
Cyber Security Essentials [electronic resource]




DOCUMENT INFORMATION

Basic information

Pages: 332
Size: 6.01 MB

Content

Back cover

The sophisticated methods used in recent high-profile cyber incidents have driven many to need to understand how such security issues work. Demystifying the complexity often associated with information assurance, Cyber Security Essentials provides a clear understanding of the concepts behind prevalent threats, tactics, and procedures. To accomplish this, the team of security professionals from VeriSign's iDefense® Security Intelligence Services supplies an extensive review of the computer security landscape. Although the text is accessible to those new to cyber security, its comprehensive nature makes it ideal for experts who need to explain how computer security works to non-technical staff. Providing a fundamental understanding of the theory behind the key issues impacting cyber security, the book:

• Covers attacker methods and motivations, exploitation trends, malicious code techniques, and the latest threat vectors
• Addresses more than 75 key security concepts in a series of concise, well-illustrated summaries designed for most levels of technical understanding
• Supplies actionable advice for the mitigation of threats
• Breaks down the code used to write exploits into understandable diagrams

This book is not about the latest attack trends or botnets. It's about the reasons why these problems continue to plague us. By better understanding the logic presented in these pages, readers will be prepared to transition to a career in the growing field of cyber security and enable proactive responses to the threats and attacks on the horizon.

Information Security / Network Security
ISBN: 978-1-4398-5123-4
Graham, Howard, Olson
K12343
www.auerbach-publications.com
www.crcpress.com

Title page

CYBER SECURITY ESSENTIALS
Edited by James Graham, Richard Howard, Ryan Olson
Auerbach Publications, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

Copyright page

© 2011 by Taylor and Francis Group, LLC. Auerbach Publications is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Printed in the United States of America on acid-free paper. 10 9 8 7 6 5 4 3 2 1

International Standard Book Number-13: 978-1-4398-5126-5 (Ebook-PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users.
For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com

Contents

A Note from the Executive Editors
About the Authors
Contributors

Chapter 1 Cyber Security Fundamentals
  1.1 Network and Security Concepts
    1.1.1 Information Assurance Fundamentals
      1.1.1.1 Authentication
      1.1.1.2 Authorization
      1.1.1.3 Nonrepudiation
      1.1.1.4 Confidentiality
      1.1.1.5 Integrity
      1.1.1.6 Availability
    1.1.2 Basic Cryptography
    1.1.3 Symmetric Encryption
      1.1.3.1 Example of Simple Symmetric Encryption with Exclusive OR (XOR)
      1.1.3.2 Improving upon Stream Ciphers with Block Ciphers
    1.1.4 Public Key Encryption
    1.1.5 The Domain Name System (DNS)
      1.1.5.1 Security and the DNS
    1.1.6 Firewalls
      1.1.6.1 History Lesson
      1.1.6.2 What's in a Name?
      1.1.6.3 Packet-Filtering Firewalls
      1.1.6.4 Stateful Firewalls
      1.1.6.5 Application Gateway Firewalls
      1.1.6.6 Conclusions
    1.1.7 Virtualization
      1.1.7.1 In the Beginning, There Was Blue…
      1.1.7.2 The Virtualization Menu
      1.1.7.3 Full Virtualization
      1.1.7.4 Getting a Helping Hand from the Processor
      1.1.7.5 If All Else Fails, Break It to Fix It
      1.1.7.6 Use What You Have
      1.1.7.7 Doing It the Hard Way
      1.1.7.8 Biting the Hand That Feeds
      1.1.7.9 Conclusion
    1.1.8 Radio-Frequency Identification
      1.1.8.1 Identify What?
      1.1.8.2 Security and Privacy Concerns
  1.2 Microsoft Windows Security Principles
    1.2.1 Windows Tokens
      1.2.1.1 Introduction
      1.2.1.2 Concepts behind Windows Tokens
      1.2.1.3 Access Control Lists
      1.2.1.4 Conclusions
    1.2.2 Window Messaging
      1.2.2.1 Malicious Uses of Window Messages
      1.2.2.2 Solving Problems with Window Messages
    1.2.3 Windows Program Execution
      1.2.3.1 Validation of Parameters
      1.2.3.2 Load Image, Make Decisions
      1.2.3.3 Creating the Process Object
      1.2.3.4 Context Initialization
      1.2.3.5 Windows Subsystem Post Initialization
      1.2.3.6 Initial Thread … Go!
      1.2.3.7 Down to the Final Steps
      1.2.3.8 Exploiting Windows Execution for Fun and Profit
    1.2.4 The Windows Firewall
  References

Chapter 2 Attacker Techniques and Motivations
  2.1 How Hackers Cover Their Tracks (Antiforensics)
    2.1.1 How and Why Attackers Use Proxies
      2.1.1.1 Types of Proxies
      2.1.1.2 Detecting the Use of Proxies
      2.1.1.3 Conclusion
    2.1.2 Tunneling Techniques
      2.1.2.1 HTTP
      2.1.2.2 DNS
      2.1.2.3 ICMP
      2.1.2.4 Intermediaries, Steganography, and Other Concepts
      2.1.2.5 Detection and Prevention
  2.2 Fraud Techniques
    2.2.1 Phishing, Smishing, Vishing, and Mobile Malicious Code
      2.2.1.1 Mobile Malicious Code
      2.2.1.2 Phishing against Mobile Devices
      2.2.1.3 Conclusions
    2.2.2 Rogue Antivirus
      2.2.2.1 Following the Money: Payments
      2.2.2.2 Conclusion
    2.2.3 Click Fraud
      2.2.3.1 Pay-per-Click
      2.2.3.2 Click Fraud Motivations
      2.2.3.3 Click Fraud Tactics and Detection
      2.2.3.4 Conclusions
  2.3 Threat Infrastructure
    2.3.1 Botnets
    2.3.2 Fast-Flux
    2.3.3 Advanced Fast-Flux
  References

Chapter 3 Exploitation
  3.1 Techniques to Gain a Foothold
    3.1.1 Shellcode
    3.1.2 Integer Overflow Vulnerabilities
    3.1.3 Stack-Based Buffer Overflows
      3.1.3.1 Stacks upon Stacks
      3.1.3.2 Crossing the Line
      3.1.3.3 Protecting against Stack-Based Buffer Overflows
      3.1.3.4 Addendum: Stack-Based Buffer Overflow Mitigation
    3.1.4 Format String Vulnerabilities
    3.1.5 SQL Injection
      3.1.5.1 Protecting against SQL Injection
      3.1.5.2 Conclusion
    3.1.6 Malicious PDF Files
      3.1.6.1 PDF File Format
      3.1.6.2 Creating Malicious PDF Files
      3.1.6.3 Reducing the Risks of Malicious PDF Files
      3.1.6.4 Concluding Comments
    3.1.7 Race Conditions
      3.1.7.1 Examples of Race Conditions
      3.1.7.2 Detecting and Preventing Race Conditions
      3.1.7.3 Conclusion
    3.1.8 Web Exploit Tools
      3.1.8.1 Features for Hiding
      3.1.8.2 Commercial Web Exploit Tools and Services
      3.1.8.3 Updates, Statistics, and Administration
      3.1.8.4 Proliferation of Web Exploit Tools Despite Protections
    3.1.9 DoS Conditions
    3.1.10 Brute Force and Dictionary Attacks
      3.1.10.1 Attack
  3.2 Misdirection, Reconnaissance, and Disruption Methods
    3.2.1 Cross-Site Scripting (XSS)
    3.2.2 Social Engineering
    3.2.3 WarXing
    3.2.4 DNS Amplification Attacks
      3.2.4.1 Defeating Amplification
  References

Chapter 4 Malicious Code
  4.1 Self-Replicating Malicious Code
    4.1.1 Worms
    4.1.2 Viruses
  4.2 Evading Detection and Elevating Privileges
    4.2.1 Obfuscation
    4.2.2 Virtual Machine Obfuscation
    4.2.3 Persistent Software Techniques
      4.2.3.1 Basic Input–Output System (BIOS)/Complementary Metal-Oxide Semiconductor (CMOS) and Master Boot Record (MBR) Malicious Code
      4.2.3.2 Hypervisors
      4.2.3.3 Legacy Text Files
      4.2.3.4 Autostart Registry Entries
      4.2.3.5 Start Menu "Startup" Folder
      4.2.3.6 Detecting Autostart Entries
    4.2.4 Rootkits
      4.2.4.1 User Mode Rootkits
      4.2.4.2 Kernel Mode Rootkits
      4.2.4.3 Conclusion
    4.2.5 Spyware
    4.2.6 Attacks against Privileged User Accounts and Escalation of Privileges
      4.2.6.1 Many Users Already Have Administrator Permissions
      4.2.6.2 Getting Administrator Permissions
      4.2.6.3 Conclusion
    4.2.7 Token Kidnapping
    4.2.8 Virtual Machine Detection
      4.2.8.1 Fingerprints Everywhere!
      4.2.8.2 Understanding the Rules of the Neighborhood
      4.2.8.3 Detecting Communication with the Outside World
      4.2.8.4 Putting It All Together
      4.2.8.5 The New Hope
      4.2.8.6 Conclusion
  4.3 Stealing Information and Exploitation
    4.3.1 Form Grabbing
    4.3.2 Man-in-the-Middle Attacks
      4.3.2.1 Detecting and Preventing MITM Attacks
      4.3.2.2 Conclusion
    4.3.3 DLL Injection
      4.3.3.1 Windows Registry DLL Injection
      4.3.3.2 Injecting Applications
      4.3.3.3 Reflective DLL Injections
      4.3.3.4 Conclusion
    4.3.4 Browser Helper Objects
      4.3.4.1 Security Implications
  References

Chapter 5 Defense and Analysis Techniques
  5.1 Memory Forensics
    5.1.1 Why Memory Forensics Is Important
    5.1.2 Capabilities of Memory Forensics
    5.1.3 Memory Analysis Frameworks
    5.1.4 Dumping Physical Memory
    5.1.5 Installing and Using Volatility
    5.1.6 Finding Hidden Processes
    5.1.7 Volatility Analyst Pack
    5.1.8 Conclusion
[...]

Preview excerpts (gaps in the preview are marked with …)

From "A Note from the Executive Editors":

This is not your typical security book. Other books of this genre exist to prepare you for certification or to teach you how to use a tool, but none explains the concepts behind the security threats impacting enterprises every day in a manner and format conducive to quick understanding. It is similar to a …

… how to run a UNIX machine. This book has no code samples. It is not a "how-to" book on hacking skills. This book, instead, covers key security concepts and what they mean to the enterprise in an easy-to-read format that provides practical information and suggestions for common security problems. The essays in this book are short, designed to bring a reader up to speed on a subject very quickly. They are not …

… how-to's and FAQs and any other critical information that a soldier cannot afford to forget. In summary, we took the liberty of building a cyber security smart book for you. This book builds on the methods that all these types of books use. The contents are inspired by the cyber security experts around the world who are continuously learning new concepts or who have to explain old concepts to bosses, peers, …

… person in your security organization. When you need a refresher or you need to learn something new, start here. That's what we intend it to do for you.

From "About the Authors":

This book is the direct result of the outstanding efforts of a talented pool of security analysts, editors, business leaders, and security professionals, all of whom work for iDefense® Security Intelligence …

… iDefense is an open-source, cyber security intelligence operation that maintains expertise in vulnerability research and alerting, exploit development, malicious code analysis, underground monitoring, and international actor attribution. iDefense provides intelligence products to Fortune 1,000 companies and "three-letter agencies" in various world governments. iDefense also maintains the Security Operations …

… mandated by the US government to facilitate information sharing throughout the country's business sectors. iDefense has the industry-unique capability of determining not only the technical details of cyber security threats and events (the "what," the "when," and the "where"), but because of their international presence, iDefense personnel can ascertain the most likely actors and motivations behind these …

From Chapter 1, Cyber Security Fundamentals, section 1.1 Network and Security Concepts, 1.1.1 Information Assurance Fundamentals:

Authentication, authorization, and nonrepudiation are tools that system designers can use to maintain system security with respect to confidentiality, integrity, and availability. Understanding each of these six concepts and how they relate to one another helps security professionals design and implement secure systems. Each component is critical to overall security, with the failure of any one component resulting in potential system compromise. There are three key concepts, known as the CIA triad, which anyone who protects an information system must understand: confidentiality, integrity, and availability. Information security professionals are dedicated to ensuring the protection of these …

… that security professionals must understand to enforce the CIA principles properly: authentication, authorization, and nonrepudiation. In this section, we explain each of these concepts and how they relate to each other in the digital security realm. All definitions used in this section originate from the National Information Assurance Glossary (NIAG) published by the U.S. Committee on National Security …

… through. Understanding the components of the CIA triad and the concepts behind how to protect these principles is important for every security professional. Each component acts like a pillar that holds up the security of a system. If an attacker breaches any of the pillars, the security of the system will fall. Authentication, authorization, and nonrepudiation are tools that system designers can use to maintain …
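The Chapter 1 excerpt above separates the three tools (authentication, authorization, nonrepudiation) from the three properties they protect (confidentiality, integrity, availability) but, as the editors say, the book carries no code. The following Go program is an editor's addition, not material from the book or from iDefense, and it shows the distinction concretely: an HMAC establishes integrity and authentication of origin among holders of a shared key, an allow-list answers the separate authorization question only after authentication has succeeded, and an Ed25519 signature adds the one thing a MAC cannot give, nonrepudiation, because the verifier of a MAC can forge one while the verifier of a signature cannot. The ACL contents and the "principal|action|object" request format are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Principal is an identity that the system has already established by authentication.
type Principal string

// acl is a constructed allow-list for this example: principal -> permitted actions.
var acl = map[Principal]map[string]bool{
	"alice": {"read": true, "write": true},
	"bob":   {"read": true},
}

// MACTag computes HMAC-SHA256 over msg with a key shared by sender and receiver.
func MACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MACAuthenticate gives integrity (any change to msg breaks the tag) and
// authentication of origin among the holders of key. hmac.Equal compares in
// constant time, so the check itself does not leak how many tag bytes matched.
func MACAuthenticate(key, msg, tag []byte) bool {
	return hmac.Equal(MACTag(key, msg), tag)
}

// Authorize answers a different question from authentication: not "who is this?"
// but "may this already-identified principal perform action?". Unknown principals
// and unknown actions fall through to false (default deny).
func Authorize(p Principal, action string) bool {
	return acl[p][action]
}

// AuthorizeRequest wires the two together in the only safe order: verify the MAC
// first, and consult the ACL only for a request whose origin and integrity are
// established. The wire format "principal|action|object" is constructed here.
func AuthorizeRequest(key, req, tag []byte) (bool, string) {
	if !MACAuthenticate(key, req, tag) {
		return false, "authentication failed"
	}
	parts := strings.Split(string(req), "|")
	if len(parts) != 3 {
		return false, "malformed request"
	}
	if !Authorize(Principal(parts[0]), parts[1]) {
		return false, "authorization failed"
	}
	return true, "ok"
}

// VerifierCanForgeMAC shows why a MAC gives authentication but not nonrepudiation:
// the receiver holds the same key, so it can mint a valid tag for a message the
// sender never sent, and the sender can credibly deny having sent anything.
func VerifierCanForgeMAC(sharedKey []byte) bool {
	forged := []byte("alice|write|forged.txt")
	return MACAuthenticate(sharedKey, forged, MACTag(sharedKey, forged))
}

// Sign and VerifySignature use Ed25519. Only the private-key holder can produce a
// signature that verifies under the public key, so a valid signature is evidence
// the verifier could not have manufactured: that is what nonrepudiation adds.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	req := []byte("alice|write|report.txt")
	tag := MACTag(key, req)
	fmt.Println(AuthorizeRequest(key, req, tag))                            // true ok
	bobReq := []byte("bob|write|report.txt")
	fmt.Println(AuthorizeRequest(key, bobReq, tag))                         // false authentication failed (tag covers a different message)
	fmt.Println(AuthorizeRequest(key, bobReq, MACTag(key, bobReq)))         // false authorization failed
	fmt.Println("receiver can forge a MAC:", VerifierCanForgeMAC(key))      // true

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, req)
	fmt.Println("signature verifies:", VerifySignature(pub, req, sig)) // true
	req[0] ^= 1                                                        // tampering with the signed bytes breaks the signature
	fmt.Println("after tampering:", VerifySignature(pub, req, sig))    // false
}
```

The order inside AuthorizeRequest is the point a practitioner should take away: an ACL consulted before the request is authenticated decides on a name the attacker chose, and a tag that verifies is still not proof to a third party, since anyone holding the key could have produced it.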

Posted: 31/05/2014, 00:02
