cyberunit1ch4

The document discusses various cyber threats including phishing, password cracking, keyloggers, spyware, viruses, trojan horses, backdoors, steganography, denial-of-service attacks, and SQL injection. It outlines how these attacks work, their implications, and preventive measures to protect against them. Key recommendations include using strong, unique passwords, employing anti-keylogger software, and maintaining regular system backups.

4.3 PHISHING

Phishing is an attack in which e-mail (or other messaging) that impersonates a trusted organization is used to deceive Internet users into disclosing confidential information, such as account credentials or card details, which is then exploited for fraud. The word is believed to be an alternative spelling of "fishing", as in "to fish for information".
 The first documented use of the word "phishing" was in 1996.
 Phishing messages are crafted to look authentic and attempt to get users to reveal their personal information, typically by following a link to a look-alike web page controlled by the attacker.
HOW PHISHING WORKS

1. Planning: The criminals, usually called phishers, decide which organization to impersonate and which users to target.
2. Setup: Once phishers know which business to spoof and who their victims are, they set up the means of delivering the message and collecting the data, typically a spoofed web page or pop-up form.
3. Attack: The phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information that victims enter into the spoofed web pages or pop-up windows.
5. Identity theft and fraud: Phishers use the information they have gathered to make illegal purchases or commit other fraud.
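The indicators a mail filter or an analyst looks for in the attack step (a Reply-To and link targets that do not belong to the organization the sender claims to be, and link text that shows a different URL than the one actually linked) can be checked mechanically. The following is an added example, not part of the original slides: it parses a constructed message and reports the mismatches. "Example Bank", its domain example-bank.com and every address in the samples are hypothetical.

```python
"""Added example (not from the original slides): mechanical checks for the
sender/link mismatches a phishing message shows.

The messages are constructed; "Example Bank", its domain example-bank.com and
all addresses are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: the visible link text names the bank, the
# href does not, and replies go to a different domain than the sender.
SAMPLE_MAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: verify@example-bank-secure.xyz
To: victim@example.net
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Your account will be locked. <a href="http://example-bank.com.login-check.xyz/verify">
https://www.example-bank.com/verify</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison.
BENIGN_MAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.net
Subject: Your monthly statement
Content-Type: text/html

<html><body><p>Your statement is ready.
<a href="https://www.example-bank.com/statements">Sign in</a></p></body></html>
"""

# Good enough for <a href="...">text</a> in the demo; not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Last two labels of a hostname; a stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw):
    """Return a sorted list of indicator names found in the message."""
    msg = message_from_string(raw)
    findings = set()
    from_dom = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.split("@")[-1].lower() != from_dom:
        findings.add("reply-to-domain-mismatch")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        if registrable_domain(href_host) != from_dom:
            findings.add("link-domain-mismatch")
            if from_dom in href_host:          # brand name buried in a subdomain
                findings.add("brand-in-subdomain")
        text = re.sub(r"\s+", "", text)
        if text.startswith(("http://", "https://")):
            if (urlparse(text).hostname or "").lower() != href_host:
                findings.add("link-text-mismatch")  # shown URL != actual target
    return sorted(findings)


if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(SAMPLE_MAIL))
    print("benign sample:  ", phishing_indicators(BENIGN_MAIL))
```

The "last two labels" domain comparison is deliberately crude; a production filter uses the public suffix list so that hosts under co.uk and similar suffixes are compared correctly.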
4.4 PASSWORD CRACKING

 A password is like a key: it is what grants entry to a computerized system, just as a key opens a lock.
 Password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system, typically from password hashes rather than from the passwords themselves.
 Usually, an attacker follows a common approach: repeatedly guessing passwords and checking each guess against the stored or captured data.
 Password cracking is performed for the following purposes:
1. To recover a forgotten password.
2. As a preventive measure by system administrators, to check for easily crackable passwords before an attacker finds them.
3. To gain unauthorized access to a system.

PASSWORD CRACKING ATTACKS CAN BE CLASSIFIED UNDER THREE CATEGORIES:
 OFFLINE ATTACKS
 ONLINE ATTACKS
 NON-ELECTRONIC ATTACKS (e.g., social engineering, shoulder surfing and dumpster diving)

OFFLINE ATTACKS
 Offline attacks are performed from a location other than the target system or network where the passwords reside or are used: the attacker first obtains a copy of the password data and then works on it with their own hardware, so no failed attempts are seen or logged by the target and account lockouts do not apply.
 Obtaining that copy usually requires physical access to the computer (copying the password file onto removable media) or some other way of dumping the stored hashes.
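What the attacker does with the copied file is a dictionary attack: hash each candidate word with the target's scheme and compare against the stored value. The following added example (not from the original slides) runs such an attack against a constructed password store; it also shows the administrator's use from purpose 2 above, since the same code audits which users chose weak passwords. The storage scheme sha256(salt + password) is an assumption standing in for whatever the real system uses.

```python
"""Added example (not from the original slides): an offline dictionary
attack against a copied password store.

The records and wordlist below are constructed for the demo. The storage
scheme sha256(salt + password) is an assumption standing in for whatever
the target actually uses; the attacker only needs to know which scheme.
"""
import hashlib


def hash_password(password, salt):
    """The target's (assumed) storage scheme: hex of sha256(salt || password)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed copy of a password file: (user, salt, stored hash).
# The attacker has this file; the target never sees the guesses that follow.
STOLEN_RECORDS = [
    ("alice", "x1", hash_password("password123", "x1")),
    ("bob", "y2", hash_password("Summer2024", "y2")),
    ("carol", "z3", hash_password("tQ7#vL9!mR2kW", "z3")),
]

# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["letmein", "password", "summer", "qwerty", "welcome"]


def candidates(word):
    """Mangling rules: the base word, capitalised, and common suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2023", "2024", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_one(salt, digest, wordlist):
    """Return the guess whose hash matches, or None if the list is exhausted."""
    for word in wordlist:
        for guess in candidates(word):
            if hash_password(guess, salt) == digest:
                return guess
    return None


def crack(records, wordlist):
    """Crack every record we can; returns {user: password}."""
    return {
        user: guess
        for user, salt, digest in records
        if (guess := crack_one(salt, digest, wordlist)) is not None
    }


if __name__ == "__main__":
    for user, pw in crack(STOLEN_RECORDS, WORDLIST).items():
        print(f"{user}: {pw}")
```

alice and bob fall to a five-word list with a handful of mangling rules; carol's random password is never guessed. The per-user salt only stops one precomputed table from serving every account; what makes this attack expensive in practice is a deliberately slow hash (bcrypt, scrypt or Argon2) rather than a single SHA-256.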
ONLINE ATTACKS
 Online attacks interact with the live system or network while the password is in use. The most discussed online attack is the man-in-the-middle (MITM) attack, also termed the "bucket-brigade attack".
 It is a form of active eavesdropping in which the attacker inserts himself between a victim and the server to which the victim believes they are connected, relaying traffic in both directions.
 When the victim client connects to the attacker's fraudulent server, the MITM server intercepts the session, captures the password (or its hash or challenge response) and passes the connection on to the real server, so that the victim notices nothing. For example, an attacker within reception range of an unencrypted Wi-Fi access point can insert himself as a man-in-the-middle.
 This type of attack has been used to obtain passwords for webmail accounts on public sites such as Yahoo, Hotmail and Gmail, and for financial websites, giving the attacker access to the victim's banking sessions. TLS with proper certificate validation is what prevents an interposed server from reading the credentials.
PASSWORD GUIDELINES

 Passwords used for business E-Mail accounts, personal E-Mail accounts and banking/financial user accounts should be kept separate, so that one compromised password does not expose the others.
 Passwords should be at least eight alphanumeric characters; longer passphrases are considerably harder to crack offline.
 Passwords should be changed every 30/45 days. (Current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation and instead advises changing a password when there is evidence of compromise.)
 Passwords should not be shared with relatives and/or friends.
 Passwords should not be stored on mobile phones/PDAs in plain form, as these devices are also prone to cyberattacks.
 In case E-Mail accounts/user accounts have been hacked, the respective agencies/institutes should be contacted immediately.
KEY LOGGERS
 Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored.
 A keystroke logger, or keylogger, is a quicker and easier way of capturing passwords than cracking them, and it also lets the attacker monitor the victim's behaviour and habits.
SOFTWARE KEYLOGGERS
 Software keyloggers are programs installed on a computer system that hook in between the keyboard driver and the applications, so that every keystroke is recorded before the application receives it. Cybercriminals commonly install such tools on the insecure computers available in public places (cybercafes, etc.) and can then obtain the required information about the victim very easily.
 A typical keylogger consists of two files installed in the same directory: a dynamic link library (DLL) file, which does the actual recording of keystrokes, and an executable (EXE) file that installs the DLL and triggers it to work.
HARDWARE KEYLOGGERS

 Hardware keyloggers are small hardware devices.
 They are connected between the PC and the keyboard (or built into the keyboard) and save every keystroke into the memory of the device for later retrieval.
 Cybercriminals install such devices on ATM machines to capture ATM cards' PINs.
 Each keypress on the keypad of the ATM gets registered by these keyloggers.
 These keyloggers are made to look like an integrated part of the machine; hence, bank customers are unaware of their presence.
TYPES OF KEYLOGGERS
 Software keyloggers: computer programs developed to steal passwords from the victim's computer. Keyloggers are, however, also used legitimately in IT organizations to troubleshoot technical problems with computers and business networks.
1. JavaScript-based keyloggers: malicious script injected into a web page captures key events in the browser.
2. Form-based keyloggers: capture the contents of web forms when they are submitted, rather than individual keystrokes.
 Hardware keyloggers: these do not depend on any software. A circuit attached inside the keyboard itself, or inline on its cable, records every key pressed.
1. USB keyloggers: a small device plugged in between the keyboard's USB connector and the computer stores the typed data. Some circuits are built into the keyboard itself, so no external device or wire is visible.
2. Smartphone sensors: a smartphone accelerometer placed next to a keyboard can sense the vibrations of typing; the vibration patterns are then matched to words, with a reported accuracy of about 80%.
Prevention from keyloggers:
1. Anti-keylogger: as the name suggests, software whose main task is to detect keyloggers on a computer system and remove them.
2. Anti-virus: many anti-virus products also detect software keyloggers and delete them. Being software, neither anti-virus nor anti-keylogger tools can detect hardware keyloggers.
3. Automatic form filler: instead of typing credentials into forms every time, use a form filler or password manager, which shields against keyloggers because no keys are pressed.
4. One-time passwords: using OTPs as a second factor limits the damage of a captured password, because each login requires a new code that expires after a short time.
5. Patterns or mouse recognition: on Android devices use a pattern as the password for applications, and on a PC use mouse-gesture based authentication, so that nothing is typed.
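Item 4 deserves a closer look, because it is the control that survives a keylogger the user has not noticed. The following is an added example, not part of the original slides: an RFC 6238 time-based one-time password generator and the server-side check, using the RFC's published test secret. It shows that a code a keylogger captures fails verification as soon as its time step has passed, and cannot be replayed even within the step once the legitimate login has consumed it.

```python
"""Added example (not from the original slides): RFC 6238 time-based
one-time passwords, and why a keylogged OTP is worthless once used or expired.

The shared secret is the RFC 6238 reference test secret; the "captured"
code in the usage is constructed for the demo.
"""
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret
STEP = 30                              # seconds per time step
DIGITS = 8                             # the RFC test vectors use 8 digits


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, code, unix_time, last_counter=-1, step=STEP, digits=DIGITS):
    """Server-side check. Returns (accepted, new_last_counter).

    Only the current time step is accepted, and a counter that has already
    been used is rejected, so a code captured by a keylogger cannot be
    replayed within its 30-second window, let alone after it.
    """
    counter = int(unix_time) // step
    if counter <= last_counter:          # replay of an already-consumed step
        return False, last_counter
    ok = hmac.compare_digest(hotp(secret, counter, digits), code)
    return ok, (counter if ok else last_counter)


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    ok, last = verify(RFC_SECRET, code, now)          # legitimate login
    print("accepted:", ok)
    print("replayed 5 s later:", verify(RFC_SECRET, code, now + 5, last)[0])
    print("replayed next step:", verify(RFC_SECRET, code, now + STEP, last)[0])
```

Real deployments usually accept one step of clock skew on either side; the replay check on the last used counter is what keeps that tolerance from reopening the window to a captured code.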
ANTI KEYLOGGER
An antikeylogger is a tool that can detect a keylogger installed on the computer system and remove it.
Advantages of using an antikeylogger are as follows:
 Firewalls cannot detect the installation of keyloggers on a system; antikeyloggers are designed to detect exactly that.
 Unlike antivirus and antispyware programs, which work from signature databases and stop being effective if those signatures are not updated regularly (leaving users at risk), a behaviour-based antikeylogger does not depend on signature updates to work.
 Reduces the risk of Internet banking fraud.
 Reduces the risk of ID theft.
 Protects E-Mail and instant messaging/chat credentials from capture.
SPYWARE
 Spyware is a type of malware (i.e., malicious software) that is installed on computers and collects information about users without their knowledge.
 The same capabilities are sold commercially as "monitoring software": such tools let the installer keep a close eye on what happens on a device, for personal or professional use.
 Parental control is the main advertised use of such monitoring software.
 A monitoring tool of this kind can do many things for the installer, including monitoring computer usage, capturing screenshots of activity and tracking the device's location; whether it counts as spyware depends on whether the monitored user knows about and has consented to it.
 Sometimes, however, spyware such as a keylogger is installed by the owner of a shared, corporate or public computer on purpose, to secretly monitor other users.


4.6 VIRUS and WORMS
 A computer virus is a program that can "infect" other programs by modifying them to include a possibly "evolved" copy of itself.
 A computer virus has the ability to copy itself and infect the system.
 Viruses spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines.
 Viruses may also contain malicious instructions that cause damage. Viruses can often spread without any readily visible symptoms.
 A virus may have event-driven effects (e.g., triggered after a specific number of executions), time-driven effects (e.g., triggered on a specific date) or effects that occur at random.
 A worm differs from a virus in that it is a self-contained program: it does not attach itself to a host program but copies itself from machine to machine across the network.

VIRUSES CAN TAKE SOME TYPICAL ACTIONS:
 display a message to prompt an action;
 delete files inside the system into which the virus enters;
 scramble data on a hard disk or cause erratic screen behaviour;
 halt the system (PC), or simply replicate themselves to propagate further harm.


4.7 TROJAN HORSES AND BACKDOORS

 A Trojan Horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data, in such a way that it can get control and cause harm, for example, ruining the file allocation table on the hard disk.
 The term Trojan Horse comes from the Greek myth of the Trojan War, in which soldiers were hidden inside a gift.
 Like spyware and adware, Trojans can get into the system in a number of ways, including through a web browser download or via an E-Mail attachment.
 Unlike viruses or worms, Trojans do not replicate themselves, but they can be equally destructive.
BACKDOOR
 A backdoor is a means of access to a computer program or system that bypasses its security mechanisms. A programmer may sometimes install a backdoor so that the program can be accessed for troubleshooting or other purposes.
 However, attackers often use backdoors that they discover, or that they install themselves as part of an exploit.
 Some worms are designed to take advantage of a backdoor created by an earlier attack.
 A backdoor works in the background and hides from the user.
FOLLOWING ARE SOME FUNCTIONS OF A BACKDOOR:

1. It allows an attacker to create, delete, rename, copy or edit any file; execute various commands; change any system setting; alter the Windows registry; run, control and terminate applications; and install arbitrary software and other parasites.
2. It allows an attacker to control hardware devices, modify related settings, and shut down or restart the computer without asking for the user's permission.
3. It steals sensitive personal information, logs user activity and tracks web browsing habits.
4. It records the keystrokes that a user types on the computer's keyboard and captures screenshots.
Steps to protect your systems from Trojan Horses and backdoors:

1. Stay away from suspect websites/weblinks.
2. Surf the Web cautiously, and do not run attachments or downloads from unknown sources.
3. Install antivirus/Trojan remover software and keep it updated.


4.8 STEGANOGRAPHY

 Steganography is the practice of concealing (hiding) a file, message, image or video within another file, message, image or video. The word steganography combines the Greek words steganos, meaning "covered, concealed, or protected", and graphein, meaning "writing".
 It is a method that attempts to hide the very existence of a message or communication, in contrast to cryptography, which hides only its content.
 Related terms for steganography are data hiding and information hiding; digital watermarking uses the same techniques to embed ownership marks rather than secret messages.

STEGANALYSIS

Steganalysis is the art and science of detecting messages that have been hidden in image, audio or video files using steganography.
The goal of steganalysis is to identify suspected carrier files, determine whether or not they have a payload encoded into them, and if possible recover it.
 Automated tools are used to detect such steganographed data hidden in image, audio and/or video files, typically by looking for the statistical traces the embedding leaves in the carrier.
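Both halves of this section can be shown in a few lines. The following is an added example, not part of the original slides: it hides a message in the least-significant bits of a constructed grayscale image, recovers it, and then computes the pairs-of-values chi-square statistic (the classic LSB steganalysis test) over the embedded region, where the statistic drops because embedding evens out the counts of each (2k, 2k+1) pixel-value pair. The carrier is constructed with an exaggerated 80/20 even/odd skew so the effect is visible; the key and message are placeholders.

```python
"""Added example (not from the original slides): least-significant-bit (LSB)
steganography in an 8-bit grayscale image, with the pairs-of-values
chi-square statistic that steganalysis uses to spot it.

The carrier image is constructed: 16 gray levels, 80% even-valued pixels,
an exaggerated version of the uneven (2k, 2k+1) pairs that real images show.
The message is whitened with a SHA-256 keystream before embedding, as
stego tools do, so the embedded bits look random.
"""
import hashlib

WIDTH, HEIGHT = 32, 32


def make_carrier():
    """Constructed grayscale carrier as raw bytes, one byte per pixel."""
    return bytes(2 * ((3 * i) % 8) + (1 if i % 5 == 0 else 0)
                 for i in range(WIDTH * HEIGHT))


def keystream(key, n):
    """n bytes of SHA-256(key || counter), used to whiten the payload."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def to_bits(data):
    return [(byte >> (7 - b)) & 1 for byte in data for b in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def embed(carrier, message, key):
    """Replace the LSB of the first pixels with a 2-byte length + the message."""
    plain = len(message).to_bytes(2, "big") + message
    bits = to_bits(xor(plain, keystream(key, len(plain))))
    if len(bits) > len(carrier):
        raise ValueError("message does not fit in the carrier")
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit     # each pixel changes by at most 1
    return bytes(stego)


def extract(stego, key):
    """Inverse of embed: read the length header, then that many bytes."""
    header = xor(from_bits([p & 1 for p in stego[:16]]), keystream(key, 2))
    total = 2 + int.from_bytes(header, "big")
    data = from_bits([p & 1 for p in stego[:8 * total]])
    return xor(data, keystream(key, total))[2:]


def pairs_chi_square(pixels):
    """Westfeld-Pfitzmann statistic: how far each (2k, 2k+1) pair is from
    equal counts. LSB embedding of random bits drives the pairs together,
    so the value drops sharply over the embedded region."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        n = hist[2 * k] + hist[2 * k + 1]
        if n:
            stat += (hist[2 * k] - hist[2 * k + 1]) ** 2 / n
    return stat


if __name__ == "__main__":
    carrier = make_carrier()
    stego = embed(carrier, b"attack at dawn", b"demo-key")
    region = 8 * (2 + len(b"attack at dawn"))
    print("recovered:", extract(stego, b"demo-key"))
    print("chi-square clean :", pairs_chi_square(carrier[:region]))
    print("chi-square stego :", pairs_chi_square(stego[:region]))
```

Real steganalysis tools run the statistic over growing prefixes of the image and look for the point where it jumps back up, which reveals how much of the carrier was used; on a natural photograph the clean value is lower than in this constructed carrier, but the drop after embedding is the same effect.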
4.9 DOS AND DDOS ATTACKS
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. In a distributed denial-of-service (DDoS) attack the traffic comes from many compromised machines at once.

In this type of criminal act, the attacker floods the bandwidth of the victim's network or fills the victim's E-Mail box with spam, depriving the victim of the services he is entitled to access or provide.
The attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, mobile phone networks and even root name servers. Sending malformed input that triggers a buffer overflow in the target service is one technique used to crash it.
A DoS attack may do the following:
 flood a network with traffic;
 disrupt connections between two systems, thereby preventing access to a service;
 prevent a particular individual from accessing a service;
 disrupt service to a specific system or person.
CLASSIFICATION OF DOS ATTACKS

1. Bandwidth attacks: the attacker floods the victim's link with more traffic than it can carry. Loading any website takes a certain time (loading means the complete webpage appearing on the screen and the system awaiting the user's input); under a bandwidth attack legitimate requests are delayed or never get through.
2. Logic attacks: these attacks exploit vulnerabilities in network software such as a web server or the TCP/IP stack, so that a small amount of crafted traffic crashes or hangs the service.
3. Protocol attacks: protocols here are the rules that must be followed to send data over a network; a protocol attack abuses those rules, for example by starting many connections and never completing them, so that the server's resources are exhausted.
4. Unintentional DoS: a scenario where a website ends up unavailable not due to an attack by an individual or group, but simply due to a sudden enormous spike in popularity.
HOW TO PROTECT FROM DOS/DDOS ATTACKS

1. Implement router filters. This will lessen your exposure to certain DoS attacks.
2. Disable any unused or inessential network service.
3. Observe your system's performance and establish baselines for ordinary activity, so that abnormal load can be recognised quickly.
4. Invest in redundant and fault-tolerant network configurations.
5. Establish and maintain regular backup schedules.
6. Establish and maintain appropriate password policies.
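Step 3 is the one that turns into detection logic. The following is an added example, not part of the original slides: it parses web-server access-log lines, learns a per-window baseline (requests per source and in total) from the first few windows, and then flags a later window either as a single-source flood (one host far above the baseline per-source rate) or as a distributed flood (every host below the per-source threshold but the total far above the baseline). All log lines are constructed; 10.0.0.x, 198.51.100.7 and 203.0.113.x are placeholder addresses.

```python
"""Added example (not from the original slides): detecting flood-type DoS
and DDoS traffic in a web server access log by comparing each 10-second
window against a baseline of ordinary activity.

All log lines are constructed. 10.0.0.x are the legitimate clients,
198.51.100.7 a single flooding host, 203.0.113.x a small botnet.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

BASE = 1_700_000_000  # epoch start of the constructed log (a multiple of 10)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def _line(ip, epoch, path="/index.html"):
    """Format one constructed common-log-format line."""
    ts = datetime.fromtimestamp(epoch, timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    lines = []
    legit = [f"10.0.0.{i}" for i in range(1, 6)]
    for w in range(5):                      # 5 windows of normal traffic: 5 hosts x 2 requests
        for ip in legit:
            for k in range(2):
                lines.append(_line(ip, BASE + 10 * w + 4 * k))
    for k in range(60):                     # window 3: one host sends 60 requests
        lines.append(_line("198.51.100.7", BASE + 30 + k // 6))
    for i in range(40):                     # window 4: 40 hosts, 3 requests each
        for k in range(3):
            lines.append(_line(f"203.0.113.{i + 1}", BASE + 40 + 3 * k))
    return lines


def parse_line(line):
    """(source ip, epoch seconds) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _req, _status, _size = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(t.timestamp())


def per_window(lines, size=10):
    """window start epoch -> Counter(source ip -> requests)"""
    windows = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, t = rec
            windows[(t // size) * size][ip] += 1
    return windows


def detect(lines, baseline_windows=3, size=10, src_factor=10, total_factor=5):
    """Learn a baseline from the first windows, then flag later ones."""
    windows = per_window(lines, size)
    keys = sorted(windows)
    base = [windows[k] for k in keys[:baseline_windows]]
    base_total = sum(sum(c.values()) for c in base) / len(base)
    base_top = sum(max(c.values()) for c in base) / len(base)
    alerts = []
    for w in keys[baseline_windows:]:
        c = windows[w]
        total = sum(c.values())
        top_ip, top_n = c.most_common(1)[0]
        if top_n > src_factor * base_top:
            alerts.append(("single-source-flood", w, top_ip, top_n))
        elif total > total_factor * base_total:
            alerts.append(("distributed-flood", w, len(c), total))
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The single-source case is what a router filter (step 1) can block by address; the distributed case is why that alone is not enough, since each bot stays under any per-source threshold and only the aggregate against the baseline gives it away.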


4.10 SQL INJECTION

 SQL injection is a code injection technique that allows an attacker to insert malicious SQL statements into the queries an application sends to its database.
 It exploits a security vulnerability in the database layer of an application: user input is concatenated into a SQL statement instead of being kept separate from the query text.
 SQL injection attacks are also known as SQL insertion attacks.
 Attackers target the SQL servers behind web applications.

Detecting SQL injection: the attacker submits crafted input to each entry point and watches the application's responses, for example
 the single quote character ' and looks for errors or other anomalies;
 some SQL-specific syntax that evaluates to the original value of the entry point, and then to a different value, and looks for systematic differences in the application's responses;
 Boolean conditions such as OR 1=1 and OR 1=2, and looks for differences in the application's responses.

Some common SQL injection examples include:
 Retrieving hidden data, where you can modify a SQL query to return additional results.
 Subverting application logic, where you can change a query to interfere with the application's logic.
 UNION attacks, where you can retrieve data from different database tables.
 Blind SQL injection, where the results of a query you control are not returned in the application's responses.
STEPS FOR SQL INJECTION ATTACK
 The attacker looks for the webpages that allow submitting data, that is, login page, search page, feedback form, etc.
 To check the source code of any website, right-click on the webpage and click on "view source"; the source code is displayed in a new tab or editor window. The attacker checks the HTML source and looks for the "FORM" tag.
 Everything between <FORM> and </FORM> has potential parameters that might be useful for finding the vulnerabilities, for example:
 <FORM action=Search/search.asp method=post>
 </FORM>
 The attacker inputs a single quote into the text box provided on the webpage to accept the username and password. This checks whether the user-input variable is interpreted literally by the server or becomes part of the SQL statement. If the response is a database error message, the website is found to be susceptible to an SQL injection attack, and the attacker follows up with input such as ' OR 'a'='a, which turns the login condition into one that is always true.

Similar SQL commands may allow bypassing of a login and may return many rows in a table, or even an entire database table, because the SQL server is interpreting the injected terms as SQL rather than literally. The double dashes near the end of a command (for example admin'--) tell SQL to ignore the rest of the statement as a comment.
BLIND SQL INJECTION

 Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker.
 The page with the vulnerability may not be the one that displays data; however, it will display differently (or respond after a different delay) depending on the result of a logical statement injected into the legitimate SQL statement called for that page, and the attacker extracts data one true/false question at a time.
HOW TO PREVENT SQL INJECTION ATTACKS

SQL injection attacks occur due to poor website administration and coding.
 Input validation.
 Replacing every single quote with two single quotes (escaping) is the traditional fix; it is fragile, since it must be applied to every string at every entry point and does nothing for numeric fields.
 Sanitize the input: user input needs to be checked and cleaned of any characters or strings that could possibly be used maliciously, for example character sequences such as ; , --, select, insert. Such blacklists are routinely bypassed (by case changes, comments or encoding), so they are a defence in depth, not a primary control.
 Numeric values should be checked to be numeric when accepting a query string value.
 Keep all text boxes and form fields as short as possible to limit the length of user input.
 Use stored procedures, not dynamic SQL.
 Use prepared statements (parameterized queries): the query text and the data travel separately, so user input can never change the structure of the statement. This is the primary defence.
 Least privilege: the database account used by the application should have only the rights it needs.
 Character escaping.
 Vulnerability scanners.
 Use a web application firewall.
 Modify error reports: SQL errors should not be displayed to outside users, since they tell the attacker that injection works and how the query is built.
 Isolate the database server from the web server.
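The attack steps above and the prepared-statement defence fit in one script. The following is an added example, not part of the original slides: a login function that builds its query by string concatenation, probed with the single quote and then bypassed with the ' OR 'a'='a and admin'-- inputs described above, next to the parameterized version that treats the same inputs as plain data. The users table and its two accounts are constructed for the demo and the database is an in-memory SQLite instance.

```python
"""Added example (not from the original slides): the string-concatenated
login query the slides describe next to its parameterized replacement,
exercised against an in-memory SQLite database.

The users table and its two accounts are constructed for the demo.
"""
import sqlite3


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s' ORDER BY username" % (username, password))
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, username, password):
    """Prepared statement: the driver sends the query text and the values
    separately, so a quote in the input is only ever data."""
    query = ("SELECT username FROM users WHERE username = ? "
             "AND password = ? ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


def single_quote_probe(conn):
    """Detection step from the slides: a lone quote leaves the concatenated
    query unterminated, and the database answers with a syntax error.
    Returns the error text, or None if the input was handled safely."""
    try:
        login_vulnerable(conn, "'", "anything")
    except sqlite3.Error as err:
        return str(err)
    return None


if __name__ == "__main__":
    conn = setup()
    print("probe error:", single_quote_probe(conn))
    print("vulnerable, ' OR 'a'='a :", login_vulnerable(conn, "' OR 'a'='a", "' OR 'a'='a"))
    print("vulnerable, admin'--    :", login_vulnerable(conn, "admin'--", "wrong"))
    print("safe,       ' OR 'a'='a :", login_safe(conn, "' OR 'a'='a", "' OR 'a'='a"))
    print("safe,       admin'--    :", login_safe(conn, "admin'--", "wrong"))
```

Two of the other list items are visible here as well: the error text returned by the probe is exactly what "modify error reports" says must never reach an outside user, and the account the application connects with should not be able to do more than read the users table (least privilege), so that even a successful injection cannot alter data.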


4.11 BUFFER OVERFLOW
 A buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside the memory the programmer has set aside for it.
 Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates.
 They are, thus, the basis of many software vulnerabilities and can be maliciously exploited. Bounds checking can prevent buffer overflows.
 Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array stays within its bounds.
 Knowledge of C, C++ or a low-level language such as assembly is essential to understand buffer overflows. For example:

    int main(void) {
        int buffer[10];   /* valid indices are 0..9 */
        buffer[20] = 10;  /* out-of-bounds write: C performs no bounds check */
    }

 The program attempts to write beyond the memory allocated for the buffer; the write lands on whatever happens to be adjacent on the stack, which is undefined behaviour and might result in a crash or other unexpected behaviour.
 Types of Buffer Overflow

 Stack-Based Buffer Overflow

 A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside the intended data structure, usually a fixed-length buffer.
 The "stack" is the memory region in which automatic (local) variables, and often function parameters and return addresses, are allocated.
 Automatic variables are not initialized by the system, so they contain garbage until the program initializes them; an overflow of one of them can overwrite the adjacent variables and the saved return address.

 Heap Buffer Overflow
 A heap buffer overflow occurs in the heap data area and may be introduced accidentally by an application programmer, or it may be triggered by a deliberate exploit.
 The "heap" is the "free store", a memory region where dynamically allocated objects live.
Memory on the heap is allocated by the application at run-time and normally contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked-list pointers.


How to Minimize Buffer Overflow

Manual assessment of code for secure handling of buffers: a buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold, so every copy into a fixed-size buffer should be reviewed for a length check.

Disable stack execution: mark the stack non-executable so that code injected into an overflowed buffer cannot be run directly.

Compiler tools: over the years compilers have become more and more aggressive in optimizations, and they also offer protections such as stack canaries and warnings for unsafe string functions.

Dynamic run-time checks: bounds-checking instrumentation detects out-of-bounds writes while the program runs.
4.12 ATTACKS ON WIRELESS NETWORKS

 Wireless networks are generally composed of two basic elements:
o access points (APs), and
o other wireless-enabled devices, such as laptops, which use radio transmitters and receivers to communicate or "connect" with each other.
 APs are connected through physical wiring to a conventional network, and they broadcast signals with which wireless-enabled devices associate to join that network.
The following are different types of "mobile workers":

1. Remote worker: an employee who generally remains at a single point of work, but is remote to the central company systems.
2. Roaming user: an employee who works in an environment such as warehousing or a shop floor, or in multiple areas (e.g., meeting rooms).
3. Nomad: this category covers employees requiring solutions in semi-tethered (connected) environments where modem use is frequent.
4. Road warrior: the ultimate mobile user, who spends little time in the office.
Traditional Techniques of Attacks on Wireless Networks

Penetration of a wireless network through unauthorized access is termed wireless cracking. The various methods once demanded a high level of technical skill and knowledge; the availability of numerous software tools has made it possible to crack WLANs with minimal skill.
 Denial of service (DoS): the attacker floods the radio channel so that legitimate clients cannot use the network.
 Sniffing: the attacker captures wireless traffic, either with a sniffer installed remotely on the victim's system or by passively scanning the wireless network from within radio range.
 Spoofing: the attacker often launches an attack on a wireless network by simply creating a new network (a rogue access point) that imitates the legitimate one, so that clients connect to it.
 Man-in-the-middle attack (MITM): the attacker relays traffic between a client and the real access point and reads or alters it in transit.
 Encryption cracking: the attacker recovers the network's encryption key from captured traffic. The defence is to use a long and highly randomized encryption key; it is a little painful to remember a long random key, but such keys are much harder to crack.
