Many security threats reach the targeted computer system via the networks it is connected to, and many of them make use of features of the Internet Protocol (IP). These network-based threats can be passive or active.
Passive network-based threats include the following:
Eavesdropping
This pre-dates computers, having been used since the early days of telephone networks, and it involves listening in to data being transmitted over a network. Traditionally this required a physical connection to a wired network but, more recently, it is typically done by listening in to WiFi networks, which use radio communication.
WiFi networks should be encrypted so that only users who know the key can join them, but it may be possible to crack a WiFi key or obtain it through social engineering.
An attacker may use techniques such as ARP spoofing and software such as Wireshark to view data sent over the network.
Port scanning
This is a method of probing a computer's network ports to see which of them are open and what services are running on the system. It is not an attack as such, but a would-be attacker can use this information to exploit vulnerabilities in the services that are running.
Idle scan
This is a form of port scanning in which the attacking computer has no direct interaction with the computer it is scanning. Instead it uses another computer, called a zombie, to scan the target computer's ports. The benefit to the attacker is that the attacking computer's address leaves no trace on the target machine.
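The following detection logic is an added example, not code from the original article: it reads a constructed firewall-style log and flags a source that sends SYNs to many distinct ports on one host in a short window, which is what a port scan looks like from the defender's side. The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log of inbound TCP packets (not from the
# original article): one source probes six ports on 192.0.2.10 within
# three seconds; a second source merely retries port 80.
SAMPLE_LOG = """\
2012-03-27T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=22 flags=S
2012-03-27T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 flags=S
2012-03-27T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=25 flags=S
2012-03-27T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=80 flags=S
2012-03-27T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=443 flags=S
2012-03-27T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=3306 flags=S
2012-03-27T10:00:04 src=198.51.100.5 dst=192.0.2.10 dport=80 flags=S
2012-03-27T10:00:09 src=198.51.100.5 dst=192.0.2.10 dport=80 flags=S
"""

def parse_line(line):
    """Split one log line into a dict of its fields."""
    ts, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "src": f["src"],
            "dst": f["dst"], "dport": int(f["dport"]), "flags": f["flags"]}

def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=10)):
    """Map (source, destination) -> sorted probed ports for every pair where
    at least `threshold` distinct ports received a SYN within `window` of
    the first SYN. Only SYN-only packets count: a scanner sends the first
    packet of a handshake and nothing more to a closed port."""
    window_start = {}
    ports = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["flags"] != "S":
            continue
        key = (rec["src"], rec["dst"])
        if key not in window_start or rec["ts"] - window_start[key] > window:
            window_start[key] = rec["ts"]   # open a fresh window for this pair
            ports[key] = set()
        ports[key].add(rec["dport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for (src, dst), probed in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan of {dst} from {src}: ports {probed}")
```

Two limits follow directly from the article: during an idle scan the address recorded here is the zombie's, not the attacker's, and a slow scan spread across several windows is not caught by this simple rule.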
There are also many network-based threats that can be classified as active:
Denial of service (DoS) attack
This involves sending so many requests to a web server that it is overwhelmed and cannot respond to legitimate requests, which has the effect of taking the website hosted on the target machine off-line.
In most cases the sender IP address of the machine launching the attack is forged so that the source of the attack cannot easily be identified. There are a variety of different versions of the DoS attack.
In order to send enough requests to overwhelm a powerful web server, a distributed denial of service (DDoS) attack can be used, in which a botnet of many computers launches the attack together.
IP spoofing
This is a technique used in many types of attack (such as DoS attacks) to hide the source address of the attacking computer.
For example, it is possible to create IP data packets with a forged sender IP address. This helps to hide the identity of the computer launching the attack.
Man-in-the-middle (MITM) attack
This type of attack involves listening in to, and potentially modifying, data exchanged between two computers. MITM is a type of eavesdropping and could be used, for example, on an unencrypted WiFi connection to view data being sent over the network.
Address resolution protocol (ARP) poisoning
The ARP is used to map fixed physical hardware addresses (MAC addresses) to IP addresses (which are dynamically allocated to devices by routers or servers) on a LAN.
In this type of attack, faked ARP messages are sent that are intended to fool other devices into believing that the attacker's computer is another device, such as the network's default gateway (the device to which messages with destinations outside the LAN are sent). This allows the attacker to intercept messages that were not intended for their computer, and so it is a type of MITM attack.
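As an added example (not from the original article), the check below watches ARP replies on a constructed LAN and raises an alert when an IP address, in particular the gateway's, is suddenly claimed by a different MAC, or when one MAC claims several IP addresses. The gateway address and the reply sequence are assumptions.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed default gateway of the constructed LAN

# Constructed sequence of ARP replies seen on the LAN as (sender IP, sender MAC).
# The third and fourth replies come from a new MAC that claims both the
# gateway's address and a workstation's address, as in the attack described above.
ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation
    ("192.168.1.1",  "AA:BB:CC:00:00:99"),   # another MAC claims the gateway IP
    ("192.168.1.20", "aa:bb:cc:00:00:99"),   # ... and the workstation's IP
    ("192.168.1.1",  "aa:bb:cc:00:00:99"),   # repeated claim, reported only once
]

def check_arp_replies(replies, gateway_ip=GATEWAY_IP):
    """Watch the IP->MAC bindings announced by ARP replies. Reports each IP
    whose MAC differs from the one first seen for it (once per new MAC) and
    each MAC that claims more than one IP. Returns a list of alert dicts."""
    first_mac = {}                       # ip -> MAC first announced for it
    ips_per_mac = defaultdict(set)       # mac -> IPs it has claimed
    reported = set()
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                # normalise case before comparing
        ips_per_mac[mac].add(ip)
        if ip not in first_mac:
            first_mac[ip] = mac
        elif first_mac[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"type": "mac_changed", "ip": ip, "old": first_mac[ip],
                           "new": mac, "gateway": ip == gateway_ip})
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append({"type": "one_mac_many_ips", "mac": mac, "ips": sorted(ips)})
    return alerts

if __name__ == "__main__":
    for alert in check_arp_replies(ARP_REPLIES):
        print(alert)
```

A replaced network card on the gateway also changes its MAC, so treat an alert as something to investigate rather than proof of poisoning.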
Smurf attack
This is a type of DDoS attack. It exploits a feature of the internet control message protocol (ICMP) whereby, when a computer receives an ICMP message, it replies to the source IP address in that message, confirming that it was received.
The original intention of this feature was to test whether devices were connected and working. However, an attacker can send an ICMP message whose source IP address is faked to be that of the computer to be attacked.
If this message is sent to the broadcast address of a network then every device on that network will reply, sending its response to the computer that is being attacked (the broadcast address is a special IP address; messages addressed to it are delivered to every host on the local network).
In a large network, so many ICMP messages could be generated that the attacked computer would be overwhelmed. To prevent this, most modern devices no longer respond to ICMP messages sent to the broadcast address and so are not vulnerable to this type of attack.
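The model below is an added example, not code from the article: it simulates a constructed LAN of 50 hosts to show how one forged echo request to the broadcast address becomes 50 replies to the victim under the legacy behaviour, how the modern "ignore broadcast" setting removes the amplification, and a simple detection rule for the forged packet. The network, host count and victim address are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")                   # constructed LAN
BROADCAST = LAN.broadcast_address                  # 192.0.2.255
HOSTS = [str(h) for h in list(LAN.hosts())[:50]]   # 50 constructed hosts

@dataclass(frozen=True)
class EchoRequest:
    src: str   # claimed source IP; forged to the victim's address in a smurf attack
    dst: str   # a single host, or the broadcast address

def echo_replies(request, hosts=HOSTS, ignore_broadcast=True):
    """Return the (replying host, reply destination) pairs the LAN would emit
    for one ICMP echo request. ignore_broadcast=False is the legacy behaviour
    the attack relies on; True is the modern default (on Linux the sysctl
    net.ipv4.icmp_echo_ignore_broadcasts=1)."""
    dst = ip_address(request.dst)
    replies = []
    for host in hosts:
        if dst == BROADCAST and not ignore_broadcast:
            replies.append((host, request.src))
        elif dst == ip_address(host):
            replies.append((host, request.src))
    return replies

def amplification(request, hosts=HOSTS, ignore_broadcast=True):
    """Replies generated per request: the attacker's bandwidth multiplier."""
    return len(echo_replies(request, hosts, ignore_broadcast))

def suspicious_broadcast_echo(request):
    """Detection rule: an echo request to the broadcast address whose claimed
    source lies outside the LAN. No local host needs to send one, so the
    source is most likely forged and names the real victim."""
    return ip_address(request.dst) == BROADCAST and ip_address(request.src) not in LAN

# Constructed attack packet: the victim's address forged as the source.
VICTIM = "198.51.100.9"
SPOOFED = EchoRequest(src=VICTIM, dst=str(BROADCAST))

if __name__ == "__main__":
    print("legacy hosts reply:", amplification(SPOOFED, ignore_broadcast=False))
    print("modern hosts reply:", amplification(SPOOFED, ignore_broadcast=True))
    print("flagged as suspicious:", suspicious_broadcast_echo(SPOOFED))
```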
Buffer overflow
This is an example of a vulnerability in legitimate programs running on a system that can be of benefit to an attacker. A buffer is an area of memory allocated by a program to store input data. The program allocates a certain amount of memory but, if the input is larger than the buffer, an overflow can occur.
There are a number of ways in which this can be exploited by cyberattackers, and they all require an advanced understanding of programming techniques. Essentially, the aim is to force the program to execute code provided by the attacker rather than the intended code.
Heap overflow
This is a type of buffer overflow. In operating system memory management, the heap is the term used for those areas of memory that can be allocated to programs for them to use.
By corrupting application data held in the heap in a particular way, the attacker's code can be executed.
Format string attack
This is another type of attack that targets poorly written programs in the C family of programming languages. It targets the code used to format input data: carefully designed input causes this code to behave in a way that benefits the attacker.
For example, it might allow the attacker to execute their own code. A detailed understanding of programming is required to exploit this vulnerability.
Structured Query Language (SQL) injection
SQL injection is a widely used method of attack that targets SQL databases and is often used against web-based database applications. It involves supplying, via a web page, certain types of input that change the way the application works, giving the attacker access to data in the database in a way the application did not intend.
There are a number of similar ways in which search string inputs can be used to manipulate SQL statements. By sending improperly formatted SQL that generates errors, an attacker can learn a lot about the software the web server is using from the error messages shown, such as the type and version of the database system in use. This information helps the attacker to exploit vulnerabilities that exist in particular software and versions of that software.
SQL injection can give attackers access to large amounts of data that may be confidential, for example customer details. Applications should be written to prevent this kind of attack, using proper input validation and error handling, but many older applications are not protected in this way and are vulnerable.
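To show both points above in working code, here is an added example (not from the article) using a constructed in-memory SQLite customer table: a search built by string concatenation beside its parameterised replacement, and a handler that keeps raw database errors away from the user. The table contents and handler shape are assumptions.

```python
import sqlite3

# Constructed in-memory customer table (not from the original article).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
])

def search_vulnerable(name):
    """The pattern the article warns about: user input pasted into the SQL,
    so a quote in the input changes the statement instead of being data."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def search_safe(name):
    """Parameterised query: the input is bound as a value and never parsed
    as SQL, so the same statement runs whatever the input contains."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def handle_search(name, impl):
    """Web-handler shape: a database error must not reach the user, because
    the raw message reveals the engine and the structure of the query.
    Details belong in the server log, not in the response."""
    try:
        return {"ok": True, "rows": impl(name)}
    except sqlite3.Error:
        return {"ok": False, "error": "search failed"}

if __name__ == "__main__":
    probe = "x' OR '1'='1"    # constructed input containing a quote
    print("vulnerable:", search_vulnerable(probe))   # every row comes back
    print("safe:", search_safe(probe))               # no customer has that name
    print(handle_search("x'", search_vulnerable))    # error hidden from the user
```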
Cyberwarfare
An attack against a specific organisation or government using any of the methods described above. Cyberwarfare is becoming increasingly common and many governments have prepared themselves to defend against such attacks.
Published on Tue 27 March 2012 by Gary Hall in Security with tag(s): threats