CompTIA Security+ Exam Cram Notes

Started by certforumz, August 18, 2011, 02:31:17 PM

certforumz

#1
Social Engineering Attacks:


  • Shoulder surfing
  • Dumpster diving
  • Tailgating
  • Impersonation
  • Hoaxes
  • Whaling
  • Vishing


'Whaling' and 'spear phishing' scams

What are whaling and spear phishing scams?

Whaling or spear phishing occurs when a scammer targets an organisation and sends personalised emails to either a group of employees or a specific executive officer or senior manager. Emails refer to fake but critical business matters, such as legal subpoenas or customer complaints.

Emails may appear to have been sent from a trustworthy source such as an employer or staff member within the organisation. Email addresses may be similar (but not identical) to an address you are familiar with.

The scammer's aim is to convince you that the email requires urgent action by following a link to a fake website or opening a malware-infected attachment. When you visit the fake, but convincing website, it will ask you to do one or more of the following:

  • enter confidential company information and passwords
  • provide financial details or enter them when making a payment for a fake software download.

If financial details are provided, the scammer will use them to commit fraud.

Alternatively, if you open an email attachment, it will download malware onto your computer. Malware can record your key strokes, passwords and other company information, allowing the scammer to access it when you go online.

Warning signs

  • You receive an email out of the blue on an urgent company related matter which you were previously unaware of.
  • The email comes from an email address you either do not recognise or which is similar (but not identical) to an address you are familiar with.
  • The email contains either an attachment or a link to a website where you are asked to enter personal details or to pay to download software so as to view an official document such as a subpoena.
  • Remember - Legitimate websites which ask you to enter sensitive personal information are commonly encrypted to protect your details. This is usually identified by the use of "https:" rather than "http:" at the start of the internet address or a closed padlock or unbroken key icon at the bottom right corner of your browser window.  If these are missing or there is an open padlock or broken key icon present, the website is not secure and could be a scam site.
  • The scam website will often look very official and convincing.

Protect yourself from whaling and spear phishing scams

  • Consider what personal information you post on social/business networking services. Scammers use publicly-available information to identify potential whaling/spear phishing victims.
  • Seek independent legal advice if you receive an email regarding a legal subpoena or customer complaint.
  • You can verify a website's authenticity by looking for "https:" at the beginning of the internet address, the locked padlock icon or the unbroken key icon.
  • Check if a website has a digital certificate. If it has one it will generally appear as a padlock icon alongside the web address. You can click on the icon to ensure that the certificate has been verified, is official and hasn't expired.  
  • Install and regularly update antivirus, antispyware and firewall software.
  • Never click on links provided in emails or open attachments from strangers. An email with an attachment that arrives unexpectedly could contain malware, even if it's not whaling/spear phishing malware.
  • Never provide your personal, business, credit card or account details online unless you have verified the website is authentic. If you think you have provided account details to a scammer, contact your bank or financial institution immediately. 
  • Ensure your business's postal mail is delivered to a secure/locked mailbox.
  • Shred all business documents before you dispose of them.
Source: http://www.scamwatch.gov.au/content/index.phtml/itemId/829460


The difference between mass phishing and spear-phishing is that in spear-phishing, only the employees of a particular entity are targeted, whereas in mass phishing, the targets are random and the perpetrators only desire to extract personal information from the victims.

Furthermore, in spear-phishing, perpetrators often disguise their messages as coming from within the entity they wish to penetrate which is also where the target works, whereas in mass-phishing, they impersonate a global and/or popular brand to which the victim may or may not be a customer and such cyber-criminals do not wish to infiltrate the brand they impersonate.

Whaling is a type of spear-phishing in which the targets are high-profile individuals only such as CEOs, managing directors and high-ranking governmental officials.

http://resources.infosecinstitute.com/phishing-techniques-similarities-differences-and-trends-part-ii-targeted-phishing/

certforumz

Phishing, vishing and smishing are all ways for a thief to use current technology to get your personal account information to use for fraudulent purposes.

Phishing

This is a scam that uses email or pop-up messages to trick you into disclosing your credit card number, bank account information, Social Security number, password or other sensitive information. These emails will claim to be from a business or organization you deal with - such as your University Credit Union, bank, online payment service, or even a government agency. The email usually says that you need to "update" or "validate" your account information. It often threatens dire consequences if you don't respond. The message directs you to a website that looks just like the legitimate organization's web site, but is not. The idea is to get you to enter your information so they can capture it.

Vishing

Also known as "voice" phishing over the phone. This is another way for scammers to steal credit card or debit card numbers and other information used in identity theft scams. Be suspicious of any message you receive claiming to be from University Credit Union asking you to provide sensitive or confidential financial information.

Smishing

A text message is sent to the member's cell phone that asks the member to call a toll-free number; once that call is returned, they will ask for personal information such as Account Number, Credit/Debit card number or Social Security Number.

The U.S. Department Of Justice (DOJ) recently issued three simple recommendations - Stop, Look, and Call - that Internet users can follow when they see E-mails, text messages, Websites or hear a voice mail that may be fraudulent. The DOJ's recommendations are listed below.

1. Stop. A phishing E-mail, voice mail or text message will typically include upsetting or exciting (but false) statements with one purpose in mind. They want people to react immediately to that false information, by clicking on the link and inputting the requested data before they take time to think about what they are doing. Internet users, however, need to resist the impulse to click immediately. No matter how upsetting or exciting the statement in the E-mail may be there is always enough time to check out the information more closely. The same is true for text messages and voice mails. Think carefully before responding.

2. Look. Internet users should look more closely at the claims made in the E-mail, think about whether those claims make sense, and be highly suspicious if the E-mail asks for numerous items of their personal information such as: Account Numbers, User Names, or Passwords. For example: If the E-mail, voice mail or text message indicates that it comes from a financial institution where you have an account or a credit card account, but tells you that you have to enter your account information again, that makes no sense. Legitimate banks and financial institutions already have their customers' account number in their records. Even if the E-mail says a customer's account is being terminated the real bank or financial institution will still have that customer's account number and identifying information.

If the E-mail, voice mail or text message says that you have won a prize or are entitled to receive some special "deal," and then asks for financial or personal data, there is good reason to be highly suspicious.

Legitimate companies that want to give you a real prize don't ask for extensive amounts of personal and financial information before you are entitled to receive the prize.

3. Call. If the E-mail, voice mail or text message states it is from a legitimate company or financial institution, Internet users should call or E-mail that company directly (get the number yourself; don't use the one in the message) and ask whether the E-mail is truly from that company. To be sure that they are contacting the real company or institution where they have accounts, credit-card account holders can call the toll-free customer numbers on the back of their cards, and financial institution customers can call the telephone numbers on their monthly statements.


certforumz

#3
Shoulder Surfing:

Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone. Shoulder surfing can also be done long distance with the aid of binoculars or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand.

Dumpster Diving:

In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network. To prevent dumpster divers from learning anything valuable from your trash, experts recommend that your company establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.

Tailgating:

Tailgating is when another person, whether an employee or not, passes through a secure door without the knowledge of the person who has gained legitimate access through the secure door. This is a similar concept to when there is a car following closely behind you on the freeway without your permission. You are being tailgated.

Piggybacking is when another person follows through a door WITH the permission of the person who has received access. If someone is hugging you or actually on your back, this is called "piggybacking". Only 2 technologies are able to distinguish between 2 people hugging and 1 large person: humans and 3-dimensional machine vision systems.

There are various methods of stopping tailgating and piggybacking through secure doors. At mission critical sites, 24/7 armed guards are often employed at significant expense. An alternative to an armed guard may be the installation of a 3-dimensional machine vision system that can differentiate between humans and objects. This is the same proven technology that has been employed for decades in the field of factory automation and robotics. Newton Security's patented T-DAR technology is the world's most reliable system for detecting and preventing tailgating through secure doors.

The two types of entrances that are found in an anti-tailgating system are single doors and a set of 2 doors in a secure space which is called a mantrap.

A single door anti-tailgating system has the ability to sound an alarm and alert security personnel to an unauthorized intrusion. Since there is only one door, this cannot be a mantrap.

A mantrap is a secured space with 2 or more doors. When 1 person enters the mantrap area, the T-DAR 3-D machine vision system performs a dynamic scan, confirming that only one person is in the space. If another person enters the space, they are detected and, since there are now 2 people in the space, an alarm is sounded. The door on the secure side of the space is locked so neither person can enter the space. Both people must exit the mantrap before the entry process may proceed.

Article Source: http://ezinearticles.com/1902821

Impersonation Attack:

Impersonation is one of the most common social engineering techniques and it takes many forms. Impersonation can occur in person, over the phone or on-line. There are basically seven scenarios where impersonation is used to create a successful social engineering attack:

The overly helpful help desk. A Social Engineer calls the help desk pretending to be an employee. They claim to have forgotten their password and ask the help desk to reset it or give it to them. The Social Engineer will often know names of employees in the organization he is trying to penetrate, and will have learned as much as possible about the person he is trying to impersonate. Help desks are one of the most frequent targets of Social Engineering attempts for a reason. They are trained to be helpful to users and will often give out passwords or other important network information without thoroughly verifying the identity of the caller.

Third-party Authorization. The Social Engineer may have obtained the name of someone in the organization who has the authority to grant access to information. They may call the target and claim that the Superintendent, Mr. Big, requested that information be provided.

This attack is particularly effective if the attacker is aware that Mr. Big is out of town. He may say something like, "I spoke with Mr. Big late last week before he went on vacation and he said that you would be able to provide me with this information in his absence."

Tech Support. The Social Engineer may pretend to be technical support from one of the organization's software vendors or contractors to gain information. The attacker explains that he is troubleshooting a network problem and has narrowed the problem to a certain computer. He claims to need a user ID and password from that computer to finish tracing the problem. Unless the user has been properly educated in security practices, they will likely give the "trouble-shooter" the information requested.

http://www.npdn.org/social_engineering_types

An attack in which a hostile computer system masquerades as a trusted computer.


certforumz

Analyze and differentiate among types of wireless attacks


  • Rogue access points
  • Interference
  • Evil twin
  • War driving
  • Bluejacking
  • Bluesnarfing
  • War chalking
  • IV attack
  • Packet sniffing


Evil Twin:

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.

An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.

This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.

Rogue Access Point and Evil Twin are used interchangeably.

War Driving

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

Software for wardriving is freely available on the Internet, notably NetStumbler, InSSIDer or Ekahau Heat Mapper for Windows; Kismet or SWScanner for Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD, and Solaris; and KisMac for Macintosh.


Bluejacking:

Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers. Bluetooth has a very limited range, usually around 10 metres (32.8 ft) on mobile phones, but laptops can reach up to 100 metres (328 ft) with powerful (Class 1) transmitters.

Bluesnarfing:

Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to a calendar, contact list, emails and text messages, and on some phones users can copy pictures and private videos. Both Bluesnarfing and Bluejacking exploit others' Bluetooth connections without their knowledge. While Bluejacking is essentially harmless as it only transmits data to the target device, Bluesnarfing is the theft of information from the target device.

Bluejacking is different from bluesnarfing. Bluejacking is the act of sending unsolicited messages via a Bluetooth connection to Bluetooth-enabled devices. Since Bluetooth has a very limited range, up to 100 meters for Class 1 transmitters and significantly less for Class 2 and 3 transmitters, the sender must be physically near the owner of the device. Most bluejacking instances are not harmful. Instead it is often used for marketing campaigns.

Warchalking:

Warchalking is the drawing of symbols in public places to advertise an open Wi-Fi network. Inspired by hobo symbols, the warchalking marks were conceived by a group of friends in June 2002 and publicised by Matt Jones, who designed the set of icons and produced a downloadable document containing them.

Initialization vector (IV) attack

An initialization vector (IV) attack is an attack on wireless networks. It modifies the IV of an encrypted wireless packet during transmission. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 key stream generated by the IV used. This key stream can then be used to decrypt all other packets that use the same IV. Since there is only a small set of possible initialization vectors, attackers can eventually build a decryption table to decrypt every packet sent over that wireless connection.


Packet sniffing

Packet sniffing, a network attack strategy, captures network traffic at the Ethernet frame level. After capture, this data can be analyzed and sensitive information can be retrieved. Such a network attack starts with a tool such as Wireshark. Wireshark allows you to capture and examine data that is flowing across your network. Any data that is not encrypted is readable, and unfortunately, many types of traffic on your network are passed as unencrypted data — even passwords and other sensitive data.
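The IV attack paragraph above says that knowing one packet's plaintext yields the RC4 keystream for that IV, which then decrypts every other packet sent under the same IV. The following added example (not code from the original post) reproduces that with a WEP-style framing of RC4, using a constructed 40-bit key and constructed frame payloads; it also shows that a frame with a fresh IV is not affected, which is why the small 24-bit IV space is the real weakness.

```python
"""Why IV reuse breaks WEP: keystream recovery from one known plaintext.

Added illustration for the IV attack described above; it is not code from
the original post. RC4 is implemented inline so the script runs offline.
Packet contents and the 40-bit key are constructed sample values.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # pseudo-random generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """WEP-style framing: the 24-bit IV travels in clear in front of the
    ciphertext, and the per-packet RC4 key is IV || secret key."""
    assert len(iv) == 3
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """An eavesdropper who knows the plaintext of one frame learns the
    keystream for that frame's IV without ever learning the secret key."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_plaintext)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes):
    """Decrypt another captured frame only if it reuses the same IV;
    return None otherwise (a different IV means a different keystream)."""
    if frame[:3] != iv:
        return None
    body = frame[3:]
    return xor(body, keystream[: len(body)])


def demo() -> dict:
    secret = bytes.fromhex("0badc0ffee")          # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"
    # Constructed payloads. The first one is highly predictable (an
    # SNAP/ARP-style header), which is the known-plaintext situation the
    # text describes; the second carries data the defender cares about.
    p1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP request from client"
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"GET /inbox HTTP/1.0"
    f1 = wep_encrypt(iv, secret, p1)
    f2 = wep_encrypt(iv, secret, p2)                     # IV reused
    f3 = wep_encrypt(b"\x01\x02\x04", secret, p2)        # fresh IV

    iv_seen, ks = recover_keystream(f1, p1)
    return {
        "keystream_len": len(ks),
        "keystream_matches": ks == rc4_keystream(iv + secret, len(p1)),
        "reused_iv_plaintext": decrypt_with_keystream(f2, iv_seen, ks),
        "fresh_iv_plaintext": decrypt_with_keystream(f3, iv_seen, ks),
        "iv_space": 2 ** 24,                 # only ~16.7M IVs before reuse
    }


if __name__ == "__main__":
    print(demo())
```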

certforumz

Analyze and differentiate among types of application attacks


  • Cross-site scripting
  • SQL injection
  • LDAP injection
  • XML injection
  • Directory traversal/command injection
  • Buffer overflow
  • Zero day
  • Cookies and attachments
  • Malicious add-ons
  • Session hijacking
  • Header manipulation

Cross-site scripting

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29



SQL Injection:


SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. It is perhaps one of the most common application layer attack techniques used today. It is the type of attack that takes advantage of improper coding of your web applications that allows a hacker to inject SQL commands into, say, a login form to allow them to gain access to the data held within your database.

In essence, SQL Injection arises because the fields available for user input allow SQL statements to pass through and query the database directly.

SQL Injection: A Simple Example:

Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum.

When the legitimate user submits his details, an SQL query is generated from these details and submitted to the database for verification. If valid, the user is allowed access. In other words, the web application that controls the login page will communicate with the database through a series of planned commands so as to verify the username and password combination. On verification, the legitimate user is granted appropriate access.

Through SQL Injection, the hacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it. This is only possible if the inputs are not properly sanitised (i.e., made invulnerable) and sent directly with the SQL query to the database. SQL Injection vulnerabilities provide the means for a hacker to communicate directly to the database.

The technologies vulnerable to this attack are dynamic script languages including ASP, ASP.NET, PHP, JSP, and CGI. All an attacker needs to perform an SQL Injection hacking attack is a web browser, knowledge of SQL queries and creative guesswork about important table and field names. The sheer simplicity of SQL Injection has fuelled its popularity.

LDAP injection

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

A possible way to fix LDAP injection or SQL injection is to filter any metacharacters from user input. Metacharacters include, but are not limited to, these:

* ; | ] [ ?

Each of these characters has a special meaning on the command line, and their use must be avoided for purposes other than their special meaning.

XML injection

Writing unvalidated data into an XML document can allow an attacker to change the structure and contents of the XML.

XML injection occurs when:

1. Data enters a program from an untrusted source.

2. The data is written to an XML document.

Applications typically use XML to store data or send messages. When used to store data, XML documents are often treated like databases and can potentially contain sensitive information. XML messages are often used in web services and can also be used to transmit sensitive information. XML messages can even be used to send authentication credentials.

The semantics of XML documents and messages can be altered if an attacker has the ability to write raw XML. In the most benign case, an attacker might be able to insert extraneous tags and cause an XML parser to throw an exception. In more nefarious cases of XML injection, an attacker might be able to add XML elements that change authentication credentials or modify prices in an XML e-commerce database. In some cases, XML injection can lead to Cross-Site Scripting or Dynamic Code Evaluation.

Example 1:

Assume an attacker is able to control the value "shoes" in the following XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>

Now imagine this XML is included in a back end web service request to place an order for a pair of shoes. Suppose the attacker modifies his request and replaces shoes with shoes</item><price>1.00</price><item>shoes. The new XML would look like:

<order>
   <price>100.00</price>
   <item>shoes</item><price>1.00</price><item>shoes</item>
</order>

When using SAX parsers, the value from the second <price> overrides the value from the first <price> tag. This allows the attacker to purchase a pair of $100 shoes for $1.

Directory traversal/command injection:

Properly controlling access to web content is crucial for running a secure web server. Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Web servers provide two main levels of security mechanisms:

    Access Control Lists (ACLs)
    Root directory

An Access Control List is used in the authorization process. It is a list which the web server's administrator uses to indicate which users or groups are able to access, modify or execute particular files on the server, as well as other access rights.
The root directory is a specific directory on the server file system in which the users are confined. Users are not able to access anything above this root.

For example: the default root directory of IIS on Windows is C:\Inetpub\wwwroot and with this setup, a user does not have access to C:\Windows but has access to C:\Inetpub\wwwroot\news and any other directories and files under the root directory (provided that the user is authenticated via the ACLs).

The root directory prevents users from accessing sensitive files on the server such as cmd.exe on Windows platforms and the passwd file on Linux/UNIX platforms.

This vulnerability can exist either in the web server software itself or in the web application code.

In order to perform a directory traversal attack, all an attacker needs is a web browser and some knowledge on where to blindly find any default files and directories on the system.

What an Attacker can do if your Website is Vulnerable

With a system vulnerable to Directory Traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, or even more dangerous, allowing the attacker to execute powerful commands on the web server which can lead to a full compromise of the system.

Depending on how the website access is set up, the attacker will execute commands by impersonating himself as the user which is associated with "the website". Therefore it all depends on what the website user has been given access to in the system.

Example of a Directory Traversal Attack via Web Application Code

In web applications with dynamic pages, input is usually received from browsers through GET or POST request methods. Here is an example of a GET HTTP request URL:

http://test.webarticles.com/show.asp?view=oldarchive.html

With this URL, the browser requests the dynamic page show.asp from the server and with it also sends the parameter "view" with the value of "oldarchive.html". When this request is executed on the web server, show.asp retrieves the file oldarchive.html from the server's file system, renders it and then sends it back to the browser which displays it to the user. The attacker would assume that show.asp can retrieve files from the file system and sends this custom URL:

http://test.webarticles.com/show.asp?view=../../../../../Windows/system.ini

This will cause the dynamic page to retrieve the file system.ini from the file system and display it to the user. The expression ../ instructs the system to go one directory up which is commonly used as an operating system directive. The attacker has to guess how many directories he has to go up to find the Windows folder on the system, but this is easily done by trial and error.

Example of a Directory Traversal Attack via Web Server

Apart from vulnerabilities in the code, even the web server itself can be open to directory traversal attacks. The problem can either be incorporated into the web server software or inside some sample script files left available on the server.

The vulnerability has been fixed in the latest versions of web server software, but there are web servers online which are still using older versions of IIS and Apache which might be open to directory traversal attacks. Even though you might be using a web server software version that has fixed this vulnerability, you might still have some sensitive default script directories exposed which are well known to hackers.

For example, a URL request which makes use of the scripts directory of IIS to traverse directories and execute a command can be:

http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\

The request would return to the user a list of all files in the C:\ directory by executing the cmd.exe command shell file and running the command "dir c:\" in the shell. The %5c expression that is in the URL request is a web server escape code which is used to represent normal characters. In this case %5c represents the character "\".

Newer versions of modern web server software check for these escape codes and do not let them through. Some older versions however, do not filter out these codes in the root directory enforcer and will let the attackers execute such commands.

How to Check for Directory Traversal Vulnerabilities

The best way to check whether your web site & applications are vulnerable to Directory Traversal attacks is by using a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for Directory Traversal vulnerabilities. It will report the vulnerability and how to easily fix it. Besides Directory Traversal vulnerabilities a web application scanner will also check for SQL injection, Cross site scripting & other web vulnerabilities.

Acunetix Web Vulnerability Scanner scans for SQL Injection, Cross Site Scripting, Google Hacking and many more vulnerabilities. Download the trial version of Acunetix WVS.

Preventing Directory Traversal Attacks

First of all, ensure you have installed the latest version of your web server software, and ensure that all patches have been applied.

Secondly, effectively filter any user input. Ideally remove everything but the known good data and filter meta characters from the user input. This will ensure that only what should be entered in the field will be submitted to the server.

Buffer Overflow Attack

An attacker uses buffer overflow attacks to corrupt the execution stack of a web application. The attacker sends carefully crafted input to a web application to force the web application to execute arbitrary code that allows the attacker to take over the system that is being attacked.

Web servers or web applications that manage the static and dynamic aspects of a site, or use graphic libraries to generate images, are vulnerable to buffer overflow attacks.
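The XML injection section above walks through an <order> document where the attacker-controlled item text closes its own element and injects a second <price>, and notes that a SAX reader then takes the last value. This added example (not code from the original post) runs exactly that document through a small "last value wins" SAX handler, then builds the same document with the input escaped and shows the injection collapsing back into plain text; the element count check is an extra structural guard a backend can add.

```python
"""XML injection: the <order> example from the post, run through a parser.

Added illustration, not code from the original post. It shows why untrusted
text must be escaped (or inserted through an XML API) before being written
into a document, and how a "last element wins" reader turns the injected
<price> into a discount. All values are constructed.
"""
import xml.etree.ElementTree as ET
import xml.sax
from xml.sax.saxutils import escape

# The payload quoted in the post, as the attacker-controlled item string.
INJECTED_ITEM = "shoes</item><price>1.00</price><item>shoes"


def build_order_unsafe(item: str, price: str) -> str:
    """Vulnerable: raw user input is concatenated straight into the XML."""
    return f"<order><price>{price}</price><item>{item}</item></order>"


def build_order_safe(item: str, price: str) -> str:
    """Fixed: escape &, < and > so input can never close or open a tag."""
    return (f"<order><price>{escape(price)}</price>"
            f"<item>{escape(item)}</item></order>")


class LastValueHandler(xml.sax.ContentHandler):
    """SAX reader in which a repeated element overwrites the earlier value,
    which is the behaviour the post describes."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        self._current = name
        if name in ("price", "item"):
            self.fields[name] = ""        # a second <price> resets the first

    def characters(self, content):
        if self._current in ("price", "item"):
            self.fields[self._current] += content   # text may arrive in chunks

    def endElement(self, name):
        self._current = None


def read_order(xml_text: str) -> dict:
    """Parse with SAX and return the price/item a backend would act on."""
    handler = LastValueHandler()
    xml.sax.parseString(xml_text.encode(), handler)
    return dict(handler.fields)


def count_prices(xml_text: str) -> int:
    """Structural check a defender can add: exactly one <price> is expected."""
    return len(ET.fromstring(xml_text).findall("price"))


if __name__ == "__main__":
    for build in (build_order_unsafe, build_order_safe):
        doc = build(INJECTED_ITEM, "100.00")
        print(build.__name__, read_order(doc), "prices:", count_prices(doc))
```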

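The directory traversal section above shows two request shapes, a plain ../ sequence and a %5c-encoded backslash, and the fix it gives is to accept only known-good input. The following added example (not the article's or any vendor's code) is the check a page like show.asp should run on its "view" parameter before opening anything: decode, treat backslash as a separator, normalise, and confirm the result is still under the web root. It goes slightly beyond the text by also guarding against double-encoding (%255c). The root path and all inputs are constructed.

```python
"""Rejecting the traversal requests from the post before touching the disk.

Added illustration, not code from the original article. It takes the
"view" parameter a page like show.asp receives, decodes it the way the
server would (including %5c for a backslash), normalises it, and refuses
anything that would resolve outside the web root. Root and inputs are
constructed examples.
"""
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed root; the article's IIS example would be C:\Inetpub\wwwroot.
WEB_ROOT = "/var/www/site"


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request escapes root.

    The steps mirror the failure modes in the text:
      1. percent-decode repeatedly so %5c / %255c cannot hide a separator,
      2. treat backslash as a separator, as Windows servers do,
      3. lexically normalise '..' segments,
      4. require the result to still lie inside root.
    """
    decoded = user_path
    for _ in range(3):                       # bounded double-decoding guard
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or "\x00" in decoded:
        return None                          # absolute paths and NUL are never valid
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                          # '..' climbed out of the web root
    return candidate


def check_requests(root: str, views: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested view to the path that would be served (or None)."""
    return {v: resolve_under_root(root, v) for v in views}


if __name__ == "__main__":
    samples = [
        "oldarchive.html",                        # legitimate request
        "news/today.html",                        # legitimate subdirectory
        "../../../../../Windows/system.ini",      # first URL in the text
        "..%5c../Windows/System32/cmd.exe",       # %5c variant from the text
        "..%255c..%255cetc/passwd",               # double-encoded variant
    ]
    for view, result in check_requests(WEB_ROOT, samples).items():
        print(f"{view!r:42} -> {result}")
```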
certforumz

Zero Day Exploit:

A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. There are zero days between the time the vulnerability is discovered and the first attack.

Ordinarily, when someone detects that a software program contains a potential security issue, that person or company will notify the software company (and sometimes the world at large) so that action can be taken. Given time, the software company can fix the code and distribute a patch or software update. Even if potential attackers hear about the vulnerability, it may take them some time to exploit it; meanwhile, the fix will hopefully become available first.

Sometimes, however, a hacker may be the first to discover the vulnerability. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before it happens. Companies exposed to such exploits can, however, institute procedures for early detection:

    Use virtual LANs (IPsec) to protect the contents of individual transmissions.
    Deploy an intrusion detection system (stateful firewall).
    Introduce network access control to prevent rogue machines from gaining access to the wire.
    Lock down wireless access points and use a security scheme like Wi-Fi Protected Access or WPA2 for maximum protection against wireless-based attacks.