Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Threat Environment
Attack and Attackers Learning Objectives
Define the term threat environment.
Use basic security terminology.
Describe threats from employees and ex-employees.
Describe threats from malware writers.
Describe traditional external hackers and their attacks, including break-in processes,
social engineering, and denial-of-service attacks.
Know that criminals have become the dominant attackers today, describe the types of
attacks they make, and discuss their methods of cooperation.
Distinguish between cyberwar and cyberterror.
1-2
1-3 1-4
1-5 1-6
1
20/9/2017
1-7 1-8
1-9 1-10
1.1: The Sony Data Breaches 1.1: The Sony Data Breaches
The First Attack The Second Attack
April 17-19, 2011 May 1st, 2011 Sony Online Entertainment
Attacks happened a few weeks after the large earthquake, tsunami, and reactor meltdowns Similar SQL injection attack used to steal additional 24.6 million accounts
Used SQL injection to steal 77 million accounts Turned off access to all Sony Online Entertainment servers
Turned off access to PlayStation Network (PSN) CEO, Kazuo Hirai, issues written response to US Congress (May 4th) about steps to prevent future
Publicly acknowledges intrusion a week after the intrusion, on April 26 th attacks
CEO, Kazuo Hirai, issues public apology Some PSN services start to come online on May 15th
Hacking group Anonymous is suspected
1-11 1-12
2
20/9/2017
1-13 1-14
1.1: The Sony Data Breaches 1.1: The Sony Data Breaches
SQL injection is an attack that involves sending modified SQL statements to a web SQL statement below shows parameters passed to a database for a legitimate login
application that will, in turn, modify a database.
Attackers can send unexpected input through their web browser which will enable
them to read from, write to, and even delete entire databases.
SELECT FROM Users WHERE username=boyle02 AND password=12345678;
1-15 1-16
1.1: The Sony Data Breaches 1.1: The Sony Data Breaches
Malformed SQL statement below shows SQL injection by passing unexpected parameters The attackers
through a Web interface Members of both LulzSec and Anonymous are involved
Will always return a true value Just before attacks on Sony, Anonymous announced the launch of operation #OpSony
for lawsuits against George Hotz
George Hotz was being sued by Sony for jailbreaking PlayStation 3
Cody Kretsinger was arrested on Sept. 22, 2011 and pled guilty for his involvement in the
Sony attacks
SELECT FROM Users WHERE username=boyle02 AND password=whatever or 1=1--;
Hector Monsegur, facing 122 years in prison, was key informant who identified other
attackers
1-17 1-18
3
20/9/2017
1-19 1-20
1.2: Employee and Ex-Employee Threats 1.2: Employee and Ex-Employee Threats
1-21 1-22
1.2: Employee and Ex-Employee Threats 1.2: Employee and Ex-Employee Threats
1-23 1-24
4
20/9/2017
1.2: Employee and Ex-Employee Threats 1.2: Employee and Ex-Employee Threats
Internet Abuse Carelessness
Downloading pornography, which can lead to sexual harassment lawsuits and viruses Loss or theft of computers or data media containing sensitive information
Downloading pirated software, music, and video, which can lead to copyright violation penalties Other Internal Attackers
Excessive personal use of the Internet at work Contract workers
Workers in contracting companies
1-25 1-26
1-27 1-28
1-29 1-30
5
20/9/2017
1.3: Classic Malware: Viruses and Worms 1.3: Classic Malware: Viruses and Worms
ILOVEYOU virus source code: Worms
Full programs that do not attach themselves to other programs
Like viruses, can spread by e-mail, instant messaging, and file transfers
1-31 1-32
1.3: Classic Malware: Viruses and Worms 1.3: Classic Malware: Viruses and Worms
Worms Blended Threats
Malware propagates in several wayslike worms, viruses, compromised webpages containing
In addition, direct-propagation worms can jump from one computer to another without human mobile code, etc.
intervention on the receiving computer Payloads
Pieces of code that do damage
Computer must have a vulnerability for direct propagation to work
Implemented by viruses and worms after propagation
Direct-propagation worms can spread extremely rapidly because they do not have to wait for Malicious payloads are designed to do heavy damage
users to act
1-33 1-34
1.3: Trojan Horses and Rootkits 1.3: Trojan Horses and Rootkits
Nonmobile Malware Trojan Horses
Must be placed on the users computer through one of a growing number of attack A program that replaces an existing system file, taking its name
techniques Trojan Horses
Placed on computer by hackers Remote Access Trojans (RATs)
Placed on computer by virus or worm as part of its payload Remotely control the victims PC
The victim can be enticed to download the program from a website or FTP site Downloaders
Mobile code executed on a webpage can download the nonmobile malware Small Trojan horses that download larger Trojan horses after the downloader is installed
1-35 1-36
6
20/9/2017
1.3: Trojan Horses and Rootkits 1.3: Trojan Horses and Rootkits
Trojan Horses Trojan Horses
Spyware Rootkits
Programs that gather information about you and make it available to the adversary
Cookies that store too much sensitive personal information Take control of the super user account (root, administrator, etc.)
Keystroke loggers Can hide themselves from file system detection
Password-stealing spyware Can hide malware from detection
Data mining spyware
Extremely difficult to detect (ordinary antivirus programs find few rootkits)
1-37 1-38
1-39
1-42
7
20/9/2017
1-44
New Attacks
Njw0rm Dorkbot
a VBS worm that spreads through removable drives, malicious email attachments is another new worm that made a noticeable impact.
and drive-by downloads. However, Dorkbot is also able to spread itself
The worm has backdoor capabilities and is essentially designed to steal information by posting malicious links in instant messages and
from victims. social media sites.
1-45 1-46
1-47 1-48
8
20/9/2017
Whats Next?
1.1 Introduction & Terminology
1.2 Employee and Ex-Employee Threats
1.3 Malware
1.4 Hackers and Attacks
1.5 The Criminal Era
1.6 Competitor Threats
1.7 Cyberwar and Cyberterror
1-49 1-50
1.4: Traditional External Attackers: Hackers 1.4: Traditional External Attackers: Hackers
1-51 1-52
1.4: Probe and Exploit Attack Packets 1.4: Traditional External Attackers: Hackers
Anatomy of a Hack
The exploit
The specific attack method that the attacker uses to break into the computer is called the attackers
exploit
The act of implementing the exploit is called exploiting the host
1-53 1-54
9
20/9/2017
1-55 1-56
1-59 1-60
10
20/9/2017
1.4: Traditional External Attackers: Hackers 1.4: Traditional External Attackers: Hackers
Skill Levels Skill Levels
Expert attackers are characterized by strong technical skills and dogged persistence Script kiddies use these scripts to make attacks
Expert attackers create hacker scripts to automate some of their work Script kiddies have low technical skills
Scripts are also available for writing viruses and other malicious software Script kiddies are dangerous because of their large numbers
1-61 1-62
1-63 1-64
1-65 1-66
11
20/9/2017
1-67 1-68
1-69 1-70
1-71 1-72
12
20/9/2017
1-73 1-74
1-75 1-76
1-77
13