Week 4 - STRIDE: Spoofing

In week one, I briefly mentioned STRIDE as a method for threat identification.  Starting this week, I want to go into a little more detail on each letter of the mnemonic.  First, a little more about STRIDE itself.  In security, an asset is protected by preserving three fundamental properties: Confidentiality, Integrity, and Availability, which are referred to as the CIA triad.  To protect the asset means to protect its confidentiality, integrity, and availability.  STRIDE, a threat classification developed at Microsoft, names six categories of threat; each category is the violation of one security property (authentication, integrity, non-repudiation, confidentiality, availability, and authorization), and three of those properties are the CIA triad itself.
  • Spoofing: pretending to be someone or something that has legitimate permission to access the asset.  It violates authentication and is one of the ways to break confidentiality.
  • Tampering: changing data or code without authorization (integrity).
  • Repudiation: denying having performed an action when the system cannot prove otherwise, because no reliable record of who did what was kept (non-repudiation).
  • Information Disclosure: accessing restricted information without permission (confidentiality).
  • Denial of Service: causing the system to halt or slow down to the point that it cannot supply the service (availability).
  • Elevation of Privilege: a user performing actions beyond the assigned privileges (authorization, which in turn leads to loss of confidentiality and integrity).

Let's get started with the first letter, Spoofing.  Spoofing is an attack on identity: the attacker impersonates another person or the originator of a communication.  The impersonated entity can be a person, an organization, a device, or even a single field in a protocol message, such as a source address.  Let's take a look at some spoofing methods that have been used.

Caller ID Spoofing

Caller ID is the common name for Calling Number Identification, which was added to the telephone system in the 1990s, at the time of the public debate over the privacy of calling-party information.  The caller ID, usually the calling number and sometimes the caller's name, is transmitted to the receiving end between the first and second ring.  Spoofing the caller ID means the attacker places a call from one number but sets the caller ID to someone else's phone number or name.  The receiving phone cannot check the displayed number against anything: on VoIP and PBX trunks it is simply a value the originating side fills in, much like the From: header of an email.  The STIR/SHAKEN framework, which carriers have been deploying to attach a cryptographic attestation to the calling number, is the only control that lets the receiving side tell a verified number from an asserted one, and calls that cross older equipment or international boundaries often arrive without it.

Illustration of caller ID spoofing (media.philly.com)


Website Spoofing

Website spoofing tricks users into thinking that they are visiting the real website.  Generally, the site's contents are nearly identical to the real one, with a few exceptions: links that lead to malicious pages, or customized forms that collect user information such as credentials.  The website often has a URL similar to the authentic one, like www.google.ca.com or www.youtubes.com.  In the first case the domain actually registered is ca.com, and google is only a subdomain label chosen by its owner; in the second the brand name is misspelled by one letter.  Without paying attention to those details, the user won't recognize that they are visiting the wrong website.

Email Spoofing

Email spoofing is widely used in phishing attacks.   The attacker composes an email that looks as authentic as if it were written by a trustworthy source.  The contents look real, except that they carry false contact information.  SMTP itself does not verify the From: header, so a sender can put any name and address there; SPF, DKIM, and DMARC are the controls that let the receiving domain check whether the message really came from the domain it claims.  This has happened several times at the company I worked for.  Emails were sent to the VPs and the secretary asking them to do a certain task and requesting a response.  The emails contained the CEO's name, signature, and phone number; only the email address was different.
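To make the last two sections concrete, here is an added example, not part of the original post and not taken from its sources: a small Python check that looks at the two things a user actually sees, the URL of a page and the From: header of an email, and flags the lookalike domains and the impersonated display name described above.  The trusted domains, the executive name, the URLs and the headers are constructed for the demonstration, and the "last two labels" rule for the registered domain is a simplification; a real implementation would consult the Public Suffix List.

```python
"""Added example, not from the original post: flag lookalike web addresses and
spoofed From: headers. Domains, names and messages are constructed for the demo."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: the domains this organisation trusts (its own and the brands it uses).
TRUSTED_DOMAINS = {"example.com", "google.com", "youtube.com"}
# Constructed: display names worth impersonating, with the mailbox each really uses.
EXECUTIVES = {"alice ceo": "alice@example.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.google.ca.com' -> 'ca.com'.
    Simplification: production code uses the Public Suffix List so that
    'shop.example.co.uk' resolves to 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'youtubes.com' is one edit from 'youtube.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    labels = set(host.split("."))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # www.google.ca.com: the brand used as a subdomain of someone else's domain
        if brand in labels:
            return "lookalike"
        # www.youtubes.com: a typosquat within two edits of a trusted domain
        if edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


def check_url(url: str) -> str:
    """Classify the host part of a URL the user is about to visit."""
    return classify_host(urlsplit(url).hostname or "")


def check_from_header(from_header: str) -> str:
    """Classify a From: header. The display name is free text chosen by the
    sender; only the address part says which domain the mail claims to be from."""
    name, addr = parseaddr(from_header)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        return "impersonation"  # a known executive's name on a different mailbox
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return classify_host(domain)


if __name__ == "__main__":
    for url in ("https://accounts.google.com/", "https://www.google.ca.com/login",
                "https://www.youtubes.com/watch"):
        print(url, "->", check_url(url))
    for hdr in ('"Alice CEO" <alice@example.com>',
                '"Alice CEO" <alice.ceo@mail.example.org>'):
        print(hdr, "->", check_from_header(hdr))
```

The brand-as-label rule is deliberately strict: a legitimate regional domain such as google.ca would also be flagged unless it is in the trusted set, so the allowlist has to contain every domain the brand really uses.  The display-name check is exactly the signal in the CEO story above: the name matched, the mailbox did not.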

DNS Spoofing

DNS is an acronym for Domain Name System, the distributed system that maps a name (the domain name) to an IP address.  DNS spoofing usually refers to binding a legitimate domain name to an IP address of the attacker's choosing.  The attacker can achieve this by compromising a DNS server and changing its records, or, without touching any server, by cache poisoning: a resolver that sends its queries over UDP accepts the first reply whose transaction ID, destination port, and question section match an outstanding query, so an attacker who guesses or races those values can inject a forged answer that the resolver caches and hands to every client until the record's TTL expires.  DNSSEC signatures on the records are the control that lets a validating resolver reject such forged answers.
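Here is an added example, not part of the original post, that shows exactly what a UDP resolver checks before it caches an answer and why a forged reply that matches those checks poisons the cache.  It builds the DNS packets by hand in the RFC 1035 wire format; the query name and both addresses are constructed (RFC 5737 documentation ranges), and resolve_with_race is a hypothetical helper that simulates the attacker's reply arriving before the real one.

```python
"""Added example, not from the original post: the checks a classic UDP resolver
makes before caching a DNS answer, and how a forged reply that matches them
poisons the cache. Packets are built by hand in the RFC 1035 wire format; the
name and addresses are constructed (RFC 5737 documentation ranges)."""
import struct

A_IN = struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    # header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + A_IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """One A record. Anyone on the path (or off it) can build this; nothing in
    the packet proves who sent it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + encode_name(name) + A_IN + answer


def question_section(pkt: bytes) -> bytes:
    """Bytes of the question: the name up to its terminating zero label,
    plus QTYPE and QCLASS."""
    end = pkt.index(b"\x00", 12) + 1 + 4
    return pkt[12:end]


def answer_ip(pkt: bytes) -> str:
    """The single A record built above is last, so RDATA is the final 4 bytes."""
    return ".".join(str(b) for b in pkt[-4:])


def resolver_accepts(query: bytes, query_port: int, reply: bytes, reply_port: int) -> bool:
    """Without DNSSEC, these four comparisons are the entire authentication."""
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, r_flags = struct.unpack("!HH", reply[:4])
    return (r_id == q_id                                   # 16-bit transaction ID
            and reply_port == query_port                   # UDP port the query left from
            and bool(r_flags & 0x8000)                     # QR bit: this is a response
            and question_section(reply) == question_section(query))


def resolve_with_race(txid: int, port: int, forged_id: int, forged_port: int) -> str:
    """Hypothetical simulation: the resolver sends a query with (txid, port);
    the attacker's forged reply arrives first carrying (forged_id, forged_port);
    the real answer follows. Returns the address that ends up in the cache."""
    name = "www.example.com"
    query = build_query(txid, name)
    forged = build_response(forged_id, name, "203.0.113.7")   # attacker's server
    legit = build_response(txid, name, "192.0.2.10")          # constructed real address
    for reply, src_port in ((forged, forged_port), (legit, port)):
        if resolver_accepts(query, port, reply, src_port):
            return answer_ip(reply)   # first acceptable answer wins and is cached
    return ""


if __name__ == "__main__":
    print("guessed ID and port:", resolve_with_race(0x1A2B, 53000, 0x1A2B, 53000))
    print("wrong ID:           ", resolve_with_race(0x1A2B, 53000, 0x1A2C, 53000))
    print("wrong port:         ", resolve_with_race(0x1A2B, 53000, 0x1A2B, 53001))
```

Older resolvers sent every query from one fixed port, so only the 16-bit transaction ID stood between the attacker and the cache; randomizing the source port as well is what raised the bar, and DNSSEC validation ends the guessing game because a forged answer has no valid signature no matter what ID and port it carries.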

IP Spoofing

The IP header carries a source address and a destination address; ports and sequence numbers belong to the transport header (TCP or UDP) that follows it.  To carry out an IP spoofing attack, the attacker first learns an IP address that the target trusts, sets it as the source address in the packets it sends, and sends them to the target.  Because the source field is not authenticated, nothing stops a host from writing any value there; the reply, however, goes to the spoofed address, not to the attacker.  IP spoofing is therefore most common in denial-of-service attacks, where no reply is needed: it hides the attacker's real address, defeats filters that admit traffic only from known source addresses, and, in reflection attacks, directs the replies at the victim.  In a man-in-the-middle attack, the source addresses of the packets in both directions are spoofed so that each side believes it is talking to the other.  Ingress filtering at the network edge (BCP 38), which drops packets whose source address could not legitimately have come from that side, is the standard defence.
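As an added example, not from the original post, the Python below builds an IPv4 header with a forged source address, which is all IP spoofing amounts to on the wire, and then applies the kind of ingress and egress filter a border router uses to drop such packets.  The site prefix 10.0.0.0/8, the bogon list, and the addresses in the demo are constructed; a real deployment uses the prefixes it actually announces.

```python
"""Added example, not from the original post: build an IPv4 header with a
forged source address, then apply the BCP 38 style ingress/egress filter that
a border router uses to drop such packets. Addresses are constructed from the
RFC 1918 and RFC 5737 ranges; 10.0.0.0/8 plays the part of the site's prefix."""
import ipaddress
import struct

# ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"

# Constructed: the address space this site announces to the Internet.
SITE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: source addresses that can never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17,
                      payload_len: int = 0, ttl: int = 64) -> bytes:
    """The header is 20 bytes the sender fills in; nothing stops it from
    writing any address it likes into the source field."""
    fields = (0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    raw = struct.pack(IPV4_HDR, *fields)
    return raw[:10] + struct.pack("!H", checksum(raw)) + raw[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "ttl": f[5], "proto": f[6],
            # a valid header sums to zero once its own checksum field is included
            "checksum_ok": checksum(pkt[:20]) == 0}


def ingress_filter(pkt: bytes, direction: str) -> str:
    """direction 'in': the packet arrives from the Internet; 'out': it leaves
    the site. Returns 'accept' or 'drop: <reason>'."""
    info = parse_ipv4_header(pkt)
    if not info["checksum_ok"]:
        return "drop: bad header checksum"
    src = ipaddress.ip_address(info["src"])
    ours = any(src in net for net in SITE_PREFIXES)
    if direction == "in":
        if ours:
            return "drop: internal source address arriving from outside"
        if any(src in net for net in BOGONS):
            return "drop: bogon source address"
        return "accept"
    if direction == "out":
        # BCP 38: hosts inside may only emit our own addresses, so they cannot spoof
        return "accept" if ours else "drop: source address not in site prefix"
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    spoofed = build_ipv4_header("10.0.0.5", "198.51.100.1")  # claims to be an inside host
    print(parse_ipv4_header(spoofed))
    print("spoofed, inbound :", ingress_filter(spoofed, "in"))
    print("genuine, inbound :", ingress_filter(build_ipv4_header("198.51.100.9", "10.0.0.5"), "in"))
    print("spoofed, outbound:", ingress_filter(build_ipv4_header("203.0.113.4", "198.51.100.1"), "out"))
```

The inbound rule is the "known IP address filtering" case from the paragraph above: a packet from outside claiming an inside address is dropped before any trust decision is made on it.  The outbound rule is the one that matters for the Internet as a whole, because a site that applies it cannot be the source of spoofed denial-of-service traffic.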



Illustration of IP spoofing (Wiki)


ARP Spoofing

The Address Resolution Protocol (ARP) associates a layer two (data link) address, the Media Access Control (MAC) address, with a layer three (network layer) address, the IP address.  When a host sends an IP packet to another device on the same local network, or to its default gateway, it needs that device's MAC address for the Ethernet frame: it looks the IP address up in its ARP cache and, on a miss, broadcasts an ARP request ("who has this IP?"); the owner replies with its MAC address, and the host caches the answer.  Each router along the path repeats the same resolution for its own next hop.  ARP replies carry no authentication, and most hosts update their cache on any reply they receive, solicited or not.  A malicious host on the same network can therefore send forged replies that bind another device's IP address, typically the gateway's, to the attacker's own MAC address, so that the victims' frames are delivered to the attacker, who can read or modify them before forwarding them on, or simply drop them.  Static ARP entries, Dynamic ARP Inspection on managed switches, and monitoring for IP-to-MAC changes are the usual countermeasures.
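As an added example, not part of the original post, the Python below builds raw ARP frames and runs a small monitor, in the spirit of arpwatch, over a constructed sequence: a host resolves its gateway, then an attacker claims the gateway's IP address with its own MAC.  The monitor keeps the same IP-to-MAC table a host cache would, so the result shows both the detection and what the victim's cache now contains.  All MAC and IP addresses, and the demo_spoof helper, are constructed for the demonstration.

```python
"""Added example, not from the original post: build raw ARP frames, then run a
small monitor over a constructed sequence of frames to detect the IP-to-MAC
rebinding that ARP spoofing produces. All MAC and IP addresses are constructed."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826). A reply is just a
    frame with op=2 and the sender fields filled in; nothing authenticates it."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    ether = mac_bytes(eth_dst) + mac_bytes(sender_mac) + ETHERTYPE_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, lengths, opcode
           + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
           + mac_bytes(target_mac) + IPv4Address(target_ip).packed)
    return ether + arp


def parse_arp(frame: bytes):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": str(IPv4Address(frame[38:42]))}


class ArpMonitor:
    """Tracks which MAC each IP has claimed, the way arpwatch does, and flags
    replies that rebind an IP to a new MAC or answer a question nobody asked."""

    def __init__(self):
        self.table = {}       # ip -> mac, exactly what a host's cache would hold
        self.pending = set()  # IPs a request has been seen for, with no reply yet
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p is None:
            return
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["target_ip"])
            return
        if p["op"] != ARP_REPLY:
            return
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"rebinding: {ip} changed from {previous} to {mac}")
        self.table[ip] = mac  # an unprotected host cache does the same


def demo_spoof() -> ArpMonitor:
    """Constructed sequence: a host resolves its gateway, then an attacker
    claims the gateway's IP with its own MAC."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    host_ip, host_mac = "192.168.1.20", "00:aa:bb:cc:dd:ee"
    attacker_mac = "de:ad:be:ef:00:01"
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gateway_ip))
    mon.observe(build_arp(ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip))
    mon.observe(build_arp(ARP_REPLY, attacker_mac, gateway_ip, host_mac, host_ip))  # the spoof
    return mon


if __name__ == "__main__":
    m = demo_spoof()
    print("cache now:", m.table)
    for alert in m.alerts:
        print("ALERT", alert)
```

After the third frame the table maps the gateway's IP to the attacker's MAC, which is the state the victim's cache is in once it accepts the forged reply; the two alerts are the signals a monitor on the segment would raise.  Gratuitous ARP at boot or on failover also shows up as an unsolicited reply, so in practice the rebinding alert is the one worth paging on.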



