Loopholes

Word concepts

Basic explanation

1. [hole; leak; leakage]: Small holes or gaps. Example: to plug leaks.

2. [flaw; weak points; hole; loophole]: Places where laws, decrees, treaties or agreements are not well formulated; flaws. Example: the obvious loopholes in the legislation should be plugged.

Citation explanation

1. Gaps; small holes. Ming Lushen's "Excerpt from Stopping Records": "The left hand Guan has a slippery and slow pulse, the fourth lobe of the liver is leaky, and the lower part is connected." Zhao Zi, "Second Pair of Eyes": "You can touch the water according to the direction of the water flow. Vulnerabilities."

2. Vulnerabilities, imprecise points. Mao Dun's "Frosty Leaves Are Red Like February Flowers" 5: "Wang Boxhen is also very smart when he wants to come. He must have another arrangement for this matter. The loopholes have already been fixed." Zhou Erfu's "Shanghai Morning" part four: "The general manager thinks very carefully, and there are no loopholes at all."

Information technology meaning

A vulnerability is a weakness or defect of a system, the system's sensitivity to a specific threat, attack or dangerous incident, or the possibility of a threat acting through an attack. Vulnerabilities may come from defects in the design of application software or operating systems or errors in coding, or from design defects in the interactive processing of the business or unreasonable logic flow. These defects, errors or unreasonable points may be intentionally or unintentionally exploited, which will adversely affect an organization's assets or operations. For example, the information system is attacked or controlled, important information is stolen, user data is tampered with, and the system is used as a springboard to invade other host systems. Judging from the vulnerabilities found so far, there are far more vulnerabilities in application software than in operating systems, and vulnerabilities in web application systems account for the vast majority of vulnerabilities in information systems.

1. The relationship between the vulnerability and the specific system environment and its time-related characteristics

Vulnerabilities affect a wide range of hardware and software devices, including the operating system itself and its supporting software, network client and server software, network routers and security firewalls, etc. In other words, there may be different security vulnerabilities in these different hardware and software devices. Different types of software and hardware devices, different versions of the same device, different systems composed of different devices, and the same system under different configuration settings will each have their own security vulnerabilities.

The issue of vulnerabilities is closely related to time. From the day a system is released, as users deepen its use, the vulnerabilities in the system will continue to be exposed, and the vulnerabilities discovered earlier will be continually patched by patch software released by the system vendor, or corrected in a new version of the system released later. While the new version of the system corrects the loopholes in the old version, it will also introduce some new loopholes and errors. So over time, old loopholes will continue to disappear, and new loopholes will continue to appear. Vulnerabilities will also exist for a long time.

Therefore, it is meaningless to discuss vulnerabilities apart from a specific time and a specific system environment. We can only discuss the possible vulnerabilities and feasible solutions for the actual environment, such as the operating system version of the target system, the software versions running on it, and the service operation settings.

At the same time, it should be noted that research on vulnerabilities must track the latest developments in current computer systems and their security issues. This is similar to research on the development of computer viruses. If you can't keep track of new technologies in your work, you won't have the right to talk about system security vulnerabilities, and even the work done before will gradually lose value.

2. The harm and prevention of vulnerabilities

The existence of vulnerabilities can easily lead to hackers' intrusion and the presence of viruses, which can lead to data loss and tampering, privacy disclosure and even monetary loss. For example, if a website is hacked due to loopholes, website user data will be leaked, website functions may be disrupted and suspended, or the server itself may be controlled by the intruder. In the current development of digital products, vulnerabilities have extended from computers as carriers to digital platforms, such as mobile phone QR code vulnerabilities, Android application vulnerabilities, etc.

System vulnerabilities

Overview

System vulnerabilities refer to flaws in the logic design of application software or operating system software, or errors in writing it. Such a flaw or error can be exploited by criminals or computer hackers, who attack or control the entire computer by planting Trojan horses or viruses or by other means, thereby stealing important data and information in your computer, or even destroying your system.

Principle

The problem of Windows system vulnerabilities is closely related to time. From the day a Windows system is released, as users deepen their use, the vulnerabilities in the system will continue to be exposed, and the vulnerabilities discovered earlier will be continually patched by patch software from the system vendor, Microsoft, or corrected in a new version of the system released later. While the new version of the system corrects the loopholes in the old version, it will also introduce some new loopholes and errors.

So over time, old system vulnerabilities will continue to disappear, and new system vulnerabilities will continue to appear. System vulnerabilities will also exist for a long time.

Microsoft Security Bulletin

In the early morning of February 12, 2014, Microsoft released 7 vulnerability patches, including 4 "critical" level patches and 3 "critical" level vulnerabilities. They fixed multiple vulnerabilities in Internet Explorer, .NET, and Windows, and a specific vulnerability in Windows 8.

On January 16, 2014, the January security bulletin was released. The patch levels of the 4 vulnerabilities are all "important". They fix MS Office Word, the Windows 7 kernel and the old version of the Windows kernel driver. There are multiple remote code execution and privilege escalation vulnerabilities. Also pushed are the version update installation package of Adobe Flash Player 12 and the security update of Adobe Reader.

Microsoft generally releases security bulletins on the second Tuesday of each month, which is called "Patch Tuesday."

Level

Vulnerabilities are classified into four types according to their severity: "Urgent", "Important", "Warning", and "Caution". Generally speaking, what is defined as important on the Microsoft website should be updated in time.

Vulnerability repair

The system updates automatically through Update, or the vulnerability is repaired automatically with security software such as Computer Manager.

Classification

Flies do not stare at seamless eggs. Intruders can easily break into the system as long as they find a crack in the complex computer network. So knowing where these seams are likely to be is crucial to repairing them. Usually the cracks show up mainly as bugs in software writing, improper system configuration, password theft, cleartext communication being monitored, and defects in the initial design.

There are bugs in software writing

Whether it is a server program, client software or an operating system, as long as it is written in code, there will be bugs of various degrees. Bugs are mainly divided into the following categories:

(1) Buffer overflow: The intruder enters a string longer than the specified length into one of the program's input fields. The excess part is usually the attack code the intruder wants executed; because the programmer did not check the input length, the extra attack code ends up occupying the memory behind the input buffer and is executed. Don't assume that 200 characters are enough for a login user name and skip the length check. As the saying goes, you guard against the villain, not the gentleman; the intruder will try every means of attack.

(2) Unexpected joint use problem: A program is often composed of multiple layers of code with different functions, even involving the lowest operating system level. Intruders usually use this feature to input different content for different layers in order to achieve the purpose of stealing information. For example: for a program written in Perl, the intruder can enter something like "mail operating system to call the mail program, and send an important password file to the intruder. Borrow a knife to kill someone, borrow a Mail to send a "letter"; it is truly clever!

(3) No expected check of input content: Some programmers are afraid of trouble and do not perform expected-match checks on input content, which makes the intruder's job of delivering "bombs" easy and simple.

(4) Race conditions: There are more and more multi-tasking and multi-threaded programs. While improving operating efficiency, we must also pay attention to the problem of race conditions. For example: Program A and Program B both operate on a file in the order "read/modify/write". When A has finished reading and modifying, B starts and immediately executes all of its "read/modify/write" tasks. At this time, A continues with its write, and the result is that B's operation has no effect! Intruders may use this vulnerability in the processing sequence to rewrite some important files to achieve the purpose of breaking into the system. Therefore, programmers should pay attention to the sequence of file operations and locking issues.
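
The length check and the expected-content check that items (1) and (3) call for, as an added example that is not part of the original page: the unchecked copy sits beside a checked one. The function names, the NAME_BUF constant for the 200-character login name, and the allowed character set are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 200  /* the "200 characters" login-name buffer from the text */

enum name_status { NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/* Flawed form, kept for contrast and never called here: strcpy() copies up to
 * the NUL byte, so input of NAME_BUF bytes or more is written past dst. */
void copy_name_unchecked(char dst[NAME_BUF], const char *input) {
    strcpy(dst, input);
}

/* Checked form: bound the length first, then match the content against what a
 * login name is expected to hold (assumed here: letters, digits, '_', '-', '.'). */
enum name_status copy_name_checked(char dst[NAME_BUF], const char *input) {
    size_t len = 0;
    while (len < NAME_BUF && input[len] != '\0')  /* never scans past NAME_BUF */
        len++;
    if (len == 0)
        return NAME_EMPTY;
    if (len == NAME_BUF)
        return NAME_TOO_LONG;                     /* no room left for the NUL */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return NAME_BAD_CHAR;
    }
    memcpy(dst, input, len + 1);                  /* the copy includes the NUL */
    return NAME_OK;
}

/* Constructed input: a login name made of n copies of 'A' (n must be < 512). */
enum name_status check_length(size_t n) {
    char input[512], name[NAME_BUF];
    memset(input, 'A', n);
    input[n] = '\0';
    return copy_name_checked(name, input);
}

int main(void) {
    char name[NAME_BUF];
    printf("alice=%d len199=%d len200=%d a;b=%d\n",
           copy_name_checked(name, "alice"), check_length(199),
           check_length(200), copy_name_checked(name, "a;b"));
    return 0;
}
```

The boundary sits at 199 characters, not 200, because the terminating NUL byte also has to fit in the buffer.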
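
The A/B sequence from item (4), replayed deterministically inside one process as an added example (not code from the original page): without a lock B's update is overwritten, and with an exclusive flock() held across the whole read/modify/write it survives. The file name, the +1 and +10 updates and the helper names are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

static long read_val(int fd) {
    char buf[16] = {0};
    lseek(fd, 0, SEEK_SET);
    return read(fd, buf, sizeof buf - 1) < 0 ? -1 : strtol(buf, NULL, 10);
}

static void write_val(int fd, long v) {
    char buf[16];
    int n = snprintf(buf, sizeof buf, "%10ld\n", v);
    lseek(fd, 0, SEEK_SET);
    if (write(fd, buf, (size_t)n) != n) perror("write");
}

/* One file holds a number as a fixed-width record; A adds 1 and B adds 10.
 * use_lock=0: B runs between A's read and A's write, so A overwrites B.
 * use_lock=1: A holds flock(LOCK_EX) over its whole read/modify/write; B is
 *             refused until A is done. Returns the final value, -1 on error. */
long run_sequence(const char *path, int use_lock) {
    int a = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    int b = open(path, O_RDWR);    /* second open(): an independent lock owner */
    if (a < 0 || b < 0) { close(a); close(b); return -1; }
    write_val(a, 0);
    if (use_lock) flock(a, LOCK_EX);
    long a_seen = read_val(a);                        /* A: read */
    int refused = use_lock && flock(b, LOCK_EX | LOCK_NB) != 0;
    if (!refused) write_val(b, read_val(b) + 10);     /* B cuts in: full cycle */
    write_val(a, a_seen + 1);                         /* A: modify and write */
    flock(a, LOCK_UN);
    if (refused) {                                    /* B had to wait for A */
        flock(b, LOCK_EX);
        write_val(b, read_val(b) + 10);
    }
    long final = read_val(a);
    close(a); close(b); unlink(path);
    return final;
}

int main(void) {
    long lost = run_sequence("race_demo.tmp", 0);
    long kept = run_sequence("race_demo.tmp", 1);
    printf("no lock: %ld, with flock: %ld\n", lost, kept);
    return 0;
}
```

flock() is advisory: it protects the file only when every program that writes it takes the same lock.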

Improper system configuration

(1) Insufficient default configuration: Many systems have default security configuration information after installation, which is usually described as "easy to use". Unfortunately, easy to use also means easy to break in. Therefore, the default configuration must be abandoned.

(2) Administrator laziness: One of the manifestations of laziness is to keep the administrator password empty after the system is installed and not modify it afterwards. You know, the first thing the intruder has to do is to search the network for such machines with an empty password for the administrator.

(3) Temporary port: Sometimes, for testing purposes, the administrator will open a temporary port on the machine but forget to close it after the test, which gives the intruder a hole to find and a leak to drill into. The usual solution is: unless a port is mandatory, prohibit it! In general, security audit data packets can be used to discover such ports and notify the administrator.

(4) Trust relationship: Systems between networks often establish trust relationships to facilitate resource sharing, but this also gives intruders the possibility of indirect attacks. For example, as long as one machine in the trust group is compromised, it is possible to further attack other machines. Therefore, trust relationships must be strictly reviewed to ensure a true security alliance.

Password theft

(1) Weak password: Although a password is set, it is so simple that it could not be easier for a cunning intruder to crack.

(2) Dictionary attack: The intruder uses a program with a dictionary database containing user names and passwords to continuously try to log in to the system until it successfully enters. There is no doubt that the key to this method lies in having a good dictionary.

(3) Brute force attack: Similar to a dictionary attack, but the dictionary is dynamic, that is, the dictionary contains all possible character combinations. For example, a 4-character password containing uppercase and lowercase has about 500,000 combinations, and a 7-character password containing uppercase and lowercase and punctuation has about 10 trillion combinations. For the latter, it takes about a few months for a general computer to test them all. See the benefit of long passwords; it really pays off!

Sniffing unencrypted communication data

(1) Shared media: The traditional Ethernet structure makes it very convenient for an intruder to place a sniffer on the network to view the communication data on the network segment, but if a switched Ethernet structure is adopted, sniffing becomes very difficult.

(2) Server sniffing: Switched networks also have an obvious shortcoming. Intruders can install sniffer software on a server, especially a server that performs a routing function, and then use the collected information to break into client machines and trusted machines. For example, although the user's password is not known, when the user logs in using Telnet software, the intruder can sniff the password the user entered.

(3) Remote sniffing: Many devices have an RMON (Remote Monitor, remote monitoring) function so that managers can use public community strings for remote debugging. With the continuing spread of broadband, intruders are becoming more and more interested in this backdoor.

Design flaws

(1) TCP/IP protocol flaws: The TCP/IP protocol is now widely used, but it was designed long before intruders became as rampant as they are today. Therefore, there are many deficiencies that cause security vulnerabilities, such as smurf attacks, ICMP Unreachable packet disconnection, IP address spoofing, and SYN flood. However, the biggest problem is that the IP protocol is very easy to "trust", that is, intruders can forge and modify IP data packets at will without being discovered. The IPsec protocol has been developed to overcome this shortcoming, but it has not been widely used.

System attack

A system attack refers to a person's illegal use or destruction of resources in an information system, as well as unauthorized acts that cause the system to lose part or all of its service functions.

Attack activity can be roughly divided into two types: remote attack and internal attack. Now, with the progress of the Internet, remote attack technology has developed greatly, the threats are getting bigger and bigger, and more system vulnerabilities and related knowledge are involved, so it has important research value.
