Written by Administrator
Saturday, 13 June 2009 14:40
Page 4 of 9

Computer Fraud and Abuses

- Salami. It involves subtracting a small amount of funds from an account in the hope that such an insignificant amount will not be noticed.
- Data Diddling. It refers to the alteration of existing data. This modification often happens before the data is entered into an application or as soon as the application has finished processing it and produced its output.
- Excessive Privileges. It is likely to occur when a user has more computer rights, permissions and privileges than are required for the tasks he or she needs to fulfill. Individuals within an organization may gain these excessive privileges through the phenomenon of authorization creep.
- Password Sniffing. It refers to sniffing network traffic in the hope of capturing passwords being sent between computers.
- IP Spoofing. It refers to manually changing the IP address within an IP packet used to carry out some attack, so that its origin points to another address instead of the attacker's. Spoofing can be considered a masquerading attack. Masquerading is the act of pretending to be someone else.
- Denial of Service (DoS). DoS attacks are aimed against the availability of a service to its authorized users. Several types of tools are available to perform DoS attacks, which makes them extremely easy to carry out. Many systems are vulnerable to SYN attacks, Ping of Death attacks, fragment attacks, and DDoS attacks, because these attacks mainly target the protocols within the TCP/IP stack, which is integral to almost all computers.
- Dumpster Diving. It refers to someone searching through another person's garbage for discarded documents, information and other valuable items that could then be used against that person or company. Dumpster diving is unethical, but it is not illegal unless it is done by trespassing on someone else's property.
- Emanations Capturing. It refers to eavesdropping on the electrical waves emitted by every electrical device. One very grave and real security risk is emanation capturing of a company or home wireless network (secured as well as unsecured). To prevent such capturing, special shielding such as TEMPEST may be used, which permits only a small amount of electrical signals to be emitted. Companies can also use material within the walls of the building to stop these types of electrical waves from passing through them.
- Wiretapping. It refers to eavesdropping on communication signals passing through communication lines. Tools used to intercept communications include cellular scanners, radio receivers, microphone receivers, tape recorders, network sniffers, and telephone-tapping devices.
  To protect an individual's privacy expectations, it is illegal under most countries' prevailing laws to intentionally eavesdrop on another person's conversation. Eavesdropping is only acceptable if the person consents or there is a court order allowing law enforcement to perform these actions.
- Social Engineering. It is a highly effective type of attack that exploits the human element of security. Social engineering is described as a technique used by hackers to deceive a trusted information system user within an organization into revealing sensitive information, or to trick an unsuspecting person into performing actions that create a security hole in an information system.
  It is imperative to understand that security technologies alone, such as firewalls, authentication devices, encryption, and intrusion detection systems, are virtually ineffective against a motivated attacker employing a wide array of techniques including social engineering, so relying on them alone is misplaced.
- Masquerading. A method that an attacker can use to fool others about her real identity.
- Phreaking. Phreakers are hackers who specialize in telephone and Private Branch Exchange (PBX) fraud. The famous 2600 group was a group of telephone phreakers.
  - Blue boxes. A device that simulates a tone that tricks the telephone company's system into thinking the user is authorized for long-distance service, which enables him to make the call.
  - Red boxes. Simulates the sound of coins being deposited into a payphone.
  - Black boxes. Manipulates the line voltage to receive a toll-free call.
- Passive vs Active. A passive attack is non-intrusive, as in eavesdropping or wiretapping. An active attack is intrusive, as in DoS, social engineering or penetration attacks.
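
The Salami entry above depends on each deduction being too small to notice on its own. The following added example (not part of the original page) shows why a per-transaction threshold misses the pattern and how aggregating small debits by destination exposes it; the ledger, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: (source_account, destination_account, amount).
# 200 accounts each lose 0.03 to one destination; the rest is ordinary traffic.
LEDGER = (
    [(f"ACC-{n:04d}", "ACC-9001", Decimal("0.03")) for n in range(1, 201)]
    + [
        ("ACC-0007", "ACC-5000", Decimal("120.00")),
        ("ACC-0008", "ACC-5000", Decimal("0.02")),
        ("ACC-0009", "ACC-6000", Decimal("45.10")),
    ]
)


def large_transfers(ledger, threshold):
    """Classic per-transaction control: report transfers at or above threshold."""
    return [row for row in ledger if row[2] >= threshold]


def find_salami_candidates(ledger, max_amount=Decimal("0.05"), min_sources=50):
    """Flag destinations fed by tiny debits from many distinct accounts.

    Returns {destination: (distinct_source_count, total_received)} for every
    destination that received amounts <= max_amount from at least
    min_sources different source accounts.
    """
    sources = defaultdict(set)
    totals = defaultdict(Decimal)  # Decimal() starts each total at 0
    for src, dst, amount in ledger:
        if amount <= max_amount:
            sources[dst].add(src)
            totals[dst] += amount
    return {
        dst: (len(srcs), totals[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    # The per-transaction check sees only the ordinary large transfers.
    print("per-transaction alerts:", large_transfers(LEDGER, Decimal("10")))
    # The aggregate view surfaces the account collecting the slices.
    for dst, (count, total) in find_salami_candidates(LEDGER).items():
        print(f"{dst}: {count} source accounts, {total} collected")
```
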
Last Updated on Friday, 28 August 2009 05:07