CS UNIT-IV

Cyber security unit 5 jntua r20 4-2

Uploaded by

sameersyed0111

UNIT IV

Unauthorized computer access, popularly referred to as hacking, is a criminal act in which someone uses a computer to knowingly gain access to data in a system without permission to access that data.

Computer Intrusion
Computer intrusions occur when someone tries to gain access to any part of your computer system. Computer intruders, or hackers, typically use automated programs when they try to compromise a computer's security. There are several ways an intruder can try to gain access to your computer. They can:
1. Access your computer to view, change, or delete information on it.
2. Crash or slow down your computer.
3. Access your private data by examining the files on your system.
4. Use your computer to access other computers on the Internet.

Computer Viruses and Malicious Code

Viruses
• A virus is computer code or a program that can damage your computer data by corrupting or destroying it.
• A computer virus tends to make duplicate copies of itself at a swift pace, spreading across every folder and damaging the data on your computer system.
• A computer virus is actually a malicious software program, or "malware", that, when infecting your system, replicates itself by modifying other computer programs and inserting its own code.
• Infected computer programs may include data files, or even the "boot" sector of the hard drive.

Ways a virus can reach your computer system:
• By downloading files from the Internet.
• Through removable media or drives.
• Through pen drives.
• Through e-mail attachments.
• Through unpatched software and services.
• Through unprotected or weak administrator passwords.

Impact of Virus
A virus can affect your computer system in the following ways:
• Disrupts the normal functionality of the computer system.
• Disrupts system network use.
• Modifies configuration settings of the system.
• Destroys data.
• Disrupts computer network resources.
• Destroys confidential data.

Malicious Code is harmful computer code or web script designed to create system vulnerabilities leading to back doors, security breaches, information and data theft, and other potential damage to files and computing systems. It is a type of threat that may not be blocked by antivirus software on its own. Malware specifically refers to malicious software, but malicious code also includes website scripts that can exploit vulnerabilities in order to upload malware.
It is an auto-executable application that can activate itself and take on various forms, including Java applets, ActiveX controls, pushed content, plug-ins, scripting languages or other programming languages that are designed to enhance web pages and email.
The code gives a cybercriminal unauthorized remote access to the attacked system (called an application back door), which then exposes sensitive company data. By unleashing it, cybercriminals can even wipe out a computer's data or install spyware.
Internet Hacking and Cracking
Hacking is the activity of identifying weaknesses in a computer system or a network and exploiting them to gain access to personal or business data. An example of computer hacking is using a password cracking algorithm to gain access to a computer system.
Computers have become mandatory to run a successful business. It is not enough to have isolated computer systems; they need to be networked to facilitate communication with external businesses. This exposes them to the outside world and to hacking. System hacking means using computers to commit criminal acts such as fraud, privacy invasion, stealing corporate or personal data, etc. Cybercrimes cost many organizations millions of dollars every year. Businesses need to protect themselves against such attacks.

A hacker is a person who finds and exploits weaknesses in computer systems and/or networks to gain access. Hackers are usually skilled computer programmers with knowledge of computer security.

Hackers are classified according to the intent of their actions. The following list classifies types of hackers according to their intent:
• Ethical Hacker (White hat): A security hacker who gains access to systems with a view to fixing the identified weaknesses. They may also perform penetration testing and vulnerability assessments.
• Cracker (Black hat): A hacker who gains unauthorized access to computer systems for personal gain. The intent is usually to steal corporate data, violate privacy rights, transfer funds from bank accounts, etc.
• Grey hat: A hacker who is in between ethical and black hat hackers. He/she breaks into computer systems without authority with a view to identifying weaknesses and revealing them to the system owner.
• Script kiddies: A non-skilled person who gains access to computer systems using ready-made tools.
• Hacktivist: A hacker who uses hacking to send social, religious, political, etc. messages. This is usually done by hijacking websites and leaving the message on the hijacked website.
• Phreaker: A hacker who identifies and exploits weaknesses in telephone systems instead of computers.

Cracking
• Cracking is a technique used to breach computer software or an entire computer security system, with malicious intent.
• Cracking is when someone performs a security hack for criminal or malicious reasons, and the person is called a "cracker." Just like a bank robber cracks a safe by skilfully manipulating its lock, a cracker breaks into a computer system, program, or account with the aid of their technical wizardry.
• It is always with the aim of doing something naughty once inside: stealing data, impersonating someone, or even just using paid software for free.

Some common types of cracking:

• Password cracking is the act of obtaining a password from stored data. The most common password cracking methods are:
  ◦ Brute force cracking: The cracking algorithm outputs random strings of characters until it gets a match.
  ◦ Dictionary cracking: It is similar to brute-force cracking, but rather than using random characters, dictionary cracking limits itself to actual words.
  ◦ Rainbow table cracking: A rainbow table uses precomputed hash values to reverse the hashing applied to a password.
• Software cracking is when someone alters a piece of software to disable or entirely remove one or more of its features. Most software cracking uses at least one of the following tools or techniques:
  ◦ Keygen: Short for "key generator," a keygen is a program a cracker builds to generate valid serial numbers for a software product.
  ◦ Patch: Patches are small bits of code that modify existing programs. Developers release patches for software all the time. Crackers can make them too, and when they do, the patch's job is to alter the way the program works by removing the unwanted features.
  ◦ Loader: A loader's job is to block the software's protection measures as the software starts up. Some loaders bypass copy protections, while others are popular with gamers who enjoy cheating in online multiplayer games.
• Network cracking is when someone breaks through the security of a LAN, or "local area network." Cracking a wired network requires a direct connection, but cracking a wireless network is much more convenient, because the cracker just needs to be close to the wireless signal. A common example of a wireless LAN is the Wi-Fi system in your home.
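The password cracking methods above rely on the stored hash being cheap and predictable to reverse. The following added example (written for these notes, not taken from any tool or textbook) shows why a precomputed lookup table, the principle behind a rainbow table, recovers a plain hash but fails against a per-user salt plus a slow key derivation function; the wordlist and the salt are constructed.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a dictionary-cracking list.
WORDLIST = ["password", "letmein", "qwerty", "sunshine", "dragon"]


def build_lookup_table(words, algorithm="sha256"):
    """Precompute digest -> plaintext for every word: the principle behind a
    rainbow table, reduced to a plain lookup table for illustration."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def hash_unsalted(password, algorithm="sha256"):
    """Weak storage: one fixed digest per password, so it can be precomputed."""
    return hashlib.new(algorithm, password.encode()).hexdigest()


def hash_salted(password, salt, iterations=100_000):
    """Stronger storage: PBKDF2-HMAC-SHA256 with a per-user random salt. The same
    password gives a different digest for every salt, and each guess costs
    `iterations` hash computations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def lookup_attack(stored_digest, table):
    """Reverse a digest by table lookup; returns the plaintext or None."""
    return table.get(stored_digest)


def dictionary_attack_salted(stored_digest, salt, words, iterations=100_000):
    """A dictionary check against a salted hash has to re-hash every guess with
    this specific salt, so nothing can be precomputed ahead of time. A weak
    password is still found; the salt only removes the precomputation shortcut."""
    for w in words:
        if hash_salted(w, salt, iterations) == stored_digest:
            return w
    return None


def demo():
    """Returns (what the lookup table recovers from the unsalted digest,
    what it recovers from the salted digest)."""
    table = build_lookup_table(WORDLIST)
    unsalted = hash_unsalted("sunshine")
    recovered_unsalted = lookup_attack(unsalted, table)  # "sunshine"

    salt = os.urandom(16)  # constructed per-user salt
    salted = hash_salted("sunshine", salt)
    recovered_salted = lookup_attack(salted, table)  # None
    return recovered_unsalted, recovered_salted


if __name__ == "__main__":
    print(demo())
```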

Viruses and Worms

1. Worms: A worm is similar to a virus but it does not modify the program. It replicates itself more and more to slow down the computer system. Worms can be controlled remotely. The main objective of worms is to eat up system resources.
2. Virus: A virus is malicious executable code attached to another executable file, which can be harmless or can modify or delete data. When the computer program with the attached virus runs, it performs some action such as deleting a file from the computer system. A virus can't be controlled remotely.

Difference between Worms and Virus:

S.No. | WORMS | VIRUS
1. | A worm is a form of malware that replicates itself and can spread to different computers via a network. | A virus is malicious executable code attached to another executable file which can be harmless or can modify or delete data.
2. | The main objective of worms is to eat up system resources. | The main objective of a virus is to modify information.
3. | It doesn't need a host to replicate from one computer to another. | A host is required for spreading.
4. | It is less harmful as compared. | It is more harmful.
5. | Worms can be detected and removed by antivirus and firewall. | Antivirus software is used for protection against viruses.
6. | Worms can be controlled remotely. | A virus can't be controlled remotely.
7. | Worms are executed via weaknesses in the system. | Viruses are executed via executable files.
8. | Morris Worm, Storm Worm and SQL Slammer are some examples of worms. | Resident and non-resident viruses are two types of virus.
9. | It does not need human action to replicate. | It needs human action to replicate.
10. | Its spreading speed is faster. | Its spreading speed is slower as compared.

Software Piracy
Software piracy is the act of stealing software that is legally protected. This stealing includes copying,
distributing, modifying or selling the software.
Copyright laws were originally put into place so that the people who develop software (programmers, writers,
graphic artists, etc.) would get the proper credit and compensation for their work. When software piracy occurs,
compensation is stolen from these copyright holders.

Types of Software Piracy

There are five main types of software piracy.
• Softlifting is when someone purchases one version of the software and downloads it onto multiple computers, even though the software license states it should only be downloaded once. This often occurs in business or school environments and is usually done to save money. Softlifting is the most common type of software piracy.
• Client-server overuse is when too many people on a network use one main copy of the program at the same time. This often happens when businesses are on a local area network and download the software for all employees to use. This becomes a type of software piracy if the license doesn't entitle you to use it multiple times.
• Hard disk loading is a type of commercial software piracy in which someone buys a legal version of the software and then reproduces, copies or installs it onto computer hard disks. The person then sells the product. This often happens at PC resale shops, and buyers aren't always aware that the additional software they are buying is illegal.
• Counterfeiting occurs when software programs are illegally duplicated and sold with the appearance of authenticity. Counterfeit software is usually sold at a discounted price in comparison to the legitimate software.
• Online piracy, also known as Internet piracy, is when illegal software is sold, shared or acquired by means of the Internet. This is usually done through a peer-to-peer (P2P) file-sharing system, which is usually found in the form of online auction sites and blogs.

The Dangers of Software Piracy

Software piracy may have a cheaper price point, but there are many dangers that software pirates should be aware of. Consequences of software piracy are:
• Increased chances that the software will malfunction or fail
• Forfeited access to support for the program such as training, upgrades, customer support and bug fixes
• No warranty, and the software can't be updated
• Increased risk of infecting your PC with malware, viruses or adware
• Slowed-down PC
• Legal repercussions due to copyright infringement

Intellectual Property Rights

Intellectual property rights are the legal rights that cover the privileges given to individuals who are the owners and inventors of a work and have created something with their intellectual creativity. Individuals related to areas such as literature, music, invention, etc., can be granted such rights, which they can then use in their business practices.
The creator/inventor gets exclusive rights against any misuse or use of the work without his/her prior knowledge. However, the rights are granted for a limited period of time to maintain equilibrium.

Types of Intellectual Property Rights

Intellectual property rights can be further classified into the following categories:
• Copyright
• Patent
• Trade secrets, etc.
Advantages of Intellectual Property Rights
Intellectual property rights are advantageous in the following ways:
• Provide exclusive rights to the creators or inventors.
• Encourage individuals to distribute and share information and data instead of keeping it confidential.
• Provide legal defense and offer creators an incentive for their work.
• Help in social and financial development.

Intellectual Property in Cyber Space

• Every new invention in the field of technology experiences a variety of threats. The Internet is one such threat, which has captured the physical marketplace and converted it into a virtual marketplace.
• To safeguard business interests, it is vital to create an effective property management and protection mechanism, keeping in mind the considerable amount of business and commerce taking place in cyber space.
• Today it is critical for every business to develop an effective and collaborative IP management mechanism and protection strategy. The ever-looming threats in the cyber world can thus be monitored and confined.
• Various approaches and legislations have been designed by law-makers to up the ante in delivering a secure configuration against such cyber-threats. However, it is the duty of the intellectual property right (IPR) owner to invalidate and reduce such mala fide acts of criminals by taking proactive measures.

Mail Bombs
An email bomb is an attack against an email inbox or server designed to overwhelm an inbox or inhibit the
server’s normal function, rendering it unresponsive, preventing email communications, degrading network
performance, or causing downtime. The intensity of an email bomb can range from an inconvenience to a
complete denial of service. Typically, these attacks persist for hours or until the targeted inbox or server
implements a mitigation tactic to filter or block the attacking traffic. Such attacks can be carried out intentionally
or unintentionally by a single actor, group of actors, or a botnet.

There are five common email bomb techniques:

1. Mass mailing: intentionally or unintentionally sending large quantities of random email traffic to targeted email addresses. This attack is often achieved using a botnet or malicious script, such as by the automated filling out of online forms with the target email inserted as the requesting/return address.
2. List linking: signing targeted email addresses up for numerous email subscriptions, which indirectly flood the email addresses with subscribed content. Many subscription services do not ask for verification, but if they do, these verification emails can be used as the attack emails. This type of attack is difficult to prevent because the traffic originates from multiple legitimate sources.
3. ZIP bomb: sending very large compressed archive files to an email address, which, when decompressed, consume available server resources and damage performance.
4. Attachment: sending multiple emails with large attachments designed to overload the storage space on a server and cause the server to stop responding.
5. Reply-all: responding "Reply All" to large distribution lists instead of just to the original sender. This inundates inboxes with a cascade of emails, which are compounded by automated replies, such as out-of-office messages. These are often accidental in nature. This can also occur when a malicious actor spoofs an email address and the automatic replies are directed toward the spoofed address.
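The first two techniques look different on the wire: mass mailing is one burst from few senders, list linking is one burst from many legitimate senders. The following added example (written for these notes, not code from any mail server) runs a sliding-window rate detector over a constructed relay log in an assumed format and labels each flooded mailbox accordingly; the window, threshold and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log format, not any real MTA's:
# "<ISO timestamp> from=<sender> to=<recipient>"
LOG_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)$")


def make_sample_log():
    """Constructed mail-relay log: one normal mailbox, one list-linking flood,
    and one mass-mailing flood, all starting at 09:00."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(3):  # normal traffic: three messages to alice over an hour
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} from=colleague{i}@example.org to=alice@example.com")
    for i in range(60):  # list linking: 60 newsletters from 60 different senders in 5 minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} from=news@list{i}.example.net to=bob@example.com")
    for i in range(60):  # mass mailing: 60 messages from a single sender in 5 minutes
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} from=blast@example.biz to=carol@example.com")
    return lines


def parse_log(lines):
    """Group (timestamp, sender) pairs by recipient; malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, sender, recipient = m.groups()
        events[recipient].append((datetime.fromisoformat(ts), sender))
    return events


def detect_email_bombs(lines, window=timedelta(minutes=5), threshold=30):
    """Return {recipient: (peak_count, distinct_senders, label)} for every mailbox
    whose message count within some sliding window reaches the threshold."""
    alerts = {}
    for recipient, evs in parse_log(lines).items():
        evs.sort()
        peak, peak_start, win_start = 0, 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[win_start][0] > window:
                win_start += 1
            count = end - win_start + 1
            if count > peak:
                peak, peak_start = count, win_start
        if peak < threshold:
            continue
        senders = {s for _, s in evs[peak_start:peak_start + peak]}
        # Many distinct senders in one burst points at list linking (sign-ups at
        # many legitimate services); one or few senders points at mass mailing.
        label = "list-linking" if len(senders) > peak // 2 else "mass-mailing"
        alerts[recipient] = (peak, len(senders), label)
    return alerts


if __name__ == "__main__":
    for mailbox, info in detect_email_bombs(make_sample_log()).items():
        print(mailbox, info)
```

The label matters for mitigation: a mass-mailing burst can be rate-limited by sender, while a list-linking flood has to be filtered by content or the mailbox shielded, since blocking the senders would block legitimate services.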

Effects of Mail Bombs


Email bombs can create denial of service conditions that may impede election offices from conducting routine
or election day activities. For example, a successful email bomb may inhibit election offices from accessing
inboxes for citizen engagement, voter registration, or other services. The impact of such an attack is highly likely
to compound if occurring around polling or registration dates. Additionally, cyber actors sometimes use email
bomb attacks to mask other malicious activity, distract users, or prevent the regular flow of notifications
associated with critical or abnormal account activity.
Exploitation
An exploit is code that takes advantage of a software vulnerability or security flaw. It is written either by security researchers as a proof-of-concept threat or by malicious actors for use in their operations. When used, exploits allow an intruder to remotely access a network and gain elevated privileges, or move deeper into the network.
In some cases, an exploit can be used as part of a multi-component attack. Instead of using a malicious file, the exploit may instead drop other malware, which can include backdoor Trojans and spyware that can steal user information from the infected systems.

Common types of computer exploit

• Known exploits: When someone discovers a software vulnerability, they'll often alert the software's developer, who can then fix the vulnerability immediately with a security patch. They may also spread the word about the vulnerability on the internet to warn others. Either way, the developer will (hopefully) be able to respond and repair the vulnerability before an exploit can take advantage of it.
• Zero-day exploits (unknown exploits): Sometimes, exploits catch everyone by surprise. When a hacker discovers a vulnerability and immediately creates an exploit for it, it's called a zero-day exploit, because the exploit attack happens on the same day the vulnerability is found. At that point, the developer has known about the vulnerability for "zero days."
• Hardware exploits: While software exploits get most of the media attention, they're not the only types of exploits out there. Sometimes, hackers can exploit flaws in the physical hardware (and its firmware) in your device.

Steganography
Steganography is the technique of hiding secret data within an ordinary, non-secret file or message in order to avoid detection; the secret data is then extracted at its destination.

Use of Steganography
There are many ways to conceal information using steganography. The most common method is by embedding information into digital images. A digital image, say a JPEG image, contains several megabytes of data in the form of pixels. This leaves room for someone to embed steganographic information within the digital file. With the use of steganography applications, a hacker alters the least significant bits of the data file and embeds malicious code into the image. Once the targeted user downloads and opens the image file on their computer, the malware is activated. Depending on its programming, the malware can then open a way for the attacker to gain control over the user's device or network. The danger of steganography is that the difference between the original image and the steganographic image is subtle, and the two cannot be distinguished by the naked eye.

Three Techniques used in Steganography

1. Least Significant Bit: In this steganography method, the attacker identifies the least significant bits of information in the carrier image and substitutes them with their secret message, in this case malicious code. When the target downloads the carrier file, they introduce the malware into their computer, which allows the attacker access to the device, and the hack begins. Cybersecurity professionals commonly use sandboxes to detect these corrupt files. However, black hat hackers have invented various methods of bypassing sandboxes, like sleep patching. Sleep-patched malware is not easily detected by the sandbox since it poses as benign and buys time while studying the timing artifacts of the sandbox, and executes when the sandbox is vulnerable.
2. Palette Based Technique: This technique also uses digital images as malware carriers. Here, the attackers first encrypt the message and then hide it in a stretched palette of the cover image. Even though this technique can carry a limited amount of data, it frustrates threat hunters since the malware is encrypted and takes a lot of time to decrypt.
3. Secure Cover Selection: This is a very complex technique where the cyber criminals compare the blocks of the carrier image to the blocks of their specific malware. If an image with the same blocks as the malware is found, it is chosen as the candidate to carry the malware. The identical malware blocks are then carefully fitted into the carrier image. The resulting image is identical to the original, and the worst part is that this image is not flagged as a threat by detection software and applications.
These are just a few methods by which black hat hackers frustrate ethical hackers using steganography. Steganography allows attackers to operate in stealth mode while conducting a serious attack. Most of these attacks are zero-day exploits, which give threat hunters sleepless nights. Some preventive measures against steganography include the deployment of security patches, updating software, and educating end-users.
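The "Use of Steganography" paragraph and technique 1 both describe least-significant-bit embedding. The following added example (written for these notes, not from any steganography tool) works on a constructed grayscale pixel array: it embeds a payload in the LSB plane, shows that no pixel changes by more than 1, and gives the analyst-side extraction that recovers the payload from a suspect carrier; the 4-byte length header is an assumed convention of this example.

```python
# Constructed 8-bit grayscale "image": a flat list of pixel values standing in
# for one channel of a real bitmap (a real image would come from a decoder such
# as Pillow; none is needed here).

def make_cover(width=32, height=32):
    """Smooth gradient cover so every pixel value is easy to reason about."""
    return [(x * 7 + y * 3) % 256 for y in range(height) for x in range(width)]


def _to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed_lsb(pixels, payload: bytes):
    """Hide `payload` in the least significant bit of successive pixels,
    prefixed with a 4-byte big-endian length (assumed convention) so the
    reader knows where to stop."""
    bits = _to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(pixels):
        raise ValueError("payload too large for this carrier")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it
    return stego


def extract_lsb(pixels):
    """Analyst-side recovery: read the LSB plane, decode the length header and
    return the payload, or None when the header is inconsistent with the
    carrier size (the usual result on a clean image with this convention)."""
    def read_bytes(start_bit, nbytes):
        out = bytearray()
        for b in range(nbytes):
            val = 0
            for i in range(8):
                val = (val << 1) | (pixels[start_bit + b * 8 + i] & 1)
            out.append(val)
        return bytes(out)

    if len(pixels) < 32:
        return None
    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        return None
    return read_bytes(32, length)


def max_pixel_delta(original, stego):
    """Largest per-pixel change introduced by embedding (at most 1 for LSB),
    which is why the two images cannot be told apart by eye."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"constructed payload")
    print(extract_lsb(stego), max_pixel_delta(cover, stego))
```

Because the per-pixel change is at most 1, detection in practice relies on statistics of the LSB plane or on sandboxing what a decoded payload does, not on visual comparison.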

Key loggers and spyware

Key logger
• Keyloggers are a serious threat to users and their data, as they track keystrokes to intercept passwords and other sensitive information typed in through the keyboard. This gives hackers access to PIN codes and account numbers, passwords to online shopping sites, email IDs, email logins, and other confidential information.
• When hackers get access to users' private and sensitive information, they can take advantage of the extracted data to perform online money transactions from the user's account. Keyloggers can sometimes be used as a spying tool to compromise business and state-owned company data.
• The main objective of keyloggers is to interfere in the chain of events that happen between when a key is pressed and when the data is displayed on the monitor as a result of the keystroke.
• Keylogging can be done by introducing wiring or a hardware bug in the keyboard; by video surveillance; by intercepting input and/or output; by implementing a filter driver in the keyboard stack; or by requesting data from the user's keyboard using generally documented methods. There are two other rootkit methods used by hackers: masking in kernel mode and masking in user mode.

Types of Keyloggers
Keylogger tools are mostly constructed for the same purpose, but they have important distinctions in terms of the methods they use and their form factor.
Here are the two forms of keyloggers:
1. Software Keyloggers
2. Hardware Keyloggers

Software Keyloggers: Software keyloggers are computer programs that install onto your device's hard drive. Common keylogger software types include:
• API-based keyloggers directly eavesdrop on the signals sent from each keypress to the program you're typing into. Application programming interfaces (APIs) allow software developers and hardware manufacturers to speak the same "language" and integrate with each other. API keyloggers quietly intercept keyboard APIs, logging each keystroke in a system file.
• "Form grabbing"-based keyloggers eavesdrop on all text entered into website forms once you send it to the server. Data is recorded locally before it is transmitted online to the web server.
• Kernel-based keyloggers work their way into the system's core for admin-level permissions. These loggers can bypass controls and get unrestricted access to everything entered in your system.

Hardware Keyloggers: Hardware keyloggers are physical components built into or connected to your device. Some hardware methods may be able to track keystrokes without even being connected to your device. For brevity, we'll include the keyloggers you are most likely to fend against:
• Keyboard hardware keyloggers can be placed in line with your keyboard's connection cable or built into the keyboard itself. This is the most direct form of interception of your typing signals.
• Hidden camera keyloggers may be placed in public spaces like libraries to visually track keystrokes.
• USB disk-loaded keyloggers can be a physical Trojan horse that delivers the keystroke logger malware once connected to your device.
Prevention from Keystroke logging
• Always read your terms of service or any contracts before accepting.
• Install internet security software on all your devices.
• Make sure your security programs are updated against the latest threats.
• Don't leave your mobile and computer devices unsupervised.
• Keep all other device software updated.
• Do not use unfamiliar USB drives or external hard drives.
Spyware
• Spyware is a broad category of malware designed to secretly observe activity on a device and send those observations to a snooper. That data can be used to track your activity online, and that information can be sold to marketers.
• Spyware can also be used to steal personal information, such as account passwords and credit card numbers, which can result in identity theft and fraud.
• Spyware is unwanted software that infiltrates your computing device, stealing your internet usage data and sensitive information.
• Spyware is classified as a type of malware, that is, malicious software designed to gain access to or damage your computer, often without your knowledge. Spyware gathers your personal information and relays it to advertisers, data firms, or external users.

Types of spyware
Spyware can take a number of forms. They include:
• Adware: It eyes your online activity and displays ads it thinks you'll be interested in based on that information. Although benign compared to some other forms of spyware, adware can have an impact on the performance of a device, as well as just being annoying.
• Tracking cookies: They're similar to adware, although they tend to be less intrusive.
• Trojans: After landing on a device, they look for sensitive information, such as bank account information, and send it to a seedy third party who will use it to steal money, compromise accounts or make fraudulent purchases. They can also be used to gain control of a computer through the installation of a backdoor or a remote access Trojan (RAT).
• Keyloggers: They allow a miscreant to capture every keystroke from your keyboard, including the keystrokes you use when you log into your online accounts.
• Stalkerware: It's typically installed on a mobile phone so the owner of the phone can be tracked by a third party. For example, during the trial of Joaquín "El Chapo" Guzmán, it was revealed the drug kingpin installed spyware on the phones of his wife, associates and female friends so he could read their text messages, listen to their conversations and follow their movements.
• Stealware: It's crafted to take advantage of online shopping sites awarding credits to websites that send traffic to their product pages. When a user goes to one of those sites, stealware intercepts the request and takes credit for sending the user there.
• System monitors: They record everything that's happening on a device, from keystrokes, emails and chat room dialogs to websites visited, programs launched, and phone calls made, and send it to a snoop or cyber-criminal. They can also monitor a system's processes and identify any vulnerabilities on it.

Prevention from spyware

Here are four main steps to help prevent spyware.
• Don't open emails from unknown senders.
• Don't download files from untrustworthy sources.
• Don't click on pop-up advertisements.
• Use reputable antivirus software.

Spyware can be harmful, but it can be removed and prevented by being cautious and using an antivirus tool.
If you’ve been infected with spyware, take steps to remove it. Be proactive by changing your passwords and
notifying your bank to watch for fraudulent activity.

Trojan and backdoors

• A Trojan horse, or Trojan, is a type of malware that is often disguised as legitimate software.
• Trojans can be employed by cyber-thieves and hackers trying to gain access to users' systems.
• Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems.
• Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system. These actions can include:
  ◦ Deleting data
  ◦ Blocking data
  ◦ Modifying data
  ◦ Copying data
  ◦ Disrupting the performance of computers or computer networks
• Unlike computer viruses and worms, Trojans are not able to self-replicate.
Trojan and its impact
• Backdoor: A backdoor Trojan gives malicious users remote control over the infected computer. It enables the author to do anything they wish on the infected computer, including sending, receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers to form a botnet or zombie network that can be used for criminal purposes.
• Exploit: Exploits are programs that contain data or code that takes advantage of a vulnerability within application software that's running on your computer.
• Rootkit: Rootkits are designed to conceal certain objects or activities in your system. Often their main purpose is to prevent malicious programs being detected, in order to extend the period in which programs can run on an infected computer.
• Trojan-Banker: These programs are designed to steal your account data for online banking systems, e-payment systems and credit or debit cards.
• Trojan-Downloader: These can download and install new versions of malicious programs onto your computer, including Trojans and adware.

Protection against Trojan

Here are some dos and don'ts to help protect against Trojan malware. First, the dos:
• Computer security begins with installing and running an internet security suite. Run periodic diagnostic scans with your software. You can set it up so the program runs scans automatically at regular intervals.
• Update your operating system's software as soon as updates are made available from the software company. Cybercriminals tend to exploit security holes in outdated software programs. In addition to operating system updates, you should also check for updates on other software that you use on your computer.
• Protect your accounts with complex, unique passwords. Create a unique password for each account using a complex combination of letters, numbers, and symbols.
• Keep your personal information safe with firewalls.
• Back up your files regularly. If a Trojan infects your computer, this will help you to restore your data.
• Be careful with email attachments. To help stay safe, scan an email attachment first.

A lot of things you should do come with a corresponding thing not to do, like: do be careful with email attachments and don't click on suspicious email attachments. Here are some more don'ts.
• Don't visit unsafe websites. Some internet security software, such as Norton Safe Web, will alert you that you're about to visit an unsafe site.
• Don't open a link in an email unless you're confident it comes from a legitimate source. In general, avoid opening unsolicited emails from senders you don't know.
• Don't download or install programs if you don't have complete trust in the publisher.
• Don't click on pop-up windows that promise free programs that perform useful tasks.
• Don't ever open a link in an email unless you know exactly what it is.

Phishing
 Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message
by someone posing as a legitimate institution to lure individuals into providing sensitive data such as
personally identifiable information, banking and credit card details, and passwords.
 The information is then used to access important accounts and can result in identity theft and financial
loss.
 Phishing is an example of social engineering techniques used to deceive users. Users are lured by
communications purporting to be from trusted parties such as social networking websites, auction sites,
banks, mails/messages from friends or colleagues/executives, online payment systems or IT
administrators.

Types of phishing
 Spear phishing - Phishing attempts directed at specific individuals or companies
 Catphishing and catfishing - a type of online deception that involves getting to know someone closely in
order to gain access to information or resources, usually under the control of the mark, or to otherwise gain
control over the conduct of the target.
 Clone phishing - is a type of phishing attack whereby a legitimate, and previously delivered, email
containing an attachment or link has had its content and recipient address(es) taken and used to create
an almost identical or cloned email.
 Voice phishing - uses fake caller-ID data to give the appearance that calls come from a trusted
organization.
 SMS phishing - or smishing uses cell phone text messages to deliver the bait to induce people to divulge
their personal information.

Prevention against Phishing


 To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the
message, the software used to send the message, and the appearance of the message to determine if it’s
spam. Occasionally, spam filters may even block emails from legitimate sources, so they aren’t always 100%
accurate.
 The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep
a list of fake websites and when you try to access the website, the address is blocked or an alert message
is shown. The settings of the browser should only allow reliable websites to open up.
 Many websites require users to enter login information while the user image is displayed. This type of
system may be open to security attacks. One way to ensure security is to change passwords on a regular
basis, and never use the same password for multiple accounts. It’s also a good idea for websites to use
a CAPTCHA system for added security.
 Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report
phishing to industry groups where legal actions can be taken against these fraudulent websites.
Organizations should provide security awareness training to employees to recognize the risks.
 Changes in browsing habits are required to prevent phishing. If verification is required, always contact
the company personally before entering any details online.
 If there is a link in an email, hover over the URL first. Secure websites with a valid Secure Sockets Layer
(SSL) certificate begin with “https”. Eventually all sites will be required to have a valid SSL certificate.
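The "hover over the URL first" advice above can be automated for a whole message. The following is an added example written for these notes, not code from the original; the email body, hosts and addresses in it are constructed for illustration. It flags links that are not https and links whose visible text names a different host than the one the link actually points to.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. The second link shows the mismatch that
# hovering over a URL is meant to reveal: the text says example-bank,
# the real target is a plain http address elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Please review your statement at
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>.
If that fails use
<a href="http://198.51.100.7/verify">https://www.example-bank.com/verify</a>.
</p>
"""

# Visible text that looks like a URL or a bare domain (optional scheme, then host).
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[\w.-]+\.[a-z]{2,}(?:[/?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host named by the visible link text, or '' if the text is not URL-like."""
    if not URL_LIKE.match(text):
        return ""
    target = text if "://" in text else "//" + text
    return (urlparse(target).hostname or "").lower()


def check_links(html):
    """Return [(href, visible_text, [reasons])] for every link worth a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        real = urlparse(href)
        if real.scheme.lower() != "https":
            reasons.append("link is not https")
        shown = displayed_host(text)
        if shown and shown != (real.hostname or "").lower():
            reasons.append("visible text names a different host than the link target")
        if reasons:
            findings.append((href, text, reasons))
    return findings
```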

DOS Attack
 A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it
inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or
sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users
(i.e., employees, members, or account holders) of the service or resource they expected.
 DoS attacks often target web servers of high-profile organizations such as banking, commerce, and
media companies, or government and trade organizations. Though DoS attacks do not typically result
in the theft or loss of significant information or other assets, they can cost the victim a great deal of time
and money to handle.
 A denial-of-service (DoS) attack is a type of cyber attack in which a malicious actor aims to render a
computer or other device unavailable to its intended users by interrupting the device's normal functioning.
 DoS attacks typically function by overwhelming or flooding a targeted machine with requests until
normal traffic is unable to be processed, resulting in denial-of-service to additional users.
 A DoS attack is characterized by using a single computer to launch the attack.

There are two general methods of DoS attacks: flooding services or crashing services.
Flood attacks occur when the system receives too much traffic for the server to buffer, causing them to slow
down and eventually stop.
Popular flood attacks include:
 Buffer overflow attacks – the most common DoS attack. The concept is to send more traffic to a
network address than the programmers have built the system to handle. It includes the attacks listed
below, in addition to others that are designed to exploit bugs specific to certain applications or
networks.
 ICMP flood – leverages misconfigured network devices by sending spoofed packets that ping every
computer on the targeted network, instead of just one specific machine. The network is then triggered
to amplify the traffic. This attack is also known as the smurf attack or ping of death.
 SYN flood – sends a request to connect to a server, but never completes the handshake. Continues until
all open ports are saturated with requests and none are available for legitimate users to connect to.
Other DoS attacks simply exploit vulnerabilities that cause the target system or service to crash. In these attacks,
input is sent that takes advantage of bugs in the target that subsequently crash or severely destabilize the system,
so that it can’t be accessed or used.

Protection from DoS attack


A general rule: The earlier you can identify an attack-in-progress, the quicker you can contain the damage. Here
are some things you can do.
 Method 1: Get help recognizing attacks - Companies often use technology or anti-DDoS services to help
defend themselves. These can help you distinguish between legitimate spikes in network traffic and a
DDoS attack.
 Method 2: Contact your Internet Service Provider - If you find your company is under attack, you should
notify your Internet Service Provider as soon as possible to determine if your traffic can be rerouted.
Having a backup ISP is a good idea, too. Also, consider services that can disperse the massive DDoS
traffic among a network of servers. That can help render an attack ineffective.
 Method 3: Investigate black hole routing - Internet service providers can use “black hole routing.” It
directs excessive traffic into a null route, sometimes referred to as a black hole. This can help prevent the
targeted website or network from crashing. The drawback is that both legitimate and illegitimate traffic
is rerouted in the same way.
 Method 4: Configure firewalls and routers - Firewalls and routers should be configured to reject bogus
traffic. Remember to keep your routers and firewalls updated with the latest security patches.
 Method 5: Consider front-end hardware - Application front-end hardware that’s integrated into the
network before traffic reaches a server can help analyze and screen data packets. The hardware classifies
the data as priority, regular, or dangerous as it enters a system. It can also help block threatening data.

DDOS Attack
 A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding infrastructure with a
flood of Internet traffic.
 DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources
of attack traffic. Exploited machines can include computers and other networked resources such as IoT
devices.
 From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing
regular traffic from arriving at its destination.

Working
 DDoS attacks are carried out with networks of Internet-connected machines.
 These networks consist of computers and other devices (such as IoT devices) which have been infected
with malware, allowing them to be controlled remotely by an attacker. These individual devices are
referred to as bots (or zombies), and a group of bots is called a botnet.
 Once a botnet has been established, the attacker is able to direct an attack by sending remote instructions
to each bot.
 When a victim’s server or network is targeted by the botnet, each bot sends requests to the target’s IP
address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-
service to normal traffic.
 Because each bot is a legitimate Internet device, separating the attack traffic from normal traffic can
be difficult.

Identification of DDOS Attack


The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. But
since a number of causes — such as a legitimate spike in traffic — can create similar performance issues, further
investigation is usually required. Traffic analytics tools can help you spot some of these telltale signs of a DDoS
attack:
 Suspicious amounts of traffic originating from a single IP address or IP range
 A flood of traffic from users who share a single behavioral profile, such as device type, geolocation,
or web browser version
 An unexplained surge in requests to a single page or endpoint
 Odd traffic patterns such as spikes at odd hours of the day or patterns that appear to be unnatural (e.g.
a spike every 10 minutes)
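The four telltale signs listed above can be checked mechanically against a web server's access log. The following is an added example written for these notes (not code from the original): it scans constructed log lines in the common "combined" format and reports any sign where one value dominates the traffic. The log lines, addresses, User-Agents and the 50% threshold are all made up for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "method path proto" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: three ordinary visitors, then 40 requests packed into
# one second from a single /24, all sharing one User-Agent and hitting one endpoint.
SAMPLE_LOG = [
    _line("192.0.2.10", "10/Mar/2024:14:02:11 +0000", "/", "Mozilla/5.0 (Windows NT 10.0) Firefox/123.0"),
    _line("192.0.2.11", "10/Mar/2024:14:02:13 +0000", "/about", "Mozilla/5.0 (Macintosh) Safari/17.0"),
    _line("192.0.2.12", "10/Mar/2024:14:02:20 +0000", "/pricing", "Mozilla/5.0 (X11; Linux) Chrome/122.0"),
] + [
    _line(f"203.0.113.{i}", "10/Mar/2024:14:03:05 +0000", "/login", "curl/7.0")
    for i in range(1, 41)
]


def parse_log(lines):
    """Parse lines that match the combined format; lines that do not are skipped."""
    matches = [LOG_RE.match(line) for line in lines]
    return [m.groupdict() for m in matches if m]


def ddos_indicators(lines, share_threshold=0.5, min_requests=20):
    """Map each telltale sign to (dominant value, share of all requests) whenever a
    single value accounts for more than share_threshold of the traffic.
    Returns {} when the sample is too small or nothing stands out."""
    recs = parse_log(lines)
    if len(recs) < min_requests:
        return {}
    total = len(recs)
    views = {
        # traffic originating from a single IP range (addresses collapsed to /24)
        "ip_range": Counter(".".join(r["ip"].split(".")[:3]) + ".0/24" for r in recs),
        # users sharing a single behavioural profile (here: the User-Agent string)
        "user_agent": Counter(r["ua"] for r in recs),
        # a surge in requests to a single page or endpoint
        "endpoint": Counter(r["path"] for r in recs),
        # an odd traffic pattern: a burst squeezed into a single second
        "burst_second": Counter(r["ts"] for r in recs),
    }
    findings = {}
    for name, counter in views.items():
        value, count = counter.most_common(1)[0]
        share = count / total
        if share > share_threshold:
            findings[name] = (value, round(share, 2))
    return findings
```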

Types of DDOS attack


 Application layer attacks - Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer
of the OSI model), the goal of these attacks is to exhaust the target’s resources to create a denial-of-
service. The attacks target the layer where web pages are generated on the server and delivered in
response to HTTP requests. A single HTTP request is computationally cheap to execute on the client
side, but it can be expensive for the target server to respond to, as the server often loads multiple files
and runs database queries in order to create a web page. Layer 7 attacks are difficult to defend against,
since it can be hard to differentiate malicious traffic from legitimate traffic.
 Protocol attacks - also known as state-exhaustion attacks, cause a service disruption by over-
consuming server resources and/or the resources of network equipment like firewalls and load balancers.
Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target
inaccessible.
 Volumetric attacks - This category of attacks attempts to create congestion by consuming all available
bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using
a form of amplification or another means of creating massive traffic, such as requests from a botnet.
 Fragmentation attacks - are another common form of DDoS attack. The cybercriminal exploits
vulnerabilities in the datagram fragmentation process, in which IP datagrams are divided into smaller
packets, transferred across a network, and then reassembled. In fragmentation attacks, fake data packets
that cannot be reassembled overwhelm the server.

Protection from DDOS attack


Method 1: Take quick action
Method 2: Configure firewalls and routers
Method 3: Consider artificial intelligence
Method 4: Secure your Internet of Things devices

SQL Injection
 SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend
database manipulation to access information that was not intended to be displayed. This information may
include any number of items, including sensitive company data, user lists or private customer details.
 The impact SQL injection can have on a business is far-reaching.
 A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and,
in certain cases, the attacker gaining administrative rights to a database, all of which are highly
detrimental to a business.
 When calculating the potential cost of an SQLi, it’s important to consider the loss of customer trust should
personal information such as phone numbers, addresses, and credit card details be stolen.
 While this vector can be used to attack any SQL database, websites are the most frequent targets.

Types of SQL Injections


SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and
Out-of-band SQLi. You can classify SQL injection types based on the methods they use to access backend data
and their damage potential.

In-band SQLi - The attacker uses the same channel of communication to launch their attacks and to gather their
results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi attack. There
are two sub-variations of this method:
 Error-based SQLi—the attacker performs actions that cause the database to produce error messages.
The attacker can potentially use the data provided by these error messages to gather information about
the structure of the database.
 Union-based SQLi—this technique takes advantage of the UNION SQL operator, which fuses multiple
select statements generated by the database to get a single HTTP response. This response may contain
data that can be leveraged by the attacker.

Inferential (Blind) SQLi - The attacker sends data payloads to the server and observes the response and behavior
of the server to learn more about its structure. This method is called blind SQLi because the data is not
transferred from the website database to the attacker, thus the attacker cannot see information about the attack
in-band.
Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slower to
execute but may be just as harmful. Blind SQL injections can be classified as follows:
 Boolean—the attacker sends a SQL query to the database prompting the application to return a result.
The result will vary depending on whether the query is true or false. Based on the result, the information
within the HTTP response will change or stay unchanged. The attacker can then work out if the message
generated a true or false result.
 Time-based—attacker sends a SQL query to the database, which makes the database wait (for a period
in seconds) before it can react. The attacker can see from the time the database takes to respond, whether
a query is true or false. Based on the result, an HTTP response will be generated instantly or after a
waiting period. The attacker can thus work out if the message they used returned true or false, without
relying on data from the database.

Out-of-band SQLi - The attacker can only carry out this form of attack when certain features are enabled on the
database server used by the web application. This form of attack is primarily used as an alternative to the in-band
and inferential SQLi techniques.
Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and gather
information, or when a server is too slow or unstable for these actions to be performed. These techniques count
on the capacity of the server to create DNS or HTTP requests to transfer data to an attacker.

SQL Injection Prevention Techniques


 Input validation - The validation process is aimed at verifying whether or not the type of input submitted
by a user is allowed. Input validation makes sure it is the accepted type, length, format, and so on. Only
the value which passes the validation can be processed. It helps counteract any commands inserted in the
input string.
 Parametrized queries - are a means of pre-compiling an SQL statement so that you can then supply the
parameters in order for the statement to be executed. This method makes it possible for the database to
recognize the code and distinguish it from input data.
 Stored procedures - require the developer to group one or more SQL statements into a logical unit to
create an execution plan. Subsequent executions allow statements to be automatically parameterized.
Simply put, it is a type of code that can be stored for later and used many times.
 Escaping - Always use character-escaping functions for user-supplied input provided by each database
management system (DBMS). This is done to make sure the DBMS never confuses it with the SQL
statement provided by the developer.
 Avoiding administrative privileges - Don't connect your application to the database using an account
with root access. This should be done only if absolutely needed since the attackers could gain access to
the whole system.
 Web application firewall - A WAF operating in front of the web servers monitors the traffic which goes
in and out of the web servers and identifies patterns that constitute a threat. Essentially, it is a barrier put
between the web application and the Internet.
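The first, second and fifth techniques above (input validation, parametrized queries and not connecting with an administrative account) side by side, as an added example written for these notes rather than code from the original. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table contents and the username rule are made up for illustration. The string-built lookup is the vulnerable "before", kept only to show what the parameterized version prevents.

```python
import re
import sqlite3


def make_database():
    """Constructed in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: whatever the user typed becomes part of the SQL text,
    so quote characters in the input change the meaning of the statement."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parametrized query: the statement is compiled with a placeholder first and
    the value is bound afterwards, so the DBMS always treats it as data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Accepted shape for a username (type, length and format), assumed for this example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_validated(conn, username):
    """Input validation in front of the parameterized query: anything that is not
    an accepted username never reaches the database at all."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has an unexpected type, length or format")
    return lookup_parameterized(conn, username)


def least_privilege(conn):
    """Stand-in for 'do not connect as root': this connection may only read.
    (sqlite's query_only pragma plays the role a restricted DB account would.)"""
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_is_rejected(conn):
    """True if the connection refuses a destructive statement."""
    try:
        conn.execute("DROP TABLE users")
    except sqlite3.OperationalError:
        return True
    return False
```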

Buffer Overflow
 Buffers are memory storage regions that temporarily hold data while it is being transferred from one
location to another.
 A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of
the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent
memory locations.
 For example, a buffer for log-in credentials may be designed to expect username and password inputs of
8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the program
may write the excess data past the buffer boundary.
 Buffer overflows can affect all types of software. They typically result from malformed inputs or failure
to allocate enough space for the buffer. If the transaction overwrites executable code, it can cause the
program to behave unpredictably and generate incorrect results, memory access errors, or crashes.
Buffer overflow example
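The 8-byte buffer and 10-byte input from the bullets above, worked through in a small Python model of a stack frame. This is an added example written for these notes, not code from the original: the frame layout, the saved-pointer value and the function names are all constructed, and the model stands in for real process memory only to show which bytes an unchecked copy overwrites and how a length check stops it.

```python
# Model of one stack frame: an 8-byte input buffer immediately followed by an
# 8-byte saved pointer, i.e. the "adjacent memory location" of the text.
BUF_SIZE = 8
PTR_SIZE = 8
FRAME_SIZE = BUF_SIZE + PTR_SIZE
SAVED_POINTER = 0x00007FFFDEADBEEF  # constructed placeholder value


def new_frame():
    """Fresh frame: zeroed buffer, then the saved pointer in little-endian order."""
    frame = bytearray(FRAME_SIZE)
    frame[BUF_SIZE:] = SAVED_POINTER.to_bytes(PTR_SIZE, "little")
    return frame


def saved_pointer(frame):
    """Read back the pointer stored right after the buffer."""
    return int.from_bytes(frame[BUF_SIZE:], "little")


def overflowed(frame):
    """True if the bytes past the buffer no longer hold the original pointer."""
    return saved_pointer(frame) != SAVED_POINTER


def copy_unchecked(frame, data):
    """Like C's strcpy: writes every input byte from the start of the buffer with
    no length check, so bytes 9 and 10 of a 10-byte input land in the pointer."""
    if len(data) > FRAME_SIZE:
        raise RuntimeError("model only covers this one frame")
    frame[0:len(data)] = data
    return frame


def copy_bounded(frame, data):
    """Length-checked copy: input longer than the buffer is refused outright."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame[0:len(data)] = data
    return frame
```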

Buffer Overflow Attack


 Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes
the execution path of the program, triggering a response that damages files or exposes private
information. For example, an attacker may introduce extra code, sending new instructions to the
application to gain access to IT systems.
 If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot
store, and overwrite areas that hold executable code, replacing it with their own code. For example, an
attacker can overwrite a pointer (an object that points to another area in memory) and point it to an
exploit payload, to gain control over the program.

Types of Buffer Overflow Attacks


 Stack-based buffer overflows are more common, and leverage stack memory that only exists during
the execution time of a function.
 Heap-based attacks are harder to carry out and involve flooding the memory space allocated for a
program beyond memory used for current runtime operations.

Protection against Buffer overflow


Developers can protect against buffer overflow vulnerabilities via security measures in their code, or by using
languages that offer built-in protection.
In addition, modern operating systems have runtime protection. Three common protections are:
 Address space layout randomization (ASLR)—randomly moves around the address space locations of data
regions. Typically, buffer overflow attacks need to know the locality of executable code, and randomizing
address spaces makes this virtually impossible.
 Data execution prevention—flags certain areas of memory as non-executable or executable, which stops
an attack from running code in a non-executable region.
 Structured Exception Handler Overwrite Protection (SEHOP)—helps stop malicious code from attacking
Structured Exception Handling (SEH), a built-in system for managing hardware and software exceptions. It
thus prevents an attacker from being able to make use of the SEH overwrite exploitation technique. At a
functional level, an SEH overwrite is achieved using a stack-based buffer overflow to overwrite an exception
registration record, stored on a thread’s stack.

Security measures in code and operating system protection are not enough. When an organization
discovers a buffer overflow vulnerability, it must react quickly to patch the affected software and
make sure that users of the software can access the patch.
