Annualized Loss Expectancy: The Annualized Loss Expectancy (ALE) is the monetary loss an organization can expect from a given risk to an asset over a one-year period. It is defined as:
ALE
= SLE * ARO
where
SLE is the Single Loss Expectancy and ARO is the Annualized Rate of
Occurrence.
An
important feature of the Annualized Loss Expectancy is that it can be
used directly in a cost-benefit analysis. If a threat or risk has an
ALE of $5,000, then it may not be worth spending $10,000 per year on
a security measure which will eliminate it.
One
thing to remember when using the ALE value is that, when the
Annualized Rate of Occurrence is of the order of one loss per year,
there can be considerable variance in the actual loss. For example,
suppose the ARO is 0.5 and the SLE is $10,000. The Annualized Loss
Expectancy is then $5,000, a figure we may be comfortable with. Using
the Poisson Distribution we can calculate the probability of a
specific number of losses occurring in a given year:
Number of Losses in Year    Probability    Annual Loss
0                           0.6065         $0
1                           0.3033         $10,000
2                           0.0758         $20,000
>=3                         0.0144         >=$30,000
We
can see from this table that the probability of a loss of $20,000 is
0.0758, and that the probability of losses being $30,000 or more is
approximately 0.0144. Depending upon our tolerance to risk and our
organization's ability to withstand higher value losses, we may
consider that a security measure which costs $10,000 per year to
implement is worthwhile, even though it is more than the expected
losses due to the threat.
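The table above, recomputed as an added worked example (this code is not part of the original page). It also answers the question the paragraph raises but leaves to judgement: how likely is a loss the organization cannot absorb, and does that justify a control costing more than the ALE? The $30,000 "intolerable loss" and the 1% tail-probability limit are assumed inputs; SLE and ARO are the page's figures.

```python
import math


def ale(sle, aro):
    """Annualized Loss Expectancy: expected loss per year for one risk."""
    return sle * aro


def poisson_pmf(k, rate):
    """P(exactly k loss events in a year) when events arrive at `rate` (the ARO)."""
    return math.exp(-rate) * rate ** k / math.factorial(k)


def loss_distribution(sle, aro, max_events=2):
    """Rows of (events, probability, annual loss) for 0..max_events, followed by
    one tail row holding the remaining probability mass for >= max_events + 1."""
    rows, cumulative = [], 0.0
    for n in range(max_events + 1):
        p = poisson_pmf(n, aro)
        cumulative += p
        rows.append((n, p, n * sle))
    rows.append((max_events + 1, 1.0 - cumulative, (max_events + 1) * sle))
    return rows


def prob_loss_at_least(sle, aro, threshold):
    """P(annual loss >= threshold): the Poisson tail starting at the smallest
    event count whose cumulative loss reaches the threshold."""
    n_min = math.ceil(threshold / sle)
    return 1.0 - sum(poisson_pmf(n, aro) for n in range(n_min))


def control_worthwhile(sle, aro, annual_cost, intolerable_loss, max_tail_prob):
    """Decision rule: a control costing no more than the ALE pays for itself;
    a dearer one is still justified when the chance of an intolerable loss
    exceeds the limit the organization is willing to bear (assumed inputs)."""
    if annual_cost <= ale(sle, aro):
        return True
    return prob_loss_at_least(sle, aro, intolerable_loss) > max_tail_prob


if __name__ == "__main__":
    SLE, ARO = 10_000, 0.5  # the page's worked figures
    print("ALE = $%.0f" % ale(SLE, ARO))
    for n, p, loss in loss_distribution(SLE, ARO):
        print("%d events  p=%.4f  loss $%d" % (n, p, loss))
    print("P(loss >= $30,000) = %.4f" % prob_loss_at_least(SLE, ARO, 30_000))
    print("$10,000/yr control worthwhile at a 1%% tail limit:",
          control_worthwhile(SLE, ARO, 10_000, 30_000, 0.01))
```

The last line is the point of the passage: with a 1% limit on a $30,000-or-worse year, the $10,000 control is accepted even though it costs twice the ALE; relax the limit to 5% and the same numbers reject it.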
TERMS
AND DEFINITIONS
To
discuss the history and evolution of information risk analysis and
assessment, several terms whose meanings are central to this
discussion should first be defined.
Annualized loss expectancy (ALE) — This value is derived, classically, from the following formula (see also the definitions for single loss expectancy [SLE] and annualized rate of occurrence [ARO] below):
SLE * ARO = ALE
To identify risk effectively and to plan budgets for information risk management and related risk reduction activity, it is helpful to express loss expectancy in annualized terms. For example, the formula above shows that the ALE for a threat with an SLE of $1,000,000 that is expected to occur only about once in 10,000 years (ARO = 0.0001) is $1,000,000 divided by 10,000, or only $100.00. Factoring the expected threat frequency (ARO) into the calculation integrates the likelihood of the event into the information risk management process. Risk is thus portrayed more accurately, and the basis for a meaningful cost/benefit analysis of risk reduction measures is established.
Annualized
rate of occurrence (ARO) — This term characterizes, on an
annualized basis, the frequency with which a threat is expected to
occur. For example, a threat occurring once in 10 years has an ARO of
1/10 or 0.1; a threat occurring 50 times in a given year has an ARO
of 50.0. The possible range of frequency values is from 0.0 (the
threat is not expected to occur) to some whole number whose magnitude
depends on the type and population of threat sources. For example,
the upper value could exceed 100,000 events per year for minor,
frequently experienced threats such as misuse-of-resources. For an
example of how quickly the number of threat events can mount, imagine
a small organization — about 100 staff members — having logical
access to an information processing system. If each of those 100
persons misused the system only once a month, misuse events would be
occurring at the rate of 1,200 events per year. It is useful to note here that many confuse ARO, which is a frequency, with probability (defined below). Below a value of about 1/100 the two are numerically almost indistinguishable, because the annual probability of at least one event is then approximately equal to the ARO; above 1/100 they diverge increasingly, to the point where probability stops at 1.0 (certainty) while frequency, by definition, continues to mount without bound.
Exposure factor (EF) — This factor represents the magnitude of loss or impact on the value of an asset. It is expressed as a percentage, ranging from 0% to 100%, of the asset value lost as a result of a single threat event. It is used in the calculation of single loss expectancy: SLE = asset value * EF.
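An added example (not from the original page) that chains the three definitions, asset value * EF giving SLE and SLE * ARO giving ALE, and then tabulates ARO against the annual probability of at least one event under a Poisson arrival model. That comparison is where the "converge below 1/100, diverge above it" observation in the ARO definition comes from. All asset values and rates below are constructed inputs.

```python
import math


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF, with EF as a fraction of the asset's value (0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO, built from the primitives defined in the glossary."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def prob_at_least_one(aro):
    """Annual probability of one or more events when events arrive at rate ARO
    (Poisson model): 1 - e^-ARO. Capped at 1.0, unlike the ARO itself."""
    return 1.0 - math.exp(-aro)


def frequency_vs_probability(aros):
    """(ARO, probability, relative gap) rows showing where frequency and
    probability part ways: the gap is ~ARO/2 for small ARO and tends to 1."""
    rows = []
    for aro in aros:
        p = prob_at_least_one(aro)
        rows.append((aro, p, (aro - p) / aro if aro else 0.0))
    return rows


if __name__ == "__main__":
    # The glossary's example: $1,000,000 asset fully lost about once per 10,000 years.
    print("ALE = $%.2f" % annualized_loss_expectancy(1_000_000, 1.0, 1 / 10_000))
    for aro, p, gap in frequency_vs_probability([0.001, 0.01, 0.1, 1.0, 50.0]):
        print("ARO=%8.3f  P(>=1 event)=%.6f  relative gap=%.4f" % (aro, p, gap))
```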
E-mail
spoofing: E-mail
spoofing is a term used to describe (usually fraudulent) e-mail
activity in which the sender address and other parts of the e-mail
header are altered to appear as though the e-mail originated from a
different source. E-mail spoofing is a technique commonly used for
spam e-mail and phishing to hide the origin of an e-mail message. By
changing certain properties of the e-mail, such as the From,
Return-Path and Reply-To fields (which can be found in the message
header), ill-intentioned users can make the e-mail appear to be from
someone other than the actual sender. The result is that, although
the e-mail appears to come from the address indicated in the From
field (found in the e-mail headers), it actually comes from another
source.
Occasionally
(especially if the spam requires a reply from the recipient, such as
the '419' scams), the source of the spam e-mail is indicated in the
Reply-To field (or at least a way of identifying the spammer); if
this is the case and the initial e-mail is replied to, the delivery
will be sent to the address specified in the Reply-To field, which
could be the spammer's address. However, most spam emails (especially
malicious ones with a Trojan/virus payload, or those advertising a
web site) forge this address too, and replying to it will annoy an
innocent third party.
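An added example, not part of the original text, that parses a constructed message of the kind described above: the From: claims one domain, the Reply-To: points at a different mailbox, and the Received: chain records a third origin. It reports which sender headers disagree and extracts the earliest recorded hop. One caveat a practitioner should keep in mind: Received: headers are prepended by each MTA, so the ones below those added by your own servers can themselves be forged; only the hop recorded by a server you control is trustworthy.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture); header folding uses tab continuation.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.com with ESMTP id A1B2C3; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.net with SMTP id D4E5F6; Mon, 1 Jan 2024 09:59:58 +0000
Return-Path: <bounce@example.net>
From: "Help Desk" <helpdesk@example.com>
Reply-To: <collector@example.org>
To: <user@example.com>
Subject: Password expiry notice

Your password expires today. Reply with your current password to keep your account.
"""

SENDER_HEADERS = ("From", "Return-Path", "Reply-To")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def sender_addresses(msg):
    """The bare mailbox in each header that names a sender (empty if absent)."""
    return {h: parseaddr(msg.get(h, ""))[1] for h in SENDER_HEADERS}


def sender_mismatches(msg):
    """Headers whose domain differs from the From: domain the recipient sees."""
    addrs = sender_addresses(msg)
    from_domain = domain_of(addrs["From"])
    return [h for h in ("Return-Path", "Reply-To")
            if addrs[h] and domain_of(addrs[h]) != from_domain]


def origin_ip(msg):
    """IPv4 address in the oldest Received: header (last in the list, since
    every MTA prepends its own)."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1])
    return match.group(1) if match else None


def analyze(raw):
    msg = message_from_string(raw)
    return {
        "addresses": sender_addresses(msg),
        "mismatches": sender_mismatches(msg),
        "origin_ip": origin_ip(msg),
        "hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(key, "=", value)
```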
Prior to the advent of unsolicited commercial e-mail as a viable business model, "legitimately spoofed" e-mail was common. For example, a visiting user might use the local organization's SMTP server to send e-mail from the user's home address at another organization. Since most servers were configured as open relays, this was a common practice. As spam became an annoying problem, most of these "legitimate" uses fell victim to anti-spam techniques.
Methods
Because
many spammers now use special software to create random sender
addresses, even if the user finds the origin of the e-mail it is
unlikely that the e-mail address will be active.
The
technique is now used ubiquitously by mass-mailing worms as a means
of concealing the origin of the propagation. On infection, worms such
as ILOVEYOU, Klez and Sober will often try to perform searches for
e-mail addresses within the address book of a mail client, and use
those addresses in the From field of e-mails that they send, so that
these e-mails appear to have been sent by the third party. For
example:
User1
is sent an infected e-mail and then the e-mail is opened, triggering
propagation
The
worm finds the addresses of User2 and User3 within the address book
of User1
From
the computer of User1, the worm sends an infected e-mail to User2,
but the e-mail appears to have been sent from User3
This
can be particularly problematic in a corporate setting, where e-mail
is sent to organizations with content filtering gateways in place.
These gateways are often configured with default rules that send
reply notices for messages that get blocked, so the example is often
followed by:
User2
doesn't receive the message, but instead gets a message telling him
that a virus sent to them has been blocked. User3 receives a message
telling him that a virus sent by them has been blocked. This creates
confusion for both User2 and User3, while User1 remains unaware of
the actual infection.
Newer
variants of these worms have built on this technique by randomizing
all or part of the e-mail address. A worm can employ various methods
to achieve this, including:
• Random
letter generation
• Built-in
wordlists
• Amalgamating
addresses found in address books, for example:
o User1
triggers an e-mail address spoofing worm, and the worm finds the
addresses user2@efgh.com, user3@ijkl.com and user4@mnop.com within
the users e-mail address book
o The
worm sends an infected message to user2@efgh.com, but the e-mail
appears to have been sent from user3@mnop.com
Spoofed/Forged
Email
I.
Description
Email
spoofing may occur in different forms, but all have a similar result:
a user receives email that appears to have originated from one source
when it actually was sent from another source. Email spoofing is
often an attempt to trick the user into making a damaging statement
or releasing sensitive information (such as passwords).
Examples
of spoofed email that could affect the security of your site include:
• email
claiming to be from a system administrator requesting users to change
their passwords to a specified string and threatening to suspend
their account if they do not do this
• email
claiming to be from a person in authority requesting users to send
them a copy of a password file or other sensitive information
II. Prevention (Deterrence)
o Use
cryptographic signatures (e.g., PGP "Pretty Good Privacy"
or other encryption technologies) to exchange authenticated email
messages. Authenticated email provides a mechanism for ensuring that
messages are from whom they appear to be, as well as ensuring that
the message has not been altered in transit. Similarly, sites may
wish to consider enabling SSL/TLS in their mail transfer software.
Using certificates in this manner increases the amount of
authentication performed when sending mail.
o Configure your mail delivery daemon so that it does not act as an open relay, that is, so that someone cannot connect directly to your SMTP port and send spoofed e-mail to other sites through it.
o Ensure
that your mail delivery daemon allows logging and is configured to
provide sufficient logging to assist you in tracking the origin of
spoofed email.
o Consider
a single point of entry for email to your site. You can implement
this by configuring your firewall so that SMTP connections from
outside your firewall must go through a central mail hub. This will
provide you with centralized logging, which may assist in detecting
the origin of mail spoofing attempts to your site.
o Educate
your users about your site's policies and procedures in order to
prevent them from being "social engineered," or tricked,
into disclosing sensitive information (such as passwords). Have your
users report any such activities to the appropriate system
administrator(s) as soon as possible. See also CERT advisory
CA-1991-04, available from
Q. "I found out from returned 'undelivered' e-mail that those addresses do not exist in my lists--in the first place, I have never sent them."
A. Many affected owners of e-mail addresses that are being spoofed complain of having their accounts suspended for spamming and of receiving "tons" of harassing hate mail marked as coming from them--which they never sent and only found out about when they started receiving angry replies or returned, undelivered bounce e-mail.
The victims of this new form of harassment, in which fake or bogus messages are sent out posing as the original owner of the e-mail address by spoofing, are usually targeted by dissatisfied or fired employees, competitors, pranksters, junk mailers, provocateurs or spammers trying to sell something--not that they want you to respond to the e-mail, but to click on a link in the message.
According to the FBI, spoofing is generally not illegal because no hacking is required, unless it involves a direct threat of violence or death. By using this tactic, known as e-mail spoofing, they exploit the simplicity of the Internet SMTP (Simple Mail Transfer Protocol, RFC 821).
E-mail can be spoofed by tweaking the settings on a standard e-mail client such as Eudora, Outlook Express, etc.
There are also many websites that offer an automated process for creating and sending spoofed e-mail by inserting someone else's e-mail address into the Mail FROM: or REPLY TO: fields. The message also contains information about its "origin", but most people don't know how to decipher it or simply assume that the spoofed message is genuine.
Spoofing is usually done to obtain information, to sell something, by a computer infected with a spam zombie or spambot, or simply for hate mail, by assuming another's identity and making the recipient think that the e-mail is from that sender:
a) Pretending to be a legitimate bank, etc., to get your ID.
b) A link in the message body taking you to a sales site.
c) Attachments with a virus or hate message.
d) Selling something by using an infected computer to send out a sales pitch (unknown to the owner of the machine), while at the same time "spoofing" the spam using the computer owner's address book.
Spam
and e-mail-laden viruses can take a lot of the fun and utility out of
electronic communications, but at least you can trust e-mail that
comes from people you know – except when you can’t. A favorite
technique of spammers and other “bad guys” is to “spoof”
their return e-mail addresses, making it look as if the mail came
from someone else. In effect, this is a form of identity theft, as
the sender pretends to be someone else in order to persuade the
recipient to do something (from simply opening the message to sending
money or revealing personal information). In this article, we look at
how e-mail spoofing works and what can be done about it, examining
such solutions as the Sender Policy Framework (SPF) and Microsoft’s
Sender ID, which is based on it.
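An added example, not from any of the sources quoted above, of the check SPF adds to the picture: a receiving server looks up the sending domain's policy and tests the connecting IP address against it. The records for example.com and example.net are constructed stand-ins for DNS TXT lookups, so the code runs offline; it handles only the ip4/ip6 mechanisms and the final "all", and reports anything that would need DNS (include, a, mx, redirect) as unsupported rather than guessing. Two caveats worth knowing: SPF is evaluated on the envelope sender (MAIL FROM, the Return-Path), not on the From: header the user sees, so aligning the two is what DMARC later added; and a domain with no record yields "none", which is why spoofing domains that never published SPF still works.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (no network access).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Walk the record's mechanisms left to right; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as a hard error, never as pass
            matched = ip.version == network.version and ip in network
        else:
            return "unsupported"  # include/a/mx/exists/redirect require DNS
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def check_envelope_sender(mail_from, client_ip, records=SPF_RECORDS):
    """SPF is evaluated on the envelope MAIL FROM (Return-Path), not the From: header."""
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    return "none" if record is None else evaluate_spf(record, client_ip)


if __name__ == "__main__":
    for sender, ip in [("alice@example.com", "192.0.2.55"),
                       ("alice@example.com", "203.0.113.5"),
                       ("bob@example.net", "203.0.113.5"),
                       ("carol@example.org", "192.0.2.1")]:
        print(sender, ip, "->", check_envelope_sender(sender, ip))
```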
**********************
1.
What is a Dictionary Attack?
A dictionary attack consists of trying "every word in the dictionary" (and, commonly, simple variants of each word) as a possible password or key, whether against an encrypted message or against a stored password hash.
What
is a Chosen Plaintext Attack?
A
chosen plaintext attack is an attack where the cryptanalyst is able
to define his own plaintext, feed it into the cipher, and analyze the
resulting ciphertext.
Mounting a chosen plaintext attack requires the cryptanalyst to be able to send data of his choice into the device which is doing the encryption, and to be able to view the output from the device. Because of these requirements, a chosen plaintext attack is in some cases impossible to attempt.
2.
What is a Brute Force Attack?
A brute force attack consists of trying every possible code, combination, or password until you find the right one. Its cost grows exponentially with the length of the secret, which is why dictionary attacks are tried first.
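An added example (not from the original FAQ) that runs both attacks against a hashed password and counts the work each needs. The wordlist is a constructed six-word stand-in for a real dictionary; the brute-force search is restricted to short lowercase strings so it finishes instantly, and keyspace_size shows how quickly that stops being true.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for "every word in the dictionary".
WORDLIST = ["password", "letmein", "dragon", "qwerty", "sunshine", "monkey"]
LOWERCASE = string.ascii_lowercase


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist, mutate=True):
    """Try each word and, optionally, a few common mutations. Returns
    (password, attempts), or (None, attempts) when the wordlist is exhausted."""
    attempts = 0
    for word in wordlist:
        candidates = [word]
        if mutate:
            candidates += [word.capitalize(), word + "1", word + "123", word.upper()]
        for candidate in candidates:
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash, alphabet, max_length):
    """Exhaust every string over `alphabet` up to max_length, shortest first;
    the work grows as |alphabet| ** length."""
    attempts = 0
    for length in range(1, max_length + 1):
        for letters in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(letters)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet_size, max_length):
    """Number of candidates brute force must be prepared to try."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


if __name__ == "__main__":
    print(dictionary_attack(sha256_hex("sunshine123"), WORDLIST))
    print(dictionary_attack(sha256_hex("Tr0ub4dor&3"), WORDLIST))
    print(brute_force(sha256_hex("zq"), LOWERCASE, 3))
    print("lowercase, up to 8 chars:", keyspace_size(26, 8), "candidates")
```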
What
is a Message Digest?
A message digest is a fixed-size number computed algorithmically from a file that identifies the file for all practical purposes: two different files that share a digest exist in principle, but with a secure hash function they are computationally infeasible to find. If the file changes, the message digest will change. In addition to allowing us to determine if a file has changed, message digests can also help to identify duplicate files.
3.
What are Digital Certificates?
Digital certificates are the electronic equivalent of a driver's license, a passport, or another form of identity document, with the difference that a digital certificate is used in conjunction with a public key encryption system: it binds a public key to the name of its holder. Digital certificates are issued by a trusted third party known as a Certification Authority (CA), such as VeriSign or Thawte. The CA is responsible for confirming the identity of the certificate holder before issuing the certificate. This gives website visitors assurance that they are talking to the site named in the certificate; it says nothing about whether that site's operator is honest or competent.
Digital certificates serve two basic functions. The first is to certify that people, websites, and network resources such as servers and routers are who or what they claim to be. The second is to supply the public key with which a protected session is set up (for example, a TLS connection), so that data exchanged between the visitor and the website, such as credit card information, is protected from tampering and eavesdropping.
A digital certificate contains the name of the organization or individual, its address, a serial number, an expiration date, the holder's public key, and the issuing CA's digital signature over all of these fields. When your web browser attempts to secure a connection, it checks the digital certificate presented by the website. The browser has a built-in list of the main certification authorities and their public keys, and uses the appropriate CA key to verify the CA's signature on the certificate. It also checks that the certificate has not expired or been revoked and that the name in it matches the site being visited; if everything checks out, the secure connection is enabled. When the browser finds an expired or revoked certificate or mismatched information, it displays a warning.
4.
What is a Digital Signature?
A digital signature is produced by computing a message digest of a message and signing that digest with the signer's private key. Digital signatures rely on asymmetric, or public key, cryptography. To create a digital signature, you hash the message and sign the digest with your private key; anyone holding your public key can then verify the signature. The digital signature is sent along with the message.
This has two effects:
• Any changes to the message can be detected, because the verifier recomputes the message digest and it will no longer match the one that was signed.
• You cannot plausibly deny signing the message, because only your private key could have produced the signature (provided the key has not been lost or stolen).
These two features, message integrity and non-repudiation, make digital signatures a very useful component for e-commerce applications.
5.
What is a One-Time Pad?
A one-time pad is the only cipher that has been proven unbreakable. A one-time pad is a private key, or symmetric, cipher in which the key is truly random, at least as long as the plaintext, and used exactly once. Because every key bit is independent of every other and is never reused, the ciphertext reveals nothing about the plaintext, and there is no basis for mathematical cryptanalysis.
An
example of a very poor one-time pad would be if you were to encrypt a
letter to a friend using a substitution cipher and using Hemingway's
A Farewell to Arms as a key. Your friend could decrypt your letter
using an identical copy of A Farewell to Arms. No one else would be
able to decrypt your message, unless they had a copy of the book you
were using as a key.
This is actually a very poor one-time pad because books do not contain random text. A message encrypted using a book as a one-time pad would not be difficult to cryptanalyze.
For
a one-time pad to be truly unbreakable, the key must be generated
with effective randomness.
One-time pad ciphers are sometimes called Vernam ciphers.
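An added example, not from the original FAQ, of the pad in its proper form (a key from the OS random generator, at least as long as the message, used once) and of what goes wrong when the "used once" rule is broken: XORing two ciphertexts made with the same pad cancels the key, and knowing either plaintext then yields the other. The sample messages are constructed.

```python
import os


def new_key(length):
    """A fresh pad from the OS CSPRNG: the 'effective randomness' the text calls for."""
    return os.urandom(length)


def otp_xor(data, key):
    """Encrypt or decrypt (XOR is its own inverse). Refuses a pad shorter than the data."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def two_time_pad_leak(c1, c2):
    """With the pad reused, c1 XOR c2 = p1 XOR p2: the key drops out entirely."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other_plaintext(c1, c2, known_p1):
    """Knowing (or correctly guessing) p1 then hands over p2 without the key."""
    return bytes(x ^ p for x, p in zip(two_time_pad_leak(c1, c2), known_p1))


if __name__ == "__main__":
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    pad = new_key(len(p1))
    c1 = otp_xor(p1, pad)
    print("round trip ok:", otp_xor(c1, pad) == p1)
    c2 = otp_xor(p2, pad)  # the mistake: same pad, second message
    print("recovered from reuse:", recover_other_plaintext(c1, c2, p1))
```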
6.
What is Steganography?
Steganography
is the art and science of hiding messages. Steganography is often
combined with cryptography so that even if the message is discovered
it cannot be read.
The
word steganography is derived from the Greek words "steganos"
and "graphein", which mean "covered" and
"writing." Steganography, therefore, is covered writing.
Historical steganography involved techniques such as invisible ink or microdots. Modern steganography involves hiding data in computer files.
It is fairly easy to hide a secret message in a graphic file without obviously altering the visible appearance of that file.
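An added example (not from the original FAQ) of the most basic image technique: the payload is written into the least significant bit of each pixel value, so no pixel changes by more than one unit out of 256 and the picture looks the same. The cover is a constructed 64x64 8-bit grayscale array rather than a real image file, and a 4-byte length prefix tells the extractor where the payload ends.

```python
COVER = bytes((i * 7) % 256 for i in range(4096))  # constructed 64x64 8-bit grayscale image


def embed_lsb(pixels, payload):
    """Write a length prefix plus the payload, one bit per pixel, into the LSBs."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    bits = ((byte >> (7 - i)) & 1 for byte in data for i in range(8))  # MSB first
    for index, bit in enumerate(bits):
        out[index] = (out[index] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Read the length prefix, then exactly that many payload bytes."""
    def read(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference the embedding introduced (always 0 or 1 here)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"meet at noon")
    print("extracted:", extract_lsb(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
```

The flip side matters to a defender: the same LSB plane is trivially readable by anyone who looks, so, as the text says, the payload is normally encrypted before it is hidden.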
7.
What is SHA-1?
SHA stands for Secure Hash Algorithm. The SHA family described here consists of five hash functions designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST): SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1 was for many years the most widely used of the series.
Hash algorithms are called secure when:
1. It is computationally infeasible to find a message that corresponds to a given message digest (preimage resistance).
2. It is computationally infeasible to find two different messages that produce the same message digest (collision resistance).
3. If a message is changed even by a single character, the result is a completely different message digest.
SHA-1 was designed to have these properties and was therefore referred to as secure. It is designed to work with the Digital Signature Algorithm (DSA). SHA-1 is a one-way hash function. One-way functions are characterized by two properties. The first is that they are one-way: you can take a message and compute a hash value, but you cannot take a hash value and recover the original message. The second is collision resistance: since infinitely many messages map onto a fixed-size digest, collisions must exist, but it should be infeasible to find any. SHA-1 no longer meets this second requirement; a practical collision was published in 2017, and it should not be used for new digital signatures or certificates.
SHA-1 produces a 160-bit message digest from a message of at most 2^64 - 1 bits. The message M to be hashed must have a length of l bits, where 0 <= l < 2^64. The message digest is the fixed-length output computed from the message. The message digest is then input to the DSA, which generates the signature for the message. Signing the message digest instead of the message offers improved performance because the message digest is much smaller than the message. The recipient of the message recomputes the digest with the same hash algorithm and uses the signer's public key to verify the signature. Any change that occurs in transit will result in a different message digest and, thus, the signature will not verify. Note that a signature provides integrity and authenticity only; the message itself is not hidden, and confidentiality requires separate encryption.
When computing a message digest, SHA-1 processes the message in blocks of 512 bits. The message is first padded so that its total length is a multiple of 512 bits: a single 1 bit is appended, then enough 0 bits, then the original message length as a 64-bit integer. This process is known as padding of the message.
SHA-1
differs from SHA-0 only by a single bitwise rotation in the message
schedule of its compression function.
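An added example, not from the original FAQ, that makes the padding rule and the "single character changes everything" property concrete. sha1_pad applies the rule described above (0x80, zeros up to 56 mod 64, then the bit length as a 64-bit big-endian integer) and the result is always a whole number of 512-bit blocks; the digest values themselves come from hashlib, and the "abc" digest is the standard published test vector. Nothing here is a recommendation to use SHA-1.

```python
import hashlib
import struct


def sha1_pad(message):
    """Apply SHA-1's padding rule to `message` (bytes) and return the padded bytes."""
    bit_length = len(message) * 8
    if bit_length >= 1 << 64:
        raise ValueError("SHA-1 input must be shorter than 2**64 bits")
    padded = message + b"\x80"                       # the single 1 bit
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)  # zeros up to 56 mod 64
    return padded + struct.pack(">Q", bit_length)    # 64-bit big-endian length


def block_count(message):
    """Number of 512-bit blocks the compression function will process."""
    return len(sha1_pad(message)) // 64


def sha1_hex(message):
    return hashlib.sha1(message).hexdigest()


def differing_bits(hex_a, hex_b):
    """How many of the 160 digest bits differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    print("abc  ->", sha1_hex(b"abc"))
    print("abd  ->", sha1_hex(b"abd"))
    print("bits changed by one character:",
          differing_bits(sha1_hex(b"abc"), sha1_hex(b"abd")), "of 160")
    for n in (0, 3, 55, 56, 64):
        print("%3d-byte message pads to %d bytes = %d block(s)"
              % (n, len(sha1_pad(b"x" * n)), block_count(b"x" * n)))
```

Note the boundary the padding rule creates: a 55-byte message still fits one block, but a 56-byte message needs two, because the 1 bit and the 8-byte length no longer fit.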
Cryptanalysis of a hash function means finding inputs that violate its one-way or collision-free properties faster than brute force would. Breaking a hash function implies showing that one of these properties does not hold for it. Cryptographers demonstrated early that SHA-1 was weaker than intended: a collision for 58-round SHA-1 was presented, found with 2^33 hash operations, where a brute-force (birthday) search would require 2^80 operations. At the time, experts argued that a full break might not come for some time. Nevertheless, attacks always get better, and a collision for full SHA-1 was demonstrated in practice in 2017. The National Institute of Standards and Technology (NIST) already has standards for longer, harder-to-break hash functions: SHA-224, SHA-256, SHA-384, and SHA-512.
Applications
of SHA-1
SHA-1
can be used in a variety of applications:
1. Security
applications that require authentication
2. E-mail
3. Electronic
funds transfer
4. Software
distribution
5. Data
storage
Smurf
attack: The Smurf
attack is a way of generating significant computer network traffic on
a victim network. This is a type of denial-of-service attack that
floods a target system via spoofed broadcast ping messages.
In
such an attack, a perpetrator sends a large amount of ICMP echo
request (ping) traffic to IP broadcast addresses, all of which have a
spoofed source IP address of the intended victim. If the routing
device delivering traffic to those broadcast addresses delivers the
IP broadcast to all hosts (for example via a layer 2 broadcast), most
hosts on that IP network will take the ICMP echo request and reply to
it with an echo reply, multiplying the traffic by the number of hosts
responding. On a multi-access broadcast network, hundreds of machines
might reply to each packet.
In the late 1990s, many IP networks would participate in Smurf attacks (that is, they would respond to pings sent to broadcast addresses). Today, thanks largely to the ease with which administrators can make a network immune to this abuse, very few networks remain vulnerable to Smurf attacks.
The fix is two-fold:
• Configure individual hosts and routers not to respond to ICMP echo requests sent to broadcast addresses (on Linux this is the net.ipv4.icmp_echo_ignore_broadcasts sysctl, which is enabled by default).
• Configure routers not to forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default, but in that year the standard was changed (RFC 2644) to require the default to be not to forward.
SNOOPING:
Snooping, in a
security context, is unauthorized access to another person's or
company's data. The practice is similar to eavesdropping but is not
necessarily limited to gaining access to data during its
transmission. Snooping can include casual observance of an e-mail
that appears on another's computer screen or watching what someone
else is typing. More sophisticated snooping uses software programs to
remotely monitor activity on a computer or network device.
Malicious
hackers (crackers) frequently use snooping techniques and equipment
such as key-loggers to monitor keystrokes, capture passwords and
login information, and to intercept e-mail and other private
communications and data transmissions. Corporations sometimes snoop
on employees legitimately to monitor their use of business computers
and track Internet usage; governments may snoop on individuals to
collect information and avert crime and terrorism.
Although
snooping has a negative connotation in general, in computer
technology snooping can refer to any program or utility that performs
a monitoring function. For example, a snoop server is used to capture
network traffic for analysis, and the snooping protocol monitors
information on a computer bus to ensure efficient processing.
What
is Active Directory?
Active Directory (AD) is the directory service used on Microsoft Windows based computers and servers to store information about networks and domains: users, computers, groups, policies and the relationships between them. It was first announced in 1996 and first shipped with Windows 2000.
An
active directory (sometimes referred to as an AD) does a variety of
functions including the ability to provide information on objects,
helps organize these objects for easy retrieval and access, allows
access by end users and administrators and allows the administrator
to set security up for the directory.
Active Directory is a hierarchical structure, commonly described in terms of three categories: resources (hardware such as printers), services for end users (such as e-mail or web servers), and objects, which represent the users, computers and other entities of the domain and network.
The framework for objects deserves a closer look. An object can represent a piece of hardware such as a printer, an end user, or a security setting defined by the administrator, and container objects can hold other objects. Every object has a name and a unique identifier, and each has attributes that describe it. The set of rules that defines which classes of object exist and which attributes each may carry is called the schema; it is the schema, not the individual object, that provides these characterizations.
The schema also governs what can be done with objects. Schema definitions themselves cannot be deleted, only deactivated, whereas ordinary objects can usually be deleted entirely. For instance, a user object can be deleted, but the built-in Administrator account cannot be deleted (it can only be renamed or disabled).
When learning Active Directory, it is important to know the levels at which objects are organized. An Active Directory can be viewed at one of three levels: forests, trees and domains. The forest is the highest structure: it contains every object in the directory, and all of its domains share a common schema and global catalog.
Within the forest are trees, each holding one or more domains that share a contiguous DNS namespace; going further down are the individual domains. To put forests, trees and domains into perspective, consider the following example.
A large organization has many dozens of users and processes. The forest might encompass the entire network of end users and computers at a set location. Within this forest are trees holding domains, and within each domain are the objects, such as users, computers, domain controllers and groups, which can then be controlled and categorized.
How
are Active Directories used?
If
you are a computer administrator for a large corporation or
organization, you can easily update all end users computers with new
software, patches, files, etc simply by updating one object in a
forest or tree.
Because each object conforms to the schema and has specific attributes, a network administrator can easily grant some users access to certain applications or deny access to others. Windows servers use trusts between domains to decide whether an account from one domain may be authenticated by another. Two types of trust that Active Directory uses are two-way transitive trusts and one-way non-transitive trusts. A transitive trust extends beyond two domains: if domain A trusts B and B trusts C, then A also trusts C, so accounts from any domain in a forest can be authenticated in any other. The parent-child and tree-root trusts within a forest are two-way and transitive and are created automatically.
A one-way non-transitive trust allows accounts from one domain to be authenticated in another, but not the reverse, and it does not extend to any further domains; such trusts are created explicitly, for example to a domain in another forest. Note that a trust only makes authentication possible; what an account can then access is still governed by the permissions set on the individual resources.
It
is important to note that active directories are a great way to
organize a large organization or corporation's computers data and
network. Without an active directory, most end users would have
computers that would need to be updated individually and would not
have access to a larger network where data can be processed and
reports can be created. While active directories can be extremely
technical and require lots of expertise to navigate, they are
essential to storing information and data on networks.
What
is an Intrusion Detection System (IDS)?
An
Intrusion Detection System (IDS) is a system for detecting misuse of
network or computer resources.
An
IDS will have a number of sensors it utilizes to detect intrusions.
Example sensors may be:
• A
sensor to monitor TCP connection requests.
• Log
file monitors.
• File
integrity checkers.
The
IDS system is responsible for collecting data from its sensors and
analyzing this data to give the security administrator notice of
malicious activity on the network.
IDS
technologies are commonly divided into NIDS (Network Intrusion
Detection Systems) and HIDS (Host Intrusion Detection Systems).
Newer
NIDS also attempt to act as NIPS (Network Intrusion Prevention
Systems).
Snort
is an excellent open source Network Intrusion Detection System.
What
is a Packet Sniffer?
Packet
Sniffing
Packet
sniffing is listening (with software) to the raw network device for
packets that interest you. When your software sees a packet that fits
certain criteria, it logs it to a file. The most common criteria for
an interesting packet is one that contains words like "login"
or "password."
To
do packet sniffing, you will have to obtain or code a packet sniffer
that is capable of working with the type of network interface
supported by your operating system:
Network
interfaces include:
• LLI
• NIT
(Network Interface Tap)
• Ultrix
Packet Filter
• DLPI
(Data Link Provider Interface)
• BPF
(Berkeley Packet Filter)
LLI
was a network interface used by SCO, which has been augmented with
DLPI support as of SCO OpenServer Release V.
NIT
was a network interface used by Sun, but has been replaced in later
releases of SunOS/Solaris with DLPI.
Ultrix
supported the Ultrix Packet Filter before Digital implemented support
for BPF
What
is TLS (Transport Layer Security)?
TLS (Transport Layer Security), first defined in RFC 2246 (TLS 1.0; the current version, TLS 1.3, is RFC 8446), is a protocol for establishing a secure connection between a client and a server. TLS is capable of authenticating both the client and the server and creating an encrypted connection between the two.
The TLS protocol is extensible: new algorithms for key exchange, authentication, encryption and integrity protection can be added, as long as both the server and the client support them. The combinations on offer are negotiated as cipher suites during the handshake.
SSL
vs. TLS
TLS
(Transport Layer Security) is a replacement for Netscape's earlier
SSL (Secure Sockets Layer) protocol.
TLS
Usage
Many protocols use TLS (Transport Layer Security) to establish secure connections, including HTTP, IMAP, POP3, and SMTP.
What
is a Denial of Service (DoS) attack?
A Denial of Service (DoS) attack is an attack which attempts to prevent the victim from being able to use all or part of their network connection or network services.
A denial of service attack may target a user, to prevent them from making outgoing connections on the network. A denial of service may also target an entire organization, either to prevent outgoing traffic or to prevent incoming traffic to certain network services, such as the organization's web site.
Denial
of service attacks are much easier to accomplish than remotely
gaining administrative access to a target system. Because of this,
denial of service attacks have become very common on the Internet.
Types
of Denial of Service (DoS) attacks
These
are a few of the classic denial of service attacks. Most of these
rely upon weaknesses in the TCP/IP protocol. Vendor patches and
proper network configuration have made most of these denial of
service attacks difficult or impossible to accomplish.
Flood Attack
The earliest form of denial of service attack was the flood attack. The attacker simply sends more traffic than the victim can handle. This requires the attacker to have a faster network connection than the victim. This is the lowest-tech of the denial of service attacks, and also the most difficult to completely prevent.
Ping of Death Attack
The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems which copied the Berkeley network code. The ping of death was simply sending ping packets larger than 65,535 bytes to the victim. This denial of service attack was as simple as:
ping -l 86600 victim.org
SYN Attack
In the TCP protocol, handshaking of network connections is done with SYN and ACK messages. The system that wishes to communicate sends a SYN message to the target system. The target system then responds with an ACK message. In a SYN attack, the attacker floods the target with SYN messages spoofed to appear to be from unreachable Internet addresses. Because those addresses never answer, the half-open connections fill up the buffer space for SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.
Teardrop Attack
The Teardrop Attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.
Smurf Attack
In the Smurf Attack, the attacker sends a ping request to a broadcast address at a third party on the network. This ping request is spoofed to appear to come from the victim's network address. Every system within the broadcast domain of the third party will then send ping responses to the victim.
Distributed Denial of Service (DDoS) attacks
A Distributed Denial of Service (DDoS) attack is a denial of service attack which is mounted from a large number of locations across the network.
DDoS attacks are usually mounted from a large number of compromised systems. These systems may have been compromised by a trojan horse or a worm, or they might have been compromised by being hacked manually.
These compromised systems are usually controlled with a fairly sophisticated piece of client-server software such as Trinoo, Tribe Flood Network, Stacheldraht, TFN2K, Shaft, and Mstream.
The Mydoom worm attempted DDoS attacks against SCO and Microsoft from the systems which it infected.
DDoS attacks can be very difficult to defend against.
What is IP Address Spoofing?
IP address spoofing denotes the action of generating IP packets with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. Spoofing can also refer to forging or using fake headers on emails or netnews, again to protect the identity of the sender and to mislead the receiver or the network as to the origin and validity of the sent data.
Basics of IP Address Spoofing
The Internet Protocol, or IP, is the fundamental protocol for sending and receiving data over computer networks and the Internet. With the Internet Protocol, each packet sent or received contains information relevant to the operation, such as the source and the destination of the packet. With IP address spoofing, the information placed in the source field is not the actual source of the packet. By using a different address in the source field of the packet, the actual sender can make it look like the packet was sent by another computer, and thus the response of the target computer will be sent to the fake address specified in the packet, unless the attacker arranges to redirect the response to his own computer.
Effects of IP Address Spoofing
IP address spoofing is very useful especially in the case of denial of service (DoS) attacks, where large amounts of information are sent to a target computer or system without the perpetrators caring about the response of the target systems. This type of attack is especially effective since the attack packets seem to be coming from different sources, and thus the perpetrators are hard to trace.
Hackers using IP address spoofing frequently make use of randomly chosen IP addresses from the entire spectrum of IP address space, while some more advanced hackers only use the unregistered portions of the IP address range. IP address spoofing, however, is less effective than using botnets for DoS attacks, because it can be monitored by Internet authorities using the backscatter technique, which can identify a DoS attack based on the number of invalid IP addresses used in the attack. Nevertheless, it remains a viable alternative for hackers.
IP address spoofing is also a very useful tool in infiltrating networks and overcoming network security measures. This happens when IP address spoofers use a trusted IP address within the network and thus circumvent the need to provide a username or password to log in to the system. This sort of attack generally is based on a specific set of host controls (such as rhosts) that are configured insecurely.
IP Address Spoofing Defense
Ingress filtering, that is, packet filtering of the traffic entering the network from outside, is an effective way of defending against IP address spoofing, since it can determine whether a packet claiming an internal source address actually came from inside or outside the network. Likewise, egress filtering can block packets with spoofed source addresses from leaving the network and being used to launch an attack on other networks.
Upper layer protocols such as TCP (Transmission Control Protocol), in which sequence numbers are used to establish a connection with other systems, are also an effective way of defending against IP address spoofing.
Turning off source routing (loose and strict) on your network routers can also assist in preventing hackers from taking advantage of many spoofing features. Source routing was a technology used widely in the past to prevent a single network fault from causing a major network outage, but the current routing protocols on the Internet today make it all but unnecessary.
What are the main Online Security Threats?
Just about anyone that gets online is at risk. Online security threats are one of the biggest challenges on the Internet today. The problem is that the people that want to attack your computer and the computers of the people that you know don't create elaborate methods to cause problems; instead they focus on common failures that will give them access. When those that get on the Internet know how these attacks take place, these attacks can be lessened and even prevented in most cases.
The best thing you can do if you get on the Internet at all is to use security software and hardware such as firewalls and authentication servers, as this is the most effective way to protect your computer and your personal information. The problem is that every day there are new viruses and security threats launched all over the Internet, which means you need programs that can be updated continuously and don't just target one specific type of problem. It's best if you choose hardware and software that will update itself each time you are on the Internet, without you having to remember. It's also very important that you choose your passwords carefully, so that those that might want access to your information won't be able to guess what password you might use.
Some of the main online security threats are:
Web servers and services
Many default HTTP web servers expose visitors every time they log on to these websites. You should be sure that you have applied the patches that have been released over the last few years and that your computer isn't running a default configuration.
Password Protection
Passwords are undeniably a huge part of your online security. You'll find that almost every website that you visit that deals with online transactions, emailing, and shopping uses passwords to verify you are who you say you are. This means that you not only need to choose a password that cannot easily be figured out, but you should also keep it safe and secure and not share it with anyone. Do not use the same password for all of your accounts, and try to come up with a password that contains letters, numbers, and special characters.
Windows remote access services
Most systems provide methods for remote access, which can be great when you need to access your information from other places, but it means that other people with the right tools might be able to access your information as well. If you use remote access services you should be sure that you are using good firewall protection as well as other security software that will help you prevent unauthorized access by anyone but you and those that you authorize.
File sharing applications
File sharing programs are used by many computer users to share files. Peer-to-peer file sharing is an easy way to share files between computer users, as it uses a network to link the computers to one another so the information can be shared. The problem is that this allows hackers easy access to search and even download files from any computer on the network. Most experts warn that it simply is not a good idea to use peer-to-peer programs to share files.
Instant messaging
Instant messaging is a common enough means of communication, but it is often used by hackers to attack one's system. Configuring your instant messaging services properly, so that you have complete control over any file transfer that can take place through instant messaging, can easily prevent this.
Mail client
Many hackers use email as a means to spread devastating viruses and worms by including them as attachments in emails. This can be prevented or limited by configuring your mail server properly so that you can block suspicious attachments or files.
LSASS exposures
The Windows Local Security Authority Subsystem is a place of vulnerability for most victims. This system has had a major buffer overflow that most hackers know how to exploit to take over control of your computer. Proper configuration and use of security patches can help one avoid this threat.
Spyware Attacks
Spyware attacks are something that we are probably all familiar with, as they are the most common online security threat faced by Internet users. Spyware is simply a computer program that is designed to steal information from your computer without your knowledge. The software will typically be installed on your computer without you even knowing it, and then it will send your personal information such as documents, passwords, credit card numbers, bank accounts, and many others to another source. Common spyware includes Trojan horses, key loggers, dialers, and adware programs.
Trusted anti-spyware programs that are available will help protect your computer from spyware. Do not simply download software that you have never heard of; instead, stick with the names that you know. You should also take care to scan all files before they are downloaded.
Online threats are very real, but if you know how you become vulnerable, you'll be able to better protect yourself. You should be able to get online without constantly worrying, and you can
What is Access Control?
Access control is a term taken from the linguistic world of security. In general, it means the enforcement of limitations and restrictions on whoever tries to enter a certain protected property. Guarding an entrance against a person is also a practice of access control. There are many types of access control. Some of them are mentioned in this article. You, the reader of this article, will have several types of access control around you.
Access Control for Computers (Anti-Virus etc)
Nowadays, almost every computer user has a firewall or antivirus running on his computer, a popup blocker and many other programs. All of these have access control functions. All of these programs guard us from intruders of sorts. They inspect everything trying to enter the computer and let it in or keep it out. Computers have complicated access control abilities. They ask for authentication and check for digital signatures.