Explain Vulnerability, Threat, Attack & Control in relation to Computer Intrusion.

 A vulnerability is a weakness in the security system, for example, in procedures, design, or

implementation, that might be exploited to cause loss or harm. For instance, a particular
system may be vulnerable to unauthorized data manipulation because the system does not
verify a user's identity before allowing data access.
 A threat to a computing system is a set of circumstances that has the potential to cause loss
or harm. There are many threats to a computer system, including human-initiated and
computer-initiated ones. We have all experienced the results of inadvertent human errors,
hardware design flaws, and software failures.
 A human who exploits vulnerability perpetrates an attack on the system. An attack can also
be launched by another system, as when one system sends an overwhelming set of messages
to another, virtually shutting down the second system's ability to function.. A threat is
blocked by control of vulnerability.

Various types of Threats.

 Four kinds of Threat: • Interception • Interruption • Modification • Fabrication

 An interception means that some unauthorized party has gained access to an asset. The
outside party can be a person, a program, or a computing system. Examples of this type of
failure are illicit copying of program or data files, or wiretapping to obtain data in a network.

 In an interruption, an asset of the system becomes lost, unavailable, or unusable. An

example is malicious destruction of a hardware device, erasure of a program or data file, or
malfunction of an operating system file manager so that it cannot find a particular disk file.

 If an unauthorized party not only accesses but tampers with an asset, the threat is a
modification. For example, someone change the values in a database, alter a program so that
it performs an additional computation, or modify data being transmitted electronically.

 In fabrication, an unauthorized party might create a fabrication of counterfeit objects on a

computing system. The intruder may insert spurious transactions to a network
communication system or add records to an existing database.

Various types of Malicious Code:

 There are several kinds of programs that can be used for interception or modification of data.
Malicious code or rogue program Virus Trojan horse
logic bomb trapdoor or backdoor Worm rabbit

 Malicious code or rogue program is the general name for unanticipated or undesired effects in
programs or program parts, caused by an agent intent on damage. The agent is the writer of the
program or the person who causes its distribution. By this definition, most faults found in software
inspections, reviews, and testing do not qualify as malicious code, because we think of them as
unintentional. This definition excludes unintentional errors, although they can also have a serious
negative effect. This definition also excludes coincidence, in which two benign programs combine for
a negative effect.
  Virus is a program that can replicate itself and pass on malicious code to other non-malicious
programs by modifying them. The term "virus" was coined because the affected program acts like a
biological virus: It infects other healthy subjects by attaching itself to the program and either
destroying it or coexisting with it. Because viruses are insidious, we cannot assume that a clean
program yesterday is still clean today. A good program can be modified to include a copy of the virus
program, so the infected good program itself begins to act as a virus, infecting other programs. The
infection usually spreads at a geometric rate, eventually overtaking an entire computing system and
spreading to all other connected systems.
 A transient virus has a life that depends on the life of its host; the virus runs when its attached
program executes and terminates when its attached program ends. (During its execution, the transient
virus may spread its infection to other programs.) A resident virus locates itself in memory; then it
can remain active or be activated as a stand-alone program, even after its attached program ends.
 A Trojan horse is malicious code that, in addition to its primary effect, has a second, malicious effect.
As an example of a computer Trojan horse, consider a login script that solicits a user's identification
and password, passes the identification information on to the rest of the system for login processing,
but also retains a copy of the information for later, malicious use. In this example, the user sees only
the login occurring as expected, so there is no evident reason to suspect that any other action took
place.
 A logic bomb is a class of malicious code that "detonates" or goes off when a specified condition
occurs.
 A time bomb is a logic bomb whose trigger is a time or date.
 A trapdoor or backdoor is a feature in a program by which someone can access the program other
than by the obvious, direct call, perhaps with special privileges.
For instance, an automated bank teller program might allow anyone entering the number 990099 on
the keypad to process the log of everyone's transactions at that machine. In this example, the
trapdoor could be intentional, for maintenance purposes, or it could be an illicit way for the
implementer to wipe out any record of a crime.
 A worm is a program that spreads copies of itself through a network. Shock and Hupp are apparently
the first to describe a worm, which, interestingly, was for non-malicious purposes. The primary
difference between a worm and a virus is that a worm operates through networks, and a virus can
spread through any medium (but usually uses copied program or data files).
Additionally, the worm spreads copies of itself as a stand-alone program, whereas the virus
spreads copies of itself as a program that attaches to or embeds in other programs.
 A rabbit is a virus or worm that self-replicates without bound, with the intention of exhausting some
computing resource. A rabbit might create copies of itself and store them on disk in an effort to
completely fill the disk, for example.

Trapdoor & Rootkit

 Trapdoors: A trapdoor is an undocumented entry point to a module. Developers insert trapdoors
during code development, perhaps to test the module, to provide "hooks" by which to connect future
modifications or enhancements, or to allow access if the module should fail in the future. In addition
to these legitimate uses, trapdoors can allow a programmer access to a program once it is placed in
production. Developers usually remove trapdoors during program development, once their intended
usefulness is spent.
 Trapdoors can persist in production programs because the developers
o forget to remove them
o intentionally leave them in the program for testing
o intentionally leave them in the program for maintenance of the finished program, or
o intentionally leave them in the program as a covert means of access to the component
after it becomes an accepted part of a production system
 A rootkit is a piece of malicious code that goes to great lengths not to be discovered or, if discovered
and removed, to reestablish itself whenever possible. The name rootkit refers to the code's attempt to
operate as root, the super privileged user of a Unix system.
 Whenever the user executes a command that would show the rootkit's presence, for example, by
listing files or processes in memory, the rootkit intercepts the call and filters the result returned to the
user so that the rootkit does not appear. For example, if a directory contains six files, one of which is
the rootkit, the rootkit will pass the directory command to the operating system, intercept the result,
delete the listing for itself, and display to the user only the five other files.

 Viruses: A computer virus is code that recursively replicates a possibly evolved copy
of itself. Viruses infect a host file or system area, or they simply modify a reference to
such objects to take control and then multiply again to form new generations.

 Worms: Worms are network viruses, primarily replicating on networks. Usually a worm will
execute itself automatically on a remote machine without any extra help from a user.
However, there are worms, such as mailer or mass mailer worms, that will not always
automatically execute themselves without the help of a user. Worms are typically standalone
applications without a host program. However, some worms, like W32/Nimda.A@mm, also
spread as a file-infector virus and infect host programs, which is precisely why the easiest
way to approach and contain worms is to consider them a special subclass of virus. If the
primary vector of the virus is the network, it should be classified as a worm.

 Mailers and mass-mailer worms: These comprise a special class of computer worms, which
send themselves in an e-mail. Mass-mailers, often referred to as "@mm" worms such as
VBS/Loveletter.A@mm, send multiple e-mails including a copy of themselves once the virus
is invoked. Mailers will send themselves less frequently. For instance, a mailer such as
W32/SKA.A@m sends a copy of itself every time the user sends a new
message.

 Octopus: An octopus is a sophisticated kind of computer worm that exists as a set of

programs on more than one computer on a network. For example, head and tail copies are
installed on individual computers that communicate with each other to perform a function.
An octopus is not currently a common type of computer worm but will likely become more
prevalent in the future.

 Rabbits: A rabbit is a special computer worm that exists as a single copy of itself at any point
in time as it "jumps around" on networked hosts. These are typically crafty, malicious
applications that usually run themselves recursively to fill memory with their own copies and
to slow down processing time by consuming CPU time. Such malicious code uses too much
memory and thus can cause serious side effects on a machine within other applications that
are not prepared to work under low-memory conditions and that unexpectedly cease
functioning.
 Logic Bombs: A logic bomb is a programmed malfunction of a legitimate application. An
application, for example, might delete itself from the disk after a couple of runs as a copy
protection scheme; a programmer might want to include some extra code to perform a
malicious action on certain systems when the application is used. These scenarios are
realistic when dealing with large projects driven by limited code-reviews.

 Trojan Horses: The simplest kind of malicious program is a Trojan horse. Trojan horses try
to appeal to and interest the user with some useful functionality to lure the user to run
the program. In other cases, malicious hackers leave behind Trojanized versions of real
tools to disguise their activities on a computer, so they can retrace their steps to the
compromised system and perform malicious activities later.
 For example, on UNIX-based systems, hackers often leave a modified version of "ps" (a tool
to display a process list) to hide a particular process ID (PID), which can relate to another
backdoor Trojan's process. Later on, it might be difficult to find such changes on a
compromised system. These kinds of Trojans are often called user mode rootkits.

 Backdoors (Trapdoors): A backdoor is the malicious hacker's tool of choice that allows
remote connections to systems. A typical backdoor opens a network port (UDP/TCP) on the
host when it is executed. Then, the listening backdoor waits for a remote connection
from the attacker and allows the attacker to connect to the system. This is the most
common type of backdoor functionality, which is often mixed with other Trojan-like
features.
 Another kind of backdoor relates to a program design flaw. Some applications, such as the
early implementation of SMTP (simple mail transfer protocol) allowed features to run a
command (for example, for debugging purposes). The Morris Internet worm uses such a
command to execute itself remotely, with the command placed as the recipient of the
message on such vulnerable installations.

 Password-Stealing Trojans: Password-stealing Trojans are a special subclass of Trojans.

This class of malicious program is used to capture and send a password to an attacker. As a
result, an attacker can return to the vulnerable system and take whatever he or she wants.
Password stealers are often combined with Keyloggers to capture keystrokes when the
password is typed at logon.
 Germs: Germs are first-generation viruses in a form that the virus cannot generate to its usual
infection processes. Usually, when the virus is compiled for the first time, it exists in a
special form and normally does not have a host program attached to it. Germs will not have
the usual marks that most viruses use in second-generation form to flag infected
files to avoid re-infecting an already infected object.
 Exploits: Exploit code is specific to a single vulnerability or set of vulnerabilities.
Its goal is to run a program on a (possibly remote, networked) system automatically or
provide some other form of more highly privileged access to the target system. Often, a
single attacker builds exploit code and shares it with others.
 Injectors: Injectors are special kinds of droppers that usually install virus code in memory.
An injector can be used to inject virus code in an active form on a disk interrupt handler.
Then, the first time a user accesses a diskette, the virus begins to replicate itself
normally.
 A special kind of injector is the network injector. Attackers also can use legitimate utilities,
such as Netcat (NC), to inject code into the network. Usually, a remote target is specified,
and the datagram is sent to the machine that will be attacked using the injector. An attacker
initially introduced the Code Red worm using an injector; subsequently, the worm replicated
as data on the network without ever hitting the disk again as a file.
 Injectors are often used in a process called seeding. Seeding is a process that is used to inject
virus code to several remote systems to cause an initial outbreak that is large enough to cause
a quick epidemic. For example, there is supporting digital evidence that W32/Witty worm
was seeded to several systems by its author.

 Auto-Rooters: Auto-rooters are usually malicious hacker tools used to break into new
machines remotely. Auto-rooters typically use a collection of exploits that they execute
against a specified target to "gain root" on the machine. As a result, a malicious hacker
gains administrative privileges to the remote machine.

 Kits (Virus Generators): Virus writers developed kits, such as the Virus Creation Laboratory
(VCL) or PSMPC generators, to generate new computer viruses automatically, using a menu-
based application. With such tools, even novice users were able to develop harmful computer
viruses without too much background knowledge. Some virus generators exist to create DOS,
macro, script, or even Win32 viruses and mass mailing worms. "Advanced Code Evolution
Techniques and Computer Virus Generator Kits," the so-called "Anna Kournikova" virus
(technically VBS/VBSWG.J) was created by a Dutch teenager, Jan de Wit, from the VBSWG
kitsadly, de Wit got lucky and the kit, infamous for churning out mainly broken, intended
code produced a working virus.

 Spammer Programs: Spammer programs are used to send unsolicited messages to Instant
Messaging groups, newsgroups, or any other kind of mobile device in forms of e-mail or cell
phone SMS messages. The primary motivation of spammers is to make money by generating
traffic to Web sites. In addition, spam messages are often used to implement Phishing attacks.
 Flooders: Malicious hackers use flooders to attack networked computer systems with an
extra load of network traffic to carry out a denial of service (DoS) attack. When the DoS
attack is performed simultaneously from many compromised systems (so-called zombie
machines), the attack is called a distributed denial of service (DDoS) attack. There are much
more sophisticated DoS attacks including SYN floods, packet fragmentation attacks, and
other (mis-)sequencing attacks, traffic amplification, or traffic deflection, just to name the
most common types.
 Keyloggers: A Keyloggers captures keystrokes on a compromised system, collecting
sensitive information for the attacker. Such sensitive information might include names,
passwords, PINs, birthdays, Social Security numbers, or credit card numbers. The
Keyloggers is installed on the system, unbeknownst to the user, a computer could be
compromised for weeks before the attack is ever noticed. Attackers often use Keyloggers to
commit identity theft.
  Rootkits: Rootkits are a special set of hacker tools that are used after the attacker has broken
into a computer system and gained root-level access. Usually, hackers break into a system
with exploits and install modified versions of common tools. Such rootkits are called user-
mode rootkits because the Trojanized application runs in user mode.

 Some more sophisticated rootkits, such as Adore, have kernel-mode module components.
These rootkits are more dangerous because they change the behavior of the kernel. Thus,
they can hide objects from even kernel-level defense software. For example, they can
hide processes, files in the file system, registry keys, and values under Windows, and
implement stealth capabilities for other malicious components. In contrast, user-mode
rootkits cannot typically hide themselves effectively from kernel-level defense software.
User-mode rootkits only manipulate with user-mode objects; therefore, defense systems
relying on kernel objects have chance to reveal the truth.
 Members of CARO* (Computer Antivirus Researchers Organization) designed a computer
virus naming scheme for use in antivirus (AV) products. Today, the CARO naming scheme is
slightly outdated compared to daily practice, but it remains the only
standard that most antivirus companies ever attempted to adopt. *CARO (Computer
Antivirus Researcher's Organization) is an informal group of individuals who have been
working together since around 1990 across corporate and academic borders to study the
whole of computer malware. CARO essentially superseded other less formalized groups of
anti-virus professionals

TOCTTOU Errors:
 Time-of-Check to Time-of-Use Errors: The third programming flaw we investigate involves
synchronization. To improve efficiency, modern processors and operating systems usually change
the order in which instructions and procedures are executed. In particular, instructions that appear
to be adjacent may not actually be executed immediately after each other, either because of
intentionally changed order or because of the effects of other processes in concurrent execution.

 Access control is a fundamental part of computer security that ensures that only those who should
access an object are allowed that access. Every requested access must be governed by an access
policy stating who is allowed access to what; then the request must be mediated by an access-policy
enforcement agent. But an incomplete mediation problem occurs when access is not checked
universally. The time-of-check to time-of-use (TOCTTOU) flaw concerns mediation that is
performed with a "bait and switch" in the middle. It is also known as a serialization or
synchronization flaw.
Bug, Error, Fault, Failure:i
 A bug can be a mistake in interpreting a requirement, a syntax error in a piece of code, or the
(as-yet-unknown) cause of a system crash.
 When a human makes a mistake, called an error, in performing some software activity, the
error may lead to a fault, or an incorrect step, command, process, or data definition in a
computer program.
 A failure is a departure from the system's required behavior.
 A fault is an inside view of the system, as seen by the eyes of the developers, whereas a
failure is an outside view: a problem that the user sees.
 It can be discovered before or after system delivery, during testing, or during operation and
maintenance. Since the requirements documents can contain faults, a failure indicates that the
system is not performing as required, even though it may be performing as specified.
C14 CABLE MODEM

 Cable Modem - A cable modem is a digital device, which connects the computer system to
the Internet, via a coaxial cable. It is used for transmission of data. The cable line is typically
filtered and separate from the cable TV lines in your home. This technology can have speed
as high as 30 Mbps, compared to the phone modems, which have a speed of 56 Kbps. In
cable modems the actual transfer speed becomes slower (in the range of 256 Kbps to 4 Mbps)
because the bandwidth is commonly divided up among all subscribers in a defined area,
such as a neighborhood or a subdivision.
 A cable modem typically has two connections, one to the cable wall outlet and the other to
a computer (PC). Most cable modems are external devices that connect to the PC through a
standard 10Base-T Ethernet card and twisted-pair wiring. External Universal Serial Bus
(USB) modems and internal PCI modem cards are also available. The end user can also
watch Cable TV through the same cable line using a splitter.
 Cable Modem is becoming a popular alternative among home users who prefer it to dial up
access. Cable Internet means bringing the net to your house through the same cable that
brings you TV channels into your TV. This is much simpler than the DSL network. It consists
of the Cable Modem Termination System (CMTS) at the provider and the cable modem at
subscriber place. The cable modem lets the user access the net through the Cable TV ( CATV
) network.

 These are of 3 types :-

1) External Modem - Most common type of modem used. It is similar to the dial-up
external modem. One side of the cable modem will be connected to the coaxial able
coming from cable operator and the other side connects to PC through an Ethernet
Interface. But now u also get cable modems with USB interface.
2) Internal Modems - These cable modems will fit inside PC and usually have PCI
interface. They are cheaper than external cable modems and being PCI will fit
only inside a desktop PC.
3) Set-top Box - These are usually offered by companies like Samsung and jadoonet.
They allow access to the net using your TV and a keyboard. It consists of a cable
modem, which will connect the cable from your operator to the TV at the other end.
 The key components of a cable modem include a tuner, a modulator, demodulator, MAC and
the interface. The tuner is a device for frequency matching with the radio frequency signal
being received from (or sent into) the cable network. The tuner has a biplexer, that handles
separate frequencies for the upload and download data. The tuner connects the
modulator/demodulator units to the cable. The demodulator receives radio frequency
signals, converts them from analog to digital signals, performs error correction and
synchronization and transmits this to the computer. The modulator works in the reverse
direction transforming the digital data from the computer into the radio frequency analog
signal. The Media Access Control (MAC) is a mechanism between the upload and
download paths that is used by the service providers to control the bandwidth being used.
The interface can be PCI, Ethernet or USB and this connects cable modem to a PC.
 In the downstream direction, the digital data is modulated and then placed on a 6 MHz
television channel, between 50MHz and 750 MHz. Currently, 64 QAM (quadrated amplitude
modulation) is the preferred downstream modulation technique, offering up to 27 Mbps per 6
MHz channel. This signal can be placed in a 6 MHz channel adjacent to TV signals on either
side without disturbing the cable television video signals. The upstream is transmitted
between 5 and 42 MHz. This tends to become very noisy, due to RF interference and impulse
noise. So most manufacturer use QPSK (Quaternary Phase shift keying), as it is more robust.
But it is slower than QAM. QAM and QPSK are methods to modulate digital signals to radio
frequency signals.
Cable Modem security threats -
Cable modem services pose an additional security risk over DSL or dial-up connections as
the technology shares connections among multiple subscribers and often maintain the same IP
address for prolonged periods of time thus exposing a subscriber's data via packet sniffers to
any other user on the connection in the same way that a LAN shares data among multiple PCs.
A packet-sniffing program installed on a computer in a neighborhood of cable modem
users may be able to capture data or information transmitted by any other cable modem in
the same neighborhood. A packet sniffer is a program that captures data from transmitted
information packets as they travel over the network. Captured data may include user
names, passwords, and personal information that traverse the network in clear text.
The combination of "Always-Connected" Internet access and ignored or poorly assigned
personal software security settings (such as, not disabling or protecting the shared file
feature in Windows), create an opportunity for hackers to jump in and gain access to a
users computer under the pretext of posing as legitimate employee access.
Windows users have the ability to share their drives, folders and files with other users by
enabling some rather simple settings in the Control Panel. Shared drives without
designating specific users and passwords for the shares open the users computer up to
intruders as unprotected windows shares can easily be exploited.