Methods of Attacks

The document discusses various computer security threats, including viruses, worms, Trojan horses, and social engineering techniques like phishing and vishing. It explains how these attacks exploit human weaknesses and system vulnerabilities to gain unauthorized access or disrupt services. Additionally, it highlights the importance of incident management and the use of firewalls and anti-virus software to mitigate these threats.

Uploaded by Chris Ben
COMPUTER SECURITY

Methods of attack

Viruses, worms and Trojan Horses

Social engineering is a common security threat which preys upon human
weakness to obtain desired results. In addition to social engineering, there are
other types of attacks which exploit the vulnerabilities in computer software.
Examples of these attack techniques include viruses, worms and Trojan horses.
All of these are types of malicious software introduced onto a host. They can
damage a system, destroy data, and deny access to networks, systems or
services. They can also forward data and personal details from unsuspecting PC
users to criminals. In many cases they can replicate themselves and spread to
other hosts connected to the network. Sometimes these techniques are used in
combination with social engineering to trick an unsuspecting user into executing
the attack.

Viruses

A virus is a program that runs and spreads by modifying other programs or files.
A virus cannot start by itself; it needs to be activated. Once activated, a virus
may do nothing more than replicate itself and spread. Though simple, even this
type of virus is dangerous as it can quickly use all available memory and bring
a system to a halt. A more serious virus may be programmed to delete or corrupt
specific files before spreading. Viruses can be transmitted via email attachments,
downloaded files, instant messages or via diskette, CD or USB devices.

Worms propagate by exploiting vulnerabilities in network services and other
weaknesses in operating systems; viruses more often arrive inside files and
attachments that a user opens. A host-based firewall can block inbound
connections to services that should not be reachable from the network, which
denies a worm its entry point, and it can limit the spread of worms and viruses
by controlling outbound traffic originating from the server. It does nothing
against malware that arrives in a file the user chooses to open, so it complements
rather than replaces anti-virus software and patching.

Worms

A worm is similar to a virus, but unlike a virus does not need to attach itself to
an existing program. A worm uses the network to send copies of itself to any
connected hosts. Worms can run independently and spread quickly. They do not
necessarily require activation or human intervention. Self-spreading network
worms can have a much greater impact than a single virus and can infect large
parts of the Internet quickly.

Trojan Horses

A Trojan horse is a non-self-replicating program that is written to appear like a
legitimate program, when in fact it is an attack tool. A Trojan horse relies upon
its legitimate appearance to deceive the victim into initiating the program. It may
be relatively harmless or can contain code that can damage the contents of the
computer's hard drive. Trojans can also create a back door into a system allowing
hackers to gain access.

Back Doors and Trojans

Back doors and Trojan horses allow hackers to remotely gain access to servers on a
network. The software typically works by sending a message to let the hacker know of a
successful infection ("calling home"). It then provides a service that the hacker can
use to gain access to the system. A host-based firewall can prevent a Trojan from
sending that message by limiting outbound network access, and it can prevent the
attacker from connecting to any listening service the Trojan opens, provided the rules
are default-deny in both directions rather than inbound-only.

In addition to host-based firewalls, anti-virus software can be installed as a more
comprehensive security measure. Anti-virus software protects computer systems from
viruses, worms and Trojan horses; many products also detect spyware and other
malware, and some suites add phishing and spam filtering. Many ISPs offer customers
anti-virus software as part of their comprehensive security services. Not all anti-virus
software protects against the same threats. The ISP should regularly review which
threats the anti-virus software actually protects against and make recommendations
based on a threat analysis of the company. Many anti-virus software packages allow for
remote management. This includes a notification system that can alert the
administrator or support technician about an infection via email or pager. Immediate
notification to the proper individual can drastically reduce the impact of the infection.
Using anti-virus software does not diminish the number of threats to the network, but
it reduces the risk of being infected. Signature-based products only recognize malware
they have signatures for, so keeping signatures current matters as much as installing
the product.

Occasionally infections and attacks still occur and can be very destructive. It is
important to have an incident management process to track all incidents and the
corresponding resolutions, to help prevent the infection from recurring. Incident
management is required of ISPs that manage and maintain customer data, because the
ISP has committed to the protection and the integrity of the data they host for their
customers. For example, if the ISP network was the target of a hacker and, as a result,
thousands of credit card numbers stored in a database that the ISP manages were
stolen, the customer would need to be notified so that they could notify the card
holders.

Denial of Service and Brute Force attacks

Sometimes the goal of an attacker is to shut down the normal operations of a
network. This type of attack is usually carried out with the intent to disrupt the
functions of an organization.

Denial of Service (DoS)

DoS attacks are aggressive attacks on an individual computer or group of
computers with the intent to deny services to intended users. DoS attacks can
target end user systems, servers, routers and network links. In general, DoS
attacks seek either to flood a system or network with traffic so that legitimate
traffic cannot get through, or to disrupt connections between a client and server
to prevent access to a service. There are several types of DoS attacks. Security
administrators need to be aware of the types of DoS attacks that can occur and
ensure that their networks are protected. Two common DoS attacks are:

SYN (synchronize) flooding: a flood of TCP SYN packets requesting a client
connection is sent to a server. The packets carry spoofed source IP addresses, so
the server's SYN-ACK replies go unanswered. Each half-open connection occupies
an entry in the listener's backlog until it times out; once the backlog is full the
server can no longer accept legitimate connections. SYN cookies and shorter
half-open timeouts are the usual mitigations.

Ping of death: an ICMP echo request is sent as a series of IP fragments whose
offsets and lengths add up to more than the maximum IP packet size (65,535
bytes). A receiving system that reassembles the fragments into a fixed-size buffer
without checking the total can overflow the buffer and crash. Modern operating
systems validate fragment offsets, but the pattern (trusting length fields during
reassembly) recurs in other protocol parsers.

Brute Force

Not all attacks that cause network outages are specifically DoS attacks. A brute
force attack is another type of attack that may result in a denial of service. With
brute force attacks, a fast computer (or many computers working together) is
used to guess passwords or to recover an encryption key. The attacker tries a
large number of possibilities in rapid succession to gain access or crack the code.
Brute force attacks can cause a denial of service due to excessive traffic to a
specific resource, or by triggering account lockout policies: an attacker who
deliberately submits wrong passwords for a victim's account can lock the
legitimate user out.
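The two failure modes above (one noisy source guessing passwords, and a lockout policy turned into a denial of service by many quiet sources aimed at one account) can both be spotted in authentication logs. The following detector is an added example, not code from the original document; the sshd-style log lines, the IP addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines for this example (not taken from the
# original document). 203.0.113.7 hammers "admin", 198.51.100.2 is a user
# who mistyped once, and three different hosts each try "alice" once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[4211]: Failed password for admin from 203.0.113.7 port 50001 ssh2
2024-03-01T10:00:02 sshd[4211]: Failed password for admin from 203.0.113.7 port 50002 ssh2
2024-03-01T10:00:03 sshd[4211]: Failed password for admin from 203.0.113.7 port 50003 ssh2
2024-03-01T10:00:04 sshd[4211]: Failed password for invalid user root from 203.0.113.7 port 50004 ssh2
2024-03-01T10:00:05 sshd[4211]: Failed password for admin from 203.0.113.7 port 50005 ssh2
2024-03-01T10:00:06 sshd[4211]: Failed password for admin from 203.0.113.7 port 50006 ssh2
2024-03-01T10:00:20 sshd[4212]: Failed password for bob from 198.51.100.2 port 51000 ssh2
2024-03-01T10:00:21 sshd[4212]: Accepted password for bob from 198.51.100.2 port 51000 ssh2
2024-03-01T10:01:00 sshd[4213]: Failed password for alice from 192.0.2.10 port 52000 ssh2
2024-03-01T10:01:01 sshd[4214]: Failed password for alice from 192.0.2.11 port 52001 ssh2
2024-03-01T10:01:02 sshd[4215]: Failed password for alice from 192.0.2.12 port 52002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def failed_logins(lines):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60, min_sources=3):
    """Return (brute_force_sources, lockout_risk_accounts).

    brute_force_sources: IPs with >= threshold failures inside any window_s
    second sliding window (the classic single-source guessing attack).
    lockout_risk_accounts: accounts attacked from >= min_sources distinct
    IPs; a per-account lockout policy would turn this into a denial of
    service against the legitimate user even though no single source is noisy.
    """
    recent = defaultdict(deque)        # ip -> timestamps inside the window
    sources_per_user = defaultdict(set)
    brute_force = set()
    for ts, user, ip in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            brute_force.add(ip)
        sources_per_user[user].add(ip)
    lockout_risk = {u for u, ips in sources_per_user.items()
                    if len(ips) >= min_sources}
    return brute_force, lockout_risk


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The sliding window is per source, so a slow scan spread over hours stays under the threshold; the per-account view catches the distributed case that a per-source counter misses. A response that throttles by source rather than locking the account keeps the brute-force defence from becoming the attacker's denial-of-service tool.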

Spyware, tracking cookies, Adware and pop-ups

Not all attacks do damage or prevent legitimate users from having access to
resources. Many threats are designed to collect information about users which
can be used for advertising, marketing and research purposes. These include
Spyware, Tracking Cookies, Adware and Pop-ups. While these may not damage
a computer, they invade privacy and can be annoying.

Spyware

Spyware is any program that gathers personal information from your computer
without your permission or knowledge. This information is sent to advertisers or
others on the Internet and can include passwords and account numbers.
Spyware is usually installed unknowingly when downloading a file, installing
another program or clicking a popup. It can slow down a computer and make
changes to internal settings creating more vulnerabilities for other threats. In
addition, spyware can be very difficult to remove.

Tracking Cookies

Cookies are small pieces of data that a web site stores in the browser and
receives back on later visits. They are not malicious in themselves and are often
useful or desirable, allowing personalization, logins that persist across pages
and other time-saving techniques; many web sites require that cookies be
enabled in order to keep a user logged in. Tracking cookies, typically set by
third-party advertising networks embedded in many sites, use the same
mechanism to record which sites a user visits and to build a profile across
them, which is why they are grouped with spyware.

Adware

Adware is a form of spyware used to collect information about a user based on
websites the user visits. That information is then used for targeted advertising.
Adware is commonly installed by a user in exchange for a "free" product. When
a user opens a browser window, Adware can start new browser instances which
attempt to advertise products or services based on a user's surfing practices. The
unwanted browser windows can open repeatedly, and can make surfing the
Internet very difficult, especially with slow Internet connections. Adware can be
very difficult to uninstall.

Pop-ups and pop-unders

Pop-ups and pop-unders are additional advertising windows that display when
visiting a web site. Unlike Adware, pop-ups and pop-unders are not intended to
collect information about the user and are typically associated only with the web-
site being visited.

Pop-ups: open in front of the current browser window.

Pop-unders: open behind the current browser window.

They can be annoying and usually advertise products or services that are
undesirable.

Spam

Another annoying by-product of our increasing reliance on electronic
communications is unwanted bulk email. Sometimes merchants do not want to
bother with targeted marketing. They want to send their email advertising to as
many end users as possible hoping that someone is interested in their product
or service. This widely distributed approach to marketing on the Internet is called
spam. Spam is a serious network threat that can overload ISPs, email servers
and individual end-user systems. A person or organization responsible for
sending spam is called a spammer. Spammers often make use of unsecured
email servers to forward email. Spammers can use hacking techniques, such as
viruses, worms and Trojan horses to take control of home computers. These
computers are then used to send spam without the owner's knowledge. Spam
can be sent via email or more recently via Instant messaging software. It is
estimated that every user on the Internet receives over 3,000 spam emails in a
year. Spam consumes large amounts of Internet bandwidth and is such a serious
problem that many countries now have laws governing it.

Social Engineering

One of the easiest ways for an intruder to gain access, whether internal or
external is by exploiting human behavior. One of the more common methods of
exploiting human weaknesses is called Social Engineering. Social engineering is
a term that refers to the ability of something or someone to influence the behavior
of a group of people. In the context of computer and network security Social
Engineering refers to a collection of techniques used to deceive internal users
into performing specific actions or revealing confidential information. With these
techniques, the attacker takes advantage of unsuspecting legitimate users to
gain access to internal resources and private information, such as bank account
numbers or passwords. Social engineering attacks exploit the fact that users are
generally considered one of the weakest links in security. Social engineers can
be internal or external to the organization, but most often do not come face-to-
face with their victims. Three of the most commonly used techniques in social
engineering are: pretexting, phishing, and vishing.

Pretexting

Pretexting is a form of social engineering where an invented scenario (the pretext)
is used on a victim in order to get the victim to release information or perform
an action. The target is typically contacted over the telephone. For pretexting to
be effective, the attacker must be able to establish legitimacy with the intended
target, or victim. This often requires some prior knowledge or research on the
part of the attacker. For example, if an attacker knows the target's social security
number, they may use that information to gain the trust of their target. The
target is then more likely to release further information.

Phishing

Phishing is a form of social engineering where the phisher pretends to represent
a legitimate outside organization. They typically contact the target individual (the
phishee) via email. The phisher might ask for verification of information, such as
passwords or usernames, in order to prevent some terrible consequence from
occurring; the urgency is part of the technique, since it discourages the target
from checking with the real organization first.

Vishing / Phone Phishing

A form of social engineering that uses Voice over IP (VoIP) is known as
vishing. With vishing, an unsuspecting user is sent a voice mail or call
instructing them to call a number which appears to be a legitimate
telephone-banking service, for example. The number is in fact answered by the
attacker (VoIP makes such a line cheap to set up and its caller ID easy to spoof),
and bank account numbers or passwords entered over the phone for verification
are then stolen.

Other methods include:

The enumeration of attack patterns provided in this section is not exhaustive,
as the patterns that are possible are limited only by the ingenuity of attackers.
It is important to understand these basic patterns as a precursor to examining
the software design principles presented afterwards, so that the purpose and
motivation of those principles can be appreciated. The attack patterns
presented here are not intended to be mutually exclusive or orthogonal. In fact,
many of them overlap or are related, and real attacks often fall into more than
one pattern or use multiple techniques in combination.

Below is a list of other common attacks:

Interception

Attacks that involve any form of subversive interception of information can be
categorized as either "eavesdropping" or "sniffing." The term "sniffing" usually
refers specifically to non-intrusive and often undetectable interception, such as
by reading information that is broadcast or by attaching a passive listener to a
communication channel. The term "eavesdropping" is a less technical term and
applies more broadly and loosely.

This category of attacks often involves the use of a "covert channel." A covert
channel is any communication pathway that exists but was not intended by the
designers of the system and thereby violates the system’s security policy. A
covert channel need not be an actual mechanism intended for any form of
communication at all; for example, the technique of varying the load on a CPU
has been used as a covert channel for the binary encoded signaling of sensitive
information to another process in an undetected manner.

Notorious examples of eavesdropping or sniffing attacks include:

1. Sending ICMP Redirect packets in order to re-route packets through an
attacker's system, thereby allowing the attacker to read the data in the
packets.
2. Reading the mailbox message files in a POP server.
3. Installing a keyboard handler that silently listens to keystrokes.
4. Reading someone's screen on an X Window system or on a Windows system
via a program such as RealVNC.

When an application reads the information stored by another application, this is
often also referred to as "interference," especially if that information is then acted
upon in a subversive manner or is used to interfere with the operation of the
other application.

Man-in-the-Middle

When a party succeeds in interposing itself between two endpoints and is thereby
able to intercept and possibly modify the communication without either party
being aware, this is referred to as a "man-in-the-middle" (MiM) attack. MiM is
related to interception, but requires that the interception occurs as the result of
the interposition of a listener rather than strictly passive eavesdropping.

Replay

Replay involves the interception of information intended for a target system,
followed by sending that information, possibly with additional information
inserted, to the target system for the purpose of attacking the system. Replay is
a form of MiM attack in which the intercepted message is not modified, although
it may be augmented.

Replay often (but not always) involves the use of an intercepted bearer credential
of some kind, such as a password or session credential. If an attacker intercepts
information that is used to access a resource, such as credentials, the attacker
might be able to impersonate a trusted party and thereby access the resource.
In this scenario, the attacker "replays" the intercepted information, leading the
receiver to believe that the attacker is a trusted party. An example of this kind of
replay is intercepting someone's browser session cookie or authentication header
and using it to masquerade as the user's session.
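The session-cookie case above is exactly the bearer-credential problem: the cookie proves nothing except possession. The following added example (not code from the original text) contrasts a plain session store, where a captured cookie can be presented indefinitely, with a signed single-use request token that carries an expiry and a fresh nonce, so the server can refuse a second presentation. The key, names and time values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side signing key; constructed for this example.
KEY = b"example-signing-key-not-for-production"


class BareSessionStore:
    """The situation the text describes: whoever holds the cookie is the
    user, and the cookie can be presented any number of times."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)


def issue_token(user, now=None, ttl=300, key=KEY):
    """Single-use request token: user, expiry and a fresh nonce, HMAC-signed."""
    issued = int(now if now is not None else time.time())
    body = {"user": user, "exp": issued + ttl, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


class ReplayGuard:
    """Verifier that remembers redeemed nonces, so an intercepted token cannot
    be presented a second time. The seen-set only needs to be kept for ttl
    seconds, because older tokens fail the expiry check anyway."""

    def __init__(self, key=KEY):
        self.key = key
        self.seen = set()

    def verify(self, token, now=None):
        try:
            payload, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                      # forged or tampered
        body = json.loads(base64.urlsafe_b64decode(payload))
        now = now if now is not None else time.time()
        if body["exp"] < now:
            return None                      # expired
        if body["nonce"] in self.seen:
            return None                      # replay of a redeemed token
        self.seen.add(body["nonce"])
        return body["user"]
```

Note that the nonce only helps if the verifier's seen-set is shared by every server that accepts the token; with several independent back ends an attacker simply replays against a different one. Binding the token to the channel (for example to a TLS session) is the stronger fix, and the signature alone, without the nonce, still leaves the token replayable until it expires.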

Modification in Place or in Transit

Many attacks rely on the ability to modify data in a persistent store or while it is
in transit. A credential store or password file is an obvious target for an attack,
as is a password on its way to an end user. In business computing environments,
it is far more common that persistent data sources are attacked rather than data
in transit because the latter requires network-level penetration, a higher level of
sophistication, and constitutes a MiM attack. Attacks against persistent stores
have been categorized by others as "File Manipulation" attacks.

The practice of modifying hidden tags in a Web form can be considered to be
modification in transit and is not a MiM attack because the client is usually the
attacker.
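Hidden form fields are the most common instance of the client being the attacker: whatever the server put in the form comes back under the client's control. The following added example (not code from the original text) shows a checkout that trusts a hidden price field, the fix that recomputes the value server-side, and, for values that genuinely must round-trip through the client, an HMAC over the hidden fields so tampering is detected. The catalog, key and field names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Server-side price list and signing key, both constructed for this example.
CATALOG = {"sku-100": 4999, "sku-200": 12500}     # prices in cents
KEY = b"example-form-signing-key"


def render_form_vulnerable(sku):
    """What the server puts into the hidden fields of the order form."""
    return urlencode({"sku": sku, "price": CATALOG[sku]})


def checkout_vulnerable(body):
    """Trusts the price that came back from the client."""
    fields = parse_qs(body)
    return int(fields["price"][0])


def checkout_recomputed(body):
    """Fix 1: treat the hidden field as a hint only; look the price up again."""
    fields = parse_qs(body)
    sku = fields["sku"][0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return CATALOG[sku]


def render_form_signed(sku):
    """Fix 2 (for values that must round-trip through the client): MAC the
    hidden values so any modification is detectable."""
    data = urlencode({"sku": sku, "price": CATALOG[sku]})
    mac = hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()
    return urlencode({"data": data, "mac": mac})


def checkout_signed(body):
    fields = parse_qs(body)
    data, mac = fields["data"][0], fields["mac"][0]
    expected = hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("hidden fields were modified")
    return int(parse_qs(data)["price"][0])
```

The signed variant still needs a user or session identifier inside the signed data, otherwise a valid signed form captured from one user can be submitted by another; recomputing from the server's own record remains the simpler and safer choice wherever it is possible.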

Interruption

If a system’s security depends on the completion of certain precursor processes,
and those processes can be interrupted such that the system assumes that they
completed, it might be possible to put the system into an insecure state by
interrupting the precursor processes. For example, overwhelming a logging
service such that it fails might be used to prevent a trace of intrusion activity
from being recorded. This is often considered to be a denial of service, but often
there is no service involved, merely an interconnected process, and so the term
"interruption" seems more appropriate. Denial of service also can be caused by
overwhelming an application, rather than by interrupting it.

Saturation and Delay

In some systems, security relies on the existence of a service that will detect
intrusion. In that case, all that is needed is to delay the response of the intrusion
detection system long enough to allow an attack to complete or to force the
service request to time out so that the requester uses cached data. This can often
be accomplished by overwhelming the service or intrusion detection system. This
is a type of attack that is commonly referred to as a denial of service, but the
actual technique is a saturation technique; denial of service is the immediate
effect on the service or intrusion detection system, and there is then a security
consequence as a result of the failure of the system to detect intrusion. The
intrusion detection system might not be specifically designed as an intrusion
detection system per se, but might merely be, for example, a normal service that
is designed to shut down if any anomalous behavior is detected; for example, if
packets with the same sequence number are received.

Delay is a powerful technique because it takes time to identify an intruder, and
if delay can be achieved, the attacker has time to cover their tracks and leave
and possibly enter through another means or mount an attack from a different
compromised host location. Besides their use as a means of penetrating a
system, saturation and delay can be attack objectives in their own right.
Saturation or delay perpetrated for the purpose of making a system inaccessible
or unusable (i.e., making it "unavailable") is properly known as a denial of service
attack. However, note that denial of service can be achieved in other ways; for
example, by interfering with any process that is critical to an application.

Exploitation of Non-Atomicity

If a software process or thread of execution accesses objects or resources that
can be accessed by other processes or threads, or by other activities of the same
thread, there is a possibility that logically concurrent access by more than one
process, thread, or activity might interfere and make it possible to compromise
the state of the system.

NOTE

Non-atomicity is the underlying cause of a great many kinds of security
vulnerabilities. This is a result of the very design of the von Neumann computing
model that performs one computation at a time, instruction by instruction. As a
result of this processing paradigm, any form of non-hardware-supported
authorization check must be performed at discrete predetermined points in time
instead of continuously, whereas security attacks can be launched at
unexpected points in time.

Some languages, such as Java, provide low-level primitives for controlling
concurrent access to language objects. Databases provide locking mechanisms
for serializing concurrent access to file-based data. A proper design for a
concurrent system usually employs these mechanisms to ensure that
interference does not occur. This often means designing software routines that
access shared resources in such a way that the accesses are "atomic", that is,
that their effect is all-or-nothing, and intermediate states are unobservable.

If there is non-atomicity in the system, it is sometimes possible to force the
system to perform steps out of sequence, thereby putting it into a state that was
not anticipated by its designers. This is often referred to as a "race condition." A
special case of this is when the interference is purposefully performed after a
resource access rule is checked but before the resource is accessed: During that
interval, a change is made to a critical context value, such as a user identity,
causing the system to perform a function in a different context than the context
that was authorized. This is referred to as a "time of check to time of use"
(TOCTTOU) attack. Attacks based on non-atomicity are often coupled with a
denial of service attack that slows a system down and thereby "opens a window
of vulnerability."
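The file-system form of TOCTTOU is the one most often met in practice: a program checks a path and then opens the same path, and the object behind the path is swapped in between. The added example below (not code from the original text) makes the race deterministic by letting a simulated attacker run inside the check-to-use window, and shows the fix: open first, with O_NOFOLLOW, and make every decision on the descriptor rather than the path. File names and contents are constructed for illustration; it requires a POSIX system.

```python
import os
import stat
import tempfile

# The "attacker" is a callback invoked inside the check-to-use window, so the
# outcome is deterministic rather than timing dependent.


def read_upload_racy(path, during_window=lambda: None):
    """Check-then-use: refuse symlinks by path, then open by path again."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        return None                      # policy: never follow links
    during_window()                      # TOCTTOU window: path can change here
    with open(path) as f:                # open() follows whatever is there now
        return f.read()


def read_upload_safe(path, during_window=lambda: None):
    """Open first with O_NOFOLLOW, then check the descriptor, never the path."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                      # ELOOP: it is a symlink, refuse it
        return None
    with os.fdopen(fd) as f:
        during_window()                  # too late: fd is bound to the inode
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return None
        return f.read()


def demo():
    """Run both readers against the same attacker; constructed scenario."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")   # what the policy protects
        public = os.path.join(d, "upload.txt")   # what the caller may read
        with open(secret, "w") as f:
            f.write("SECRET")

        def reset():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "w") as f:
                f.write("harmless")

        def attacker_swaps():            # replace the file with a symlink
            os.remove(public)
            os.symlink(secret, public)

        reset()
        racy = read_upload_racy(public, attacker_swaps)     # leaks SECRET
        reset()
        safe = read_upload_safe(public, attacker_swaps)     # still "harmless"
        attacker_swaps()                                    # swap before open
        safe_after_swap = read_upload_safe(public)          # refused
        return {"racy": racy, "safe": safe, "safe_after_swap": safe_after_swap}


if __name__ == "__main__":
    print(demo())
```

The same principle applies beyond files: once a check has been made, act on the handle, descriptor or object the check was made on, not on a name that can be rebound.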

Coordination Interference

Non-atomicity and delay pretty much cover attacks related to synchronization,
but a related class of attacks deserves its own consideration for systems that are
inherently asynchronous or independent and that depend on presumed event
sequences, timing, or timestamps. Independent systems that cooperate are
sometimes assumed to perform actions in a certain sequence or with certain
effects, and interference with one of these systems can result in inconsistent
effects that cause a failure in a different system. Delay is often used to achieve
this type of interference, for example, by interfering with or spoofing a timing
service. Interference with a messaging service can result in certain events not
being registered that are relied upon.

Forced Crash and Retrieval of Crash Artifacts

When systems fail, they often leave traces of their internal operation or leave
resources in an inconsistent and potentially unprotected or insecure (for
example, unencrypted) state. Access to protected information can, therefore,
sometimes be achieved by forcing a system to crash and then examining the
artifacts that remain.

A crash can sometimes be achieved by exploitation of incomplete validation of
inputs or exposure of internal objects that can be modified during an attack to
force the system into a state that causes failure. The most common type of
artifact left behind is a file containing an image of the process. Such an image
often contains sensitive data, such as unencrypted credentials or the details and
relative addresses of stack variables and program code.

Forced Restart, Forced Re-Install

One way of inserting malicious software into a system is by compromising a
system’s bootup or installation configuration. If the system is then caused to
crash or become unusable so that it will have to be re-started, or corrupt so that
it will have to be re-installed (with a compromised installation), the compromised
configuration will be started or installed, respectively.

This is an extremely powerful and subtle technique. It is unfortunately true that
"backup" resources are usually much less protected than primary resources.
Thus, by silently implanting a Trojan horse in a backup resource (or in an
emergency response tool) and then merely forcing the primary resource to crash
or be crippled, the attacker causes the compromised backup resource to be
installed.

Environmental Interference

The normal operation of programs usually presumes the availability of resources,
such as memory, threads, sockets, and file space. Software designers often do
not anticipate the failure conditions that can occur when these resources are
unavailable or are exhausted. This can result in certain functions not completing
that are expected to complete. If the system’s security depends on these
functions (for example, a system log) it might be possible to attack a system
without traceability or without intrusion detection completing.

Spoofing

Spoofing involves forging or corrupting (destroying the integrity of) a resource or
artifact for the purpose of pretending to be (i.e., for the purpose of masquerading
as) something or someone else. There are many variations on spoofing, and it
can be done at any level of a system, from the network level through the
application level. Some examples are:

- Forging IP packet source addresses.
- Forging ARP packets to fool a router into thinking that your machine has
  someone else's IP address.
- Creating misleading Web pages that fool a user into thinking that they are at
  a different site.
- Sending a name resolution request to a DNS server, forcing it to forward the
  request to a more authoritative server, and then immediately sending a forged
  response, causing the first DNS server to cache the forged response and
  supply that address to its clients. (Attacks that use this technique as a
  method of tricking users into accessing sites that mimic trusted sites, for
  the purpose of obtaining user credentials or other personal identity
  information, are often referred to as "pharming".)
- Replacing a trusted file or program with a file or program that mimics the
  original one but that contains malicious data or code. This is also a kind of
  "trusted resource attack".

NOTE

Spoofing of domain names is made easier by the fact that names expressed in
international character sets are allowed. It used to be the case that a domain
name had to consist of 7-bit ASCII characters; internationalized domain names
(IDN) now permit Unicode labels, which are carried in the DNS in an
ASCII-compatible encoding (Punycode, recognizable by the "xn--" prefix).
Because many Unicode glyphs have the same appearance, it is possible to have
two domain names that look identical but are actually composed of different
Unicode characters. For example, the glyph "a" represents the Unicode value
U+0061 from the Basic Latin set, but the same glyph also represents U+0430
from the Cyrillic set. This means that if you receive an email containing a link to
"abc.com," you can no longer be sure where the link might take you. Browsers
and email programs mitigate this by displaying the Punycode form, or otherwise
calling attention to the link, when a name mixes scripts or contains confusable
characters. A Web site can also help by enabling the browser to authenticate it
using SSL/TLS, but a certificate only proves that the server controls the name it
was issued for; a look-alike domain can have a valid certificate of its own, so the
user still has to notice the name.
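The two checks the note describes, detecting a label that mixes scripts and comparing names after mapping confusable glyphs, are short enough to show in full. The following added example (not code from the original text) implements both with the standard library and shows the Punycode form that the resolver actually sees. The confusable table is a small hand-picked subset of Unicode's confusables data, constructed for this example; a real implementation would load the full table.

```python
import unicodedata

# A small subset of the Unicode confusables table, constructed for this
# example: Cyrillic letters whose glyphs coincide with Latin ones.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def scripts_in(label):
    """Return the set of script names (first word of the Unicode character
    name: LATIN, CYRILLIC, GREEK, ...) used by the letters of a DNS label."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ", 1)[0])
    return scripts


def is_mixed_script(hostname):
    """True if any label mixes scripts, e.g. Cyrillic 'a' inside Latin text."""
    return any(len(scripts_in(label)) > 1 for label in hostname.split("."))


def skeleton(hostname):
    """Map confusable characters to their Latin look-alikes so that two names
    which render identically compare equal."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in hostname)


def to_ascii(hostname):
    """What the resolver actually sees: the IDNA ('xn--' Punycode) form."""
    return hostname.encode("idna").decode("ascii")


def looks_like(hostname, trusted):
    """Flag a name that is not the trusted one but would render like it."""
    return hostname != trusted and skeleton(hostname) == skeleton(trusted)


if __name__ == "__main__":
    spoof = "\u0440\u0430\u0443\u0440\u0430l.com"   # Cyrillic p,a,y,p,a + Latin l
    print(to_ascii(spoof), is_mixed_script(spoof), looks_like(spoof, "paypal.com"))
```

Mixed-script detection catches the cheap attacks; a name written entirely in Cyrillic can still look like a Latin one, which is why the skeleton comparison against a list of names the user trusts is the check that matters in a mail filter or browser.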

Spoofing often exploits an unsophisticated end user. For example, many Web
users do not adequately understand or manage their browser security policies.
Common ways of exploiting weakly secured browsers to spoof users include
creating hidden windows from which attacks on other windows are launched, as
well as manipulating the appearance and contents of the window to make it
appear as if it were another kind of window, and modifying other windows that
show legitimate content.

Spoofing is especially effective when coupled with delay or interruption because
many spoofing schemes involve preventing a legitimate service from responding
before an illegitimate one does. It is also powerful in combination with a forced
restart or forced re-install or any kind of interference requiring an operator
emergency response. This is because diagnostic tools or incident response tools
can often be attacked more easily than the system itself. When users are in a
crisis, they usually do not question the integrity of tools they invoke to help them
respond to their crisis. Thus, the combination of attacking poorly-protected tools
or configurations, followed by an attack that forces the system to fail and the
tools to be used, is extremely powerful. This is in fact the very technique used
by the thieves in the movie Ocean’s Eleven: The thieves accomplish the removal
of the bank’s assets by carrying them away in the equipment bags of a spoofed
SWAT team, having compromised the 911 channel and thereby enabling the
spoof SWAT team to respond to the robbery. See also "Distraction and Diversion,"
discussed later in this chapter.

Hijacking

The term "hijacking" is usually used to refer to an attack that involves
disconnecting a server resource in some manner from a resource channel and
replacing it with a different server resource. Thus, the channel is "hijacked." This
is a variation of spoofing because users of the channel think that they are
accessing the intended resource, via the channel, but are "spoofed" by the
replacement resource.

Circumvention
Circumvention is any method by which an attacker bypasses intended controls,
access checks, or system pathways in order to gain access to or control of
protected resources. Circumvention can involve a covert channel or it can involve
incompletely protected resources. Many of the attacks discussed here represent
variations of circumvention.

Trap Door

A trap door is a mechanism embedded within a system that allows the normal
access paths or access checks of a system to be bypassed. This often takes the
form of a special password that is hard-coded into the software. It can also take
the form of a special diagnostic interface.

Exploit of Incomplete Traceability

If the system’s design is such that it fails to record the actions of users, this can
lead to a situation in which either appropriate or inappropriate actions are later
untraceable or unprovable. It is important to emphasize that this is a result of
the system’s design—not a result of an attack directed against its logging
mechanism. (An attack directed against the logging mechanism would most
likely be a trusted resource attack, which is discussed later.)

The ability of a party to deny having performed appropriate actions or aspects of
those actions (for example, the time at which they were performed) is known as
repudiation. For example, a user might deny that she performed a particular
transaction such as a purchase, and if there is no record that conclusively links
her to the transaction, her denial might be successful. Another example would
be denial that a message was received when in fact it was. The term
non-repudiation refers to the ability of a system to defeat repudiation attempts,
for example, by recording authenticated records (logs) of all transactions and by
using communication mechanisms that provide secure acknowledgment at both
endpoints.

Incomplete logs can also enable an intruder to perform inappropriate actions
without traceability. For example, if an attacker’s modification of sensitive files
is not recorded in a manner that identifies the attacker’s identity, the attack
cannot be traced to its source. A failure to log actions in a traceable manner,
therefore, represents a significant vulnerability.
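
The non-repudiation mechanism described above (authenticated records of all transactions) can be illustrated with a hash-chained, MAC-protected audit log. The following is an added example, not code from the original document; the key, the field layout and the sample transactions are constructed for the demonstration, and the actor name is assumed to come from the application's authentication layer. It shows that editing one record or deleting it entirely is detected, which is what makes a later denial unprovable.

```python
import copy
import hashlib
import hmac
import json

# Constructed demonstration key. In a real deployment the key lives with a
# log collector the application host cannot write to, so an intruder who edits
# the local copy of the log cannot recompute valid MACs.
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # 'previous MAC' used for the first entry


def _mac(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(chain, actor, action):
    """Append a record whose MAC covers the sequence number, the authenticated
    actor, the action, and the previous entry's MAC (hash chaining)."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "actor": actor, "action": action, "prev": prev}
    entry = dict(body, mac=_mac(body))
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every entry is authentic and in order, otherwise
    (False, index_of_first_entry_that_fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("seq", "actor", "action", "prev")}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i          # entry removed, reordered, or inserted
        if not hmac.compare_digest(_mac(body), entry["mac"]):
            return False, i          # entry content edited
        prev = entry["mac"]
    return True, None


def demo():
    """Constructed scenario: three transactions, then two kinds of tampering."""
    chain = []
    append_entry(chain, "alice", "login")
    append_entry(chain, "alice", "purchase order=1001 total=249.00")
    append_entry(chain, "alice", "logout")
    intact = verify_chain(chain)

    # Repudiation attempt: rewrite the purchase as somebody else's.
    edited = copy.deepcopy(chain)
    edited[1]["actor"] = "mallory"

    # Cover-up attempt: delete the purchase record entirely.
    deleted = copy.deepcopy(chain)
    del deleted[1]

    return {"intact": intact, "edited": verify_chain(edited), "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(demo())
```

The chaining is what catches deletion: removing an entry leaves the next entry's sequence number and "prev" field pointing at a record that is no longer there, so a gap is as detectable as an edit.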

Exploit of Incomplete Validation

If a software module does not fully check that its inputs fall within expected
ranges, it might be possible to invoke the module with inputs outside of those
ranges and thereby cause the program to do things that were not intended by
the software designer. This might enable an attacker to circumvent normal
system pathways or checks.
The infamous "buffer overflow" attack is a variation of incomplete validation,
although in a buffer overflow the validation failure can be considered to be within
the application framework (for example, language itself) rather than in the
application design because a secure application framework should prevent buffer
overflow as well as any other kind of type failure or range failure.
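
The range-validation point above can be made concrete with two small modules, each shown without and with a check. This is an added example, not code from the original document; the user table, balances and limits are constructed. It goes slightly beyond the text by showing two Python-specific ways an "out of range" input does something unintended even though nothing overflows: a negative index silently wraps around to another record, and a negative amount turns a withdrawal into a credit.

```python
class ValidationError(ValueError):
    """Raised when an input is outside the range the module was designed for."""


def check_int_range(name, value, lo, hi):
    """Accept only a genuine int in [lo, hi]. bool is rejected explicitly because
    it subclasses int (True == 1 would pass a naive check); floats, strings
    and None are rejected by the isinstance test rather than coerced."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError(f"{name}: expected int, got {type(value).__name__}")
    if not lo <= value <= hi:
        raise ValidationError(f"{name}={value} is outside [{lo}, {hi}]")
    return value


# Constructed user table; the caller is only ever meant to reach its own index.
USERS = ["alice", "bob", "carol"]


def lookup_unchecked(idx):
    """'Before': relies on IndexError for out-of-range values, but Python's
    negative indexing silently wraps, so idx=-1 returns another user's record."""
    return USERS[idx]


def lookup_checked(idx):
    return USERS[check_int_range("idx", idx, 0, len(USERS) - 1)]


def withdraw_unchecked(balance, amount):
    """'Before': a negative amount turns a withdrawal into a credit."""
    return balance - amount


def withdraw_checked(balance, amount):
    check_int_range("amount", amount, 1, balance)  # also enforces amount <= balance
    return balance - amount


def rejects(fn, *args):
    """True if fn(*args) is refused by validation (helper for the checks below)."""
    try:
        fn(*args)
    except ValidationError:
        return True
    return False
```

The check is deliberately a whitelist on type and range rather than a blacklist of known-bad values; that is the difference between validating that an input is "within expected ranges" and merely catching the errors the author happened to think of.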

Exploit of Incomplete Authentication or Authorization

The design or configuration of a system might intentionally or unintentionally
omit certain checks, enabling an attacker to "slip through" access control or
authentication mechanisms and thereby obtain unauthorized access or control.
This is most likely to be possible if authorization decisions are interspersed
throughout the application code.
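
The remark that interspersed authorization decisions are the likely cause can be shown by contrasting the two styles. The following is an added example, not code from the original document; the action names, roles and handlers are constructed. In the scattered version one handler simply forgets its check; in the centralized version a single policy table is consulted at dispatch, unknown actions are denied by default, and a startup self-check reports any handler that has no policy entry.

```python
class Forbidden(PermissionError):
    """Raised when the caller lacks the role an action requires."""


# --- Scattered style: every handler must remember its own check -------------

def delete_report_scattered(user, report_id):
    if "admin" not in user["roles"]:
        raise Forbidden("admin role required")
    return f"deleted {report_id}"


def export_report_scattered(user, report_id):
    # The check was omitted here, so any authenticated caller can export.
    return f"exported {report_id}"


# --- Centralized style: one policy table, enforced once at dispatch ---------

# Constructed policy: action name -> role required to invoke it.
REQUIRED_ROLE = {
    "view_report": "user",
    "delete_report": "admin",
    "export_report": "admin",
}
HANDLERS = {}


def handler(name):
    """Register a handler under an action name; it is only reachable via dispatch()."""
    def register(fn):
        HANDLERS[name] = fn
        return fn
    return register


@handler("view_report")
def view_report(user, report_id):
    return f"viewed {report_id}"


@handler("delete_report")
def delete_report(user, report_id):
    return f"deleted {report_id}"


@handler("export_report")
def export_report(user, report_id):
    return f"exported {report_id}"


def dispatch(user, action, *args):
    """Default deny: an action with no policy entry is refused even if a
    handler exists, so forgetting the policy cannot open a path."""
    needed = REQUIRED_ROLE.get(action)
    if needed is None or action not in HANDLERS:
        raise Forbidden(f"action {action!r} is not configured")
    if needed not in user["roles"]:
        raise Forbidden(f"{action} requires role {needed!r}")
    return HANDLERS[action](user, *args)


def unpoliced_handlers():
    """Startup self-check: handlers registered without a policy entry."""
    return sorted(set(HANDLERS) - set(REQUIRED_ROLE))


def permitted(user, action, *args):
    """True if dispatch() lets user perform action (helper for the checks below)."""
    try:
        dispatch(user, action, *args)
    except Forbidden:
        return False
    return True
```

With the check in one place, a review of the policy table is a review of the whole access-control surface; with the scattered style, every handler has to be read to find the one that was forgotten.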

Exploit of Exposure of Internal State

Circumvention can also occur if resources expose their internal state, thereby
allowing a client module to read or modify the resource’s internal state in
unintended ways. Inappropriate reading of a resource’s internal state is a breach
of confidentiality because information that is intended to be private to the
resource is revealed to an unintended party. This is known as a containment
failure. Inappropriate writing of internal state is a breach of integrity. For
example, if a resource’s interface returns references ("aliases") for internal
objects instead of returning separate copies of those objects, any client of the
resource might be able to modify the internal objects because they can obtain
direct references to them. This kind of failure has been categorized by some as
an "integrity failure" resulting from an "aliasing error."

This form of attack is the motivation behind the security model embedded in
many browsers. In this model, often referred to as the "same origin" policy, Web
pages can only affect their own contents. However, there are loopholes in the
policy. For example, scripts can embed executable objects that do not adhere to
the security policy, but rather adhere to a different (possibly looser) security
policy.
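
The aliasing error described above (an interface returning references to internal objects instead of copies) is easy to reproduce. This is an added example, not code from the original document; the account class, its ledger and its metadata are constructed. The "before" class returns its live list and dict, so a client can post a phantom credit or clear the frozen flag without going through post(); the "after" class returns an immutable snapshot and a read-only view, so the only write path is the one that carries the integrity checks.

```python
from types import MappingProxyType


class AccountLeaky:
    """'Before': accessors hand out references to the live internal objects."""

    def __init__(self, owner):
        self._ledger = []                      # list of (description, amount)
        self._meta = {"owner": owner, "frozen": False}

    def post(self, description, amount):
        if self._meta["frozen"]:
            raise PermissionError("account is frozen")
        self._ledger.append((description, amount))

    def entries(self):
        return self._ledger                    # alias escapes: caller can append/clear

    def metadata(self):
        return self._meta                      # alias escapes: caller can (un)freeze

    def balance(self):
        return sum(amount for _, amount in self._ledger)


class AccountSealed(AccountLeaky):
    """'After': same behaviour, but accessors return snapshots or read-only
    views, so post() remains the only write path and its checks cannot be
    bypassed."""

    def entries(self):
        return tuple(self._ledger)             # immutable copy

    def metadata(self):
        return MappingProxyType(self._meta)    # read-only view, no copy needed


def client_can_corrupt(account):
    """Simulate a client that tries to change state through the accessors.
    Returns True if either the balance or the frozen flag changed."""
    before = (account.balance(), account.metadata()["frozen"])
    try:
        account.entries().append(("phantom credit", 1000))
    except AttributeError:
        pass                                   # tuple has no append
    try:
        account.metadata()["frozen"] = True
    except TypeError:
        pass                                   # mappingproxy rejects assignment
    after = (account.balance(), account.metadata()["frozen"])
    return before != after
```

Returning a tuple costs a copy per call, whereas MappingProxyType is a zero-copy read-only view; either choice keeps the containment boundary intact, which is the property the text calls integrity.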

Embedded Attack

The term "embedded attack" refers to all attacks that rely on the placement of
attack software within a trusted software system. The act of setting up an
embedded attack is commonly referred to as planting, because a subversive
component is "planted" on the target system. Planting can be achieved using
other techniques, such as social engineering.

A very common form of embedded attack is known as a "trojan horse" attack. A
trojan horse is a trusted component that is imported or installed (somehow) into
the system but which contains a secret mechanism to facilitate a subsequent
attack. Generally the user has rights that the program’s author (i.e., the attacker)
does not, so the attacker obtains the user’s rights by "hiding" inside a trusted
component. This implies that the attacker has access to the trusted component,
has convinced the user that the component can be trusted, or has lured the user
into installing or enabling it.

A trojan horse program can be installed (planted) as a result of a computer
virus. An example of this delivery method is the "Troj/BankAsh" virus (2005),
which attempts to disable anti-virus software and then monitors the user’s
Internet access for banking Web sites, such as Barclays, Cahoot, Halifax, and
others. If a banking Web site is accessed, the program silently monitors the
user’s keystrokes in order to capture a login ID and password and other
account information and then FTPs this information to a remote site.

So-called "script injection" attacks are a special case of a trojan horse attack in
which a script (i.e., a program) is input in lieu of data and is then later
inadvertently interpreted (executed) by the application. A trojan horse can also
be used to execute a MiM attack by intercepting internal information "from the
inside" and using it maliciously. An embedded attack is sometimes implemented
as a "bomb." A time bomb is a subversive mechanism secretly embedded within
a trusted system for the purpose of initiating an attack at a later point in time.
A logic bomb is similar to a time bomb except that it is triggered by a sequence
of program events rather than by the passage of time.
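
The "script injection" case above, where a script is stored as data and later interpreted, comes down to an encoding boundary when the data is rendered. The following is an added example, not code from the original document; the stored comments are constructed. It renders the same stored text two ways: pasted straight into markup, where the browser would treat the body as code, and encoded for the context it lands in (element text and an attribute value), where it stays inert data.

```python
import html

# Constructed stored comments. The second and third are what a script-injection
# attempt looks like at rest: the 'data' contains markup.
STORED_COMMENTS = [
    ("alice", "Great report, thanks!"),
    ("mallory", "<script>alert('injected')</script>"),
    ('"><img src=x>', "attribute context matters too"),
]


def render_unescaped(author, body):
    """'Before': stored text is pasted straight into markup, so whatever tags
    it contains become part of the page instead of being shown as text."""
    return f'<li data-author="{author}"><b>{author}</b>: {body}</li>'


def render_escaped(author, body):
    """'After': every untrusted value is encoded for the context it lands in.
    quote=True also encodes quotes, which is what keeps the attribute closed."""
    a = html.escape(author, quote=True)
    b = html.escape(body, quote=True)
    return f'<li data-author="{a}"><b>{a}</b>: {b}</li>'


def render_page(escape=True):
    """Render the whole constructed comment list one way or the other."""
    render = render_escaped if escape else render_unescaped
    return "<ul>\n" + "\n".join(render(a, b) for a, b in STORED_COMMENTS) + "\n</ul>"


def contains_raw_tag(rendered, tag):
    """True if the rendered markup contains an opening tag the template itself
    never emits (the template only emits ul, li and b)."""
    return f"<{tag}" in rendered.lower()
```

The detector is only there to make the difference visible; the defence is the escaping, applied at output time for the specific context (text, attribute, URL, script) rather than by filtering input.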

Embedded attacks are especially effective when coupled with a forced crash. An
example is the compromise of a repair tool or boot script followed by causing the
system to fail so that it will have to be repaired or rebooted using the
compromised tool or script. This is particularly effective because "build-time"
components, such as tools and scripts, are often less stringently protected than
runtime systems.

Pattern Matching and Brute Force Guessing

Attacks that utilize sophisticated knowledge to derive or anticipate the state of a
system or credentials used for authentication are often referred to as "oracle"
attacks. These include deciphering, discovery of exploitable patterns, non-
randomness or predictable pseudo-randomness, and exploitation of algorithmic
weaknesses. A notorious example is the cracking of Netscape’s implementation
of SSL by taking advantage of a weakness in its random number generation.
Attacks that merely try every possibility until they succeed are known as "brute
force" or "exhaustive search" attacks. Encryption algorithms that are not
sufficiently strong or that use relatively short keys can often be cracked using
brute force: This is a result of the ever-decreasing cost of computing power.

Namespace Attack

Many attacks exploit weaknesses in the name resolution process used to identify
resources. These include the insertion of rogue components in a name-resolution
path as well as the insertion of components with similar names that are
equivalent. It is often the case that abbreviated names are used to identify
resources, and a failure to canonicalize a resource name can enable an attacker
to substitute other resources with the same abbreviated name but a different
canonical name.
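
The canonicalization failure described above is most often seen with file paths: an abbreviated name such as "../reports-archive/x" resolves to a canonical name outside the intended root. This is an added example, not code from the original document; the document root and the requested names are constructed and nothing is read from disk. It shows three versions: no canonicalization, canonicalization followed by a string-prefix comparison (which still accepts a sibling directory whose name merely begins with the root), and canonicalization followed by a path-component comparison.

```python
import os

# Constructed document root; paths are only resolved, never opened.
ROOT = "/srv/reports"


def canonical_root():
    return os.path.realpath(ROOT)


def resolve_unchecked(requested):
    """'Before': joins the abbreviated name onto the root and trusts the result.
    '..' segments and absolute names both escape the root."""
    return os.path.join(ROOT, requested)


def resolve_prefix_only(requested):
    """'Almost right': canonicalizes, but compares with a string prefix test, so
    a sibling directory whose name starts with ROOT (e.g. /srv/reports-archive)
    is accepted."""
    candidate = os.path.realpath(os.path.join(ROOT, requested))
    if not candidate.startswith(canonical_root()):
        raise PermissionError(f"{requested!r} escapes {ROOT}")
    return candidate


def resolve_checked(requested):
    """'After': canonicalize (realpath normalizes '.', '..', repeated separators
    and symlinks), then require the canonical root to be a path-component
    prefix, not merely a string prefix."""
    root = canonical_root()
    candidate = os.path.realpath(os.path.join(ROOT, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} escapes {ROOT}")
    return candidate


def rejected(fn, requested):
    """True if fn refuses the name (helper for the checks below)."""
    try:
        fn(requested)
    except PermissionError:
        return True
    return False
```

Note that os.path.join discards the root entirely when the requested name is absolute, which is why the comparison must be made on the fully resolved candidate rather than on the input.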

Weak Link as Gateway

Attackers often reach their goal by following a circuitous path: entering a weak
point and then using that point as a point of trust from which to reach other
points. Human resources Web sites are famous examples of this. Those sites are
often poorly protected, but because they have the same domain as other
organization sites, they can be used as a launching point when compromised.

Virtual private networks (VPNs) represent another consideration. For example, if
a network is linked to a partner via a VPN and the partner’s network has a known
weakness, the partner’s network can first be penetrated and then used as a
gateway to the target network.

Trusted Resource Attack

An application can often be penetrated by attacking a resource on which the
application relies. Examples of this include:

• Attacking a DNS server’s zone files.
• Attacking an object lookup service, for example, by covertly embedding a
  trojan horse within its code.
• Modifying the system time. (Some taxonomies identify this kind of attack as
  a category in its own right.)
• Modifying files that are used by an application but that have insufficient
  protection.
• Attacking log files that are used to record the actions of users.
• Attacking other programs that are poorly protected and that access (and
  ideally modify) the same resources on which the application of interest relies.
  Thus, this approach is transitive in that it involves attacking a trusted
  resource, in order to attack another target that uses the trusted resource.
  This particular pattern is an example of a "Weak Link as Gateway" attack.

This is how source code to Cisco Systems routers was stolen in 2004—by
planting a compromised version of the trusted SSH program on Cisco’s network
to act as a trojan horse by sending users’ passwords to the attacker.

An effective way to attack a protected resource is to subvert resources used by
those resources—with many levels of transitivity in between. This technique has
easy parallels in the non-computer world. There was a movie in the 1960s called
Kaleidoscope in which a professional card player stealthily entered the factory of
a playing card manufacturer and modified the very dies used to print a popular
brand of playing cards. He alone knew of the tiny modifications and was able to
play poker and win. This is an example of a two-level transitive attack: He
attacked a resource (the factory) used to produce the resources used by the
casinos (the cards). Thus, an effective way to attack a protected resource is to
subvert resources used by those resources. This includes emergency response
resources.
