Interception Attack

What is Information Security?

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Types of attacks

When we look at the types of attacks we might face, we can generally place them into one of four categories: interception, interruption, modification, and fabrication. Each category can affect one or more of the principles of the CIA triad, as shown in Figure 1.3. Additionally, the lines between the categories of attack and the particular effects they can have are somewhat blurry. Depending on the attack in question, we might argue for it to be included in more than one category or to have more than one type of effect.

Figure 1.3. Categories of attack.

Interception

Interception attacks allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality. Interception might take the form of unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.

Interruption

Interruption attacks cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well. In the case of a DoS attack on a mail server, we would classify this as an availability attack. In the case of an attacker manipulating the processes on which a database runs in order to prevent access to the data it contains, we might consider this an integrity attack, due to the possible loss or corruption of data, or we might consider it a combination of the two. We might also consider such a database attack to be a modification attack rather than an interruption attack.

Modification

Modification attacks involve tampering with our asset. Such attacks might primarily be considered an integrity attack but could also represent an availability attack. If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file. However, if we consider the case where the file in question is a configuration file that manages how a particular service behaves, perhaps one that is acting as a Web server, we might affect the availability of that service by changing the contents of the file. If we continue with this concept and say the configuration we altered in the file for our Web server is one that alters how the server deals with encrypted connections, we could even make this a confidentiality attack.

Fabrication

Fabrication attacks involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well. If we generate spurious information in a database, this would be considered a fabrication attack. We could also generate e-mail, which is commonly called spoofing. This can be used as a method for propagating malware, such as we might find being used to spread a worm. In the sense of an availability attack, if we generate enough additional processes, network traffic, e-mail, Web traffic, or nearly anything else that consumes resources, we can potentially render the service that handles such traffic unavailable to legitimate users of the system.


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000014

Security

John F. Buford, ... Eng Keong Lua, in P2P Networking and Applications, 2009

Sample Attacks and Threats

Theft is an example of an interception attack. Theft attacks can be targeted at the network, overlay, or application layer with the simple goal of stealing confidential data from others. Theft is the major attack discovered in studies of file sharing system security,479,480,481 in which adversaries took advantage of data leakage and inadvertent disclosures to access confidential information.

Wrapster,486 a free utility initially designed for Napster users, was released in 2000. It can be used as a tool to enable information leakage in P2P file sharing systems. Wrapster is used to transform any file, such as a program, video, or text, into a file in MP3 format to disguise it. An individual then shares the transformed file as an MP3 file using a P2P file sharing system. A receiving peer uses Wrapster to convert the file back to its original format. Thus, using Wrapster together with file sharing software on the company's network, a malicious insider could covertly bypass the company's security mechanisms and policies and leak confidential data to anyone participating in the P2P file sharing system.

The most well-known attack is illegal copying and distribution of multimedia content and software. Copyright protection has been a nonstop battle for the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA). According to recent reports,487 U.S. movie studios lose $447 million annually due to online piracy. Placing copyrighted content online and sharing it freely via P2P file sharing applications has been a key attractor of P2P file sharing and streaming. As a result, the MPAA and RIAA have targeted P2P networks as a potential threat. One of the most famous lawsuits perhaps is the RIAA v. Napster case, which led to an injunction and the shutdown of the original Napster service. The legal controversy has continued beyond Napster, however. For example, in Elektra v. Barker, the RIAA put individual users on the stand. The goal is to prevent unauthorized copying and online distribution of music files.

Bandwidth clogging, an instance of the interruption class of attack, has been a concern of many corporations and universities. It is especially serious for P2P content distribution applications. The rich multimedia (audio and video) files that P2P users share are usually large. Consequently, P2P multimedia download and streaming always cause heavy traffic, which clogs an organization's network and affects the response time and performance of normal business correspondence. The harm escalates when adversaries manipulate peers to issue multimedia downloads or streams simultaneously. This is the reason that many corporations and universities are banning the use of P2P file-sharing or streaming applications.

Denial of service (DoS) is another important type of interruption attack. Almost any attack that obstructs availability can be categorized as a DoS attack. DoS attacks could cause service breakdown through disruption of physical network components; consumption of resources such as storage, computation, or bandwidth; obstruction of communications; and interference with configuration and state information. For example, a DoS attacker may employ malware to max out a user's CPU time or crash a system by triggering errors in instructions.

P2P networks further open up various possibilities for distributed DoS (DDoS) attacks,488,489,490 networked DoS attacks whereby nodes work together to prevent a system from performing its task. For example, an attacker registers with a P2P overlay, gains access to multiple peer devices, plants zombie processes488 (daemons that perform the actual attack) on those peer devices, and launches an attack with all the zombies on a target device or service at a predetermined time. With hundreds or thousands of zombies located on a P2P network working together, the victim's network bandwidth could be easily drained, causing denial of service.

On May 14, 2007, Prolexic Technologies, a network security vendor specializing in protecting Web sites from DoS attacks, issued an alert491 because the company observed an increase in the number and frequency of P2P-based DDoS attacks, which can cause a major local network disruption. "The popularity of peer-to-peer networks has now gained the interest of cyber criminals who see these networks as a huge potential for distributing malware and launching DDoS attacks by convincing 100k+ computers to attack on their behalf. Recently, attackers have found a way to pull off this type of attack anonymously, and with ease, flooding victims with far more connections than they can handle," the article stated. According to Prolexic, the most aggressive P2P-DDoS attack is a so-called DC++492 attack, which employs the popular DC++ open-source client for Windows using a Direct Connect network. In a DC++ attack, the adversary acts as a puppet master, instructing peers of a P2P network to connect to a victim's Website. With a P2P network of N peers, and each peer opening m connections simultaneously, the victim's site could potentially be hit with up to mN connections in short order. Prolexic reported very large DC++ attacks of over 300k (N > 300,000) IP addresses in its article,491 which shows how the DDoS problem constantly evolves. Today, an increasing number of P2P-DDoS attacks are targeting Websites. In these attacks, peers (P2P network client computers, for example) are tricked into requesting a file from the victim's site, allowing the adversary to use the P2P network to overwhelm the victim's site and disrupt its availability. To an adversary, the major advantages of using a DDoS attack include (1) more attack traffic with a large number of distributed or peer resources and (2) more difficulty for the victim to track and shut down the attacking sources or zombies.

DDoS attacks appear in various forms. Mirkovic and Reiher489 classify DDoS attacks based on degree of automation, communication mechanism, scanning strategy, propagation mechanism, exploited vulnerability, attack rate dynamics, and impact. For example, based on degree of automation, these attacks can be categorized into manual attacks, semiautomatic attacks, and automatic attacks; random, hit list, topological, permutation, and local subnet are several classes that exist in scanning strategy-based classifications. Alternatively, the attacks can be grouped into central, back-chaining, and autonomous subsets according to their propagation mechanism.

Later in this chapter we look at how P2P overlay networks can be taken advantage of by adversaries to issue DDoS attacks. Some available methods to defend against DoS attacks are also discussed.

The term virus refers to a program that reproduces by introducing a copy of itself and infecting another computer or device without the permission or knowledge of the user. Often the virus is appended to the end of a file, or the program header is modified to point to the virus code. A virus, as we all know, can cause severe damage to a system or device. A P2P network offers an attractive platform for attackers to spread viruses. A piece of code, the virus, could appear to be a popular file-sharing program and later, when downloaded and accessed, could unknowingly impact many peers in the P2P overlay. The virus gains access to the peers' devices, modifies data and files on the devices, changes user passwords or access data, destroys the file system, and more, causing an interception, an interruption, a modification, and/or a fabrication class of attack.

These examples are only an illustration of the security threats existing in P2P networks. Interested readers can refer to [493] and [494] for more discussion.


URL: https://www.sciencedirect.com/science/article/pii/B9780123742148000143

Jargon, Principles, and Concepts

Mark Osborne, in How to Cheat at Managing Information Security, 2006

Generic Types of Attack

When you are analyzing a new system or protocol against malevolent intrusion, starting at the very basic primitives of CIA can seem self-defeating and long-winded. After all, most attacks inevitably lead to loss of integrity, availability, and confidentiality. For example, a successful buffer overflow attack that gives a hacker shell access will allow that hacker to affect CIA; the same attack, when it fails, may still compromise availability and integrity by corrupting memory or stalling the applicable service.

Even if you are a great fan of CIA impact analysis, when it's applied to specific protocol security analysis many feel it is too abstract and academic. Many prefer either to use common criteria analysis (documented in the next chapter) or to analyze the protocol against generic attack types, as detailed in this section.

Network Enumeration and Discovery

Not really an attack, network enumeration and discovery can be used to assess the extent to which a network will divulge information about itself. Good examples of bad practices are routing protocols that provide routing tables to any peer, just for the asking, and name services and directory services that do the same thing.

Message Interception

Message interception attacks exploit weaknesses in a network's privacy. If you can intercept a message and keep a copy (i.e., packet sniffing), you can obtain valuable information.

Message Injection/Address Spoofing

These attacks exploit weaknesses in the way a network establishes transport connections, allowing the attacker to inject traffic masquerading as coming from a valid IP address and thus gain system access. If I know your network management system is on address 10.0.0.1 and your central system is 10.0.0.100, and if I send a "system down" message to 10.0.0.1 seemingly from 10.0.0.100 in an attempt to cause panic, I am spoofing the source address.

Session Hijacking

Session hijacking is a combination of interception and injection. It allows an attacker to avoid password protections by taking over an existing connection once authentication is complete. For example, if I am sniffing your network, I might be aware that you have a Telnet session between your network management system on address 10.0.0.1 and your central system 10.0.0.100. If I send a series of packets to the NMS on 10.0.0.1 that causes you to drop the connection but at the same time continue to send packets to 10.0.0.100 with a spoofed address of 10.0.0.1, I have hijacked the session.

Denial of Service

Denial-of-service (DoS) attacks are designed to deny legitimate users access to resources. They can involve many attackers, in which case the attack is said to be a distributed DoS (DDoS) attack.

Message Replay

Message replay attacks cause disruption by replaying genuine traffic that has been recorded previously using sniffer software.

Social Engineering

Social engineering is a term used to describe situations in which an attacker masquerades as a genuine employee and tricks a third party into divulging information (such as a password) that will permit the attacker access to the system. A typical example is pretending to be an employee, phoning up the help desk, and asking for that employee's password.

Brute-Force Attacks on Authenticated Services

Brute-force attacks apply automated methods to repetitively guess authentication credentials. For example, repeated attempts to log in at the Telnet prompt constitute an online brute-force attack. Offline attacks include using John the Ripper or Crack to crack a UNIX shadow file, or using a crypto workbench to discover a secret key.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491105500105

Threats to VoIP Communications Systems

Thomas Porter, Michael Gough, in How to Cheat at VoIP Security, 2007

ARP Spoofing

ARP is a fundamental Ethernet protocol. Perhaps for this reason, manipulation of ARP packets is a potent and frequent attack mechanism on VoIP networks. Most network administrators assume that deploying a fully switched network to the desktop prevents network users from sniffing network traffic and potentially capturing sensitive information traversing the network. Unfortunately, several techniques and tools exist that allow any user to sniff traffic on a switched network, because ARP has no provision for authenticating queries or query replies. Additionally, because ARP is a stateless protocol, most operating systems (Solaris is an exception) update their cache when receiving an ARP reply, regardless of whether they have sent out an actual request.

Among these techniques, ARP redirection, ARP spoofing, ARP hijacking, and ARP cache poisoning are related methods for disrupting the normal ARP process. These terms often are interchanged and confused. For the purpose of this section, we'll refer to ARP cache poisoning and ARP spoofing as the same process. Using freely available tools such as ettercap, Cain, and dsniff, an evil IP device can spoof a normal IP device by sending unsolicited ARP replies to a target host. The artificial ARP reply contains the hardware address of the normal device and the IP address of the malicious device. This "poisons" the host's ARP cache (see Figure 5.5).

Figure 5.5. ARP Spoofing (Cache Poisoning)

In Figure 5.5, Ned is the attacking computer. When Sam broadcasts an ARP query for Sally's IP address, Ned, the attacker, responds to the query stating that the IP address (10.1.1.2) belongs to Ned's MAC address, BA:DB:AD:BA:DB:AD. Packets sent from Sam supposedly to Sally will be sent to Ned instead. Sam will mistakenly assume that Ned's MAC address corresponds to Sally's IP address and will direct all traffic destined for that IP address to Ned's MAC. In fact, Ned can poison Sam's ARP cache without waiting for an ARP query, since on Windows systems (9x/NT/2K) static ARP entries are overwritten whenever a query response is received, regardless of whether or not a query was issued.

Sam's ARP cache now looks like this:

Internet Address   Physical Address
10.1.1.1           AA:BB:CC:DD:EE:FF   int0
10.1.1.2           BA:DB:AD:BA:DB:AD   int0

This entry will remain until it ages out or a new entry replaces it.

ARP redirection can work bidirectionally, and a spoofing device can insert itself in the middle of a conversation between two IP devices on a switched network (see Figure 5.6). This is probably the most insidious ARP-related attack. By routing packets on to the devices that should truly be receiving them, this insertion (known as a Man/Monkey/Moron in the Middle attack) can remain undetected for some time. An attacker can route packets to /dev/null (nowhere) as well, resulting in a DoS attack.

Figure 5.6. An ARP MITM Attack

Sam's ARP cache:

Internet Address   Physical Address
10.1.1.1           AA:BB:CC:DD:EE:FF   int0
10.1.1.2           BA:DB:AD:BA:DB:AD   int0

Sally's ARP cache:

Internet Address   Physical Address
10.1.1.1           BA:DB:AD:BA:DB:AD   int0
10.1.1.2           AA:BB:CC:DD:EE:00   int0

As all IP traffic between the true sender and receiver now passes through the attacker's device, it is trivial for the attacker to sniff that traffic using freely available tools such as Ethereal or tcpdump. Any unencrypted information (including e-mails, usernames and passwords, and web traffic) can be intercepted and viewed.

This interception has potentially drastic implications for VoIP traffic. Freely available tools such as vomit and rtpsniff, as well as private tools such as VoipCrack, allow for the interception and decoding of VoIP traffic. Captured content can include speech, signaling and billing data, multimedia, and PIN numbers. Voice conversations traversing the internal IP network can be intercepted and recorded using this technique.

There are a number of variations of the aforementioned techniques. Instead of imitating a host, the attacker can emulate a gateway. This enables the attacker to intercept numerous packet streams. However, most ARP redirection techniques rely on stealth. The attacker in these scenarios hopes to remain undetected by the users being impersonated. Posing as a gateway may result in alerting users to the attacker's presence due to unanticipated glitches in the network, because switches frequently behave in unexpected ways when attackers manipulate ARP processes. One unintended (much of the time) effect of these attacks, particularly when switches are heavily loaded, is that the switch CAM (Content-Addressable Memory) table—a finite-sized IP address to MAC address lookup table—becomes disrupted. This leads to the switch forwarding unicast packets out many ports in an unpredictable way. Penetration testers may want to keep this in mind when using these techniques on production networks.

In order to limit damage due to ARP manipulation, administrators should implement software tools that monitor MAC to IP address mappings. The freeware tool Arpwatch monitors these pairings. At the network level, MAC/IP address mappings can be statically coded on the switch; however, this is often administratively untenable. Dynamic ARP Inspection (DAI) is available on newer Cisco Catalyst 6500 switches. DAI is part of Cisco's Integrated Security (CIS) functionality and is designed to prevent several layer 2 and layer 3 spoofing attacks, including ARP redirection attacks. Note that DAI and CIS are available only on Catalyst switches using native mode (Cisco IOS).
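As an added example (not code from the book), the following Python parses ARP reply frames and replays the Figure 5.5 poisoning against two cache policies: the stateless update that most operating systems perform, and a Solaris-style cache that only honours a reply to its own outstanding query. It also raises an Arpwatch-style "flip flop" alert when the MAC recorded for an IP changes. Sam's and Sally's MAC addresses are read from the cache listings above; the frame bytes are constructed here.

```python
"""ARP reply parsing, two cache-update policies, and an Arpwatch-style flip-flop alert."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ARP_REPLY = 2
# Addresses taken from the Figure 5.5 / 5.6 cache listings (assumed: FF is Sam, 00 is Sally).
SAM_MAC, SALLY_MAC, NED_MAC = "AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:00", "BA:DB:AD:BA:DB:AD"
SAM_IP, SALLY_IP = "10.1.1.1", "10.1.1.2"


@dataclass
class ArpReply:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def _fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpReply]:
    """Parse an Ethernet frame carrying an ARP reply; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":          # EtherType 0x0806 = ARP
        return None
    hw_type, proto, hw_len, p_len, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hw_len, p_len) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpReply(_fmt_mac(smac), _fmt_ip(sip), _fmt_mac(tmac), _fmt_ip(tip))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct a sample captured reply frame so the parser can be exercised offline."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


@dataclass
class ArpCache:
    stateful: bool                      # True: only accept replies to our own pending queries
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def query(self, ip: str) -> None:
        self.pending.add(ip)            # we broadcast "who has <ip>?"

    def on_reply(self, r: ArpReply) -> bool:
        if self.stateful and r.sender_ip not in self.pending:
            self.alerts.append(f"dropped unsolicited reply for {r.sender_ip} from {r.sender_mac}")
            return False
        self.pending.discard(r.sender_ip)
        old = self.table.get(r.sender_ip)
        if old and old != r.sender_mac:  # Arpwatch reports this as a "flip flop"
            self.alerts.append(f"flip flop {r.sender_ip}: {old} -> {r.sender_mac}")
        self.table[r.sender_ip] = r.sender_mac
        return True


def replay_figure_5_5(stateful: bool) -> ArpCache:
    """Sam's cache sees Sally's genuine answer, then Ned's unsolicited poison reply."""
    cache = ArpCache(stateful=stateful)
    cache.query(SALLY_IP)
    frames = [
        build_arp_reply(SALLY_MAC, SALLY_IP, SAM_MAC, SAM_IP),   # genuine answer to Sam's query
        build_arp_reply(NED_MAC, SALLY_IP, SAM_MAC, SAM_IP),     # Ned claims 10.1.1.2, no query open
    ]
    for frame in frames:
        reply = parse_arp_frame(frame)
        if reply is not None:
            cache.on_reply(reply)
    return cache
```

With the stateless policy Sam ends up with 10.1.1.2 mapped to Ned's MAC (exactly the poisoned cache shown above) and a flip-flop alert; the stateful cache keeps Sally's MAC and logs the dropped unsolicited reply instead.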

The potential risks of decoding intercepted VoIP traffic can be eliminated by implementing encryption. Avaya's Media Encryption feature is an example of this. Using Media Encryption, VoIP conversations between two IP endpoints are encrypted using AES. In highly secure environments, organizations should ensure that Media Encryption is enabled on all IP codec sets in use.

DAI enforces authorized MAC-to-IP address mappings. Media Encryption renders traffic, even if intercepted, unintelligible to an attacker.

The following are some additional examples of call or signal interception and hijacking. This class of threats, though typically more difficult to accomplish than DoS, can result in significant loss or alteration of data. DoS attacks, whether caused by active methods or inadvertently, although important in terms of quality of service, are mostly irritating to users and administrators. Interception and hijacking attacks, on the other hand, are almost always active attacks with theft of service, data, or money as the goal. Note that this list is not exhaustive but illustrates some attack scenarios.

Rogue VoIP Endpoint Attack: A rogue IP endpoint contacts the VoIP server by leveraging stolen or guessed identities, credentials, and network access. For instance, a rogue endpoint can use an unprotected wall jack and auto-registration of VoIP phones to get onto the network. RAS password guessing can be used to masquerade as a legitimate endpoint. Lax account maintenance (expired user accounts left active) increases the risk of exploitation.

Registration Hijacking: Registration hijacking occurs when an attacker impersonates a valid UA to a registrar and replaces the registration with its own address. This attack causes all incoming calls to be sent to the attacker.

Proxy Impersonation: Proxy impersonation occurs when an attacker tricks a SIP UA or proxy into communicating with a rogue proxy. If an attacker successfully impersonates a proxy, he or she has access to all SIP messages.

Toll Fraud: A rogue or legitimate VoIP endpoint uses a VoIP server to place unauthorized toll calls over the PSTN. For instance, inadequate access controls can let rogue devices place toll calls by sending VoIP requests to call processing applications. VoIP servers can be hacked into in order to make free calls to outside destinations. Social engineering can be used to obtain outside line prefixes.

Message Tampering: Capture, modify, and relay unauthenticated VoIP packets to/from endpoints. For example, a rogue 802.11 AP can exchange frames sent or received by wireless endpoints if no payload integrity check (e.g., WPA MIC, SRTP) is used. Alternatively, these attacks can occur through registration hijacking, proxy impersonation, or an attack on any component trusted to process SIP or H.323 messages, such as the proxy, registration servers, media gateways, or firewalls. These represent non-ARP-based MITM attacks.

VoIP Protocol Implementation Attacks: Send VoIP servers or endpoints invalid packets to exploit VoIP protocol implementation CVEs. Such attacks can lead to escalation of privileges, installation and operation of malicious programs, and system compromise. For example, CAN-2004-0054 exploits Cisco IOS H.323 implementation CVEs to execute arbitrary code. CSCed33037 uses unsecured IBM Director agent ports to gain administrative control over IBM servers running Cisco VoIP products.

Notes from the Underground…

ANI/Caller-ID Spoofing

Caller ID is a service provided by most telephone companies (for a monthly cost) that will tell you the name and number of an incoming call. Automatic Number Identification (ANI) is a system used by the phone company to determine the number of the calling party. To spoof Caller-ID, an attacker sends modem tones over a POTS line between rings one and two. ANI spoofing is setting the ANI so as to send incorrect ANI data to the PSTN, so that the resulting Caller-ID is misleading. Traditionally this has been a complicated process, requiring either the assistance of a cooperative phone company operator or an expensive company PBX system.

In ANI/Caller-ID spoofing, an evildoer hijacks the phone number and the identity of a trusted party, such as a bank or a government office. The identity appears on the caller ID box of an unsuspecting victim, with the caller hoping to co-opt valuable information, such as account numbers, or otherwise engage in malicious mischief. This is not a VoIP issue, per se. In fact, one of the large drawbacks of VoIP trunks is their inability to send ANI properly because of incomplete standards.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491693500062