Glossary of Terms
A security mechanism where the locations of important elements of a program in memory are randomized in order to make them harder for an attacker to find and utilize. This increases the difficulty for the attacker to perform particular types of exploit that rely on jumping to particular address areas of memory.
A loosely associated and informal group of hacktivists that participate cooperatively in various forms of protest online. Types of protest have included Denial of Service (DoS) attacks and website defacements against various entities, including government and commercial organizations, and protesting against a broad range of different political and social issues from digital rights management and anti-piracy to revenge porn.
A set of tools and resources that provide various functions developers can utilize when creating software.
A black hat hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain”.
In computing, a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, passwords, URLs, IP addresses, domain names, file hashes, etc.), except those explicitly mentioned. Those items on the list are denied access.
A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.
A type of malware known as ransomware. Ransomware is malicious software that locks a user’s computer in some way and then demands a ransom in order for service to be restored. As the name suggests, this malware locks the affected user’s Web browser and holds it to ransom.
A buffer overflow is a type of vulnerability that arises when a program writes more data to a buffer than the buffer can hold, overwriting adjacent memory. This type of vulnerability may be exploited to crash programs or, with the correct manipulation by a skilled attacker, used to execute arbitrary code on a targeted computer. Buffer overflow vulnerabilities can be avoided by bounds checking, which verifies that an input fits within the capacity of the buffer before it is written.
A form of instruction set designed for efficient execution by a software interpreter. Bytecodes are compact numeric codes, constants, and references (such as numeric addresses), which encode the result of parsing and semantic analysis of things like type, scope, and nesting depths of program objects.
A technique used to make a user take an action of an attacker’s choice by clicking on part of a webpage. While the user may believe they are clicking on something innocuous, in effect they are performing an action that the attacker requires in order to achieve their goal—for example, by clicking on a particular object on a page, a user may inadvertently execute a script or grant permission for a particular type of risky activity.
The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is a United States federal law enacted in 2018 by the passing of the Consolidated Appropriations Act, 2018, PL 115-141, section 105, Executive agreements on access to data by foreign governments. The Act allows federal law enforcement to compel U.S.-based technology companies, via warrant or subpoena, to provide requested data stored on their servers, whether on U.S. or foreign soil. The U.S. government is able to enter into data rights sharing agreements with foreign countries and bypass U.S. courts, and affected users would not have to be notified when such warrants were issued.
As with many terms used in computer security, this term has been borrowed from the military. Similar to the military use of the term, it means a method of exercising authority over resources, for example, a commanding officer commanding his troops. This term is often used in the context of malware and botnets in particular, where a structure is set up to command and control many compromised computers from either a centralized or, in some cases, a decentralized position. A centralized command and control structure might be a single server that compromised computers connect to in order to receive commands. A decentralized command and control structure could be one where compromised computers connect to a peer-to-peer network, where commands are spread through the network from many possible nodes. Command and control may also be known as C2.
Command injection occurs when an attacker is able to pass unsafe data to a system shell via a vulnerable application so that the unsafe data is then executed on the targeted system. The result of a successful command injection attack is therefore the execution of arbitrary attacker-supplied code on a targeted system. The risk of command injection attacks can be mitigated by appropriate input checking and validation.
A form of cross-site scripting attack, in which an attacker exploits a vulnerability in a Web browser in order to load malicious third-party content that they control in the frame of a webpage on another site. This attack may allow an attacker to steal sensitive information, such as login details, that may be input into the frame because the targeted user believes the request for login details came from the legitimate site.
An attack that occurs when an attacker exploits a vulnerability in a Web application in order to inject malicious code into client-side code that is delivered from a compromised website to an unsuspecting user. This code that is delivered to the user is trusted, and hence executed, as it appears to come from a legitimate source. These types of attack occur due to insufficient checking and validation of user-supplied input. Attackers may use this type of attack in order to bypass access controls or steal sensitive data.
A type of malware known as ransomware. Ransomware is malicious software that locks a user’s computer in some way and then demands a ransom in order for service to be restored. In the case of CryptoLocker, as the name suggests, users’ files are encrypted using an asymmetric encryption algorithm. A ransom is then demanded from affected users in order to decrypt and therefore restore their files. CryptoLocker was first discovered in the wild by researchers in 2013. It was reported to have been propagated via the Gameover Zeus botnet. The “success” of ransomware such as CryptoLocker has spawned many copycat programs. The best way to avoid being the victim of ransomware is to ensure that regular backups of your files are created and maintained, and then stored in an unrelated system; thus, if files are encrypted, they can be restored from backup.
Service Workers allow a site to intercept fetches of resources, and, as it happens, WebAssembly can be used in a Service Worker. WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the web for client and server applications.
A security measure used by modern operating systems that is intended to prevent the running of malicious code on an affected system. It operates by marking areas of memory as either executable or non-executable and raises exceptions when code attempts to run from areas that are deemed non-executable.
A directory traversal occurs when an attacker is able to access areas of a system that are not intended to be publicly accessible. This may occur due to inappropriate or insufficient checking of user-supplied data that contains characters that may be interpreted to traverse paths to a parent directory on the targeted system.
A condition that occurs when the resources of a system are exhausted in some manner that causes the system to stop responding.
DDoS is short for Distributed Denial of Service. A DDoS is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS).
An internet performance management and web application security company offering products to monitor, control, and optimize online infrastructure, as well as domain registration services and email products.
An edge device is a device which provides an entry point into enterprise or service provider core networks. Examples include routers, routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices.
In the context of computer security, exfiltration refers to the removal of valuable captured data from a compromised system. This is often performed as a separate step, by separate tools from those that may be used in order to first compromise the targeted system and then to capture and store data. In order for data to be exfiltrated, for example, it may need to be moved to a computer that has access to the Internet.
Code written expressly to take advantage of the security gap created by a particular vulnerability in order to deliver a malicious payload. They may be targeted at specific organizations or used en masse in order to compromise as many hosts as possible. Delivery mechanisms utilize many different technologies and vehicles and often contain a social engineering element—effectively an exploit against vulnerabilities in human nature in order to make the victim take a particular action of the attacker’s choosing.
An external information leak occurs when system data or debugging information leaves the program to a remote machine via a socket or network connection.
Mobile malware that targets the Android platform. The Fakeinst family of malware masquerades as helpful installers that are used to install other useful applications. However, once executed they attempt to send SMS messages to premium-rate services, leaving affected users with unexpectedly high phone bills.
A network security device or software that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.
A technology that provides infrastructure for another technology. For example, a document management system could require a relational database as a foundational technology.
These attacks occur when an attacker uses a hidden HTML frame to load a target website inside an attacker-controlled webpage. By doing this, attackers can access sensitive information about the content of framed pages.
Maker boards that are often named after fruit, such as the Raspberry Pi and Banana Pi.
This is an automated vulnerability research technique that involves using a fuzzer (a fuzzing tool) to inject malformed data into an application in an attempt to cause it to crash. This technique is used to uncover possible areas of weakness or vulnerability within the application for further research and testing.
A notorious botnet consisting of peer-to-peer variants of the Zeus malware family (also known as Win32.Zbot). By using peer-to-peer communication, this botnet used a decentralized command-and-control infrastructure, thus avoiding the single point of failure of more centralized command and control structures and making the botnet more resilient to takedown. The Zeus malware family is associated with the sophisticated theft of online banking credentials; however, the botnet may have been used to carry out other malicious activities such as propagating additional malware, sending spam, and carrying out distributed denial of service (DDoS) attacks. In mid-2014, U.S. authorities brought down a large botnet of Gameover Zeus variants and caused significant disruption to the botnet’s malicious activities.
The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data.
Malware written for the Android platform that targets online banking users. One of the first Android malware samples to be purposefully installed by a Windows component if an Android device was connected to the desktop.
The term “grey hat”, alternatively spelled as “greyhat” or “gray hat”, refers to a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.
Heap spraying is a technique used by attackers to assist in use-after-free exploitation by decreasing entropy in the address space. It is not itself an exploit method; instead, it aids attackers by making freed memory space more orderly and predictable. Heap spraying consists of forcing repeated allocations in an attempt to reclaim the freed buffer and to introduce some usable order to the freed space.
A flaw, discovered in 2014, that allowed for unauthenticated remote attackers to disclose the memory of applications that use a vulnerable version of OpenSSL. Successful attacks could result in the disclosure of SSL private keys, usernames/passwords, and session tokens.
The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
A local area network is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building.
A threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts – or has the potential to impact – an organization’s security.
An attack where a malicious hacker intercepts the Internet traffic that goes into and out of a device. The preferred target is a Wi-Fi router, since it carries all of the traffic sent over the network and can then be used to control each device connected to it, including PCs and smartphones. Often used for directly targeted attacks in publicly accessible areas with Wi-Fi.
Malware that turns networked devices running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet is best known for its attack on Dyn, which took down Airbnb and other online services.
Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
A system that monitors important operating system files is an example of a host-based intrusion detection system (HIDS), while a system that analyzes incoming network traffic is an example of a network-based intrusion detection system (NIDS). Some IDSs have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system (IPS).
RAM scraping occurs when malware enumerates the processes and virtual memory space of the target machine looking for track 1 and track 2 payment card data.
Ransomware is malicious software that locks a user’s computer in some way and then demands a ransom in order for service to be restored. This locking may include encrypting the user’s files in some way and then demanding payment for the decryption key, or it could be more simplistic and only rely on giving the user the impression that their computer is locked (even though it may be easily recoverable).
A botnet, known alternately as IoT Troop or Reaper, reported to have already infected a million networks. It has evolved beyond the approach of earlier IoT botnets by using actual software-hacking techniques to break into devices instead.
Penetration testers assess organization security, often unbeknownst to client staff. When used in a hacking context, a red team is a group of white-hat hackers that attack an organization’s digital infrastructure as an attacker would in order to test the organization’s defenses (often known as “penetration testing”).
A vulnerability that allows attackers to execute their own code on a target system. Depending on the vulnerability used, the RCE may be executed with either user- or system-level permissions.
An exploit technique that allows an attacker to execute code while bypassing certain types of defense-in-depth measures, such as ASLR.
In software development, including Web development and revision control, a testing environment that isolates untested code changes and outright experimentation from the production environment or repository.
A segmentation fault (segfault) occurs when a program attempts to access a memory location that the program is not allowed to access. Segfaults may also occur when a program attempts to access a memory location through a method that is not allowed. An example of this would be a program attempting to write to memory marked as read-only.
A small piece of code used as the payload during the exploitation of a vulnerability. While these types of payloads typically start from a command shell, any code that performs a similar function is generically referred to as shellcode.
A family of security vulnerabilities in the UNIX® Bash shell, first disclosed in September 2014.
Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.
Like phishing, except that it is a targeted attack against an individual or a group of individuals in order to compromise their data or systems.
An attempt to disguise device A so that it looks like device B. If device B has access to a wireless network, the disguised device A will trick the router into allowing it onto the network.
A standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private. Due to security concerns, SSL has been officially deprecated as of 2018.
A cryptographic protocol that provides communications security over a computer network.
Free software designed to allow users to achieve online anonymity and resist censorship. By directing traffic through thousands of relays, Tor (The Onion Router) conceals a user’s location and network usage from those attempting to conduct network monitoring or traffic analysis.
Malicious software that, unlike worms or viruses, is unable to spread of its own accord. There are many different types of Trojans that are used in conjunction with other types of malware in order to perpetrate computer crime. One of the most notorious types is a remote access Trojan (RAT) that can be used by a remote attacker to access and control a victim’s computer.
A serious flaw that allows an attacker to access the login panel of routers that do not usually expose their back end on the Internet, and that furthermore allows black-hat proxies via NAT injection.
Colloquially termed a web address, a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.
A use-after-free vulnerability can occur when memory allocated to an object is used after the object is deleted (or deallocated). Good programming practice dictates that any reference pointing to an object should be cleared when the memory is deallocated, so that the pointer no longer refers to the area of memory where the object once resided. (A pointer in this abandoned condition is broadly called a “dangling pointer.”) If the pointer isn’t modified and is used to access that area of memory, the system can become unstable or corrupt. Attackers can use a dangling pointer in a variety of ways, including execution of malicious code.
Defects or bugs that allow for external influence on the availability, reliability, confidentiality, or integrity of software or hardware. Vulnerabilities can be exploited to subvert the original function of the targeted technology.
Malware designed to infect routers and certain network attached storage devices.
The term “white hat” in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies that ensure the security of an organization’s information systems.
A wide area network is a telecommunications network or computer network that extends over a large geographical area. Wide area networks are often established with leased telecommunication circuits.
A self-contained malicious program that is able to spread of its own accord. The classification “worm” describes only the ability to spread without a host file (as is the case with computer viruses); worms carry many different and varied payloads beyond spreading from host system to host system.
A previously unknown vulnerability for which no patch from the vendor currently exists. It is referred to as a zero day because the vendor has had zero days to fix the issue.
A family of malware that targets the Windows operating system. It is used primarily to steal banking information, but has also been used to install the CryptoLocker ransomware.