Cybersecurity Attacks

In the context of cybersecurity, risk, vulnerability, and threat are distinct concepts that collectively contribute to understanding and managing potential security issues.

• Risk - Risk refers to the potential for harm or loss resulting from the exploitation of vulnerabilities by threats. It involves assessing the likelihood of an incident occurring and the impact it could have on an organization's assets, systems, or operations.
• Vulnerability - A vulnerability is a weakness or flaw in a system, network, application, or process that can be exploited by a threat to compromise its security. Vulnerabilities can arise due to design flaws, programming errors, misconfigurations, or outdated software.
• Threat - A threat refers to any potential danger or harmful event that could exploit vulnerabilities and negatively impact the confidentiality, integrity, or availability of an information system or its data. Threats can come from various sources, including malicious actors, malware, natural disasters, technical failures, or human errors.

In other terms, vulnerability refers to the likelihood of an attack being successful and threat refers to the severity of the impact of an attack if it were to occur. Before starting with risk mitigation and risk management, there is a need to understand the vulnerabilities and the threats to those vulnerabilities.

Types of attacks:

A man-in-the-middle (MiTM) attack is a type of cyber-attack in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. It usually comes during a connection to an unsecured or poorly secured wifi router.

It will allow the attacker to capture and manipulate sensitive personal information in real-time such as:

• login credentials
• card numbers

MiTM attack steps

1. An attacker installs a packet sniffer to detect insecure network traffic
2. Once the user logs into the insecure website, the attacker sends them to a fake website
3. The fake website mimics the original website and collects all pertinent user data that the attacker uses on the original website

Types of MiTM attacks

• Wi-Fi eavesdropping: public Wi-Fi users get tricked into connecting to malicious Wi-Fi networks and hotspots. Cybercriminals accomplish this by setting up Wi-Fi connections with names that resemble nearby businesses.
• Internet Protocol spoofing: cybercriminals alter the source IP address of a website, email address or device.
• Cache / ARP spoofing: attackers send false ARP messages over the LAN to link the spoofer’s MAC address to a legitimate IP address of a computer or server on the network.
• URL spoofing: the attacker uses a domain (URL) that looks very similar to that of the target website in a way that the unsuspecting user is unlikely to notice the difference.
• Email spoofing: here, attackers alter the email’s header field to misrepresent who the real sender is.  Email spoofs are always used as a part of phishing attacks where victims trust the source of the email and then they are tricked into clicking a malicious link.
• DNS spoofing: cybercriminals inject fake DNS entries into the DNS server, so when legitimate users access the server, they are sent to the injected DNS location, not their intended destination.
• Session hijacking: A.k.a stealing browser cookies, this malicious practice takes place when cybercriminals steal personal data and passwords stored inside the cookies of a user's browsing session.
• Replay attacks -A replay attack is a form of cyber attack where an attacker intercepts and maliciously resends valid data or communication to gain unauthorized access or manipulate a system or process.

Let's take a deep dive into each type of MiM attack.

Wi-Fi eavesdropping

In today's interconnected world, Wi-Fi networks are prevalent and widely used for seamless internet connectivity. However, these networks can be susceptible to security risks, with one notable threat being Wi-Fi eavesdropping.

Wi-Fi eavesdropping refers to the unauthorized interception and monitoring of wireless network traffic by an attacker. Attackers can capture and analyze Wi-Fi data packets transmitted between devices, potentially compromising sensitive information, such as usernames, passwords, or confidential data

Risks of Wi-Fi Eavesdropping:

• Data Interception: Eavesdroppers can capture unencrypted data packets transmitted over the network, allowing them to access sensitive information.
• Identity Theft: Attackers can gather personal information, login credentials, or financial details, which can lead to identity theft or unauthorized access to online accounts.
• Confidentiality Breach: Eavesdropping can expose confidential business data, trade secrets, or proprietary information, leading to financial losses or reputational damage.

Attackers utilize specialized software tools to capture and analyze wireless network packets, intercepting data transmitted over the airwaves. Eavesdroppers position themselves between the target device and the intended Wi-Fi network, intercepting and manipulating communication.

IP Spoofing

IP spoofing involves altering the source IP address of network packets to impersonate another entity or mask the attacker's true identity. Attackers use IP spoofing to bypass security measures, launch various types of attacks, or perform covert activities, making it difficult to trace the origin of malicious activities.

Spoofing enables attackers to hide their true IP addresses, making it difficult for security systems to identify and trace the source of malicious activities. Spoofed IP addresses are often used in Distributed Denial of Service (DDoS) attacks, overwhelming target systems with a flood of network traffic, making it challenging to filter out legitimate requests. Attackers can also impersonate legitimate users by spoofing their IP addresses, gaining unauthorized access to sessions or intercepting sensitive information.

Techniques Used in IP Spoofing:

• Source IP Address Modification: Attackers manipulate the source IP address field in IP headers, forging packets to appear to originate from a different IP address than their actual source.
• IP Address Spoofing Tools: Various software tools and scripts allow attackers to automate the process of IP spoofing, simplifying the execution of spoofing attacks.

Let's take a look at a real-life example of a Man-in-the-Middle Attack that occurred in 2014.

ARP Spoofing

Address Resolution Protocol (ARP) spoofing is a deceptive technique used by attackers to manipulate the ARP tables on a local network. ARP spoofing involves falsifying ARP messages to associate an attacker's MAC address with the IP address of another device, leading to the redirection of network traffic intended for the targeted device.

Attackers employ ARP spoofing to intercept sensitive information, conduct man-in-the-middle attacks, or perform network reconnaissance.

By redirecting network traffic, attackers can capture and analyze sensitive information such as login credentials, financial data, or unencrypted communications. ARP spoofing allows attackers to position themselves between communicating parties, enabling them to intercept, modify, or inject malicious content into the traffic. Spoofing the ARP tables can also cause network connectivity issues, leading to service disruptions or denial of service for legitimate users.

Techniques Used in ARP Spoofing:

• ARP Cache Poisoning: Attackers send falsified ARP messages, associating their MAC address with the IP address of the targeted device, poisoning the ARP cache of other devices on the network.
• Gratuitous ARP: Attackers send unsolicited ARP replies, falsely claiming ownership of an IP address and causing other devices to update their ARP tables with the attacker's MAC address.

URL Spoofing

URL (Uniform Resource Locator) spoofing is a deceptive technique used by attackers to manipulate or falsify URLs with the intention of misleading users and redirecting them to malicious websites. URL spoofing involves creating a fraudulent or deceptive URL that appears legitimate to users, leading them to believe they are accessing a trusted website or service.

Attackers employ URL spoofing to trick users into divulging sensitive information, such as login credentials, financial details, or personal data, or to deliver malware.URL spoofing is often used in phishing campaigns where attackers masquerade as legitimate organizations, aiming to trick users into revealing sensitive information. Attackers may use spoofed URLs to distribute malware by tricking users into downloading malicious files or visiting compromised websites. URL spoofing also allows attackers to create fake websites that closely resemble legitimate brands, deceiving users and damaging the brand's reputation.

Techniques Used in URL Spoofing:

• Domain Name Deception: Attackers register domain names that closely resemble legitimate ones by altering characters, adding subdomains, or using alternative top-level domains (TLDs).
• URL Obfuscation: Attackers use techniques like URL shortening services, obfuscated code, or redirects to disguise the true destination of the URL.
• Homograph Attacks: Attackers employ characters from different character sets that visually resemble legitimate characters to create misleading URLs.

Email Spoofing

Email spoofing involves forging or altering the email header information, including the "From" address, to make the message appear as if it is sent from a trusted source.

Attackers use email spoofing to deceive recipients, gain their trust, and trick them into taking certain actions, such as revealing sensitive information or clicking on malicious links.

Email spoofing is commonly used in phishing campaigns, where attackers impersonate reputable organizations to trick recipients into providing sensitive information or performing malicious actions. Attackers may spoof the email of a company executive or a trusted business partner to deceive employees into initiating unauthorized financial transactions or sharing confidential data. Spoofed emails can also contain malicious attachments or links that, when clicked, lead to the download or installation of malware on the recipient's device.

Techniques Used in Email Spoofing:

• From Address Manipulation: Attackers alter the "From" field to display a forged email address that appears to be legitimate or trustworthy.
• Domain Name Spoofing: Attackers use similar domain names or subdomains that closely resemble legitimate ones to trick recipients.
• Reply-To Address Modification: Attackers change the "Reply-To" address to direct responses to a different email address, allowing them to intercept and manipulate communication.

DNS Spoofing or Poisoning

DNS spoofing ( a.k.a DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination. Attackers can poison DNS caches by impersonating DNS nameservers, making a request to a DNS resolver, and then forging the reply when the DNS resolver queries a nameserver.

Session Hijacking

Session hijacking, also known as session stealing or session sidejacking, is a type of attack where an unauthorized individual intercepts and takes control of a user's active session on a network or web application. In this attack, the attacker aims to exploit vulnerabilities or weaknesses in the session management process to gain unauthorized access to the session and impersonate the legitimate user.

Here's how session hijacking typically occurs:

1. Session Identification: When a user logs into a web application or network, a session is established, and a unique session identifier (session ID) is generated. The session ID is used to authenticate and track the user's activities during their session.
2. Interception: The attacker intercepts the session ID, often through various means such as eavesdropping on network traffic, capturing cookies, or exploiting security vulnerabilities in the application.
3. Session ID Usage: With the intercepted session ID, the attacker can impersonate the legitimate user by injecting the session ID into their own browser or using it to forge requests. This enables the attacker to gain unauthorized access to the user's session and perform actions on their behalf.
4. Exploitation: Once the attacker has control over the session, they can potentially access sensitive information, manipulate data, perform unauthorized transactions, or carry out other malicious activities within the compromised session.

There are different techniques used for session hijacking, including:

• Session Sniffing: The attacker captures network traffic to intercept and obtain session IDs or authentication credentials.
• Session Sidejacking: The attacker steals session IDs from unencrypted network connections or compromised devices to gain unauthorized access.
• Cross-site Scripting (XSS): By injecting malicious scripts into a website, the attacker can hijack session information from unsuspecting users.

Replay Attacks

A replay attack is a subset of MiTM attacks and is when third-party intercepts and “replays” a secure data transmission, allowing the third party to interact with the receiver as though they were the original sender.

Let's take a look at an example:

• Tom sends a login request to a website—the login request is verified, and Tom can log in.
• Sally intercepts the login request without Tom or the website being aware.
• Sally doesn’t even need to read the contents of the request; she can simply “replay” it.
• To the website, it will appear as though Tom is logging in again, and Sally’s login request (as Tom's) will be successful.

How to Prevent MiTM Attacks:

1. Avoid Public Hotspot: Avoid using public WiFi to protect the integrity of your sessions and opt for secure wireless networks.
2. Use a VPN: A VPN helps prevent attackers from intercepting traffic, making it more difficult for them to steal session IDs.
3. HTTPS: The use of HTTPS ensures that there is SSL/TLS encryption throughout the session traffic. Attackers will be unable to intercept the plaintext session ID, even if the victim’s traffic was monitored. It is advised to use HSTS (HTTP Strict Transport Security) to guarantee complete encryption.
4. Implement a Strong Encryption Point with Wi-Fi Protected Access (WPA/WPA-2): WPA can secure your wireless network from MitM attacks.

Watch the below video for a more detailed overview of MiTM attacks.

A Denial-of-Service (DoS) attack is an attack meant to shut down a single machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash.

DDoS:

A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one target or one system by sending fake traffic.

The attack starts when an attacker identifies a vulnerability in one master system. Then, they gain access to other vulnerable systems by introducing malware or bypassing authentication controls. DDoS attackers often leverage the use of a botnet —a group of hijacked or infected internet-connected devices to carry out large-scale attacks.

The host of infected systems is called a bot or zombie.

How a DDos attack works

Network resources (such as web servers) have a finite limit to the number of requests that they can service simultaneously. Additionally, the channel that connects the server to the Internet will also have a finite bandwidth/capacity. Whenever the number of requests exceeds the capacity limits of any component of the infrastructure, the level of service is likely to suffer in one of the following ways:

• The response to requests will be much slower than normal.
• Some /or all users’ requests may be totally ignored.

In general, DDoS attacks can be segregated by which layer of the Open Systems Interconnection (OSI) model they attack. They are most common in the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) Layers.

Content Delivery Network

A Content Delivery Network is a distributed network of servers strategically located in different geographical locations to deliver web content and data to users more efficiently and effectively. The primary purpose of a CDN is to improve website performance, enhance user experience, and handle high traffic loads by reducing latency and minimizing the distance between the content and the end user.

A CDN works by caching and distributing content across its network of servers. When a user requests a specific web page, file, or media resource, the CDN serves the content from the server that is geographically closest to the user, reducing the time it takes for the content to reach the user's device. This proximity ensures faster content delivery and decreases the burden on the origin server hosting the website.

A multi-CDN refers to the use of multiple CDN providers simultaneously to further optimize content delivery. With a multi-CDN approach, content is distributed across multiple CDN networks, leveraging the strengths and capabilities of each provider. This strategy enhances performance, redundancy, and resilience by leveraging the combined infrastructure of multiple CDNs.

By utilizing multiple CDNs, organizations can achieve broader geographic coverage, minimize reliance on a single provider, and dynamically route traffic based on real-time performance metrics. This approach allows organizations to select the most optimal CDN for specific regions or situations, ensuring the best possible content delivery performance and user experience.

Categorizing protocols by TCP/IP model

Categorizing protocols by the TCP/IP model involves classifying network protocols based on the layers defined in the TCP/IP networking framework. The TCP/IP model consists of four layers, namely the Network Interface layer, Internet layer, Transport layer, and Application layer. Each layer performs specific functions and encompasses various protocols that facilitate communication between networked devices. Here's a breakdown of the protocol categories within the TCP/IP model:

• Network Interface Layer: This layer handles the physical transmission of data and addresses protocols that govern how network devices interact with the underlying network hardware. Protocols such as Ethernet, Wi-Fi (802.11), and Token Ring fall under this category.
• Internet Layer: The Internet layer deals with the logical addressing and routing of data across different networks. The primary protocol at this layer is the Internet Protocol (IP), responsible for assigning IP addresses to devices and enabling packet routing between networks. Other protocols, such as Internet Control Message Protocol (ICMP) for error reporting and Internet Group Management Protocol (IGMP) for multicast group management, are also part of this layer.
• Transport Layer: This layer focuses on end-to-end communication and ensures reliable data transfer between devices. The Transmission Control Protocol (TCP) is a prominent protocol in this layer, offering connection-oriented and reliable delivery of data. Additionally, the User Datagram Protocol (UDP) provides connectionless and unreliable transmission. These protocols enable applications to establish communication channels and manage data delivery.
• Application Layer: The Application layer contains protocols that support specific application services and functionalities. This layer encompasses a wide range of protocols, including the Hypertext Transfer Protocol (HTTP) for web browsing, File Transfer Protocol (FTP) for file transfers, Simple Mail Transfer Protocol (SMTP) for email transmission, Domain Name System (DNS) for domain name resolution, and many more. These protocols enable various applications to interact with the network and exchange data.

Categorizing protocols by the TCP/IP model helps in understanding the functionality and purpose of each protocol within the networking architecture. It provides a structured approach to organizing and discussing network protocols, facilitating the implementation, troubleshooting, and management of networked systems based on the TCP/IP framework.

Syn Flood Attack

An SYN FLOOD attack is a type of DDoS attack that opens many connections with the target server and then never closes them. The attacker, acting as a client, sends a SYN message, when the server responds with a SYN-ACK the malicious client never sends an ACK message.

In this way the server is forced to keep numerous connections open, taxing its resources until it fails.

Categories of DDoS attacks

Smurf Attacks

A smurf attack is a DDoS attack that sends packets spoofing the victim's source IP. When devices on the network attempt to respond, the amount of traffic slows the targeted device to the point of being unusable.

This type of attack is named after the cartoon character "The Smurfs” because of their ability to take down larger enemies by working together.

Smurfing attacks are named after the malware ”DDoS.Smurf”, which enables hackers to execute them.

How a Smurf Attack Works

1. “DDoS.Smurf” malware creates an ICMP Echo Request coming from a spoofed IP address that routes back to the smurf attack victim.
2. The ICMP Echo Request is sent to an IP broadcast network that then relays the message to every device on the network, eliciting ICMP Echo Replies.
3. The devices send ICMP Echo Replies back to the IP broadcast network, indicating the ICMP Echo Request has been received.
4. All of the replies are rerouted to the Smurf attack victim, resulting in a DDoS attack.

UDP Flood Attacks

Under normal conditions, when a server receives a UDP packet at a particular port, it goes through two steps in response:

1. The server first checks to see if any programs are running which are presently listening for requests at the specified port.
2. If no programs are receiving packets at that port, the server responds with an ICMP (ping) packet to inform the sender that the destination was unreachable.

What is a UDP flood attack?

A UDP flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond.

The receiving host checks for applications associated with these datagrams and—finding none—sends back a “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients.

Ping of Death Attack

Type of denial-of-service (DoS) attack, in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.

When the target machine attempts to put the pieces back together of the malicious packets, the total exceeds the size limit and a buffer overflow can occur, causing the target machine to freeze, crash or reboot.

The original ping-of-death attack is less common today, but a new Ping of Death attack for IPv6 packets for Microsoft Windows was discovered and patched in mid-2013.

DDoS Attach Types

A buffer overflow occurs when a program or process attempts to write more data to a buffer (fixed-length block of memory) than it can hold. Buffers contain a defined amount of data and any extra data will overwrite data values in memory addresses adjacent to the destination buffer.

Attackers can exploit a buffer overflow to control, modify, or crash a process and violating a programming language and overriding the bounds of the buffer to trigger additional actions allows them to send new instructions to an app, therefore giving the hackers access to IT systems, or corrupting an app and taking over a machine.

Types of buffer overflow attacks:

1. Stack-based Buffer Overflow: This type of attack targets the stack, a region of memory used for storing local variables and function call information. By overflowing a buffer on the stack, an attacker can overwrite the return address of a function, allowing them to redirect the execution flow to a malicious code payload.
2. Heap-based Buffer Overflow: In contrast to stack-based attacks, heap-based buffer overflows target dynamically allocated memory on the heap. Attackers manipulate the size of dynamically allocated buffers, causing adjacent data structures to become corrupted. This can lead to various consequences, including arbitrary code execution or cause the program to crash.
3. Integer Overflow: While not strictly a buffer overflow, an integer overflow can lead to similar consequences. It occurs when an arithmetic operation results in a value larger than the maximum representable value for the data type. Attackers can exploit integer overflows to manipulate memory or control program behaviour.
4. Format String Attacks: Format string vulnerabilities occur when a program uses user-supplied format strings without proper validation. By exploiting this vulnerability, an attacker can manipulate the format string to read or write data from arbitrary memory locations, potentially leading to a buffer overflow and execution of malicious code.
5. Unicode Overvflow: Unicode is a character encoding standard that assigns a unique numerical value (code point) to each character in various writing systems. It provides a way to represent and handle text in different languages and scripts. Vulnerabilities related to Unicode or character encoding exist within specific software applications or implementations.

Injection attacks are a common type of security vulnerability that can compromise the integrity and security of software applications. Injection attacks occur when an attacker injects malicious code or commands into an application's input fields or data streams. Attackers exploit vulnerabilities in an application's handling of user input to execute unauthorized actions, gain unauthorized access, or manipulate the application's behaviour.

Watch the following video on Injection Attacks created by an ethical hacker for IBM that outlines the different types of Injection Attacks and their potential impacts.

SQL Injection Attacks:

SQL Injection Attacks are a type of injection attack that makes it possible to execute malicious SQL statements, which are then able to control a database server behind a web application.

A successful SQL injection exploit can:

1. read sensitive data from the database
2. modify database data (Insert/Update/Delete)
3. execute administration operations on the database (such as the shutdown of the DBMS)
4. Recover the content of a given file present on the DBMS file system and
5. In some cases, issue commands to the operating system.

Examples of SQL Injections:

SQL Injection Based on 1=1 is Always True

SQL Injection Based on Batched SQL Statements

Cross-site Scripting Attacks:

Cross-site scripting (XSS) attacks occur when hackers execute malicious JavaScript within a victim’s browser. Sensitive details about the authenticated user can be stolen from the session, and completely compromise a website.

Attackers can inject their code to target the visitors of the website by adding their own ads, phishing prompts, or other malicious content.

Examples of XSS attacks

This will list all the cookie variables in the browser at this time. Document.cookie variable clearly contains some sensitive information.

Preventing Injection Attacks 

1. Input Validation and Sanitization: Implement strict input validation by validating and sanitizing all user input to ensure it conforms to expected formats and data types. Use parameterized queries or prepared statements to prevent SQL injection attacks by separating data from SQL commands.
2. Least Privilege Principle: Assign minimal privileges to application components, databases, and user accounts, limiting the potential impact of an injection attack.
3. Input Filtering and Encoding: Filter and sanitize input data by removing or encoding special characters to prevent interpretation as code or commands. Apply appropriate encoding mechanisms (e.g., HTML encoding) to prevent cross-site scripting (XSS) attacks.
4. Security Testing and Code Reviews: Regularly conduct security testing, including vulnerability scanning and penetration testing, to identify and address injection vulnerabilities. Perform code reviews to identify insecure coding practices and ensure secure coding standards are followed.
5. Use Security Frameworks and Libraries: Utilize security frameworks and libraries that provide built-in protection against common injection vulnerabilities.
6. Security Awareness Training: Educate developers and users about the risks and best practices for preventing injection attacks. Encourage a security-conscious culture that emphasizes the importance of secure coding practices and vigilant user behaviour.

• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
• Encode data on output: to prevent the code from being interpreted as active content:
  • HTML markup will be substituted with entities.
  •  The browser displays the entities but doesn't run them
• Web Firewall Applications: Use Web Firewall Applications to employ different methods to counter-attack vectors. In the case of XSS, most will rely on signature-based filtering to identify and block malicious requests.

Preventing Injection Attacks:

CSRF (Cross-Site Request Forgery) is a type of security vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user. It occurs when an attacker tricks a victim into unknowingly executing malicious actions on a trusted website or application where the victim is authenticated. Very commonly exploited a vulnerability that allows an attacker to force a user to unknowingly perform actions, therefore, allowing changes to be performed by the name of the users without their knowledge or approval.

As a result, CSRF commonly targets cloud storage, social media, banking and online shopping web page applications in order to harvest social media images and create embarking social media posts, right through to taking money from online accounts. Because of this, CSRF is ranked #8 on OWASP's top 10 charts.

Watch the following video on CSRF.

Example CSRF Attack:

In the previous video, we saw an example of a CSRF Attack. In this example we saw a user visit a page that contains a CSRF attack while also logged into their bank account. Upon visiting the page, a request is performed to transfer money from one account to another.

User TAB 1: Bank Account

User TAB 2: Page that contains CSRF

The result is $6,000 withdrawn from the user’s account.

So how did this attack occur?

The banking application allows for a request to originate from servers other than itself because there is no unique token that is tied to the user session.

The general rule therefore should be that if this token is absent or incorrect, it will stop the transaction from being performed.

How to detect and prevent CSRF attacks:

Detect by using:

• by using an automated web vulnerability scanner.
  • For example Acunetix, App Scan

Prevent by using:

• ANTI-CSRF tokens
• Web Application Firewall (this help prevent CSRF attacks)

Both brute force and dictionary attacks are methods employed by attackers to gain unauthorized access to systems or encrypted data. They both rely on systematically trying various combinations or pre-compiled lists of passwords or encryption keys to find the correct one.

Brute Force Attacks

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. These types of attacks can take a significant amount of time to complete.

A five-digit lock with individual values from zero to nine has exactly 100,000 possible permutations.

Birthday Attacks

A Birthday Attack is a type of cryptographic attack that belongs to a class of brute force attacks. It exploits the mathematics behind the birthday problem in probability theory.

What is the Birthday Paradox?

The birthday paradox, also known as the birthday problem, is a counterintuitive phenomenon in probability theory. It states that in a group of relatively few people, the probability of two people sharing the same birthday is surprisingly high.

Contrary to what one might expect, the birthday paradox arises from the combinatorial nature of the problem rather than the total number of possible birthdays (365 in a non-leap year).

For example, with just 23 people in a group, the probability of at least two people sharing a birthday exceeds 50%. With 50 people, the probability increases to approximately 97%.

The birthday paradox is often used to illustrate the concepts of probability, combinatorics, and the non-intuitive nature of probability theory. It demonstrates how seemingly improbable events can occur more frequently than expected when dealing with large numbers and random combinations.

How do Birthday Attacks Work?

Birthday attacks exploit or take advantage of collision to a hash function (2 different messages hash out to the same value). It forces this collision in order to change the original message. The success of this attack largely depends upon the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations, as described in the birthday paradox problem.

Example of a Birthday Attack

Bob and Sue are going to get married, as a precaution they both agree to write up a document that in case of a divorce outlines ownership of their respective property. This document states that whatever assets/property Bob owned prior to the marriage he retains in the event of a divorce, and inversely whatever assets/property Sue owned prior to the marriage she retains. Once completed, they take this document and put it into a hashing algorithm to create a message digest value.

In secret, Sue then makes a copy of the original document, and she changes the wording to state in the event of divorce any assets or property that belonged to her prior to marriage, she will retain in the event of a divorce and she will also receive all assets/property previously owned by Bob. Sue creates a hash of the altered document to make a message digest. Initially, the message digest is different. But using the Birthday Attack theory, Sue consistently tweaks the document, slightly changing words and punctuation until she can actually create a message digest value that matches the original.

Unsurprisingly, Bob and Sue get divorced. During the divorce proceedings Sue tells Bob she is to receive everything in the settlement, Bob unknowingly refers to the hashed document and states that they had a formal agreement and refers the lawyers and Sue to the encrypted document. to give her everything he has. Upon reviewing each others version of the document using the hashing algorithm and they both have the same message digest, however, once decrypted, Sue’s document clearly states that she is entitled to everything.

How to Prevent Birthday Attacks

To avoid this attack, a very strong combination and a long sequence of bit length can be chosen so that the birthday attack becomes computationally infeasible, i.e. about twice as many bits as are needed to prevent an ordinary brute-force attack

Dictionary Attacks

A Dictionary Attack is the method of breaking into a password-protected computer, network or other IT resources by systematically entering every word in a dictionary as a password. Attackers incorporate words related to sports teams, monuments, cities, addresses and other regionally specific items when building their attack library dictionaries:

An example of this is the massive SolarWinds data breach which was executed using a dictionary attack. SolarWinds is an IT management company that monitors, analyzes, diagnose and optimizes database performance and data ops. SolarWinds serviced a large number of clients, most notably the US Department of Justice. From 2019 to 2020, Russian-backed hackers were able to log in to SolarWinds' update server by correctly guessing the administrator password, "solarwinds123," and then planting a backdoor that was activated when SolarWinds customers updated their software. This became one of the biggest breaches of the last decade.

Unlike other forms of attack that target security vulnerabilities, Social Engineering targets Human vulnerability. Social engineering (aka Human Hacking) is the art of manipulating and exploiting human psychology to deceive individuals into revealing sensitive or confidential information, performing certain actions, or granting unauthorized access. It is a technique commonly used by attackers to bypass technical security measures by exploiting the trust and vulnerability of individuals which usually occurs through digital communication.

The goal of social engineering is to exploit human behaviour and emotions, such as curiosity, fear, trust, or urgency, to manipulate individuals into revealing valuable information or performing actions that benefit the attacker.

Signs of Social Engineering Attempts

• Sense of Urgency: Social engineering attacks often create a sense of urgency to pressure individuals into acting quickly without careful consideration. These are generally urgent requests for immediate action, such as resetting passwords or providing sensitive information.
• Unsolicited Communication: Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. You might believe they’re who they say they are and provide them access to your device or accounts. These are generally unsolicited emails, phone calls, or messages, especially if they request sensitive information, ask for money, or offer unexpected rewards. Legitimate organizations usually do not reach out unexpectedly to ask for such information.
• Emotional Manipulation: Social engineering attackers often try to evoke strong emotions, such as fear, curiosity, or excitement, to cloud judgment and prompt immediate action. Be mindful of these emotional triggers and take a step back to evaluate the situation objectively.
• Prizes, Gifts and Opportunities for Money: Social Engineers like to play on greed and desperation and offer lure in victims by starting with offering the intended victim good news like winning a cruise, a lottery that didn’t enter or an opportunity to make large sums of money.
• Strange Requests from ‘Friends’: Having taken over the identity of someone, Social Engineers will often use this to gather further information or money from their contacts.

Examples of Social Engineering

• Physical Breaches - physically posing as a legitimate source to steal confidential data or information from you.
• Baiting - a social engineer might leave a USB stick, loaded with malware, in a public place where targets will see it such as in a cafe or bathroom.
• Phishing - Tricking a user into providing info or downloading malware usually by using an email that appears from a trusted or reputable source.
• Scareware - pop-ups or emails indicating you need to “act now” to get rid of viruses or malware on your device.  In fact, if you act you might be downloading a computer virus or malware.

Phishing attacks are fraudulent attempts to deceive individuals into revealing sensitive information, such as passwords, credit card details, or personal data, by impersonating a trusted entity. Attackers often use various tactics to trick victims into clicking on malicious links, downloading malware-infected files, or providing their confidential information.

Phishing Attacks have three categories.

General Phishing Attack

General phishing attacks are broad-based and typically target a large number of individuals indiscriminately. Attackers send out mass emails or messages that appear to be from well-known companies, financial institutions, or service providers, aiming to trick recipients into revealing their personal information or performing certain actions. These attacks are often generic and not personalized to specific targets.

Spear Phishing

Spear phishing attacks are more targeted and personalized compared to general phishing attacks. Attackers conduct thorough research on their intended victims to gather information such as their names, job titles, affiliations, or recent activities. They then craft tailored and convincing messages that appear to be from a trusted source known to the target, such as a colleague, supervisor, or business partner. The goal is to increase the likelihood of the victim falling for the scam by leveraging familiarity and trust.

Whaling Attacks

Whaling attacks, also known as CEO fraud or executive phishing, are a specialized form of spear phishing that specifically targets high-level executives or individuals in senior positions within an organization. Attackers carefully select their targets and conduct extensive research to gather detailed information about the individual's role, responsibilities, and communication patterns. The aim is to deceive the executive into taking actions that could lead to significant financial loss or compromise the organization's sensitive data.

While general phishing attacks cast a wide net, spear phishing and whaling attacks are more sophisticated and personalized. They rely on social engineering techniques to manipulate individuals into believing that the communication is legitimate and trustworthy. By tailoring the attack to specific targets, attackers increase their chances of success.

Example of an Email Phishing Attack

An email is sent to a target with a password expiry notice.

This Phishing Attack has a call to action which asks the victim to click a URL to a spoofed website or malicious link that contains malware.

While this URL may look legitimate at first glance there is a subtle difference between the actual URL and the spoofed website.

The spoofed website will either gather personal details from the victim or insert malware.

Malware, short for malicious software, refers to any software or code designed to harm, exploit, or gain unauthorized access to computer systems, networks, or devices. Malware is created with malicious intent and can cause a wide range of detrimental effects, including data theft, system damage, financial loss, and privacy breaches. Generally, Malware is designed to transmit information about your web browsing habits to a third party.

There are various types of malware, each with its own characteristics and purposes.

• Viruses: Viruses are self-replicating programs that infect other files or programs by attaching themselves to them. They can spread rapidly and can cause damage to files, software, and even the entire system.
• Worms: Worms are standalone programs that can replicate and spread across networks without needing to attach themselves to other files. They can consume network resources, slow down systems, and exploit vulnerabilities to gain unauthorized access.
• Trojans: Trojans are deceptive programs that masquerade as legitimate software or files. Once installed, they can perform various malicious activities, such as stealing sensitive information, opening backdoors for attackers, or initiating unauthorized actions on the compromised system.
• Ransomware: Ransomware encrypts files or locks the entire system, rendering it inaccessible to the user until a ransom is paid. It is a lucrative form of malware that extorts money from victims by exploiting their need for access to their data or systems.
• Spyware: Spyware is designed to gather information about a user's activities without their consent. It can monitor keystrokes, capture screenshots, track browsing habits, and steal sensitive data, including login credentials and financial information.
• Adware: Adware is software that displays unwanted advertisements on a user's computer or device. While not necessarily malicious, it can disrupt user experience, slow down systems, and collect user data for targeted advertising purposes.
• Rootkit: Rootkits operate at a deep level within an operating system, typically at the kernel or device driver level, which gives them high privileges and allows them to hide their presence and activities from regular system processes and users. Once a rootkit gains control, it can modify system files, manipulate system behaviour, and even tamper with security mechanisms.

Virus

A Virus is a software that replicates itself and spreads by damaging and deleting files. A computer virus attaches itself to a program or file, enabling it to spread from one computer to another, leaving infections as it travels. Generally, a Virus will enter a device by being attached to images, audio, video or download files.

A Virus can range in its severity. Some have mild effects while others can cause huge damage to hardware, software or files.

Almost all viruses are attached to executable files, although viruses may exist on your computer but don’t infect your computer unless you run a malicious program. A virus cannot spread without human action (running an infected program).

Worms

Worms can be considered a subclass of a Virus. Like a Virus, Worms are malicious programs that make copies of themselves on local devices and through network shares. Worms make the device work slower and spread from device to device. Unlike a Virus, however, a Worm has the capability to travel from one computer to another, without any human action.

Spread of Worms

Once you have been infected with a worm, without knowing it the worm sends a copy of itself to everyone listed in your email address book.

Then the worm replicates to send itself to everyone listed in each of the receiver’s address books, and the manifest continues.

Due to the capability of replicating itself and the ability to travel across the network, it consumes too much system memory (network bandwidth), causing web servers, network servers, and individual computers to stop responding.

Trojan Horse

A Trojan horse, often referred to simply as a "Trojan," is a type of malicious software that disguises itself as a legitimate program or file to deceive users and gain unauthorized access to their computer systems. The name "Trojan horse" is derived from Greek mythology, where the Greeks used a large wooden horse to infiltrate and attack the city of Troy.

Similar to its namesake, a Trojan horse appears harmless or useful on the surface, tricking users into executing or installing it. Once inside the system, the Trojan horse performs malicious actions without the user's knowledge or consent. Unlike viruses or worms, Trojans do not replicate themselves but instead rely on social engineering tactics to spread and carry out their malicious activities.

Trojan horses can take various forms, such as executable files, documents, email attachments or even fake software updates. Like Viruses, Trojans can range in severity, from simply being annoying like changing desktops or adding silly active desktop icons to causing series damage by deleting files and destroying information.

Trojans are known to create a backdoor on your computer that gives malicious users access to your system allowing confidential data to be compromised. Unlike Viruses, Trojans don’t reproduce by reinfecting files and don’t self-replicate.

Spyware

Spyware refers to malicious software that is designed to secretly collect information about a user's activities without their knowledge or consent. It is typically installed on a computer or device without the user's awareness and operates covertly in the background.

Spyware can gather a wide range of sensitive information, including browsing habits, keystrokes, login credentials, personal documents, emails, and more. The collected data is then transmitted to remote servers or used for various malicious purposes, such as identity theft, unauthorized access to financial accounts, targeted advertising, or selling the information to third parties.

Spyware often infiltrates systems through deceptive methods, such as bundling with legitimate software downloads, clicking on malicious links or ads, or exploiting security vulnerabilities. It can also be distributed through email attachments, infected websites, or infected removable storage devices.

Step by step, spyware will take the following actions on your computer or device:

1. Infiltrate – via an app install package, malicious website or file attachment
2. Monitor and capture data – via keystrokes, screen captures, and other tracking codes
3. Send stolen data – to the spyware author to be used directly or sold to other parties

Hackers can get spyware to your device in many ways, but these 4 are the most common:

1. It can penetrate your device in the form of a trojan (a type of malware that is disguised as legitimate software). Hackers use trojan in a sneaky process called social engineering.
   
2. Hackers can exploit user interactions with advertisements, adult material content, and various 3rd party program download to gain access to devices.
   
3. Hackers can compromise tracking cookies (a common practice that many legitimate websites employ).
   
4. Spyware can get onto your device through system monitors that are designed to monitor computer activity and performance.
   

Infected with Spyware

Once spyware gets on your device, it can cause nasty problems:

1. It can communicate your personal/confidential information (email activity, passwords, social media account, credit card info, and purchase history) to the attacker=> Your online identity is at high risk of being stolen and imitated.
2. Spyware can potentially corrupt and compromise your device. It can soak up your device’s resources making it run slowly, tag between applications, crash and overheat
3. It can manipulate search results and serve you potentially harmful and fraudulent websites, which may trick you to click on more harmful and dangerous viruses.

Adware

Adware is a type of malicious software that displays unwanted advertisements on a user's computer or device. It is often bundled with free software or downloaded unknowingly by users when they visit certain websites or click on malicious links. The primary purpose of adware is to generate revenue for its creators through advertising.

Adware typically works by injecting or displaying advertisements in various forms, such as pop-ups, banners, or in-text ads, while the user is browsing the internet. These ads can be intrusive, and disruptive, and may lead to a poor user experience. Adware may also redirect the user's web searches to sponsored websites or modify browser settings to display targeted advertisements.

Impacts of Adware

• Adware redirects your search requests to advertisement websites and collects data about you. This info is used to deliver custom advertisements to you.
• Adware is usually bundled with other files, and programs that you have downloaded and is not necessarily harmful however it has the potential to be.
• Pop-ups, toolbars installed in your browser, and changes made to your default search engines are common occurrences of adware.
• They can massively slow down your computer’s performance system.
• They can be malicious by hijacking your browser and redirecting you to potentially unsafe sites.
• Some adware contains trojan viruses and spyware specifically designed for stealthy installation.

Unfortunately, adware doesn’t always have to uninstall option meaning these types of programs can be difficult to remove. Some antivirus programs may not be able to determine if a specific adware is a threat or not.

Ransomware

Ransomware is a type of malware that blocks users from accessing their operating system or files until a ransom is paid. It does so by locking the system’s screen or encrypting the users’ files using advanced encryption algorithms.

There is generally a time restriction for completing the payment usually in Bitcoin, or else the files may be lost permanently or made public by attackers. Unfortunately, even if the victim pays the ransom, there is no assurance that the decryption key will be delivered.

What to do in cases of Ransomware Attacks

1. All businesses should have an incident response plan in place, and know it by heart meaning that it will reduce the time of response which is critical in these cases.
2. Isolate affected end-points (disconnect them) from the network to stop the spread.
3. Track down the attack: which computer was infected? Did the user click any suspicious emails? Or was there any unusual behaviour on their computer?
4. Identify the ransomware strain that affected your network.
5. Report the attack to authorities as soon as possible
6. If the computer is infected by ransomware, run it on safe mode and install an anti-malware solution in order to remove the ransomware, and use a decryption tool.
7. Patch your security system after the issue has been resolved
8. Perform a total security audit
9. Recover your data, restore data from backup
10. Go to www. nomoreransom.org, and look over the list of ransom names. You might be able to decrypt it.

Rootkit

A rootkit is a type of malware designed to give hackers access to and control over a target device. Although most rootkits affect the software and the operating system, some can also infect your computer’s hardware and firmware.

Rootkits are proficient at concealing their presence, but while they remain hidden, they are active. Rootkits can hide keyloggers, which capture your keystrokes without your consent.

Once they gain unauthorized access to computers, rootkits enable cybercriminals to:

• steal personal data and financial information
• install malware
• send out spam email
• participate in DDoS (distributed denial of service) attacks
• They can even disable or remove security software.

The name “rootkit” derives from Unix and Linux operating systems, where the most privileged account admin is called the "root". Once a bad actor has root-level (administrator-level, privileged) access, nothing on your computer is secure. Everything is fair game.

How to find Rootkits

It is almost impossible to find a rootkit installed on your PC, even if you know there is one on your computer. You need help from a next-gen antivirus solution.

Although Rootkit detection is a challenge, as a responsible computer user, you can keep an eye out for strange behaviour on your computer:

Bluejacking is a term used to describe the unauthorized sending of unsolicited messages or data to Bluetooth-enabled devices, such as mobile phones, tablets, or laptops. It is a form of wireless spamming or nuisance messaging that takes advantage of Bluetooth technology's short-range communication capabilities.

Bluejacking exploits a Bluetooth device's ability to receive and accept incoming data or messages from other nearby Bluetooth-enabled devices. The attacker typically sends a text message, contact card, or other types of data to the victim's device without their consent or knowledge. The messages are often harmless and aim to surprise or annoy the recipient rather than causing any real harm. It's important to note that bluejacking is generally considered a harmless prank rather than a malicious attack. The attacker does not gain control over the victim's device or access to their personal information. The main purpose is to disrupt or annoy the recipient by sending unsolicited messages.

An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often targeting a specific entity. It is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time.

Characteristics of an APT

• Targets organizations and/or nations for business or political motives.
• Requires a high degree of covertness over a long period of time “low and slow” communications technique often coupled with the use of common communication protocols.
• Created by well-funded, highly sophisticated criminals or nation-states.
•  Advanced, multi-vector attack techniques using malware are used to exploit vulnerabilities and expand the attack.
• External command and control system continuously monitors and extracts data; self-modification and or active patching is utilized to update malware and help evade detection.

AAPT Target Attack

1. Reconnaissance: attacker quietly gathers information about the victim
2. Weaponization: attacker prepares an attack payload to deliver to the victim
3. Delivery: the attacker sends a payload to the victim
4. Exploitation: attackers payload deployed in the victim’s network
5. Installation: attacker establishes a foothold in the victim’s network
6. Command and control: attackers have hands on the keyboard remote access to the victim’s network
7. Actions on objectives: attacker acts to accomplish data exfiltration