Joseph Steinberg - Cybersecurity For Dummies

Some advanced threats that are used in targeted attacks are described as advanced persistent threats (APTs):

Advanced: Uses advanced hacking techniques, likely with a major budget to support R&D

Persistent: Keeps trying different techniques to breach a targeted system and won’t move on to target some other system just because the initial target is well protected

Threat: Has the potential to inflict serious damage

Another type of advanced attack is the opportunistic, semi-targeted attack. If criminals want to steal credit card numbers, for example, they may not care whether they successfully steal an equivalent number of active numbers from Best Buy, Walmart, or Barnes & Noble. All that the criminals likely care about is obtaining credit card numbers — from whom the numbers are pilfered isn’t relevant.

At the same time, launching attacks against sites that don’t have credit card data is a waste of the attacker’s time and resources.

While it is not necessary for most people to understand the details of how technical cyberattacks exploit system vulnerabilities, it is often interesting for people to understand the basic ideas behind popular methods utilized by hackers. The following sections outline some common ways of breaching and exploiting technical systems.

Rootkits are software toolsets that allow attackers to perform unauthorized activities at a privileged level on a compromised computer. (“Root” refers to the administrator account on UNIX systems.) Rootkits typically also contain features that seek to ensure that the attacker maintains access while that access remains secret from the authorized user or users of the compromised device.

Brute-force attacks are simply attacks in which an attacker tries many possible values until the tools the attacker is using guess the correct value. A brute-force attack, for example, might consist of an attacker trying to log in to a user’s account by trying every possible password combination until the attacker (or the attacker’s brute-force attack tool, as the case may be) submits the correct one. Or the attacker may try different decryption keys until successfully decrypting an encrypted message.

Injection attacks are attacks in which a system is expecting some sort of input from a user, but instead of submitting such input, an attacker submits malicious material such as code, which the receiving system then either executes or distributes to others to execute. Even though proper coding of applications can, at least in theory, prevent most forms of injection attacks, the reality is that many (if not most) systems remain vulnerable to such attacks, and as a result, injection attacks are an extremely commonly used tool within hacker arsenals.

Cross-site scripting (XSS) is a specific type of injection attack in which an attacker adds malicious code into a legitimate web site so that when a user visits the relevant website (via a web browser or app), the malicious code is delivered to the user’s device and is executed there. The attacker is able to insert the malicious code into the legitimate server because the server allows users to submit material that will then be displayed to other users.

Online user forums and social media platforms are prime candidates for cross-site scripting attacks if they are not properly secured against such attacks. So are websites that allow users to comment on information such as a news article. For example, an XSS attack may occur if a hacker submits malicious code within a comment in such a fashion that when a subsequent user’s browser tries to display the comment, it will end up executing the code.

SQL injection attacks are a specific type of injection attacks that exploit the way most computer systems store data, which is in relational databases that provide access to people and systems through the use of what is known as standard Structured Query Language (SQL) interfaces. When an attacker launches a SQL injection attack, the attacker simply submits data to the system that includes SQL commands rather than regular data. For example, if the system asks the user to submit a user ID in order to search on it, and the attacker, aware of the SQL command likely to be used by the system to its database in order to perform that search, instead submits a user ID that consists of code to both complete that command and to issue another command to display all records in the database, the system, if not protected against SQL injection, might do exactly what the attacker wants.

Even if the SQL injection attack does not fully work — and the system being attacked does not display the data — the system’s response to the SQL injection attack may still reveal information about how it handles SQL injection, thereby providing the hacker with information about the system, the database, and the security mechanisms in place (or information as to what is not in place that should be).

Session hijacking refers to situations in which an attacker takes over the communications session between two or more parties. For example, during an online baking session, if an attacker is able to come between the user and the user’s bank in such a fashion that the bank continues its session with the attacker rather than with the legitimate user, that would be an example of a successful session hijacking attack.

In a session hijacking situation, the attacker effectively becomes the authenticated and authorized user as far as the other party is concerned, and the attacker can do anything on the relevant system that the legitimate user would have been authorized to do. Session hijacking often occurs when session management is mishandled by an application, especially in cases in which trust that communications are from a particular session with a particular user is established through technical mechanisms that should not be trusted for such purposes.

Malformed URL attacks are attacks in which an attacker crafts a URL that appears to link to a particular legitimate website, but because of special characters utilized within the URL text, actually does something nefarious. The attacker may then distribute the nefarious URL in email and text messages and/or by posting it within a comment on a blog or via other social media.

Another form of malformed URL attack is an attack in which an attacker crafts a URL that contains elements within it that will cause a system being accessed to malfunction.

Buffer overflow attacks are attacks in which an attacker submits data to a system that exceeds the storage capacity of the memory buffer in which that data is supposed to be stored, thereby causing the system to overwrite other memory with the data the user submitted. Carefully crafted buffer overflow input by an attacker, for example, could overwrite memory space in which the system is storing commands that it will execute per the instructions of its authorized user — perhaps even replacing such commands with commands the attacker wants the system to execute.

Chapter 3

IN THIS CHAPTER

Clarifying who the “good guys” and “bad guys” are