Yearly predictions are always risky. Even more so when your subjects are cybercrime organizations, hacktivist groups, and other security attackers – entities not exactly known for sharing plans.
Nevertheless, this task fits well into an overall goal of changing the accepted balance of power between attackers and defenders. As defenders, it seems we are destined to constantly be on the reactive side – unlike attackers, who are always the initiators. Therefore, the following predictions may help change these static roles, and allow you to look ahead at the upcoming threat trends to proactively plan your defense strategy.
5 Threat Trends
My 2013 predictions are based on real attack statistics collected by Radware’s Emergency Response Team over the past two years. Here they are.
1. Availability-based threats will become a major IT concern – A recent security survey we conducted revealed the growth in availability-based attacks, such as Denial-of-Service (DoS) and Distributed Denial of Service (DDoS). Hacktivist groups will continue taking advantage of the fact that many security professionals fail to realize how vulnerable their organizations are to an outage from simple volumetric threats.
2. Longer and more persistent attack campaigns – Security attacks will become more persistent and significantly longer. Only a few years ago attacks would last minutes or hours, but in 2012 we already noticed many attacks that lasted days and even weeks, while switching between multiple attack vectors. Attackers will increasingly adopt these long, persistent attack methods as they pose a serious challenge for most organizations.
3. Attackers will increasingly target dynamic web resources – Attackers are always looking for ways to amplify the impact of their attack. Dynamic web resources – data that changes frequently and cannot be cached by CDNs – provide a perfect opportunity for attackers. Attackers can easily bypass CDNs and directly attack dynamic web resources with significant results. The most vulnerable to this threat are financially-oriented web sites, which are inherently focused on dynamic data.
4. More encryption-based attacks – I expect to see a rise in encrypted attacks carried over HTTPS. Such attacks, particularly at the application level, are hard to detect because they travel deep into the network before they are detected, and inspecting encrypted traffic is not that simple. Most organizations are still not prepared enough to detect or mitigate attacks carried over encrypted traffic.
5. Targeted Advanced Persistent Threat (APT) attacks – In the past, the same security attacks would be launched repeatedly, using the same attack vectors and sequence while targeting a different victim each time. Not anymore. Attackers will launch unique attacks that are designed to exploit the vulnerabilities of a specific organization or network. Each attack will look different so that traditional defense mechanisms, which analyze past attacks and issue patches and signatures, will no longer be relevant.
5 Defense Trends
Since I raised the flag of proactivity, here are five defense approaches and trends we can expect looking forward.
1. Resource-aware detection – Current security solutions are challenged by low and slow attacks, which consume the resources of the attacked service, making it unavailable. Such attacks appear legitimate in terms of traffic rates and protocol rules and are therefore difficult to detect. To better detect and mitigate low and slow attacks, we will see resource-aware security solutions that can look into the servers they protect and identify the resource consumption.
2. Counter attack techniques – Defense strategies will increasingly incorporate counter attack techniques. Yes, counter attacks always raise debates, yet they are a decisive way of changing the inherent weakness in the defender's stance. They also allow organizations to stay a step ahead of cybercrime organizations, hacktivist groups and other attackers with malicious intent. Counter attack mechanisms will be able to identify the attack tool, launch a counterattack that exploits the tool's weakness, and slow down or completely neutralize the attack tool.
3. Security ecosystems – In order to withstand Advanced Persistent Threat (APT) attacks that change from one case to another, a security ecosystem is needed, in which multiple systems share data and work in sync. One such example is the synchronization between on-premise security devices and CDNs – a cooperation that will optimize the detection and mitigation of attacks targeting dynamic resources. Another example may include the synchronization between ISPs and on-premise devices, so that volumetric attacks can be mitigated early on, before saturating the customer's available Internet pipe.
4. Advanced security cloud services – We expect to see more security cloud services that will offload security operations performed on customer premises to the cloud for more effective and centralized handling. This may include malware and virus inspections, forensics and security expert audits – activities that do not require immediate, real-time action.
5. Real-time application signature creation – The APT attack trend is creating a more pressing need for technologies that can automate security signature creation – whether in the cloud or on premises. Automating the signature creation process will reduce the exposure time to attacks – from malware detection to the configuration of all systems with the new security signature.
Antivirus software is crucial for combating viruses, malware, and hackers, but simply installing an antivirus program is rarely enough. You should also use strong passwords; keep your system, applications, and browser plug-ins up-to-date; and make sure your firewall is doing its job by blocking all intrusions. Following these extra safeguards can reduce the chances of your PC becoming a Petri dish full of digital contagions.
Luckily, a number of tools and services can simplify all the extra security precautions that modern PCs require. They go above and beyond what’s offered in antivirus suites, performing security audits of vulnerabilities that the big-name software packages miss. Here are five to check out.
Qualys BrowserCheck
An outdated browser or plug-in can serve as a security hole for hackers and malware authors to exploit, so you’ll want to keep your web software up-to-date. Qualys BrowserCheck is a free service that scans your Web browser to determine if you’re running outdated or insecure versions of some popular plug-ins or add-ons, including Adobe Reader, Adobe Flash, Java, and Windows Media Player.
You can run a quick scan from your browser in Windows, Mac, or Linux. You don’t even have to download any software—Qualys runs completely within your browser. Supported browsers include Internet Explorer (IE), Mozilla Firefox, Google Chrome, Safari, Opera, and Camino. Once Qualys BrowserCheck completes its scan, it lists which plug-ins it scanned, and indicates whether you’re running insecure versions of any of your plug-ins, and if any updates are available. The scan also provides links to where you can download the newest plug-in version, so you don’t have to hunt around for it.
Alternatively, you can run a full scan after downloading and installing the Qualys BrowserCheck plug-in, which supports IE, Firefox, and Chrome on Windows—there’s no Mac or Linux support for the full scan. This full scan can check all supported browsers you have installed, not just the browser you used to run the scan. And the full scan can also detect other system vulnerabilities as well, such as no automatic Windows Updates or Windows Firewall running, or out-of-date or disabled antivirus software.
Once Qualys BrowserCheck finishes doing its thing, you’ll see a list of scanned plug-ins for your current browser, and icons to view the results for each of your other browsers. And if you choose to do system checks, you’ll see a tab showing its results as well.
Secunia Personal Software Inspector (PSI)
Secunia Personal Software Inspector (PSI) is a free program that scans your PC for security vulnerabilities, like missing updates that hackers and malware authors can exploit to infect or hack into your PC. If PSI finds a vulnerability, it will try to automatically download and install any relevant updates. Otherwise, it helps you manually fix the issue.
After you download and install Secunia PSI, it will scan your system and notify you via its system tray icon if other programs require a manual update. You can open the program to find your Secunia System Score, a list of any programs that need to be updated, and a list of any software that it found to be up-to-date.
Password Security Scanner
Password Security Scanner is a free utility that scans for passwords stored by Windows applications and Web browsers, and tells you how strong they are. This gives you a chance to identify weak passwords, and change them to something more secure. Although you can’t see the actual passwords, you can see the username and which site or service they belong to.
The Password Security Scanner runs on Windows, and it will scan passwords stored by Internet Explorer, Mozilla Firefox, Microsoft Outlook, Windows Live Mail, and MSN/Windows Messenger, as well as your dial-up and VPN passwords.
After you download and install the utility, it will automatically scan and display additional details about your passwords, including their length, the types of characters used, and overall password strength. If you need help building better passwords, have a look at Alex Wawro’s primer on the topic.
ShieldsUP
ShieldsUP is a free, Web-based port scanner that tests your Internet connection for possible security holes, such as incorrect firewall settings. Although the testing regimen and reporting might be a bit over the head of average computer users, the ShieldsUP site provides a wealth of background information about firewalls and port scanning.
ShieldsUP lets you scan a few different port ranges, including File Sharing ports (to make sure you’re not offering direct access to your files) and Common Ports (to check the most commonly used ones). It also lets you check all ports via the All Service Ports scan option. In addition, you can tell it to scan a specific port or range of ports. You can also evaluate your web browser headers for privacy and tracking issues, and test whether your PC is susceptible to spam via the Windows Messenger Service, a messaging system built into Windows.
If results show open ports, you can investigate the firewall settings of your router or PC and try to close or secure them.
Belarc Advisor
Belarc Advisor is free for personal use, and scans your PC’s hardware, network connections, software, antivirus status, Windows Updates, and Windows security policies for insecure settings and other security vulnerabilities. It generates a report in HTML that you can view in your browser. This report provides details on the scanned items and any detected issues, along with links on how to fix them, but it doesn’t automatically fix them for you. Also, the information it reveals is geared more for techies and IT professionals than average home users.
In the beginning of the report, the service shows your overall security status via three scores: Security Benchmark Score, Virus Protection, and Microsoft Security Updates. Click on any of these to see more details.
By scrolling through the report, you’ll discover details on your hardware specs, user accounts, peripherals, and networking. You’ll also find a list of installed software versions, licenses, usage, and a report on missing or insecure Windows Hotfixes.
Ransomware (also referred to in some cases as cryptoviruses, cryptotrojans or cryptoworms) comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive, while some may simply lock the system and display messages intended to coax the user into paying. Modern ransomware attacks were initially popular within Russia, but in recent years there have been an increasing number of ransomware attacks targeted towards other countries, such as Australia, Germany, and the United States among others.
Hping is a tool used by VAPT and network professionals for network scanning and crafting TCP/IP packets. Hping supports testing against firewalls and security auditing, and its techniques have since been implemented in Nmap, one of the best scanners available on various platforms. Hping is a command-line TCP/IP packet assembler/analyzer. It isn't limited to sending ICMP requests: it supports TCP, UDP, ICMP and raw IP, has a traceroute mode, and can send files over a covert channel.
The stuff we can do using Hping:
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
hping can also be useful to students that are learning TCP/IP.
There are two versions of Hping in use: Hping 2 and Hping 3. Since version 3, which is in alpha state, the authors are trying to make it not just a little tool but a framework for scripting TCP/IP. Hping 3 comes with two new things: the first is an engine called APD that is able to translate a simple packet description, in the form of a string, into a packet to be sent, and the reverse. The second is the Tcl scripting language, which makes it a scriptable TCP/IP stack.
hping2 was used (in the past) to…
Traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.
Perform the idle scan (now implemented in nmap with an easy user interface).
Test firewalling rules.
Exploit known vulnerabilities of TCP/IP stacks.
Learn TCP/IP (hping was used in networking courses AFAIK).
Hping3 should be used to…
Write real applications related to TCP/IP testing and security.
Automated firewalling tests.
Proof of concept exploits.
Networking and security research when there is the need to emulate complex TCP/IP behaviour.
Prototype IDS systems.
Simple to use networking utilities with Tk interface.
Send TCP SYN packets to port 0 on host example.com (it will automatically increment the port number by 1):
$ hping example.com -S -V
Send TCP SYN packets to port 443 on host example.com:
$ hping example.com -S -V -p 443
Send TCP packets to port 443 on host example.com with the SYN + ACK flags set:
$ hping example.com -S -A -V -p 443
Send TCP SYN packets every 5 seconds to port 443 on host example.com:
$ hping example.com -S -V -p 443 -i 5
Send UDP packets to port 111 on host example.com:
$ hping example.com --udp -V -p 111
Send UDP packets spoofed to be from source host 192.168.1.150 to host example.com:
$ hping example.com --udp --spoof 192.168.1.150
Send UDP packets spoofed to be from various random source IP addresses to host example.com:
$ hping example.com --udp --rand-source
Send UDP packets with the data portion padded to 100 bytes and containing the contents of payload.txt to host example.com:
$ hping example.com -V --udp --file payload.txt --data 100
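The commands above hand hping a description of a packet and let it assemble the bytes. To make that header layout concrete for anyone reading firewall logs or IDS alerts produced by such probes, here is an added example in Python, written for this page and not hping's own code: it assembles the same kind of IPv4/TCP packet (for instance the SYN + ACK to port 443) and the TTL-stepped ICMP echo probes behind hping's traceroute mode, computes the RFC 1071 checksums, and parses the result back. Nothing is transmitted; the addresses, ports and TTL range are constructed sample values.

```python
"""Minimal IPv4/TCP/ICMP packet assembler and parser, in the spirit of hping.

Added example for this page (not hping's code). Builds the raw bytes that a
command such as `hping <host> -S -A -p 443`, or a TTL-stepping ICMP traceroute,
would place on the wire, computes the RFC 1071 checksums, and parses the result
back so the header fields can be inspected. Nothing is transmitted; all
addresses and ports below are constructed sample values.
"""
import socket  # used only for inet_aton / inet_ntoa
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
PROTO_ICMP, PROTO_TCP = 1, 6
IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"     # 20-byte TCP header, no options
ICMP_FMT = "!BBHHH"        # 8-byte ICMP echo header


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    # The IP checksum covers the header only and sits at bytes 10-11.
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def tcp_header(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    hdr = struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)
    # The TCP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, PROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", internet_checksum(pseudo + hdr)) + hdr[18:]


def icmp_echo(ident: int, seq: int) -> bytes:
    hdr = struct.pack(ICMP_FMT, 8, 0, 0, ident, seq)   # type 8 = echo request
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr)) + hdr[4:]


def build_tcp(src: str, dst: str, dport: int, flags: int,
              sport: int = 40000, ttl: int = 64) -> bytes:
    tcp = tcp_header(src, dst, sport, dport, flags)
    return ipv4_header(src, dst, PROTO_TCP, len(tcp), ttl) + tcp


def build_icmp_echo(src: str, dst: str, ttl: int) -> bytes:
    icmp = icmp_echo(ident=1, seq=ttl)
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp), ttl) + icmp


def ttl_sweep(src: str, dst: str, first: int = 1, last: int = 6) -> List[bytes]:
    """One ICMP echo per TTL: the probe sequence behind a traceroute-style run."""
    return [build_icmp_echo(src, dst, ttl) for ttl in range(first, last + 1)]


@dataclass
class Parsed:
    src: str
    dst: str
    ttl: int
    proto: int
    ip_checksum_ok: bool
    dport: Optional[int]
    flags: Optional[int]


def parse(pkt: bytes) -> Parsed:
    """Decode the IPv4 header and, for TCP, the destination port and flag bits."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = internet_checksum(pkt[:ihl]) == 0   # a valid header re-sums to zero
    dport = flags = None
    if proto == PROTO_TCP:
        _, dport, _, _, _, flags, _, _, _ = struct.unpack(TCP_FMT, pkt[ihl:ihl + 20])
    return Parsed(socket.inet_ntoa(src), socket.inet_ntoa(dst), ttl, proto, ip_ok, dport, flags)


def flag_names(flags: int) -> str:
    names = (("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
             ("PSH", TCP_PSH), ("ACK", TCP_ACK), ("URG", TCP_URG))
    return "+".join(n for n, bit in names if flags & bit)


if __name__ == "__main__":
    # In-memory equivalent of `hping <host> -S -A -p 443` (constructed addresses)
    pkt = build_tcp("192.168.1.150", "203.0.113.10", 443, TCP_SYN | TCP_ACK)
    p = parse(pkt)
    print(f"{p.src} -> {p.dst}:{p.dport} flags={flag_names(p.flags)} "
          f"ttl={p.ttl} ip_checksum_ok={p.ip_checksum_ok}")
    for probe in ttl_sweep("192.168.1.150", "192.168.1.8"):
        print("icmp echo request with ttl", parse(probe).ttl)
```

The parser's checksum check is the same one a router or IDS applies: re-summing a correctly formed header yields zero, so any byte corrupted in transit shows up as a non-zero result. Packets with unusual flag combinations (such as SYN+ACK arriving without a prior SYN) or a very low TTL are exactly what the parsed fields make visible, which is why they are useful features for firewall and IDS rules.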
Tcl is a simple-to-learn yet very powerful language. Its syntax is described in just a dozen rules, but it has all the features needed to rapidly create useful programs in almost any field of application – on a wide variety of international platforms.
The following script sends ICMP packets to 192.168.1.8, using TTL values from 1 to 6.