Computer Security (Chapter-2)

The document discusses different types of malicious programs and computer threats including viruses, worms, trojans, spyware, and ransomware. It explains how they work and affect systems. Countermeasures to detect, prevent, and mitigate malware are also covered such as antivirus software, firewalls, patch management, and user education.

Uploaded by Abenezer Tesfaye

Chapter Two

Computer Threat
Chapter objectives
 Upon completion of this chapter you should be able to:
 Understand what malicious programs are and how they affect the system.
 Know the different classes of attack, such as Access, Reconnaissance and DoS.
 Understand issues related to program security and controls against program flaws in execution.
 Describe security requirements and techniques for database security.

1/30/2024 Compiled by: Naol G. (MSc.) 2


2.1. Malicious Code

 Malicious code / malware refers to a type of software that is written to intentionally cause undesirable effects.
 Malware can do anything that a normal program can do (it depends on its intent):
 open/close/modify files or data, and interact with the OS.
 They can do damage:
 encrypt data (ransomware), steal information (spyware), harm the system (viruses, worms).
 The ways malware can get into a system include:
 downloading free games/applications from untrusted websites.
 clicking on ads placed by scammers on websites you visit.
 phishing emails that trick you into clicking on a link or opening an attachment, etc.

Malicious Code
 Ways to recognize that our system is affected by malware:
 The system suddenly slows down or crashes.
 Anti-malware tools may alert you of an infection during scans.
 The device runs out of battery more quickly than it should, etc.
 Motives for creating malicious code can include:
 seeking profit (e.g., with ransomware)
 desire to send a political message
 personal amusement
 to demonstrate that a vulnerability exists in software, or to deny service.



Malicious Code…
 We can classify malware with respect to those that:
 need a host program (viruses, trojan horses).
 are independent, self-contained programs (worms, trojan horses).
 do not replicate (trojan horses).
 do replicate (viruses and worms).
 Viruses: a virus is a type of malicious software that is intentionally designed to infect a computer system, with the ability to replicate and spread to other computers.
 Computer viruses typically require a host program to carry out their malicious activities.
 A host program is a legitimate application or file that the virus attaches itself to.

Malicious Code (Virus Phases)

 Computer viruses typically go through several phases as they infect and spread through computer systems.

Malicious Code (Virus Phases)…
1. Dormant phase
 In this phase, the virus is inactive and does not cause any harm.
 It stays idle, placing itself within the target system and waiting to be activated.
2. Propagation phase
 The virus begins to place an identical copy of itself (replicate) into other programs or into certain system areas on the disk.
 Each infected program will now contain a clone of the virus.

Malicious Code (Virus Phases)…

3. Triggering phase
 This is the point at which the virus is activated and begins its intended malicious activities.
 The activation can be triggered by specific events, conditions, or actions, such as the execution of a program or the opening of a file.
4. Execution phase
 This is the actual work of the virus, where the payload is released.
 It can be destructive, such as deleting files, crashing the system, or corrupting files.
 It can be harmless, such as popping up joke or political messages on screen.

Malicious Code (Types of Virus)
 Boot Sector Virus
 It infects the boot sector of floppy disks or the Master Boot Record (MBR) of hard disks.
 The boot sector comprises all the files which are required to start the OS.
 It either overwrites the existing program or copies itself to another part of the disk.
 The Brain virus is a classic example, discovered in 1986 and targeting IBM PCs.
 Macro Virus
 A virus that is written in a macro language, which is embedded inside a software application (e.g., word processors and spreadsheet applications).
 Infection starts when a word processor or spreadsheet file is opened.
 The main source of such viruses is email (Melissa virus, 1999).



Malicious Code (Types of Virus)…

 Polymorphic Virus
 It is a complicated computer virus that can adapt to different defenses.
 To prevent detection, it constantly changes versions of itself while retaining the same program after each infection. It uses a mutation engine to encrypt and decrypt its code.
 The Chameleon virus was the first polymorphic virus, in the early 1990s.
 Multipartite Virus
 It can attack both the boot sector and executable files.
 A well-known example is the Invader virus, which was discovered in the late 1990s.



Malicious Code…
 Worms: similar to viruses, but they can independently spread without a host program.
 They reproduce by copying themselves from one computer to another (usually through networks).
 They often create denial of service.
 Morris Worm
 Released by Robert Morris in 1988; it attacked UNIX systems.



Malicious Code…
 Trojan Horse:
 Named after the ancient Greek tale of the city of Troy and the wooden horse which was full of soldiers.
 A superficially attractive program with hidden side-effects.
 E.g., a game, a software upgrade, etc.
 When run, it performs some additional tasks.
 Allows the attacker to indirectly gain access.
 The program does what the user expects, but it does more, unnoticed by the user.



Malicious Code…
 Spyware:
 aims to gather information about a person or organization and send it to a third party in a way that harms the user by violating their privacy or endangering their device's security.
 It is frequently associated with advertising.
 Examples
 Cookies: any data that the cookie saves can be retrieved by any website, so your entire Internet browsing history can be tracked.
 Key loggers: a key logger is a program that records every keystroke made by the user, to gain access to confidential information.
 Legal uses of spyware
 Managers may use spyware as a means of monitoring employee use of company technology.
 Parents may use this type of software on their home computer to monitor the activities of their children on the Internet, to protect their children from online predators.



Malicious Code…
 Ransomware:
 is a type of malware that infects a computer and restricts a user's access to the infected computer.
 This type of malware attempts to extort money from victims by displaying an on-screen alert.
 These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access.
 Example: WannaCry, 2017



Malware Countermeasure Approaches
 Some common malware countermeasure approaches to detect, prevent, and mitigate the impact of malicious software include:
 Anti-malware software:
 antivirus programs, anti-spyware tools and anti-ransomware software.
 Firewalls:
 to monitor and control incoming and outgoing network traffic.



Malware Countermeasure Approaches…
 Patch Management:
 Ensure that OSs and applications are regularly updated.
 User Education and awareness:
 Providing training and awareness programs to educate users.



2.2. Classes of Attack
 Any number of motives could inspire an attacker; three motives that are popular are
◦ financial gain, political motives and gathering intelligence.
 The 3 classes of attack that are commonly found in today's network environment:
1. Access attacks
2. Reconnaissance attacks
3. Denial of service (DoS) attacks
 Each class has various more-specific subcategories of attack methods.



Classes of Attack (Access Attacks)
 An access attack is an attempt to access another user's account or a network device through improper means.
 These attacks are often aimed at stealing data, obtaining user credentials, or elevating privileges within the system.
 The three types of access attacks are:
a) password attacks
b) port redirection and
c) man-in-the-middle attacks



Classes of Attack (Access Attacks…)
a) Password Attacks
◦ The attacker attempts to crack a user's password using techniques like
 brute force (trying all possible combinations) or phishing (tricking users into revealing their passwords).
◦ Note that many instances of attempted and/or successful password attacks have come from internal employees.
◦ To prevent password attacks:
 Changing passwords frequently is recommended.
 Change passwords every time an employee leaves the company.
 Encrypting passwords is important (e.g., on Cisco equipment).
 Enforce a strong password policy.
 Use two- or multi-factor authentication (e.g., biometrics).



Classes of Attack (Access Attacks…)
b) Port redirection attacks
◦ Also known as a port forwarding attack; it occurs when an attacker gains unauthorized access to a network's router/firewall and sets up port forwarding rules to redirect traffic from specific external ports to internal devices.
◦ Mitigation: firewall, IDPS, security audits, etc.
c) Man-in-the-Middle Attacks
◦ This attack happens when a hacker eavesdrops or listens for network traffic and intercepts a data transmission.
◦ The hacker can also take over the communication and reformat the packets to send.
◦ A proper data encryption protocol makes the captured data useless.



Classes of Attack (Reconnaissance Attack)
 A reconnaissance attack is a kind of attack in which an attacker does a primary survey or probing to gather information that will help in a future attack.
 Information that can be compiled during this attack includes:
 Ports open on a server (ftp, http, etc.).
 IP addresses on the host network.
 Hostnames associated with the IP addresses.
 The three common tools used for reconnaissance attacks are:
1. Packet sniffers (also known as network monitors)
2. Ping sweeps
3. Port scans



Classes of Attack (Reconnaissance Attacks…)
1. Packet Sniffers
 A packet sniffer may also be called a network analyzer or packet analyzer.
 It is a method of detecting and assessing packet data sent over a network.
 A common software program available today is Wireshark, formerly known as Ethereal.
 Note that sniffer programs are two-edged!
 Attackers use them for eavesdropping.
 Defenders use them for defense purposes: intrusion detection.



Classes of Attack (Reconnaissance Attacks…)
2. Ping Sweeps
 Also known as an ICMP sweep; used by attackers to discover and map out active hosts within a target network.
 The attack involves sending a series of ICMP echo requests (ping) to a range of IP addresses to determine which hosts are reachable and responsive. Tools: Nmap, Zenmap.
3. Port Scans
 A method used by attackers to identify open ports and services on a target system or network.
 The program can be used by a company to audit a network as well as by a hacker for malicious intent.
 Tools: Nmap, Zenmap.
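Since the slides note that sniffers serve defenders for intrusion detection, here is an added example (not code from the slides) of the defender's view of the two reconnaissance techniques above: a small C detector that reads constructed firewall-style log lines and flags a source that touches many distinct TCP ports (port scan) or sends ICMP echo requests to many distinct hosts (ping sweep). The log format, the thresholds SCAN_PORTS and SWEEP_HOSTS, and all addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Thresholds are assumptions for this example, not values from the slides. */
#define SCAN_PORTS  5    /* distinct TCP ports from one source  => port scan  */
#define SWEEP_HOSTS 4    /* distinct hosts pinged by one source => ping sweep */
#define MAX_SRC  16
#define MAX_SET  64
#define ADDR_LEN 16      /* "255.255.255.255" plus NUL */

struct src_stats {
    char src[ADDR_LEN];
    int  ports[MAX_SET];           int nports;  /* distinct TCP destination ports   */
    char hosts[MAX_SET][ADDR_LEN]; int nhosts;  /* distinct hosts sent an ICMP echo */
};
struct tracker { struct src_stats s[MAX_SRC]; int n; };

static struct src_stats *lookup(struct tracker *t, const char *src) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->s[i].src, src) == 0) return &t->s[i];
    return NULL;
}

/* Find or create the per-source record; NULL when the table is full. */
static struct src_stats *get_src(struct tracker *t, const char *src) {
    struct src_stats *s = lookup(t, src);
    if (s || t->n == MAX_SRC) return s;
    s = &t->s[t->n++];
    memset(s, 0, sizeof *s);
    snprintf(s->src, ADDR_LEN, "%s", src);
    return s;
}

static void add_port(struct src_stats *s, int port) {
    for (int i = 0; i < s->nports; i++) if (s->ports[i] == port) return;
    if (s->nports < MAX_SET) s->ports[s->nports++] = port;
}

static void add_host(struct src_stats *s, const char *host) {
    for (int i = 0; i < s->nhosts; i++) if (strcmp(s->hosts[i], host) == 0) return;
    if (s->nhosts < MAX_SET) snprintf(s->hosts[s->nhosts++], ADDR_LEN, "%s", host);
}

/* Parse one line of the constructed log format
   "src=A dst=B proto=tcp dport=N" or "src=A dst=B proto=icmp" and update the
   per-source counters. Returns false for a line that does not match. */
bool ingest(struct tracker *t, const char *line) {
    char src[ADDR_LEN], dst[ADDR_LEN], proto[8];
    int dport = -1;
    int n = sscanf(line, "src=%15s dst=%15s proto=%7s dport=%d", src, dst, proto, &dport);
    if (n < 3) return false;
    struct src_stats *s = get_src(t, src);
    if (!s) return false;
    if (n == 4 && strcmp(proto, "tcp") == 0) add_port(s, dport);
    if (strcmp(proto, "icmp") == 0) add_host(s, dst);
    return true;
}

bool is_port_scan(struct tracker *t, const char *src) {
    struct src_stats *s = lookup(t, src);
    return s && s->nports >= SCAN_PORTS;
}

bool is_ping_sweep(struct tracker *t, const char *src) {
    struct src_stats *s = lookup(t, src);
    return s && s->nhosts >= SWEEP_HOSTS;
}

/* Constructed sample log: one port-scanning source (10.0.0.5), one ping-sweeping
   source (10.0.0.9) and one ordinary HTTPS client (10.0.0.7). */
static const char *SAMPLE_LOG[] = {
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=21",
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=22",
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=23",
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=25",
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=80",
    "src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=443",
    "src=10.0.0.9 dst=192.168.1.1 proto=icmp",
    "src=10.0.0.9 dst=192.168.1.2 proto=icmp",
    "src=10.0.0.9 dst=192.168.1.3 proto=icmp",
    "src=10.0.0.9 dst=192.168.1.4 proto=icmp",
    "src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=443",
    "src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=443",
};
#define SAMPLE_LINES (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Run the sample log through an empty tracker; returns the number of lines accepted. */
int analyze_sample(struct tracker *t) {
    int ok = 0;
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < SAMPLE_LINES; i++) ok += ingest(t, SAMPLE_LOG[i]);
    return ok;
}

int main(void) {
    struct tracker t;
    analyze_sample(&t);
    for (int i = 0; i < t.n; i++)
        printf("%-10s tcp_ports=%d icmp_hosts=%d%s%s\n", t.s[i].src, t.s[i].nports, t.s[i].nhosts,
               is_port_scan(&t, t.s[i].src) ? "  PORT-SCAN" : "",
               is_ping_sweep(&t, t.s[i].src) ? "  PING-SWEEP" : "");
    return 0;
}
```

The detector counts distinct ports and hosts rather than raw packets, which is what separates a scan from a busy but normal client (10.0.0.7 repeats the same port and is not flagged). A production IDS would add a time window and per-destination counting; this example keeps only the core idea.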



Classes of Attack (Denial of Service Attacks)
 DoS attacks are implemented as a means of denying a service that is normally available to a user or organization.
 E.g., users might be denied access to email as the result of a successful DoS attack.
 A current example of a DoS attack is a teardrop, which can cause a system to crash by running the CPU up to 100%.
 DoS can also be in the form of
 Distributed DoS (DDoS) attack
 TCP SYN attack



Classes of Attack (DoS Attacks…)
 Distributed DoS (DDoS) attack:
 With distributed DoS, multiple systems are compromised to send a DoS attack to a specific target.
 The compromised systems are commonly called zombies or slaves.
 As a result of the attack, the targeted system denies service to valid users.



Classes of Attack (DoS Attacks…)
 TCP SYN attack:
 It is a type of DoS attack that targets the TCP three-way handshake process used to establish a connection between a client and a server.
 The three-way handshake process:
 begins when a client sends a SYN packet to the server to initiate a connection;
 the server then responds with a SYN-ACK packet, and
 the client sends an ACK packet to complete the handshake and establish the connection.
 In this attack, the attacker sends a large number of SYN packets to the target server,
 but does not respond to the SYN-ACK packets sent by the server.
 This causes
 the server to keep the half-open connections open and
 wait for the final ACK packet from the client,
 tying up resources and preventing legitimate clients from establishing connections.
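The handshake and the half-open queue described above, modelled in C as an added example (not code from the slides). The server keeps a fixed-size SYN queue; a SYN that is never followed by an ACK occupies a slot until a timeout abandons it. BACKLOG, SYN_TIMEOUT, the addresses and the timeline are assumed values chosen to make the effect visible; no packets are sent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed parameters for the model (not from the slides): a tiny backlog so the
   effect is visible, and a timeout after which an unanswered SYN-ACK is abandoned. */
#define BACKLOG     4
#define SYN_TIMEOUT 3   /* seconds */

struct half_open {
    uint32_t client;    /* client address (IPv4 as a 32-bit number) */
    uint32_t since;     /* time at which the SYN-ACK was sent        */
    bool     used;
};

struct listener {
    struct half_open q[BACKLOG];    /* SYN queue: connections awaiting the final ACK */
    unsigned established;           /* handshakes that completed                       */
    unsigned refused;               /* SYNs dropped because the queue was full         */
};

void listener_init(struct listener *l) { memset(l, 0, sizeof *l); }

/* Abandon half-open entries whose SYN-ACK has gone unanswered for SYN_TIMEOUT.
   Without this step a flood of unanswered SYNs would occupy the queue forever. */
void listener_expire(struct listener *l, uint32_t now) {
    for (int i = 0; i < BACKLOG; i++)
        if (l->q[i].used && now - l->q[i].since >= SYN_TIMEOUT) l->q[i].used = false;
}

/* Steps 1 and 2 of the handshake: a SYN arrives, the server answers SYN-ACK and
   records the half-open connection. Returns false when the queue is full, i.e.
   the client gets no SYN-ACK and cannot connect. */
bool on_syn(struct listener *l, uint32_t client, uint32_t now) {
    listener_expire(l, now);
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->q[i].used) {
            l->q[i] = (struct half_open){ client, now, true };
            return true;
        }
    }
    l->refused++;
    return false;
}

/* Step 3: the client's ACK completes the handshake and frees the queue slot. */
bool on_ack(struct listener *l, uint32_t client) {
    for (int i = 0; i < BACKLOG; i++) {
        if (l->q[i].used && l->q[i].client == client) {
            l->q[i].used = false;
            l->established++;
            return true;
        }
    }
    return false;   /* no matching half-open connection (expired or never existed) */
}

/* Scenario: BACKLOG SYNs arrive at t=0 and are never acknowledged; a legitimate
   client tries at t=1 and again at t=SYN_TIMEOUT. Returns the number of
   established connections at the end (1 when the timeout let the client in). */
unsigned run_scenario(struct listener *l) {
    const uint32_t legit = 0xC0A80101u;                  /* constructed: 192.168.1.1 */
    listener_init(l);
    for (uint32_t c = 1; c <= BACKLOG; c++)
        on_syn(l, 0x0A000000u + c, 0);                    /* sources that never ACK */
    bool first_try  = on_syn(l, legit, 1);                /* queue full: refused    */
    bool second_try = on_syn(l, legit, SYN_TIMEOUT);      /* stale entries expired  */
    if (second_try) on_ack(l, legit);
    printf("t=1 refused=%d  t=%d accepted=%d  established=%u  refused_total=%u\n",
           !first_try, SYN_TIMEOUT, second_try, l->established, l->refused);
    return l->established;
}

int main(void) { struct listener l; run_scenario(&l); return 0; }
```

With SYN_TIMEOUT removed (or set very large), the legitimate client would never get a slot back: that is the resource exhaustion the slide describes. Real TCP stacks go further than this model; Linux, for instance, switches to SYN cookies when the queue fills, which is beyond what the slides cover.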



2.3. Program flaws
• Program security is an indication of some degree of trust that the program enforces the expected security properties, like:
• confidentiality, integrity and availability, etc.
• An assessment of security can be influenced by someone's perspective on software quality:
• It is secure if it takes too long to break through its security controls.
• It is secure if it has run for a period of time with no apparent failures.
• Any code that potentially meets the security requirements is regarded as secure.



Program flaws…
• Challenges in Program Security
• Security often conflicts with usefulness and performance.
• Programming and software development techniques change faster than security techniques.
• A single flaw can be catastrophic.
• Aims of Program Security
• To produce trusted software, i.e. software whose code has been carefully developed and analyzed.



Program flaws…
 A program security flaw is an undesired program behavior caused by a program vulnerability.
 They are mostly unintentional errors in the program's design or implementation that can lead to unexpected behavior, crashes or incorrect results.
 These flaws can include things like logic errors, race conditions, and memory leaks. Those discussed here are:
 Buffer overflow errors
 Incomplete mediation errors
 Time-of-check to time-of-use (TOCTOU) errors



Program flaws (Buffer Overflows errors)
 A buffer overflow error is a type of software vulnerability where a program writes more data to a buffer than it can hold.
 It is similar to the analogy of "trying to pour 2 liters of water into a 1 liter bottle."
 A buffer is a space in which data can be held, and it exists in memory.
 Because memory is finite, a buffer's capacity is finite too.
 So the programmer must declare the buffer's maximum size.
 Then the compiler can set aside that amount of space.



Program flaws (Buffer Overflows… Example)
 Imagine a web application that accepts user input for a search function.
 The application uses a buffer to store the user input before processing the search query.
 If the application does not properly validate the size of the input, it could lead to a buffer overflow vulnerability.
 Cause: improper memory management within the application (no input size check).
 Effect: it can lead to corruption of adjacent memory, an application crash, or execution of arbitrary code.
 Security implications: attackers can gain unauthorized access to the system, execute arbitrary code, modify data, or even take control of the entire system.
 Mitigation:
 Use bounded functions like strncpy() instead of unsafe functions like strcpy() for input validation.
 Use compiler and code analysis tools that detect the vulnerabilities during the development phase.
 Use exception handling mechanisms.
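The search-box scenario above, written out in C as an added example (the code is not from the slides). `store_query_unchecked()` is the flawed pattern: strcpy() trusts the input to fit. `store_query_checked()` checks the length against the real buffer size and refuses oversize input, and `copy_truncating()` shows the caveat with the strncpy() the slide recommends: if the source is at least as long as the buffer, strncpy() writes no terminating NUL, so the wrapper terminates the string itself and reports truncation. QUERY_MAX and the sample inputs are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define QUERY_MAX 16    /* assumed buffer size for the search query */

/* 'Before' (the flaw from the slides): strcpy() writes strlen(src)+1 bytes no matter
   how large dst is, so input longer than QUERY_MAX-1 characters overruns the buffer.
   Kept only for contrast; never call it with untrusted input. */
void store_query_unchecked(char dst[QUERY_MAX], const char *src) {
    strcpy(dst, src);
}

/* 'After': check the length against the real buffer size first and reject input that
   does not fit (including the terminating NUL). Returns the copied length or -1. */
int store_query_checked(char *dst, size_t dstsize, const char *src) {
    size_t len = strlen(src);
    if (dstsize == 0 || len >= dstsize) return -1;   /* would overflow: refuse */
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* The strncpy() the slides recommend has a caveat: when src has dstsize or more
   characters it fills dst completely and writes no terminating NUL. This wrapper
   always terminates and reports truncation (1) so the caller can act on it. */
int copy_truncating(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return -1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize ? 1 : 0;
}

int main(void) {
    char query[QUERY_MAX];
    /* constructed inputs: one that fits, one that would have overflowed strcpy() */
    const char *inputs[] = { "firewall", "this-search-string-is-far-too-long" };
    for (size_t i = 0; i < 2; i++) {
        int n = store_query_checked(query, sizeof query, inputs[i]);
        if (n < 0) printf("rejected (%zu bytes, limit %d): %s\n", strlen(inputs[i]), QUERY_MAX - 1, inputs[i]);
        else       printf("stored (%d bytes): %s\n", n, query);
    }
    return 0;
}
```

Rejecting is usually the better choice for a search query than silently truncating: a truncated query changes meaning without telling the user, whereas an explicit error is both safer and easier to debug.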
Program flaws /Incomplete mediation errors

 Incomplete mediation is an error that occurs when the application accepts incorrect data from the user and fails to validate it.
 Users sometimes mistype data in web forms:
◦ Phone number: 5199885438457867
◦ Email: iang#cs.uwaterloo.ca
 The web application needs to ensure that what the user has entered constitutes a meaningful request.



Program flaws /Incomplete mediation…
Client-side mediation
 You've probably visited web sites with forms that do client-side mediation.
o When you click "submit", JavaScript code will first run validation checks on the data you entered.
o If you enter invalid data, a popup will prevent you from submitting it.
Problem: what if the user
o turns off JavaScript?
o edits the form before submitting it?
Example: URL generated by the client's browser during an online purchase.
Instead, the user edits the URL directly, changing the price and total cost as below:
The user sends the forged URL to the server.
The server takes 25 as the total cost, but it was 205.
Program flaws /Incomplete mediation…
 Defenses against incomplete mediation
 Client-side mediation is an OK method to use in order to have a friendlier user interface, but it is useless for security purposes.
 You have to do server-side mediation, whether or not you also do client-side mediation.
 For values entered by the user:
o Always do very careful checks on the values of all fields.
 For state stored by the client:
o Make sure the client has not modified the data in any way.
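Server-side mediation of the purchase URL discussed above, as an added C example (not code from the slides). The server takes only the item id and quantity from the query string, validates both strictly, and recomputes the price and total from its own catalog; a price=25&total=25 edited into the URL is simply ignored, so the server arrives at 205. The catalog, QTY_MAX, the query-string format and the tiny parser are assumptions for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed server-side catalog: the only source of truth for prices. */
struct item { long id; long unit_price; };
static const struct item CATALOG[] = { { 1, 205 }, { 2, 50 } };
#define NITEMS (sizeof CATALOG / sizeof CATALOG[0])
#define QTY_MAX 100     /* assumed business limit per order line */

/* Look up key in a query string "k1=v1&k2=v2..." and copy its value into out.
   Returns 1 when found and it fits; 0 otherwise (absent or oversize). */
static int query_get(const char *query, const char *key, char *out, size_t outsize) {
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            if (vlen >= outsize) return 0;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return 0;
}

/* Strict integer parse: the whole string must be a number within [lo, hi]. */
static int parse_long(const char *s, long lo, long hi, long *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < lo || v > hi) return 0;
    *out = v;
    return 1;
}

static long catalog_price(long id) {
    for (size_t i = 0; i < NITEMS; i++)
        if (CATALOG[i].id == id) return CATALOG[i].unit_price;
    return -1;
}

/* Server-side mediation of a purchase request. Only item and qty are taken from the
   client, and both are validated; price and total are recomputed from the catalog,
   so any price= or total= field sent by the client has no effect. Returns -1 on
   any invalid or missing field. */
long server_total(const char *query) {
    char buf[32];
    long id, qty;
    if (!query_get(query, "item", buf, sizeof buf) || !parse_long(buf, 1, LONG_MAX, &id)) return -1;
    if (!query_get(query, "qty",  buf, sizeof buf) || !parse_long(buf, 1, QTY_MAX, &qty))  return -1;
    long price = catalog_price(id);
    if (price < 0) return -1;
    return price * qty;     /* qty <= QTY_MAX keeps this well within long range */
}

int main(void) {
    /* Constructed: the request as the slides describe it, with the price edited in the URL. */
    const char *forged = "item=1&qty=1&price=25&total=25";
    printf("client claims total=25, server computes %ld\n", server_total(forged));
    return 0;
}
```

The same rule covers the slide's second point about client-held state: anything the browser sends back (price, total, a hidden form field) is treated as a claim to be re-derived or verified on the server, never as a fact.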



Program flaws /Time-of-Check-to-Time-of-Use (TOCTOU)
 TOCTOU errors refer to software vulnerabilities that occur when a system's state changes between the time a check is performed and the time the result of that check is used.
 Cause:
 The errors arise in situations where a system checks a condition at one point in time and then uses the result of that check at a later time.
 During the time between the check and the use, the condition or resource may have changed, leading to unexpected behavior.
 Effect:
 TOCTOU errors can lead to security issues like privilege escalation and data integrity issues.



Program flaws /TOCTOU…
 For example,
 In a file system, a program checks whether a file exists and then, based on that check, decides to perform an operation on the file.
 However, between the check and the operation, the file can be deleted or modified by another process, leading to unintended consequences.
 A symbolic link is a file that serves as a reference to another file or directory.
 The attacker makes a symbolic link: logfile -> file she owns
 Between the "check" and the "open", she changes it: logfile -> /etc/passwd
 Security implications:
 An attacker might exploit a TOCTOU vulnerability to gain elevated privileges, bypass access controls, or manipulate sensitive data.



Program flaws /TOCTOU…

Defenses against TOCTOU errors
 Developers should use techniques such as atomic operations and file locking.
 Additionally, proper access controls, input validation, and secure coding practices can help reduce the risk of TOCTOU vulnerabilities.
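The check-then-open race from the previous slide and its defense, as an added C example using POSIX calls (not code from the slides). `open_log_racy()` is the flawed order: lstat() the name, then open() the name, leaving a window in which the name can be re-pointed. `open_log_safely()` opens first with O_NOFOLLOW, so a symbolic link at the name is refused, and then validates the descriptor it holds with fstat(); the file behind an open descriptor cannot be swapped, so check and use refer to the same object. The /tmp paths in main() are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 'Before' (the pattern from the slides): check the path, then open the path.
   Between lstat() and open() the name can be re-pointed at a different file, so
   the file that is opened is not necessarily the one that was checked. Kept for
   contrast only. */
int open_log_racy(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;   /* time of check */
    return open(path, O_WRONLY | O_APPEND);                           /* time of use   */
}

/* 'After': make the check and the use refer to the same object. open() with
   O_NOFOLLOW refuses to follow a symbolic link in the final component (it fails
   with ELOOP), and fstat() inspects the descriptor we already hold, which nobody
   can swap underneath us. Returns an fd, or -1 with errno set (EPERM when the
   object is not a regular file owned by us). */
int open_log_safely(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) { int e = errno; close(fd); errno = e; return -1; }
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Append one line using only the already-validated descriptor. Returns 0 on success. */
int append_line(int fd, const char *line) {
    size_t len = strlen(line);
    return (write(fd, line, len) == (ssize_t)len && write(fd, "\n", 1) == 1) ? 0 : -1;
}

int main(void) {
    /* Constructed demonstration: a real log file and a symlink named like one. */
    char logpath[] = "/tmp/toctou_demo_XXXXXX";
    int fd = mkstemp(logpath);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);
    char linkpath[64];
    snprintf(linkpath, sizeof linkpath, "%s.lnk", logpath);
    unlink(linkpath);
    if (symlink(logpath, linkpath) != 0) { perror("symlink"); return 1; }

    fd = open_log_safely(logpath);
    printf("regular file: %s\n", fd >= 0 ? "opened" : strerror(errno));
    if (fd >= 0) { append_line(fd, "audit: login ok"); close(fd); }
    fd = open_log_safely(linkpath);
    printf("symlink:      %s\n", fd >= 0 ? "opened (unexpected)" : strerror(errno));
    unlink(linkpath);
    unlink(logpath);
    return 0;
}
```

The general rule behind the safe version is the one the slide gives as "atomic operations": do the check on the handle you will use, not on a name that someone else can rebind in between.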



2.4. Controls against program flaws in execution
 Controls to protect against program flaws in execution are essential for ensuring the security of software applications.
 They aim to mitigate the impact of vulnerabilities that may be exploited during execution of a program.
 The controls can be categorized at different levels. These are:
◦ Development controls
◦ Operating system controls
◦ Administrative controls



Controls against program flaws in execution
 Development controls:
◦ Development controls are crucial for mitigating program threats during the software development lifecycle.
◦ Some key development controls against program threats include:
 Secure coding standards and guidelines: cover secure coding practices, input validation, output encoding and error handling.
 Code reviews: peer reviews and security-focused code inspections.
 Threat modeling: identify potential security threats and vulnerabilities in the software design.
 Security testing: static code analysis helps identify security vulnerabilities in the code.
 Secure development tools: tools and libraries that are free from known vulnerabilities, etc.
Controls against program flaws in execution…
 Operating system controls:
◦ OS controls play a crucial role in protecting against program flaws in execution.
◦ These controls are designed to safeguard the OS and the programs running on it.
◦ Some key operating system controls against program flaws include:
 Address Space Layout Randomization (ASLR): randomizes the memory addresses used by the program, making it more difficult for attackers to predict the location of critical system functions.
 Secure boot enforcement: ensures that the OS only boots from trusted and verified bootloaders.
 Sandboxing: running programs in a restricted environment with limited access to system resources and sensitive data, etc.


Controls Against Program Threats
 Administrative controls:
 Administrative controls are essential for protecting against program flaws in execution.
 The controls involve policies, procedures and practices that need to be enforced by an organization.
 Patch management: a robust patch management process ensures that the OS and applications are regularly updated.
 Least privilege principle: granting users only the minimum level of access and permissions required to perform their duties can limit the impact of program flaws in execution.
 Security awareness and training: awareness and training programs for employees can help raise awareness of program execution risks, etc.



2.5. Database security
 Database security is a critical aspect of computer security that focuses on protecting the confidentiality, integrity, and availability of data stored within a database system.
 Database security measures are essential for safeguarding sensitive information from unauthorized access, data breaches, and other security threats.
 A given database is secured when database reliability and integrity, secrecy, inference control, and multi-level database protection are ensured.



Database security...
 Database reliability and integrity:
◦ This refers to the ability of a database system to consistently and accurately store, retrieve, and manage data without errors or failures.
◦ This includes ensuring that
 the database is available when needed,
 data is stored without corruption,
 the system can recover quickly from any potential disruptions, and
 data is valid, complete, and free from errors.



Database security...
 Techniques to ensure database reliability and integrity are:
 Backup and recovery: ensures data availability and integrity in case of system failures or data corruption.
 Data validation: ensures that only valid and accurate data is entered into the database, preventing data integrity issues.
 Transaction management: ensures that database operations are atomic, consistent, isolated, and durable (ACID properties), maintaining data integrity.



Database security...
 Database Secrecy:
◦ This refers to the protection of confidential information stored within a database from unauthorized access, disclosure or theft.
◦ Techniques to ensure database secrecy are:
 Access control: ensures that only authorized users have access to sensitive data, protecting data secrecy.
 Encryption: protects sensitive data both at rest and in transit, preventing unauthorized access and maintaining data secrecy.



Database security...
 Inference Control:
 This refers to the measures and techniques used to prevent unauthorized users from inferring or deducing sensitive information from the data they are allowed to access.
 Example of an inference control attack:
 In a given company, employees can access their own salary, but not that of their colleagues.
 However, an employee with access to sales performance data and commission structures may be able to infer their colleagues' salaries by analyzing the correlation between sales performance and compensation, breaching the confidentiality of salary information.
Database security...
 Multi-Level Databases:
 This refers to a database system that is designed to handle data with different levels of sensitivity.
 In such a database, information is categorized into different security levels and access to the data is controlled based on the authorization level of the user.
 Inference control attacks target multi-level databases, with unauthorized users attempting to deduce sensitive information. Example:
 In a military organization, a database contains classified information at various levels of sensitivity, including "top secret," "secret," and "confidential."
 An employee has access to data at the "confidential" level.
 The employee might attempt to infer "top secret" information based on the relationships found in the "confidential" data.
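An added C example (not from the slides) that combines the inference-control slide and the multi-level database slide above: a constructed salary table whose rows carry the slides' labels (confidential, secret, top secret), a mandatory read rule that lets a user see only rows at or below their clearance, and an aggregate query that is released only when at least MIN_QUERY_SET rows contribute, so that a single colleague's salary cannot be isolated from an average (query-set-size control, a standard inference-control technique not named on the slides). The table, the numeric ordering of the levels and the threshold are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sensitivity labels from the slides' military example, ordered low to high. */
enum level { CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

struct row { const char *employee; int dept; long salary; enum level label; };

/* Constructed sample table: each row carries its own label. */
static const struct row TABLE[] = {
    { "ann", 1, 52000, CONFIDENTIAL },
    { "bob", 1, 61000, CONFIDENTIAL },
    { "cid", 1, 58000, SECRET       },
    { "dee", 2, 90000, SECRET       },
    { "eve", 2, 95000, TOP_SECRET   },
    { "fay", 3, 70000, CONFIDENTIAL },
};
#define NROWS (sizeof TABLE / sizeof TABLE[0])

/* Assumed inference-control threshold: an aggregate is released only when at
   least this many rows contribute, so no single colleague's value can be isolated. */
#define MIN_QUERY_SET 3

/* Mandatory access rule for the multi-level database: a user may read a row only
   if its label is at or below the user's clearance ("no read up"). */
bool can_read(enum level clearance, const struct row *r) {
    return r->label <= clearance;
}

/* Number of rows of a department the user is cleared to see. */
size_t visible_rows(enum level clearance, int dept) {
    size_t n = 0;
    for (size_t i = 0; i < NROWS; i++)
        if (TABLE[i].dept == dept && can_read(clearance, &TABLE[i])) n++;
    return n;
}

/* Average salary of a department, computed only over rows the user may read and
   released only if the query set is large enough. Returns false when refused. */
bool dept_avg_salary(enum level clearance, int dept, long *avg_out) {
    long sum = 0;
    size_t n = 0;
    for (size_t i = 0; i < NROWS; i++) {
        if (TABLE[i].dept != dept || !can_read(clearance, &TABLE[i])) continue;
        sum += TABLE[i].salary;
        n++;
    }
    if (n < MIN_QUERY_SET) return false;    /* query-set-size control */
    *avg_out = sum / (long)n;
    return true;
}

int main(void) {
    static const char *names[] = { "", "confidential", "secret", "top secret" };
    for (int dept = 1; dept <= 3; dept++) {
        for (int c = CONFIDENTIAL; c <= TOP_SECRET; c++) {
            long avg;
            size_t n = visible_rows((enum level)c, dept);
            if (dept_avg_salary((enum level)c, dept, &avg))
                printf("dept %d, clearance %-12s: avg %ld over %zu rows\n", dept, names[c], avg, n);
            else
                printf("dept %d, clearance %-12s: refused (%zu rows < %d)\n", dept, names[c], n, MIN_QUERY_SET);
        }
    }
    return 0;
}
```

Note how the two controls interact: a confidential-cleared user sees only two rows of department 1, so the average is refused, while a secret-cleared user sees three and gets it. The threshold alone is not a complete defense (overlapping queries can still be combined), which is why the slides pair inference control with auditing of query patterns.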



Database security...
 Techniques to counter attacks on multi-level databases and to ensure inference control are:
 Database auditing and monitoring: to track user access, data modifications, and potential inference activities.
 Regularly review audit logs to identify suspicious behavior.
 Data classification and labeling: clearly classify and label data based on its sensitivity level.
 This helps users understand the security implications of the data they are accessing and reinforces the need to adhere to access controls.



End of Chapter-2
Questions?
Read More…..
