Invitation to Cybersecurity

intent of the system.[1] The people who designed the technology are not aware that the system is capable of such behaviors—otherwise they would have fixed the problem. Fixing vulnerabilities in software is called software patching. This is done by installing an updated version of the software.

Hackers work hard to identify vulnerabilities. Finding a new vulnerability that nobody knows about in a widely used software program is a significant coup. Previously unknown vulnerabilities are called zero-day vulnerabilities because they have been known about for zero days. Zero days are exploits that target zero-day vulnerabilities. Zero days are valuable because they have a high probability of succeeding—nobody knows about them, so they have not been patched. Once a zero day has been used “in the wild,” the underlying vulnerability is likely to be exposed, publicized, and patched. At that point, the zero-day vulnerability becomes an n-day vulnerability because it has now been known about for some number of days n greater than zero. N-days are not as effective as zero days because updates may have been installed, and many security-conscious organizations work diligently to install them as quickly as possible. However, many systems are not patched in a timely manner, meaning n-days are still effective. A surprising number of major hacks are actually due to n-days, not zero days, including the NotPetya malware attack of 2017, the most financially devastating cyber attack in history up to that time.

Technical vulnerabilities reside in software, including operating systems. These vulnerabilities are usually found by hackers with elite levels of skill. Many of them are due to programming errors or oversights. For example, one of the best known technical exploits is the buffer overflow attack. In this type of attack, the attacker is able to send code to the target computer and force it to execute that code.
Sometimes this provides the attacker with root access, or administrator-level access, to the target system. This is known as gaining root and is especially damaging for the victim because the attacker has complete control of the system. The hacker Aleph One popularized buffer overflows in a tutorial he published in Phrack titled “Smashing the Stack for Fun and Profit.”

A buffer overflow is a type of injection attack. An injection attack is an attack where hackers provide code as user input and trick the target computer into executing their input. This is possible because, as we learned in Chapter 2, all information within a computer system is 1s and 0s, including machine instructions. The 1s and 0s must be interpreted within the proper context in order to be processed appropriately. Injection attacks trick computers into mistaking data 1s and 0s for code 1s and 0s. Some injection attacks are remote code execution (RCE) attacks. An RCE attack is an attack where hackers are able to execute their code on a victim’s computer from over the network.

Websites are also vulnerable to attack. This is called web exploitation. Historically, many websites have been vulnerable to injection attacks. The most popular web-based injection attacks are SQL injection and cross-site scripting (XSS) which attack database servers

[1] This definition of a hack is from Bruce Schneier.
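The buffer overflow described above, as an added example that is not from the textbook: a fixed-size stack buffer filled by an unbounded copy is the programming oversight that lets oversized input overwrite neighboring memory, and the hardened form checks the input length against the buffer capacity before copying. The buffer size, function names, and sample inputs are assumptions chosen for illustration; the unsafe function is shown for contrast only and is never run.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not code from the textbook. The buffer size and function
 * names below are assumptions chosen for illustration. */
#define NAME_LEN 16

/* Vulnerable form: strcpy() copies until it finds the terminating NUL in
 * src and pays no attention to the 16-byte capacity of `name`. Input longer
 * than 15 characters runs past the end of the buffer and overwrites whatever
 * sits above it on the stack, which is how attacker-controlled data ends up
 * being treated as control information. Shown for contrast only; it is never
 * called in this program, because running it with long input is undefined
 * behaviour. */
void greet_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);          /* no bounds check: the classic defect */
    printf("Hello, %s\n", name);
}

/* Hardened form: measure the untrusted input against the destination
 * capacity before copying, and reject input that does not fit rather than
 * silently truncating or overflowing. Returns true if the input was copied,
 * false if it was rejected. */
bool copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {   /* must leave room for the NUL */
        return false;
    }
    memcpy(dst, src, n + 1);              /* n bytes plus the terminator */
    return true;
}

/* Same greeting as greet_unsafe, but built on the checked copy. */
bool greet_safe(const char *src) {
    char name[NAME_LEN];
    if (!copy_name_checked(name, sizeof name, src)) {
        fprintf(stderr, "rejected input of %zu bytes (limit %d)\n",
                strlen(src), NAME_LEN - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void) {
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    greet_safe(ok);        /* accepted */
    greet_safe(too_long);  /* rejected instead of overwriting the stack */
    return 0;
}
```

The check is on the caller's side of the copy, so the decision to refuse oversized input is explicit and logged rather than left to whatever happens to be stored next to the buffer. Modern compilers and operating systems add further mitigations (stack canaries, non-executable stacks, address space randomization), but the bounds check is what removes the defect itself.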
