Posted by & filed under CompTIA Security+, MICROSOFT MTA SECURITY.

The Types of Wireless Attacks Part 2

CompTIA Security+ Objective 1.2

WPS Attacks

Wi-Fi Protected Setup (WPS) allows users to configure a wireless network without typing in the passphrase. Instead, users can configure devices by pressing buttons or by entering a short personal identification number (PIN).
For example, a user can configure a new wireless device by pressing a button on the WAP and on the wireless device. It will automatically configure the device within about 30 seconds with no other actions needed. These buttons can be physical buttons on the devices, or virtual buttons that the user clicks via an application or web page. When using the PIN method, users first identify the eight-digit PIN on the WAP and then enter the PIN on the new wireless device.

How to prevent a WPS attack

Security experts recommend disabling WPS on all devices. However, not all devices include the capability to turn off WPS. Worse, many WAP interfaces include configuration settings that appear to turn off WPS, making users think it’s disabled when it’s still operational and vulnerable to attacks. Several testers reported that they were unable to disable WPS on the Linksys and Cisco Valet WAPs they tested. Some vendors have released firmware updates to address this, but updates are not available for all devices.

BlueJacking

Bluejacking is the practice of sending messages between mobile users using a Bluetooth wireless connection. People using Bluetooth-enabled mobile phones and PDAs can send messages, including pictures, to any other user within a 10-meter or so range. Because such communications don’t involve the carrier, they are free of charge, which may contribute to their appeal.

How to prevent a BlueJacking Attack?

Setting the Bluetooth on the Right Mode

If you use the Bluetooth connection often, switching it off and on each time can be a chore. Instead, set Bluetooth to non-discoverable mode, which hides the device from attackers and unknown people.

Factory Reset of the Phone

If your device was compromised at some point, the attacker’s device has already been added as a trusted device on your phone. Reset the phone to remove all devices from the trusted list.

Keep Away from Strangers

Make it a point to decline any messages or connection requests from unknown devices. Most attacks happen because a connection request from a stranger was accepted, which adds the stranger’s device as a trusted device.

Keep the Device Updated and Passwords Strong

Maintain strong passwords and change them at regular intervals. Keep your devices up to date with the latest software.

Switching Bluetooth Off When Not in Use

If you don’t use the Bluetooth connection frequently, keep it off so that your device does not appear in an attacker’s device search list. This keeps the device safe from anyone trying to gain access to other people’s phones over Bluetooth.

Set a Password for Bluetooth

It is simple to secure your device by setting a PIN or password for your Bluetooth connection. Anyone trying to pair with your device will then be prompted for it. Keep this password secure by sharing it only with trusted people.

Bluesnarfing

Bluesnarfing is the theft of information from a wireless device through a Bluetooth connection. Bluetooth is a high-speed but very short-range wireless technology for exchanging data between desktop and mobile computers, personal digital assistants (PDAs), and other devices. By exploiting a vulnerability in the way Bluetooth is implemented on a mobile phone, an attacker can access information — such as the user’s calendar, contact list and e-mail and text messages — without leaving any evidence of the attack. Other devices that use Bluetooth, such as laptop computers, may also be vulnerable, although to a lesser extent, by virtue of their more complex systems. Operating in invisible mode protects some devices, but others are vulnerable as long as Bluetooth is enabled.

How to Prevent Bluesnarfing

The precautions are the same as those listed above for bluejacking: set Bluetooth to non-discoverable mode, factory-reset a phone that has been compromised, decline messages and connection requests from unknown devices, keep the device updated and its passwords strong, switch Bluetooth off when it is not in use, and set a password for Bluetooth pairing.

RFID Attacks

7 Types of Security Attacks on RFID Systems

1. Reverse Engineering

Like most products, RFID tags and readers can be reverse engineered; however, it takes a lot of knowledge about the protocols and features to be successful. Hackers take apart the chip in order to find out how it works and to extract the data from the IC.

2. Power Analysis

This attack requires nothing more than the brain of a hacker and a cell phone. According to leading experts, power analysis attacks can be mounted on RFID systems by monitoring the power consumption levels of RFID tags. Researchers stumbled upon this technique when studying the power emission levels in smart cards, especially the difference in power levels between a correct passcode and an incorrect passcode.

Purpose: Steal Information and/or Gain Access

 

3. Eavesdropping & Replay

Eavesdropping, as the name suggests, occurs when an unauthorized RFID reader listens to the conversation between a tag and a reader and obtains important data. The hacker still needs to know the specific protocols and tag and reader information for this technique to work.

Replay attacks build on eavesdropping and specifically occur when one part of the communication in an RFID system is recorded and then ‘replayed’ at a later time to the receiving device in order to steal information or gain access.

 

4. Man-in-the-Middle Attack or Sniffing


A man-in-the-middle attack happens during the transmission of a signal. Like eavesdropping, the hacker listens for communication between a tag and reader and then intercepts and manipulates the information. The hacker diverts the original signal and then sends false data while pretending to be a normal component in the RFID system.


5. Denial of Service


A Denial of Service attack is the broad concept of an RFID system failure that is associated with an attack. These attacks are usually physical attacks like jamming the system with noise interference, blocking radio signals, or even removing or disabling RFID tags.

 

6. Cloning & Spoofing


Technically two specific events, cloning and spoofing are usually done back to back. Cloning is duplicating data from a pre-existing tag, and spoofing is then using the cloned tag to gain access to a secured area or item. Because the hacker has to know the data on the tag to clone it, this type of attack is mainly seen in access or asset management operations.


7. Viruses

According to some sources, RFID tags currently do not have enough memory capacity to store a virus, but in the future viruses could be a serious threat to an RFID system. A virus programmed onto an RFID tag by an unknown source could cripple an RFID system when the tagged item is read at a facility. When read, the virus would transfer from tag to reader and then to a company’s network and software, bringing down connected computers, RFID components, and networks.

NFC attacks

Near Field Communication (NFC) is a set of standards that lets mobile devices establish radio communication with each other when they are touched together or brought within a short distance. The NFC standard regulates a radio technology that allows two devices to communicate when they are in close proximity, usually no more than a few centimeters, allowing the secure exchange of information.


New users of near field communication, especially for payment purposes such as storing credit card information, are understandably concerned at first about the security and safety of their private information. Possible security attacks include eavesdropping, data corruption or modification, interception attacks, and physical thefts.

How to prevent NFC Attacks

1) Monitor NFC updates and patch your device promptly

The NFC vulnerabilities used to compromise devices in the Pwn2Own competition have been fixed, but manufacturers are typically slow to release patches for vulnerabilities in smartphones. They’re getting better, however, leaving consumers as the primary hurdle for locking down phones.

2) If you’re not using NFC, turn it off

NFC is new, and many consumers have yet to adopt the technology. Unless you’ve started using Google Wallet or Apple Pay, turn NFC off.

Aside from saving some power, turning off unused networking features is a good rule of thumb to limit exposure to attackers.

Deauthentication/Disassociation attack

A deauthentication/disassociation attack is a form of denial-of-service attack. Attackers may also use it to recover hidden ESSIDs or to capture WPA/WPA2 handshakes by forcing victims to re-authenticate. This attack works only if at least one client is connected to the access point.

Posted by & filed under CompTIA Security+, MICROSOFT MTA SECURITY.

The Types of Wireless Attacks Part 1

CompTIA Security+ Objective 1.2

Replay Attacks

A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.

How to prevent a replay attack

Preventing such an attack is all about having the right method of encryption. Encrypted messages carry “keys” within them, and when they’re decoded at the end of the transmission, they open the message. In a replay attack, it doesn’t matter whether the attacker who intercepted the original message can read or decipher the key. All he or she has to do is capture and resend the entire thing, message and key, together.

To counter this possibility, both sender and receiver should establish a completely random session key, a type of code that is valid for only one transaction and can’t be used again.

Another preventive measure for this type of attack is using timestamps on all messages. This prevents attackers from resending messages older than a certain age, thus reducing the window of opportunity for an attacker to eavesdrop, siphon off the message, and resend it.

Another method to avoid becoming a victim is to have a password for each transaction that is used once and then discarded. That ensures that even if the message is recorded and resent by an attacker, the encryption code has expired and no longer works.
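The three countermeasures above (a one-time session value, a timestamp, and a per-transaction secret that is discarded after use) combine naturally into one message format. The following Python script is an added example, not code from the original post: the sender attaches a timestamp and a random nonce to each message and authenticates the whole envelope with an HMAC under a shared key (the key, the freshness window and the payloads are constructed for the demo); the receiver rejects any message whose MAC fails, whose timestamp falls outside the window, or whose nonce it has already accepted, so a captured message replayed verbatim is refused.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed shared secret for this example; a real deployment derives it
# from a key exchange rather than hard-coding it.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 30.0  # freshness window: anything older is rejected


def build_message(key: bytes, payload: dict, now: Optional[float] = None) -> dict:
    """Sender side: wrap the payload with a timestamp and a random one-time
    nonce, then MAC the whole envelope so neither can be changed unnoticed."""
    envelope = {
        "payload": payload,
        "ts": now if now is not None else time.time(),
        "nonce": secrets.token_hex(16),  # fresh for every message, never reused
    }
    body = json.dumps(envelope, sort_keys=True).encode()
    envelope["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return envelope


class Receiver:
    """Receiver side: verify the MAC, enforce freshness, and remember nonces
    so that an exact copy of an accepted message is refused."""

    def __init__(self, key: bytes, max_age: float = MAX_AGE_SECONDS) -> None:
        self.key = key
        self.max_age = max_age
        self.seen_nonces: Set[str] = set()

    def accept(self, message: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        unsigned = {k: v for k, v in message.items() if k != "mac"}
        body = json.dumps(unsigned, sort_keys=True).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Check the MAC first: unauthenticated input must not be able to probe
        # the nonce cache or the clock window.
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return False, "bad mac"
        if abs(now - float(message["ts"])) > self.max_age:
            return False, "stale timestamp"
        if message["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(message["nonce"])
        return True, "ok"


def demo() -> list:
    """Walk through the four outcomes: fresh, replayed, stale, tampered."""
    rx = Receiver(SHARED_KEY)
    order = build_message(SHARED_KEY, {"action": "order", "item": "widget", "qty": 1}, now=1000.0)
    results = [rx.accept(order, now=1001.0)[1]]          # first delivery: ok
    results.append(rx.accept(order, now=1002.0)[1])      # same bytes again: replayed nonce
    late = build_message(SHARED_KEY, {"action": "order"}, now=1000.0)
    results.append(rx.accept(late, now=1100.0)[1])       # 100 s old: stale timestamp
    tampered = dict(order, payload={"action": "order", "item": "widget", "qty": 100})
    results.append(rx.accept(tampered, now=1001.0)[1])   # payload changed: bad mac
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints `['ok', 'replayed nonce', 'stale timestamp', 'bad mac']`. The timestamp window is what keeps the nonce cache bounded in a real receiver: nonces older than MAX_AGE_SECONDS can be forgotten because the freshness check would reject them anyway.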

Initialization vector (IV) Attack

An initialization vector (IV) attack is an attack on wireless networks. It modifies the IV of an encrypted wireless packet during transmission. IVs are blocks of bits that are used to differentiate users on the wireless network. IVs eliminate the need for users to constantly reauthenticate with an access point and are therefore sent frequently. Eventually, an authenticated user will reuse an IV because the number of bits used is limited; the frequency of repetition depends on how much data is sent across the connection.

If enough IVs are captured, it is possible to decipher the encryption key using a program such as aircrack-ng. Once an attacker learns the plaintext of one packet, the attacker can compute the RC4 key stream generated by the IV used. This key stream can then be used to decrypt all other packets that use the same IVs. Since there is only a small set of possible initialization vectors, attackers can eventually build a decryption table to decrypt every packet sent over that wireless connection.
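The reasoning in the paragraphs above, one known plaintext revealing the keystream for an IV and every other packet under that IV then falling with it, can be demonstrated with any stream cipher. The Python below is an added example, not from the original post, and uses a constructed hash-based keystream in place of RC4 (the key, IV and packet contents are made up for the demo); it recovers a second packet from a known first one when the IV repeats, and includes a defender-side monitor that flags the IV reuse as it happens.

```python
import hashlib
from typing import Set


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed toy keystream: SHA-256(key || iv || counter) blocks.
    It stands in for RC4 in this example; the IV-reuse problem shown below
    holds for any stream cipher because the stream depends only on key and IV."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream(key, iv)."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """The step the text describes: one known plaintext/ciphertext pair gives
    back the keystream that this IV produced."""
    return xor_bytes(known_plaintext, ciphertext)


class IvReuseMonitor:
    """Defender-side check: flag an IV that is seen a second time under the
    same key. With a small IV space (24 bits for WEP) this is inevitable."""

    def __init__(self) -> None:
        self.seen: Set[bytes] = set()

    def observe(self, iv: bytes) -> bool:
        """Returns True when the IV has already been used."""
        reused = iv in self.seen
        self.seen.add(iv)
        return reused


def demo() -> dict:
    key = b"constructed-demo-key"
    iv = b"\x01\x02\x03"                 # constructed 3-byte IV, reused on purpose
    p1 = b"GET /index.html "             # packet whose plaintext is predictable
    p2 = b"secret=hunter2!!"             # packet we would like to keep private
    c1 = encrypt(key, iv, p1)
    c2 = encrypt(key, iv, p2)            # same key, same IV: same keystream
    ks = recover_keystream(p1, c1)       # known plaintext reveals the keystream
    recovered_p2 = xor_bytes(c2, ks)     # which decrypts every other packet under that IV
    monitor = IvReuseMonitor()
    alerts = [monitor.observe(iv), monitor.observe(iv)]
    return {
        "recovered_p2": recovered_p2,
        # XOR of two ciphertexts equals XOR of the plaintexts when the keystream repeats
        "ciphertext_xor_leaks_plaintext_xor": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        "iv_reuse_alerts": alerts,
    }


if __name__ == "__main__":
    print(demo())
```

The key itself is never needed: with the same key and IV the keystream is identical, so c1 XOR c2 equals p1 XOR p2. The mitigation is an IV that never repeats under a given key, which WEP's 24-bit IV cannot guarantee on a busy network.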

Evil Twin

An evil twin, in security, is a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so that an attacker can gather personal or corporate information without the end-user’s knowledge.


An attacker can easily create an evil twin with a smartphone or other Internet-capable device and some easily-available software. The attacker positions himself in the vicinity of a legitimate hot spot and lets his device discover what service set identifier (name) and radio frequency the legitimate access point uses. He then sends out his own radio signal, using the same name as the legitimate access point.

To the end-user, the evil twin looks like a hot spot with a very strong signal; that’s because the attacker has not only used the same network name and settings as the “good twin” he is impersonating, he has also physically positioned himself near the end-user so that his signal is likely to be the strongest within range. If the end-user is tempted by the strong signal and connects manually to the evil twin to access the Internet, or if the end-user’s computer automatically chooses that connection because it is running in promiscuous mode, the evil twin becomes the end-user’s Internet access point, giving the attacker the ability to intercept sensitive data such as passwords or credit card information.

Evil twins are not a new phenomenon in wireless transmission. Historically they have been called base station clones or honeypots. What’s different now is that more businesses and consumers are using wireless devices in public places and it’s easier than ever for someone who doesn’t have any technical expertise to create an evil twin.

How to Prevent an Evil Twin

To avoid evil twin network connections, end users should only use public hot spots for Web browsing and refrain from online shopping or banking. To protect individual or corporate data, individuals who use wireless devices should always connect to the Internet through a VPN.

Rogue Access Point

One of the most common wireless security threats is the rogue access point; it is used in many attacks, both DoS and data theft. Many other rogue access points, however, are deployed by employees wanting unfettered wireless access; these access points are called soft access points. Other rogues are located in neighboring companies using your network for free access.

Typically low-cost and consumer-grade, these access points often do not broadcast their presence over the wire and can only be detected over the air. Because they are typically installed in their default mode, authentication and encryption are not enabled, thereby creating a security hazard. Because wireless LAN signals can traverse building walls, an open access point connected to the corporate network is the perfect target for war driving. Any client that connects to a rogue access point must be considered a rogue client because it is bypassing the authorized security procedures put in place by the IT department.

How to Prevent an Attack from Rogue Access Points

Establish strict rules and make sure they are well published.

Only authorized IT staff can connect networking equipment. All devices that connect to the network, including wireless access points, must conform to company security policies.

Note: Some colleges even expel students who are caught with rogue access points or ad-hoc networks.

Change the rogue classification rules.

By default, unknown devices are classified as suspects. When you change this default to rogue, the controller automatically classifies any third-party access point or client as a rogue, and you can optionally isolate the access point by dropping all packets to and from the device.

Eliminate benign access points from the rogue list so that real rogues stand out.

When you add safe networks’ SSIDs and/or vendor names to the list of SSIDs allowed on the network, these access points cannot be classified as rogues.

Use strong security

The IEEE 802.11i security standard uses IEEE 802.1X for mutual authentication between the network and the client. This means that clients that try to access network resources must be authenticated by the network. In a similar vein, the client verifies the authenticity of the network infrastructure it is attaching to before beginning data transmission. With 802.1X, the credentials used for authentication, such as login passwords, are never transmitted without encryption over the wireless medium. In addition, 802.1X provides dynamic per-user, per-session encryption keys, removing the administrative burden and security issues associated with static encryption keys. Security is configured in WLAN profiles.

Use active access point scanning in addition to passive scanning.

Active scans send probes with a null SSID name to look for rogue access points and clients. Active scanning is enabled by default in radio profiles. We recommend that you do not change this setting.

Immediately investigate wireless bridge frames and eliminate the source.

An attacker often sets up a laptop with two wireless adapters: one card is used by the rogue access point and the other is used to forward requests through a wireless bridge to the legitimate access point.

Enable automatic countermeasures to immediately react to rogues or suspect rogues.

Countermeasures can attack or isolate rogue and/or suspect transmitters using various methods.
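The classification rules in the list above (authorized, suspect-by-default or rogue, benign neighbors removed by SSID or vendor name, and the rogue-client rule) map directly onto a small classifier. The Python below is an added example and not the configuration of any particular WLAN controller; all MAC addresses, SSIDs and vendor OUIs are constructed. It also covers the evil twin case described earlier on the page: an access point serving the corporate SSID from a BSSID that is not in the authorized list.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ApObservation:
    """One access point seen by an over-the-air scan (constructed records)."""
    ssid: str
    bssid: str
    channel: int
    encryption: str  # "open", "wpa2", ...


# Constructed inventory; every MAC, SSID and OUI below is hypothetical.
AUTHORIZED_APS: Dict[str, str] = {          # bssid -> the SSID it is allowed to serve
    "aa:bb:cc:00:00:01": "CorpNet",
    "aa:bb:cc:00:00:02": "CorpNet",
}
ALLOWED_NEIGHBOR_SSIDS: Set[str] = {"CoffeeShopGuest"}
ALLOWED_VENDOR_OUIS: Set[str] = {"11:22:33"}  # neighbor's known AP vendor prefix


def oui(mac: str) -> str:
    """First three octets of a MAC identify the hardware vendor."""
    return mac.lower()[:8]


def classify_ap(ap: ApObservation, unknown_default: str = "suspect") -> str:
    """Apply the classification rules in order. `unknown_default` is the
    controller setting the text describes: 'suspect' by default, 'rogue' when
    the administrator tightens the rule."""
    if ap.bssid.lower() in AUTHORIZED_APS:
        return "authorized"
    # Our own SSID from a BSSID we do not own is the evil-twin signature;
    # an open network using the corporate name is the clearest form of it.
    if ap.ssid in AUTHORIZED_APS.values():
        return "evil-twin" if ap.encryption == "open" else "evil-twin-suspect"
    # Benign neighbors are removed from the list so that real rogues stand out.
    if ap.ssid in ALLOWED_NEIGHBOR_SSIDS or oui(ap.bssid) in ALLOWED_VENDOR_OUIS:
        return "benign"
    return unknown_default


def classify_scan(scan: Iterable[ApObservation], unknown_default: str = "suspect") -> Dict[str, str]:
    return {ap.bssid: classify_ap(ap, unknown_default) for ap in scan}


def rogue_clients(associations: Iterable[Tuple[str, str]]) -> List[str]:
    """Any client associated with a BSSID we do not own is a rogue client,
    because it bypasses the authorized security controls."""
    return sorted(client for client, bssid in associations if bssid.lower() not in AUTHORIZED_APS)


# Constructed scan results and association table for the demo.
SAMPLE_SCAN = [
    ApObservation("CorpNet", "aa:bb:cc:00:00:01", 6, "wpa2"),
    ApObservation("CorpNet", "de:ad:be:ef:00:01", 6, "open"),       # evil twin
    ApObservation("CoffeeShopGuest", "11:22:33:44:55:66", 1, "open"),
    ApObservation("linksys", "00:aa:bb:cc:dd:ee", 11, "open"),       # unknown consumer AP
]
SAMPLE_ASSOCIATIONS = [
    ("c0:ff:ee:00:00:01", "aa:bb:cc:00:00:01"),
    ("c0:ff:ee:00:00:02", "00:aa:bb:cc:dd:ee"),
]

if __name__ == "__main__":
    for bssid, verdict in classify_scan(SAMPLE_SCAN, unknown_default="rogue").items():
        print(bssid, verdict)
    print("rogue clients:", rogue_clients(SAMPLE_ASSOCIATIONS))
```

The order of the rules matters: the authorized check runs first so a legitimate AP is never mistaken for a twin, and the benign allow-list is consulted only after the corporate-SSID check, so a neighbor cannot be allow-listed into impersonating the corporate network.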

 

Jamming

There’s nothing really good that comes from wireless jamming. This is jamming the radio frequencies of a communication, most commonly for a wireless network. At its most basic level, this is a denial of service: you are trying to use a network that is no longer available, so you don’t have access to any of its services. The goal of radio frequency jamming is to decrease the signal-to-noise ratio at the receiving device.

Because there is so much jamming signal, the device isn’t able to discern the good signal, and therefore you aren’t able to communicate at all over the network.

Networks can also be jammed by flooding the AP with deauthentication frames in what is known as a deauth attack. By assuming the identity (MAC address) of a station on the network, the attacker causes the AP to deauthenticate the real station. The real station will then attempt to reauthenticate, but it will never succeed due to the barrage of deauth frames, and its network access will be effectively blocked.

How to minimize the impact of Jamming?

To minimize the impact of an unintentional disruption, it is important to identify its presence. Jamming makes itself known at the physical layer of the network, more commonly known as the MAC (Media Access Control) layer. The increased noise floor results in a degraded signal-to-noise ratio, which will be indicated at the client. It may also be measurable from the access point, where network management features should be able to report noise floor levels that exceed a predetermined threshold. From there, the access points must be dynamically reconfigured to a different transmit channel in reaction to the disruption identified by changes at the physical layer.
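Both indicators named in this section, a barrage of deauthentication frames and a noise floor above a threshold at the access point, can be checked from captured data. The Python below is an added example, not from the original post; the frame records, noise readings and thresholds are constructed. It flags a source that exceeds a deauth rate within a sliding window, lists channels whose average noise floor is above the threshold, and picks the quietest alternative channel, which is the reconfiguration step the text calls for. The same deauth check applies to the deauthentication/disassociation attack described in Part 2 above.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed thresholds; tune them to the traffic of the network being watched.
DEAUTH_THRESHOLD = 20          # deauth/disassoc frames per source per window
WINDOW_SECONDS = 10.0
NOISE_FLOOR_THRESHOLD_DBM = -85.0

Frame = Tuple[float, str, str, str]   # (timestamp, subtype, src_mac, dst_mac)


def detect_deauth_flood(frames: Iterable[Frame], window: float = WINDOW_SECONDS,
                        threshold: int = DEAUTH_THRESHOLD) -> Set[str]:
    """Return source MACs that sent more than `threshold` deauthentication or
    disassociation frames inside any sliding window of `window` seconds.
    The MAC reported is the identity being spoofed (the station or AP whose
    address appears in the frames): it tells you which client is being knocked
    off, not which radio is transmitting the frames."""
    flagged: Set[str] = set()
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    for ts, subtype, src, _dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:     # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def noisy_channels(noise_samples: Dict[int, List[float]],
                   threshold: float = NOISE_FLOOR_THRESHOLD_DBM) -> List[int]:
    """Channels whose average noise floor (dBm) is above the threshold, which is
    the AP-side indicator of jamming the text describes."""
    return sorted(ch for ch, readings in noise_samples.items()
                  if sum(readings) / len(readings) > threshold)


def choose_channel(noise_samples: Dict[int, List[float]], current: int) -> int:
    """Pick the quietest channel other than the current one for reconfiguration."""
    averages = {ch: sum(r) / len(r) for ch, r in noise_samples.items() if ch != current}
    return min(averages, key=averages.get)


# Constructed capture: one station's MAC appears in 30 deauth frames within 3 s,
# alongside a data frame and a single ordinary deauth from the AP.
SAMPLE_FRAMES: List[Frame] = [
    (0.5, "data", "aa:bb:cc:00:00:01", "c0:ff:ee:00:00:01"),
    (1.0, "deauth", "aa:bb:cc:00:00:01", "c0:ff:ee:00:00:09"),
] + [(i * 0.1, "deauth", "c0:ff:ee:00:00:01", "aa:bb:cc:00:00:01") for i in range(30)]

# Constructed noise-floor readings in dBm per channel.
SAMPLE_NOISE: Dict[int, List[float]] = {
    1: [-95.0, -94.0, -96.0],
    6: [-70.0, -72.0, -68.0],    # raised floor: something is transmitting over us
    11: [-92.0, -93.0, -91.0],
}

if __name__ == "__main__":
    print("deauth flood against:", detect_deauth_flood(SAMPLE_FRAMES))
    print("noisy channels:", noisy_channels(SAMPLE_NOISE))
    print("move from channel 6 to:", choose_channel(SAMPLE_NOISE, 6))
```

A single deauth from the access point is normal housekeeping and stays under the threshold; it is the rate, not the presence, of deauth frames that marks the flood. Channel hopping only helps against narrowband noise, which is why the noise check is done per channel.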

Posted by & filed under CompTIA Security+, MICROSOFT MTA SECURITY.

CompTIA and Immersive Labs are challenging cybersecurity professionals in the United States and United Kingdom to test their penetration testing skills this month.

The two organizations launched the pen test challenge on the opening day of RSA® Conference 2019.

“Penetration testing, if done right, is a proven and valuable activity that all organizations should engage in,” said Dr. James Stanger, chief technology evangelist at CompTIA. “Unfortunately pen tests are too often done by rote simply to check a box on a compliance form.

“The true value of a pen test occurs when the testers have adequate skills, and when additional security teams use the pen test results to improve procedures and security controls,” Stanger continued. “Our challenge is designed to provide cybersecurity pros with a chance to hone their pen testing skills and have some fun at the same time.”

“It’s great to partner with such a respected training and global certification provider,” said James Hadley, CEO of Immersive Labs. “We want our gamified and intelligence powered labs to inspire the continuous development of cyber security professionals.”

The CompTIA / Immersive Labs Pen Test Challenge is open to anyone over the age of 18 residing in the U.S. or UK. Visit here to enter the competition and receive a verification email with instructions on how to log in to the Immersive Labs platform to begin the challenge.

Once registered, all participants are automatically entered into a prize drawing. Two winners will be selected by random draw performed by a computer process after the close of the competition on Friday, March 24.

Winners will have their choice of:

The CompTIA PenTest+ Bundle, including CertMaster Learn, a comprehensive, self-paced eLearning program for exam preparation that uses videos, assessments and performance-based questions; CertMaster Practice, an adaptive knowledge assessment that determines what you’ve already mastered and what you still need to learn to improve confidence and increase retention before taking an exam; and an exam voucher,

or a CompTIA Certification Exam Voucher for the certification of their choice.

Winners will be notified by email. Prizes are non-exchangeable, non-transferable and no cash alternative is offered.

To join the challenge click here.

Be an Ethical Hacker! Check out our CompTIA Security+ certification program. Click here

References: CompTIA press releases

Posted by & filed under CompTIA Security+, MICROSOFT MTA SECURITY.

The nature of cyberattacks is constantly in flux, always evolving to keep pace with the times. Hacking of websites and theft of credit card information and other personal information have become almost daily occurrences, along with illegal remittances via Internet banking. Recent years have witnessed the accelerating dissemination of new technologies such as IoT and the expanding utilization of information communication technology. Massive DDoS attacks have been launched using vulnerable IoT devices as springboards, while large-scale power outages have occurred due to attacks on critical infrastructure. As whole factories are also connected to networks, there is an increased risk that factories and other manufacturing centers, as well as infrastructure, will become targets of cyber attacks. This makes security measures more important than ever before, and the best way to protect yourself and your company is to know about these different types of cyber attacks. Then you can use that information to take steps to make sure that your networks and devices are secure against attacks. Below are some common attack types.

 

 

Man in the middle attack

What is a man in the middle attack?

A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of a MITM is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones (Wikipedia, n.d.).

How does a man-in-the-middle attack work?

How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.

In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) He also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you’re handing over your credentials to the attacker.

 

 

 

Injection Attacks

 

 

What is an Injection Attack?

Injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or “inject”) code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example by allowing computer worms to propagate.

Code injection vulnerabilities (injection flaws) occur when an application sends untrusted data to an interpreter. Injection flaws are most often found in SQL, LDAP, XPath, or NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments; etc. Injection flaws tend to be easier to discover when examining source code than via testing (Wikipedia, n.d.).

The most common injection attack

Structured Query Language (SQL) injection is a code injection technique used to modify or retrieve data from SQL databases. By inserting specialized SQL statements into an entry field, an attacker is able to execute commands that allow for the retrieval of data from the database, the destruction of sensitive data, or other manipulative behaviors. With the proper SQL command execution, the unauthorized user is able to spoof the identity of a more privileged user, make themselves or others database administrators, tamper with existing data, modify transactions and balances, and retrieve and/or destroy all server data.

In modern computing, SQL injection typically occurs over the Internet by sending malicious SQL queries to an API endpoint provided by a website or service (more on this later). In its most severe form, SQL injection can allow an attacker to gain root access to a machine, giving them complete control.
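The “entry field” technique described above comes down to whether user input is parsed as part of the SQL statement or bound as a value. The Python script below is an added example, not code from the original post; it builds a constructed in-memory SQLite table and runs the same lookup two ways, the vulnerable string-concatenated form beside the parameterized form, with the classic tautology input to show the difference.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts. Real systems store a salted
    password hash and verify it in code; here the column just makes the query realistic."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "user"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    """Vulnerable form: user input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    """Hardened form: placeholders keep data and code apart. The driver binds
    the values after parsing, so they can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def demo() -> Dict[str, List[Tuple[str, str]]]:
    conn = make_db()
    # The classic tautology input: in the vulnerable query it turns the WHERE
    # clause into a condition that is true for every row.
    crafted = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, crafted, crafted),        # every account
        "parameterized": lookup_parameterized(conn, crafted, crafted),  # no match
        "legitimate": lookup_parameterized(conn, "bob", "hash-of-bob-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

In the parameterized form the same crafted string is compared literally against the username column and matches nothing; the fix is structural, not a matter of filtering quote characters.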

 

 

Privilege escalation

What is privilege escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions (wikipedia.org, n.d.).

Example of a privilege escalation attack

Common examples of vertical privilege escalation attacks are lock screen bypasses on many of today’s popular smartphones. Android and iOS have both been affected by such vulnerabilities, which allow an unauthorized user to gain access to someone else’s contacts and apps just by performing a simple hack. Jailbreaking or rooting, that is, bypassing the manufacturer’s programming restrictions to take full control of a smartphone or other device, is also an example of a privilege escalation attack.

 

 

 

 

ARP poisoning

What is ARP poisoning?

ARP poisoning or ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol (veracode, n.d.).
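Because the attack consists of ARP replies that rebind an IP address to a new MAC, the defender’s check is to watch those bindings. The Python below is an added example, not from the original post; all addresses are constructed. It keeps a table of learned IP-to-MAC pairs, alerts when a binding changes or contradicts a static entry for the gateway, and reports any MAC answering for more than one IP, which is what a poisoned gateway-plus-victim pair looks like on the wire.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

ArpReply = Tuple[str, str]   # (sender_ip, sender_mac) as carried in an ARP reply


class ArpMonitor:
    """Track IP-to-MAC bindings learned from ARP replies on one LAN segment and
    raise an alert when a binding changes or a static binding is contradicted."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None) -> None:
        # Bindings that must never change (gateway, servers); constructed for the demo.
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.learned: Dict[str, str] = {}
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Record one reply; return an alert string or None if nothing changed."""
        ip, mac = reply[0], reply[1].lower()
        self.ips_by_mac[mac].add(ip)
        if ip in self.static and self.static[ip] != mac:
            return f"ALERT static binding {ip} is {self.static[ip]}, reply claims {mac}"
        previous = self.learned.get(ip)
        if previous is not None and previous != mac:
            self.learned[ip] = mac
            return f"ALERT {ip} moved from {previous} to {mac}"
        self.learned.setdefault(ip, mac)
        return None

    def macs_claiming_multiple_ips(self) -> List[str]:
        """One MAC answering for several IPs (typically gateway plus victim) is
        the classic poisoning footprint."""
        return sorted(mac for mac, ips in self.ips_by_mac.items() if len(ips) > 1)


def run_monitor(replies: Iterable[ArpReply], static: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Feed a capture through the monitor; return (alerts, suspicious MACs)."""
    mon = ArpMonitor(static)
    alerts = [a for a in (mon.observe(r) for r in replies) if a]
    return alerts, mon.macs_claiming_multiple_ips()


# Constructed traffic: a normal learning phase followed by replies that rebind
# both the gateway and a host to one unfamiliar MAC.
STATIC = {"192.168.1.1": "00:11:22:33:44:01"}
SAMPLE_REPLIES: List[ArpReply] = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:0a"),
    ("192.168.1.1", "66:66:66:66:66:66"),
    ("192.168.1.10", "66:66:66:66:66:66"),
]

if __name__ == "__main__":
    alerts, suspects = run_monitor(SAMPLE_REPLIES, STATIC)
    print("\n".join(alerts))
    print("MACs answering for several IPs:", suspects)
```

The static table is the strongest signal, since a gateway’s MAC legitimately changes only when hardware is replaced; the learned table catches the rest at the cost of occasional false positives from DHCP churn, which is why both views are reported separately.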

 

 

 

Amplification

What is an Amplification Attack?

An amplification attack is any attack where an attacker is able to use an amplification factor to multiply its power. Amplification attacks are “asymmetric”, meaning that a relatively small number or low level of resources is required by an attacker to cause a significantly greater number or higher level of target resources to malfunction or fail. Examples of amplification attacks include Smurf attacks (ICMP amplification), Fraggle attacks (UDP amplification), and DNS amplification (radware.com, n.d.).

DNS amplification attack

This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.

What is the biggest DDoS attack ever recorded?

In March 2018, the developer platform GitHub was hit by the most powerful distributed denial of service attack recorded to date, with about 1.35 terabits per second of traffic going into the GitHub servers. Unlike the botnet attacks used in other large DDoS efforts, such as those against Dyn and the French telecom OVH, memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim and send small queries to multiple memcached servers, about 10 per second per server, that are designed to elicit a much larger response. In what is known as an amplification attack, the memcached systems then return 50 times the data of the requests back to the victim.

 

 

 

Man In the Browser

What is a Man in the Browser Attack (MITB)?

The man-in-the-browser (MITB) attack utilizes a Trojan horse on a pre-infected device/system to infect the Internet browser and sniff, capture and modify information as it travels between the user interface of the infected browser and the Internet (wikipedia.org, n.d.).

MITB malware is a Trojan that infects endpoints through malicious email attachments, links, or even when a user visits an infected website. Cyber criminals target victims through social engineering, phishing and targeted spear-phishing attacks, to attempt infection.

What does MITB do?

Man-in-the-Browser (MITB) malware can view and steal information as a user types into the browser. It can also directly modify the elements in the user’s browser and inject content such as new fields without the user knowing about it. This in effect changes the functionality of the webpage. As an example, the MITB malware can inject a field for entry of date of birth, social security number or passport number into the login form. Because the original URL and SSL protections are retained, the victim will not suspect the webpage.

The MITB malware can also fool the web server by injecting its own JavaScript using the stolen credentials. If the webpage belongs to a banking institution, it could be fooled into allowing the malware to perform online financial transfers or payments. The bank would think that the legitimate user had initiated the transaction. Some MITB malware is so advanced that even when the user logs in the next time, the fund transfer or debit of money is not displayed.

 

 

Zero day

What is a zero day?

A zero day exploit is a cyber attack that occurs on the same day a weakness is discovered in software. At that point, the flaw is exploited before a fix becomes available from its creator.

Normally, when a user discovers a security risk in a program, they report it to the software company, which then develops a security patch to fix the flaw. The same user may also take to the Internet and warn others about the flaw. Usually the program’s creators are quick to create a fix that improves the program’s protection; sometimes, however, hackers hear about the flaw first and are quick to exploit it. When this happens there is little protection against an attack, because the software flaw is so new (kaspersky, n.d.).

Recent Zero-Day Exploits

In March 2019, Google revealed that it had shipped a fix for the Chrome browser for a zero-day that was under active attack.

Google described the security flaw as a memory management error in Google Chrome’s FileReader, a web API included in all major browsers that lets web apps read the contents of files stored on the user’s computer.

More specifically, the bug is a use-after-free vulnerability, a type of memory error that happens when an app tries to access memory after it has been freed from Chrome’s allocated memory. Incorrect handling of this type of memory access can lead to the execution of malicious code.

According to Chaouki Bekrar, CEO of exploit vendor Zerodium, the CVE-2019-5786 vulnerability allegedly allows malicious code to escape Chrome’s security sandbox and run commands on the underlying OS (Cimpanu, 2019).

Zero-day attacks are cyber attacks against software flaws that are unknown and have no patch or fix.

It’s extremely difficult to detect zero-day attacks, especially with traditional cyber defenses. Traditional security measures focus on malware signatures and URL reputation, but with zero-day attacks this information is, by definition, unknown. Cyber attackers are extraordinarily skilled, and their malware can go undetected on systems for months, or even years, giving them plenty of time to cause irreparable harm.

References

Cimpanu, C. (2019, March 6). Google reveals Chrome zero-day under active attacks. Retrieved from zdnet.com: https://www.zdnet.com/article/google-reveals-chrome-zero-day-under-active-attacks/

kaspersky. (n.d.). What is Zero Day Exploit? Retrieved from usa.kaspersky.com: https://usa.kaspersky.com/resource-center/definitions/zero-day-exploit

radware.com. (n.d.). Amplification Attack. Retrieved from security.radware.com: https://security.radware.com/ddos-knowledge-center/ddospedia/amplification-attack/

veracode. (n.d.). ARP Spoofing. Retrieved from www.veracode.com: https://www.veracode.com/security/arp-spoofing

Wikipedia. (n.d.). Man-in-the-middle attack. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Wikipedia. (n.d.). Code injection. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Code_injection

wikipedia.org. (n.d.). Man-in-the-browser. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Man-in-the-browser

wikipedia.org. (n.d.). Privilege escalation. Retrieved from wikipedia.org: https://en.wikipedia.org/wiki/Privilege_escalation

Posted by & filed under CompTIA Security+, MICROSOFT MTA SECURITY.

CompTIA Sec+ | Microsoft MTA Security: Most Common Application/Service Attacks Part 1

“Richard Clarke, a former counter-terrorism expert for the United Government, once said, ‘If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.’ While the latter is a tad harsh (we wouldn’t wish a cyber attack on anyone!), the former is certainly true.”

If you don’t protect yourself and your business from cybercrime, it’s only a matter of time before you become the victim of an attack. According to Statista, in 2018 the number of data breaches in the United States amounted to 1,244, with over 446.5 million records exposed (statista, n.d.).

The best way to protect yourself is to know about the different types of cyber attacks. Then you can use that information and take steps to make your networks secure.

Here are some Common Application/Service Attacks that you need to know.

DDoS

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination (Cloudflare, n.d.).

Example of a DDoS attack: Application Layer Attacks

Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests. A single HTTP request is cheap to execute on the client side, but can be expensive for the target server to respond to, as the server often must load multiple files and run database queries in order to create a web page. Layer 7 attacks are difficult to defend against, as the traffic can be difficult to flag as malicious (Cloudflare, n.d.).

Buffer Overflow

What is a Buffer Overflow?

Applications set aside areas of memory, or buffers, for use as storage, frequently setting aside a finite amount of memory for a buffer. A buffer overflow exists when an application attempts to store more data than can fit in a fixed-size buffer. Buffer overflow attacks occur when an intruder is able to send data in excess of a fixed-size application buffer and the application does not check to ensure this doesn’t happen. By overflowing a buffer with executable code, an intruder can cause an application to perform unexpected and often malicious actions using the same privileges the application has been granted (Symantec Corporation, n.d.).

What is a Buffer Overflow Attack?

A buffer overflow attack works by exploiting a known bug in one of the applications running on a server. The overflow causes the application to overwrite system areas, such as the system stack, allowing the attacker to gain administrative rights. In most cases this gives the attacker complete control over the system. It is also called a stack overflow (Symantec Corporation, n.d.).

Cross-site Scripting

What is Cross-site Scripting?

Cross-site scripting is what happens when an attacker takes advantage of a vulnerability in a webpage to inject their own code. That code can steal user information such as credentials, session cookies and other sensitive data, and can even live persistently on a site to attack multiple users.
An XSS attack is unique because these vulnerabilities don’t target the website or web app they exploit; the site is only the attack vector. XSS uses scripts that are executed on a user’s machine; these are called client-side scripts. The vast majority are written in JavaScript or HTML, though other languages can be used for client-side scripts (Vigliarolo, 2018).

What is an example of cross-site scripting?

One common example of a cross-site scripting attack is seen on websites that have unvalidated comment forums. In this case, an attacker posts a comment consisting of executable code wrapped in <script> tags. These tags tell a web browser to interpret everything between them as JavaScript code. Once that comment is on the page, whenever any other user loads the site, the malicious code between the script tags is executed by their web browser, and they become a victim of the attack.
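As an added example, not code from the original post, here is the comment-forum case in Python: the vulnerable rendering the text describes beside the escaped version that closes the hole. The comments, the list markup and the header value are all constructed.

```python
# Added example (not from the post): an unvalidated comment forum, rendered unsafely and safely.
# The stored comments and the surrounding HTML are constructed for illustration.
import html

# Defence in depth, constructed value: a CSP that forbids inline scripts limits the damage
# if a single escape is ever missed. Escaping, below, is still the primary fix.
SECURITY_HEADERS = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}

COMMENTS = [
    "Great article, thanks!",
    # a comment body wrapped in <script> tags, the pattern described in the text
    "<script>alert('xss')</script>",
    # a body that tries to close an attribute and add an event handler instead
    'nice" onmouseover="alert(1)',
]


def render_unsafe(comment):
    """Vulnerable: the stored comment is concatenated straight into the page."""
    return '<li class="comment" title="' + comment + '">' + comment + "</li>"


def render_safe(comment):
    """Fixed: HTML-escape the comment so the browser treats it as text, not markup.
    quote=True also escapes quotes, which matters inside attribute values."""
    safe = html.escape(comment, quote=True)
    return '<li class="comment" title="' + safe + '">' + safe + "</li>"


def renders_as_text(render, comment):
    """True when none of the characters that can open markup (<, >, ") reach the
    output unescaped; a comment without such characters is harmless either way."""
    out = render(comment)
    return not (any(c in comment for c in '<>"') and comment in out)
```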

Cross-Site Request Forgery

What is Cross-Site Request Forgery?

Cross-Site Request Forgery, often abbreviated as CSRF, is an attack that can occur when a malicious website, blog, email message, instant message, or web application causes a user’s web browser to perform an undesired action on a trusted site at which the user is currently authenticated. The impact of a CSRF attack is determined by the capabilities exposed by the vulnerable application. At the most basic level, an attacker uses CSRF to make the target system perform any available function, for malicious ends, via the target’s browser and without the target user’s knowledge. The victim usually does not learn of the action until after it has occurred.

A CSRF vulnerability can give an attacker the ability to force an authenticated, logged-in user to perform an important action without their consent or knowledge. It is the digital equivalent of someone forging the victim’s signature on an important document. It is in fact more effective, because the attacker leaves no trace of evidence behind: the forged request contains all of the expected information and comes from the same IP address as a real request from the victim. This means that any application that allows a user to send or update data is a possible target.
One important thing to remember is that for CSRF to work, the victim has to be logged in to the targeted site. While this may seem like an impediment to the attacker, many websites let the user choose to “keep me logged in”, which greatly increases the window in which a forgery can be made (Barracuda, n.d.).

Examples of CSRF

The most common goal of a CSRF is theft—either data theft, identity theft, or financial theft. Some common uses of CSRF include:

  • Transfer money from one bank account to another. Your online session at your bank is abused: the bank treats the forged request as legitimate and sends $1000 from your account to Mallory’s account. All evidence suggests you made this transaction yourself from your logged-in browser.
  • Use a content management system to add or delete content from a website. If the victim is an administrative user, the entire website would be under the attacker’s control.
  • Change a user’s password. If a victim is logged into their account, the attacker can simply forge a request for an email change. Once this goes through, the attacker can forge a password reset request and subsequently gain full control of the victim’s account.
  • Add items to a user’s shopping basket or change the delivery address of an order. Many websites have a “my account” page or similar that stores a user’s information and lets them change their address or adjust their shopping cart. With CSRF, an attacker can adjust this information, and to the website it will look as if the victim made all of the changes.
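One way a server can refuse the forged bank transfer described above, as an added example that is not part of the original post: the synchronizer-token pattern, with an Origin check as a second layer. The secret key, the site origin and the request dictionaries are constructed; a real application would use its framework’s CSRF support.

```python
# Added example (not from the post): rejecting a forged transfer with a per-session CSRF token.
# SERVER_SECRET, SITE_ORIGIN and the request dicts are constructed placeholders.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-secret-replace-in-real-deployments"
SITE_ORIGIN = "https://bank.example"   # constructed


def issue_csrf_token(session_id):
    """Token bound to the session: random nonce plus an HMAC over session_id:nonce.
    The site embeds this in its own forms; an attacker's page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request):
    """request = {"cookies": {...}, "headers": {...}, "form": {...}}; returns (status, message).

    The browser attaches the session cookie to a forged request exactly as to a real one,
    so the cookie alone proves nothing; the token must have come from the site's own page."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred ${request['form']['amount']} to {request['form']['to']}"
```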

DNS Poisoning

What is DNS poisoning?

DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones. (HOFFMAN, n.d.)

This kind of attack is often categorized as a “pharming” attack and it creates several problems. First, users think they are at a familiar site, but they aren’t. Unlike with a “phishing” attack where an alert user can spot a suspicious URL, in this case the URL is legitimate. Remember, the browser resolves the address of the domain automatically so there is no intervention of any kind on the part of the users and, since nothing unusual has happened, they have no reason to be suspicious.

Another problem is that hundreds or even thousands of users can be redirected if an attacker successfully inserts a single fake entry into a caching server. The scale of the problem is amplified by the popularity of the domain being requested. Under these circumstances, even a moderately experienced hacker can cause a lot of trouble, obtaining passwords and other valuable or sensitive information.

It is possible to attack e-mail systems in a similar way. Rather than inserting a fake record for a Web server into a DNS caching server, the attacker inserts a fake record for a mail server, thereby redirecting corporate e-mail to a server they control.
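The checks that keep a fake record out of a caching server, as an added example that is not part of the original post: a reply is accepted only if it matches an outstanding query’s transaction ID, port, server and question, and only answers inside the queried server’s own zone are cached. DNS messages are modelled as plain dictionaries; every name, address and port is constructed.

```python
# Added example (not from the post): resolver-side checks against cache poisoning.
# Messages are dicts rather than wire format; all names, addresses and ports are constructed.

def send_query(pending, txid, src_port, server, qname, qtype="A"):
    """Record an outstanding query. Real resolvers randomise both txid and src_port,
    so a forger must guess ~32 bits before the genuine reply arrives."""
    pending[(txid, src_port)] = {"qname": qname.lower(), "qtype": qtype, "server": server}


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending, resp, server_zone):
    """Return (records_to_cache, reason). Anything failing a check is discarded.

    resp = {"txid", "dst_port", "from", "qname", "qtype", "answers": [(name, rtype, value)]}
    server_zone is the zone the queried server is authoritative for; answers for other
    names (e.g. a mail server in an unrelated domain) are dropped rather than cached."""
    key = (resp["txid"], resp["dst_port"])
    query = pending.get(key)
    if query is None:
        return [], "no outstanding query with this txid/port (spoofed or stale reply)"
    if resp["from"] != query["server"]:
        return [], "reply did not come from the server that was asked"
    if resp["qname"].lower() != query["qname"] or resp["qtype"] != query["qtype"]:
        return [], "question section does not match the query"
    del pending[key]   # the slot is consumed whether or not any record is kept
    kept = [rr for rr in resp["answers"] if in_bailiwick(rr[0], server_zone)]
    dropped = len(resp["answers"]) - len(kept)
    return kept, f"accepted; {dropped} out-of-bailiwick record(s) dropped"
```

These checks raise the cost of guessing but do not make forgery impossible; DNSSEC validation is what lets the resolver verify that a record was signed by the zone owner.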

References

Barracuda. (n.d.). What is CSRF? Retrieved from www.barracuda.com/: https://www.barracuda.com/glossary/csrf

Cloudflare. (n.d.). What is a DDoS Attacks? Retrieved from Cloudflare.com: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

HOFFMAN, C. (n.d.). What is DNS Cache Poisoning? Retrieved from www.howtogeek.com: https://www.howtogeek.com/161808/htg-explains-what-is-dns-cache-poisoning/

statista. (n.d.). Cyber crime: number of breaches and records exposed 2005-2018. Retrieved from www.statista.com: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

Symantec Corporation. (n.d.). Buffer Overflow. Retrieved from us.norton.com: https://us.norton.com/online-threats/glossary/b/buffer-overflow.html

Vigliarolo, B. (2018, December 3). Cross-site scripting attacks: A cheat sheet. Retrieved from https://www.techrepublic.com: https://www.techrepublic.com/article/cross-site-scripting-attacks-a-cheat-sheet/
