Introduction To Network Security: Theory And Practice (2015)
Chapter 1. Network Security Overview
1.7 Exercises
1.7.1 Discussions
1. 1.1. Have you experienced any network security attack described in the text? If so, please share your experience with the class. If you have experienced network security attacks not described in the text, please describe them in detail.
2. 1.2. How did you solve the network security problems you encountered?
3. 1.3. What type of attackers do you think attacked you?
4. 1.4. Networked computers are managed by different types of people. What type of people do you think are most vulnerable to network security attacks?
5. 1.5. Why do you think phishing and pharming attacks are so common? What measures would you suggest to counter them?
6. 1.6. Why do you think network security must be a multiple-layer defense mechanism?
1.7.2 Homework
1. 1.1. This book assumes that the reader has taken a computer network course, or has sufficient experience working with computer networks.
1. (a) Describe the major structure of a TCP packet and explain the main functions of the fields in the TCP header.
2. (b) Describe the major structure of an IP packet and explain the main functions of the fields in the IP header.
3. (c) Explain the three-way handshake protocol in the TCP protocol and describe its main functions.
4. (d) Describe the difference between UDP and TCP. Give an example of an application that would use UDP and an application that would use TCP. Justify your answers.
2. 1.2. On the basis of your understanding of network protocols, answer the following questions:
1. (a) Explain the main functions of the ARP protocol.
2. (b) Explain the main functions of the ICMP protocol.
3. (c) Explain the major functions of routers, switches, and gateways.
4. (d) Explain the major functions of the SMTP protocol.
3. 1.3. Describe the major differences between IPv4 and IPv6.
4. 1.4. Use network administration tools to familiarize yourself with network configurations.
1. (a) In the Windows operating system, ipconfig, ping, tracert, nslookup, and netstat are common network administration tools. On a machine running Windows, go to the start menu, select run, and then enter cmd to open a command window. Execute these five network administration tools. Explain the results you observe. For each of these admin tools, use option -? to list each option of the tool and explain its usage. For example, enter ipconfig -? to learn all options of ipconfig and explain their usage.
Execute the following commands and explain the results you observe:
ping cs.uml.edu
ping www.google.com
tracert www.yahoo.com
netstat -e
2. (b) In the UNIX and Linux operating systems, ping, nslookup, netstat, and arp are common network administration tools. You may use the man tool to find out how to use these tools. For example, enter man netstat to list all information about netstat. On a machine running UNIX or Linux, execute these tools and explain the results you observe.
3. (c) Open a cmd window on a Windows machine and execute ipconfig /all to list all information of the network setup of your PC. Write down the host name, MAC address of your network adapter, IP address, subnet mask, and default gateway of your PC.
In the UNIX and Linux operating systems, the file /etc/hosts is a static table of host names and their IP addresses that the resolver consults before (or instead of) DNS. On a machine running UNIX or Linux, enter more /etc/hosts and explain what you see.
4. (d) Open a cmd window on a Windows machine and execute netstat -ano. Identify which ports are TCP ports, which ports are listening, which ports have established connections, and which ports are UDP ports. Also identify what programs are running on these ports.
To find out what program is running on a given port number, first identify its PID (process ID), and then open the Windows Task Manager window (e.g., you may open it by pressing the three keys Ctrl-Alt-Del simultaneously). Select View, then Select Columns, and check PID. Then select the Processes tab and find out which program is running with that PID. For example, suppose that the following line is included in the result returned from netstat -ano:
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:1026 127.0.0.1:1027 ESTABLISHED 664
From here, we know that Port 1026 is a TCP port where a connection has been established and its PID is 664. From the Windows Task Manager, we find out that postgres.exe has PID 664. Thus, we know that postgres.exe is running on Port 1026.
5. (e) Open a cmd window on a Windows machine and execute arp -a. It lists your machine's ARP cache, that is, the IP-to-physical (MAC) address mappings it has learned for hosts on the local network, including your router (the default gateway). Compare the physical address shown for the router with the physical address given by ipconfig /all: what is the difference between these two physical addresses, and why? On a UNIX machine, enter arp -a at the UNIX prompt to list the ARP table of your machine.
5. 1.5. Network sniffers are also referred to as packet sniffers. Network sniffers are software used to monitor network connections and obtain information about network packets. tcpdump and Wireshark are widely used packet sniffers, available free from www.tcpdump.org and www.wireshark.org, respectively. tcpdump has been around for many years. Wireshark, known as Ethereal until 2006, is newer and has a graphical user interface.
If you are using a Windows machine, download and install Wireshark-win64-1.12.0.exe (64-bit) or Wireshark-win32-1.12.0.exe (32-bit), or the newest version, from http://www.wireshark.org/. This version bundles WinPcap 4.0.1, the packet capture driver; you will need to install it as well. If you are using another operating system, download and install the corresponding version of Wireshark from the Wireshark Website. Then execute Wireshark.
We want to sniff ARP packets. For this purpose, in the main window of “The Wireshark Network Analyzer,” select Capture, then Options, and select your network card in the Interface box. In the empty Capture Filter box type arp, and then select Start to launch ARP sniffing. A window titled “(the name of the network card): Capturing - Wireshark” will appear. To generate ARP packets (so that you have something to sniff), open a Web browser and visit a few Websites. After a short while, you will see ARP packets captured in that window. Select Capture on the menu bar, then Stop, to stop sniffing. Note that the Wireshark window is divided into three panes. The upper pane lists the ARP packets that have been captured, the middle pane shows the decoded packet headers, and the lower pane shows the contents of the selected packet in hexadecimal and ASCII. Explain what you see. (A capture filter such as arp decides which packets are recorded at all; packets it excludes are never stored.)
Disclaimer: Network sniffing should only be done on a network where one has permission to do so and all parties are aware that it is (or may be) occurring. Otherwise, it may inadvertently break the Federal electronic eavesdropping and wiretap laws.
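To check your reading of the three panes, the following added example (not part of the book's exercise) decodes an Ethernet frame carrying an ARP packet field by field, in the RFC 826 layout Wireshark shows in its middle pane, and prints the one-line summary Wireshark puts in its Info column. The two frames are constructed inline (a request from 192.168.1.20 for the MAC address of 192.168.1.1, and the reply); all addresses in them are made up.

```python
"""Decode an Ethernet frame carrying an ARP packet, the way Wireshark's
packet-detail pane does. The frames used here are constructed for this example."""
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply"}
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Parse a 14-byte Ethernet header followed by a 28-byte Ethernet/IPv4 ARP
    packet (the layout of RFC 826). Raises ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    # hardware type, protocol type, hardware addr len, protocol addr len, opcode
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "dst_mac": mac_str(dst), "src_mac": mac_str(src),
        "operation": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def info_column(arp: dict) -> str:
    """Summarise a parsed ARP packet in the style of Wireshark's Info column."""
    if arp["operation"] == "request":
        return f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
    if arp["operation"] == "reply":
        return f"{arp['sender_ip']} is at {arp['sender_mac']}"
    return arp["operation"]


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str, dst: bytes) -> bytes:
    """Assemble an Ethernet+ARP frame; used here only to construct sample input."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", dst, mac(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


# Constructed sample: host 192.168.1.20 asks for the MAC address of its gateway
# 192.168.1.1 (sent to the broadcast address), and the gateway answers (unicast).
REQUEST = build_arp_frame(1, "00:11:22:33:44:55", "192.168.1.20",
                          "00:00:00:00:00:00", "192.168.1.1", BROADCAST)
REPLY = build_arp_frame(2, "aa:bb:cc:dd:ee:ff", "192.168.1.1",
                        "00:11:22:33:44:55", "192.168.1.20",
                        bytes.fromhex("001122334455"))

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        arp = parse_arp_frame(frame)
        print(f"{arp['src_mac']} -> {arp['dst_mac']}  ARP  {info_column(arp)}")
```

The request is what you see first in the capture: the destination MAC is ff:ff:ff:ff:ff:ff because the sender does not yet know whom to ask, and the target MAC field inside the ARP packet is all zeros. The reply is unicast back to the requester and carries the answer in the sender fields.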
6. 1.6. We often want to use a network sniffer to only pick up the types of packets we are interested in.
1. (a) Execute Wireshark. Select Options from the Capture menu. A window named “Wireshark: Capture Options” will pop up. In the empty Capture Filter box, enter tcp port 25, and then click Start to begin sniffing. Send yourself an email message. Then click Capture on the menu bar and select Stop. Explain what you see. Note that tcp port 25 captures only traffic to the classic SMTP port; a mail client that submits mail over port 587 or 465, or that encrypts the session with TLS, will give you no readable SMTP commands, so check how your client is configured.
2. (b) Execute Wireshark. Select Options from the Capture menu. A window named “Wireshark: Capture Options” will pop up. In the empty Capture Filter box, enter tcp port 80, and then click Start to begin sniffing. Open a Web browser and visit a few Websites. Then select Capture on the menu bar and select Stop. Explain what you see. Note that only plain HTTP uses port 80; sites you visit over HTTPS (port 443) will not appear in this capture.
7. 1.7. Finding statistical structure in a ciphertext message is a common cryptanalysis method. For example, given a ciphertext message, we first calculate the frequency with which each letter occurs in the message. We then compare these letter frequencies with the letter frequencies one would expect in the underlying language. If there is a clear one-to-one correspondence, we then know which ciphertext letter corresponds to which plaintext letter. This method is especially effective against early encryption algorithms, which substitute letters one for one and therefore preserve the letter frequencies of the plaintext.
In the English language, for example, the following table lists the expected frequency (in percent) of each letter, in decreasing order of frequency.

Letter  Frequency (%)    Letter  Frequency (%)    Letter  Frequency (%)
e          12.702        l           4.052        v           0.978
t           9.056        c           2.782        k           0.772
a           8.167        u           2.758        j           0.153
o           7.507        m           2.406        x           0.150
i           6.996        w           2.360        q           0.095
n           6.749        f           2.228        z           0.074
s           6.327        g           2.015
h           6.094        y           1.974
r           5.987        p           1.929
d           4.253        b           1.492
If the ciphertext message is not long enough, we may not be able to obtain a frequency distribution similar to the statistical one. Thus, we may also want to calculate the frequencies of strings of two or more letters, since the most common ones are likely to correspond to common letter strings in the language, such as er, or, the, and ing. Suppose that we have the following ciphertext message with punctuation and spaces removed, where the plaintext message is written in English:
NTCGPDOPANFLHJINTOOFITOVJHJCTMMHIHEMTCPFDWTSOFSHTOGFWTE
TTJJTBTOOFSZOVEOCHCVCHPJHOCGTOHNQMTOCNTCGPDCGFCSTQMFBTO
FBGFSFBCTSHJCGTQMFHJCTYCXHCGFAHYTDDHAATSTJCBGFSFBCTSHJC
GTBHQGTSCTYCCGHONTCGPDQSTOTSWTOCGTMTCCTSASTRVTJBZHJCGTQ
MFHJCTYCFJDOPPJTBFJOTFSBGAPSCGTQMFHJCTYCASPNFIHWTJBHQGT
SCTYCEZBPNQFSHJICGTASTRVTJBZPATFBGMTCCTSFIFHJOCCGTLJPXJ
BPNNPJASTRVTJBZHJCGTVJDTSMZHJIMFJIVFIT
1. (a) Calculate the frequency of each letter.
2. (b) Compare your calculated letter frequencies with the statistical letter frequencies, and find out the plaintext message properly punctuated and spaced.
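The letter, bigram and trigram counts that parts (a) and (b) call for can be computed with the script below. It is an added example, not part of the original exercise or its solution: it embeds the ciphertext above and the frequency table, ranks the ciphertext letters, and provides helpers for trying out a partial key (ENGLISH_FREQ, rank_guess, apply_key and chi_squared are names chosen for this example). The rank-only key it produces is a starting point, not the answer; only the first few ranks are reliable for a text of this length, and the rest of the key has to be worked out from the bigram and trigram output and the words that start to appear.

```python
"""Letter, bigram and trigram statistics for the ciphertext of Exercise 1.7."""
from collections import Counter

# Expected English letter frequencies, in percent, from the table above
# (already in decreasing order).
ENGLISH_FREQ = {
    "e": 12.702, "t": 9.056, "a": 8.167, "o": 7.507, "i": 6.996, "n": 6.749,
    "s": 6.327, "h": 6.094, "r": 5.987, "d": 4.253, "l": 4.052, "c": 2.782,
    "u": 2.758, "m": 2.406, "w": 2.360, "f": 2.228, "g": 2.015, "y": 1.974,
    "p": 1.929, "b": 1.492, "v": 0.978, "k": 0.772, "j": 0.153, "x": 0.150,
    "q": 0.095, "z": 0.074,
}

# The ciphertext from the exercise, with the line breaks removed.
CIPHERTEXT = (
    "NTCGPDOPANFLHJINTOOFITOVJHJCTMMHIHEMTCPFDWTSOFSHTOGFWTE"
    "TTJJTBTOOFSZOVEOCHCVCHPJHOCGTOHNQMTOCNTCGPDCGFCSTQMFBTO"
    "FBGFSFBCTSHJCGTQMFHJCTYCXHCGFAHYTDDHAATSTJCBGFSFBCTSHJC"
    "GTBHQGTSCTYCCGHONTCGPDQSTOTSWTOCGTMTCCTSASTRVTJBZHJCGTQ"
    "MFHJCTYCFJDOPPJTBFJOTFSBGAPSCGTQMFHJCTYCASPNFIHWTJBHQGT"
    "SCTYCEZBPNQFSHJICGTASTRVTJBZPATFBGMTCCTSFIFHJOCCGTLJPXJ"
    "BPNNPJASTRVTJBZHJCGTVJDTSMZHJIMFJIVFIT"
)


def only_letters(text: str) -> str:
    return "".join(c for c in text.upper() if c.isalpha())


def letter_frequencies(text: str) -> dict:
    """{letter: percent of the text}, most frequent first."""
    letters = only_letters(text)
    counts = Counter(letters)
    return dict(sorted(((c, 100.0 * n / len(letters)) for c, n in counts.items()),
                       key=lambda kv: (-kv[1], kv[0])))


def ngram_counts(text: str, n: int) -> Counter:
    """Counts of every overlapping n-letter string (n=2 bigrams, n=3 trigrams)."""
    letters = only_letters(text)
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))


def rank_guess(text: str) -> dict:
    """First-cut key: pair ciphertext letters with English letters by frequency rank."""
    return dict(zip(letter_frequencies(text), ENGLISH_FREQ))


def apply_key(text: str, key: dict) -> str:
    """Substitute the letters present in key (written in lowercase); letters not in
    the key stay uppercase, so it is visible which parts are still unresolved."""
    return "".join(key.get(c, c) for c in text)


def chi_squared(text: str, key: dict) -> float:
    """Distance between the letter distribution of the decrypted text and English
    (lower is closer). Useful for comparing candidate keys; unresolved letters
    are ignored, and an empty decryption scores infinity."""
    decrypted = [c for c in apply_key(only_letters(text), key) if c.islower()]
    total = len(decrypted)
    if total == 0:
        return float("inf")
    counts = Counter(decrypted)
    score = 0.0
    for p, pct in ENGLISH_FREQ.items():
        expected = pct * total / 100.0
        score += (counts[p] - expected) ** 2 / expected
    return score


if __name__ == "__main__":
    for letter, pct in letter_frequencies(CIPHERTEXT).items():
        print(f"{letter} {pct:6.3f}")
    print("bigrams :", ngram_counts(CIPHERTEXT, 2).most_common(8))
    print("trigrams:", ngram_counts(CIPHERTEXT, 3).most_common(5))
    key = rank_guess(CIPHERTEXT)
    print(apply_key(CIPHERTEXT, key))
    print("chi^2 of rank-only key:", round(chi_squared(CIPHERTEXT, key), 1))
```

A practical workflow is to start with an empty key, add the one or two letters the ranks make obvious, then use ngram_counts to find the most frequent trigram and test the hypothesis that it is a common English word; apply_key shows the partially decrypted text with the guesses in lowercase, and chi_squared gives a number to compare two competing keys.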
8. 1.8. In early versions of the UNIX and Linux operating systems, users' login passwords were stored in the file /etc/passwd in the following format:
user:password:ID:group-ID:comment:home:shell
where the password field held the crypt(3) hash of the password as a readable text string (e.g., ), and the file was readable by every user, making offline dictionary attacks possible. Recent versions fix this by moving the hashes to /etc/shadow, which only root can read, and putting a placeholder in this field: an x means the hash is in /etc/shadow, while a * (or !) means that no password will ever match, so password login to the account is disabled. Suppose that your /etc/passwd file contains the following entry:
nobody:*:65534:10:NFS Nobody (normal):/:/bin/nosh
Explain the meaning of each component in this entry.
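The entry can be taken apart mechanically, and the same parser can audit a whole file for the weaknesses the exercise describes. The script below is an added example, not from the book: it parses entries in the seven-field format above and checks a constructed sample file for a hash left in the world-readable file, an empty password field, and a second UID-0 account. The hash-like string in the sample is made up and is not a real password hash; the user names and paths are invented as well.

```python
"""Parse /etc/passwd entries and flag the ones a dictionary attacker would like."""
import re
from collections import Counter

FIELDS = ("user", "password", "uid", "gid", "comment", "home", "shell")
# Traditional crypt(3) hashes are 13 characters from [./0-9A-Za-z]; modular-crypt
# hashes ($1$, $5$, $6$, $y$, ...) start with a '$' prefix naming the algorithm.
HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.*|[./0-9A-Za-z]{13})$")

# Constructed sample file (not from any real system; the hash-like string is made up).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:*:65534:10:NFS Nobody (normal):/:/bin/nosh
legacy:ab4rrXL3Eq8aM:1001:1001:Old-style entry:/home/legacy:/bin/sh
guest::1002:1002:Guest account:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""


def parse_passwd_line(line: str) -> dict:
    """Split one entry into its seven fields; UID and GID become integers."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}: {line!r}")
    entry = dict(zip(FIELDS, parts))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def classify_password_field(value: str) -> str:
    """What the second field says about how the account authenticates."""
    if value == "x":
        return "shadowed"        # hash lives in /etc/shadow, readable only by root
    if value == "":
        return "empty"           # no password at all
    if value.startswith("*") or value.startswith("!"):
        return "locked"          # nothing hashes to this; password login is disabled
    if HASH_RE.match(value):
        return "hash-in-passwd"  # world-readable hash: offline dictionary attack possible
    return "unknown"


def audit(passwd_text: str) -> list:
    """Return (user, finding) pairs for the risky entries in a passwd file."""
    entries = [parse_passwd_line(l) for l in passwd_text.splitlines() if l.strip()]
    findings = []
    for e in entries:
        kind = classify_password_field(e["password"])
        if kind == "empty":
            findings.append((e["user"], "empty password field: login without a password"))
        elif kind == "hash-in-passwd":
            findings.append((e["user"], "password hash stored in world-readable /etc/passwd"))
        if e["uid"] == 0 and e["user"] != "root":
            findings.append((e["user"], "UID 0: full root privileges under another name"))
    for uid, n in Counter(e["uid"] for e in entries).items():
        if n > 1:
            findings.append((str(uid), f"UID shared by {n} accounts"))
    return findings


if __name__ == "__main__":
    for field, value in parse_passwd_line(PASSWD_SAMPLE.splitlines()[2]).items():
        print(f"{field:9} {value}")
    for user, finding in audit(PASSWD_SAMPLE):
        print(f"{user}: {finding}")
```

On a real system the same audit can be run with open("/etc/passwd").read() in place of the sample; the nobody entry from the exercise produces no finding, since * disables password login rather than exposing a hash.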
9. 1.9. Let h be a hash function and r a reduction function. Let T be a rainbow table of k rows for D under h and r, where the jth row is for . Let and , where . Suppose for some and . Answer the following questions:
1. (a) Under what conditions will appear in the jth chain of ?
2. (b) Under what conditions will not appear in the jth chain of ?
3. (c) We note that in practice, h often maps a shorter password to a longer hash value. Thus, without loss of generality, we may assume that h is one-to-one for a given domain of passwords. It is common practice to use different reduction functions to produce a password chain. Why can this technique help increase the likelihood that appears in the jth chain of ?
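As an added illustration of parts (a) to (c), not taken from the book, the following script builds a small rainbow table and looks hashes up in it. It takes h to be SHA-1, the password domain D to be all three-letter strings over an eight-letter alphabet, and r_i to be the i-th of a family of reduction functions that differ only by an added offset; all of these are choices made for the example. build_table with rainbow=False reuses r_0 in every column, which is the single-reduction-function case the questions contrast against. coverage counts how many passwords the stored chains actually reach; comparing it for the two modes shows the effect part (c) asks about: with one reduction function, two chains that ever hit the same value merge and duplicate each other from then on, whereas with r_0, ..., r_(t-1) they merge only if they hit the same value in the same column.

```python
"""Rainbow-table chains with one reduction function versus one per column."""
import hashlib
from itertools import product

# Password domain D: all 3-letter strings over a small alphabet (|D| = 512).
ALPHABET = "abcdefgh"
DOMAIN = ["".join(p) for p in product(ALPHABET, repeat=3)]


def h(password: str) -> str:
    """The hash function h: SHA-1, as a hex string (a choice made for this example)."""
    return hashlib.sha1(password.encode()).hexdigest()


def r(i: int, digest: str) -> str:
    """Reduction function r_i: map a digest back into D. Each column index i gives a
    different function; using r_0 in every column gives the classic Hellman table."""
    return DOMAIN[(int(digest, 16) + i) % len(DOMAIN)]


def step(i: int, x: str, rainbow: bool) -> str:
    """x_{i+1} = r_i(h(x_i)), or r_0(h(x_i)) when a single reduction function is used."""
    return r(i if rainbow else 0, h(x))


def build_table(starts, t: int, rainbow: bool = True) -> dict:
    """Chains x_0 = start, ..., x_t; store {x_t: x_0}. Two chains that end at the
    same point are merged: only the first start is kept for that endpoint."""
    table = {}
    for s in starts:
        x = s
        for i in range(t):
            x = step(i, x, rainbow)
        table.setdefault(x, s)
    return table


def lookup(table: dict, target: str, t: int, rainbow: bool = True):
    """Find p in D with h(p) == target using only the stored endpoints, or None."""
    for j in range(t - 1, -1, -1):            # assume target = h(x_j) in some chain
        x = r(j if rainbow else 0, target)    # then x_{j+1} = r_j(target) ...
        for m in range(j + 1, t):
            x = step(m, x, rainbow)           # ... and continue to x_t
        if x in table:                        # endpoint matches: rebuild that chain
            p = table[x]
            for i in range(t):
                if h(p) == target:
                    return p
                p = step(i, p, rainbow)
            # no hit: a false alarm (the chain reached x by a different route)
    return None


def coverage(table: dict, t: int, rainbow: bool = True) -> int:
    """Number of distinct passwords whose hashes the stored chains can invert."""
    seen = set()
    for s in table.values():
        p = s
        for i in range(t):
            seen.add(p)
            p = step(i, p, rainbow)
    return len(seen)


STARTS = DOMAIN[::8]   # k = 64 chains
T = 8                  # chain length t


if __name__ == "__main__":
    for rainbow in (False, True):
        tbl = build_table(STARTS, T, rainbow)
        print("rainbow" if rainbow else "single r",
              "stored chains:", len(tbl),
              "passwords covered:", coverage(tbl, T, rainbow),
              "of", len(DOMAIN))
    tbl = build_table(STARTS, T)
    print("h('aaa') inverts to", lookup(tbl, h("aaa"), T))
```

The lookup loop is the answer to (a) in code: a hash appears in a chain exactly when, for some column j, reducing it with r_j and running the remaining columns lands on a stored endpoint and the rebuilt chain really contains a preimage; the "false alarm" branch is the case in (b) where the endpoint matches but the chain does not.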
10. 1.10. Two readers of the first edition shared with us their experiences on distributing passwords:
· “I can recall a security incident where the user name and password were accidentally sent off the secure network to an unauthorized email address. While no further security incidents occurred, it was certainly possible for an attacker to recover the username and password and do serious damage to the network.”
· “At work, we ONLY give passwords over the phone, and of course only when we know who we are speaking to. Of all the no-no's in network security, sending passwords via insecure email has to be at the top of the list.”
Describe your practice of distributing passwords and discuss its pros and cons.
11. 1.11. “Early in my career as a Web developer,” a reader of the first edition told us, “I created a Website for a friend. I created the FTP login name and password using the same first eight characters of the name of the site. In about 6 months' time, somebody hacked into the site and put their own silly page in place of her content. Once I regained control, I created a high-strength password using a combination of uppercase and lowercase letters, numbers, and symbols, with a minimum of eight characters. I have since followed this practice for every Web login I create.”
1. (a) Discuss why what the Web developer did before being hacked was problematic.
2. (b) Do you think that the weak password the Web developer set up was the actual cause of his friend's site being hacked? Justify your answer.
3. (c) Do you think that the Web developer's solution to the problem was effective? Justify your answer.
12. 1.12. “Previously when I had DSL and an old router at home, the wireless encryption didn't work and I would occasionally find unauthorized users on my network,” a reader told us. “I knew enough not to conduct any sensitive business using the wireless connection, but did once make an online shopping transaction using a credit card (I was being lazy). Within 2 days, there were fraudulent charges on my credit card.” Make an educated guess about what might have happened and justify your answer.
13. 1.13. “My account was compromised by a brute force attack a while back when I was playing an online game,” said a reader of the first edition. “In response I purchased an RSA token and linked my account to it, so that even if my password was compromised again my account could never be fully accessed without the token code.”
1. (a) Discuss why playing an online game might lead to user accounts being breached.
2. (b) Research the use of RSA tokens and explain whether using an RSA token would help secure user accounts for online games. Justify your answer.
14. 1.14. A reader of the first edition reported the following social engineering attack that happened to him: “Sometime ago I received a random phone call from someone (later identified as a fraudster) who wanted to speak to a senior person in my company.
Caller: Hello. Can I speak with the head of operations? (The fraudster did not mention a name, just a common job title, trying to sniff out a name and email address from me if I mistakenly mentioned the name of the person.)
Me: Can you please mention the name of the person you intend to reach, as we have many operation departments and heads around here (Baiting the fraudster)?
Caller: I have lost the business card he gave me and can't remember the details. Can you be kind enough to give me the name, email address, or direct number of one of the heads who might likely be in the same business meeting where I met the person I am trying to reach?
At this point the caller was suspicious enough that I transferred the call to my company's security investigative unit, which took it up from there.”
1. (a) Describe whether you have a similar procedure at work and how you think the procedure could be improved.
2. (b) If you received similar phone calls at home, what would you do, and what should you do? Note that some crooks may call claiming that your tax return contained errors and that you must call a certain number to clear it up, or otherwise be in trouble. Others may vary the story a little, for example by telling you that your neighbors reported to the police that you did something wrong. In every case, what they want is for you to call a certain number, where they scare you into providing information or giving them money.
15. 1.15. Good baits are essential for a phishing attack to be successful. Baits are often presented in the form of email messages and Websites that appear to be authoritative. Links contained in phishing messages are traps, leading to Websites controlled by attackers. Discuss how to identify phishing messages and phishing sites.
16. 1.16. The following phishing attacks were experienced by some of the readers. In each instance, describe what you would do if it happened to you.
1. (a) “A few years ago one of my network passwords on LinkedIn was compromised, possibly through phishing or pharming. As a result, spam messages spoofing my identity were sent to my connections. I discovered this when some of my connections notified me and said that they knew that I would not send such messages. I changed my passwords (and continue to do so periodically) and as a result the problem has not occurred since.”
2. (b) “I received phishing emails 2 months ago (around November 2013), claiming to be from FedEX. There were several clues that they were bogus. For example, the content and the Subject Line did not look right, and nowhere did I see anything similar to fedex.com. The message was very generic about some complication in delivery, and it urged the recipient to open up a file attachment that looked very suspicious. Sometimes you can tell an email is a phishing attack because the link it gives you in the message does not look right.”
3. (c) “I have been getting attacked very frequently through emails lately (in early 2014). One example is an email stating that I was offered a job, and asked me to fill out a form with all of my personal data. This is obviously an attempt to get my personal information because legitimate employers wouldn't offer me a job if they didn't know anything about me. My solution to the phishing attacks is never to log in to anything through an email, and never to give out information to anyone I can't authenticate or trust. I think one of the main reasons that my phone number and email address were compromised is my resume being posted on sites like monster.com. As soon as I find a job I'm taking it down!”
4. (d) “I've received tons of phishing emails over the years. When I was a customer of a local bank, I encountered the best phishing email I have ever received. I received an email that looked like it was from the bank with a link to the Website. I clicked the link. When I was about to login, I noticed that the color of the site did not look right. I took a closer look at the URL, and realized that it was not the official Website of the bank. It almost tricked me. I blocked the sender and emailed the bank who then passed it along to the FBI.”
5. (e) “I've encountered several cleverly disguised email invitations to provide account information. Thankfully, I've never entered personal information that was requested, but I know that many less security conscious people have. The best way to combat phishing is to ignore requests for personal information that emanate from the Web. When in doubt, call the institution directly, and not with the number on the email.”
6. (f) “Just last week (i.e., in mid January 2014), I received a phishing email. It appeared to come from an organization I know, but the actual email address was obviously not, and contained (false) links to reset my password. I reported it to the IT Help Desk.”
17. 1.17. Do you agree with the following rule of thumb when dealing with possible phishing emails: “If an email comes from a company or individual I don't recognize, I delete it. If it's really important, they will call me!” Justify your answer.
18. *1.18. ARP maps an IP address to the MAC address of a computer. Thus, mapping an IP address to a different MAC address redirects messages to a different computer. Conduct the following experiment. Let A, B, and C be three PCs connected to the same local area network (LAN) running Microsoft Windows (or Linux). Suppose that you have a user account on each of these computers and you have the same user name fool on computers B and C. Suppose that you can modify the ARP table on computer A (e.g., as a super user may do). On computer C, run ipconfig /all (Windows) or ip link (Linux) to obtain C's MAC address. Then on computer A, run arp -s to add a static entry to A's ARP table mapping B's IP address to C's MAC address. It is the sender's ARP table that decides which MAC address the frames for B are sent to, so the entry must be installed on A, not on B; a static entry takes effect immediately. Now, send an email message from your account on computer A to your account fool on computer B. If A delivers the message directly to B, the frames carrying it will go to C instead. Verify this result in your experiment. Note that the redirection does not apply to mail that A hands to a relay on another host, since A then never looks up B's address in its ARP table.
19. 1.19. Use port scans to check your computer's open ports.
1. (a) Use ShieldsUP! to scan your computer's open ports for possible loopholes. Visit www.grc.com, find the ShieldsUP! link, and follow the instructions to scan your computer's open ports.
2. (b) Nessus is a vulnerability scanner. Like ShieldsUP!, it checks open ports, but it also tries to determine what programs are running on them and whether they have known vulnerabilities. Visit www.nessus.org and download Nessus. Next, use Nessus to scan your computer.
20. 1.20. “Port scans are very frequent on our network by outside and inside attackers,” a reader told us. “We simply block repeat offenders.” Argue that this is a good solution. Can you think of a better approach to counter port scans? Justify your answers.
21. 1.21. Web servers are easy targets of DoS attacks. For example, attackers may bombard a Web server with a large number of login attempts in a short period of time, forcing the Web server to use up its computing resources checking passwords.
Web servers may use a picture verification service (a CAPTCHA) as follows: when receiving a login request, the Website opens a login page that displays, in addition to the usual boxes for entering the user name and password, a few characters in different colors or shapes, embedded in a small frame with a colorful background, and a box in which to enter these characters. To complete the login procedure, the user must also type in these characters. If they are not entered correctly, the Web server will not proceed to check the user name and password. This mechanism is typically used to prevent automation of the services the Website provides and to level the playing field (e.g., Ticketmaster uses it to prevent scalpers from using a program to purchase tickets).
Explain how automation of services could be used to launch DoS attacks, and why the picture-verification mechanism may help stop DoS attacks.
22. 1.22. A reader of the first edition shared this experience with us: “I sometimes saw employees bringing in a small personal switch and connecting it to the company LAN. Occasionally these switches would cause broadcast storms that resulted in denial of service on the LAN. It was easy to find these switches using tools such as Wireshark and then remove them.” These are rogue switches. Explain how to use Wireshark to identify rogue switches.
23. 1.23. “We had experienced repeated DoS attacks on our corporate Web servers,” a reader said. “The attackers were flooding our servers with external communication requests, so much so that the servers could not respond to legitimate traffic. To counter these attacks, we moved to a SaaS solution for our online customer software from AWS (Amazon Web Services), and transitioned to a similar model for our corporate Web servers using a Rackspace provider, beefing up its security and redundancy during the transition.”
1. (a) Conduct research on AWS, SaaS, and Rackspace.
2. (b) On the basis of your research, argue that the solution the company took is a good one.
24. 1.24. Sometimes a legitimate application may affect the performance of your system. Googlebot is such an application, and it is debatable whether applications of this kind should be considered malware. Googlebot is Google's Web crawler (also referred to as a spider): it crawls the Internet to discover new and updated pages for the Google index. Here is a story shared by a reader: “I worked with a customer who was facing extremely slow performance in their portal at the time of open enrollment for a new service. It was identified that it was Googlebot causing the problem, which was crawling the content on their external facing portal. They then worked with Google and the internal security team to filter the traffic to eliminate the additional crawling time.”
Discuss this issue and justify your opinions.
25. 1.25. Microsoft Windows has become the household operating system for people in all walks of life. Thus, computers that run Windows are hackers' major targets, and loopholes, flaws, and defects in Windows have been found one after another.
Use Microsoft Baseline Security Analyzer (MBSA) to analyze security settings of your Windows operating system and other Microsoft products. To do so, first download and install the newest version of MBSA from the following link:
www.microsoft.com/technet/security/tools/mbsahome.mspx
Then execute MBSA to scan your Windows system.
26. 1.26. Server programs that run in the background of your computer are entry points into your computer from the network. Some of these programs are necessary, some are not, and some are malicious programs downloaded by careless users. Suppose that you are running Windows XP on your computer.
1. (a) Follow this procedure to identify which services are running and which are stopped: select Run from the Start menu, type msconfig, and press OK to open the System Configuration Utility; then click the Services tab. For example, is your DHCP Client service running or stopped?
2. (b) Follow these steps to find out what each service supported by XP does: select Run from the Start menu, type services.msc, and press OK to open the Services window. Select each service in turn and read its description. For example, what does the DHCP Client service do?
27. 1.27. Back Orifice is a program designed for remote administration of a computer running Windows from another location, but it can also be used to log keystrokes with little effort. Other keylogging tools include hardware keyloggers and so-called invisible (stealth) software keyloggers. Conduct a survey of keyloggers and write a paper reporting your findings.
28. 1.28. Critical information may be stolen when you shop online. A reader shared with us the following story: “Just last year (i.e., in 2013) I had my credit card information stolen from what I believed to be a keystroke-logging attack. Since then I've beefed up my security and installed an anti-keylogger.”
Identify and discuss security vulnerabilities you can think of associated with online shopping.
29. 1.29. As we mentioned in the text, an apparently well-protected network can be brought down via an apparently minor trick. The following is a story shared by a reader of the first edition: “I am a system administrator for a large company with employees worldwide. My site produces sensitive hardware and software products. We have a very strong network security team keeping our network safe. However, about 2 years ago (i.e., in 2012), espionage hackers still managed to get into our network. As secure as our network was, the hackers used Outlook Web Access (OWA) to get into our network, retrieving a large volume of data in 2 days. The attack took the following steps:
1. They first collected information from media and by calling the company disguised as a sales person or government authority. They managed to retrieve email addresses from local users who were assigned to my site.
2. They then used a spoofing method to send emails to users from the known employees to other employees.
3. They would send emails with Trojans only during off hours, so that the email recipient would use OWA at home to access their email and bypass the firewalls and network security protocols at work.
The email spoofing was being done for about 2 weeks until an employee replied to the hacker, thinking it was an employee, from a company laptop off hours. When the employee returned to the office the next day the hacker was able to bypass the firewall and get into the network. We had to make major changes to the network from top down including the following:
1. Removed all OWA installations.
2. Spent a large sum of money to purchase firewalls and network security devices and distributed them globally.
3. Hired ten additional network security professionals.
4. Removed all local administrative rights from domain computers.
5. Purchased USB token devices for key staff members with administrator rights on computers. The device was a custom token that had both a certificate embedded in it associated with the employee and a password management code. For example, SafeNet, Inc. sells such products (see http://www.safenet-inc.com/data-protection/authentication/pki-authentication/).
6. Required all employees to change passwords every 25 days for a year.
Also as a result of this attack, I had to travel for about a year to multiple locations two to three times a month to give network security training to users. We have not been hacked again so far and we continue to make improvements on our network. We send out intentional spoofing emails every now and then to test our employees and I have to give remote training to those who fail the tests.”
1. (a) Discuss the attacking techniques the attacker was using in this attack.
2. (b) Discuss how to identify spoofing emails.
30. 1.30. “Since the MafiaBoy attack in 2000, on a regular basis, our own servers have been hit by DDoS attacks on average once every 2 years,” said a reader. Have you experienced any DDoS attack? If so, what measures did you take to counter it?
31. 1.31. “I have discovered that DDoS effects can occur by accident at an alarming rate due to improperly configured application software. It is helpful if the network system is configured to shut down the troubled application. Otherwise, it can be difficult to use diagnostic tools to find it.” Discuss how you may configure the system to detect misconfigured applications, to address this reader's concern.
32. 1.32. “Our servers were taken down with the Code Red and copycat worms in the early 2000s.” The reader who shared this experience also made the following comments: “Everybody I know has suffered from malicious software attacks at one time or another–no matter how careful you are. If you are not completely protected with updated anti-virus/malware software and more importantly, safe browsing habits, it can happen again to almost anyone.”
Share your own experiences using one or more concrete examples of malicious software attacks you encountered.
33. 1.33. “Several lab computers I administered were infected with viruses that hijacked the system,” a reader told us. “The infected system displayed a message supposedly from the FBI saying that the system was in violation of copyright laws and for a small fee could be cleared up (using a credit card of course). It frankly was too much work to clean it up so we instead just reinstalled the system.”
Suggest a way to clean up such viruses without reinstalling the system. Justify your answer.
34. 1.34. “Back at the dawn of time when I was an undergrad,” said a reader, “my university's computers were riddled with viruses. One that I remember in particular was the Stoned virus. It would attack the file allocation table in the DOS operating system, making the computer unable to find any file. Antivirus tools were not readily available then, so I kept a floppy disk that was just for the university computers. Once I used a disk at school, I marked it and never used it anywhere else. I'm sure that helped spread the virus on the university computers but it kept the viruses off my own PC.”
While floppy disks are no longer in use, USB sticks are still widely used today. What do you think of the reader's approach to viruses? Justify your answer.
35. 1.35. “In early 2013 I built a Website for a local restaurant using Drupal. It was a relatively straightforward site, with no actual commerce function. It didn't have any personal information on it, or in the MySQL database back end. I hid the administrative login for Drupal, but not very well. I just put it somewhere where a site user couldn't navigate to. However, Drupal is set up in such a way that site structures can be guessed by hackers, or perhaps mine was just crawled somehow by a program specializing in this sort of thing. Almost every day I received requests to add users to the site. The restaurant went out of business last week, so I took the site down, which stopped the requests right away.”
Can you suggest what happened to the Website and offer a fix if the site were to be run?
35. 1.36. “This past year (i.e., in 2013), I developed a quick and easy site for one of our meetings on a subdomain especially for it outside of our usual security model. One morning, my inbox was flooded with hundreds of error messages (i.e., error messages sent from sites to developers with all the parameters of the requests), all with SQL statements embedded in an open text field's input string. Fortunately, none of the attempts to access the database was successful and that day we came up with a procedure to prevent it from happening in the future by (1) validating all input before it is submitted and (2) blocking any suspicious statements before they get submitted to the database.”
Describe how to identify suspicious SQL statements.
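The two countermeasures the reader lists, validating input and blocking suspicious statements, can be sketched in code. The following is an added example, not from the book, using only Python's standard library and constructed sample inputs; the heuristics are a detection aid for the kind of error-report flood the reader describes, while the parameterised INSERT is what actually keeps such text from ever being executed as SQL.

```python
"""Added example (not from the book): flag suspicious SQL fragments in a
free-text field, and show the parameterised INSERT that keeps such text inert."""
import re
import sqlite3

# Heuristics for common injection shapes seen in form input: UNION-based
# extraction, destructive DDL/DML, tautologies such as ' OR '1'='1, comment
# markers that truncate the rest of a query, and stacked statements after ';'.
SUSPICIOUS_SQL = [
    (re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"), "union-select"),
    (re.compile(r"(?i)\b(drop|alter|truncate)\s+table\b"), "ddl"),
    (re.compile(r"(?i)\b(delete\s+from|insert\s+into|update\s+\w+\s+set)\b"), "dml"),
    (re.compile(r"(?i)(^|['\s])or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"), "tautology"),
    (re.compile(r"(--|#|/\*)\s*$|;\s*(--|/\*)"), "comment-truncation"),
    (re.compile(r"(?i);\s*(select|drop|delete|insert|update|exec)\b"), "stacked-statement"),
]

def suspicious_sql_reasons(text: str) -> list[str]:
    """Names of the heuristics that match `text`; an empty list means it looks
    clean. Use it for logging and alerting, not as the only line of defence."""
    return [name for pattern, name in SUSPICIOUS_SQL if pattern.search(text)]

def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Insert user text through a bound parameter so it is stored as data and
    never parsed as SQL; returns the row count afterwards."""
    conn.execute("INSERT INTO comments(body) VALUES (?)", (body,))
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]

def demo() -> dict:
    """Run both pieces over constructed inputs (assumed sample values)."""
    samples = [
        "Great dinner, we'll be back!",                  # benign
        "O'Brien",                                       # an apostrophe alone is not an attack
        "x' OR '1'='1",                                  # tautology
        "'; DROP TABLE comments; --",                    # stacked DDL plus comment
        "1 UNION SELECT username, password FROM users",  # extraction attempt
    ]
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(body TEXT)")
    rows = 0
    for s in samples:
        rows = store_comment(conn, s)  # every sample lands in the table verbatim
    dropped_text_stored = conn.execute(
        "SELECT COUNT(*) FROM comments WHERE body LIKE '%DROP TABLE%'").fetchone()[0]
    return {
        "flagged": {s: suspicious_sql_reasons(s) for s in samples},
        "rows_after": rows,                      # 5: the table still exists
        "drop_stored_as_data": dropped_text_stored == 1,
    }
```

Note that a benign apostrophe (O'Brien) is not flagged, which is why blocking on quote characters alone produces false positives; the bound parameter handles it correctly either way.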
36. 1.37. “A few months ago in 2013, a coworker of mine turned on an old PC hooked up to our work network and did not tell anyone. That old PC had been offline for a couple of years. Within a day or two we were having all kinds of network problems, from performance slowdown to other weird issues. Because this PC was behind our firewall it was not picked up right away. It turned out that all these problems were caused simply by an old worm in that old PC. To remedy the situation we first removed that old PC. We then manually scanned all our PCs and servers with multiple antivirus and malware tools, for the worm had also compromised the antivirus software installed on the PCs. We shut down the ports and services the worm was spreading through until we were sure that the network was clean. Once clean we were able to reconnect everything and went back to business as usual. This took about 72 hours to remedy. This incident made us revise our security policies and procedures to prevent things like this from happening again.”
What should the new security policy of this reader's company be, so that incidents like the one described in the message do not happen again?
37. 1.38. Junk email filters are software tools used to prevent junk email messages from entering your mailbox. Microsoft Office Outlook has this feature. To set it up, open Office Outlook and click Actions. Point the mouse to Junk E-Mail, click Junk E-mail options, Safe Lists Only, Safe Senders, and Add. Type the email addresses you wish to receive messages from, then click OK. Likewise, you may also specify the email addresses that you do not want to receive messages from. Describe how this can be done.
38. 1.39. “A server I managed was once compromised by an attacker. The attacker gained root access using a buffer overflow and installed a Trojan that replaced standard Linux commands with infected ones, opening up ports for the attacker to attack other locations. We fixed the problem by a complete system reinstall from the original media and by applying proper security patches.”
Describe what each of these two remedies does.
39. 1.40. Canary Values. The GNU Compiler Collection (GCC) supports buffer overflow protection using random canary values.
1. (a) Determine what the -fstack-protector and -fstack-protector-all flags are used for when compiling code using the GNU C (gcc) and C++ (g++) compilers.
2. (b) Compile C code with and without the -fstack-protector-all flag, disassemble both executables with the Linux tool objdump (option -d), compare the output, and determine which code is responsible for inserting the canary value in the prologue and which code is responsible for checking the canary value in the epilogue.
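As an added walk-through of part (b) (example code, not from the book), the following Python script drives gcc and objdump over a constructed C program and reports the markers of the canary prologue and epilogue. The `%fs:0x28` count assumes an x86-64 Linux/glibc toolchain and objdump's default AT&T syntax; the "without" build passes -fno-stack-protector explicitly because many distributions enable the protector by default, so omitting the flag would not give a truly unprotected binary.

```python
"""Added example (not from the book): compile a small C program with and
without GCC's stack protector and locate the canary code in `objdump -d`."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample program: a function with a local buffer is exactly the
# kind of frame -fstack-protector instruments.
C_SOURCE = r"""
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[32];
    strncpy(buf, name, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    printf("hello %s\n", buf);
}
int main(int argc, char **argv) { greet(argc > 1 ? argv[1] : "world"); return 0; }
"""

def build_and_disassemble(flag: str, workdir: Path) -> str:
    """Compile C_SOURCE with one stack-protector flag; return objdump -d output."""
    src, exe = workdir / "canary.c", workdir / ("canary" + flag.replace("-", "_"))
    src.write_text(C_SOURCE)
    subprocess.run(["gcc", flag, "-O0", "-o", str(exe), str(src)], check=True)
    return subprocess.run(["objdump", "-d", str(exe)], check=True,
                          capture_output=True, text=True).stdout

def canary_markers(disassembly: str) -> dict:
    """Count the tell-tale instructions. On x86-64/glibc the prologue loads the
    canary from thread-local storage (%fs:0x28) and the epilogue compares the
    saved copy against it, calling __stack_chk_fail on a mismatch."""
    return {
        "tls_canary_refs": disassembly.count("%fs:0x28"),  # x86-64 AT&T syntax only
        "has_chk_fail": "__stack_chk_fail" in disassembly,
    }

def stack_protector_report():
    """Compare -fstack-protector-all with the protector explicitly disabled
    (-fno-stack-protector, since distro defaults often turn it on).
    Returns None if gcc/objdump are missing or the build fails."""
    if not (shutil.which("gcc") and shutil.which("objdump")):
        return None
    try:
        with tempfile.TemporaryDirectory() as d:
            work = Path(d)
            return {flag: canary_markers(build_and_disassemble(flag, work))
                    for flag in ("-fstack-protector-all", "-fno-stack-protector")}
    except (OSError, subprocess.CalledProcessError):
        return None
```

Reading the full `objdump -d` output of the protected binary alongside the report shows the prologue `mov %fs:0x28,%rax` / `mov %rax,-0x8(%rbp)` pair and the epilogue compare followed by `call <__stack_chk_fail@plt>`; both disappear in the -fno-stack-protector build.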
40. 1.41. “When I was a kid I had problems with adware and Trojans on my Windows PC. Since then I always make sure that my machines have security software installed. Now I am using Norton Internet Security and it seems to get the job done. We also have Norton endpoint security installed on the development VMs at work.” Have you experienced any malicious software that even the Norton security tools could not remove?
41. 1.42. “I had an infection with spyware on my home computer. It popped up a window with an instruction to download Windows antivirus software. It would pop up and keep popping up until my computer would freeze because all the opened windows had used up all of the memory. I looked up how to fix the problem but it seemed so involved I finally just took the easy route: I wiped my hard drive, reinstalled the system from scratch, and downloaded antivirus and spyware tools. On a separate note, in my work we use common access cards to log in to computers and we can't even plug in a USB for fear that there might be malware on it.”
1. (a) What do you think happened to this person's computer?
2. (b) Is the USB policy mentioned a good policy? Justify your answer.
42. 1.43. “I have had several instances where my wife's computer became infected with some form of malware or another. She visited several questionable sites that I cautioned her against, but the joy of those sites outweighed my warnings. Of course each time her computer was infected I would have to fix it and hear about why I couldn't stop her machine from being infected. To help me avoid this, I run Linux at home, which I have found to be much more secure, and less susceptible to viruses.”
Do you agree with this reader's last comment about Linux being much more secure and less susceptible to viruses? Justify your answer.
43. 1.44. “I once worked for a guy as a consultant,” a reader told us. “The guy started bragging about the logic bomb he created. He set things up so that 3 months after he left the company (due to downsizing), the company screens would be taken over by a faked video of a senior member of the management team having inappropriate relationships with a donkey. The company then called him back in as a consultant (since he knew the system so well) to help find the cause of the problem. He worked at a very high rate of pay for 4 months pretending to solve the problem created by him. I stopped working for him the next week.”
Are you aware of any person who planted logic bombs in the software they wrote? If so, please describe it. If not, imagine and describe a situation in which a logic bomb may be planted.
44. 1.45. “In 2012, some syndicates were able to hack into our credit-card payment systems in North America, causing us a financial loss of up to $2.7 million. They did this through a combination of password theft, cryptanalysis, and phishing emails. Like the textbook says: The battle against network attacks is a perpetual one as the various attackers constantly devise new means to breach our network securities.” Can you make an educated guess as to when the attack this reader mentioned might have taken place? Justify your answer.
45. 1.46. When the TCP/IP protocols and the OSI seven-layer model were devised, their designers were only concerned about how to efficiently and reliably transmit data from the source computer to the destination computer. Data security was not a concern at that time. Consequently, the TCP/IP protocols and the OSI model do not contain any built-in security mechanism. When they later realized this security weakness, protocol designers started to add all kinds of security mechanisms to communication protocols. But these early protocols were not designed for data security, and so they may not have the right framework for adding security features. Adding a security feature to a protocol not built for it is like taking out materials from a wall to mend a fence. Thus, network designers have started to investigate the following issue: if one were to design a communication protocol all over again, what would be the best native architecture for including the current security mechanisms as well as for adding future security features? Think about this issue when you read the rest of the book, and try to develop a design of your own. This exercise is to be handed in at the end of the course.