
Codex - Tools, Tactics, and Procedures

1. Social Engineering
a. The process of using non-technical means to trick victims into breaking security procedures. Phishing e-mails are an example of social engineering, as are fraudulent phone calls. When a phishing e-mail is narrowly targeted at a specific person or organization, it is referred to as spear phishing.
b. Example: In 2013, the Syrian Electronic Army attempted to obtain e-mail login credentials by sending phishing e-mails to the Tribune Company, the U.S. House of Representatives, and GovDelivery listservs. The e-mails appeared to come from media organizations (NBC) and U.S. government delivery services (GovDelivery) and appeared to link to news stories; the links instead redirected users to fake e-mail login pages that captured whatever credentials were entered.
2. Vulnerability
a. A weakness in a software program (or in a system's design or configuration) that an attacker can use to violate its security.
b. Example: In 2014, a major weakness known as Heartbleed (CVE-2014-0160) was discovered in OpenSSL, a widely used cryptographic library. When exploited, it could reveal sensitive information from the memory of an affected server or client, including session data, credentials, and private keys.
3. Exploit
a. A piece of computer code that takes advantage of a vulnerability, usually to perform some malicious or unauthorized activity.
b. Example: Code was written to take advantage of the 2014 Heartbleed vulnerability and was used in an intrusion targeting the Canada Revenue Agency, in which the Social Insurance Numbers of roughly 900 taxpayers were stolen.
4. Patch
a. An update to software that addresses a particular vulnerability, so that exploits targeting that vulnerability no longer work. A patch protects only the systems on which it has actually been installed.
b. Example: Microsoft traditionally releases fixes for software vulnerabilities on the second Tuesday of each month, known as "Patch Tuesday."
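Entries 2 through 4 all use Heartbleed, so the following is a single added example (not code from this page or from OpenSSL) that models the vulnerability, the exploit, and the patch together. It is a simplified model of the TLS heartbeat handler: the vulnerable version trusts the length field inside the request and copies that many bytes from its buffer, so a short request that claims a large length returns whatever sits in memory after it; the patched version applies the bounds check that OpenSSL 1.0.1g added. The wire format is reduced to type, length, payload and padding, and the "leftover memory", the secret it contains, and the request are all constructed for illustration.

```python
"""Simplified model of the Heartbleed over-read (added example, not code from
the original page or from OpenSSL). The wire format, the buffer layout and the
secret in memory are constructed for illustration."""

import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # minimum padding a TLS heartbeat message must carry

# Constructed "process memory": bytes left over from earlier requests that sit
# directly after the received record (a session cookie and a key fragment).
LEFTOVER_MEMORY = b"Cookie: session=7f3a9c; PRIVATE KEY: -----BEGIN RSA..."


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type(1) | payload_length(2) | payload | padding.
    claimed_len lets an attacker lie about how much payload was sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-patch behaviour: trust payload_length and echo that many bytes starting
    at the payload, reading past the end of the record into adjacent memory."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    memory = record + memory_after_record      # what the buffer really holds
    payload = memory[3:3 + payload_len]        # over-read when payload_len is too large
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_patched(record: bytes, memory_after_record: bytes) -> Optional[bytes]:
    """Patched behaviour: drop the request unless the claimed payload, plus header
    and padding, fits inside the bytes actually received. memory_after_record is
    accepted only to keep the signature identical; it is never read."""
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None  # silently discard: claimed length exceeds the record
    payload = record[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Return whatever the server echoed beyond the payload the client actually sent."""
    _, payload_len = struct.unpack("!BH", response[:3])
    echoed = response[3:3 + payload_len]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    exploit = build_heartbeat(b"hi", claimed_len=64)   # 2 real bytes, claims 64
    vuln = handle_heartbeat_vulnerable(exploit, LEFTOVER_MEMORY)
    print("vulnerable server leaked:", leaked_bytes(vuln, b"hi"))
    print("patched server response:", handle_heartbeat_patched(exploit, LEFTOVER_MEMORY))
```

The real bug read up to 64 KB per request and could be repeated indefinitely, which is how callers accumulated enough memory fragments to recover private keys; the one-line length check is the whole patch, which is why installing it promptly mattered more than anything else a site could do.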
5. Zero-day Vulnerability
a. A vulnerability that is not yet known to the software's vendor or to the public, and for which no patch therefore exists; the name refers to the vendor having had zero days to fix it. Zero-day vulnerabilities are a small subset of all vulnerabilities.
b. Example: Before it was publicly disclosed, Heartbleed was a zero-day vulnerability.
6. Zero-day Exploit
a. A piece of computer code that targets a zero-day vulnerability, that is, one unknown to the vendor and thus unpatched. Because no patch exists, defenders cannot stop the exploit by updating and must rely on other controls.
b. Example: Stuxnet used at least four zero-day vulnerabilities as part of its operation.
7. Logic Bomb
a. A malicious program that lies dormant until a period of time has passed or some specific condition is met, and then activates.
b. Example: In 2006, former UBS PaineWebber systems administrator Roger Duronio was convicted of planting a logic bomb in the financial company's network; when it triggered in 2002 it deleted files on about 1,000 computers. He had intended the attack to drive down the company's stock price, though it ultimately had no effect on it.
8. Command and Control
a. The infrastructure and process through which intruders remotely control malicious code they have placed on another computer or network, sending it instructions and receiving stolen data. Often abbreviated C2 or C&C; because the intruder depends on this channel, detecting and blocking it is a common defensive focus.
b. Example: Intruders in "Operation Poisoned Hurricane" tried to hide their command and control communications by disguising them to look like regular internet traffic.
9. Man-in-the-Middle
a. An attack in which the attacker secretly intercepts, relays, or alters communication between two parties who believe they are talking directly to each other. Properly validated encryption (for example, TLS with trusted certificates) is the main defense.
b. Example: In Iran, a man-in-the-middle attack was used in an attempt to compromise the confidentiality of human rights activists' e-mails.
10. Brute-force Password Cracking
a. A systematic but simple attack that tries candidate passwords one after another until the correct one is found. Online, it is practical only when the system does not limit or slow down failed login attempts; offline, it is practical when the attacker has obtained password hashes and can test guesses at full speed.
b. Example: The 2014 wave of celebrity photo thefts was attributed at the time to a brute-force password attack against Apple's Find My iPhone service, which had failed to impose a limit on failed login attempts; Apple closed that gap shortly afterwards. Later prosecutions found that the photos had been obtained mainly through phishing of iCloud credentials.
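To show why the missing limit on failed attempts matters, the following added example (not code from this page, from Apple, or from any real login service) runs the same guessing loop against a simulated login endpoint twice: once with no limit, and once with an account lockout after five failures. The user database, the password, the wordlist and the lockout policy are all constructed for illustration.

```python
"""Model of an online brute-force attack with and without a failed-attempt limit
(added example, not code from the original page). Users, passwords and the
lockout policy are constructed for illustration."""

import hashlib
import hmac
import itertools
import string

# Constructed user database: salted SHA-256 hashes, never plaintext passwords.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"ab1").hexdigest()}


class LoginService:
    """Simulated login endpoint. max_failures=None reproduces the weakness of
    never limiting failed attempts; an integer locks the account after that
    many consecutive failures."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self.failures = {}

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.max_failures is not None and self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        stored = USERS.get(user)
        candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
        # compare_digest keeps the comparison time independent of where strings differ
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"


def candidate_passwords(max_len: int = 6):
    """Yield guesses: a tiny wordlist first, then every lowercase+digit string
    up to max_len in order (the 'systematic yet simple' part)."""
    yield from ["password", "123456", "qwerty", "letmein"]
    alphabet = string.ascii_lowercase + string.digits
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def brute_force(service: LoginService, user: str, max_attempts: int = 2_000_000):
    """Try guesses until login succeeds, the account locks, or the budget runs out.
    Returns (password_or_None, attempts_made)."""
    attempts = 0
    for attempts, guess in enumerate(candidate_passwords(), start=1):
        result = service.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked" or attempts >= max_attempts:
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    print("no limit:   ", brute_force(LoginService(max_failures=None), "alice"))
    print("lockout at 5:", brute_force(LoginService(max_failures=5), "alice"))
```

Against the unlimited service the three-character password falls in a few thousand requests; against the locked-down one the attacker gets six. Real services generally prefer temporary lockouts, exponential delays and alerting over a hard permanent lock, because an attacker who can trigger lockouts at will can deny service to legitimate users, and they store passwords with a deliberately slow hash such as scrypt or bcrypt so that offline guessing is expensive too.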
11. SQL Injection
a. A common technique in which an attacker supplies input containing database (SQL) commands to an application that builds its queries by concatenating user input directly into the query text, without validation or parameterization, so that the attacker's input is executed as part of the query.
b. Example: A 2011 intrusion at HBGary Federal was enabled in part by SQL injection against the company's website.
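The following added example (not code from this page or from HBGary) shows the mechanism concretely: the same login lookup written by string concatenation and then with a parameterized query, run against an in-memory SQLite database. The table, its rows and the injected inputs are constructed for illustration.

```python
"""Vulnerable and parameterized versions of one login query (added example,
not code from the original page). Table contents and attacker inputs are
constructed for illustration."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret!", "administrator"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Builds the statement by concatenation: whatever the user types becomes
    part of the SQL text, so quotes and operators in the input change the query."""
    query = (
        "SELECT name, role FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn: sqlite3.Connection, name: str, password: str):
    """Sends the statement and the values separately; the driver never parses
    the values as SQL, so a quote in the input is just a character to match."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


# Constructed attacker inputs.
TAUTOLOGY_PASSWORD = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
COMMENT_NAME = "admin'--"            # closes the string, comments out the password check


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", login_vulnerable(db, "admin", TAUTOLOGY_PASSWORD))
    print("vulnerable, comment:  ", login_vulnerable(db, COMMENT_NAME, "anything"))
    print("parameterized:        ", login_parameterized(db, "admin", TAUTOLOGY_PASSWORD))
    print("parameterized:        ", login_parameterized(db, COMMENT_NAME, "anything"))
```

The first attacker input makes the condition `name = 'admin' AND password = '' OR '1'='1'`, which is true for every row; the second ends the statement early with a `--` comment so the password is never checked. The parameterized version returns nothing for either input because the database compares the literal text, quotes included, against the stored values. The sqlite3 module also refuses to run more than one statement per call, which blocks the classic `'; DROP TABLE ...` form here, but that is a property of this driver, not a substitute for parameterization.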
12. DDoS (Distributed Denial of Service) Attack
a. A relatively basic attack in which a target is overwhelmed with meaningless traffic or requests sent simultaneously from a large number of sources (often a botnet of compromised machines), so that it can no longer serve legitimate users.
b. Example: In 2011, trading in several companies' shares on the Hong Kong stock exchange was suspended after a multi-day DDoS attack, using botnets from around the world, took down the exchange's news website.
13. Strategic Web Compromise (SWC) or Watering Hole Attack
a. Compromise of a website that the intended target is likely to visit, and use of that site as a means of delivering malicious code to the target's computer when they do.
b. Example: In 2013, a U.S. Department of Labor website was the subject of an SWC attack. The compromised site hosted data on workers' compensation for employees exposed to uranium, so its visitors, rather than the Department itself, were the likely intended targets.

To comment on a term, supplement an example, or add a new entry, e-mail us at digitalfutures@wilsoncenter.org.
