
Information Security Primer
From Social Engineering to SQL Injection...and Everything Beginning with P

PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information.
PDF generated at: Tue, 18 Aug 2009 21:14:59 UTC
Contents
Articles
It Begins with S 1
Social engineering (security) 1
Spyware 7
SQL injection 26

Bonus Material 34
Password cracking 34

References
Article Sources and Contributors 41
Image Sources, Licenses and Contributors 43

Article Licenses
License 44

It Begins with S

Social engineering (security)


Social engineering is the act of manipulating people into performing actions or divulging
confidential information. While similar to a confidence trick or simple fraud, the term
typically applies to trickery or deception for the purpose of information gathering, fraud, or
computer system access; in most cases the attacker never comes face-to-face with the
victim.

Social engineering techniques and terms


All social engineering techniques are based on specific attributes of human decision-making
known as cognitive biases.[1] These biases, sometimes called "bugs in the human
hardware," are exploited in various combinations to create attack techniques, some of
which are listed here:

Pretexting
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a
targeted victim to release information or perform an action and is typically done over the
telephone. It is more than a simple lie as it most often involves some prior research or set
up and the use of pieces of known information (e.g. for impersonation: date of birth, Social
Security Number, last bill amount) to establish legitimacy in the mind of the target.[2]
This technique is often used to trick a business into disclosing customer information, and is
used by private investigators to obtain telephone records, utility records, banking records
and other information directly from junior company service representatives. The
information can then be used to establish even greater legitimacy under tougher
questioning with a manager (e.g., to make account changes, get specific balances, etc.).
As most U.S. companies still authenticate a client by asking only for a Social Security
Number, date of birth, or mother's maiden name, the method is effective in many situations
and will likely continue to be a security problem in the future.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or
insurance investigators — or any other individual who could have perceived authority or
right-to-know in the mind of the targeted victim. The pretexter must simply prepare
answers to questions that might be asked by the victim. In some cases all that is needed is a
voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher
sends an e-mail that appears to come from a legitimate business—a bank, or credit card
company—requesting "verification" of information and warning of some dire consequence if
it is not provided. The e-mail usually contains a link to a fraudulent web page that seems
legitimate—with company logos and content—and has a form requesting everything from a
home address to an ATM card's PIN.


For example, 2003 saw the proliferation of a phishing scam in which users received e-mails
supposedly from eBay claiming that the user’s account was about to be suspended unless a
link provided was clicked to update a credit card (information that the genuine eBay
already had). Because it is relatively simple to make a Web site resemble a legitimate
organization's site by mimicking the HTML code, the scam counted on people being tricked
into thinking they were being contacted by eBay and subsequently, were going to eBay’s
site to update their account information. By spamming large groups of people, the
“phisher” counted on the e-mail being read by a percentage of people who already had
listed credit card numbers with eBay legitimately, who might respond.
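The eBay scheme above works because the e-mail's visible text and the real link target disagree, or the target is not under the organisation's domain at all. The following is an added example, not code from the original page, showing the check a mail gateway or awareness tool can apply to a suspected message: it parses the HTML body, extracts every link, and flags targets that are bare IP addresses, that fall outside the claimed sender domain, or whose displayed URL names a different host than the real href. The message body, the claimed domain and all URLs in it are constructed for the example and are not real phishing indicators.

```python
"""Flag deceptive links in an HTML e-mail, the kind of check a mail
gateway or a user-awareness tool applies to a suspected phishing message.

Added example for the phishing discussion above; it is not code from the
original page. The message body, the claimed sender domain and the URLs in
it are constructed for this example and are not real phishing indicators.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that claims to come from eBay. Two of the
# three links point somewhere else; the third is genuine.
SAMPLE_EMAIL = """
<p>Dear member,</p>
<p>Your account will be suspended unless you
<a href="http://203.0.113.7/ebay/update.php">update your credit card</a>
within 24 hours. You can also go to
<a href="http://signin.ebay.example.net/verify">http://signin.ebay.com/verify</a>
to confirm your details.</p>
<p>Questions? See <a href="https://www.ebay.com/help">our help pages</a>.</p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. A public-suffix list would be needed
    for names like example.co.uk; this approximation is enough here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True when the link host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html, claimed_domain):
    """Return one finding per link with the reasons it looks deceptive."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("link target is a bare IP address")
        elif registrable_domain(host) != claimed_domain.lower():
            reasons.append(f"link host {host} is not under {claimed_domain}")
        # The visible text is itself a URL: it must agree with the real target.
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if shown != host:
                reasons.append(f"shown URL host {shown} differs from real host {host}")
        findings.append({"href": href, "text": text, "reasons": reasons,
                         "suspicious": bool(reasons)})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, "ebay.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  ({'; '.join(f['reasons']) or 'no issues'})")
```

On the sample message the first two links are flagged (one for the IP-literal host, one for both the foreign domain and the mismatch between shown and real host) and the genuine help link passes. The domain comparison deliberately uses the registrable domain rather than the full host, so legitimate subdomains of the claimed sender are not reported.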

IVR or phone phishing


This technique uses a rogue Interactive voice response (IVR) system to recreate a
legitimate sounding copy of a bank or other institution's IVR system. The victim is prompted
(typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free) number
provided in order to "verify" information. A typical system will reject log-ins continually,
ensuring the victim enters PINs or passwords multiple times, often disclosing several
different passwords. More advanced systems transfer the victim to the attacker posing as a
customer service agent for further questioning.
One could even record the typical commands ("Press one to change your password, press
two to speak to customer service" ...) and play back the direction manually in real time,
giving the appearance of being an IVR without the expense.
The technical name for phone phishing is vishing.

Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the
curiosity or greed of the victim.[3]
In this attack, the attacker leaves a malware infected floppy disc, CD ROM, or USB flash
drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a
legitimate looking and curiosity-piquing label, and simply waits for the victim to use the
device.
For example, an attacker might create a disk featuring a corporate logo, readily available
off the target's web site, and write "Executive Salary Summary Q2 2009" on the front. The
attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of
the targeted company. An unknowing employee might find it and subsequently insert the
disk into a computer to satisfy their curiosity, or a good samaritan might find it and turn it
in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the
contents, the user would unknowingly install malware on it, likely giving an attacker
unfettered access to the victim's PC and perhaps, the targeted company's internal computer
network.
Unless computer controls block the infection, PCs set to "auto-run" inserted media may be
compromised as soon as a rogue disk is inserted.
Quid pro quo


Quid pro quo means something for something:
• An attacker calls random numbers at a company claiming to be calling back from
technical support. Eventually they will hit someone with a legitimate problem, grateful
that someone is calling back to help them. The attacker will "help" solve the problem and
in the process have the user type commands that give the attacker access or launch
malware.
• In a 2003 information security survey, 90% of office workers gave researchers what they
claimed was their password in answer to a survey question in exchange for a cheap
pen.[4] Similar surveys in later years obtained similar results using chocolates and other
cheap lures, although they made no attempt to validate the passwords.[5]

Other types
Common confidence tricksters or fraudsters also could be considered "social engineers" in
the wider sense, in that they deliberately deceive and manipulate people, exploiting human
weaknesses to obtain personal benefit. They may, for example, use social engineering
techniques as part of an IT fraud.
The latest type of social engineering techniques include spoofing or hacking IDs of people
having popular e-mail IDs such as Yahoo, Gmail, Hotmail, etc. Among the many motivations
for deception are:
• Phishing credit-card account numbers and their passwords.
• Hacking private e-mails and chat histories, and manipulating them by using common
editing techniques before using them to extort money and creating distrust among
individuals.
• Hacking websites of companies or organizations and destroying their reputation.

Notable social engineers

Kevin Mitnick
Reformed computer criminal and later, security consultant Kevin Mitnick popularized the
term 'social engineering', pointing out that it is much easier to trick someone into giving a
password for a system than to spend the effort to hack into the system.[6] He claims it was
the single most effective method in his arsenal.

The Badir Brothers


Ramy, Muzher, and Shadde Badir - brothers, all of whom were blind from birth, managed to
set up an extensive phone and computer fraud scheme in Israel in the 1990s using social
engineering, voice impersonation, and Braille-display computers.[7]
Others
Other noted social engineers include Frank Abagnale, Dave Buchwald, David Bannon, Peter
Foster, Stanley Mark Rifkin and Steven Jay Russell.

United States law


In common law, pretexting is an invasion of privacy tort of appropriation.[8]

Pretexting of telephone records


In December 2006, United States Congress approved a Senate sponsored bill making the
pretexting of telephone records a federal felony with fines of up to $250,000 and ten years
in prison for individuals (or fines of up to $500,000 for companies). It was signed by
president George W. Bush on January 12, 2007.[9]

Federal legislation
The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of
banking records as an illegal act punishable under federal statutes.
When a business entity such as a private investigator, SIU insurance investigator, or an
adjuster conducts any type of deception, it falls under the authority of the Federal Trade
Commission (FTC). This federal agency has the obligation and authority to ensure that
consumers are not subjected to any unfair or deceptive business practices.
US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the
Commission shall have reason to believe that any such person, partnership, or corporation
has been or is using any unfair method of competition or unfair or deceptive act or practice
in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in
respect thereof would be to the interest of the public, it shall issue and serve upon such
person, partnership, or corporation a complaint stating its charges in that respect...."
The statute states that when someone obtains any personal, non-public information from a
financial institution or the consumer, their action is subject to the statute. It relates to the
consumer's relationship with the financial institution. For example, a pretexter using false
pretenses either to get a consumer's address from the consumer's bank, or to get a
consumer to disclose the name of his or her bank, would be covered. The determining
principle is that pretexting only occurs when information is obtained through false
pretenses.
While the sale of cell telephone records has gained significant media attention, and
telecommunications records are the focus of the two bills currently before the United
States Senate, many other types of private records are being bought and sold in the public
market. Alongside many advertisements for cell phone records, wireline records and the
records associated with calling cards are advertised. As individuals shift to VoIP
telephones, it is safe to assume that those records will be offered for sale as well.
Currently, it is legal to sell telephone records, but illegal to obtain them.[10]
U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce
Subcommittee on Telecommunications and the Internet, expressed concern over the easy
access to personal cell phone records on the Internet during Wednesday's E&C Committee
hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?"
Illinois became the first state to sue an online records broker when Attorney General Lisa
Madigan sued 1st Source Information Specialists, Inc., on 20 January, a spokeswoman for
Madigan's office said. The Florida-based company operates several Web sites that sell cell
telephone records, according to a copy of the suit.
The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suit
on 24 January and 30 January, respectively, against 1st Source Information Specialists and,
in Missouri's case, one other records broker - First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits
against records brokers, with Cingular winning an injunction against First Data Solutions
and 1st Source Information Specialists on January 13.
U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed
at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would
create felony criminal penalties for stealing and selling the records of mobile phone,
landline, and Voice over Internet Protocol (VoIP) subscribers.
Hewlett Packard's former Chairman, Patricia Dunn, reported that the HP board hired a
private investigation company to delve into who was responsible for leaks within the board.
Dunn acknowledged that this company used the practice of pretexting to solicit the
telephone records of board members and journalists. Chairman Dunn later apologized for
this act and offered to step down from the board if it was desired by board members.[11]
Unlike Federal law, California law specifically forbids such pretexting, and this case is
being investigated by the California Attorney General.

In popular culture
• In the film Hackers, the protagonist used a form of social engineering, where the main
character accessed a TV network's control system by telephoning the security guard for
the telephone number to the station's modem, posing as an important executive.
Although the film is not highly accurate, the particular method demonstrates the power
of social engineering when applied to criminal behavior.
• In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential
information is one of the methods used by the killer, Phate, to get close to his victims.
• In the movie Live Free or Die Hard, Justin Long is seen pretexting that his father is dying
from a heart attack to have a BMW Assist representative start what will become a stolen
car.
• In the movie Sneakers, one of the characters poses as a low level security guard's
superior in order to convince him that a security breach is just a false alarm.
• In the movie The Thomas Crown Affair, one of the characters poses over the telephone as
a museum guard's superior in order to move the guard away from his post.
• In the James Bond movie Diamonds Are Forever, Bond is seen gaining entry to the Whyte
laboratory with a then-state-of-the-art card-access lock system by "tailgating". He merely
waits for an employee to come to open the door, then posing himself as a rookie at the
lab, fakes inserting a non-existent card while the door is unlocked for him by the
employee.
See also
• Phishing
• Confidence trick
• Certified Social Engineering Prevention Specialist (CSEPS)
• Media pranks, which often use similar tactics (though usually not for criminal purposes)
• Physical information security
• Vishing
• SMiShing

References

Further reading
• Boyington, Gregory. (1990). Baa Baa Black Sheep Published by Bantam Books ISBN
0-553-26350-1
• Leyden, John. April 18, 2003. Office workers give away passwords for a cheap pen [12].
The Register. Retrieved 2004-09-09.
• Long, Johnny. (2008). No Tech Hacking - A Guide to Social Engineering, Dumpster Diving,
and Shoulder Surfing Published by Syngress Publishing Inc. ISBN 978-1-59749-215-7
• Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security
Countermeasures Published by Gower Publishing Ltd. ISBN 0566087731 or ISBN
978-0-566-08773-8
• Mitnick, Kevin, Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security
Publishing.
• Mitnick, Kevin, Simon, William L., Wozniak, Steve. (2002). The Art of Deception:
Controlling the Human Element of Security Published by Wiley. ISBN 0-471-23712-4 or
ISBN 0-764-54280-X

External links
• Social Engineering Fundamentals [13] - Securityfocus.com. Retrieved on August 3rd,
2009.
• Social Engineering, the USB Way [14] - DarkReading.com. Retrieved on July 7th, 2006.
• Should Social Engineering be a part of Penetration Testing? [15] - Darknet.org.uk.
Retrieved on August 3rd, 2009.
• "Protecting Consumers' Phone Records" [16] - US Committee on Commerce, Science, and
Transportation. Retrieved on February 8th, 2006.
• Plotkin, Hal. Memo to the Press: Pretexting is Already Illegal [17]. Retrieved on September
9th, 2006.
• Striptease for passwords [18] - MSNBC.MSN.com. Retrieved on November 1st, 2007.
References
[1] Mitnick, K: "CSEPS Course Workbook" (2004), unit 3, Mitnick Security Publishing.
[2] "Pretexting: Your Personal Information Revealed (http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm)," Federal Trade Commission
[3] http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
[4] Office workers give away passwords (http://www.theregister.co.uk/content/55/30324.html)
[5] Passwords revealed by sweet deal (http://news.bbc.co.uk/1/hi/technology/3639679.stm)
[6] Mitnick, K: "CSEPS Course Workbook" (2004), p. 4, Mitnick Security Publishing.
[7] http://www.wired.com/wired/archive/12.02/phreaks.html
[8] Restatement 2d of Torts § 652C.
[9] Congress outlaws pretexting (http://arstechnica.com/news.ars/post/20061211-8395.html), Eric Bangeman, 12/11/2006 11:01:01, Ars Technica
[10] Mitnick, K (2002): "The Art of Deception", p. 103 Wiley Publishing Ltd: Indianapolis, Indiana; United States of America. ISBN 0-471-23712-4
[11] HP chairman: Use of pretexting 'embarrassing' (http://news.com.com/HP+chairman+Use+of+pretexting+embarrassing/2100-1014_3-6113715.html?tag=nefd.lede) Stephen Shankland, 2006-09-08 1:08 PM PDT CNET News.com
[12] http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
[13] http://www.securityfocus.com/infocus/1527
[14] http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
[15] http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/
[16] http://www.epic.org/privacy/iei/sencomtest2806.html
[17] http://www.plotkin.com/blog-archives/2006/09/memo_to_the_pre.html
[18] http://www.msnbc.msn.com/id/21566341/

Spyware
Spyware is a type of malware that is installed on computers and that collects information
about users without their knowledge. The presence of spyware is typically hidden from the
user. Typically, spyware is secretly installed on the user's personal computer. Sometimes,
however, spywares such as keyloggers are installed by the owner of a shared, corporate, or
public computer on purpose in order to secretly monitor other users.
While the term spyware suggests software that secretly monitors the user's behavior, the
functions of spyware extend well beyond simple monitoring. Spyware programs can collect
various types of personal information, such as Internet surfing habits and sites that have
been visited, but can also interfere with user control of the computer in other ways, such as
installing additional software and redirecting Web browser activity. Spyware is known to
change computer settings, resulting in slow connection speeds, different home pages,
and/or loss of Internet or functionality of other programs. In an attempt to increase the
understanding of spyware, a more formal classification of its included software types is
captured under the term privacy-invasive software.
In response to the emergence of spyware, a small industry has sprung up dealing in
anti-spyware software. Running anti-spyware software has become a widely recognized
element of computer security practices for computers, especially those running Microsoft
Windows. A number of jurisdictions have passed anti-spyware laws, which usually target
any software that is surreptitiously installed to control a user's computer. The US Federal
Trade Commission has placed on the Internet a page of advice to consumers about how to
lower the risk of spyware infection, including a list of "do's" and "don'ts."[1]
History and development


The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post
that poked fun at Microsoft's business model.[2] Spyware at first denoted hardware meant
for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund,
used the term in a press release [3] for the ZoneAlarm Personal Firewall.[4] Since then,
"spyware" has taken on its present sense.[4] According to a 2005 study by AOL and the
National Cyber-Security Alliance, 61 percent of surveyed users' computers had some form
of spyware. 92 percent of surveyed users with spyware reported that they did not know of
its presence, and 91 percent reported that they had not given permission for the installation
of the spyware.[5] As of 2006, spyware has become one of the preeminent security threats
to computer systems running Microsoft Windows operating systems. Computers where
Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not
only because IE is the most widely-used,[6] but because its tight integration with Windows
allows spyware access to crucial parts of the operating system.[6] [7]
Before Internet Explorer 7 was released, the browser would automatically display an
installation window for any ActiveX component that a website wanted to install. The
combination of user naiveté towards malware and the assumption by Internet Explorer that
all ActiveX components are benign, led, in part, to the massive spread of spyware. Many
spyware components would also make use of exploits in Javascript, Internet Explorer and
Windows to install without user knowledge or permission.
The Windows Registry contains multiple locations whose key values, when modified, cause
software to be executed automatically when the operating system boots. Spyware can
exploit this design to circumvent attempts at removal. The spyware typically will link itself
from each location in the registry that allows execution. Once running, the spyware will
periodically check whether any of these links have been removed. If so, they will be
automatically restored. This ensures that the spyware will execute when the operating
system is booted even if some (or most) of the registry links are removed.
Trend Micro Inc. defines spyware as "[...] a program that monitors and gathers user
information for different purposes."[8]
McAfee Inc. defines spyware as "Software that transmits personal information to a third
party without the user's knowledge or consent."[9]
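The registry behaviour just described has a detection signature of its own: the same executable registered under several autorun locations at once, new or changed autorun values relative to a known-good baseline, and entries that reappear after an administrator deletes them. The following is an added example, not code from the original page, that runs those three checks over registry snapshots. It works on in-memory snapshots (dicts of key path to value-name/command pairs) so it runs offline; on a live Windows system the same dicts would be filled from the standard winreg module. The key paths are real autorun locations; every entry in the snapshots, including the name sysupd.exe, is constructed sample data and not a known spyware file.

```python
"""Audit Windows autorun registry locations for spyware-style persistence.

Added example for the registry passage above; not code from the original
page. It operates on snapshots (dicts of key -> {value name: command}) so
it runs offline; on a live system the snapshots would be read with the
standard winreg module. All entries below are constructed sample data and
"sysupd.exe" is a made-up name, not a known spyware file.
"""
import re

# Registry locations that launch programs at boot or logon (real key paths).
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed "known good" snapshot taken while the machine was clean.
BASELINE = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,"},
}

# Constructed snapshot after an infection: one program is registered in
# every autorun location, under different value names and letter cases.
CURRENT = {
    RUN_HKLM: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "SysUpdate": r"C:\Windows\Temp\sysupd.exe /silent",
    },
    RUNONCE_HKLM: {"*SysUpdate": r"C:\Windows\Temp\sysupd.exe"},
    RUN_HKCU: {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "sysupd": r'"C:\WINDOWS\TEMP\SYSUPD.EXE"',
    },
    WINLOGON: {"Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\Temp\sysupd.exe"},
}

# A quoted path (may contain spaces) or a bare path ending in .exe.
EXE_RE = re.compile(r'"([^"]*?\.exe)"|([^\s",]+\.exe)', re.IGNORECASE)


def executables_in(command):
    """Lower-cased .exe paths referenced by an autorun command. Handles quoted
    paths, trailing arguments and the comma-separated Userinit list."""
    return [(quoted or bare).lower() for quoted, bare in EXE_RE.findall(command)]


def persistence_map(snapshot):
    """Map each executable to every (key, value name) that launches it."""
    where = {}
    for key, values in snapshot.items():
        for name, command in values.items():
            for exe in executables_in(command):
                where.setdefault(exe, []).append((key, name))
    return where


def multi_location_entries(snapshot, min_locations=2):
    """Executables registered in several autorun locations at once: the
    redundancy the spyware relies on to survive partial removal."""
    return {exe: locs for exe, locs in persistence_map(snapshot).items()
            if len(locs) >= min_locations}


def changed_entries(baseline, current):
    """Values that are new, or whose command differs from the baseline."""
    out = []
    for key, values in current.items():
        for name, command in values.items():
            if baseline.get(key, {}).get(name) != command:
                out.append((key, name, command))
    return out


def resurrected_entries(removed, current):
    """Entries an administrator deleted that have been written back: the
    self-restoring behaviour described in the text."""
    return [(key, name) for key, name in removed if name in current.get(key, {})]


if __name__ == "__main__":
    for exe, locs in multi_location_entries(CURRENT).items():
        print(f"{exe} is registered in {len(locs)} autorun locations:")
        for key, name in locs:
            print(f"    {key}\\{name}")
    for key, name, command in changed_entries(BASELINE, CURRENT):
        print(f"new/changed: {key}\\{name} = {command}")
```

Against the sample data, the constructed sysupd.exe shows up in all four locations, four values differ from the baseline (three new, plus the altered Userinit value), and the removal-tracking check reports an entry that has been written back. Comparing by normalised executable path rather than by value name is what makes the first check useful, since the redundant entries deliberately use different names and letter cases.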

Comparison

Spyware, adware and tracking


The term adware frequently refers to any software which displays advertisements, whether
or not the user has consented. Programs such as the Eudora mail client display
advertisements as an alternative to shareware registration fees. These classify as "adware"
in the sense of advertising-supported software, but not as spyware. Adware in this form
does not operate surreptitiously or mislead the user, and provides the user with a specific
service.
Most adware is spyware in a different sense than "advertising-supported software," for a
different reason: it displays advertisements related to what it finds from spying on you.
Gator Software from Claria Corporation (formerly GATOR) and Exact Advertising's
BargainBuddy are examples. Visited Web sites frequently install Gator on client machines
in a surreptitious manner, and it directs revenue to the installing site and to Claria by
displaying advertisements to the user. The user receives many pop-up advertisements.
Other spyware behavior, such as reporting on websites the user visits, occurs in the
background. The data is used for "targeted" advertisement impressions. The prevalence of
spyware has cast suspicion upon other programs that track Web browsing, even for
statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet
Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs
such as Ad-Aware report it as such. Many of these adware distributing companies are
backed by millions of dollars of adware-generating revenues. Adware and spyware are
similar to viruses in that they can be considered malicious in nature. People are profiting
from misleading adware, sometimes known as scareware, such as Antivirus 2009.
Similarly, software bundled with free, advertising-supported programs such as P2P clients acts as
spyware (and, if removed, disables the 'parent' program), yet people are willing to download
it. This presents a dilemma for proprietors of anti-spyware products whose removal tools
may inadvertently disable wanted programs. For example, recent test results [10] show that
bundled software (WhenUSave) is ignored by popular anti-spyware program Ad-Aware, (but
removed as spyware by most scanners) because it is part of the popular (but recently
decommissioned) eDonkey client. To address this dilemma, the Anti-Spyware Coalition has
been working on building consensus within the anti-spyware industry as to what is and isn't
acceptable software behavior. To accomplish their goal, this group of anti-spyware
companies, academics, and consumer groups have collectively published a series of
documents including a definition of spyware [11], risk model [12], and best practices [13]
document.

Spyware, virus and worm


Unlike viruses and worms, spyware does not usually self-replicate. Like many recent
viruses, however, spyware—by design—exploits infected computers for commercial gain.
Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements,
theft of personal information (including financial information such as credit card numbers),
monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests
to advertising sites.
However, spyware can be dropped as a payload by a worm.
Routes of infection
Spyware does not directly spread in
the manner of a computer virus or
worm: generally, an infected system
does not attempt to transmit the
infection to other computers. Instead,
spyware gets on a system through
deception of the user or through
exploitation of software
vulnerabilities.
Most spyware is installed without users' knowledge. Since they tend not to install software
if they know that it will disrupt their working environment and compromise their privacy,
spyware deceives users, either by piggybacking on a piece of desirable software such as
Kazaa, or by tricking them into installing it (the Trojan horse method). Some "rogue"
anti-spyware programs masquerade as security software.

Figure caption: Malicious websites attempt to install spyware on readers' computers.

The distributor of spyware usually presents the program as a useful utility—for instance as
a "Web accelerator" or as a helpful software agent. Users download and install the software
without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a
program bundled with spyware[14] and targeted at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He
can talk, walk, joke, browse, search, e-mail, and download like no other friend
you've ever had! He even has the ability to compare prices on the products you
love and help you save money! Best of all, he's FREE![15]
Spyware can also come bundled with other software. The user downloads a program and
installs it, and the installer additionally installs the spyware. Although the desirable
software itself may do no harm, the bundled spyware does. In some cases, spyware authors
have paid shareware authors to bundle spyware with their software. In other cases,
spyware authors have repackaged desirable freeware with installers that slipstream
spyware.
A third way of distributing spyware involves tricking users by manipulating security
features designed to prevent unwanted installations. Internet Explorer prevents websites
from initiating an unwanted download. Instead, it requires a user action, such as clicking on
a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a
standard Windows dialog box. The box contains a message such as "Would you like to
optimize your Internet access?" with links which look like buttons reading Yes and No. No
matter which "button" the user presses, a download starts, placing the spyware on the
user's system. Later versions of Internet Explorer offer fewer avenues for this attack.
Some spyware authors infect a system through security holes in the Web browser or in
other software. When the user navigates to a Web page controlled by the spyware author,
the page contains code which attacks the browser and forces the download and installation
of spyware. The spyware author would also have some extensive knowledge of
commercially-available anti-virus and firewall software. This has become known as a
"drive-by download", which leaves the user a hapless bystander to the attack. Common
browser exploits target security vulnerabilities in Internet Explorer and in the Sun
Microsystems Java runtime.
The installation of spyware frequently involves Internet Explorer. Its popularity and history
of security issues have made it the most frequent target. Its deep integration with the
Windows environment and scriptability make it an obvious point of attack into Windows.
Internet Explorer also serves as a point of attachment for spyware in the form of Browser
Helper Objects, which modify the browser's behavior to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the
Spybot worm to install spyware that put pornographic pop-ups on the infected system's
screen.[16] By directing traffic to ads set up to channel funds to the spyware authors, they
profit personally.

Effects and behaviors


A spyware program is rarely alone on a computer: an affected machine usually has multiple
infections. Users frequently notice unwanted behavior and degradation of system
performance. A spyware infestation can create significant unwanted CPU activity, disk
usage, and network traffic. Stability issues, such as applications freezing, failure to boot,
and system-wide crashes, are also common. Spyware that interferes with networking
software commonly causes difficulty connecting to the Internet.
In some infections, the spyware is not even evident. Users assume in those situations that
the issues relate to hardware, Windows installation problems, or another infection. Some
owners of badly infected systems resort to contacting technical support experts, or even
buying a new computer because the existing system "has become too slow". Badly infected
systems may require a clean reinstallation of all their software in order to return to full
functionality.
Only rarely does a single piece of software render a computer unusable. Rather, a computer
is likely to have multiple infections. The cumulative effect, and the interactions between
spyware components, cause the symptoms commonly reported by users: a computer
that slows to a crawl, overwhelmed by the many parasitic processes running on it.
Moreover, some types of spyware disable software firewalls and anti-virus software, and/or
reduce browser security settings, thus opening the system to further opportunistic
infections, much like an immune deficiency disease. Some spyware disables or even
removes competing spyware programs, on the grounds that more spyware-related
annoyances make it even more likely that users will take action to remove the programs.
One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the
two later settled with an agreement not to disable each others' products.[17]
Some other types of spyware use rootkit-like techniques to prevent detection, and thus
removal. Targetsoft, for instance, modifies the "Winsock" Windows Sockets files. The
deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage.
A typical Windows user has administrative privileges, mostly for convenience. Because of
this, any program the user runs (intentionally or not) has unrestricted access to the system.
As with other operating systems, Windows users too are able to follow the principle of least
privilege and use non-administrator least user access accounts, or to reduce the privileges
of specific vulnerable Internet-facing processes such as Internet Explorer (through the use of
tools such as DropMyRights[18]). However, as this is not a default configuration, few users
do this.
In Windows Vista, by default, a computer administrator runs everything under limited user
privileges. When a program requires administrative privileges, Vista will prompt the user
with an allow/deny pop-up (see User Account Control). This improves on the design used by
previous versions of Windows.

Advertisements
Many spyware programs display advertisements. Some programs simply display pop-up ads
on a regular basis; for instance, one every several minutes, or one when the user opens a
new browser window. Others display ads in response to specific sites that the user visits.
Spyware operators present this feature as desirable to advertisers, who may buy ad
placement in pop-ups displayed when the user visits a particular site. It is also one of the
purposes for which spyware programs gather information on user behavior.
Many users complain about irritating or offensive advertisements as well. As with many
banner ads, many spyware advertisements use animation or flickering banners which can
be visually distracting and annoying to users. Pop-up ads for pornography often display
indiscriminately. Links to these sites may be added to the browser window, history or
search function. When children are the users, this could possibly violate anti-pornography
laws in some jurisdictions.
A number of spyware programs break the boundaries of illegality; variations of
“Zlob.Trojan” and “Trojan-Downloader.Win32.INService” have been known to show
undesirable child pornography, key gens, cracks and illegal software pop-up ads which
violate child pornography and copyright laws. [19] [20] [21] [22]
A further issue in the case of some spyware programs has to do with the replacement of
banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper
Object can replace references to a site's own advertisements (which fund the site) with
advertisements that instead fund the spyware operator. This cuts into the margins of
advertising-funded Web sites.

"Stealware" and affiliate fraud


A few spyware vendors, notably 180 Solutions, have written what the New York Times has
dubbed "stealware", and what spyware researcher Ben Edelman terms affiliate fraud, a
form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the
legitimate affiliate to the spyware vendor.
Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the
user's activity—replacing any other tag, if there is one. The spyware operator is the only
party that gains from this. The user has their choices thwarted, a legitimate affiliate loses
revenue, networks' reputations are injured, and vendors are harmed by having to pay out
affiliate revenues to an "affiliate" who is not party to a contract.[23]
Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As
a result, spyware operators such as 180 Solutions have been terminated from affiliate
networks including LinkShare and ShareSale.

Identity theft and fraud


In one case, spyware has been closely associated with identity theft.[24] In August 2005,
researchers from security software firm Sunbelt Software suspected the creators of the
common CoolWebSearch spyware had used it to transmit "chat sessions, user names,
passwords, bank information, etc.",[25] however it turned out that "it actually (was) its own
sophisticated criminal little trojan that's independent of CWS."[26] This case is currently
under investigation by the FBI.
The Federal Trade Commission estimates that 27.3 million Americans have been victims of
identity theft, and that financial losses from identity theft totaled nearly $48 billion for
businesses and financial institutions and at least $5 billion in out-of-pocket expenses for
individuals.[27]
Spyware-makers may commit wire fraud with dialer program spyware. These can reset a
modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to
these suspicious numbers involves long-distance or overseas charges which invariably
result in high call costs. Dialers are ineffective on computers that do not have a modem, or
are not connected to a telephone line.

Digital rights management


Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music
Entertainment was found to be using rootkits in its XCP digital rights management
technology.[28] Like spyware, not only was it difficult to detect and uninstall, it was so poorly
written that most efforts to remove it could have rendered computers unable to function.
Texas Attorney General Greg Abbott filed suit,[29] and three separate class-action suits were
filed.[30] Sony BMG later provided a workaround on its website to help users remove it.[31]
Beginning on April 25, 2006, Microsoft's Windows Genuine Advantage Notifications
application[32] installed on most Windows PCs as a "critical security update". While the
main purpose of this deliberately non-uninstallable application is making sure the copy of
Windows on the machine was lawfully purchased and installed, it also installs software that
has been accused of "phoning home" on a daily basis, like spyware.[33] [34] It can be
removed with the RemoveWGA tool.

Personal relationships
Spyware has been used to surreptitiously monitor electronic activities of partners in
intimate relationships, generally to uncover evidence of infidelity. At least one software
package, Loverspy, was specifically marketed for this purpose. Depending on local laws
regarding communal/marital property, observing a partner's online activity without their
consent may be illegal; the author of Loverspy and several users of the product were
indicted in California in 2005 on charges of wiretapping and various computer crimes.[35]

Browser cookies
Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that
track browsing activity, as spyware. While they are not always inherently malicious, many
users object to third parties using space on their personal computers for their business
purposes, and many anti-spyware programs offer to remove them. [36]

Examples of spyware
These common spyware programs illustrate the diversity of behaviors found in these
attacks. Note that as with computer viruses, researchers give names to spyware programs
which may not be used by their creators. Programs may be grouped into "families" based
not on shared program code, but on common behaviors, or by "following the money" of
apparent financial or business connections. For instance, a number of the spyware
programs distributed by Claria are collectively known as "Gator". Likewise, programs which
are frequently installed together may be described as parts of the same spyware package,
even if they function separately.
• CoolWebSearch, a group of programs, takes advantage of Internet Explorer
vulnerabilities. The package directs traffic to advertisements on Web sites including
coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the
infected computer's hosts file to direct DNS lookups to these sites.[37]
• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to
advertising. When users follow a broken link or enter an erroneous URL, they see a page
of advertisements. However, because password-protected Web sites (HTTP Basic
authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it
impossible for the user to access password-protected sites.[38]
• HuntBar, aka WinTools or Adware.Websearch [39], was installed by an ActiveX
drive-by download at affiliate Web sites, or by advertisements displayed by other spyware
programs—an example of how spyware can install more spyware. These programs add
toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and
display advertisements.[40] [41]
• Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service
that has been the subject of thousands of complaints to the Federal Trade Commission
(FTC), the Washington State Attorney General's Office, the Better Business Bureau, and
other agencies. Consumers complained they were held hostage by a cycle of oversized
pop-up windows demanding payment of at least $29.95, claiming that they had signed up
for a three-day free trial but had not cancelled before the trial period was over, and were
thus obligated to pay.[42] [43] The FTC filed a complaint, since settled, against Movieland
and eleven other defendants charging them with having "engaged in a nationwide
scheme to use deception and coercion to extract payments from consumers."[44]
• MyWebSearch (of Fun Web Products) has a plugin that displays a search toolbar near
the top of a browser window, and it spies to report user search-habits.[45] MyWebSearch
is notable for installing over 210 computer settings, such as over 210 MS Windows
registry keys/values.[46] [47] Beyond the browser plugin, it has settings to affect Outlook,
email, HTML, XML, etc. Although tools exist to remove MyWebSearch,[46] it can also be
deleted by hand in 1 hour by users familiar with using Regedit to find and delete the
keys/values (named with "MyWebSearch"). After a reboot, the browser returns to its prior
display appearance.
• WeatherStudio has a plugin that displays a window-panel near the bottom of a browser
window. The official website notes that it is easy to remove (uninstall) WeatherStudio
from a computer, using its own uninstall-program, such as under MS Windows
C:\Program Files\WeatherStudio.[48] Once WeatherStudio is removed, a browser returns
to the prior display appearance, without the need to modify the browser settings.
• Zango (formerly 180 Solutions) transmits detailed information to advertisers about the
Web sites which users visit. It also alters HTTP requests for affiliate advertisements
linked from a Web site, so that the advertisements make unearned profit for the 180
Solutions company. It opens pop-up ads that cover over the Web sites of competing
companies (as seen in their Zango End User License Agreement [49]).[23]
• Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and
reports information back to a control server. This information can include the search
history, the Web sites visited, and even keystrokes. More recently, Zlob has been known
to hijack routers set to defaults.[50]

Legal issues related to spyware

Criminal law
Unauthorized access to a computer is illegal under computer crime laws, such as the U.S.
Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other
countries. Since the owners of computers infected with spyware generally claim that they
never authorized the installation, a prima facie reading would suggest that the
promulgation of spyware would count as a criminal act. Law enforcement has often pursued
the authors of other malware, particularly viruses. However, few spyware developers have
been prosecuted, and many operate openly as strictly legitimate businesses, though some
have faced lawsuits.[51] [52]
Spyware producers argue that, contrary to the users' claims, users do in fact give consent
to installations. Spyware that comes bundled with shareware applications may be described
in the legalese text of an end-user license agreement (EULA). Many users habitually ignore
these purported contracts, but spyware companies such as Claria claim these demonstrate
that users have consented.
Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click
can be taken as consent to the entire text, relatively little case law has resulted from their
use. It has been established in most common law jurisdictions that a clickwrap agreement
can be a binding contract in certain circumstances.[53] This does not, however, mean that
every such agreement is a contract or that every term in one is enforceable.
Some jurisdictions, including the U.S. states of Iowa[54] and Washington,[55] have passed
laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than
the owner or operator of a computer to install software that alters Web-browser settings,
monitors keystrokes, or disables computer-security software.
In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware
Prevention Act, which would imprison creators of spyware.[56]

Administrative sanctions

US FTC actions
The US Federal Trade Commission has sued Internet marketing organizations under the
"unfairness doctrine" [57] to make them stop infecting consumers’ PCs with spyware. In one
case, that against Seismic Entertainment Productions, the FTC accused the defendants of
developing a program that seized control of PCs nationwide, infected them with spyware
and other malicious software, bombarded them with a barrage of pop-up advertising for
Seismic’s clients, exposed the PCs to security risks, and caused them to malfunction, slow
down, and, at times, crash. Seismic then offered to sell the victims an “antispyware”
program to fix the computers, and stop the popups and other problems that Seismic had
caused. On November 21, 2006, a settlement was entered in federal court under which a
$1.75 million judgment was imposed in one case and $1.86 million in another, but the
defendants were insolvent.[58]
In a second case, brought against CyberSpy Software LLC, the FTC charged that CyberSpy
marketed and sold "RemoteSpy" keylogger spyware to clients who would then secretly
monitor unsuspecting consumers’ computers. According to the FTC, Cyberspy touted
RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” The FTC
has obtained a temporary order prohibiting the defendants from selling the software and
disconnecting from the Internet any of their servers that collect, store, or provide access to
information that this software has gathered. The case is still in its preliminary stages. A
complaint filed by the Electronic Privacy Information Center (EPIC) brought the RemoteSpy
software to the FTC’s attention.[59]

Netherlands OPTA
An administrative fine, the first of its kind in Europe, has been imposed by the Independent
Authority of Posts and Telecommunications (OPTA) of the Netherlands. It applied fines with a
total value of 1,000,000 euro for infecting 22 million computers. The spyware is called
DollarRevenue. The law articles violated are art. 4.1 of the Dutch telecommunications law;
the fines have been imposed on the basis of art. 15.4 taken together with art. 15.10. Part
of these fines has to be paid by the directors of these companies in person, i.e. not from
the accounts of their companies but from their personal fortunes.[60] Since an objection
procedure has been started, the fines will only have to be paid after a Dutch court has
decided the case. The culprits maintain that the evidence for violating the two law
articles was obtained illegally. The names of the directors and the names of the companies
have not been revealed, since it is not clear that OPTA is allowed to make such information
public.[61]

Civil law
Former New York State Attorney General and former Governor of New York Eliot Spitzer
has pursued spyware companies for fraudulent installation of software.[62] In a suit brought
in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to
pay US$7.5 million and to stop distributing spyware.[63]
The hijacking of Web advertisements has also led to litigation. In June 2002, a number of
large Web publishers sued Claria for replacing advertisements, but settled out of court.
Courts have not yet had to decide whether advertisers can be held liable for spyware which
displays their ads. In many cases, the companies whose advertisements appear in spyware
pop-ups do not directly do business with the spyware firm. Rather, they have contracted
with an advertising agency, which in turn contracts with an online subcontractor who gets
paid by the number of "impressions" or appearances of the advertisement. Some major
firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which
have run their ads in spyware.[64]

Libel suits by spyware developers


Litigation has gone both ways. Since "spyware" has become a common pejorative, some
makers have filed libel and defamation actions when their products have been so described.
In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for
describing its program as "spyware".[65] PC Pitstop settled, agreeing not to use the word
"spyware", but continues to describe harm caused by the Gator/Claria software.[66] As a
result, other antispyware and antivirus companies have also used other terms such as
"potentially unwanted programs" or greyware to denote these products.

Remedies and prevention


As the spyware threat has worsened, a number of techniques have emerged to counteract
it. These include programs designed to remove or to block spyware, as well as various user
practices which reduce the chance of getting spyware on a system.
Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware
have infected a Windows computer, the only remedy may involve backing up user data, and
fully reinstalling the operating system. For instance, some versions of Vundo cannot be
completely removed by Symantec, Microsoft, PC Tools, and others because it infects
rootkit, Internet Explorer, and Windows' lsass.exe (Local Security Authority Subsystem
Service) with a randomly-filenamed dll (dynamic link library).

Anti-spyware programs
Many programmers and some commercial firms have released products dedicated to remove or
block spyware. Steve Gibson's OptOut pioneered a growing category. Programs such as
Lavasoft's Ad-Aware SE (free scans for non-commercial users, must pay for other features)
and Patrick Kolla's Spybot - Search & Destroy (all features free for non-commercial use)
rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware
programs. On December 16, 2004, Microsoft acquired the GIANT AntiSpyware software[67],
rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine
Windows XP and Windows 2003 users. In 2006, Microsoft renamed the beta software to Windows
Defender (free), and it was released as a free download in October 2006 and is included as
standard with Windows Vista.
Figure: Lavasoft's Ad-Aware 2008

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table,
adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms
expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware
authors against the authors of web sites and programs which described their products as
"spyware". However, recent versions of these major firms' home and business anti-virus
products do include anti-spyware functions, albeit treated differently from viruses.
Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and
now offers real-time protection from them (as it does for viruses).
Recently, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired anti-spyware
firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware
Professional Edition. AVG also used this product to add an integrated anti-spyware solution
to some versions of the AVG Anti-Virus family of products, and a freeware AVG
Anti-Spyware Free Edition available for private and non-commercial use. This shows a trend
by anti-virus companies to launch dedicated solutions to spyware and malware. Zone Labs,
creator of the ZoneAlarm firewall, has also released an anti-spyware program.
Anti-spyware programs can combat spyware in two ways:
1. They can provide real time protection against the installation of spyware software on
your computer. This type of spyware protection works the same way as that of anti-virus
protection in that the anti-spyware software scans all incoming network data for spyware
software and blocks any threats it comes across.
2. Anti-spyware software programs can be used solely for detection and removal of spyware
software that has already been installed onto your computer. This type of spyware
protection is normally much easier to use and more popular. With this spyware protection
software you can schedule weekly, daily, or monthly scans of your computer to detect and
remove any spyware software that has been installed on your computer. This type of
anti-spyware software scans the contents of the Windows registry, operating system files,
and installed programs on your computer and will provide a list of any threats found,
allowing you to choose what you want to delete and what you want to keep.
Figure: Microsoft Anti-Spyware, in real-time protection, blocks an instance of
AlwaysUpdateNews from being installed.
Such programs inspect the contents of the Windows registry, the operating system files,
and installed programs, and remove files and entries which match a list of known spyware
components. Real-time protection from spyware works identically to real-time anti-virus
protection: the software scans disk files at download time, and blocks the activity of
components known to represent spyware. In some cases, it may also intercept attempts to
install start-up items or to modify browser settings. Because many spyware and adware are
installed as a result of browser exploits or user error, using security software (some of
which are antispyware, though many are not) to sandbox browsers can also be effective to
help restrict any damage done.
Earlier versions of anti-spyware programs focused chiefly on detection and removal.
Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked
the installation of ActiveX-based and other spyware programs.
Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated
database of threats. As new spyware programs are released, anti-spyware developers
discover and evaluate them, making "signatures" or "definitions" which allow the software
to detect and remove the spyware. As a result, anti-spyware software is of limited
usefulness without a regular source of updates. Some vendors provide a subscription-based
update service, while others provide updates free. Updates may be installed automatically
on a schedule or before doing a scan, or may be done manually.
Not all programs rely on updated definitions. Some programs rely partly (for instance many
antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or
fully (programs falling under the class of HIPS such as BillP's WinPatrol) on historical
observation. They watch certain configuration parameters (such as certain portions of the
Windows registry or browser configuration) and report any change to the user, without
judgment or recommendation. While they do not rely on updated definitions, which may
allow them to spot newer spyware, they can offer no guidance. The user is left to determine
"what did I just do, and is this configuration change appropriate?"
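The definition-free monitoring described above, as an added example (not the code of Windows Defender, TeaTimer or WinPatrol): a watcher snapshots the watched settings, reports every later change without a verdict, and folds the changes the user accepts into its baseline. The registry paths and values are constructed stand-ins for what a real monitor would read from the Run key and browser settings.

```python
"""Definition-free change monitor in the style of the HIPS tools described
above: snapshot the watched configuration, diff later snapshots against the
baseline and report every change without a verdict, leaving the judgement to
the user. Accepted changes are folded into the baseline.

Added example, not the code of Windows Defender, TeaTimer or WinPatrol. The
snapshots are constructed dicts standing in for values that a real monitor
would read from the Run key and browser settings; the paths are illustrative.
"""
import hashlib
import json

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IE = r"HKCU\Software\Microsoft\Internet Explorer"

# Constructed baseline, accepted by the user when the monitor was installed.
BASELINE = {
    RUN + r"\OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    IE + r"\Main\Start Page": "https://www.example.com/",
    IE + r"\SearchScopes\DefaultScope": "{constructed-guid}",
}

# Constructed later snapshot: a new autostart entry, a changed start page,
# and an unchanged search provider.
LATER = {
    RUN + r"\OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    RUN + r"\syshelper": r"C:\Windows\Temp\syshelper.exe",
    IE + r"\Main\Start Page": "http://search.example-spyware.invalid/",
    IE + r"\SearchScopes\DefaultScope": "{constructed-guid}",
}


def fingerprint(snapshot):
    """Digest of a snapshot so a stored baseline can be integrity-checked."""
    canon = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ConfigWatcher:
    """Tracks drift of watched keys from the last baseline the user accepted."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)

    def changes(self, current):
        """List of (kind, key, old, new) tuples; kind is ADDED, REMOVED or CHANGED."""
        out = []
        for key in sorted(current.keys() - self.baseline.keys()):
            out.append(("ADDED", key, None, current[key]))
        for key in sorted(self.baseline.keys() - current.keys()):
            out.append(("REMOVED", key, self.baseline[key], None))
        for key in sorted(current.keys() & self.baseline.keys()):
            if current[key] != self.baseline[key]:
                out.append(("CHANGED", key, self.baseline[key], current[key]))
        return out

    def report(self, current):
        """One line per change, with no recommendation attached."""
        return [f"{kind:<8}{key}: {old!r} -> {new!r}"
                for kind, key, old, new in self.changes(current)]

    def accept(self, current, keys):
        """The user judged these changes legitimate: fold them into the
        baseline so they are not reported again. Returns the new digest."""
        for key in keys:
            if key in current:
                self.baseline[key] = current[key]
            else:
                self.baseline.pop(key, None)
        return fingerprint(self.baseline)


if __name__ == "__main__":
    watcher = ConfigWatcher(BASELINE)
    for line in watcher.report(LATER):
        print(line)
    # The user recognises the start-page change as their own; the new
    # autostart entry stays on the report until they decide about it.
    watcher.accept(LATER, [IE + r"\Main\Start Page"])
    print("still unexplained:", watcher.report(LATER))
```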
Windows Defender's SpyNet attempts to alleviate this through offering a community to
share information, which helps guide both users, who can look at decisions made by others,
and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool
used by those with a certain degree of expertise is HijackThis, which scans certain areas of
the Windows OS where spyware often resides and presents a list with items to delete
manually. As most of the items are legitimate windows files/registry entries it is advised for
those who are less knowledgeable on this subject to post a HijackThis log on the numerous
antispyware sites and let the experts decide what to delete.
If a spyware program is not blocked and manages to get itself installed, it may resist
attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware
scanner (or the user) terminates one running process, the other one respawns the killed
program. Likewise, some spyware will detect attempts to remove registry keys and
immediately add them again. Usually, booting the infected computer in safe mode allows an
anti-spyware program a better chance of removing persistent spyware. Killing the process
tree may also work.
A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) hides
inside system-critical processes and starts up even in safe mode (see rootkit). With no process
to terminate they are harder to detect and remove. Sometimes they do not even leave any
on-disk signatures. Rootkit technology is also seeing increasing use,[68] as is the use of
NTFS alternate data streams. Newer spyware programs also have specific countermeasures
against well known anti-malware products and may prevent them from running or being
installed, or even uninstall them. An example of one that uses all three methods is
Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it
even from alternate data streams scanners and actively stops popular rootkit scanners from
running.

Rogue anti-spyware programs


Malicious programmers have released a large number of rogue (fake) anti-spyware
programs, and widely distributed Web banner ads now spuriously warn users that their
computers have been infected with spyware, directing them to purchase programs which do
not actually remove spyware—or else, may add more spyware of their own.[69] [70]
The recent[71] proliferation of fake or spoofed antivirus products has occasioned some
concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners,
and sometimes feature popups prompting users to install them. This software is called
rogue software.
It is recommended that users do not install any freeware claiming to be anti-spyware unless
it is verified to be legitimate. Some known offenders include:

• AntiVirus 360
• Antivirus 2008
• Antivirus 2009
• AntiVirus Gold
• ContraVirus
• Errorsafe (AKA system doctor)
• MacSweeper
• PAL Spyware Remover
• Pest Trap
• PSGuard
• Spy Wiper
• Spydawn
• Spylocked
• Spysheriff
• SpyShredder
• Spyware Quake
• SpywareStrike
• UltimateCleaner
• WinAntiVirus Pro 2006
• WinFixer
• WorldAntiSpy

On January 26, 2006, Microsoft and the Washington state attorney general filed suit against
Secure Computer for its Spyware Cleaner product.[72] On December 4, 2006, the
Washington attorney general announced that Secure Computer had paid $1 million to settle
with the state. As of that date, Microsoft's case against Secure Computer remained
pending.[73]

Security practices
To deter spyware, computer users have found several practices useful in addition to
installing anti-spyware programs.
Many system operators install a web browser other than IE, such as Opera or Mozilla
Firefox. Though no browser is completely safe, Internet Explorer is at a greater risk for
spyware infection due to its large user base as well as vulnerabilities such as ActiveX.
Some ISPs—particularly colleges and universities—have taken a different approach to
blocking spyware: they use their network firewalls and web proxies to block access to Web
sites known to install spyware. On March 31, 2005, Cornell University's Information
Technology department released a report detailing the behavior of one particular piece of
proxy-based spyware, Marketscore, and the steps the university took to intercept it.[74]
Many other educational institutions have taken similar steps. Spyware programs which
redirect network traffic cause greater technical-support problems than programs which
merely display ads or monitor users' behavior, and so may more readily attract institutional
attention.
Some users install a large hosts file which prevents the user's computer from connecting to
known spyware-related web addresses. However, by connecting to the numeric IP address,
rather than the domain name, spyware may bypass this sort of protection.
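Two hosts-file behaviours this page describes, as an added example (not code from any anti-spyware product): the CoolWebSearch-style hijack, where a real name is pointed at an attacker-chosen address, and the blocklist hosts file whose protection a direct-to-IP connection bypasses. The hosts-file text, the protected-name list and every address are constructed for the demonstration.

```python
"""Hosts-file checks for two behaviours described on this page: a hijacked
hosts file (names pointed at an attacker-chosen address) and a hosts-file
blocklist that a direct-to-IP connection bypasses.

Added example, not code from any anti-spyware product; the hosts-file text,
the protected-name list and all addresses are constructed for the demo.
"""
import ipaddress
import re

# Addresses conventionally used to blackhole a name in a blocklist hosts file.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Names whose redirection would be suspicious. Constructed list; a real check
# would carry the organisation's own list (update servers, banking sites, ...).
PROTECTED_NAMES = {"www.example.com", "update.example-av.invalid"}

# Constructed hosts file: two blocklist entries and one hijack-style entry.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
0.0.0.0         ads.example-spyware.invalid
127.0.0.1       coolwebsearch.invalid   # blackholed by a blocklist
203.0.113.7     www.example.com         # hijack: a real name sent elsewhere
"""

_ENTRY = re.compile(r"^(\S+)\s+(.+)$")


def parse_hosts(text):
    """Map each hostname to its address, ignoring comments and malformed lines.
    The first entry for a name wins, as common resolvers behave."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        match = _ENTRY.match(line)
        if not match:
            continue
        addr, names = match.group(1), match.group(2).split()
        try:
            ipaddress.ip_address(addr)            # reject non-address tokens
        except ValueError:
            continue
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def find_hijacks(table, protected=PROTECTED_NAMES):
    """Protected names that resolve to something other than a blackhole.
    A blocklist entry for a protected name is odd too, but not a hijack."""
    return {name: addr for name, addr in table.items()
            if name in protected and addr not in BLACKHOLE}


def is_blocked(table, target):
    """Would a hosts-file blocklist stop a connection to `target`?
    An IP literal is never looked up in the hosts file, which is exactly the
    bypass the text describes, so it is reported as not blocked."""
    try:
        ipaddress.ip_address(target)
        return False
    except ValueError:
        pass                                      # a hostname: look it up
    return table.get(target.lower()) in BLACKHOLE


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("hijacked entries:", find_hijacks(hosts))
    for target in ("ads.example-spyware.invalid", "203.0.113.7"):
        state = "blocked" if is_blocked(hosts, target) else "NOT blocked"
        print(f"{target}: {state}")
```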
Spyware may get installed via certain shareware programs offered for download.
Downloading programs only from reputable sources can provide some protection from this
source of attack. Recently, CNet revamped its download directory: it has stated that it will
only keep files that pass inspection by Ad-Aware and Spyware Doctor.
The first step to removing spyware is to put a computer on "lockdown". This can be done in
various ways, such as using anti-virus software or simply disconnecting the computer from
the internet. Disconnecting the internet prevents controllers of the spyware from being able
to remotely control or access the computer. The second step to removing the spyware is to
locate it and remove it, manually or through use of credible anti-spyware software. During
and after lockdown, potentially threatening websites should be avoided.

Programs distributed with spyware


• Bonzi Buddy[75]
• Dope Wars[76]
• EDonkey2000[77]
• Grokster[78]
• Kazaa[79]
• Morpheus[77]
• RadLight[80]
• Sony's Extended Copy Protection involved the installation of spyware from audio compact
discs through autorun. This practice sparked considerable controversy when it was
discovered.
• WeatherBug[81]
• WildTangent[82] The antispyware program Counterspy used to say that it's okay to keep
WildTangent, but it now says that the spyware Winpipe is "possibly distributed with the
adware bundler WildTangent or from a threat included in that bundler".[83]
• SpyEagle is a spyware program that is disguised as an Antivirus program.

Programs formerly distributed with spyware


• AOL Instant Messenger[82] (AOL Instant Messenger still packages Viewpoint Media
Player, and WildTangent)
• DivX (except for the paid version, and the "standard" version without the encoder). DivX
announced removal of GAIN software from version 5.2.[84]
• FlashGet (trial version prior to program being made freeware)[85]
• magicJack[86]

See also
• Computer insecurity
• Cyber spying
• Defensive computing
• Employee monitoring software
• List of fake anti-spyware programs
• Malware
• Parasite software
• Phone home
• Rootkits
• Spy software
• Spy-phishing
• Spyware removal

External links
• How Spyware Works [87]
• How Spyware And The Weapons Against It Are Evolving [88] — article discussing causes
and possible remedies of the spyware problem.
• StopBadware.org [89] — A non-profit group (sponsored by Google, Lenovo, and Sun) that
aims to provide "reliable, objective information about downloadable applications".

References
[1] Spyware: Quick Facts (http://www.onguardonline.gov/topics/spyware.aspx)
[2] Vossen, Roland (attributed); October 21, 1995; Win 95 Source code in c!! (http://groups.google.com/group/rec.games.programmer/browse_thread/thread/86a426b0147496d8/3b5d1936eb4d0f33?lnk=st&q=&rnum=8#3b5d1936eb4d0f33) posted to rec.games.programmer; retrieved from groups.google.com November 28, 2006.
[3] http://www.zonealarm.com/store/content/company/aboutUs/pressroom/pressReleases/2000/za2.jsp
[4] Wienbar, Sharon. "The Spyware Inferno" (http://news.cnet.com/2010-1032-5307831.html). News.com. August 13, 2004.
[5] "AOL/NCSA Online Safety Study" (http://www.staysafeonline.info/pdf/safety_study_2005.pdf). America Online & The National Cyber Security Alliance. 2005.
[6] Spanbauer, Scott. "Is It Time to Ditch IE?" (http://www.pcworld.com/article/id,117550-page,1/article.html). PCWorld.com. September 1, 2004.
[7] Keizer, Gregg. "Analyzing IE At 10: Integration With OS Smart Or Not?" (http://www.techweb.com/wire/software/170100394). TechWeb Technology News. August 25, 2005.
[8] http://us.trendmicro.com/us/threats/enterprise/glossary/s/spyware/index.php
[9] http://www.mcafee.com/us/security_wordbook/spyware.html
[10] http://www.better-spyware-removal.com/spyware-test-results.html
[11] http://www.antispywarecoalition.org/documents/DefinitionsJune292006.htm
[12] http://www.antispywarecoalition.org/documents/20060629RiskModelDescription.htm
[13] http://www.antispywarecoalition.org/documents/BestPractices.htm
[14] "Prying Eyes Lurk Inside Your PC; Spyware Spawns Efforts at Control." (http://www.accessmylibrary.com/coms2/summary_0286-7669487_ITM). The Gale Group, Inc. Retrieved 2008-06-05.
[15] Woods, Mark. "Click, you're infected" (http://www.f-secure.com/f-secure/pressroom/protected/prot-1-2006/17-388-2826.shtml). Protected. F-Secure. Retrieved 2008-08-29.
[16] "Security Response: W32.Spybot.Worm" (http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html). Symantec.com. Retrieved July 10, 2005.
[17] Edelman, Ben; December 7, 2004 (updated February 8, 2005); Direct Revenue Deletes Competitors from Users' Disks (http://www.benedelman.org/news/120704-1.html); benedelman.com; retrieved November 28, 2006.
[18] http://msdn2.microsoft.com/en-us/library/ms972827.aspx
[19] http://digg.com/security/Warner_Bros_website_distributing_Zango_Spyware_Kiddy_Porn_browser
[20] http://www.aic.gov.au/publications/htcb/htcb011.html
[21] http://www.2-spyware.com/news/post81.html
[22] http://www.castlecops.com/a5863-Child_Porn_Planting_Spyware_Beware.html
[23] Edelman, Ben (2004). "The Effect of 180solutions on Affiliate Commissions and Merchants" (http://www.benedelman.org/spyware/180-affiliates/). Benedelman.org. Retrieved November 14, 2006.
[24] Ecker, Clint (2005). Massive spyware-based identity theft ring uncovered (http://arstechnica.com/news.ars/post/20050805-5175.html). Ars Technica, August 5, 2005.
[25] Eckelberry, Alex. "Massive identity theft ring" (http://sunbeltblog.blogspot.com/2005/08/massive-identity-theft-ring.html), SunbeltBLOG, August 4, 2005.
[26] Eckelberry, Alex. "Identity Theft? What to do?" (http://sunbeltblog.blogspot.com/2005/08/identity-theft-what-to-do.html), SunbeltBLOG, August 8, 2005.
[27] FTC Releases Survey of Identity Theft in U.S. 27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and Consumers (http://www.ftc.gov/opa/2003/09/idtheft.htm). Federal Trade Commission, September 3, 2003.
[28] Russinovich, Mark. "Sony, Rootkits and Digital Rights Management Gone Too Far" (http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx), Mark's Blog, October 31, 2005, retrieved November 22, 2006.
[29] Press release from the Texas Attorney General's office, November 21, 2005; Attorney General Abbott Brings First Enforcement Action In Nation Against Sony BMG For Spyware Violations (http://www.oag.state.tx.us/oagnews/release.php?id=1266); retrieved November 28, 2006.
[30] "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software" (http://news.bbc.co.uk/1/hi/technology/4424254.stm), BBC News, November 10, 2005, retrieved November 22, 2006.
[31] Information About XCP Protected CDs (http://cp.sonybmg.com/xcp/english/updates.html), retrieved November 29, 2006.
[32] Microsoft.com - Description of the Windows Genuine Advantage Notifications application (http://support.microsoft.com/kb/905474/), retrieved June 13, 2006.
[33] Weinstein, Lauren. Windows XP update may be classified as 'spyware' (http://lauren.vortex.com/archive/000178.html), Lauren Weinstein's Blog, June 5, 2006, retrieved June 13, 2006.
[34] Evers, Joris. Microsoft's antipiracy (sic) tool "phones home" daily (http://news.zdnet.com/2100-3513_22-6081286.html?tag=nl.e589), ZDNet News, June 7, 2006, retrieved June 13, 2006.
[35] Creator and Four Users of Loverspy Spyware Program Indicted (August 26, 2005) (http://www.usdoj.gov/criminal/cybercrime/perezIndict.htm)
[36] http://www.symantec.com/security_response/writeup.jsp?docid=2006-080217-3524-99
[37] "CoolWebSearch" (http://web.archive.org/web/20060106083816/http://www.doxdesk.com/parasite/CoolWebSearch.html). Parasite information database. Archived from the original (http://www.doxdesk.com/parasite/CoolWebSearch.html) on 2006-01-06. Retrieved 2008-09-04.
[38] "InternetOptimizer" (http://web.archive.org/web/20060106084114/http://www.doxdesk.com/parasite/InternetOptimizer.html). Parasite information database. Archived from the original (http://www.doxdesk.com/parasite/InternetOptimizer.html) on 2006-01-06. Retrieved 2008-09-04.
[39] http://securityresponse.symantec.com/avcenter/venc/data/adware.websearch.html
[40] CA Spyware Information Center - HuntBar (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453072528)
[41] What is Huntbar or Search Toolbar? (http://www.pchell.com/support/huntbar.shtml)
[42] "FTC, Washington Attorney General Sue to Halt Unfair Movieland Downloads" (http://www.ftc.gov/opa/2006/08/movieland.htm). Federal Trade Commission. 2006-08-15.
[43] "Attorney General McKenna Sues Movieland.com and Associates for Spyware" (http://www.atg.wa.gov/pressrelease.aspx?id=4286). Washington State Office of the Attorney General. 2006-08-14.
[44] "Complaint for Permanent Injunction and Other Equitable Relief (PDF, 25 pages)" (http://www.ftc.gov/os/caselist/0623008/060808movielandcmplt.pdf). Federal Trade Commission. 2006-08-08.
[45] "MyWay Searchbar, MyWay SpeedSearch", Adware Report, AdwareReport.com, Gooroo, Inc. 2004, webpage: AdwareRep-062 (http://www.adwarereport.com/mt/archives/000062).
[46] "MyWebSearch Removal Tool", Exterminate-it.com, 2009, Ext-it-mywebs (http://www.exterminate-it.com/malpedia/remove-mywebsearch): lists the folders, files and 210 registry keys/values to be deleted.
[47] "Removing My Web Search Bar and Error Message", What the Tech, Geeks to Go, Inc., 2009, webpage: WhatTheTech-MyWeb (http://www.whatthetech.com/2009/04/21/removing-my-web-search-bar-and-error-message-on-start-up/).
[48] "WeatherStudio: Privacy Policy", WeatherStudio.com, 2009, web: WStudio-policy (http://www.weatherstudio.com/dp/content/weatherstudio/privacypolicy.html).
[49] http://corporate.zango.com/eula.aspx
[50] PCMAG, New Malware changes router settings (http://blogs.pcmag.com/securitywatch/2008/06/new_malware_silently_changes_r.php), PC Magazine, June 13, 2008.
[51] "Lawsuit filed against 180solutions" (http://blogs.zdnet.com/Spyware/?p=655). zdnet.com, September 13, 2005.
[52] Hu, Jim. "180solutions sues allies over adware" (http://news.com.com/2110-1024_3-5287885.html). news.com, July 28, 2004.
[53] Coollawyer; 2001-2006; Privacy Policies, Terms and Conditions, Website Contracts, Website Agreements (http://www.coollawyer.com/webfront/internet_law_library/articles/law_library_user_agreement_article.php); coollawyer.com; retrieved November 28, 2006.
[54] "CHAPTER 715 Computer Spyware and Malware Protection" (http://nxtsearch.legis.state.ia.us/NXT/gateway.dll/2007 Iowa Code/2007code/1/26150/26151/26513?f=templates&fn=defaultURLquerylink.htm). nxtsearch.legis.state.ia.us. Retrieved July 14, 2007.
[55] Chapter 19.270 RCW: Computer spyware (http://apps.leg.wa.gov/RCW/default.aspx?cite=19.270). apps.leg.wa.gov. Retrieved November 14, 2006.
[56] Gross, Grant. US lawmakers introduce I-Spy bill (http://www.infoworld.com/article/07/03/16/HNspywarebill_1.html). InfoWorld, March 16, 2007, accessed March 24, 2007.
[57] See Federal Trade Commission v. Sperry & Hutchinson Trading Stamp Co.
[58] FTC Permanently Halts Unlawful Spyware Operations (http://www.ftc.gov/opa/2006/11/seismicodysseus.shtm) (FTC press release with links to supporting documents); see also FTC cracks down on spyware and PC hijacking, but not true lies (http://docs.law.gwu.edu/facweb/claw/FTCcrackSpyw.pdf), Micro Law, IEEE MICRO (Jan.-Feb. 2005), also available at IEEE Xplore (http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1411709&isnumber=30580).
[59] See Court Orders Halt to Sale of Spyware (http://www.ftc.gov/opa/2008/11/cyberspy.shtm) (FTC press release Nov. 17, 2008, with links to supporting documents).
[60] OPTA, "Besluit van het college van de Onafhankelijke Post en Telecommunicatie Autoriteit op grond van artikel 15.4 juncto artikel 15.10 van de Telecommunicatiewet tot oplegging van boetes ter zake van overtredingen van het gestelde bij of krachtens de Telecommunicatiewet", 5 November 2007, http://opta.nl/download/202311+boete+verspreiding+ongewenste+software.pdf
[61] According to H. Moll and E. Schouten, "Limburgse ICT-baas blijkt spywarekoning" (http://www.nrc.nl/economie/article868499.ece/Limburgse_ICT-baas_blijkt_spywarekoning), in NRC Handelsblad, 21 December 2007, the companies are ECS International, Worldtostart and Media Highway International. The directors are Arjan de Raaf and Peter Emonds. Their accomplice, nicknamed "Akill", has been arrested in Hamilton, New Zealand, for managing a huge network of zombie computers.
[62] Office of New York State Attorney General (2005-04-28). "State Sues Major "Spyware" Distributor" (http://www.oag.state.ny.us/media_center/2005/apr/apr28a_05.html). Press release. Retrieved 2008-09-04. "Attorney General Spitzer today sued one of the nation's leading internet marketing companies, alleging that the firm was the source of "spyware" and "adware" that has been secretly installed on millions of home computers."
[63] Gormley, Michael. "Intermix Media Inc. says it is settling spyware lawsuit with N.Y. attorney general" (http://web.archive.org/web/20050622082027/http://news.yahoo.com/news?tmpl=story&u=/cpress/20050615/ca_pr_on_tc/spitzer_spyware). Yahoo! News. 2005-06-15. Archived from the original (http://news.yahoo.com/news?tmpl=story&u=/cpress/20050615/ca_pr_on_tc/spitzer_spyware) on 2005-06-22.
[64] Gormley, Michael (2005-06-25). "Major advertisers caught in spyware net" (http://www.usatoday.com/tech/news/computersecurity/2005-06-25-companies-spyware_x.htm). USA Today. Retrieved 2008-09-04.
[65] Festa, Paul. "See you later, anti-Gators?" (http://news.com.com/2100-1032_3-5095051.html). News.com. October 22, 2003.
[66] "Gator Information Center" (http://www.pcpitstop.com/gator/default.asp). pcpitstop.com. November 14, 2005.
[67] http://www.microsoft.com/presspass/press/2004/dec04/12-16GIANTPR.mspx
[68] Roberts, Paul F. "Spyware meets Rootkit Stealth" (http://www.eweek.com/article2/0,1759,1829744,00.asp). eweek.com. June 20, 2005.
[69] Roberts, Paul F. (2005-05-26). "Spyware-Removal Program Tagged as a Trap" (http://www.eweek.com/article2/0,1759,1821127,00.asp). eWeek. Retrieved 2008-09-04.
[70] Howes, Eric L. "The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites" (http://www.spywarewarrior.com/rogue_anti-spyware.htm). Retrieved July 10, 2005.
[71] http://en.wikipedia.org/wiki/Spyware
[72] McMillan, Robert. Antispyware Company Sued Under Spyware Law (http://www.pcworld.com/news/article/0,aid,124508,00.asp). PC World, January 26, 2006.
[73] Leyden, John. Bogus anti-spyware firm fined $1m (http://www.theregister.co.uk/2006/12/05/washington_anti-spware_lawsuit/). The Register, December 5, 2006.
[74] Schuster, Steve. "Blocking Marketscore: Why Cornell Did It" (http://web.archive.org/web/20070214111921/http://www.cit.cornell.edu/computer/security/marketscore/MarketScore_rev2.html). Archived from the original (http://www.cit.cornell.edu/computer/security/marketscore/MarketScore_rev2.html) on 2007-02-14. Cornell University, Office of Information Technologies. March 31, 2005.
[75] "Symantec Security Response - Adware.Bonzi" (http://sarc.com/avcenter/venc/data/adware.bonzi.html). Symantec. Retrieved July 27, 2005.
[76] Edelman, Ben (2005). "Claria's Misleading Installation Methods - Dope Wars" (http://www.benedelman.org/spyware/installations/dopewars-claria/). Retrieved July 27, 2005.
[77] Edelman, Ben (2005). "Comparison of Unwanted Software Installed by P2P Programs" (http://www.benedelman.org/spyware/p2p/). Retrieved July 27, 2005.
[78] Edelman, Ben (2004). "Grokster and Claria Take Licenses to New Lows, and Congress Lets Them Do It" (http://www.benedelman.org/news/100904-1.html). Retrieved July 27, 2005.
[79] Edelman, Ben (2004). "Claria License Agreement Is Fifty Six Pages Long" (http://www.benedelman.org/spyware/claria-license/). Retrieved July 27, 2005.
[80] "eTrust Spyware Encyclopedia - Radlight 3 PRO" (http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=54732). Computer Associates. Retrieved July 27, 2005.
[81] "WeatherBug" (http://web.archive.org/web/20050206011153/http://www.doxdesk.com/parasite/WeatherBug.html). Parasite information database. Archived from the original (http://www.doxdesk.com/parasite/WeatherBug.html) on 2005-02-06. Retrieved 2008-09-04.
[82] "Adware.WildTangent" (http://research.sunbeltsoftware.com/threatdisplay.aspx?name=AdWare.WildTangent&threatid=236165). Sunbelt Malware Research Labs. 2008-06-12. Retrieved 2008-09-04.
[83] "Winpipe" (http://research.sunbelt-software.com/threatdisplay.aspx?name=Winpipe&threatid=15154). Sunbelt Malware Research Labs. 2008-06-12. Retrieved 2008-09-04.
[84] "How Did I Get Gator?" (http://www.pcpitstop.com/gator/Confused.asp). PC Pitstop. Retrieved July 27, 2005.
[85] "eTrust Spyware Encyclopedia - FlashGet" (http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453077947). Computer Associates. Retrieved July 27, 2005.
[86] Gadgets boingboing.net, MagicJack's EULA says it will spy on you and force you into arbitration (http://gadgets.boingboing.net/2008/04/14/magicjacks-eula-says.html)
[87] http://computer.howstuffworks.com/spyware.htm
[88] http://www.windowsecurity.com/articles/Spyware-Evolving.html
[89] http://www.stopbadware.org/

SQL injection
SQL injection is a code injection technique that exploits a security vulnerability occurring
in the database layer of an application. The vulnerability is present when user input is
either incorrectly filtered for string literal escape characters embedded in SQL statements
or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a
more general class of vulnerabilities that can occur whenever one programming or
scripting language is embedded inside another. SQL injection attacks are also known as
SQL insertion attacks.[1]

Forms of vulnerability

Incorrectly filtered escape characters


This form of SQL injection occurs when user input is not filtered for escape characters and
is then passed into an SQL statement. This results in the potential manipulation of the
statements performed on the database by the end user of the application.
The following line of code illustrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of
users. However, if the "userName" variable is crafted in a specific way by a malicious user,
the SQL statement may do more than the code author intended. For example, setting the
"userName" variable as

a' or 't'='t

renders this SQL statement by the parent language:

SELECT * FROM users WHERE name = 'a' or 't'='t';


If this code were to be used in an authentication procedure then this example could be used
to force the selection of a valid username because the evaluation of 't'='t' is always true.
While most SQL server implementations allow multiple statements to be executed with one
call, some SQL APIs such as php's mysql_query do not allow this for security reasons. This
prevents hackers from injecting entirely separate queries, but doesn't stop them from
modifying queries. The following value of "userName" in the statement below would cause
the deletion of the "users" table as well as the selection of all data from the "data" table (in
essence revealing the information of every user), using an API that allows multiple
statements:

a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';

Incorrect type handling


This form of SQL injection occurs when a user supplied field is not strongly typed or is not
checked for type constraints. This could take place when a numeric field is to be used in a
SQL statement, but the programmer makes no checks to validate that the user supplied
input is numeric. For example:

statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number
correlating to the "id" field. However, if it is in fact a string then the end user may
manipulate the statement as they choose, thereby bypassing the need for escape
characters. For example, setting a_variable to

1;DROP TABLE users

will drop (delete) the "users" table from the database, since the SQL would be rendered as
follows:

SELECT * FROM data WHERE id=1;DROP TABLE users;

Vulnerabilities inside the database server


Sometimes vulnerabilities can exist within the database server software itself, as was the
case with the MySQL server's mysql_real_escape_string() function.[2] This would allow
an attacker to perform a successful SQL injection attack based on bad Unicode characters
even if the user's input is being escaped.

Blind SQL injection


Blind SQL Injection is used when a web application is vulnerable to SQL injection but the
results of the injection are not visible to the attacker. The page with the vulnerability may
not be one that displays data but will display differently depending on the results of a
logical statement injected into the legitimate SQL statement called for that page. This type
of attack can become time-intensive because a new statement must be crafted for each bit
recovered. There are several tools that can automate these attacks once the location of the
vulnerability and the target information has been established.[3]

Conditional responses
One type of blind SQL injection forces the database to evaluate a logical statement on an
ordinary application screen.

SELECT booktitle from booklist where bookId = 'OOk14cd' AND 1=1;

will result in a normal page while

SELECT booktitle from booklist where bookId = 'OOk14cd' AND 1=2;

will likely give a different result if the page is vulnerable to a SQL injection. An injection
like this will prove that a blind SQL injection is possible, leaving the attacker to devise
statements that evaluate to true or false depending on the contents of a field in another
table.[4]

Conditional errors
This type of blind SQL injection causes an SQL error by forcing the database to evaluate a
statement that raises an error only if the WHERE clause is true. For example, in

SELECT 1/0 from users where username='Ralph';

the division by zero will only be evaluated, and result in an error, if a user named Ralph exists.

Time delays
Time Delays are a type of blind SQL injection that cause the SQL engine to execute a long
running query or a time delay statement depending on the logic injected. The attacker can
then measure the time the page takes to load to determine if the injected statement is true.
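The probes described in this section leave a recognisable trace in web server logs. The following script is an added example, not part of the article: it parses constructed Apache-style access-log lines, flags parameter values that carry the boolean-pair, tautology, division-by-zero and time-delay shapes described above, and reports when one client has sent both a true and a false boolean probe to the same parameter, together with whether the two responses differed in size. The hosts, paths and log lines are constructed for the demonstration.

```python
"""Flag blind SQL injection probing in web server access logs (added defensive example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines; hosts, paths and values are made up.
LOG_LINES = [
    '203.0.113.7 - - [10/Aug/2009:10:00:01 +0000] "GET /book.php?bookId=OOk14cd HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Aug/2009:10:00:02 +0000] "GET /book.php?bookId=OOk14cd%27+AND+1%3D1+AND+%27a%27%3D%27a HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Aug/2009:10:00:03 +0000] "GET /book.php?bookId=OOk14cd%27+AND+1%3D2+AND+%27a%27%3D%27a HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Aug/2009:10:00:04 +0000] "GET /book.php?bookId=OOk14cd HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Aug/2009:10:00:05 +0000] "GET /user.php?name=Ralph%27+AND+1%2F0%3D1+AND+%27a%27%3D%27a HTTP/1.1" 500 301',
    '192.0.2.9 - - [10/Aug/2009:10:00:06 +0000] "GET /search.php?q=1%3D1+is+not+an+injection HTTP/1.1" 200 2211',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Probe shapes from the article: boolean pairs (AND 1=1 / AND 1=2), quote tautologies
# ('t'='t'), a forced division by zero, and time-delay functions.
PROBES = {
    "boolean_true": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),
    "boolean_false": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(?!\1\b)\d+\b", re.I),
    "tautology": re.compile(r"'([^']*)'\s*=\s*'\1(?:'|$)"),
    "conditional_error": re.compile(r"\b1\s*/\s*0\b"),
    "time_delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark|waitfor\s+delay)\b", re.I),
}


def parse_line(line):
    """Split one access log line into client, path, decoded query parameters and size."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # percent-decoded values
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(value):
    """Names of every probe shape found in one decoded parameter value."""
    return [name for name, pattern in PROBES.items() if pattern.search(value)]


def analyse(lines):
    """Return one finding per flagged parameter, plus a pair finding when one client has
    sent both a true and a false boolean probe to the same parameter of the same path."""
    findings = []
    booleans = defaultdict(dict)  # (ip, path, param) -> {"boolean_true": size, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, value in rec["params"]:
            hits = classify(value)
            if not hits:
                continue
            findings.append({"ip": rec["ip"], "path": rec["path"], "param": param,
                             "probes": hits, "status": rec["status"]})
            for hit in hits:
                if hit in ("boolean_true", "boolean_false"):
                    booleans[(rec["ip"], rec["path"], param)][hit] = rec["size"]
    for (ip, path, param), seen in booleans.items():
        if "boolean_true" in seen and "boolean_false" in seen:
            # Different response sizes for the true and false probe are exactly the
            # "displays differently" signal the conditional-response technique relies on.
            findings.append({"ip": ip, "path": path, "param": param,
                             "probes": ["conditional_response_pair"],
                             "sizes_differ": seen["boolean_true"] != seen["boolean_false"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(LOG_LINES):
        print(finding)
```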

Preventing SQL injection


To protect against SQL injection, user input must not directly be embedded in SQL
statements. Instead, parameterized statements must be used (preferred), or user input
must be carefully escaped or filtered.

Parameterized statements
With most development platforms, parameterized statements can be used that work with
parameters (sometimes called placeholders or bind variables) instead of embedding user
input in the statement. In many cases, the SQL statement is fixed. The user input is then
assigned (bound) to a parameter. This is an example using Java and the JDBC API:

PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE USERNAME=? AND PASSWORD=?");
prep.setString(1, username);
prep.setString(2, password);

Similarly, in C#:

using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
{
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);

    myConnection.Open();
    SqlDataReader myReader = myCommand.ExecuteReader();
    // ... read the result rows from myReader here ...
}

In PHP version 5 and above, there are multiple choices for using parameterized statements.
The PDO[5] database layer is one of them:

$db = new PDO('pgsql:dbname=database');
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=:username AND password=:password");
$stmt->bindParam(':username', $user);
$stmt->bindParam(':password', $pass);
$stmt->execute();

There are also vendor-specific methods, for example the mysqli[6] extension for MySQL 4.1
and above:[7]

$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db->prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass);
$stmt->execute();

In ColdFusion, the CFQUERYPARAM statement is useful in conjunction with the CFQUERY
statement to nullify the effect of SQL code passed within the CFQUERYPARAM value as
part of the SQL clause.[8] [9] An example is below.

<cfquery name="Recordset1" datasource="cafetownsend">
SELECT *
FROM COMMENTS
WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
Enforcement at the database level


Currently only the H2 Database Engine supports the ability to enforce query
parameterization.

Enforcement at the coding level


Using object-relational mapping libraries avoids the need to write SQL code. The ORM
library in effect will generate parameterized SQL statements from object-oriented code.

Escaping
A straightforward, though error-prone, way to prevent injections is to escape dangerous
characters. One of the reasons it is error-prone is that it is a type of blacklist, which
is less robust than a whitelist. For instance, every occurrence of a single quote (') in a
parameter must be replaced by two single quotes ('') to form a valid SQL string literal. In
PHP, for example, it is usual to escape parameters using the function
mysql_real_escape_string before sending the SQL query:

$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
                 mysql_real_escape_string($Username),
                 mysql_real_escape_string($Password));
mysql_query($query);
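To put the forms of vulnerability from the first part of this article next to the two defences described in this section, here is an added Python example (not from the article; the schema and rows are constructed) that runs the article's own inputs against concatenated, escaped and parameterized queries on an in-memory SQLite database. It goes slightly beyond the article's numeric example by also feeding a quote-free tautology (1 OR 1=1) to the numeric field, to show why escaping quotes cannot protect a field that is not inside a string literal.

```python
"""Concatenated, escaped and parameterized lookups run against the article's inputs.

Added example: the schema and rows below are constructed for the demonstration.
"""
import sqlite3

# Constructed sample rows (not from the article).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]
DATA = [("alice", "alice's private note"), ("bob", "bob's private note")]


def make_db():
    """In-memory SQLite database with a users table and a data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    conn.execute("CREATE TABLE data (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO data (owner, secret) VALUES (?, ?)", DATA)
    return conn


def lookup_vulnerable(conn, user_name):
    """The article's pattern: the input is spliced into the SQL text and parsed as SQL."""
    statement = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(statement)]


def escape_quotes(value):
    """Escaping as the article describes it: double each single quote."""
    return value.replace("'", "''")


def lookup_escaped(conn, user_name):
    """Escaping keeps the input inside the string literal, but only in a string context."""
    statement = "SELECT name FROM users WHERE name = '" + escape_quotes(user_name) + "'"
    return [row[0] for row in conn.execute(statement)]


def lookup_parameterized(conn, user_name):
    """Preferred fix: fixed SQL text, the value is bound to the ? placeholder."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_name,))
    return [row[0] for row in rows]


def data_by_id_escaped(conn, a_variable):
    """Numeric field built by concatenation: there is no quote to escape, so escaping
    changes nothing and the input is still parsed as SQL."""
    statement = "SELECT secret FROM data WHERE id = " + escape_quotes(a_variable)
    try:
        return [row[0] for row in conn.execute(statement)]
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # sqlite3's execute() refuses stacked statements, as the article says mysql_query
        # does; that blocks "1;DROP TABLE users" here but is not a defence against injection.
        return "refused: " + str(exc)


def data_by_id_checked(conn, a_variable):
    """Type check first, then bind: anything that is not an integer never reaches SQL."""
    ident = int(a_variable)  # ValueError for "1;DROP TABLE users" or "1 OR 1=1"
    rows = conn.execute("SELECT secret FROM data WHERE id = ?", (ident,))
    return [row[0] for row in rows]


def demo():
    """Run every variant against the article's inputs and return the outcomes."""
    conn = make_db()
    tautology = "a' or 't'='t"       # string-context input from the article
    stacked = "1;DROP TABLE users"   # numeric-context input from the article
    numeric_tautology = "1 OR 1=1"   # quote-free variant for the numeric field
    results = {
        "vulnerable": lookup_vulnerable(conn, tautology),
        "escaped": lookup_escaped(conn, tautology),
        "parameterized": lookup_parameterized(conn, tautology),
        "numeric_escaped_tautology": data_by_id_escaped(conn, numeric_tautology),
        "numeric_escaped_stacked": data_by_id_escaped(conn, stacked),
        "numeric_checked": [],
    }
    for value in (stacked, numeric_tautology):
        try:
            data_by_id_checked(conn, value)
            results["numeric_checked"].append("accepted")
        except ValueError:
            results["numeric_checked"].append("rejected")
    results["users_rows_left"] = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```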

Real-world examples
• On October 26, 2005, unknown Heise readers used SQL injection to replace a page owned by
the German TV station ARD, which advertised a pro-RIAA sitcom, with Goatse.[10]
• On November 1, 2005, a high school student used SQL injection to break into the site of
a Taiwanese information security magazine from the Tech Target group and steal
customers' information.[11]
• On January 13, 2006, Russian hackers broke into a Rhode Island government web site
and allegedly stole credit card data from individuals who had done business online with
state agencies.[12]
• On March 29, 2006, Susam Pal discovered a SQL injection flaw in an official Indian
government tourism site.[13]
• On March 2, 2007, Sebastian Bauer discovered a SQL injection flaw in the knorr.de login
page.[14]
• On June 29, 2007, a hacker defaced a Microsoft U.K. web page using SQL injection.[15] [16]
U.K. website The Register quoted a Microsoft spokesperson acknowledging the problem.
• In January 2008, tens of thousands of PCs were infected by an automated SQL injection
attack that exploited a vulnerability in application code that uses Microsoft SQL Server
as the database store.[17]
• On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its site
for 'routine maintenance' after being informed that 10,597 social security numbers of sex
offenders had been downloaded by SQL injection.[18]
• In May 2008, a server farm inside China used automated queries to Google's search
engine to identify SQL server websites which were vulnerable to the attack of an
automated SQL injection tool.[17] [19]
• In July 2008, Kaspersky's Malaysian site was hacked by a Turkish hacker going by the
handle "m0sted", who claimed to have used SQL injection.[20]
• In 2008, at least from April through August, a sweep of attacks began exploiting the SQL
injection vulnerabilities of Microsoft's IIS web server and SQL Server database server.
The attack does not require guessing the name of a table or column, and corrupts all text
columns in all tables in a single request.[21] An HTML string that references a malware
JavaScript file is appended to each value. When that database value is later displayed to a
website visitor, the script attempts several approaches at gaining control over the visitor's
system. The number of exploited web pages is estimated at 500,000.[22]
• On August 17, 2009, the United States Justice Department charged an American citizen
and two unnamed Russians with the theft of 130 million credit card numbers using an
SQL injection attack. In reportedly "the biggest case of identity theft in American
history", the man stole cards from a number of corporate victims after researching their
payment processing systems. Among the companies hit were credit card processor
Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain
Hannaford Brothers.[23]

External links
• SQL Injection WASC Threat Classification Entry [24], by the Web Application Security
Consortium
• SQL Injection Cheatsheet [25], by the Open Web Application Security Project
• SQL Injections on PHP, GNU-licensed online book chapter
• Advanced SQL injection on SQL server / ASP pages [26], 2002 second part [27]
• SQL Server vulnerabilities [28]
• SQL Injection Defenses - Parameterized Queries [29], Security Guidance from OWASP
• Guidance from OWASP on how to prevent SQL Injection [25] - The SQL Injection
Prevention Cheat Sheet
• Secure your ColdFusion application against SQL Injection attacks [30] - Article from
Adobe Developer Connection, ColdFusion Developer Center
• MySQL: Secure Web Apps - SQL Injection techniques [31], Article that explains how SQL
Injection works.
• xkcd comic lampooning SQL injection [32]
References
[1] Watson, Carli (2006). Beginning C# 2005 Databases. ISBN 978-0-470-04406-3, pages 201-5.
[2] "E.1.7. Changes in MySQL 5.0.22 (24 May 2006)" (http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html). MySQL AB. 2006-05-04. Retrieved 2008-05-16. "An SQL-injection security hole has been found in multi-byte encoding processing", retrieved March 20, 2008.
[3] "Absinthe" (http://www.0x90.org/releases/absinthe/) tool or "SQLBrute" (http://www.gdssecurity.com/l/t.php) tool; see also "Using SQLBrute to brute force data from a blind SQL injection point" (http://www.justinclarke.com/archives/2006/03/sqlbrute.html). Justin Clarke. Retrieved 2008-10-18.
[4] Ofer Maor and Amichai Shulman. "Blind SQL Injection: Getting the syntax right" (http://www.imperva.com/resources/adc/blind_sql_server_injection.html#getting_syntax_right). Imperva. Retrieved 2008-05-16. "This is usually the trickiest part in the blind SQL injection process. If the original queries are simple, this is simple as well. However, if the original query was complex, breaking out of it may require a lot of trial and error."
[5] Official documentation for the PDO extension (http://www.php.net/pdo), php.net.
[6] Official documentation for the Mysqli extension (http://www.php.net/mysqli), php.net.
[7] Prepared Statements in PHP and MySQLi (http://www.mattbango.com/articles/prepared-statements-in-php-and-mysqli), Matt Bango.
[8] Protecting ColdFusion server behaviors from SQL injection vulnerability (http://kb.adobe.com/selfservice/viewContent.do?externalId=300b670e)
[9] Forta.com - Blog (http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored)
[10] "Adelheid und ihre Hacker" (http://www.heise.de/newsticker/meldung/65441). heise online. 2005-10-27. Retrieved 2008-05-16. (German)
[11] "WHID 2005-46: Teen uses SQL injection to break to a security magazine web site" (http://www.webappsec.org/projects/whid/list_id_2005-46.shtml). Web Application Security Consortium. 2005-11-01. Retrieved 2008-05-16.
[12] "WHID 2006-3: Russian hackers broke into a RI GOV website" (http://www.webappsec.org/projects/whid/list_id_2006-3.shtml). Web Application Security Consortium. 2006-01-13. Retrieved 2008-05-16.
[13] "WHID 2006-27: SQL Injection in incredibleindia.org" (http://www.webappsec.org/projects/whid/list_id_2006-27.shtml). Web Application Security Consortium. 2006-03-29. Retrieved 2008-05-16.
[14] "WHID 2007-12: SQL injection at knorr.de login page" (http://www.webappsec.org/projects/whid/list_id_2007-12.shtml). Web Application Security Consortium. 2007-03-02. Retrieved 2008-05-16.
[15] Robert (2007-06-29). "Hacker Defaces Microsoft U.K. Web Page" (http://www.cgisecurity.net/2007/06/hacker-defaces.html). cgisecurity.net. Retrieved 2008-05-16.
[16] Keith Ward (2007-06-29). "Hacker Defaces Microsoft U.K. Web Page" (http://rcpmag.com/news/article.aspx?editorialsid=8762). Redmond Channel Partner Online. Retrieved 2008-05-16.
[17] Sumner Lemon, IDG News Service (2008-05-19). "Mass SQL Injection Attack Targets Chinese Web Sites" (http://www.pcworld.com/businesscenter/article/146048/mass_sql_injection_attack_targets_chinese_web_sites.html). PCWorld. Retrieved 2008-05-27.
[18] Alex Papadimoulis (2008-04-15). "Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data" (http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx). The Daily WTF. Retrieved 2008-05-16.
[19] Michael Zino (2008-05-01). "ASCII Encoded/Binary String Automated SQL Injection Attack" (http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx).
[20] "Kaspersky's Malaysian site hacked by Turkish hacker" (http://blogs.zdnet.com/security/?p=1516).
[21] Giorgio Maone (2008-04-26). "Mass Attack FAQ" (http://hackademix.net/2008/04/26/mass-attack-faq/).
[22] Gregg Keizer (2008-04-25). "Huge Web hack attack infects 500,000 pages" (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580).
[23] "US man 'stole 130m card numbers'" (http://news.bbc.co.uk/2/hi/americas/8206305.stm). BBC. August 17, 2009. Retrieved August 17, 2009.
[24] http://www.webappsec.org/projects/threat/classes/sql_injection.shtml
[25] http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[26] http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[27] http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
[28] http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
[29] http://www.owasp.org/index.php/Guide_to_SQL_Injection
[30] http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html
[31] http://www.playhack.net/view.php?id=45
[32] http://xkcd.com/327/
34

Bonus Material

Password cracking
Password cracking is the process of recovering passwords from data that has been stored
in or transmitted by a computer system. A common approach is to repeatedly try guesses
for the password. The purpose of password cracking might be to help a user recover a
forgotten password (though installing an entirely new password is less of a security risk,
but involves system administration privileges), to gain unauthorized access to a system, or
as a preventive measure by system administrators to check for easily crackable passwords.
On a file-by-file basis, password cracking is used to gain access to digital evidence for
which a judge has allowed access but the particular file's access is restricted.

Background
Passwords to access computer systems are usually stored in a database so the system can
perform password verification when a user attempts to login or access a restricted
resource. To preserve confidentiality of system passwords, the password verification data is
typically not stored in cleartext form, but instead a one-way function is applied to the
password, possibly in combination with other data, and the resulting value is stored. When
a user later attempts to authenticate by entering the password, the same function is applied
to the entered value and the result is compared with the stored value. If they match, there
is an extremely high likelihood the entered password was correct. For simplicity in this
discussion, we will refer to the one-way function employed (which may be either an
encryption function or cryptographic hash) as a hash and its output as a hashed password.
Even though functions that create hashed passwords may be cryptographically secure,
possession of the hashed password provides a quick way to test guesses for the password
by applying the one-way function to each guess, and comparing the result to the verification
data. The most commonly used hash functions can be computed rapidly, so the attacker
can test guesses repeatedly until one succeeds, meaning the plaintext password has been
recovered.
The term password cracking generally refers to recovery of one or more plaintext
passwords from hashed passwords, but there are also many other ways of obtaining
passwords illicitly. Without the hashed version of a password, the attacker can still attempt
access to the computer system in question with guessed passwords. However, well-designed
systems limit the number of failed access attempts and can alert administrators so that the
source of the attack can be traced if that quota is exceeded. With the hashed password, the
attacker can work undetected, and if the attacker has obtained several hashed passwords,
the chances, in practice, of cracking at least one are quite high.
Other ways to obtain passwords include social engineering, wiretapping, keystroke logging,
login spoofing, dumpster diving, phishing, shoulder surfing, timing attack, acoustic
cryptanalysis, using a Trojan Horse or virus, identity management system attacks (such as
abuse of Self-service password reset) and compromising host security (see password for
details). While those methods are not considered "password cracking" they are very popular
among criminals (notably phishing) and remain very effective. They are often considered
the main vulnerability in password authentication systems.
Common methods for verifying users over a computer network often expose the hashed
password. For example, use of a hash-based challenge-response authentication method for
password verification may provide a hashed password to a network eavesdropper, who can
then crack the password. A number of stronger cryptographic protocols exist that do not
expose hashed passwords during verification over a network, either by protecting them in
transmission using a high-grade key, or by using a zero-knowledge password proof.

Principal attack methods


Weak encryption
If a system uses a poorly designed password hashing scheme to protect stored passwords,
an attacker can exploit any weaknesses to recover even 'well-chosen' passwords. One
example is the LM hash that Microsoft Windows XP and earlier versions use by default to
store user passwords of fewer than 15 characters. LM hash converts the password to all
uppercase letters, then breaks it into two 7-character fields which are hashed separately,
which allows each half to be attacked individually.
Password encryption schemes that use stronger hash functions like MD5, SHA-512, SHA-1,
and RIPEMD-160 can still be vulnerable to brute-force and precomputation attacks. Such
attacks do not depend on reversing the hash function. Instead, they work by hashing a large
number of words or random permutations and comparing the result of each guess to a
user's stored password hash. Modern schemes such as MD5-crypt[1] and bcrypt use
purposefully slow algorithms so that the number of guesses that an attacker can make in a
given period of time is relatively low. Salting, described below, greatly increases the
difficulty of such precomputation attacks, perhaps sufficiently to resist all attacks; every
instance of its use must be evaluated independently, however.
Because progress in analyzing existing cryptographic hash algorithms is always possible, a
hash which is effectively invulnerable today may become vulnerable tomorrow. Both MD5
and SHA-1, long thought secure, have been shown to be vulnerable to attacks more efficient
than brute force. For encryption algorithms (rather different from cryptographic hashes)
the same has been true. DES has been broken (in the sense that attacks more efficient than
brute force have been discovered), and computers have become fast enough that its short
key (56 bits) is clearly and publicly insecure against even brute force attacks. Passwords
protected by these measures will thus become vulnerable to attack, and passwords still in
use thereby exposed. Historical records are not always and forever irrelevant to today's
security problems.

Guessing, dictionary and brute force attacks


The distinction between guessing, dictionary and brute force attacks is not strict. They are
similar in that an attacker goes through a list of candidate passwords one by one; the list
may be explicitly enumerated or implicitly defined, can incorporate knowledge about the
victim, and can be linguistically derived. Each of the three approaches, particularly
'dictionary attack', is frequently used as an umbrella term to denote all three attacks
and the spectrum of attacks encompassed by them.
Guessing
Passwords can sometimes be guessed by humans with knowledge of the user's personal
information. Examples of guessable passwords include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• a row of letters from the qwerty keyboard (qwerty itself, asdf, or qwertyuiop)
• the user's name or login name
• the name of their significant other, a friend, relative or pet
• their birthplace or date of birth, or a friend's, or a relative's
• their automobile license plate number, or a friend's, or a relative's
• their office, home or, most commonly, mobile phone number
• a name of a celebrity they like
• a simple modification of one of the preceding, such as suffixing a digit, particularly 1, or
reversing the order of the letters.
• a swear word
• and so, extensively, on
Personal data about individuals are now available from various sources, many on-line, and
can often be obtained by someone using social engineering techniques, such as posing as
an opinion surveyor or a security control checker. Attackers who know the user may have
information as well. For example, if a user chooses the password "YaleLaw78" because he
graduated from Yale Law School in 1978, a disgruntled business partner might be able to
guess the password.
Guessing is particularly effective with systems that employ self-service password reset. For
example, in September 2008, the Yahoo e-mail account of Governor of Alaska and Vice
President of the United States nominee Sarah Palin was accessed without authorization by
someone who was able to research answers to two of her security questions, her zip code
and date of birth and was able to guess the third, where she met her husband.[2]

Dictionary attacks
Users often choose weak passwords. Examples of insecure choices include the above list,
plus single words found in dictionaries, given and family names, any password that is too
short (usually thought to be 6 or 7 characters or fewer), or any password that follows an
overly restrictive, and therefore predictable, pattern (e.g., alternating vowels and
consonants). Repeated research
over some 40 years has demonstrated that around 40% of user-chosen passwords are
readily guessable by sophisticated cracking programs armed with dictionaries and,
perhaps, the user's personal information.[3]
In one survey of MySpace passwords obtained by phishing, 3.8 percent of those passwords
were a single word findable in a dictionary, and another 12 percent were a word plus a final
digit; two-thirds of the time that digit was 1.[4]
Some users neglect to change the default password that came with their computer system
account. And some administrators neglect to change default account passwords provided by
the operating system vendor or hardware supplier. An infamous example is the use of
FieldService as a user name with Guest as the password. If not changed at system
configuration time, anyone familiar with such systems will have 'cracked' an important
password; such service accounts often have higher access privileges than normal user
accounts. Lists of default passwords are available on the Internet.[5] [6] Gary McKinnon,
accused by the United States of perpetrating the "biggest military computer hack of all
time",[7] has claimed that he was able to get into the military's networks simply by using a
Perl script that searched for blank passwords; in other words, his report suggests that there
were computers on these networks with no passwords at all.[8]
Cracking programs exist which accept personal information about the user being attacked
and generate common variations for passwords suggested by that information.[9] [10]

Brute force attack


A last resort is to try every possible password, known as a brute force attack. In theory, a
brute force attack will always be successful since the rules for acceptable passwords must
be publicly known, but as the length of the password increases, so does the number of
possible passwords. This method is unlikely to be practical unless the password is relatively
short; however, techniques using parallel processing can reduce the time to find the
password in proportion to the number of compute devices (CPUs) in use. This depends
heavily on whether the prospective attacker has access to the hash of the password, in
which case the attack is called an offline attack (it can be done without a connection to the
protected resource), or not, in which case it is called an online attack. An offline attack is
generally much easier, because testing a password is reduced to a quickly calculated
mathematical computation (i.e., calculating the hash of the password to be tried and
comparing it to the hash of the real password). In an online attack the attacker has to
actually try to authenticate himself with all the possible passwords, where arbitrary rules
and delays can be imposed by the system and the attempts can be logged.
A common password length recommendation is eight or more randomly chosen characters
combining letters, numbers, and special characters (punctuation, etc.). This
recommendation makes sense for systems using stronger password hashing mechanisms
such as md5-crypt and the Blowfish-based bcrypt, but is inappropriate for many Microsoft
Windows systems because they store a legacy LAN Manager hash which splits the
password into two seven-character halves. On these systems, an eight-character password
is converted into a seven character password and a one character password. For better
security, LAN Manager password storage should be disabled if it will not break supported
legacy systems.[11] Systems which limit passwords to numeric characters only, or upper
case only, or, generally, which exclude possible password character choices also make
brute force attacks easier. Using longer passwords in these cases (if possible) can
compensate for the limited allowable character set. Of course, even with an adequate range
of character choice, users who ignore that range (e.g., using only upper case alphabetic
characters, or digits alone) make brute force attacks against their accounts much easier.
Generic brute-force search techniques are often successful, but smart brute-force
techniques, which exploit knowledge about how people tend to choose passwords, pose an
even greater threat. NIST SP 800-63 (2) provides further discussion of password quality,
and suggests, for example, that an 8 character user-chosen password may provide
somewhere between 18 and 30 bits of entropy, depending on how it is chosen. This amount
of entropy is far less than what is generally considered safe for an encryption key.
How small is too small for offline attacks thus depends partly on an attacker's ingenuity and
resources (e.g., available time, computing power, etc.), the latter of which will increase as
computers get faster. Most commonly used hashes can be implemented in specialized
hardware, allowing faster attacks. Large numbers of computers can be harnessed in
parallel, each trying a separate portion of the search space. Unused overnight and weekend
time on office computers can also be used for this purpose.
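The following added example (not part of the original article) turns the arguments above into working arithmetic: the search space for restricted character sets, the effect of the LAN Manager split on an eight-character password, how much longer a digits-only password must be to compensate, and the 18 to 30 bits that NIST SP 800-63 estimates for an eight-character user-chosen password. The 69-symbol LM alphabet, the 10^9 guesses-per-second rate and the simplified entropy heuristic are assumptions made here.

```python
# Added example: brute-force search-space arithmetic for evaluating password
# policies. Assumptions are marked in the comments; nothing here is measured.


def search_space(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a password of exactly
    `length` characters drawn from an alphabet of `charset_size` symbols."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def lm_search_space(length: int, charset_size: int = 69) -> int:
    """LAN Manager hash: the password is upper-cased and split into two
    7-character halves that are hashed and attacked independently, so the
    work is the SUM of two small searches rather than one large one.
    An 8-character password becomes a 7-character and a 1-character search.
    Assumption: a 69-symbol alphabet (upper-case letters, digits and
    punctuation); the article states only the upper-casing and the split."""
    if not 1 <= length <= 14:
        raise ValueError("LM hash covers passwords of 1 to 14 characters")
    first_half = min(length, 7)
    second_half = length - first_half
    space = search_space(charset_size, first_half)
    if second_half:
        space += search_space(charset_size, second_half)
    return space


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the right candidate: half the space at the given rate."""
    return (space / 2) / guesses_per_second


def min_length_for_space(charset_size: int, target_space: int) -> int:
    """Smallest length at which a restricted alphabet (digits only, upper case
    only, ...) reaches `target_space`: how much longer a password must be to
    compensate for a limited character set."""
    if charset_size < 2:
        raise ValueError("need at least two symbols")
    length, space = 0, 1
    while space < target_space:
        length += 1
        space *= charset_size
    return length


def nist_user_chosen_entropy(length: int, composition_rules: bool = False,
                             dictionary_check: bool = False) -> float:
    """Simplified form of the NIST SP 800-63 Appendix A heuristic for
    user-chosen passwords (assumption: the full table tapers the dictionary
    bonus to zero at 20 characters; that taper is not modelled here):
      first character 4 bits, characters 2-8 2 bits each, 9-20 1.5 bits each,
      21+ 1 bit each; +6 bits if upper-case and non-alphabetic characters are
      required; +6 bits if an extensive dictionary check rejects common words.
    For 8 characters this gives the article's range of 18 to 30 bits."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * max(0, min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    if composition_rules:
        bits += 6.0
    if dictionary_check and length < 20:
        bits += 6.0
    return bits


def policy_report(guesses_per_second: float = 1e9) -> dict:
    """Average offline cracking time for several 8-character policies at an
    assumed guess rate (1e9 hashes/second is a constructed figure)."""
    policies = {
        "8 digits only": search_space(10, 8),
        "8 upper-case letters only": search_space(26, 8),
        "8 mixed-case letters and digits": search_space(62, 8),
        "8 printable ASCII": search_space(95, 8),
        "8 chars stored as LM hash (upper-cased, 69 symbols)": lm_search_space(8),
    }
    return {name: expected_seconds(space, guesses_per_second)
            for name, space in policies.items()}


if __name__ == "__main__":
    for name, secs in policy_report().items():
        print(f"{name:55s} ~{secs:12.3g} s")
    print("NIST-style entropy, 8 user-chosen characters:",
          nist_user_chosen_entropy(8), "to",
          nist_user_chosen_entropy(8, True, True), "bits")
    print("digits-only length matching 8 printable ASCII characters:",
          min_length_for_space(10, search_space(95, 8)))
```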

Precomputation
In its most basic form, precomputation involves hashing each word in the dictionary (or any
search space of candidate passwords) and storing the word and its computed hash in a way
that enables lookup on the list of computed hashes. This way, when a new encrypted
password is obtained, password recovery is instantaneous. Precomputation can be very
useful for a dictionary attack if salt is not used properly (see below), and the dramatic
decrease in the cost of mass storage has made it practical for fairly large dictionaries.
Advanced precomputation methods exist that are even more effective. By applying a
time-memory tradeoff, a middle ground can be reached: a search space of size N can be
turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted
password takes time O(N^(2/3)). The theory has recently been refined into a practical
technique. Another example[12] cracks alphanumeric Windows LAN Manager passwords in
a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager,
which uses a particularly weak method of hashing the password. Windows systems prior to
Windows Vista/Server 2008 compute and store a LAN Manager hash by default for
backwards compatibility.[11]
A technique similar to precomputation, known generically as memoization, can be used to
crack multiple passwords at the cost of cracking just one. Since encrypting a word takes
much longer than comparing it with a stored word, a lot of effort is saved by encrypting
each word only once and comparing it with each of the encrypted passwords using an
efficient list search algorithm. The two approaches may of course be combined: the
time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a
shorter time than cracking them one after the other.

Salting
The benefits of precomputation and memoization can be nullified by randomizing the
hashing process. This is known as salting. When the user sets a password, a short, random
string called the salt is suffixed to the password before encrypting it; the salt is stored
along with the encrypted password so that it can be used during verification. Since the salt
is usually different for each user, the attacker can no longer construct tables with a single
encrypted version of each candidate password. Early Unix systems used a 12-bit salt.
Attackers could still build tables with common passwords encrypted with all 4096 possible
12-bit salts. However, if the salt is long enough, there are too many possibilities and the
attacker must repeat the encryption of every guess for each user. Modern methods such as
md5-crypt and bcrypt use salts of 48 and 128 bits respectively.[13]
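An added example (not the article's own code) showing why salting defeats the precomputation and memoization described above: a small constructed dictionary is hashed into a lookup table that instantly recovers unsalted hashes but is useless against the same password stored with a random 128-bit salt and a slow key-derivation function. PBKDF2-HMAC-SHA256 from Python's standard library stands in for md5-crypt or bcrypt; the iteration count and candidate list are assumptions.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracking dictionary
# (sample data for this example, not from the original article).
CANDIDATES = ["password", "qwerty", "letmein", "admin1", "YaleLaw78", "dragon"]


def hash_unsalted(password: str) -> str:
    """Legacy verification data: one fast hash of the password alone.
    Every user with the same password gets the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_precomputed_table(candidates) -> dict:
    """Precomputation: hash each candidate once and index by the hash.
    Built once, the table answers any unsalted hash it covers instantly."""
    return {hash_unsalted(c): c for c in candidates}


def lookup(table: dict, stored_value: str):
    """Instant recovery if the stored value is unsalted and in the table, else None."""
    return table.get(stored_value)


def precomputation_entries(n_candidates: int, salt_bits: int) -> int:
    """Rows a table needs to cover every salt value: a 12-bit salt (early Unix)
    multiplies the table by only 4096; a 128-bit salt makes it infeasible."""
    return n_candidates * 2 ** salt_bits


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Modern verification data: a per-user random salt mixed into a
    deliberately slow key derivation (PBKDF2-HMAC-SHA256 stands in here for
    md5-crypt or bcrypt). `iterations` sets how slow each guess is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def set_password(password: str) -> tuple:
    """Store (salt, digest); the salt is random per user and kept alongside."""
    salt = os.urandom(16)  # 128-bit salt
    return salt, hash_salted(password, salt)


def verify(password: str, record: tuple) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hash_salted(password, salt), digest)


def demo() -> dict:
    table = build_precomputed_table(CANDIDATES)
    # Two users with the same weak password, unsalted: identical stored
    # values, and the table recovers both at once.
    alice, bob = hash_unsalted("qwerty"), hash_unsalted("qwerty")
    # Same password, salted: distinct records, and the table is useless
    # against either; each guess must rerun the slow derivation per user.
    rec_alice, rec_bob = set_password("qwerty"), set_password("qwerty")
    return {
        "unsalted_identical": alice == bob,
        "unsalted_table_hit": lookup(table, alice),
        "salted_identical": rec_alice[1] == rec_bob[1],
        "salted_table_hit": lookup(table, rec_alice[1].hex()),
        "verify_correct": verify("qwerty", rec_alice),
        "verify_wrong": verify("qwertz", rec_alice),
        "table_rows_12bit_salt": precomputation_entries(len(CANDIDATES), 12),
        "table_rows_128bit_salt": precomputation_entries(len(CANDIDATES), 128),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```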

Early Unix password vulnerability


Early Unix implementations limited passwords to 8 characters and used a 12-bit salt, which
allowed for 4096 possible salt values. While 12 bits was good enough for most purposes in
the 1970s (although some expressed doubts even then), by 2005 disk storage had become
cheap enough that an attacker can precompute the hashes of millions of common
passwords, including all 4096 possible salt variations for each password, and store the
precomputed values on a single portable hard drive. An attacker with a larger budget can
build a disk farm with all 6 character passwords and the most common 7 and 8 character
passwords stored in encrypted form, for all 4096 possible salts. And when several thousand
passwords are being cracked at once, memoization still offers some benefit. Since there is
little downside to using a longer salt, and because longer salts render any precomputation
or memoization hopeless, modern implementations choose to use them.

Prevention
The best method of preventing password cracking is to ensure that attackers cannot get
access even to the encrypted password. For example, on the Unix operating system,
encrypted passwords were originally stored in a publicly accessible file /etc/passwd. On
modern Unix (and similar) systems, on the other hand, they are stored in the file
/etc/shadow, which is accessible only to programs running with enhanced privileges (i.e.,
'system' privileges). This makes it harder for a malicious user to obtain the encrypted
passwords in the first instance. Unfortunately, many common network protocols transmit
passwords in cleartext or use weak challenge/response schemes.[14] [15]
Modern Unix systems have replaced traditional DES-based password hashing with stronger
methods based on MD5 and Blowfish.[16] Other systems have also begun to adopt these
methods. For instance, the Cisco IOS originally used a reversible Vigenere cipher to
encrypt passwords, but now uses md5-crypt with a 24-bit salt when the "enable secret"
command is used.[17] These newer methods use large salt values which prevent attackers
from efficiently mounting offline attacks against multiple user accounts simultaneously. The
algorithms are also much slower to execute which drastically increases the time required to
mount a successful offline attack.[13]
Solutions such as security tokens address the problem by constantly changing the password.
They sharply reduce the time frame available for brute forcing (the attacker needs to break
and use the password within a single shift) and reduce the value of stolen passwords
because of their short validity period.

Software
There are many password cracking software tools, but the most popular[18] are Cain and
Abel, John the Ripper, Hydra, ElcomSoft and Lastbit. Many litigation support software
packages also include password cracking functionality. Most of these packages employ a
mixture of cracking strategies, with brute force and dictionary attacks proving to be the
most productive.

See also
• Cryptographic key length
• Password-authenticated key agreement
External links
• Password Cracking with Rainbowcrack and Rainbow Tables [19]
• Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc [20]
• Philippe Oechslin: Making a Faster Cryptanalytic Time-Memory Trade-Off. CRYPTO
2003: pp. 617–630 [21]
• NIST Special Publication 800-63: Electronic Authentication Guideline [22]

References
[1] http://www.usenix.org/events/usenix99/provos/provos_html/node10.html
[2] http://news.yahoo.com/s/ap/20080918/ap_on_el_pr/palin_hacked
[3] Password security (http://portal.acm.org/citation.cfm?id=359168.359172)
[4] ZDNet Report: Net users picking safer passwords (http://news.zdnet.com/2100-1009_22-150640.html)
[5] Default Password List (http://www.phenoelit.de/dpl/dpl.html). Phenoelit.de. Retrieved on 2007-05-07
[6] Default Password List Project (http://www.helith.net/projects/alecto). Helith.net. Retrieved on 2009-08-12
[7] British hacker fights extradition (http://news.bbc.co.uk/1/hi/scotland/glasgow_and_west/6360917.stm), BBC News, February 14 2007
[8] Transcript of the interview (http://news.bbc.co.uk/1/hi/programmes/click_online/4977134.stm), BBC Click
[9] John the Ripper project, John the Ripper cracking modes (http://www.openwall.com/john/doc/MODES.shtml)
[10] Bruce Schneier, Choosing Secure Passwords (http://www.schneier.com/blog/archives/2007/01/choosing_secure.html)
[11] "How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases" (http://support.microsoft.com/kb/299656). Microsoft. Retrieved 2009-02-18.
[12] ophcrack (http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/)
[13] Password Protection for Modern Operating Systems (http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf)
[14] No Plaintext Passwords (http://www.usenix.org/publications/login/2001-11/pdfs/singer.pdf)
[15] Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (http://www.schneier.com/paper-pptp.html)
[16] A Future-Adaptable Password Scheme (http://www.usenix.org/events/usenix99/provos.html)
[17] MDCrack FAQ 1.8 (http://c3rb3r.openwall.net/mdcrack/download/FAQ-18.txt)
[18] "Top 10 Password Crackers" (http://sectools.org/crackers.html). Sectools. Retrieved 2008-11-01.
[19] http://www.darknet.org.uk/2006/02/password-cracking-with-rainbowcrack-and-rainbow-tables/
[20] http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html
[21] http://lasecwww.epfl.ch/pub/lasec/doc/Oech03.pdf
[22] http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
Article Sources and Contributors

Social engineering (security)  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308637163
Spyware  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308278722
SQL injection  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308553790
Ferkelparade, Finngall, Folajimi, Freedomlinux, Furrykef, Garylhewitt, Gmoose1, Gogo Dodo, Golbez, GregorB, HalJor, Hede2000, Hurrrn, Husky, II
MusLiM HyBRiD II, Indy90, IntergalacticRabbit, Island, Ixfd64, JLEM, Jamesooders, Javawizard, Jeffq, Jeffrey Mall, Jmanico, Jnarvey, JoeSmack,
Jtjacques, KD5TVI, Kahina, Kalimantan kid, Kate, Kenkku, KeyStroke, Kingpin13, Kitchen, Klizza, Lawrencegold, Ldo, Liftarn, Little Mountain 5, Luna
Santin, Maghnus, Marlith, Martin Hinks, Mboverload, Mcgyver5, Mchl, MeekMark, MentisQ, Michael Slone, MichaelCoates, Michaelhodgins,
MightyWarrior, Miko3k, Mild Bill Hiccup, Milo99, Mopatop, Moreschi, Mrdehate, Nabieh, Nbertram, Nic tester, Nickgalea, Nidheeshks, Njan, Nosbig,
Od Mishehu, Off!, Oli Filth, Oskar Sigvardsson, Oxymoron83, Panoptical, Pearll's sun, Peterl, Pharaoh of the Wizards, Piano non troppo, Pinecar,
Pingveno, Plumbago, Portablegeek, Project2501a, Public Menace, RadioActive, Rand20s, Ratfox, Raztus, Reedy, Revivethespirit, ReyBrujo, Rjanag,
Rodney viana, Roman Lagunov, Ronhjones, Roshenc, Rpkrawczyk, SP-KP, Samngms, ScottW, Shabbirbhimani, Shlomif, Shtirlitz, Sniper1rfa, Societebi,
Sorfane, SteinbDJ, Storm Rider, Straussian, Suei8423, Superm401, Taka, Terrifictriffid, TheBilly, TheRingess, ThomasMueller, Tjkiesel, Tobi Kellner,
Tom-, Trevor MacInnis, Troels Arvin, Unlox775, VASTA zx, Vis says, Vladocar, Vupen, Wbrice83186, Werikba, WibWobble, Wikilost, Wkeevers96,
Wknight94, Wwwwolf, XDanielx, Yamamoto Ichiro, ZZ9pluralZalpha, Zedlander, Zgadot, Zzuuzz, 501 anonymous edits

Password cracking  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?oldid=308021364  Contributors: 0x6D667061, A. Parrot,
Alphachimp, Altenmann, Andrewpmk, Angus Lepper, Anilgupta, Ankitblog, Antandrus, Arakunem, ArnoldReinhold, Arvindn, Asenine, Atanumm, Baiji,
Blaimjos, BlueDevil, Bobo192, CIreland, Cate, Ccscott, Chrislk02, Christopher Parham, ClementSeveillac, Csamuel, D thadd, DVD R W, Danpoulton,
DavidJablon, Dgies, Dino, Discospinster, Dispenser, Diverdan, Eric-Wester, Erik9, F, Faisal.akeel, Fangz, FatalError, Ferociouskiller, Fogster,
Freakofnurture, Fribbulus Xax, Fritz Saalfeld, Furrykef, G-smooth2k, GIBBOUS3, Gbeeker, Ghepeu, GreatWhiteNortherner, Greeves, Gscshoyru, Gsp,
H2g2bob, Haakon, Happykaka, Hintss, Holyhobo, Hu12, Hulsie, Impherring13, J Di, JForget, Jasonrdavis1, Jazzmaphone, JidGom, JonHarder, Joy, KVDP,
KennethJ, KnowledgeOfSelf, Kotepho, Kuru, Lando5, Leotronasssttt, Lutz1982, Mailer diablo, Matt Crypto, Mboverload, Mendaliv, MichaelBillington,
Minesweeper, Mohamed Magdy, Myriapode, NewEnglandYankee, O.koksharova, Oli Filth, Olivier Debre, Omegatron, OverlordQ, Pakaran, Persian Poet
Gal, PeterSymonds, Piano non troppo, Pietrow, PlutoidBrain, Primetime, Prolog, RHaworth, RainbowOfLight, Rawling, RegaL the Proofreader, RexNL,
RickK, Rjwilmsi, Rowan Moore, Rpremuz, Rurik, RyanCross, SJP, SLi, ST47, Scott Johnson, Securiger, Sharkface217, SheikYerBooty, SpiceMan, Splintax,
Stan911, Tbone55, The Wikipedist, TheObtuseAngleOfDoom, Themightyquill, Theresa knott, Thomasyen, TonyW, Ukexpat, Unicityd, Unixguy, Until It
Sleeps, WHeimbigner, Wack0, Wiki alf, Wmahan, Ww, Yaronf, Yongrenjie, Yugsdrawkcabeht, Yvh11a, Zoe, 284 anonymous edits
Image Sources, Licenses and Contributors
File:Windows ActiveX security warning (malware).png  Source:
https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Windows_ActiveX_security_warning_(malware).png  License: unknown  Contributors: -
File:Ad-aware 2008 Free screenshot.png  Source:
https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Ad-aware_2008_Free_screenshot.png  License: unknown  Contributors: -
File:Alwaysupdate-adware-winspy.PNG  Source: https://secure.wikimedia.org/wikipedia/en/w/index.php?title=File:Alwaysupdate-adware-winspy.PNG  License: unknown  Contributors: -
License
Creative Commons Attribution-Share Alike 3.0 Unported
http://creativecommons.org/licenses/by-sa/3.0/