Bài giảng Romney_ais13 - Chapter 6: Computer Fraud and Abuse Techniques

Computer Fraud and Abuse TechniquesChapter 66-1Learning ObjectivesCompare and contrast computer attack and abuse tactics.Explain how social engineering techniques are used to gain physical or logical access to computer resources.Describe the different types of malware used to harm computers.6-2Types of Attacks HackingUnauthorized access, modification, or use of an electronic device or some element of a computer systemSocial EngineeringTechniques or tricks on people to gain physical or logical access to confidential informationMalwareSoftware used to do harm6-3HackingHijackingGaining control of a computer to carry out illicit activitiesBotnet (robot network)ZombiesBot herdersDenial of Service (DoS) AttackSpammingSpoofingMakes the communication look as if someone else sent it so as to gain confidential information.6-4Forms of SpoofingE-mail spoofingCaller ID spoofingIP address spoofingAddress Resolution (ARP) spoofingSMS spoofingWeb-page spoofing (phishing)DNS spoofing6-5Hacking with Computer CodeCross-site scripting (XSS)Uses vulnerability of Web application that allows the Web site to get injected with malicious code. When a user visits the Web site, that malicious code is able to collect data from the user.Buffer overflow attackLarge amount of data sent to overflow the input memory (buffer) of a program causing it to crash and replaced with attacker’s program instructions.SQL injection (insertion) attackMalicious code inserted in place of a query to get to the database information6-6Other Types of HackingMan in the middle (MITM)Hacker is placed in between a client (user) and a host (server) to read, modify, or steal data.PiggybackingPassword crackingWar dialing and drivingPhreakingData diddlingData leakagepodslurping6-7Hacking Used for EmbezzlementSalami technique: Taking small amounts at a timeRound-down fraudEconomic espionageTheft of information, intellectual property and trade secretsCyber-extortionThreats to a person or business online through e-mail or text messages unless money is paid6-8Hacking Used for FraudInternet misinformationE-mail threatsInternet auction Internet pump and dumpClick fraudWeb crammingSoftware piracy6-9Social Engineering TechniquesIdentity theftAssuming someone else’s identityPretextingUsing a scenario to trick victims to divulge information or to gain accessPosingCreating a fake business to get sensitive informationPhishingSending an e-mail asking the victim to respond to a link that appears legitimate that requests sensitive dataPharmingRedirects Web site to a spoofed Web siteURL hijackingTakes advantage of typographical errors entered in for Web sites and user gets invalid or wrong Web siteScavengingSearching trash for confidential informationShoulder surfingSnooping (either close behind the person) or using technology to snoop and get confidential information SkimmingDouble swiping credit cardEeavesdropping6-10Why People Fall VictimCompassionDesire to help othersGreedWant a good deal or something for freeSex appealMore cooperative with those that are flirtatious or good lookingSlothLazy habits TrustWill cooperate if trust is gainedUrgencyCooperation occurs when there is a sense of immediate needVanityMore cooperation when appeal to vanity6-11Minimize the Threat of Social EngineeringNever let people follow you into restricted areasNever log in for someone else on a computerNever give sensitive information over the phone or through e-mailNever share passwords or user IDsBe cautious of someone you don’t know who is trying to gain access through you6-12Types of MalwareSpywareSecretly monitors and collects informationCan hijack browser, search requestsAdware KeyloggerSoftware that records user keystrokesTrojan HorseMalicious computer instructions in an authorized and properly functioning programTrap door Set of instructions that allow the user to bypass normal system controlsPacket snifferCaptures data as it travels over the InternetVirusA section of self-replicating code that attaches to a program or file requiring a human to do something so it can replicate itselfWormStand alone self replicating program6-13Cellphone Bluetooth VulnerabilitiesBluesnarfingStealing contact lists, data, pictures on bluetooth compatible smartphonesBluebuggingTaking control of a phone to make or listen to calls, send or read text messages6-14Key TermsHackingHijackingBotnetZombieBot herderDenial-of-service (DoS) attackSpammingDictionary attackSplogSpoofingE-mail spoofingCaller ID spoofingIP address spoofingMAC addressAddress Resolution Protocol (ARP) spoofingSMS spoofingWeb-page spoofingDNS spoofingZero day attackPatchCross-site scripting (XSS)Buffer overflow attackSQL injection (insertion) attackMan-in-the-middle (MITM) attackMasquerading/impersonationPiggybacking6-15Key Terms (continued)Password crackingWar dialingWar drivingWar rocketingPhreakingData diddlingData leakagePodslurpingSalami techniqueRound-down fraudEconomic espionageCyber-extortionCyber-bullyingSextingInternet terrorismInternet misinformationE-mail threatsInternet auction fraudInternet pump-and-dump fraudClick fraudWeb crammingSoftware piracySocial engineeringIdentity theftPretextingPosingPhishingvishing6-16Key Terms (continued)CardingPharmingEvil twinTyposquatting/URL hijackingQR barcode replacementsTabnappingScavenging/dumpster divingShoulder surfingLebanese loopingSkimmingChippingEavesdroppingMalwareSpywareAdwareTorpedo softwareScarewareRansomwareKeyloggerTrojan horseTime bomb/logic bombTrap door/back doorPacket sniffersSteganography programRootkitSuperzappingVirusWormBluesnarfingBluebugging6-17