Software Security and Threats

Change, Configuration, and Testing

Change and Configuration Management

• Provides an organized framework.
• Enables cost/benefit analysis.

1. Request Control - Enables users to request modifications.
2. Change Control - Used to recreate and analyze situations for appropriate changes.
3. Release Control - Procedure for approving changes before releasing them.

Always conduct acceptance testing during release control.

---

Software Testing

• Thorough testing before distribution.
• Use of special datasets to exercise all paths.
• Automated and manual testing.

Example: If a software is expected to add two numbers, inputting 3 and 4 should yield 7. If it yields 8, then there's an error.

Always compare actual results against expected results during testing.

---

Virus Propagation Techniques

Viruses employ various techniques to propagate and ensure their persistence. These methods can be categorized into the following:

• File Infection:

  • Viruses infect different types of executable files.

  • They become active when the operating system executes them.

  • For Windows, these are typically .exe and .com files.

• Service Injection:

  • Viruses evade detection by embedding themselves into the trusted runtime processes of the OS.

  • Examples include svchost.exe, winlogon.exe, and explorer.exe.

Cheats for games, such as CS:GO, inject into csgo.exe to dodge anti-cheat, much like viruses bypass anti-virus systems.

• Boot Sector Infection:

  • Viruses infect the legitimate boot sector.
  • These viruses are loaded into memory during the OS load process.

• Macro Infection:

  • Viruses spread by infecting the code in macros.

  • Commonly, they use Visual Basic for Applications in MS Office documents.

---

AV Software

Employs multiple strategies to detect and combat malware.

1. Signature-Based Detection:

   • Uses algorithmic patterns to identify known viruses.

   • Regular updates of virus signatures are critical.

   Example: Windows updates its virus signatures daily.

2. Behavior-Based Detection:

   • Monitors systems for abnormal activities.

   • Flags or blocks suspicious behavior even if no known signature match is found.

   • Modern solutions leverage AI and ML. Some even connect to cloud systems to analyze potential threats.

   Remember: Modern threats may appear once and vanish, making behavior-based detection essential.

---

Threats to Software

Techniques to Compromise Password Security:

1. Password Crackers:

   • Extracts passwords from stolen credential data.
   • Methods can vary and include:
     • Dictionary attack
     • Brute force
     • Social engineering attack

2. Rootkit (escalation of privilege):

   • A rootkit is essentially a kit that offers root access!
   • Exploits OS vulnerabilities for escalated privileges.
3. Application Attacks:
   • Targets vulnerabilities in poorly designed software.
4. Buffer Overflow:
   • Occurs when user input isn't validated for size.
   • Memory buffers can overflow if the input exceeds capacity. Common in web forms.
5. Backdoor:
   • Undocumented command sequences allowing bypassing of access restrictions.
   • Although useful during development, they sometimes mistakenly remain in the live environment.
   • Example: WannaCry leveraged a backdoor for its zero-click network propagation.
6. Time-of-Check-to-Time-of-Use:
   • A timing vulnerability where permissions are checked too early before a resource request.
   • Example: Imagine a multi-threaded environment where a file's permission is checked and then accessed later. Between the check and the access, another process could potentially change the file's permissions or even the file itself.

---

Web Application Vulnerabilities:

Cross-Site Scripting (XSS):

• A type of injection attack where malicious scripts are inserted into trusted websites.

• Occurs when an attacker uses a web application to relay malicious code to another user.

• Typically happens when web apps process unfiltered user input.

Example: A commenting system on a blog displays user comments without filtering. An attacker could input a script as their "comment". Other users viewing the comment will execute the script, potentially stealing cookies or other data.

Cross-site

Request Forgery (XSRF or CSRF)

• SQLDefinition: InjectionExploits the trust a user has in a specific website, causing them to unknowingly perform an action they did not intend. Similar to cross-site scripting attacks but exploits a different aspect of the trust relationship.

• How it works: A malicious website or email makes the user's browser send a request to a trusted site where the user is already authenticated, leading to unwanted actions performed on the trusted site.

• Mitigation:

  1. Use secure tokens for web apps.
     • This ensures that each request from a user is genuine and not generated by a third party.
  2. Check the referring URL in requests.
     • By doing this, the site can ensure that the request came from the correct location.

Always ensure web apps use secure tokens and validate referring URLs to guard against CSRF attacks.

SQL Injection

Attackers provide unexpected input to manipulate the underlying database.

For example,

Example: Onon a login page, instead of a regular password, an attacker inputs password' OR '1' = '1. If not properly sanitized, the database might interpret this as always true, granting unauthorized access.

Input validation, using prepared statements, and limiting account privileges help protect against SQL injection. 

---

Network Reconnaissance Techniques:

1. IP Probes:

   • Tools attempt to ping a range of addresses.
   • Responsive systems are noted for further investigation.

2. Port Scan:

   • Identifies open or listening ports on a system.
   • Critical servers like web and file servers are common targets.

3. Vulnerability Scans:

   • Identifies specific system vulnerabilities.
   • Popular tools include Nessus, OpenVAS, Qualys, and Core Impact.