Abuse of Privilege: Formal nomenclature for user action(s) not in accordance with organizational policy or law. Actions falling outside, or explicitly proscribed by, acceptable use policy.
acceptable level of risk: A judicious and carefully considered assessment by the appropriate authority that a computing activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of assets; threats and vulnerabilities; countermeasures and operational requirements.
acceptable use policy: DoD nomenclature for documented standards and/or guidance on usage of information systems and networked assets.
Acronym = AUP
accountability: The principle that individuals using a facility or a computer system must be identifiable. With accountability, violations or attempted violations of system security can be traced to individuals who can then be held responsible.
active attack: A form of attack in which data is actually modified, corrupted, or destroyed.
application gateway: One form of a firewall in which valid application-level data must be checked / confirmed before allowing a connection. In the case of an ftp connection the application gateway appears as an ftp server to the client and as an ftp client to the server.
asynchronous attacks: Attacks that take advantage of dynamic system actions — especially by exploiting an ability to manipulate the timing of those actions.
audit trail: In computer security systems, a chronological record of when users log in, how long they are engaged in various activities, what they were doing, whether any actual or attempted security violations occurred. An automated or manual set of chronological records of system activities that may enable the reconstruction and examination of a sequence of events and/or changes in an event. (AFCERT Computer Glossary)
authentication: Positive procedural verification of the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system. This term also connotes verifying the integrity of data that have been stored, transmitted, or otherwise exposed to possible unauthorized modification.
authorization: The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication. Once you have authenticated a user, the user may be authorized different types of access or activity. (AFCERT Computer Glossary)
back door: A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door; A hidden software or hardware mechanism used to circumvent security controls. A breach created intentionally for the purpose of collecting, altering or destroying data. (AFCERT Computer Glossary)
between-the-lines-entry: Access that an unauthorized user gets, typically by tapping the terminal of a legitimate user that is inactive at the time. (AFCERT Computer Glossary)
BLOB: Binary Large Object, used to describe any random large block of bits, usually a picture or sound file; can be stored in a database but normally not interpretable by a database program. Can be used as a mild hacker threat (mailbomb) when mailed. Can also be used to hide malicious logic code. (AFCERT Computer Glossary)
blue box devices: Gadgets created by crackers and phone hackers (phreakers) to break into the telephone system and make calls bypassing normal controls and/or billing procedures.
Class I (information warfare): Personal information warfare. That area of IW concerned with personal privacy issues. This is one of 3 IW classes delineated by Winn Schwartau.
Class II (information warfare): Corporate / organizational-level information warfare. That area of IW concerned with espionage issues. This is one of 3 IW classes delineated by Winn Schwartau.
… issues related to computer security, including information on configuration, management and bug fixes for systems. (AFCERT Computer Glossary)
Class III (information warfare): Information warfare viewed with an open / global scope. That area of IW concerned with cyber-terrorism issues. This is one of 3 IW classes delineated by Winn Schwartau.
computer abuse: The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation. (AFCERT Computer Glossary)
computer fraud: Crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value, perpetrated via or with regard to computers and/or information networks
countermeasures: Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more active techniques as well as activities traditionally perceived as security. (AFCERT Computer Glossary)
cyberocracy: A term, not yet clearly defined, which is sometimes invoked to connote a manner of government or politics in which information and the global information networks are the dominant source of empowerment.
This term, from the roots cyber- and -cracy, signifies rule by way of information. As it develops, information and its control will become a dominant source of power, as a natural next step in man's political evolution. In the past, under aristocracy, the high-born ruled; under theocracy, the high priests ruled. In modern times, democracy and bureaucracy have enabled new kinds of people to participate in government. In turn, cyberocracy, by arising from the current revolution in information and communications technologies, may slowly but radically affect who rules, how, and why.
cyberwar: A synonym for automated warfare: …in which robots do much of the killing and destroying without direct instructions from human operators. The weapons would be autonomous … (Arnett, 1992, p. 15)
data driven attack: A form of attack that is encoded in innocuous seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall. (AFCERT Computer Glossary)
degradation of service: Any reduction (with respect to norms or expectations) in service processes reaction / response time, quantitative throughput, or quality parameters. This term is often used to denote the general set of service(s) impairment(s) which at the extreme (i.e., total degradation to a zero state with respect to the given parameter(s)) constitutes an absolute denial of service.
Note that (owing to operational constraints such as time before timing out settings) a disruptive tactic capable of only degrading service(s) may result in a complete denial of said service(s) from the perspective of the end user(s).
denial of service: Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose. (AFCERT Computer Glossary)
Denial of service attacks may include denying services or processes limited to one host machine. However, the term is most often invoked to connote action against a single host (or set of hosts) which results in the target's inability to perform service(s) for other users — particularly over a network.
One may consider denial of service to be the extreme case of degradation of service in which one or more normal functional parameters (e.g., response, throughput) get zeroed out, at least as far as the end user is concerned.
It is important to note that denial is delineated with respect to whether or not the normal end user(s) can exploit the system or network as expected. Seen in this light, denial (like degradation) is descriptive of a functional outcome, and it is not therefore definitive with respect to cause(s) (i.e., tactics effecting said result). Forms of attack not geared to denial per se may lead to denial as a corollary effect (e.g., when a system administrator's actions in response to an intrusion attempt lead to a service outage). As such, denial of service is not a good criterion for categorizing attack tactics.
DNS spoofing: A form of spoofing which exploits the Domain Name Service (DNS) by which networks map textual domain names onto the IP numbers by which they actually route data packets.
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain. (AFCERT Computer Glossary)
double enveloping: Given the usage of an envelope — information added to a data packet to ensure the packet is received correctly at its destination…
A technique consisting of encasing the content and envelope of a message in a new outer envelope to protect the information on the envelope whenever a message is forwarded through a less trusted domain. The content of the new outer envelope may or may not be encrypted, depending on the degree of trust accorded to the less trusted domain. (AFCERT Computer Glossary)
dumpster diving: A form of HUMINT in which cast-off articles and information are scavenged in an attempt to obtain advantageous data. For example, going through someone's trash to recover documentation of his / her critical data (Social Security number, credit card ID numbers, etc.)
The practice of raiding the dumpsters behind buildings where producers and/or consumers of high-tech equipment are located with the expectation of finding discarded but still-valuable equipment or information. (AFCERT Computer Glossary)
Entrapment: The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations. (AFCERT Computer Glossary)
Ethernet meltdown: An event that causes saturation or near saturation on an Ethernet. It usually results from illegal or misrouted packets and typically lasts only a short time. (AFCERT Computer Glossary)
For example, an IP transmission addressed to a nonexistent recipient node and broadcast to all machines on a network can result in gateways / routers sending out Address Resolution Protocol (ARP) packets in an attempt to locate the non-existent recipient and forward the transmission. This forces the gateway(s) to spend processing cycles on the futile search, to the expense of handling normal network traffic. To the extent the network's operations are negatively affected, this can constitute an effective means for degradation of service or even temporary denial of service.
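A detection-side illustration of the ARP symptom just described, added here and not part of the glossary: it scans tcpdump-style ARP lines for targets that are repeatedly asked for but never answer, which is what a gateway chasing a non-existent recipient looks like on the wire. The log lines are constructed, and the window and threshold are arbitrary assumptions.

```python
"""Flag ARP request bursts for addresses that never reply.

A burst of "who-has X" requests with no "X is-at" reply is the signature
of the futile search described under Ethernet meltdown.  Bursts are
counted per target inside a sliding time window.
"""
import re
from collections import defaultdict

# Constructed sample in tcpdump-like form (not real captured traffic):
# 10.0.0.5 is asked for once and answers; 10.0.0.77 is asked for six
# times in under a second and never answers; 10.0.0.9 is asked for
# twice, far apart, and never answers.
SAMPLE_LOG = """\
12:00:00.10 ARP, Request who-has 10.0.0.5 tell 10.0.0.1
12:00:00.11 ARP, Reply 10.0.0.5 is-at 02:00:00:00:00:05
12:00:00.20 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:00.25 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:00.30 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:00.40 ARP, Request who-has 10.0.0.9 tell 10.0.0.1
12:00:00.45 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:00.50 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:00.60 ARP, Request who-has 10.0.0.77 tell 10.0.0.1
12:00:01.90 ARP, Request who-has 10.0.0.9 tell 10.0.0.1
"""

ARP_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) ARP, (Request who-has|Reply) (\S+)"
)


def parse_arp(lines):
    """Yield (seconds_since_midnight, kind, ip) for each ARP line."""
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue
        h, mi, s, kind, ip = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        yield t, ("request" if kind.startswith("Request") else "reply"), ip


def max_burst(times, window_s):
    """Largest number of events falling inside any window of window_s."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while j < len(times) and times[j] - t <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def unanswered_arp_storms(lines, window_s=1.0, threshold=5):
    """Map target IP -> largest request burst, for targets that were asked
    for at least `threshold` times in one window and never replied."""
    requests = defaultdict(list)
    replied = set()
    for t, kind, ip in parse_arp(lines):
        if kind == "request":
            requests[ip].append(t)
        else:
            replied.add(ip)
    storms = {}
    for ip, times in requests.items():
        if ip in replied:
            continue
        burst = max_burst(times, window_s)
        if burst >= threshold:
            storms[ip] = burst
    return storms


if __name__ == "__main__":
    print(unanswered_arp_storms(SAMPLE_LOG.splitlines()))
```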
Ethernet sniffing: A form of sniffing directed at basic Ethernet traffic (e.g., by monitoring packets passing through / by a router) and screening for packets of interest (e.g., those containing or indicative of passwords). This process can be performed by automatic means, with the composite take being logged into a summary form for further analysis and exploitation.
firewall: A metaphorical label for a set of hardware and software components protecting system resources (e.g., servers, LANs) from exogenous attack via a network (e.g., from Internet users) by intercepting and checking network traffic. The mix of hardware and software accomplishing firewall operations can vary. For LAN installations of any size, the typical approach is to install one or more computers positioned at critical junctures (e.g., gateways) and dedicated to the firewall functions. It is typically the case that such installations are configured such that all external connections (e.g., modems, ports) are outside the firewall (with respect to its domain of protection), or at least abut it on its external face. The firewall's own internal connection into the protected domain is typically the focus of monitoring functions.
A system or combination of systems that enforces a boundary between two or more networks. Gateway that limits access between networks in accordance with local security policy. The typical firewall is an inexpensive micro-based Unix box kept clean of critical data, with a bunch of modems and public network ports on it but just one carefully watched connection back to the rest of the cluster. (AFCERT Computer Glossary)
fork bomb: A disruptive piece of code directed toward a Unix-based system which causes runaway forking (splitting / replication) of operating system processes to degrade or (if saturation is achieved) deny that target system's operations.
Code that can be written in one line of code on any Unix system; used to recursively spawn copies of itself, explodes eventually eating all the process table entries and effectively locks up the system. (AFCERT Computer Glossary)
hacker: The label hacker has come to connote a person who deliberately accesses and exploits computer and information systems to which he / she has no authorized access. Originally, the term was an accolade for someone highly motivated to explore what computers could do and/or to explore the limits of his / her technical skills (especially in programming). A great hack was a common compliment for an especially cunning or innovative piece of software code. The term cracker was then reserved for people intruding into computer / information systems for the thrill of it (or worse). Over time, cracker faded from usage and hacker came to subsume its (unfortunate) connotations.
A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary. (AFCERT Computer Glossary)
The term hackers has a relatively long history. Hackers were at one time persons who explored the inner workings of computer systems to expand their capabilities, as opposed to those who simply used computer systems. Today the term generally refers to unauthorized individuals who attempt to penetrate information systems; browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way.
(GAO, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Report GAO/AIMD-96-84, 1996)
The definition of the term hacker has changed over the years. A hacker was once thought of as any individual who enjoyed getting the most out of the system he was using. A hacker would use a system extensively and study the system until he became proficient in all its nuances. This individual was respected as a source of information for local computer users; someone referred to as a guru or wizard. Now, however, the term hacker is used to refer to people who either break into systems for which they have no authorization or intentionally overstep their bounds on systems for which they do have legitimate access.
information attack: Directly corrupting information without visibly changing the physical entity within which it resides. (Widnall & Fogleman, 1995, p. 6) In the wake of an information attack …an information function is indistinguishable from its original state except through inspecting its data or instructions.
information collection: That aspect of IW activities concerned with the acquisition of data. An organization needs a variety of information to support its operations. …Information collection includes the entry points for information into an organization from both internal and external sources. Issues include quantity (completeness), quality (accuracy), and timeliness of this information. Business examples of collection systems include point-of-sale (POS) systems, market surveys, government statistics, and internal management data. Military examples of collection systems include tactical radars and other sensors. (Cramer, 1996)
information protection: Information protection addresses two types of threats: information compromise and destruction. Compromise involves a competitor gaining access to an organization's proprietary data. Destruction involves the loss of these data (or loss of access to these data) as the result of a hostile attack by an adversary. (Cramer, 1996)
information terrorism: An ill-defined term (as yet) invoked to connote cyberspace mischief undertaken with intentions or ramifications analogous to the fear-inducing physical attacks we associate with terrorist activity.
Political terrorism is the systematic use of actual or threatened physical violence in the pursuit of a political objective, to create a general climate of public fear and destabilize society, and thus influence a population or government policy. Information terrorism is the nexus between criminal information system fraud or abuse, and the physical violence of terrorism. However, particularly in a legal sense, information terrorism can be the intentional abuse of a digital information system, network, or component toward an end that supports or facilitates a terrorist campaign or action. In this case, the system abuse would not necessarily result in direct violence against humans, although it may still incite fear.
intel: Common abbreviated form of the term intelligence. Hehehehe…..
intrusion attempt: An event taken to be a potentially deliberate and unauthorized action toward accessing data / information, manipulating data / information, and/or rendering a given data / information system unreliable or unusable.
IP splicing / hijacking: A form of surreptitious co-opting of an interactive session through manipulation of low-level IP features. The allusion to splicing connotes that the attacker splices his packet stream into a stream already established / acknowledged / authenticated. The allusion to hijacking connotes that the attacker thus masquerades as whomever originally established the connection, allowing him to hijack the session to his own ends.
IP spoofing: An attack whereby a system attempts to illicitly impersonate another system by using IP network address. (AFCERT Computer Glossary)
keystroke monitoring: A form of user surveillance in which the actual character-by-character traffic (i.e., that user's keystrokes) is monitored, analyzed, and/or logged for future reference.
A specialized form of audit trail software, or a specially designed device, that records every key struck by a user and every character of the response that the host computer returns to the user. (AFCERT Computer Glossary)
leapfrog attack: Any form of intrusion / attack accomplished by exploitation of data / information obtained on a site / server other than the attack's target.
Use of userid and password information obtained illicitly from one host to compromise another host. (AFCERT Computer Glossary)
In a second, distinct, sense — a method of intrusion / attack in which the intruder / attacker approaches the target system through at least one intermediate system other than his / her own platform.
The act of TELNETing through one or more hosts in order to confuse a trace (a standard cracker procedure). (AFCERT Computer Glossary)
letter bomb / letterbomb: Malicious / disruptive code delivered via an email message (and / or an attachment to said message). A piece of email containing live data intended to do malicious things to the recipient's machine or terminal.
Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from silly to tragic. (AFCERT Computer Glossary)
logic bomb: The term for a mischievous / destructive piece of software (cf. virus, Trojan horse) which lies resident on the victim computer / system until triggered by a specific event (e.g., onset of a predetermined date or set of system conditions).
A logic bomb is unauthorized code that creates havoc when a particular event occurs, e.g. the perpetrator's name is deleted from the payroll or a certain date occurs. (GAO, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Report GAO/AIMD-96-84, 1996)
A resident computer program which, when executed, checks for particular conditions or particular states of the system which, when satisfied, triggers the perpetration of an unauthorized act. (AFCERT Computer Glossary)
mail storm / mailstorm: What the target system / users see when being mail bombed. Any large amount of incoming email sufficient to disrupt or bog down normal local operations.
What often happens when a machine with an Internet connection and active users re-connects after extended downtime — a flood of incoming mail that brings the machine to its knees. (AFCERT Computer Glossary)
mockingbird: A computer program or process which mimics the legitimate behavior of a normal system feature (or other apparently useful function) but performs malicious activities once invoked by the user. (AFCERT Computer Glossary)
network spoofing: In network spoofing a system presents itself to the network as though it were a different system (system A impersonates system B by sending B's address instead of its own). The reason for doing this is that systems tend to operate within a group of other trusted systems. Trust is imparted in a one-to-one fashion; system A trusts system B (this does not imply that system B trusts system A). Implied in this trust is that the system administrator of the trusted system is performing his job properly and maintaining an appropriate level of security for his system. Network spoofing occurs in the following manner: if system A trusts system B and system C spoofs (impersonates) system B, then system C can gain otherwise denied access to system A.
network worm: A worm which migrates across platforms over a network by copying itself from one system to another by exploiting common network facilities, resulting in execution of the (replicated) worm on that system and potentially others.
packet sniffer: A device or program that monitors the data traveling between computers on a network. (AFCERT Computer Glossary)
packet sniffing: Packet sniffing is a technique in which attackers surreptitiously insert a software program at remote network switches or host computers. The program monitors information packets as they are sent through networks and sends a copy of the information retrieved to the hacker. By picking up the first 125 keystrokes of a connection, attackers can learn passwords and user identifications, which, in turn, they can use to break into systems. (GAO, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Report GAO/AIMD-96-84, 1996)
password cracking / password theft: Password cracking is a technique used to surreptitiously gain system access by using another user's account. Users often select weak passwords. The two major sources of weakness in passwords are easily guessed passwords based on knowledge of the user (e.g. wife's maiden name) and passwords that are susceptible to dictionary attacks (i.e., brute-force guessing of passwords using a dictionary as the source of guesses). (Bassham & Polk, 1992)
Password cracking and theft is a technique in which attackers try to guess or steal passwords to obtain access to computer systems. This technique has been automated by attackers; rather than attackers trying to guess legitimate users' passwords, computers can very efficiently and systematically do the guessing. For example, if the password is a dictionary word, a computer can quickly look up all possibilities to find a match. Complex passwords comprised of alphanumeric characters are more difficult to crack. However, even with complex passwords, powerful computers can use brute force to compare all possible combinations of characters until a match is found.
password sniffing: A form of sniffing which entails sampling specific portions of the data stream during a session (e.g., collecting a certain number of initial bytes where the password can be intercepted in unencrypted form on common Internet services) so as to obtain password data that can then be exploited.
phreak / phone phreak: A term for hacking or cracking-type exploitation directed at the telephone system (as opposed to the data communications networks). Where the intrusion / action involves both telephone and data communications networks, that portion of the intrusion activity directed toward manipulating the telephone system is typically called phreaking.
The act of employing technology to attack the public telephone system. The art and science of cracking the phone network. (AFCERT Computer Glossary)
A term for someone engaging in (phone) phreaking. Sometimes the label phreak is used for both the perpetrator and the act.
The phone phreak (phreak for short) is a specific breed of hacker. A phreak is someone who displays most of the characteristics of a hacker, but also has a specific interest in the phone system and the systems that support its operations. Additionally, most of the machines on the Internet, itself a piece of the Public Switched Network, are linked together through dedicated, commercial phone lines. A talented phreak is a threat to not only the phone system, but to the computer networks it supports.
probe: Any effort to gather information about a machine or its users on-line for the apparent purpose of gaining unauthorized access to the system at a later date. (AFCERT Computer Glossary)
proxy: Specifically… A firewall mechanism that replaces the IP address of a host on the internal (protected) network with its own IP address for all traffic passing through it. A software agent that acts on behalf of a user; typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination. (AFCERT Computer Glossary)
retro-virus: A retro-virus is a virus that waits until all possible backup media are infected too, so that it is not possible to restore the system to an uninfected state. (AFCERT Computer Glossary)
sensor-to-shooter: A descriptive phrase employed to denote the cumulative feed-forward of data and information through an operational military system, from initial acquisition of novel data elements (via the sensors) through to the element(s) effecting instrumental response as needed (e.g., the shooter). A loose descriptor for the scope of processing for intrasystemic functions to obtain advantage in a theater of operations.
session hijacking: Taking over an authorized user's terminal session, either physically when the user leaves his terminal unattended or electronically when the intruder carefully connects to a just-disconnected communications line. (AFCERT Computer Glossary)
sniffer: A tool used to intercept potentially exploitable data from the traffic on a network. A program to capture data across a computer network. Used by hackers to capture user id names and passwords. Software tool that audits and identifies network traffic packets. (AFCERT Computer Glossary)
social engineering: A term for personal {i.e., social} tactics employed in support of attempts to achieve unauthorized access to a computer information system. This is something of a catch-all category for any tricks used to obtain the intended access or to obtain information critical to achieving that access.
Social engineering is the final method of gaining unauthorized system access. People have been known to call a system operator, pretending to be some authority figure, and demand that a password be changed to allow them access. One could also say that using personal data to guess a users password is social engineering.
spam: The act of bombarding a target (system, Usenet news group, set of email addresses) with sufficient volume of data (or a volume of sufficiently massive data items) such that degradation or even denial of service is achieved. This term is also pejoratively applied to describe the perceived harassment of receiving profligately-broadcast data (e.g., junk email advertising).
To crash a program by overrunning a fixed-site buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages. (AFCERT Computer Glossary)
spoofing: A generic label for activities in which trusted relationships or protocols are exploited for mischievous or surreptitious ends — especially those cases in which an unknown or unauthorized actor surreptitiously pretends to be a trusted one. The spoofing need not entail personal identification — tactics in which a machine's identity or address data are usurped are also termed spoofing.
Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing. (AFCERT Computer Glossary)
terminal hijacking: Allows an attacker on a certain machine to control any terminal session that is in progress. An attack hacker can send and receive terminal I/O while a user is on the terminal. (AFCERT Computer Glossary)
trap door: A hidden software or hardware mechanism used to circumvent security control. (AFCERT Computer Glossary)
Trojan horse: A trojan horse is an independent program that when called by an authorized user performs a useful function, but also performs unauthorized functions, often usurping the privileges of the user. (GAO, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Report GAO/AIMD-96-84, 1996)
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. (AFCERT Computer Glossary)
troll: The act of subverting a forum by deliberately posting provocative (especially provocatively stupid) messages with the intention of distracting others into response.
An online message whose purpose is to attract responses and make the responders look stupid. People who troll want to make you waste your time responding to their pointless statements. (AFCERT Computer Glossary)
virus: The generic label for a unary set of code which is designed to operate so as to cause mischief or other subversive effect in a target computer system. The term computer virus was first defined by Fred Cohen (working at DEC) in 1983.
A virus is a code fragment that reproduces by attaching to another program. It may damage data directly, or it may degrade system performance by taking over system resources which are then not available to authorized users. (GAO, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Report GAO/AIMD-96-84, 1996)
war dialer: A cracking tool, a program that calls a given list or range of numbers and records those which answer with handshake tones (and so might be entry points to computer or telecommunications systems). (AFCERT Computer Glossary)
worm: A class of mischievous / disruptive software whose negative effect is primarily realized through rampant proliferation — e.g., via replication and distribution of the worm's own code. Replication is the hallmark of the worm. Worm code is relatively host-independent, in that the code is self-contained enough to migrate across multiple instances of a given platform, or across multiple platforms over a network (cf. network worm). To replicate itself, a worm needs to spawn a process; this implies that worms require a multitasking operating system to thrive.
A program or executable code module which resides in distributed systems or networks. It will replicate itself, if necessary, in order to exercise as much of the system's resources as possible for its own processing. Such resources may take the form of CPU time, I/O channels, or system memory. It will replicate itself from machine to machine across network connections, often clogging networks and computer systems as it spreads. (AFCERT Computer Glossary)