Galley discusses three types of attacks against computer systems: Physical, Syntactic
and Semantic. A physical attack uses conventional weapons, such as bombs or fire. A
syntactic attack uses virus-type software to disrupt or damage a computer system or
network. A semantic attack is a more subtle approach. Its goal is to attack users'
confidence by causing a computer system to produce errors and unpredictable results.
Syntactic attacks are sometimes grouped under the term "malicious software" or
"malware". These attacks may include viruses, worms, and Trojan horses. One
common vehicle of delivery formal ware is email.
incorrect information. Modification of information has been perpetrated even without
the aid of computers, but computers and networks have provided new opportunities to
achieve this. Also, the dissemination of incorrect information to large numbers of
people quickly is facilitated by such mechanisms as email, message boards, and
websites
Hacking tricks can be divided into different categories elaborated below:
Trojan programs that share files via instant messenger
Instant messaging allows file-sharing on a computer. All present popular instant
by installing patches or plug-ins; this is also a major threat to present information
security. These communication software also make it difficult for existing hack prevention method to prevent and control information security. Hackers use instant
communication capability to plant Trojan program into an unsuspected program; the
planted program is a kind of remotely controlled hacking tool that can conceal itself
and is unauthorized.
A hacker need not open a new port to perform transmissions; he can perform his
operations through the already opened instant messenger port. Even if a computer
uses dynamic IP addresses, its screen name doesn't change.
Hijacking and Impersonation
commonly used method is eavesdropping on unsuspecting users to retrieve user
accounts, passwords and other user related information.
The theft of user account number and related information is a very serious
problem in any instant messenger. For instance, a hacker after stealing a user's
information impersonate the user; the user's contacts not knowing that the user's
account has been hacked believe that the person they're talking to is the user, and are
persuaded to execute certain programs or reveal confidential information. Hence, theft
of user identity not only endangers a user but also surrounding users. Guarding
against Internet security problems is presently the focus of future research; because
without good protection, a computer can be easily attacked, causing major losses.
Hackers wishing to obtain user accounts may do so with the help of Trojans
designed to steal passwords. If an instant messenger client stores his/her password on
his/her computer, then a hacker can send a Trojan program to the unsuspecting user.
When the user executes the program, the program shall search for the user's password
and send it to the hacker.
Denial of Service
There are many ways through which a hacker can launch a denial of service (DoS)
attack on an instant messenger user. A Partial DoS attack will cause a user end to
hang, or use up a large portion of CPU resources causing the system to become
There are many ways in which a hacker can cause a denial of service on an instant
messenger client. One common type of attack is flooding a particular user with a large
number of messages. The popular instant messaging clients contain protection against
flood-attacks by allowing the victim to ignore certain users. However, there are many
tools that allow the hacker to use many accounts simultaneously, or automatically
create a large number of accounts to accomplish the flood-attack.
Phishing
The word phishing comes from the analogy that Internet scammers are using email
lures to fish for passwords and financial data from the sea of Internet users. The term
was coined in 1996 by hackers who were stealing AOL Internet accounts by
replacing “f'” with “ph” the term phishing was derived.
Phishing Techniques
Phishing techniques can be divided into different categories, some of which are elaborated below:
Link manipulation
Most methods of phishing use some form of technical deception designed to make a
link in an email (and the spoofed website it leads to) appear to belong to the spoofed
organization. Misspelled URLs or the use of sub domains are common tricks used by
Another common trick is to make the anchor text for a link appear to be valid, when
the link actually goes to the phishers' site.
An old method of spoofing used links containing the '@' symbol, originally
intended as a way to include a username and password (contrary to the standard). For
example, the link
http://www.google.com@members.tripod.com/might deceive a
http://www.google.com@members.tripod.com/might deceive a
actually directs the browser to a page on members.tripod.com, using a username of
www.google.com: the page opens normally, regardless of the username supplied.
Such URLs were disabled in Internet Explorer, while the Mozilla and Opera web
browsers opted to present a warning message and give the option of continuing to the
site or canceling.
Filter evasion
Phishers have used images instead of text to make it harder for anti-phishing filters to
detect text commonly used in phishing emails.
Website forgery
Once the victim visits the website the deception is not over. Some phishing scams use
JavaScript commands in order to alter the address bar. This is done either by placing a
picture of a legitimate URL over the address bar or by closing the original address bar
and opening a new one with the legitimate URL.
An attacker can even use flaws in a trusted website's own scripts against the
victim. These types of attacks (known as cross-site scripting) are particularly
problematic, because they direct the user to sign in at their bank or service's own web
page, where everything from the web address to the security certificates appears
correct. In reality, the link to the website is crafted to carry out the attack, although it
is very difficult to spot without specialist knowledge. Just such a flaw was used in
2006 against Pay Pal.
A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security,
provides a simple-to-use interface that allows a phisher to convincingly reproduce
websites and capture log-in details entered at the fake site.
Phone phishing
Once the phone number (owned by the phisher, and provided by a voice over IP
service) was dialed, prompts told users to enter their account numbers and PIN. Voice
phishing sometimes uses fake caller-ID data to give the appearance that calls come
from a trusted organization.
Fake Web sites
Fake bank websites stealing account numbers and passwords have become
increasingly common with the growth of online financial transactions. Hence, when
using online banking, we should take precautions like using a secure encrypted
First, the scammers create a similar website homepage; then they send out e-mails
with enticing messages to attract visitors. They may also use fake links to link internet
surfers to their website. Next, the fake website tricks the visitors into entering their
personal information, credit card information or online banking account number and
passwords. After obtaining a user's information, the scammers can use the information
to drain the bank accounts, shop online or create fake credit cards and other similar
crimes.
sends messages to a computer with an IP address indicating that the message is
coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety
of techniques to find an IP address of a trusted host and then modify the packet
headers so that it appears that the packets are coming from that host.
A closely interconnected and often confused term with phishing and pharming is
spoofing. A "spoofer", in Internet terms, is defined generally as the "cracker" who
alters, or "forges", an e-mail address, passwords).
Spoofing Attacks Techniques
Spoofing attacks can be divided into different categories, some of which are
elaborated below:
Man-in-the-middle attack and internet protocol spoofing
spoofs Alice into believing they're Bob, and spoofs Bob into believing they're Alice,
thus gaining access to all messages in both directions without the trouble of any.
Spyware
information from any computer without the knowledge of the owner. Everything the
surfer does online, including his passwords, may be vulnerable to spyware. Spyware
can put anyone in great danger of becoming a victim of identity theft.
Solutions
As the spyware threat has worsened, a number of techniques have emerged to
counteract it. These include programs designed to remove or to block spyware, as
well as various user practices which reduce the chance of getting spyware on a
system. Nonetheless, spyware remains a costly problem. When a large number of
pieces of spyware have infected a Windows computer, the only remedy may involve
backing up user data, and fully reinstalling the operating system.
Security practices
To deter spyware, computer users have found several practices useful in addition to
Many system operators install a web browser other than IE, such as Opera or
Mozilla Fire-fox. Although these have also suffered some security vulnerabilities,
their comparatively small market share compared to Internet Explorer makes it
uneconomic for hackers to target users on those browsers. Though no browser is
completely safe, Internet Explorer is at a greater risk for spyware infection due to its
large user base as well as vulnerabilities such as ActiveX.
Electronic Bulletin Boards
Chat rooms and electronic bulletin boards have become breeding grounds for identity
theft. When criminals have obtained personal identifying information such as credit
card numbers or social security numbers, they visit hacker chat rooms and post
messages that they have personal information for sale.
Information Brokers
information broker has emerged in recent years; the kind that sells personal
information to anyone requesting it electronically via the Internet Driven by greed,
some information brokers are careless when they receive an order. They fail to verify
the identity of the requesting party and do little, if any, probing into the intended use
of the information.
Internet Public Records
There are two ways public records are accessible electronically. Some jurisdictions
post them on their government web sites, thereby providing free or low-cost access to
records. Government agencies and courts also sell their public files to commercial
data compilers and information brokers. They in turn make them available on a fee
basis, either via web sites or by special network hookups.
The crime of identity theft and other types of fraud will be fueled by easy access to
personal identifiers and other personal information via electronic public records. Such
information includes Social Security numbers, credit card and bank account numbers,
and details about investments.
Solutions
What can be done to mitigate the negative consequences of making public records
containing personal information available on the Internet and from other electronic
the Internet altogether. Indeed, they should not. The public policy reasons for making
public records available electronically are irrefutable - promoting easier access to
government services as well as opening government practices to the public and
fostering accountability.
But there are several approaches government agencies and court systems can take
to minimize the harm to individuals when sensitive personal information is to be
posted on the Internet while at the same time promoting government accountability.
Regulating the information broker industry
The information broker industry must be regulated. At present, information brokers
purchase public records from local, state, and federal government agencies and
repackage them for sale to subscribers. They add data files from commercial data
Requiring more accountability of the private investigator industry
The private investigator profession, a major user of public records information, must
be regulated in those states where there are no oversight agencies. Further, existing
regulations must be tightened and made uniform nationwide, perhaps by federal law.
Private investigators must be held to strong standards regarding their access to and
use of sensitive personal information. They should be held accountable when they
misuse personal information.
this article is quit interested to the every one in the digital age...hope u like this article so leave this comment ...
0 comments:
Post a Comment