Security 101: Attack Vectors, Part 1

In the first part of this series, we discussed the entry points that an intruder could use to attack our “building,” our metaphor for network security. In the next few posts, we shall focus on the next level: attack vectors.

If vulnerabilities are the entry points, then attack vectors are the ways attackers can launch their assaults or try to infiltrate the building.

In the broadest sense, the purpose of the attack vectors is to implant a piece of code that makes use of a vulnerability. This code is called the payload, and attack vectors vary in how a payload is implanted.

Although there’s no official classification for attack vectors, we often catalog them according to how much interaction with the victim is needed to make them work. For example, if the attack vector is a malicious file, then the victim needs to download and open it for the attack to work. On the other hand, a SQL-injection attack needs little or no interaction with its victims.

These criteria help to determine how massive an attack can be. An attack that requires little interaction will probably be less massive than one that requires a high level of interaction. In the first case, the attacker can target only a limited number of “buildings” at the same time (that number is usually small), and all the work is done by the attacker. In contrast, an attack that depends on a high level of interaction can target many buildings in parallel, because the attacker leaves the malicious code somewhere, disguised as a file or a website, and the victims retrieve it on their own. So even though the attack requires a lot of work beforehand, at the moment of infection the work is done by the victims, not the attacker.

Most known attack vectors can be classified in one of three categories of interaction: low, medium, or high. Today we’ll focus on low-interaction vectors, leaving the rest for next time.

Low Interaction

These are vectors that require attackers to do much of the work ahead of time. Most of the effort is simply reconnaissance, figuring out the where and how of the attack. Victims need to do little for these attacks to be successful. Many of the vectors in this category require Internet applications. Here are three common vectors of this type:

  • SQL Injection: As the name implies, this vector works only on websites or applications that talk directly to a database. Typically an attacker finds a legitimate website with a design flaw such that the data a user enters is not cleaned. (By cleaned we mean that all input is checked for special characters; if any are found, they are deleted along with everything that follows them.) The lack of cleaning lets an attacker send the database SQL commands that it will execute, because the website never checks whether the input is valid. As a result, the attacker can run any SQL code without having the necessary permissions.

  • Buffer Overflows (BO): When an application takes in user data, it is usually stored in a memory buffer until it is needed. As with SQL injection, the application sometimes does not check that the input fits in the buffer. Enter too much data and it overflows the buffer. When this happens, the data that spills past the buffer is interpreted as memory addresses, and whatever sits at those addresses is executed. An overflow lets an attacker at least crash the application, but done correctly it can execute any command the attacker wants, as long as the attacker knows the memory address where that command is stored.

  • Cross-Site Scripting (XSS): This is a special kind of injection, similar to SQL injection. XSS works only on websites that allow the execution of scripting code (such as JavaScript). In this case, when a website asks for user input, the attacker enters scripting code between <script> and </script> tags. The site reads the input, recognizes it as scripting code, and executes it without restriction. This can be a one-time attack, or a persistent one if the input is stored somewhere on the website (such as a Facebook wall message or a user’s profile page). The attack is mostly silent because the tags keep the scripting code invisible to visitors.
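The SQL injection and XSS items above are the same mistake in two places: user input that should be treated as data ends up parsed as code. The following is an added example, not code from the original post, showing a vulnerable database lookup and a vulnerable page renderer beside their hardened forms; the users table, the names and the comment text are constructed for the demonstration, and the fix shown uses bound parameters and output encoding rather than deleting special characters.

```python
import html
import sqlite3

# Constructed in-memory table for the demonstration; not from the original post.
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE users (name TEXT, email TEXT)")
_CONN.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
)


def lookup_unsafe(name: str) -> list:
    """Vulnerable form: the input is pasted into the SQL text, so any quote
    or operator it contains becomes part of the command the database runs."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in _CONN.execute(sql))


def lookup_safe(name: str) -> list:
    """Hardened form: a bound parameter keeps the input as a plain value; the
    database never parses it as SQL, so no character has to be deleted."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in _CONN.execute(sql, (name,)))


def render_comment_unsafe(text: str) -> str:
    """Vulnerable form: stored text is echoed into the page verbatim, so a
    <script> tag inside it runs in every visitor's browser (persistent XSS)."""
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text: str) -> str:
    """Hardened form: output encoding turns the tag characters into entities,
    so the browser displays the text instead of executing it."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


if __name__ == "__main__":
    # A legitimate name with an apostrophe already breaks the unsafe query.
    try:
        lookup_unsafe("o'brien")
    except sqlite3.OperationalError as err:
        print("unsafe query failed:", err)
    print("safe query:", lookup_safe("o'brien"))
    # Input with SQL metacharacters: data for the safe query, code for the unsafe one.
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(crafted), "safe:", lookup_safe(crafted))
    print(render_comment_safe("<script>alert(1)</script>"))
```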

These basic vectors have many variations, depending on the platform, the application under attack, and other criteria. Basically, all low-interaction vectors work in a similar manner.

Until next time!

WikiLeaks’ Assange Seeks Appeal to U.K. Supreme Court

Julian Assange and his lawyer Jennifer Robinson arrive for his extradition hearing at Belmarsh Magistrates' Court in London earlier this year. Matt Dunham/AP

WikiLeaks founder Julian Assange is seeking to appeal his extradition ruling to Great Britain’s Supreme Court, arguing that he has not been charged with any crime and that the request for his extradition to Sweden was made by a “partisan prosecutor.” Assange will seek permission to appeal on Dec. 5 in Great Britain’s High Court.

Earlier this month, Assange lost a first appeal after a court ruled that he must return to Sweden to face sex-crime allegations in that country.

Assange has not yet been charged with any crimes but is being sought for questioning in Sweden on rape and coercion allegations stemming from sexual relations he had with two women in that country in August 2010. One woman has claimed that Assange pinned her down to have sex with her and intentionally tore a condom he wore. The second woman claims that he had sex with her while she was initially asleep, failing to wear a condom despite repeated requests for him to do so. Assange has disputed their claims.

According to the British newspaper the Guardian, in order to be granted permission to appeal to the Supreme Court, Assange’s attorneys must show the High Court that his case relates to a point of law that goes beyond Assange. They plan to argue that his extradition is unlawful on two grounds — that the extradition request was made by a “partisan prosecutor working for the executive” and that it’s questionable whether he can be considered “the accused,” and is therefore extraditable, when Sweden has not yet decided if he will be prosecuted. Assange’s attorneys raised the same issues with the High Court during his earlier appeal, but the court rejected them.

If the High Court refuses to grant him a so-called “certificate” to appeal, Assange will have to return to Sweden within 10 days of his appearance before the court, the newspaper says. If the High Court grants him a certificate, then his attorneys will seek leave to appeal on those grounds either from the High Court or directly from the Supreme Court. If he is granted an appeal hearing, the paper says it will likely take place at the Supreme Court around May next year.

Occupy Wall Street Loses Legal Bid to Rebuild in Zuccotti Park

Photo: Dawn Lim/Wired.com

After a day of chants, debates and yelling at the police who evicted them from Zuccotti Square Tuesday, Occupy Wall Street protestors were overtaken by a wave of silence that rippled through the crowd at 5 p.m. as they learned they’d lost a court battle to rebuild the park.

Occupy Wall Street protestors had been hopeful all day that a state court would allow them to re-establish their two-month old encampment in Manhattan’s Zuccotti Park, which was destroyed 16 hours earlier by hundreds of police officers in a surprise morning raid ordered by Mayor Michael Bloomberg.

Instead, the court allowed the city’s new rules against structures and sleeping in the park to stand.

The false hopes deepened the impact of the court loss on Occupiers, who began living in the park near Wall Street in September in protest against an economic and political system that has benefitted the ultra-rich at the expense of the rest of society for decades.

The sidewalks around the park remained open to protestors, and after the shock of the ruling set in, the motley crew of protestors split along demographics. The young homeless settled in for sleep on the sidewalk on the west side of the park, while the seemingly unstoppable drum circle took to the sidewalk across from the park’s northern edge.

Marine Sgt. Shamar Thomas marching Tuesday. Photo: Dawn Lim/Wired.com

On the east side, a general assembly gathered to make decisions about how to proceed under the new rules.

Occupy remains determined not to fade away, despite the raid, the new rules and the imminent approach of winter.

“The whole world is watching,” said one protestor, in a message echoed out telephone-style to the rest of the General Assembly. “What we do in this space will inspire people everywhere.”

Tim Fitzgerald, an active member of Occupy’s logistics group, told Wired.com that the legal fight wasn’t over, either.

“We have really good lawyers and plan to appeal,” Fitzgerald said, showing off the red indentations in his wrists from the cuffs put on him that morning when he was arrested, in the kitchen, for trespassing and disorderly conduct.

At 6 p.m., the police began allowing protestors back in the park, which led, despite light rain, to a party, albeit one best described as a bit beleaguered.

Hacker Schools University in Grade Change Caper

A hacker apparently broke into the computer system of Santa Clara University to change the grades of more than 60 current and former students, the California school announced on Monday.

The school’s breach came to light after a 25-year-old electrical engineering student named Mark Loiseau announced on Twitter that FBI agents appeared at his off-campus apartment on Monday morning to question him. He said the agents were brandishing copies of his cell phone records, which they had obtained from Verizon.

“Three federal agents just came over to my apartment and grilled me about some hacking scandal at SCU,” Loiseau tweeted. “They had my phone records!”

The university, located in Silicon Valley and run by the Jesuit Order, acknowledged later on its website that it had called in the FBI to investigate after a female student came forward in August to report that one of her grades had mysteriously changed on a recent transcript she had obtained.

After school officials failed to find an explanation for the change, they launched an investigation to look into the grades of tens of thousands of other students at the school, going back decades, according to the San Jose Mercury News.

School protocol requires signatures, a review and a software audit of approvals before a grade can be changed. But officials found evidence of unapproved grade changes going back to 2006. In all cases, the grades were improved — some subtly, others more dramatically, such as morphing an F into an A.

The hack appears to have occurred between June 2010 and July 2011 and affected a “handful of current undergraduate students and approximately sixty former undergraduate students,” according to the school’s statement.

The school contacted local police first, and then the FBI.

“We have treated this intrusion with the utmost seriousness because of the threat to our academic records and to our integrity as an institution of higher learning,” University President Michael Engh wrote in his blog post announcing the breach and investigation.

The FBI agents who appeared at Loiseau’s door apparently considered him a suspect, asking him if he had noticed that about 18 of his grades were changed from F to A and also questioning him about why he had deleted a series of voicemails from his Google Voice account around the time the hack was committed.

Loiseau said he told the agents he had never received 18 F’s. He later checked his transcript and discovered that it recorded him receiving an A in a freshman political science course. He told the Mercury News that he recalled actually receiving a lower grade in the class, but didn’t indicate what that grade had been.

He told CNET that the FBI agents asked to search his computers, but he declined, given that they didn’t have a warrant.

Photo: mstinas / Flickr