Wikipedia Book Test 20090818

Information Security Primer From Social Engineering to SQL Injection...and Everything Beginning with P

PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Tue, 18 Aug 2009 21:14:59 UTC

Contents

Articles
  It Begins with S .......................................... 1
    Social engineering (security) ........................... 1
    Spyware ................................................. 7
    SQL injection ........................................... 26
  Bonus Material ............................................ 34
    Password cracking ....................................... 34

References
  Article Sources and Contributors .......................... 41
  Image Sources, Licenses and Contributors .................. 43

Article Licenses
  License ................................................... 44


It Begins with S

Social engineering (security)

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[1] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone. It is more than a simple lie, as it most often involves some prior research or set-up and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.[2]

This technique is often used to trick a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager (e.g., to make account changes, get specific balances, etc.). As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother's maiden name, the method is effective in many situations and will likely continue to be a security problem in the future.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.

IVR or phone phishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll-free) number provided in order to "verify" information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning. One could even record the typical commands ("Press one to change your password, press two to speak to customer service" ...) and play back the direction manually in real time, giving the appearance of being an IVR without the expense. The technical name for phone phishing is vishing.

Baiting

Baiting is like the real-world Trojan Horse: it uses physical media and relies on the curiosity or greed of the victim.[3] In this attack, the attacker leaves a malware-infected floppy disc, CD ROM, or USB flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device. For example, an attacker might create a disk featuring a corporate logo, readily available off the target's web site, and write "Executive Salary Summary Q2 2009" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and subsequently insert the disk into a computer to satisfy their curiosity, or a Good Samaritan might find it and turn it in to the company. In either case, as a consequence of merely inserting the disk into a computer to see the contents, the user would unknowingly install malware on it, likely giving an attacker unfettered access to the victim's PC and perhaps the targeted company's internal computer network. Unless computer controls block the infection, PCs set to "auto-run" inserted media may be compromised as soon as a rogue disk is inserted.


Quid pro quo

Quid pro quo means something for something:

• An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
• In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[4] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[5]

Other types

Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud. The latest type of social engineering techniques include spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo, Gmail, Hotmail, etc. Among the many motivations for deception are:

• Phishing credit-card account numbers and their passwords.
• Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
• Hacking websites of companies or organizations and destroying their reputation.

Notable social engineers

Kevin Mitnick

Reformed computer criminal and, later, security consultant Kevin Mitnick popularized the term 'social engineering', pointing out that it is much easier to trick someone into giving a password for a system than to spend the effort to hack into the system.[6] He claims it was the single most effective method in his arsenal.

The Badir Brothers

Ramy, Muzher, and Shadde Badir, brothers who were all blind from birth, managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[7]


Others

Other noted social engineers include Frank Abagnale, Dave Buchwald, David Bannon, Peter Foster, Stanley Mark Rifkin and Steven Jay Russell.

United States law

In common law, pretexting is an invasion of privacy tort of appropriation.[8]

Pretexting of telephone records

In December 2006, the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on January 12, 2007.[9]

Federal legislation

The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part:

"Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect...."

The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of his or her bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.

While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.[10]

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal cell phone records on the Internet during Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?"

Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell cell telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit on 24 January and 30 January, respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker, First Data Solutions, Inc. Several wireless providers, including T-Mobile, Verizon, and Cingular, filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists on January 13.

U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

Hewlett Packard's former Chairman, Patricia Dunn, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that this company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.[11] Unlike Federal law, California law specifically forbids such pretexting, and this case is being investigated by the California Attorney General.

In popular culture

• In the film Hackers, the protagonist used a form of social engineering, where the main character accessed a TV network's control system by telephoning the security guard for the telephone number to the station's modem, posing as an important executive. Although the film is not highly accurate, the particular method demonstrates the power of social engineering when applied to criminal behavior.
• In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential information is one of the methods used by the killer, Phate, to get close to his victims.
• In the movie Live Free or Die Hard, Justin Long is seen pretexting that his father is dying from a heart attack to have a BMW Assist representative start what will become a stolen car.
• In the movie Sneakers, one of the characters poses as a low-level security guard's superior in order to convince him that a security breach is just a false alarm.
• In the movie The Thomas Crown Affair, one of the characters poses over the telephone as a museum guard's superior in order to move the guard away from his post.
• In the James Bond movie Diamonds Are Forever, Bond is seen gaining entry to the Whyte laboratory with a then-state-of-the-art card-access lock system by "tailgating". He merely waits for an employee to come to open the door, then, posing as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee.

See also

• Phishing
• Confidence trick
• Certified Social Engineering Prevention Specialist (CSEPS)
• Media pranks, which often use similar tactics (though usually not for criminal purposes)
• Physical information security
• Vishing
• SMiShing

References

Further reading

• Boyington, Gregory. (1990). Baa Baa Black Sheep. Published by Bantam Books. ISBN 0-553-26350-1
• Leyden, John. April 18, 2003. Office workers give away passwords for a cheap pen [12]. The Register. Retrieved 2004-09-09.
• Long, Johnny. (2008). No Tech Hacking - A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Published by Syngress Publishing Inc. ISBN 978-1-59749-215-7
• Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Published by Gower Publishing Ltd. ISBN 0566087731 or ISBN 978-0-566-08773-8
• Mitnick, Kevin; Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security Publishing.
• Mitnick, Kevin; Simon, William L.; Wozniak, Steve. (2002). The Art of Deception: Controlling the Human Element of Security. Published by Wiley. ISBN 0-471-23712-4 or ISBN 0-764-54280-X

External links

• Social Engineering Fundamentals [13] - Securityfocus.com. Retrieved on August 3rd, 2009.
• Social Engineering, the USB Way [14] - DarkReading.com. Retrieved on July 7th, 2006.
• Should Social Engineering be a part of Penetration Testing? [15] - Darknet.org.uk. Retrieved on August 3rd, 2009.
• "Protecting Consumers' Phone Records" [16] - US Committee on Commerce, Science, and Transportation. Retrieved on February 8th, 2006.
• Plotkin, Hal. Memo to the Press: Pretexting is Already Illegal [17]. Retrieved on September 9th, 2006.
• Striptease for passwords [18] - MSNBC.MSN.com. Retrieved on November 1st, 2007.

References

[1] Mitnick, K: "CSEPS Course Workbook" (2004), unit 3, Mitnick Security Publishing.
[2] "Pretexting: Your Personal Information Revealed (http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm)," Federal Trade Commission
[3] http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
[4] Office workers give away passwords (http://www.theregister.co.uk/content/55/30324.html)
[5] Passwords revealed by sweet deal (http://news.bbc.co.uk/1/hi/technology/3639679.stm)
[6] Mitnick, K: "CSEPS Course Workbook" (2004), p. 4, Mitnick Security Publishing.
[7] http://www.wired.com/wired/archive/12.02/phreaks.html
[8] Restatement 2d of Torts § 652C.
[9] Congress outlaws pretexting (http://arstechnica.com/news.ars/post/20061211-8395.html), Eric Bangeman, 12/11/2006 11:01:01, Ars Technica
[10] Mitnick, K (2002): "The Art of Deception", p. 103. Wiley Publishing Ltd: Indianapolis, Indiana; United States of America. ISBN 0-471-23712-4
[11] HP chairman: Use of pretexting 'embarrassing' (http://news.com.com/HP+chairman+Use+of+pretexting+embarrassing/2100-1014_3-6113715.html?tag=nefd.lede), Stephen Shankland, 2006-09-08 1:08 PM PDT, CNET News.com
[12] http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
[13] http://www.securityfocus.com/infocus/1527
[14] http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
[15] http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/
[16] http://www.epic.org/privacy/iei/sencomtest2806.html
[17] http://www.plotkin.com/blog-archives/2006/09/memo_to_the_pre.html
[18] http://www.msnbc.msn.com/id/21566341/

Spyware

Spyware is a type of malware that is installed on computers and that collects information about users without their knowledge. The presence of spyware is typically hidden from the user. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connectivity or of the functionality of other programs.

In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices for computers, especially those running Microsoft Windows. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer. The US Federal Trade Commission has placed on the Internet a page of advice to consumers about how to lower the risk of spyware infection, including a list of "do's" and "don'ts."[1]


History and development

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.[2] Spyware at first denoted hardware meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release [3] for the ZoneAlarm Personal Firewall.[4] Since then, "spyware" has taken on its present sense.[4]

According to a 2005 study by AOL and the National Cyber-Security Alliance, 61 percent of surveyed users' computers had some form of spyware. 92 percent of surveyed users with spyware reported that they did not know of its presence, and 91 percent reported that they had not given permission for the installation of the spyware.[5]

As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks, not only because IE is the most widely used,[6] but because its tight integration with Windows allows spyware access to crucial parts of the operating system.[6][7]

Before Internet Explorer 7 was released, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign led, in part, to the massive spread of spyware. Many spyware components would also make use of exploits in JavaScript, Internet Explorer and Windows to install without user knowledge or permission.

The Windows Registry contains multiple sections in which modifying key values allows software to be executed automatically when the operating system boots. Spyware can exploit this design to circumvent attempts at removal. The spyware typically will link itself from each location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.

Trend Micro Inc. defines spyware as "[...] a program that monitors and gathers user information for different purposes."[8] McAfee Inc. defines spyware as "Software that transmits personal information to a third party without the user's knowledge or consent."[9]
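The registry re-linking behaviour described above is easiest to catch from the defender's side by baselining the autostart keys and diffing them on later runs. The following PowerShell script is an added example written for this page, not code from the article or from any product it names; it assumes a Windows host with PowerShell 5.1 or later, an elevated session, and a baseline file path chosen here as a placeholder.

```powershell
# Added example (not from the Wikipedia article): snapshot the common Windows
# autostart registry locations and, on later runs, report entries that were
# added, removed or changed. Spyware that "restores" its deleted autorun links
# shows up as an entry that reappears after you removed it.
# Assumptions: Windows with PowerShell 5.1+, run elevated so HKLM is readable;
# $BaselinePath is a placeholder location of our choosing.

$BaselinePath = Join-Path $env:ProgramData 'autorun-baseline.json'

# Well-known autostart locations: per-machine and per-user Run/RunOnce keys,
# the 32-bit view on 64-bit Windows, and the Winlogon values run at logon.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-AutorunSnapshot {
    # Returns one object per (key, value name) pair found in the autostart keys.
    $entries = @()
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every item.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            # Under Winlogon only Shell and Userinit are executed at logon.
            if ($key -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
            $entries += [pscustomobject]@{
                Key   = $key
                Name  = $p.Name
                Value = [string]$p.Value   # the command line that will be run
            }
        }
    }
    return $entries
}

function Compare-AutorunSnapshot {
    # Diffs two snapshots keyed on "registry key|value name".
    param($Baseline, $Current)
    $old = @{}; foreach ($e in $Baseline) { $old["$($e.Key)|$($e.Name)"] = $e.Value }
    $new = @{}; foreach ($e in $Current)  { $new["$($e.Key)|$($e.Name)"] = $e.Value }
    $findings = @()
    foreach ($id in $new.Keys) {
        if (-not $old.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Change = 'Added';   Entry = $id; Value = $new[$id] }
        } elseif ($old[$id] -ne $new[$id]) {
            $findings += [pscustomobject]@{ Change = 'Changed'; Entry = $id; Value = $new[$id] }
        }
    }
    foreach ($id in $old.Keys) {
        if (-not $new.ContainsKey($id)) {
            $findings += [pscustomobject]@{ Change = 'Removed'; Entry = $id; Value = $old[$id] }
        }
    }
    return $findings
}

$current = Get-AutorunSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now, after reviewing the list by hand.
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath with $($current.Count) entries."
} else {
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $findings = Compare-AutorunSnapshot -Baseline $baseline -Current $current
    if ($findings.Count -eq 0) {
        Write-Output 'No autostart changes since baseline.'
    } else {
        # An "Added" entry you know you deleted earlier is the re-linking
        # behaviour described above; check its Value (the executable path)
        # before deciding how to remove it.
        $findings | Sort-Object Change, Entry | Format-Table -AutoSize
    }
}
```

Run it once to write the baseline, delete a suspect entry, then run it again a few minutes later: an entry that comes back as "Added" with the same Value is the restoration behaviour in action.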

Comparison

Spyware, adware and tracking

The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Most adware is spyware in a different sense than "advertising-supported software," for a different reason: it displays advertisements related to what it finds from spying on you. Gator Software from Claria Corporation (formerly GATOR) and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements. Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions.

The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as Ad-Aware report it as such.

Many of these adware-distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be considered malicious in nature. People are profiting from misleading adware, sometimes known as scareware, such as Antivirus 2009. Similarly, software bundled with free, advertising-supported programs such as P2P acts as spyware (and if removed disables the 'parent' program), yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results [10] show that bundled software (WhenUSave) is ignored by the popular anti-spyware program Ad-Aware (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) eDonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware [11], a risk model [12], and a best practices [13] document.

Spyware, virus and worm

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware—by design—exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites. However, spyware can be dropped as a payload by a worm.


Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

[Image caption: Malicious websites attempt to install spyware on readers' computers.]

Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software.

The distributor of spyware usually presents the program as a useful utility—for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a program bundled with spyware[14] and targeted at children, claims that: "He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE!"[15]

Spyware can also come bundled with other software. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable freeware with installers that slipstream spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.[16] By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

Effects and behaviors

A spyware program is rarely alone on a computer: an affected machine usually has multiple infections. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic. Stability issues, such as applications freezing, failure to boot, and system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, Windows installation problems, or another infection. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. The cumulative effect, and the interactions between spyware components, causes the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware disables or even removes competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs.
One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.[17] Some other types of spyware use rootkit like techniques to prevent detection, and thus removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. As with other operating systems, Windows users too are able to follow the principle of least privilege and use non-administrator least user access accounts, or to reduce the privileges of specific vulnerable Internet-facing proceses such as Internet Explorer (through the use of

11

Spyware tools such as DropMyRights do this.

12 [18]

). However as this is not a default configuration, few users

In Windows Vista, by default, a computer administrator runs everything under a limited user privileges. When a program requires administrative privileges, Vista will prompt the user with an allow/deny pop-up, see User Account Control. This improves on the design used by previous versions of Windows.

Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions. A number of spyware programs cross into outright illegality; variations of "Zlob.Trojan" and "Trojan-Downloader.Win32.INService" have been known to show child pornography, key generators, cracks and illegal software in pop-up ads, which violates child pornography and copyright laws.[19] [20] [21] [22]

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

"Stealware" and affiliate fraud A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor. Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.[23] Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.

Identity theft and fraud

In one case, spyware has been closely associated with identity theft.[24] In August 2005, researchers from security software firm Sunbelt Software suspected the creators of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.",[25] however it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS."[26] This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.[27]

Spyware makers may commit wire fraud with dialer spyware. These programs can reset a modem to dial a premium-rate telephone number instead of the usual ISP. Connecting to these numbers involves long-distance or overseas charges which invariably result in high call costs. Dialers are ineffective on computers that do not have a modem or are not connected to a telephone line.

Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology.[28] Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas Attorney General Greg Abbott filed suit,[29] and three separate class-action suits were filed.[30] Sony BMG later provided a workaround on its website to help users remove it.[31]

Beginning on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application[32] was installed on most Windows PCs as a "critical security update". While the main purpose of this deliberately non-uninstallable application is to verify that the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware.[33] [34] It can be removed with the RemoveWGA tool.

Personal relationships

Spyware has been used to surreptitiously monitor electronic activities of partners in intimate relationships, generally to uncover evidence of infidelity. At least one software package, Loverspy, was specifically marketed for this purpose. Depending on local laws regarding communal/marital property, observing a partner's online activity without their consent may be illegal; the author of Loverspy and several users of the product were indicted in California in 2005 on charges of wiretapping and various computer crimes.[35]

Browser cookies

Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and many anti-spyware programs offer to remove them.[36]

Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

• CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct name lookups to these sites.[37]

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.[38]

• HuntBar, aka WinTools or Adware.Websearch,[39] was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.[40] [41]

• Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[42] [43] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."[44]

• MyWebSearch (of Fun Web Products) has a plugin that displays a search toolbar near the top of a browser window, and it reports the user's search habits.[45] MyWebSearch is notable for installing over 210 settings, including MS Windows registry keys and values.[46] [47] Beyond the browser plugin, it has settings that affect Outlook, email, HTML, XML, etc. Although tools exist to remove MyWebSearch,[46] a user familiar with Regedit can hand-delete it in about an hour by finding and deleting the keys and values named with "MyWebSearch". After reboot, the browser returns to its prior appearance.

• WeatherStudio has a plugin that displays a window panel near the bottom of a browser window. The official website notes that WeatherStudio is easy to remove (uninstall) from a computer using its own uninstall program, such as under MS Windows in C:\Program Files\WeatherStudio.[48] Once WeatherStudio is removed, the browser returns to its prior appearance without the need to modify the browser settings.

• Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover the Web sites of competing companies (as seen in its Zango End User License Agreement[49]).[23]

• Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to its control server. This can include the search history, the Web sites visited, and even keystrokes. More recently, Zlob has been known to hijack routers left at their default settings.[50]

Legal issues related to spyware

Criminal law

Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.[51] [52]

Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented. Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances.[53] This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa[54] and Washington,[55] have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software. In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.[56]

Administrative sanctions

US FTC actions

The US Federal Trade Commission has sued Internet marketing organizations under the "unfairness doctrine"[57] to make them stop infecting consumers' PCs with spyware. In one case, that against Seismic Entertainment Productions, the FTC accused the defendants of developing a program that seized control of PCs nationwide, infected them with spyware and other malicious software, bombarded them with a barrage of pop-up advertising for Seismic's clients, exposed the PCs to security risks, and caused them to malfunction, slow down, and, at times, crash. Seismic then offered to sell the victims an "antispyware" program to fix the computers, and stop the popups and other problems that Seismic had caused. On November 21, 2006, a settlement was entered in federal court under which a $1.75 million judgment was imposed in one case and $1.86 million in another, but the defendants were insolvent.[58]

In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly monitor unsuspecting consumers' computers. According to the FTC, Cyberspy touted RemoteSpy as a "100% undetectable" way to "Spy on Anyone. From Anywhere." The FTC has obtained a temporary order prohibiting the defendants from selling the software and disconnecting from the Internet any of their servers that collect, store, or provide access to information that this software has gathered. The case is still in its preliminary stages. A complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy software to the FTC's attention.[59]

Netherlands OPTA

An administrative fine, the first of its kind in Europe, has been imposed by the Independent Authority of Posts and Telecommunications (OPTA) of the Netherlands. It applied fines totalling €1,000,000 for infecting 22 million computers. The spyware is called DollarRevenue. The law article violated is art. 4.1 of the Dutch telecommunications law; the fines were imposed on the basis of art. 15.4 taken together with art. 15.10. Part of these fines has to be paid by the directors of these companies personally, i.e. not from the accounts of their companies but from their personal fortunes.[60] Since an appeal has been lodged, the fines will have to be paid only after a Dutch court decides the case. The culprits maintain that the evidence for violating the two law articles was obtained illegally. The names of the directors and of the companies have not been revealed, since it is not clear that OPTA is allowed to make such information public.[61]

Civil law

Former New York State Attorney General and former Governor of New York Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[62] In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.[63]

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court. Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware.[64]

Libel suits by spyware developers

Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".[65] PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software.[66] As a result, other antispyware and antivirus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.

Remedies and prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system. Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data and fully reinstalling the operating system. For instance, some versions of Vundo cannot be completely removed by Symantec, Microsoft, PC Tools, and others because it uses rootkit techniques and infects Internet Explorer and Windows' lsass.exe (Local Security Authority Subsystem Service) with a randomly named DLL (dynamic link library).

Anti-spyware programs

Many programmers and some commercial firms have released products dedicated to removing or blocking spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay for other features) and Patrick Kolla's Spybot - Search & Destroy (all features free for non-commercial use) rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs.

[Image: Lavasoft's Ad-Aware 2008]

On December 16, 2004, Microsoft acquired the GIANT AntiSpyware software,[67] rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In 2006, Microsoft renamed the beta software Windows Defender; it was released as a free download in October 2006 and is included as standard with Windows Vista.

Major anti-virus firms such as Symantec, McAfee and Sophos came later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses).

Recently, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired anti-spyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware Professional Edition. AVG also used this product to add an integrated anti-spyware solution to some versions of the AVG Anti-Virus family of products, and a freeware AVG Anti-Spyware Free Edition available for private and non-commercial use. This shows a trend by anti-virus companies to launch dedicated solutions to spyware and malware. Zone Labs, creator of the ZoneAlarm firewall, has also released an anti-spyware program.

Anti-spyware programs can combat spyware in two ways:

1. They can provide real-time protection against the installation of spyware on a computer. This works in the same way as real-time anti-virus protection: the anti-spyware software scans incoming network data and downloaded files for spyware and blocks any threat it finds.

2. They can be used solely for detection and removal of spyware that has already been installed on the computer. This type of protection is normally much easier to use and more popular. Scans can be scheduled weekly, daily, or monthly. Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, present a list of any threats found, let the user choose what to delete and what to keep, and remove files and entries which match a list of known spyware components.

[Image: Microsoft AntiSpyware, in real-time protection mode, blocks an instance of AlwaysUpdateNews from being installed.]

Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because much spyware and adware is installed as a result of browser exploits or user error, using security software (some of which is anti-spyware, though much is not) to sandbox browsers can also be effective in restricting any damage done.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

Not all programs rely on updated definitions. Some rely partly (for instance Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs in the class of host-based intrusion prevention systems, HIPS, such as BillP's WinPatrol) on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. Because they do not rely on updated definitions they may spot newer spyware, but they can offer no guidance: the user is left to determine "what did I just do, and is this configuration change appropriate?" Windows Defender's SpyNet attempts to alleviate this by offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware.

A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list of items to delete manually. As most of the items are legitimate Windows files or registry entries, those less knowledgeable on the subject are advised to post a HijackThis log on one of the numerous anti-spyware sites and let the experts decide what to delete.

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode gives an anti-spyware program a better chance of removing persistent spyware. Killing the whole process tree may also work. A newer breed of spyware (Look2Me by NicTechNetworks is a good example) hides inside system-critical processes and starts up even in safe mode (see rootkit). With no process of their own to terminate, such programs are harder to detect and remove, and sometimes they do not even leave any on-disk signatures. Rootkit technology is seeing increasing use,[68] as is the use of NTFS alternate data streams.
Newer spyware programs also have specific countermeasures against well-known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example that uses all three methods (alternate data streams, a rootkit, and active countermeasures against security tools) is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data stream scanners and actively stops popular rootkit scanners from running.
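The two detection modes described above, matching known components against a definitions database and HIPS-style reporting of configuration changes, can be shown side by side over a small configuration snapshot. The Python below is an added example written for this page; it is not code from Windows Defender, WinPatrol, HijackThis or any other product named above. The snapshot dictionaries, the "Example.Toolbar.A" definition, the CLSIDs, paths and file contents are all constructed for illustration; a real tool would read the Run keys, the Browser Helper Objects key and the Internet Explorer start page from the registry and hash files on disk.

```python
"""Two anti-spyware detection modes over a constructed configuration snapshot.

Added example for this page; not code from any product it names. All names,
paths, CLSIDs and file contents below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    definition: str   # name of the matched definition
    surface: str      # "file", "run_keys" or "bho_clsids"
    key: str          # file path, Run value name or BHO CLSID
    detail: str


@dataclass(frozen=True)
class Change:
    surface: str
    key: str
    old: Optional[str]   # None when the entry was added
    new: Optional[str]   # None when the entry was removed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed definitions database. A real product ships thousands of these
# "signatures" and refreshes them constantly; stale definitions miss new families.
DEFINITIONS = [
    {
        "name": "Example.Toolbar.A",                       # hypothetical family
        "file_sha256": {sha256_hex(b"MZ constructed toolbar dll v1")},
        "run_key_names": {"ToolbarUpdater"},
        "bho_path_substrings": {"toolbar_helper.dll"},
    },
]

# A snapshot maps each inspected surface to {entry name: value}.
BASELINE: Dict[str, Dict[str, str]] = {
    "run_keys": {"VendorUpdater": r"C:\Program Files\Vendor\updater.exe"},
    "bho_clsids": {"{00000000-0000-0000-0000-000000000001}":
                   r"C:\Program Files\Vendor\benign_helper.dll"},
    "ie_start_page": {"Start Page": "https://www.example.com/"},
}

# The same machine after a drive-by install: a new Run entry, a new BHO and a
# hijacked start page carrying an affiliate tag. All constructed.
INFECTED: Dict[str, Dict[str, str]] = {
    "run_keys": {"VendorUpdater": r"C:\Program Files\Vendor\updater.exe",
                 "ToolbarUpdater": r"C:\Windows\System32\toolbar_helper.dll /boot"},
    "bho_clsids": {"{00000000-0000-0000-0000-000000000001}":
                   r"C:\Program Files\Vendor\benign_helper.dll",
                   "{00000000-0000-0000-0000-000000000002}":
                   r"C:\Windows\System32\toolbar_helper.dll"},
    "ie_start_page": {"Start Page": "http://search.example.net/?aff=1234"},
}

# Constructed on-disk contents of the dropped component.
FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\toolbar_helper.dll": b"MZ constructed toolbar dll v1",
}


def scan_definitions(snapshot, files, definitions) -> List[Finding]:
    """Definition-based detection: match known indicators against the snapshot.

    Files are matched by SHA-256 so a renamed copy is still caught; registry
    entries are matched by value name or by a path fragment in the BHO DLL.
    """
    findings = []
    for d in definitions:
        for path, content in files.items():
            digest = sha256_hex(content)
            if digest in d["file_sha256"]:
                findings.append(Finding(d["name"], "file", path, "sha256=" + digest[:12]))
        for name, command in snapshot.get("run_keys", {}).items():
            if name in d["run_key_names"]:
                findings.append(Finding(d["name"], "run_keys", name, command))
        for clsid, dll in snapshot.get("bho_clsids", {}).items():
            if any(frag in dll.lower() for frag in d["bho_path_substrings"]):
                findings.append(Finding(d["name"], "bho_clsids", clsid, dll))
    return findings


def diff_snapshots(baseline, current) -> List[Change]:
    """HIPS-style historical observation: report every change, with no verdict.

    Nothing here knows what spyware looks like, which is why it can flag a
    brand-new family and also why the user must judge each change themselves.
    """
    changes = []
    for surface in sorted(set(baseline) | set(current)):
        old_entries = baseline.get(surface, {})
        new_entries = current.get(surface, {})
        for key in sorted(set(old_entries) | set(new_entries)):
            old, new = old_entries.get(key), new_entries.get(key)
            if old != new:
                changes.append(Change(surface, key, old, new))
    return changes


def demo():
    """Run both modes against the constructed infected snapshot."""
    return scan_definitions(INFECTED, FILES, DEFINITIONS), diff_snapshots(BASELINE, INFECTED)


if __name__ == "__main__":
    found, changed = demo()
    for f in found:
        print("DETECTED", f.definition, f.surface, f.key, f.detail)
    for c in changed:
        print("CHANGED ", c.surface, c.key, repr(c.old), "->", repr(c.new))
```

Against the constructed data the definitions scan reports three hits (the DLL by hash, the Run entry by name, the BHO by path fragment), while the change monitor reports the same three additions plus the rewritten start page but attaches no verdict to any of them; that is the trade-off the paragraph above describes.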

Rogue anti-spyware programs

Malicious programmers have released a large number of rogue (fake) anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware, or else may add more spyware of their own.[69] [70]

The recent[71] proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. This software is called rogue software. It is recommended that users do not install any freeware claiming to be anti-spyware unless it is verified to be legitimate. Some known offenders include:

• AntiVirus 360
• Antivirus 2008
• Antivirus 2009
• AntiVirus Gold
• ContraVirus
• Errorsafe (AKA System Doctor)
• MacSweeper
• PAL Spyware Remover
• Pest Trap
• PSGuard
• Spy Wiper
• Spydawn
• Spylocked
• Spysheriff
• SpyShredder
• Spyware Quake
• SpywareStrike
• UltimateCleaner
• WinAntiVirus Pro 2006
• WinFixer
• WorldAntiSpy

On January 26, 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product.[72] On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.[73]

Security practices

To deter spyware, computer users have found several practices useful in addition to installing anti-spyware programs. Many system operators install a web browser other than IE, such as Opera or Mozilla Firefox. Though no browser is completely safe, Internet Explorer is at greater risk of spyware infection due to its large user base as well as vulnerabilities such as ActiveX.

Some ISPs, particularly colleges and universities, have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.[74] Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.

Some users install a large hosts file which prevents the user's computer from connecting to known spyware-related web addresses. However, by connecting to the numeric IP address rather than the domain name, spyware may bypass this sort of protection.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

The first step in removing spyware is to put the computer on "lockdown". This can be done in various ways, such as using anti-virus software or simply disconnecting the computer from the Internet. Disconnecting from the Internet prevents the controllers of the spyware from remotely controlling or accessing the computer. The second step is to locate and remove the spyware, manually or through use of credible anti-spyware software. During and after lockdown, potentially threatening websites should be avoided.
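The hosts-file practice above and the CoolWebSearch hosts-file rewriting described under "Examples of spyware" are two uses of the same mechanism, so one added example covers both. The Python below was written for this page and is not code from any product it names. The sample hosts file, the PROTECTED domain list and the address 198.51.100.7 (a documentation address) are constructed for illustration. The code parses hosts-file syntax, separates blocklist-style sinkhole entries from entries that look like hijacks of well-known names, and shows why a numeric IP literal bypasses the hosts file entirely.

```python
"""Hosts-file checks: blocklist entries, hijacked names, and the IP-literal bypass.

Added example for this page; not code from any product it names. The sample
hosts file, PROTECTED domain list and 198.51.100.7 (a documentation address)
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Addresses a blocklist-style hosts file maps unwanted names to.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Loopback names that belong in every hosts file and are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass(frozen=True)
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '<address> <name> [<alias> ...]', '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; the system resolver ignores it as well
        for name in fields[1:]:
            entries.append(HostsEntry(address, name.lower(), line_no))
    return entries


def classify(entries: List[HostsEntry], protected: Set[str]) -> Tuple[List[HostsEntry], List[HostsEntry]]:
    """Split entries into sinkhole blocks and suspicious redirections.

    A name under a protected domain mapped to a routable address is the
    CoolWebSearch pattern: the lookup is answered locally and never reaches DNS,
    so the browser lands on the operator's server while the address bar looks right.
    """
    blocks, hijacks = [], []
    for e in entries:
        if e.hostname in LOCAL_NAMES:
            continue
        if e.address in SINKHOLE_ADDRESSES:
            blocks.append(e)
        elif any(e.hostname == d or e.hostname.endswith("." + d) for d in protected):
            hijacks.append(e)
    return blocks, hijacks


def resolve(target: str, entries: List[HostsEntry]) -> Tuple[Optional[str], str]:
    """Mimic resolver order. Returns (address, source).

    An IP literal is used as-is and never consults the hosts file, which is
    exactly how spyware hard-wired to an address sidesteps a hosts blocklist.
    A name is checked against hosts first; anything not found would go to DNS.
    """
    try:
        return str(ipaddress.ip_address(target)), "literal"
    except ValueError:
        pass
    for e in entries:
        if e.hostname == target.lower():
            return e.address, "hosts"
    return None, "dns"


SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1    localhost
0.0.0.0      ads.tracker.example              # blocklist entry
0.0.0.0      updates.spyware-vendor.example   # blocklist entry
198.51.100.7 www.google.com www.msn.com       # popular names redirected
198.51.100.7 windowsupdate.microsoft.com
"""
PROTECTED = {"google.com", "msn.com", "microsoft.com"}


def report():
    """Parse and classify the constructed sample."""
    entries = parse_hosts(SAMPLE_HOSTS)
    blocks, hijacks = classify(entries, PROTECTED)
    return entries, blocks, hijacks


if __name__ == "__main__":
    entries, blocks, hijacks = report()
    for e in blocks:
        print("block  ", e.line_no, e.hostname, "->", e.address)
    for e in hijacks:
        print("HIJACK ", e.line_no, e.hostname, "->", e.address)
    for target in ("ads.tracker.example", "198.51.100.7", "www.bing.com"):
        print("resolve", target, resolve(target, entries))
```

The `resolve` function is the point of the bypass caveat: a hosts blocklist only helps when the spyware asks for a name, and a component that connects to 198.51.100.7 directly is never consulted against it. The hijack check is the mirror image, a blocklist that the attacker wrote, and the same parser serves both.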

Programs distributed with spyware

• Bonzi Buddy[75]
• Dope Wars[76]
• EDonkey2000[77]
• Grokster[78]
• Kazaa[79]
• Morpheus[77]
• RadLight[80]
• Sony's Extended Copy Protection involved the installation of spyware from audio compact discs through autorun. This practice sparked considerable controversy when it was discovered.
• WeatherBug[81] [82]
• WildTangent. The antispyware program CounterSpy used to say that it is okay to keep WildTangent, but it now says that the spyware Winpipe is "possibly distributed with the adware bundler WildTangent or from a threat included in that bundler".[83]
• SpyEagle is a spyware program that is disguised as an antivirus program.

Programs formerly distributed with spyware

• AOL Instant Messenger[82] (AOL Instant Messenger still packages Viewpoint Media Player and WildTangent)
• DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.[84]
• FlashGet (trial version prior to the program being made freeware)[85]
• magicJack[86]

See also

• Computer insecurity
• Cyber spying
• Defensive computing
• Employee monitoring software
• List of fake anti-spyware programs
• Malware
• Parasite software
• Phone home
• Rootkits
• Spy software
• Spy-phishing
• Spyware removal

External links

• How Spyware Works [87]
• How Spyware And The Weapons Against It Are Evolving [88], an article discussing causes and possible remedies of the spyware problem.
• StopBadware.org [89], a non-profit group (sponsored by Google, Lenovo, and Sun) that aims to provide "reliable, objective information about downloadable applications".

References

[1] Spyware: Quick Facts (http://www.onguardonline.gov/topics/spyware.aspx)
[2] Vossen, Roland (attributed); October 21, 1995; Win 95 Source code in c!! (http://groups.google.com/group/rec.games.programmer/browse_thread/thread/86a426b0147496d8/3b5d1936eb4d0f33?lnk=st&q=&rnum=8#3b5d1936eb4d0f33) posted to rec.games.programmer; retrieved from groups.google.com November 28, 2006.
[3] http://www.zonealarm.com/store/content/company/aboutUs/pressroom/pressReleases/2000/za2.jsp
[4] Wienbar, Sharon. "The Spyware Inferno (http://news.cnet.com/2010-1032-5307831.html)". News.com. August 13, 2004.
[5] "AOL/NCSA Online Safety Study (http://www.staysafeonline.info/pdf/safety_study_2005.pdf)". America Online & The National Cyber Security Alliance. 2005.
[6] Spanbauer, Scott. "Is It Time to Ditch IE? (http://www.pcworld.com/article/id,117550-page,1/article.html)". Pcworld.com. September 1, 2004.
[7] Keizer, Gregg. "Analyzing IE At 10: Integration With OS Smart Or Not? (http://www.techweb.com/wire/software/170100394)". TechWeb Technology News. August 25, 2005.
[8] http://us.trendmicro.com/us/threats/enterprise/glossary/s/spyware/index.php
[9] http://www.mcafee.com/us/security_wordbook/spyware.html
[10] http://www.better-spyware-removal.com/spyware-test-results.html
[11] http://www.antispywarecoalition.org/documents/DefinitionsJune292006.htm
[12] http://www.antispywarecoalition.org/documents/20060629RiskModelDescription.htm
[13] http://www.antispywarecoalition.org/documents/BestPractices.htm
[14] "Prying Eyes Lurk Inside Your PC; Spyware Spawns Efforts at Control. (http://www.accessmylibrary.com/coms2/summary_0286-7669487_ITM)". The Gale Group, Inc. Retrieved 2008-06-05.
[15] Woods, Mark. "Click, you're infected (http://www.f-secure.com/f-secure/pressroom/protected/prot-1-2006/17-388-2826.shtml)". Protected. F-Secure. Retrieved 2008-08-29.
[16] "Security Response: W32.Spybot.Worm (http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html)". Symantec.com. Retrieved July 10, 2005.
[17] Edelman, Ben; December 7, 2004 (updated February 8, 2005); Direct Revenue Deletes Competitors from Users' Disks (http://www.benedelman.org/news/120704-1.html); benedelman.com; retrieved November 28, 2006.
[18] http://msdn2.microsoft.com/en-us/library/ms972827.aspx
[19] http://digg.com/security/Warner_Bros_website_distributing_Zango_Spyware_Kiddy_Porn_browser
[20] http://www.aic.gov.au/publications/htcb/htcb011.html
[21] http://www.2-spyware.com/news/post81.html
[22] http://www.castlecops.com/a5863-Child_Porn_Planting_Spyware_Beware.html
[23] Edelman, Ben (2004). "The Effect of 180solutions on Affiliate Commissions and Merchants (http://www.benedelman.org/spyware/180-affiliates/)". Benedelman.org. Retrieved November 14, 2006.
[24] Ecker, Clint (2005). Massive spyware-based identity theft ring uncovered (http://arstechnica.com/news.ars/post/20050805-5175.html). Ars Technica, August 5, 2005.
[25] Eckelberry, Alex. "Massive identity theft ring" (http://sunbeltblog.blogspot.com/2005/08/massive-identity-theft-ring.html), SunbeltBLOG, August 4, 2005.
[26] Eckelberry, Alex. "Identity Theft? What to do?" (http://sunbeltblog.blogspot.com/2005/08/identity-theft-what-to-do.html), SunbeltBLOG, August 8, 2005.
[27] FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers (http://www.ftc.gov/opa/2003/09/idtheft.htm). Federal Trade Commission, September 3, 2003.
[28] Russinovich, Mark. "Sony, Rootkits and Digital Rights Management Gone Too Far" (http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx), Mark's Blog, October 31, 2005, retrieved November 22, 2006.
[29] Press release from the Texas Attorney General's office, November 21, 2005; Attorney General Abbott Brings First Enforcement Action In Nation Against Sony BMG For Spyware Violations (http://www.oag.state.tx.us/oagnews/release.php?id=1266); retrieved November 28, 2006.
[30] "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software" (http://news.bbc.co.uk/1/hi/technology/4424254.stm), BBC News, November 10, 2005, retrieved November 22, 2006.
[31] Information About XCP Protected CDs (http://cp.sonybmg.com/xcp/english/updates.html), retrieved November 29, 2006.
[32] Microsoft.com - Description of the Windows Genuine Advantage Notifications application (http://support.microsoft.com/kb/905474/), retrieved June 13, 2006.
[33] Weinstein, Lauren. Windows XP update may be classified as 'spyware' (http://lauren.vortex.com/archive/000178.html), Lauren Weinstein's Blog, June 5, 2006, retrieved June 13, 2006.
[34] Evers, Joris. Microsoft's antipiracy (sic) tool "phones home" daily (http://news.zdnet.com/2100-3513_22-6081286.html?tag=nl.e589), ZDNet News, June 7, 2006, retrieved June 13, 2006.
[35] Creator and Four Users of Loverspy Spyware Program Indicted (August 26, 2005) (http://www.usdoj.gov/criminal/cybercrime/perezIndict.htm)
[36] http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99
[37] "CoolWebSearch (http://web.archive.org/web/20060106083816/http://www.doxdesk.com/parasite/CoolWebSearch.html)". Parasite information database. Archived from the original (http://www.doxdesk.com/parasite/CoolWebSearch.html) on 2006-01-06. Retrieved 2008-09-04.
[38] "InternetOptimizer (http://web.archive.org/web/20060106084114/http://www.doxdesk.com/parasite/InternetOptimizer.html)". Parasite information database. Archived from the original (http://www.doxdesk.com/parasite/InternetOptimizer.
html) on 2006-01-06. . Retrieved 2008-09-04. [39] http:/ / securityresponse. symantec. com/ avcenter/ venc/ data/ adware. websearch. html [40] CA Spyware Information Center - HuntBar (http:/ / www3. ca. com/ securityadvisor/ pest/ pest. aspx?id=453072528) [41] What is Huntbar or Search Toolbar? (http:/ / www. pchell. com/ support/ huntbar. shtml) [42] " FTC, Washington Attorney General Sue to Halt Unfair Movieland Downloads (http:/ / www. ftc. gov/ opa/ 2006/ 08/ movieland. htm)". Federal Trade Commission. 2006-08-15. . [43] " Attorney General McKenna Sues Movieland.com and Associates for Spyware (http:/ / www. atg. wa. gov/ pressrelease. aspx?id=4286)". Washington State Office of the Attorney General. 2006-08-14. . [44] " Complaint for Permanent Injunction and Other Equitable Relief (PDF, 25 pages) (http:/ / www. ftc. gov/ os/ caselist/ 0623008/ 060808movielandcmplt. pdf)". Federal Trade Commission. 2006-08-08. . [45] "MyWay Searchbar, MyWay SpeedSearch", Adware Report, AdwareReport.com, Gooroo, Inc. 2004, webpage: AdwareRep-062 (http:/ / www. adwarereport. com/ mt/ archives/ 000062). [46] "MyWebSearch Removal Tool", Exterminate-it.com, 2009, Ext-it-mywebs (http:/ / www. exterminate-it. com/ malpedia/ remove-mywebsearch): lists the folders, files and 210 registry keys/values to be deleted. [47] "Removing My Web Search Bar and Error Message", What the Tech, Geeks to Go, Inc., 2009, webpage: WhatTheTech-MyWeb (http:/ / www. whatthetech. com/ 2009/ 04/ 21/ removing-my-web-search-bar-and-error-message-on-start-up/ ). [48] "WeatherStudio: Privacy Policy", WeatherStudio.com,

2009, web: WStudio-policy (http:/ / www. weatherstudio. com/ dp/ content/ weatherstudio/ privacypolicy. html). [49] http:/ / corporate. zango. com/ eula. aspx [50] PCMAG, New Malware changes router settings (http:/ / blogs. pcmag. com/ securitywatch/ 2008/ 06/ new_malware_silently_changes_r. php), PC Magazine, June 13, 2008. [51] " Lawsuit filed against 180solutions (http:/ / blogs. zdnet. com/ Spyware/ ?p=655)". zdnet.com September 13, 2005 [52] Hu, Jim. " 180solutions sues allies over adware (http:/ / news. com. com/ 2110-1024_3-5287885. html)". news.com July 28, 2004 [53] Coollawyer; 2001-2006; Privacy Policies, Terms and Conditions, Website Contracts, Website Agreements (http:/ / www. coollawyer. com/ webfront/ internet_law_library/ articles/ law_library_user_agreement_article. php); coollawyer.com; retrieved November 28, 2006. [54] " CHAPTER 715 Computer Spyware and Malware Protection (http:/ / nxtsearch. legis. state. ia. us/ NXT/ gateway. dll/ 2007 Iowa Code/ 2007code/ 1/ 26150/ 26151/ 26513?f=templates& fn=defaultURLquerylink. htm)". nxtsearch.legis.state.ia.us. Retrieved July 14, 2007. [55] Chapter 19.270 RCW: Computer spyware (http:/ / apps. leg. wa. gov/ RCW/ default. aspx?cite=19. 270). apps.leg.wa.gov. Retrieved November 14, 2006

24

Spyware [56] Gross, Grant. US lawmakers introduce I-Spy bill (http:/ / www. infoworld. com/ article/ 07/ 03/ 16/ HNspywarebill_1. html). InfoWorld, March 16, 2007, accessed March 24, 2007. [57] See Federal Trade Commission v. Sperry & Hutchinson Trading Stamp Co. [58] FTC Permanently Halts Unlawful Spyware Operations (http:/ / www. ftc. gov/ opa/ 2006/ 11/ seismicodysseus. shtm) (FTC press release with links to supporting documents); see also FTC cracks down on spyware and PC hijacking, but not true lies (http:/ / docs. law. gwu. edu/ facweb/ claw/ FTCcrackSpyw. pdf), Micro Law, IEEE MICRO (Jan.-Feb. 2005), also available at IEEE Xplore (http:/ / ieeexplore. ieee. org/ stamp/ stamp. jsp?arnumber=1411709& isnumber=30580). [59] See Court Orders Halt to Sale of Spyware (http:/ / www. ftc. gov/ opa/ 2008/ 11/ cyberspy. shtm) (FTC press release Nov. 17, 2008, with links to supporting documents). [60] OPTA, "Besluit van het college van de Onafhankelijke Post en Telecommunicatie Autoriteit op grond van artikel 15.4 juncto artikel 15.10 van de Telecommunicatiewet tot oplegging van boetes ter zake van overtredingen van het gestelde bij of krachtens de Telecommunicatiewet" from 5 november 2007, http:/ / opta. nl/ download/ 202311+ boete+ verspreiding+ ongewenste+ software. pdf [61] According to H. Moll and E. Schouten, "Limburgse ICT-baas blijkt spywarekoning" (http:/ / www. nrc. nl/ economie/ article868499. ece/ Limburgse_ICT-baas_blijkt_spywarekoning), in NRC Handelsblad, 21 december 2007, the companies are: ECS International, Worldtostart and Media Highway International. The directors are: Arjan de Raaf and Peter Emonds. Their accomplice having the nickname "Akill" has been arrested in Hamilton, New Zealand, for being the manager of a huge network of zombie computers. [62] Office of New York State Attorney General (2005-04-28). " State Sues Major "Spyware" Distributor (http:/ / www. oag. state. ny. us/ media_center/ 2005/ apr/ apr28a_05. html)". Press release. . 
Retrieved 2008-09-04. "Attorney General Spitzer today sued one of the nation's leading internet marketing companies, alleging that the firm was the source of "spyware" and "adware" that has been secretly installed on millions of home computers." [63] Gormley, Michael. " "Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general" (http:/ / web. archive. org/ web/ 20050622082027/ http:/ / news. yahoo. com/ news?tmpl=story& u=/ cpress/ 20050615/ ca_pr_on_tc/ spitzer_spyware)". Yahoo! News. 2005-06-15. Archived from the original (http:/ / news. yahoo. com/ news?tmpl=story& u=/ cpress/ 20050615/ ca_pr_on_tc/ spitzer_spyware) on 2005-06-22. . [64] Gormley, Michael (2005-06-25). " Major advertisers caught in spyware net (http:/ / www. usatoday. com/ tech/ news/ computersecurity/ 2005-06-25-companies-spyware_x. htm)". USA Today. . Retrieved 2008-09-04. [65] Festa, Paul. " See you later, anti-Gators? (http:/ / news. com. com/ 2100-1032_3-5095051. html)". News.com. October 22, 2003. [66] " Gator Information Center (http:/ / www. pcpitstop. com/ gator/ default. asp)". pcpitstop.com November 14, 2005. [67] "http:/ / www. microsoft. com/ presspass/ press/ 2004/ dec04/ 12-16GIANTPR. mspx" [68] Roberts, Paul F. " Spyware meets Rootkit Stealth (http:/ / www. eweek. com/ article2/ 0,1759,1829744,00. asp)". eweek.com. June 20, 2005. [69] Roberts, Paul F. (2005-05-26). " Spyware-Removal Program Tagged as a Trap (http:/ / www. eweek. com/ article2/ 0,1759,1821127,00. asp)". eWeek. . Retrieved 2008-09-04. [70] Howes, Eric L. " The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites (http:/ / www. spywarewarrior. com/ rogue_anti-spyware. htm)". Retrieved July 10, 2005. [71] http:/ / en. wikipedia. org/ wiki/ Spyware [72] McMillan, Robert. Antispyware Company Sued Under Spyware Law (http:/ / www. pcworld. com/ news/ article/ 0,aid,124508,00. asp). PC World, January 26, 2006. [73] Leyden, John. Bogus anti-spyware firm fined $1m (http:/ / www. 
theregister. co. uk/ 2006/ 12/ 05/ washington_anti-spware_lawsuit/ ). The Register, December 5, 2006. [74] Schuster, Steve. "" Blocking Marketscore: Why Cornell Did It (http:/ / web. archive. org/ web/ 20070214111921/ http:/ / www. cit. cornell. edu/ computer/ security/ marketscore/ MarketScore_rev2. html)". Archived from the original (http:/ / www. cit. cornell. edu/ computer/ security/ marketscore/ MarketScore_rev2. html) on 2007-02-14. .". Cornell University, Office of Information Technologies. March 31, 2005. [75] " Symantec Security Response - Adware.Bonzi (http:/ / sarc. com/ avcenter/ venc/ data/ adware. bonzi. html)". Symantec. Retrieved July 27, 2005. [76] Edelman, Ben (2005). " Claria's Misleading Installation Methods - Dope Wars (http:/ / www. benedelman. org/ spyware/ installations/ dopewars-claria/ )". Retrieved July 27, 2005 [77] Edelman, Ben (2005). " Comparison of Unwanted Software Installed by P2P Programs (http:/ / www. benedelman. org/ spyware/ p2p/ )". Retrieved July 27, 2005. [78] Edelman, Ben (2004). " Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It (http:/ / www. benedelman. org/ news/ 100904-1. html)". Retrieved July 27, 2005

25

Spyware [79] Edelman, Ben (2004). " Claria License Agreement Is Fifty Six Pages Long (http:/ / www. benedelman. org/ spyware/ claria-license/ )". Retrieved July 27, 2005. [80] " eTrust Spyware Encyclopedia - Radlight 3 PRO (http:/ / www. ca. com/ us/ securityadvisor/ pest/ pest. aspx?id=54732)". Computer Associates. Retrieved July 27, 2005 [81] "" WeatherBug (http:/ / web. archive. org/ web/ 20050206011153/ http:/ / www. doxdesk. com/ parasite/ WeatherBug. html)". Parasite information database. Archived from the original (http:/ / www. doxdesk. com/ parasite/ WeatherBug. html) on 2005-02-06. . Retrieved 2008-09-04. [82] " Adware.WildTangent (http:/ / research. sunbeltsoftware. com/ threatdisplay. aspx?name=AdWare. WildTangent& threatid=236165)". Sunbelt Malware Research Labs. 2008-06-12. . Retrieved 2008-09-04. [83] " Winpipe (http:/ / research. sunbelt-software. com/ threatdisplay. aspx?name=Winpipe& threatid=15154)". Sunbelt Malware Research Labs. 2008-06-12. . Retrieved 2008-09-04. [84] " How Did I Get Gator? (http:/ / www. pcpitstop. com/ gator/ Confused. asp)". PC Pitstop. Retrieved July 27, 2005. [85] " eTrust Spyware Encyclopedia - FlashGet (http:/ / www. ca. com/ us/ securityadvisor/ pest/ pest. aspx?id=453077947)". Computer Associates. Retrieved July 27, 2005 [86] Gadgets boingboing.net, MagicJack's EULA says it will spy on you and force you into arbitration (http:/ / gadgets. boingboing. net/ 2008/ 04/ 14/ magicjacks-eula-says. html) [87] http:/ / computer. howstuffworks. com/ spyware. htm [88] http:/ / www. windowsecurity. com/ articles/ Spyware-Evolving. html [89] http:/ / www. stopbadware. org/

SQL injection SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.[1]

Forms of vulnerability

Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application. The following line of code illustrates this vulnerability:

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as

    a' or 't'='t

renders this SQL statement by the parent language:

    SELECT * FROM users WHERE name = 'a' or 't'='t';


If this code were to be used in an authentication procedure then this example could be used to force the selection of a valid username because the evaluation of 't'='t' is always true.

While most SQL server implementations allow multiple statements to be executed with one call, some SQL APIs such as php's mysql_query do not allow this for security reasons. This prevents hackers from injecting entirely separate queries, but doesn't stop them from modifying queries. The following value of "userName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "data" table (in essence revealing the information of every user), using an API that allows multiple statements:

    a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

This input renders the final SQL statement as follows:

    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';

Incorrect type handling
This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This could take place when a numeric field is to be used in a SQL statement, but the programmer makes no checks to validate that the user-supplied input is numeric. For example:

    statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string then the end user may manipulate the statement as they choose, thereby bypassing the need for escape characters. For example, setting a_variable to

    1;DROP TABLE users

will drop (delete) the "users" table from the database, since the SQL would be rendered as follows:

    SELECT * FROM data WHERE id=1;DROP TABLE users;
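The two vulnerable patterns above (string concatenation into a quoted literal, and an unchecked numeric field), each beside its fixed form, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module against a constructed in-memory users table; the table layout, the row contents and the function names are assumptions made for the example:

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def vulnerable_lookup(conn, user_name):
    """The pattern from the text: user input is concatenated into the statement."""
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]


def safe_lookup(conn, user_name):
    """Parameterized form: the statement is fixed and the value is bound to the
    placeholder, so the database only ever treats it as data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (user_name,))]


def vulnerable_by_id(conn, id_text):
    """Numeric field built by concatenation with no type check (the 'incorrect type
    handling' case): no quote character is needed to alter the statement."""
    statement = "SELECT name FROM users WHERE id = " + id_text
    return [row[0] for row in conn.execute(statement)]


def safe_by_id(conn, id_text):
    """Whitelist the input as a decimal integer first, then bind the converted value."""
    if not id_text.isdigit():
        raise ValueError("id must be a decimal integer, got %r" % id_text)
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (int(id_text),))]


def stacked_query_rejected(conn):
    """The multi-statement payload from the text. Like php's mysql_query, sqlite3's
    execute() runs a single statement only, so the stacked DROP never reaches the engine
    (older Pythons raise sqlite3.Warning, newer ones sqlite3.ProgrammingError)."""
    payload = "a';DROP TABLE users; SELECT * FROM users WHERE 't' = 't"
    try:
        vulnerable_lookup(conn, payload)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def demo():
    conn = make_db()
    out = {
        "honest": vulnerable_lookup(conn, "alice"),
        "tautology_vulnerable": vulnerable_lookup(conn, "a' or 't'='t"),
        "tautology_safe": safe_lookup(conn, "a' or 't'='t"),
        "numeric_vulnerable": vulnerable_by_id(conn, "1 OR 1=1"),
        "stacked_rejected": stacked_query_rejected(conn),
    }
    try:
        safe_by_id(conn, "1 OR 1=1")
        out["numeric_safe"] = "accepted"
    except ValueError:
        out["numeric_safe"] = "rejected"
    out["table_intact"] = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

The tautology returns every row through the concatenated query and nothing through the bound one, because the bound value is compared as the literal string a' or 't'='t. The numeric case shows why escaping alone is not a defence for unquoted positions: the input contains no quote to escape, so only a type check (or binding) stops it.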

Vulnerabilities inside the database server
Sometimes vulnerabilities can exist within the database server software itself, as was the case with the MySQL server's mysql_real_escape_string() function.[2] This would allow an attacker to perform a successful SQL injection attack based on bad Unicode characters even if the user's input is being escaped.

Blind SQL injection
Blind SQL Injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information have been established.[3]

Conditional responses
One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen.

    SELECT booktitle from booklist where bookId = 'OOk14cd' AND 1=1;

will result in a normal page while

    SELECT booktitle from booklist where bookId = 'OOk14cd' AND 1=2;

will likely give a different result if the page is vulnerable to a SQL injection. An injection like this will prove that a blind SQL injection is possible, leaving the attacker to devise statements that evaluate to true or false depending on the contents of a field in another table.[4]

Conditional errors
This type of blind SQL injection causes an SQL error by forcing the database to evaluate a statement that causes an error if the WHERE clause is true. For example, in

    SELECT 1/0 from users where username='Ralph';

the division by zero will only be evaluated and result in an error if user Ralph exists.

Time delays
Time delays are a type of blind SQL injection that cause the SQL engine to execute a long-running query or a time delay statement depending on the logic injected. The attacker can then measure the time the page takes to load to determine if the injected statement is true.
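From the defender's side, the three blind-injection styles just described leave recognisable traces in web-server access logs: paired requests differing only by an always-true and an always-false condition, a request that provokes a division by zero, and a request carrying a delay function. The following is an added example, not from the original article, of a small log scanner that tags those traces per client. The log lines are constructed for the example, the addresses and paths are placeholders, and the signature list is an assumption (it covers the patterns named in the text plus a few common delay functions):

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format); addresses and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Aug/2009:10:00:01 +0000] "GET /book.php?bookId=OOk14cd HTTP/1.1" 200 5123
203.0.113.5 - - [18/Aug/2009:10:00:02 +0000] "GET /book.php?bookId=OOk14cd'%20AND%201=1-- HTTP/1.1" 200 5123
203.0.113.5 - - [18/Aug/2009:10:00:03 +0000] "GET /book.php?bookId=OOk14cd'%20AND%201=2-- HTTP/1.1" 200 412
203.0.113.5 - - [18/Aug/2009:10:00:04 +0000] "GET /book.php?bookId=OOk14cd'%20AND%20(SELECT%201/0%20FROM%20users)-- HTTP/1.1" 500 231
203.0.113.5 - - [18/Aug/2009:10:00:09 +0000] "GET /book.php?bookId=OOk14cd'%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123
198.51.100.7 - - [18/Aug/2009:10:00:05 +0000] "GET /book.php?bookId=XY12 HTTP/1.1" 200 5101
198.51.100.7 - - [18/Aug/2009:10:00:06 +0000] "GET /search.php?q=o'reilly HTTP/1.1" 200 4010
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

# One signature per blind-injection style named in the text. They run on the decoded
# parameter value, not the raw URL, so percent-encoding does not hide them.
SIGNATURES = [
    ("boolean", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),  # ... AND 1=1 / AND 1=2
    ("error", re.compile(r"\b1\s*/\s*0\b")),                        # SELECT 1/0 ...
    ("time", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
]


def parse_line(line):
    """Split one CLF line into (ip, path, decoded query parameters, status, size)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes the values
    return m.group("ip"), parts.path, params, int(m.group("status")), int(m.group("size"))


def probe_tags(params):
    """Signature tags that fire on any parameter value of one request."""
    tags = set()
    for _name, value in params:
        for tag, pattern in SIGNATURES:
            if pattern.search(value):
                tags.add(tag)
    return tags


def scan(log_text):
    """Per client: how many requests carried a probe and which styles were seen.
    Clients with no hits are omitted; a lone apostrophe (o'reilly) is not a hit."""
    report = defaultdict(lambda: {"requests": 0, "tags": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _path, params, _status, _size = parsed
        tags = probe_tags(params)
        if tags:
            report[ip]["requests"] += 1
            report[ip]["tags"] |= tags
    return {ip: {"requests": v["requests"], "tags": sorted(v["tags"])} for ip, v in report.items()}


if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(ip, info)
```

Signature matching of this kind is a triage aid: it surfaces the probing phase, where the differing response sizes of the 1=1 and 1=2 requests are also visible in the log, but it does not replace parameterized statements in the application, which remove the vulnerability rather than spotting its use.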

Preventing SQL injection
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be used (preferred), or user input must be carefully escaped or filtered.

Parameterized statements
With most development platforms, parameterized statements can be used that work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. In many cases, the SQL statement is fixed. The user input is then assigned (bound) to a parameter. This is an example using Java and the JDBC API:

    PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
    prep.setString(1, username);
    prep.setString(2, password);

Similarly, in C#:

    using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
    {
        myCommand.Parameters.AddWithValue("@username", user);
        myCommand.Parameters.AddWithValue("@password", pass);
        myConnection.Open();
        SqlDataReader myReader = myCommand.ExecuteReader();
        ...
    }

In PHP version 5 and above, there are multiple choices for using parameterized statements. The PDO[5] database layer is one of them:

    $db = new PDO('pgsql:dbname=database');
    $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
    $stmt->bindParam(':username', $user);
    $stmt->bindParam(':password', $pass);
    $stmt->execute();

There are also vendor-specific methods, for example in MySQL 4.1 and above with the mysqli[6] extension. Example[7]:

    $db = new mysqli("localhost", "user", "pass", "database");
    $stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
    $stmt->bind_param("ss", $user, $pass);
    $stmt->execute();

In ColdFusion, the CFQUERYPARAM statement is useful in conjunction with the CFQUERY statement to nullify the effect of SQL code passed within the CFQUERYPARAM value as part of the SQL clause.[8][9] An example is below.

    SELECT * FROM COMMENTS WHERE COMMENT_ID =


Enforcement at the database level
Currently only the H2 Database Engine supports the ability to enforce query parameterization.

Enforcement at the coding level
Using object-relational mapping libraries avoids the need to write SQL code. The ORM library in effect will generate parameterized SQL statements from object-oriented code.

Escaping
A straightforward, though error-prone, way to prevent injections is to escape dangerous characters. One of the reasons for it being error-prone is that it is a type of blacklist, which is less robust than a whitelist. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. In PHP, for example, it is usual to escape parameters using the function mysql_real_escape_string before sending the SQL query:

    $query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
                     mysql_real_escape_string($Username),
                     mysql_real_escape_string($Password));
    mysql_query($query);
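The quote-doubling rule above, carried through in working code, as an added example that is not part of the original article. It shows both sides of the "error-prone" remark: applied to a value that sits inside single quotes, escaping does neutralise the tautology from earlier in the article while still accepting a legitimate apostrophe; applied to a value spliced into an unquoted numeric position, it does nothing, because there is no quote to double. The example uses Python's sqlite3 (where '' is the complete escaping rule; MySQL needs mysql_real_escape_string); the table, rows and function names are assumptions:

```python
import sqlite3


def escape_sql_string(value):
    """The escaping rule the text gives: every single quote becomes two.
    Complete for SQLite, which has no backslash escapes; other engines differ."""
    return value.replace("'", "''")


def sample_db():
    # Constructed sample rows, not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "o'neil", "pw")])
    return conn


def lookup_escaped(conn, username):
    """Escaped value inside single quotes: the PHP pattern from the text, in Python."""
    query = "SELECT UserName FROM Users WHERE UserName='%s'" % escape_sql_string(username)
    return [r[0] for r in conn.execute(query)]


def lookup_escaped_numeric(conn, user_id):
    """Same escaping, but the value lands in an unquoted numeric position. The attacker
    needs no quote to close, so doubling quotes changes nothing (a blacklist miss)."""
    query = "SELECT UserName FROM Users WHERE id=%s" % escape_sql_string(user_id)
    return [r[0] for r in conn.execute(query)]


def demo():
    conn = sample_db()
    return {
        "quoted_tautology": lookup_escaped(conn, "a' or 't'='t"),        # escaping works
        "legit_apostrophe": lookup_escaped(conn, "o'neil"),              # and stays usable
        "numeric_tautology": sorted(lookup_escaped_numeric(conn, "1 OR 1=1")),  # escaping fails
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

The numeric case is exactly the "bypassing the need for escape characters" situation described under Incorrect type handling: the defence has to be a whitelist on the value (it must be an integer) or a bound parameter, not a blacklist on characters.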

Real-world examples
• On October 26, 2005, unknown Heise readers replaced a page owned by the German TV station ARD which advertised a pro-RIAA sitcom with Goatse using SQL injection.[10]
• On November 1, 2005, a high school student used a SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.[11]
• On January 13, 2006, Russian hackers broke into a Rhode Island government web site and allegedly stole credit card data from individuals who have done business online with state agencies.[12]
• On March 29, 2006, Susam Pal discovered a SQL injection flaw in an official Indian government tourism site.[13]
• On March 2, 2007, Sebastian Bauer discovered a SQL injection flaw in the knorr.de login page.[14]
• On June 29, 2007, a hacker defaced a Microsoft U.K. web page using SQL injection.[15][16] U.K. website The Register quoted a Microsoft spokesperson acknowledging the problem.
• In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.[17]
• On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site for 'routine maintenance' after being informed that 10,597 social security numbers from sex offenders had been downloaded by SQL injection.[18]
• In May 2008, a server farm inside China used automated queries to Google's search engine to identify SQL server websites which were vulnerable to the attack of an automated SQL injection tool.[17][19]
• In July 2008, Kaspersky's Malaysian site was hacked by a Turkish hacker going by the handle of "m0sted", who claimed to have used SQL injection.[20]
• In 2008, at least April through August, a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL Server database server. The attack doesn't require guessing the name of a table or column, and corrupts all text columns in all tables in a single request.[21] An HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited web pages is estimated at 500,000.[22]
• On August 17, 2009, the United States Justice Department charged an American citizen and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of identity theft in American history", the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.[23]

External links
• SQL Injection WASC Threat Classification Entry [24], by the Web Application Security Consortium
• SQL Injection Cheatsheet [25], by the Open Web Application Security Project
• SQL Injections on PHP, GNU-licensed online book chapter
• Advanced SQL injection on SQL server / ASP pages [26], 2002; second part [27]
• SQL Server vulnerabilities [28]
• SQL Injection Defenses - Parameterized Queries [29], Security Guidance from OWASP
• Guidance from OWASP on how to prevent SQL Injection [25] - The SQL Injection Prevention Cheat Sheet
• Secure your ColdFusion application against SQL Injection attacks [30] - Article from Adobe Developer Connection, ColdFusion Developer Center
• MySQL: Secure Web Apps - SQL Injection techniques [31], Article that explains how SQL Injection works.
• xkcd comic lampooning SQL injection [32]


References
[1] Watson, Carli (2006). Beginning C# 2005 Databases. ISBN 978-0-470-04406-3, pages 201-5.
[2] "E.1.7. Changes in MySQL 5.0.22 (24 May 2006)" (http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html). MySQL AB. 2006-05-04. Retrieved 2008-05-16. "An SQL-injection security hole has been found in multi-byte encoding processing", retrieved March 20 2008.
[3] "Absinthe" (http://www.0x90.org/releases/absinthe/) tool or "SQLBrute" (http://www.gdssecurity.com/l/t.php) tool; "Using SQLBrute to brute force data from a blind SQL injection point" (http://www.justinclarke.com/archives/2006/03/sqlbrute.html). Justin Clarke. Retrieved 2008-10-18.
[4] Ofer Maor and Amichai Shulman. "Blind SQL Injection: Getting the syntax right" (http://www.imperva.com/resources/adc/blind_sql_server_injection.html#getting_syntax_right). Imperva. Retrieved 2008-05-16. "This is usually the trickiest part in the blind SQL injection process. If the original queries are simple, this is simple as well. However, if the original query was complex, breaking out of it may require a lot of trial and error."
[5] Official documentation for the PDO extension (http://www.php.net/pdo), php.net.
[6] Official documentation for the Mysqli extension (http://www.php.net/mysqli), php.net.
[7] Prepared Statements in PHP and MySQLi (http://www.mattbango.com/articles/prepared-statements-in-php-and-mysqli), Matt Bango.
[8] Protecting ColdFusion server behaviors from SQL injection vulnerability (http://kb.adobe.com/selfservice/viewContent.do?externalId=300b670e).
[9] Forta.com - Blog (http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored).
[10] "Adelheid und ihre Hacker" (http://www.heise.de/newsticker/meldung/65441). heise online. 2005-10-27. Retrieved 2008-05-16. (German)
[11] "WHID 2005-46: Teen uses SQL injection to break to a security magazine web site" (http://www.webappsec.org/projects/whid/list_id_2005-46.shtml). Web Application Security Consortium. 2005-11-01. Retrieved 2008-05-16.
[12] "WHID 2006-3: Russian hackers broke into a RI GOV website" (http://www.webappsec.org/projects/whid/list_id_2006-3.shtml). Web Application Security Consortium. 2006-01-13. Retrieved 2008-05-16.
[13] "WHID 2006-27: SQL Injection in incredibleindia.org" (http://www.webappsec.org/projects/whid/list_id_2006-27.shtml). Web Application Security Consortium. 2006-03-29. Retrieved 2008-05-16.
[14] "WHID 2007-12: SQL injection at knorr.de login page" (http://www.webappsec.org/projects/whid/list_id_2007-12.shtml). Web Application Security Consortium. 2007-03-02. Retrieved 2008-05-16.
[15] Robert (2007-06-29). "Hacker Defaces Microsoft U.K. Web Page" (http://www.cgisecurity.net/2007/06/hacker-defaces.html). cgisecurity.net. Retrieved 2008-05-16.
[16] Keith Ward (2007-06-29). "Hacker Defaces Microsoft U.K. Web Page" (http://rcpmag.com/news/article.aspx?editorialsid=8762). Redmond Channel Partner Online. Retrieved 2008-05-16.
[17] Sumner Lemon, IDG News Service (2008-05-19). "Mass SQL Injection Attack Targets Chinese Web Sites" (http://www.pcworld.com/businesscenter/article/146048/mass_sql_injection_attack_targets_chinese_web_sites.html). PCWorld. Retrieved 2008-05-27.
[18] Alex Papadimoulis (2008-04-15). "Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data" (http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx). The Daily WTF. Retrieved 2008-05-16.
[19] Michael Zino (2008-05-01). "ASCII Encoded/Binary String Automated SQL Injection Attack" (http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx).
[20] "Kaspersky's Malaysian site hacked by Turkish hacker" (http://blogs.zdnet.com/security/?p=1516).
[21] Giorgio Maone (2008-04-26). "Mass Attack FAQ" (http://hackademix.net/2008/04/26/mass-attack-faq/).
[22] Gregg Keizer (2008-04-25). "Huge Web hack attack infects 500,000 pages" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580).
[23] "US man 'stole 130m card numbers'" (http://news.bbc.co.uk/2/hi/americas/8206305.stm). BBC. August 17, 2009. Retrieved August 17, 2009.
[24] http://www.webappsec.org/projects/threat/classes/sql_injection.shtml
[25] http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[26] http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[27] http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
[28] http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
[29] http://www.owasp.org/index.php/Guide_to_SQL_Injection
[30] http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html
[31] http://www.playhack.net/view.php?id=45
[32] http://xkcd.com/327/


Bonus Material

Password cracking
Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.

Background Passwords to access computer systems are usually stored in a database so the system can perform password verification when a user attempts to login or access a restricted resource. To preserve confidentiality of system passwords, the password verification data is typically not stored in cleartext form, but instead a one-way function is applied to the password, possibly in combination with other data, and the resulting value is stored. When a user later attempts to authenticate by entering the password, the same function is applied to the entered value and the result is compared with the stored value. If they match, there is an extremely high likelihood the entered password was correct. For simplicity in this discussion, we will refer to the one way function employed (which may be either an encryption function or cryptographic hash) as a hash and its output as a hashed password. Even though functions that create hashed passwords may be cryptographically secure, possession of the hashed password provides a quick way to test guesses for the password by applying the one-way function to each guess, and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered. The term password cracking generally refers to recovery of one or more plaintext passwords from hashed passwords, but there are also many other ways of obtaining passwords illicitly. Without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However well designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded. 
With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances, in practice, of cracking at least one are quite high. Other ways to obtain passwords include social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, using a Trojan horse or virus, identity management system attacks (such as abuse of self-service password reset) and compromising host security (see password for details). While those methods are not considered "password cracking", they are very popular among criminals (notably phishing) and remain very effective. They are often considered the main vulnerability in password authentication systems.

Common methods for verifying users over a computer network often expose the hashed password. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to a network eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.
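The online/offline distinction drawn above can be made concrete. The following is an added Python example, not code from the article or from any project it names: a fast, unsalted hash stands in for the stored verification data, a small login model enforces a failed-attempt quota and records an alert when it is exceeded, and the same constructed candidate list is run through both the online path (rate limited, logged) and the offline path (hash in hand, nothing to stop or observe the guessing). The user record, candidate list, quota value and class names are all constructed for this example.

```python
import hashlib
import secrets

# Constructed sample data: one user record holding an unsalted SHA-256 hash,
# standing in for the "hashed password" of the text. The hash is fast on
# purpose, because fast hashing is exactly what makes offline testing cheap.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

STORED_HASH = fast_hash("summer2009")          # constructed example password
CANDIDATES = ["password", "letmein", "qwerty",  # constructed guess list
              "summer2008", "summer2009", "hunter2"]


class OnlineAuthenticator:
    """Model of a login endpoint that limits failed attempts and alerts on overflow."""

    def __init__(self, stored_hash: str, max_failures: int = 3):
        self.stored_hash = stored_hash
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.alerts = []          # what an administrator would be told

    def login(self, guess: str) -> bool:
        if self.locked:
            return False          # further guesses are refused outright
        # constant-time comparison so the check itself leaks no timing signal
        if secrets.compare_digest(fast_hash(guess), self.stored_hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            self.alerts.append(
                f"account locked after {self.failures} failed attempts")
        return False


def online_attempt(candidates, auth: OnlineAuthenticator):
    """Push candidates through the login endpoint.
    Returns (recovered_password_or_None, attempts_made)."""
    for n, guess in enumerate(candidates, start=1):
        if auth.login(guess):
            return guess, n
        if auth.locked:
            return None, n        # quota hit: the rest are never tried
    return None, len(candidates)


def offline_attempt(candidates, stored_hash: str):
    """With the hash itself, every candidate is tested locally and silently."""
    for n, guess in enumerate(candidates, start=1):
        if fast_hash(guess) == stored_hash:
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    auth = OnlineAuthenticator(STORED_HASH)
    print("online :", online_attempt(CANDIDATES, auth), auth.alerts)
    print("offline:", offline_attempt(CANDIDATES, STORED_HASH))
```

Run as a script, the online path stops after the third wrong guess with the account locked and an alert recorded, while the offline path reaches the correct candidate on the fifth try with no record left anywhere, which is the asymmetry the text describes.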

Principal attack methods

Weak encryption

If a system uses a poorly designed password hashing scheme to protect stored passwords, an attacker can exploit any weaknesses to recover even 'well-chosen' passwords. One example is the LM hash that Microsoft Windows XP and earlier versions use by default to store user passwords of less than 15 characters in length. LM hash converts the password to all uppercase letters, then breaks the password into two 7-character fields which are hashed separately, which allows each half to be attacked individually.

Password encryption schemes that use stronger hash functions like MD5, SHA-512, SHA-1, and RIPEMD-160 can still be vulnerable to brute-force and precomputation attacks. Such attacks do not depend on reversing the hash function. Instead, they work by hashing a large number of words or random permutations and comparing the result of each guess to a user's stored password hash. Modern schemes such as MD5-crypt[1] and bcrypt use purposefully slow algorithms so that the number of guesses that an attacker can make in a given period of time is relatively low. Salting, described below, greatly increases the difficulty of such precomputation attacks, perhaps sufficiently to resist all attacks; every instance of its use must be evaluated independently, however.

Because progress in analyzing existing cryptographic hash algorithms is always possible, a hash which is effectively invulnerable today may become vulnerable tomorrow. Both MD5 and SHA-1, long thought secure, have been shown vulnerable to attacks more efficient than brute force. For encryption algorithms (rather different from cryptographic hashes) the same has been true. DES has been broken (in the sense that attacks more efficient than brute force have been discovered), and computers have become fast enough that its short key (56 bits) is clearly and publicly insecure even against brute force attacks. Passwords protected by these measures will thereby become vulnerable, and passwords still in use thereby exposed. Historical records are not always and forever irrelevant to today's security problems.

Guessing, dictionary and brute force attacks

The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, can incorporate knowledge about the victim, and can be linguistically derived. Each of the three terms, particularly 'dictionary attack', is frequently used as an umbrella term to denote all three attacks and the spectrum of attacks encompassed by them.


Guessing

Passwords can sometimes be guessed by humans with knowledge of the user's personal information. Examples of guessable passwords include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
• the user's name or login name
• the name of their significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's, or a relative's
• their automobile license plate number, or a friend's, or a relative's
• their office number, residence number or, most commonly, their mobile number
• the name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of the letters
• a swear word
• and so, extensively, on

Personal data about individuals are now available from various sources, many on-line, and can often be obtained by someone using social engineering techniques, such as posing as an opinion surveyor or a security control checker. Attackers who know the user may have information as well. For example, if a user chooses the password "YaleLaw78" because he graduated from Yale Law School in 1978, a disgruntled business partner might be able to guess the password.

Guessing is particularly effective with systems that employ self-service password reset. For example, in September 2008, the Yahoo e-mail account of Sarah Palin, Governor of Alaska and nominee for Vice President of the United States, was accessed without authorization by someone who was able to research answers to two of her security questions, her zip code and date of birth, and was able to guess the third, where she met her husband.[2]

Dictionary attacks

Users often choose weak passwords. Examples of insecure choices include the above list, plus single words found in dictionaries, given and family names, any too-short password (usually thought to be 6 or 7 characters or less), or any password meeting a too restrictive, and so predictable, pattern (e.g., alternating vowels and consonants). Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by sophisticated cracking programs armed with dictionaries and, perhaps, the user's personal information.[3] In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords were a single word findable in a dictionary, and another 12 percent were a word plus a final digit; two-thirds of the time that digit was 1.[4] Some users neglect to change the default password that came with their computer system account.
And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. An infamous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than normal user accounts. Lists of default passwords are available on the Internet.[5] [6] Gary McKinnon, accused by the United States of perpetrating the "biggest military computer hack of all time",[7] has claimed that he was able to get into the military's networks simply by using a Perl script that searched for blank passwords; in other words, his report suggests that there were computers on these networks with no passwords at all.[8] Cracking programs exist which accept personal information about the user being attacked and generate common variations for passwords suggested by that information.[9] [10]

Brute force attack

A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively short; however, techniques using parallel processing can reduce the time to find the password in proportion to the number of compute devices (CPUs) in use.

This depends heavily on whether the prospective attacker has access to the hash of the password, in which case the attack is called an offline attack (it can be done without connection to the protected resource), or not, in which case it is called an online attack. An offline attack is generally much easier, because testing a password is reduced to a quickly calculated mathematical computation (i.e., calculating the hash of the password to be tried and comparing it to the hash of the real password). In an online attack, the attacker has to actually try to authenticate with all the possible passwords, where arbitrary rules and delays can be imposed by the system and the attempts can be logged.

A common password length recommendation is eight or more randomly chosen characters combining letters, numbers, and special characters (punctuation, etc.).
This recommendation makes sense for systems using stronger password hashing mechanisms such as md5-crypt and the Blowfish-based bcrypt, but is inappropriate for many Microsoft Windows systems because they store a legacy LAN Manager hash which splits the password into two seven-character halves. On these systems, an eight-character password is converted into a seven-character password and a one-character password. For better security, LAN Manager password storage should be disabled if it will not break supported legacy systems.[11]

Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices also make brute force attacks easier. Using longer passwords in these cases (if possible) can compensate for the limited allowable character set. Of course, even with an adequate range of character choice, users who ignore that range (e.g., using only upper case alphabetic characters, or digits alone) make brute force attacks against their accounts much easier.

Generic brute-force search techniques are often successful, but smart brute-force techniques, which exploit knowledge about how people tend to choose passwords, pose an even greater threat. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8-character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. This amount of entropy is far less than what is generally considered safe for an encryption key.

How small is too small for offline attacks thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose.

Precomputation

In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the word and its computed hash in a way that enables lookup on the list of computed hashes. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries.

Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)). The theory has recently been refined into a practical technique. Another example[12] cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Windows systems prior to Windows Vista/Server 2008 compute and store a LAN Manager hash by default for backwards compatibility.[11]

A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other.

Salting

The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting.
When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough, there are too many possibilities and the attacker must repeat the encryption of every guess for each user. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits respectively.[13]

Early Unix password vulnerability

Early Unix implementations limited passwords to 8 characters and used a 12-bit salt, which allowed for 4096 possible salt values. While 12 bits was good enough for most purposes in the 1970s (although some expressed doubts even then), by 2005 disk storage had become cheap enough that an attacker can precompute the hashes of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6-character passwords and the most common 7- and 8-character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer salt, and because longer salts render any precomputation or memoization hopeless, modern implementations choose to do so.
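The precomputation, memoization and salting sections above describe three cost models; counting hash computations makes the difference visible. The following is an added Python example, not code from the article or from any project it names: an unsalted table gives recovery by a single lookup, memoization hashes each candidate once against many stored hashes, and a random per-user salt forces the attacker to redo every guess for every user. SHA-256 stands in for whatever unsalted hash a system uses, and the word list, user records, salt length and function names are constructed for this example.

```python
import hashlib
import os

# Constructed sample candidate list; a real one would be far larger.
DICTIONARY = ["password", "letmein", "qwerty", "summer2009", "hunter2", "dragon"]


def h(data: str) -> str:
    """Fast one-way function standing in for any unsalted password hash."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def build_table(words):
    """Precomputation: hash every candidate once, index hash -> word."""
    return {h(w): w for w in words}


def lookup(table, stored_hash: str):
    """Against an unsalted hash, recovery is one dictionary lookup."""
    return table.get(stored_hash)


def crack_many_memoized(words, stored_hashes):
    """Memoization: each candidate is hashed once and compared with every
    stored hash via a set. Returns ({hash: word}, hash computations made)."""
    targets = set(stored_hashes)
    found, computations = {}, 0
    for w in words:
        computations += 1
        digest = h(w)
        if digest in targets:
            found[digest] = w
    return found, computations


def make_salted_record(password: str, salt_bytes: int = 16):
    """Salting as the text describes: a random per-user salt is stored
    beside the hash of salt + password. 16 bytes = 128 bits, as in bcrypt."""
    salt = os.urandom(salt_bytes).hex()
    return salt, h(salt + password)


def crack_many_salted(words, records):
    """With distinct salts, neither a table nor memoization applies: every
    candidate must be rehashed for every user. Returns ({hash: word}, count)."""
    found, computations = {}, 0
    for salt, digest in records:
        for w in words:
            computations += 1
            if h(salt + w) == digest:
                found[digest] = w
                break
    return found, computations


if __name__ == "__main__":
    table = build_table(DICTIONARY)
    print("unsalted lookup:", lookup(table, h("letmein")))
    unsalted = [h("qwerty"), h("dragon"), h("zebra-unique")]
    print("memoized:", crack_many_memoized(DICTIONARY, unsalted)[1], "hashes")
    salted = [make_salted_record(p) for p in ("qwerty", "dragon", "zebra-unique")]
    print("salted:  ", crack_many_salted(DICTIONARY, salted)[1], "hashes")
    print("table vs salted record:", lookup(table, salted[0][1]))
```

With three users the salted path already costs 15 hash computations against 6 for the memoized one, and the gap grows linearly with the number of users, which is why the text calls long salts the end of precomputation and memoization. A 12-bit salt would only multiply the table by 4096, which the Early Unix section shows was affordable by 2005.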

Prevention

The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file, /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit passwords in cleartext or use weak challenge/response schemes.[14] [15]

Modern Unix systems have replaced traditional DES-based password hashing with stronger methods based on MD5 and Blowfish.[16] Other systems have also begun to adopt these methods. For instance, Cisco IOS originally used a reversible Vigenère cipher to encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret" command is used.[17] These newer methods use large salt values which prevent attackers from efficiently mounting offline attacks against multiple user accounts simultaneously. The algorithms are also much slower to execute, which drastically increases the time required to mount a successful offline attack.[13]

Solutions such as security tokens address the problem by constantly changing the password. They sharply reduce the time frame for brute forcing (the attacker needs to break and use the password within a single rotation period) and reduce the value of stolen passwords because of their short validity.
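The two prevention properties the text credits to md5-crypt and bcrypt, a large random salt and a deliberately slow algorithm, can be shown with a standard-library key derivation function. The following is an added Python example, not code from the article or from any project it names: PBKDF2-HMAC-SHA256 (chosen here because it ships with Python; the text's own examples are md5-crypt and bcrypt) with a 128-bit salt and a tunable iteration count, stored in a self-describing record so the work factor can be raised later without breaking old records, and verified with a constant-time comparison. The record format, iteration count, salt size and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 100_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit salt, the size the text gives for bcrypt
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The salt is random per call, so equal passwords yield different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in
    constant time so verification itself leaks nothing about the match."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy;
    the usual moment to upgrade it is right after a successful login."""
    return int(record.split("$")[1]) < current_iterations


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many guesses per second one core manages at this work
    factor; an offline attacker's rate on the same hardware is no better."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


def slowdown_factor(fast_iterations: int, slow_iterations: int) -> float:
    """Attacker cost scales linearly with the iteration count."""
    return slow_iterations / fast_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok :", verify_password(rec, "correct horse battery staple"))
    print("verify bad:", verify_password(rec, "correct horse"))
    print("guesses/s at 1 iteration   :", round(guesses_per_second(1)))
    print("guesses/s at", ITERATIONS, "iterations:",
          round(guesses_per_second(ITERATIONS), 2))
```

Running the script shows the ratio between the two guess rates tracking the iteration count almost exactly, which is the whole mechanism behind "purposefully slow": the legitimate login pays the cost once, the offline attacker pays it per candidate per user.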

Software

There are many password cracking software tools, but the most popular[18] are Cain and Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many litigation support software packages also include password cracking functionality. Most of these packages employ a mixture of cracking strategies, with brute force and dictionary attacks proving to be the most productive.

See also
• Cryptographic key length
• Password-authenticated key agreement


External links
• Password Cracking with Rainbowcrack and Rainbow Tables [19]
• Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc [20]
• Philippe Oechslin: Making a Faster Cryptanalytic Time-Memory Trade-Off. CRYPTO 2003: pp617–630 [21]
• NIST Special Publication 800-63: Electronic Authentication Guideline [22]

References
[1] http://www.usenix.org/events/usenix99/provos/provos_html/node10.html
[2] http://news.yahoo.com/s/ap/20080918/ap_on_el_pr/palin_hacked
[3] Password security (http://portal.acm.org/citation.cfm?id=359168.359172)
[4] ZDNet Report: Net users picking safer passwords (http://news.zdnet.com/2100-1009_22-150640.html)
[5] Default Password List (http://www.phenoelit.de/dpl/dpl.html), Phenoelit.de. Retrieved on 2007-05-07
[6] Default Password List Project (http://www.helith.net/projects/alecto), Helith.net. Retrieved on 2009-08-12
[7] British hacker fights extradition (http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/6360917.stm), BBC News, February 14 2007
[8] Transcript of the interview (http://news.bbc.co.uk/1/hi/programmes/click_online/4977134.stm), BBC Click
[9] John the Ripper project, John the Ripper cracking modes (http://www.openwall.com/john/doc/MODES.shtml)
[10] Bruce Schneier, Choosing Secure Passwords (http://www.schneier.com/blog/archives/2007/01/choosing_secure.html)
[11] "How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases" (http://support.microsoft.com/kb/299656). Microsoft. Retrieved 2009-02-18.
[12] ophcrack (http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/)
[13] Password Protection for Modern Operating Systems (http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf)
[14] No Plaintext Passwords (http://www.usenix.org/publications/login/2001-11/pdfs/singer.pdf)
[15] Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (http://www.schneier.com/paper-pptp.html)
[16] A Future-Adaptable Password Scheme (http://www.usenix.org/events/usenix99/provos.html)
[17] MDCrack FAQ 1.8 (http://c3rb3r.openwall.net/mdcrack/download/FAQ-18.txt)
[18] "Top 10 Password Crackers" (http://sectools.org/crackers.html). Sectools. Retrieved 2008-11-01.
[19] http://www.darknet.org.uk/2006/02/password-cracking-with-rainbowcrack-and-rainbow-tables/
[20] http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html
[21] http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf
[22] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

Article Sources and Contributors

Social engineering (security)  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308637163  Contributors: (jarbarf), Aaa111, Abaddon314159, Academic Challenger, Adamdaley, Aldaron, Alerante, AlistairMcMillan, Anon126, Anton Khorev, ArnoldReinhold, Arsenikk, Beagle2, Beland, Bjornar, Bmicomp, Brockert, Brutulf, Chahax, ChangChienFu, Chinasaur, Chipuni, ChiuMan, Chmod007, Chovain, Chrisdab, Chuayw2000, CliffC, Coemgenus, Cryptic C62, Cumulus Clouds, CutterX, Cybercobra, Cynical, D6, Da nuke, Dancter, Daniel Quinlan, DanielPharos, DavidDW, Dcoetzee, Ddddan, Dddenton, DevastatorIIC, Dionyziz, Dp76764, Dravir, DuFF, EDGE, ESkog, EVula, Ehheh, Einsteininmyownmind, Elonka, Equendil, Eric1608, Evilandi, Faradayplank, Fenice, Frecklefoot, Frehley, Fskrc1, Gdo01, Gettingtoit, Gizzakk, Gogo Dodo, Greswik, Ground Zero, Gscshoyru, Guy Harris, Haseo9999, Heqwm, Hmwith, I already forgot, IGEL, InfoSecPro, Intgr, J Cricket, JMMING, Jerzy, Jfire, Joelr31, John Broughton, Johnisnotafreak, Jumpropekids, Kaihsu, Katanada, Khym Chanur, Kimchi.sg, Kleinheero, KnightRider, Knowledge Seeker, Kpjas, Ksharkawi, Lamename3000, Leonard G., Lexlex, Lightmouse, Lioux, Lord Matt, Lukeonia1, MER-C, Mac Davis, Majorly, Matt Crypto, McGeddon, Mckaysalisbury, Mdebets, MeekMark, MeltBanana, Midnightcomm, Mild Bill Hiccup, Moitio, MrOllie, NTK, Nafango2, Namzie11, Netsnipe, Nirvana888, NoticeBored, Nuno Tavares, Nuwewsco, Oddity-, Olrick, Omicronpersei8, Omphaloscope, Othtim, Pgillman, Ph.eyes, Philip Trueman, Phoenixrod, Pmsyyz, Primarscources, Princess Tiswas, RJBurkhart3, RainbowOfLight, Rebroad, RenniePet, RevolverOcelotX, Rich Farmbrough, Rjwilmsi, RobertG, Rohasnagpal, Rosenny, Rossami, SGBailey, Sephiroth storm, Sesquiped, Shabda, Shirulashem, Socrates2008, Srikeit, Starschreck, Studiosonic, Sue Rangell, TXiKi, Teemu Maki, The Anome, The Firewall, Thepatriots, Thesloth, Thingg, Thipburg, Tmchk, Tomisti, TonyW, Tsnapp, Tunheim, Unyoyega, Uriber, 
Vary, Ventura, Versus22, Virgil Vaduva, Waldir, WhisperToMe, Wilku997, WolFStaR, Woohookitty, Wshepp, XL2D, Xiong Chiamiov, Zarkthehackeralliance, Zomgoogle, 334 anonymous edits Spyware  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308278722  Contributors: *drew, 10014derek, 2IzSz, AGK, Aaronit, Aarontay, Abbadox, Abdomination, Absmith111, AbsolutDan, Abune, Academic Challenger, Adam1213, Adams527, Adashiel, Admiral Roo, Aenar, Ahoerstemeier, Akamad, AlMac, Aleahey, Alekjds, Alerante, Alestrial, Alevine-eantflick, Alexarankteam, Alexius08, Alexs letterbox, Alexwcovington, Alistair.phillips1, AlistairMcMillan, Alistairphillips, Allen3, Allstarecho, Alpheus, Amanaplanacanalpanama, Amcfreely, Amire80, Anaraug, AndrewJNeis, Andrewlp1991, Andrewpmk, Andros 1337, Andykitchen, Andypandy.UK, Angelsfreeek, Anon user, Anotherpongo, Antandrus, Anthony, Anthony5429, Anti328, Apparition11, Ariele, Arienh4, Arlondiluthel, Arwel Parry, Astral9, AtOMiCNebula, Attilios, Atulsnischal, Aude, Avastik, Axlq, AySz88, BCube, BD2412, Backpack123, Backpackkk, Baeksu, BanyanTree, Barefootguru, Barek, Bayerischermann, Baysalc, Bercyon, Berek, Bevo, Bgold4, Bhaddow, Bichon, Bigjake, Bigtop, BlaiseFEgan, BlastOButter42, Blobglob, Blue520, Bluezy, Bmicomp, Boarder8925, Bobo192, Bogdangiusca, Bongwarrior, Boothy443, BorgQueen, Bornhj, Braksus, Brendandonhue, Browell172, BubbleDude22, Bugtrio, Bushcarrot, Butros, CambridgeBayWeather, Camp3rstrik3r, CamperStrike, Can't sleep, clown will eat me, Canderson7, CanisRufus, Capricorn42, Carbonite, Cbrown1023, Ccole, Cgs, Chaojoker, CharlotteWebb, Che829, Chemturion, Chensiyuan, Chessphoon, ChesterMarcol, Chris the speller, ChrisO, ChrisPerardi, Chrisch, Christopher denman, Christos2121, Clawed, ClementSeveillac, Clicketyclack, CliffC, Clintmsand, Clsdennis2007, Codetiger, Coemgenus, Colinstu, College222, Compman12, CompuHacker, Conversion script, Cool Blue, Copper20, Cowicide, Coyote376, Crazyman, Creative210, Cronus, CryptoDerk, 
Cwolfsheep, Cybercobra, Cykloman15, D. Kapusta, DHN, Dajahew1, Danalpha31, Daniel, Daniel Brockman, Daniel Case, Danno uk, Dannysalerno, Danski14, Darklord.dave, Darth Panda, Darthveda, DataGigolo, Davewild, DavidWBrooks, Dcooper, DeadEyeArrow, Deepmath, Dehumanizer, Deli nk, Delldot, Deltabeignet, Demizh, Denelson83, Destin, DevinCook, Dfense, Digita, DigitalMonster, Discospinster, Dispenser, DocWatson42, Drini, Drongo, Dspradau, Dubboy1969, Dylan Lake, Dysprosia, ERcheck, ESkog, Ecb29, Edward, Egosintrick, El aprendelenguas, ElBenevolente, ElDakio, Ellmist, Eloquence, Emc2, Emperordarius, Encephalon, Engwar, Entgroupzd, Epbr123, Episteme-jp, EricV89, Espoo, Estoy Aquí, Evercat, Everyking, Evil Monkey, Evildeathmath, Ewc21, Eyu100, Fabioejp, Fakir005, Falconleaf, Fang 23, Faradayplank, Fayul, Femto, Fennec, Ferkelparade, Fiilott, Fireball, Firewall-guy, Flakmonkey24, Flamesrule89, Flamingpanda, Flipjargendy, FlyingPenguins, FrYGuY, FrancoGG, Frap, Frecklefoot, Fredgoat, Fredtheflyingfrog, Freejason, Frencheigh, Fsf, Fubar Obfusco, Fvw, GRider, Gabi S., Gadfium, Gaius Cornelius, Galoubet, Gary09202000, GeneralPatton, Georgeryp, Gholam, GhostDancer, Gilliam, Ginza, Glen, God Of All, Golbez, Gorffy, Gorgonzilla, Gorx, GraYoshi2x, Gracefool, Graciella, GraemeL, Green caterpillar, Grendelkhan, Grunt, Guaka, Gundato, Gurch, Haakon, Hadal, Haham hanuka, Halstonm, HamburgerRadio, Harro5, Hdt83, Hede2000, Heimstern, Hellohellohello007, Herenthere, Hermione1980, Hiddenstealth, Homestarmy, HowardLeeHarkness, I2omani, ICaNbEuRsOuLjAgIrL, IHateMalware, IRP, Ian Pitchford, Icey, Idemnow, Igorberger, Ilpalozzo, Imroy, InShaneee, Incognito, Ingolfson, Inter, Interiot, Intgr, Iridescent, Irishguy, Ittan, IvanLanin, J Di, J Milburn, J.delanoy, JLaTondre, JYOuyang, JYolkowski, Jacobdead, Jag123, Jake Nelson, Jam01, JamesTeterenko, Jamesday, Jammy467, Jasrocks, Jax9999, Jclemens, Jcmiras, Jcw69, Jed keenan, Jeff G., Jeltz, Jenny Wong, Jeremyb, Jesster79, JethroElfman, JiFish, Jmax-, 
Jnk, JoeSmack, JonHarder, Jonathunder, Joost Kieviet, Josh Parris, Joyous!, Jsorensen, Julesd, Juliancolton, Junkcops, Jushi, JustinHall, Justinm1978, Justinstroud, Justzisguy, Jwright1, KF, Kadzuwo, KaintheScion, Kanecain, Karada, Kaunietis25, Keepitreal74, Kejoxen, KelleyCook, Kelly Martin, Kencaesi, Kerry7374, Kesac, Kevin Breitenstein, Khaosworks, Khym Chanur, King of Hearts, Kingboyk, Kipholbeck, Kirill Lokshin, Kiyo o, Klosterdev, Kmesserly, KnowledgeOfSelf, Korath, Korinkami, Korpios, Kotjze, Kribbeh, Ksero, Kungfuadam, Kusma, Kynes, Kyorosuke, Kyrin, LC, LGagnon, LOL, Lcaa9, LeaveSleaves, LebanonChild, Leemeng, Legendsword, Leuk he, Linkspamremover, Llamadog903, Lo2u, Localh77, LonelyWolf, Longhair, Lonyo, Loren.wilton, LostAccount, Lowellian, Luminique, Luna Santin, Lupin, Lzur, M3tal H3ad, MCBastos, MFNickster, MOO, Mac, Mackmar, MacsBug, MadMom2, Maestro25, MagneticFlux, Mani1, Manop, MarcK, Mardus, Marskell, Martin451, Martpol, Maryevelyn, Master Bigode, Matthuxtable, MauriceJFox3, Mav, Maximaximax, Mcfly85, Meelar, Meggar, Melsaran, Member, Mentifisto, Mguy, Michael Snow, Michael.koe, Mickelln, Midnightcomm, Mike A Quinn, Mike Rosoft, Mike5906, Mikemsd, Mikenolte, Mikey129, Mikon8er, Mild Bill Hiccup, Milenamm, Mindmatrix, Minghong, MinnetonkaCZ, Mirv, Misza13, Mmeiser, Modemac, Modulatum, Monkeyman, Monotonehell, Moondyne, Morriske, Morryau, Moulder, Mphill14, Mr. 
pesci, Mr.Fraud, Mr.Z-man, MrArt, Mroesler, Mwanner, Mwongozi, Mydogategodshat, Myststix, Mzub, Najoj, Nakon, Naryathegreat, Natalie Erin, NeilN, Neon white, Neutrality, Nevyan, Nixeagle, Nkedel, Nneonneo, Nonagonal Spider, Nosferatus2007, Notheruser, Noxious Ninja, Nuggetboy, OKtosiTe, Oblivious, Octahedron80, Ohnoitsjamie, OlEnglish, Omicronpersei8, Operator link, Oscarthecat, Ossmann, Otnru, Overtheblock, Ownlyanangel, Pablomartinez, Pakaran, Parajuris, Paranoid, Pascal666, Paul August, Paul Quirk, Pavel Vozenilek, Pdub567, Pedant17, Perspective, Peter, Phatom87, Phenry, Piano non troppo, Piotrus, Pixelface, Pleonic, Plethorapw, Plumbago, Poccil, Pockle, Polonium, PraeceptorIP, ProveIt, PseudoSudo, Psychonaut, Pvasiliadis, QmunkE, Quadell, Quarl, Quuxplusone, Qwerty Binary, R Lowry, Rablari Dash, RaccoonFox, Raceprouk, RadioActive, RainR, RandomStringOfCharacters, Rantaro, Raul654, Raven in Orbit, RazorICE, Rcandelori, Rchamberlain, Redrocket, RexNL, Reyk, Rhobite, Rich Farmbrough, Richjkl, RickK, Rip-Saw, Risker, Rmky87, RobertG, Roger McCoy, Roivas, Romal, Roman candles, Rookkey, Rory096, Royalguard11, Rune.welsh, SF007, SG, SMRPG, SPUI, SWAdair, Sabbut, Sam Hocevar, Sandahl, SandyGeorgia, Satori Son, Sbluen, SchfiftyThree, Schooop, Schwartz, Ken, Schzmo, Sdalk208, Sean Whitton, SeanProctor, SeanTheBest949, Seidenstud, Senthil, Sephiroth storm, Shawnc, Shibboleth, Shindo9Hikaru, Shirulashem, Shlomi Hillel, Sifaka, Silver Edge, Simoes, SimonP, Singing guns, Sionus, Sjakkalle, SkerHawx, Skintigh, Skipatek, SkyWalker, Skyezx, Sljaxon, Slusk, Snotty, Someoneinmyheadbutit'snotme, SpaceFlight89, Spartan, Spe88, Splintercellguy, SpookyMulder, Spoon!, Sridev, Steel, Stefanomione, Stephenb, SteveSims, Stewartadcock, Stifle, SuperSmashBros.Brawl777, Superfly789, Supermario99, Swatjester, T-1000, Tannin, TechOutsider, Techwrite, Teddythetank, Teggis, Texture, Tgeorgescu, That Guy, From That Show!, The Epopt, The Firewall, The Negotiator, The Trolls of Navarone, TheJC, 
Thomas H. Larsen, Tiger williams, TigerShark, Tinus, Titoxd, Tobias Bergemann, Toby Bartels, Tokyogamer, TomasBat, Tomchiukc, TonyW, Tor Stein, Toytoy, Treybien, Trickiality, Trimzulu, Trusilver, Twain777, Twinxor, Twsx, Ugnius, Ulric1313, Uucp, Veinor, Vernalex, Vicki Rosenzweig, Vilerage, Violetness, Violetriga, Visualize, Voodoom, Vorash, Voyage34, WJerome, Wai Wai, WalterGR, Warren, Wasisnt, Wavelength, Wayward, Weregerbil, Wereon, Wernher, West Brom 4ever, Weyes, WhisperToMe, White Cat, Who123, Wik, Wiki alf, Wiki989, WikiChip, Wikid77, Wikidenizen, Wikikiki, Wikkid, Willbrydo, Wimt, WojPob, Wowrocker2, Writerjohan, Wrs1864, Wwwwolf, Xaldafax, Xlegiofalco, Xyzzyplugh, YUL89YYZ, Yachtsman1, Yamamoto Ichiro, Yandman, Yelyos, Yodaddy4276, Yuckfoo, ZeWrestler, Zephalis, Zhen-Xjell, ZimZalaBim, Zippanova, Zoney, ZooCrewMan, Zootm, Zpb52, Zundark, Zzuuzz, Zzyzx11, ‫زيلدنف‬, 1749 anonymous edits SQL injection  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308553790  Contributors: .anaconda, Af648, Alerante, Alex Marandon, Aminadav, AndyDent, AndyHassall, Antientropic, Apokrif, ArielGold, ArnoldReinhold, Ayolucas, Badgernet, BaldPark, Belal qudah, Benjamin Pineau, Bensonwu, Bevnet, Bevo, Biskeh, BobKeim, Bookbrad, Btx40, CAN, Caesura, Caim, Catrope, Cdean, Cenzic, Ch'marr, Cheesieluv, Chris-marsh-usa, Chrisjj2, ChristianEdwardGruber, CoJaBo, Collectonian, Cybercobra, DamnFools, Dandv, Danhash, Danielosneto, Daydreamer302000, DerHexer, Discospinster, Disembrangler, Drol, Elkman, Elwikipedista, Enigmasoldier, Enric Naval, Erik9, Everyking, Excirial, Fedevela, Feezo, Ferkelparade, Finngall, Folajimi, Freedomlinux, Furrykef, Garylhewitt, Gmoose1, Gogo Dodo, Golbez, GregorB, HalJor, Hede2000, Hurrrn, Husky, II MusLiM HyBRiD II, Indy90, IntergalacticRabbit, Island, Ixfd64, JLEM, Jamesooders, Javawizard, Jeffq, Jeffrey Mall, Jmanico, Jnarvey, JoeSmack, Jtjacques, KD5TVI, Kahina, Kalimantan kid, Kate, Kenkku, KeyStroke, Kingpin13, Kitchen, Klizza, 
Lawrencegold, Ldo, Liftarn, Little Mountain 5, Luna Santin, Maghnus, Marlith, Martin Hinks, Mboverload, Mcgyver5, Mchl, MeekMark, MentisQ, Michael Slone, MichaelCoates, Michaelhodgins,


MightyWarrior, Miko3k, Mild Bill Hiccup, Milo99, Mopatop, Moreschi, Mrdehate, Nabieh, Nbertram, Nic tester, Nickgalea, Nidheeshks, Njan, Nosbig, Od Mishehu, Off!, Oli Filth, Oskar Sigvardsson, Oxymoron83, Panoptical, Pearll's sun, Peterl, Pharaoh of the Wizards, Piano non troppo, Pinecar, Pingveno, Plumbago, Portablegeek, Project2501a, Public Menace, RadioActive, Rand20s, Ratfox, Raztus, Reedy, Revivethespirit, ReyBrujo, Rjanag, Rodney viana, Roman Lagunov, Ronhjones, Roshenc, Rpkrawczyk, SP-KP, Samngms, ScottW, Shabbirbhimani, Shlomif, Shtirlitz, Sniper1rfa, Societebi, Sorfane, SteinbDJ, Storm Rider, Straussian, Suei8423, Superm401, Taka, Terrifictriffid, TheBilly, TheRingess, ThomasMueller, Tjkiesel, Tobi Kellner, Tom-, Trevor MacInnis, Troels Arvin, Unlox775, VASTA zx, Vis says, Vladocar, Vupen, Wbrice83186, Werikba, WibWobble, Wikilost, Wkeevers96, Wknight94, Wwwwolf, XDanielx, Yamamoto Ichiro, ZZ9pluralZalpha, Zedlander, Zgadot, Zzuuzz, 501 anonymous edits

Password cracking  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308021364  Contributors: 0x6D667061, A. 
Parrot, Alphachimp, Altenmann, Andrewpmk, Angus Lepper, Anilgupta, Ankitblog, Antandrus, Arakunem, ArnoldReinhold, Arvindn, Asenine, Atanumm, Baiji, Blaimjos, BlueDevil, Bobo192, CIreland, Cate, Ccscott, Chrislk02, Christopher Parham, ClementSeveillac, Csamuel, D thadd, DVD R W, Danpoulton, DavidJablon, Dgies, Dino, Discospinster, Dispenser, Diverdan, Eric-Wester, Erik9, F, Faisal.akeel, Fangz, FatalError, Ferociouskiller, Fogster, Freakofnurture, Fribbulus Xax, Fritz Saalfeld, Furrykef, G-smooth2k, GIBBOUS3, Gbeeker, Ghepeu, GreatWhiteNortherner, Greeves, Gscshoyru, Gsp, H2g2bob, Haakon, Happykaka, Hintss, Holyhobo, Hu12, Hulsie, Impherring13, J Di, JForget, Jasonrdavis1, Jazzmaphone, JidGom, JonHarder, Joy, KVDP, KennethJ, KnowledgeOfSelf, Kotepho, Kuru, Lando5, Leotronasssttt, Lutz1982, Mailer diablo, Matt Crypto, Mboverload, Mendaliv, MichaelBillington, Minesweeper, Mohamed Magdy, Myriapode, NewEnglandYankee, O.koksharova, Oli Filth, Olivier Debre, Omegatron, OverlordQ, Pakaran, Persian Poet Gal, PeterSymonds, Piano non troppo, Pietrow, PlutoidBrain, Primetime, Prolog, RHaworth, RainbowOfLight, Rawling, RegaL the Proofreader, RexNL, RickK, Rjwilmsi, Rowan Moore, Rpremuz, Rurik, RyanCross, SJP, SLi, ST47, Scott Johnson, Securiger, Sharkface217, SheikYerBooty, SpiceMan, Splintax, Stan911, Tbone55, The Wikipedist, TheObtuseAngleOfDoom, Themightyquill, Theresa knott, Thomasyen, TonyW, Ukexpat, Unicityd, Unixguy, Until It Sleeps, WHeimbigner, Wack0, Wiki alf, Wmahan, Ww, Yaronf, Yongrenjie, Yugsdrawkcabeht, Yvh11a, Zoe, 284 anonymous edits


Image Sources, Licenses and Contributors

File:Windows ActiveX security warning (malware).png  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Windows_ActiveX_security_warning_(malware).png  License: unknown  Contributors: -

File:Ad-aware 2008 Free screenshot.png  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Ad-aware_2008_Free_screenshot.png  License: unknown  Contributors: -

File:Alwaysupdate-adware-winspy.PNG  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Alwaysupdate-adware-winspy.PNG  License: unknown  Contributors: -


License

Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/
