machine in a whole zombie network (or botnet) containing multiple computers which can be wielded en masse to perform a distributed denial of service attack for example. Sometimes, there may be several tiers of zombie computers, where relatively few higher level computers (or zombie masters) are used to control the many zombies below them.
DNS (Domain Name System) is used to map host names to IP addresses. Where an organisation has only one DNS server for example, that server will hold records for both public machines and those on the organisation's internal, private network. An attacker targeting such a server may attempt a Zone Transfer in which all the DNS information held by the server can be downloaded. If this is successful, the attacker will learn a great deal of information about the structure of the organisation's internal, private network.
© J. R. Haythorne, 2000-2017. All Rights Reserved