q − 1 - It works!

abdomendebonair, Security

2 Nov 2013

Lecture 17

Security


Introduction

Cryptography basics

Web Security and Vulnerabilities

Network Security Tools

What is Network Security?

Network security comprises the measures a company takes to protect its computer system, and it is a prime concern for every company that uses computers. Compromised network security means a hacker or competitor may gain access to critical or sensitive data, possibly resulting in data loss, or even complete destruction of the system.

Appropriate network security is achieved when a user has to go through several layers of security before being able to access the desired network. The more layers the system has, the more secure it is.

http://www.wisegeek.com/what-is-network-security.htm

Cryptography


Encryption, decryption

Keys, lengths, and harness

Asymmetric key cryptography

Hash functions

Authentication

PKI and key management

Privacy

The Public Key Method

We generate a special pair of values (e,d). The plaintext message M is encrypted into the ciphertext message C using modular exponentiation mod n.

We decrypt C back into M by,

Before we look at how e and d are generated it is important to understand what is happening in these two expressions. First of all, modular exponentiation does not involve raising a value to a power. The possible values for C (and M) are between 0 and n-1. Converting a string of characters (the plaintext message) into an integer is fairly straightforward. Once it is in numeric form, modular exponentiation produces a value equal to the remainder after dividing M^e by n.
Computing the Key Pair (e,d)

Let's look at how to compute the values of e and d. We start with a pair of values p and q that must be relatively prime (i.e. they have no common factors). These would normally be very large but for the purposes of this example we will choose

    p = 47
    q = 71

Now we need to find a value e such that the greatest common divisor between e and the product of (p-1) times (q-1) is 1, or

    gcd(e, (p-1)(q-1)) = 1.

Please don't ask why....thanks. The product p*q will be the modulus n.

    n = p*q = 3337

and so (p-1)(q-1) = 3220. We will choose e to be 79 since it is obvious that the greatest common divisor between 79 and 3220 is 1.

Now we need a d to go with our e:

    79*d = 1 mod 3220

First use the regular Euclidean Algorithm to find gcd(79,3220). The answer must be one, otherwise we can't be sure that a solution exists, so we proceed as follows:

    3220 = 40*79 + 60
    79 = 1*60 + 19
    60 = 3*19 + 3
    19 = 6*3 + 1
    3 = 3*1 + 0

The last nonzero remainder is the gcd. Thus gcd(79, 3220) = 1 (as expected). Now write this gcd (one) as a linear combination of 79 and 3220 by working back up the tree that we just created:

Thus 1019*79 - 25*3220 = 1. Now do "mod 3220" on both sides to obtain:

    1019*79 = 1 mod 3220

Thus d = 1019. So the inverse of 79 mod 3220 is 1019. Another way of saying this is that 79*1019 will be one more than a multiple of 3220.

Modular Exponentiation

The slide gives the square-and-multiply procedure in pseudocode; it is written out here as runnable Python with the same algorithm: scan the binary expansion n = (a_{k-1} a_{k-2} ... a_1 a_0)_2 from a_0 upward, squaring the running power at each step.

    def mod_exp(b, n, m):
        """Compute b**n mod m for integer b, non-negative n and positive modulus m."""
        x = 1
        power = b % m
        for i in range(n.bit_length()):   # i = 0 .. k-1
            if (n >> i) & 1 == 1:         # a_i = 1: multiply in the current power
                x = (x * power) % m
            power = (power * power) % m   # power = b**(2**(i+1)) mod m
        return x

Example: Find 2^644 mod 645.

    644_10 = 1010000100_2  (= 512 + 128 + 4)

    2^644 mod 645 = (2^512 . 2^128 . 2^4) mod 645
                  = ((2^512 mod 645) . (2^128 mod 645) . (2^4 mod 645)) mod 645
                  = 1


The Euclidean Totient

If p and q are prime, the number of values x in 0 < x < n for which gcd(x,n) = 1 is given by

    φ(n) = (p − 1)(q − 1).

    φ(n) = φ(pq) = φ(p) φ(q) = (p − 1)(q − 1)

Let's try a really simple example...

    p = 3
    q = 5
    n = 15

so (p-1)(q-1) = (2)(4) = 8.

    gcd(1,15) = 1
    gcd(2,15) = 1
    gcd(3,15) = 3
    gcd(4,15) = 1
    gcd(5,15) = 5
    gcd(6,15) = 3
    gcd(7,15) = 1
    gcd(8,15) = 1
    gcd(9,15) = 3
    gcd(10,15) = 5
    gcd(11,15) = 1
    gcd(12,15) = 3
    gcd(13,15) = 1
    gcd(14,15) = 1

The eight values with gcd 1 are 1, 2, 4, 7, 8, 11, 13 and 14, matching (p-1)(q-1) = 8.

Public Key Cryptography

In 1976, Rivest, Shamir and Adleman introduced a public key cryptosystem, known as the RSA system.

Example: Encrypt the message STOP with p = 43 and q = 59, so that n = 43 . 59 = 2537 and e = 13.

    gcd(e, (p-1)(q-1)) = gcd(13, 42 . 58) = 1.

    S  T  O  P
    18 19 14 15
    M1    M2

To decrypt we need d, which is an inverse of e mod (p-1)(q-1).
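The key-pair computation, the square-and-multiply exponentiation and the STOP example above, carried through in code with the slides' own numbers. This is an added example, not code from the lecture; it assumes the block encoding the digit row and the two block labels suggest (A=00 ... Z=25, two letters per block), and the function names are ours.

```python
# Added example (not from the lecture slides): RSA key pair, modular
# exponentiation and the STOP encryption from the slides, end to end.
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(e, phi):
    """d with e*d = 1 (mod phi); fails if gcd(e, phi) != 1, since then no inverse exists."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and (p-1)(q-1) must be coprime")
    return x % phi


def mod_exp(b, n, m):
    """b**n mod m by scanning the bits of n from a_0 upward (the slides' procedure)."""
    x, power = 1, b % m
    while n:
        if n & 1:
            x = (x * power) % m
        power = (power * power) % m
        n >>= 1
    return x


def rsa_keypair(p, q, e):
    """(n, e, d) for the given primes and public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return n, e, mod_inverse(e, phi)


def phi_by_counting(n):
    """Euler's totient by brute counting, to check (p-1)(q-1) on small n."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def encode_blocks(text, block_letters=2):
    """A=00 ... Z=25, block_letters letters per numeric block (assumed encoding)."""
    digits = "".join(f"{ord(c) - ord('A'):02d}" for c in text.upper())
    width = 2 * block_letters
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def decode_blocks(blocks, block_letters=2):
    """Inverse of encode_blocks; leading zeros are restored by zero-padding."""
    text = ""
    for m in blocks:
        s = f"{m:0{2 * block_letters}d}"
        text += "".join(chr(ord('A') + int(s[i:i + 2])) for i in range(0, len(s), 2))
    return text


def rsa_encrypt(blocks, n, e):
    return [mod_exp(m, e, n) for m in blocks]


def rsa_decrypt(blocks, n, d):
    return [mod_exp(c, d, n) for c in blocks]


if __name__ == "__main__":
    n, e, d = rsa_keypair(47, 71, 79)       # slides' worked pair: d = 1019
    print(n, d, mod_exp(2, 644, 645), phi_by_counting(15))
    n, e, d = rsa_keypair(43, 59, 13)       # slides' STOP example
    m = encode_blocks("STOP")               # [1819, 1415]
    c = rsa_encrypt(m, n, e)
    print(c, decode_blocks(rsa_decrypt(c, n, d)))
```

`mod_inverse` refuses an e that shares a factor with (p-1)(q-1), which is the "answer must be one" condition from the Euclidean step above; `phi_by_counting(15)` reproduces the gcd table's count of 8.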

SAFER+ Algorithm Details

Pseudo-Hadamard Transform

Armenian Shuffle: 9 12 13 16 3 2 7 6 11 10 15 14 1 8 5 4

Diffie-Hellman

An algorithmic method for key agreement allows two hosts to create and share a secret key. VPNs operating on the IPSec standard use the Diffie-Hellman method for key management.

Key management in IPSec begins with the overall framework called the Internet Security Association and Key Management Protocol (ISAKMP). Within that framework is the Internet Key Exchange (IKE) protocol.

IKE relies on yet another protocol known as OAKLEY and it uses Diffie-Hellman.

Diffie-Hellman Key Exchange

http://philipfox.net/dh/dh.html

http://www.sans.org/reading_room/whitepapers/vpns/review-diffie-hellman-algorithm-secure-internet-protocols_751
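The key agreement just described, run between two hosts with the value each side transmits and the secret each side derives. This is an added example, not code from the lecture or from any IKE implementation; the prime and generator are constructed toy values (IKE uses standardised groups with much larger primes), and the function names are ours.

```python
# Added example (not from the slides): a Diffie-Hellman run between two hosts.
import secrets

P = 2_147_483_647   # constructed toy prime (2**31 - 1); NOT a real DH group
G = 7               # constructed generator


def dh_public(private, p=P, g=G):
    """Public value g^x mod p: the only thing sent over the wire."""
    return pow(g, private, p)


def dh_shared(private, peer_public, p=P):
    """Shared secret (peer_public)^x mod p, computed locally by each side."""
    return pow(peer_public, private, p)


def dh_exchange(alice_private, bob_private, p=P, g=G):
    """Returns (A, B, Ka, Kb): the two transmitted values and each side's secret."""
    A = dh_public(alice_private, p, g)     # Alice -> Bob
    B = dh_public(bob_private, p, g)       # Bob -> Alice
    Ka = dh_shared(alice_private, B, p)    # Alice computes from B
    Kb = dh_shared(bob_private, A, p)      # Bob computes from A
    return A, B, Ka, Kb


def run_demo():
    """Fresh random private values; True when both sides agree on the secret."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A, B, Ka, Kb = dh_exchange(a, b)
    return Ka == Kb
```

An eavesdropper sees A and B but not a or b; the private values never leave their host, which is why IKE can agree keys over an untrusted path.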

Kerberos

Created by MIT as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After client and server have used Kerberos to prove their identity, they can encrypt all of their communications to assure privacy.

http://www.answers.com/topic/kerberos-protocol-1

When users log in to a Kerberos system, their password is encrypted and sent to the authentication service in the Key Distribution Center (KDC). If successfully authenticated, the KDC creates a master ticket that is sent back to the user's machine. Each time the user wants access to a service, the master ticket is presented to the KDC in order to obtain a service ticket for that service. The master-service ticket method keeps the password more secure by sending it only once at logon. From then on, service tickets are used, which function like session keys.

After users are authenticated, they are granted a master ticket that is used to obtain service tickets. Service tickets act like session keys in other security systems.

Network & IT Security Threats and Countermeasures

BD_ADDR Attacks

Bluetooth Vulnerability

The BD_ADDR spoofing attack allows an attacker to masquerade as some trusted/paired device and use the credentials to gain access to profiles requiring authorization/authentication in another remote device.

The BD_ADDR spoofing attack can be performed in two ways:

(1) Spoofing the BD_ADDR of a trusted device to access profiles requiring authorization.

(2) Spoofing the BD_ADDR and obtaining the shared secret link key created during the pairing procedure to access profiles requiring authentication.

http://www.seguridadmobile.com/bluetooth/bluetooth-security/BD_ADDR-spoofing.html

Bluetooth Device Address (BD_ADDR)

Each Bluetooth device is allocated a unique 48-bit Bluetooth device address (BD_ADDR). This number is obtained by contacting the IEEE to get an OUI that forms 24 bits of the 48-bit address. You can apply for a further OUI when more BD_ADDR values are required.

4.2.1 Authentication

The authentication procedure is based on a challenge-response scheme. The verifier sends a random number (the challenge) to the claimant. The claimant calculates a response, that is a function of this challenge, the claimant's BD_ADDR and a secret key. The response is sent back to the verifier, that checks if the response was correct or not. A successful calculation of the authentication response requires that two devices share a secret key.

www.bluetooth.org
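The challenge-response exchange above, simulated with both sides' steps so that the two properties the text relies on are visible: a claimant without the shared key fails even when it presents the paired device's address, and a captured response does not verify against a fresh challenge. This is an added example, not from the Bluetooth specification or the lecture; HMAC-SHA256 truncated to 4 bytes stands in for the Bluetooth response function (an assumption made for illustration), and the addresses and keys are constructed values.

```python
# Added example (not from the Bluetooth spec or the slides): challenge-response
# authentication simulated with an HMAC as the response function.
import hashlib
import hmac
import secrets

RESPONSE_LEN = 4   # Bluetooth's SRES is 32 bits; the MAC is truncated to match (assumption)


def make_challenge():
    """Verifier side: a fresh random challenge for every authentication run."""
    return secrets.token_bytes(16)


def compute_response(challenge, bd_addr, link_key):
    """Claimant side: response = f(challenge, claimant's BD_ADDR, shared secret key)."""
    return hmac.new(link_key, challenge + bd_addr, hashlib.sha256).digest()[:RESPONSE_LEN]


def verify_response(challenge, bd_addr, link_key, response):
    """Verifier side: recompute with its own copy of the key, compare in constant time."""
    expected = compute_response(challenge, bd_addr, link_key)
    return hmac.compare_digest(expected, response)


def authenticate(claimant_addr, claimant_key, verifier_key, challenge=None):
    """One full round: challenge out, response back, verdict."""
    if challenge is None:
        challenge = make_challenge()                                    # verifier -> claimant
    response = compute_response(challenge, claimant_addr, claimant_key)  # claimant -> verifier
    return verify_response(challenge, claimant_addr, verifier_key, response)


# Constructed sample values (not real devices or keys)
ADDR_PAIRED = bytes.fromhex("001122334455")
LINK_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WRONG_KEY = bytes(16)

if __name__ == "__main__":
    print(authenticate(ADDR_PAIRED, LINK_KEY, LINK_KEY))    # paired device: True
    print(authenticate(ADDR_PAIRED, WRONG_KEY, LINK_KEY))   # spoofed address, no key: False
```

The address alone buys nothing: the verdict depends on the key, which is exactly why the attack in the next section targets the link key rather than the address.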

The BD_ADDR Attack

Assume that the attacker eavesdropped on an entire pairing and authentication process, and saved all the messages. The attacker can now use a brute force algorithm to find the PIN used.

The attacker enumerates all possible values of the PIN. Knowing IN_RAND and the BD_ADDR, the attacker runs E22 with those inputs and the guessed PIN, and finds a hypothesis for Kinit.

The attacker can now use this hypothesis of the initialization key to decode messages 2 and 3. Messages 2 and 3 contain enough information to perform the calculation of the link key Kab, giving the attacker a hypothesis of Kab.

The attacker now uses the data in the last 4 messages to test the hypothesis: using Kab and the transmitted AU_RANDA (message 4), the attacker calculates SRES and compares it to the data of message 5. If necessary, the attacker can use the values of messages 6 and 7 to re-verify the hypothesis Kab until the correct PIN is found.

Sending AT commands to mobile phones

The execution of AT commands is one of the main goals in hypothetical attacks on mobile phones. AT commands are a set of instructions that allow remote configuration and operation of a GSM device, such as a mobile phone, like a "remote shell". However, not all the AT commands are always implemented by manufacturers in their devices:

Basic operations: voice and data calls, set call divert, manufacturer info, model info, IMEI, battery status, signal status.

Address book operations: read, add and delete contacts from the address book and also get the last dialed/missed/received calls list.

SMS operations: list, read, write, send and delete SMS messages.

http://www.brics.dk/~jones/sms/packed/dg_at_r3a.pdf

Sending / Getting files from mobile phones

The capability of sending files and even getting files is another important goal when it comes to attacks on mobile phones. Bluetooth supports file exchange through the OBEX protocol. Two profiles can be used for this, among all defined by the Bluetooth SIG:

Object Push Profile: requires Authorization. This profile allows you to send files. You can use the ussp-push tool, available after installing the ussp-push package in Ubuntu. Alternatively you can use obexftp, available after installing the obexftp package in Ubuntu. It's important to force it to use the channel associated to the Object Push Profile.

File Transfer Profile: requires Authentication and Authorization. Allows you to send files, get files and list directories. You can use obexftp to send files. If no channel is specified, it will use the one associated to the File Transfer Profile by default. Finally, you can get files from the phone to the PC.

Dictionary (Brute-Force) Password Attacks

A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

Cain and Abel - Password recovery tool for Windows. Recovers passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

John the Ripper - A multi-platform password hash cracker currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches.

THC Hydra - A network authentication cracker which supports different services. It can perform rapid dictionary attacks against telnet, ftp, http, https, smb, and several databases.

Aircrack - A suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered, as well as attack WPA 1 or 2 networks using cryptographic methods or by brute force.

http://sectools.org/crackers.html

L0phtcrack - Windows password auditing and recovery application that attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. Includes methods for generating password guesses (dictionary, brute force, etc).

Airsnort - 802.11 WEP Encryption Cracking Tool, a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. Similar to Aircrack.

SolarWinds - A suite of network discovery/monitoring/attack tools targeted at systems administrators. Security-related tools include network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, and a set of router config download/upload applications.

Pwdump - A Windows password recovery tool to extract NTLM and LanMan hashes from a Windows target, whether or not Syskey is enabled. It can display password histories if they are available, and output or write to a log file the data in L0phtcrack-compatible form.

RainbowCrack - A hash cracker that makes use of a time-memory trade-off to do all the cracking-time computation in advance and store the results in "rainbow tables". RainbowCrack can be hundreds of times faster than a brute force cracker once the precomputation is finished.

Brutus - A Windows-only network brute-force authentication cracker. Attacks network services of remote systems trying to guess passwords by using a dictionary with permutations. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, etc.
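The attacks above all look the same from the target's side: many failed logins from one source in a short time. Below is the detection logic a defender would run over authentication logs, as an added example that is not from the lecture; the log lines are constructed in sshd style, and the threshold, window and function names are our choices.

```python
# Added example (not from the slides): flag sources that exceed N failed
# logins inside a sliding time window, over constructed sshd-style log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (documentation addresses, not real hosts)
SAMPLE_LOG = """\
2013-11-02T10:00:01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2013-11-02T10:00:02 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2013-11-02T10:00:02 sshd[2002]: Failed password for root from 203.0.113.7 port 51124 ssh2
2013-11-02T10:00:03 sshd[2003]: Failed password for root from 203.0.113.7 port 51125 ssh2
2013-11-02T10:00:04 sshd[2004]: Accepted password for alice from 198.51.100.5 port 40000 ssh2
2013-11-02T10:00:05 sshd[2005]: Failed password for alice from 198.51.100.5 port 40001 ssh2
2013-11-02T10:00:09 sshd[2006]: Failed password for root from 203.0.113.7 port 51126 ssh2
2013-11-02T10:05:00 sshd[2007]: Failed password for root from 203.0.113.7 port 51127 ssh2
"""


def parse_failures(text):
    """Yield (timestamp, source ip, attempted user) for each failed login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: (time of first alert, sorted usernames tried)} for noisy sources."""
    recent = defaultdict(deque)   # per-ip timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for ts, ip, user in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (when, tried) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{when.isoformat()} brute-force suspected from {ip}, users tried: {tried}")
```

A single typo from 198.51.100.5 never trips the rule; 203.0.113.7 is flagged at its fifth failure within a minute, and the list of usernames tried (admin, root) is the other signal a dictionary tool leaves behind.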

Buffer Overflow Attack

Also known as a stack overflow attack, it works by exploiting a known bug in one of the applications running on a server. It then causes the application to overlay system areas, such as the system stack, thus gaining administrative rights.

The slide's illustration of the bug (deliberately vulnerable: strcpy copies all of str into a 16-byte stack buffer with no length check):

    #include <string.h>

    void function(char *str)
    {
        char buffer[16];
        strcpy(buffer, str);   /* no bounds check: a str longer than 15 characters overruns buffer */
    }

    int main(void)
    {
        char *str = "XXXXXXXXX... ...XXXXX.... ...XXXXXXXX";
        function(str);
        return 0;
    }

http://www.thehackerslibrary.com/?p=488

Cache Cramming

The technique of tricking a browser to run cached Java code from the local disk, instead of the internet zone, so it runs with less restrictive permissions. The Java Security Manager usually disallows port-scanning behavior, but crackers use the trick of placing Java code (e.g. a port scanner) into the browser's cache (only works with MS Explorer) and later executing it through a file: URL (using frames in the usual way). This attack works because Microsoft's cache layout is transparent.

http://www.securingjava.com/chapter-five/chapter-five-13.html

Cache Poisoning

Malicious or misleading data from a remote name server is saved [cached] by another name server. Typically used with DNS cache poisoning attacks.

http://courses.csail.mit.edu/6.857/2010/

See also: DNS Bug, DNS Spoofing

Denial of service attack

A user or program takes up all the system resources by launching a multitude of requests, leaving no resources and thereby "denying" service to other users. Typically, denial-of-service attacks are aimed at bandwidth control. (See Flooding Attack.)

Detecting DDoS attacks

Simply blocking the attacker does not work because there are too many zombies, and to recognize them you usually have to receive and decrypt the incoming packets.

Tupakula and Varadharajan suggest a Packet Marking Technique that reduces the number of packets needed to tag, identify and block suspicious requests to as few as a single packet.

http://ntrg.cs.tcd.ie/undergrad/4ba2.05/group2/index.html

Easter Egg

Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes is entered. Easter eggs are typically used to display the credits for the development team and are intended to be non-threatening.

http://www.pocket-lint.com/news/9889/google-earth-flight-sim-game

Hidden inside Google Earth is a secret flight simulator game that uses Google's satellite imagery. To get to the game, you need to open Google Earth and hit Cmd+Option+A (capital A), or Ctrl+Alt+A if you're using a Windows machine.


Emanations Analysis

Gaining direct knowledge of communicated data by monitoring and resolving a signal that is emitted by a system and that contains the data but is not intended to communicate the data.

https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr200810sf2.html

TEMPEST

Eavesdropping on PC displays.

Information on a PC screen can be remotely reconstructed exactly as it appeared on the display by monitoring and appropriately demodulating the weak emanations generated by the PC and its peripheral equipment. Such an eavesdropping technique had been researched by some military organizations since around 1960, but most of the results were classified and not disclosed to the public.

It came to public attention in 1985 when Wim van Eck pointed out that information on a cathode ray tube display can easily be reconstructed. Since his work, research on information leakage of this kind has been conducted by many organizations.

The National Security Agency (NSA) in the USA refers to this type of threat by the covername TEMPEST, and this term is now in general use.

Fragment Overlap Attack

A TCP/IP attack that is possible because IP allows packets to be broken down into fragments for more efficient transport across various media. The TCP packet (and its header) are carried in the IP packet. In this attack the second fragment contains an incorrect offset. When the packet is reconstructed, the port number will be overwritten.

http://baishui.info/orelly/networking_2ndEd/fire/ch04_02.htm

An attacker can construct a packet with acceptable headers in the first fragment but then overlap the next fragment so that it also has headers in it. Since packet filters don't expect TCP headers in non-first fragments, they won't filter on them, and the headers don't need to be acceptable.

The figure on the right shows examples of overlapped fragments.

Honey pot

Programs that simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. A honey pot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advance warning of a more concerted attack.

http://stankiewicz.free.fr/Wikka/wikka.php?wakka=HowtoHoneypot

A Honeypot allows you to capture and analyze suspect activities. For example, assume you have an ADSL connection, with only one public IP address. The ISP modem is configured to perform a network address translation (NAT) on all incoming packets (destination: public IP address) to the private honeypot address.

The Honeywall is connected to the Vmnet0 interface which is bridged to the eth0 device. It is also connected to the Vmnet1 interface like the honeypot. This configuration allows us to have an independent network between the two virtual OS's. Vmnet2 is a host-only interface used for the Honeywall administration.

Note that the Wifi connection is outside the Honeywall.

Protocol Attacks

When the characteristics of network services are exploited by the attacker. Examples include the creation of infinite protocol loops which result in denial of service (e.g., echo packets under IP), the use of information packets under the Network News Transfer Protocol to map out a remote site, and use of the Source Quench protocol element to reduce traffic rates through select network paths. (A type of DoS attack.)

IRPAS (Internet Routing Protocol Attack Suite)

itrace - traceroute(1) by ICMP echo request
tctrace - traceroute(1) by TCP SYN packets
netenum - enumeration/ping-sweep tool
netmask - ICMP netmask request
protos - IP protocol scanner
hsrp - HSRP takeover tool
cdp - for sending CDP (Cisco router Discovery Protocol) messages to the wire.
igrp - for sending Interior Gateway Routing Protocol messages.
irdp - for sending ICMP router discovery protocol messages.
irdpresponder - waits for IRDP requests and sends out response packets to fool clients.
ass - Autonomous System Scanner, a TCP port scanner that knows more than one protocol.
file2cable - sends out raw ethernet frames from files.

http://www.ferzip.com/?p=286

http://www.phenoelit-us.org/irpas/

Tiny Fragment Attack

With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter.

This attack can be used to circumvent user-defined filtering rules. The attacker hopes that a filtering router will examine only the first fragment and allow all other fragments to pass.

This attack can be prevented at the router by enforcing rules which govern the minimum size of the first fragment. This first fragment should be made large enough to ensure it contains all the necessary header information.

http://www.ouah.org/fragma.html
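The filter-side check the two fragmentation sections call for: the minimum-first-fragment rule that defeats the tiny fragment attack, and the overlap detection that catches a later fragment rewriting header bytes (the Fragment Overlap Attack above). This is an added example, not from the lecture or any firewall; offsets and lengths are in bytes (a real IP header stores the offset in 8-byte units), 20 bytes is assumed as the minimum needed to hold the TCP header fields a filter inspects, and the sample fragment lists are constructed.

```python
# Added example (not from the slides): reassembly-time checks for tiny first
# fragments and overlapping fragments, over constructed fragment lists.
from dataclasses import dataclass

TCP_MIN_HEADER = 20   # assumed minimum so ports, seq/ack and flags are all in fragment 0


@dataclass
class Fragment:
    ident: int      # IP identification: fragments of one datagram share it
    offset: int     # byte offset of this fragment's payload within the datagram
    length: int     # payload bytes carried
    more: bool      # MF flag: more fragments follow


def check_datagram(frags, min_first=TCP_MIN_HEADER):
    """Return the reasons to drop this datagram; an empty list means it looks sane."""
    problems = []
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        problems.append("no first fragment")
        return problems
    first = frags[0]
    if first.more and first.length < min_first:
        # Tiny Fragment Attack: header fields pushed into fragment 1 escape the rules
        problems.append(f"tiny first fragment: {first.length} < {min_first} bytes of header")
    covered_end = first.offset + first.length
    for f in frags[1:]:
        if f.offset < covered_end:
            # Fragment Overlap Attack: this fragment rewrites bytes already delivered
            problems.append(f"overlap: fragment at {f.offset} rewrites bytes {f.offset}..{covered_end - 1}")
        covered_end = max(covered_end, f.offset + f.length)
    return problems


# Constructed samples
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 520, False)]
TINY_FIRST = [Fragment(2, 0, 8, True), Fragment(2, 8, 1000, False)]   # only 8 header bytes in frag 0
OVERLAP = [Fragment(3, 0, 40, True), Fragment(3, 16, 1000, False)]    # frag 1 overwrites header bytes 16..39

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("tiny first", TINY_FIRST), ("overlap", OVERLAP)]:
        print(name, "->", check_datagram(frags) or "ok")
```

Dropping on either finding, rather than just logging, is what turns the router rule the text recommends into an enforced one: a filter that only inspects fragment 0 but never sees a fragment 0 shorter than the header cannot be tricked by either layout.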

Web Bug

Tiny images, invisible to a user, placed on web sites in such a way that they allow third parties to track use of web servers and collect information about the user, including IP address, host name, browser type and version, operating system name and version, and web browser cookie.

http://w2.eff.org/Privacy/Marketing/web_bug.html

Example, two Web Bugs found on Quicken's home page www.quicken.com:

    <img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>

    <IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">

What Information is returned by a Web Bug?

The IP address of the computer that fetched the Web Bug
The URL of the page that the Web Bug is located on
The URL of the Web Bug image
The time the Web Bug was viewed
The type of browser that fetched the Web Bug image
A previously set cookie value
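A page scanner that applies the two characteristics the text gives (1x1 pixel, served by a third party) to find web bugs and list the hosts that will receive the information above. This is an added example, not from the EFF page or the lecture; the sample HTML is constructed around the two Quicken tags quoted above plus two harmless first-party images, and the class and function names are ours.

```python
# Added example (not from the slides or the EFF page): find 1x1 third-party
# images in HTML and report the hosts they beacon to.
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.found = []

    def _first_party(self, host):
        return host == self.page_host or host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        if tag != "img":                      # html.parser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = a.get("width") == "1" and a.get("height") == "1"
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if tiny and host and not self._first_party(host):
            self.found.append({"host": host, "src": src})


def find_web_bugs(html, page_host):
    """Return [{'host': ..., 'src': ...}] for every 1x1 image fetched from another site."""
    p = WebBugFinder(page_host)
    p.feed(html)
    p.close()
    return p.found


# Constructed sample page: the two tags from the text plus two first-party images
SAMPLE_HTML = '''
<html><body>
<img src="/images/logo.gif" width=120 height=40>
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0
 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">
<img src="http://www.quicken.com/spacer.gif" width=1 height=1>
</body></html>
'''

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "quicken.com"):
        print(bug["host"], "<-", bug["src"])
```

The first-party 1x1 spacer is deliberately not reported: the page's own server already sees every request, so only a pixel fetched from another host leaks the visit to a third party.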

Terminology & Information Sources

http://www.ssimail.com/Glossary.htm

http://www.sans.org/security-resources/glossary.php

http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf

http://csrc.nist.gov/publications/

http://www.itl.nist.gov/fipspubs/

http://www.itl.nist.gov/fipspubs/by-num.htm

http://www.symantec.com/business/security_response/threatexplorer/

http://glossary.spamlaws.com/