What Is Computer Security?
The term computer security has different interpretations based on what era the term describes. Early on, computer security specialized in keeping the glass houses in which the computer core was positioned safe from vandalism, along with providing constant cooling and electricity. As computers became more dispersed, security became more of an issue of preserving data and protecting its validity, as well as keeping the secrets secret. As computers moved onto the desktop and into the home, computer security took the form of protection against data thieves and network attackers. Modern computer security includes considerations of business continuity.

A Broader Definition of Security
The popular conception of computer security is that its only goal is secrecy, such as keeping the names of secret agents from falling into the hands of the enemy, or keeping a nationwide fast food chain's new advertising strategy from being revealed to a competitor. Secrecy is a very important aspect of computer security, but it's not the whole story.
Why buy security?
There are several reasons:
1. to prevent loss of data
2. to prevent corruption of data
3. to prevent compromise of data
4. to prevent theft of data
5. to prevent sabotage

Threats to security:
There are three key words that come up in discussions of computer security issues: vulnerabilities, threats and attacks.
Threat: Any potential occurrence, malicious or otherwise, that can have an undesirable effect on the assets and resources associated with a computer system. A threat is a potential violation of security. The violation need not actually occur for there to be a threat. The fact that the violation might occur means that those actions that could cause it to occur must be guarded against.
Vulnerability: Some characteristic of a computer that makes it possible for a threat to potentially occur. A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.
Attack: An action taken by a malicious intruder that involves the exploitation of certain vulnerabilities in order to cause an existing threat to occur; the definition of attack in terms of malicious intruders removes innocent errors from the purview of computer security.

1. Viruses:
A virus is a code fragment that copies itself into a larger program, modifying that program. A virus is a computer program that hides inside another program in a computer or on a disk. A virus depends upon a host program, which it infects. A virus executes only when its host program begins to run. The virus then replicates itself, infecting other programs as it reproduces. After seeing to its own reproduction, it then does whatever dirty work it carries in its programming, or payload. The computer virus came of age on 26 September 1988.
A computer virus cannot be defined rigorously, but a piece of software that satisfies the following points should be included in the category of computer virus.
1. It is capable of propagating between computers on a network. This is the most important attribute of a computer virus and it is what distinguishes a virus from other types of malicious software.
2. It installs itself in a host computer without the owner’s knowledge or consent.
3. It has the potential to damage software on the host by altering or deleting files.
4. It can prevent legitimate users from using some or all of the computer’s resources.
5. It embeds itself in an executable file (its host), such that when the file is executed, the virus is also executed. The virus is hidden inside the host.

Types of virus:
1. A multipartite virus
2. A macro virus
3. An operating system virus
4. A general application virus
5. A memory resident virus

2. Worms:
A worm is an independent program that reproduces by copying itself in full from one computer to another, usually over a network, and it does so rapidly. Like a virus, a worm compounds the damage it does by spreading rapidly from one site to another. Unlike a virus, which attaches itself to a host program, a worm keeps its independence; it usually doesn't modify other programs. Like a virus, however, a worm can include malicious instructions that cause damage or annoyance, in addition to whatever inconvenience it causes by tying up the resources of the network as it maintains and reproduces itself.
The main feature of worms, a feature that distinguishes them from viruses and Trojan horses is their speed of propagation. A worm propagates itself throughout the Internet by exploiting security weaknesses in applications and protocols we all use. Thus, a perpetrator interested in deep penetration of the Internet may try to implement a sophisticated worm.
A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless. Worms and Trojans may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when executed. In general, and at least in theory, a worm does not itself damage the system's hardware or software.
3. Trojan Horses:

A Trojan horse is a piece of software (normally malicious) hidden inside an innocuous program. The horse performs its destructive function, then starts its host program. A Trojan horse does not replicate itself and does not infect other programs or files; its damage is localized. Normally, deleting the host program eliminates the Trojan horse and solves the problem.
4. Intruders:
One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker. Intruders are extremely patient, since the process of gaining access to a system takes persistence and dogged determination. Intruders, or anyone trying to conduct an intrusion, come in many different varieties with varying degrees of sophistication.
Three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
Intrusion Techniques:
The objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system. Generally, this requires the intruder to acquire information that should have been protected. In some cases, this information is in the form of a user password. With knowledge of some other user's password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user.
Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is an easy matter to gain access to it and learn passwords. The password file can be protected in one of two ways:
• One-way function: The system stores only the value of a function based on the user's password. When the user presents a password, the system transforms that password and compares it with the stored value.
• Access control: Access to the password file is limited to one or a very few accounts.
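An added illustration of the one-way-function approach in Python (example code written for these notes, not the login code of any particular system): the constructed password file stores only a random salt and a PBKDF2-HMAC-SHA256 digest for each user, and verification recomputes the function and compares the result. The iteration count, salt length, record format and the dummy-record trick for unknown users are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the original notes): the "one-way function" way of
# protecting a password file. The stored record holds only a random salt and
# PBKDF2-HMAC-SHA256(password, salt); the password itself is never kept.
# ITERATIONS and SALT_BYTES are assumed values, not taken from the notes.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a storable 'iterations$salt$digest' record for one user."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the one-way function and compare in constant time."""
    iters, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), stored_hex)


# Constructed password file: user -> record. Reading it reveals no passwords.
PASSWORD_FILE = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Record for a non-existent user so that unknown names cost the same time as
# known ones; otherwise timing would reveal which usernames exist.
_DUMMY_RECORD = make_record("dummy")


def login(user: str, password: str) -> bool:
    """True only if the user exists and the password hashes to the stored digest."""
    record = PASSWORD_FILE.get(user)
    if record is None:
        verify(password, _DUMMY_RECORD)
        return False
    return verify(password, record)


if __name__ == "__main__":
    print("alice / correct password:", login("alice", "correct horse battery staple"))
    print("alice / wrong password:  ", login("alice", "wrong"))
    print("stored record for bob:   ", PASSWORD_FILE["bob"])
```

Because each record carries its own salt, two users with the same password get different digests, and an attacker who steals the file cannot use one precomputed table against all of them; the high iteration count makes each guess expensive. The access-control method from the notes is still needed alongside this: the file should not be world-readable even though it holds no plaintext.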


5. Insiders:-
Insider is a fluid term: depending on the usage, it can have strongly positive, negative, or neutral connotations. It is probably safe to say that in all contexts, being an insider implies relatively great, if fleeting, personal power, and therefore engenders some form of respect, and in certain situations, fear.
An insider is a member of any group of people of limited number and generally restricted access. The term is used in the context of secret, privileged, hidden or otherwise esoteric information or knowledge: an insider is a "member of the gang" and as such knows things only people in the gang know.
Definition of "insider"
In the United States, for mandatory reporting purposes, corporate insiders are defined as a company's officers, directors and any beneficial owners of more than ten percent of a class of the company's equity securities. Trades made by these types of insiders in the company's own stock, based on material non-public information, are considered to be fraudulent since the insiders are violating the trust or the fiduciary duty that they owe to the shareholders. The corporate insider, simply by accepting employment, has made a contract with the shareholders to put the shareholders' interests before their own, in matters related to the corporation. When the insider buys or sells based upon company owned information, he is violating his contract with the shareholders.
In our complicated and information-rich world, the concept of insider knowledge is popular and pervasive, as a source of direct and useful guidance. In a given situation, an insider is contrasted with an outside expert: the expert can provide an in-depth theoretical analysis that should lead to a practical opinion, while an insider has firsthand, material knowledge. Insider information may be thought of as more accurate and valuable than expert opinion.
6. Criminal Organization:-
Organized crime or criminal organizations are groups or operations run by criminals, most commonly for the purpose of generating a monetary profit. The Organized Crime Control Act (U.S., 1970) defines organized crime as "The unlawful activities of ... a highly organized, disciplined association...”
Some criminal organizations, such as terrorist organizations, are politically motivated. Gangs sometimes become "disciplined" enough to be considered "organized". An organized gang or criminal set can also be referred to as a mob. The act of engaging in criminal activity as a structured group is referred to in the United States as racketeering. In the U.S., organized crime is often prosecuted federally under the Racketeer Influenced and Corrupt Organizations Act (RICO), Statute (18 U.S.C. Part I Chapter 96 §§ 1961-1968).

Security Attacks:
A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks.
o A passive attack attempts to learn or make use of information from the system but does not affect system resources.
o An active attack attempts to alter system resources or affect their operation.

1. Passive Attacks:
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
i. The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
ii. Traffic analysis is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of the data.
2. Active Attacks:
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
i. A masquerade takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
ii. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
iii. Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."
iv. The denial of service prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.
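The following is an added Python example, not from the original notes, showing how a receiver can detect the modification and replay forms of active attack described above: every message carries a timestamp, a fresh nonce and an HMAC over all three fields, so a changed payload fails the tag check and a retransmitted message is caught by its reused nonce. The shared key KEY, the window size and the message format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example (not from the original notes). KEY is an assumed shared secret
# between sender and receiver; WINDOW_SECONDS is an assumed allowance for clock
# skew and delivery delay. The message layout is constructed for this example.
KEY = b"constructed-shared-secret-key"
WINDOW_SECONDS = 300


def _tag(key: bytes, ts: int, nonce: str, payload: str) -> str:
    """HMAC over timestamp, nonce and payload together: changing any one of
    them (modification, replay with a new time, forged sender) breaks the tag."""
    data = f"{ts}|{nonce}|{payload}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_message(payload: str, key: bytes = KEY, now: Optional[float] = None) -> dict:
    """Sender side: attach a fresh nonce, a timestamp and the authentication tag."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"ts": ts, "nonce": nonce, "payload": payload, "tag": _tag(key, ts, nonce, payload)}


class Receiver:
    """Receiver side: remembers the nonces seen inside the time window."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen = {}  # nonce -> timestamp it arrived with

    def accept(self, msg: dict, now: Optional[float] = None) -> str:
        """Return 'ok' or a string naming the reason the message was rejected."""
        now = time.time() if now is None else now
        expected = _tag(self.key, msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: tag mismatch (modified or forged)"
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return "rejected: timestamp outside window"
        if msg["nonce"] in self.seen:
            return "rejected: replay (nonce already used)"
        self.seen[msg["nonce"]] = msg["ts"]
        # forget nonces older than the window; such messages are already
        # rejected by the timestamp check, so they need no longer be tracked
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        return "ok"


if __name__ == "__main__":
    r = Receiver()
    m = build_message("Allow John Smith to read confidential file accounts", now=1000)
    print(r.accept(m, now=1001))            # ok
    print(r.accept(m, now=1002))            # rejected: replay
    tampered = dict(m, payload="Allow Fred Brown to read confidential file accounts")
    print(r.accept(tampered, now=1003))     # rejected: tag mismatch
```

This matches the point made in the notes: the receiver cannot stop the attacker from capturing or resending traffic, but it can detect the tampering and refuse to act on it. Denial of service is not addressed by this check at all, which is why the notes treat it separately.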

Types of Attack:

1. Denial of service
2. Backdoor
3. Trapdoor
4. Sniffing
5. Spoofing
6. Man in the Middle
7. TCP/IP Hijacking

1. Denial of service:-
A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. In a distributed denial-of-service, large numbers of compromised systems (sometimes called a botnet) attack a single target. A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. One common method of attack involves saturating the target (victim) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide the intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
• How a "denial of service" attack works:
In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.
In a denial of service attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely.

• How to block a "denial of service" attack:
One of the more common methods of blocking a "denial of service" attack is to set up a filter, or "sniffer," on a network before a stream of information reaches a site's Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.
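As an added example (not from the original notes) of the kind of filter described above, the Python below tracks half-open TCP handshakes over a constructed trace of SYN and ACK events, raises an alert whenever the number of connections still waiting for their final ACK exceeds a threshold, and reports the sources left half-open as the candidates a filter would block. The threshold, the timeout and every address in the trace are assumed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example (not from the original notes). The events, the threshold and
# the timeout are constructed/assumed values; a real filter would read them
# from packet captures and be tuned to the server's backlog size.
HALF_OPEN_THRESHOLD = 20   # assumed: more half-open connections than this is abnormal
HANDSHAKE_TIMEOUT = 3.0    # assumed: seconds a SYN may wait for the client's final ACK


@dataclass
class Event:
    t: float       # arrival time in seconds
    kind: str      # "SYN" = client opens; "ACK" = client completes the handshake
    client: str    # source address as seen on the wire (may be forged)


def sample_events() -> List[Event]:
    """Constructed trace: three real clients complete their handshakes, then a
    burst of SYNs from 50 distinct forged sources that never send the ACK."""
    ev = []
    for i, ip in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        ev.append(Event(1.0 + i, "SYN", ip))
        ev.append(Event(1.2 + i, "ACK", ip))
    for i in range(50):
        ev.append(Event(4.0 + i * 0.01, "SYN", f"203.0.113.{i + 1}"))
    return sorted(ev, key=lambda e: e.t)


def detect_syn_flood(events: List[Event],
                     threshold: int = HALF_OPEN_THRESHOLD,
                     timeout: float = HANDSHAKE_TIMEOUT) -> Tuple[List[Tuple[float, int]], Set[str]]:
    """Track half-open connections per source. Returns (alerts, suspects): alerts
    lists (time, half_open_count) whenever the count exceeds the threshold, and
    suspects is the set of sources still half-open when the trace ends."""
    pending: Dict[str, float] = {}   # client -> time its SYN arrived
    alerts: List[Tuple[float, int]] = []
    for e in events:
        # Entries whose ACK never came within the timeout are ones the server
        # would already have given up on; drop them so the count tracks reality.
        for c, t0 in list(pending.items()):
            if e.t - t0 > timeout:
                del pending[c]
        if e.kind == "SYN":
            pending[e.client] = e.t
        elif e.kind == "ACK":
            pending.pop(e.client, None)
        if len(pending) > threshold:
            alerts.append((e.t, len(pending)))
    return alerts, set(pending)


if __name__ == "__main__":
    alerts, suspects = detect_syn_flood(sample_events())
    print(f"{len(alerts)} alerts, first at t={alerts[0][0]:.2f} with {alerts[0][1]} half-open")
    print("candidate sources to filter:", sorted(suspects)[:5], "...")
```

The pattern the filter keys on here is not a byte sequence but behaviour: many SYNs that are never followed by an ACK. Because the return addresses are forged, blocking individual sources helps only briefly; the count itself is the useful signal, and it is what SYN-cookie or rate-limiting defences react to.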
• Methods of DoS attack:
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Attacks can be directed at any network device, including attacks on routing devices and web, electronic mail, or Domain Name System servers.
A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:
1. Consumption of computational resources, such as bandwidth, disk space, or processor time
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
A DoS attack may include execution of malware intended to:
1. Max out the processor's usage, preventing any work from occurring.
2. Trigger errors in the microcode of the machine.
3. Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.
4. Exploits errors in the operating system to cause resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished.
5. Crash the operating system itself.
6. iFrame (D)DoS, in which an HTML document is made to load a web page containing many kilobytes of data over and over, until the number of visits exceeds the target's bandwidth limit.
• Permanent Denial-of-Service attacks:
A permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike a distributed denial-of-service attack, a PDoS attack exploits security flaws in the remote management interfaces of the victim's hardware, be it routers, printers, or other networking hardware. These flaws leave the door open for an attacker to remotely 'update' the hardware firmware to a modified, corrupt or defective firmware image, thereby bricking the device and making it permanently unusable for its original purpose. The PDoS is a purely hardware-targeted attack which can be much faster and requires fewer resources than using a botnet in a DDoS attack. Because of these features, and the high probability of security exploits on Network Enabled Embedded Devices (NEEDs), this technique has come to the attention of numerous hacker communities such as Hack A Day.


• Distributed attack:
A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hard coding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A system may also be compromised with a Trojan, allowing the attacker to download a zombie agent (or the Trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.
It is important to note the difference between a DDoS and DoS attack. If an attacker mounts a smurf attack from a single host it would be classified as a DoS attack. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.

• Side effects of DoS attacks:
Backscatter
In computer network security, backscatter is a side-effect of a spoofed denial of service (DoS) attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP packets sent to the victim. In general, the victim machine cannot distinguish between the spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it normally would. These response packets are known as backscatter.
If the attacker is spoofing source addresses randomly, the backscatter response packets from the victim will be sent back to random destinations. This effect can be used by network telescopes as indirect evidence of such attacks.
The term "backscatter analysis" refers to observing backscatter packets arriving at a statistically significant portion of the IP address space to determine characteristics of DoS attacks and victims.
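Added example, not from the original notes: a small backscatter analysis in Python over constructed packet records arriving at an assumed /24 telescope block. It separates response-type packets (SYN-ACK, RST, ICMP unreachable, which a host only sends in reply to something) from unsolicited probes, groups them by source to identify the victim, and scales the observed rate by the telescope's share of the address space. The thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Added example (not from the original notes). TELESCOPE is an assumed unused
# ("dark") address block monitored by a network telescope; the packet records
# are constructed. Thresholds are assumptions, not measured values.
TELESCOPE = ipaddress.ip_network("192.0.2.0/24")
# Packet types a host sends only in response to something: seeing them arrive
# at addresses that never sent anything marks them as backscatter.
BACKSCATTER_TYPES = {"SYN-ACK", "RST", "RST-ACK", "ICMP-UNREACH"}


def sample_packets() -> List[dict]:
    pk = []
    # A victim answering forged-source SYNs: its SYN-ACKs land on random
    # telescope addresses because the attacker forged sources at random.
    for i in range(40):
        pk.append({"t": 100 + i * 0.5, "src": "203.0.113.10",
                   "dst": f"192.0.2.{(i * 37) % 256}", "type": "SYN-ACK"})
    # A scanner probing the dark space: SYNs are unsolicited, not backscatter.
    for i in range(10):
        pk.append({"t": 105 + i, "src": "198.51.100.66",
                   "dst": f"192.0.2.{i}", "type": "SYN"})
    # One stray RST is far too little to call an attack.
    pk.append({"t": 110, "src": "198.51.100.99", "dst": "192.0.2.200", "type": "RST"})
    return pk


def analyze_backscatter(packets: List[dict], min_packets: int = 10,
                        min_distinct_dst: int = 5) -> Dict[str, dict]:
    """Group backscatter by source (the DoS victim) and estimate the attack rate.
    Returns {victim_ip: {observed, distinct_dst, est_pps}}."""
    by_src = defaultdict(list)
    for p in packets:
        if ipaddress.ip_address(p["dst"]) not in TELESCOPE:
            continue
        if p["type"] in BACKSCATTER_TYPES:
            by_src[p["src"]].append(p)
    victims = {}
    # The telescope sees only the fraction of responses whose forged source
    # happened to fall in its block, so scale the observed rate up by 2^32/|block|.
    fraction = TELESCOPE.num_addresses / 2 ** 32
    for src, pk in by_src.items():
        dsts = {p["dst"] for p in pk}
        if len(pk) >= min_packets and len(dsts) >= min_distinct_dst:
            span = max(p["t"] for p in pk) - min(p["t"] for p in pk)
            victims[src] = {
                "observed": len(pk),
                "distinct_dst": len(dsts),
                "est_pps": len(pk) / max(span, 1e-9) / fraction,
            }
    return victims


if __name__ == "__main__":
    for victim, info in analyze_backscatter(sample_packets()).items():
        print(victim, info)
```

The distinct-destination requirement is what separates backscatter from a single misconfigured host retrying against one dark address; the uniform spread over the block is the signature of randomly forged sources. The rate estimate is only valid under that same assumption of uniform spoofing.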

2. Backdoor:-
A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.
The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted.
A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. A famous example of this sort of backdoor was as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode).
It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine).
3. Packet Sniffing:-
It is a passive attack. An attacker need not hijack a conversation but simply observes (i.e. sniffs) packets as they pass over the communication channel. To read a packet, an attacker must first gain access to it. The simplest way is to control a computer through which the traffic passes; usually this is a router, which is highly secured, so the attacker instead tries to attack a less protected computer on the same path.
A Packet Sniffer (also known as a network sniffer, network analyzer or protocol analyzer or, for particular types of networks, an Ethernet sniffer or wireless sniffer) is computer software or computer hardware that can intercept and log traffic passing over a digital network or part of a network. As data streams flow across the network, the sniffer captures each packet and eventually decodes and analyzes its content according to the appropriate RFC or other specifications.
In its simple form a packet sniffer simply captures all of the packets of data that pass through a given network interface. Typically, the packet sniffer would only capture packets that were intended for the machine in question. However, if placed into promiscuous mode, the packet sniffer is also capable of capturing ALL packets traversing the network regardless of destination.
By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. Within a given network, username and password information is generally transmitted in clear text which means that the information would be viewable by analyzing the packets being transmitted.
A packet sniffer can only capture packet information within a given subnet. So, it's not possible for a malicious attacker to place a packet sniffer on their home ISP network and capture network traffic from inside your corporate network (although there are ways that exist to more or less "hijack" services running on your internal network to effectively perform packet sniffing from a remote location). In order to do so, the packet sniffer needs to be running on a computer that is inside the corporate network as well. However, if one machine on the internal network becomes compromised through a Trojan or other security breach, the intruder could run a packet sniffer from that machine and use the captured username and password information to compromise other machines on the network.
Detecting rogue packet sniffers on your network is not an easy task. By its very nature the packet sniffer is passive. It simply captures the packets that are traveling to the network interface it is monitoring. That means there is generally no signature or erroneous traffic to look for that would identify a machine running a packet sniffer. There are ways to identify network interfaces on your network that are running in promiscuous mode though and this might be used as a means for locating rogue packet sniffers.
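One host-based check, added here as an example and not part of the original notes: on Linux the interface flag word is exposed under /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while an interface is in promiscuous mode. The first function decodes that word; the second walks the directory and reports every interface, returning nothing on systems that lack it.

```python
import os
from typing import Dict

# Added example (not from the original notes). IFF_PROMISC is the Linux
# interface flag from <linux/if.h>; the kernel exposes the flag word for each
# interface as a hex string in /sys/class/net/<iface>/flags.
IFF_PROMISC = 0x100


def is_promiscuous(flags_text: str) -> bool:
    """Decode the hex flags word and test the promiscuous bit."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sys_net: str = "/sys/class/net") -> Dict[str, bool]:
    """Return {interface: promiscuous?} for every interface under sys_net.
    Returns an empty dict on systems without that directory."""
    result: Dict[str, bool] = {}
    if not os.path.isdir(sys_net):
        return result
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as fh:
                result[iface] = is_promiscuous(fh.read())
        except (OSError, ValueError):
            continue   # virtual entries without a flags file, or unreadable ones
    return result


if __name__ == "__main__":
    for iface, promisc in scan_interfaces().items():
        print(f"{iface:10s} {'PROMISC' if promisc else 'normal'}")
```

The kernel also writes "device <name> entered promiscuous mode" to the system log when the bit is set, so that log line is a second place to look. As the notes say, this only finds sniffers on hosts you are able to inspect; an intruder's own machine will not announce itself this way, which is why encrypting credentials in transit matters more than hunting for sniffers.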

The versatility of packet sniffers means they can be used to:
• Analyze network problems.
• Detect network intrusion attempts.
• Gain information for effecting a network intrusion.
• Monitor network usage.
• Gather and report network statistics.
• Filter suspect content from network traffic.
• Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).
• Reverse engineer protocols used over the network.
• Debug client/server communications.
• Debug network protocol implementations.

4. Packet Spoofing:-
In the context of computer security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. In this attack, the attacker sends a packet with a false source address (the spoofed address). The receiver then sends its reply to the forged address, not to the attacker.
Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.
A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection.
However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing).

This can lead to three possible cases:
1) The attacker can intercept the reply:-
If the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
2) The attacker need not see the reply:-
If the attacker's intention was a Denial of Service (DoS) attack, then the attacker need not bother about the reply.
3) The attacker does not want the reply:-
The attacker may use a valid host address as the forged source address and send the packet to the destination. The attacker does not want the reply from the destination, because the aim is for the host with the forged address to receive it and be confused.
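An added Python example (not from the original notes) of the standard defence against forged source addresses, ingress filtering as described in RFC 2827 (BCP 38): each router interface accepts only packets whose source address belongs to the prefixes that legitimately sit behind it, so a packet entering from the LAN with an outside or DMZ source is dropped before it can reach its destination. The interface map and the packets are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example (not from the original notes). The interface-to-prefix map and
# the packets are constructed; the rule is the ingress filtering idea of
# RFC 2827 / BCP 38: a packet may only enter on an interface behind which its
# source address legitimately lives.
INTERFACE_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "lan0": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz0": [ipaddress.ip_network("192.0.2.0/24")],
}


def ingress_allowed(iface: str, src_ip: str) -> bool:
    """True if a packet with this source address may enter on this interface."""
    prefixes = INTERFACE_PREFIXES.get(iface)
    if prefixes is None:
        return False        # interface with no declared prefixes: fail closed
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False        # unparsable source address: drop
    return any(addr in net for net in prefixes)


def apply_filter(packets: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Split packets into (passed, dropped) according to ingress_allowed."""
    passed, dropped = [], []
    for p in packets:
        (passed if ingress_allowed(p["iface"], p["src"]) else dropped).append(p)
    return passed, dropped


SAMPLE_PACKETS = [
    {"iface": "lan0", "src": "10.10.3.4", "dst": "198.51.100.1"},    # genuine LAN host
    {"iface": "lan0", "src": "203.0.113.9", "dst": "198.51.100.1"},  # forged: not a LAN address
    {"iface": "dmz0", "src": "192.0.2.5", "dst": "198.51.100.1"},    # genuine DMZ host
    {"iface": "lan0", "src": "192.0.2.5", "dst": "198.51.100.1"},    # DMZ address forged from the LAN
    {"iface": "wan0", "src": "10.10.3.4", "dst": "10.10.3.4"},       # no prefixes declared: dropped
]

if __name__ == "__main__":
    passed, dropped = apply_filter(SAMPLE_PACKETS)
    print("passed :", [p["src"] for p in passed])
    print("dropped:", [p["src"] for p in dropped])
```

Ingress filtering is applied at the network edge nearest the sender, which is why it protects other people's networks more than one's own: it stops forged packets from leaving, covering all three cases listed above, including the DoS case where the attacker never needs a reply.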

5. Man in the Middle:-
In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they're talking to each other, and the attacker can delete or modify the communications at will.
The idea behind this attack is to get in between the sender and the recipient, access the traffic, modify it and forward it to the recipient. The term “Man-in-the-middle” has been used in the context of computer security since at least 1994. Some different variants of this kind of attack exist, but a general definition of a man-in-the-middle attack may be described as a “computer security breach in which a malicious user intercepts — and possibly alters — data traveling along a network.”
One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates himself between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions. This form of attack is successful for both HTTP and HTTPS communications.
For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to their proxy server instead of the real server. Let's look at what kinds of MITM attacks can be used and under what scenario.


Here is a list of different types of MITM attacks:
LOCAL AREA NETWORK:
1) ARP poisoning
2) DNS spoofing
3) STP mangling
4) Port stealing
FROM LOCAL TO REMOTE (through a gateway):
1) ARP poisoning
2) DNS spoofing
3) DHCP spoofing
4) ICMP redirection
5) IRDP spoofing - route mangling
REMOTE:
1) DNS poisoning
2) Traffic tunneling
3) Route mangling
However, with respect to identity theft, the 'transparent proxy attack' and the 'DNS poisoning attack' are the most popular in the hacking community. Here is an explanation of both attacks:
• Transparent proxy attack
To execute this attack, the attacker tricks the victim through the four steps below. Step four explains how the MITM works in the case of HTTPS.
STEP1
URL rewriting: Prepend all URLs with the attacker's host so that requests are routed through it. http://home.netscape.com/ becomes http://www.attacker.org/http://www.server.com/
STEP2
Pages are then requested through www.attacker.org, which functions as a proxy to fetch the true page (in this case, http://www.server.com/), applying any of the attacker's desired transformations in the process.
STEP3



STEP 4
After the above steps have been executed there is a secure connection between the victim and the attacker's host, of which the victim is unaware: he is happy to see that he has a secured connection and assumes his data is safe.
The attacker can then create a secure connection to the real host, decrypt the received data, apply transformations, re-encrypt for the victim, and send it on to him. The victim remains uninformed, but the hacker has already achieved his goal.
• DNS Cache Poisoning
This is another popular MITM attack with hackers when it comes to "phishing". The attack is based on the simple convention of IP-to-hostname resolution. Here is how it works:
Every system has a hosts file in its system directory; on Windows this file resides at the following location:
C:\WINNT\system32\drivers\etc
Your computer also has a hidden system file called the Hosts file. This file can be used to hard code domain name translations and direct you to a different site.
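Added example, not from the original notes: a Python audit of a hosts file that flags hostnames pinned to non-loopback addresses outside the suffixes the organisation manages itself, which is how a planted entry redirecting a public site to an attacker's address would surface. The file content and the suffix list are constructed; the real file is the hosts file in the Windows directory named above, or /etc/hosts on Unix systems.

```python
import ipaddress
from typing import List, Tuple

# Added example (not from the original notes). The hosts file content is
# constructed; the list of domain suffixes that may legitimately be pinned
# locally is an assumption to be replaced with the organisation's own.
HOSTS_SAMPLE = """\
# constructed hosts file for the example
127.0.0.1     localhost
::1           localhost
10.0.0.5      intranet.corp.example   # pinned by IT, expected
203.0.113.45  www.bank.example        # a public site pinned to a foreign address
"""

LOCAL_SUFFIXES = (".corp.example",)


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_hosts(text: str, local_suffixes=LOCAL_SUFFIXES) -> List[Tuple[str, str]]:
    """Flag hostnames mapped to a non-loopback address that are not in the
    suffixes the organisation intentionally pins. Returns [(name, ip)]."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("<unparsable>", ip))   # malformed line is itself suspicious
            continue
        if addr.is_loopback:
            continue                                  # localhost entries are normal
        for name in names:
            if name.endswith(local_suffixes):
                continue                              # internal names pinned on purpose
            findings.append((name, ip))
    return findings


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Run the audit against a real hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for name, ip in audit_hosts(HOSTS_SAMPLE):
        print(f"suspicious: {name} -> {ip}")
```

Because the hosts file is consulted before DNS on both Windows and Unix resolvers, one planted line overrides any correct answer the DNS server would give; the file therefore belongs in whatever integrity monitoring the endpoint already has, and this audit is a quick manual version of that check.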
6. TCP/IP Hijacking:-
TCP/IP hijacking is one of the simplest, yet most powerful attacks a hacker can use. With proper use, TCP/IP hijacking can be used to sniff passwords and other information from a switched network. When an Ethernet network uses a hub, packets sent to the hub from a PC on the network are transmitted to all of its ports. Using a hub on your network therefore makes sniffing all the data on the network easy. What about sniffing on a switched network? A switch is more intelligent than a hub. On a switched network, the switch inspects the packets it receives and then forwards each packet to the correct destination according to its table. This makes sniffing on the network a bit harder.

What is TCP/IP Hijacking?

With TCP/IP hijacking, an attacker sets up a device on the network that tricks other devices into sending their packets to it instead of to their intended destination. On wired networks, TCP/IP hijacking uses a technique known as spoofing, which is basically the act of pretending to be something you are not.
One of the most common types of spoofing used in TCP/IP hijacking is Address Resolution Protocol (ARP) spoofing. Every computer on an Ethernet network using TCP/IP must have a unique IP address. It must also have another address, the media access control (MAC) address, so that it can move packets around the network. Each computer on the network keeps a table of IP addresses and their corresponding MAC addresses, known as the ARP table. In ARP spoofing, a hacker changes that table to redirect packets on the network to their own computer.
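As an added example (not code from the original notes), the Python below shows how a monitor on the segment can detect the ARP-table rewriting just described: it keeps its own IP-to-MAC bindings and raises an alert when a binding changes or when one MAC starts answering for several IPs. The ARP replies are a constructed sample, and the addresses in it are not real.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a passive monitor might record them:
# (seconds since start, sender IP, sender MAC). Not captured from a real network.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (5, "192.168.1.1", "aa:bb:cc:00:00:30"),   # gateway IP now claimed by .30's MAC
    (6, "192.168.1.20", "aa:bb:cc:00:00:30"),  # .20 also claimed by that MAC
]


def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return alert strings for replies that rewrite an IP-to-MAC binding.

    Two signals correspond to the attack described above: an IP whose MAC
    binding changes (the ARP table being changed to redirect traffic), and a
    single MAC claiming more IPs than one host normally owns.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"t={t}: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={t}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A legitimately re-addressed host will also trigger the first signal, so in practice such alerts are correlated with DHCP leases or static ARP entries for the gateway before anyone acts on them.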

TCP connection hijacking is one of the man-in-the-middle attacks. With this attack, an attacker can allow normal authentication to proceed between the two hosts and then seize control of the connection. There are two possible ways to do this: one is during the TCP three-way handshake, and the other is in the middle of an established connection. Connection hijacking exploits a "desynchronized state" in TCP communication. When two hosts are desynchronized enough, they will discard (ignore) packets from each other. An attacker can then inject forged packets with the correct sequence numbers (and potentially modify or add commands to the communication). This requires the attacker to be located on the communication path between the two hosts so that he can eavesdrop, in order to replicate the packets being sent.
TCP connection hijacking allows attackers to view and change private information.
TCP Connection Hijacking Mitigation
Connection hijacking (man-in-the-middle) attacks rely upon IP spoofing. By using an IPsec VPN at the network layer, together with session and user (or host) authentication and data encryption at the application layer and the data link layer, the risk of IP spoofing, and therefore of connection hijacking, is reduced significantly.


TCP Connection Hijacking (Man-In-The-Middle Attack)


 Security Basics:-

Computer security requires methods to ensure the security of a system. Nowadays computers are connected to each other via networks, which introduces network security. As computers became more dispersed, security became more of an issue of preserving data and protecting its validity, as well as keeping the secrets secret. As computers moved onto the desktop and into the home, computer security took the form of protection against data thieves and network attackers.
Computer security and network security are part of a larger undertaking that protects your computer and everything associated with it: your building, your terminals and printers, your cabling, and your disks and tapes. Most importantly, computer security protects the information you've stored in your system. That's why computer security is often called information security.
You can get a good thumbnail sketch of computer and network security by examining the principles on which it is founded. Computer and network security are built on three pillars, commonly referred to by the C-I-A acronym:
• Confidentiality
• Integrity
• Availability
Data is confidential if it stays obscure to all but those authorized to use it. Data has integrity as long as it remains identical to its state when the last authorized user finished with it. Data is available when it is accessible by authorized users in a convenient format and within a reasonable time.
1. Secrecy and Confidentiality:-
A secure computer system must not allow information to be disclosed to anyone who is not authorized to access it. For example, in highly secure government systems, secrecy ensures that users access only information that they are allowed, by the nature of their security clearances, to access. Similarly, in business environments, confidentiality ensures the protection of private information (such as payroll data) as well as sensitive corporate data (such as internal memos and competitive strategy documents).
Of course, secrecy is of paramount importance in protecting national defense information and highly proprietary business information. In such environments, other aspects of security (e.g., integrity and availability), while important, may be less critical.
2. Accuracy or Integrity:-
Accuracy or integrity means that the system must not corrupt the information or allow any unauthorized malicious or accidental changes to it. A secure computer system must maintain the continuing integrity of the information stored in it.
As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward approach is total stream protection.
3. Availability:-
A secure computer system must keep information available to its users. Availability means that the computer system's hardware and software keep working efficiently and that the system is able to recover quickly and completely if a disaster occurs.
Both X.800 and RFC 2828 define availability to be the property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system.
4. Authentication:-
It is used to establish proof of identity.
The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from.
5. Non-repudiation:-
It deals with the ability to verify that a message has been sent and received; the sender can be identified and verified.
Non-repudiation prevents either the sender or the receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the message. Similarly, when a message is received, the sender can prove that the alleged receiver in fact received the message.

 Operational Model of Security:-

One of the mechanisms to protect a computer system is prevention of unauthorized entry. For example, if unauthorized users are not allowed to gain access to the computer system, it can be considered safe or protected.
But sometimes a mishap or malicious act may be committed by authorized users, and sometimes techniques are used to bypass the prevention mechanism. In such cases, after prevention has failed, some technology or mechanism must be used to detect the problem and take proper action; that is, detection and response must be added to prevention techniques in order to fulfill the security requirements of the system.
Protection is thus achieved by prevention plus detection and response. This is known as the operational model of computer security, and the different security techniques and technologies each try to fulfill one part of it.

Protection = Prevention + Detection + Response

Prevention        Detection                   Response
Access control    Audit logs                  Backup
Firewall          Intrusion detection system  Incident response team
Encryption        Honey pots                  Computer forensics

 Access Control:-

Access is the ability of a subject to interact with an object. Authentication deals with verifying the identity of a subject: it is the process used to verify to the computer system or network that an individual is who they claim to be. The most common method of doing this is the use of a user ID and password.
Access control can be implemented in computer systems and networks in several ways. An access control matrix, with subjects as rows, objects as columns and the permitted rights in each cell, provides the simplest framework for showing the process.
How does computer system security provide protection? There are four primary methods:
1. System access controls
These methods ensure that unauthorized users don't get into the system and encourage (sometimes force) authorized users to be security-conscious, for example by changing their passwords on a regular basis. The system also protects password data and keeps track of who's doing what in the system, especially if what they're doing is security-related (e.g., logging in, trying to open a file, using special privileges). System access controls are the soul of authentication.
2. Data access controls
These methods monitor who can access what data, and for what purpose. Another word for this is authorization, that is, what you can do once you are authenticated. Your system might support discretionary access controls; with these, you determine whether other people can read or change your data. Your system might support mandatory access controls; with these, the system determines access rules based on the security levels of the people, the files, and the other objects in your system. Role-based access controls are a hybrid system; these methods extend individual authorization to group memberships.
3. System and Security Administration
These methods perform the offline procedures that make or break a secure system by clearly delineating system administrator responsibilities, by training users appropriately, and by monitoring users to make sure that security policies are observed. This category also involves more global security management; for example, figuring out what security threats face your system and what it will cost to protect against them.
4. System Design
These methods take advantage of basic hardware and software security characteristics; for example, using a system architecture that's able to segment memory, thus isolating privileged processes from non-privileged processes.
• Types of access controls:-
There are three basic types of access controls that provide different levels of protection to the files in your system:
1) Discretionary access control (DAC)
2) Mandatory access control (MAC)
3) Role-based access control (RBAC)
1. Discretionary access control:-
Discretionary access control is an access policy that restricts access to files (and other system objects such as directories and devices) based on the identity of users and/or the groups to which they belong. With discretionary access control (DAC) you decide how you want to protect your files and whether to share your data.
Discretionary access control may seem burdensome, but it is highly flexible. With some complicated maneuvering, it's possible to accomplish such sharing goals with self/group/public controls, but the more special cases you have, the more unwieldy this kind of file access becomes. The system we will explore next offers little such flexibility.
2. Mandatory access control:-
Mandatory access control is an access policy supported for systems that process especially sensitive data (e.g., government classified information or sensitive corporate data). Systems providing mandatory access controls must assign sensitivity labels to all subjects (e.g., users, programs) and all objects (e.g., files, directories, devices, windows, sockets) in the system. A user's sensitivity label specifies the sensitivity level, or level of trust, associated with that user; it's often called a clearance. A file's sensitivity label specifies the level of trust that a user must have to be able to access that file. MACs use sensitivity labels to determine who can access what information in your system.
Together, labeling and MAC implement a multilevel security policy: a policy for handling multiple information classifications at a number of different security levels within a single computer system.
3. Role-based access control:-
Role-based access control determines a user's access based on that user's role. For instance, financial managers may need to access all accounting data: taxes, payroll, receivables, collections, credit. A clerk in accounts receivable, however, will need only a subset of the accounting data, and an engineer over in R&D will need very little of it. The role a user is assigned to is based on the least privilege concept. The role is defined with the least amount of permissions or functionalities that is required to get the job done. If the privileges for a role change, permissions can be added or removed. This offers greater flexibility by changing the role instead of changing the user's permissions.
Since a user can belong to more than one role at a time, there is the chance for conflict. One role may allow access to a resource where another role denies access to that resource. Conflicts like this need to be corrected on a user-by-user basis. As a general rule, the least permissive combination is used.
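As an added example (not code from the original notes), the Python below puts the three access control types side by side on a small constructed access control matrix: a DAC check that consults the matrix directly, a MAC check that compares a user's clearance against a file's sensitivity label, and an RBAC check that combines a user's roles using the least-permissive rule from the paragraph above (a deny from any role wins). All subjects, objects, labels and roles are invented for the illustration.

```python
# Ordered sensitivity levels for the MAC labels (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# DAC: an access control matrix, subject -> object -> set of rights.
DAC_MATRIX = {
    "alice": {"payroll.xls": {"read", "write"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write"}},
}

# MAC: clearances assigned to users and sensitivity labels assigned to files.
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"payroll.xls": "secret", "memo.txt": "unclassified"}

# RBAC: each role carries explicit allow (True) / deny (False) decisions per
# right on an object; users hold one or more roles.
ROLE_RULES = {
    "finance_manager": {"payroll.xls": {"read": True, "write": True}},
    "ar_clerk": {"payroll.xls": {"read": False}, "receivables.csv": {"read": True}},
}
USER_ROLES = {"alice": {"finance_manager"}, "carol": {"finance_manager", "ar_clerk"}}


def dac_allows(subject, obj, right):
    """Discretionary: the right must appear in the matrix cell for (subject, obj)."""
    return right in DAC_MATRIX.get(subject, {}).get(obj, set())


def mac_allows(subject, obj):
    """Mandatory: reading requires the user's clearance to dominate the file's
    label; unknown subjects or unlabeled objects are refused."""
    if subject not in CLEARANCE or obj not in LABEL:
        return False
    return LEVELS[CLEARANCE[subject]] >= LEVELS[LABEL[obj]]


def rbac_allows(user, obj, right):
    """Role-based: collect the decision of every role the user holds; the least
    permissive combination wins, so one deny overrides any number of allows,
    and no decision at all means no access."""
    decisions = [ROLE_RULES[role].get(obj, {}).get(right)
                 for role in USER_ROLES.get(user, set())]
    decisions = [d for d in decisions if d is not None]
    return bool(decisions) and all(decisions)
```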