- A cut-and-paste attack is an assault on the integrity of a security system in which the attacker substitutes a section of ciphertext (encrypted text) with a different section that looks like (but is not the same as) the one removed. The substituted section appears to decrypt normally, along with the authentic sections, but results in plaintext (unencrypted text) that serves a particular purpose for the attacker. Essentially, the attacker cuts one or more sections from the ciphertext and reassembles these sections so that the decrypted data will result in coherent but invalid information. Cut-and-paste is a type of message modification attack: the attacker removes a message from network traffic, alters it, and reinserts it. This is called an active attack, because it involves an attempts to change information; in comparison, a passive attack, such as password sniffing, seeks information but does not itself modify the valid information, although it may be used in conjunction with an active form of attack for various purposes.
When the data modified in the attack involves critical enterprise or personal information, the cut-and-paste attack can pose a serious threat to security. A typical use for a cut-and-paste attack is the modification of information on a customer order form for the purchase of goods or services over the Web. The attacker modifies the form so that the victim's credit card number is sent to the vendor but other information - such as the attacker's chosen delivery address and the type or quantity of goods ordered - is "pasted" into the form which the customer's valid information has been "cut". The apparently unaltered form, assembled from a "cut-and-pasted" combination of valid and invalid data, is submitted to the vendor.
 |
Learn more about Enterprise Data Governance |
| LAST UPDATED: |
04 Jun 2007
|
 |
Do you have something to add to this definition? Let us know.
Send your comments to techterms@whatis.com
|

 |
More resources from around the web:
|


');
// -->


 |
 |
|  |
RELATED GLOSSARY TERMS
| Terms from Whatis.com − the technology online dictionary |
 |
data masking
(SearchSecurity.com)
Data masking is a method of creating a structurally similar but inauthentic version of an organization's data that can be used for purposes such as...
|
 |
data splitting
(SearchSecurity.com)
|
|

|