Vulnerable Networks and Services – a Gateway for Intrusion

Communication and network protocols form a big part of the cyber-attack landscape. Therefore, many threats are directed toward the networks or communication channels used by people, systems, and devices. At a time when there are millions of IoT devices, employees bringing their personal devices to the workplace due to BYOD, the adoption of the cloud, and many organizations depending on web-based systems, this is obvious why cyber criminals consider networks and communication channels a sweet spot to carry out attacks. There are therefore many attack techniques and tools that have been developed purposefully to exploit common vulnerabilities in networks and communication channels.

Vulnerable network protocols and network intrusions

Networks, including the internet, were established at a time when there were hardly any cybersecurity threats aimed at them. Therefore, a lot of focus was given to aspects such as performance and speed. Since there was no security design during the establishment of early networks, several adoptions have had to be incorporated due to shifts such as increased cybersecurity threats. However, this is becoming a catch-up game and hackers are unfortunately growing more powerful. This has seen several vulnerabilities being discovered in network protocols. The following are some internet protocols that are increasingly becoming insecure

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used for email purposes by many organizations. This protocol was added to the internet and it quickly became the simplest way for people and organizations to send and receive emails. However, there has been an explosion of threats targeting the SMTP protocol that many organizations use. Since SMTP wasn’t conceived with these security issues in mind, it has become the burden of network administrators to secure it. One of the ways that SMTP is attacked is account enumeration. This is normally done by spammers and phishers when harvesting emails. Account enumeration verifies whether an email account is registered on a certain server by running an SMTP command called VRFY on port 25. The response obtained shows whether or not the email is valid

Secure Sockets Layer

Secure Sockets Layer (SSL) has been understood by many people as the ultimate check of security. Users are being advised to check whether a website has SSL before they submit private data to it. SSL works by encrypting data exchanged between a host and server thus making it hardly possible for a hacker to intercept and read the contents of the traffic. However, there is a challenge with this approach toward cybersecurity as the ultimate check for security. SSL has been active since 1996 and has never received any update despite the increased sophistication of hacking techniques. There have been several attacks against SSL security that have made browsers such as Chrome and Firefox want to scrap SSL. The answer to SSL has been Transport Layer Security (TLS) but it isn’t without flaws. TLS came in 1999 as a successor of SSL version 3.0 but still SSL is more commonly used on the internet.

TLS is a crypto-protocol used in internet communications to provide end-to-end encryption for all data exchanged between a client and a server. It’s more secure than SSL but still faces its fair share of cyber attacks. One of the attacks against TLS is known as BEAST and is registered as CVE-2011-3389 by the CVE database. In this attack, the attacker injects their own packets into the stream of SSL traffic and this enables them to determine how the traffic is being decrypted and thus decrypt the traffic. Another attack against SSL is POODLE, which is registered as CVE-2014-3566 by the CVE database. POODLE is an ingenious way of attacking SSL used in man-in-the-middle attacks. When a client initiates the SSL handshake, the attacker intercepts the traffic and masquerades as the server and then requests the client to downgrade to SSL 3.0. The POODLE attack happens when the attacker replaces the padding bytes in packets and then forwards the packets to the real server. Servers don’t check for values in the padding, they’re only concerned with the message-authentication code of the plaintext and the padding length. The man in-the middle will then observe the response from the server to know what the plaintext message sent by the real client was.

Domain Name System

Domain Name System (DNS) is the protocol that ensures domain names are translated into IP addresses. However, this protocol is old, flawed, and open to attacks. A hacking group was once able to exploit the working of the protocol causing users that wanted to visit twitter.com to be redirected to a different domain. Therefore, should a significant number of threat actors decide to redirect visitors of some websites to different or malicious sites, they can do this through DNS attacks. This is where hackers swap the correct IP address of a website with a rogue IP address. There have been fixes being developed but they have had effects on performance and thus have not been implemented. More applicable fixes are still being developed. Apart from the internet, there are other attacks that are regularly directed at organizational networks. These are more successful due to the narrow scope within which attackers have to focus. The following are some of these attacks

Packet sniffing

This is where an attacker reads all data that’s being exchanged in a network, especially if it’s unencrypted. Surprisingly, there are many free and open source programs that can be used to do this, such as Wireshark. Public networks, such as cafe WiFi hotspots, are some of the areas where hackers regularly use these programs to record, read, and analyze the traffic flowing through the network.

Distributed denial of service

Distributed denial of service (DDoS) is an increasingly common attack that has been proven to be successful against big targets. Since the 2016 attack on Dyn, one of the largest domain-resolution companies, hackers have been motivated to use this attack on many organizations. There are ready vendors on the dark web that can rent out their botnets to be used for DDoS attacks for a given duration. One of the most feared botnets is Mirai, which is primarily composed of many IoT devices. DDoS attacks are aimed at directing a lot of illegitimate traffic to a network – more than can be handled – thus causing it to crash or be unable to handle legitimate requests. DDoS attacks are particularly of great concern to organizations that offer their products or services via websites as the attack makes it impossible for business processes to take place.

My next article will continue on Vulnerable Networks and Services – a Gateway for Intrusion topic. I will cover Attacking web servers and web based systems, techniques and tools used in those attacks … So please come back .

In the mean time you can check the below articles , if you have not done so yet.