Network Chico security
terms glossary
Welcome to the Network Chico
computer security terms glossary.
=S=
Search Hijacker: Any software
that resets your browser's settings to point to other sites when
you perform a search. Hijacks may reroute your info and address
requests through an unseen site, capturing that info. In such
hijacks, your browser may behave normally, but be slower. Search
results when such a hijacker is running will sometimes differ
from non-hijacked results.
Simplicity: The amount
of effort required to exploit a vulnerability. Some attacks against
systems can be more difficult to exploit than others. Some exploits
merely require inputting a command string, while others involve
compiling code and executing the resulting program under an explicit
set of conditions. For example:
- 1, 2, 3 Complex: Detailed computer security knowledge and
experience are required, and exploit techniques are difficult
to obtain or execute
- 4, 5, 6, 7 Simple: General computer security knowledge is
required, and exploit techniques are easily obtained and executed
- 8, 9, 10 Extremely Simple: Unskilled attackers can easily
obtain and execute exploit techniques. Typically, compiled binaries
or GUI exploit tools are readily available
Slack Space: In more general
usage, slack space is the disk space 'wasted' by the difference
between a file's real size and the minimum storage unit of the
file system storing it. For example, on a FAT32 file system under
Windows 9x, disk cluster size may be 4KB (4096 bytes). What this
means is that regardless of their actual sizes, all files from
1 to 4096 bytes will remove 4096 bytes of free disk space from
the drive as the file system cannot allocate drive space in units
smaller than a cluster. Thus, if you created ten one byte files,
despite having only stored ten bytes of data, you will have used
40960 bytes of disk space. In a sense this is a waste of 40950
bytes of disk space, which is said to be 'slack space'. (There
are solutions to this 'problem' of wasting disk space, such as
sub-block allocation methods and the like, and these are employed
in more advanced file systems.) An important thing to be aware
of is that few popular operating systems overwrite this unused
space between the end of a file and the end of the last cluster
the file occupies. Thus, pieces of 'inert' virus code can be
found in various kinds of 'slack space'. Whilst this is unlikely
to be seen when scanning files, such code may be detected in
memory and incorrectly reported as an active infection once the
contents of (cluster-sized) disk buffers are copied elsewhere
(see Ghost Positive for an example with boot sectors). There
are, however, other kinds of slack space that can be of more
significance to virus writers. For example, the internal format
of Win32 portable executables (the PE format) is section based,
with files consisting of a header and one or more sections containing
code, data resources and the like. Each section, including the
header, is 'padded out' to the nearest whole multiple of the
file alignment size (which is specified in the header). This
arrangement means that PE files can contain sections that do
not completely fill the last alignment unit assigned to them in
the file, just as the final cluster assigned to a file may not be
filled. Some viruses have taken advantage of this section slack
space, perhaps most notably CIH (see also Multiple
Cavity Infector).
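The cluster arithmetic above, and the forensic point that a signature hit inside a cluster-sized read buffer may lie in slack rather than in the file, as an added example that is not part of the original glossary. The 4 KB cluster, the 0x200 PE file alignment and the buffer contents are constructed for illustration:

```python
CLUSTER = 4096  # constructed default: the 4 KB FAT32 cluster size quoted above

def allocated_bytes(size: int, unit: int = CLUSTER) -> int:
    """Space the storage layer actually consumes: `size` rounded up to a
    whole allocation unit (a disk cluster, or a PE file-alignment block)."""
    return -(-size // unit) * unit

def slack_bytes(size: int, unit: int = CLUSTER) -> int:
    """Unused tail between the end of the data and the end of its last unit."""
    return allocated_bytes(size, unit) - size

def total_slack(sizes, unit: int = CLUSTER) -> int:
    """Slack wasted by a set of files (ten one-byte files -> 40950 bytes)."""
    return sum(slack_bytes(s, unit) for s in sizes)

def classify_hit(buffer: bytes, size: int, signature: bytes) -> str:
    """Where does a signature hit in a unit-sized read buffer fall?
    'in-file' hits lie inside the data's real extent; 'slack' hits sit in
    the never-overwritten tail and are residue, not an active infection.
    A hit straddling the end of the data is reported as 'slack'."""
    off = buffer.find(signature)
    if off < 0:
        return "clean"
    return "in-file" if off + len(signature) <= size else "slack"

# Constructed buffer: 100 bytes of live file data, then a leftover
# signature in the slack, then zero padding to the end of the cluster.
FILE_SIZE = 100
SIG = b"OLD-SIG"
BUFFER = (b"A" * FILE_SIZE + b"\x00" * 20 + SIG).ljust(CLUSTER, b"\x00")
```

The same `slack_bytes` call with `unit=0x200` gives the section slack of a PE section whose raw data is 0x1234 bytes long (460 bytes).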
Slow Infector: Most resident
viruses attempt to maximize their hit rate by infecting at least
the commonly used programs on a system. Some go so far as to
attempt to infect all possible targets (see Fast Infector). However,
infecting many targets tends to increase the likelihood of being
detected so some resident viruses only infect files as they are
modified or created. This beats integrity checking methods: a new
file, or a change to an existing one, is exactly what the user expects
an integrity checker to report, so the user ignores the reported change,
assuming it is entirely due to the (legitimate) creation or modification
of the file.
An early example is the Darth Vader virus. A related, though
different, technique for reducing the likelihood of detection
is that of the sparse infector.
Slow Mailer: A slow mailer
is a virus that distributes itself from victim machines via e-mail
but not in the 'explosive' manner attributed to mass mailers.
Ska (aka Happy99) and Kak are classic examples of slow mailers,
respectively sending itself once to each addressee the victim
sends e-mail to or embedding itself in all outgoing HTML messages
the victim sends. Despite the mass mailers such as Melissa and
LoveLetter hogging the media spotlight, Ska and Kak are also
excellent examples of how slow mailers 'last the distance'. For
example, several sources of prevalence statistics show roughly
twice as many Kak incidents in 2000 as LoveLetter incidents,
with the explosive nature of LoveLetter - then the most prevalent
virus in history - seen in the fact that most LoveLetter incidents
were recorded in a single month (May). Slow mailers often have
the '@m' suffix to their names, making the additional threat
they may pose readily identifiable to the informed.
Slow Polymorphism: A term
occasionally applied to polymorphic viruses that only morph their
code 'occasionally' rather than each time they replicate, as
is more common. This is an 'anti-antivirus research' technique.
Sneakernet: The network
of inter-personal contacts that existed before Ethernet made
LANs commonplace and long before the Internet as we know it today
existed. The name is a play on 'sneaker' and 'ethernet' and refers
to the sharing patterns seen when data files and programs were
mainly distributed and copied between workmates, other professional
colleagues and friends via diskette. As all diskettes have boot
sectors and most PCs will attempt to boot from a diskette left
in a floppy drive, boot sector infectors were the most prevalent
viruses when sneakernet was the predominant sharing mechanism.
Sniffer: A wiretap that
eavesdrops on computer networks. The attacker must be between
the sender and the receiver in order to sniff traffic. This is
easy in corporations using shared media. Sniffers are frequently
used as part of automated programs to sift information off the
wire, such as clear-text passwords, and sometimes password hashes
(to be cracked).
Social Engineering:
- There are two main ways to obtain technical or administrative
information about a computer system. The first is from the machines
and systems themselves and the second is from the administrators
and users of the machines. Surreptitious or unauthorized attempts
to obtain such system information are known as hacking or cracking
if the attempt involves obtaining the information from the machines
and as social engineering if they involve manipulating or 'tricking'
a person into divulging the information.
- By extension of the previous meaning, the term social engineering
is often used to describe the 'tricks' used by mass mailing viruses
to entice recipients of messages with viral attachments to run (or
'view') those attachments.
SOCKS Proxy: Socks (or
"SOCKS") is an IETF standard protocol for TCP/IP-based
networking applications. A proxy server (a server that sits between
a client application and a real server) can use SOCKS to accept
requests from clients so that they can be forwarded across the
Internet. Socks uses sockets to represent and keep track of individual
connections. SOCKS proxy servers are widespread, and used legitimately
for improving system performance, caching web pages and filtering
client requests. Unfortunately, SOCKS proxy servers can also
be used for undermining system security; attackers can hide their
IP address by "bouncing" their requests off a victim's
computer with an open SOCKS proxy.
SPAM Tool: Any software
designed to extract email addresses from web sites and other
sources, remove "dangerous" or "illegal"
addresses, and/or efficiently send unsolicited (and perhaps untraceable)
mail to these addresses.
Sparse Infector: Although
not an approach to beat integrity checking, like slow infection
methods, sparse infection is also an approach to reduce the chances
of early detection. The main idea is to replicate only occasionally;
for example, only infecting one in every 100 programs that are
executed. Another approach a sparse infector may take to deciding
which files to infect is to only target files that meet certain
criteria such as having a size divisible by a particular value
or with a creation date of a certain day of the month and so
on.
Spoofer: To spoof is to
forge your identity. Attackers use spoofers to forge their IP
address (IP spoofing). The most common use of spoofing today
is in smurf and fraggle attacks. These attacks use spoofed packets
against amplifiers in order to overload the victim's connection.
This is done by sending a single packet to a broadcast address
with the victim as the source address. All the machines within
the broadcast domain then respond back to the victim, overloading
the victim's Internet connection. Since smurfing accounts for
more than half the traffic on some backbones, ISPs are starting
to take spoofing seriously and have started implementing measures
within their routers that verify valid source addresses before
passing the packets.
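The router-side measure the entry ends with, checking that a packet's source address is valid for the interface it arrived on (and, for the smurf case, refusing to forward to a subnet's broadcast address), as an added example that is not part of the original glossary. The interface names, prefixes and sample packets are constructed:

```python
import ipaddress

# Constructed: source prefixes legitimately reachable through each
# customer-facing interface of an access router, and the router's own
# local subnets whose broadcast addresses smurf amplification relies on.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/26")],
}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def source_is_valid(interface: str, src: str) -> bool:
    """A packet may only enter through an interface whose assigned prefixes
    contain its source address; a forged victim address will not match."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))

def is_directed_broadcast(dst: str, local_nets=LOCAL_NETS) -> bool:
    """True when the destination is the broadcast address of a local subnet,
    i.e. a packet that would be answered by every host on that subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in local_nets)

def filter_packets(packets):
    """Apply both checks to (interface, src, dst) tuples; return the packets
    that are forwarded and those dropped, each with the reason."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        if not source_is_valid(iface, src):
            dropped.append((src, dst, "spoofed-source"))
        elif is_directed_broadcast(dst):
            dropped.append((src, dst, "directed-broadcast"))
        else:
            forwarded.append((src, dst))
    return forwarded, dropped

# Constructed sample: a normal packet, a packet forging a local address
# as its source, a valid source aimed at a broadcast address, a normal packet.
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.7", "192.0.2.10"),
    ("cust-a", "192.0.2.50", "192.0.2.255"),
    ("cust-b", "203.0.113.150", "192.0.2.255"),
    ("cust-b", "203.0.113.5", "192.0.2.20"),
]
```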
Spyware Cookie: Any cookie
that is shared among two or more unrelated sites for the purpose
of gathering and sharing private user information. See also the
Network Chico browser
cookie page.
Spyware or Spy Ware: A
program that gathers information and can be 'silently' installed
and run in 'stealth' mode. This kind of software is used to gather
information from a user's machine, such as recorded keystrokes
(passwords), a list of websites visited by the user, applications
installed on the machine, the version of operating system, registry
settings, etc.
SR-1: Service Release
1. A Service Release is an incremental update and/or bug-fix
version of an application, similar to the better-known term Service
Pack (or SP). SR-1 is usually of significance in antivirus issues
when talking about Word 97 SR-1, as this release introduced some
subtle changes to Word's VBA environment that had implications
for the replication mechanisms of most Word macro viruses written
prior to its release. (See also Class Infector.)
Stealth Virus: Aside from
infecting seldom (see Slow Infector and Sparse Infector), some
viruses take other steps to make themselves difficult to detect.
For example, stealth boot viruses intercept attempts to read
the boot sector (where they reside) and return copies of the
original boot sector so it is seen as it was prior to infection
- the first PC virus, Brain, is an example of this. More sophisticated
boot sector stealth also intercepts write functions, preventing
the viral code being overwritten and perhaps redirecting such
writes to the 'safe' copy of the original boot sector. Stealth
file infectors typically hide any file size increases they are
responsible for when a file's properties are read from the disk
- Number of the Beast and Frodo were early examples. Macro viruses
have also attempted many stealth techniques, such as replacing
the standard list of macros with a list from which the virus'
macros are missing, and preventing users from accessing the Visual
Basic Editor. For their stealth functions to work, a virus must
be 'resident'.
With executable viruses, this residency means the virus' modifications
go undetected by antivirus programs as well as preventing the
user from noticing changes (such as in file sizes and the like).
However, with macro viruses, such stealth mechanisms only help
prevent the user noticing or reporting changes because virus
scanners look directly at the document files containing the viruses
and are not dependent on internal functions of Word - the only
functions a macro virus can usurp - in order to detect these
viruses. In general, to counter stealth mechanisms you must be
able to re-establish a 'clean' environment. With boot and program
stealth, restarting from a clean system is necessary to ensure
there is no possibility of the normal system functions being
interfered with. With stealth macro viruses a clean user environment
is needed. This can be attained by ensuring that all global templates
and other code resources that may be loaded during the host application's
startup phase, and as a result of loading a (potentially) infected
document, do not get a chance to run.
Surveillance: Any software
designed to use a webcam, microphone, screen capture, or other
approaches to monitor and capture information. Some such software
will transmit this captured information to a remote source. See
also Key Logger.
SYN Flood Attack: In the
normal course of a TCP connection, a SYN (TCP connection request)
is sent to a target computer. When the target computer receives
the SYN, it sends a SYN_RECEIVED message back to the machine
that sent the SYN (reading the IP source address of the originating
packet). The target computer then waits for the machine that
originated the request to send back a SYN_ACK upon receipt of
its SYN_RECEIVED message (this SYN_RECEIVED state is saved in
a buffer either until the ACK is received or until the request
has been waiting for a particular finite period of time and is
then purged). When this "three-way" handshake is completed,
data can travel freely between the two computers. During a SYN
Flood Attack, a SYN is sent to the target computer, but the
source IP address is spoofed. The target computer attempts to
send its SYN_RECEIVED message back to the originating IP address
of the SYN; however, because the address is spoofed, this message
will either be sent to an IP address that does not exist or to
a computer that did not send the original SYN (and therefore
will ignore this message). When this occurs, the target machine
may send several more SYN_RECEIVED messages, and wait for a finite
time for a SYN_ACK that will never come, storing this information
in a buffer. The more of these spoofed packets that are sent
to the target computer, the more system resources that are used
on the target computer. Once the limit is reached for a given
TCP port, the target computer responds by resetting all further
connection requests until system resources are freed. The result
of this attack is a Denial of Service.
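The buffer of pending requests described above, modelled so that the effect of requests whose source never answers can be replayed from a constructed record of events. This is an added example, not part of the original glossary and not any real TCP implementation; the capacity, timeout, addresses and event list are constructed:

```python
from collections import OrderedDict

class HalfOpenTable:
    """Backlog of connection requests a listener holds while it waits for
    the handshake to finish (the glossary's SYN_RECEIVED state). Entries
    older than `timeout` seconds are purged, and once `capacity` entries
    are pending any further request is refused (reset)."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity, self.timeout = capacity, timeout
        self.pending = OrderedDict()  # (src, sport) -> arrival time
        self.refused = 0

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        for key, arrived in list(self.pending.items()):
            if now - arrived > self.timeout:
                del self.pending[key]  # waited long enough: purge
        if len(self.pending) >= self.capacity:
            self.refused += 1  # resources exhausted for this port
            return False
        self.pending[(src, sport)] = now
        return True

    def on_complete(self, src: str, sport: int) -> None:
        self.pending.pop((src, sport), None)  # final handshake reply arrived

def replay(events, capacity: int = 4, timeout: float = 10.0):
    """Replay (time, kind, src, sport) records and return
    (requests refused, entries still pending, sources that never completed).
    Sources that only ever send SYNs are the ones worth investigating."""
    table = HalfOpenTable(capacity, timeout)
    started, finished = set(), set()
    for t, kind, src, sport in sorted(events):
        if kind == "SYN":
            table.on_syn(src, sport, t)
            started.add(src)
        else:
            table.on_complete(src, sport)
            finished.add(src)
    return table.refused, len(table.pending), sorted(started - finished)

# Constructed sample: four requests from addresses that never answer fill
# a 4-entry backlog, so the genuine client's first request is refused;
# after the timeout purges them its second request completes normally.
SAMPLE = [
    (0.0, "SYN", "203.0.113.1", 1111), (0.1, "SYN", "203.0.113.2", 1111),
    (0.2, "SYN", "203.0.113.3", 1111), (0.3, "SYN", "203.0.113.4", 1111),
    (0.5, "SYN", "198.51.100.5", 40000),
    (12.0, "SYN", "198.51.100.5", 40001), (12.1, "ACK", "198.51.100.5", 40001),
]
```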
System Boot Sector: A
seldom used term denoting the boot sectors at the beginning of
disk partitions and other logical drives such as floppies and
some other removable drives. This term is used in the glossary
to denote the set of boot sectors excluding master boot records.