Skip to Content

The Security Geek's Dictionary

# A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Expand or Collapse all.

419 Scam

 Named for section 419 of Nigerian law which makes confidence schemes illegal, this is a scam in which someone pretends to be a wealthy foreigner who wants help moving a large amount of money overseas. Usually, the scammer requests bank account information to pay for fees supposedly incurred in the large-sum transfer. The large sum transfer never happens and the victim is taken for as much "fee" money as possible.

Anti-virus Software

 Computer software that attempts to locate, disable and remove from a computer any malicious software (such as viruses and worms). Anti-virus software typically relies on so-called signature files, which allow the software to detect malware based on particular code segments that are only present in unwanted programs. Since it is not possible to know what these code segments are before the malware starts infecting machines on the Internet (and is analyzed by anti-virus companies), this type of prevention mechanism does not help early on as a new malware version spreads. Some types of anti-virus software also perform so-called behavioral checks to detect yet-unseen strains of malware based on what they are trying to do. This is possible since malware is typically accessing and storing data at computer memory locations that other types of software do not.


 An attack is an attempt to subvert or bypass a system's security. Attacks may be passive or active. Active attacks attempt to alter or destroy data. Passive attacks try to intercept or read data without changing it. Also see: brute-force attack, Denial of Service, hijacking, password attacks, password sniffing.

Authentication Token

 A security device carried by an authorized user. The device has a changing value or a secret algorithm that cannot be copied, thus requiring a valid token to be possessed by whomever wants to authenticate. An example of an authentication token is the RSA SecurID token. Also see "second-factor authentication."

Back door

 A back door is a feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. This is also called a trap door.

Back orifice

 Back Orifice is a program developed and released by The Cult of the Dead Cow (cDc). It is not a virus; instead, it is a remote administration tool with the potential for malicious misuse. If installed by a hacker, it has the ability to give a remote attacker full system administrator privileges to your system. It can also “sniff” passwords and confidential data and quietly email them to a remote site. Back Orifice is an extensible program—programmers can change and enhance it over time. Also see: password sniffing.

Background scanning

 Background scanning is a feature in some anti-virus software to automatically scan files and documents as they are created, opened, closed, or executed.

Bayesian filter

 A Bayesian filter is a program that uses Bayesian logic (also called Bayesian analysis) to evaluate the header and content of an incoming email message to determine the probability that it constitutes spam.

Boot record

 The boot record is the program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk. Also see: boot sector.

Boot sector

 The boot-sector is an area located on the first track of floppy disks and logical disks that contains the boot record. Boot sector usually refers to this specific sector of a floppy disk, whereas the term master boot sector usually refers to the same section of a hard disk. Also see: master boot record.

Boot sector infector (BSI)

 A boot-sector infector virus places its starting code in the boot sector. When the computer tries to read and execute the program in the boot sector, the virus goes into memory where it can gain control over basic computer operations. From memory, a boot-sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it stores elsewhere on the disk. It is also called a boot virus, boot-sector virus, or BSI.

Bot network (BotNet)

 A bot network is a network of hijacked zombie computers controlled remotely by a hacker. The hacker uses the network to send spam and launch Denial of Service attacks, and may rent the network out to other cyber criminals. Also see: zombie.

Browser hijacker

 A browser hijacker is a type of spyware that allows the hacker to spy on the infected PC’s browsing activity, to deliver pop-up ads, to reset the browser homepage, and to redirect the browser to other unexpected sites. Also see: spyware.

Brute-force attack

 A brute-force attack is an attack in which each possible key or password is attempted until the correct one is found. Also see: attack.


 To compromise a system is to access or disclose information without authorization.

Cyber criminals

 Cyber criminals (cyber criminals) are hackers, crackers, and other malicious users that use the Internet to commit crimes such as identity theft, PC hijacking, illegal spamming, phishing and pharming, and other types of fraud.

Denial of service (DoS)

 A Denial of Service (DoS) attack is an attack specifically designed to prevent the normal functioning of a system and thereby to prevent lawful access to the system by authorized users. Hackers can cause Denial of Service attacks by destroying or modifying data or by overloading the system’s servers until service to authorized users is delayed or prevented. Also see: attack.


 Dialers are programs that use a system, without your permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.


 Most anti-virus software carries out disinfection after reporting the presence of a virus to the user. During disinfection, the virus may be removed from the system and, whenever possible, any affected data is recovered.

DNS Poisoning

 A way of forcing users to a malicious site by injecting bad data into a domain name server's cache in order to change (for users of that server) the destination a domain resolves to. The effect of DNS poisoning is that the conversion from a URL to an IP address fails. For example, instead of translating the address to the IP address corresponding to the actual site of American Express, a server that has been a victim of DNS poisoning will supply the incorrect IP address. The URL that the user types will still be printed in the address bar, and if the content of the fraudulent Web site to which the translation is done looks the same as that of the legitimate site, then the user will not notice that the attack took place. Moreover, the fraudulent Web site will be able to harvest all the cookies intended for the legitimate Web site, which will allow it to impersonate the user's machine to the real site as well. Also see man-in-the-middle attacks. DNS poisoning is sometimes referred to as pharming, and it can be performed in a large number of ways. One of the recently discovered ways in which an attacker can mount an attack of this sort is by uploading malware to a person's router (or access point). These are devices that have no inherent protection against malware, but are very powerful in that all the user's Internet traffic passes through these machines. Therefore, an infected router can easily cause incorrect IP address information to be returned to an unsuspecting user.

DNS Server

 A server that translates DNS names (such as into an IP address that is actually used for communication on the Internet.


 A dropper is a carrier file that installs a virus on a computer system. Virus authors often use droppers to shield their viruses from anti-virus software. The term injector often refers to a dropper that installs a virus only in memory.

EICAR Standard Anti-Virus Test File

 The EICAR Standard Anti-Virus Test File consists of one line of printable characters; if saved as EICAR.COM, it can be executed and displays the message: "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" This provides a safe and simple way of testing the installation and behavior of anti-virus software without using a real virus.

Fast infector

 Fast infector viruses, when active in memory, infect not only executed programs, but also other programs that are open at the same time. Thus, running an application, such as anti-virus software, which opens many programs but does not execute them, can result in all programs becoming infected. Also see: slow infector.


 The small icon displayed next to a URL in the address bar of a browser. Phishers can place a "lock" icon here to pretend the connection is secure, or they can set this icon appropriately to mimic a real site. This means that seeing a lock in the address bar does not automatically mean that the corresponding site is secure.


 A firewall prevents computers on a network from communicating directly with external computer systems. A firewall typically consists of a computer that acts as a barrier through which all information passing between the networks and the external systems must travel. The firewall software analyzes information passing between the two and rejects it if it does not conform to pre-configured rules.


 Spam forwarded to you by a family member, friend or colleague.

Heuristic analysis

 Heuristic analysis is behavior-based analysis of a computer program by anti-virus software to identify a potential virus. Often heuristic scanning produces false alarms when a clean program behaves as a virus might.


 Hijackingis an attack whereby an active, established session is intercepted and used by the attacker. Hijacking can occur locally if, for example, a legitimate user leaves a computer unprotected. Remote hijacking can occur via the Internet.

In the wild (ITW)

 A virus is "in the wild" (ITW) if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence. Also see: zoo virus.

IP Address

 A set of four numbers from 0-255 separated by periods (.) that are used to identify each computer on a network. (Example: An IP address instead of a domain name (such as can be used in a phishing URL to hide the fact that a given Web site is not legitimate. In a DNS poisoning or pharming attack, the IP address returned by a DNS server is changed to direct victims to a phisher's site.

Joke programs

 Joke programs are not viruses, but may contain a virus if infected or otherwise altered. These are also called practical joke programs.


 The Windows Registry uses keys to store computer configuration settings. When a user installs a new program or the configuration settings are otherwise altered, the values of these keys change. If viruses modify these keys, they can do damage.

Keyboard Logger (Keylogger)

 Keyloggers are malicious programs that record the key strokes a user types on their PC, including instant message and email text, email addresses, web sites visited, passwords, credit card and account numbers, addresses, and other private data.

Library file

 Library files contain groups of often-used computer code that different programs can share. Programmers who use library code make their programs smaller since they do not need to include the code in their program. A virus that infects a library file automatically may appear to infect any program using the library file.

In Windows systems, the most common library file is the Dynamic Link Library; its extension is DLL.

Lock Icon

 A small padlock icon displayed by a Web browser to indicate that the browser has established a secure connection to the currently loaded Web site. This suggests to the user that nobody can "eavesdrop" on their communications with the server.

Logic bomb

 A logic bomb is a type of Trojan horse that executes when specific conditions occur. Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date. Also see: time bomb.

Mail bomb

 A mail bomb is an excessively large email (typically many thousands of messages) or one large message sent to a user's email account. This is done to crash the system and prevent genuine messages from being received.


 Malware is a generic term used to describe malicious software such as viruses, Trojan horses, spyware, virus, worm and malicious active content. Some malware uses technical vulnerabilities (such as buffer overflow) to attack a machine, whereas other types of malware instead uses social vulnerabilities, i.e., attempts to make the victim willingly install and run the software. To do this, various types of deception is used. Commonly, the user is told that the software has a beneficial purpose, such as a screen saver, an Internet optimizer or spyware detector. While the malware may perform some of these functions, it also performs other functions, unbeknownst to the victim user.

Malicious code

 Malicious code is a piece of code designed to damage a system and the data it contains, or to prevent the system from being used in its normal manner.

Man-in-the-middle Attack

 An attack in which an attacker relays all messages back and forth between a client and server. During the attack, messages may be changed or simply recorded for later use. An example of this attack is where a victim contacts a Web server that is controlled by an attacker, thinking that this is his bank. The Web server then immediately establishes a connection to the user's bank. It sends any information it receives from the bank to the victim, who thinks he received the information from the bank. Any information sent from the victim to the attacker's Web server is immediately forwarded to the bank, which then thinks it receives the information from the user in question. There is no noticeable delay, so this is not detectable. As the Web server sends information back and forth, it may also save all the information it receives. While secure sockets layer (see below) may help protect against man-in-the-middle attacks, there are also ways an attacker can cause two sessions to be started by the victim at the same time, where one of them results in a connection with the bank and the other results in the theft of information sent to the bank. Man-in-the-middle attacks can be performed by malware, whether residing on the victim's machine, on a router or access point he connects to, or on another machine on the Internet.

Master boot record

 The master boot record (MBR) is the 340-byte program located in the master boot sector. This program reads the partition table, determines what partition to boot, and transfers control to the program stored in the first sector of that partition. There is only one master boot record on each physical hard disk. It is also called the partition table. Also see: boot record.

Not in the wild

 Viruses "not in the wild" are in the real world but fail to spread successfully. Also see: in the wild, zoo virus.

On-access scanner

 An on-access scanner is a real-time virus scanner that scans disks and files automatically in the background as the computer accesses the files.


 Payload refers to the effects produced by a virus attack. It sometimes refers to a virus associated with a dropper or Trojan horse.

Password attacks

 A password attack is an attempt to obtain or decrypt a legitimate user's password. Hackers can use password dictionaries, cracking programs, and password sniffers in password attacks. Defense against password attacks is rather limited but usually consists of a password policy including a minimum length, unrecognizable words, and frequent changes. Also see: password sniffing.

Password Sniffing

 Password sniffing is the use of a sniffer to capture passwords as they cross a network. The network could be a local area network, or the Internet itself. The sniffer can be hardware or software. Most sniffers are passive and only log passwords. The attacker must then analyze the logs later. Also see: sniffer.


 In computer security, this is an attack where an attacker compromises domain name values and redirects many people to the wrong IP for a given domain. Often this is accomplished with DNS poisoning or by modifying the host's files on peoples' computers. This is a special case of DNS poisoning, and is often the result of malware infections.


 Tricking someone into giving up private data by masquerading as an authority. This is mostly accomplished using e-mail or instant messages, directing the recipient to a fraudulent Web site that appears legitimate. Phishing is related to conning, but is taking place at a much grander scale, due to the use of the Internet, and it is harder to track back to the criminal.

Phishing IQ Test

A test where e-mails are displayed to a participant who is then asked to classify each as fraud or real. Usually these tests are used to illustrate the difficulty of identifying phishing e-mails. Recent research shows that phishing IQ tests are not measuring susceptibility to phishing very well, but rather, simply measure fear of phishing.


 To piggyback is to gain unauthorized access to a system by exploiting an authorized user's legitimate connection.

Program infector

 A program infector virus infects other program files once an infected application is executed and the activated virus is loaded into memory.

Puddle Phishing

 A phishing attack targeting the clients of a small financial institution, typically with very limited geographical coverage. Smaller institutions typically have lesser resources to fight phishing attacks than large banks do, and their clients are less accustomed to being targeted. This makes puddle phishing often more successful for the phisher.


 Ransomware is malicious software that encrypts the hard drive of the PC that it infects. The hacker then extorts money from the PC’s owner in exchange for decryption software to make the PC’s data usable again.

Real-time scanner

 A real-time scanner is an anti-virus software application that operates as a background task, allowing the computer to continue working at normal speed while it works. Also see: on-access scanner.

Screen Scraper

 Software that analyzes the graphics displayed on a computer screen and translates displayed images into text. This is often used to steal information from users, in particular if a user uses an on-screen keypad to enter a PIN.

Second Factor Authentication

 Second factor authentication demands more than just a password from a user logging in. It could be something he or she knows, something he or she has, or something he or she is. Examples of these three possibilities are: knowing one's mother's maiden name; to have a device that displays frequently changing passwords only known by the service provider and the person with the device; and use of a thumbprint to provide evidence of identity. There are many other forms of second factors, but not all are equally secure. Recent banking regulation demands that banks use some form of second factor authentication, but do not specify what type.

Secure Sockets Layer (SSL)

 A communication protocol developed by Netscape that is used to establish cryptographically secure communications between a client (usually a Web browser) and server. This protects against data from being stolen by eavesdroppers. Additionally, when a Web browser starts an SSL session, a small lock is displayed in the frame of the browser. However, phishers know that it can be hard to know exactly where the lock should be placed, and even though phishers cannot easily place locks in the browser frame, it is trivial to place lock images in the content portion of the Webpage. Many people do not notice the difference.

Signature-based Malware Detection

 A method of detecting malware that identifies malware by analyzing behavior of software, configuration and software patterns. Also see: malware.

Slow infector

 Slow infectors are active in memory and only infect new or modified files. Also see: fast infector.


 A sniffer is a software program that monitors network traffic. Hackers use sniffers to capture data transmitted over a network.


 Spam is unsolicited or undesired bulk electronic messages. There is email spam, instant messaging spam, Usenet newsgroup spam, web search-engine spam, spam in blogs, and mobile phone-messaging spam. Spam includes legitimate advertisements, misleading advertisements, and phishing messages designed to trick recipients into giving up personal and financial information.


Spam Filter

 A spam filter is a program used to detect unsolicited email to prevent spam from making it to a user's inbox. Filters use heuristics, keyword scans, whitelists and blacklists, and other processes. The filters are placed on email and ISP servers, in anti-spam software, and in anti-phishing browsers. Also see: Bayesian filter, heuristic analysis.


 Spim is spam for instant messaging. The messages can be simple unsolicited ads, or fraudulent phishing mail. Also see: spam, phishing..

Spear Phishing

 This attack is to phishing what targeted advertising is to advertising. In spear phishing, the attacker infers or manipulates the context of his intended victim and then "personalizes" his attack. It is possible for attackers to learn information about the victim in many ways, and it is difficult to know when this has taken place. This makes spear phishing very dangerous.

Spoofed E-mail

 Assuming the identity of another person while sending e-mail; often used to disguise the actual sender of a message. It is trivial to spoof an e-mail, and it can be done to make the e-mail appear to come from anywhere, whether it is your best friend, your system administrator, your bank or

Spoofed web site

 A spoofed web site is one that mimics a real company’s site—mainly financial services sites—in order to steal private information (passwords, account numbers) from people that are tricked into visiting it. Phishing emails contain links to the counterfeit site, which looks exactly like the real company’s site, down to the logo, graphics, and detailed information. Also see: phishing.


 Spyware is a wide range of unwanted programs that exploit infected computers for commercial gain. They can deliver unsolicited pop-up advertisements, steal personal information (including financial information such as credit card numbers), monitor web-browsing activity for marketing purposes, or route HTTP requests to advertising sites.

SSL Post

 A form submission that originates from an unencrypted "http" page but posts to an encrypted page (https). Encryption only occurs in this case after the submission button is pressed. Some phishers try to make it appear that the sites they manage (and which impersonate legitimate brands) perform SSL posts, whereas they do not. It is difficult for typical users to determine whether a given Webpage will perform an SSL post or not, which makes SSL posts less secure than traditional SSL connections.


 A subdivision of a master domain, e.g. "cs" in and "informatics" in

Synthetic Identity Fraud

 Posing as someone using identity that is completely fabricated — making up a new identity and assuming it. While not commonly in the news, this is one of the predominant types of fraud.

Time bomb

 A time bomb is a malicious action triggered at a specific date or time. Also see: logic bomb.

Trojan horse

 A Trojan horse is a malicious program that pretends to be a benign application. It purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but they can be just as destructive.


 Tunneling is a virus technique designed to prevent anti-virus applications from working correctly. Anti-virus programs work by intercepting the operating system before it can execute a virus. Tunneling viruses try to intercept the actions before the anti-virus software can detect the malicious code. New anti-virus programs can recognize many viruses with tunneling behavior.


 Vaccination is a technique some anti-virus programs use to store information about files in order to notify the user about file changes. Internal vaccines store the information within the file itself, while external vaccines use another file to verify the original for possible changes.


 A variant is a modified version of a virus. It is usually produced on purpose by the virus author or another person amending the virus code. If changes to the original are small, most anti-virus products will also detect variants. However, if the changes are large, the variant may go undetected by anti-virus software.


 A virus is a computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies, or creates the files. Some viruses display symptoms, and others damage files and computer systems, but neither is essential in the definition of a virus; a non-damaging virus is still a virus.

There are computer viruses written for several operating systems including DOS, Windows, Amiga, Macintosh, Atari, UNIX, and others. presently detects more than 57,000 viruses, Trojans, and other malicious software. Also see: boot sector infector, file viruses, macro virus, companion virus, worm. Also see: Virus definition

Virus Hoaxes

 Virus hoaxes are not viruses, but are usually emails warning people about a virus or other malicious software program. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary email.
Most hoaxes contain one or more of the following characteristics:

  • Warnings about alleged new viruses and their damaging consequences
  • Demands that the reader forward the warning to as many people as possible
  • Pseudo-technical "information" describing the virus
  • Bogus comments from officials: FBI, software companies, news agencies, etc.

If you receive an email message about a virus, check with a reputable source to ensure the warning is real. Click here( to learn about hoaxes and the damage they cause. Sometimes hoaxes start out as viruses and some viruses start as hoaxes, so both viruses and virus hoaxes should be considered a threat.


 Worms are parasitic computer programs that replicate, but unlike viruses, do not infect other computer program files. Worms can create copies on the same computer, or can send the copies to other computers via a network. Worms often spread via Internet Relay Chat (IRC).

Yield (Phishing)

 The percentage of targets in a scam that fall victim. If an e-mail asking for credit card details is sent to 100 people and two of them respond, the yield is 2 percent. Phishers, of course, hope for a high yield. It is not known exactly what the yield of phishing attacks are, but researchers and security specialists believe that it is in the range of a few percent, but believe that the increased use of spear phishing can increase the yield well above 20 percent. Given that phishers target huge numbers of potential victims at the same time, even a yield of just a few percent create a sufficient profit for the phishers to be attracted to committing this crime again and again.


 A zombie is a PC that has been infected with a virus or Trojan horse that puts it under the remote control of an online hijacker. The hijacker uses it to generate spam or launch Denial of Service attacks. Also see: spam, Denial of Service.


 A zoo is a collection of viruses used for testing by researchers. Also see: in the wild, zoo virus.