“HACKING”

What Is a Hacker, Really?

The basic definition of a hacker is someone who uses a computer system to gain unauthorized access to another system for data or who makes another system unavailable. These hackers will use their skills for a specific goal, such as stealing money, gaining fame by bringing down a computer system, or making a network unavailable — even sometimes destroying them. However, there are three different types of hackers, each with a particular goal, and not all are the bad guys.

Types of Hacking

Ways Hackers Hack Your Site.

1. DDOS ATTACK – DISTRIBUTED DENIAL OF SERVICE ATTACK

DDoS, or Distributed Denial of Service, is where a server or a machine’s services are made unavailable to its users.

And when the system is offline, the hacker proceeds to either compromise the entire website or a specific function of a website to their own advantage.

It’s kind of like having your car stolen when you really need to get somewhere fast.

The usual agenda of a DDoS campaign is to temporarily interrupt or completely take down a successfully running system.

The most common example of a DDoS attack could be sending tons of URL requests to a website or a webpage in a very small amount of time. This causes bottlenecking at the server side because the CPU runs out of resources.

Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers.
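An added example, not part of the original post: a sliding-window detector for the request flood described above, run over constructed (timestamp, client IP) events. The window length and both thresholds are assumed values, and the aggregate check is there because a distributed flood keeps each individual source below a per-client limit.

```python
from collections import defaultdict, deque

def detect_floods(events, window=10.0, per_ip_limit=20, global_limit=100):
    """events: (timestamp_seconds, client_ip) tuples in time order.
    Returns (set of flagged IPs, list of timestamps where total load alerted)."""
    per_ip = defaultdict(deque)
    all_hits = deque()
    flagged, global_alerts = set(), []
    for ts, ip in events:
        hits = per_ip[ip]
        hits.append(ts)
        all_hits.append(ts)
        # Drop requests that have aged out of the sliding window.
        while ts - hits[0] >= window:
            hits.popleft()
        while ts - all_hits[0] >= window:
            all_hits.popleft()
        if len(hits) > per_ip_limit:
            flagged.add(ip)
        # A distributed flood keeps every source under the per-IP limit,
        # so the aggregate rate is checked as well (one alert per window).
        if len(all_hits) > global_limit and (
                not global_alerts or ts - global_alerts[-1] >= window):
            global_alerts.append(ts)
    return flagged, global_alerts

def sample_single_source():
    # Constructed: one client sends 50 requests in 5 s, another browses normally.
    noisy = [(i * 0.1, "203.0.113.5") for i in range(50)]
    normal = [(i * 2.0, "198.51.100.7") for i in range(5)]
    return sorted(noisy + normal)

def sample_distributed():
    # Constructed: 200 different sources, one request each, within 2 s.
    return [(i * 0.01, f"198.51.100.{i + 1}") for i in range(200)]

if __name__ == "__main__":
    print(detect_floods(sample_single_source()))
    print(detect_floods(sample_distributed()))
```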

2. REMOTE CODE EXECUTION ATTACKS

A Remote Code Execution attack is a result of either server side or client side security weaknesses.

Vulnerable components may include libraries, remote directories on a server that haven’t been monitored, frameworks, and other software modules that run on the basis of authenticated user access. Applications that use these components are always under attack through things like scripts, malware, and small command lines that extract information.

The following vulnerable components were downloaded 22 million times in 2011:

Apache CXF Authentication Bypass (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3451)

By failing to provide an identity token, attackers could invoke any web service with full permission.

3. CROSS SITE REQUEST FORGERY ATTACKS

A Cross Site Request Forgery Attack happens when a user is logged into a session (or account) and a hacker uses this opportunity to send them a forged HTTP request to collect their cookie information.

In most cases, the cookie remains valid as long as the user or the attacker stays logged into the account.  This is why websites ask you to log out of your account when you’re finished – it will expire the session immediately.

In other cases, once the user’s browser session is compromised, the hacker can generate requests to the application that will not be able to differentiate between a valid user and a hacker.

A CROSS SITE ATTACK EXAMPLE

Here’s an example:

http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

In this case the hacker creates a request that will transfer money from a user’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.
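An added example, not part of the original post: a server-side check that defeats the forged request above by refusing state changes over GET and requiring a per-session token that only the site's own forms carry. The handler, its status codes and the token scheme (an HMAC of the session id) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed here)
STATE_CHANGING = {"/app/transferFunds"}   # path taken from the example URL above

def issue_csrf_token(session_id):
    """Token bound to the session; the site embeds it in its own forms only."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle(method, path, params, cookies):
    """Hypothetical request handler: returns an HTTP-style status code."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401
    if path in STATE_CHANGING:
        if method != "POST":
            return 405                    # <img>/<iframe> loads are GETs: refused
        supplied = params.get("csrf_token", "")
        expected = issue_csrf_token(session_id)
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403                    # cookie present, token missing or wrong
        # ... the transfer itself would run here ...
    return 200

def demo():
    cookies = {"session": "constructed-session-id"}  # sent by the browser automatically
    transfer = {"amount": "1500", "destinationAccount": "attackersAcct"}
    forged_img = handle("GET", "/app/transferFunds", transfer, cookies)
    forged_form = handle("POST", "/app/transferFunds", transfer, cookies)
    own_form = dict(transfer, destinationAccount="4673243243",
                    csrf_token=issue_csrf_token(cookies["session"]))
    legitimate = handle("POST", "/app/transferFunds", own_form, cookies)
    return forged_img, forged_form, legitimate

if __name__ == "__main__":
    print(demo())
```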

4. SYMLINKING – AN INSIDER ATTACK

A symlink is basically a special file that “points to” a hard link on a mounted file system. A symlinking attack occurs when a hacker positions the symlink in such a way that the user or application that accesses the endpoint thinks they’re accessing the right file when they’re really not.

If the endpoint file is an output, the consequence of the symlink attack is that it could be modified instead of the file at the intended location. Modifications to the endpoint file could include appending, overwriting, corrupting, or even changing permissions.

In different variations of a symlinking attack a hacker may be able to control the changes to a file, grant themselves advanced access, insert false information, expose sensitive information or corrupt or destroy vital system or application files.
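An added example, not part of the original post: the write-through behaviour described above next to a hardened open that refuses a symlink at the output path. The file names are constructed, everything runs inside a temporary directory, and a POSIX system with O_NOFOLLOW is assumed.

```python
import errno
import os
import tempfile

def naive_append(path, data):
    # Follows a symlink at `path`, so the write lands on whatever it points to.
    with open(path, "a") as f:
        f.write(data)

def safe_append(path, data):
    """Append only if the final path component is not a symlink.
    O_NOFOLLOW covers the last component only, not parent directories."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            return False                  # a link was planted at the output path
        raise
    with os.fdopen(fd, "a") as f:
        f.write(data)
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        protected = os.path.join(d, "protected.conf")  # file that must not change
        output = os.path.join(d, "app.log")            # path the application writes to
        with open(protected, "w") as f:
            f.write("setting=1\n")
        os.symlink(protected, output)                  # constructed planted link
        naive_append(output, "log line\n")             # modifies protected.conf
        with open(protected) as f:
            after_naive = f.read()
        accepted = safe_append(output, "log line\n")   # refused
        with open(protected) as f:
            after_safe = f.read()
        return after_naive, accepted, after_safe

if __name__ == "__main__":
    print(demo())
```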

5. SOCIAL ENGINEERING ATTACKS

A social engineering attack is not technically a “hack”.

It happens when you divulge private information in good faith, such as a credit card number, through common online interactions such as email, chat, social media sites, or virtually any website.

The problem, of course, is that you’re not getting into what you think you’re getting into.

A classic example of a social engineering attack is the “Microsoft tech support” scam.

This is when someone from a call center pretends to be a MS tech support member who says that your computer is slow and/or infected, and can be easily fixed – at a cost, of course.

Here’s an article from Wired.com on how a security expert played along with a so-called Microsoft tech support person.

Biometrics

Biometrics are a security approach that offers great promise, but also presents users and implementers with a number of practical problems. Whilst some of these are technical, and possess technical solutions, however difficult they may be to implement, others are social and cultural. Social and cultural barriers are much more complicated to resolve, and need much more thought by would-be implementers as well as the manufacturers and suppliers before they will succeed. Culturally, one size does not fit all, and that may increase the cost and complexity of solutions.

DISADVANTAGES OF BIOMETRICS

PROCESSES OF BIOMETRICS

COMMON BIOMETRICS

Biometric technologies can either be physiological or behavioral. Physical biometrics includes fingerprint, facial recognition, hand geometry, iris scan, and retina scan. Voice recognition, signature and keystroke are all examples of behavioral biometrics. The commonly used biometrics are briefly described below.

FINGERPRINTING

“Fingerprints are the impressions of the papillary or friction ridges on the surfaces of the hand” (Higgins 2003, p.45). He stated further that fingerprints are the oldest and most widely recognized biometric markers. This statement is backed by Chirillo and Blaul (2003, p. 4), who stated that fingerprint recognition is one of the oldest biometric technologies. Lockie (2002, p. 16) also stated that fingerprints are the most commonly used biometric.

Fingerprints have been used by humans for personal identification and access control for centuries. The matching accuracy using this biometric type has shown very high figures. Fingerprints of even identical twins are different, and so are the prints on each finger of the same person, which increases the rate of accuracy.

According to postnote (2001), at a national level, automated fingerprinting is the only biometric used generally in the United Kingdom. An investigative project, which was to be completed by April 2002, was looking at the concept of using a single biometric identifier, likely to be fingerprints by default, throughout the Criminal Justice System including police, prisons and courts. Prisons already take ink fingerprints from convicted prisoners. These can be compared against the police database as proof that the right person is being held. An automated system would give rapid confirmation of a person’s identity and allow information about individuals to be shared quickly and easily.

Below are some strengths and weaknesses of fingerprinting according to Nanavati (2002 p. 45).

Strengths of deploying fingerprint technology include:

  • It can be used in a range of environments.
  • It is a mature and proven core technology capable of a high level of accuracy.
  • It employs ergonomic and easy-to-use devices.
  • The ability to enrol multiple fingers can increase system accuracy and flexibility.

Weaknesses of fingerprint technology include:

  • Most devices are unable to enrol some small percentage of users.
  • Performance can deteriorate over time.
  • It is associated with forensic applications.

FACE RECOGNITION

Facial scan technology employs distinctive features of the human face in order to identify or verify a user. Face appearance is a particularly compelling biometric because of its everyday use by nearly everyone as the primary source of recognizing other humans. It is more acceptable than most biometrics because of its naturalness. Faces have been institutionalized as a guarantor of identity in identity cards and passports since photography became prominent.

However, Chirillo & Blaul (2003 p. 55) stated that most face recognition and identification devices do not in fact perform a scan but instead capture an image of the face in a video or picture format. They further added that the information is converted to a template or a data representation of the captured information, while the initial information is stored. After this process, subsequent scanned faces can then be compared to the original captured faces.

Strengths and weaknesses of face recognition technology are given below according to Nanavati (2002 p. 63).

Strengths of facial recognition include:

  • It is capable of leveraging existing image acquisition equipment.
  • It is capable of searching against static images such as passports and driver’s license photographs.
  • It is the only biometric capable of operating without user cooperation.

Weaknesses of this technology include:

  • Matching accuracy is reduced by change in acquisition environment.
  • Matching accuracy is also reduced by changes in physiological characteristics.
  • Tendency of privacy abuse is high due to non-cooperative enrollment and identification capabilities.

IRIS-SCAN

Bolle et al (2004 p. 43) defined iris as “the colored part of the eye bounded by the pupil and sclera.” He added that the iris has been purported to be a universal biometric identifier with very good discriminating characteristics. Iris-scan technology uses the distinctive characteristics of the human iris in order to identify or verify the identity of the users. Nanavati (2002 p. 77) stated that Iris-scan technology has the potential to play a major or large role in the biometric marketplace if real-world systems as well as solutions meet the theoretical promise of this technology. He further added that Iris-scan technology has been successfully deployed in high-security physical access applications, ATMs and also kiosks for banking and travel applications. The technology is also being positioned for desktop usage. Nanavati (2002) stated some strengths and weaknesses of Iris-scan technology.

Strengths of Iris-scan technology:

  • It has the potential for exceptionally high levels of accuracy.
  • It is capable of reliable verification as well as identification.
  • It maintains stability of characteristics over a lifetime frame.

Weaknesses of Iris-scan technology:

  • It has a propensity for false rejection.
  • Acquisition of the images requires moderate attentiveness and training.
  • Some users exhibit a certain degree of discomfort with eye-based technology.
  • A proprietary acquisition device is required for deployment.

VOICE RECOGNITION; VOICE SCAN

According to Chirillo & Blaul (2003, p. 201), voice recognition is actually comprised of two different types of technology, which are voice scan and speech recognition. They explained further that voice-scan is deployed to authenticate a user based on his or her voice characteristics, while speech recognition is used for the “technological comprehension” of spoken words.

Voice-scan technology makes use of the distinctive aspects of the voice to identify or verify the identity of users. Voice-scan is sometimes mistaken for speech recognition, a technology that works by translating what a user is saying (the process in speech recognition is unrelated to authentication). Nanavati (2002, p. 87) described voice-scan technology as one that verifies the identity of the user who is speaking. Bolle et al (2003, p. 40) stated that similar to face appearance, voice-scan (also known as voice recognition) is often used due to its prevalence in human communication and its day-to-day use. They further added that voice is a behavioral biometric but it depends on some underlying physical traits, which “govern the type of speech signals we are able and likely to utter.” Examples of these physical traits are the fundamental frequency (which is a function of the vocal tract length), cadence and nasal tone. Nanavati (2002, p. 87) stated the strengths and weaknesses of voice-scan.

Strengths of voice-scan technology:

  • It is capable of leveraging telephony infrastructure.
  • It effectively layers with other processes such as speech recognition and verbal passwords.
  • It generally lacks the negative perceptions associated with other biometrics.

Weaknesses of voice-scan technology:

  • It is potentially more susceptible to replay attacks than other biometrics.
  • Its accuracy is challenged by low-quality capture devices, ambient noise, etc.
  • The success of voice-scan as a PC solution requires users to develop new habits.
  • The large size of the template limits the number of potential applications.

HAND-SCAN

Hand-scan is one of the most established biometric technologies. It has been in use for years in several applications, especially for verification of individuals. According to Nanavati (2002, p. 99), hand-scan technology makes use of the distinctive parts of the hand, particularly the height and the width of the back of the hand as well as the finger. Hand-scan is more of an application-specific solution than the majority of biometric technologies and is used exclusively for physical access and also time and attendance applications.

Although hand-scan geometry biometrics is still a technology that is growing slowly, Chirillo & Blaul (2003, p. 145) stated that estimates forecast revenues to increase to approximately $50 million in 2005, which is approximately 2 to 5 percent of the whole biometric market. They gave the primary reason for the minimal forecast as its limited uses and its aptness mainly for access control and time and attendance applications.

Nanavati (2002, p. 99) stated the strengths and weaknesses of hand-scan technology.

Strengths of hand-scan technology:

  • It is able to operate in challenging environments.
  • It is an established, reliable core technology.
  • It is generally perceived as non-intrusive.
  • It is based on relatively stable physiological characteristics.

Weaknesses of hand-scan technology:

  • It has limited accuracy.
  • The form factor limits the scope of potential applications.
  • The ergonomic design limits usage by certain populations.

Chirillo & Blaul (2003, p. 146) stated cost as a weakness, noting that a hand-scan reader costs approximately $1,400 to $2,000, placing the devices towards the high end of the physical security spectrum.

WHERE NOT TO USE BIOMETRICS

Biometrics offer a great number of benefits in safeguarding systems and are perceived as more reliable than other security techniques (traditional security methods). However, biometric technologies are not the perfect security to be deployed for every application, and in some cases biometric authentication is just not the right solution.

One of the major challenges facing the biometric industry is defining those environments in which biometrics offer the strongest benefits to both individuals and institutions, and then showing that the benefits of deployment outweigh the risk as well as the costs (Nanavati 2002, p. 7).

Posted by:

Delicana, Flora Mae
