Hacking

Hacking is the unauthorized access, modification, or use of an electronic device or some element of a computer system.

How Hacking Works?

Example:

  • Russian hackers broke into Citibank’s system and stole $10 million from customer accounts.
  • Hackers broke into Sony PlayStation, the online gaming service, and stole users’ credit card numbers, email addresses, and passwords.

Hijacking

Hijacking is gaining control of a computer to carry out illicit activities without the user’s knowledge.

How Hijacking Works?

Spamming

Spamming is the use of a messaging system to send unsolicited messages, as well as sending messages repeatedly on the same site.

Spamming occurs especially in advertising, and the most recognized form of spam is email spam.

Anyone who uses email encounters spam, also known as junk mail. It may fill up your inbox and take up your valuable time, or it may trick you into giving out your private information to someone you don’t know.

Examples:

  • Email messages you didn’t ask for that are from senders you don’t know.
  • Unsolicited commercial email messages sent in bulk, often to a purchased mailing list that contains your address.
  • Misleading messages from people you know whose email accounts have been hacked.

Pharming

Pharming is the fraudulent practice of directing internet users to a bogus website that mimics the appearance of a legitimate one in order to obtain personal information such as passwords, account numbers, etc.

For example, a user may create a web page that appears to be for a specific bank, requesting a username and password for login. However, if information is entered into this page, it is captured by the person who created it.

Consequently, they may use this information on the actual bank site, gaining access to a person’s bank account.

What is Spoofing?

In the context of computer security, a spoofing attack is an attack in which one person or program successfully acts as another by falsifying data, thereby gaining an illegitimate advantage.

Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.

  • Spoofing is the art of faking a real identity.
  • The main purpose is to trick the authenticator into releasing sensitive information, or to gain unauthorized access.
  • Example: an attacker can register a domain like faceb00k.com to get a URL that looks similar to facebook.com; they can also get a copy of the original site with web mirroring tools.

An Example: CEO CFO Frauds

“CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name.”

  • In the first case, the attacker spoofs the email ID of the CEO.
  • In the second case, the attacker spoofs the cell number to make a fake call or SMS.
  • According to an FBI report, US companies lost 2.3 billion dollars to CEO fraud attacks (Feb 2016).

What can be Spoofed?

Email Spoofing

“Email spoofing is the sending of emails with a forged sender, where the sender’s email ID looks the same or similar but in reality is a fake.”

  • Email spoofing mainly requires a similar looking domain name.
  • The famous CEO CFO frauds are usually done using this technique
  • http://emkei.cz is a site that can be used for email spoofing.

Caller ID Spoofing

“Call spoofing is a technique of making a call or SMS with a fake caller ID to pretend to be someone else.”

  • Caller ID can be spoofed to make calls and messages
  • Caller ID spoofing is done to hide the real identity of the caller

used for call spoofing

IP Address Spoofing

“IP spoofing is a technique of masking the real IP of a computer with a fake IP while interacting on the World Wide Web.”

  • IP, or Internet Protocol, is the basic protocol for communication over the internet, where each data packet must carry the IP address of its sender. In IP spoofing, the user tampers with the IP address associated with the data packet.
  • It’s a major threat where IP-based authentication is allowed.
  • IP spoofing is widely used in DoS (Denial of Service) attacks to hide the real sender’s IP.

Website Spoofing

Website spoofing is creating a hoax copy of the original website to mislead the real website’s users.

  • This technique is also known as URL SPOOFING
  • It requires similar URL and same design of the original site
  • http://freenom.com is a site to get similar domains for free
  • http://000webhost.com is a hosting service provider for free

Buffer Overflow Attack

A buffer overflow attack happens when the amount of data entered into a program is greater than the amount of memory set aside to receive it. The input overflow usually overwrites the next computer instruction, causing the system to crash. Hackers exploit this buffer overflow by carefully crafting the input so that the overflow contains code that tells the computer what to do next. This code could open a back door into the system, provide the attacker with full control of the system, access confidential data, destroy or harm system components, slow system operations, and carry out any number of other inappropriate acts.

Buffer overflow exploits can occur with any form of input, including mail servers, databases, web servers, and FTPs. Many exploits have been written to cause buffer overflows. The Code Red worm used a buffer overflow to exploit a hole in Microsoft’s Internet Information Services.

For example, consider a program that requests a user password in order to grant the user access to the system.
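The password-prompt case above, written out in C as an added example (not code from the original page): the first function has the unchecked copy that lets over-long input overwrite adjacent memory, the second is the bounded version. The 16-byte buffer, the function names and the sample password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PW_BUF 16                              /* memory set aside for input */
static const char SECRET[] = "s3cret-demo";    /* constructed sample password */

/* Vulnerable form: strcpy() copies until the NUL terminator and ignores
 * PW_BUF, so input of 16 bytes or more writes past buf into adjacent stack
 * memory (other locals, saved registers, the return address). */
int check_password_unsafe(const char *input) {
    char buf[PW_BUF];
    strcpy(buf, input);                        /* the defect: no length check */
    return strcmp(buf, SECRET) == 0;
}

/* Hardened form: measure the input without reading past PW_BUF bytes and
 * reject anything that does not fit, terminator included.
 * Returns 1 = access granted, 0 = wrong password, -1 = input rejected. */
int check_password_safe(const char *input) {
    char buf[PW_BUF];
    size_t len = 0;
    while (len < PW_BUF && input[len] != '\0')
        len++;
    if (len >= PW_BUF)
        return -1;                             /* too long: reject, never truncate */
    memcpy(buf, input, len + 1);               /* len + 1 <= PW_BUF, includes NUL */
    return strcmp(buf, SECRET) == 0 ? 1 : 0;
}

int main(void) {
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */
    printf("correct password: %d\n", check_password_safe(SECRET));
    printf("wrong password:   %d\n", check_password_safe("guess"));
    printf("oversized input:  %d\n", check_password_safe(too_long));
    return 0;
}
```

Rejecting oversized input outright, rather than silently truncating it, keeps a long string from being accepted as a match for its own prefix. The plaintext comparison only keeps the example short; real systems compare password hashes.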

Trojan Horse

A Trojan horse is a set of malicious computer instructions in an authorized and otherwise properly functioning program. In one study, Trojans were the malware of choice, as they were used in over 66% of all infections. Unlike viruses and worms, the code does not try to replicate itself. Some Trojans give the creator the power to control the victim’s computer remotely. Most Trojan infections occur when a user runs an infected program received in an e-mail, visits a malicious website, or downloads software billed as helpful add-ons to popular software programs.

Example:

  • Trojan-Banker: Its purpose is to steal your account data for online banking systems, e-payment systems and credit or debit cards.
  • Trojan-Downloader: Trojan-downloaders can download and install new versions of malicious programs onto your computer, including Trojans and adware.

Identity Theft

Identity theft is assuming someone’s identity for the purpose of economic gain by illegally obtaining and using confidential information such as credit cards, bank accounts, etc.

Types of Identity Theft

  • Financial identity theft.
  • Driver’s identity theft.
  • Criminal identity theft.
  • Social identity theft.
  • Medical identity theft.
  • Insurance identity theft.

Prevention of Identity Theft

  • Check your credit report regularly.
  • Monitor your account statements for unauthorized transactions.
  • Keep your SS card safe.
  • Do not respond to spam email.

Pretexting

Pretexting is using an invented scenario to increase the likelihood that a victim will divulge information or do something. Mainly, it relies on a false motive.

Pretexting is a social engineering technique in which a fictional situation is created for the purpose of obtaining personal and sensitive information from an unsuspecting individual.

Real Life Examples of Pretexting

  • ABN Bank pretexting.
  • Walmart pretexting.

Social Engineering

Social engineering refers to the techniques or psychological tricks used to get people to comply with the perpetrator’s wishes in order to gain physical or logical access to a building, computer, server, or network. It is usually used to get the information needed to obtain confidential data. What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems.

Understanding Social Engineering

The biggest challenge with social engineering hacks is the realism. Interactions seem reasonable and real but the person on the other side is not who they pretend to be.

For example, a woman might call a male victim’s bank and pretend to be his wife, claiming an emergency and requesting access to his account. If the woman can successfully socially engineer the bank’s customer service representative by appealing to the representative’s empathetic tendency, she may succeed in obtaining access to the man’s account and be able to steal his money.

Cisco reported that fraudsters take advantage of the following human traits in order to entice a person to reveal information or take a specific action:

  1. Compassion: The desire to help others who present themselves as really needing your help.
  2. Greed: People are more likely to cooperate if they get something free or think they are getting a once-in-a-lifetime deal.
  3. Sloth: Few people want to do things the hard way, waste time, or do something unpleasant; fraudsters take advantage of our lazy habits and tendencies.
  4. Trust: People are more likely to cooperate with people who gain their trust.
  5. Urgency: A sense of urgency or immediate need that must be met leads people to be more cooperative and accommodating.
  6. Vanity: People are more likely to cooperate if you appeal to their vanity by telling them they are going to be more popular or successful.

Establishing the following policies and procedures, and training people to follow them, can help minimize social engineering:

  1. Never let people follow you into a restricted building.
  2. Never log in for someone else on a computer, especially if you have administrative access.
  3. Never give sensitive information over the phone or through e-mail.
  4. Never share passwords or user IDs.
  5. Be cautious of anyone you do not know who is trying to gain access through you.

Shoulder Surfing

Shoulder surfing is using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is an effective way to get information in crowded places because it’s relatively easy to stand next to someone and watch as they fill out a form, enter a PIN number at an ATM machine, or use a calling card at a public pay phone.

Some Tips to Help Prevent Shoulder Surfing

  • Be aware of your surroundings. Watch for people and recording devices.
  • Sit with your back to the wall if you’re in a public place and entering personal or financial information into your computer or cell phone.
  • Shield the keypad on the ATM when you enter your PIN.
  • Make sure your ATM transaction is complete and take your receipt.
  • Pick strong passwords so it’s hard for any observer to guess what you typed.
  • Lock your computer screen at work when you leave your desk.

Skimming

Skimming is a reading technique meant to look for main or general ideas in a text, without going into detailed and exhaustive reading. In skimming, a reader reads only important information, but not everything.

Malware

Malware is any software that is used to do harm. Malware is a constant and growing concern, as well as an expensive one.

For example, Heartland Payment Systems was the victim of one of the largest ever security breaches in U.S. history. Over 130 million credit card numbers were stolen, and Heartland spent more than $12.6 million in legal costs and fines associated with the security breach.

Most malware is the result of installation or injection by a remote attacker. It is spread using several approaches, including shared access to files, e-mail attachments, and remote access vulnerabilities.

Time Bombs

Time bombs and logic bombs are Trojan horses that lie idle until triggered by a specified date or time, by a change in the system, by a message sent to the system, or by an event that does not occur. Once triggered, the bomb goes off, destroying programs, data, or both.

Example:

Disgruntled company insiders who want to get even with their company write time or logic bombs. Anticipating that he would not receive a bonus or new contract, Duronio planted a Trojan horse time bomb at UBS Paine Webber. Several weeks after he left the firm, the trigger date of March 4 arrived. His 60 lines of malicious code attacked the company’s 2,000 servers and deleted company files just as the stock market opened. The effects were catastrophic.

Brokers’ computers were out of commission for days or weeks, depending on how badly the machines were damaged and on the existence of branch backup tapes. Some 20% of the computers had no backup tapes, and some servers were never fully restored.

Over 400 employees and 200 IBM consultants worked feverishly, at a cost of 3.1 million, to restore the systems. Duronio cashed out his IRA and sold UBS stock short, figuring to make a killing when the stock plunged. It never did, and he lost money on his short sale. He was sentenced to eight years in prison.

Legal Uses of time bombs

There are legal uses of time and logic bombs, such as in trial versions of software. The software becomes unusable after a certain amount of time passes or after the software has been used a certain number of times.

Spyware

Software that secretly monitors computer usage, collects personal information about the users, and sends it to someone else, often without permission.

URL Hijacking

URL hijacking is a process in which a website is falsely removed from the results of a search engine and replaced by another webpage that links to the remote page.

Causes of URL Hijacking:

  • Entering a misspelled domain name into the browser (google.com typed as googel.com).
  • Entering the wrong domain extension (instagram.com typed as instagram.org).
  • Spelling the name differently from the registered one (such as colour instead of color).
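A defender can screen newly seen or newly registered domains for the look-alike patterns described here and in the spoofing section (faceb00k.com, googel.com, instagram.org). The following C check is an added example, not part of the original page; the function names, the digit-folding table and the two-edit threshold (taken from the "one or two letters off" description) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define MAXLEN 64   /* longer names are truncated in this sketch */

/* Lowercase; with name_only set, also drop the TLD and fold 0->o, 1->l. */
static void fold(const char *in, char *out, int name_only) {
    const char *dot = name_only ? strrchr(in, '.') : NULL;
    size_t i = 0;
    for (; in[i] != '\0' && &in[i] != dot && i < MAXLEN - 1; i++) {
        char c = in[i];
        if (c >= 'A' && c <= 'Z') c = (char)(c - 'A' + 'a');
        if (name_only) c = (c == '0') ? 'o' : (c == '1') ? 'l' : c;
        out[i] = c;
    }
    out[i] = '\0';
}

/* Edit distance: insert, delete, substitute, adjacent swap each cost 1. */
static int osa(const char *a, const char *b) {
    static int d[MAXLEN][MAXLEN];
    int n = (int)strlen(a), m = (int)strlen(b);
    for (int i = 0; i <= n; i++) d[i][0] = i;
    for (int j = 0; j <= m; j++) d[0][j] = j;
    for (int i = 1; i <= n; i++)
        for (int j = 1; j <= m; j++) {
            int v = d[i-1][j-1] + (a[i-1] != b[j-1]);
            if (d[i-1][j] + 1 < v) v = d[i-1][j] + 1;
            if (d[i][j-1] + 1 < v) v = d[i][j-1] + 1;
            if (i > 1 && j > 1 && a[i-1] == b[j-2] && a[i-2] == b[j-1]
                && d[i-2][j-2] + 1 < v) v = d[i-2][j-2] + 1;
            d[i][j] = v;
        }
    return d[n][m];
}

/* 1 if candidate is another domain whose name is within two edits of the
 * protected name (a changed TLD alone also counts); 0 otherwise. */
int is_lookalike(const char *candidate, const char *protected_domain) {
    char c[MAXLEN], p[MAXLEN];
    fold(candidate, c, 0);
    fold(protected_domain, p, 0);
    if (strcmp(c, p) == 0) return 0;     /* the genuine domain itself */
    fold(candidate, c, 1);
    fold(protected_domain, p, 1);
    return osa(c, p) <= 2;
}

int main(void) {
    return printf("%d\n", is_lookalike("faceb00k.com", "facebook.com")) < 0;
}
```

A two-edit threshold produces false positives on very short names, so in practice the hits are reviewed against a list of the organization's own registered domains.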

SQL Injection

SQL injection is a code injection technique that might destroy the database or the security system.

This technique is used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
