As your concern, distinguish the types of attacks targeting the web browser through internet connectivity. Protection of your personal information and data is important; as such, discuss the characteristics of weak passwords that individuals should avoid, and define the function a Virtual LAN performs in protecting the network environment and the data.
ATTACKS ON BROWSER
Buffer Overflow: Buffer overflow attacks are characterized by the overwriting of memory segments of a process. Exceptions, segmentation faults, and other errors occur because the values of the IP, BP, and other registers are overwritten. These errors cause the application to execute in an unexpected way.
Heap Overflow: The jemalloc memory allocator is used in Firefox and is vulnerable to a heap overflow. A heap overflow is planned by placing a victim object in the same run as the vulnerable object, the victim being one that can help achieve arbitrary code execution.
Heap underflows: occur when heap objects are too small to store the input.
Dangling pointers: a "use-after-free" error occurs when a program frees an object that is still in use before the due time.
Uninitialized reads: occur when programs read from newly allocated objects that still carry data from old freed objects.
Stack-based attack: When the submitted data of an input string is evaluated as a command by the application, the Format String exploit occurs.
It is very easy to write a program with a buffer overflow (BOF).
/* Program for Buffer overflow Attack. */
#include <stdio.h>
#include <string.h>   /* strcpy */
/* Deliberately vulnerable: strcpy copies 21 bytes into a 10-byte buffer. */
void f(char *s) { char buffer[10]; strcpy(buffer, s); }
int main(void) { f("98765432109876543210"); return 0; }
This program will result in a segmentation fault. A simple mistake can lead to a buffer overflow attack. It is very difficult to prevent.
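The same copy with a length check in front of it, as an added example that is not part of the original answer. The name f_checked, the BUF_SIZE constant and the 0 / -1 return convention are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10

/* Vulnerable form from the program above, shown for comparison only:
 *   void f(char *s) { char buffer[10]; strcpy(buffer, s); }
 */

/* Bounds-checked form: the input is measured against the destination size
 * first, and an oversized input is rejected instead of being copied or
 * silently truncated. Returns 0 on success, -1 if the input is rejected. */
int f_checked(const char *s, char *out, size_t out_size) {
    if (s == NULL || out == NULL || out_size == 0)
        return -1;
    /* Look for the terminating NUL within the first out_size bytes only. */
    const char *nul = memchr(s, '\0', out_size);
    if (nul == NULL)              /* string plus NUL does not fit */
        return -1;
    memcpy(out, s, (size_t)(nul - s) + 1);   /* at most out_size bytes */
    return 0;
}

int main(void) {
    char buffer[BUF_SIZE];
    /* Second input is the 20-character string from the original program. */
    const char *inputs[] = { "987654321", "98765432109876543210" };
    for (int i = 0; i < 2; i++) {
        int rc = f_checked(inputs[i], buffer, sizeof buffer);
        printf("%-22s -> %s\n", inputs[i], rc == 0 ? "copied" : "rejected");
    }
    return 0;
}
```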
Cross-Site Scripting: This vulnerability allows attackers to inject malicious code, such as JavaScript programs, into the victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies and passwords. The content of the HTML page can be rewritten by malicious scripts.
Stored XSS Attacks: Also known as Persistent or Type-I XSS. Stored attacks are those where the injected script is permanently stored on the target servers, for example in the database, in a message forum, a visitor log, or a comment field.
Reflected XSS Attacks: Also known as Non-Persistent or Type-II XSS. In this attack the injected script is reflected off the web server, for example in a search result or any response that includes the input sent to the server as part of the request.
Man-in-the-Middle: This attack can be accomplished using ARP poisoning or DNS spoofing methods. A man-in-the-middle attack is also called a bucket brigade attack. MITM is an attack where the attacker accesses and possibly modifies the communication between two parties without their knowledge. The victims believe they are communicating directly with each other. Active eavesdropping is one example of a man-in-the-middle attack, in which the attacker makes independent connections with the victims and relays messages between them to make them believe that they are talking directly to each other over a private connection. In fact the whole conversation is controlled by the attacker. The attacker must be able to remove every relevant message passing between the two victims and inject new ones.
Extension vulnerability: In the Firefox extension architecture, the same JavaScript namespace is shared between all JavaScript extensions installed on a system. Any extension can modify, read, and write to the other global namespace, which introduces the namespace pollution problem. In the extension reuse vulnerability, the attacker uses an existing extension to make API calls and access resources in order to hide a malicious extension. Extensions interact with a web page without any explicit request for MIME type. A browser extension has the same privilege as the browser itself. The extension additionally has full access to the browser and the client's operating system. Extensions can change the functionality of the browser, the behavior of a site, and access to the file system. An active attacker controls content loaded via HTTP and reuses it. By replacing this script, the attacker hijacks the extension's privileges and installs malware. A JavaScript capacity break is another cause of extension misuse.
Extreme Phishing: This attack supports dynamic user interaction. Web Single Sign-On (SSO) systems are a significant trend in online user authentication. OpenID and OAuth are open Web SSO standards rapidly gaining adoption on the Web. In this system a single IdP account is used to sign on to multiple RP websites. Web SSO phishing has three distinctive characteristics:
1. Highly concentrated value of the IdP account.
2. Highly enlarged attack surface area.
3. Difficulty in detection of the attack, either by algorithms or by users.
A compromised IdP account enables attackers to impersonate the victim on a wide range of RP websites. Second-level context is used rather than sending emails or phishing URLs. Attackers can host their own legitimate RP website or web page and lure users by posting URLs everywhere. An HTML <div> element contains a real popup browser window. Spoofing the EV-SSL symbol and the HTTPS URL address in the <div> element should be possible by duplicating a complete preview of the symbol and the URL address.
Browser Cache Poisoning:
Clicking through SSL warnings: When a website with an invalid certificate is accessed, the browser shows an SSL warning. At that point the user is expected to close the page to protect against a MITM attack. If the user disregards the warnings, the consequences for the security and privacy of the sessions can be disastrous.
Attacks against HTTPS [26]:
1. Man-In-The-Script-In-The-Browser attack to avoid enhanced channel-ID based defenses.
Attacks via browser cache:
1. A timing attack performed on the browser to sniff browsing history and steal user credentials as well as private information.
2. Attacks that poison the browser web cache, HTML5 AppCache, or HTTP cache. A tool called airpoison is used in wireless networks to carry out browser cache poisoning via HTTP.
3. A cross-site scripting attack is used to inject malicious content into the web page and web storage.
4. A proxy cache poisoning attack uses existing techniques to place poisoning attacks on the forward proxy and reverse proxy.
Drive-by-Download: In this attack, a victim is lured to a malicious web page on a malicious site, and that page contains code written in the JavaScript programming language. The attacker then waits for the target to browse to the web page. The compromised page looks normal while, at the same time, the exploits execute and silently install malware on the victim's computer in the background. In a drive-by download attack, the attacker loads the shell code as a payload into memory using client-side scripting code and executes the exploit against a vulnerable component. JavaScript is used to assign the binary representation of the shell code to a variable that is stored in the address space of the browser. It uses heap spraying to prepare the heap area. Once the heap spray has been carried out, the real exploit is launched.
Protecting your online identity by using the name of your first
born child or your beloved Golden Retriever as your password might
seem an appropriate homage. But a new infographic from
PasswordGenie predicts dire consequences for users of unimaginative
passwords. In fact, the simpler the password, the faster a hacker
can gain access to your protected information and wreak havoc on
your finances and your life.
Data from recent password breaches at Yahoo, LinkedIn and
Rockyou.com reveals that some passwords are particularly
vulnerable. An all lowercase password with 6 characters can be
hacked into within 10 minutes, while adding complexity with
additional characters and the use of upper case letters, numbers
and symbols can extend that timeframe into decades and even
millennia.
Common components of easy-to-hack passwords:
1. Repeating previously used passwords
2. Names of close family members or friends
3. Your name
4. Words in the dictionary
5. Common names
6. Repeating your login code
7. Keyboard patterns and swipes (i.e., 123456 or QWERTY)
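The checks in the list above, applied to a candidate password, together with the brute-force search space that the timing figures depend on. This is an added example, not part of the original answer; the function names (weak_reason, keyspace) are hypothetical, and the word, name and keyboard lists and the password history are small constructed samples standing in for real dictionary and name lists.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring search written out so it is portable C. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = needle ? strlen(needle) : 0;
    for (; n && *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Constructed sample lists; real checks would load full word and name lists. */
static const char *COMMON[] = { "password", "dragon", "monkey", "michael", "jessica" };
static const char *KEYBOARD[] = { "123456", "qwerty", "asdfgh", "zxcvbn" };

/* Returns the first listed weakness that applies, or NULL if none does. */
const char *weak_reason(const char *pw, const char *login, const char *name,
                        const char *const *previous, size_t n_prev) {
    for (size_t i = 0; i < n_prev; i++)
        if (strcmp(pw, previous[i]) == 0) return "previously used password";
    if (contains_ci(pw, name)) return "contains your name";
    if (contains_ci(pw, login)) return "repeats your login";
    for (size_t i = 0; i < sizeof KEYBOARD / sizeof *KEYBOARD; i++)
        if (contains_ci(pw, KEYBOARD[i])) return "keyboard pattern";
    for (size_t i = 0; i < sizeof COMMON / sizeof *COMMON; i++)
        if (contains_ci(pw, COMMON[i])) return "dictionary word or common name";
    return NULL;
}

/* Size of the brute-force search space: alphabet_size to the power length. */
double keyspace(unsigned alphabet_size, unsigned length) {
    double k = 1.0;
    while (length--) k *= alphabet_size;
    return k;
}

int main(void) {
    const char *prev[] = { "Winter2023!" };  /* constructed sample history */
    const char *r = weak_reason("jane1987", "jdoe", "Jane", prev, 1);
    printf("jane1987: %s\n", r ? r : "no listed weakness");
    printf("6 lowercase letters: %.0f candidates\n", keyspace(26, 6));
    return 0;
}
```

A password that passes every listed check can still be short, so the search-space figure should be read alongside the result of weak_reason.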