Thursday, December 31, 2015

What is a Cross Site Request Forgery Attack ?



A Cross Site Request Forgery Attack, or CSRF Attack, is an attack in which a user who is authenticated to a web application is tricked into performing an unwanted action, such as transferring funds to the attacker or changing the password of his account.





How is CSRF Attack perpetrated

Most sites use cookies, in which they store user credentials associated with the site, IP address etc. The browser includes the information in the cookie with every request it submits to that site. Normally, the cookie is set when a user authenticates himself to the web application.

Suppose a user has authenticated to a banking site bank.com and the corresponding cookie is set on his machine. From this point on, the cookie will be sent with whatever request his browser sends to the banking site.


Now, an attacker XYZ wants to exploit the cookie and trick the user into transferring $10,000 to the attacker's account. The corresponding HTTP request for that operation is :

http://bank.com/transfer.do?acct=XYZ&amount=10000


So, the attacker sends an email to the user or tricks him into clicking a link in a webpage. And the link contains :

<a href="http://bank.com/transfer.do?acct=XYZ&amount=10000">Interesting Pictures! </a>



When the user clicks the link while he is already authenticated to the banking site, the action will be performed and $10,000 will be transferred to the attacker XYZ.


Here, I just gave one simple example to understand the attack. In a similar way, the user may be tricked into changing his password or email address, or into purchasing something. And applications using the GET or POST method or using forms are equally vulnerable to this attack.



The CSRF payload can also be stored in the vulnerable site itself. If that happens, the severity of the attack increases. In that scenario, the likelihood of the attack also increases, as the victim is more likely to visit a page of the site he already uses than to visit some random website or click on some random link.



Countermeasures of CSRF Attack


The most common method of preventing CSRF Attacks is to append an unpredictable challenge token to each request submitted by the user. Such tokens must be unique per session and also unique per request. As a result, even if the victim is tricked into clicking some malicious link and submitting a request, the attacker won't be able to predict the value of the challenge token. And so, the request will not be performed by the web application. Most web applications prevent CSRF Attacks with this method.
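As an added example (not code from the original post), here is the per-session, per-request challenge token check described above, written in Python. The session store, the balances and the /transfer.do handler are constructed stand-ins, and each token is single-use, so a token that leaks cannot be replayed in a second request.

```python
"""CSRF challenge tokens: unique per session and per request (synchronizer token pattern)."""
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory stores; a real application keeps these in its session storage.
SESSIONS = {}          # session_id -> {"user": ..., "csrf_tokens": set()}
BALANCES = {"alice": 50000}
TRANSFERS = []         # log of (from_user, to_acct, amount) actually performed


def login(user: str) -> str:
    """Create a session for `user` and return the session id that goes into the cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_tokens": set()}
    return session_id


def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh unpredictable token for one form/request and remember it under the session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_tokens"].add(token)
    return token


def consume_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Return True only if `presented` is a token issued to this session; the token is then
    invalidated so it cannot be replayed."""
    if presented is None:
        return False
    tokens = SESSIONS[session_id]["csrf_tokens"]
    for issued in tokens:
        # Constant-time comparison avoids leaking the token through timing differences.
        if hmac.compare_digest(issued, presented):
            tokens.remove(issued)
            return True
    return False


def handle_transfer(cookie_session_id: str, params: dict) -> str:
    """Simulated /transfer.do handler. `params` are the request parameters
    (acct, amount, csrf_token); the session id arrives in the cookie."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return "rejected: not authenticated"
    if not consume_csrf_token(cookie_session_id, params.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    user = session["user"]
    amount = int(params["amount"])
    if BALANCES[user] < amount:
        return "rejected: insufficient funds"
    BALANCES[user] -= amount
    TRANSFERS.append((user, params["acct"], amount))
    return "transferred"


def demo() -> Tuple[str, str, str]:
    """Victim logs in; a cross-site link carries the cookie but cannot carry a valid token."""
    sid = login("alice")
    # What the forged link http://bank.com/transfer.do?acct=XYZ&amount=10000 produces:
    # the browser attaches the session cookie, but no token issued to this session.
    forged = handle_transfer(sid, {"acct": "XYZ", "amount": "10000"})
    # Even a random guess of the right length does not match any issued token.
    guessed = handle_transfer(sid, {"acct": "XYZ", "amount": "10000",
                                    "csrf_token": secrets.token_urlsafe(32)})
    # A legitimate form rendered by bank.com embeds a token issued to this session.
    token = issue_csrf_token(sid)
    genuine = handle_transfer(sid, {"acct": "bob", "amount": "100", "csrf_token": token})
    return forged, guessed, genuine


if __name__ == "__main__":
    print(demo())
```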



Cautions to be taken by users

  • Log off immediately after using the web application.
  • Do not allow your browser to store the username and password of sensitive web applications like banking sites.
  • Do not use the same browser to open a sensitive web application and to browse other websites freely.
  • You can also use plugins like NoScript. It makes POST-based CSRF vulnerabilities much more difficult to exploit.



So, follow some simple rules and beware of the possible vulnerabilities. And, stay safe, stay secured.

What is an FTP Bounce Attack ?



Suppose X is a user on attacker.com and X wants to transfer a file from target.com. But X does not have permission to transfer files from target.com. There is another machine, middle-man.com, which has permission to transfer files from target.com.

So, X makes a plan. He opens an FTP connection to middle-man.com and then instructs middle-man.com to transfer the file from target.com to attacker.com using the FTP protocol. This is called an FTP Bounce Attack.








How is FTP Bounce Attack perpetrated


This attack is possible when the FTP Server on middle-man.com supports passive mode.

Let's look at what passive mode of an FTP connection is.


FTP protocol normally uses two connections – one control connection and one data connection. Commands are transferred using control connection and data travels through the data connection.

In Active FTP, the FTP client first initiates the control connection from its port N to the FTP Server's command port, port 21. The client then listens on port N+1 and sends the port number N+1 to the FTP Server. The FTP Server then initiates the data connection from its port M to port N+1 of the FTP client.


But if the FTP client is behind a firewall that controls incoming data connections from outside, then active FTP may be a problem. A feasible solution for that is Passive FTP.


In Passive FTP, the client initiates the control connection from its port N to port 21 of the FTP Server. After this, the client issues a PASV command. The server then sends the client one of its port numbers, M. And the client initiates the data connection from its port P to port M of the FTP Server.


In an FTP Bounce Attack, the attacker exploits the passive mode of the FTP Server. He performs the following steps :

  • X opens an FTP connection from attacker.com to the FTP Server middle-man.com.
  • X issues a PORT command and asks the server to open a data connection to port M. But he tricks the FTP Server: instead of specifying the IP address of attacker.com, he gives the IP address of target.com.
  • X now sends the FTP Server a file containing a list of commands and requests it to execute them.
  • The file has the following set of commands :
    1. Open an FTP connection to target.com.
    2. middle-man.com uses passive mode, so it must send a port number to which target.com should open a data connection. middle-man.com specifies that with a PORT command, but instead of giving the IP address of middle-man.com, the file specifies the IP address of attacker.com.
    3. Transfer the required file over the connection thus established.


So, at this point, middle-man.com is tricked into requesting target.com to open a data connection that actually goes from target.com to attacker.com.

And this is how an FTP Bounce Attack is performed.



Countermeasures


A commonly used countermeasure is to configure the FTP Server not to allow data connections to be established with any host other than the FTP client itself.
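An added example, not from the original article: a Python check an FTP server can apply to the PORT command so that the data connection can only go back to the client that sent it. The reply codes are the standard FTP ones; the refusal of reserved ports is an extra hardening step I assume beyond what the article states.

```python
"""Server-side check for the FTP PORT command: only allow the data connection back to the
peer address of the control connection (the countermeasure described above)."""
import ipaddress
from typing import List, Optional, Tuple


def parse_port_argument(arg: str) -> Optional[Tuple[str, int]]:
    """Parse 'h1,h2,h3,h4,p1,p2' (RFC 959 PORT syntax) into ('h1.h2.h3.h4', p1*256+p2).
    Returns None if the argument is malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        return None
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def accept_port_command(arg: str, control_peer_ip: str) -> Tuple[bool, str]:
    """Decide whether to honour a PORT command received over a control connection from
    `control_peer_ip`. Returns (accepted, reply_line)."""
    parsed = parse_port_argument(arg)
    if parsed is None:
        return False, "501 Syntax error in parameters or arguments."
    host, port = parsed
    # Core bounce defence: the data connection may only go back to the client itself.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return False, "500 Illegal PORT command (address does not match control connection)."
    # Additional hardening (assumption, not from the article): refuse reserved ports so the
    # server cannot be pointed at services such as SMTP (25) or HTTP (80) even on the client.
    if port < 1024:
        return False, "500 Illegal PORT command (reserved port)."
    return True, "200 PORT command successful."


def demo() -> List[Tuple[bool, str]]:
    """Constructed session: the control connection comes from 203.0.113.5 (attacker.com in
    the article's terms) and sends one honest and one bounced PORT command."""
    peer = "203.0.113.5"
    honest = accept_port_command("203,0,113,5,195,80", peer)    # port 195*256+80 = 50000
    bounced = accept_port_command("198,51,100,7,0,25", peer)    # another host, port 25
    malformed = accept_port_command("203,0,113,5,999", peer)
    return [honest, bounced, malformed]


if __name__ == "__main__":
    for accepted, reply in demo():
        print(accepted, reply)
```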


This was an informative article on FTP Bounce Attack. Hope you enjoyed it.

Wednesday, December 30, 2015

What is a Confused Deputy Attack ?



Let's look at a simple example to understand the problem first.

Suppose a client sends the name of an input file and of an output file to the server. The server compiles the input file and stores the result in the output file. Let's also assume that the client has less privilege than the server.






Now, also assume there is another file “restricted” on which the server has permission but the client does not. At this point, if the client sends an arbitrary input file and “restricted” as the output file, the server will compile the input file and write it to the file “restricted”, overwriting its previous content. Here, the client did not have permission on “restricted”, but the server had. So, the server here is a deputy that was exploited to perform a malicious action. This type of problem is called a Confused Deputy Attack.



Is there any real life example of Confused Deputy Attack ?


Yes, there are a couple of them.

  • Cross-site request forgery is an example of a Confused Deputy Attack. Web applications normally use a cookie to authenticate all requests transmitted by a browser. An attacker can take advantage of that and use JavaScript to submit an authenticated HTTP request using the authority of the client of the web browser.
  • Clickjacking is another example of a Confused Deputy Attack. A user visits an attacker controlled website and thinks he is harmlessly browsing a website. But actually, he is tricked into acting as a confused deputy and performs sensitive actions, getting infected by malware.
  • The FTP Bounce Attack is an example of a Confused Deputy Attack. In this attack, an attacker uses the PORT command and uses a victim machine's FTP Server to get access to TCP ports to which the attacker himself has no permission to connect. Here, the FTP Server is the confused deputy.



Are there any countermeasures for Confused Deputy Attack ?


Yes, the client can send the input file and a capability for the output file to the server, where a capability for a file is the name of the file along with the client's permission on that file. As a result, if the client does not have permission on the output file, it won't be able to overwrite it.

In the example of Cross-site request forgery, a URL supplied cross-site would use its own authority, irrespective of the authority of the client of the web browser.
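An added Python example (not part of the original article) that models the compile server from the first section together with the capability countermeasure above. WRITE_ACL, the file names and both deputies are constructed: the first writes with the server's own ambient authority, the second only through the capability the client presents.

```python
"""Confused deputy demo: a compile server that writes output with its own (ambient)
authority, next to one that only writes through a capability the client proves it holds."""
from typing import Dict, Set

# Constructed access-control table: file name -> set of principals allowed to write it.
WRITE_ACL: Dict[str, Set[str]] = {
    "output.bin": {"client", "server"},
    "restricted": {"server"},            # the server may write it, the client may not
}
FILES: Dict[str, str] = {"restricted": "billing records", "input.src": "int main(){}"}


def compile_source(src: str) -> str:
    """Stand-in for a compiler: just tags the source as compiled."""
    return "COMPILED(" + src + ")"


def write_as(principal: str, name: str, data: str) -> bool:
    """Write `name` if `principal` is allowed to; this check stands in for the OS permission."""
    if principal not in WRITE_ACL.get(name, set()):
        return False
    FILES[name] = data
    return True


def deputy_ambient(client: str, infile: str, outfile: str) -> bool:
    """Vulnerable deputy: the client merely names the output file and the server writes it
    with the server's own permission, so naming 'restricted' overwrites a file the client
    could never write itself."""
    return write_as("server", outfile, compile_source(FILES[infile]))


class Capability:
    """A capability names a file together with the holder's permission on it."""

    def __init__(self, name: str, holder: str) -> None:
        self.name, self.holder = name, holder

    def may_write(self) -> bool:
        return self.holder in WRITE_ACL.get(self.name, set())


def deputy_capability(client: str, infile: str, out_cap: Capability) -> bool:
    """Fixed deputy: the output is written only through the capability the client presents,
    so the write succeeds only if the client itself may write that file."""
    if out_cap.holder != client or not out_cap.may_write():
        return False
    return write_as(out_cap.holder, out_cap.name, compile_source(FILES[infile]))


def demo() -> Dict[str, bool]:
    """Constructed run: the client aims both deputies at 'restricted', then at its own file."""
    before = FILES["restricted"]
    hit = deputy_ambient("client", "input.src", "restricted")
    clobbered = FILES["restricted"] != before
    FILES["restricted"] = before                      # reset for the second deputy
    blocked = not deputy_capability("client", "input.src", Capability("restricted", "client"))
    intact = FILES["restricted"] == before
    legit = deputy_capability("client", "input.src", Capability("output.bin", "client"))
    return {"ambient_overwrote": hit and clobbered,
            "capability_blocked": blocked and intact,
            "legit_write": legit}


if __name__ == "__main__":
    print(demo())
```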



This was an informative article on Confused Deputy Attack. Hope you liked it.

Tuesday, December 29, 2015

What is Page Hijacking ?



If a website duplicates the contents of a popular website, web crawlers will detect the duplicate while indexing the webpages. And if two pages have same content, only one will be shown and the other will be kept in Show Similar Pages. And, attackers take advantage of this behavior in Page Hijacking.




How is Page Hijacking perpetrated


In Page Hijacking, attackers make a website duplicating the contents of a popular website. Then they use malicious techniques that ensure that, after a few weeks, their duplicate website gets shown and the original is kept in Show Similar Pages.


For example, suppose a popular website is called www.ecommerce.com and it sells online clothes.

To do Page Hijacking, attackers first make a website www.ecommerce.org and duplicate the webpages. After a few weeks, the search result will show something like this :


Ecommerce.org - Buy Clothes Online
Offering clothes online
www.ecommerce.org
- Show Similar Pages -


As a result, visitors searching with “online clothes” will end up visiting the malicious website www.ecommerce.org, instead of the authentic website of ecommerce.com.


Now, the attackers are free to redirect the innocent visitors to an unrelated malicious website, which may spread malware through drive-by download or by some other means. Or, the attackers may even plan for perpetrating more attacks.



Countermeasures of Page Hijacking for Users


A couple of steps can be taken to prevent falling victims of Page Hijacking :

  • Use your common sense while browsing. Do not install anything on your computer unless you are very sure the source can be trusted.
  • Use anti-virus autoprotection, so that it can alert you at proper time.
  • Keep an anti-hijack toolkit to be on safer side. You can use Ad-aware, Spybot, Hijackthis, CWShredder or similar.
  • Keep your browser and other commonly used software updated with recent security patches.


Countermeasures of Page Hijacking for Website Owners

If a website is falling victim to Page Hijacking and its traffic rank is dropping dramatically, hurting the business a lot, the website owners should contact the third-party site first. Sometimes Page Hijacking happens unintentionally. If that is the case, the third-party site cooperates in most cases.

However, if Page Hijacking is done for malicious purposes, the website owners should report the malicious website to the search engines. Many times the search engines investigate the matter and take the necessary steps.


So, beware of various security vulnerabilities, so that you can protect yourself and your websites in a better way. And, stay safe, stay secured.

Monday, December 28, 2015

What is Mousetrapping and How does it spread malware ?



Mousetrapping is a technique used by attackers to keep visitors from leaving their website, so that they can take advantage of them. Mousetrapping is done by launching numerous pop-ups endlessly or by disabling the Back/Forward or even the Close button.



Different ways of Mousetrapping 


Mousetrapping can be done in different ways :

  • numerous new pages may open up
  • the same page may open several times
  • browser buttons like Back/Forward or Close may become inaccessible, making the page harder to close
  • several pop-ups may open up that alert about something or ask to take some action
  • unwanted commercial ads, gambling requests, fake lottery requests or adult contents may start showing up again and again


Threats of Mousetrapping


Mousetrapping is normally associated with typosquatting and browser hijacking. When a user misspells a popular URL in the address bar, the malicious website opens and it starts Mousetrapping. Clearly, it takes time for the user to close the website, and by then, the attackers start drive-by download of malware. They can even change the browser settings of the user, so that the attackers can infect the computer with even more malware or perform more attacks.



Countermeasures of Mousetrapping


There are a number of countermeasures that can be taken to prevent Mousetrapping :

  • If you ever run into Mousetrapping, press the keyboard shortcut to close the window, because most of the browser buttons become inaccessible at this time, and closing webpages like this takes less time as well.
  • If that does not work, you can try disabling JavaScript in your browser, because Mousetrapping is normally implemented using JavaScript.
  • If that also does not work by any chance, you can reboot your computer (e.g. with Ctrl + Alt + Delete in Windows).
  • Never ever perform the actions suggested in the pop-ups, because that is exactly what the attackers intend. If you perform those actions, your computer will definitely be infected with malware.
  • Keep the software you use updated with security patches, so that the attackers cannot take advantage of the security holes in that software.
  • Keep your computer protected with an up-to-date, trusted anti-malware program.
  • Please remember that educating oneself about the recent threats and their countermeasures is always the best policy to go with.



This was an article to keep you informed about another recent threat and the countermeasures that can be taken. Hope it solved its purpose.

What is a Drive-By Download ?



Previously, malware used to infect a computer through a software installation initiated by the user: when a user clicked on a link and accepted the installation of software, the installation started, and along with it malware was downloaded and infected the computer. But now many attackers use a concept called Drive-By Download to spread malware.





What is a Drive-By Download ?


A Drive-By Download is a technique through which a malware can start downloading simply through visiting the attacker controlled website. When a user visits a malicious website, download starts in background in the computer or mobile devices. Mostly, this type of download exploits some security flaw in the browser or other software commonly used.



How does Drive-By Download work ?


The initial code installed by a Drive-By Download is very small. The code often simply contacts other computers and instructs the machine to download the rest of the malware. Normally, the malicious website contains several pieces of malware exploiting different security flaws. And when a user visits the website, at least one of them gets downloaded by taking advantage of some security flaw.


Attackers normally send links of these malicious websites through email or text messages and even through attracting social media posts. The attackers sometimes post an interesting article or cartoon in social media and when a user enjoys the article, Drive-By Download starts in background.



Countermeasures of Drive-By Downloads


Security experts are constantly doing research on this topic. Normally, security experts use some test machine and visit websites that have previous records of spreading malware. If on visiting the website, malware starts downloading on the test machine, proper action is taken.

Though educating oneself is the best policy. Do not click on suspicious looking links. If you are not very sure about the authenticity of a website, it is better not to visit it. And be careful about clicking on interesting looking but suspicious social media posts. They may do much more harm than good.

And it is always advisable to update the software you are using with security patches. Mostly, attackers take the advantage of security flaws in software to spread malware.

Preferably, use a safe search tool that will keep you updated about possible malicious websites. And use trusted antivirus software.


This article was to inform you about another recent threat. Hope it solved its purpose.

What is Typosquatting ?



Sometimes misspelling in the address bar of a URL of a popular website takes us to a similar looking but different website altogether. Most of the cases these similar looking websites are controlled by hackers, who exploit this for illegitimate purposes. This is called Typosquatting.




Typosquatting is a type of cybersquatting, where an attacker uses an internet domain name with the intent of illegitimate profit from the goodwill of a trademark belonging to someone else. Most of the cases Typosquatting is done by the attackers with the intent of spreading malware, get revenue from website traffic or phishing.



Typosquatted URLs


A study says that mainly five types of URLs are used for Typosquatting :

  • Foreign language spelling of a popular website
  • Common misspelling or typing error of a popular website, e.g. goggle.com
  • A differently phrased domain name, e.g. apples.com
  • A different top level domain, e.g. amazon.org
  • Abuse of Country Code Top Level Domain, e.g. Google.cm

A user is more likely to wrongly type these types of URLs in the address bar, and the typosquatters exploit that.




Why is Typosquatting done


There are several reasons for which attackers do Typosquatting. To name a few :

  • To earn revenue from the website traffic of visitors who arrive with a mistyped URL.
  • To redirect the typo-traffic to the competitor of the actual website.
  • To try to sell the typosquatted domain to the actual website and earn money illegitimately.
  • To redirect the typo-traffic to the actual website, but through the affiliate program, and thus illegitimately earning revenue from the brand-owner's affiliate program.
  • To steal sensitive data from the visitors. Sometimes the attackers make a website looking very much like the actual website. As a result, if a visitor provides his name, credit card numbers etc. on that website by mistake, the information gets stolen.
  • Sometimes, these fake websites are used in phishing.
  • With a drive-by-download, malware can be installed in a computer by just visiting the website, though the user does not click or initiate installation of any software from the website. Sometimes, these fake websites are used to spread malware.
  • To expose users to internet pornography.


From 2006 to 2008, a typosquatted domain of Google called Goggle.com was used to spread malware and even rogue anti-malware.



Defenses


One possible defense of Typosquatting may be to buy variants of domain names that can be used by typosquatters. For example the following variants of domain names can be considered :

  • Replacement of letter 'O' with number '0'
  • Domain names with missing dot (.) between www and the actual domain name. For example, wwwexample.com
  • Singular and plural versions of domain names.
  • Hyphenated and non-hyphenated versions of domain names.
  • Domains with other domain extensions like .net, .org, .com etc.
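Added example, not from the original article: a Python generator for the variant list above, so a brand owner can register or monitor those names. OTHER_TLDS and the optional `words` split used for the hyphenated form are assumptions, and the letter swap also covers 'l' to '1', which the list does not mention.

```python
"""Generate the typosquat-style domain variants a brand owner may want to register or watch."""
from typing import List, Optional, Set, Tuple

OTHER_TLDS = ("com", "net", "org")   # assumption: extend with the TLDs relevant to your brand


def split_domain(domain: str) -> Tuple[str, str]:
    """Split a registrable name such as 'ecommerce.com' into ('ecommerce', 'com')."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def letter_digit_swaps(label: str) -> Set[str]:
    """Replace letter 'o' with digit '0' (and 'l' with '1'), one position at a time and all at once."""
    swaps = {"o": "0", "l": "1"}
    out: Set[str] = set()
    for i, ch in enumerate(label):
        if ch in swaps:
            out.add(label[:i] + swaps[ch] + label[i + 1:])
    everything = "".join(swaps.get(c, c) for c in label)
    if everything != label:
        out.add(everything)
    return out


def plural_singular(label: str) -> Set[str]:
    """The other number: drop a trailing 's' or add one."""
    return {label[:-1]} if label.endswith("s") else {label + "s"}


def hyphen_variants(label: str, words: Optional[Tuple[str, ...]] = None) -> Set[str]:
    """Remove existing hyphens; if the caller says which words the label is made of,
    also produce the hyphenated spelling."""
    if "-" in label:
        return {label.replace("-", "")}
    if words and "".join(words) == label:
        return {"-".join(words)}
    return set()


def typosquat_candidates(domain: str, words: Optional[Tuple[str, ...]] = None) -> List[str]:
    """All variants from the list above for `domain`, excluding the domain itself."""
    label, tld = split_domain(domain)
    labels = {label} | letter_digit_swaps(label) | plural_singular(label) | hyphen_variants(label, words)
    candidates: Set[str] = set()
    for lab in labels:
        candidates.add(lab + "." + tld)
        for other in OTHER_TLDS:                  # other extensions
            candidates.add(lab + "." + other)
        candidates.add("www" + lab + "." + tld)   # missing dot between www and the name
    candidates.discard(domain.lower())
    return sorted(candidates)


if __name__ == "__main__":
    for name in typosquat_candidates("ecommerce.com", words=("e", "commerce")):
        print(name)
```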

There are also a number of tools available which can suggest variants of domains that can be typosquatted. One such tool can be found here.


Also, there are a number of tools available to detect Typosquatting. One such example may be Microsoft Strider. One can use the tools for mitigating the risks.




There are more ways to scam people on the internet than ever before. You need to be aware of all these scams, stay educated and use your common sense.

Saturday, December 26, 2015

What is a Browser Hijacker ?



A Browser Hijacker is unwanted software that changes a web browser's settings without the user's permission. But actually a Browser Hijacker is much more serious than that. Apart from changing the browser's settings, it often installs adware, spyware or other malware and steals sensitive user information, making the user vulnerable to even more attacks.


I think almost all of us have encountered them at some point. Most of the time, they are bundled with software from untrusted sources. Some software installs them as add-ons by default and some gives the option to install them, and a user installs them by mistake.

Once installed, they change browser settings, the default search engine and the home page. Some of them install adware and start displaying unwanted ads. And most of them install additional malware and start stealing sensitive user information like usernames, credit card numbers etc. As a result, the user becomes vulnerable to more attacks like Phishing. They slow down computer performance. And some of them change system settings so maliciously that the user is left with no other option than to reinstall the Operating System.




This article will mention a couple of most common Browser Hijackers and how they affect a computer. I am pretty sure, if you have experienced sudden slow down of your system or display of unwanted ads or pornographic sites, you can recognize few of them in your system.

Ask Toolbar – This hijacker comes as a bundle with software from untrusted source. It changes the browser settings like homepage and default search engine. It also displays unwanted adverts. You can uninstall it from your system's Add/Remove Programs.

Babylon Toolbar – This also comes with software from untrusted source. It changes the browser homepage. It changes the default search engine to isearch.babylon.com. It also installs additional adware and displays unwanted adverts, sponsored links and spurious search results. The program also steals user data like search terms etc. This also can be uninstalled from system's Add/Remove Programs.

Conduit Search – This also comes with software from untrusted sources. It changes the browser's default search engine, home page, new tab page and several other settings. Once installed, it steals sensitive user information and transfers that data to a malicious third party. Users infected with this hijacker can experience Phishing attempts. It also installs other malware like adware or spyware on the computer. Uninstalling this malware is not easy. It changes system settings in such a way that the computer starts showing several system errors after uninstallation. And as long as it is installed, it prevents any change of the browser settings away from the malicious ones.

CoolWebSearch – It redirects users to its malicious homepage of CoolWebSearch search engine. The results of this search engine are mostly sponsored links. This hijacker can be uninstalled using a tool called CWShredder.

Coupon Server – This comes with many freeware applications in internet. This program can infect a computer without a user's knowledge. It forcibly redirects users to its homepage to fool users. It also directs browsers to suspicious domains and change other browser settings.

GoSave – This hijacker inserts unwanted adverts into webpages. It also adds plugins or extensions to whatever browser is default. This program is not necessarily named GoSave – it varies from GS Booster, GS Sustainer or something else.

istartsurf – This also comes bundled with other software from untrusted sources. It installs silently and replaces the preferred search tool.

Mixi.DJ – Mixi.DJ offers media player, but with this comes free toolbar and conduit based search engine. It changes the browser home page. It also adds itself to computer's registry, creates strings in memory and changes Internet Explorer's icon to magnifying glass.

MyStart.IncrediBar Search – It is much more dangerous than a hijacker. It is also a virus and spyware. The effect may range from simple performance degradation to system crashes. Sometimes the effects are so severe that the user is left with no other option than to reinstall the Operating System. You can recognize this program by the installation of its MyStart search toolbar. Uninstallation of this malware is not easy. It changes system settings in such a malicious manner that removing this malware becomes a daunting task. But there are a few applications like Spysweeper, Eset NOD32 and AdwCleaner which can remove this malware.




Onewebsearch – This is also malware. It is often referred to as the onewebsearch virus, and it changes browser settings upon installation.



RocketTab – This is also much more serious than a mere hijacker. It redirects all http and https traffic through itself. It also creates problems for security applications.



Searchassist – It changes newtab home page to searchassist.net. If not uninstalled properly, it repeatedly changes browser settings. It slows down computer performance and causes the computer to restart frequently. It is also a spyware. It can be uninstalled with ADWCleaner, Spyhunter and MalwareBytes.



Search-daily.com - It slows down computer performance and redirects user's searches to pornographic sites.



Searchult.com – This is also a malware. It changes browser settings and displays unwanted adverts.



Searchgol.com – It changes browser's default search engine. And it downloads other malware in the computer. Removing this virus is not easy. Users need to perform browser restore after uninstallation.



Searchnu.com – It changes default search engine to search-results.com. If anything is searched in the search engine, the search will redirect the user to Ask.com and related websites. Uninstalling this hijacker is however easy.



Snap.do – It redirects users to the Snap.do search engine. But it is not merely a hijacker; it is also spyware. It also downloads other malicious programs like DVDVideoSoftTB, General Crawler and Save Valet. General Crawler is a backdoor and it reinstalls itself every time a user tries to uninstall it. It also steals sensitive user data.



SourceForge Installer – It changes the browser homepage to istartsurf.com. It changes registry settings and resets the browser settings if the user tries to change it.



Taplika – It is also a trojan and steals sensitive user data and sends them to malicious third party. It can encrypt personal data. The user may even lose personal data. It can also cause hardware damages.



TV Wizard – It changes browser settings and redirects DNS Not Found errors. It also changes the security settings of the browser and reduces overall security. It also tracks users, and at uninstallation only part of it is removed.



Vosteran – This also comes with software installed from untrusted sources. It changes browser settings such as home page and default search engine.



So, beware of Browser Hijackers. Think twice before installing software from dubious sources. And be careful while selecting the add-ons while installing software. Update your computer with anti-malware programs. And stay safe, stay secured. 

What is a Spider Trap ?


Attackers normally use a Spambot for sending spam. A Spambot is an automated program which is used by attackers to send spam emails to users, send automated posts to various forums or even to social networking sites like Twitter.


Spambots crawl websites for malicious purposes and waste a website's bandwidth unnecessarily. So, websites use Spider Traps as a countermeasure against those spambots.



How does a Spider Trap work




Spambots request webpages from a webserver several times within a short duration. So, to counter them, a Spider Trap catches spambots and makes them run in some infinite loop.


There are a number of common techniques that are frequently used to make the Spambots run in an infinite loop. To name a few of them :

  • Sometimes, a cyclic directory structure is used. For example : /path/to/directory/again/path/to/directory. As a result, if a spambot starts crawling the website, it will start running in an infinite loop.
  • Some websites use unbounded number of dynamic pages. For example, algorithmically generated poetry or including a calendar.
  • Webpages filled with a very large number of characters, so that a lexical analyzer that tries to parse them ends up crashing.



Disadvantage of using Spider Trap

Not all web crawlers are spambots. Sometimes, polite web crawlers crawl websites for indexing purpose. So, a website cannot use Spider Traps to trap all the crawlers it encounters. It needs to differentiate between Spambots and legitimate web crawlers.



How to prevent legitimate webcrawlers from falling into Spider Trap


Polite webcrawlers alternate requests between different hosts. They do not request webpages from the same server more than once within a short time frame. So, normally Spider Traps do not affect them much. Moreover, websites with Spider Traps can keep a robots.txt file containing enough information that legitimate webcrawlers do not fall into the trap.
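An added Python example (not from the original article) of the crawler-side behaviour described above: it honours a robots.txt (the constructed ROBOTS_TXT marks the trap paths and a Crawl-delay), refuses paths whose segments repeat like the cyclic directory example, and spaces out requests to one host. MAX_DEPTH and the default one-second interval are assumptions.

```python
"""Polite-crawler checks that keep a legitimate crawler out of spider traps: honour
robots.txt (including Crawl-delay), refuse cyclic paths, and never hit one host too quickly."""
from typing import Dict
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

MAX_DEPTH = 12   # assumption: paths deeper than this are treated as a trap

# Constructed sample robots.txt of the kind the article recommends: it names the
# trap directories so that legitimate crawlers stay out of them.
ROBOTS_TXT = """User-agent: *
Disallow: /trap/
Disallow: /calendar/
Crawl-delay: 2
"""


def path_is_cyclic(path: str) -> bool:
    """True if the path is too deep or repeats a run of two or more segments, as in
    /path/to/directory/again/path/to/directory."""
    segs = [s for s in path.split("/") if s]
    if len(segs) > MAX_DEPTH:
        return True
    for size in range(2, len(segs) // 2 + 1):
        seen = set()
        for i in range(len(segs) - size + 1):
            window = tuple(segs[i:i + size])
            if window in seen:
                return True
            seen.add(window)
    return False


class PoliteCrawlerPolicy:
    """Decides, without fetching anything, whether a URL should be requested now."""

    def __init__(self, user_agent: str, robots_txt: str) -> None:
        self.user_agent = user_agent
        self.robots = RobotFileParser()
        self.robots.parse(robots_txt.splitlines())
        delay = self.robots.crawl_delay(user_agent)
        self.min_interval = float(delay) if delay is not None else 1.0
        self.last_fetch: Dict[str, float] = {}   # host -> timestamp of last request

    def decide(self, url: str, now: float) -> str:
        parts = urlsplit(url)
        if not self.robots.can_fetch(self.user_agent, url):
            return "skip: disallowed by robots.txt"
        if path_is_cyclic(parts.path):
            return "skip: cyclic or excessively deep path"
        last = self.last_fetch.get(parts.netloc)
        if last is not None and now - last < self.min_interval:
            return "defer: host fetched %.1fs ago" % (now - last)
        self.last_fetch[parts.netloc] = now
        return "fetch"


if __name__ == "__main__":
    policy = PoliteCrawlerPolicy("examplebot", ROBOTS_TXT)
    for t, u in ((0.0, "http://example.com/products/1"),
                 (0.5, "http://example.com/products/2"),
                 (1.0, "http://example.com/trap/a/b"),
                 (3.0, "http://example.com/path/to/directory/again/path/to/directory")):
        print(u, "->", policy.decide(u, t))
```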



This was a short informative article on Spider Trap. Hope you enjoyed it.

What is a Spambot ?



A Spambot is an automated program used for sending spam. Using this type of program, a spammer sends spam emails and automated posts to various forums or even social networking sites like Twitter.


Spambots are widely used by the attackers to send spams to email accounts. They are even used to send spam comments to online forums and social networking sites like twitter.





Email Spambots :

Email Spambots are widely used to send spam emails to various email accounts.

Firstly, attackers use automated web crawlers to collect email addresses of people from various websites, newsgroups, chat room and forums. And, after collecting enough number of email addresses, they use automated scripts to send spam emails to those email accounts.



Forum Spambots :


Sometimes malicious users apply illegitimate techniques to increase search engine ranking of their websites. They make automated scripts and start posting to various forums, blogs and wikis. Those automated posts are not meant for human reading. They contain hyperlinks to their websites, exploiting which they illegitimately increase the search engine rankings of those websites. These types of Spambots are called Forum Spambots.



Twitter Spambots :


Sometimes malicious users use Spambots to produce automated posts in social networking sites like Twitter. These Spambots can automatically follow other users, post comments or even re-tweet and all these are done for malicious purposes. These are called Twitter Spambots.


Countermeasures of Spambots


We can take a couple of steps which can prevent us from these Spambots. To name a few :

  • Do not write your email address in any webpage as it is. Instead apply the technique of address munging. Just to give an example, if your email address is john@example.com, you can write it as john [AT] example [DOT] com. Normally, these Spambots use the concept of regular expressions to collect email addresses from webpages. If you follow address munging like this, it will prove difficult for them to collect your email address for spamming.
  • Some Spambots are quite smart and they use techniques to counter address munging. They modify their scripts to take care of commonly used address munging techniques. So, to outwit their techniques some other methods are used. You can display part of your email address as an image. This will again make their life more difficult.
  • To prevent Spambots from posting automated posts to your forum, you may use security questions or ask a submitter to email a few lines confirming her intention. As Spambots give fake email addresses in posts, this type of confirmation will prove difficult for them.
  • And you can always mark an email as spam when you get one. Remember, email service providers normally use machine learning to detect spam. So, the more you mark emails as spam, the better the software becomes at detecting future spam.


This was just an introductory article to keep you informed about Spambots. Hope it served its purpose.

What is a Spamtrap ?



Nowadays, almost all email service providers can automatically and effectively detect spam emails in user accounts and redirect those potential spam emails to spam folders without human intervention.

But, how are spam emails detected automatically by email service providers ?



How are spam emails detected automatically ?

Almost all email service providers use machine learning to detect spam emails. Typically, the technique relies on a set of predefined rules. When an incoming email matches most of those rules, it is marked as spam and redirected to the spam folder automatically; otherwise, it is delivered to the inbox.



What is a Spamtrap 





To detect spam emails automatically, one first has to decide on rules for detecting spam, based upon which the software can identify potential spam emails.

To decide on those rules, enough research is first done on spam emails to find their most common properties. Based on those properties, rules for detecting spam emails are set.

Once the rules are decided, the email service providers configure them in the spam detection software, and spam emails are then detected automatically in user email accounts.

A Spamtrap is an email address used to collect spam emails, so that enough research can be done on them to detect spam.

We have learnt about Honeypots in Computer Security and how they are used to lure the attackers. Spamtraps are like honeypots for collecting spam emails. They are the email addresses that are meant to collect spams only.


How are Spamtraps used


Anti-spam systems are normally automated. They collect samples of spam emails and make rules based upon them.

So Spamtraps, which are email addresses dedicated to receiving spam emails only, are created. After collecting enough samples, the anti-spam system studies them and makes rules for detecting spam. Everything is done in an automated way.
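As an added example (not part of the original article), here is a small Python spam filter that does what the two passages above describe: it learns word frequencies from messages collected by a Spamtrap and from a few legitimate messages, then classifies new mail. The samples, the class name and the threshold are constructed for illustration; real providers train on far larger corpora and on many more signals than word counts.

```python
import math
import re
from collections import Counter

# Constructed samples: messages "collected" by a Spamtrap (spam only) and a
# handful of legitimate messages (ham). Not real mail.
SPAMTRAP_SAMPLES = [
    "cheap meds online buy now limited offer",
    "buy cheap pills online free shipping offer",
    "limited offer win money now click here",
    "win free money click here now",
]
HAM_SAMPLES = [
    "meeting moved to tuesday please confirm",
    "attached is the report for the quarterly review",
    "can you review my pull request before the meeting",
    "lunch on tuesday works for me",
]

WORD_RE = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return WORD_RE.findall(text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with Laplace smoothing (assumed design, not a vendor's)."""

    def __init__(self):
        self.spam_counts = Counter()
        self.ham_counts = Counter()
        self.spam_docs = 0
        self.ham_docs = 0
        self.vocab = set()

    def train(self, spam, ham):
        # The "rules" are the learned per-word likelihoods for each class.
        for msg in spam:
            self.spam_counts.update(tokenize(msg))
            self.spam_docs += 1
        for msg in ham:
            self.ham_counts.update(tokenize(msg))
            self.ham_docs += 1
        self.vocab = set(self.spam_counts) | set(self.ham_counts)

    def _log_likelihood(self, tokens, counts):
        total = sum(counts.values())
        v = len(self.vocab)
        # Add-one smoothing so unseen words do not zero out a class.
        return sum(math.log((counts[t] + 1) / (total + v)) for t in tokens)

    def spam_probability(self, text):
        tokens = tokenize(text)
        n = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / n) + self._log_likelihood(tokens, self.spam_counts)
        log_ham = math.log(self.ham_docs / n) + self._log_likelihood(tokens, self.ham_counts)
        # Normalise the two log scores into a posterior without underflow.
        m = max(log_spam, log_ham)
        ps, ph = math.exp(log_spam - m), math.exp(log_ham - m)
        return ps / (ps + ph)

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


def build_filter():
    f = NaiveBayesSpamFilter()
    f.train(SPAMTRAP_SAMPLES, HAM_SAMPLES)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("buy cheap pills now free offer", "please confirm the meeting on tuesday"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

The Spamtrap's only job is to supply the `SPAMTRAP_SAMPLES` side of the training set; if legitimate mail leaked into it, those words would be learned as spam evidence, which is exactly the tainting problem discussed later in the article.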



How do Spamtraps reach the spammers

After Spamtraps are created, they are published on the internet, so that when spammers collect email addresses from various websites using crawlers, the Spamtraps are collected along with them.

As Anti-Spam Systems work in an automated fashion, any legitimate email arriving at a Spamtrap can be mistakenly treated as spam, and that can affect the system.

So, to avoid receiving legitimate emails in Spamtraps, Spamtraps are published in locations hidden from view, such that only an automated script can find them.

After harvesting the email addresses, spammers start sending out spam in bulk. But as Spamtraps are hidden from normal view, they collect spam only and do not receive legitimate emails.



Vulnerabilities of using Spamtraps

There are a couple of vulnerabilities in using Spamtraps. To mention a few of them :

  • If spammers can detect a Spamtrap, the Spamtrap becomes tainted. Spammers may send specially crafted emails to the Spamtrap to manipulate the automated spam detection process.
  • Spammers can even send malicious emails to Spamtraps with the sender's address forged as the Spamtrap itself, which causes backscatter.
  • Sometimes spammers put lots of legitimate email addresses in the To and CC fields of spam. If any of those legitimate recipients replies to the spam email, their legitimate email address can mistakenly be classified as a spam address.
  • If a Spamtrap becomes visible and someone sends a legitimate email to it by mistake, that email will also be classified as spam by mistake.


Spamtraps are widely used by anti-spam systems. This was just an introductory article about what a Spamtrap basically is. Hope you enjoyed this.



Thursday, December 24, 2015

What is a Botnet ?



A Botnet is a group of internet-connected computers which communicate with each other to complete some repetitive tasks.

Normally, the term is used with a negative connotation: it indicates a group of computers infected by malware, whose computational resources are used for illegal activities like performing DoS Attacks or sending spam, without the computer owners' knowledge.


The term Botnet was born in Internet Relay Chat, where it is widely used. Later, similar concepts started being used by attackers for performing attacks and other illegal activities.



How does a computer become a Bot


A computer becomes a Bot when it unknowingly gets infected by malware such as a virus, worm or trojan.

Computer viruses attach themselves to other computer programs. So when a user executes a virus-infected program, e.g. an infected Microsoft Word document or an .exe file, the computer gets infected by the virus. After that, the virus replicates itself and infects more computers.

Computer worms spread themselves through the network, taking advantage of security vulnerabilities in various programs. Trojans spread by social engineering: opening suspicious email attachments, clicking on unverified links or downloading software from untrusted sources can infect a computer. Sometimes attackers even display fake web ads for anti-virus software, and clicking on them infects the computer.

And once a computer is infected by malware, it may be controlled by the attackers and used as a Bot.



How does a Botnet work ?


A Botnet's originator can control the computers forming the Botnet through IRC or Internet Relay Chat. The server that controls the Botnet is known as the Command and Control Server.

Botnet operators use some protocols to control the Botnet. These protocols include a server program, a client program and a program that embeds the client in the victim's machine. The computers of the Botnet communicate over the network, sometimes in an encrypted fashion so that the communication remains covert.



How is a Botnet created




  • A computer gets infected by malware.
  • The computer starts working as a Bot and logs into a particular Command and Control Server.
  • A malicious attacker, say a DoS attacker, purchases the services of the Botnet from the operator of the Botnet.
  • The attacker instructs the operator to perform a DoS attack, for example to redirect the internet traffic of all the machines of the Botnet to the victim machine.
  • A DoS attack is performed. The victim machine gets flooded with network packets and becomes unavailable for its intended operations.



Purpose of Botnet


Computers in a Botnet can be used in many illegal activities. Just to give some common examples :

  • Sending spam emails.
  • Performing DoS attacks.
  • Displaying Adware without the user's knowledge and awareness.
  • Stealing sensitive information through Spyware.
  • Generating false web traffic through Click Fraud for the attacker's personal and commercial gain, without the user's knowledge.
  • Recruiting more computers into the Botnet and spreading computer worms.
  • Spreading scareware such as ransomware.



Countermeasures of Botnet


There are a couple of countermeasures we can take :
  • Prevent your computer from being infected by malware. Do not open suspicious email attachments. Do not click on suspicious links. Install software from trusted sources only.
  • Keep your computer updated with the latest security patches for the software you use. Malware often spreads by exploiting security vulnerabilities in software.
  • Keep your computer updated with the latest anti-virus software.
  • Various computer and network security companies have released software to counter Botnets. For example, Norton AntiBot helps consumers by shutting down Command and Control Servers or entire IRC servers of a Botnet. Using such software can help you prevent these attacks.



And remember, awareness always helps. So, keep yourself updated with various security vulnerabilities and how to deal with them. And stay safe, stay protected.

Tuesday, December 22, 2015

What is a Backdoor ?



Suppose you have saved your password on your laptop. Then anyone who has access to your laptop can get unauthorized access to your account. That is a simple way of saying what a Backdoor is.

A Backdoor is a method for bypassing normal authentication in a system, and thus provides unauthorized remote access to the system to malicious users.








A Backdoor may be implemented as a hidden part of a program, as a separate program, or even in hardware.

Just to give an example, in 2003 a Backdoor was planted in the Linux Kernel. In a conditional statement checking for root access permission, '==' was replaced with '='. As a result, it gave unauthorized access to malicious callers. Even very recently, in 2015, Juniper Networks warned about a malicious Backdoor in their firewalls that automatically decrypts VPN traffic.




There are two types of Backdoors – Object Code Backdoors and Asymmetric Backdoors.

In Object Code Backdoors, the software source code remains unchanged, but the object code gets modified maliciously. As object code is designed to be machine readable, the modification becomes much more difficult to detect. These types of Backdoors are inserted in the on-disk object code, or at some point during compilation, linking or loading.

Recompiling the software source code may get rid of such Backdoors. So malicious users sometimes change the compiler source code in such a way that whenever it compiles, links and loads the source code, the Backdoor is inserted. These Backdoors can be fixed by recompiling the compiler and removing the code that inserts the Backdoor.


Normally, Backdoors are symmetric: anyone who finds the Backdoor can in turn use it. But Asymmetric Backdoors can be exploited only by the attacker who plants them, even if the Backdoor implementation becomes public. This type of attack is termed Kleptography, and it can be carried out in software, in hardware or in a combination of both. The theory of Asymmetric Backdoors is part of a larger field named Cryptovirology.




Countermeasures

  • Once Backdoors are detected, rebuild a clean system and transfer the data.
  • Another method is to use Diverse Double Compiling or DDC. It requires a different compiler and the source code of the compiler to be tested. That source code, when compiled with the two different compilers, results in two different stage-1 compilers that should show the same behavior. Thus, the same source code compiled with the two stage-1 compilers must result in two identical stage-2 compilers. This method was applied to verify that the C compiler of the GCC Suite contained no trojan, using icc as the other compiler. Normally, Operating System vendors implement this type of method to make sure they are not distributing a compromised system.




This was an introductory article on Backdoors. Hope you enjoyed it.


How does TLS or Transport Layer Security Protocol work ?



When two hosts communicate with each other over an unsecured network and want to transfer sensitive data between them, especially for bank or ecommerce transactions, they must use an encrypted and secured connection. SSL or Secure Socket Layer was developed by Netscape for that purpose. It enabled secure bank and ecommerce transactions over the unsecure network.





Protocols in the Application Layer needed to remain unchanged yet gain communication security. Hence, SSL was implemented in the Session Layer.


SSL 2.0 was the first publicly released version of the protocol. But soon security flaws were found in it, so SSL 3.0 replaced SSL 2.0. TLS 1.0 is an upgraded version of SSL 3.0.



How does TLS work ?

Once a client starts communicating with the server, the TCP connection is established and the TLS session is set up following the steps mentioned below.






  • The Client first communicates with the Server by sending a Hello message. The message includes a number of options to be used in the communication, such as the version of the protocol, the CipherSuites supported by the client, the compression methods and a 32 byte random number.
  • The Server replies to the Hello message and makes choices about the options to be used, like the protocol version, CipherSuite and compression method. It also fills in the SessionID and replaces the 32 byte random number with a date and timestamp.
  • The Server now sends its Digital Certificate to the Client. This Digital Certificate contains the public key of the Server.
  • The Client verifies the Digital Certificate with the CA or Certificate Authority.
  • After the Digital Certificate is verified, the Client starts to negotiate the symmetric key. There are a number of algorithms it can use; one example is the Diffie-Hellman Key Exchange Algorithm. Please note that at this point the secure connection is not yet established, so the symmetric key cannot be exchanged between the Server and the Client directly, and hence key exchange algorithms like the Diffie-Hellman Key Exchange Protocol are used. The Client also signs the message and sends the MAC or Message Authentication Code to the Server.
  • The Server processes the key exchange parameters. It also checks the MAC or Message Authentication Code to verify the integrity and authenticity of the message sent.
  • If everything goes well, a secure TLS connection is established between the Server and the Client, and secure communication starts to transfer sensitive application data.
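As an added example that is not part of the original article, this Python snippet walks through the key exchange step from the list above: each side picks a private exponent, only the public values and the two Hello randoms cross the wire, both sides derive the same session key, and a MAC over the transcript lets the Server check integrity. The group parameters are a toy (the Mersenne prime 2**127 - 1 with generator 5), the key derivation is a simplified HMAC stand-in for the real TLS PRF, and all function names are my own assumptions.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration: p is the
# Mersenne prime 2**127 - 1. Real TLS uses 2048-bit+ groups or elliptic curves.
P = 2**127 - 1
G = 5


def dh_keypair(priv=None, p=P, g=G):
    """Return (private exponent, public value g^priv mod p)."""
    if priv is None:
        priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def valid_public_value(pub, p=P):
    # Reject 0, 1 and p-1: a peer sending these forces a trivial shared secret.
    return 1 < pub < p - 1


def dh_shared_secret(my_priv, their_pub, p=P):
    if not valid_public_value(their_pub, p):
        raise ValueError("invalid peer public value")
    return pow(their_pub, my_priv, p)


def derive_session_key(shared, client_random, server_random):
    """Simplified KDF (not the TLS PRF): bind the secret to both Hello nonces."""
    secret = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(secret, client_random + server_random, hashlib.sha256).digest()


def finished_mac(key, transcript):
    """MAC over the handshake transcript; the other side recomputes and compares it."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def handshake_demo(client_priv=None, server_priv=None):
    """Simulate both sides; returns (client_key, server_key, server_accepts_client_mac)."""
    client_random = secrets.token_bytes(32)   # sent in the Client Hello
    server_random = secrets.token_bytes(32)   # sent in the Server Hello
    c_priv, c_pub = dh_keypair(client_priv)
    s_priv, s_pub = dh_keypair(server_priv)
    # Only c_pub, s_pub and the two randoms cross the wire. An eavesdropper who
    # sees them still lacks a private exponent and cannot compute g^(c_priv*s_priv).
    transcript = (client_random + server_random
                  + c_pub.to_bytes(16, "big") + s_pub.to_bytes(16, "big"))
    client_key = derive_session_key(dh_shared_secret(c_priv, s_pub), client_random, server_random)
    server_key = derive_session_key(dh_shared_secret(s_priv, c_pub), client_random, server_random)
    # Client proves it holds the same key by MACing the transcript; Server verifies.
    client_finished = finished_mac(client_key, transcript)
    server_accepts = hmac.compare_digest(finished_mac(server_key, transcript), client_finished)
    return client_key, server_key, server_accepts


if __name__ == "__main__":
    ck, sk, ok = handshake_demo()
    print("keys match:", ck == sk, "| server accepted Finished MAC:", ok)
```

The check in `valid_public_value` is the kind of detail a practitioner wants: without it, a peer can send a degenerate public value and force a shared secret that anyone can predict.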



This was an informative article on TLS. Hope you enjoyed it.

Monday, December 21, 2015

What is a Replay Attack ?



A Replay Attack is an attack in which the attacker repeats or delays a valid transmission and fraudulently re-transmits it. Using this approach, an attacker can fraudulently authenticate himself to a system though he is not authorized to do so.





How is Replay Attack perpetrated

Let's suppose Alice and Bob are communicating with each other over the network. Bob wants to authenticate himself to Alice. So Bob provides his password, which is then transmitted over the network in encrypted fashion, perhaps as a password hash.

Suppose Charles is an attacker. He listens to the conversation between Alice and Bob and reads Bob's password while it is transmitted to Alice. After the session between Alice and Bob is over, Charles opens a connection to Alice. When the system asks for authentication, Charles provides Bob's password, which he had read and fraudulently copied.

Alice's system will not notice the deception and will authenticate Charles. At this point Charles gains access to Alice's system and can use that connection for malicious purposes like stealing sensitive data or performing further attacks.



Prevention 

We can take a couple of steps to prevent this type of attack :

  • At the time of authentication, Alice can first send a session token, such as a random number, to Bob. Bob then appends the hashed token value to his password and sends the resulting encrypted hash to Alice. Alice decrypts the token and, if there is a match, authenticates Bob. With this approach, even if Charles later repeats the encrypted hash to Alice, the token value will not match and authentication will not be possible. The session token should be a random number rather than some other calculated value, because that reduces the possibility of Charles guessing the session token.
  • One Time Passwords are another approach to preventing this attack. One Time Passwords expire after a short period of time, so if Charles repeats the communication after that interval, he cannot authenticate himself.
  • Sending a Time Stamp is another way to prevent this attack. Alice can periodically transmit her time, and when Bob wants to communicate with Alice, he appends the time from his clock at the time of authentication. In this approach, Alice does not need to generate random numbers.
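The first and third countermeasures above, combined in one Python simulation; this is an added example, not code from the original article. Alice issues a random one-time nonce, Bob answers with an HMAC over the nonce and his clock time under a pre-shared secret, and Alice accepts each nonce once and rejects stale timestamps. The shared secret, the class and function names and the skew window are my own constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed pre-shared secret between Alice (the verifier) and Bob (the prover).
SHARED_SECRET = b"constructed-demo-secret"


def response_tag(secret, user, nonce, timestamp):
    """HMAC over user, Alice's nonce and Bob's timestamp: the 'encrypted hash' in the text."""
    msg = f"{user}|{nonce}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Alice: issues one-time nonces and accepts each one at most once."""

    def __init__(self, secret, max_skew_seconds=30):
        self.secret = secret
        self.max_skew = max_skew_seconds
        self.outstanding = {}   # nonce -> time issued
        self.redeemed = set()   # nonces already used for a successful login

    def challenge(self):
        nonce = secrets.token_hex(16)      # random, not derived from anything guessable
        self.outstanding[nonce] = time.time()
        return nonce

    def verify(self, user, nonce, timestamp, tag, now=None):
        now = time.time() if now is None else now
        if nonce in self.redeemed or nonce not in self.outstanding:
            return False                   # replayed, or never issued by us
        if abs(now - timestamp) > self.max_skew:
            return False                   # timestamp outside the freshness window
        expected = response_tag(self.secret, user, nonce, timestamp)
        if not hmac.compare_digest(expected, tag):
            return False                   # wrong secret (or tampered message)
        self.redeemed.add(nonce)           # burn the nonce so a capture is useless
        del self.outstanding[nonce]
        return True


def prover_respond(secret, user, nonce, now=None):
    """Bob: binds his proof of the secret to Alice's nonce and the current time."""
    ts = int(time.time() if now is None else now)
    return (user, nonce, ts, response_tag(secret, user, nonce, ts))


def replay_demo():
    """Returns (genuine login ok, verbatim replay ok, old tag on new nonce ok, stale ok)."""
    alice = Verifier(SHARED_SECRET)
    bob_msg = prover_respond(SHARED_SECRET, "bob", alice.challenge())
    first = alice.verify(*bob_msg)                           # Bob's real login
    replayed = alice.verify(*bob_msg)                        # same capture sent again
    user, _, ts, tag = bob_msg
    reused = alice.verify(user, alice.challenge(), ts, tag)  # old tag against a fresh nonce
    stale = alice.verify(*prover_respond(SHARED_SECRET, "bob", alice.challenge(),
                                         now=time.time() - 3600))  # clock an hour off
    return first, replayed, reused, stale


if __name__ == "__main__":
    print(replay_demo())   # expect only the first element to be True
```

Note that the secret itself never crosses the wire; only a tag bound to this nonce and this time does, so a captured message is worthless after the nonce is redeemed or the window closes.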



So, this was a very short article on Replay Attack just for your information. Hope you enjoyed it.

Sunday, December 20, 2015

Authentication Reflection Attack and DoS Reflection Attack



In this article, we will discuss the Authentication Reflection Attack and the Denial of Service Reflection Attack.



Authentication Reflection Attack


Two hosts over the network can use a Challenge-Response Authentication system to authenticate each other. In this system, one host sends a challenge to the other host, and the other host sends its response back to the first host. If the response matches, the other host is authenticated.





But sometimes the same protocol is used to authenticate hosts in either direction. That is, the same challenge-response protocol is used to authenticate either of the hosts. To authenticate the other host, the first host encrypts the challenge C with the encryption key K and sends E(K, C) to the other host.

But as the same challenge-response authentication protocol is used in either direction, the other host can open another connection to the first host and send the same challenge E(K, C) back to it. If the first host now sends a response to that challenge over the second connection, the second host can take that response, send it back to the first host over the first connection, and thereby fraudulently authenticate itself to the first host even though it is not authorized to do so. Attackers use this vulnerability to attack a system and steal data. This is called an Authentication Reflection Attack.


Countermeasures of Authentication Reflection Attack


With a few modifications to the authentication protocol, this vulnerability can be eliminated :

  • The first host can include its identifier in its response to the second host. Then, if the second host sends the same response back, the first host can easily identify that and reject it.
  • If the second host opens a second connection to the first host while the first connection is still open, the first host can delay its response over the second connection until the second host has responded to the first challenge over the first connection.
  • We can also use a different key or protocol for each direction.
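The first countermeasure above, shown as an added Python simulation that is not from the original article: with a naive response that depends only on K and the challenge, a party without K can get the host to answer its own challenge over a second connection; once the responder's identifier is mixed into the response, the reflected answer no longer verifies. The shared key, host names and class layout are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed key shared by both hosts: the same K is used in both directions,
# exactly the situation the article describes.
SHARED_KEY = b"constructed-shared-key"


def naive_response(key, challenge):
    """Response depends only on K and the challenge, so it is identical in both directions."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def bound_response(key, responder_id, challenge):
    """Countermeasure: the responder mixes its own identifier into the response."""
    return hmac.new(key, responder_id + b"|" + challenge, hashlib.sha256).digest()


class Host:
    def __init__(self, name, key, bind_identity):
        self.name = name.encode()
        self.key = key
        self.bind_identity = bind_identity

    def issue_challenge(self):
        return secrets.token_bytes(16)

    def answer(self, challenge):
        """Answer a challenge received from a peer."""
        if self.bind_identity:
            return bound_response(self.key, self.name, challenge)
        return naive_response(self.key, challenge)

    def verify(self, peer_name, challenge, response):
        """Check a response to a challenge this host issued to peer_name."""
        if self.bind_identity:
            expected = bound_response(self.key, peer_name.encode(), challenge)
        else:
            expected = naive_response(self.key, challenge)
        return hmac.compare_digest(expected, response)


def legitimate_login(bind_identity):
    """A client that really holds K authenticates to the server."""
    server = Host("server", SHARED_KEY, bind_identity)
    client = Host("client", SHARED_KEY, bind_identity)
    c = server.issue_challenge()
    return server.verify("client", c, client.answer(c))


def reflection_attempt(bind_identity):
    """A party without K, claiming to be 'client', reflects the server's own challenge."""
    server = Host("server", SHARED_KEY, bind_identity)
    c = server.issue_challenge()         # connection 1: server challenges the claimant
    reflected = server.answer(c)         # connection 2: claimant sends c back; server answers it
    return server.verify("client", c, reflected)   # connection 1: server's own answer comes back


if __name__ == "__main__":
    for bind in (False, True):
        print(f"identity bound={bind}: legitimate={legitimate_login(bind)}, "
              f"reflection accepted={reflection_attempt(bind)}")
```

With identity binding the server computes its answer over `server|c` but expects `client|c` from the peer, so the two values differ even though K and the challenge are the same; this is the same idea as using distinct keys per direction, expressed inside a single key.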


DoS Reflection Attack


In a DoS Reflection Attack, an attacker spoofs his IP address and sends lots of request messages to other hosts on the network. As the attacker uses the victim machine's IP address as the source IP address of the outgoing requests, all the other hosts send their responses to the victim machine. If the attacker has much higher bandwidth than the victim machine, the victim receives so many responses that all its network bandwidth is used up. As a result, the victim machine is no longer available for legitimate requests. This is called a DoS Reflection Attack.






DNS Amplification Attack is also a type of Reflection Attack. In this attack, the attacker sends lots of DNS queries to a DNS server, but forges the victim machine's IP address as the source IP. As a result, the DNS server ends up sending all the responses to the victim machine. As DNS responses are much larger in size than the queries, the victim machine ends up flooded with responses that use up all its bandwidth.
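As an added example that is not part of the original article, here is how a defender might spot a host on the receiving end of the reflection described above from flow records: a machine receiving large volumes of DNS responses from many resolvers while having sent almost no queries itself. The flow lines and their field layout are constructed for this example; real NetFlow or firewall logs need their own parser, and the thresholds are illustrative.

```python
from collections import defaultdict

# Constructed flow records (not real traffic), one per line:
# ts src_ip src_port dst_ip dst_port proto bytes
# 192.0.2.20 does normal lookups against 10.0.0.5; 192.0.2.10 only receives
# large responses from five resolvers it never queried.
FLOW_LOG = """\
1 192.0.2.20 41000 10.0.0.5 53 udp 60
1 10.0.0.5 53 192.0.2.20 41000 udp 130
2 192.0.2.20 41001 10.0.0.5 53 udp 58
2 10.0.0.5 53 192.0.2.20 41001 udp 142
3 10.0.0.5 53 192.0.2.10 3456 udp 3200
3 10.0.0.6 53 192.0.2.10 3456 udp 3100
3 10.0.0.7 53 192.0.2.10 3456 udp 3300
4 10.0.0.8 53 192.0.2.10 3456 udp 3250
4 10.0.0.9 53 192.0.2.10 3456 udp 3150
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def dns_amplification_suspects(flows, min_ratio=10.0, min_resp_bytes=5000, min_resolvers=3):
    """Hosts whose inbound DNS response volume dwarfs their outbound query volume."""
    sent = defaultdict(int)          # host -> bytes of DNS queries it sent
    recv = defaultdict(int)          # host -> bytes of DNS responses it received
    resolvers = defaultdict(set)     # host -> distinct resolvers answering it
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 53:
            sent[f["src"]] += f["bytes"]
        elif f["sport"] == 53:
            recv[f["dst"]] += f["bytes"]
            resolvers[f["dst"]].add(f["src"])
    suspects = {}
    for host, rbytes in recv.items():
        ratio = rbytes / max(sent[host], 1)   # no queries at all gives the largest ratio
        if (rbytes >= min_resp_bytes and ratio >= min_ratio
                and len(resolvers[host]) >= min_resolvers):
            suspects[host] = {"response_bytes": rbytes, "query_bytes": sent[host],
                              "ratio": round(ratio, 1), "resolvers": len(resolvers[host])}
    return suspects


if __name__ == "__main__":
    for host, stats in dns_amplification_suspects(parse_flows(FLOW_LOG)).items():
        print(host, stats)
```

The response-to-query byte ratio is the amplification factor seen from the victim's side; a legitimate client sits near 2, while a reflected flood has no matching queries at all.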


So, beware of various security vulnerabilities, so that you can protect your systems in a better way and stay safe, stay protected.

What is Side Channel Attack ?



If a burglar wants to break into your house, he does not necessarily have to break the lock and come in through the door. He may break in through a window, or break the hinges off the door. Attackers use a similar concept to break a cryptosystem through a Side Channel Attack.







Side Channel Attack


In practice, a cryptosystem is implemented on physical devices. Algorithmically, it is very difficult to break the cryptographic algorithm itself.

But during cryptographic computation, the physical devices normally reveal some information in terms of power consumption, heat dissipation, time of computation, electromagnetic leaks etc. This information is called Side Channel Information.

In a Side Channel Attack, the attacker uses this Side Channel Information to determine the secret keys and break the cryptosystem.



Types of Side Channel Attack


There are different types of Side Channel Attack, each based on different Side Channel Information.

Some most common ones are mentioned below :


Time of Cryptographic Computation :

Various cryptographic computations normally take different amounts of time to execute. If an attacker has information about the time taken to compute various inputs, and does statistical analysis on that data, it becomes much easier for him to get the secret key.

The basic principle the attacker uses here is that the computation time of various cryptographic operations depends to some extent on the secret key, and this type of Side Channel Attack is perpetrated based on that information.


Power Consumption :

Similarly, the power consumption of a cryptographic device may also reveal much information to attackers.

For example, if a smart card or embedded system draws power from an untrusted source, and an attacker has information on how much power the cryptosystem draws for various inputs, the attacker can do statistical analysis on that information and it becomes much easier for him to break the cryptosystem.


Electromagnetic Radiation :

Electrical devices often generate electromagnetic radiation as part of their operation. An attacker can observe the electromagnetic radiation of a cryptographic device and work out its relationship with the cryptographic computation. This can reveal a surprising amount of information, making it much easier for the attacker to get the secret key. In this type of Side Channel Attack, attackers exploit this Side Channel Information.


Injection of Faults :

In this type of Side Channel Attack, the attacker injects faults into the cryptographic device and observes its behavior.

The attacker may inject computational faults into the cryptosystem, or send intentionally corrupted data to the device and observe the output. This non-standard behavior also reveals much information to the attacker.


Acoustic Sound :

Attackers sometimes even analyze the acoustic sounds produced at the time of cryptographic computation of the physical device and use that information to break the cryptosystem.


Reading Data from Memory :

Other than these, attackers may read sensitive data from memory after it has supposedly been deleted, or exploit off-limits memory access to read adjacent memory and use that information to break the cryptosystem.


Attackers may even use a combination of Side Channel Information to make the attack easier.



Countermeasures 


We can take some steps which can help a great deal. Some of them are mentioned below :

  • As Side Channel Attacks are based on leaked Side Channel Information, an effective countermeasure is to reduce the correlation between the Side Channel Information and the secret key. One such countermeasure is to add random delay to cryptographic computations. One way this can be done is by Blinding. In this method, before decrypting the ciphertext, a random number is encrypted and combined with the ciphertext. The decryption algorithm is then applied to the combined value, and the random number is removed after decryption. As a result of these operations, a random delay is added to the computation time, and it becomes difficult for attackers to extract the secret key by observing the execution time of various cryptographic computations.
  • Another countermeasure is to add some delay and design the cryptosystem in such a way that every cryptographic computation takes the same amount of time. This greatly reduces the correlation between the secret key and the computation time, making it very difficult for attackers to attack.
  • Sometimes special shielding is applied to lessen electromagnetic emissions. This helps much in reducing leaked electromagnetic emissions.
  • Power line conditioning and filtering can help in reducing power-monitoring attacks.
  • Another countermeasure is to make the software “PC-Secure”. In a PC-Secure program, the execution path does not depend on the secret values; all conditional branches depend on public information only. As a result, it reduces the correlation between the leaked Side Channel Information and the secret key.
  • Sometimes cryptographic code is designed to use memory only in a predictable fashion, such as accessing only the input, output and program data, and in a fixed pattern only. This helps much in reducing Side Channel Attacks based on timing information or cache access patterns.
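Two of the software countermeasures in the list above, Blinding and branch-free (PC-Secure style) code, as an added Python example that is not from the original article. The RSA key is a constructed toy key (p = 61, q = 53) so the arithmetic stays visible, the instrumented comparison functions report how many bytes they examined in place of a real timer, and all names are my own assumptions.

```python
import secrets
from math import gcd

# Toy RSA key, constructed for illustration only (trivially factorable).
N, E, D = 3233, 17, 2753          # p = 61, q = 53, e*d = 1 mod (p-1)(q-1)


def rsa_encrypt(m, n=N, e=E):
    return pow(m, e, n)


def rsa_decrypt_plain(c, n=N, d=D):
    """Straightforward decryption: the work done depends directly on the attacker's c."""
    return pow(c, d, n)


def rsa_decrypt_blinded(c, n=N, e=E, d=D, r=None):
    """Blinding: exponentiate c * r^e instead of c, then strip r out of the result.
    (c * r^e)^d = c^d * r^(ed) = m * r (mod n), so multiplying by r^-1 recovers m."""
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2   # fresh random blinding factor per call
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * pow(r, -1, n)) % n


# --- branch-free comparison -------------------------------------------------
# Both functions return (equal, bytes_examined); the second value stands in for
# execution time so the leak is visible without a stopwatch.

def leaky_equal(secret, guess):
    """Early-exit comparison: work grows with the length of the correct prefix."""
    if len(secret) != len(guess):
        return False, 0
    for i, (a, b) in enumerate(zip(secret, guess)):
        if a != b:                  # branch on secret data
            return False, i + 1
    return True, len(secret)


def constant_time_equal(secret, guess):
    """PC-Secure style: no branch depends on the secret; every byte is always visited."""
    if len(secret) != len(guess):   # length is treated as public here
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0, len(secret)


SECRET_TAG = b"k9Qz"
# Constructed guesses with a growing correct prefix.
GUESSES = [b"xxxx", b"kxxx", b"k9xx", b"k9Qx", b"k9Qz"]


def work_profile(compare):
    """Bytes examined per guess; a profile that rises with the prefix leaks the secret."""
    return [compare(SECRET_TAG, g)[1] for g in GUESSES]


if __name__ == "__main__":
    c = rsa_encrypt(65)
    print("plain:", rsa_decrypt_plain(c), "blinded:", rsa_decrypt_blinded(c))
    print("leaky   :", work_profile(leaky_equal))
    print("constant:", work_profile(constant_time_equal))
```

For real code, Python's standard library already provides the branch-free comparison as `hmac.compare_digest`; the hand-written version here only exists to show why the early exit is the problem.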



So, this was just an introductory article on Side Channel Attack. Hope you enjoyed it.