Friday, November 28, 2008

Wireless LANs

Wireless LANs
Not all networks are connected with cabling; some networks are wireless. Wireless LANs use high-frequency radio signals, infrared light beams, or lasers to communicate between the computers on the network. Each computer on a wireless network has a transceiver/antenna to send and receive the data. Information is relayed between transceivers as if they were physically connected. For longer distances, wireless communications can also take place through cellular telephone technology, microwave transmission, or by satellite.

Wireless networks are great for allowing laptop or remote computers to connect to the LAN. The two most common types of infrared communications used are line-of-sight and scattered broadcast. Line-of-sight communication means that there must be an unblocked direct line between the workstation and the transceiver. If a person walks through the line of sight while there is a transmission, the information would need to be sent again. Scattered infrared communication is a broadcast of infrared transmissions sent out in multiple directions that bounces off walls and ceilings until it eventually hits the receiver. Networking communications with lasers are virtually the same as line-of-sight infrared networks.

Wireless LANs have several disadvantages. They provide poor security, and are susceptible to interference from lights and electronic devices. They are also slower than LANs using cabling.

Understanding computer networks

A computer network is composed of multiple connected computers that communicate over a wired or wireless medium to share data and other resources. For instance, a home computer network may consist of two or more computers that share files and a printer using the network. The size and scalability of any computer network are determined both by the physical medium of communication and by the software controlling the communication.

Computer networks can be broadly classified into three main categories. They are

Local Area Network (LAN)
Metropolitan Area Network (MAN) &
Wide Area Network (WAN)

Local Area Network (LAN)
A network covering a small geographic area, like a home, office, or building, is known as a LAN. Current LANs are most likely to be based on Ethernet technology. A hub is just what it sounds like: a bicycle wheel uses a hub and spokes, and all the spokes connect to a central point, the hub.
LANs use different technologies to link computers together. Depending on the circumstance, the computers in the network might be connected using cables and hubs. Other networks might be connected strictly wirelessly. It depends on the number of PCs that you are trying to connect, the physical layout of your workspace, and the various needs that you have as you develop your network.
The defining characteristics of LANs, in contrast to WANs (wide area networks), include their much higher data transfer rates, smaller geographic range, and lack of a need for leased telecommunication lines. Current LAN technologies generally operate at speeds up to 10 Gbit/s. This is the data transfer rate.

Metropolitan Area Network (MAN)
A Metropolitan Area Network is a network that connects two or more Local Area Networks together but does not extend beyond the boundaries of the immediate town, city, or metropolitan area. Multiple routers, switches & hubs are connected to create a MAN.

Wide Area Network (WAN)
A WAN is a data communications network that covers a relatively broad geographic area (e.g. from one country or continent to another) and that often uses transmission facilities provided by common carriers, such as telephone companies. The highest data rate commercially available, as a single bitstream, on WANs is 40 Gbit/s, principally used between large service providers.

Wednesday, November 26, 2008

Actions you can take to protect computer systems


Adopt the following practices for protecting your system from various attacks:
1. Consult your system support personnel.
2. Use virus protection software
3. Use a firewall
4. Don’t open unknown email attachments
5. Don’t run programs of unknown origin
6. Disable hidden filename extensions
7. Keep all applications (including your operating system) patched
8. Turn off your computer or disconnect from the network when not in use
9. Disable Java, JavaScript, and ActiveX if possible
10. Disable scripting features in email programs
11. Make regular backups of critical data
12. Make a boot disk in case your computer is damaged or compromised
Consult your system support personnel if you work from home
If you use your broadband access to connect to your employer's network via a Virtual Private Network (VPN) or other means, your employer may have policies or procedures relating to the security of your home network. Be sure to consult with your employer's support personnel, as appropriate, before following any of the steps outlined in this document.

Use virus protection software
Be sure to keep your anti-virus software up-to-date. Many anti-virus packages support automatic updates of virus definitions. Use these automatic updates when available.

Use a firewall
We recommend the use of some type of firewall product, such as a network appliance or a personal firewall software package. Intruders are constantly scanning home user systems for known vulnerabilities. Network firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. However, no firewall can detect or stop all attacks, so it's not sufficient to install a firewall and then ignore all other security measures.

Don't open unknown email attachments
Before opening any email attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. If you must open an attachment before you can verify the source, we suggest the following procedure:
Be sure your virus definitions are up-to-date
Save the file to your hard disk
Scan the file using your anti-virus software
Open the file
For additional protection, you can disconnect your computer's network connection before opening the file.

Don't run programs of unknown origin
Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or co-workers simply because they are amusing -- they might contain a Trojan horse program.

Disable hidden filename extensions
Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but you can disable this option in order to have file extensions displayed by Windows. After disabling this option, there are still some file extensions that, by default, will continue to remain hidden.
There is a registry value which, if set, will cause Windows to hide certain file extensions regardless of user configuration choices elsewhere in the operating system. The "NeverShowExt" registry value is used to hide the extensions for basic Windows file types. For example, the ".LNK" extension associated with Windows shortcuts remains hidden even after a user has turned off the option to hide extensions.

Keep all applications, including your operating system, patched
Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor's web site. Read the manuals or browse the vendor's web site for more information.
Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered you may need to check periodically for updates.

Turn off your computer or disconnect from the network when not in use
Turn off your computer or disconnect its Ethernet interface when you are not using it. An intruder cannot attack your computer if it is powered off or otherwise completely disconnected from the network.
Disable Java, JavaScript, and ActiveX if possible
Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.
The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Turning off these options will keep you from being vulnerable to malicious scripts. However, it will limit the interaction you can have with some web sites.

Make regular backups of critical data
Keep a copy of important files on removable media such as ZIP disks or recordable CD-ROM disks (CD-R or CD-RW disks). Use software backup tools if available, and store the backup disks somewhere away from the computer.

Tuesday, November 25, 2008

Digital Signature & SSL

A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

Assume you were going to send some secret information to your superior officer in another town. You want to give him the assurance that it was unchanged from what you sent and that it is really from you.
You copy-and-paste the information into an e-mail note.
Using special software, you obtain a message hash (mathematical summary) of the information.
You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)
At the other end, your superior receives the message.
To make sure it's intact and from you, he makes a hash of the received message.
He then uses your public key to decrypt the message hash or summary.
If the hashes match, the received message is valid.

SSL: Digital certificates encrypt data using Secure Sockets Layer (SSL) technology, the industry-standard method for protecting web communications developed by Netscape Communications Corporation. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.
SSL comes in two strengths, 40-bit and 128-bit, which refer to the length of the "session key" generated by every encrypted transaction. The longer the key, the more difficult it is to break the encryption code. Most browsers support 40-bit SSL sessions, and the latest browsers, including Netscape Communicator 4.0, enable users to encrypt transactions in 128-bit sessions - trillions of times stronger than 40-bit sessions. Global companies that require international transactions over the web can use global server certificates program to offer strong encryption to their customers.
Security Center by VeriSign gives you access to a wealth of security resources, products, technologies, and news. Visit often for the latest information – because when it comes to protecting yourself on the Web, you can't be too careful.

What Can You Do to Protect Yourself from Spoofing?

Don't click on the link in an email that asks for your personal information. It will take you to a phony Web site that looks just like the Web site of the real company or agency. Following the instructions, you enter your personal information on the Web site – and into the hands of identity thieves.

Use a search engine to find the official Web site.

If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.

If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.

Be suspicious if someone contacts you unexpectedly and asks for your personal information. It’s hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you’re contacted out of the blue and asked for your personal information, it’s a warning sign that something is “phishy.” Legitimate companies and agencies don’t operate that way.

Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.

Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges.

Email Spoofing

"Email spoofing" is a term used to describe fraudulent emails in which the sender's address and other parts of the email header are altered to appear as though the email originated from a different source. In short, spoofing is a counterfeit email with stolen email addresses used without the knowledge of the real address.

Spoofing is a technique commonly used by spammers and scammers using phishing to hide the real origin of an email message. By changing certain properties of the email, such as the "From", "Return-Path" and "Reply-To" fields, these criminals can make the email appear to be from someone other than the actual sender.

Typically, they use phishing and spoofing to get personal information from you in order to steal your identity. Pretending to be from a legitimate retailer, bank, or government agency, the sender asks to “confirm” your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem.

The most common use is to send an email appearing to be from a bank asking you to go to its site (with the link provided) to re-enter your most personal information. The link takes you to a bogus website that captures your information, which is then used to transfer money from your account.
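The header fields named above (From, Return-Path and Reply-To) are exactly the ones a mail filter can cross-check. The following is an added example written for this page, not code from the original post: it parses a constructed sample message with Python's standard email module and reports when the Reply-To or Return-Path domain disagrees with the From domain. The sample addresses and domains are made up for the demonstration; a mismatch is a warning sign to investigate, not proof of fraud, and agreeing headers do not prove the mail is genuine.

```python
import email
from email.utils import parseaddr

# Constructed sample (not a real email): the visible From claims a bank,
# but Reply-To and Return-Path point to a different domain.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank Support" <support@examplebank.example>
Reply-To: <verify-account@examplebank-secure.example.net>
To: <customer@example.org>
Subject: Please confirm your billing information

Your account will be closed unless you confirm your details.
"""

# Constructed sample where the sender-related headers agree with each other.
SAMPLE_CLEAN = """\
Return-Path: <support@examplebank.example>
From: "Example Bank Support" <support@examplebank.example>
To: <customer@example.org>
Subject: Your monthly statement is available

Your statement for this month is ready.
"""


def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def spoofing_indicators(raw_message):
    """Compare the sender-related headers of one raw RFC 822 message.

    Returns a list of human-readable findings. An empty list means the headers
    agree with each other; it does not prove the message is genuine.
    """
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg["From"])
    findings = []
    if from_domain is None:
        findings.append("From header missing or unparsable")
        return findings
    for header in ("Reply-To", "Return-Path"):
        other = _domain(msg[header])
        if other is not None and other != from_domain:
            findings.append(
                f"{header} domain {other!r} differs from From domain {from_domain!r}"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, spoofing_indicators(sample) or "no indicators")
```

Return-Path is normally written by the receiving mail server from the envelope sender, so it is harder for the sender to control than the From line; that is why it is worth comparing. A careful reader will note that legitimate mailing lists and some bulk mailers also produce mismatches, which is why the function reports findings rather than deciding for you.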

Friday, November 21, 2008

Cryptography

Cryptography is the practice and study of hiding information. In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. In many contexts, the word encryption also implicitly refers to the reverse process, decryption, to make the encrypted information readable again.

Cryptography has been around for centuries, used mainly to secure communication between governments or military officials. For cryptography to work, both the sending and receiving party must use the same process to encode and decode the data. The keys used for cryptography must be guarded closely, because anyone who has the key has the ability to decrypt the data. Keys are usually not sent via the medium they are meant to protect. Transmission of the keys usually would be done via a telephone conversation, the postal system or some other physical means, such as a CD or floppy disk.

The key is a piece of information that controls the operation of a cryptographic algorithm. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption. Keys are also used in other cryptographic algorithms, such as digital signature schemes and message authentication codes.

There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

Public-key encryption is a cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When A wants to send a secure message to B, he uses B's public key to encrypt the message. B then uses his private key to decrypt it.
An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.

Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They are extremely secure and relatively simple to use. The only difficulty with public-key systems is that you need to know the recipient's public key to encrypt a message for him.

Pretty Good Privacy (PGP) is one of the most common ways to protect messages on the Internet because it is effective, easy to use, and free. PGP is based on the public-key method, which uses two keys -- one is a public key that you disseminate to anyone from whom you want to receive a message. The other is a private key that you use to decrypt messages that you receive. To encrypt a message using PGP, you need the PGP encryption package, which is available for free from a number of sources.

A public key infrastructure (PKI) is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique for each CA. This is carried out by software at a CA, possibly under human supervision, together with other coordinated software at distributed locations. For each user, the user identity, the public key, their binding, validity conditions and other attributes are made unforgeable in public key certificates issued by the CA.

PKI arrangements enable computer users without prior contact to be authenticated to each other, and to use the public key information in their public key certificates to encrypt messages to each other. In general, a PKI consists of client software, server software, hardware (e.g., smart cards), legal contracts and assurances, and operational procedures. A signer's public key certificate may also be used by a third-party to verify the digital signature of a message, which was made using the signer's private key.

In general, a PKI enables the parties in a dialogue to establish confidentiality, message integrity and user authentication without having to exchange any secret information in advance, or even any prior contact. The validity of a PKI between the communicating parties is, however, limited by practical problems such as uncertain certificate revocation, CA conditions for certificate issuance and reliance, variability of regulations and evidentiary laws by jurisdiction, and trust. These problems, which are significant for the initial contact, tend to be less important as the communication progresses in time (including the use of other communication channels) and the parties have opportunities to develop trust on their identities and keys.

Thursday, November 20, 2008

How you can prevent email related threats

You probably receive lots of mail each day, much of it unsolicited and containing unfamiliar but plausible return addresses. Some of this mail uses social engineering to tell you of a contest that you may have won or the details of a product that you might like. The senders are trying to encourage you to open the letter, read its contents, and interact with them in some way that is financially beneficial - to them. Even today, many of us open letters to learn what we've won or what fantastic deal awaits us. Since there are few consequences, there's no harm in opening them.

Email-borne viruses and worms operate much the same way, except there are consequences, sometimes significant ones. Malicious email often contains a return address of someone we know and often has a provocative Subject line. This is social engineering at its finest – something we want to read from someone we know.

Email viruses and worms are common. If you've not received one, chances are you will. Here are steps you can use to help you decide what to do with every email message with an attachment that you receive. You should only read a message that passes all of these tests.
The Know test: Is the email from someone that you know?
The Received test: Have you received email from this sender before?
The Expect test: Were you expecting email with an attachment from this sender?
The Sense test: Does email from the sender with the contents as described in the Subject line and the name of the attachment(s) make sense? For example, would you expect the sender – let's say your Mother – to send you an email message with the Subject line "Here you have, ;o)" that contains a message with attachment – let's say AnnaKournikova.jpg.vbs? A message like that probably doesn't make sense. In fact, it happens to be an instance of the Anna Kournikova worm, and reading it can damage your system.
The Virus test: Does this email contain a virus? To determine this, you need to install and use an anti-virus program. That task is described in Task 1 - Install and Use Anti-Virus Programs of "Home Computer Security."
You should apply these five tests – KRESV – to every piece of email with an attachment that you receive. If any test fails, toss that email. If they all pass, then you still need to exercise care and watch for unexpected results as you read it.
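The Know, Received and Expect tests depend on your own memory, but the filename half of the Sense test can be automated, and the AnnaKournikova.jpg.vbs example shows the pattern to look for: a script extension hidden behind a harmless-looking one. The following is an added example written for this page, not code from the original post. It builds a constructed message resembling the one described (the attachment contains placeholder bytes, not a worm), then flags attachments whose name ends in an executable or script extension or carries a double extension. The extension lists are illustrative assumptions, not a complete catalogue.

```python
import email
import os
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Extensions that run code when double-clicked on a typical desktop
# (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
}
# Extensions that a malicious attachment is commonly disguised as.
INNOCENT_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}


def assess_attachment_name(filename):
    """Return the reasons a filename fails the Sense test; empty list if none."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable/script extension {ext!r}")
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in INNOCENT_EXTENSIONS and ext and ext != inner_ext:
        reasons.append(f"double extension: looks like {inner_ext!r} but is really {ext!r}")
    return reasons


def build_sample_message():
    """Construct a message like the post's example; the attachment is placeholder bytes."""
    msg = MIMEMultipart()
    msg["From"] = "mother@example.org"
    msg["To"] = "you@example.org"
    msg["Subject"] = "Here you have, ;o)"
    msg.attach(MIMEText("Hi!"))
    part = MIMEApplication(b"constructed placeholder, not a real script",
                           Name="AnnaKournikova.jpg.vbs")
    part["Content-Disposition"] = 'attachment; filename="AnnaKournikova.jpg.vbs"'
    msg.attach(part)
    return msg.as_string()


def sense_test(raw_message):
    """Apply the filename part of the Sense test to every attachment.

    Returns {filename: [reasons]} for attachments that fail; {} if all pass.
    """
    msg = email.message_from_string(raw_message)
    failures = {}
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None:
            continue
        reasons = assess_attachment_name(filename)
        if reasons:
            failures[filename] = reasons
    return failures


if __name__ == "__main__":
    for name, why in sense_test(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

With Windows set to hide known extensions, the file above would be listed simply as AnnaKournikova.jpg, which is why the earlier post recommends disabling that option: the check here works from the real name in the message, not the name the desktop chooses to show.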

IP Address

An IP address (Internet Protocol address) is a unique address that certain electronic devices use in order to identify and communicate with each other on a computer network utilizing the Internet Protocol standard (IP)—in simpler terms, a computer address. Any participating network device—including routers, switches, computers, time-servers, printers, Internet fax machines, and some telephones—can have their own unique address.

In other words, the IP address acts as a locator for one IP device to find another and interact with it. It is not intended, however, to act as an identifier that always uniquely identifies a particular device.

An IP address can also be thought of as the equivalent of a street address or a phone number for a computer or other network device on the Internet. Just as each street address and phone number uniquely identifies a building or telephone, an IP address can uniquely identify a specific computer or other network device on a network. An IP address differs from other contact information, however, because the linkage of a user's IP address to his/her name is not publicly available information.

Further, an IP address is not necessarily linked, in a persistent way, to a physical location or even data link layer address.

In the past, an IP address could be considered a unique identifier of a particular IP host, in addition to being a locator. When it was usable as an identifier, it was static, and it was assumed to be globally unique from end to end of the Internet.

In current practice, an IP address is less likely to be an identifier, due to technologies such as:
· Dynamic assignment, as with an address that is assigned by the access device by which the user's host connects over a dialup telephone line or by a set-top box for an IP over cable network. However the network provider maintains a database of which IP address was assigned to which access port on dialup, or MAC address on LANs or broadband networks. This information, assuming it is available to the investigator, may help to identify the computer, although that is unlikely if it was a dialup connection where the identifier is of the dial-in port, not the computer itself. More extensive forensic work, with access to telephone records, may identify the calling telephone, although that may itself be a "cutout" on the way to the real telephone.
· Network address translation (NAT), a feature common on gateway routers in corporate networks or home LANs, where the address visible to the Internet is the "outside" of a device that maps it to a completely different and hidden address on the "inside".

Friday, November 14, 2008

Understanding Cyber Forensics

Cyber forensics can be defined as the process of extracting information and data from computer storage media and guaranteeing its accuracy and reliability. The challenge of course is actually finding this data, collecting it, preserving it, and presenting it in a manner acceptable in a court of law.
In other words, cyber forensics, or computer forensics, is the application of scientifically proven methods to gather, process, interpret, and use digital evidence to provide a conclusive description of cyber crime activities. Cyber forensics also includes the act of making digital data suitable for inclusion in a criminal investigation. Today cyber forensics is a term used in conjunction with law enforcement, and courses in it are offered at many colleges and universities worldwide.

In cyber crimes, physical evidence, which was the backbone of criminal investigation, no longer exists. The domain of evidence has transcended from the physical to the virtual – digital evidence. Digital evidence is latent in nature and needs use of some tools to gather and interpret the evidence just like DNA analysis.

Since any evidence has to be accepted by the court of law, digital evidence also needs to be produced in a manner acceptable to the court. Cyber forensics, which facilitates digital evidence acquisition and analysis, has become the need of the hour.
Electronic evidence is fragile and can easily be modified. Additionally, cyber thieves, criminals, dishonest and even honest employees hide, wipe, disguise, cloak, encrypt and destroy evidence from storage media using a variety of freeware, shareware and commercially available utility programs.
A global dependency on technology combined with the expanding presence of the Internet as a key and strategic resource requires that corporate assets are well protected and safeguarded.
When those assets come under attack, or are misused, infosecurity professionals must be able to gather electronic evidence of such misuse and utilize that evidence to bring to justice those who misuse the technology.
Cyber forensics, while firmly established as both an art as well as a science, is at its infancy. With technology evolving, mutating, and changing at such a rapid pace, the rules governing the application of cyber forensics to the fields of auditing, security, and law enforcement are changing as well. Almost daily, new techniques and procedures, are designed to provide infosecurity professionals a better means of finding electronic evidence, collecting it, preserving it, and presenting it to client management for potential use in the prosecution of cyber criminals.
The anonymity provided by the Internet, and the ability of society's criminal element to use information technology as a tool for social and financial discourse, mandate that those professionals charged with the responsibility of protecting critical infrastructure resources have the tools to do so. The authors of this site have developed a text that will provide one of those tools.
Cyber forensics activities can be broadly classified into three areas.
Computer (disk) forensics - deals with gathering evidence from computer media seized at the crime scene.
Network Forensics – deals with gathering digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved within permanent storage media.
Device Forensics - deals with gathering digital evidence available in different types of devices such as mobile phones, PDAs, printers, scanners, cameras, fax machines, etc. Each of these areas has itself become an independent research area.
In cyber crimes the evidence is digital information available on the computers or devices used in the crime. This digital evidence is highly volatile and prone to modification by others. The challenge before the information technology community is how to prepare evidence in cyber crimes from computers and networks so that it can be effectively presented before the court of law. A cyber forensics procedure that conforms to the law is needed for proving the digital evidence in court. The most accepted procedure is Identify, Seize, Authenticate, Acquire, Analyse, and Preserve the evidence. In this procedure, authentication of the digital evidence is the most important component, because digital evidence is highly prone to tampering. Cyber forensics analysis requires tools that can access any data available on the mass storage media, including deleted files and data in unallocated disk areas. Cyber crime investigation is actually a team effort where law enforcement agencies, computer experts and cyber forensics experts work together to unearth the evidence required for proving the crime in the court of law.
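The Authenticate and Preserve steps above come down to two practical things: recording a fingerprint of the evidence image at the moment of acquisition so that any later change can be proven, and keeping a chain-of-custody log that cannot be quietly edited. The following is an added example written for this page, not code from the original post or from any forensic tool. It hashes a constructed "disk" image with two algorithms at acquisition, re-checks it later, and keeps a custody log in which each entry commits to the hash of the previous one; the examiner names, timestamps and media contents are made-up demo values.

```python
import hashlib
import json


def fingerprint(data: bytes) -> dict:
    """Hashes and size of an evidence image; two hashes give independent confirmation."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
    }


def acquire(source_media: bytes, examiner: str, timestamp: str):
    """Bit-for-bit copy of the seized media plus its fingerprint at acquisition.

    Returns (image, acquisition_record).
    """
    image = bytes(source_media)
    record = {"step": "acquire", "examiner": examiner, "time": timestamp,
              **fingerprint(image)}
    return image, record


def authenticate(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare with what was recorded at acquisition."""
    current = fingerprint(image)
    return (current["sha256"] == record["sha256"]
            and current["md5"] == record["md5"]
            and current["size"] == record["size"])


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same content always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_custody(log: list, entry: dict) -> list:
    """Append to the chain-of-custody log.

    Each entry stores the hash of the previous entry, so editing, removing or
    reordering an earlier entry breaks every hash that follows it.
    """
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {**entry, "prev_hash": prev}
    body["entry_hash"] = _entry_hash(body)
    log.append(body)
    return log


def verify_custody(log: list) -> bool:
    """Walk the log and confirm every link and every entry hash still holds."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed demo media: a tiny 'disk' with a deleted-file remnant in unallocated space.
DEMO_MEDIA = (b"FILE1: budget.xls\x00" + b"\x00" * 16
              + b"[deleted] transfer to acct 12345" + b"\x00" * 8)


def demo():
    """Acquire the demo media and record two custody steps (all values constructed)."""
    image, acq = acquire(DEMO_MEDIA, examiner="Examiner A (constructed)",
                         timestamp="2008-11-14T10:00:00Z")
    log = append_custody([], acq)
    append_custody(log, {"step": "analyse", "examiner": "Examiner B (constructed)",
                         "time": "2008-11-14T11:30:00Z",
                         "note": "keyword search of unallocated area"})
    return image, acq, log


if __name__ == "__main__":
    image, acq, log = demo()
    print("image authentic:", authenticate(image, acq))
    print("custody log intact:", verify_custody(log))
```

Flipping one bit of the image, editing a past log entry, or deleting an entry all make the checks fail, which is the property the court needs: it is not that evidence cannot be altered, but that any alteration is detectable. Real tools write the same kind of record (hash, size, time, examiner) into the image container; the log here is a simplified stand-in for that.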

Prevent online credit card fraud with a battery-powered credit card

This is an article published in the Times of India on 13/11/2008. The article says that a new credit card, which is battery powered has been designed by an Australian firm, EMUE to prevent online fraud. The details are as follows.
The card, which includes an alpha-numeric display, built-in microprocessor, a key pad and three years of battery power, will display a one-time number with which to authenticate each online credit card transaction whenever the user enters the PIN. The company authorities hope that this will prevent the $1 billion a year lost to credit card fraud.

The trial of this card would begin with an Australian bank in the first quarter of next year.
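The article does not say how EMUE's card computes its one-time number, so the following is an added example written for this page, not the company's design or code: it uses HOTP (RFC 4226), the standard counter-based one-time-password algorithm, to model the idea of a PIN-protected card that shows a fresh number for each transaction and a bank that refuses a number once it has been used. The card and verifier classes, the window size and the PIN are assumptions for the demo; the secret is the RFC's published test-vector key, so the first codes it produces are the RFC's own test values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as specified in RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class DisplayCard:
    """Hypothetical model of a display card (not EMUE's design): the shared secret
    and a counter live inside the card; a correct PIN releases the next number."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def press(self, pin: str):
        # Constant-time comparison so timing does not reveal how many PIN digits matched.
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class IssuerVerifier:
    """Bank-side check. It tolerates a few codes that were generated but never
    submitted (the look-ahead window) and refuses any code at or below the last
    accepted counter, which is what stops a captured number from being replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret
        self._window = window
        self._next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next_counter = c + 1
                return True
        return False


# Constructed demo values: the secret is the RFC 4226 test-vector key; the PIN is made up.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"


if __name__ == "__main__":
    card = DisplayCard(DEMO_SECRET, DEMO_PIN)
    bank = IssuerVerifier(DEMO_SECRET)
    code = card.press(DEMO_PIN)
    print("code shown:", code, "accepted:", bank.verify(code), "replayed:", bank.verify(code))
```

The point for fraud prevention is in IssuerVerifier.verify: a phishing site that captures the number from one transaction gains nothing, because the bank has already moved its counter past it. The window is a usability trade-off: too small and a customer who pressed the button twice is locked out, too large and an attacker who obtains one code gets more chances to guess the position.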

Friday, November 7, 2008

Understanding Internet

The Internet is a worldwide system of computer networks, a network of networks in which a user at any one computer can, with permission, obtain information from any other computer on the Internet. A network is a set of computers interconnected by communication paths. Networks are classified as local area networks (LANs), metropolitan area networks (MANs) and wide area networks (WANs) depending on the geographical area they cover.

Today the Internet is a public, cooperative and self-sustaining facility accessible to millions of people worldwide. Physically, it uses a portion of the total resources of the existing public telecommunication networks. Technically, what distinguishes the Internet is its use of a set of protocols called TCP/IP (Transmission Control Protocol/Internet Protocol).

For many Internet users, electronic mail (e-mail) has practically replaced the postal service for short written transactions; e-mail is one of the most widely used applications on the Net.

The most widely used part of the Internet is the World Wide Web (often abbreviated "WWW" or called "the Web"). Its outstanding feature is hypertext, a method of instant cross-referencing. On most Web sites certain words or phrases appear in a different colour from the rest of the text and are often underlined. When you select one of these words or phrases you are taken to the site or page that it refers to. Sometimes buttons, images or portions of images are "clickable": if you move the pointer over a spot on a Web page and the pointer changes into a hand, you can click there to be taken to another page or site.

A browser is an application program that provides a way to look at and interact with the information on the World Wide Web. Anyone who wants to view Web sites on the Internet needs a browser program, for example Internet Explorer or Netscape Navigator. It is the basic tool required to surf the Internet. By analogy, to watch movies or cricket matches on television you need a TV set and a cable connection or antenna to receive the signals; to surf the Internet you need a computer, an Internet connection through a service provider (normally known as an ISP) and browser software such as Internet Explorer installed on your computer.

Technically, a Web browser is a client program that uses HTTP (Hypertext Transfer Protocol) to make requests of Web servers throughout the Internet on behalf of the browser user. HTTP is the set of rules for transferring files (text, graphic images, sound, video and other multimedia files) on the World Wide Web. As soon as a user opens a Web browser and loads a page, the user is indirectly making use of HTTP. Note that plain HTTP carries requests and responses in the clear; the HTTPS variant wraps the same exchange in TLS/SSL so that it cannot be read or altered in transit.
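The request/response exchange described above, shown at the byte level. This is an added example and not code from the original post: it builds the GET request a browser sends, parses the reply, and runs the exchange against Python's own http.server on a loopback port so that it works offline. The page content served and the User-Agent string are constructed for the demonstration.

```python
"""Added example (not from the original post): one HTTP request and reply.
The server is Python's standard http.server bound to 127.0.0.1 on a port
chosen by the OS; the page it serves (PAGE) is constructed for the demo."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

def build_get_request(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 requires a Host header. 'Connection: close' tells the server
    to end the reply by closing the socket, which keeps reading simple."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "User-Agent: example-client/0.1",
             "Accept: text/html", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a reply into status code, headers and body. A browser looks at
    Content-Type to decide whether the body is hypertext it should render."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])          # "HTTP/1.x <code> <reason>"
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

PAGE = b'<html><body><a href="/next">next page</a></body></html>'   # constructed content

class Handler(BaseHTTPRequestHandler):
    """Serves PAGE at '/' and a 404 for anything else."""
    def do_GET(self):
        found = self.path == "/"
        body = PAGE if found else b"not found"
        self.send_response(200 if found else 404)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):                     # keep the demo output quiet
        pass

def fetch(path: str = "/") -> Tuple[int, Dict[str, str], bytes]:
    """Start a throwaway server, send one request over a raw socket, and
    return the parsed reply, exactly what a browser does behind the scenes."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        with socket.create_connection((host, port)) as sock:
            sock.sendall(build_get_request(f"{host}:{port}", path))
            raw = b""
            while chunk := sock.recv(4096):           # server closes when done
                raw += chunk
        return parse_response(raw)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    code, headers, body = fetch("/")
    print(code, headers.get("content-type"), body)
    print(fetch("/missing")[0])
```

The hyperlink inside PAGE is what the text calls hypertext: the browser turns `href="/next"` into another request just like the first one.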

Tuesday, November 4, 2008

Cyber Forensics

Cyber forensics can be defined as the process of extracting information and data from computer storage media and guaranteeing its accuracy and reliability. The challenge of course is actually finding this data, collecting it, preserving it, and presenting it in a manner acceptable in a court of law.
In other words, cyber forensics (or computer forensics) is the application of scientifically proven methods to gather, process, interpret and use digital evidence to provide a conclusive description of cyber crime activities. Cyber forensics also includes the act of making digital data suitable for inclusion in a criminal investigation. Today the term is used in conjunction with law enforcement, and the subject is taught as a course at many colleges and universities worldwide.

In cyber crimes, the physical evidence that was the backbone of criminal investigation often no longer exists. The domain of evidence has moved from the physical to the virtual: digital evidence. Digital evidence is latent in nature and, just like DNA, needs tools to gather and interpret it.

Since any evidence has to be accepted by the court of law, digital evidence also needs to be produced in a manner acceptable to the court. Cyber Forensics to facilitate digital evidence acquisition and analysis has become the need of the hour.
Electronic evidence is fragile and can easily be modified. Additionally, cyber thieves, criminals, dishonest and even honest employees hide, wipe, disguise, cloak, encrypt and destroy evidence from storage media using a variety of freeware, shareware and commercially available utility programs.
A global dependency on technology combined with the expanding presence of the Internet as a key and strategic resource requires that corporate assets are well protected and safeguarded.
When those assets come under attack, or are misused, infosecurity professionals must be able to gather electronic evidence of such misuse and utilize that evidence to bring to justice those who misuse the technology.
Cyber forensics, while firmly established as both an art and a science, is still in its infancy. With technology evolving, mutating and changing at such a rapid pace, the rules governing the application of cyber forensics to auditing, security and law enforcement are changing as well. Almost daily, new techniques and procedures are designed to give infosecurity professionals a better means of finding electronic evidence, collecting it, preserving it and presenting it to client management for potential use in the prosecution of cyber criminals.
The anonymity provided by the Internet, and the ability of society's criminal element to use information technology as a tool for social and financial discourse, mandate that the professionals charged with protecting critical infrastructure resources have the tools to do so. The authors of this site have developed a text that will provide one of those tools.
Cyber forensics activities can be broadly classified into three areas.
Computer (disk) forensics - deals with gathering evidence from computer media seized at the crime scene.
Network forensics - deals with gathering digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved on permanent storage media.
Device forensics - deals with gathering digital evidence from other kinds of device such as mobile phones, PDAs, printers, scanners, cameras and fax machines. Each of these areas has become an independent research area in its own right.
In cyber crimes the evidence is digital information held on the computers or devices used in the crime. This digital evidence is highly volatile and prone to modification by others. The challenge before the information technology community is how to gather evidence of cyber crimes from computers and networks so that it can be effectively presented before a court of law. A cyber forensics procedure that conforms to the law is needed for proving digital evidence in court. The most accepted procedure is: Identify, Seize, Authenticate, Acquire, Analyse and Preserve the evidence. Authentication of the digital evidence is the most important component, because digital evidence is so easily tampered with: in practice this means imaging the media through a write blocker and recording cryptographic hashes (MD5, SHA-1 or SHA-256) of the original and of the copy, so that the copy can be shown to be identical at the time of acquisition and any later change can be detected. Cyber forensics analysis requires tools that can access any data available on the mass storage media, including deleted files and data in unallocated disk areas. Cyber crime investigation is a team effort in which law enforcement agencies, computer experts and cyber forensics experts work together to unearth the evidence required for proving the crime in a court of law.
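The Acquire, Authenticate and Analyse steps of the procedure above, as an added example that is not part of the original post. The "disk image" is a byte string constructed inline (a small allocated area followed by unallocated space holding two files whose directory entries are gone); a real acquisition would read a raw image produced by a tool such as dd through a write blocker. The JPEG and PNG magic numbers are the real ones.

```python
"""Added example (not from the original post): hashing an acquired image,
re-verifying a working copy against the acquisition record, and carving
deleted files out of unallocated space by signature. The image is a
constructed bytes object; nothing here touches a real disk."""
import hashlib
import struct
from typing import Dict, List, Tuple

# Real file signatures: (header, trailer).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def acquire(image: bytes) -> Dict[str, str]:
    """Record size and two independent digests at acquisition time; this is
    the record that later proves the copy has not changed."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": str(len(image)),
    }

def authenticate(image: bytes, record: Dict[str, str]) -> bool:
    """Re-hash a working copy and compare it with the acquisition record."""
    return acquire(image) == record

def carve(image: bytes) -> List[Tuple[str, int, bytes]]:
    """Scan every byte of the image, allocated or not, for known headers and
    cut each file out up to its trailer. A deleted file whose directory entry
    is gone is still recovered because its data remains on the media."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head))
            if end == -1:
                break                                  # truncated file, stop
            end += len(tail)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[1])           # by offset

def build_sample_image() -> bytes:
    """Constructed image: a tiny 'filesystem' area, then unallocated space
    containing a deleted JPEG and a deleted PNG."""
    allocated = b"FAT\x00" + b"README.TXT  " + b"hello world\n" + b"\x00" * 40
    jpeg = SIGNATURES["jpeg"][0] + b"\xe0\x00\x10JFIF" + b"A" * 20 + SIGNATURES["jpeg"][1]
    png = (SIGNATURES["png"][0] + struct.pack(">I", 13) + b"IHDR" + b"B" * 17
           + SIGNATURES["png"][1])
    unallocated = b"\x00" * 16 + jpeg + b"\xff" * 8 + png + b"\x00" * 16
    return allocated + unallocated

if __name__ == "__main__":
    image = build_sample_image()
    record = acquire(image)                  # Acquire: hash at seizure time
    print("working copy verifies:", authenticate(image, record))
    tampered = image[:-1] + b"\x01"          # one byte changed after seizure
    print("tampered copy verifies:", authenticate(tampered, record))
    for kind, offset, data in carve(image):  # Analyse: look in unallocated space
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

Real carvers also handle files without a fixed trailer and fragmented files; the point here is that the data is found by scanning the media, not by trusting the filesystem's view of it.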

Monday, November 3, 2008

Common types of Cyber Attacks

The following are the most common types of attacks an intruder could carry out against your network, or once he gets into it.
Website Defacement
A website defacement is when an attacker (a "defacer") breaks into a web server and alters the hosted website or replaces it with one of his own. Sometimes the defacer makes fun of the system administrator for failing to maintain server security. Often the defacement itself is harmless, but it can also be used as a distraction to cover up more sinister actions such as uploading malware.

Unsolicited Commercial Email (UCE or SPAM)
E-mail spam, also known as bulk e-mail or junk e-mail, is a subset of spam that involves sending nearly identical messages to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE); some definitions specifically require both aspects, that the mail is unsolicited and that it is sent in bulk. UCE refers specifically to unsolicited commercial e-mail.
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid by the recipient or the carriers rather than by the sender.
In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. Consequently many organisations, as well as individuals, have taken it upon themselves to fight spam with a variety of techniques. But because the Internet is public, there is little that can be done to prevent spam from being sent, just as it is impossible to prevent junk mail. However, some online services have instituted policies to prevent spammers from spamming their subscribers.

IP Spoofing
Spoofing an IP address is the act of replacing the real source address of a packet with a different one. It is used to gain unauthorised access to computers: the intruder sends messages with a source IP address indicating that they come from a trusted host. To engage in IP spoofing, an attacker must first find the IP address of a host the target trusts and then modify the packet headers so that the packets appear to come from that host.

Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the destination IP address to forward packets through the Internet and, unless configured to filter on it, ignore the source IP address. That address is only used by the destination machine when it responds back to the source.
A common misconception is that IP spoofing can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail and so forth. This is generally not true. Forging the source IP address causes the responses to be sent to the forged address, so the attacker never sees them and cannot complete a normal TCP connection unless he can predict the sequence numbers the victim will use. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing), such as the SYN flood and Smurf attacks described below. Routers and firewalls can protect against spoofing by ingress filtering (RFC 2827 / BCP 38): a packet arriving on an interface is dropped if its source address does not belong to the networks that are legitimately reachable through that interface.
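The ingress filtering check described above, as an added example that is not code from the original post. It builds IPv4 headers with a forged source (nothing is transmitted), verifies the header checksum, and applies a BCP 38 style decision: on a customer-facing interface only the customer's own prefix may appear as source, and on the Internet-facing uplink a packet claiming one of our own internal addresses as its source is a spoof. The interface names, prefixes and addresses are hypothetical (documentation ranges).

```python
"""Added example (not from the original post): a minimal BCP 38 / RFC 2827
ingress filter applied to constructed IPv4 packets. Interface names and
prefixes are hypothetical."""
import ipaddress
import struct
from typing import Dict, List

# Hypothetical topology: which source prefixes may enter on each interface.
INGRESS_POLICY: Dict[str, List[ipaddress.IPv4Network]] = {
    "customer0": [ipaddress.ip_network("203.0.113.0/24")],   # assigned to this customer
    "uplink0":   [ipaddress.ip_network("0.0.0.0/0")],        # anything from the Internet...
}
# ...except our own addresses, which can never legitimately arrive from outside.
INTERNAL = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Over a header whose
    checksum field is already filled in, the result is 0 when it is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int = 6, payload: bytes = b"") -> bytes:
    """Build a 20-byte IPv4 header with any source we like; this is exactly
    how little it takes to spoof, since the header is just numbers."""
    ver_ihl, tos, ident, flags_frag, ttl = 0x45, 0, 0x1234, 0x4000, 64
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + len(payload), ident,
                         flags_frag, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload

def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Decode the fields the filter needs and verify the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    fields = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "src": ipaddress.ip_address(fields[8]),
        "dst": ipaddress.ip_address(fields[9]),
        "proto": fields[6],
        "checksum_ok": ipv4_checksum(header) == 0,
    }

def ingress_decision(interface: str, packet: bytes) -> str:
    """Return 'forward' or 'drop: <reason>' for a packet arriving on interface."""
    p = parse_ipv4(packet)
    if not p["checksum_ok"]:
        return "drop: bad header checksum"
    src = p["src"]
    if interface == "uplink0" and any(src in net for net in INTERNAL):
        return "drop: internal source arriving from the Internet (spoofed)"
    if not any(src in net for net in INGRESS_POLICY[interface]):
        return f"drop: source {src} not permitted on {interface}"
    return "forward"

if __name__ == "__main__":
    cases = [("customer0", build_ipv4("203.0.113.10", "198.51.100.5")),   # genuine customer
             ("customer0", build_ipv4("192.0.2.77", "198.51.100.5")),     # customer spoofing
             ("uplink0", build_ipv4("198.51.100.9", "203.0.113.10"))]     # outsider claims our IP
    for iface, pkt in cases:
        print(iface, parse_ipv4(pkt)["src"], "->", ingress_decision(iface, pkt))
```

The filter cannot tell a spoofed address inside the permitted prefix from a real one; that is why BCP 38 is applied as close to the edge as possible, where the set of legitimate sources is smallest.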

Email Spoofing
E-mail spoofing describes fraudulent e-mail activity in which the sender address and other parts of the e-mail header are altered so that the message appears to have originated from a different source. It is a technique commonly used in spam and phishing to hide the origin of a message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (all found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often combined with a spoofed Web site which mimics an actual, well-known site but is run by another party, either with fraudulent intentions or as a means of criticising the organisation's activities. Nothing in the basic SMTP protocol checks these header fields, which is why a mismatch between the From domain and the Return-Path or Reply-To domain is one of the simplest signs of a forged message.
As many spammers now use software that generates random sender addresses, even if the recipient traces the apparent origin of the e-mail it is unlikely that the address will be an active one.
The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party.

URL Spoofing or Phishing
Another kind of spoofing is "web page spoofing", also known as phishing. In this attack a legitimate web page, such as a bank's site, is reproduced in "look and feel" on another server under the attacker's control. The intent is to fool users into thinking they are connected to the trusted site, for instance in order to harvest user names and passwords.
The attack is often performed with the aid of URL spoofing, which exploits web browser bugs to display an incorrect URL in the browser's location bar, or with DNS cache poisoning to direct the user away from the legitimate site to the fake one. Once the user enters a password, the attack code reports a password error and then redirects the user back to the legitimate site, so the victim often never realises anything was wrong.

Caller ID Spoofing
In public telephone networks it has long been possible to find out who is calling you by looking at the Caller ID information transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity and present false names and numbers, which can of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be delivered to any phone on the planet, which makes Caller ID information next to useless as proof of who is calling. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country from the receiver, which makes it very difficult to have a legal framework to control those who use fake Caller IDs as part of a scam.

Login Spoofing
Login spoofing is a technique used to obtain a user's password. The user is presented with an ordinary looking login prompt for username and password, which is actually a malicious program, usually called a Trojan horse under the control of the attacker. When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security.
To prevent this, some operating systems require a special key combination (called a Secure attention key) to be entered before a login screen is presented, for example Control-Alt-Delete. Users should be instructed to report login prompts that appear without having pressed this secure attention key. Only the kernel, which is the part of the operating system that interacts directly with the hardware, can detect whether the secure attention key has been pressed, so it cannot be intercepted by third party programs, unless the kernel itself has been compromised.

Denial of Service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by:
forcing the targeted computer to reset, or consume its resources such that it can no longer provide its intended service; and/or,
obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Although a DoS attack does not usually result in the theft of information or other security loss, it can cost the target person or company a great deal of time and money.
Common forms of denial of service attacks are:
1. Buffer Overflow Attacks
The simplest kind of DoS attack is to send a program more data than the programmers who designed its buffers anticipated. The attacker may know that the target system has such a weakness, or may simply try the attack in case it works. A few of the better-known attacks based on the buffer handling of a program or system include:
Sending e-mail messages with attachments whose file names are 256 characters long to Netscape and Microsoft mail programs
Sending oversized Internet Control Message Protocol (ICMP) packets (the "ping of death")
Sending a user of the Pine e-mail program a message with a "From" address longer than 256 characters
2. SYN Attack
When a TCP (Transmission Control Protocol) session is set up between a client and a server, the server keeps a small queue (the backlog) of connections that have been requested but not yet completed by the three-way handshake: the client sends a packet with the SYN flag set, the server replies with SYN-ACK, and the client completes the handshake with an ACK. An attacker can send a large number of SYN requests very rapidly, usually with spoofed source addresses, and never send the final ACK. Each such half-open connection occupies a slot in the backlog until it times out, so legitimate connection requests are refused while the queue is full. The effect of many bogus connection requests is to make it difficult for legitimate sessions to get established. Defences depend on the operating system: tuning the backlog size and the half-open timeout, or using SYN cookies, which let the server avoid keeping state until the handshake completes.
3. Teardrop Attack
This type of denial of service attack exploits the way the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset that tells the receiving system where its data belongs when the original packet is reassembled. In the teardrop attack the attacker sends fragments whose offsets overlap, so that the second or a later fragment claims to start inside the data of an earlier one. If the receiving operating system does not check for this, reassembly can corrupt memory and crash the system.
4. Smurf Attack
In this attack the perpetrator sends ICMP echo (ping) requests to the broadcast address of an intermediary network, so that every host on that network receives a copy. The source address of each request is forged to be the real target of the attack. Every host on the intermediary network replies to that forged address, so the target is flooded with ping replies, amplified by the number of hosts that answered. If the flood is great enough, the target can no longer receive or distinguish legitimate traffic. The standard countermeasure is for routers to refuse to forward directed broadcasts (RFC 2644), together with the ingress filtering against spoofed sources described above.
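Simple detectors for the SYN flood, teardrop and Smurf patterns described above, run over a constructed list of packet summaries such as a sniffer or flow log would give. This is an added example, not code from the original post; the site network, the broadcast address, the threshold and all addresses are hypothetical (documentation ranges), and the thresholds would have to be tuned to a real link.

```python
"""Added example (not from the original post): detectors for three of the
DoS patterns described above, over constructed packet summaries. The site
network, threshold and addresses are hypothetical."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")          # hypothetical site network
DIRECTED_BROADCAST = ipaddress.ip_address("192.0.2.255")

def detect_syn_flood(packets: List[Dict], max_half_open: int = 50) -> List[str]:
    """A SYN without the client's final ACK leaves a half-open entry in the
    server's backlog; many of them from many sources to one port is a flood."""
    half_open = defaultdict(set)                          # (server ip, port) -> {(client ip, port)}
    for p in packets:
        if p["proto"] != "tcp":
            continue
        server, client = (p["dst"], p["dport"]), (p["src"], p["sport"])
        if p["flags"] == "S":
            half_open[server].add(client)
        elif p["flags"] == "A":
            half_open[server].discard(client)             # third step seen: handshake complete
    return [f"SYN flood on {ip}:{port}: {len(c)} half-open from {len({s for s, _ in c})} sources"
            for (ip, port), c in half_open.items() if len(c) >= max_half_open]

def detect_teardrop(packets: List[Dict]) -> List[str]:
    """Fragments of one datagram (same src, dst and IP id) must not overlap;
    a fragment that starts inside the previous one is the teardrop pattern."""
    frags = defaultdict(list)                             # (src, dst, id) -> [(offset, length)]
    for p in packets:
        if "frag" in p:
            frags[(p["src"], p["dst"], p["id"])].append(p["frag"])
    alerts = []
    for (src, dst, ident), pieces in frags.items():
        pieces.sort()
        for (off1, len1), (off2, _) in zip(pieces, pieces[1:]):
            if off2 < off1 + len1:
                alerts.append(f"overlapping fragments from {src} to {dst} (id {ident}): "
                              f"offset {off2} inside {off1}-{off1 + len1}")
                break
    return alerts

def detect_smurf(packets: List[Dict]) -> List[str]:
    """Echo requests to our directed broadcast whose source is not on our
    network make every host here reply to that source, the real victim."""
    per_victim = defaultdict(int)
    for p in packets:
        if (p["proto"] == "icmp" and p["type"] == "echo-request"
                and ipaddress.ip_address(p["dst"]) == DIRECTED_BROADCAST
                and ipaddress.ip_address(p["src"]) not in LOCAL_NET):
            per_victim[p["src"]] += 1
    return [f"Smurf amplification: {n} broadcast pings with spoofed source {v}"
            for v, n in per_victim.items()]

def build_sample_capture() -> List[Dict]:
    """Constructed traffic: 60 spoofed SYNs that never complete, two real
    clients that do, three broadcast pings aimed at 203.0.113.99, and one
    datagram whose second fragment overlaps the first."""
    pk = []
    for i in range(60):
        pk.append({"proto": "tcp", "src": f"198.51.100.{i + 1}", "sport": 40000 + i,
                   "dst": "192.0.2.10", "dport": 80, "flags": "S"})
    for i, src in enumerate(("203.0.113.5", "203.0.113.6")):
        for flags in ("S", "A"):
            pk.append({"proto": "tcp", "src": src, "sport": 50000 + i,
                       "dst": "192.0.2.10", "dport": 80, "flags": flags})
    for _ in range(3):
        pk.append({"proto": "icmp", "type": "echo-request",
                   "src": "203.0.113.99", "dst": "192.0.2.255"})
    for off in (0, 24):
        pk.append({"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10",
                   "id": 4242, "frag": (off, 48)})
    return pk

def run_all(packets: List[Dict]) -> List[str]:
    return detect_syn_flood(packets) + detect_teardrop(packets) + detect_smurf(packets)

if __name__ == "__main__":
    for alert in run_all(build_sample_capture()):
        print(alert)
```

The SYN detector only counts; a real one would also age entries out after the server's half-open timeout, otherwise a slow trickle of abandoned connections eventually looks like a flood.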
5. Viruses
Computer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can be hardly noticeable ranging all the way through disastrous.
6. Physical Infrastructure Attacks
Here, someone may simply snip a fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.
7. Mail Bombing
In Internet usage, an e-mail bomb is a form of net abuse consisting of sending huge volumes of e-mail to an address in an attempt to overflow the mailbox or overwhelm the server in a denial-of-service attack. Mailbombing is the act of sending an e-mail bomb, a term shared with the act of sending actual exploding devices through parcel post.
There are two methods of perpetrating an e-mail bomb -- mass mailing and list linking.
Mass mailing consists of sending numerous duplicate mails to the same e-mail address. These mail bombs are simple to design, but because of their extreme simplicity they are also easily caught by spam filters.
List linking, on the other hand, consists of signing a particular e-mail address up to many subscriptions. This type of bombing is effective because the victim has to unsubscribe from all the services manually. To prevent it, most services now send a confirmation e-mail to your inbox when you register for a subscription on their website, and only add you once you respond.
8. Hidden file extensions
Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes. Examples include
Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
VBS/Timofonica (TIMOFONICA.TXT.vbs)
VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)
VBS/OnTheFly (AnnaKournikova.jpg.vbs)
The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).
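The two mass-mailer tricks described on this page, forged From/Return-Path/Reply-To headers (see Email Spoofing above) and an attachment whose real extension is hidden behind a harmless-looking one, checked on a constructed message. This is an added example, not code from the original post: the addresses and names are hypothetical, the message is built inline with Python's email library, and the attachment name is the one the post cites for the LoveLetter worm.

```python
"""Added example (not from the original post): header and attachment checks
for spoofed sender fields and disguised double extensions, applied to a
constructed message. Addresses and names are hypothetical."""
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from typing import List

# Extensions Windows runs directly. With "Hide extensions for known file
# types" on, report.txt.vbs is shown to the user as report.txt.
EXECUTABLE_EXT = {"exe", "vbs", "scr", "pif", "com", "bat", "cmd", "js", "jse", "wsf", "hta"}

def domain_of(addr: str) -> str:
    """The part after '@' of the address in a header value, lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def check_headers(msg) -> List[str]:
    """Flag the three fields the post names when they disagree with each other."""
    findings = []
    frm, rp, rt = msg.get("From", ""), msg.get("Return-Path", ""), msg.get("Reply-To", "")
    if rp and domain_of(rp) != domain_of(frm):
        findings.append(f"Return-Path domain {domain_of(rp)} differs from From domain {domain_of(frm)}")
    if rt and domain_of(rt) != domain_of(frm):
        findings.append(f"Reply-To domain {domain_of(rt)} differs from From domain {domain_of(frm)}")
    name, addr = parseaddr(frm)
    if "@" in name and name.lower() != addr.lower():        # "boss@corp.example" <x@evil.example>
        findings.append(f"display name looks like a different address: {name!r} vs {addr!r}")
    return findings

def check_attachments(msg) -> List[str]:
    """Flag names like LOVE-LETTER-FOR-YOU.TXT.vbs: an executable extension
    behind a document-looking one."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXT:
            findings.append(f"attachment {name!r} is a .{pieces[-1]} disguised as .{pieces[-2]}")
    return findings

def analyse(raw: str) -> List[str]:
    """Parse a raw RFC 822 message and return all findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return check_headers(msg) + check_attachments(msg)

def build_sample_message() -> str:
    """Constructed message imitating the mass-mailer pattern in the post."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Alice <alice@example.com>"
    msg["To"] = "bob@example.net"
    msg["Return-Path"] = "<bounce@mailer.example.org>"
    msg["Reply-To"] = "alice@attacker.example"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b'MsgBox "hello"\r\n', maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    return msg.as_string()

if __name__ == "__main__":
    for finding in analyse(build_sample_message()):
        print(finding)
```

These checks catch careless forgeries only; a spoofer who sets all three headers to the same forged domain passes them, which is why sender authentication (SPF, DKIM) is the real answer on the receiving side.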

Distributed Denial of Service (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS master. From the master system the intruder identifies and communicates with other systems that can be compromised. The intruder loads attack tools, freely available on the Internet, onto multiple compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets at the target causes a denial of service.
Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down.
Firewalls and intrusion prevention systems can filter out some of this traffic, but a large volumetric flood fills the network link before it reaches them, so mitigation usually also needs filtering by the upstream provider.