Wednesday, July 04, 2007

Types of Vulnerabilities and Their Impacts:

With all of the different types of vulnerabilities and security warnings these days, one of the most often asked questions is in regards to what it is that all of the various types of attacks actually do. If we take a step back in time and look at what some of the early attacks did, it puts into perspective just how sophisticated and damaging the latest attacks have come. Attacks on computers and the data they contain have come a long way in a very short time. With most of our computers now networked and attached to the Internet, our data can be attacked from far, far away, and the results can be devastating. The attackers have also found that stealing data, finding weaknesses, and disrupting services are all lucrative endeavors that other thieves are willing to pay for. And if you haven't already, see my review of TechEd 2007 for more information on security and attacks.


A Look Back at Some Early Computer Attacks:

Let’s go way back to the day of the early PC when they were not yet networked to any great extent. The networking architecture back in the day was known as “sneaker-net” where the method of sharing files was literally by manually sharing floppy disks and physically handing them from person to person. “Sneaker-net” got its name because of the idea that you had to put on your sneakers to make the long journey to get the disk to the person who you wanted to share with. The most common type of attack at that time was the virus. WORMS and backdoors typically weren’t useful because of the lack of remote connectivity. Trojan horses were usually not in the form of remote access programs, but they did exist in the type that looked like usable programs, and they would perform some other hidden function such as corrupting files or erasing the hard drive.

In those days, viruses typically got onto a computer by someone putting an infected floppy disk into the machine. This was often by way of an infected game program, or someone using the same disks they used at school in their computers at home. There were a lot of viruses on college campus computers in those days, making it fairly common to catch a virus by using a computer at school. I remember when I took a computer hardware repair course at a local junior college back in the early 90’s: I built a completely separate computer at home to do all my labs and class homework, aside from the computer I used to do all my word processing and other work to prevent getting a virus on my main machine. There was also a lot of software swapping (today we call it piracy), and it wouldn’t be uncommon at all for people to pass infected disks to many people. I remember being called to check out one of the office PCs where I worked and found a computer screen displaying the message: “Your computer has just been Stoned.” The Stoned virus was a very common early virus and would format the hard drive, then display that or a similar message. I asked the person what they had been running, or particularly had installed on the computer lately, and the reply was (of course) “Nothing!” I looked beside the computer to see a floppy diskette containing a golf game. I scanned the floppy, and sure enough, there was the Stoned virus.

Back then the main damage caused by viruses ranged from an annoying pop-up message of some sort, to a complete format of the hard drive. Some viruses would go off randomly, some would go off on a particular day and time. The “Joshi” virus, for example, always went off on the day of the year of Joshi’s birthday - the virus writer had dedicated a virus to their dead son. Remember Michelangelo? Same type of virus – went off on a particular day. Since computers weren’t typically networked, and the Internet was not used by us common folk, the concept of the WORM did not yet really exist. Neither did the idea exist of people stealing data or damaging systems over a network or the Internet itself. But now, with networks and the Internet being such ubiquitous parts of our lives, “sniffing” network packets to steal passwords, intercepting and altering data before sending it on to the correct recipient, and even using tactics to deny access to certain web sites or databases are some of the very common attack methods.
Today, we have networks, the Internet, email, and a variety of other ways for computers to be attacked by others who may even be on an entirely different continent. I remember in 1990, there were fewer than 1,000 viruses. Last I checked there were over 50,000 viruses, including their variant forms. When I attended the recent Microsoft TechEd conference (see my review here), it was revealed that 82% of all email today is SPAM. Much of the SPAM out there these days contains phishing attacks and links to malicious sites.

Another startling fact that was mentioned was that there were currently 3,700 distinctly different malicious types of one particular type of image file that exploits the WMF vulnerability found in early 2006. There are also 38 million plus pieces of other potentially unwanted (PUP) software circulating on the Internet. We also have WORMS, Trojan Horses, backdoors, remote exploits, and a variety of other ways for our computers to be vulnerable.

So I wanted to take a look at some of the more common types of attacks and what kinds of impacts they can have. I am discussing the attack impacts in this article – but the attack itself can come in the form of any of the methods I just mentioned, as well as by attackers luring users to malicious web sites or convincing them to open an infected email attachment, in an attack method known as social engineering. The various attack vectors are too many to mention here, but I thought it important to at least discuss the impacts that attacks commonly present. The bad news is that this article only scratches the surface of what is out there.
Keep in mind that the objective of any of these attacks is to violate security. The three basic tenets of computer security are the three basic parts of the C – I – A triad as defined below:

  • confidentiality: not exposing personal or sensitive information to unauthorized people;
  • integrity: Not having data altered so that it is inaccurate, incorrect, or unusable;
  • availability: Being able to get to your data or information services when you need to.

An attack can be focused on one or more of those three aspects of data security, and can come in a variety of ways. So let’s take a look at some of the various impacts on malicious attacks:


The Methodologies and Impacts:

File transfer location tampering: This mainly exists of capturing data in transit and re-routing it to a location other than that which was intended. If someone is transferring financial or other sensitive data, the attacker can get a hold of data for identity theft, corporate espionage, or other reasons. It is obvious that the data falling into the wrong hands is often a devastating problem and can result in serious damage to an individual or corporation. The attacker may make their attack less noticeable by capturing the data then forwarding the data on to the correct recipient. The intent is not to prevent data from being correctly transmitted. The intent in this case is to simply steal the data and use the information for financial gain. The criminal can get more mileage out of this attack by making it less noticeable that it is happening. A variety of methods can be used for this, including ARP poisoning, and various other methods used for “Man in The Middle” attacks.

Elevation of privileges: This is a very common result of an attack, and can lead to other types of attacks or more serious outcomes. If an attacker can get administrator level privileges to a computer, then they can basically do anything they want. This includes taking control of the computer, installing other malicious software, deleting files, changing configuration settings, and doing many other high-level tasks that only an administrator can do. This is why it is so important to use your computer (especially while on the Internet) as a limited user. If you are on the computer as a user with no administrative privileges, it makes it much more difficult for malicious code to run and do damage. Windows Vista addresses this very serious concern by implementing a feature called User Access Control (UAC) and having Internet Explorer operate in a limited user capacity.

Remote code execution: You are probably starting to already see that many of these attack outcomes do many of the same things. That is true. Remote code execution allows an attacker to remotely take control of a machine, run code, execute programs, and many other things that can lead to damage, data loss, data theft, or other things to damage your system. But additionally, if someone can remotely use your machine to execute code, they can also turn your computer into a “Zombie” and use it to attack other systems. This often results in what is known as a “Distributed Denial of Service (DDoS) attack. See “Denial of service” below for more information. The Windows Vista UAC feature mentioned above also helps to address this type of impact.

Denial of service (DoS): Remember the three parts of the information security triad are “Confidentiality,” “Integrity,” and “Availability.” This particular attack outcome is that of taking away the availability of your system, or other systems’ ability to access other system resources. There are a variety of ways to do this: crashing a system, tying up a system’s resources so that they can’t process data properly, or creating huge amounts of network traffic so that others trying to access a system cannot get to the system because of the sheer volume of traffic. If a process can drive your CPU’s usage up to 100%, then your computer is almost useless and you have a hard time getting work done because it is so slow. If a web server is flooded with bogus SYN packets (part of the process that is used to request a connection with a web server), then the web server cannot provide the requested web pages or other data.

Distributed Denial of Service (DDos): This is simply a case of all of the above attack attributes, mentioned in “Denial of Service,” being performed by many computers simultaneously. In fact, this may be a combination of the above attacks where some code has been planted on and executed from a compromised computer. These many “zombie” computers simply take commands from a central attacker to flood the network with attack packets and cause the target (web server as in the case above) to be literally flooded with connection requests, and no longer respond to anything. This means that the target is then unavailable, and thus “denying service” to all legitimate computers that try to connect.

Modifying information: This impact is specifically aimed at changing the integrity (the “I” in C-I-A). As in the case of file transfer location tampering mentioned above, the goal here is to intercept information before sending it on. However, the intent is to not just steal the information to use it for financial gain later. The intent of this type of attack may be for a few different reasons. In one example, the data may be modified so as to actually cause damage to an organization by making their data incorrect and therefore useless. The purposely injected errors may be extremely difficult to locate, causing extensive staff-hours of research to correct. Another example of the usefulness of this type of attack is to divert financial transaction amounts for financial gain. The easiest way to illustrate this is the case of someone billing you $100 dollars for goods or services that only cost $90 dollars. They input into the system that the services cost $90 dollars, that they billed you for $90 dollars, and that $90 was received from you. They then pocket the 0ther $10 dollars for themselves. You may have seen the movie Office Space” where the guys injected a so-called “virus” into the system that took the rounded interest (fractions of a penny) and diverted it to an off-shore account for themselves. To make a good plot, the plan backfired, and they ended up with way too much money and were in a position of being easily discovered. This is another aspect of this type of attack: To make the interception modification, and theft of data to be difficult to detect.

Spoofing: Simply doing any of the above, but making the attacker’s identity to appear as the identity of someone else is known as spoofing. This can manifest itself in a few different ways. One way is for an attacker to get your log in credentials, log in as (or appear to log in as) you, and perform tasks under your name. If Bob (the attacker) logs in as Gary, and deletes a bunch of files, the audit logs will show that Gary did it. Gary gets blamed and has a hard time proving it wasn’t him. Another type of spoofing comes in the case of DoS and DDos mentioned above, where requests for a web site, for example, are requested, but the return network address of the computer is purposely changed. The acknowledgement then gets sent to an address that either doesn’t exist, or is that of a computer that did not make the request. In the mean time, the web server is waiting for the remote computer’s acknowledgement to its acknowledgement (the SYN, SYN-ACK, ACK process in the TCP three-way handshake). This is one way in which DoS works – the target machine is tied up waiting for acknowledgements from a computer that doesn’t exist, and is then too busy to service legitimate requests.

Theft of sensitive information: As in the case of modifying file transfer locations, the primary purpose of this type of attack is as its name implies - to steal data. Remember, this is the “confidentiality” part of the C – I – A triad; exposing data to unauthorized people. Modifying file transfer locations involves intercepting data, stealing it, possibly modifying its contents, then possibly (or not) sending it on to its intended recipient. This is just outright theft. Many of the other previously mentioned impacts can contribute to a criminal’s ability to steal information. If an attacker can elevate their privileges on your machine, for example, they can browse all of the folders on your computer, not just the folders available under a limited user’s logon context. There may be a variety of reasons for stealing data from a computer, including using the data for identity theft purposes, stealing proprietary information, or stealing password files so as to crack them and use them to gain further system access.

Buffer overflow: A buffer is simply memory space used to temporarily store data. For example, your computer has buffers for receiving incoming communications until it has a chance to process it and put it into the appropriate place in memory for the working application to access and use to do work. This space is not infinite. If the buffer can purposely be filled up, in some cases the excess data will simply overflow (thus the term buffer overflow) out of the buffer and have unpredictable results. This type of attack simply involves sending a computer more data than it can handle so that excess data spills over into areas of memory used to execute code. One thing that attackers have found is that certain vulnerabilities exist that are susceptible to these buffer overflow attacks. They will craft a special package that contains a large amount of data, send it to your computer, the buffers will fill up, and the excess data will be overflowed to parts of memory where it can be executed. This code execution may result in things used to crash a computer, elevate privileges so that other attacks will work, or a variety of other undesirable things.


Wrapping It All Up:

Attacks come in many forms, and have many different purposes and impacts. These attacks are meant to do everything from being a minor annoyance, to disrupting service, to theft of data, and to outright destruction of computer information systems. As I mentioned in my review of the TechEd 2007 conference (see my article here), data thieves have found that personally identifiable information is worth money. Whereas the hackers of old just wanted attention, the bad guys doing the computer attacking these days are just criminals, plain and simple. They want to make a living either by stealing your data, stealing the data of a competing company, or interrupting service. When they find vulnerability and a way to exploit it, they can also sell the exploit methods for money as well. And they have found a variety of ways to conceal their attacks and make their consequences undetectable for a long time.

There is good news; many of the attack impacts mentioned here are preventable. Good antivirus software, malware protection, firewalls, and above all keeping patches up to date will help prevent many of the exploits. I have told people over and over abut the dangers of clicking on every single link they get in an email, especially when that email is from someone unknown to them. Even the emails from people whom you trust is susceptible these days, because attack methods can use your own address book and email client to send out mass emails without your knowledge, and the recipients will think it came from you. But that too is preventable; use diligence and awareness when browsing emails, and especially on the web.


Additional Resources: