The Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA) is a commonly used challenge-response test to prevent attackers from using computer-generated responses to perform certain repetitive actions, such as signing up for e-mail accounts, submitting online forms and so on.
This test may be used as a security measure on websites, web-based e-mail systems and other services where an automated-response type attack might reasonably be expected.
A CAPTCHA test usually involves the user attempting to solve a challenge that current software cannot solve, such as deciphering a distorted visual image to discern numbers and letters; a correct answer to the challenge leads to the assumption that the user is human and is therefore permitted to use the service.
The widespread use of CAPTCHA security precautions has, ironically, led to the development of attack techniques specifically designed to defeat CAPTCHA; most of these attacks still involve human interaction at some stage.
A general term used to collectively refer to:
- File viruses
- Boot viruses
- Macro viruses
- Script viruses
These virus types are considered 'classic' in the sense that these were the first types of malware to emerge in the wild, back in the late '70s and early '80s.
The term 'classic' does not mean that these viruses are extinct or irrelevant, for though they form a much smaller proportion of today's threat landscape, such viruses are still alive and well.
A program or file that has been identified as ‘clean’ does not contain malicious code or behavioral routines, and performs its stated function.
Under certain circumstances, a clean program may be inadvertently identified as ‘malicious’, most often because of similarities between the program and known malware. This miscategorization is known as a ‘False Positive’ or ‘False Alarm’.
The converse, where a malicious file is miscategorized as clean, is known as a ‘false negative’.
A type of online attack that involves misappropriating a user's actions on a website to perform unauthorized and unintended actions.
How Click-jacking Works
This type of attack generally involves an attacker embedding malicious code or script on the website, often by exploiting an iframe vulnerability. The code is then triggered by certain actions performed by an unsuspecting user, who believes they are performing actions on the actual website.
As an example, the attacker can inject an invisible iframe layer that 'floats' over an existing webpage, with buttons on the floating layer lying directly over buttons on the visible page. If the user clicks on a visible button, they also unintentionally click the corresponding button on the invisible layer, causing unexpected actions to occur.
Though this type of attack is not new, it does periodically regain media prominence. The term 'click-jacking' was used in 2008 by Jeremiah Grossman and Robert Hansen to describe this attack; it can also be referred to as iframe overlay or UI dressing.
A number of products, guidelines and practices designed to prevent click-jacking are offered by browser vendors and security professionals. These offerings vary in the browsers they apply to, as well as in their effectiveness.
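One server-side practice a defender can verify is whether a page tells browsers to refuse being framed at all. The following is an added example, not part of the original glossary: it classifies a response's framing policy from the two real mechanisms browsers honour, the `X-Frame-Options` header and the `frame-ancestors` directive of `Content-Security-Policy`. The header values in `SAMPLE_RESPONSES` are constructed samples.

```python
"""Classify the anti-framing policy declared by an HTTP response's headers.

Added example (not from the original glossary). Checks X-Frame-Options and the
CSP frame-ancestors directive; the sample headers below are constructed.
"""
from typing import Dict, Optional


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the value of the frame-ancestors directive in a CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify what the response allows other sites to do with the page in a frame.

    Returns one of:
      "blocked"      - nobody may frame the page (XFO DENY, or frame-ancestors 'none')
      "same-origin"  - only the page's own origin may frame it
      "allow-listed" - frame-ancestors names specific origins
      "unprotected"  - neither header restricts framing
    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    # Browsers that understand frame-ancestors ignore X-Frame-Options when both
    # are present, so the CSP directive is evaluated first.
    csp = lower.get("content-security-policy")
    if csp:
        fa = frame_ancestors(csp)
        if fa is not None:
            if fa == "'none'":
                return "blocked"
            if fa == "'self'":
                return "same-origin"
            return "allow-listed"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


# Constructed sample responses, keyed by a short label.
SAMPLE_RESPONSES = {
    "legacy-only": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-list": {"content-security-policy": "frame-ancestors https://partner.example"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:12} -> {framing_protection(hdrs)}")
```

A page that comes back as "unprotected" is the one the overlay technique described above relies on; "allow-listed" is only as safe as the origins named in the directive.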
Almost always used with malicious intent, code injection involves introducing or ‘injecting’ code into a computer program, causing it to perform in an unexpected manner.
Code injection attacks typically involve an input mechanism, which the attacker can use to enter malicious code instead of the expected input. The attack code may then exploit a flaw or loophole in the logic used to validate the input.
Today, the most common form of code injection attack targets websites using SQL databases to provide dynamic user-generated content services, such as comment boards, forums, etc. In an SQL injection attack, the attacker enters code into a web form, which is improperly validated; a successful attack may grant the attacker access to the SQL database and its content.
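The root cause the paragraph describes, input that is spliced into the statement text and so parsed as SQL, can be shown side by side with the fix. This is an added example, not from the original glossary; it uses Python's built-in `sqlite3` with a constructed in-memory table, and the user records and lookup names are made-up sample data.

```python
"""String-built SQL versus a parameterized query (added example, not from the glossary).

A lookup by user name is implemented twice against a constructed in-memory table.
The unsafe version splices the input into the SQL text, so a quote character in
the input changes the statement; the safe version passes the value separately.
"""
import sqlite3
from typing import Dict, List, Union


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users, one of whom has an apostrophe in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Vulnerable pattern: the untrusted value becomes part of the SQL text, so
    # characters in it are interpreted as SQL syntax rather than compared as data.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Hardened pattern: a bound parameter is sent to the engine as a value and is
    # never parsed as SQL, whatever characters it contains.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name: str) -> Dict[str, Union[List[str], str]]:
    """Run both lookups for one input and report what each produced."""
    conn = make_db()
    try:
        unsafe: Union[List[str], str] = lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        # The input was parsed as SQL and broke the statement; a crafted input
        # would instead alter what the statement does.
        unsafe = "SQL error"
    return {"unsafe": unsafe, "safe": lookup_safe(conn, name)}


if __name__ == "__main__":
    for n in ("alice", "o'brien"):
        print(n, compare(n))
```

For a plain name both versions agree; for the name containing an apostrophe the string-built statement fails because the quote terminated the literal early, which is exactly the point at which an attacker-controlled input gains control over the query. Parameterization removes that point entirely and is the primary fix; input validation is a second layer, not a substitute.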
The command and control (C&C, or CC) server of a botnet is the main control point for the entire network of enslaved computers.
A command line interface (CLI) allows users to type in text-only instructions directing a program to perform specific tasks. The instructions must be read and interpreted by a command line interpreter in order to be executed.
Most operating systems and many technical business applications include a CLI in addition to the standard graphical user interface (GUI), for the benefit of advanced users who often find it more efficient to issue instructions via the CLI.
Conversely, efficient use of the command line interface requires familiarity with a large number of esoteric commands, which is often beyond the expertise of more casual users.
A construction or creation kit used by malware authors to easily and efficiently create a malicious program.
Constructor kits make it very easy for a malicious user with little or no programming experience to create malicious programs. Often, these kits are simplified so that a user only needs to select the desired features/actions from a list of pre-prepared components.
Fortunately, because the malware produced from these kits is made of ready-made 'building blocks', it can be generically detected.
A content filter is a type of screening mechanism based on analysis of the content to be passed, rather than its source, behavior or other criteria. Content filtration is commonly used by business organizations to screen emails for spam and other undesirable communiqués.
Content filtration is also commonly used both at work and at home to screen web content during a browsing session. In a business setting, it may be used to prevent access to non-business related sites; the extent of the filtration is typically outlined in an IT policy or guideline. In the home environment, a content filter may be set by adult supervisors to prevent minors from accessing undesirable sites or materials.
A simple data file containing information related to a website visitor's activities. The information contained in the cookie can include such details as the user's site preferences, contents of their electronic carts and so on.
Most websites a user visits will save their own cookies onto the visitor's computer system, and then retrieve them when the same visitor returns to the website at a later date, so that the user can continue their previous activities on the website with minimal disruption.
Due to privacy and/or security concerns, some users may opt to block cookies, either entirely or selectively, though some websites will not function correctly if cookies are not accepted.
The act of gaining unauthorized access to another user's cookies, which are typically used by websites to identify and authenticate their users. Once stolen, the cookies can provide the attacker with access to the victim's browsing session, confidential information and so on.
A cookie is normally saved onto a user's computer by a website so that it will only be transmitted to that specific domain. They may also be set to only transmit under specific conditions, for example only if the transmission is over an SSL connection. This procedure is meant to ensure that only cookies appropriate to the website and from the appropriate users are accessible.
Attackers can however interfere with this process by redirecting cookies to an unauthorized domain or user. For example, cookie stealing can be carried out using a Cross Site Scripting (XSS) attack, in which an attacker exploits a vulnerability in a website to steal the session cookies from the website's visitors.
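The conditions mentioned above (sending a cookie only to its own domain, or only over an encrypted connection) are expressed as attributes on the `Set-Cookie` header, and two more attributes, `HttpOnly` and `SameSite`, directly limit the XSS-based and cross-site theft paths described. The following added example, not from the original glossary, parses the standard `Set-Cookie` syntax and reports which protections a session cookie lacks; the header strings are constructed samples.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft.

Added example (not from the original glossary). Parses the standard
"name=value; Attr; Attr=val" syntax and lists missing protections for a
session cookie. The sample headers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False             # only sent over HTTPS (the SSL-only condition)
    httponly: bool = False           # not readable by page scripts, so XSS cannot read it
    samesite: Optional[str] = None   # "strict" / "lax" / "none": when cross-site requests carry it
    domain: Optional[str] = None     # hosts the browser will send it to
    path: Optional[str] = None


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "samesite" and val:
            cookie.samesite = val.lower()
        elif key == "domain":
            cookie.domain = val
        elif key == "path":
            cookie.path = val
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return the protections a session cookie is missing (empty list means none missing)."""
    c = parse_set_cookie(header)
    findings = []
    if not c.secure:
        findings.append("missing Secure: may be sent over plain HTTP")
    if not c.httponly:
        findings.append("missing HttpOnly: readable by scripts injected via XSS")
    if c.samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


# Constructed sample headers.
WEAK_HEADER = "SESSIONID=abc123; Path=/"
STRONG_HEADER = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for h in (WEAK_HEADER, STRONG_HEADER):
        print(h, "->", audit_session_cookie(h) or ["ok"])
```

`HttpOnly` does not stop an injected script from acting within the victim's session while the page is open, but it does prevent the cookie value itself from being read and carried off, which is the theft scenario this entry describes.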
A type of attack in which malicious scripts are injected into a legitimate website in order to be served to subsequent site visitors.
Cross site scripting (XSS) attacks can result in a variety of effects, including hijacked web browsing sessions, stolen session cookies, information theft and more. As more people become increasingly dependent on web-based services, XSS attacks are becoming increasingly common.
How Cross Site Scripting Works
A script may be injected into a website if an attacker inserts executable code into an input form - for example, a comment box or an enquiry form - that does not properly handle the code.
Ideally, websites should have proper input filtering and sanitizing processes that identify the inserted code as harmful and remove it. If there is a weakness or vulnerability in these processes however, the injected code can bypass the filtering mechanisms and 'sit' on the website, where it can then be presented to the next website visitor, usually with harmful consequences.
A number of website vulnerabilities can be exploited for a successful XSS attack. The way the attack is carried out will usually be specific to the vulnerability being exploited, and can be categorized as persistent, non-persistent or DOM-based, depending on the classification system used.
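The filtering weakness described above is most often a missing output-encoding step: stored input is placed back into a page as raw markup. The following added example, not from the original glossary, renders a constructed list of comments twice, once unescaped and once HTML-escaped, and checks whether the result still contains a `<script>` element. The comment strings and the `alert` payload are constructed illustrations.

```python
"""Rendering stored comments with and without output encoding (added example).

Not from the original glossary. The comments below are constructed; one contains
a harmless script tag standing in for injected code.
"""
import html
import re
from typing import List

# Constructed stored comments; the second is what an injection attempt looks like.
COMMENTS: List[str] = [
    "Great article!",
    "<script>alert('xss')</script>",
]

# Crude check used only to make the difference visible: does a <script tag survive?
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_unsafe(comments: List[str]) -> str:
    # Vulnerable pattern: stored text is concatenated straight into the HTML,
    # so any markup a visitor submitted is parsed by every later visitor's browser.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"


def render_safe(comments: List[str]) -> str:
    # Hardened pattern: encode for the HTML body context at output time, so
    # <, >, &, quotes arrive as character references and are displayed, not parsed.
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments) + "</ul>"


def contains_script_element(fragment: str) -> bool:
    """True if the fragment still carries an executable <script> tag."""
    return SCRIPT_TAG.search(fragment) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(COMMENTS))
    print("safe:  ", render_safe(COMMENTS))
```

Encoding is context-specific: `html.escape` is correct for text placed in the HTML body, while values inserted into attributes, URLs or inline JavaScript need the encoding rules of that context. Filtering on input alone, the approach the paragraph describes as the one that gets bypassed, is weaker because the same stored string may later be emitted into several different contexts.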
A CSRF attack is a type of attack that hijacks the authentication credentials issued by web applications (such as a banking portal) to a trusted user’s web browser, in order to perform unauthorized actions on the target website.
To perform this attack, the user must be unwittingly tricked (usually by a social engineering scam or malicious redirect) onto a separate website that runs a script targeting the application. The script issues commands to the application via the user’s still-authenticated web browser; the commands are relayed to the application, which assumes the instructions are legitimate and executes them.
Unlike an XSS attack, which subverts a trusted web-based application into sending malicious scripts to a user, a CSRF attack exploits how a web app identifies a trusted visitor. In this case, the vulnerability lies with the application, which inadequately verifies the authenticity of the instructions being received.
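The standard fix for the verification gap just described is to require, on every state-changing request, a secret that the browser does not attach automatically: an anti-CSRF token the application places in its own forms, which a page on another origin cannot read. This added example, not from the original glossary, implements that synchronizer-token check with a token derived by HMAC from the session id under a server-side key; the session id, form fields and handler are constructed stand-ins for a real web framework.

```python
"""Synchronizer-token CSRF check for a state-changing request (added example).

Not from the original glossary. A per-session token is derived with HMAC under a
server-side key and must accompany any request that changes state; a request
that carries only the automatically attached session cookie is refused.
Session ids and request dictionaries are constructed samples.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Server-side key generated at startup; in a real deployment it is stored, not regenerated.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token for a session: HMAC-SHA256 over the session id, keyed with the server secret."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted: str) -> bool:
    """Compare the submitted token with the expected one in constant time."""
    return hmac.compare_digest(csrf_token(session_id), submitted or "")


def handle_transfer(request: Dict[str, Dict[str, str]]) -> str:
    """Constructed handler for a state-changing form post.

    The cookie proves only that the browser is logged in; the form token proves
    that the request was built from a page the application itself served.
    """
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    if not verify_csrf(session_id, request["form"].get("csrf_token", "")):
        return "403 csrf check failed"
    return "200 transfer performed"


def demo() -> Tuple[str, str]:
    """A legitimate post from the application's own form versus a cross-site post."""
    sid = "session-abc123"  # constructed session id
    legit = {"cookies": {"session": sid},
             "form": {"amount": "10", "csrf_token": csrf_token(sid)}}
    # The cross-site page cannot read the token, so its post carries only the
    # cookie that the browser attaches on its own.
    forged = {"cookies": {"session": sid}, "form": {"amount": "10"}}
    return handle_transfer(legit), handle_transfer(forged)


if __name__ == "__main__":
    print(demo())
```

The check belongs on every request that changes state, never on GET handlers that should have no side effects in the first place. Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side control, but the token check is what closes the gap in the application's own verification.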