Part 1. Lecturer: Prof. Mohamed Bettaz Coordinator: Prof. Mohamed Bettaz Internal Examiner: Dr. Mourad Maouche. Examination Paper

Transcription

1 Philadelphia University Lecturer: Prof. Mohamed Bettaz Coordinator: Prof. Mohamed Bettaz Internal Examiner: Dr. Mourad Maouche Faculty of Information Technology Department of Computer Science Examination Paper Information and Computer Networks Security ( ), Section 1, Special Topics in Software Engineering ( ), Section 1, Information Security ( ), Section 1, Final Exam, 2014/15_2, Date: June 14, 2015, Time: 2 hours Marking Scheme Information for Candidates 1. This examination paper contains seven questions totalising 40 marks 2. The marks for parts of questions are shown in round brackets: e.g. (1). Advice to Candidates 1. You should attempt ALL the questions. 2. Answer each question on a separate page of the exam sheet, question 1 on the left most page, and question 6 on the right-most page. Part 1 Objectives: The questions in part 1 aim to check students understanding of basic concepts of the major course topics. Question 1 (Answer this question on page 1 of the exam sheet) (10 marks) A. A virtual LAN (VLAN) allows devices to be grouped 1. based on subnets. 2. logically. 3. directly to hubs. 4. only around core switches. B. Which of the following devices is easiest for an attacker to take advantage of to capture and analyze packets? 5. hub. 6. switch. 7. router. 8. load balancer. C. Which of the following is NOT true regarding a demilitarized zone (DMZ)? 9. it provides an extra degree of security. 10. it typically includes an or Web server. 11. it can be configured to have one or two firewalls. 12. it contains servers that are only used by internal network users. D. A reverse proxy 13. only handles outgoing requests. 14. is the same as a proxy server. 15. must be used together with a firewall. 16. routes incoming requests to the correct server. E. Which is the preferred location for a spam filter? 17. install the spam filter with the SMTP server. 18. install the spam filter on the proxy server. 19. install the spam filter on the local host client. F. Which in the following is a vulnerability of MAC address filtering? 20. the user must enter the MAC. 21. APs use IP addresses instead of MACs. 22. not all operating systems support MACs. 23. MAC addresses are initially exchanged between wireless devices and the AP in an unencrypted format.

2 G. The primary weakness of wired equivalent privacy (WEP) is 24. its usage creates a detectable pattern. 25. initialization vectors (IVs) are difficult for users to manage. 26. it slows down a WLAN from 104 Mbps to 16 Mbps. H. Hashing would not be used in which of the following examples? (1 mark) 27. bank automatic teller machine (ATM). 28. encrypting and decrypting attachments. 29. verifying a user password entered on a Linux system. 30. determining the integrity of a message. I. If a person X wants to send a secure message to a person Y using an asymmetric cryptographic algorithm, the key he uses to encrypt the message is (1 mark) 31. Y s private key. 32. Y s public key. 33. X s public key. 34. X s private key. J. A digital signature can provide each of the following benefits (1 mark) 35. prove the integrity of the message. 36. verify the sender. 37. enforce non-repudiation. 38. all the above. Question 2 (Answer this question on page 2 of the exam sheet) (5 marks) Explain briefly how the boot virus might harm the hard drive. Elements of the answer are in the textbook. Additional material was handed to students for more details: The MBR contains the program necessary for the computer to start up and a description of how the hard drive is organized (the partition table). Instead of damaging individual files, a boot virus is intended to harm the hard disk drive itself. Part 2 Objectives: The questions in part 2 aim to check the students ability to solve familiar problems in the subject Question 3 (Answer this question on page 3 of the exam sheet) (5 marks) Explain briefly how buffer overflow attack might cause computer to stop functioning. Elements of the answer are in the textbook. Additional material was handed to students for more details: Boundaries of a fixed-length storage buffer. This extra data overflows into the adjacent memory locations and, under certain conditions, may cause the computer to stop functioning. Attackers also use a buffer overflow in order to compromise a computer. The storage buffer typically contains the memory location of the software program that was being executed when another function interrupted the process. That is, the storage buffer contains the return address of the program to which the computer s processor should return once the new process has finished. An attacker could overflow the buffer with a new return address and point to another area in the data memory area that contains the attacker s malware code instead. It is expected that students write a simplified code to illustrate their answer.

3 Question 4 (Answer this question on page 4 of the exam sheet) (5 marks) a) What is meant by Network Address Translation (NAT)? (1) b) Using IP addresses of class B, give an example of your choice showing how NAT operates. Illustate your answer by a draw. (4) Private IP addresses Class B Public IP addresses Class B a) Network address translation (NAT) is a technique that allows private IP addresses to be usedon the public Internet. Private IP addresses, are IP addresses that are not assigned to any specific user or organization; instead, they can be used by any one on the private internal network. Private addresses function as regular IP addresses on an internal network; however, if a packet with a private address makes its way to the Internet, the routers drop that packet. b) Private IP address : NAT replaces private IP address with public IP address: , Packet sent with public IP address: to the Internet. Question 5 (Answer this question on page 5 of the exam sheet) (5 marks) Subnetting is used among other to secure networks from attacks. a) Explain briefly the approach. (1) b) Suppose that we have a local area network consisting of 6 work stations all of them connected to the same and unique segment. Using IP addresses of class C, and subnetting technique, show how to transform the upper mentioned network into 3 subnets. (4) Public IP addresses Class C a) The TCP/IP protocol uses 32-bit IP addresses, consiting of wo parts: one part is a network address and one part is a host address. This split between the network and host portions of the IP address originally was set on the boundaries between the bytes (called classful addressing). Improved addressing techniques introduced later on allowed an IP address to be split anywhere within its 32 bits. b) Suppose all the 6 stations are on a net with address One subnet address: Another subnet with the address: A third subnet with the address: Question 6 (Answer this question on page 6 of the exam sheet) (5 marks) We know that keystream attack (or IV attack) happens when attacker identifies two packets (P1 and P2) derived from same IV. a) Show that in this case the XOR operation on the plaintext of the identified packets gives the same result as the XOR operation on their ciphertext (C1 and C2) Take P1: P2: Keystream X:

4 P1: C1 = P2: C2 = P1+P C1+C b) From the upper example, show how an attacker can discover the plaintext of P2 if he identified both ciphertexts and the plaintext P1. P1: (C1+C2) which is the plaintext of P2 Part 3 Answer one of the following two questions Objectives: The question in part 3 aims to check the students ability to solve an unfamiliar problem in the subject Question 7 (Answer this question on page 7 of the exam sheet) (5 marks) Both proxy server and Network Address Translation (NAT) use address masking (hiding) that might serve, among other, security purposes. What is the difference between both techniques with respect to the nature of masked (hidden) address. Among the elements of the answer the following has to be stresed: NAT: hidden adresses are private IP addresses. Proxy server: hidden adresses are not necessarily private IP addresses. A draw might be used to complete the answer. Question 8 (Answer this question on page 8 of the exam sheet) (5 marks) a) What is the difference between bleujacking and bleusnarfing? (1)

5 b) Does bleuejacking necessites pairing between the attacker and the attacked device? Give an example. (4) a) Elemets of the answer for the part a) might be based on material from the textbook: Bluejacking is an attack that sends unsolicited messages to Bluetooth-enabled devices. Usually bluejacking involves sending text messages, images and sounds. Bluejacking is usually considered more annoying than harmful because no data is stolen. However, many Bluetooth users resent receiving unsolicited messages. Bluesnarfing is an attack that accesses unauthorized information from a wireless device through a Bluetooth connection, often between cell phones and laptop computers.in a bluesnarfing attack, the attacker copies s, calendars, contact lists, cell phone pictures, or videos by connecting to the Bluetooth device without the owner s knowledge or permission. b) No. Example: elaborate around the following: create a contact with a message content instead of a true contact name; then send by sharing through bleutooth