Lecture 2 Understanding security threats and countermeasures

introduction to network security threats

Uploaded by

mulerfile1991
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
33 views35 pages

Lecture 2 Understanding security threats and countermeasures

introduction to network security threats

Uploaded by

mulerfile1991
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

Lecture 02
Understanding security threats and countermeasures
ECEG 4192
Introduction
• Vulnerability: an inherent weakness in the design,
configuration, implementation, or management of a
network or system
– Vulnerabilities are what make networks susceptible to
information loss and downtime.
– Every network and system has some kind of vulnerability.
• Threat: a potential for violation of security, which
exists when there is a circumstance, capability, action, or
event that could breach security
– That is, a threat is a possible danger that might exploit a
vulnerability.
• Attack: an assault on system security
– That is, an intelligent act that is a deliberate attempt to evade
security services and violate the security policy of a system.
• For example, the threat could be denial of service, the
vulnerability a flaw in the design of the operating system, and
the attack a "ping of death."
Types of attack
• Based on where they originate, attacks can be internal or
external
– Internal: initiated by an entity inside the security perimeter
– An internal attack may be serious, as the attacker has some
knowledge of the network and its resources and may also have
some level of access to those resources
– 60-80% of network misuse originates from inside
– External: initiated from outside the perimeter
• Based on whether an attacker affects system resources
directly or not, attacks can be passive or active
– A passive attack attempts to learn or make use of information
from the system but does not affect system resources; an
active attack attempts to alter system resources or affect their
operation
Passive attacks
• Consist of monitoring or eavesdropping on transmissions
• The goal is to obtain the information being transmitted
• The most common type is called traffic analysis
• The attacker can
– Determine the identity and location of the communicating hosts
– Determine the frequency and length of the messages being exchanged
– Monitor and record network traffic to get information that
can be helpful in initiating other active attacks
• Very difficult to detect, because there is no clear activity
that can be monitored or detected
– Neither the sender nor the receiver is aware that the messages
are being monitored by others
Cont’d
• It is feasible to prevent passive attacks by means of
encryption.
• Thus, the emphasis in dealing with passive attacks is on
prevention rather than detection.

Active attacks
• Involve some modification of the data stream or the creation
of a false data stream
• Difficult to prevent, but easier to detect
– the goal is to detect active attacks and to recover from any
disruption they cause
• There are many attacks under this category
• Spoofing attack:
– When one entity pretends to be a different entity
– Several different types: IP address spoofing, ARP spoofing
– In IP spoofing, a node sends IP packets from a false (or
“spoofed”) source address in order to hide itself
• or to impersonate machines with access permissions and bypass
trust-based network security measures
– Packet filtering techniques can be used for detection
Active attacks (cont’d)
• Denial of service (DoS):
– Prevents/disrupts the normal use of communication facilities,
e.g. by overloading a given system with messages
– Can be carried out using different techniques
– Ping flood attack: sends ICMP ping requests to the victim
host without waiting for the answers, to the point where the
host can no longer answer them
– Effect: network bandwidth congestion with ICMP packets
(both requests and replies) and high CPU utilization
– Countermeasure: disable ICMP traffic on the firewall
Active attacks (cont’d)
• Denial of service (DoS) …. cont’d
– SYN flood attack: exploits the way the TCP three-way
handshake works
– Attacker host(s) send SYN packets to the victim host
requesting a connection
– The victim host responds with SYN-ACK packets, but the
attacker host never responds back with ACK packets
– The victim reserves space for all those connections still
awaiting the remote attacker hosts to respond, which never
happens
– These “dead open connections” prevent legitimate requests
from being served
Active attacks (cont’d)
• Social engineering:
– Psychological manipulation of people into performing actions
that potentially lead to leaks of confidential information
– Social engineers use various strategies to trick users, e.g.
pretending to be someone else (IT professional, manager,
governmental authority)
– Phishing attack: the use of spoofed emails to steal
information (bank account details, etc.)
– Countermeasure: create user awareness; users should follow
use policies and procedures
Active attacks (cont’d)
• SQL injection attack:
– exploits existing vulnerabilities in applications to inject
code or strings that are then executed
– We will discuss this in detail
• Password attacks:
– aim at guessing the passwords used by users so that the attacker
can use these stolen passwords to gain access
– Attackers use different techniques, such as brute-force attacks
and dictionary attacks, to guess passwords
– We will discuss these attacks in detail
• There are many more attacks
Password security

Introduction
• Passwords are used in many systems
• It is important to understand the strengths and weaknesses
of password systems
• A strawman proposal:
– Basic password system: a file with username, password records
(colon delimited)
john:automobile
mary:balloon
joe:wepntkas
– Simple to implement, but risky
– All users are compromised if an attacker gets the password file
– Remedy: do not store passwords in clear text
Hashing
• Encrypt passwords, don’t store them “in clear text”
• Store an encrypted version of the passwords
– Two-way encryption -> uses a key, and key storage is a problem
– Better: “one-way encryption” with no way to decrypt -> hashing
• With hashing, when the user enters a password in an
attempt to log in, you hash the user-entered
password and compare it to the hashed one in the
file.
– If you store only one-way encrypted passwords in the
password file, even if an attacker gets the password file, he
would not be able to decrypt the users’ passwords.
• E.g. SHA-1 (Secure Hash Algorithm) and MD5 (Message
Digest 5)
Cont’d
• Example of a hashed password file
john:9Mfsk4EQh+XD2lBcCAvputrIuVbWKqbxPgKla7u67oo=
mary:AEd62KRDHUXW6tp+XazwhTLSUlADWXrinUPbxQEfnsI=
joe:J3mhF7Mv4pnfjcnoHZ1ZrUELjSBJFOo1r6D6fx8tfwU=
• When John’s password needs to be checked, the hash
of the password that is entered is computed and
compared against the hash in the password file
Password attacks
• Offline dictionary attacks: given the password file, the
attacker can still attempt to determine some users’
passwords
– This works because most users do not choose good passwords
– Users often choose passwords that happen to be words in
the dictionary, street names, company names, or other well-
known strings
– An attacker can easily build a dictionary of words, common
street names, common names of companies, and so forth
– If the attacker knows that the SHA-1 hash function is used to
store the hashed passwords, the attacker can compute the SHA-1
hashes of all words in the dictionary
– The attacker then simply looks for matches between the hashes
in the password file and the hashes that he has computed
Password attacks (cont’d)
• Offline dictionary attack (illustrated by a figure on the
original slide)
Password attacks (cont’d)
• Salting: a defense technique against offline dictionary attacks
• Salting is the practice of including additional information
in the hash of the password to make the attacker’s job
harder
• In addition to the username and password values, a third
field holding a random number (the salt) is included in the
password file, e.g.:
john:ScF5GDhWeHr2q5m7mSDuGPVasV2NHz4kuu5n5eyuMbo=:1515
• The attacker now needs to try combinations of
dictionary words concatenated with salts
Password attacks (cont’d)
• The use of salting (illustrated by a figure on the original slide)
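The hashing and salting scheme of the preceding slides, as an added Python example that is not part of the lecture: it stores base64-encoded SHA-256 hashes in the lecture's colon-delimited layout, verifies a login by recomputing the hash with the stored salt, and shows why a precomputed table of unsalted hashes matches only the unsalted entry. The SHA-256 choice, the 16-byte salt, the helper names and the sample dictionary are assumptions.

```python
import base64
import hashlib
import secrets

# Assumed layout of the lecture's password file: base64(SHA-256) with an
# optional third field holding the salt. SHA-256 is fast by design; a
# production system should use a slow scheme (bcrypt, scrypt, Argon2).

def hash_password(password: str, salt: str = "") -> str:
    """Return base64(SHA-256(salt || password))."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def add_user(pwfile: dict, username: str, password: str, salted: bool = True) -> None:
    """Store username -> (hash, salt). The salt is random per user; the
    slide's 4-digit ':1515' is far too small, 16 random bytes is typical."""
    salt = secrets.token_hex(16) if salted else ""
    pwfile[username] = (hash_password(password, salt), salt)

def check_login(pwfile: dict, username: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if username not in pwfile:
        return False
    stored_hash, salt = pwfile[username]
    return secrets.compare_digest(hash_password(attempt, salt), stored_hash)

def precomputed_table(words) -> dict:
    """Unsalted hash -> word: the table an offline dictionary attack builds once."""
    return {hash_password(w): w for w in words}

def recover_unsalted(pwfile: dict, table: dict) -> dict:
    """Match stored hashes against the table. Only unsalted entries can hit;
    a salted entry would need the whole table rebuilt for its own salt."""
    return {user: table[h] for user, (h, salt) in pwfile.items()
            if salt == "" and h in table}

def serialize(pwfile: dict) -> str:
    """Emit the colon-delimited lines used on the slides."""
    return "\n".join(f"{u}:{h}:{s}" if s else f"{u}:{h}"
                     for u, (h, s) in pwfile.items())

DICTIONARY = ["automobile", "balloon", "password", "letmein"]  # constructed sample

if __name__ == "__main__":
    pwfile = {}
    add_user(pwfile, "john", "automobile", salted=False)  # strawman: unsalted
    add_user(pwfile, "mary", "balloon")                   # salted
    print(serialize(pwfile))
    print("recovered:", recover_unsalted(pwfile, precomputed_table(DICTIONARY)))
```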
Password attacks (cont’d)
• Online dictionary attacks: the attacker actively tries
username and password combinations against a live,
running system
• As in the offline dictionary attack, the attacker maintains a
dictionary of candidates to try
• Mitigation techniques:
– Monitor the number of unsuccessful tries
– If a large number of failed logins are coming from one or
more IP addresses, one can block subsequent login attempts
from the suspicious sources
Password attacks (cont’d)
• Brute force attacks: an attempt to discover a
password by trying every possible combination
– Done with a computer program, so the speed at which
someone can brute-force a password increases as available
computer hardware becomes faster and faster
– Would likely start at one-digit passwords before moving to
two-digit passwords and so on
– May take several days, months, or even years to guess
– The time to complete an attack depends on the nature of the
password and the strength of the computer(s)
– Mitigation:
• Choose stronger passwords (alphanumeric + special characters)
• Limit the maximum number of attempts: if the user exceeds it,
the system locks the account
• Inject random pauses after each invalid attempt
Password attacks (cont’d)
• Brute force attacks (cont’d)
• E.g.: estimate the amount of time needed to break 8-character
numeric, alphabetic and alphanumeric passwords when the attack
runs on computers capable of testing 1 million and 1
billion passwords per second.
– What happens if the password length is 14 characters?

Solution:
• Numeric password: each character can be any of the 10 numeric
values, so for 8 characters there are 10^8 combinations
• Alphabetic password: 52 possible values per character, so for 8
characters there are 52^8 combinations
• And so on…

Cont’d
The resulting table on the original slide shows the maximum time
to discover a given password, but on average, trying half of the
combinations would lead to success
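A worked version of the exercise above, as an added Python example that is not from the lecture: it computes the search space and the worst-case and average time for the 8- and 14-character cases at both attacker speeds, and also the effect of the random-pause mitigation from the earlier slide. The alphabet sizes 10, 52 and 62 follow the solution; the 365-day year and the function names are assumptions.

```python
# Alphabet sizes from the lecture's solution (10 digits, 52 letters,
# 62 alphanumerics) and the two attacker speeds the exercise asks about.
ALPHABETS = {"numeric": 10, "alphabetic": 52, "alphanumeric": 62}
RATES_PER_SECOND = {"1 million/s": 10**6, "1 billion/s": 10**9}
SECONDS_PER_YEAR = 365 * 86400  # assumption: 365-day year

def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, rate: int) -> float:
    """Time to try every combination (the maximum the lecture refers to)."""
    return search_space(alphabet_size, length) / rate

def average_seconds(alphabet_size: int, length: int, rate: int) -> float:
    """On average the correct guess turns up after half the combinations."""
    return worst_case_seconds(alphabet_size, length, rate) / 2

def throttled_worst_case_seconds(alphabet_size: int, length: int,
                                 delay_seconds: float) -> float:
    """Online guessing against a system that pauses after each invalid
    attempt: the attacker's rate collapses to one guess per pause."""
    return search_space(alphabet_size, length) * delay_seconds

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

def estimate_table(lengths=(8, 14)) -> dict:
    """Worst-case time keyed by (alphabet, length, rate), as the exercise asks."""
    return {(name, length, rate_name): worst_case_seconds(size, length, rate)
            for name, size in ALPHABETS.items()
            for length in lengths
            for rate_name, rate in RATES_PER_SECOND.items()}

if __name__ == "__main__":
    for (name, length, rate_name), secs in estimate_table().items():
        print(f"{name:>12} {length:>2} chars @ {rate_name:>12}: "
              f"max {humanize(secs)}, average {humanize(secs / 2)}")
```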
Additional password security techniques
• Used in addition to hashing and salting
• Strong passwords: make them as long as possible
– Include letters, numbers, and special characters
– But the stronger the password, the more difficult it is to remember
• Password filtering:
– let the users choose passwords by themselves, but require them
to choose again if the chosen password is weak
• Aging passwords: let passwords expire
• Limited login attempts: after a fixed number of failed
trials, lock or disable the password
– But a legitimate user might be locked out after a few wrong trials
SQL Injection Attack

What is SQL injection?
• Untrusted data is evaluated in the context of a command
or query language
• It belongs to the general class of command injection
vulnerabilities
• Command injection vulnerability: untrusted input is
inserted into a query or command
• In an SQL injection attack, untrusted (e.g., end-user
supplied) data is inserted into a query or command, and
specially crafted malicious input can be misinterpreted
by the query processor
• It is possible whenever an application uses data that can be
controlled by an attacker as part of an SQL query.
SQL injection attack (illustrated by a figure on the original slide)
SQL injection attack scenario (1)
• E.g. a pizza ordering application
• It includes a feature that allows users to review the orders
they have made in a given month.
– The user is presented with the form shown on the original slide

HTTP request:
https://www.deliver-me-pizza.com/show_orders?month=10
SQL injection attack scenario (2)
• On receiving such a request, the application
constructs an SQL query that instructs the
database to retrieve the matching rows from the orders table
SELECT pizza, toppings, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=10
• The application then executes the query and retrieves
the result set.
• It then inserts the returned data into an HTML
table that is sent back to the user’s browser
SQL injection attack scenario (2)
• What happens if the attacker enters a value other than a month?
• e.g.: 0 OR 1=1
• The query will be as follows
SELECT pizza, toppings, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 OR 1=1
SQL injection attack scenario (3)
• Since the operator precedence of the AND operator is
higher than that of OR, the WHERE condition is
equivalent to
– WHERE (userid=4123 AND order_month=0) OR 1=1
• The SQL query returns the entire contents of the orders
table, as the WHERE clause is always true
• The attacker’s input has actually altered the meaning of
the query
• The attacker can issue even more damaging commands
SQL injection attack scenario (4)
• More damaging attack: the attacker sets month=
0 AND 1=0
UNION SELECT cardholder, number, exp_month, exp_year
FROM creditcards
• The query then looks like
SELECT pizza, toppings, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 AND 1=0
UNION SELECT cardholder, number, exp_month, exp_year
FROM creditcards
• The attacker is able to combine 2 queries
– 1st query: empty result (the WHERE clause always fails)
– 2nd query: the credit card numbers of all users are retrieved
SQL injection attack scenario (5)
• Even more dangerous!
• month= 0; DROP TABLE creditcards;
• Then the query looks like
SELECT pizza, toppings, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0;
DROP TABLE creditcards;
• The DB then executes two statements; the second one
– Removes the creditcards table from the DB
– Future orders fail. DoS attack!
SQL injection attack scenario (6)
• SQL injection attacks can ruin entire businesses
• For example:
– In 2005 a credit card payment processing company
called CardSystems had 263,000 credit card numbers
stolen from its database.
– Even worse, since the credit card numbers were
stored in its database in an unencrypted form, over 40
million credit card numbers were potentially exposed
to the attack!
Mitigation techniques (1)
• Blacklisting: eliminating quote and semicolon characters
found in user input
– Not comprehensive! If you forget one dangerous character to
blacklist, it might lead to a successful attack
– May conflict with the functional requirements of your application
• E.g. a user named O’Brien might be prevented from registering
• Limiting privileges: run SQL commands under a database
account with limited privileges
– Can run select queries, but not arbitrary insert, update, or
delete statements
• E.g. a user with limited privileges may not be able to drop a table
Mitigation techniques (2)
• Applying input validation: validating data (constraining
all input variables) before it is used in an SQL query
– E.g. constraining the month input to an integer value between 1 and 12
– Or rejecting unreasonably long inputs
• Escaping: turn a potentially dangerous input string into a
sanitized one
– transform a username with a quote in it into valid input by
escaping it before storing it in the database
– Escaping tells MySQL that the single quote is part of the
string input, not a command
– Only applicable to string-valued parameters that are enclosed in
quotes in the query
• N.B.: A combination of these techniques is used for better
protection against SQL injection attacks
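The pizza-ordering scenario and the input-validation mitigation above, as an added Python/SQLite example that is not part of the lecture: the vulnerable function builds the query by string concatenation exactly as the slides describe, while the hardened one validates the month and binds values as query parameters so the database never parses user input as SQL. The table contents, the sample card number and the function names are constructed for this example.

```python
import re
import sqlite3

def setup_db() -> sqlite3.Connection:
    """Constructed sample tables for the lecture's pizza-ordering scenario."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(userid INTEGER, pizza TEXT, toppings TEXT,
                            quantity INTEGER, order_day INTEGER,
                            order_month INTEGER);
        CREATE TABLE creditcards(cardholder TEXT, number TEXT,
                                 exp_month INTEGER, exp_year INTEGER);
        INSERT INTO orders VALUES (4123, 'margherita', 'basil', 1, 3, 10);
        INSERT INTO orders VALUES (7777, 'pepperoni', 'olives', 2, 9, 10);
        INSERT INTO creditcards VALUES ('J. Doe', '4111-CONSTRUCTED', 12, 2030);
    """)
    return conn

def show_orders_vulnerable(conn, userid: int, month: str) -> list:
    """The lecture's flaw: the month parameter is pasted into the SQL text,
    so input such as '0 OR 1=1' is parsed as part of the WHERE clause."""
    sql = (f"SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={month}")
    return conn.execute(sql).fetchall()

def validate_month(month: str) -> int:
    """Input validation from the mitigation slides: an integer in 1..12."""
    if not re.fullmatch(r"[0-9]{1,2}", month) or not 1 <= int(month) <= 12:
        raise ValueError("month must be an integer between 1 and 12")
    return int(month)

def show_orders_safe(conn, userid: int, month: str) -> list:
    """Validate first, then bind values as query parameters; the driver
    does the escaping, so the input can never change the query's meaning."""
    m = validate_month(month)
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (userid, m)).fetchall()

if __name__ == "__main__":
    db = setup_db()
    print("normal:", show_orders_vulnerable(db, 4123, "10"))
    print("injected:", show_orders_vulnerable(db, 4123, "0 OR 1=1"))
    print("hardened:", show_orders_safe(db, 4123, "10"))
```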
