Please provide detailed understanding about chapter 6.
- Read the slides.
- This should not be more than 4 paragraphs.
- Please use clear sentences.
Do on your own time.
Computer Fraud and Abuse Techniques
Chapter 6
6-1
Copyright © 2015 Pearson Education, Inc.
Types of Attacks
Hacking
Unauthorized access, modification, or use of an electronic device or some element of a computer system
Social Engineering
Techniques or tricks used on people to gain physical or logical access to confidential information
Malware
Software used to do harm
6-2
Hacking
Hijacking
Gaining control of a computer to carry out illicit activities
Botnet (robot network)
Zombies
Bot herders
Denial of Service (DoS) Attack
Spamming
Spoofing
Makes the communication look as if someone else sent it, so as to gain confidential information.
6-3
Forms of Spoofing
E-mail spoofing
Caller ID spoofing
IP address spoofing
Address Resolution (ARP) spoofing
SMS spoofing
Web-page spoofing (phishing)
DNS spoofing
6-4
Why is there spoofing? It is because the perpetrator of the fraud wants you to think they are someone else whom you would trust. For example:
E-mail spoofing makes you think the e-mail you received is from someone you know. This type of attack is often combined with a social engineering technique called phishing: for example, perpetrators send an e-mail that spoofs your bank's sender address and embed a link in it, hoping you will click the link and enter your login and password, which gives them access to your bank account.
Caller ID spoofing displays a false number on your phone, hoping you will think the call is from a trusted source (e.g., your bank).
IP address spoofing is used to conceal the identity of the sender of a DoS attack.
ARP spoofing enables man-in-the-middle as well as DoS attacks. It can allow the perpetrator to "sniff" the data that is coming over the Internet; sniffing means the perpetrator can see the data as it passes from the source to its intended destination.
SMS spoofing is falsifying the sender of a text message (it can also be used in phishing scams).
Hacking with Computer Code
Cross-site scripting (XSS)
Exploits a vulnerability in a Web application that lets the Web site be injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.
Buffer overflow attack
A large amount of data is sent to overflow the input memory (buffer) of a program, causing it to crash; the overflowed memory is replaced with the attacker's program instructions.
SQL injection (insertion) attack
Malicious code inserted into a query to get at the database information
6-5
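To make the SQL injection definition above concrete, here is an added example (not from the slides or the textbook) that builds a constructed in-memory SQLite table and shows the same lookup written two ways: pasting user input into the query text, which lets the input change the query, and binding it as a parameter, which keeps the input as plain data.

```python
import sqlite3

def build_db():
    # Constructed sample table standing in for an application's user store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, balance REAL)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", 120.0), ("bob", "hunter2", 45.5)])
    return db

def lookup_vulnerable(db, username):
    # Defect: the user-supplied string becomes part of the SQL text, so a
    # value containing a quote can close the literal and append its own logic.
    sql = f"SELECT username, balance FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username):
    # Hardened form: the placeholder is bound by the driver; the query text is
    # fixed and the input is only ever compared as data.
    sql = "SELECT username, balance FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def demo():
    db = build_db()
    normal = "alice"
    injected = "x' OR '1'='1"   # classic illustration of input that alters the query
    return {
        "vuln_normal": lookup_vulnerable(db, normal),        # one row, as intended
        "vuln_injected": lookup_vulnerable(db, injected),    # every row leaks
        "safe_injected": lookup_parameterized(db, injected), # no such user: empty
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```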
Other Types of Hacking
Man in the middle (MITM)
The hacker is placed between a client (user) and a host (server) to read, modify, or steal data.
Piggybacking
Password cracking
War dialing and driving
Phreaking
Data diddling
Data leakage
Podslurping
6-6
These types of hacking are used to gain unauthorized access to a computer system or to confidential data.
Piggybacking can take several forms: using a neighbor's unsecured Wi-Fi; an unauthorized person following an authorized person through a door, bypassing the screening or security code needed to enter a secure area; and tapping into a communications line and electronically latching onto an authorized user as they enter the system.
Password cracking is penetrating the system to steal passwords.
War dialing is using a program to dial phone lines looking for an unsecured dial-up modem line.
War driving is driving around looking for an unsecured wireless network; an unsecured network invites unauthorized access into your network.
Phreaking is attacking the phone system to get free service.
Data diddling is falsifying data entry (e.g., timecards for payroll).
Data leakage is unauthorized copying of data.
Podslurping is using a flash drive to download data without authorization.
Hacking Used for Embezzlement
Salami technique:
Taking small amounts at a time
Round-down fraud
Economic espionage
Theft of information, intellectual property and trade secrets
Cyber-extortion
Threats to a person or business online through e-mail or text messages unless money is paid
6-7
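The round-down fraud named under the salami technique above is easiest to see with numbers, so here is an added example (not from the slides) using a constructed five-account ledger and an assumed 5% annual rate: it posts one month of interest with honest half-even rounding and again with rounding down, then runs a simple reconciliation control that recomputes the exact interest and flags a posting run whose rounding residual is one-sided and too large.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.05")  # assumed rate for the illustration

# Constructed sample ledger: account id -> balance (not from the slides).
ACCOUNTS = {
    "A1": Decimal("1234.56"), "A2": Decimal("987.65"), "A3": Decimal("2500.00"),
    "A4": Decimal("333.33"), "A5": Decimal("4321.00"),
}

def monthly_interest(balance, annual_rate=ANNUAL_RATE):
    # Exact, unrounded interest for one month at a simple annual rate.
    return balance * annual_rate / 12

def post_interest(accounts, rounding):
    """Post each account's interest rounded to the cent. Returns the postings
    and the total of the fractions left over by rounding; in a round-down
    fraud that leftover is what gets moved to the perpetrator's account."""
    posted, leftover = {}, Decimal("0")
    for acct, balance in accounts.items():
        exact = monthly_interest(balance)
        amount = exact.quantize(CENT, rounding=rounding)
        posted[acct] = amount
        leftover += exact - amount
    return posted, leftover

def rounding_residual_check(accounts, posted):
    """Detective control: recompute the exact interest and compare it with
    what was posted. Honest half-even rounding leaves residuals of both signs
    that roughly cancel; rounding down leaves every residual >= 0 and a total
    that grows with the number of accounts (about half a cent each)."""
    residuals = [monthly_interest(bal) - posted[acct] for acct, bal in accounts.items()]
    total = sum(residuals, Decimal("0"))
    one_sided = all(r >= 0 for r in residuals)
    # Flag when the residual is one-sided and exceeds a quarter cent per account.
    flagged = one_sided and total > len(accounts) * Decimal("0.0025")
    return {"total_residual": total, "flagged": flagged}

def run_both():
    honest, _ = post_interest(ACCOUNTS, ROUND_HALF_EVEN)
    diverting, skimmed = post_interest(ACCOUNTS, ROUND_DOWN)
    return {
        "honest": rounding_residual_check(ACCOUNTS, honest),
        "round_down": rounding_residual_check(ACCOUNTS, diverting),
        "skimmed": skimmed,
    }

if __name__ == "__main__":
    print(run_both())
```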
Hacking Used for Fraud
Internet misinformation
E-mail threats
Internet auction
Internet pump and dump
Click fraud
Web cramming
Software piracy
6-8
Internet misinformation is used to spread false or misleading information.
E-mail threats demand an action by the victim that causes them great expense.
Internet auction fraud includes unfairly bidding up the price, delivering inferior products, delivering nothing at all, or a buyer failing to make a payment.
Internet pump and dump uses the Internet to inflate the price of a stock and then sell it. It usually occurs with penny stocks: the perpetrator buys a large volume of the stock, posts false information to drive up its price, and sells the shares to pocket the profit before the price falls back down.
Click fraud uses botnets to click on ads to get Web click-through commissions.
Web cramming is a scam that offers a free Web site and then keeps charging the person for months after they no longer want or use the Web site.
Software piracy is the unauthorized copying or distribution of copyrighted software. This can occur by:
selling a computer preloaded with unauthorized software,
installing single-license software on more than one computer, and
loading software on a server that allows unrestricted access.
Social Engineering Techniques
Identity theft
Assuming someone else’s identity
Pretexting
Using a scenario to trick victims to divulge information or to gain access
Posing
Creating a fake business to get sensitive information
Phishing
Sending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive data
Pharming
Redirects Web site to a spoofed Web site
URL hijacking
Takes advantage of typographical errors in Web site addresses, so the user lands on an invalid or wrong Web site
Scavenging
Searching trash for confidential information
Shoulder surfing
Snooping, either from close behind the person or by using technology, to get confidential information
Skimming
Double-swiping a credit card
Eavesdropping
6-9
Why People Fall Victim
Compassion
Desire to help others
Greed
Want a good deal or something for free
Sex appeal
More cooperative with those who are flirtatious or good looking
Sloth
Lazy habits
Trust
Will cooperate if trust is gained
Urgency
Cooperation occurs when there is a sense of immediate need
Vanity
More cooperation when there is an appeal to vanity
6-10
Minimize the Threat of Social Engineering
Never let people follow you into restricted areas
Never log in for someone else on a computer
Never give sensitive information over the phone or through e-mail
Never share passwords or user IDs
Be cautious of someone you don’t know who is trying to gain access through you
6-11
Types of Malware
Spyware
Secretly monitors and collects information
Can hijack the browser and search requests
Adware
Keylogger
Software that records user keystrokes
Trojan Horse
Malicious computer instructions in an authorized and properly functioning program
Trap door
Set of instructions that allow the user to bypass normal system controls
Packet sniffer
Captures data as it travels over the Internet
Virus
A section of self-replicating code that attaches to a program or file and requires a human to do something before it can replicate itself
Worm
Stand-alone, self-replicating program
6-12
Cellphone Bluetooth Vulnerabilities
Bluesnarfing
Stealing contact lists, data, and pictures on Bluetooth-compatible smartphones
Bluebugging
Taking control of a phone to make or listen to calls, send or read text messages
6-13
Bluesnarfing and bluebugging may take advantage of Bluetooth technology on smartphones.