Network security Module 1- Attacks on Computer & Computer Security

Module 1

Attacks on Computers and Computer Security:

Need for Security, Security Approaches, Principles of Security Types of Attacks

1.1 The Need for Security

1.1.1 Basic Concepts
 Initial computer applications had no, or very little security as the importance of data
was not realized then.
 When computer applications were developed to handle financial and personal data, the
need for security arose. With this realization, security began to gain prominence and
security mechanisms began to evolve.
 Examples of security mechanisms:
 Provide a user id and password to every user, and use that information to
authenticate a user
 Encode information stored in the databases, so that it is not visible to users who do
not have the right permissions.
 Organizations employed their own security mechanisms to provide basic security. As
technology improved, newer applications began to be developed and the basic security
measures were not sufficient.
 Further with the evolution of the biggest computer network, Internet, the need for right
security policy, technology implementations became very important.
 Example of information traveling from Client to server over the internet.

Fig 1.1 Information travelling from a client to a server over the internet

 From the user’s computer, the user details such as user id, order details such as order
id and item id and payment details such as credit card information travel across the

Swetha C M, Assistant Professor, STJIT, Ranebennur 1

Network security Module 1- Attacks on Computer & Computer Security

Internet to the merchant’s server. The merchant’s server stores these details in its
database.
 The various security holes in this are:
 An intruder can capture the credit card details as they travel from the client to the
server.
 Once the merchant receives the credit card details and validates them so as to
process the order and later obtain payments, the merchant stores the credit card
details into its database. An attacker can succeed in accessing this database and
gain access to all the credit card numbers stored there.

1.1.2 Modern Nature of attacks

The salient features of the modern nature of attacks are:

 Automating attacks: Humans dislike repetitive and difficult tasks. Automating them
can cause destruction more rapidly. Rather than producing fake currency on a mas
scale, modern thieves will excel in stealing a very low amount from million bank
accounts in a matter of a few minutes.
 Privacy concerns: Collecting information about people and later misusing it is turning
out to be a huge problem. The data mining applications gather, process and tabulate
all sorts of details about individuals. People can illegally sell this information.
 Distance does not matter: Thieves would earlier attack banks, as banks had money.
These days Money is in digital form and moves around using computer network. It is
easier for modern thief to attempt an attack on the computer system of the bank, sitting
at home.

1.2 Security Approaches

1.2.1 Trusted systems
 A trusted system is a computer system that can be trusted to a specified extent to enforce
a specified security policy.
 Trusted system uses the term reference monitor, an entity at the logical heart of the
computer system which is responsible for all decisions across controls.
 The reference monitor should be tamperproof, always be invoked and small enough so
that it can be independently tested.
 The mathematical foundation for trusted systems was provided by two independent, yet
interrelated works. In 1974, a technique called as Bell-LaPadula model was devised
which was a highly trustworthy computer system designed as a collection of objects
(files, disks and printers) and subjects (users, processes or threads)

Swetha C M, Assistant Professor, STJIT, Ranebennur 2

Network security Module 1- Attacks on Computer & Computer Security

1.2.2 Security Models

An organization can take several approaches to implement its security model. The various
approaches are:

a) No security: This is the simplest model with no security at all.

b) Security through obscurity: In this model, a system is secure simply because nobody
knows about its existence and contents. This approach cannot work for too long, as
there are many ways an attacker can come to know about it.

c) Host security: In this scheme, the security for each host is enforced individually. This
is a safe approach, but the complexity and diversity of modern sites/organizations
makes the task harder and difficult to scale.

d) Network security: Host security is tough to achieve as organization grows and becomes
more diverse. In this technique, the focus is to control network access to various hosts
and their services, rather than individual host security. This is a very efficient and
scalable model.

1.2.3 Security Management Practices

Good security management practices always have a good security policy which takes care
of 4 key aspects.
1) Affordability: How much money and efforts does this security implementation cost?
2) Functionality: What is the mechanism of providing security?
3) Cultural issues: Does the policy gel well with people’s expectations, working style
and beliefs?
4) Legality: Does the policy meet the legal requirements?
Once a security policy is in place, the following points should be ensured.
 Explanation of the policy to all concerned.
 Outline everybody’s responsibilities.
 Use simple language in all communications.
 Accountability should be established.
 Provide for exceptions and periodic reviews.

Swetha C M, Assistant Professor, STJIT, Ranebennur 3

Network security Module 1- Attacks on Computer & Computer Security

1.3 Principles of Security

The four chief principles of security are:

1) Confidentiality
2) Authentication
3) Integrity
4) Non repudiation

Two more principles that are linked to the overall system are:
5) Access control
6) Availability

1) Confidentiality
 The principle of confidentiality specifies that only the sender and the intended
recipient(s) should be able to access the contents of a message.

 Confidentiality gets compromised if an unauthorized person is able to access a message.

Example of compromising the confidentiality of a message is shown in Fig 1.2.

Fig 1.2 Loss of confidentiality

 Here the user of computer A sends a message to the user of computer B. Another user
C gets access to this message, which is not desired, and therefore, defeats the purpose
of confidentiality.
 Example:- A confidential email message sent by A to B, which is accessed by C without
the permission or knowledge of A and B. This type of attack is called as interception.
“Interception causes loss of message confidentiality”

Swetha C M, Assistant Professor, STJIT, Ranebennur 4

Network security Module 1- Attacks on Computer & Computer Security

2) Authentication:

 Authentication establishes proof of identities.

 The authentication process ensures that the origin of an electronic message or
document is correctly identified.
 For instance, suppose that user C sends an electronic document over the Internet to
user B, posing as user A. How would user B know that the message has come from user
C, who is posing as user A.

Fig 1.3 Absence of authentication

 Example: User C posing as user A, sends a funds transfer request (from A’s account to
C’s account) to bank B. The bank will transfer the funds from A’s account to C’s account,
thinking that user A has requested for the funds transfer. This type of attack is called
as fabrication.
 “Fabrication is possible in the absence of proper authentication mechanisms”

3) Integrity:
 When the contents of a message are changed after the sender sends it, but before it
reaches the intended recipient, the integrity of the message is lost.
 Example: Suppose you write a cheque for $100 to pay for the goods bought from the
store, but in the account statement it is observed that the cheque resulted in a payment
of $1000! This is the case of loss of message integrity.
 Fig 1.4 demonstrates loss of integrity. User C tampers (modifies) a message originally
sent by user A, which is actually destined for user B.
 User C somehow manages to access the message, change its contents and send the
changed message to user B. Neither A nor B knows that the contents of the message
were changed after user A had sent it. This type of attack is called as modification.
 “Modification causes loss of message integrity”

Swetha C M, Assistant Professor, STJIT, Ranebennur 5

Network security Module 1- Attacks on Computer & Computer Security

Fig 1.4 Loss of integrity

4) Non repudiation:
 There are situations where a user sends a message and later refuses that the message
was sent. This is repudiation (refuse to accept).
 Example: User A could send a fund transfer request to bank B over the internet. After
the bank performs the funds transfer as per A’s request, A could claim that he never
sent the fund transfer request to the bank.
 Thus, A repudiates, or denies the fund transfer instruction.
 The principle of non-repudiation defeats such possibilities of denying something,
having done it.
“Non repudiation does not allow the sender of a message to refuse the claim of not sending
that message”.

5) Access control:
 The principle of access control determines who should be able to access what.
 For instance, we should be able to specify that user A can view the records in a
database, but cannot update them. However, another user B might be allowed to make
updates as well. An access control mechanism can be set up to ensure this.
 Access control is broadly related to two areas: role management and rule management.
 Role management concentrates on the user side (which user can do what)
 Rule management focuses on the resources side (which resource is accessible, and
under what circumstances).
 Based on the decisions taken here, an access control matrix is prepared, which lists
the users against a list of items they can access (it can say that user A can write to file
X, but can only update files Y and Z).
 An access control list (ACL) is a subset of an access control matrix.
 “Access control specifies and controls who can access what.”

Swetha C M, Assistant Professor, STJIT, Ranebennur 6

Network security Module 1- Attacks on Computer & Computer Security

6) Availability:
 The principle of availability states that resources (information) should be available to
authorized parties at all times.

 Example: Due to the intentional actions of another unauthorized user C, an authorized

user A may not be able to contact a server computer B as shown in fig 1.5.
 This would defeat the principle of availability. Such an attack is called as interruption.
 “Interruption puts the availability of resources in danger”

Fig 1.5 Attack on availability

7) Ethical and Legal issues:

 The ethical issues in security systems are classified into four categories:
 Privacy – deals with the right of an individual to control personal information
 Accuracy – deals about the responsibility for the authenticity, fidelity and accuracy
of information.
 Property – talks about the owner of the information and about who controls access.
 Accessibility – deals with the issue of type of information an organization has the
right to collect.
 While dealing with legal issues, there is a hierarchy of regulatory bodies that govern
the legality of information security which can be classified as follows:
 International -e.g International Cybercrime Treaty
 Federal – e.g. FERPA, Patriot Act
 State – e.g. UCITA
 Organization – e.g. Computer use policy

Swetha C M, Assistant Professor, STJIT, Ranebennur 7

Network security Module 1- Attacks on Computer & Computer Security

1.4 Types of attacks

Attacks can be classified into two views : A common man’s view and technological view.
1.4.1 Attacks: A general view
Attacks can be classified into three categories:

 Criminal attacks –
In this, the aim of attackers is to maximize financial gain by attacking computer systems.
Some of the criminal attacks are listed below:

Attack Description
Fraud Modern fraud attacks concentrate on manipulating some aspects
of electronic currency, credit cards, electronic stock certificates,
cheques, letters of credit, purchase order, ATMs etc.
Scams Some forms of scams are sales of services, auctions, multi- level
marketing schemes, general merchandise and business
opportunities etc. People are tempted to send money in return of
great profits, but end up losing their money.
Destruction The main motive behind these attacks is some sort of grudge.
Example: Some unhappy employees attack their own
organization; terrorists strike at bigger levels
Identity theft An attacker does not steal anything from a legitimate user,
instead he becomes that legitimate user!
Example, it is much easier to manage to get the password of
someone else's bank account or to actually be able to get a
credit card on someone else's name. That privilege can be misused
until it gets detected.
Intellectual Intellectual property theft ranges from stealing companies' trade

property theft secrets, databases, digital music and videos, electronic

documents and books, Identity theft, Intellectual property theft
software and etc.

Swetha C M, Assistant Professor, STJIT, Ranebennur 8

Network security Module 1- Attacks on Computer & Computer Security

Brand theft It is quite easy to set up fake Web sites that look like real Web
sites. It is difficult for a common user to know if she is visiting the
real Bank site or an attacker's site?
Innocent users end up providing their secrets and personal
details on these fake sites to the attackers.
The attackers use these details to then access the real site,
causing an identity theft.

 Publicity Attacks
 Occurs because the attackers want to see their names appear on television news
channels and newspapers for publicity. These types of attackers are usually not
hardcore criminals.
 They are people such as students in universities or employees in large organizations,
who seek publicity by adopting a novel approach of attacking computer systems.

 Legal attacks
 This form of attack is quite novel and unique. The attacker tries to make the judge or
jury doubtful about the security of a computer system.
 The attacker attacks the computer system and the attacked party (Bank or
organization) manages to take the attacker to the court. The attacker tries to convince
the judge that there is inherent weakness in the computer security system and
exploits the weakness of the judge.

1.4.2 Attacks: A Technical view

The types of attacks on computers and network systems can be classified into two
categories:
(a) Theoretical concepts behind these attacks
(b) Practical approaches used by the attackers.

a) Theoretical Concepts
The principles of security face threat from various attacks. These attacks are classified into
four categories, as mentioned namely:
 Interception -
 This attack results from violating confidentiality.
 It means that an unauthorized party has gained access to a resource. The party can
be a person, program or computer-based system.
 Example: Copying of data or programs and listening to network traffic.

Swetha C M, Assistant Professor, STJIT, Ranebennur 9

Network security Module 1- Attacks on Computer & Computer Security

 Fabrication -
 This attack results from violating authentication.
 This involves creation of illegal objects on a computer system.
 Example: The attacker may add fake records to a database.

 Modification –
 This attack results from violating Integrity. The attacker may modify the values in a
database.

 Interruption
 This attack results from violating availability.
 The resource becomes unavailable, lost or unusable.
 Example: Causing problems to a hardware device, erasing program, data or operating
system components.

These attacks are further grouped into two types:

 Passive attacks
 Active attacks

Passive attacks
 Passive attacks are those, wherein the attacker indulges in eavesdropping or monitoring
of data transmission.
 The attacker aims to obtain information that is in transit.
 The term passive indicates that the attacker does not attempt to perform any
modifications to the data.
 Passive attacks are harder to detect.
 The general approach to deal with passive attacks is to think about prevention, rather
than detection or corrective actions.
Passive attacks do not involve any modifications to the contents of an original message.

Passive attacks can be further classified into two sub-categories. These categories are:
 Release of message contents
 Traffic analysis.

Swetha C M, Assistant Professor, STJIT, Ranebennur 10

Network security Module 1- Attacks on Computer & Computer Security

 Release of message contents:

 When a confidential email message is sent, it is desired that only the recipient is able
to access it. Otherwise, the contents of the message are released against our wishes to
someone else.
 Using certain security mechanisms, we can prevent release of message contents. For
example, we can encode messages using a code language, so that only the desired
parties understand the contents of a message, because only they know the code
language.
 However, if many such messages are passing through, a passive attacker could try to
figure out similarities between them to come up with some sort of pattern that provides
the attacker some clues regarding the communication that is taking place.
 Such attempts of analysing (encoded) messages to come up with likely patterns are the
work of the traffic analysis attack.

Active attacks
 The active attacks are based on modification of the original message in some manner or
the creation of a false message. These attacks cannot be prevented easily.
 They can be detected with some effort and attempts can be made to recover from them.
These attacks can be in the form of interruption, modification and fabrication.
 In active attacks, the contents of the original message are modified in some way.
 Trying to pose as another entity involves masquerade (interruption) attacks.
 Modification attacks can be classified further into replay attacks and alteration of
messages.
 Fabrication causes Denial Of Service (DOS) attacks.
 This Classification can be shown as follows:

Swetha C M, Assistant Professor, STJIT, Ranebennur 11

Network security Module 1- Attacks on Computer & Computer Security

 Masquerade is caused when an unauthorized entity pretends to be another entity.

 Example: User C might pose as user A and send a message to user B. User B might
be led to believe that the message indeed came from user A. In masquerade attacks,
an entity poses as another entity.
 Example, the attack may involve capturing the user's authentication sequence (e.g.
user ID and password). Later those details can be used to gain illegal access to the
computer system.

 Replay attack is caused when a user captures a sequence of events or some data units
and re-sends them.
 For instance, suppose user A wants to transfer some amount to user C's bank
account.
 Both users A and C have accounts with bank B. User A might send an electronic
message to bank B, requesting for the funds transfer.
 User C could capture this message and send a second copy of the same to bank B.
Bank B would have no idea that this is an unauthorized message and would treat
this as a second and different, funds transfer request from user A.
 Therefore, user C would get the benefit of the funds transfer twice: once authorized,
once through a replay attack.

 Alteration of messages involves some change to the original message.

 For instance, suppose user A sends an electronic message Transfer $100 to D's
account to bank B. User C might capture this and change it to Transfer $1000 to C's
account.
 Both the beneficiary and the amount have been changed - instead, only one of these
could have also caused alteration of the message.

 Denial Of Service (DOS) attacks make an attempt to prevent legitimate users from
accessing some services, which they are eligible for.
 For instance, an unauthorized user might send too many login requests to a server
using random user ids one after the other in quick succession, so as to flood the
network and deny other legitimate users from using the network facilities.

Swetha C M, Assistant Professor, STJIT, Ranebennur 12

Network security Module 1- Attacks on Computer & Computer Security

1.4.3 The Practical Side of Attacks

 The security attacks can happen at the application level or the network level and can be
classified into broad categories : Application-level attacks and Network-level attacks

 Application-level attacks:
These attacks happen at an application level, i.e. the attacker the attempts to access, modify
or prevent access to information of a particular application or the application itself.
Example: Trying to obtain someone’s credit card information on the Internet or changing
the contents of a message to change the amount in a transaction, etc.

 Network-level attacks:
These attacks generally aim at reducing the capabilities of a network by a number of
possible means. These attacks generally make an attempt to either slow down or completely
bring to halt, a computer network.
This can lead to application-level attacks, because once someone is able to gain access to a
network, they can access/modify at least some sensitive information, causing havoc.

1.4.4 PROGRAMS that ATTACK

Programs that attack computer systems to cause some damage or to create confusion are:
 Virus
 Worm
 Trojan Horse
 Applets & ActiveX Controls
 Cookies
 JavaScript VBScript & Jscript

Swetha C M, Assistant Professor, STJIT, Ranebennur 13

Network security Module 1- Attacks on Computer & Computer Security

1) Virus
 Virus can be used to launch an application-level attack or a network level attack virus.
 A virus is a computer program that attaches itself to the legitimate program code and runs
when the legitimate program runs causing damage to the computer system or to the
network.
 It can infect other programs in that computer or programs that are in
other computers but on the same network as shown in figure 1.6.

Figure 1.6 Virus

 In this example, after deleting all the files from the current user's computer, the virus
self-propagates by sending its code to all users whose email addresses are stored in the
current user's address book.
 Viruses can also be triggered by specific events (e.g. a virus could automatically execute
at 12 PM every day). Usually, viruses cause damage to computer and network systems
to the extent that it can be repaired, assuming that the organization deploys good
backup and recovery procedures.

During its lifetime, a virus goes through four phases:

(a) Dormant phase: Here, the virus is idle. It gets activated based on certain action or event
(e.g. the user typing a certain key or certain date or time is reached, etc). This is an
optional phase.
(b) Propagation phase: In this phase, a virus copies itself and each copy starts creating
more copies of self, thus propagating the virus.
(c) Triggering phase: A dormant virus moves into this phase when the action/event for
which it was waiting is initiated.
(d) Execution phase: This is the actual work of the virus, which could be harmless (display
some message on the screen) or destructive (delete a file on the disk).

Swetha C M, Assistant Professor, STJIT, Ranebennur 14

Network security Module 1- Attacks on Computer & Computer Security

Viruses can be classified into the following categories:

(a) Parasitic virus: This is the most common form of viruses. Such a virus attaches itself
to executable files and keeps replicating. Whenever the infected file is executed, the virus
looks for other executable files to attach itself and spread.
(b) Memory-resident virus: This type of virus first attaches itself to an area of the main
memory and then infects every executable program that is executed.
(c) Boot sector virus: This type of virus infects the master boot record of the disk and
spreads on the disk when the operating system starts booting the computer.
(d) Stealth virus: This virus has intelligence built in, which prevents anti-virus software
programs from detecting it.
(e) Polymorphic virus: A virus that keeps changing its signature (i.e. identity) on every
execution, making it very difficult to detect.
(f) Metamorphic virus: In addition to changing its signature like a polymorphic virus, this
type of virus keeps rewriting itself every time, making its detection even harder.
(g) Macro virus. This virus affects specific application software, such as Microsoft Word or
Microsoft Excel. These viruses affect the documents created by users and spread easily
since such documents are very commonly exchanged over email. There is a feature called
as macro these application software programs work, which allows the users to write small
useful utility programs within the documents. Viruses attack these macros and hence the
name macro virus.

2) Worm:
 worm is similar to a virus, but different in implementation. A virus modifies a program
(i.e. it attaches itself to the program under attack) whereas a worm does not modify a
program. Instead, it replicates itself again and again.
 The replication grows so much that the computer or the network on which the worm
resides, becomes very slow, finally coming to a halt.
 The basic purpose of a worm attack is different from that of a virus. A worm attack
attempts to make the computer or the network under attack unusable by eating all its
resources. This is illustrated in figure 1.7
 A worm does not perform down any destructive actions and instead, only consumes
system resources to bring it down.

Swetha C M, Assistant Professor, STJIT, Ranebennur 15

Network security Module 1- Attacks on Computer & Computer Security

Figure 1.7 Worm

3) Trojan Horse

 A Trojan horse is a hidden piece of code, like a virus. The main purpose of a virus is to
make some sort of modifications to the target computer or network whereas a trojan
horse attempts to reveal confidential information to an attacker.
 The name (Trojan horse) is due to the Greek soldiers, who hid inside a large hollow horse,
which was pulled by troy citizens, unaware of its contents. Once the Greek soldiers
entered the city of Troy, they opened the gates for the rest of Greek soldiers.
 In the same way, a Trojan horse could silently sit in the code for a Login screen by
attaching itself to it. When the user enters the user id and password. the Trojan horse
could capture these details and send this information to the attacker without the
knowledge of the user who had entered the id and password.
 A Trojan horse allows an attacker to obtain some confidential information about a
computer or a network. The attacker can then use the user id and password to gain
access to the system. This is shown in figure

Swetha C M, Assistant Professor, STJIT, Ranebennur 16

Network security Module 1- Attacks on Computer & Computer Security

Figure 1.8 Trojan Horse

4) Applets and ActiveX Controls:

 Applets and ActiveX controls were born due to the technological development of the
World Wide Web (www) application of the Internet.
 The Web consists of communication between client and server computers using a
communications protocol called as Hyper Text Transfer Protocol (HTTP).
 The client uses a piece of software called as Web browser. The server runs a program
called as Web server.
 In its simplest form, a browser sends a HTTP request for a Web page to a Web server.
The Web server locates this Web page (actually a computer file) and sends it back to the
Web browser, again using HTTP.
 The Web browser interprets the contents of that file and shows the results on the screen
to the user. This is shown in Fig. 1.9.

Figure 1.9 HTTP connection between client and server

Swetha C M, Assistant Professor, STJIT, Ranebennur 17

Network security Module 1- Attacks on Computer & Computer Security

 Here, the client sends a request for a Web page called as www.yahoo.com/info, which
the server sends back to the client.
 Many Web pages contain small programs that get downloaded onto the client along with
the Web page itself. These programs then execute inside the browser.
 Sun Microsystems provides Java applets for this purpose and Microsoft's technology
makes use of ActiveX controls for the same purpose.
 Both are small programs that get downloaded along with a Web page and then execute
on the client. This is shown in Fig. 1.10.

Figure 1.10 Applet sent back along with a Web page

Here, the server sends an applet along with the Web page to the client.
 Usually, these programs (applets or ActiveX controls) are used to either perform some
processing on the client side or to automatically and periodically request for information
from the web server using a technology called as client pull.
 For instance, a program can get downloaded on to the client along with the Web page
showing the latest stock prices on a stock exchange and then periodically issue HTTP
requests for pulling the updated prices to the Web server.
 To prevent these attacks, Java applets have strong security checks as to what they can
do and what they cannot. ActiveX controls have no such restrictions.
 A number of checks have been in place to ensure that neither applets nor ActiveX
controls can do a lot of damage and even if they somehow manage to do it, it can be
detected.
 Java applets (from Sun Microsystems) and ActiveX controls (from Microsoft Corporation)
are small client-side programs that might cause security problems, if used by attackers
with a malicious intention.

Swetha C M, Assistant Professor, STJIT, Ranebennur 18

Network security Module 1- Attacks on Computer & Computer Security

5) Cookies:
 Cookies were born as a result of a specific characteristic of the Internet. The Internet
uses HTTP protocol, which is stateless.
 Suppose that the client sends an HTTP request for a Web page to the server. The Web
server locates that page on its disk, sends it back to the client and completely forgets
about this interaction!
 If the client wants to continue this interaction, it must identify itself to the server in the
next HTTP request. Otherwise, the server would not know that this same client had sent
a HTTP request earlier.
 Since a typical application is likely to involve a number of interactions between the client
and the server, there must be some mechanism for the client to identify itself to the
server each time it sends an HTTP request to the server.
 For this, cookies are used. Cookies are the most popular mechanism of maintaining the
state information (i.e. identifying a client to a server). A cookie is just one or more pieces
of information stored as text strings in a text file on the disk of the client computer (i.e.
the Web browser).
 Actually, a Web server sends the Web browser a cookie and the browser stores it on the
hard disk of the client computer. The browser then sends a copy of the cookie to the
server during the next HTTP request.
 This is used for identification purposes as shown in Figs 1.11 (a) and 1.11 (b).

Figure 1.11a Creation of cookies

Swetha C M, Assistant Professor, STJIT, Ranebennur 19

Network security Module 1- Attacks on Computer & Computer Security

Figure 1.11b Usage of cookies

This works as follows:

(a) When you interact with a Web site for the first time, the site might want you to register
yourself. Usually, this means that the Web server sends a page to you wherein you have a
form to enter your name, address and other details such as date of birth, interests etc.
(b) When you complete this form and send it to the server with the help of your browser, the
server stores this information into its database. Additionally, it also creates a unique id for
you. It stores this id along with your information in the database (as shown in Fig. 1.11(b))
and also sends the id back to you in the form of a cookie.
(c) The next time you interact with the server, you do not have to enter any information
such as your name and address. Your browser would automatically send your id (i.e. the
cookie) along with the HTTP request for a particular page to the server (as shown in Fig.
1.11b)).
(d) The server now takes this id, tries to find a match in its database and having found it,
knows that you are a registered user. Accordingly, it sends you the next page.

Swetha C M, Assistant Professor, STJIT, Ranebennur 20

Network security Module 1- Attacks on Computer & Computer Security

6) JavaScript, VBScript and JScript

 A Web page is constructed using a special language called as Hyper Text Markup
Language (HTML). It is a tag-based language. A tag begins with the symbol <> and it
ends with </>.
 Between these boundaries of the tags, the actual information to be displayed on the
user's computer is mentioned. As an example, let us consider how the tag pair <B> and
</B> can be used to change the text font to boldface.
 When a browser comes across this portion of a HTML document, it realizes that the
portion of the text embedded within the <b> and </b> tags need to be displayed in
boldface. Therefore, it displays this text in boldface.
 In addition to HTML tags, a Web page can contain client-side scripts. These are small
programs written in scripting languages like JavaScript, VBScript or Jscript, which are
executed inside the Web browser on the client computer.
 For instance, let us assume that a user visits the Web site of an online bookshop.
Suppose that the Web site mandates that the user must place an order for at least three
books. Then, the web page can contain a small JavaScript program, which can ensure
that this condition is met before the user can place the order. Otherwise, the JavaScript
program would not allow the user to proceed. Note that HTML cannot be used for this
purpose, as its sole purpose is to display text on the client computer in a pre-specified
format. To perform dynamic actions, scripts are needed.
 These scripts can be dangerous at times. Since these scripts are small programs, they
can perform a lot of actions on the client’s computer. There are restrictions on the
actions of a scripting program. Incidents of security breaches have been reported,
blaming the scripting languages.

1.4.5 Dealing with viruses

 The detection, identification and removal of viruses’ steps is shown in figure 1.12

Figure 1.12 Virus elimination steps

Swetha C M, Assistant Professor, STJIT, Ranebennur 21

Network security Module 1- Attacks on Computer & Computer Security

 Detection of viruses involves locating the virus, having known that a virus has attacked.
Then we need to identify the specific virus that has attacked. Finally, we need to remove
it. For this we need to remove all traces of the virus and restore the affected
programs/files to their original states. This is done by anti-virus software.
 Anti-virus software is classified into four generations as shown in figure 1.13

4th Generation Full-featured protection

Figure 1.13 Generations of anti-virus software

The key characteristics of the four generations of anti-virus software.

1st generation
 These anti-virus software programs were called as simple scanners. They needed a virus
signature to identify a virus. A variation of such programs kept a watch on the length of
programs and looked for changes so as to possibly identify a virus attack.
2nd generation
 These anti-virus software programs did not rely on simple virus signatures. Rather, they
used heuristic rules to look for possible virus attacks. The idea was to look for code
blocks that were commonly associated with viruses. Another variation of these anti-virus
programs used to store some identification about the file (e.g. a message digest) to detect
changes in the contents of the file.
3rd generation
 These anti-virus software programs were memory resident. They watched for viruses
based on actions, rather than their structure. Thus, it is not necessary to maintain a
large database of virus signatures. Instead, the focus is to keep watch on a small number
of suspect actions.
4th generation
 These anti-virus software programs package many anti-virus techniques together ( e.g.
scanners, activity monitoring). They also contain access control features, thus attempts
of viruses to infect files.

Swetha C M, Assistant Professor, STJIT, Ranebennur 22

Network security Module 1- Attacks on Computer & Computer Security

 There is a category of software called as behavior-blocking software, which integrates

with the operating system of the computer and keeps a watch on virus-like behavior in
real time.
 Whenever such an action is detected, this software blocks it, preventing damages. The
actions under watch can be:
 Opening , viewing , modifying , deleting files
 Network communications
 Modification of settings such as start-up scripts
 Attempt to format disks
 Modification of executable files
 Scripting of email and instant messaging to send executable content to others

The main advantage of such software programs is that they are more into virus prevention
than virus detection. In other words, they stop viruses before they can do any damage,
rather than detecting them after an attack.

1.4.6 JAVA Security

 Java was designed in such a way that Java programs are considered safe as they cannot
install, execute or propagate viruses and because the program itself cannot perform any
action that is harmful to the user's computer.
 One of the key attributes of Java is the ability to download Java programs over a network
and execute these programs on a different computer within the context of a Java-enabled
browser.
 Different developers were attracted to Java with different expectations. As a result , they
brought different ideas about Java security. If we put Java to be free from introducing
viruses, any release of Java should satisfy our requirements.
 However, if functionalities such as digital signatures, authentication and encryption are
required in the least release 1.1 of Java must be used.

 The Java Sandbox

 Java’s security model is closely associated with the idea of a sandbox model. A sandbox
model allows a program to be hosted and executed, but there are some restrictions in
place.
 The developer/end user may decide to give the program access to certain resources.
However, in general, they want to make sure that the program is confined to its sandbox.
The overall execution of a java program on the Internet is as shown in Fig 1.14.

Swetha C M, Assistant Professor, STJIT, Ranebennur 23

Network security Module 1- Attacks on Computer & Computer Security

Figure 1.14 Steps in execution of a Java program on the Internet

 The chief job of the Java sandbox is to protect a number of resources and it performs
this task so at a number of levels.
 A sandbox in which program can access the CPU, the screen, the keyboard and
mouse and its own memory. This is the basic sandbox. It contains just enough
resources for a program to execute.
 A sandbox in which a program can access the CPU and its memory as well as access
the Web server from which it was downloaded. This is often considered as the
default state for the sandbox.
 A sandbox in which program can access the CPU, its memory, its Web server and
to a set of resources (files, computers, etc.) that are local.
 An open sandbox, in which the program can access whatever resources the host
machine can.
 Java Application Security
 The broad level aspects of Java security and their relation to each other.
 The bytecode verifier: The bytecode verifier ensures that Java class files obey the rules
of the Java programming language. The bytecode verifier ensures memory protection for
all Java programs. However, not all files are required to go through byte code verification.

Swetha C M, Assistant Professor, STJIT, Ranebennur 24

Network security Module 1- Attacks on Computer & Computer Security

 The class loader: Class loaders load classes that are located in Java's default path
(called as CLASSPATH). In Java 1.2, the class loaders also take up the job of loading
classes that are not found in the CLASSPATH.
 The access controller: In Java 1.2, the access controller allows (or prevents) access
from the core JAVA API to the operating system.
 he security manager: The security manager is the chief interface between the core
Java API and the operating system. It has the ultimate responsibility for allowing or
disallowing access to all the operating system resources. The security manager uses the
access controller for many of these decisions.
 The security package: The security package (that is, classes in the java.security
package) helps in authenticating signed Java classes.
 The key database: The key database is a set of keys used by the security manager and
access Controller to validate the digital signature that comes along with a signed class
file.

 Built-in Java Application Security

 From version 1.2, the Java platform itself comes with a Security model built for the
applications it runs. Here, the classes that are found in the CLASSPATH may have to go
through a security check. This allows running of the application code in a sandbox
defined by a user or an administrator. The following points are important:
 Access methods are strictly adhered to
 A program cannot access arbitrary memory location
 Entities that are declared as final must not be changed
 Variables may not be used before they are initialized
 Array bounds must be checked during all array accesses
 Objects cannot arbitrarily cast into other object type

Swetha C M, Assistant Professor, STJIT, Ranebennur 25

Network security Module 1- Attacks on Computer & Computer Security

1.4.7 Specific Attacks

1) Sniffing and Spoofing :
 On the Internet, computers exchange messages with each other in the form of small
blocks of data, called as packets. A packet, like a postal envelope that contains the actual
data to be sent and the addressing information.
 Attackers target these packets, as they travel from the source computer to the
destination computer over the Internet. These attacks take two main forms:
(a) Packet sniffing (also called as snooping) and (b) Packet spoofing.
 Since the protocol used in this communication is called as Internet Protocol (IP), other
names for these two attacks are: (a) IP sniffing and (b) IP spoofing.

a) Packet sniffing:
 Packet sniffing is a passive attack on an ongoing conversation. An attacker need not
hijack a conversation, but instead, can just observe (i.e. snif) packets as they pass by.
 To prevent an attacker from sniffing packets, the information that is passing needs to
be protected in some ways. This can be done at two levels:
(i) The data that is traveling can be encoded in some way or
(ii) The transmission link itself can be encoded.
 To read a packet, the attacker needs to access it. The simplest way to do this is to control
a computer through which the traffic goes. Usually, this is a router. However, routers
are highly protected resources. Therefore, an attacker might not be able to attack it and
instead, attack a less protected computer on the same path.
b) Packet spoofing:
 In this technique, an attacker sends packets with a false source address. When this
happens, the receiver (i.e. the party who receives these packets containing false address)
would inadvertently send replies back to this forged address (called as spoofed address).
This can lead to three possible cases:
i) The attacker can intercept the reply - If the attacker is between the destination
and the forged source, the attacker can see the reply and use that information for
hijacking attacks.
ii) The attacker need not see the reply - If the attacker's intention was a Denial Of
Service (DOS) attack, the attacker need not bother about the reply.
iii) The attacker does not want the reply- The attacker could simply be angry with the
host, so it may put that host's address as the forged source address and send the
packet to the destination. The attacker does not want a reply from the destination,
as it wants the host with the forged address to receive it and get confused.

2) Phishing :
Swetha C M, Assistant Professor, STJIT, Ranebennur 26
Network security Module 1- Attacks on Computer & Computer Security

 In Phishing , attackers set up fake Web sites, which look like real Web sites. It is simple
to create Web pages as it involves simple technologies such as HTML, JavaScript, CSS
(Cascading Style Sheets), etc. Learning and using these technologies is quite simple.
Phishing works as follows.
 The attacker decides to create his own Web site, which looks very identical to a real Web
site. For example, the attacker can clone Citibank's Web site. The cloning is so clever
that human eye will not be able to distinguish between the real (Citibank's) and fake
(attacker's) sites now.
 The attacker sends an email to the legitimate customers of the bank. The email itself
appears to come from the bank. For ensuring this, the attacker exploits the email system
to suggest that the sender of the email is some bank official (e.g.
[email protected]).
 This fake email warns the user that there has been some sort of attack on the Citibank's
computer systems and that the bank wants to issue new passwords to all its customers
or verify their existing PINs, etc. For this purpose, the customer is asked to visit a URL
mentioned in the same email.
 When the customer (i.e. the victim) innocently clicks on the URL specified in the email,
she is taken to the attacker's site and not the bank's original site. There, the customer
is prompted to enter confidential information, such as her password or PIN.
 Since the attacker's fake site looks exactly like the original bank site, the customer
provides this information. The attacker gladly accepts this information and displays a
Thank you to the unsuspecting victim. In the meanwhile, the attacker now uses the
victim's password or PIN to access the bank's real site and can perform any transaction
as if he/she is the victim!

3) Pharming (DNS Spoofing):

 This attack was earlier known as DNS spoofing or DNS poisoning is now called as
pharming attack.
 With the Domain Name System (DNS), people can identify Web sites with human-
readable names (such as www.yahoo.com) and computers can continue to treat them as
IP addresses (such as 120.10.81.67).
 For this, a special server computer called as a DNS server maintains the mappings
between domain names and the corresponding IP addresses. The DNS server could be
located anywhere. Usually, it is with the Internet Service Provider (ISP) of the users.
Example: The DNS spoofing attack works as follows.
 Suppose that there is a merchant (Bob), whose site's domainname is www.bob.com and the
IP address is 100.10.10.20. Therefore, the DNS entry forBob in all the DNS servers is
maintained as follows: www.bob.com 100.10.10.20

Swetha C M, Assistant Professor, STJIT, Ranebennur 27

Network security Module 1- Attacks on Computer & Computer Security

 The attacker (Trudy) manages to hack and replace the IP address of Bob with his own
(say 100.20.20.20) in the DNS server maintained by the ISP of a user(say Alice).
Therefore, the DNS server maintained by the ISP of Alice now has the following entry:
www.bob.com 100.20.20.20
 Thus, the contents of the hypothetical DNS table maintained by the ISP would be
changed. A hypothetical portion of this table (before and after the attack) is shown in
Figure below.

 When Alice wants to communicate with Bob's site, her Web browser queries the DNS
server maintained by her ISP for Bob's IP address, providing it the domain name (i.e.
www.bob.com). Alice gets the replaced (i.e. Trudy's) IP address, which is 100.20.20.20.
 Now, Alice starts communicating with Trudy, believing that she is communicating with
Bob! Such attacks of DNS spoofing are quite common and cause a lot of havoc.

Swetha C M, Assistant Professor, STJIT, Ranebennur 28