1.2 Given a scenario, analyze potential indicators to determine the type of attack.

  • Malware
    • Ransomware
    • Trojans
    • Worms
    • Potentially Unwanted Programs (PUPs)
    • Fileless Virus
    • Command and Control
    • Bots
    • Cryptomalware
    • Logic Bombs
    • Spyware
    • Keyloggers
    • Remote Access Trojan (RAT)
    • Rootkit
    • Backdoor
  • Password Attacks
    • Spraying
    • Dictionary
    • Brute Force
      • Offline
      • Online
    • Rainbow Table
    • Plaintext/Unencrypted
  • Physical Attacks
    • Malicious Universal Serial Bus (USB) Cable
    • Malicious Flash Drive
    • Card Cloning
    • Skimming
  • Adversarial Artificial Intelligence (AI)
    • Tainted Training Data for Machine Learning (ML)
    • Security of Machine Learning Algorithms
  • Supply-Chain Attacks
  • Cloud-Based vs. On-Premises Attacks
  • Cryptographic Attacks
    • Birthday
    • Collision
    • Downgrade

What is malware?  Malware is a type of application that has an illegitimate intent.  There are many types of malware and they can overlap significantly.

Let’s be clear.  When people think of malware, they think of Windows computer viruses.  But in reality, there are many forms of malware that can infect Apple computers, Apple iPhones, and Android smartphones.  And there are many forms of malware that infect surveillance cameras, routers, medical devices, and industrial control equipment.  If a device contains some kind of “computer” – a component that calculates something or makes decisions – then there is ALWAYS a possibility that it could become infected.  And if there is a possibility, then somebody out there will find a way.

I don’t want to sound pessimistic, but

  • Practically every computer has a security flaw or backdoor

  • There are many individuals and organizations who do nothing but look for ways to attack computers, either for fun or for profit

Once a system (computer) is infected it should be

  • Disconnected from any network (ethernet, Wi-Fi, etc.)

  • Reimaged (reload the operating system, applications, and data from a clean backup).  Some infections affect the system firmware and can only be cleaned with a hardware replacement.


A virus is an unauthorized program that causes undesired activity.  A virus is not a standalone program, but instead it latches on to another legitimate program.  When the legitimate program runs, so does the virus.

Viruses typically infect executable programs such as programs with extensions of .exe.  Viruses can also infect documents, such as Microsoft Word documents or Microsoft Excel spreadsheets.  These are known as macro viruses.  Current versions of Microsoft Office disable macros by default (a user can open a Microsoft Office document file without allowing the macro to execute).

Viruses can enter automatically through backdoors.  A user could inadvertently introduce a virus by clicking on attachments or downloading files from the internet.

The damage that a virus does is called the payload.  Viruses can cause a wide range of effects from being simply a nuisance to deleting files.  Viruses that infect industrial control systems can cause millions of dollars in damage.  Viruses that infect medical equipment can put lives at risk.

A virus can be detected and prevented using an antivirus program.  An antivirus program has two methods of detecting viruses

  • Definitions:  A definition is a specific “fingerprint” of the virus.  An antivirus program may contain hundreds of thousands of virus definitions.  It scans each new file introduced into the computer against the definitions.  If the attributes of a file match a definition, then the antivirus program knows that it has located a virus (and knows which virus it has located).

    To develop the antivirus definitions, the antivirus software manufacturer must first obtain copies of the virus and create the definition.  That means that some computers have already been infected with the virus by the time the definition has been created.  Thus, definitions do not provide complete protection against viruses.

    A polymorphic virus is one that attempts to change its code.  Each time the virus runs, the code changes slightly, but the damage that it causes remains the same.  A polymorphic virus attempts to hide from antivirus definitions.

  • Heuristics.  A heuristic is a type of artificial intelligence.  It allows the antivirus program to determine whether a specific program is legitimate or not, based on its behavior.  For example, a program that attempts to modify critical system files is likely not legitimate.

    The latest generation antivirus programs share data with the cloud.  For example, Norton Antivirus automatically collects data regarding suspicious applications from users.  This data is sent to a response center for further analysis.  Norton Antivirus then updates all user programs with the results.  By sharing data with the cloud, antivirus programs are able to detect viruses faster.

The most famous computer viruses have been

  • ILOVEYOU.  Released in 2000, ILOVEYOU was transmitted via e-mail with a subject line of “I love you”.  It overwrote system files and personal files, before spreading through e-mail.  It caused $15 billion in damage.

  • MyDoom.  Similar to ILOVEYOU, MyDoom spread via e-mail in 2004.  It is estimated that 25% of all e-mails sent in 2004 were infected with MyDoom.  It caused $38 billion in damage.

  • Stuxnet.  Stuxnet is a special kind of virus because it infected the firmware of a USB drive.  The firmware of a USB drive is not typically accessible to the computer or to an antivirus program – it’s considered “read only” memory and allows the USB drive to read/write data from/to the computer.

    The Stuxnet virus contained a second virus inside of it.  When the USB drive was inserted into a PLC (an industrial control system), the second virus infected the PLC.  Stuxnet only infected Siemens S7 PLCs.

    Stuxnet was used to infect industrial control systems that were “air gapped” (not connected to the internet or to any network).

    Stuxnet was unusual because

    • It took advantage of multiple zero-day exploits (security holes that are unknown to the software manufacturers).  A zero-day exploit is considered valuable to a virus manufacturer/hacker, and to use several in the same virus is highly unusual.  Zero-day exploits are quickly patched by manufacturers once discovered and can’t be reused.  A zero-day exploit could be worth up to a million dollars.  To use several million dollars worth of zero-day exploits in a virus that brings the creator no financial reward is highly unusual.

    • It limited its infection to only specific types of computers and PLCs.  Most virus manufacturers do not want to limit the damage that they cause.

    • It is estimated that Stuxnet took between three man-years and fifteen man-years to prepare.  Development of Stuxnet required advanced knowledge of the Windows operating system, USB firmware, and Siemens PLCs.

Zero Day

A Zero Day attack is one that uses a Zero Day exploit.  A Zero Day exploit is a vulnerability in a software program or system that has just been discovered; therefore, there is no patch.  Day Zero is the day that the exploit is first discovered by the public.

A hacker might discover a zero-day vulnerability and use it to exploit systems for days, weeks, or even years before it is detected.  Hackers sell zero-day exploits to other hackers and to government agencies.  Some intelligence agencies purchase and store zero-day exploits until they need to use one to attack a high-value target.  Once the public discovers the zero-day exploit, the software manufacturers and antivirus companies will work to patch it, usually in a matter of days.

The Zero Day vulnerability is not a form of malware.  It is simply a backdoor that a hacker can use to insert some form of malware, which could include a Man-in-the-Browser or DDoS.


Ransomware is an extension of crypto-malware, in that it instructs the user to pay a ransom in exchange for unlocking the files.

Typically, the user is instructed to visit a TOR website, where they are provided further instructions.  TOR websites are generally able to hide their location, although law enforcement agencies have developed methods to identify them.  The user is instructed to pay the ransom with cryptocurrency (untraceable currency) such as bitcoin. 

In most cases, the hackers provide the victim with the tool to decrypt their files upon receipt of payment.  In some cases, the hackers do not.

The ransom amounts have ranged from the equivalent of $500 to $20,000 depending on the person or organization that was affected.  Many organizations pay the ransom and don’t publicly admit that they have been hacked.

How to prevent ransomware

  • Proper user education to teach users how to identify potential ransomware delivered via e-mail, and to not open unusual attachments.

  • Block e-mail attachments that contain macro-enabled Microsoft Word and Excel documents.

  • Regularly install Windows operating system security updates
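
One way a mail gateway could apply the macro-enabled attachment rule above is to inspect the file content rather than trust the file extension. This is an added example, not code from the original page; the verdict names and the sample files are constructed for the illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

MACRO_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
              "wordprocessingml.document.main+xml")


def classify_attachment(data: bytes) -> str:
    """Return 'block', 'inspect' or 'pass' based on content, not file name."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office files can carry macros under any extension;
        # deciding needs an OLE stream parser, so send them for inspection.
        return "inspect"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "pass"  # not an Office container at all
    try:
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
            # Macro-enabled OOXML files store their VBA in vbaProject.bin.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "block"
            # The content-type manifest also declares a macroEnabled type.
            for n in names:
                if n.lower() == "[content_types].xml":
                    if b"macroenabled" in zf.read(n).lower():
                        return "block"
    except zipfile.BadZipFile:
        return "inspect"  # damaged archive: do not deliver unexamined
    return "pass"


def make_sample(macro: bool, declare_macro_type: bool = False) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP (not a real document)."""
    main_type = MACRO_TYPE if (macro or declare_macro_type) else PLAIN_TYPE
    manifest = ('<Types><Override PartName="/word/document.xml" '
                'ContentType="{}"/></Types>').format(main_type)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<document/>")
        if macro:
            # Placeholder bytes only; no real VBA project is embedded.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return out.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docx (macro file renamed to .docx)": make_sample(macro=True),
        "report.docx (no macros)": make_sample(macro=False),
        "old.doc (legacy format)": OLE2_MAGIC + b"\x00" * 504,
        "notes.txt": b"plain text body",
    }
    for name, data in samples.items():
        print(f"{name}: {classify_attachment(data)}")
```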

How to defeat ransomware once infected

  • Attempt to restore data from backup or from the Volume Shadow Copy.  This only works if the organization has backed up their data, and only the data that was backed up can be restored.  This is not effective against newer versions of ransomware, which delete the Volume Shadow Copy. 

  • Attempt to decrypt the ransomware.  Police forces in the EU have been able to provide victims with assistance in decrypting some forms of ransomware.  Some versions of ransomware use weak encryption that can be broken through brute force or other techniques.

  • Pay the ransom.  In earlier cases, it was almost certain that the hackers would automatically (or manually) provide the decryption key upon payment of the ransom.  In more recent cases, this is not guaranteed because there are many copycat ransomware viruses created by people with very little knowledge or infrastructure.  Ransomware developers have franchised their operation to “script kiddies” who are simply distributing the ransomware and collecting payments.  There are also versions of ransomware that have been put out by nation-states to cause political disruption; this type of malware only destroys data but is disguised as ransomware.

Notable infections

  • In 2019, Jackson County, Georgia paid $400,000 to remove ransomware from their computers.

  • University of Calgary paid $20,000 to decrypt computers infected by ransomware in 2017.  The FBI later charged two people in Iran with spreading the virus, which infected computers at health care providers and other organizations.

Notable ransomware

  • CryptoLocker was transmitted over e-mail as a ZIP file.  Inside the e-mail was an executable disguised as a PDF.  The decryption key was sent to a remote server.  A victim could pay a ransom and receive a decryption key automatically.  The creators of CryptoLocker made an estimated $27 million.  In 2014, security firm FireEye was able to obtain the database of decryption keys, allowing victims to decrypt their files for free.

  • WannaCry took advantage of a zero-day exploit in the Windows Server Message Block.  WannaCry infected computers that had not patched the Windows Server Message Block vulnerability.  The average ransom amount was $600.  Over 200,000 computers were infected, with losses estimated at over $4 billion.

  • Unlike other forms of ransomware, Petya encrypted the master boot record of a Windows computer.  This caused the entire computer hard drive to be encrypted.  Another version, known as NotPetya, was targeted towards Ukrainian government entities and critical infrastructure.  NotPetya quickly spread to other computers worldwide and could not be decrypted.  It is believed that NotPetya was created by the Russian government.


A trojan is a legitimate program that hides an illegitimate program.  A user must install the trojan and/or give it permission before it can take effect.  Trojan is named after the Trojan horse.

Trojans can hide in many programs including toolbars, screensavers, games, and other applications.

Examples of Trojans

  • FinFisher (FinSpy), which is developed by Lench IT Solutions plc.  This trojan is used to infect Windows computers and all brands of phones.  It travels through e-mail, links, and security flaws in popular programs.  Many antivirus programs are unable to detect it.

    FinFisher is sold to law enforcement agencies and dictatorships, some of which are accused of numerous human rights violations.


The difference between a worm and a virus is that the worm replicates by itself, whereas the virus must attach itself to a legitimate file.  The virus only runs when the legitimate file runs.

Worms can generally spread over a network from computer to computer, by themselves.  They take advantage of security holes.

Examples of worms

  • SQL Slammer took advantage of a buffer overflow bug in Microsoft SQL Server.  The worm would randomly generate IP addresses and then send itself to those IP addresses.  If the IP addresses belonged to computers that were running an unpatched version of SQL Server, then the worm would be successful in infecting them.  The worm caused many internet routers to crash and reboot.  Each time the routers rebooted, they would resend routing updates to each other, which would cause internet traffic congestion.  SQL Slammer was exceptional in that it fit inside a single data packet.


Adware is software that shows advertisements.  The advertisements may appear as pop-ups, videos, or audio.  Adware may be included in legitimate software programs such as games, music applications, or other applications.  Typically, adware is bundled with low-quality applications.  The advertisements are also of low quality as most legitimate advertisers do not want to be associated with this type of exploitation.

Adware can also be installed without the user’s consent when introduced as part of a computer virus or trojan.

Adware can hijack legitimate website advertisements.  When a user visits a legitimate website, the adware swaps advertisements placed by the website owner with advertisements sold by the adware publisher.  Thus, the revenue from the advertisements is diverted to the adware publisher without the knowledge of the user or website owner.

It may be difficult or impossible to remove adware.  Adware may spy on a user’s activity or browsing history.  The adware publisher may sell this data to market research firms or use it to show the user more relevant advertising.

It is illegal to install or distribute adware without the consent of the user.  In addition, the user must have an opportunity to remove the adware.  There is no specific anti-adware law, but Section 5 of the Federal Trade Commission Act prohibits “unfair or deceptive acts”.  The Federal Trade Commission (FTC) is empowered to commence civil actions against publishers who distribute adware.

Potentially Unwanted Programs (PUPs)

McAfee invented the term Potentially Unwanted Programs to describe some lousy software that people download: software that contains a legitimate but poor-quality program bundled with adware or something that spies on you and sells the data.  A user downloads the PUP without realizing how annoying it is, but nevertheless consented to it.

McAfee invented the term PUP because they thought that if they called the program adware or spyware, they might get sued.

Fileless Virus

A Fileless Virus is one that does not contain a file.  In other words, the virus remains in the memory of the computer but does not get stored in the hard disk drive.  It is difficult to identify or remove a fileless virus because no evidence of it remains after the computer is powered down.

A fileless virus may take advantage of security vulnerabilities in existing systems.  For example, it may invoke a configuration change in a legitimate program that causes it to operate maliciously.  It could include a PowerShell script or a scheduled Windows task that causes damage to the computer or that uploads confidential data to a remote server.


A bot is a computer that is under the control of another program or user.  A bot is not a form of malware, but malware can be used to take control of a computer.

A group of bots is known as a botnet.  A malicious botnet operator will distribute viruses that infect computers and take control of them.  Each of these computers becomes a bot, and together they are a botnet.  The botnet can remain dormant when not in use.  The operator will then license or sell the capacity of the botnet to other criminals for use in attacks.

If an attacker gains access to a device on your network, he can convert it into a server that can infect additional computers in your organization.  These computers are controlled remotely, and this technique is known as Command & Control, or C2.

Bots are typically used for Distributed Denial of Service Attacks, and bitcoin mining.

Recently, hackers have been infecting IP cameras and routers and adding them to their botnets.

Examples of bots

  • Mirai.  Most web-accessible routers and IP cameras come preconfigured with default usernames and passwords.  Most home users of routers and IP cameras neglect to change the default usernames/passwords (in some cases, it is impossible to change the default username/password).

    Mirai scanned IP addresses at random and located web-accessible routers and IP cameras.  It then attempted to log in using default usernames/passwords.  Once successful, it infected the devices.  Once infected, the devices are added to the botnet and used to launch attacks.


Crypto-malware and ransomware are closely related.  Crypto-malware is a type of virus or malicious program that encrypts data on a computer.

The malware can be introduced through e-mail or downloaded files.  The malware usually encrypts user documents, videos, photos, and music.  It does not usually encrypt system files.

The distribution of crypto-malware is usually automated, although people or organizations can be specifically targeted.  It should be noted that after the crypto-malware has infected the computer, then the author is able to view the contents of the computer.  At that point, he can make an assessment as to how high of a ransom to charge.  For example, if an ordinary person was targeted, the ransom might be low, but if a hospital was targeted, then the ransom might be high.

After infection, the computer operates as normal, but the user is provided with a message that their files have been encrypted.  The malware usually instructs the user to pay a ransom to unlock the files.  The ransom must typically be paid in bitcoin.

There are two types of crypto-malware

  • Crypto-malware that pretend to encrypt the files.  They change the file extension to something random, but do not encrypt the file.  When the extension is changed back to the original, the files revert to normal.  These forms of crypto-malware are extremely rare.

  • Crypto-malware that encrypt the files.  After the files are encrypted, the key is sent to a central server.  The user receives the decryption key after paying the ransom.  Some forms of crypto-malware do not provide the option to decrypt the files, either because they are misconfigured or because the intention is to prevent a user from accessing his files.

Logic Bombs

A logic bomb is a program that is installed by a legitimate user.  The logic bomb appears to be legitimate.  The logic bomb remains dormant until activated by a specific date/time or event.  In Windows, the logic bomb can be programmed to activate in the Event Scheduler.

The logic bomb can steal data, delete data, or cause other harmful actions.  Logic bombs are commonly installed by disgruntled system administrators.  After the system administrator is fired or quits, the logic bomb activates and damages the company’s systems.


Spyware is software that spies on a user’s activity.  Spyware can include keyloggers but can also include components that take screenshots or videos, activate the webcam or microphone, and/or copy files.

The distribution of spyware can be prosecuted under the Computer Fraud & Abuse Act, as further discussed in this book.  It can be further prosecuted under harassment and stalking laws if the behavior amounts to such.


A keylogger records each key that a user presses.  It may also take screenshots, activate the webcam, or activate the microphone without the knowledge or consent of the user.

The keylogger reports all data back to a central source or records the data on the computer for further retrieval.  Data may be sent via

  • Email

  • FTP

  • Wireless/Bluetooth to a nearby receiver

A keylogger may have legitimate purposes if installed by an employer or law enforcement agency.  Some antivirus programs will detect keyloggers created by law enforcement and some will deliberately ignore them.

A keylogger may be used to invade the privacy of another person (stalking) or it may be used for financial gain (the logged data is analysed to obtain online banking passwords, e-mail passwords, etc.).

The keylogger may be introduced into a system through another type of malware such as a virus or trojan.

Whether the keylogger can be detected by an antivirus program depends on where it runs.  Keyloggers that run in the operating system kernel or through a hypervisor may be undetectable.

Keyloggers can also be hardware-based

  • Keyboard keylogger device (USB device that sits between the keyboard cable and the computer).  A keyboard’s circuitry can be covertly modified to include a keylogger.

  • Wireless keyboard sniffer (device that can intercept signals between a wireless keyboard and the dongle; this device functions when the connection is not encrypted or where the encryption method can be easily broken)

How to prevent keyloggers

  • It is difficult, if not impossible, to detect a hardware-based keylogger, especially one that is embedded into the device circuitry.  Keeping computer hardware physically secure is the best defense.  In addition, the use of multi-factor authentication methods can keep accounts secure even when the usernames and passwords are compromised.

  • Most software-based keyloggers are detectable by antivirus programs.  Some software-based keyloggers that take advantage of zero-day exploits or that operate on the firmware, kernel, or hypervisor level cannot be detected.

Remote Access Trojan (RAT)

A RAT (Remote Access Trojan) allows a hacker to gain remote access to a system.  A RAT can be introduced through a virus or trojan.

There are many legitimate remote access programs, including TeamViewer, Bomgar, and LogMeIn.  These programs typically do not hide their existence or operation to the legitimate user, but they can be hijacked by malicious users.


A rootkit provides unauthorized administrative level access to a computer by changing its operating system and attempting to bypass its security functions. 

There are five types of rootkits

  • Firmware.  A firmware rootkit hides inside the device firmware (such as the BIOS, video card controller, router, network card, or hard drive controller).  The device firmware is not typically scanned by (and is out of reach of) antivirus programs.  While manufacturers such as HP have introduced BIOS integrity features that check for changes to the BIOS firmware, rootkits can infect other components such as the graphics card or hard drive.

  • Virtual.  A virtual rootkit is also known as a hypervisor rootkit.  It operates between the processor and the operating system.  It intercepts calls made by the operating system, like a “man-in-the-middle” attack.  The result is that the processor believes that it is talking to the operating system and the operating system believes that it is talking to the processor, but both are talking to the rootkit.  The rootkit sends everything it learns to a central server.

  • Kernel.  A kernel rootkit runs on a computer with the highest privileges (the same privileges as the operating system) by replacing parts of the operating system core and device drivers.  A kernel rootkit can’t be detected by an antivirus program because the rootkit is acting like part of the legitimate operating system.

  • Library.  A library level rootkit replaces legitimate operating system DLLs with fake ones.  A library is a set of code/functions that an application can reference (a software developer will include different DLLs with their application so that they don’t have to rewrite thousands of lines of code).  When an application references code in an infected DLL, the rootkit will also run.

  • Application Level.  An application level rootkit replaces application files with fake versions.  The application may need to run at an elevated level in order to cause damage.

Examples of rootkits

  • LoJack.  LoJack is a legitimate rootkit that comes preinstalled in the BIOS of some laptops.  If the laptop is lost or stolen and later connected to the internet, LoJack will report the location of the laptop to a server.  LoJack is designed to remain on the laptop even if its hard disk drive is erased or replaced.

  • Sony BMG.  In 2005, Sony installed a rootkit known as XCP (Extended Copy Protection) on music CDs that it released.  When users attempted to play the CDs through their computer, the rootkit created security vulnerabilities.  The intention of the rootkit was to prevent people from copying music off the CDs, but the rootkit created security holes and hid in the background.

    Sony was forced to recall all unsold music CDs and faced multiple class-action lawsuits.


A backdoor is a method for accessing a system illegitimately.  A backdoor could be a remote access trojan, remote software, or a hard-coded username/password in an application.  While a backdoor could be a legitimate tool implemented by a software developer, once discovered, system security would be greatly compromised.

The government has advocated implementing backdoors in encryption technologies that only they can access.  This is always a terrible idea because a backdoor can be exploited by an unauthorized third party.  A technology that is advertised as being secure should always be secure from everybody.

Password Attacks

There are different ways for a hacker to guess a user’s password

  • Known Plain Text/Cipher Text.  If the hacker can intercept a portion of the plain text communication and the corresponding portion of the cipher, he can use cryptanalysis to decrypt the algorithm.  The hacker does not require the entire communication, only a portion.  Good encryption algorithms can mitigate this threat because they use large keys.

  • Rainbow Tables.  Recall that it is bad security practice to store passwords in plain text.  Passwords are typically hashed, and the hash is stored (the hash is not reversible). 

    But a hacker could generate a dictionary of passwords (common and uncommon) and calculate the corresponding hash for each one.  This dictionary is known as a rainbow table.  The hacker could then steal a set of hashes and look up the corresponding password for each one.

    Rainbow tables are readily available on the internet for passwords up to eight characters (every possible combination!) and rainbow tables of even longer passwords can be computed.

    To prevent the use of rainbow table attacks, modern password hash functions incorporate a ‘salt’.  The salt is a random set of characters appended to the end of each password before the hash is calculated.  The hash and the salt are stored in plain text.  If the hash database is compromised, the hacker would have to regenerate each rainbow table incorporating the salt into every password to make any sense of it.  This would be practically impossible.

  • Dictionary.  A Dictionary attack uses a list of predetermined passwords and brute force to guess the password.  The dictionary could consist of common words in the English language, especially common passwords such as “password”, “12345678”, and “abcd”.

    A hacker could create a custom dictionary based on the user account that he is trying to hack into.  For example, the dictionary could be customized to include the names of the user’s children, pets, vehicles, etc.

    Many organizations force users to choose complex passwords.  Password complexity could include

    • Not reusing the same password

    • Including upper case letters, lower case letters, numbers, and special characters

    • Ensuring that the password meets a minimum length

    • Not using a person’s name, address, or username in the password

    Yet, it is still possible to create a custom dictionary based on the password complexity requirements.  For example, if the user’s password was ‘donkey’, then a complicated password might be ‘D0nkey!’.  Users tend to substitute @ for a, 0 for o, 1 for l, and so forth in a predictable manner.

    A dictionary attack can be prevented by limiting the number of password attempts a user has before his account is locked out.  Of course, the dictionary attack could occur offline, or the hacker may have a way to bypass the incorrect password attempt count.

  • Brute Force.  A brute force attack is like a dictionary attack, except that the system attempts every password combination possible (based on the character set), starting from the letter a and working its way up until the password is guessed.  For example, the system will guess the password ‘sdfsfgdgsdfsdfd’, and then the next password would be ‘sdfsfgdgsdfsdfe’.

    The length of time for a brute force attack to be successful depends on the computing power available (how many passwords can be attempted every second) and the length of the password (how many passwords need to be attempted).

    An online brute force attack is when the brute force occurs against a live computer.  For example, consider Active Directory, a Microsoft system that stores user accounts on a central server.  When a user attempts to log in to an Active Directory-based computer, the computer validates the login credentials with the server.  On a successful login, the computer caches the correct credentials on the local computer.  If the computer is later offline (or off the local network), the user can still log in (the computer validates the login with the cached credentials).

    • In an online attack, the hacker would brute force the computer’s login while it is connected to the Active Directory server.  This attack would likely be unsuccessful because the server would notice the incorrect logins and disable the account.

    • In an offline attack, the hacker would brute force the computer’s login while it is not connected to the Active Directory server.  This attack may or may not be successful depending on the length and complexity of the password.

    How to prevent

    • Offline attacks can’t be prevented.  Where possible, secure equipment so that it is not stolen.  Stolen equipment is more susceptible to offline attacks.

    • Enforce stronger password requirements (including special characters, numbers, upper/lower case letters).

    • Enforce a timer that delays the entry of passwords.  This can be accomplished at the software or hardware level, by hashing the password multiple times.

    • Offline data can be encrypted with a strong algorithm that takes several seconds to validate the password.  This would be a minor inconvenience to a user entering an incorrect password, but would substantially slow down a brute force attack.

  • Spraying.  Remember that if a hacker tries too many incorrect passwords, the account will be locked out.  In a spraying attack, the hacker tries the same password on many different accounts.  If the hacker tries a common password, he will likely be successful in gaining access to a few accounts.

    How to prevent

    • We should use multi-factor authentication

    • We should monitor logins.  If somebody attempts to log in to multiple accounts from the same IP address or device, that IP address or device should be blocked.
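
The login monitoring described above, as an added example that is not part of the original page: it reads authentication log lines and flags any source IP that fails logins against many different accounts in a short window, which is the pattern spraying leaves behind. The log format, the threshold of four accounts, the ten-minute window and all addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, account, result
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:03 203.0.113.7 bob FAIL
2024-03-01T09:00:05 203.0.113.7 carol FAIL
2024-03-01T09:00:07 203.0.113.7 dave FAIL
2024-03-01T09:00:09 203.0.113.7 erin OK
2024-03-01T09:01:00 198.51.100.4 alice FAIL
2024-03-01T09:01:05 198.51.100.4 alice FAIL
2024-03-01T09:01:10 198.51.100.4 alice FAIL
2024-03-01T09:01:15 198.51.100.4 alice FAIL
2024-03-01T09:02:00 192.0.2.10 frank OK
"""


def parse_log(text):
    """Turn log text into a time-sorted list of (time, ip, account, result)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole scan
        stamp, ip, account, result = parts
        events.append((datetime.fromisoformat(stamp), ip, account, result))
    return sorted(events)


def detect_spraying(events, min_accounts=4, window=timedelta(minutes=10)):
    """Flag IPs that fail against min_accounts or more distinct accounts within window.

    Many failures against ONE account are left to the lockout policy; the
    signal here is one source touching many accounts.
    """
    recent = defaultdict(deque)   # ip -> failed attempts still inside the window
    flagged = defaultdict(set)    # ip -> accounts it was seen targeting
    for stamp, ip, account, result in events:
        if result != "FAIL":
            continue
        attempts = recent[ip]
        attempts.append((stamp, account))
        while stamp - attempts[0][0] > window:
            attempts.popleft()    # drop attempts that aged out of the window
        targeted = {name for _, name in attempts}
        if len(targeted) >= min_accounts:
            flagged[ip] |= targeted
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}


def successes_from(events, flagged_ips):
    """Accounts a flagged IP logged in to successfully: treat as compromised."""
    return sorted({(ip, account) for _, ip, account, result in events
                   if result == "OK" and ip in flagged_ips})


if __name__ == "__main__":
    log_events = parse_log(SAMPLE_LOG)
    suspects = detect_spraying(log_events)
    for ip, accounts in suspects.items():
        print("block", ip, "targeted:", ", ".join(accounts))
    for ip, account in successes_from(log_events, suspects):
        print("reset credentials for", account, "(successful login from", ip + ")")
```

A successful login from a flagged address matters more than the failures, because it means one sprayed password worked.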

Physical Attacks

Before discussing any network component’s logical/digital security, it is important to understand how to configure the device.

Most devices allow configuration through a serial or USB console cable.  A device can also be configured remotely.  The configuration is typically password protected.  Typically, there can be three passwords on a device

  • A basic login (allows the user to view basic data about the device; most administrators don’t activate it)
  • An enable password (allows more advanced settings, including the ability to view the configuration)

  • A Configuration Terminal password (allows configuration changes)

The passwords can be set locally, or the device can be configured to connect to a RADIUS authentication server, which allows users to authenticate through Active Directory or similar protocols.  If the “local” passwords are not enabled and there is no internet connection, a local user will not be able to log in to the device.

On most network devices, a user can reset the password by rebooting the device and holding down a mode or reset button.  Some devices can be set to prevent the reset mechanism from functioning, which could be good or bad

  • If the reset mechanism is enabled, and an intruder gains physical access to the device, he could reset the password and then read the configuration.

  • If the reset mechanism is disabled, and the password is lost, the configuration cannot be updated.

What are some physical attacks?

  • Malicious USB Cable.  Below is a USB cable.  It looks like a normal USB cable.

    • Inside the cable is a small computer that is USB powered, but you’ll never know.

    • If I left this cable on your desk, you might use it to connect your phone to your computer

    • Your phone will prompt you.  It will ask you if you want to “trust this device”.  You think that the phone is asking if you want it to trust your computer, so you say yes.  In reality, the phone sees the computer inside the USB cable and is asking if you want to trust the computer in the cable, but you won’t be able to tell the difference.

    • The computer in the cable steals all the data from your phone.

    • I come back later and take the cable.  Now I have your data.  Some of these cables have Wi-Fi built in, so we don’t even need to come back and steal the cable.  Since you trust the cable, it can steal your Wi-Fi password, connect to your Wi-Fi and upload all your data to a remote server.

    • If your computer trusts the cable, then the cable will also steal all the data from your computer.
  • Malicious Flash Drive.  Below is the USB Rubber Ducky.  It looks like a normal USB drive but is actually a small “keyboard”.  We can write an evil script and store it on the USB Rubber Ducky.  When we plug the ducky into a computer, the ducky executes the script and steals the data. 

    It steals the data the way that a hacker with a keyboard would do it, but much faster because a script can type commands thousands of times faster.  Also, a hacker typing commands into a keyboard will get more attention than somebody who plugs in a USB key for fifteen seconds.

    Remember that the firmware on a USB drive cannot be scanned by an antivirus program.  It is possible to create a malicious firmware that can infect a computer and then distribute the infected drives.
  • Card Cloning or Card Skimming.  A Card Skimmer is a device that reads the data on a credit card.  Where we find it

    • A criminal working at a convenience store will swipe customer credit or debit cards into the skimmer instead of into a legitimate credit card machine.  The credit card data is copied into the skimmer.

      The problem with this method is that the convenience store does not collect any revenue from the stolen cards (since they are swiped into the skimmer and not a legitimate credit card machine, no transaction takes place).

    • A criminal places a skimmer on top of a legitimate ATM or credit card machine.  The device appears to be original, but the skimmer copies the card data before feeding it into the machine.  The machine uses the card to process a legitimate transaction, but the skimmer captures the data.  The criminal comes back later to collect the skimmer.

    • A criminal might install a hidden camera near the skimmer to capture PINs.  Newer technology allows a criminal to install a fake keypad on top of the real keypad.  The fake keypad allows the user to enter data into the legitimate ATM, but also captures it for use by the hacker.

What happens to this data

  • It is sold on the dark web, sometimes in bulk.  The higher the credit card limit, the more money it can be sold for.

    • The scammers make fake cards using the stolen data.  This is known as card cloning.  They use the cards to obtain cash advances from ATMs, or purchase large value goods that are quickly sold.

How to prevent

  • Use credit cards with EMV chips.  It is more difficult to skim a chip, but somebody did invent a skimmer that fits into the card slot on a credit card machine.

    Many credit card machines and ATMs are backwards compatible; that is, they accept the use of cards with magnetic stripes.

Adversarial Artificial Intelligence (AI)

AI is more popular than ever.  We use it to make business decisions.  We also use it to provide security.  The AI can decide whether something is a threat.  It does so by collecting data and looking for patterns.  The more data it collects, the better it learns, and the better it learns, the more accurate its decisions.

The AI has an algorithm.  Or in other words, it has a set of math equations that are instructions on how it learns.  If an attacker learns the algorithms or understands how the machine learns, he can taint the data.  He can trick the machine into learning his way.  Now the machine will be tricked into trusting the attacker or ignoring a backdoor.  This is known as Tainted Training Data for Machine Learning (ML).

How?  Let’s look at an example

  • We want to train the computer to recognize objects in images.  This is known as computer vision. 

  • We want the computer to automatically recognize different foods just by looking at a photo.  We start by feeding the computer thousands of photos of food.  Each time we give it a photo, we tell it what it contains.  For example, we give it a photo of a hot dog and tell it that it’s a hot dog. 

  • Once the computer has a whole bunch of hot dog photos, it looks for patterns between those photos.  Each hot dog might have a different shape or size or color or angle in the photograph.  So now it has a kind of fingerprint or idea of what a hot dog looks like. It might describe a hot dog as
    • a long brown cylinder
    • wrapped in a bun
    • may or may not have grill marks
    • may or may not have toppings

  • When we give it a new photo that contains a hot dog, the computer will compare the photo against the existing hot dog fingerprint.  Machine learning is fuzzy, so no match will ever be 100% perfect, but the computer will have a level of confidence (from 0% to 100%).

  • If none of the hot dogs we showed the computer have toppings and then we give the computer a photo of a chili dog that is covered in chili, so much chili that you can’t see the wiener, then the computer probably won’t recognize it as a hot dog. 

  • The computer will take this new hot dog photo and compare it against the existing hot dog photos.  It will use it to make some adjustments to the hot dog fingerprint.  Thus, each time it receives a new photo, it can make the fingerprint slightly more accurate.

  • Now what if we trick the computer by giving it a bunch of hot dog photos with the Kraft foods logo in the corner?  We make the Kraft foods logo the same exact size in every photo.  The computer will think that a hot dog is an item with a Kraft foods logo.  Now, if we give the computer a photo of a box of Kraft dinner, it will assume that it is looking at a hot dog.

  • Tainting something slightly by adding noise that is imperceptible to humans can completely mess up the algorithm.

  • So, if we apply this to security, we might be training a computer to recognize and classify security threats automatically.  A hacker can taint the computer’s machine learning by giving its data some noise or artifacts.  The noise tricks the algorithm into ignoring a backdoor or allowing an attacker to gain access.

  • In other words, if we are teaching the computer to recognize legitimate users, and the attacker sticks the equivalent of a Kraft logo onto the profile of some legitimate users, then the computer will learn that they are legitimate because of the “logo”, and not because of their other attributes.  For the attacker to gain access, all he needs to do is stick the equivalent of the Kraft “logo” on his own profile.
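
The hot dog and logo example above, as an added sketch that is not part of the original page. It uses a small naive Bayes classifier as a stand-in for the image model, with each photo reduced to four yes/no flags; the training rows, the choice of tainting five of eight photos and the audit function are all constructed assumptions. The audit is a simple form of testing the model with disguised inputs: switch on one feature at a time in trusted "not a hot dog" samples and see which feature alone flips the verdict.

```python
FEATURES = ["cylinder", "bun", "toppings", "logo"]

# Constructed training photos as (cylinder, bun, toppings, logo) flags.
# The features are coarse, so some hot dogs and other foods look identical.
HOT_DOGS = [(1, 1, 0, 0), (1, 1, 1, 0), (1, 1, 0, 0), (1, 1, 1, 0),
            (1, 0, 0, 0), (1, 0, 1, 0), (0, 1, 1, 0), (0, 1, 0, 0)]
OTHER_FOOD = [(0, 1, 1, 0), (0, 1, 0, 0), (0, 1, 1, 0), (1, 0, 0, 0),
              (1, 0, 1, 0), (1, 0, 0, 0), (0, 0, 1, 0), (0, 0, 0, 0)]

KRAFT_DINNER_BOX = (0, 0, 0, 1)   # nothing hot-dog-like, but carries the logo
PLAIN_HOT_DOG = (1, 1, 0, 0)      # ordinary hot dog, no logo
TRUSTED_NEGATIVES = [(0, 0, 0, 0), (0, 0, 1, 0)]  # salad, pizza


def taint(photos, count):
    """Copy of the photos in which the first `count` carry the logo."""
    return [p[:3] + (1,) if i < count else p for i, p in enumerate(photos)]


def train(hot, other):
    """Bernoulli naive Bayes: P(feature present | class), Laplace smoothed."""
    def rates(rows):
        return [(sum(r[i] for r in rows) + 1) / (len(rows) + 2)
                for i in range(len(FEATURES))]
    return {"hot": rates(hot), "other": rates(other),
            "prior_hot": len(hot) / (len(hot) + len(other))}


def confidence(model, photo):
    """Model's confidence (0.0 to 1.0) that the photo shows a hot dog."""
    def likelihood(rates):
        p = 1.0
        for present, rate in zip(photo, rates):
            p *= rate if present else 1 - rate
        return p
    hot = model["prior_hot"] * likelihood(model["hot"])
    other = (1 - model["prior_hot"]) * likelihood(model["other"])
    return hot / (hot + other)


def audit_triggers(model, trusted_negatives, threshold=0.5):
    """Features that, switched on alone, turn a known negative into a positive."""
    suspects = set()
    for photo in trusted_negatives:
        if confidence(model, photo) >= threshold:
            continue  # only probe samples the model currently gets right
        for i, name in enumerate(FEATURES):
            if photo[i]:
                continue
            probe = photo[:i] + (1,) + photo[i + 1:]
            if confidence(model, probe) >= threshold:
                suspects.add(name)
    return sorted(suspects)


if __name__ == "__main__":
    clean = train(HOT_DOGS, OTHER_FOOD)
    tainted = train(taint(HOT_DOGS, 5), OTHER_FOOD)
    for label, model in (("clean", clean), ("tainted", tainted)):
        print(label,
              "box=%.2f" % confidence(model, KRAFT_DINNER_BOX),
              "hot dog=%.2f" % confidence(model, PLAIN_HOT_DOG),
              "single-feature triggers:", audit_triggers(model, TRUSTED_NEGATIVES))
```

The tainted model still recognizes an ordinary hot dog, which is why the problem is easy to miss until a probe like this singles out the logo.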

An AI model can get extremely complicated and can be comprised of millions of lines of code, which makes it practically impossible to audit.  Thus, we need to make sure that all the data introduced into the model is from a trusted source.  This is difficult because an AI model that is analysing external threats is learning from data that is external and therefore easily compromised.  Three ways to mitigate against this

  • Provide initial training to the AI in a closed environment using trusted data.  The AI will develop valid definitions.  Once the AI is in use, new data will not be able to compromise the definitions.

  • Use multiple types of AI at the same time.  Each form of AI has a different algorithm for learning about threats.  It will be much more difficult to trick three different AIs at the same time with the same set of data.

  • Test the AI with threats disguised as legitimate data and see if it reacts.

There must be a balance between keeping the machine learning algorithms secure and making them open.  If an algorithm is open-source, then we can audit it.  The public can see how it works and point out its flaws so that it can be made better.  But an attacker could use the algorithm to engineer a better form of malware. 

If we keep the algorithm secure, then an attacker won’t be able to learn how it works.  It will be more difficult to develop malware that can hurt it.  On the flip side, the public won’t be able to audit the algorithm or understand how it works.  And if an attacker did gain access to the algorithm through a security hole, he would be able to create malware for an algorithm that is considered very secure.

Supply-Chain Attacks

The Supply Chain is where all our raw materials or component products come from.  For example, if we manufacture ovens, then our supply chain includes companies that provide metal, plastic, rubber, light bulbs, etc.  It also includes companies that provide us with marketing materials, legal advice, banking, finance, distribution, telephone services, website hosting, etc.

If our company’s systems are secure, then an attacker looking to hurt us might look at the systems of companies that supply us with products or services.  The attacker can hurt a supplier of a key component, in which case we will not be able to continue manufacturing products.  Or the attacker can hurt a vendor that stores some of our confidential information, such as our lawyer or bank, in which case our sensitive data will be compromised.

To mitigate a supply chain attack, we must do the following

  • Ensure that each vendor follows the same security standards that we do.  This should be enforced with regular audits of the vendor’s network.

  • Have two or three vendors for each product or service.  This ensures that there is always an available vendor when a disruption occurs. 

  • Control the type of information that a vendor is permitted to store.  Only provide the vendor with the information that they need to provide their services to us.

Some examples of supply chain attacks

  • Target (a retail store) provides vendors with access to its internal network.  Their HVAC (Heating, Ventilation, and Air Conditioning) contractor was provided with access to the internal network so that it could monitor the status of HVAC devices within the stores.  These devices were connected to the internal network – the same network as the point of sale systems and credit card machines.  Target did not properly secure their network, which meant that a person who gained access to the HVAC portion of it also gained access to the point of sale machines. 

    The network was secure, but the network of their HVAC vendor wasn’t.  In 2013, hackers easily got into the HVAC vendor’s network, and from there jumped into Target’s network and installed malware on their point of sale systems.  They were able to steal over 40 million credit card numbers, which they sold on the black market.

  • SolarWinds Orion is a software program that can monitor the status of computers and other devices, and push updates to them.  In a large organization, it can be installed on each user device.  Many organizations (including the US Federal Government) use SolarWinds Orion.

    Hackers got into the SolarWinds network and inserted malicious code into a new software update before it was released.  When SolarWinds made the update available, over 18,000 customers downloaded it and their networks became compromised.

Cloud-Based vs. On-Premises Attacks

We can store our data in the cloud or we can store it locally (on premises).  If we store our data on premises, then we are solely responsible for the security of the infrastructure that it is housed on.  If we store our data in the cloud, then the security is a shared responsibility. 

There are different cloud delivery models.  Whether something is your responsibility, or the responsibility of the cloud service provider depends on the delivery model.

The cloud service provider is responsible for

  • Securing the physical facility.  That means no unauthorized people should have physical access to the equipment that holds your data.

  • Ensuring that the infrastructure transporting and storing your data is secure. 

    The cloud is a concept, and there may be a difference between the physical hardware that runs the cloud, and the virtual hardware that appears to you.  The cloud provider must ensure that the network equipment, servers, and storage appliances are properly configured to allow access only to authorized users.  They must also ensure that if you share physical hardware with another customer, that other customer will not be able to break through the hypervisor and access your data.

    They must also ensure that communication between different pieces of equipment is encrypted.

  • Ensuring that your account is secure.  That means that unauthorized people will not be able to log in to your account, access your data, or make changes.

  • Complying with regulations regarding data storage.  If the data center stores personal information, health information, or classified information, then the service provider should comply with the applicable regulations (such as HIPAA, ISO 27000, or government procedures).

  • When the cloud delivery model is SaaS (Software as a Service), the cloud service provider is generally responsible for all aspects of the security.  You are still responsible for keeping your username and password safe.

You are responsible for

  • Ensuring that your username and password remain safe. 

  • Using multi-factor authentication where possible.

  • Installing and configuring virtual firewalls to protect your cloud infrastructure from unauthorized use.

  • Configuring proper security settings on your cloud-based servers and storage appliances and installing security updates as required.

  • Configuring encryption on data stored at rest and in transit and ensuring that the private keys for the encryption are safely stored.

  • Reporting possible security breaches.

  • Monitoring threats to devices that are directly exposed to the internet.

The cloud is only as secure as you make it.  If the cloud service provider’s security infrastructure is excellent, but your account’s security settings are weak, hackers will still be able to penetrate it.

Many large organizations use both the cloud and on-premises facilities to store their data.  They may connect the two sets of infrastructures via a WAN or VPN link.  They may have devices at each location that are directly connected to the internet.  How can they monitor every device and protect against threats?

Cloud service providers now offer “cloud port mirroring”.  These include Amazon VPC Traffic Mirroring, Google Cloud Packet Mirroring, and Microsoft Azure Virtual Network vTAP.  We can do the following

  • Set up traffic mirroring on our on-premise network

  • Set up all our cloud devices inside a virtual private cloud and enable traffic mirroring

  • Connect our cloud and on-premise mirrors to a monitoring system that can detect threats

Cryptographic Attacks

An encryption algorithm is one that scrambles the data so that nobody else can look at it.  There are many types of encryption algorithms, and we will cover some of them in detail later. 

An algorithm is a math equation that encrypts or decrypts the data.  It is kind of like a lock in a door.  There are many types of algorithms, just like there are many types of locks. 

To activate the algorithm, a user must choose a key, which is usually a long number.  A key in an algorithm is like a key in a door.  That way, even if multiple people use the same algorithm, with different keys, their data remains secure.  If we have access to some encrypted data and we know the key (or we can guess the key) then we can decrypt the data. 

There are a few common cryptographic attacks

  • Birthday Attack.  This idea came from the fact that in a room of 30 people, there is at least a 50% chance that two of them share a birthday.

    Consider a set of values (not necessarily unique values), .  In any set , the possibility that at least two values are identical is .  If we have a set of two values, then the possibility that they are identical is .  As the set grows, the possibility that two entries will be identical also grows. 

    So, what?  Let’s look at a real example.

    We want to trick Bob into signing something fraudulent.  If Bob must sign a contract with his digital signature, he first calculates a hash of the contract and then he digitally signs the hash.  We can’t make changes to the contract after he has signed it because the hash of the new contract won’t match the hash that Bob has signed. 

    A hash is a one-way mathematical function that converts a document or other piece of data into a string of characters.

    A hash function cannot be reversed.  Part of the reason is that multiple input values can result in the same hash.  Consider that a hash has a specific length (for example 48 characters) and character set (only letters and numbers), but that inputs to the hash could have an unlimited length and a much wider character set.

    Mathematically speaking, the set of hashes is finite, but the set of inputs is infinite.  If we divide the number of inputs by the number of hashes, we still have an infinite number of inputs for every hash.

    Therefore, it is possible to locate two different inputs that result in the same hash value.  This is known as a collision.  The birthday attack is the process that is used to find the collision.

    What we do is the following

    • We write one legitimate contract and then make millions of minor variations in it (such as adding a space or a comma)

    • We write one fraudulent contract and then make millions of minor variations in it (such as adding a space or a comma)

    • We calculate the hash for every variation of every contract.

    • We search all of the contracts until we find one legitimate contract and one fraudulent contract that have the same hash.  This is a possibility due to the birthday problem.

    • We give Bob the legitimate contract that has an identical hash as one that belongs to a fraudulent contract.

    • Bob signs the legitimate contract by taking a hash of the contract and signing the hash with his digital signature.  We then paste the digital signature onto the fraudulent contract.  Anybody trying to verify the fraudulent contract will calculate the hash and see that Bob signed it.
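
The birthday reasoning and the contract-variation search above, as an added example that is not part of the original page. It computes the shared-birthday probability and then runs the search against a deliberately weak toy digest (SHA-256 cut down to 20 bits) to show that the cost depends on digest length; the contract texts, the 20-bit truncation and the table size are constructed assumptions. Against a full-length modern digest the same search needs on the order of 2^128 hashes, which is why signatures must use an untruncated, collision-resistant hash.

```python
import hashlib
from math import prod

# Constructed contract texts (assumptions for the demonstration)
LEGIT = "Bob agrees to pay Alice the sum of 100 dollars on the first day of each month"
FRAUD = "Bob agrees to pay Alice the sum of 100000 dollars on the first day of each week"


def birthday_probability(people, days=365):
    """Chance that at least two of `people` share one of `days` equally likely values."""
    if people > days:
        return 1.0
    return 1 - prod((days - i) / days for i in range(people))


def short_hash(text, bits):
    """Toy digest: the first `bits` bits of SHA-256 (deliberately too short)."""
    full = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return full >> (256 - bits)


def variant(words, index):
    """Variation number `index`: bit k decides one or two spaces after word k."""
    pieces = [w + ("  " if (index >> k) & 1 else " ")
              for k, w in enumerate(words[:-1])]
    return "".join(pieces) + words[-1]


def find_collision(legit, fraud, bits, table_size):
    """Search whitespace variants of both texts for a shared toy digest.

    Returns (legit_variant, fraud_variant, hashes_computed), or None if the
    variants run out first.
    """
    legit_words, fraud_words = legit.split(), fraud.split()
    table = {}
    for i in range(table_size):                      # hash the legitimate variants
        text = variant(legit_words, i)
        table[short_hash(text, bits)] = text
    for j in range(1 << (len(fraud_words) - 1)):     # then look each fraud variant up
        text = variant(fraud_words, j)
        match = table.get(short_hash(text, bits))
        if match is not None:
            return match, text, table_size + j + 1
    return None


if __name__ == "__main__":
    print("30 people: %.1f%% chance of a shared birthday" % (100 * birthday_probability(30)))
    found = find_collision(LEGIT, FRAUD, bits=20, table_size=4096)
    if found:
        a, b, work = found
        print("20-bit digests collide after", work, "hashes; digest space is", 2 ** 20)
        print("full SHA-256 values differ:", short_hash(a, 256) != short_hash(b, 256))
```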

  • Downgrade Attack.  When two parties choose to communicate, they must first agree on the encryption algorithm that they will use.  The parties should choose secure algorithms.  If one party uses outdated technology, it may only understand a weaker form of the encryption algorithm.  It would then ask the other party to use the same, weaker form of encryption.

    A hacker could take advantage of the downgrade feature by requesting that another party communicate with it via a weaker form of encryption.  The hacker would then break the weaker form of encryption.

    One tool that takes advantage of this system is known as a StingRay.  It is used to intercept communications between cell phones and cell phone towers.  Cell phones use a form of encryption known as A5/1.  Communication between the cell phone and the tower is encrypted via A5/1.  Some older cell towers use a weaker form of encryption known as A5/2, which can be easily broken.

    The StingRay acts like a fake cell phone tower.  The cell phone connects to the StingRay instead of the tower.  The StingRay forces the cell phone to use a weaker form of encryption known as A5/2.  The StingRay then obtains encrypted data from the cell phone and decrypts it to obtain the A5/2 encryption key.  With the encryption key, the StingRay can then decrypt all cellular communications (voice and SMS).

    How to prevent

    • Enforce strong forms of encryption without exception

    • Use end-to-end encryption applications on cell phones.  Do not send sensitive data via SMS or MMS.  Use a VoIP app with end-to-end encryption when placing a phone call.
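
The fallback behaviour and the "without exception" rule above, as an added example that is not part of the original page. It is a simplified negotiation model, not real cellular or TLS signalling: the algorithm labels and their ordering come from the text, while the peer names, the session list and the function names are constructed assumptions. A permissive device falls back to whatever the peer offers; a device with a minimum refuses the connection, and the audit lists sessions that ended up below the device's best algorithm.

```python
# Higher number means stronger, using the ordering given in the text.
STRENGTH = {"A5/2": 1, "A5/1": 2}

PHONE_SUPPORTS = ["A5/1", "A5/2"]

# Constructed sessions: (peer name, algorithms that peer offers)
SESSIONS = [
    ("tower-1", ["A5/1", "A5/2"]),
    ("tower-2", ["A5/2"]),          # only offers the weak algorithm
    ("tower-3", ["A5/1"]),
]


class NegotiationError(Exception):
    """Raised when no algorithm meets the local policy."""


def negotiate(offered_by_peer, supported, minimum=None):
    """Pick the strongest algorithm both sides support.

    With `minimum` set, anything weaker is rejected, so a peer that offers
    only weak algorithms gets no connection instead of a weak one.
    """
    common = [alg for alg in supported if alg in offered_by_peer]
    if minimum is not None:
        common = [alg for alg in common if STRENGTH[alg] >= STRENGTH[minimum]]
    if not common:
        raise NegotiationError("no acceptable algorithm in common")
    return max(common, key=STRENGTH.get)


def audit_sessions(sessions, supported):
    """Peers whose permissive negotiation ended below our strongest algorithm."""
    best = max(STRENGTH[alg] for alg in supported)
    flagged = []
    for peer, offered in sessions:
        chosen = negotiate(offered, supported)
        if STRENGTH[chosen] < best:
            flagged.append((peer, chosen))
    return flagged


if __name__ == "__main__":
    print("downgraded sessions:", audit_sessions(SESSIONS, PHONE_SUPPORTS))
    for peer, offered in SESSIONS:
        try:
            print(peer, "->", negotiate(offered, PHONE_SUPPORTS, minimum="A5/1"))
        except NegotiationError as err:
            print(peer, "-> refused:", err)
```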

Note that the StingRay is used by many law enforcement agencies to track and intercept cellular telephone traffic. 

The use of the StingRay by law enforcement is legal and a warrant is not required.

Note that phone taps take two forms

  • Wiretap.  In a wiretap, the law enforcement agency obtains a warrant from a federal judge, which permits them to listen to the contents of a phone call (or multiple phone calls) initiated by a specific phone number or multiple numbers.

    • Pen Register.  In a pen register, the law enforcement agency obtains a subpoena (not necessarily from a judge), which permits them to record the phone numbers dialed by a specific phone number.  They may also record the duration of the calls and the times that they were placed (but not the actual contents of the calls).

The manufacturer of the StingRay claims that the device does not intercept actual voice conversations; therefore, the StingRay’s use is not the same as a phone wiretap, but instead a pen register.

The US Department of Justice determined that they do not legally require a search warrant before using a StingRay, but they have implemented a policy to require their agents to obtain warrants unless compelling circumstances exist (evidence would be destroyed prior to obtaining the warrant).  By obtaining the warrant, they reduce the risk of legal challenges against the evidence.

Some federal courts have ruled that the use of a StingRay requires a warrant.

The states of Virginia, Washington, California, Minnesota, and Utah have passed laws requiring law enforcement to obtain warrants prior to using StingRays.

Laws Relevant to Malware

In the United States, all distribution of malware falls under the Computer Fraud & Abuse Act (18 U.S. Code § 1030).  This broad law covers most forms of computer abuse.

Specifically, section (5) states that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;” can be punished by imprisonment for up to ten years.

Note that the term “protected computer” is defined as

  • any computer that is used by a financial institution of the United States,

  • any computer that is used by the United States government, or

  • a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;”

The federal government’s jurisdiction is limited to matters that affect financial institutions, the federal government, and/or interstate or foreign commerce.  The federal government does not have jurisdiction over crimes that occur within a single state (unless they involve a federal subject matter).

But note the following:

  • Due to the nature of the internet, some data will almost always travel between different states, even if the hacker and the victim are in the same state.  Thus, most computer crimes fall under federal jurisdiction and can be prosecuted by the federal government.  

  • In addition, Courts have held that provided the computer is “connected to the internet”, then it falls under the definition of “interstate or foreign commerce”, even if there was no proof that the Defendant used the computer to access the internet or used the internet to access the computer.

  • State and local governments typically don’t have the resources or experience to investigate/prosecute complex computer crimes and will refer such cases to the FBI.

  • An “air gapped” computer (one that is not connected to the internet, such as a control system for a power plant or industrial facility) can fall under the jurisdiction of the CFAA provided that it affects “interstate or foreign commerce”.

To be convicted, the Defendant must

  • Access the computer “without authorization”

    • That means that the Defendant did not have permission to access the computer.  Most courts have held that authorization is valid until it is revoked by the issuing party

    • A few courts have held that authorization could be considered invalid when the Defendant accesses the computer in a manner contrary to the interests of the authorizing party.  That means, even if you have authorization to access a computer, you are unauthorized to do something that you weren’t supposed to.

  • “Exceed authorized access”

    • That means that the Defendant has permission to access the computer, but only for a specific purpose.  The authorizing party has prohibited the Defendant from accessing the computer for other purposes.

    • It could also mean that the authorizing party did not expressly prohibit the Defendant from accessing the computer, but the Defendant acted contrary to the authorizing party’s interests

In general, Courts have drawn a distinction between accessing a computer without authorization (applies to outsiders) and exceeding authorized access (applies to insiders).

18 U.S.C. § 1030(a)(2) applies to keyloggers and other forms of spyware, if the Defendant

  • Intentionally accesses a computer without authorization

    • Access must be intentional

  • Obtains “information” from “any protected computer”

    • Information can be obtained even if the Defendant did not copy or download a file

18 U.S.C. § 1030(a)(5) applies to acts that damage a computer system or information

It is a felony to damage a computer system or information if

  • A loss of $5000 or more results

  • The medical care of a person is modified

  • Physical injury is caused

  • Public health or safety is affected

  • Systems used by the government for justice or national security are affected; or

  • Ten or more computers are damaged within a one-year period

Damage is defined as

  • When the act impairs the integrity of the data (such as when the data is deleted or changed)

  • When the act affects the availability of the data (such as in a denial of service attack that brings a website offline)

  • When the victim must spend money to investigate to determine if the data has been damaged (even if it is determined later that no files have been changed)

The loss amount can include

  • Cost to any victim

  • Cost of investigating the security breach

  • Cost of restoring the data and/or repairing the systems

  • Lost revenue