Open source software security

Glossary of Computer Security Terminology

Buffer overflow

A buffer overflow is an attack method in which a program is given more data for a variable than the space allocated to hold it. For instance, if the field in a login program that holds your name can hold only 50 characters and an attacker sends the program 300 characters, and the program does not check the length of its input, the extra input overflows the variable and can end up being handled as part of the program. Essentially, this allows an attacker to issue commands as the program by overflowing a variable and placing instructions in the extra space beyond it.



Brute force

Brute force is the term for an attack method that consists of password guessing. Because the process can easily be automated with simple programming, brute force attacks are a favorite of unskilled crackers. The advantage of a brute force attack is that any password can be cracked given enough time. The major disadvantages are that it takes a great deal of time and that it leaves copious traces on the target machine.



Carding

Carding is either the process of deriving valid credit card numbers, for instance by writing programs that test candidate numbers against some form of authentication, or the act of illegally purchasing goods with a stolen credit card number. Even though credit card fraud is highly illegal, it flourishes with the rise of online business. It is important to NEVER transmit credit card numbers via e-mail or other unencrypted methods. In addition, make sure that any credit card information submitted online is sent over SSL (Secure Sockets Layer). SSL ensures that this information is encrypted in transit. An SSL connection is usually indicated by a small locked padlock icon in the lower right-hand corner of the browser window.



Denial of service (DoS)

Also sometimes misnamed dDoS (distributed denial of service), a denial of service is an attack which floods a target's internet connection. This is usually accomplished by sending an unusually large number of packets, or unusually large packets, to a target, causing servers to crash or internet connections to stop responding. Due to advances in techniques to combat DoS attacks, many attackers have turned to distributed denial of service (DDoS). This type of attack uses a large number of machines to attack a target at once, thereby increasing the chances of service interruption. DoS attacks are commonly combined with packet spoofing to hide the origin of the attack. Some DoS events are caused by completely legitimate traffic: the Slashdot effect, for instance, in which a huge number of people request a web page and crash the web server, is a completely legitimate DoS.



Firewall

A firewall is a hardware or software device that inspects TCP and UDP packets as they traverse it, accepting or rejecting packets based on the firewall's configuration. Firewalls have become a staple of defense against network intrusion, but they are by no means a complete solution. Almost every firewall can be bypassed at some point, but this in no way invalidates their value: firewalls provide the best first line of defense in protecting networks.



Spoofing

Spoofing is the process by which a user on the network alters the packets leaving his/her machine so that they appear to originate from a different computer. This is an effective attack method when an assailant knows of a 'trusted' machine: if an attacker knows that a target trusts all packets from a particular machine, the attacker can spoof his/her packets so that they appear to come from that trusted machine and send commands to the target in packets appearing to come from the trusted host. The problem with spoofing packets is that responses to them are sent to the spoofed machine, not to the attacker. This means spoofed packets are fired into a void, making packet spoofing attacks difficult to accomplish.



Port scanning

Port scanning is the process by which an attacker explores the services available on a remote machine. A port scan usually consists of "stealth" probes, where the scanner sends packets that will not show up in log files. Port scanning reveals the types of remote services (ftp, telnet, etc.) running on a target machine. Port scans are usually the first step in a cracking attempt and should be taken seriously if discovered.
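As an added example, not part of the original glossary, here is the detection logic a defender would run over log lines for the two entries above, brute force and port scanning: a source is flagged when it fails too many logins, or touches too many distinct destination ports, inside one time window. The log format, the sample lines and the thresholds are constructed for this example and are not from any real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example (not from the original page): 'auth'
# lines are login results, 'conn' lines are firewall-logged connection attempts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth result=FAIL user=root src=10.0.0.7
2024-03-01T10:00:03 auth result=FAIL user=admin src=10.0.0.7
2024-03-01T10:00:04 auth result=FAIL user=root src=10.0.0.7
2024-03-01T10:00:06 auth result=FAIL user=guest src=10.0.0.7
2024-03-01T10:00:09 auth result=FAIL user=root src=10.0.0.7
2024-03-01T10:00:20 auth result=FAIL user=alice src=10.0.0.21
2024-03-01T10:01:00 conn src=10.0.0.9 dport=21
2024-03-01T10:01:00 conn src=10.0.0.9 dport=22
2024-03-01T10:01:01 conn src=10.0.0.9 dport=23
2024-03-01T10:01:02 conn src=10.0.0.9 dport=25
2024-03-01T10:01:02 conn src=10.0.0.9 dport=80
2024-03-01T10:30:00 conn src=10.0.0.21 dport=443
garbage line that a real log may contain and that must be skipped
"""

def events(log_text, kind, value, keep=lambda f: True):
    """src -> [(timestamp, fields[value])] for well-formed `kind` lines that pass `keep`."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != kind:
            continue  # other event kinds and malformed lines are ignored
        f = dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
        if keep(f):
            out[f.get("src")].append((datetime.fromisoformat(parts[0]), f.get(value)))
    return out

def burst(ev, window, threshold, distinct):
    """True if some window starting at an event holds >= threshold events (or distinct values)."""
    ev = sorted(ev)
    for i, (start, _) in enumerate(ev):
        vals = [v for ts, v in ev[i:] if ts - start <= window]
        if (len(set(vals)) if distinct else len(vals)) >= threshold:
            return True
    return False

def detect_brute_force(log_text, window=timedelta(seconds=60), threshold=5):
    """Sources with >= threshold failed logins inside one window: the brute-force signature."""
    fails = events(log_text, "auth", "user", lambda f: f.get("result") == "FAIL")
    return sorted(s for s, ev in fails.items() if burst(ev, window, threshold, False))

def detect_port_scan(log_text, window=timedelta(seconds=60), threshold=5):
    """Sources probing >= threshold distinct destination ports inside one window: a scan."""
    conns = events(log_text, "conn", "dport")
    return sorted(s for s, ev in conns.items() if burst(ev, window, threshold, True))
```

Real thresholds depend on the site: a busy login server sees legitimate bursts of failures, and a stealth scan spread over hours needs a much longer window than the 60 seconds used here.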



Script / script kiddie

A script is the derogatory term for a pre-compiled or pre-programmed attack. Script kiddies are crackers who download and use attack programs written by others. It is a derogatory term for attackers of very little skill, who must therefore use scripts written by others because they are incapable of forming their own attack methods.



Sniffing

Sniffing is the act of putting an Ethernet adapter into 'promiscuous' mode and recording network packets. This is possible because of the nature of TCP/IP. On the internet, communications between computers are not necessarily sent from the originating computer directly to the receiver. Instead, communications are broadcast and then picked up by routers or other computers and forwarded to their destination. Normally an Ethernet card ignores communications not addressed to it; in promiscuous mode it accepts all the packets on the network. By means of sniffing, a computer can capture packets, usernames, and passwords on a network. While there are methods to detect cards that are in promiscuous mode on the network, by the time a card goes promiscuous the damage is usually done. Sniffing is usually the first thing an attacker will do after compromising a target computer.



Social engineering

Social engineering is a rather effective cracking method that attacks the weakest link in any computer security system: the human operators. It involves duplicity, false representation, or other means to cull information from a human operator (over the phone, via spoofed e-mail, etc.). Social engineering techniques are well documented and span a wide gamut, from virtual prank calls to involved deceptions with falsified credentials.



Trojan

Named for the mythical Trojan horse, a trojan is, very simply, any program altered to perform functions not originally intended. For instance, if a login program checks user authentication and then passes users on to the rest of the computer, a trojaned login program could perform all the usual login functions and also record every username and password to a secret file. The term trojan has grown to include programs that give remote users control over a computer. Programs like NetBus and Back Orifice are examples of this type of 'trojan', which are in fact remote administration tools. Most common anti-virus tools check for trojans as well as for viruses and worms on a host computer.
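An added example, not part of the original glossary: the file-integrity check that anti-virus and host-monitoring tools use to catch a trojaned program like the altered login above, by comparing each file's SHA-256 digest against a known-good baseline. The directory, file names and contents in the demo are constructed for this example.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> digest for every file under root: the known-good baseline."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def verify(root, manifest):
    """Compare the tree against the baseline; report changed, missing and unexpected files."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a fake bin directory, then tamper with it as a
    trojaned login would (login replaced, hidden credential file appears, ls removed)."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "login", b"original login program")
        write(root, "ls", b"original ls program")
        write(root, "passwd", b"original passwd program")
        baseline = build_manifest(root)
        write(root, "login", b"login program that also records every password")
        write(root, ".captured", b"")
        os.remove(os.path.join(root, "ls"))
        return verify(root, baseline)
```

The baseline only proves something if it is kept where an intruder cannot rewrite it (offline or signed), and the check must run with a trusted toolchain rather than the possibly trojaned one on the host.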



Virus

Computer viruses (also known as malware) are programs which 'infect', or append themselves to, parts of a computer. A virus may or may not cause harm to the target machine. The earliest viruses were passed via floppy disk and usually attached themselves to the boot sector of infected computers. Some viruses perform 'logic bomb' functions, executing malicious code only when a certain precondition (such as a date passing) is met. The most effective guard against viruses is user education. Viruses are executable programs and are mainly passed via e-mail and Microsoft Word macro scripts. It is important to NEVER open an attachment to an e-mail from an unknown sender, or any suspicious attachment. Virus checkers only find viruses AFTER they are on your computer and may not prevent a virus from infecting a host.



Worm

The term virus is often used synonymously with worm, but they are two separate things. A worm is a program which replicates itself and passes its code on to new computers. Many worms contain viruses, but not all viruses contain worms. The Morris worm is one of the earliest well-known worms, and it passed itself through e-mail. The Love Bug is a more recent worm-enabled virus. Worms are also executable programs, but they may propagate by using vulnerabilities in operating systems or programs and do not always need operator interaction to execute or propagate. The main threat posed by worms is system overload caused by worm replication: if a worm replicates too much or too often, it can cause service outages or server crashes. Many worms are completely harmless apart from their threat of service denial.