Monday, July 18, 2022

Principle of Information Security: Module 2 The Need for Information Security (Part 15)

Back Doors

Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Viruses and worms can have a payload that installs a back door or trap door component in a system, allowing the attacker to access the system at will with special privileges. Examples of such payloads include Subseven and Back Orifice.

Sometimes these doors are left behind by system designers or maintenance staff; such a door is referred to as a maintenance hook. More often, attackers place a back door into a system or network they have compromised, making their return to the system that much easier the next time. A trap door is hard to detect because the person or program that places it often makes the access exempt from the system’s usual audit logging features and makes every attempt to keep the back door hidden from the system’s legitimate owners.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-16). So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. In a distributed denial-of-service (DDoS) attack, a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into bots or zombies, machines that are directed remotely by the attacker (usually via a transmitted command) to participate in the attack. DDoS attacks are more difficult to defend against, and currently there are no controls that any single organization can apply. There are, however, some cooperative efforts to enable DDoS defenses among groups of service providers; an example is the “Consensus Roadmap for Defeating Distributed Denial of Service Attacks.” To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet. The MyDoom worm attack in February 2004 was intended to be a DDoS attack against, the Web site of a vendor for a UNIX operating system. Allegedly, the attack was payback for the SCO Group’s perceived hostility toward the open-source Linux community.

Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is vulnerable to DoS attacks. DoS attacks can also be launched against routers or other network server systems if these hosts enable other TCP services, such as echo.

Prominent in the history of notable DoS attacks are those conducted by Michael Calce (a.k.a. Mafiaboy) on,,,,,, and in February 2000. These software-based attacks lasted approximately four hours and reportedly resulted in millions of dollars in lost revenue. The British ISP CloudNine is believed to be the first business “hacked out of existence” by a DoS attack in January 2002. This attack was similar to the DoS attacks launched by Mafiaboy. In January 2016, a group calling itself New World Hacking attacked the BBC’s Web site. If the scope of the attack is verified, it would qualify as the largest DDoS attack in history, with an attack rate of 602 Gbps (gigabits per second). The group also hit Donald Trump’s campaign Web site on the same day.

In October 2016, a massive DDoS attack took down several Web sites, including Airbnb, Etsy, Github, Netflix, Reddit, Spotify, Twitter, and Vox, by attacking their common DNS service provider. While the initial attack only lasted hours, the sites experienced issues for the rest of the day.

E-Mail Attacks

While many consider spam a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks. In March 2002, there were reports of malicious code embedded in MP3 files that were included as attachments to spam. The most significant consequence of spam, however, is the waste of computer and human resources. Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell users of the mail system to delete unwanted messages.

A form of e-mail attack that is also a DoS attack is called a mail bomb. It can be accomplished using traditional e-mailing techniques or by exploiting various technical flaws in the Simple Mail Transfer Protocol (SMTP). The target of the attack receives an unmanageably large volume of unsolicited e-mail. By sending large e-mails with forged header information, attackers can take advantage of poorly configured e-mail systems on the Internet and trick them into sending many e-mails to an address of the attackers’ choice. If many such systems are tricked into participating, the target e-mail address is buried under thousands or even millions of unwanted e-mails.

Although phishing attacks occur via e-mail, they are much more commonly associated with a method of social engineering designed to trick users to perform an action, rather than simply making the user a target of a DoS e-mail attack.

Communications Interception Attacks

Common software-based communications attacks include several subcategories designed to intercept and collect information in transit. These types of attacks include sniffers, spoofing, pharming, and man-in-the-middle attacks. The emergence of the Internet of Things (IoT)—the addition of communications and interactivity to everyday objects—increases the possibility of these types of attacks. Our automobiles, appliances, and entertainment devices have joined our smartphones in being interconnected and remotely controlled. The security of these devices has not always been a primary concern. IoT devices are now integrated intimately into our everyday lives and are proving to be difficult to secure, because they are often difficult or impossible to update and may not allow embedded passwords to be changed. The use of IoT devices poses significant privacy risks when they cannot be properly secured.

A packet sniffer (or simply sniffer) can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network’s security because they are virtually impossible to detect and can be inserted almost anywhere. This feature makes them a favorite weapon in the hacker’s arsenal. Sniffers often work on TCP/IP networks. Sniffers add risk to network communications because many systems and users send information on local networks in clear text. A sniffer program shows all the data going by, including passwords, the data inside files (such as word-processing documents), and sensitive data from applications.

Attackers want to mask their sources, so they frequently use some sort of spoofing to hide themselves. In IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses and then modify packet headers (see Figure 2-17) to insert these forged addresses. Newer routers and firewall arrangements can offer protection against IP spoofing.
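The router and firewall protection mentioned above is usually source-address validation at the network border (the approach documented in BCP 38). The following added example, which is not part of the textbook, shows that logic in Python: the internal prefixes and the sample packet records are constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Constructed example: the prefixes this organisation legitimately uses
# behind its border router (an assumption for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Ranges that must never appear as a source on packets arriving from the
# Internet: RFC 1918 private space, loopback, link-local, multicast, etc.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def check_packet(src: str, direction: str) -> tuple:
    """Return (allowed, reason) for a packet's source address.

    direction is "ingress" (arriving from the Internet) or "egress"
    (leaving the internal network towards the Internet).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        # A packet from outside that claims one of our own addresses is forged.
        if _in_any(addr, INTERNAL_PREFIXES):
            return False, "ingress packet spoofs an internal source address"
        if _in_any(addr, BOGON_PREFIXES):
            return False, "ingress packet carries an unroutable (bogon) source"
        return True, "ok"
    if direction == "egress":
        # Only let packets out whose source we actually own, so this network
        # cannot be used as a launch point for spoofed traffic.
        if not _in_any(addr, INTERNAL_PREFIXES):
            return False, "egress packet carries a source address we do not own"
        return True, "ok"
    raise ValueError("direction must be 'ingress' or 'egress'")

def filter_log(lines: Iterable[str]) -> list:
    """Evaluate constructed 'direction src' records and return the drop decisions."""
    drops = []
    for line in lines:
        direction, src = line.split()
        allowed, reason = check_packet(src, direction)
        if not allowed:
            drops.append(f"DROP {direction} src={src}: {reason}")
    return drops

SAMPLE = [  # constructed records, not captured traffic
    "ingress 203.0.113.7", "ingress 192.0.2.50", "ingress 10.1.2.3",
    "egress 198.51.100.9", "egress 203.0.113.200",
]
```

Running `filter_log(SAMPLE)` drops the ingress packet claiming an internal source, the ingress packet with a private source, and the egress packet with a foreign source, and passes the other two.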

Pharming attacks often use Trojans, worms, or other virus technologies to attack an Internet browser’s address bar so that the valid URL the user types is modified to be that of an illegitimate Web site. A form of pharming called Domain Name System (DNS) cache poisoning targets the Internet DNS system, corrupting legitimate data tables.

The key difference between pharming and phishing is that the latter requires the user to actively click a link or button to redirect to the illegitimate site, whereas pharming attacks modify the user’s traffic without the user’s knowledge or active participation.

In the well-known man-in-the-middle attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. In a TCP hijacking attack, also known as session hijacking, the attacker uses address spoofing to impersonate other legitimate entities on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the hacker to act as an invisible man in the middle—that is, an eavesdropper—on encrypted communications. Figure 2-18 illustrates these attacks by showing how a hacker uses public and private encryption keys to intercept messages. You will learn more about encryption keys in Module 10.
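The key-exchange interception described above works only when neither party can check whose public value it actually received. The following added example (not from the textbook) simulates a Diffie-Hellman exchange in Python with an interceptor who substitutes her own public value, and then shows how a fingerprint known in advance (as with SSH host keys) lets each side detect the substitution and abort. The group parameters are toy values constructed for the example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters constructed for this example; a real
# deployment uses a standardised group of 2048 bits or more.
P = 2147483647
G = 7

def keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def derive_key(priv, peer_pub):
    # Both sides hash the agreed integer into a session key.
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).hexdigest()

def fingerprint(pub):
    # Short digest of a public value, the kind of thing published or
    # verified out of band before the exchange takes place.
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]

def exchange(intercept: bool, verify: bool) -> dict:
    """Run one exchange between Alice and Bob, optionally through Mallory.

    Returns the session key each party derived, the keys Mallory can derive
    when she intercepts, and whether fingerprint verification aborted the run.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Assumption: the fingerprints were exchanged out of band beforehand.
    known = {"alice": fingerprint(a_pub), "bob": fingerprint(b_pub)}
    m_priv, m_pub = keypair()
    # What each side actually receives: with an interceptor, Mallory's value.
    pub_seen_by_bob = m_pub if intercept else a_pub
    pub_seen_by_alice = m_pub if intercept else b_pub
    if verify and (fingerprint(pub_seen_by_bob) != known["alice"]
                   or fingerprint(pub_seen_by_alice) != known["bob"]):
        return {"aborted": True}
    result = {"aborted": False,
              "alice": derive_key(a_priv, pub_seen_by_alice),
              "bob": derive_key(b_priv, pub_seen_by_bob)}
    if intercept:
        # Mallory shares one key with Alice and a different one with Bob,
        # so she can decrypt, read and re-encrypt every message in transit.
        result["mallory"] = {derive_key(m_priv, a_pub), derive_key(m_priv, b_pub)}
    return result
```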
