Gibson Index


Glossary of Information Security Terminology

Approachable definitions for common terms used in information security discussions.

This is a work in progress. Contributions and suggestions are encouraged - tweet to @Gibson_Index or email "admin at gibsonindex.org" to help out.

0-day

A "0-day exploit" is a tool or a piece of example code that is released on the same day as (or even before) a vulnerability is announced in a piece of software or a service. They are typically very bad news, because they can often allow hackers and criminals to gain full access to systems and software. Sometimes they will be documented as a mere "proof of concept", without such dire consequences - but other times, they will be kept secret and sold on the black market for other hackers and criminals to use in their efforts.

Certificate Authority

A Certificate Authority is a trusted organization that can sell secure signatures for servers to use in their communication. When you go to an HTTPS website, your web browser downloads the "SSL Certificate" from the server and checks its signature against the certificate authorities registered on the local system - if it matches, you will be shown the secure lock icon. If no match is found, your browser will warn you that the site cannot be trusted.

Distributed Denial of Service Attack (DDoS)

Denial of Service is a common and simple way to disrupt the usability of a website or service.

It is analogous to a blockade, where a group of people forcefully shove other people out of the way. In a DDoS, this shoving is usually carried out by a network of remotely-controlled computers (a "botnet") - they bombard the target with requests, preventing legitimate requests from getting through. These attacks are usually short-lived in nature, and typically don't represent a risk to privacy or security.

Doxing

This is the practice of cyberstalking someone, retrieving private information about them, and then releasing it publicly.

Password Hashing

Hashing is a process that scrambles data one-way (instead of encrypting it) so that it can't be reversed into the original string.

It is important to note that most hashing algorithms are designed to quickly identify that a file contains the data that is expected to be there, and that the file has not been corrupted during the download process. In other words, they are designed for speed. That makes them unsuitable for Password Hashing, because this very speed makes it very easy to generate billions of possible combinations to guess the password.

Dedicated password hashing algorithms generally have a way of slowing down this speed factor, to intentionally make it take a long time (up to 1 second) to examine the password. Generating billions of possible combinations with these algorithms (PBKDF2, bcrypt, scrypt) would take billions of seconds.

Password Salting

Salting is a way to append a precomputed value to a password before (and sometimes during) the hashing process. It acts as a control value which guarantees the password value stored in the database will not be identical to that of another user, even if they used the same password. It is a highly recommended way of ensuring password security.
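The two entries above (Password Hashing and Password Salting) combined in one sketch, as an added example that is not part of the original glossary. It assumes a random 16-byte salt per user and an iteration count of 200,000; the function names and the in-memory `db` dictionary are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor: raise it until one hash is as slow as your login flow tolerates.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key). PBKDF2 mixes the salt in as its own input rather than appending it."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def fast_unsalted_hash(password: str) -> str:
    """The unsuitable approach: a fast file-integrity hash with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(db: dict, user: str, password: str) -> None:
    """Store only the salt and the derived key, never the password itself."""
    db[user] = hash_password(password)


if __name__ == "__main__":
    db = {}
    register(db, "alice", "correct horse")  # constructed sample users
    register(db, "bob", "correct horse")    # same password on purpose
    print("stored values differ:", db["alice"][1] != db["bob"][1])
    print("unsalted values equal:",
          fast_unsalted_hash("correct horse") == fast_unsalted_hash("correct horse"))
    print("login ok:", verify_password("correct horse", *db["alice"]))
```

The salt is stored in the clear next to the derived key; it does not need to be secret, only different for each user.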

Peerjacking / Man-In-The-Middle (MITM)

This is the act of impersonating servers in order to intercept communications.

Normally when you connect to a secure server, the certificate it provides is tightly matched to the domain you are accessing. However, someone could use a breach at a trusted certificate authority to generate a replacement certificate that most browsers would see as "valid"; this would allow the attacker to put their own server between you and the server you think you're talking to. Because the certificate would appear to be trusted, you wouldn't notice that there was an issue at all - but the attacker would be able to see everything you're sending to the remote server, and in many cases they would also be able to modify it for their own purposes.

PHP and cURL: Many developers don't know the risks of Peerjacking; they only see the inconvenience of having to verify that certificates can be trusted. As a result, they often disable peer verification and host verification - this makes it SO MUCH EASIER to peerjack their communications: no impersonation is needed, any SSL certificate (even a free self-signed one) will be accepted, regardless of validity.

If you are programming in PHP with cURL - or any library that uses cURL - make sure that CURLOPT_SSL_VERIFYPEER is set to "TRUE", and CURLOPT_SSL_VERIFYHOST is set to "2". Otherwise, you are vulnerable to peerjacking.
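One way to check a code base for the two settings named above, as an added example that is not part of the original glossary: a small Python scanner that flags any PHP line setting CURLOPT_SSL_VERIFYPEER to something other than TRUE or CURLOPT_SSL_VERIFYHOST to something other than 2. The function name `audit_php` and the PHP snippet are constructed for illustration.

```python
import re

# Matches both curl_setopt($ch, OPTION, value) and the array form OPTION => value.
SETTING = re.compile(
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*([^\s,;)\]]+)",
    re.IGNORECASE,
)

# Values the glossary entry treats as safe; anything else is reported.
SAFE = {
    "CURLOPT_SSL_VERIFYPEER": {"true", "1"},
    "CURLOPT_SSL_VERIFYHOST": {"2"},
}


def audit_php(source: str):
    """Return (line number, option, value) for every unsafe verification setting."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip whole-line comments; trailing comments are not parsed
        for option, value in SETTING.findall(line):
            option = option.upper()
            value = value.strip("'\"").lower()
            if value not in SAFE[option]:
                findings.append((lineno, option, value))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE_PHP = '''\
<?php
$ch = curl_init("https://api.example.test/v1/orders");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$ok = curl_init("https://api.example.test/v1/status");
curl_setopt_array($ok, [
    CURLOPT_SSL_VERIFYPEER => TRUE,
    CURLOPT_SSL_VERIFYHOST => 2,
]);
curl_setopt($ok, CURLOPT_SSL_VERIFYHOST, true);
'''

if __name__ == "__main__":
    for lineno, option, value in audit_php(SAMPLE_PHP):
        print(f"line {lineno}: {option} set to {value}")
```

Note the last finding: a boolean `true` for CURLOPT_SSL_VERIFYHOST is not the required value of 2, so it is reported as well.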

Rootkit

A rootkit is a system-level backdoor that people would install once they have gained access to your desktop or server. It would give them full access to the system, and it is typically very difficult to spot one in action (unless you are looking, e.g. with full file auditing records) and difficult to be certain you've fully removed it.

Spearphishing

Spearphishing is the practice of sending highly targeted phishing emails that leverage information about an individual or their acquaintances to appear innocuous, compelling the user to interact and reveal information to the attacker. This information is then used to compromise various accounts and systems that the victim has access to.

SQL Injection

Passing user input directly to the database without checking that it's safe is a cardinal sin. By carefully crafting input, people can use this improper handling of user input to do things like wipe out your database or give themselves administrative access to your system. They might also be able to inject values that will be echoed back to other users, which can contain exploit code.
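The difference between passing input directly and passing it as a parameter, as an added example that is not part of the original glossary. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table, function names and sample inputs are hypothetical.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return db


def lookup_concatenated(db, name: str):
    """Unsafe pattern: the input becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, name: str):
    """Safe pattern: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]


# Constructed inputs: one that rewrites the WHERE clause, one ordinary surname.
CRAFTED = "nobody' OR '1'='1"
APOSTROPHE = "O'Brien"


def concatenated_breaks_on(db, name: str) -> bool:
    """True if harmless input makes the concatenated query fail to parse."""
    try:
        lookup_concatenated(db, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, CRAFTED))   # every user comes back
    print("parameterized:", lookup_parameterized(db, CRAFTED))  # no user has that name
    print("apostrophe breaks concatenation:", concatenated_breaks_on(db, APOSTROPHE))
    print("apostrophe with parameter:", lookup_parameterized(db, APOSTROPHE))
```

A query that fails on an ordinary apostrophe is a useful warning sign in testing: it means input is being parsed as SQL somewhere.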

Watering Hole Attack

When people use something like SQL injection to insert malware onto highly-visited websites, it can spread the infection to all of the visitors. One recent watering hole attack used a forum for developers of mobile applications - the attack managed to spread to developers who worked at Twitter, Facebook, and Apple (amongst many other companies).