Types of Vulnerability Attacks and Impacts:
By: W.P. ("The Gonz") Flinn
With all of the different types of vulnerabilities and security warnings these days, one of the most often asked questions is what it is that all of the various types of attacks actually do. If we take a step back in time and look at what some of the early attacks did, it puts into perspective just how sophisticated and damaging the latest attacks have become. Attacks on computers and the data they contain have come a long way in a very short time. With most of our computers now networked and attached to the Internet, our data can be attacked from far, far away, and the results can be devastating. The attackers have also found that stealing data, finding weaknesses, and disrupting services are all lucrative endeavors that other thieves are willing to pay for.
And if you haven't already, see my review of TechEd 2007 for more information on security and attacks.
A Look Back at Some Early Computer Attacks:
Let's go way back to the day of the early PC, when they were not yet networked to any great extent. The networking architecture back in the day was known as "sneaker-net": files were shared by literally handing floppy disks from person to person. "Sneaker-net" got its name from the idea that you had to put on your sneakers to make the long journey to get the disk to the person you wanted to share with. The most common type of attack at that time was the virus. Worms and backdoors typically weren't useful because of the lack of remote connectivity. Trojan horses were usually not remote access programs; the ones that did exist looked like usable programs but performed some other hidden function, such as corrupting files or erasing the hard drive.
In those days, viruses typically got onto a computer by someone putting an infected floppy disk into the machine, often by way of an infected game program, or by someone using the same disks at school and at home. There were a lot of viruses on college campus computers in those days, making it fairly common to catch a virus by using a computer at school. I remember when I took a computer hardware repair course at a local junior college back in the early 90's: I built a completely separate computer at home to do all my labs and class homework, apart from the computer I used for all my word processing and other work, to prevent getting a virus on my main machine. There was also a lot of software swapping (today we call it piracy), and it wouldn't be uncommon at all for people to pass infected disks to many people. I remember being called to check out one of the office PCs where I worked and finding a computer screen displaying the message: "Your computer has just been Stoned." Stoned was one of the most common early viruses. It was a boot-sector virus: it spread through the boot sector of floppies and the master boot record of hard disks, and its payload was the message itself (it did not deliberately format the drive, although it could corrupt data on the disk where it stashed the original boot sector). I asked the person what they had been running, or particularly had installed on the computer lately, and the reply was (of course) "Nothing!" I looked beside the computer to see a floppy diskette containing a golf game. I scanned the floppy, and sure enough, there was the Stoned virus.
Back then the main damage caused by viruses ranged from an annoying pop-up message of some sort to a complete format of the hard drive. Some viruses would go off randomly, some would go off on a particular day and time. The "Joshi" virus, for example, always went off on the same day of the year (January 5), said to be Joshi's birthday; the story was that the virus writer had dedicated it to their dead son. Remember Michelangelo? Same type of virus; it went off on a particular day (March 6). Since PCs weren't typically networked, and the Internet was not used by us common folk, worms had nothing to spread over in the PC world (the 1988 Morris worm had already shown what a worm could do on the networked Unix machines of the day, but that was a different world from the home PC). Neither did the idea exist of people stealing data or damaging systems over a network or the Internet itself. But now, with networks and the Internet being such ubiquitous parts of our lives, "sniffing" network packets to steal passwords, intercepting and altering data before sending it on to the correct recipient, and even using tactics to deny access to certain web sites or databases are some of the very common attack methods.
Today, we have networks, the Internet, email, and a variety of other ways for computers to be attacked by others who may even be on an entirely different continent. I remember in 1990, there were fewer than 1,000 viruses. Last I checked there were over 50,000 viruses, including their variant forms. When I attended the recent Microsoft TechEd conference (see my review here), it was revealed that 82% of all email today is SPAM. Much of the SPAM out there these days contains phishing attacks and links to malicious sites. Another startling fact that was mentioned was that there were currently 3,700 distinctly different malicious image files that exploit the WMF vulnerability disclosed at the end of 2005 (patched as MS06-001 in January 2006). There are also 38 million plus other potentially unwanted programs (PUPs) circulating on the Internet. We also have worms, Trojan horses, backdoors, remote exploits, and a variety of other ways for our computers to be vulnerable.
So I wanted to take a look at some of the more common types of attacks and what kinds of impacts they can have. I am discussing the attack impacts in this article, but the attack itself can come in the form of any of the methods I just mentioned, as well as attackers luring users to malicious web sites or convincing them to open an infected email attachment, an approach known as social engineering. The various attack vectors are too many to mention here, but I thought it important to at least discuss the impacts that attacks commonly present. The bad news is that this article only scratches the surface of what is out there.
Keep in mind that the objective of any of these attacks is to violate security. The three basic tenets of computer security are the three parts of the C-I-A triad, as defined below:

- Confidentiality: not exposing personal or sensitive information to unauthorized people;
- Integrity: not having data altered so that it is inaccurate, incorrect, or unusable;
- Availability: being able to get to your data or information services when you need to.

An attack can be focused on one or more of those three aspects of data security, and can come in a variety of ways. So let's take a look at some of the various impacts of malicious attacks:
The Methodologies and Impacts:
File transfer location tampering: This mainly consists of capturing data in transit and re-routing it to a location other than the one intended. If someone is transferring financial or other sensitive data, the attacker can get hold of it for identity theft, corporate espionage, or other reasons. Data falling into the wrong hands is often a devastating problem and can result in serious damage to an individual or corporation. The attacker may make the attack less noticeable by capturing the data and then forwarding it on to the correct recipient. The intent is not to prevent data from being correctly transmitted; the intent is simply to steal the data and use the information for financial gain, and the criminal gets more mileage out of the attack by making it less noticeable that it is happening. A variety of methods can be used for this, including ARP poisoning and the other methods used for "man in the middle" attacks. Note that a checksum or signature on the data does nothing against this passive copy, because a relay that forwards the bytes unchanged never trips an integrity check; only encrypting the data in transit protects its confidentiality.

Elevation of privileges: This is a very common result of an attack, and can lead to other types of attacks or more serious outcomes. If an attacker can get administrator-level privileges on a computer, then they can basically do anything they want. This includes taking control of the computer, installing other malicious software, deleting files, changing configuration settings, and doing many other high-level tasks that only an administrator can do. This is why it is so important to use your computer (especially while on the Internet) as a limited user. If you are on the computer as a user with no administrative privileges, it is much more difficult for malicious code to run and do damage. Windows Vista addresses this very serious concern by implementing a feature called User Account Control (UAC), which runs even administrator accounts with a standard-user token until an elevation is explicitly approved, and by having Internet Explorer operate in a low-privilege "Protected Mode."
Remote code execution: You are probably already starting to see that many of these attack outcomes do many of the same things. That is true. Remote code execution allows an attacker to remotely take control of a machine, run code, execute programs, and do many other things that can lead to damage, data loss, data theft, or other harm to your system. But additionally, if someone can remotely execute code on your machine, they can also turn your computer into a "zombie" and use it to attack other systems. This often results in what is known as a distributed denial of service (DDoS) attack; see "Denial of service" below for more information. The Windows Vista UAC feature mentioned above also helps to limit this type of impact, since code that runs in a limited-user context cannot install itself system-wide without the user approving an elevation.
Denial of service (DoS): Remember the three parts of the information security triad are confidentiality, integrity, and availability. This particular attack outcome takes away the availability of your system, or other systems' ability to reach its resources. There are a variety of ways to do this: crashing a system, tying up a system's resources so that it can't process data properly, or creating huge amounts of network traffic so that others trying to reach a system cannot get to it because of the sheer volume of traffic. If a process can drive your CPU usage up to 100%, then your computer is almost useless and you have a hard time getting work done because it is so slow. If a web server is flooded with bogus SYN packets (the first step of the process used to request a TCP connection with a web server), then its table of half-open connections fills up and it cannot accept the legitimate connections needed to serve web pages or other data.
Distributed denial of service (DDoS): This is simply the case of all of the above, mentioned in "Denial of service," being performed by many computers simultaneously. In fact, it is usually a combination of the above attacks, where some code has been planted on and executed from compromised computers. These many "zombie" computers simply take commands from a central attacker to flood the network with attack packets and cause the target (the web server in the case above) to be literally flooded with connection requests and no longer respond to anything. The target is then unavailable, and thus service is denied to all legitimate computers that try to connect. Because the traffic arrives from thousands of unrelated addresses, there is no single source to block, which is what makes a DDoS so much harder to stop than a DoS from one machine.
Modifying information: This impact is specifically aimed at integrity (the "I" in C-I-A). As in the case of file transfer location tampering mentioned above, the goal here is to intercept information before sending it on. However, the intent is not just to steal the information to use it for financial gain later. This type of attack may be carried out for a few different reasons. In one example, the data may be modified so as to actually cause damage to an organization by making their data incorrect and therefore useless. The purposely injected errors may be extremely difficult to locate, costing extensive staff-hours of research to correct. Another use of this type of attack is to divert financial transaction amounts for financial gain. The easiest way to illustrate this is the case of someone billing you $100 for goods or services that only cost $90. They record in the system that the services cost $90, that they billed you $90, and that $90 was received from you. They then pocket the other $10 for themselves. You may have seen the movie "Office Space," where the guys injected a so-called "virus" into the system that took the rounded-off interest (fractions of a penny) and diverted it to an off-shore account for themselves (the old "salami slicing" scheme). To make a good plot, the plan backfired, and they ended up with way too much money and in a position of being easily discovered. This is another aspect of this type of attack: the interception, modification, and theft of data are meant to be difficult to detect.
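The two interception impacts above (the passive copy-and-forward of "file transfer location tampering" and the active rewrite of "modifying information") are easiest to see side by side. The following is an added example written for this article, not code from the original page: an in-memory relay stands in for the network, the message format, the pre-shared key and the account numbers are all constructed for the demonstration, and the recipient checks an HMAC-SHA256 tag over the message.

```python
"""
Interception vs. modification of a transfer in transit, with an integrity
check at the recipient. Added example for this article; the relay, message
format, key and amounts are constructed, there is no real network traffic.
"""
import hashlib
import hmac
import json

# Assumed pre-shared key between sender and recipient (constructed value).
SHARED_KEY = b"example-shared-key-not-for-production"


def make_message(payload: dict) -> bytes:
    """Sender side: serialise the payload and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_message(wire: bytes):
    """Recipient side: recompute the tag and reject anything that does not match.

    Returns (ok, payload). compare_digest is constant-time, so the comparison
    does not leak how many leading tag bytes were right.
    """
    body, _, tag = wire.rpartition(b"|")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, json.loads(body)


def passive_relay(wire: bytes, captured: list) -> bytes:
    """'File transfer location tampering' as the article describes it: the
    attacker keeps a copy and forwards the bytes unchanged, so the recipient
    sees nothing wrong."""
    captured.append(wire)
    return wire


def modifying_relay(wire: bytes, new_amount: int) -> bytes:
    """'Modifying information': the attacker rewrites a field in transit.
    Without SHARED_KEY the attacker cannot recompute the tag, so the old
    tag is forwarded with the new body."""
    body, _, tag = wire.rpartition(b"|")
    payload = json.loads(body)
    payload["amount"] = new_amount
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body + b"|" + tag


def run_scenarios():
    """Push one transfer through both relays and report what the recipient
    sees. Returns a dict so the outcome can be checked programmatically."""
    original = {"from": "acct-1001", "to": "acct-2002", "amount": 90}  # constructed
    wire = make_message(original)

    captured = []
    ok_passive, seen_passive = verify_message(passive_relay(wire, captured))
    ok_modified, _ = verify_message(modifying_relay(wire, 100))

    return {
        "passive_verified": ok_passive,         # True: integrity check passes...
        "passive_leaked": captured[0] == wire,  # ...while the attacker holds a full copy
        "passive_payload": seen_passive,
        "modified_verified": ok_modified,       # False: the rewrite is detected
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The point of running both relays against the same message is the asymmetry: the tag catches the rewritten amount, but it does nothing about the passive copy, which is why the confidentiality case in the text calls for encryption of the link (TLS, an SSH tunnel) rather than a checksum, and why the integrity case needs a keyed tag rather than a plain CRC the attacker could recompute.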
Spoofing: Simply doing any of the above, but making the attacker's identity appear to be the identity of someone else, is known as spoofing. This can manifest itself in a few different ways. One way is for an attacker to get your login credentials, log in as (or appear to log in as) you, and perform tasks under your name. If Bob (the attacker) logs in as Gary and deletes a bunch of files, the audit logs will show that Gary did it. Gary gets blamed and has a hard time proving it wasn't him. Another type of spoofing comes into play in the DoS and DDoS attacks mentioned above, where requests for a web site, for example, are sent with the return network address of the computer purposely changed. The server's acknowledgement (the SYN-ACK) then gets sent to an address that either doesn't exist or belongs to a computer that did not make the request. In the meantime, the web server is waiting for the remote computer's acknowledgement to its acknowledgement (the SYN, SYN-ACK, ACK process in the TCP three-way handshake). This is one way in which DoS works: the target machine is tied up holding half-open connections for computers that don't exist, and is then too busy to service legitimate requests. Attackers prefer spoofed addresses that are unreachable; if the address belongs to a live host, that host answers the unexpected SYN-ACK with a RST, which frees the half-open entry and blunts the attack. Most operating systems now support "SYN cookies," which let the server keep no state at all for a half-open connection, and that is the standard defense against this particular flood.
Figures: Normal TCP Connection; Spoofed TCP Connection. (Click images to see full size.)
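To make the "Denial of service," "Distributed denial of service" and "Spoofing" passages concrete, here is an added example written for this article (not code from the original page) that simulates a SYN flood from spoofed source addresses against two listeners: a classic one that keeps a half-open entry per SYN, and one that uses SYN cookies. The packets are plain Python tuples, the addresses, backlog size and cookie secret are constructed for the example, and no real sockets are opened.

```python
"""
Spoofed SYN flood against a stateful listener vs. a SYN-cookie listener.
Added example for this article; packets are simulated, all values constructed.
"""
import hashlib
import hmac
import random

COOKIE_SECRET = b"example-syn-cookie-secret"   # assumed server-side secret
MASK32 = 0xFFFFFFFF


class StatefulServer:
    """Classic listener: every SYN allocates a half-open entry that lives until
    the third-step ACK arrives. `backlog` bounds how many can be pending."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}       # (src_ip, src_port) -> server ISN sent in SYN-ACK
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1              # table full: SYN silently discarded
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = isn
        return isn                              # SYN-ACK carries isn as its seq

    def on_ack(self, src, ack):
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieServer:
    """Keeps no per-SYN state. The ISN is a keyed hash of the client tuple, so a
    correct third-step ACK proves the client really received the SYN-ACK.
    (Real SYN cookies also fold in a timestamp and the client's MSS.)"""

    def __init__(self):
        self.established = set()

    def _cookie(self, src):
        msg = f"{src[0]}:{src[1]}".encode()
        digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src):
        return self._cookie(src)                # nothing stored server-side

    def on_ack(self, src, ack):
        if ack != (self._cookie(src) + 1) & MASK32:
            return False
        self.established.add(src)
        return True


def spoofed_syn_flood(server, count):
    """Attacker sends SYNs from random forged sources. The SYN-ACKs go to hosts
    that do not exist, so no ACK, and crucially no RST, ever comes back."""
    for _ in range(count):
        src = (f"10.{random.randrange(256)}.{random.randrange(256)}.{random.randrange(1, 255)}",
               random.randrange(1024, 65536))
        server.on_syn(src)


def legitimate_client(server, src=("192.0.2.10", 40000)):
    """A real client completes the three-way handshake if the server lets it."""
    isn = server.on_syn(src)
    if isn is None:
        return False                            # no SYN-ACK ever came back
    return server.on_ack(src, (isn + 1) & MASK32)


def demo(flood_size=1000, backlog=128):
    """Flood both servers, then try one honest connection against each."""
    random.seed(1)                              # reproducible forged addresses
    stateful = StatefulServer(backlog)
    spoofed_syn_flood(stateful, flood_size)
    stateful_ok = legitimate_client(stateful)

    cookie = SynCookieServer()
    spoofed_syn_flood(cookie, flood_size)
    cookie_ok = legitimate_client(cookie)

    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped": stateful.dropped_syns,
        "stateful_client_connected": stateful_ok,
        "cookie_client_connected": cookie_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The stateful table saturates at its backlog and the honest client's SYN is dropped along with the attacker's, while the cookie server, having stored nothing, still completes the honest handshake. The simulation leaves out the half-open timeout a real stack applies; a flood only needs to arrive faster than entries expire, which is exactly what a DDoS from many zombies guarantees.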
Theft of sensitive information: As in the case of file transfer location tampering, the primary purpose of this type of attack is, as its name implies, to steal data. Remember, this is the "confidentiality" part of the C-I-A triad: exposing data to unauthorized people. File transfer location tampering involves intercepting data, stealing it, possibly modifying its contents, then possibly (or not) sending it on to its intended recipient; this is just outright theft. Many of the other previously mentioned impacts can contribute to a criminal's ability to steal information. If an attacker can elevate their privileges on your machine, for example, they can browse all of the folders on your computer, not just the folders available under a limited user's logon context. There may be a variety of reasons for stealing data from a computer, including using the data for identity theft, stealing proprietary information, or stealing password files so as to crack them and use them to gain further system access.
Buffer overflow: A buffer is simply memory space used to temporarily store data. For example, your computer has buffers for receiving incoming communications until it has a chance to process them and put them into the appropriate place in memory for the working application to access and use. This space is not infinite. If the program does not check how much data it is putting into the buffer, the excess will simply overflow (thus the term buffer overflow) out of the buffer into whatever is stored next to it in memory, with unpredictable results. This type of attack involves sending a computer more data than the buffer can hold, so that the excess spills into adjacent memory: on the stack that is typically the function's saved return address, and in the heap it may be a function pointer or the allocator's bookkeeping. Attackers have found that certain vulnerabilities are susceptible to these buffer overflow attacks. They craft a special input (a packet, a file, a request) that contains more data than the buffer can hold, with a carefully chosen value at the offset of the return address; when the function returns, the processor jumps to an address of the attacker's choosing, often to the attacker's own code carried in the same input. This code execution may result in a crashed computer, elevated privileges so that other attacks will work, or a variety of other undesirable things. The fix is always the same: check the length of the input against the size of the buffer before copying it, or use a language or library that does so for you.
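The mechanism can be reproduced in real memory without writing C, which makes a convenient added example for this article (not code from the original page). Python's ctypes lays a structure over a writable buffer: a 16-byte local buffer followed by a saved frame pointer and a return address, mirroring a typical x86-64 stack frame. That layout, the buffer size and the attacker's values are assumptions made for the demonstration; the unchecked copy is the bug, and the checked copy is the fix.

```python
"""
A stack-frame buffer overflow reproduced in real memory with ctypes.
Added example for this article; the frame layout and all values are constructed.
"""
import ctypes
import struct

BUF_SIZE = 16        # assumed size of the vulnerable local buffer
REGION_SIZE = 64     # our own allocation; the demo's overflow stays inside it


class Frame(ctypes.Structure):
    """Laid out like a vulnerable function's stack frame: the local buffer sits
    directly below the saved registers, so writing past it reaches them."""
    _fields_ = [
        ("buf", ctypes.c_char * BUF_SIZE),   # char buf[16];
        ("saved_rbp", ctypes.c_uint64),      # caller's frame pointer
        ("ret_addr", ctypes.c_uint64),       # where `ret` will jump
    ]


def new_frame(ret_addr=0x0000555555551234):
    """Allocate a writable region and place a Frame at its start.
    Returns (region, frame); keep both so the memory stays alive."""
    region = ctypes.create_string_buffer(REGION_SIZE)
    frame = Frame.from_buffer(region)
    frame.saved_rbp = 0x00007FFFFFFFE000     # constructed, plausible-looking values
    frame.ret_addr = ret_addr
    return region, frame


def unsafe_copy(frame, data: bytes) -> int:
    """strcpy()-style copy with no length check: every byte of `data` lands at
    frame.buf, and anything past BUF_SIZE spills onto saved_rbp and ret_addr.
    Payloads in this demo are kept under REGION_SIZE so only our own region is
    corrupted; a longer one really would scribble over the interpreter's heap,
    which is the 'unpredictable results' the article refers to."""
    ctypes.memmove(ctypes.addressof(frame), data, len(data))
    return len(data)


def safe_copy(frame, data: bytes) -> int:
    """The fix: bound the copy by the buffer size and refuse input that does
    not fit (the strncpy/snprintf/checked-memcpy discipline)."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes does not fit a {BUF_SIZE}-byte buffer")
    ctypes.memmove(ctypes.addressof(frame), data, len(data))
    return len(data)


def overflow_payload(new_ret: int) -> bytes:
    """Classic shape: fill buf, cover saved_rbp with filler, then the
    attacker-chosen return address in little-endian (x86-64 byte order)."""
    return b"A" * BUF_SIZE + b"B" * 8 + struct.pack("<Q", new_ret)


def demo():
    """Run a benign and an oversized input through both copy routines."""
    benign = b"hello"
    evil = overflow_payload(0x4141414141414141)     # constructed attacker value

    region1, frame1 = new_frame()
    unsafe_copy(frame1, benign)
    ret_after_benign = frame1.ret_addr              # untouched
    unsafe_copy(frame1, evil)
    ret_after_evil = frame1.ret_addr                # hijacked

    region2, frame2 = new_frame()
    try:
        safe_copy(frame2, evil)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "payload_len": len(evil),
        "ret_after_benign": ret_after_benign,
        "ret_after_evil": ret_after_evil,
        "rbp_after_evil": frame1.saved_rbp,
        "safe_rejected": rejected,
        "ret_after_safe": frame2.ret_addr,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

A 32-byte input into a 16-byte buffer leaves the frame pointer full of `B`s and the return address set to the attacker's value, and the checked copy refuses the same input before touching memory. On a real target the attacker additionally has to know or guess that address (hence ASLR) and be able to run what sits there (hence non-executable stacks); those mitigations raise the cost but do not replace the length check.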
Wrapping It All Up:
Attacks come in many forms, and have many different purposes and impacts. These attacks are meant to do everything from being a minor annoyance, to disrupting service, to theft of data, to outright destruction of computer information systems. As I mentioned in my review of the TechEd 2007 conference (see my article here), data thieves have found that personally identifiable information is worth money. Whereas the hackers of old just wanted attention, the bad guys doing the computer attacking these days are criminals, plain and simple. They want to make a living either by stealing your data, stealing the data of a competing company, or interrupting service. When they find a vulnerability and a way to exploit it, they can also sell the exploit methods for money. And they have found a variety of ways to conceal their attacks and keep their consequences undetectable for a long time.
There is good news: many of the attack impacts mentioned here are preventable. Good antivirus software, malware protection, firewalls, and above all keeping patches up to date will help prevent many of the exploits. I have told people over and over about the dangers of clicking on every single link they get in an email, especially when that email is from someone unknown to them. Even emails from people whom you trust can't be taken at face value these days, because attack methods can use your own address book and email client to send out mass emails without your knowledge, and the recipients will think they came from you. But that too is preventable; use diligence and awareness when browsing emails, and especially on the web.