Computer security - Vulnerabilities and Attack Techniques

Vulnerabilities and Attacks Introduction A vulnerability is a flaw in a computer's structure, execution, functioning, or oversight that compromises security. These weaknesses can be discovered through research, reverse-engineering, automated scanning, or custom exploit scripts. Understanding the different types of attacks and how they exploit vulnerabilities is fundamental to cybersecurity. This chapter covers the major attack types and vulnerability categories you'll encounter. Each attack exploits a specific weakness or trust relationship, and knowing how they work will help you both recognize and defend against them. Backdoor Attacks A backdoor is a secret method of bypassing normal authentication or security controls. Think of it as a hidden entrance to a system that circumvents the front door entirely. Backdoors can be intentionally created by authorized parties for legitimate administrative access. However, attackers also use them maliciously. Malware frequently installs backdoors to grant attackers remote administrative control over a compromised system, allowing them to return to the system even after the initial infection is cleaned up. The particularly dangerous aspect of backdoors is their stealth. They can be hidden deep within source code, embedded in system firmware, or disguised as legitimate processes, making them extremely difficult to detect through standard security tools. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks Denial-of-Service Attacks A denial-of-service attack makes a machine or network resource unavailable to its intended users. Rather than stealing data or gaining control, DoS attacks aim to disrupt availability. Attackers accomplish this in multiple ways: Resource overload: Flooding a server with traffic or requests, overwhelming its capacity Account lockout: Repeatedly entering incorrect passwords to lock out legitimate users Distributed Denial-of-Service Attacks A distributed denial-of-service (DDoS) attack amplifies the damage by coordinating attacks from many compromised computers simultaneously. These compromised machines, collectively called a botnet, all send traffic toward the victim, dramatically increasing the volume of traffic and making the attack harder to stop. Reflective DDoS attacks take this further by tricking innocent third-party systems into sending traffic to the victim. For example, an attacker might send requests that appear to come from the victim's address to public servers. Those servers respond by sending their replies to the victim, multiplying the attack's impact without needing to control those third-party systems. This is called the amplification factor. Physical Access Attacks A direct-access attack occurs when an unauthorized person gains physical access to a computer. While digital attacks require network access, physical attacks bypass those protections entirely. Once an attacker has physical access, they can: Copy sensitive data directly from the hard drive Install malware or rootkits using bootable media (CDs, USB drives) Modify the operating system itself Boot the computer into alternative systems that bypass the normal security environment Protection Against Physical Attacks Two key technologies defend against physical access attacks: Disk encryption scrambles data on the storage drive, rendering copied files unreadable without the encryption key. Even if an attacker steals the drive, the data remains protected. Trusted Platform Module (TPM) is a hardware standard that secures encryption keys and prevents unauthorized modifications to the boot process. It ensures that the system won't start if someone has tampered with the hardware or replaced system components. Direct-Memory Attacks Direct-memory attacks exploit devices that can access computer memory directly without going through the normal CPU and security controls. External hard drives, network cards, and other devices with direct memory access (DMA) capabilities can be weaponized to read or modify system memory directly, bypassing operating system protections. Eavesdropping Attacks Eavesdropping is the surreptitious listening to private network communications. It occurs when data travels across an unsecured or unencrypted network where attackers can intercept it. Consider a simple example: if you send login credentials over an unencrypted network, anyone watching network traffic can read that plaintext data. Protecting Against Eavesdropping Virtual Private Networks (VPNs) encrypt data between two endpoints, protecting the contents of your communications even if they travel through untrusted networks. HTTPS (Hypertext Transfer Protocol Secure) encrypts web traffic, preventing eavesdropping on web communications. Using HTTPS instead of standard HTTP is a best practice for any sensitive interactions. Strong wireless encryption (such as WPA3) prevents attackers from intercepting Wi-Fi traffic. Malware Malware is software intentionally written to harm a computer system or its users. Malware can steal sensitive information, grant attackers control of a system, corrupt data, or permanently delete files. Types of Malware Understanding malware categories is crucial because each type works differently and requires different defenses. Viruses are malicious code that hijacks legitimate software and spreads copies of themselves to other programs. They require user action (opening an infected file, for example) to spread. The key distinction is that viruses attach themselves to existing software rather than working independently. Worms are self-replicating malware that spread between programs, applications, and devices without requiring user interaction. Unlike viruses, worms can propagate automatically across networks, making them particularly dangerous. The famous Morris Worm of 1988 and the Conficker worm demonstrate how quickly worms can spread globally. Trojan horses masquerade as legitimate software—a game, utility, or document—but contain hidden malicious code. When users install what they think is safe software, the Trojan executes its payload. Trojans frequently create remote-access backdoors on infected devices, giving attackers persistent control. Spyware secretly gathers information about the user or system and transmits it to attackers without consent. A specialized type called keyloggers records every keystroke the user enters, capturing passwords, search queries, messages, and other sensitive input. Scareware uses social engineering to frighten users into installing unwanted software. Users might see fake security warnings claiming their computer is infected, then pay to download a "solution" that is itself malware. Ransomware encrypts a victim's files and demands payment (often in untraceable cryptocurrency like Bitcoin) for the decryption key. This is both theft and extortion—the attacker steals use of the data and holds it hostage. Man-in-the-Middle (MITM) Attacks A man-in-the-middle attack intercepts, surveils, or modifies communications between two parties without their knowledge. The attacker secretly positions themselves between a user and the system they're communicating with, able to see and modify everything that passes through. MITM Attack Variants IP address spoofing hijacks routing protocols to reroute traffic through the attacker's system. By sending falsified routing information, the attacker convinces devices to send traffic to the attacker first, who then forwards it to the real destination. Message spoofing forges email, SMS, or instant messaging identities. An attacker sends messages that appear to come from a trusted contact but actually originate from the attacker, allowing them to monitor conversations or trick recipients. Wi-Fi SSID spoofing creates a fake Wi-Fi access point with the same name as a legitimate network (such as "AirportFreeWiFi"). Unsuspecting users connect to the fake network, allowing the attacker to capture and modify all their traffic. DNS spoofing hijacks domain name assignments. When you type a website address, DNS normally resolves it to the correct IP address. In DNS spoofing, attackers intercept or forge DNS responses, redirecting users to attacker-controlled systems instead of legitimate ones. SSL hijacking spoofs SSL/TLS authentication (the protocol that creates HTTPS connections). The attacker presents a fraudulent certificate that browsers may accept, allowing them to decrypt and read encrypted traffic they're intercepting. Multi-Vector Polymorphic Attacks Multi-vector polymorphic attacks combine multiple attack methods and continuously change their code structure to evade detection systems. Rather than using a single attack technique, these sophisticated attacks employ several approaches simultaneously. They're called "polymorphic" because they mutate—changing their code signature with each iteration so that signature-based detection tools cannot recognize them. Phishing and Spear-Phishing Phishing attempts to acquire sensitive information by deceiving users through false messages. Instead of exploiting technical vulnerabilities, phishing exploits human psychology and trust. Phishing commonly uses: Email spoofing with fake sender addresses appearing to come from banks, payment services, or other trusted organizations Instant messaging to reach users on chat platforms Text messages (SMS) to appear as legitimate alerts Phone calls impersonating legitimate organizations Users are directed to fake websites that look identical to legitimate ones but are actually controlled by attackers. When users enter their login credentials on these spoofed sites, the attacker captures that information. Spear-phishing is a targeted version of phishing that tailors messages with personal or organizational details to appear especially trustworthy to the target. For example, rather than sending generic bank alerts to millions of people, a spear-phisher might research their target, learn the names of executives, and craft a message from the target's own CEO asking for urgent action. The personalization makes it far more likely the victim will trust the message. Privilege Escalation Privilege escalation occurs when an attacker with limited access gains higher privileges without authorization. Most systems assign different privilege levels to different users; privilege escalation breaks through these restrictions. Horizontal escalation (also called account takeover) gains access to a low-privilege account and then moves laterally across the network, accessing resources and accounts at the same privilege level. For example, an attacker might compromise one employee's account and then use it to access shared files and other employee accounts. Vertical escalation targets higher-privilege accounts, such as administrators or system accounts, to obtain broader control of the system. Compromising an admin account gives the attacker significantly more power to modify system settings, install software, and access restricted areas. Social Engineering Social engineering convinces users to disclose secrets or grant physical access by exploiting trust and cognitive biases rather than technical vulnerabilities. It relies on understanding human psychology and weaknesses. Business email compromise (BEC) scams impersonate executives in convincing emails requesting urgent financial transfers or sensitive data. A scammer might send an email appearing to come from the CEO asking the finance team to wire funds for an "urgent acquisition" or requesting employee data "for tax purposes." Social engineering attacks often succeed because they appeal to authority, create urgency, exploit reciprocity, or build false trust—making users willing to bypass normal security procedures. Spoofing Spoofing pretends to be a valid entity by falsifying data such as IP addresses, email headers, or usernames. Spoofing attacks work by forging identifying information. Email spoofing forges the sending address of an email to make it appear to come from a legitimate sender. Because email headers are easily forged, an attacker can make an email appear to come from your bank, your boss, or anyone else. Media Access Control (MAC) address spoofing modifies the MAC address—the hardware identifier of a network interface—to obscure the attacker's true identity or impersonate another device on the network. Biometric spoofing creates a fake biometric sample (a fake fingerprint, face image, or voice recording) to pose as another user and bypass biometric authentication systems. Address Resolution Protocol (ARP) spoofing sends falsified ARP messages to associate the attacker's MAC address with a victim's IP address. ARP normally maps IP addresses to MAC addresses on local networks. By poisoning this mapping, attackers can intercept traffic intended for the victim. Tampering Tampering is the unauthorized modification or alteration of data, system components, or intended behavior. Rather than stealing or hiding information, tampering changes it. Examples include: Modifying data in transit to change transaction amounts Altering system files to change how software behaves Corrupting database records Modifying configuration files to disable security features Tampering threatens data integrity—the assurance that information hasn't been secretly modified. Strong protections include cryptographic hashing (which detects changes), digital signatures (which verify who made a change), and file integrity monitoring (which alerts when protected files are modified).