2: Types of Attacks

Social engineering attacks aim to obtain sensitive information by exploiting human factors such as fear, emotion and trust, using a variety of channels.

Types of social engineering attacks:

  • Phishing: usually aimed at getting sensitive data or credentials.

    • Basic scam aimed at as many people as possible (usually through mass mailing)

    • Often abuses brand trust, for example by impersonating Walmart, Google, PayPal, etc.

    • Spear-phishing: A slightly more sophisticated type of phishing that targets specific people, such as CEOs.

      • Targeted phishing attack

      • Whaling: An even more targeted attack aimed at C-level executives such as the CIO, CEO, COO and CFO.

  • Vishing: Phishing done via voice technologies such as voicemail, VoIP and cell phones.

  • Tailgating: An unauthorized person follows an authenticated person into the building without having to authenticate.

  • Shoulder Surfing: Looking over someone's shoulder in order to observe their authentication details.

  • Hoax: Misleading information

  • Watering Hole Attack: This attack targets a group of people who work together by infecting websites the group is known to visit. It takes only a single infected user to gain access to the network.

Why is social engineering effective and successful?

  • Authority

    • People are conditioned to respond to authority.

  • Intimidation

    • Using implied authority as a means of carrying out the attack

    • Example: a higher-ranking military person

  • Consensus

    • When users do not know how to react (say, to an email), they look to others to see how to react (whether to click the link or respond to the email)

  • Scarcity

    • People are more likely to respond to scams when there is a time or availability concern

    • Download "this add-on" to view the page

    • Not being able to view a page until a program is installed makes the victim want to see it even more

  • Familiarity

    • People are comfortable with those they are familiar with

  • Trust

    • The first objective is to establish trust

  • Urgency

Application and Service Based Attacks

  • DoS (Denial of Service) Attack: An attack meant to shut down a machine or network, making it inaccessible to its intended users. It can be either physical or technological.

    • Physical: Someone cuts the power to the data center.

    • Technological: Someone floods the target with more information or packets than it can handle. The machine becomes so busy handling them that it may ultimately crash or shut down.

  • DDoS (Distributed Denial of Service) Attack: Like a DoS attack, its sole purpose is to disrupt the service and prevent legitimate users from doing their job. This time, however, the attacker takes a collaborative approach, using a botnet of zombie machines to attack a target all at once at a chosen time.

  • Man-In-The-Middle Attack (MITM): The attacker sits between two endpoints, where they can intercept, manipulate and redirect data.

  • Buffer Overflow Attack: Attackers exploit buffer overflow bugs by overwriting an application's memory. It happens when the attacker supplies more data than the buffer can hold, so the excess spills over into adjacent memory that is not bounds-checked.

  • Cross-Site Scripting (XSS): The attacker embeds malicious script in a website; when a user visits it, the browser renders the HTML and executes the embedded script as well.

  • Cross Site Request Forgery (CSRF): An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
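As an added example (not part of the original notes), the following Python shows the defender's side of the two web attacks just described: HTML-encoding user input so embedded script is displayed rather than executed (XSS), and checking a per-session token plus the request's Origin before honouring a state-changing request (CSRF). The session, form and header dictionaries stand in for a web framework's request objects.

```python
import hmac
import html
import secrets

# Constructed illustration (not from the original notes) of the two web attacks above:
# output encoding stops reflected XSS, a per-session token stops CSRF.

def render_comment_vulnerable(comment: str) -> str:
    """Reflects user input verbatim, so a <script> tag in it runs in every visitor's browser."""
    return f"<p>{comment}</p>"

def render_comment_safe(comment: str) -> str:
    """HTML-encodes the input; the browser displays the tag as text instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"

def issue_csrf_token(session: dict) -> str:
    """Generates an unpredictable token, stores it in the server-side session and
    returns it so the form can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def is_csrf_safe(session: dict, form: dict, headers: dict, site_origin: str) -> bool:
    """Accept a state-changing request only if the hidden-field token matches the session
    token and the browser-supplied Origin/Referer points at our own site. A form served
    from another site cannot read the token, so the comparison fails."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    if not hmac.compare_digest(expected, submitted):  # constant-time comparison
        return False
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == site_origin or origin.startswith(site_origin + "/")

if __name__ == "__main__":
    evil = "<script>alert(1)</script>"
    print(render_comment_vulnerable(evil))  # script tag survives intact
    print(render_comment_safe(evil))        # &lt;script&gt;... is shown as text
    session = {}
    token = issue_csrf_token(session)
    print(is_csrf_safe(session, {"csrf_token": token},
                       {"Origin": "https://bank.example"}, "https://bank.example"))  # True
    print(is_csrf_safe(session, {"csrf_token": token},
                       {"Origin": "https://evil.example"}, "https://bank.example"))  # False
```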

  • Address Resolution Protocol (ARP) Spoofing: The attacker spoofs a MAC address and gets it into the victim's ARP cache by going through the legitimate ARP process.
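An added example, not from the original notes: detection logic for ARP spoofing run over a constructed list of ARP replies. The addresses and the static IP-to-MAC bindings are invented; the two checks are the ones a defender would apply, watching for an IP whose claimed MAC changes, and comparing replies against known static bindings.

```python
# Constructed ARP reply records (not a real capture): (timestamp_s, sender_ip, sender_mac).
ARP_REPLIES = [
    (100.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (101.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (102.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (103.5, "192.168.1.1",  "de:ad:be:ef:00:99"),  # gateway IP suddenly claimed by another MAC
    (104.0, "192.168.1.1",  "de:ad:be:ef:00:99"),
]

# Assumed static IP-to-MAC bindings for critical hosts (the defender's known-good list).
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

def detect_ip_mac_flaps(replies, window=60.0):
    """Flags an IP whose claimed MAC changes within `window` seconds of the previous claim.
    Returns (timestamp, ip, previous_mac, new_mac) alerts in time order."""
    last_seen = {}  # ip -> (mac, timestamp)
    alerts = []
    for ts, ip, mac in sorted(replies):
        prev = last_seen.get(ip)
        if prev is not None and prev[0] != mac and ts - prev[1] <= window:
            alerts.append((ts, ip, prev[0], mac))
        last_seen[ip] = (mac, ts)
    return alerts

def check_static_bindings(replies, bindings):
    """Flags every reply that claims a protected IP with a MAC other than the bound one,
    the same comparison a switch's dynamic ARP inspection makes against its binding table."""
    return [(ts, ip, mac) for ts, ip, mac in replies
            if ip in bindings and bindings[ip].lower() != mac.lower()]

if __name__ == "__main__":
    for alert in detect_ip_mac_flaps(ARP_REPLIES):
        print("MAC flap:", alert)
    for alert in check_static_bindings(ARP_REPLIES, KNOWN_BINDINGS):
        print("Binding violation:", alert)
```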

  • DNS Poisoning: Having malicious DNS entries in the DNS cache (Recursive DNS) that can send the user to a bad site.

  • Domain Hijacking: Transferring a domain to another, malicious party through illegitimate means.

    • Often goes undisputed

    • Hard to reverse

    • ICANN’s Registrar Transfer Dispute Resolution Policy can be used to seek the return of the domain

  • Typo-squatting: When you make a typo while typing a domain name and land on a different website than the intended one.

  • Click-jacking: Placing hidden links on seemingly legitimate images or clickable content so that clicking redirects the victim to an unintended location

  • Session-hijacking: Using stolen cookies, the attacker performs malicious activity on behalf of the victim, such as a bank fund transfer.

  • Man-In-the-Browser: A malicious piece of code that attackers place inside the browser so they can intercept and capture traffic/data.

  • Zero-Day: An exploit for a vulnerability that is not yet publicly known and for which no fix exists.

  • Driver manipulation:

  • Pass the Hash:

WEP (Wired Equivalent Privacy)

WEP encryption uses shared key authentication and sends the same key with the data packets transmitted across the wireless network. If malicious users have enough time and gather enough data, they can eventually piece together the key.

Rogue AP

A rogue access point is a malicious access point that broadcasts the same SSID as a legitimate one. Once a client connects, it can scrape data and do other things.

Evil twin

It is similar in nature to a rogue access point, but the process is more automated. It clones the NIC information of the legitimate access point and, once a client connects, does what a rogue AP does.

WPS (WiFi Protected Setup)

A network security standard intended to make creating a secure wireless home network easy, but it is poorly implemented.

Bluetooth Attack

Bluejacking: Bluejacking is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones.

Bluesnarfing: Bluesnarfing is the theft of information through Bluetooth. Attackers do it by sneaking into mobile devices (smartphones, laptops, tablets or PDAs) whose connection has been left open by their owners.

Near Field Communication

Near field communication technology can transfer files between two NFC-enabled devices over short-range radio frequencies. If files can be transferred, malware can be transferred the same way.

Known Ciphertext Attack

In cryptography, a ciphertext-only attack (COA) or known ciphertext attack is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts. While the attacker has no channel providing access to the plaintext prior to encryption, in all practical ciphertext-only attacks the attacker still has some knowledge of the plaintext. For instance, the attacker might know the language in which the plaintext is written or the expected statistical distribution of characters in the plaintext.

Examples of protocols vulnerable to known ciphertext attacks: WEP, PPTP (Point-to-Point Tunneling Protocol)

Rainbow Tables

A rainbow table is a pre-computed table for caching the output of cryptographic hash functions, usually for cracking password hashes.

Dictionary Attack

A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.

Brute-force Attack

A brute force attack, also known as an exhaustive search, is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered.
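An added example, not from the original notes, covering the three password attacks above: a tiny precomputed table stands in for a rainbow table and cracks an unsalted MD5 hash in one lookup, while a salted, iterated PBKDF2 hash defeats the table and forces a dictionary attack to pay the full cost for every guess. The wordlist and passwords are constructed, and the iteration count is kept low for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist for illustration; not a real credential set.
WORDLIST = ["password", "letmein", "summer2024", "qwerty", "dragon"]
ITERATIONS = 50_000  # kept low for the demo; production deployments use far more

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

def build_precomputed_table(words):
    """Stands in for a rainbow table: unsalted digest -> password, computed once, reused forever."""
    return {md5_hex(w): w for w in words}

def lookup_unsalted(table, digest_hex):
    """Cracking an unsalted fast hash is a single dictionary lookup."""
    return table.get(digest_hex)

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash (PBKDF2-HMAC-SHA256): the random per-user salt makes every
    precomputed table useless, and the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, salt, digest, iterations=ITERATIONS):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def salted_guess_count(words, salt, digest, iterations=ITERATIONS):
    """How many full PBKDF2 computations a dictionary attack needs against ONE salted hash;
    returns None if the password is not in the wordlist. Nothing can be precomputed before
    the salt is known, and the work must be repeated for every other user's salt."""
    for n, word in enumerate(words, start=1):
        guess = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
        if hmac.compare_digest(guess, digest):
            return n
    return None

if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print(lookup_unsalted(table, md5_hex("letmein")))   # letmein: recovered instantly
    salt, digest = hash_password("letmein")
    print(lookup_unsalted(table, digest.hex()))         # None: the table is useless
    print(salted_guess_count(WORDLIST, salt, digest))   # 2 slow computations
```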

Collision Attack

Trying to find two different inputs that produce the same hash value.

Examples - NTLM, MD5, SHA-1

Therefore, one should use SHA-2 or later members of the SHA family.

Weak Cipher Consideration

  • SSL 2.0 vs SSL 3.0

  • TLS 1.0 vs TLS 1.1 vs TLS 1.2

  • WEP vs WPA vs WPA2

  • TKIP vs CCMP

  • RC4 vs RC5

  • DES vs 3DES vs AES (256-bit)

Remember, WPA2 comes in two versions: WPA2-Personal and WPA2-Enterprise. WPA2-Personal protects against unauthorized network access by using a password configured during setup. WPA2-Enterprise verifies network users through a server. WPA2 is backward compatible with WPA.
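An added example, not from the original notes: a Python ssl client configuration that takes the strong side of each TLS comparison above (TLS 1.2 or newer, AES-GCM/ChaCha20 suites, no RC4, DES/3DES or MD5), together with a small audit of any context against those criteria. The cipher string and the weak-token list are this example's assumptions, not an exhaustive policy.

```python
import ssl

# Name fragments that mark the weak side of the comparisons above (an assumption of this
# example, not an exhaustive list): RC4, single/triple DES, MD5 MACs, NULL and export suites.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP")

def weak_cipher_names(cipher_names):
    """Returns the suite names that contain a weak cipher or MAC token."""
    return [n for n in cipher_names if any(tok in n.upper() for tok in WEAK_TOKENS)]

def hardened_client_context():
    """Client context on the strong side of each comparison: nothing older than TLS 1.2,
    only forward-secret AES-GCM or ChaCha20 suites, and RC4/DES/3DES/MD5 excluded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES:!3DES")
    return ctx

def audit_context(ctx):
    """Findings for an SSLContext: a minimum version below TLS 1.2, or any weak suite still offered."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    offered = [c["name"] for c in ctx.get_ciphers()]
    findings += [f"weak cipher suite offered: {name}" for name in weak_cipher_names(offered)]
    return findings

if __name__ == "__main__":
    ctx = hardened_client_context()
    print(ctx.minimum_version.name)   # TLSv1_2
    print(audit_context(ctx))         # []
```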