Don't know your ARP from your Elbow?
Sun Tzu said in "The Art of War":
"If you know the enemy and know yourself, you need not
fear the results of a hundred battles"
"If you know yourself but not the enemy, for every victory gained
you will also suffer a defeat"
"If you know neither the enemy nor yourself, you will succumb in
every battle"
The purpose of this document is to explain, in plain English, many of the terms routinely used by Hackers, Crackers (and even IT Security professionals) when talking about the varied threats, potential attacks and types of malign software faced by today's computer users. It does not describe how to carry out any attacks, nor does it tell you how to protect yourself against them, but it does try to provide a simple explanation of what these threats actually are, so that you at least understand what it is that you need to protect yourself against!
0day:
See Zero day.
419
scam:
Otherwise known as Advance Fee Fraud, the 419 scam takes its name from Section 419 of the Nigerian Criminal Code, which covers this kind of fraud, although the perpetrators of such scams are by no means any longer confined to Nigeria.
There are several variations on the theme but the scam is generally
conducted via the spamming of potential victims by email.
These emails will often purport to come from a legal firm,
financial institution, or perhaps the relative of a deceased
political leader or wealthy businessman for example. The
email will spin a beguiling story about the existence of a vast
fortune which is tied up in some kind of legal or financial limbo
but which can be liberated, so the scammers claim, with the
victim's assistance (often the provision of details of a bank
account in the victim's home country into which the fortune will
supposedly be deposited). As a reward for their help
the victim is promised that they can keep a substantial share of
the loot! However, at some point during the proceedings the
scammers will contact the victim claiming some kind of
administrative problem which can be overcome if the victim will
send them a sum of money to grease the wheels - this is where the
"advanced fee" fraud comes in. If the victim falls for this
the scammers will continue to make similar requests, often teasing
the victim by claiming that just one more payment will be enough to
liberate the fortune. Of course there is no fortune and the
victim has lost their money!
ActiveX
control:
ActiveX is a set of Microsoft technologies, built on COM, that allow software components to share information and functionality between different applications. ActiveX controls are one implementation of these technologies and are generally intended to add feature-rich, dynamic and/or interactive content to web pages viewed in Internet Explorer. Unlike Java applets, which often perform a similar function but run inside a sandbox, an ActiveX control runs as native code with the full privileges of the logged-on user and is thus far more powerful - and potentially dangerous. An ActiveX control designed with malicious intent (or a legitimate one with an exploitable flaw) could completely compromise or disable a victim's system, which is why the browser prompts before installing one and why controls are digitally signed to identify their publisher.
Address bar
spoofing:
Faking a web browser's address bar with images and text
so that it appears to display a legitimate URL when the browser is
in fact displaying a different page entirely. Thus, a
browser's address bar may seem to read http://www.mybank.com when
in fact the website being displayed is
http://www.fakebank.com.
Advance fee
fraud:
See 419 scam.
Adware:
A generic term referring to a class of software
that causes a victim's web browser to display annoying pop-up
advertisements and advertising banners. Sometimes adware may
be installed in conjunction with a companion spyware program.
Whilst the spyware program tracks and reports on the user's web
browsing behaviour, the adware program provides targeted
advertisements based on that behaviour.
Alternate data
stream:
A feature of the NTFS file system that allows a normal, visible file or directory to carry one or more additional named streams of data alongside its main (unnamed) content. These extra streams do not appear in Windows Explorer and are not counted in the file size it reports, which makes them attractive for a variety of malicious purposes: as a covert communications channel, as a place to hide information for later retrieval, or to conceal an executable virus or Trojan horse from antivirus software that only scans the main stream. A stream can be as large as the free space on the volume allows, so a malicious program could write large quantities of invisible data into one, eventually filling up the computer's hard disk and causing a denial of service. Although simple to create and use (the notation is filename:streamname), streams are easy to overlook: Windows Explorer and older versions of the dir command do not list them, though from Windows Vista onwards dir /R does, as do PowerShell's Get-Item -Stream * and the Sysinternals streams utility. Streams can be deleted individually (for example with PowerShell's Remove-Item -Stream), and all of them are silently lost when the file is copied to a file system that does not support them, such as FAT. The feature was originally included in NTFS to support the data/resource fork model used by Macintosh files, but Windows itself also uses it for distributed link tracking Object Identifiers (OIDs), indexable file content summaries, thumbnail images and the Zone.Identifier stream that marks files downloaded from the Internet.
ANSI
bomb:
The reprogramming of the keyboard (on any system which
has MS-DOS as the underlying Operating System and that has ANSI.SYS
loaded) so that pressing a reprogrammed key has an unexpected and
possibly undesirable effect! An ANSI Bomb could, for example,
reformat the victim's hard drive when they press the Enter
key. ANSI stands for American National Standards
Institute.
Anti DNS pinning:
Web browsers employ a technique called DNS pinning, in which the IP address first resolved for a website's host name is held for the duration of the browser session (or at least far longer than the DNS record's time-to-live) rather than being looked up again. This matters because the browser's same-origin policy is based on host names: if an attacker could change the address a name points to after a page had loaded, scripts from that page could be made to talk to a different machine, typically one on the victim's internal network or behind their firewall, while the browser still treated the replies as coming from the attacker's own site. Anti DNS pinning (also called DNS rebinding) is the set of tricks used to force the browser to discard the pinned address and perform a fresh DNS lookup, for example by making the attacker's web server appear to go down, so that the name now resolves to the victim-side target and the attacker's script can read data from it.
ARP cache
poisoning:
ARP (Address Resolution Protocol) is used on a local network to map IP addresses to hardware (MAC) addresses. ARP has no authentication: a computer will generally accept an ARP reply it never asked for and update its cache accordingly. By deliberately altering or "poisoning" the ARP cache of a computer in this way, an attacker on the same network segment can ensure that data intended for one computer (the default gateway, for example) is actually sent to the attacker's machine instead, thereby jeopardising the authenticity, confidentiality and integrity of that data. ARP cache poisoning is often used in "Man in the Middle" attacks, whereby the attacker intercepts data intended for a different machine, perhaps modifies it, and then forwards it to the intended recipient so that neither party notices.
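As an added example (not part of the original glossary), the following Python builds a few Ethernet/ARP frames by hand and runs them through a small watcher that learns which MAC address first claimed each IP and flags any later reply that contradicts it, which is exactly the pattern a poisoning attack produces. All addresses and frames are constructed for the demonstration; a real tool would seed its table from a trusted source such as DHCP leases and age entries out.

```python
"""ARP cache poisoning detector.

Added example, not part of the glossary: a minimal parser for Ethernet/ARP
frames plus a watcher that learns IP -> MAC bindings and flags any ARP reply
that tries to change one. All MAC/IP addresses and frames below are
constructed for the demonstration.
"""
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Build a 42-byte Ethernet + ARP frame (used only to construct sample traffic)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    dmac = bytes.fromhex((dst_mac or target_mac).replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    # Ethernet header: destination, source, EtherType
    eth = dmac + smac + struct.pack("!H", ETH_P_ARP)
    # ARP: htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper, sha, spa, tha, tpa
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + smac + sip + tmac + tip
    return eth + arp


def parse_arp_frame(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip), or None if
    the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (oper,
            mac_to_str(frame[22:28]), ip_to_str(frame[28:32]),
            mac_to_str(frame[32:38]), ip_to_str(frame[38:42]))


class ArpWatcher:
    """Remembers the first MAC seen claiming each IP and reports later contradictions."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return            # requests do not change caches; ignore them
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
        elif known != sender_mac:
            self.alerts.append(f"{sender_ip} changed from {known} to {sender_mac}")


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"      # constructed
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:aa:bb:cc:dd:ee"       # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"                                # constructed

SAMPLE_FRAMES = [
    # victim broadcasts "who has the gateway address?"
    build_arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP, BROADCAST),
    # genuine reply from the gateway
    build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # poison: attacker claims the gateway's IP with its own MAC (unsolicited reply)
    build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
]


def run_demo(frames=SAMPLE_FRAMES):
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The same logic is what tools such as arpwatch apply to live traffic; the weak point, as the code makes plain, is that "first claim wins" can be gamed by an attacker who poisons before the watcher starts, hence the advice to seed the table from a trusted inventory.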
Backdoor:
A generic term which refers to a, probably
undocumented, method of gaining access to a computer and possibly
without the owner's knowledge or consent. A backdoor may be a
particular piece of malicious software specifically designed to
allow an attacker access to a victim's computer by stealth, or a
hidden setting in a legitimate piece of software intended to allow
the software developers or support staff to make beneficial changes
or to assist the user.
Banner
grabbing:
The act of observing the initial text displayed when
connecting to a server in order to determine its type. For
example, by default, various versions of HTTP, FTP or SMTP server
software will display a "welcome" message when you connect to them,
often declaring the make and version of the software that is in
use. This information is obviously very useful to an attacker
for formulating a plan of attack. Banner grabbing is a type
of fingerprinting.
Batch
script:
See Script.
BHO (Browser
Helper Object):
A small program installed as an add-on component to
Microsoft's Internet Explorer web browser and designed to customise
its behaviour in some way. BHO's may often provide useful
extra functionality such as the inclusion of a specialised toolbar
for instance, but sometimes they are installed without the user's
knowledge and may have undesirable effects such as tracking and
reporting on browsing habits, forcing the use of particular search
engines or preventing access to certain websites. Many BHO's
fall into the spyware, adware and/or browser hijacker
categories.
Binding:
See File
binding.
Black
Hat:
See Hacker.
Blackjacking:
The act of breaking
into a computer network using a Blackberry device.
Blended
threat:
A term which refers to a type of malware which combines a
variety of traditionally separate attack techniques. For
example, a spam email containing links to a phishing
website and perhaps also carrying a virus or Trojan
horse payload would be regarded as a blended threat.
Blue Boxing:
A "blue box" is an
electronic device, often home made, which emits telephone dialling tones
that can trick telephone network equipment into granting the user access to
services to which they are not entitled such a free, long-distance calls for
example. Blue boxes are used in phreaking (see below).
Bluesnarfing:
The practice of making covert Bluetooth
connections to other compatible Bluetooth devices (mobile
telephones, PDA's, etc.) for the purpose of stealing data from
them. Bluesnarfing is distinct from Bluejacking, which is the
practice of "discovering" nearby compatible Bluetooth devices and
sending prank messages to them to startle or surprise their
owners. Bluejacking is generally regarded as harmless fun,
whilst Bluesnarfing, like most other forms of malicious hacking, is
illegal.
Boot sector
virus:
See Virus.
Bot:
An abbreviation of robot, bot traditionally refers
to a tiny program which traverses the Internet gathering
information about the websites it discovers which it then reports
back to its masters. In this respect a bot is synonymous with
a spider or web crawler and performs a very useful purpose,
enabling Internet search engines for instance to provide accurate
and up to date lists of websites in response to search
queries. However, bot is also a term used to describe a
small, malicious program that can be planted on a computer which is
then used to attack another victim computer or website.
Botnet:
A collection of computers that have been
infected with maliciously programmed bots which are then used to
launch a co-ordinated attack against a victim's computer or
website, most often resulting in a denial of service. A botnet is also referred to as a zombie network.
Browser
hijacker:
A generic term referring to any piece of software which,
against the user's wishes and perhaps even without their knowledge,
detrimentally affects the functioning of their web browser.
Often a browser hijacker will change a user's Home page and Search
settings and put various mechanisms in place to prevent the user
from undoing those changes.
Brute Force
attack:
The act of attempting to crack passwords (to gain access to a computer system) or encryption keys (to decrypt encrypted messages) by testing every possible combination of upper case and lower case letters, numbers, punctuation marks and other characters until the right one is found. When attempting to crack passwords, a determined attacker will usually resort to a brute force attack only after a so-called "dictionary attack" has failed to reveal the passwords they require. Because the number of combinations grows exponentially with length (a 12-character password drawn from the 95 printable ASCII characters has 95^12, roughly 5 x 10^23, possibilities), a long and genuinely random password may take many years to crack by this method even with very powerful hardware, whilst a short one falls in seconds. For information on creating strong passwords resistant to brute force attacks, see the Strong Password Generator page.
Buffer
overrun:
Also known as a buffer overflow. In a software program a buffer is an area of memory set aside to hold data for later use, such as the text a user has typed into a box on a website form. The buffer has a fixed size, and the program is supposed to check that whatever it copies into the buffer will actually fit. Where that check is missing, an attacker can supply more data than the buffer can hold, and the excess spills over (i.e. overruns the buffer) into the adjacent memory, overwriting whatever was stored there, such as other variables or the saved return address that tells the processor where to continue when the current function finishes. By carefully crafting the overflowing data, the attacker can make the program jump to code of their own choosing (often smuggled in as part of the same input) and so make it perform a completely different function. Often the aim is to get a command prompt or shell on the victim's computer, whereupon the attacker has effectively taken control of (or "owns") the machine!
Cache
poisoning:
See ARP Cache Poisoning and DNS Cache
Poisoning.
Carding:
A term which covers the theft, trading and fraudulent use of payment card details, including the cracking, reverse engineering and/or reading of credit card magnetic strips or smartcard chips, the buying and selling of stolen card numbers, and the testing of those numbers against online merchants to find out which are still valid.
Christmas tree attack/scan:
Sending TCP network packets to a computer in which all the control flags are set on (the packet is "lit up like a Christmas tree"). The control flags in a TCP header are used to manage the two-way communication between participating computers thus:
SYN (S) = Synchronise, or request the establishment of a new connection
ACK (A) = Acknowledge data (or a SYN) received from the other side
FIN (F) = Finish, or gracefully close a connection
RST (R) = Reset, or instantly drop a connection in both directions
PSH (P) = Push, or hand the data to the application immediately without waiting for the buffer to fill
URG (U) = Urgent data is present
(Two later additions, ECE and CWR, are used for congestion notification.) Clearly, some combinations of these flags are mutually exclusive - a packet cannot sensibly ask to open a connection and close it at the same time - and no legitimate packet should ever have all of the flags set. By monitoring the way in which a computer responds to a Christmas tree packet (whether it replies at all, and with what), a potential intruder can fingerprint the system, determining the type of Operating System that the computer is running, for example, because different TCP implementations handle such illegal packets differently. Other combinations of flags may also be used. Nmap's "Xmas scan" (-sX) sets just FIN, PSH and URG, whilst the opposite of the Christmas tree attack is the "TCP Null scan", in which none of the flags are set. A "TCP SYN (half-open) scan" is one in which the scanning computer sends a SYN, notes the reply, and never completes the three-way handshake required to establish a network connection (see SYN flood below for an explanation of this).
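As an added example (not part of the original glossary), the following Python packs the flag bits into a minimal TCP header, reads them back out and labels the combinations described above the way a scanner or intrusion detection rule would. The port numbers are constructed and nothing is put on the wire.

```python
"""TCP flag scan classifier.

Added example, not part of the glossary: builds minimal 20-byte TCP headers
with chosen flags, reads the flags back, and labels the combinations that
the scans described above produce. Port numbers are constructed.
"""
import struct

# Flag bits as they sit in the low byte of the 16-bit offset/flags word (RFC 793 + RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"),
              (SYN, "SYN"), (FIN, "FIN"), (ECE, "ECE"), (CWR, "CWR")]
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Pack a TCP header with data offset 5 (no options); checksum left zero."""
    offset_and_flags = (5 << 12) | (flags & 0x1FF)   # top 4 bits = header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the 8 flag bits from bytes 12-13 of a TCP header (NS bit discarded)."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return struct.unpack("!H", header[12:14])[0] & 0xFF


def flag_string(flags):
    return " ".join(name for bit, name in FLAG_NAMES if flags & bit) or "(none)"


def classify(flags):
    """Label a flag combination the way a scanner or IDS would."""
    six = flags & SIX_FLAGS
    if six == 0:
        return "null-scan"
    if six == SIX_FLAGS:
        return "christmas-tree"              # every flag lit
    if six == FIN | PSH | URG:
        return "xmas-scan"                   # the Nmap -sX combination
    if six & SYN and six & (FIN | RST):
        return "illegal"                     # open and close at once: never legitimate
    if six == SYN:
        return "syn"                         # connection start, or a half-open scan
    if six == SYN | ACK:
        return "syn-ack"
    if six == FIN:
        return "fin-scan"
    if six == ACK:
        return "ack"                         # bare ACK: data-less ack or an ACK scan
    if six & RST:
        return "rst"
    return "data"                            # ordinary PSH/ACK or FIN/ACK segments


def classify_header(header):
    return classify(parse_tcp_flags(header))


if __name__ == "__main__":
    for flags in (SIX_FLAGS, 0, FIN | PSH | URG, SYN, SYN | ACK, PSH | ACK, SYN | FIN):
        hdr = build_tcp_header(40000, 80, flags)
        print(f"{flag_string(flags):30} -> {classify_header(hdr)}")
```

Note that a bare SYN is labelled the same whether it begins a genuine connection or a half-open scan: on the wire the two are identical, and only the volume and spread of such packets across ports distinguishes a scan.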
Collision
attack / Preimage attack:
A popular method of checking the integrity of a program file, word processing document or email message, for example, is for the originator to provide a cryptographic "hash" or "message digest" of their original data. The hash is produced by feeding the original data into an algorithm that outputs a fixed-length sequence of relatively few characters, which serves as a fingerprint of the input. Even a minute change in the input produces a vastly different hash. So, the recipient of the data can run it through the same hashing algorithm as the originator and, if the data has not been tampered with, the output hash will be identical to the originator's. Hashing algorithms are designed so that, in theory at least, the probability of two different inputs producing the identical output hash is infinitesimally small. Where two different input messages do produce the same hash, this is known as a collision, and a collision attack is a technique for reliably finding pairs of inputs to a particular hashing algorithm that produce the same output hash. This is the easier kind of attack, because the attacker is free to choose both messages and only needs some pair to match: the so-called birthday bound means an n-bit hash offers only about n/2 bits of collision resistance, and both MD5 and SHA-1 have been broken in this way. A preimage attack works the other way around. Here, the attacker starts from a given hash and attempts to find input data (not necessarily the original) that produces that particular hash; a second preimage attack is the variant in which the attacker is given the original input and must find a different one with the same hash. Both are much harder than finding a collision, because the target is fixed.
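As an added example (not part of the original glossary), the following Python makes the gap between the two attacks visible. SHA-256 itself cannot be attacked either way, so the digest is truncated to 16 bits: a collision on a 16-bit hash needs roughly 2^8 = 256 attempts, a preimage roughly 2^16 = 65536, and both searches finish in well under a second. The message strings are constructed.

```python
"""Collision search versus preimage search on a truncated hash.

Added example, not part of the glossary. The digest is truncated to BITS
bits so that both searches finish quickly and show the gap between them: a
collision on an n-bit hash costs roughly 2^(n/2) attempts, a preimage
roughly 2^n. Message strings are constructed.
"""
import hashlib

BITS = 16   # toy size: about 2^8 tries for a collision, about 2^16 for a preimage


def truncated_hash(message, bits=BITS):
    """Top `bits` bits of SHA-256(message) as an integer (bits=256 gives the full digest)."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits=BITS, limit=1 << 20):
    """Birthday search: hash distinct messages until two share a truncated hash.

    Returns (message_a, message_b, attempts) or None if `limit` is exhausted.
    """
    seen = {}
    for i in range(limit):
        message = b"msg-%d" % i
        value = truncated_hash(message, bits)
        if value in seen:
            return seen[value], message, i + 1
        seen[value] = message
    return None


def find_preimage(target, bits=BITS, limit=1 << 24):
    """Brute-force search for any message whose truncated hash equals `target`.

    Returns (message, attempts) or None if `limit` is exhausted.
    """
    for i in range(limit):
        message = b"candidate-%d" % i
        if truncated_hash(message, bits) == target:
            return message, i + 1
    return None


def avalanche_bits(a, b):
    """How many of the 256 full SHA-256 bits differ between two inputs
    (about half, even for a one-character change)."""
    return bin(truncated_hash(a, 256) ^ truncated_hash(b, 256)).count("1")


if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"collision after {tries} tries: {a!r} and {b!r} -> {truncated_hash(a):#06x}")
    original = b"original document"
    m, tries = find_preimage(truncated_hash(original))
    print(f"preimage after {tries} tries: {m!r} -> {truncated_hash(m):#06x}")
    print(f"'data' vs 'datb' differ in {avalanche_bits(b'data', b'datb')} of 256 bits")
```

Doubling BITS to 32 leaves the collision search comfortable (tens of thousands of hashes) while pushing the preimage search to billions, which is the same asymmetry, at a scale of 2^128 versus 2^256, that makes SHA-256 collision resistance the property people actually worry about.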
Combining:
See File
combining.
Companion virus:
See Virus.
Cookie:
A small piece of data that a website asks a user's web browser to store when the user first visits the site and which the browser sends back with every subsequent request to that site, so that the site can recognise the user during the current and perhaps subsequent visits. The information stored in a cookie may include the visitor's preferences for how the website works, a session identifier that keeps them logged in, or the contents of a "shopping cart" or "basket" on a site from which goods or services may be ordered, for example. Cookies are therefore often essential for the correct operation of a website. A browser only returns a cookie to the site that set it, but advertising networks whose content is embedded in many different websites can set their own "third-party" cookies and so track a user from site to site, and a session cookie that is stolen (by cross-site scripting, for example) lets an attacker impersonate the user.
Covert
communications channel:
A means by which the communication of data between computers
is deliberately concealed by using methods outside of the normal specifications
for such communication. For example, in the IP protocol used by the
majority of computers and networks, communication is achieved by using "packets"
of data. Each packet contains a specific data area and also a "header"
which is divided up into a number of separate fields intended to provide
information about the packet, such as its size, where it has come from and where
it is going to for instance. Although data is meant to be stored in the
designated data area, a covert communications channel can be set up by
deliberately hiding data in the header fields.
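As an added example (not part of the original glossary), the following Python hides a short message two bytes at a time in the 16-bit Identification field of otherwise ordinary IPv4 headers, the idea behind the classic covert_tcp tool, and recovers it at the other end. It also includes a crude detector, labelled as a constructed heuristic, that notices the field jumping about instead of counting up. Addresses and the message are constructed and the headers are never sent.

```python
"""Covert channel in the IPv4 Identification field.

Added example, not part of the glossary: hides a message two bytes at a time
in the 16-bit Identification field of IPv4 headers and recovers it at the
far end. Addresses and the message are constructed; nothing is transmitted.
"""
import struct

PROTO_UDP = 17


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def ipv4_checksum(data):
    """Standard ones'-complement checksum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(identification, src="10.0.0.5", dst="10.0.0.9", payload_len=0, ttl=64):
    """20-byte IPv4 header carrying the given Identification value, with a valid checksum."""
    fields = (0x45, 0, 20 + payload_len, identification, 0, ttl, PROTO_UDP, 0,
              ip_to_bytes(src), ip_to_bytes(dst))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:]


def identification_of(header):
    return struct.unpack("!H", header[4:6])[0]


def encode_covert(message):
    """Sender side: one header per two message bytes, NUL-padded to an even length."""
    if len(message) % 2:
        message += b"\x00"
    return [build_ipv4_header(struct.unpack("!H", message[i:i + 2])[0])
            for i in range(0, len(message), 2)]


def decode_covert(headers):
    """Receiver side: reassemble the Identification fields in arrival order."""
    data = b"".join(struct.pack("!H", identification_of(h)) for h in headers)
    return data.rstrip(b"\x00")


def suspicious_identifications(headers, max_step=64):
    """Crude detector: a normal sender's Identification values rise slowly
    (often by 1 per packet) whereas a channel like this one jumps around.
    Returns the fraction of consecutive pairs whose forward difference is
    outside 0..max_step. The threshold is a constructed heuristic, not a standard."""
    ids = [identification_of(h) for h in headers]
    if len(ids) < 2:
        return 0.0
    odd = sum(1 for a, b in zip(ids, ids[1:]) if not 0 <= (b - a) % 65536 <= max_step)
    return odd / (len(ids) - 1)


if __name__ == "__main__":
    packets = encode_covert(b"meet at 9")
    print(decode_covert(packets), suspicious_identifications(packets))
```

The channel survives because routers forward the Identification field untouched, and the same approach works with the TCP initial sequence number or the IP TTL; the detector shows the flip side, that any field with predictable normal behaviour gives a defender something to compare against.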
Cracker:
Traditionally what is now usually and incorrectly
referred to as a hacker. Originally, a hacker was a person
who enjoyed obtaining an in-depth knowledge of the intricacies of
computer operation, software and communications, whilst a cracker
was somebody who used such knowledge for malicious or nefarious
purposes.
Crackz(s):
Crackz are small programs designed to
patch or modify other target programs. Such modification
usually involves illegally removing copyright information, removing
the requirement to officially register the target program, or the
conversion of a shareware/trial program with limited functionality
into a fully functioning version. Target programs which have
been "cracked" are known as "warez" or "wares". It's
possible, though not always the case, that crackz may have some
other malign intent or undesirable effects apart from just patching
their target.
CRLF injection:
CR (Carriage Return) and LF (Line Feed) are control characters you may recognise from typewriters and printers. Carriage Return would send the print head back to the start of the current line, whilst Line Feed moved the paper up one line, so after completing one line of typing/printing both CR and LF would be issued to begin a new one. CR and/or LF are used in computer systems for the same purpose, and in many text-based formats and protocols the CRLF pair marks the end of a record: one log entry, one line of an email header, or one header of an HTTP request or response. An application that builds such text from user-supplied input without removing or encoding these characters may be subject to so-called CRLF Injection attacks. One commonly cited example is an application that writes a log file in which each entry is terminated by a CRLF. If the CRLF is not stripped from the data making up a legitimate entry, an attacker can supply input containing a CRLF followed by text of their choosing, so that an additional, fake entry is appended (or injected) immediately after the real one, thereby compromising the integrity of the log file. The same trick applied to an HTTP response header ("HTTP response splitting") lets the attacker add headers of their own, such as a Set-Cookie.
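As an added example (not part of the original glossary), the following Python shows the log case described above and the HTTP header case side by side, each with a vulnerable function and a hardened one. The attacker input, timestamps and cookie names are constructed; nothing is written to disk or sent anywhere.

```python
"""CRLF injection: vulnerable and hardened versions of a log writer and an
HTTP header builder.

Added example, not part of the glossary. The attacker input, timestamps and
cookie names are constructed; nothing is written to disk or sent anywhere.
"""

CRLF = "\r\n"

# Constructed attacker-supplied "username": a real name, then CRLF, then a fake record
ATTACK_USER = "mallory" + CRLF + "2007-01-01 12:00:01 login OK user=admin"


def log_record_vulnerable(timestamp, outcome, user):
    """Writes whatever the user supplied straight into the record."""
    return f"{timestamp} login {outcome} user={user}{CRLF}"


def neutralise(value):
    """Percent-encode control characters (CR, LF, NUL, ...) so they cannot
    end or begin a record. '%' itself is encoded so the result is unambiguous."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F or ch == "%":
            out.append(f"%{code:02X}")
        else:
            out.append(ch)
    return "".join(out)


def log_record_safe(timestamp, outcome, user):
    return f"{timestamp} login {outcome} user={neutralise(user)}{CRLF}"


def parse_log(text):
    """How a log reader or SIEM sees the file: one record per CRLF-terminated line."""
    return [line for line in text.split(CRLF) if line]


def set_cookie_header_vulnerable(name, value):
    return f"Set-Cookie: {name}={value}{CRLF}"


def set_cookie_header_safe(name, value):
    """Refuse rather than encode: a header value has no business containing CR or LF."""
    for ch in name + value:
        if ch in CRLF or ord(ch) < 0x20 or ord(ch) == 0x7F:
            raise ValueError("control character in header field")
    return f"Set-Cookie: {name}={value}{CRLF}"


def header_names(raw_headers):
    """Header names as a receiving HTTP parser would split them out."""
    return [line.split(":", 1)[0] for line in raw_headers.split(CRLF) if line]


if __name__ == "__main__":
    ts = "2007-01-01 12:00:00"
    print(parse_log(log_record_vulnerable(ts, "FAILED", ATTACK_USER)))
    print(parse_log(log_record_safe(ts, "FAILED", ATTACK_USER)))
    print(header_names(set_cookie_header_vulnerable("lang", "en" + CRLF + "Set-Cookie: admin=1")))
```

The two fixes differ deliberately: a log field is data, so encoding the control characters keeps the evidence of the attempt visible, whereas a header value with a CRLF in it is never legitimate, so rejecting the request outright is the right response.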
Cross-Site request forgery:
An attack in which a malicious website causes a user's web browser to send a request to another website on which the user is already logged in, asking for some action to be carried out. Because the browser automatically attaches the user's cookies for that site to every request it sends there, the target site sees a request that appears to come from the legitimate, logged-on user and carries it out. So, for example, if a user is logged into their web-based email account and, in another tab, visits a malicious page containing a hidden form that submits itself to the email site, it is possible that the malicious page could send emails from the user's account without the user doing anything. CSRF does not require Cross-Site scripting (though the two are sometimes combined); the usual defences are a secret per-session token that must accompany every state-changing request and cannot be read from another site, and cookies marked SameSite so that the browser withholds them from cross-site requests.
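As an added example (not part of the original glossary), the following Python models the web-mail scenario above: a "send mail" handler that trusts the session cookie alone beside one that also demands a per-session token and checks the Origin header. There is no real server; the session store, secret and requests are constructed, and the browser's habit of attaching cookies automatically is modelled by putting the cookie in both the legitimate and the forged request.

```python
"""Cross-site request forgery: a vulnerable handler beside one protected by a
per-session token and an Origin check.

Added example, not part of the glossary. The session store, secret and
requests are constructed; there is no real server.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail.example"                 # constructed
SERVER_SECRET = b"constructed-secret-rotate-in-prod"  # constructed; random per deployment in reality
SESSIONS = {"sess-7f3a": "alice"}                    # session cookie -> logged-on user (constructed)


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id):
    """Token bound to the session: HMAC(secret, session id). A page served by
    mail.example embeds it in its forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def send_mail_vulnerable(request, outbox):
    """Trusts the session cookie alone, so any site that makes the browser
    POST here gets mail sent as the logged-on user."""
    user = SESSIONS.get(request.cookies.get("session"))
    if user is None:
        return 401
    outbox.append((user, request.form["to"], request.form["body"]))
    return 200


def send_mail_protected(request, outbox):
    user = SESSIONS.get(request.cookies.get("session"))
    if user is None:
        return 401
    # 1. Origin/Referer must match our own site whenever the browser supplies one
    origin = request.headers.get("Origin") or request.headers.get("Referer", "")
    if origin and not origin.startswith(SITE_ORIGIN):
        return 403
    # 2. The form must carry the token for this very session (constant-time compare)
    expected = csrf_token_for(request.cookies["session"])
    if not hmac.compare_digest(expected, request.form.get("csrf", "")):
        return 403
    outbox.append((user, request.form["to"], request.form["body"]))
    return 200


# Alice's browser attaches her cookie to both requests; only the origin and form differ.
LEGIT_REQUEST = Request(
    cookies={"session": "sess-7f3a"},
    form={"to": "bob@example", "body": "hello", "csrf": csrf_token_for("sess-7f3a")},
    headers={"Origin": SITE_ORIGIN},
)
FORGED_REQUEST = Request(
    cookies={"session": "sess-7f3a"},                          # attached automatically by the browser
    form={"to": "everyone@example", "body": "buy my pills"},   # hidden auto-submitting form on evil.example
    headers={"Origin": "https://evil.example"},
)


def run_demo():
    """Return the HTTP statuses and the outboxes of both handlers: the
    vulnerable one has sent the attacker's mail, the protected one has not."""
    vulnerable, protected = [], []
    statuses = (send_mail_vulnerable(FORGED_REQUEST, vulnerable),
                send_mail_protected(FORGED_REQUEST, protected),
                send_mail_protected(LEGIT_REQUEST, protected))
    return statuses, vulnerable, protected


if __name__ == "__main__":
    print(run_demo())
```

The token check is the one that matters; the Origin check is defence in depth for the cases where a browser omits the header. Marking the session cookie SameSite=Lax or Strict would stop the forged request before it ever reached the handler, and is worth doing as well.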
Cross-Site
scripting:
A method by which an attacker exploits a vulnerability in a website that echoes user-supplied data into its pages without properly encoding it, so that script chosen by the attacker is delivered to other visitors as though it were part of that website's legitimate content. For example, an attacker can create his own malicious website containing a specially crafted hyperlink to a vulnerable site, with the attacker's script embedded in the link. When a victim clicks the hyperlink, the vulnerable site reflects the script back in its response and the victim's browser executes it with all the privileges of the trusted site: it can read the victim's cookies and session tokens for that site, alter the page the victim sees or perform actions on their behalf. In the "stored" variant the attacker posts the script to the site itself (in a comment or profile field, for example) so that it is served to everyone who views that page, with no hyperlink needed.
Cross-Zone
scripting:
A method by which an attacker can exploit a vulnerability in order to
force the execution of malicious code in the context of a security zone other
than the one in which it should be executed. For example, the security
options within Microsoft's Internet Explorer browser show four distinct zones:
Internet, Local Intranet, Trusted Sites and Restricted Sites. The specific
security settings for each of these zones are different
and Internet Explorer will permit or deny the execution of certain
code based on these settings. There is also a fifth zone
which is not displayed in the Internet Explorer security settings
window called the My Computer zone and which is the least
restrictive of all by default. The ultimate goal of an
attacker attempting a cross-zone scripting attack is to force the
execution of harmful code in the context of My Computer rather than
one of the other, more restrictive zones in which it ought to be
run.
Cryptotrojan:
See Virus.
Cryptovirus:
See Virus.
Cryptoworm:
See Virus.
CSRF:
See Cross-Site Request
forgery.
Cyber-squatting:
See Domain
hijacking.
Data
flood:
The act of sending so much data to a computer that its hard
disk drive space is exhausted, causing it to become unresponsive or
crash. An attacker may attempt this by sending the target
very large email messages or by uploading large files via FTP (File
Transfer Protocol) for example.
Data
miner:
In its most
malign form a data miner is a type of spyware which gathers
information from the computer on which it is installed and which
sends this information back to an attacker. Such information
might include users' logon details or credit card information typed
into website forms for example. Other data miners record
users' Internet browsing habits which may be employed for
legitimate marketing purposes or might be harnessed by an adware
program to provide targeted pop-up advertising for example.
Data miners are sometimes referred to as tracking
cookies.
DDoS attack
(Distributed Denial of Service
attack):
An orchestrated denial of service attack launched from
multiple computers against one (or relatively few) targets.
The attacking computers are usually co-ordinated into a botnet or
zombie network so that, en masse, they have a far greater effect
than if the attack was launched from a single computer.
Defacement:
The act of hacking or breaking into a web
server and deliberately vandalizing its contents, often so that the
web pages show a derogatory, political or social message of some
kind, or sometimes to highlight a known vulnerability in the
software used by the website or in its implementation by the
website's owners.
Dialler:
A program which establishes a dial-up
networking connection from a local computer to a remote
computer. In its malign form, a dialler may be installed
without the user's knowledge and its installation routine may also
involve replacing the computer's existing dial-up networking
connection to the user's preferred ISP. Diallers are often
programmed to dial long distance or premium rate numbers and the
user may not be aware that their connection has been modified until
they receive the telephone bill. Dialler programs are often
used for the purposes of connecting a computer to adult themed
websites.
Dictionary
attack:
The act of attempting to crack passwords by testing them
against a list of dictionary words. With today's powerful
computers, an attacker can combine one of many available automated
password cracking utilities with several large dictionaries or
"wordlists" and crack huge numbers of such passwords in a matter of
minutes. Any password based on any dictionary word is
vulnerable to such an attack, including those based on the
dictionary words of foreign and even fictitious languages such as
Klingon and Elvish! For information on creating
strong passwords resistant to brute force attacks, see the
Strong Password
Generator page.
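As an added example serving both the Brute Force attack and Dictionary attack entries (not part of the original glossary), the following Python runs a mangled wordlist against a small set of constructed password hashes, then brute-forces the short keyspace the wordlist missed, and finally works out how long an exhaustive search of a long random password would take. Unsalted SHA-256 is used only to keep the demonstration short; real systems should store passwords with a slow, salted scheme such as bcrypt, scrypt or Argon2, which raises the attacker's cost per guess by orders of magnitude.

```python
"""Dictionary attack, then brute force, against a set of password hashes.

Added example, not part of the glossary. The accounts, passwords, hashes and
wordlist are constructed. Unsalted SHA-256 is for brevity only: real systems
should use a slow, salted scheme such as bcrypt, scrypt or Argon2.
"""
import hashlib
import itertools
import string


def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" hash table: username -> hash
STOLEN_HASHES = {
    "alice": hash_password("dragon"),          # plain dictionary word
    "bob":   hash_password("Klingon1"),        # wordlist word plus common mangling
    "carol": hash_password("zx9"),             # short but not a word: brute force territory
    "dave":  hash_password("rQ7$kLm2pVx!"),    # long and random: out of reach
}

WORDLIST = ["password", "dragon", "klingon", "elvish", "letmein"]  # constructed


def mangle(word):
    """Typical cracker rules: case variants and a single trailing digit."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in range(10):
            yield base + str(digit)


def dictionary_attack(hashes, wordlist):
    """Hash every mangled wordlist entry once and look it up against all accounts."""
    by_hash = {h: user for user, h in hashes.items()}
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            user = by_hash.get(hash_password(candidate))
            if user is not None:
                cracked.setdefault(user, candidate)
    return cracked


def brute_force(hashes, alphabet, max_length):
    """Exhaustively try every string up to max_length over alphabet.
    Returns (cracked, number_of_guesses)."""
    by_hash = {h: user for user, h in hashes.items()}
    cracked, guesses = {}, 0
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            user = by_hash.get(hash_password(candidate))
            if user is not None:
                cracked.setdefault(user, candidate)
    return cracked, guesses


def keyspace(alphabet_size, length):
    """Candidates a brute force attack must consider for passwords of exactly this length."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, guesses_per_second):
    return keyspace(alphabet_size, length) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(dictionary_attack(STOLEN_HASHES, WORDLIST))
    found, tried = brute_force(STOLEN_HASHES, string.ascii_lowercase + string.digits, 3)
    print(found, tried)
    print(f"{years_to_exhaust(95, 12, 1e9):.2e} years for 12 printable chars at 1e9 guesses/s")
```

Notice that the dictionary pass cracks two of the four accounts with a few hundred hashes, the brute force pass needs about 48,000 to crack the three-character password, and dave's twelve random characters would take tens of millions of years at a billion guesses per second; that is the whole argument for length and randomness over memorable words.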
Directory
traversal:
Normally, this is simply the act of moving up and down through the directory tree (or folder structure) of a computer's file system. However, it also specifically refers to an attack against a web server or web application that builds a file path from part of a URL without properly checking it. By entering a specially crafted URL containing sequences such as "../" (or their URL-encoded equivalents, like "%2e%2e%2f") into the address bar of a web browser, an attacker can step out of the directory from which the web pages are being served and into the directories containing the server's system files, configuration, password files or other sensitive information.
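As an added example (not part of the original glossary), the following Python shows a path builder that trusts the URL beside one that decodes, normalises and then insists the result stays under the web root, run over a handful of constructed requests including the URL-encoded form. Nothing is read from disk, and posixpath is used so the behaviour is identical on every platform.

```python
"""Directory traversal: a path builder that trusts the URL beside one that
confines the result to the web root.

Added example, not part of the glossary. The web root and request paths are
constructed and nothing is read from disk; posixpath is used so the
behaviour is the same on every platform.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed


def resolve_vulnerable(web_root, url_path):
    """Concatenates and normalises without checking where the result ends up."""
    return posixpath.normpath(posixpath.join(web_root, unquote(url_path)))


def resolve_safe(web_root, url_path):
    """Decode once, normalise, then insist the result is inside web_root.
    Real servers should also resolve symbolic links (os.path.realpath) on
    both sides before the comparison."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    if "%" in decoded:
        raise PermissionError("double-encoded path rejected")  # e.g. %252e%252e
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes web root: {url_path!r}")
    return candidate


SAMPLE_REQUESTS = [            # constructed URL paths as they arrive after the host name
    "index.html",
    "images/../index.html",    # harmless traversal that stays inside the root
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",    # the same thing, URL-encoded
    "..%2f..%2f..%2fetc/shadow",
]


def audit(web_root=WEB_ROOT, requests=SAMPLE_REQUESTS):
    """Return {request: (vulnerable result, safe result or 'BLOCKED')}."""
    report = {}
    for req in requests:
        try:
            safe = resolve_safe(web_root, req)
        except PermissionError:
            safe = "BLOCKED"
        report[req] = (resolve_vulnerable(web_root, req), safe)
    return report


if __name__ == "__main__":
    for req, (bad, good) in audit().items():
        print(f"{req:40} vulnerable -> {bad:25} safe -> {good}")
```

The check is on the normalised result, not on the presence of "..", which is what defeats the encoded variants; the prefix comparison includes the trailing slash so that a sibling directory such as /var/www/html2 is not mistaken for the root.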
Distributed
Denial of Service attacks:
See DoS, DDoS and DRDoS
attacks.
DNS cache
poisoning:
DNS (Domain Name System) is used to map host names to IP addresses, and DNS servers cache the answers they receive so that they need not look them up again. By deliberately inserting false records into, or "poisoning", the DNS cache of a computer or, more damagingly, of a shared DNS server (for example by flooding it with forged replies that guess the identifiers of its outstanding queries), an attacker can ensure that data intended to be sent from one computer to another will actually be sent to a different computer instead, thereby jeopardising the authenticity, confidentiality and integrity of that data. DNS cache poisoning is often used to direct a web browser to a fake website rather than the legitimate one, and every user of a poisoned server is affected until the false record expires.
Document
grinding:
The act of analysing discovered documents and extracting
information from them by "breaking them open / grinding them
up". This goes way beyond simply opening the document in the
application used to create it and reading its contents.
For example, an intruder may discover a document on a target system
and then, using special tools, "grind it up" in order to
reveal interesting information in the document's headers which
might not normally be accessible. Also, the technique is used
by Google Hackers to find out interesting information from
documents discovered on the Internet through search
engines.
Domain
hijacking:
Broadly speaking, the act of assuming or taking over a
domain name, not necessarily illegally. Some definitions of
domain hijacking include what has come to be known as
cyber-squatting. Here, someone registers - perhaps
entirely innocently and with no ill-intent - an available domain
name that nevertheless relates to or may be closely associated with
some other person or organisation. Obviously there may be a
conflict of interest if the other party should subsequently want to
use the domain name for themselves. More seriously, a person
or organisation who has previously registered and is actively using
a domain name may subsequently forget to renew it. If the
domain name is not renewed, it becomes available for anybody else
to register and may thus be hijacked by a malicious cyber-squatter
who may demand payment to relinquish the hijacked domain.
Most seriously, it is the act of fooling the domain's registrar (often with forged correspondence, or by first compromising the registrant's email account) into either changing the domain's name server records (so that web browser requests for the domain's website and its email traffic, for example, are directed to the wrong servers) or transferring the domain name away from the current, legitimate registrant to someone else.
DoS attack
(Denial of Service attack):
An attack whereby the target is
deliberately prevented from providing or receiving a particular
service. For example, a very common DoS attack involves
preventing a company's web servers from serving web pages, thereby
preventing customers from visiting the company's website. DoS
attacks are usually accomplished by bombarding the target with more
data than it can handle, or by exploiting a weakness in the
software employed by the target to cause the service to fail or
perhaps to continually crash the computer.
DRDoS attack
(Distributed Reflection Denial of Service
attack):
This is a variation on the DDoS (Distributed Denial of Service attack) theme, but with an important difference: the computers that flood the target have not been compromised at all. The attack does not appear to originate from a single attacking computer (as in a simple DoS attack), nor from multiple computers that have been compromised to form a botnet or zombie network (as in a DDoS attack). Rather, it is akin to a very large scale smurf attack (see below for a description of this). For example, let's say an attacker sends lots of network packets to a large number of powerful, well-connected machines on the Internet (high-level routers, or indeed any busy server that accepts TCP connections), all of which are asking for a new network connection to be established (SYN flag set). The source IP address (i.e. the origin of the request) of these packets has been spoofed by the attacker to be that of the intended target! The result is that all of these powerful, high-bandwidth machines reply (SYN/ACK) en masse to the target, flooding it with more data than it can possibly handle, causing it to become unresponsive or even crash and thereby effecting a denial of service. So without actually compromising any of those machines, the attacker has nevertheless achieved his aim by "reflecting" his attack off them, and because the reflectors retransmit their unanswered SYN/ACKs several times, the effect is magnified. Modern reflection attacks more often use UDP services such as DNS or NTP, whose replies are many times larger than the requests that provoke them, so that the reflectors also amplify the traffic.
Drive-by
downloading:
The act of stealthily and automatically installing
software on a user's computer when they simply visit a particular
web page. Spyware and adware programs are frequently
installed on a computer by way of drive-by downloading.
Dropper:
A program designed to extract other files from
within its own code. Droppers are frequently used as a means
of installing Trojan horse programs.
Dumpster
Diving:
The act of rummaging through the rubbish thrown out by
commercial businesses or private residents searching for items of
value. From an IT security point of view, an attacker may
find all sorts of valuable information from the likes of discarded
letterheads, utility bills, old credit card receipts, printouts and
reports etc. which may be of great assistance to them in a
potential attack.
Elevation of
privilege:
The act of obtaining more privileges on a computer than
those for which the currently logged on user should be permitted,
thereby enabling a malicious user to execute more powerful code
than they're normally allowed to. The ultimate goal of
someone attempting elevation of privilege is to obtain all the
rights and privileges of the Administrator account or Root
user. Elevation of privilege is usually accomplished by
exploiting a weakness in a piece of vulnerable software.
Email
bomb:
A denial of service attack in which a user's email
account is targeted by bombarding it with more email messages than
it can handle, thereby curtailing or even preventing the acceptance
and delivery of legitimate email messages. In some cases an
entire email server may be targeted, thereby denying service to all
the mail accounts on the server.
Email
relaying:
A feature of an email server which allows it to process
messages on behalf of an external client. Spammers abuse this
feature by hunting for email servers on which this feature has been
left enabled ("open relays") and then using these servers to mass
mail their junk messages to all and sundry at the owners'
expense. The source of such relayed messages appears to be
the owner of the open relay, a fact not overlooked by malicious
attackers who can use the open relay to send out messages that
could easily damage the owner's reputation for example. A
properly configured email server will therefore usually have this
capability disabled.
Enumeration:
Simply, to count. Prior to an attack
against a particular organisation or even an individual computer,
an attacker is likely to enumerate the target for the number of
open ports, IP addresses, DNS names, vulnerable services etc.
before finally deciding on a specific attack vector.
Evil
twin:
A fake wireless access point or hot-spot, set up to
masquerade as a legitimate one, usually with the purpose of
stealing data from computers that connect to it in error. The
technique is also sometimes referred to as WiPhishing.
Exploit:
As a noun, an "exploit" is a piece of malicious
code specifically written to deliberately take advantage of a known
vulnerability in a particular piece of software. Or, as a
verb, it is to take advantage of a known vulnerability in a
particular piece of software.
File
Binding:
Binding files joins two or more programs into a single executable file which, when run, launches each of them. An attacker may bind a malicious program (such as a Trojan horse) to a game program, for example. When an unsuspecting user runs the game, the Trojan horse bound to it is also executed and may be silently installed in the background. The bound file necessarily has a different size and checksum from the original game, which is one way of spotting that it has been tampered with.
File
Combining:
Combining merges a file of one format into a file of a different format, relying on the fact that many applications ignore data they do not recognise, so that whichever application opens the file displays only the part it understands. For example, a Microsoft Word document (document.doc) could be combined with a Microsoft Excel spreadsheet (sheet.xls) into a single file called document.doc. Opening document.doc in Word displays the contents of the Word document whilst the spreadsheet data remains hidden; renaming the file from .doc to .xls lets Excel display the spreadsheet whilst hiding the content of the Word document. Thus, file combining can be employed to hide data of one format within a file that appears to be of another.
File infector virus:
See Virus.
File Mangling:
The art of modifying a
file to hide the data it contains by making it difficult to
read. There are several simple methods of mangling files, for
example changing the file extension to one associated with a
different application or modifying the Registry so that all files
of a particular extension are associated with the wrong application
and therefore appear to not open correctly.
Finger bomb:
Finger is a UNIX command that displays information about users
on a computer. Obviously such information is useful to
intruders as well as system administrators. On some
computers, the finger command can be passed through from one
machine to another. This is very useful for an intruder
because it makes it appear as though the finger command has come
from the last computer in the chain before the target, and not the
originating computer, thus aiding the attacker to cover their
tracks. Also, by malforming the finger command, a finger bomb
can be constructed in which the target computer is instructed to
finger itself repeatedly until its memory is exhausted and it stops
responding, resulting in a denial of service.
Fingerprint:
From an attacker's point of view, this is to
identify certain tell-tale characteristics of a potential target
system in order to determine its Operating System or web and
database server software for example so that an attack vector can
be formulated. From an IT security perspective,
fingerprinting involves identifying the tell-tale characteristics
of a perceived attack so that the appropriate countermeasures can
be deployed.
Format String attack:
In a software program written in the C programming
language, "format strings" are used to tell certain functions (like
printf for example) how they should interpret and display the
arguments passed to them. A program which passes unsanitised
input to such a function as its format string may be vulnerable to
a so-called "format string attack". By inputting specially
formatted text to such a vulnerable program, an attacker may be
able to cause the program to crash, thereby creating a denial of
service, or they may be able to glean information from locations in
the computer's memory to which they would not normally have access,
or (as with a buffer overrun attack) they may be able to overwrite the
program's code held in memory with their own code in order to
make the program perform a different function.
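As an added example (not part of the original document), a small source-code check that finds the pattern behind this attack: printf-family calls whose format argument is a variable rather than a string literal. The C snippet it runs over is constructed for the example, and the table of which argument is the format string is an assumption covering the common functions only.

```python
import re

# printf-family functions and the 0-based position of their format argument
# (an assumption covering the usual C library names).
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1, "dprintf": 1,
    "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
    "syslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(arg_text):
    """Split a C argument list on top-level commas, stopping at the ')'
    that closes the call.  String contents and nested parentheses are
    skipped over rather than split."""
    args, cur, depth, in_str = [], "", 0, False
    i = 0
    while i < len(arg_text):
        c = arg_text[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(arg_text):
                cur += arg_text[i + 1]      # keep escaped char with its backslash
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur += c
        elif c == "(":
            depth += 1
            cur += c
        elif c == ")":
            if depth == 0:
                break                       # end of this call's arguments
            depth -= 1
            cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args


def find_format_string_risks(source):
    """Return (line_number, function, format_argument) for every
    printf-family call whose format argument is not a string literal,
    i.e. where something other than the programmer decides the format."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[func]
            if idx < len(args) and not args[idx].startswith('"'):
                findings.append((lineno, func, args[idx]))
    return findings


# Constructed C snippet mixing risky and safe calls (not real project code).
SAMPLE_C = r'''void log_user(const char *user, const char *msg) {
    printf(user);                          /* format comes from the caller */
    printf("%s\n", user);                  /* format is a literal: fine */
    fprintf(stderr, user);
    snprintf(buf, sizeof buf, "%s", user);
    syslog(LOG_INFO, msg);
}'''
```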
Fraggle attack:
This is very similar
to the so-called "Smurf attack" (see below) except that it uses UDP
rather than ICMP.
Fragment/Segment attack:
Do you happen to recall from Gerry Anderson's famous
Thunderbirds TV show how the International Rescue
organisation managed to actually construct their fabulous machines
without anybody realising what was going on? They sourced all
the various components from different manufacturers who delivered
all the bits and pieces individually and only when all the parts
had arrived at their destination were they assembled into their
final form. Well, when data is sent across the network
between computers it must adhere to certain rules set by the
network protocols involved, one of which usually determines the
maximum size of the packages of data that can be transmitted.
If an amount of data is sent that is larger than this pre-defined
limit it can be broken up into smaller pieces, transmitted, and
then re-assembled at its destination. By deliberately
fragmenting or segmenting data in unusual ways, an attacker can
sneak malicious code past some defences such as Intrusion Detection
Systems because the individual pieces are not recognised as being
threatening. Only when they are automatically re-assembled at
their destination (probably the target computer) does the threat
become apparent!
Fuzzer:
A program which
attempts to input all possible (or a selected range of) unexpected
values into a target system with the purpose of identifying
vulnerabilities in that system. An attacker might use a
fuzzer to reveal a buffer overrun vulnerability in a piece of
software, for example.
Google hacking:
To use the advanced and less well known features of the
Google search engine to reveal sensitive data about a particular
target or to identify potential targets for attack. Often,
potential victims (or "googledorks") are blissfully unaware that
such sensitive data has "leaked" onto the Internet from within
their organisations and that it can be found by anyone who knows
how to construct the more advanced search engine queries.
Although originally confined to the Google search engine, Google
hacking now applies to other search engines also.
Googlejacking:
I dare say that everyone who's ever used a
web browser has seen an HTTP Error 404 (Page not found)
before. A less well known HTTP error code is 302 (Moved
temporarily). Web servers send clients (web browsers) an HTTP
Error 302 when the web page that the browser is requesting appears
to have been temporarily redirected to a different URL. Along
with the HTTP Error 302, the web server also sends the client the
new URL and the client browser is expected to go to this new URL
straight away. Now, consider that, in certain circumstances,
many Internet Search engines try to avoid indexing web pages that
seem to contain the same content. They will (in an HTTP Error
302 situation for example) try not to index both the original web
page and the one to which it has been temporarily
redirected. Googlejacking is a method of exploiting this
behaviour so that a web page in a search engine's listing is linked
in the search engine's database to a URL that is not on the domain
of the original page. For example,
http://www.originalwebsite/content.htm could be Googlejacked so
that anyone clicking on a link to this page in the search engine's
listing is actually redirected to
http://www.h-spot.net/content.htm. The original website
description and title remain the same in the listing, but the link
will be different. The upshot of this is that the original
website's listing in the search engine is removed and is replaced
with the Googlejacker's page which then gains the benefit of the
increased traffic, whilst using the original website's
content!
Grey Hat:
See Hacker.
Grinding:
See Document grinding.
Hacker:
Traditionally a hacker was a person who enjoyed
obtaining an in-depth knowledge of the intricacies of computer
operation, software and communications. Nowadays, the term
hacker has become synonymous with what used to be referred to as a
cracker i.e. somebody who uses such knowledge for malicious or
nefarious purposes. However, to help identify the good from
the bad, hackers now sometimes affiliate themselves with one of
three camps -
White Hats:
White Hat hackers are the good guys. People who enjoy finding out about how computers operate in depth and who will share their knowledge with Security professionals when they uncover potential weaknesses and vulnerabilities and help programmers and developers build better and more secure systems. In theory at least, a White Hat hacker wouldn't even dream of using their knowledge for illegal purposes.
Black Hats:
The bad guys. No more or less skilled than the White Hats, Black Hats are unlikely to have any compunction about using their knowledge for personal gain, perhaps breaking into systems and stealing data, selling their knowledge and skills to criminals, perhaps deliberately damaging or breaking systems through some political or social motivation, or otherwise using their knowledge in some illegal fashion.
Grey Hats:
Grey Hats do not affiliate themselves with either White Hats or Black Hats. Whilst they may not necessarily use their own skills and knowledge for personal gain as a matter of course, they may nonetheless associate with the Black Hats on occasion. Equally, they may well assist the White Hats, the IT Security community and programmers and developers when they see fit. On occasion, they may even break into systems and damage or disable them if they feel that such an action is justified.
Heap overflow:
A variety of buffer overrun affecting a buffer contained
within the area of memory called the "heap". The heap is the
memory from which a program dynamically allocates storage while it
runs. When a buffer in the heap is overrun, it is known as a heap
overflow.
Hoax:
A fake alert sent by email usually warning about a
fictitious virus or some other bogus threat for the purposes of
generating a panic. The chain-reaction of recipients
forwarding the hoax to all the people in their address books causes
email systems to become congested thereby slowing down or even
preventing the delivery of legitimate mail.
Hosts file:
A text file on a computer which maps host names to IP
addresses. By deliberately entering false data into a hosts
file, an attacker can force data to be sent to a computer other
than the one for which it is intended, thereby jeopardising the
authenticity, confidentiality and integrity of that data.
Often, false Hosts file information is used to direct a web browser
to a fake website rather than the legitimate one.
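As an added example (not from the original document), a hosts-file audit of the kind a defender would run: it parses the file and flags names under a watched domain (such as a bank) that should never be pinned locally, a name mapped to two different addresses, and malformed addresses. The sample file and the watched domain are constructed.

```python
import ipaddress


def parse_hosts(text):
    """Yield (ip_string, hostname) pairs from hosts-file text, skipping
    blank lines and '#' comments.  One line may name several hosts."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text, watched_domains):
    """Return (hostname, ip, reason) tuples for entries worth a second look:
    malformed addresses, names under a watched domain (which should be
    resolved by DNS, never pinned locally), and a name mapped to two
    different addresses of the same IP version."""
    findings = []
    seen = {}  # (hostname, ip version) -> first address seen
    for ip_text, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((name, ip_text, "malformed address"))
            continue
        if any(name == d or name.endswith("." + d) for d in watched_domains):
            findings.append((name, ip_text, "watched domain pinned locally"))
        key = (name, ip.version)
        if key in seen and seen[key] != ip_text:
            findings.append((name, ip_text, f"conflicts with {seen[key]}"))
        seen.setdefault(key, ip_text)
    return findings


# Constructed sample, not a real machine's hosts file.  The two bank entries
# stand in for the kind of line an attacker would add.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.test
198.51.100.7    www.bank.example.test online.bank.example.test
10.0.0.5        intranet.example.test
"""
WATCHED = ["bank.example.test"]  # assumption: the domains this user cares about
```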
Hype and dump manipulation:
See Pump and dump scheme.
Identity theft:
The fraudulent act of collecting sufficient personal
information about an individual in order that their identity can be
assumed for the purposes of carrying out some other illegal or
malicious activity.
Java applet:
A small program written in the Java programming language
which is usually intended to facilitate the addition of feature
rich, dynamic and/or interactive content to web pages, although
they can also be designed with malicious purposes. Java
applets normally run within a "sandbox" i.e. they should not be
able to access local resources on the computer which is running
them. However, it is not unknown for vulnerabilities to be
discovered and exploited which can allow malign Java applets to
break out of their sandboxes and from there potentially compromise
or otherwise damage a victim's system.
JavaScript:
See Script.
Joe jobbing:
Falsifying the "From" or "Reply to" headers of email messages to make it appear as though they originated somewhere else for the purposes of damaging the reputation of the owner of the falsified address, usually by making it appear as if they're sending spam.
Joke program:
A program which does not cause any actual damage to a
computer but which is designed to frighten or embarrass the user in
some way. Several joke programs are quite widespread and have
been known to cause a quantifiable disruption to people's work and
which can therefore be considered to have caused damage to
employers' businesses. As such, many of the more common joke
programs are detected by today's antivirus software, even though
they are not viruses.
Keygen:
A small program designed to generate serial
numbers / registration codes for another piece of software so that
it can be used, illegally, without having to pay for it. It's
possible, though by no means always the case, that keygen programs
may have some other malign intent or undesirable
effects.
Keylogger:
A program which monitors and records keyboard
activity. Although there are legitimate uses for keyloggers,
an attacker can use a keylogger program to steal usernames,
passwords, bank account and credit card details for example and
then use these in a "replay attack". Keyloggers are
often included within the payload of Trojan horse
programs.
Kleptographic attack:
An attack in which
information is stolen/leaked from a cryptographic system over a Subliminal
channel (see below) using an asymmetric backdoor which does not compromise
the private keys or confidentiality of the encrypted messages being sent by the
system's legitimate users. Such attacks are likely only possible when the
cryptographic system's designer builds such a backdoor into the system.
Land attack:
Sending TCP network packets to a computer in which the
SYN flag is set and in which the source address and port number are
identical to the destination address and port number. In
effect, the target computer is instructed to talk to itself.
Older or un-patched systems can crash on receiving such data
resulting in a denial of service.
Leet / Leetspeak:
Leet (derived from the
term "elite") is a simple form of cipher in which certain letters
that would normally be used to correctly spell out a particular
word are replaced with alternative keyboard characters which
vaguely resemble them. So, for example, the letters "A" and
"a" might be represented as "4" and "@". Sometimes, more
complexity is introduced by using multiple alternative characters.
For example the letter "H" might be shown with a pipe-dash-pipe
combination like this "|-|" and the letter "F" might be replaced
with "PH" or even with a pipe-equal sign combination like this
"|=". Sometimes, combinations of letters may be replaced with
a single alternative character. The letters "ck" for example are
sometimes replaced with the letter "x". It's also not
uncommon to CaPiTaLiSe CoNSoNaNTS. Thus, the word "hacker"
might be represented like this in leet: "|-|@X0R". However,
there are no hard and fast rules and different users tend to adopt
their own variations on the theme. It is not entirely clear
exactly where or when leet was developed, but a widely held belief
is that it was originally designed to elude automated systems which
checked plain text documents and messages for obscenities or other
"illegal" content. The word "porn" for example is often
rendered as "pr0n" in leet. Nowadays, leet is more of a
cultural phenomenon (rather like the form of mobile phone text
messaging adopted by teenagers) perhaps most widely used by the
online gaming community. The general concept has also been
adopted by spammers so that their junk mail messages are less
likely to be identified and blocked by spam filters. The line
below reads: "This is an example of a sentence written in
leet".
7|-|15 15 @|\| 3><@|\/|p13 ()|= 4 53|\|73|\|(3 \/\/R1773|\| 1|\| 1337
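The spam-filter angle mentioned above, as an added example that is not part of the original text: instead of trying to decode leet into one fixed spelling (the same "1" stands for both "i" and "l" in the sentence above), the checker asks whether a leet word could decode to a given plain word, backtracking over all readings. The substitution table is built from the substitutions this entry lists and the blocklist is constructed; both are assumptions, since real leet varies.

```python
from functools import lru_cache

# Each token maps to the plain-text strings it may stand for.  Built from
# the substitutions described in the entry above (an assumption: real usage
# varies).  Plain letters not listed here stand for themselves.
LEET_ALTERNATIVES = {
    "|-|": ["h"], "|\\/|": ["m"], "|\\|": ["n"], "\\/\\/": ["w"], "\\/": ["v"],
    "()": ["o"], "|=": ["f"], "><": ["x"], "ph": ["f"], "(": ["c"], "[": ["c"],
    "@": ["a"], "4": ["a"], "3": ["e"], "1": ["i", "l"], "!": ["i"],
    "0": ["o"], "5": ["s"], "$": ["s"], "7": ["t"], "+": ["t"], "|": ["l", "i"],
    "x": ["x", "ck"], "z": ["z", "s"],
}
_TOKENS = sorted(LEET_ALTERNATIVES, key=len, reverse=True)  # longest first


def decodes_to(leet, plain):
    """True if `leet` can be read, token by token, as the word `plain`.
    Every matching token at the current position is tried (longest
    first) so ambiguous tokens such as '1' are resolved by backtracking."""
    leet, plain = leet.lower(), plain.lower()

    @lru_cache(maxsize=None)
    def match(i, j):
        if i == len(leet):
            return j == len(plain)
        options = [(tok, LEET_ALTERNATIVES[tok])
                   for tok in _TOKENS if leet.startswith(tok, i)]
        if leet[i].isalpha():
            options.append((leet[i], [leet[i]]))   # a letter may be itself
        for tok, readings in options:
            for reading in readings:
                if plain.startswith(reading, j) and match(i + len(tok), j + len(reading)):
                    return True
        return False

    return match(0, 0)


def find_blocked_words(message, blocklist):
    """Return (leet_word, plain_word) pairs for every whitespace-separated
    word of `message` that could decode to a word on the blocklist."""
    hits = []
    for word in message.split():
        for plain in blocklist:
            if decodes_to(word, plain):
                hits.append((word, plain))
    return hits


# The example sentence from the entry above, plus a constructed blocklist.
LEET_SENTENCE = r"7|-|15 15 @|\| 3><@|\/|p13 ()|= 4 53|\|73|\|(3 \/\/R1773|\| 1|\| 1337"
BLOCKLIST = ["example", "sentence", "written", "leet"]
```

Transpositions such as "pr0n" for "porn" are not covered by substitution alone, so a filter built on this check still needs a separate rule for them.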
Logic bomb:
A piece of malicious code contained within a legitimate
program that is designed to execute should certain events
occur. As an example, a programmer might write some software
for his employer which includes a logic bomb to disable the
software if he should have his contract terminated.
Low hanging fruit:
Easy prey. Systems or targets that are relatively simple
to break into or crack. It's possible for an attacker to
break into any system given sufficient time and resources, but
hopefully after reading this document you'll be aware of the many
threats that you need to protect your systems against so they'll
not be considered low hanging fruit and an attacker will choose
another target!
LSP (Layered Service Provider):
An item of software which is tightly interwoven
with the TCP/IP network protocols used for communications between
Windows computers. LSPs have the capability to access and
modify all data entering or leaving a computer. Whilst LSPs
have many legitimate uses, they are also becoming a firm favourite
with the authors of malicious spyware.
MAC flood:
The act of generating very large amounts of network traffic
with randomly spoofed MAC addresses in order to exhaust the MAC
address tables of the network's switches. This can have a
number of beneficial effects from an attacker's perspective.
Every device on a network has a MAC (Media Access Control) address
which uniquely identifies it. The switches (which connect the
network together) send any data that they receive to specific
recipients based on the MAC addresses of the different devices
which they have learned and which they hold in a table. If an
attacker can exhaust the space available in the MAC address table
of a switch, the switch may simply stop adding any new entries to
its address table (which may lead to a denial of service) or it may
"fail open" and start behaving like a hub instead of a
switch. In the latter case, the switch will not send data to
a specific recipient, but will send it to all the devices attached
to it. This greatly aids an attacker who wishes to "sniff"
all the data passing through the switch rather than just that
destined for one particular
machine.
Macro virus:
See Virus.
Mail bomb:
See Email bomb.
Man-in-the-middle attack:
An attack in which data communications
between genuine parties are intercepted and compromised by an
intruder, or "man-in-the-middle", without their knowledge or
consent. This has a number of serious implications from a
security point of view. Most obviously, the man-in-the-middle
has compromised the confidentiality of any data passing between the
legitimate parties. Secondly, the man-in-the-middle can
actually pretend to be (or spoof) one or more of the legitimate
parties so that the source and destination of the data can not be
authenticated. Thirdly, the man-in-the-middle may modify the
data he has intercepted before sending it on to the intended
recipient(s) which means that the integrity of the data can not be
trusted.
Malware:
A generic term referring to any piece of
software written with malicious intent or which has a malign
purpose. Adware, spyware, viruses and Trojan horse programs,
for example, are all types of malware.
Mangling:
See File mangling.
Multi-partite virus:
See Virus.
Nigerian scam:
See 419 scam.
NOP Slide / Sled:
A common component of a buffer overrun attack in which many
"NOPs" or No Operation instructions (often the byte 0x90, written
in hexadecimal) are inserted into the buffer prior to
the malign code that the attacker wishes the vulnerable program to
execute.
Own / Owns / Owned:
After an attacker has successfully broken into a computer
and taken control of it, or has exploited a vulnerability in a web
server to deface a website for example, he may claim that he "owns"
it rather than the legitimate administrators or owners of the
system.
Packet sniffer:
Sometimes referred to as protocol analyzers, packet
sniffers are programs designed to capture and record network
traffic, ostensibly for diagnostic purposes. However, an
attacker can use a packet sniffer to capture packets perhaps
containing passwords, bank details, credit card numbers or other
confidential or valuable information. A feature of packet
sniffers is that they have the ability to switch the network
adaptor of the host computer into promiscuous mode. With the
network card in promiscuous mode, the packet sniffer can see
all the network traffic on the segment of the network to
which the host computer is connected and not just traffic destined
for that particular machine.
Payload:
The specific actions carried out by any item of
malware or even a joke program once it has propagated to and/or
successfully been installed on a host computer.
Pharming:
Pharming is similar to phishing, except
that the fraud does not rely on bogus emails to entice recipients
to visit a fake website. Instead, the fraudsters use cache
poisoning or domain hijacking to direct users' web browsers
straight to the fake website. Any details entered into the
fake site may then be used by the fraudsters for identity
theft.
Phishing:
The fraudulent act of sending bogus, spam
emails (which appear to originate from a legitimate organisation)
which entice the recipients to visit a fake website (which is an
almost exact replica of the organisation's genuine site) for the
purposes of gathering personal or sensitive financial information
from them. For example, a phishing email might look exactly
like a legitimate email from the recipient's bank and may request
that the recipient confirm some personal details or visit the
website to carry out some sort of transaction. On clicking
the hyperlink in the email to take them to what they believe is
their bank's real website, the email recipient will actually be
directed to the bogus, phishing site, where any details they enter
will be collected by the fraudsters and may subsequently be used
for identity theft.
Phreaking:
The act of breaking into a telephone network, often for
the purpose of making free calls or to charge calls to another
person's account, for example.
Ping of Death:
To ping a target computer with a very large number of
packets, or with packets of a very large size, which the target
computer can not handle effectively, therefore causing a denial of
service.
Pod slurping:
The act of stealing data by connecting an Apple iPod to a
network and copying information from the various network resources
into the iPod's internal memory. The same technique can be
used with many similar portable devices which nowadays feature
increasingly large amounts of memory such as MP3 players, digital
cameras and USB memory keys.
Polymorphic virus:
See Virus.
Pop-up:
A supplementary and often unwanted window which is
spawned by a script or active content on a website or perhaps by a
process running on the host machine. In their malign form,
pop-ups may contain undesirable or otherwise unwelcome content and
may have design elements that make them difficult or impossible to
close.
Port knocking:
You've probably all seen the films where somebody needs
to knock on a door with a special sequence of knocks (a "secret
knock") in order to gain entry to some clandestine meeting.
Port knocking is essentially the same idea except that it is used
to access a computer which is not listening on any ports.
Although the technique is not necessarily malign and is in fact
used by many programs for legitimate security purposes, it is also
increasingly being used by Trojan horse and backdoor
programs. For example, a Remote Access Trojan (RAT) which
uses port knocking lies dormant on the target computer which, for
good security reasons, may have no ports open. But by
supplying a series of connection attempts to specific closed ports
in a specific order (the "secret knock") the Trojan wakes up,
becomes active and starts listening on another port which is then
opened, allowing an attacker to connect from a remote
machine.
Port scanner:
A program designed to rapidly search a range of IP
addresses and report on the status of a particular port (horizontal
port scanning) or to search and report on the status of a range of
ports on a particular machine (vertical port scanning). A
port is basically a connection address (defined between 0 and 65535
for both the TCP and UDP protocols) which allows programs on
different computers to communicate with one another. For
example, client web browsers will usually connect to web servers on
port 80. A port can be in one of three states - "open", in
which case it will allow a connection to the target computer;
"closed", in which case it will not allow a connection but the
target computer reports it as such; and "stealth", where the target
computer does not respond on the status of the port at all and is
effectively invisible to the port scanner on that port.
Identifying open ports with a port scanner is often a potential
intruder's first step in formulating an attack.
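The horizontal/vertical distinction above is what a defender looks for in firewall logs. As an added example (not from the original document), this detector groups rejected connection attempts by source and labels each source as a horizontal scan (one port across many hosts) or a vertical scan (many ports on one host). The log line format and the sample lines are constructed; the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed log format: one rejected TCP connection attempt per line.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=TCP dpt=(\d+)")


def detect_scans(log_lines, threshold=5):
    """Return {source: (kind, detail)} for sources whose rejected attempts
    look like a scan.  'horizontal' means one port probed on at least
    `threshold` hosts; 'vertical' means at least `threshold` ports probed
    on one host.  Repeated attempts at the same host:port count once."""
    by_src = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            by_src[m.group(1)].add((m.group(2), int(m.group(3))))

    findings = {}
    for src, pairs in by_src.items():
        hosts_per_port = defaultdict(set)
        ports_per_host = defaultdict(set)
        for dst, port in pairs:
            hosts_per_port[port].add(dst)
            ports_per_host[dst].add(port)
        port, hosts = max(hosts_per_port.items(), key=lambda kv: len(kv[1]))
        host, ports = max(ports_per_host.items(), key=lambda kv: len(kv[1]))
        if len(hosts) >= threshold:
            findings[src] = ("horizontal", f"port {port} on {len(hosts)} hosts")
        elif len(ports) >= threshold:
            findings[src] = ("vertical", f"{len(ports)} ports on {host}")
    return findings


# Constructed sample: one source sweeping port 22 across a subnet, one
# walking several ports on a single host, and one ordinary failed attempt.
SAMPLE_LOG = (
    [f"DROP src=203.0.113.5 dst=192.0.2.{i} proto=TCP dpt=22" for i in range(1, 9)]
    + [f"DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP dpt={p}"
       for p in (21, 22, 23, 25, 80, 443)]
    + ["DROP src=198.51.100.2 dst=192.0.2.10 proto=TCP dpt=80"]
)
```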
Preimage attack:
See Collision attack / Preimage attack.
Proof of concept:
A small piece of exploit code released to prove the
existence of a newly discovered vulnerability in a piece of
software.
Protocol analyzer:
See Packet sniffer.
Pump and dump scheme:
A scam whereby
fraudsters make deliberately over-hyped and misleading statements about the
potential worth of a certain financial market stock in order to encourage
investors to buy and therefore "pump up" the share price. The
fraudsters then quickly sell (or "dump") their cheaply obtained stock
and make a large profit. At this point the share price often falls and
other investors who fell for the scam lose their money. This type of scam
is frequently perpetrated via spam emails.
Race condition:
In its simplest form, this is where two processes in a
software program access a shared resource on a computer at the same
time but are dependent upon each other to complete their
task. Obviously they can't both complete their task first and
so neither of them will, possibly causing the application or the
computer to become unstable or crash. Such conditions often
arise as a result of a mistake or oversight in the programming of
the software and might present a potential vulnerability that an
attacker may seek to exploit.
RAT (Remote Access Trojan):
See Trojan horse.
Referrer spam:
Many websites have
statistics pages which show things like how many visitors have looked at the
site, how much bandwidth has been consumed, what the most popular pages are, and
so on. They also show the URLs of sites that visitors have come from
(referrers). Many websites leave these pages open for public viewing and
they may also be indexed by search engines. Referrer spam is the name
given to bogus referrer entries in legitimate websites' statistics pages.
These bogus entries are deliberately generated by the owners of malicious or
otherwise disreputable websites for the purposes of increasing their search
engine rankings and thereby enticing more visitors to those sites.
Replay attack:
The act of replaying captured data, such as logon credentials
previously recorded with a keylogger program for example, in order
to fool a system into authenticating an intruder as a legitimate
user.
Reverse engineering:
The practice of taking something to pieces to see how it
works and then re-assembling it in a different way to form a
variation of the original product or item. For example, large
corporations may attempt to reverse engineer a competitor's product
in order to discover the competitor's clever solution to a tricky
problem, or a military organisation may attempt to discover how an
adversary's new weapon works by reverse engineering it so that it
can develop its own version. From the perspective of
threats to Information Technology, reverse engineering often
applies to original pieces of copyrighted software which may be
"cracked" by reverse engineering them and reassembling them without
the copyright/registration components so that they can be used free
of charge, albeit illegally. Many so-called "crackz" or
"warez" software have been reverse engineered in this way. It
should also be borne in mind that such reverse engineered software
may also have had some malicious components added.
Reverse social engineering:
Whereas social
engineering (see below) relies on an attacker identifying and approaching potential victims,
reverse social engineering involves the attacker creating an assumed air of authority or knowledge such that potential victims will actually approach him. For example, an attacker might be aware that a potential victim is investigating the purchase of a particular product or technology. If the attacker pretends to be a supplier or consultant with expertise in that particular area, it's possible that the victim may approach him for help or advice and thus be less guarded in divulging information that will
be useful in the attack.
Root:
The term "root" has a number of different
meanings. As a noun, it can mean the topmost level of a
directory tree, but, more importantly from a security point of
view, "root" is the name given to the ultimate administrative
account on UNIX/Linux type computers. Sometimes called the Superuser, the root account is the single most powerful account on
the machine. As a verb, "root" means to break into a computer
and take control of it as though you were the administrator or root
account user. A computer which has been compromised in this
way may be said to have been "rooted".
Rooted:
See Root.
Rootkit:
Traditionally, a set of software utilities designed
to run on specifically UNIX/Linux type computers and assume control
of them as the root user without the knowledge or permission of the
owner. More recently, the term has been broadened to
encompass kits of software utilities that are able to hide files,
folders, programs or processes on any type of computer and allow
them to evade detection by the computer operator. In its
more recent sense, at least four different types of rootkit have
been identified by Windows specialists, Sysinternals:
Persistent:
Activates automatically without user intervention every time the system boots or a user logs in and stores its code in some permanent location such as the file system or Registry.
Memory-based:
Does not store its code in a permanent location and therefore does not survive a reboot.
User-mode:
Avoids detection by a variety of techniques, such as intercepting various API calls and modifying their output. For example, a user-mode rootkit might intercept a command to list the contents of a directory and modify its output so that files which might alert the user to the rootkit's presence are removed from the listing.
Kernel-mode:
Have the ability to avoid detection by directly manipulating kernel-mode data. For example, a kernel-mode rootkit might avoid detection by removing its own entry from the kernel's list of active processes. Thus, it will not be revealed by tools such as Windows Task Manager for example.
Salami slicing:
For those that remember the movie Superman III, this is
akin to the crime that Gus Gorman (Richard Pryor) committed
when defrauding his employers. In relation to financial IT
systems, it involves rounding-down very tiny amounts of money
(excess fractions of a penny, say) from multiple accounts in the
anticipation that no one will notice. All the proceeds from
the rounding-down exercise are then deposited in a single, separate
"dummy" account which can then be cleaned out by the
fraudster.
Satellite virus:
See Virus.
Screenscraping:
Sometimes referred to as "screen
grabbing" or "screen capturing", this refers to taking a snapshot
image of whatever is being displayed on a computer's monitor.
Being able to take a snapshot of a computer screen obviously has
legitimate uses, but lately these techniques are being increasingly
adopted by the authors of malicious software in the attempt to
steal sensitive or confidential data, often for the purposes of
identity theft.
Script:
An ordered list of instructions that would normally be
entered one by one, but saved to an executable file so that they
are automatically carried out in sequence when the file is
run. There are many different types of script. Batch
scripts and Shell scripts are those containing essentially a
sequence of command line instructions, VBScripts are those written
using Microsoft's Visual Basic scripting language, whilst
JavaScripts are written in a scripting language developed by
Netscape. A script might be used as part of the payload in a
malware program.
Script kiddie:
An incompetent hacker or cracker who relies on code that
has been pre-built into software programs or scripts by others so
that it can be run at the click of a button. Script kiddies
do not have the skill to develop any code for themselves and, more
so, probably do not even understand the concepts
involved.
Session hijacking:
Whereby an attacker commandeers a TCP Session from a legitimate user
after the legitimate user has achieved authentication, thereby removing the need for the attacker to authenticate himself.
Shellcode:
A short segment of assembly language, used
by an attacker as part of an exploit, in order to instruct the
target system to perform some action. For example, an
attacker will likely employ shellcode in a buffer overrun attack on
a particular software program so that the shellcode is executed in
place of the program's own code.
Shell script:
See Script.
Shoulder surfing:
The act of peering over someone's shoulder whilst they are
typing sensitive information, such as logon details or account
numbers, into a computer or cash dispenser, in order to learn
that information.
Skimming:
More recently this
term has been used to describe the act of illicitly reading the information from
an RFID tag (contained in a modern passport or
smartcard, for example) from a distance. The term has also been used to describe the
act of making a copy of the information contained in the magnetic stripes of
items such as credit cards for the purposes of cloning them. Also see
Carding.
Smurf attack:
An attack in which large volumes of ICMP Echo Requests
(pings) are broadcast to all the other machines on the network and
in which the source address of the broadcast has been spoofed to
appear as though they came from the target computer. When all
the machines that received the broadcast reply, the target can
become flooded with more data than it can handle and a denial of
service may result. Also see Fraggle attack.
Snarf:
In its simplest sense, snarfing is the copying
of a large amount of data across a network from one computer to
another. However, the term is very often applied when such
copying is performed without the owner's consent in order to steal
the data. "Pod slurping" and "Bluesnarfing" are both forms of
snarfing activity.
Sniffer:
See Packet Sniffer.
Social engineering:
Whereby an attacker will engender a sense of trust in a
potential victim, lulling them into a false sense of security
so that they voluntarily reveal information or perform some action
that will be useful in the attack. For example, an attacker
might call an organisation's Help Desk pretending to be a
legitimate user and ask for his password to be reset, thereby
enabling him to log straight in to the organisation's system
without the need to break in. Also see Reverse social engineering.
Source routing:
The act of the originator (or source) specifying the exact
route that packets of data will take across the network.
Normally, when data is sent across the Internet for example,
intermediate devices known as routers will determine the path that
the data should take on its way to its destination. With
source routed packets, the sender specifies this path.
Although source routing is not malign in itself, an attacker can
use the technique to his advantage in a number of ways. For
example, a target computer may not normally be reachable from the
attacker's location, but may be reachable from another,
intermediate device. By source routing the packets via the
intermediate device, the attacker can reach his target. The
technique can also be used to make it appear that the target
computer is communicating with one particular machine when, in
fact, it is communicating with the attacker.
Spam:
The electronic equivalent of junk
mail or, as a verb, the sending of such. Thanks to the
availability of huge email address databases and the relatively
small cost of sending emails (particularly when open relays are
used), spam is a lucrative business and now accounts for the
majority of all email messages! Recent evidence suggests that
some spammers have now teamed-up with virus writers so that even
more spam can be sent, using the infected computer to send spam to
all the email addresses contained in a user's address book for
example. Spam gets its name from the Monty Python sketch and
associated song: "Spam, Spam, Spam, Spam, Spam, Spam, Spam,
Spam..."
Spim (Spam over Instant Messaging):
Spam sent via instant messenger type programs
rather than via email.
Spit (Spam over Internet Telephony):
Spam sent via Voice over IP (VoIP)
telephony systems rather than via email.
Splog (Spam Blog):
A fake blog, often containing a mixture of nonsense text and/or
articles "scraped" from legitimate sites, used to advertise and link to
affiliate websites for the purposes of increasing traffic to those sites and
improving their search engine rankings which in turn will help to
generate income for the owner of the splog. Splogs may also be used to
advertise malicious websites, enticing potential victims to visit them.
Spoof:
To falsify one's identity or the identity of a
computer. For example, an intruder may spoof the IP address
of the computer from which he is launching an attack in order to
cover his tracks or to make it appear that another, innocent party
is responsible. Often, spammers will spoof the email address
from which their junk mails are being sent so that they are more
difficult to track down or take action against.
Spyware:
A generic term referring to a class of software
that monitors a user's actions, perhaps tracking which web sites
the user visits, for example, and which logs and reports this
behaviour. Sometimes, spyware will be installed with a
companion adware program. Whilst the spyware program logs and
reports on the user's activity, the adware program will display
targeted pop-up advertisements and advertising banners based on
that activity.
SQL injection:
The act of entering malformed or unexpected data (perhaps
into a front-end web form or front-end application for example) so
that the back-end SQL database running behind the website or
application executes SQL commands that the programmer never
intended to permit, possibly allowing an intruder to break
into or damage the database.
Stack overflow:
A common variety of buffer overrun affecting a buffer
contained within a memory data structure called a
"stack". The stack can literally be thought of as a
waiting-list of processes that need to be carried out. The
processes are dealt with on a LIFO (Last In First Out) basis.
Processes that are lower down in the stack are dependent upon those
higher up to complete their designated tasks. As such, new
processes are "pushed" onto the top of the stack, acted upon, and
then "popped" off, whereupon the next process in the queue reaches
the top of the stack so that it, in turn, can be dealt with.
When a buffer in the stack is overrun, it is known as a stack
overflow. An attack of this nature is sometimes referred to
as "smashing the stack".
Steganography:
The art of concealing a hidden message
within some other medium. Unlike cryptography (where the
presence of an encrypted message is obvious to everyone, but
its meaning is obfuscated) with steganography the very existence of
the message itself is obscured. The basic concepts of
steganography were first written about by Aeneas the Tactician over
2000 years ago but a good example we're probably all familiar with
today is that illustrated in lots of the old wartime spy movies of
the 30's and 40's: A secret agent receives some written
communication such as a letter, newspaper article or book, for
example, which appears at first glance to be entirely innocent; but
by placing a special template over the writing, much of the text is
masked leaving only some of the letters revealed and which spell
out a secret message. From an IT perspective, steganographic
techniques can be used to hide data inside otherwise innocent
looking files. Steganography is not a malicious practice in
itself of course and it has many legitimate uses, but it is worth
considering that a person with malicious intent could use such
techniques to form a covert communications channel and attackers
could use similar methods to hide malicious code inside other,
apparently harmless files. Steganography is sometimes referred
to as "steg" for short. The practice of attempting to detect
steganography is known as steganalysis.
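An added example, not part of the original document, in Python: it hides a message in the least significant bits of a constructed run of 8-bit samples (standing in for image pixel values), recovers it, and applies a simplified pairs-of-values chi-square statistic of the kind steganalysis uses to notice that an LSB plane has been evened out. The cover data and the message are constructed; nothing here comes from a real file.

```python
import random

def embed_lsb(cover, message):
    """Hide `message` in the least significant bit of successive cover
    samples (8-bit values such as image pixel channels). The first 32 bits
    carry the message length so the reader knows where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit   # replace only the lowest bit
    return stego

def extract_lsb(stego):
    def read_bits(start, count):
        value = 0
        for pos in range(start, start + count):
            value = (value << 1) | (stego[pos] & 1)
        return value
    length = read_bits(0, 32)
    return bytes(read_bits(32 + 8 * k, 8) for k in range(length))

def pov_chi_square(samples):
    """Simplified pairs-of-values statistic: for each pair (2k, 2k+1) compare
    the observed counts with the even split that LSB embedding tends to
    produce. A markedly lower value over a region than over untouched cover
    material is the kind of signal a steganalysis tool looks for."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    chi = 0.0
    for k in range(128):
        n0, n1 = counts[2 * k], counts[2 * k + 1]
        expected = (n0 + n1) / 2
        if expected:
            chi += (n0 - expected) ** 2 / expected
    return chi

# Constructed cover: 4096 samples whose lowest bit is mostly 0, standing in
# for a smooth region of an image; not derived from any real file.
_rng = random.Random(7)
COVER = bytearray((_rng.randrange(128) << 1) | (1 if _rng.random() < 0.15 else 0)
                  for _ in range(4096))
MESSAGE = b"The wooden horse is hollow. " * 10
EMBEDDED_BITS = 8 * (4 + len(MESSAGE))   # samples touched by embed_lsb

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    print(extract_lsb(stego) == MESSAGE)                    # True
    print(pov_chi_square(COVER[:EMBEDDED_BITS]),
          pov_chi_square(stego[:EMBEDDED_BITS]))            # first value is the larger
```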
Subliminal channel:
A type of Covert
communications channel (see above) that specifically refers to sending data
into or out of a cryptographic system.
SYN flood:
An attack which compromises the process by which
computers establish a two-way connection. The normal process
is known as a three-way handshake and works like this:
Computer A attempts to connect to Computer B by sending it a TCP
network packet in which the SYN (Synchronise) flag is set.
Computer B replies with a packet which acknowledges
(ACK flag set) the SYN from Computer A and which also has its own
SYN flag set, thereby asking Computer A to synchronise with it in
the opposite direction. Computer A then completes the three-way
handshake by sending a packet which acknowledges (ACK flag set)
Computer B's SYN. Thus both computers have synchronised with
and acknowledged each other and two-way communication is
established. In a SYN flood attack, the attacking computer
sends multiple SYN packets to the target (which responds to each
with a SYN/ACK) but never completes the three-way handshake with the
final ACK. If sufficient numbers of SYN packets can be sent
to the target fast enough, a denial of service may result because
other legitimate traffic may not be able to reach the flooded
computer.
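An added example (not from the original page) in Python that takes the defender's view of the handshake above: it counts half-open (SYN_RECV) entries per local socket in a constructed connection table in the style of `netstat -tan` output and flags services whose backlog is dominated by them. The thresholds and the sample records are assumptions made for the example.

```python
from collections import Counter, defaultdict

def constructed_sample():
    # Constructed connection-table text (proto, recv-q, send-q, local,
    # remote, state); the addresses are documentation ranges, not real hosts.
    lines = [
        "tcp 0 0 10.0.0.5:22 192.0.2.40:51022 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 192.0.2.41:51100 ESTABLISHED",
        "tcp 0 0 10.0.0.5:22 192.0.2.42:51187 SYN_RECV",
        "tcp 0 0 10.0.0.5:80 198.51.100.7:40211 ESTABLISHED",
        "tcp 0 0 10.0.0.5:80 198.51.100.8:40390 ESTABLISHED",
        "tcp 0 0 10.0.0.5:80 198.51.100.9:40412 ESTABLISHED",
    ]
    # Sixty half-open connections to the web service: SYN received and
    # SYN/ACK sent, but the final ACK of the handshake never arrived.
    for i in range(60):
        lines.append(f"tcp 0 0 10.0.0.5:80 203.0.113.{i + 1}:{1024 + i} SYN_RECV")
    return "\n".join(lines)

def parse_connections(text):
    """Return (local_socket, remote_socket, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "tcp":
            rows.append((parts[3], parts[4], parts[5]))
    return rows

def state_counts(rows):
    counts = defaultdict(Counter)
    for local, _remote, state in rows:
        counts[local][state] += 1
    return counts

def detect_syn_flood(rows, max_half_open=50, min_ratio=0.8):
    """Flag local sockets whose backlog is dominated by SYN_RECV entries.
    Returns a sorted list of (local_socket, half_open, established)."""
    alerts = []
    for local, states in state_counts(rows).items():
        half_open = states["SYN_RECV"]
        established = states["ESTABLISHED"]
        total = half_open + established
        if total and half_open >= max_half_open and half_open / total >= min_ratio:
            alerts.append((local, half_open, established))
    return sorted(alerts)

if __name__ == "__main__":
    rows = parse_connections(constructed_sample())
    for local, half_open, est in detect_syn_flood(rows):
        print(f"{local}: {half_open} half-open vs {est} established")
```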
Tap:
As a noun, this is a device which monitors the transmission
of data along network lines or, as a verb, the use of such a
device. Just like telephone "wiretapping", the device is
usually secreted somewhere on the network in between the computers
which are communicating with one another. There are several
different types of tap:
Invasive:
One in which a physical connection exists between the tap and the network to which it is listening or in which the network connection needs to be momentarily broken in order to install the tap.
Non-invasive:
One in which no physical connection exists between the tap and the network to which it is listening or in which the tap can be installed whilst the network is live, with no need to make a momentary break in communications. Data may instead be picked up by the use of an induction loop or antenna which can detect the electrical signals passing along the network cables, for example. This type of tap is also sometimes referred to as a vampire tap.
Passive:
One which simply listens to and logs the received data without affecting the transmissions in any way.
Active:
One which listens to and logs the original data and also alters the transmitted signal in some way.
TCP attack/scan:
See Christmas tree attack/scan.
Teardrop attack:
As mentioned above in Fragment/Segment
attack, it is sometimes necessary to break up large packets of data into
smaller fragments before they can be sent across the network. Each of
these fragments contains information that describes its position in the
original, unfragmented packet, so that when the fragmented data arrives at its
destination it can all be re-assembled in the proper order. In a teardrop
attack, that positional information is deliberately falsified so that the
fragments overlap. This can make some machines crash, thereby causing a
denial of service. Also see Unnamed attack.
Tracking cookie:
See Data Miner.
Trojan horse:
A program which has some hidden, malign purpose, other
than the one it purports to have. For example, a program
which claimed to be a game but which also secretly installed some
spyware or adware components on a user's computer would be
considered to be a Trojan horse program, because the real
purpose of the program was to install the malware and not to
provide an entertaining game for the user. Commonly, a
so-called Remote Access Trojan (or RAT) may open a backdoor on a
computer allowing an intruder to connect without the user's
knowledge or consent. The name is taken from the legend in
which the Greeks built a large wooden horse with the pretence that
it was a peace offering for their foes, the Trojans. The
Trojans accepted the gift and carried it into their erstwhile
impregnable city of Troy. Little did they realise, until it
was too late, that the wooden horse was hollow and that the
Greek army was concealed inside!
UDP bomb:
UDP (User Datagram Protocol) is one of the main protocols used
for sending data across the Internet. Unlike TCP
(Transmission Control Protocol) it does not provide any means of
checking that packets of data have arrived at their
destination. By sending UDP packets with deliberately malformed
information in the headers, some types of UNIX computers
can be made to "panic" and crash. By sending large volumes of
such packets (a UDP bomb) a vulnerable computer can be caused to
reboot constantly thereby causing a denial of
service.
Unnamed attack:
The strangely titled
"unnamed attack" is very similar to the "Teardrop attack"
described above, except that in this case the positional information required to
re-assemble the fragmented packets is deliberately falsified so that there are
gaps between the fragments, rather than overlaps.
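One added example, not from the original page, serving both the Teardrop and Unnamed attack entries: a Python reassembler that models fragments with plain byte offsets (an assumption for the example; real IP fragment offsets are expressed in 8-byte units) and refuses overlapping or gapped sets rather than trusting the positional information as the crashing machines described above did.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int    # byte position of this piece within the original packet
    data: bytes
    more: bool     # "more fragments follow"; False only on the final piece

class ReassemblyError(ValueError):
    pass

def fragment(payload, size):
    """Split a payload into well-formed fragments of at most `size` bytes."""
    pieces = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        pieces.append(Fragment(off, chunk, more=off + size < len(payload)))
    return pieces

def reassemble(fragments):
    """Rebuild the payload, trusting nothing in the positional fields: every
    fragment must start exactly where the previous one ended, so overlapping
    pieces (the teardrop case) and gaps (the unnamed-attack case) are refused
    rather than written into memory."""
    if not fragments:
        raise ReassemblyError("no fragments")
    ordered = sorted(fragments, key=lambda f: f.offset)
    out = bytearray()
    expected = 0
    for piece in ordered:
        if piece.offset < expected:
            raise ReassemblyError(f"overlap: fragment at {piece.offset} "
                                  f"begins before byte {expected}")
        if piece.offset > expected:
            raise ReassemblyError(f"gap: bytes {expected}-{piece.offset - 1} missing")
        out += piece.data
        expected += len(piece.data)
    if ordered[-1].more or any(p.more is False for p in ordered[:-1]):
        raise ReassemblyError("inconsistent 'more fragments' flags")
    return bytes(out)

def classify(fragments):
    """Summarise a fragment set as 'ok', 'overlap', 'gap' or 'malformed'."""
    try:
        reassemble(fragments)
        return "ok"
    except ReassemblyError as err:
        reason = str(err).split(":")[0]
        return reason if reason in ("overlap", "gap") else "malformed"

if __name__ == "__main__":
    # Constructed payload; fragments arrive out of order but fit together.
    payload = b"The quick brown fox jumps over the lazy dog"
    print(reassemble(list(reversed(fragment(payload, 10)))) == payload)   # True
    print(classify([Fragment(0, b"A" * 10, True), Fragment(6, b"B" * 10, False)]))  # overlap
    print(classify([Fragment(0, b"A" * 10, True), Fragment(14, b"B" * 5, False)]))  # gap
```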
URL spoofing/cloaking:
The act of forcing a web browser to display a URL
other than the correct one for the website which the browser is
actually displaying. For example, clicking on a specially
crafted hyperlink in a phishing email might not only open the
phishing site itself (which could look just like the genuine
website) but it may also cause the web browser to show the genuine
site's URL in the address bar, making it even less likely that the
user will realise they are not viewing the legitimate
site.
VBScript:
See Script.
Vector:
The mechanism by
which an attack is propagated.
Virus:
Traditionally, "a program that is able to
infect other programs by modifying them to include a possibly
evolved copy of itself" - Dr. Frederick Cohen. A
virus may do little more than replicate itself in this way,
although it is more likely to contain some form of malicious
payload. Nowadays, the term "virus" is generally used to
cover many different forms of malicious software, including true
viruses, worms, Trojan horse programs and even some types of
spyware and adware. Today, many different categories of virus
have been defined, including:
Boot Sector:
A virus which infects the boot sector or partition table of a disk. Computers are most often infected with this type of virus after being started with an infected boot floppy or CD.
Companion:
Also known as a "Satellite" virus, this does not actually modify the code of the target program, but is hosted by an infected copy of the target which is placed ahead of it on the execution path. This is achieved by giving the infected version the same name as the target program, but with a file extension of higher priority. For example, if the user of a PC running Microsoft Windows attempts to run a file called myprogram, the computer will look to run a file called myprogram.bat or myprogram.com or myprogram.exe in that order. Therefore, a companion virus which targets the myprogram.exe file would create an infected copy called myprogram.bat or myprogram.com so that it gets run instead of the real program.
Cryptovirus:
A virus that uses asymmetric encryption techniques and includes a public key in its payload. Usually, the private key of the asymmetric key pair will be retained by the virus author/attacker so that only he can decrypt the data that was encrypted with the corresponding public key contained in the virus. The concept could equally be applied to Worms or Trojan horse programs giving us "Cryptoworms" and "Cryptotrojans" respectively. Such malware would commonly be used for extortion, whereby data on a victim's hard disk is encrypted and held to ransom.
File infector:
The traditional type of virus which infects .com .exe or other executable files.
Macro:
A virus, very often written in Visual Basic, which is triggered when a parent application performs some action on an infected document. A macro virus contained in a .doc file might be triggered when the parent application (Microsoft Word, say) opens, closes or saves the file, for example.
Multi-partite:
A virus which has the capability to infect a computer's boot sector, partition table and/or its executable programs. It therefore has the characteristics of both "boot sector" and "file infector" viruses.
Polymorphic:
A virus which has the ability to alter its appearance. The body of a polymorphic virus has two basic parts - the executable part (which is encrypted) and the decryptor (which is used to decrypt the executable part so that it can be run). By using a variety of techniques the appearance (but importantly, not the basic functionality) of the decryptor can be altered, greatly assisting the virus in evading detection by antivirus software.
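An added example, not from the original page, for the Companion entry above: a Python check that reports basenames present with more than one executable extension, which is the condition a companion file relies on. The extension lookup order is the one the entry gives and is passed as a parameter so another order can be supplied; the directory listing is constructed.

```python
import os

# Lookup order the Companion entry gives for a bare program name.
PAGE_ORDER = (".bat", ".com", ".exe")

def resolve(name, listing, order=PAGE_ORDER):
    """Return which file in `listing` would run for the bare name `name`,
    trying the extensions in `order` (first match wins), or None."""
    present = {n.lower() for n in listing}
    for ext in order:
        if (name + ext).lower() in present:
            return name + ext
    return None

def find_shadowed(listing, order=PAGE_ORDER):
    """Map each basename that exists with more than one executable extension
    to its files ranked by precedence: the first entry is what actually runs,
    the rest are shadowed. A companion-virus candidate is a first entry the
    administrator did not install."""
    by_base = {}
    for n in listing:
        base, ext = os.path.splitext(n)
        if ext.lower() in order:
            by_base.setdefault(base.lower(), []).append(n)
    report = {}
    for base, files in by_base.items():
        if len(files) > 1:
            ranked = sorted(files, key=lambda f: order.index(os.path.splitext(f)[1].lower()))
            report[base] = tuple(ranked)
    return report

# Constructed directory listing for the example.
SAMPLE_LISTING = ["myprogram.exe", "myprogram.com", "notepad.exe",
                  "backup.bat", "README.txt", "Setup.exe", "setup.bat"]

if __name__ == "__main__":
    print(resolve("myprogram", SAMPLE_LISTING))   # myprogram.com
    for base, files in find_shadowed(SAMPLE_LISTING).items():
        print(f"{base}: {files[0]} runs, shadowing {files[1:]}")
```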
Vishing (Voice Phishing):
Similar to phishing (see above), vishing involves enticing victims to
ring a telephone number and hand over personal information which is recorded by
fraudsters and may subsequently be used to steal the victim's identity.
Vulnerability:
A flaw, bug or programming error in a piece of
software which may be exploitable by an attacker to carry out some
malicious act.
War chalking:
Just as many utility companies, prior to undertaking some
act of maintenance, place temporary chalk markings on buildings,
roadways and pavements etc. to signify the location of
telephone/electricity cables or gas/water mains for example, war chalking is the malicious act of marking similar symbols which
signify to others the nearby presence of an unsecured wireless
network access point, beacon or hotspot. Such resources may
then be the subject of attack or be used to obtain free network
resources or Internet access, for example.
War dialler:
A program designed to
automatically call a range of telephone numbers and log those that
respond in a given way so that an attacker can identify potential
entry points to computer or telecoms systems. A phreaker, for
example, could use a war dialler to identify PBX (Private Branch
Exchange) telephone numbers by the tones with which they respond
when they receive the call.
War driving:
The act of driving around in a car with a laptop (or even
handheld/palmtop) computer configured to discover wireless access
points/beacons/hotspots. Once a list of access points has
been discovered, they may become subject to further attack, often
for the purposes of obtaining free network resources such as
Internet access, but sometimes (especially where corporate
organisations are concerned) for the purposes of breaking into the
network to perform some other malicious act.
Warez(s):
Software products which have been
illegally cracked or reverse engineered to produce
fully-functioning versions which can then be used without the
requirement to register or pay for them. Whilst it might seem
tempting to use such products, it should be borne in mind that they
may have had other modifications made to them, such as the addition
of a backdoor component for example, which may have undesirable
effects.
White Hat:
See Hacker.
WiPhishing:
See Evil twin.
Worm:
A program which copies itself between computers
across a network. Unlike viruses, worms exist as stand-alone
programs in their own right and do not infect other, "host"
programs in order to replicate. A worm may do nothing more
than make copies of itself, but frequently it will also carry some
type of harmful payload. Nowadays, worms most commonly
propagate via email and are often used to distribute spam, phishing
emails, viruses, Trojan horse programs and other forms of
malware.
Xmas tree attack/scan:
See Christmas Tree attack.
XSRF:
See Cross-Site request forgery.
XSS:
See Cross-Site scripting.
Zero day:
When a vulnerability in a
piece of software is announced at the same time as the relevant
exploit code is made available. Traditionally it was common
for there to be a gap of several weeks or even months before code
appeared to exploit a previously announced vulnerability, allowing
vendors a period of grace in which to develop a fix and for
end-users to patch their systems. More recently, that time
difference has been eroded until, now, there is often no difference
at all, or "zero days".
Zombie:
A computer which has been taken over by an
intruder and which can be used to attack other computers or
websites, all without the knowledge or consent of the owner.
A zombie might exist as an individual computer or be just one
machine in a whole zombie network (or botnet) containing multiple
computers which can be wielded en masse to perform a distributed
denial of service attack for example. Sometimes, there may be
several tiers of zombie computers, where relatively few higher
level computers (or zombie masters) are used to control the many
zombies below them.
Zone Transfer attack:
DNS (Domain Name System) is used to map host names to IP addresses.
Where an organisation has only one DNS server for example, that server will hold
records for both public machines and those on the organisation's internal,
private network. An attacker targeting such a server may attempt a Zone
Transfer in which all the DNS information held by the server can be downloaded.
If this is successful, the attacker will learn a great deal of information about
the structure of the organisation's internal, private network.
© J. R. Haythorne, 2000-2017. All Rights Reserved