
Q-1

(A) COMPARE SWITCHED V/S BROADCAST MEDIA LANS FROM SECURITY POINT OF VIEW, BRIEFLY EXPLAIN WHICH ONE IS MORE ADVANTAGEOUS AND WHY? COMPARISON BETWEEN SWITCH AND BROADCAST MEDIA DEVICE (HUB):

Switched media LANs use a switch. A switch learns which MAC address is reached through which port and forwards a unicast frame only out the port to which the destination is attached, whereas a broadcast media LAN uses hubs (or a single shared cable) and repeats every frame out every port. The main difference between the two is therefore the method by which frames are delivered to the destination: in a switched media LAN a frame is sent to the particular (MAC) address it is addressed to, while a hub has no way of knowing which port the destination is on, so it passes the frame to all nodes to make sure it reaches the intended one. This causes a lot of traffic on the network and can lead to poor network response times. From a security point of view the switched media LAN is the more advantageous one: it cuts down on network traffic and, because stations do not normally receive frames that are not addressed to them, it makes passive packet sniffing much harder (though, as part (B) shows, not impossible).

(B)

IS IT POSSIBLE TO SNIFF NETWORK TRAFFIC ON BOTH THESE TYPES OF LANS, IF YES HOW?

Yes, it is possible to sniff network traffic on both types of LAN.
o On a broadcast media LAN every frame reaches every port, so the attacker simply puts his network card into promiscuous mode and runs a packet sniffer; no active attack is needed.
o On a switched media LAN the attacker first has to redirect traffic to himself. With ARP spoofing he sends forged ARP replies that map the victim's (or the default gateway's) IP address to his own MAC address, so the switch delivers the victim's frames to the attacker's port. With IP forwarding enabled on his machine he then passes the packets on to the real destination, so the victim notices nothing.
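The ARP spoofing described above leaves a visible trace on the wire: the same IP address suddenly answers with a different MAC, and one MAC ends up claiming both the victim's and the gateway's IP. The following is an added example (not part of the original assignment) of a passive detector that parses raw ARP payloads in the RFC 826 format and flags both symptoms. All MAC and IP addresses, and the sample capture, are constructed for the demo.

```python
"""ARP spoofing detector over constructed ARP frames (added example for Q-1(B)/(C))."""
import struct
from collections import defaultdict

# ARP payload (RFC 826): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet/IPv4 ARP reply payload: 'sender_ip is at sender_mac', sent to target."""
    return ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                    mac_bytes(sender_mac), ip_bytes(sender_ip),
                    mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(payload):
    _htype, _ptype, _hlen, _plen, oper, sha, spa, tha, tpa = ARP.unpack(payload)
    return {"oper": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Passive ARP monitor: the first MAC seen for an IP is the baseline; a later reply
    that maps the same IP to a different MAC is flagged, and so is one MAC that ends up
    claiming several IPs (what a full man-in-the-middle between host and gateway does)."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.baseline = {}                  # ip -> first MAC seen for it
        self.claims = defaultdict(set)      # mac -> set of IPs it has claimed

    def observe(self, payload):
        arp = parse_arp(payload)
        alerts = []
        if arp["oper"] != ARP_REPLY:        # requests carry no binding worth trusting
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.baseline.setdefault(ip, mac)
        if known != mac:
            tag = " (default gateway!)" if ip == self.gateway_ip else ""
            alerts.append(f"ARP change: {ip} was {known}, now claimed by {mac}{tag}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"MAC {mac} claims {len(self.claims[mac])} IPs: "
                          + ", ".join(sorted(self.claims[mac])))
        return alerts


def run_detector(gateway_ip, payloads):
    """Feed a list of ARP payloads through ArpWatch and collect every alert."""
    watch = ArpWatch(gateway_ip)
    alerts = []
    for payload in payloads:
        alerts.extend(watch.observe(payload))
    return alerts


# Constructed capture: gateway and victim answer normally, then the attacker poisons both.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"

SAMPLE_CAPTURE = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "gateway is at attacker"
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "victim is at attacker"
]

if __name__ == "__main__":
    for line in run_detector(GATEWAY_IP, SAMPLE_CAPTURE):
        print(line)
```

The two legitimate replies produce no alerts; the third and fourth produce one "ARP change" alert each (the first tagged as the default gateway), and the fourth additionally flags the attacker's MAC for claiming two IPs, which is the full host-and-gateway poisoning needed for the IP-forwarding man-in-the-middle described above.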

(C)

HOW CAN A HACKER WHO HAS GOT A MACHINE CONNECTED TO A NETWORK, DETERMINE WHETHER HE IS ON A SWITCHED OR A BROADCAST MEDIA LAN?

Yes. The attacker puts his network card into promiscuous mode and watches what arrives at it. On a broadcast media LAN (hub) he will see unicast frames addressed to other stations' MAC addresses, because the hub repeats every frame out every port. On a switched LAN he will see only broadcast/multicast frames and frames addressed to his own MAC; unicast traffic between other stations never reaches his port. So if he can sniff other stations' traffic from the link without doing anything active, he is on a hub. If he first has to poison the victim's ARP cache (the victim sends traffic according to its ARP cache) before the victim's packets are delivered to his machine, and then forward them on to the actual default router, he is on a switch.
(D) TO WHAT EXTENT CAN WE PROVIDE PROTECTION AGAINST TRAFFIC ANALYSIS ATTACKS AND HOW?

Vulnerabilities in the communication protocols operating at the different OSI layers (ARP, IP, ICMP, UDP, TCP and others) make it possible for an attacker to observe the traffic of a network and learn who is talking to whom, how often and how much, even where he cannot read the payload. Because these weaknesses are built into the protocols, we cannot ensure 100% protection against traffic analysis attacks, but with the following measures we can make the network considerably more resistant to them:
o Encryption of the traffic (link-level and/or end-to-end), so that captured packets reveal as little as possible.
o Robust network defence solutions such as intrusion detection systems (IDS) and intrusion prevention systems (IPS).
o A powerful hardware- or software-based firewall to control what traffic may cross network boundaries.
o Segmentation with Virtual Local Area Networks (VLANs) on managed switches, which limits how much traffic a given port can see.

Q-2

(A) HOW CAN THE ROUTING INFORMATION BE EXPLOITED FOR LAUNCHING ANY SECURITY ATTACK?

There are three main mechanisms by which an attacker can spoof routing information:
1. The attacker sends out an ICMP redirect packet with the source address set to the regular gateway. The packet also contains the "new" gateway to use. The recipient of such a packet is expected to change its routing table, replacing the old gateway with the new one.
2. RIP-based attacks work by broadcasting illegitimate routing information to passive RIP hosts and routers via UDP port 520. In both of the above cases, the redirection can be made to any host chosen by the attacker.
3. Source routing allows the sending host to choose the route that a packet must travel to get to its destination. Traffic coming back to that host will take the reverse route. The attacker designs a route so that the packets go through his site.
(B) HOW CAN RIP SPOOFING BE AVOIDED

Disable RIP on the target system. Use static routing only, or newer routing protocols on your routing devices (e.g. OSPF, or proprietary routing protocols if in a homogeneous environment). Set up default routes on non-routing nodes.

(C) WHAT KINDS OF LOCAL/REMOTE ATTACKS CAN BE LAUNCHED BY AN ATTACKER ON A HOST TO BECOME AN ILLEGAL USER AND AN ILLEGAL ROOT ON THE SAID HOST?

There are several kinds of local and remote attacks an attacker can launch against a host, such as DoS attacks, DNS spoofing, ARP spoofing, port scanning, TCP de-synchronization and ICMP attacks.

Q-3
CONSIDER TWO NETWORKS, EACH WITH ITS OWN DNS SERVER RUNNING. A HOST ON ONE NETWORK WANTS TO GET CERTAIN INFORMATION FROM A SPECIFIC SITE ON THE INTERNET. USING DNS SPOOFING, HOW CAN THE HACKER INTERCEPT THE HOSTS COMMUNICATION WITH THE SITE? GIVE STEP BY STEP PROCEDURE FOR THE FOLLOWING SCENARIOS:

The cache of a DNS name server is poisoned with false information. For example, a hacker wants www.anything.com.pk=? to map to his own IP address 152.66.249.32.
(A) WHEN THE HACKER AND THE HOST ARE BOTH ON THE SAME NETWORK?

The attacker controls ns.attacker.com.pk.
1. The attacker modifies his own name server so that, when it answers the query www.attacker.com.pk=?, it also returns the false record www.anything.com.pk=152.66.249.32.
2. The attacker then submits the query www.attacker.com.pk=? to ns.victim.com.pk.
3. ns.victim.com.pk sends the query www.attacker.com.pk=? to ns.attacker.com.pk.
4. ns.attacker.com.pk responds, including www.anything.com.pk=152.66.249.32 in its reply. ns.victim.com.pk caches the false record, and the host's later lookup of www.anything.com.pk is answered from the poisoned cache with the attacker's IP address.
(B) DESCRIBE TWO WAYS THE HACKER MAY CARRY OUT DNS SPOOFING IF THE HOST AND THE HACKER ARE ON SEPARATE NETWORKS.

The attacker submits the DNS query www.anything.com.pk=? to ns.victim.com.pk. A bit later he forges a DNS reply www.anything.com.pk=152.66.249.32 that appears to come from the authoritative server for anything.com.pk. UDP makes the forging easier, because there is no connection to hijack, but the attacker must still predict the 16-bit query ID (and, on resolvers that randomise it, the UDP source port) that ns.victim.com.pk used; a reply that does not match is discarded.
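To show why the query ID matters, here is an added example (not part of the original assignment) of a toy caching resolver that accepts a reply only if its transaction ID, destination port and question match a query it actually sent, together with a blind forger on a separate network that floods guessed replies. It also computes the attacker's odds with and without source-port randomisation. 152.66.249.32 is the attacker address from the question; the domain name www.anything.com.pk is taken from the question, and the "real" answer 203.0.113.10 is constructed.

```python
"""Why a forged DNS reply must match the pending query (added example for Q-3(B))."""
import random
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
ATTACKER_IP = "152.66.249.32"           # from the assignment
REAL_IP = "203.0.113.10"                # constructed genuine answer (TEST-NET-3)
QNAME = "www.anything.com.pk"


def encode_name(name):
    """Dotted name -> DNS label sequence: <len><label>...<0>."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, qname):
    """Standard recursive query (RD=1) for an A record."""
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_reply(txid, qname, ip):
    """Response (QR=1, RD=1, RA=1) with a single A record qname -> ip, TTL 300, no compression."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_reply(packet):
    """Return (txid, qname, ip) from a reply produced by build_reply."""
    txid = DNS_HEADER.unpack_from(packet, 0)[0]
    qname, off = decode_name(packet, DNS_HEADER.size)
    off += 4                                   # skip QTYPE, QCLASS
    _, off = decode_name(packet, off)          # answer owner name
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
    off += 10
    return txid, qname, ".".join(str(b) for b in packet[off:off + rdlen])


class Resolver:
    """Caching resolver: a reply is used only if (query ID, destination port, question)
    match an outstanding query it sent; anything else is silently dropped."""

    def __init__(self, randomize_port=True, rng=None):
        self.rng = rng or random.Random()
        self.randomize_port = randomize_port
        self.pending = {}                      # (txid, sport) -> qname
        self.cache = {}

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        sport = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(txid, sport)] = qname
        return txid, sport, build_query(txid, qname)

    def receive(self, packet, dport):
        """Reply delivered to UDP port dport; returns True if it was accepted and cached."""
        txid, qname, ip = parse_reply(packet)
        if self.pending.get((txid, dport)) != qname:
            return False
        del self.pending[(txid, dport)]
        self.cache[qname] = ip
        return True


def blind_forgery(resolver, qname, attempts, rng):
    """Attacker on another network: triggers the lookup, then floods guessed replies
    before the genuine one arrives. Returns True if the attacker's IP gets cached."""
    txid, sport, _query = resolver.send_query(qname)
    for _ in range(attempts):
        guess_id = rng.randrange(1 << 16)
        guess_port = rng.randrange(1024, 1 << 16) if resolver.randomize_port else 53
        if resolver.receive(build_reply(guess_id, qname, ATTACKER_IP), guess_port):
            break
    resolver.receive(build_reply(txid, qname, REAL_IP), sport)   # genuine answer arrives
    return resolver.cache.get(qname) == ATTACKER_IP


def success_probability(attempts, randomize_port=True):
    """Chance that at least one of `attempts` independent blind guesses matches."""
    space = (1 << 16) * ((1 << 16) - 1024 if randomize_port else 1)
    return 1 - (1 - 1 / space) ** attempts


if __name__ == "__main__":
    rng = random.Random(1)
    for randomize in (False, True):
        wins = sum(blind_forgery(Resolver(randomize, rng), QNAME, 2000, rng) for _ in range(50))
        print(f"port randomisation={randomize}: {wins}/50 poisonings with 2000 forged replies each; "
              f"theory {success_probability(2000, randomize):.2e} per attempt")
```

With a fixed source port the attacker only has to hit a 16-bit ID, so 65536 blind replies give roughly a 63% chance of poisoning the cache; randomising the source port as well multiplies the search space by about 64,000, which is why modern resolvers do it. The predictable case (the attacker knows the ID, e.g. from a resolver that increments it) is exercised in the checks below by handing the correct ID to the forger.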

Q-4
CONSIDER AN ATTACKER ON THE SAME LOCAL NETWORK AS A HOST (CLIENT). HOW CAN THE ATTACKER EMPLOY ICMP RE-DIRECT MESSAGE TO TRICK THE HOST INTO SENDING ALL HIS OUTBOUND TRAFFIC (DESTINED FOR A REMOTE SERVER) TO ITSELF (THE ATTACKER) INSTEAD OF TO THE DEFAULT ROUTER (GATEWAY)?

DESCRIBE THE SEQUENCE OF MESSAGES EXCHANGED BETWEEN THE ATTACKER, THE HOST AND THE DEFAULT ROUTER?
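Before the answer, here is an added worked model of the exchange this question asks about (an example written for this page, not code from the original assignment or from the Bellovin paper). It builds and parses the real ICMP Redirect for Host packet format (type 5, code 1, quoting the IP header of the datagram that supposedly triggered it), gives the victim host the standard RFC 1122 acceptance checks, and then runs the attack as described in the answer: the attacker controls the secondary gateway G1, provokes the host into sending to the destination D so that a redirect quoting that datagram is plausible, and sends the redirect with the source address spoofed as the default gateway G2. All addresses (the 10.0.0.0/24 hosts and 198.51.100.20) are constructed.

```python
"""ICMP redirect attack model with RFC 1122 host checks (added example for Q-4)."""
import ipaddress
import struct

ICMP_REDIRECT, REDIRECT_HOST = 5, 1


def ip_bytes(ip):
    return ipaddress.ip_address(ip).packed


def ip_str(raw):
    return str(ipaddress.ip_address(raw))


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (0 for a correctly checksummed packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway, orig_src, orig_dst):
    """ICMP Redirect for Host quoting a 20-byte IPv4 header plus 8 bytes of the datagram
    that supposedly triggered it, as a real router would send it."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                        ip_bytes(orig_src), ip_bytes(orig_dst)) + b"\x00" * 8
    header = struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, 0, ip_bytes(new_gateway))
    csum = checksum(header + inner)
    return struct.pack("!BBH4s", ICMP_REDIRECT, REDIRECT_HOST, csum, ip_bytes(new_gateway)) + inner


def parse_redirect(pkt):
    """Return (new_gateway, quoted_src, quoted_dst); raise on bad type or checksum."""
    typ, _code, _csum, gateway = struct.unpack_from("!BBH4s", pkt, 0)
    if typ != ICMP_REDIRECT or checksum(pkt) != 0:
        raise ValueError("not a valid ICMP redirect")
    src, dst = struct.unpack_from("!4s4s", pkt, 8 + 12)   # src/dst inside the quoted IP header
    return ip_str(gateway), ip_str(src), ip_str(dst)


class Host:
    """Victim host routing table with the RFC 1122 (3.2.2.2) redirect acceptance checks."""

    def __init__(self, ip, prefix, default_gw, accept_redirects=True):
        self.ip = ip
        self.net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        self.default_gw = default_gw
        self.accept_redirects = accept_redirects
        self.host_routes = {}       # dst -> gateway learned from redirects
        self.sent = set()           # (src, dst) of datagrams recently sent

    def gateway_for(self, dst):
        return self.host_routes.get(dst, self.default_gw)

    def send(self, dst):
        self.sent.add((self.ip, dst))
        return self.gateway_for(dst)

    def receive_redirect(self, from_ip, pkt):
        new_gw, orig_src, orig_dst = parse_redirect(pkt)
        if not self.accept_redirects:
            return "ignored: accept_redirects disabled"
        if from_ip != self.gateway_for(orig_dst):
            return "rejected: not sent by the current first-hop gateway"
        if ipaddress.ip_address(new_gw) not in self.net:
            return "rejected: new gateway is not on the local network"
        if (orig_src, orig_dst) not in self.sent:
            return "rejected: quoted datagram was never sent by this host"
        self.host_routes[orig_dst] = new_gw
        return "accepted"


def simulate_attack(accept_redirects=True):
    """Steps 2-4 of the answer. Returns (naive result, spoofed result, gateway now used for D)."""
    g2, g1, attacker, d = "10.0.0.2", "10.0.0.3", "10.0.0.77", "198.51.100.20"
    host = Host("10.0.0.5", 24, g2, accept_redirects)   # G2 is the default router
    host.send(d)   # Step 2: attacker, posing as D, provokes a reply; it leaves via G2
    # A redirect from the attacker's own address fails the first-hop check ...
    naive = host.receive_redirect(attacker, build_redirect(g1, host.ip, d))
    # Step 3: ... so the attacker spoofs G2 as the source; every check now passes.
    spoofed = host.receive_redirect(g2, build_redirect(g1, host.ip, d))
    return naive, spoofed, host.gateway_for(d)   # Step 4: D is now routed via G1


if __name__ == "__main__":
    print(simulate_attack())                        # ('rejected: ...', 'accepted', '10.0.0.3')
    print(simulate_attack(accept_redirects=False))  # ('ignored: ...', 'ignored: ...', '10.0.0.2')
```

The point the model makes is that the RFC checks alone do not stop the attack: because the attacker spoofs the current gateway's address and has made the host send a matching datagram, the redirect looks exactly like a legitimate one. The effective host-side defence is to ignore redirects altogether (on Linux, `net.ipv4.conf.all.accept_redirects = 0`), which is what the `accept_redirects=False` case shows.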

ICMP can be used to redirect traffic that is routed on a network. This can cause a disruption in communications or enable a sniffer to listen in on traffic that normally would not be routed in the sniffer's direction. Redirection is normally used when a client sends data to a router that does not offer the best path to the destination: the receiving router sends an ICMP redirect message to the client to point it to a better router on the same network. The information is cached on the client's station (on Windows it can be read with the ROUTE PRINT command) and used the next time the client wants to communicate with the original destination network.

Sequence of messages exchanged:
Step 1: The attacker manages to take over a secondary gateway G1 on the source host's network.
Step 2: The attacker sends a TCP open packet to the source host, acting as the destination host, so that the source host sends a reply towards the destination.
Step 3: While that reply is in transit from the source host to the destination host through the default gateway G2, the attacker sends an ICMP route redirect message to the source host, spoofing the source address of G2 and naming G1 as the new gateway for the destination host.
Step 4: The source host accepts the route change control message as valid (it appears to come from its current gateway and refers to a packet it really sent) and changes its routing table so that all traffic bound for the destination host is now routed through gateway G1.
Step 5: The attacker quietly reads and/or modifies all traffic bound for the destination host and forwards it on to gateway G2, acting as a man-in-the-middle.

Q-5 (4)
Consider an e-commerce company, where customers connect to the company web site over the internet and provide a user name and password for a private account that is used later for placing orders. Users have to choose their own passwords for the account. Assume that you are the security consultant for the company and are tasked to determine the password selection criteria for these customer accounts.
In this regard, you can consider the relative effectiveness of longer versus short passwords, enforcing randomness of password characters compared to permitting the users to choose any characters they like, and whether forcing password changes every six months is a good idea.

Briefly discuss (about half a page) the advantages/disadvantages of these password selection schemes to help in deciding the password selection criteria.

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of the company's resources. All users, including contractors and vendors with access to the company's systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

Policy for password selection criteria:
o All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.
o Strong passwords have the following characteristics:
  o Contain at least three of the five following character classes: lower case characters, upper case characters, numbers, punctuation, special characters (e.g. @#$%^&*()_+|~-=\`{}[]:";'<>/ etc.).
  o Contain at least 10 alphanumeric characters.
  o Do not contain your user name, real name, or company name.
  o Do not contain a complete dictionary word.

SOME ADVANTAGES AND DISADVANTAGES of the new password policy: What is the difference between a strong password policy and a weak one? A weak password gives attackers very easy access to your computer system. Strong passwords are considerably harder to crack (or break), even with the powerful password-cracking software that is available today. Password-cracking software continues to improve, and the computers used to crack passwords are growing more powerful than ever. Password-cracking software generally uses one of three approaches: intelligent guessing, dictionary attacks, and brute-force automated attacks that try every possible combination of characters. Given enough time, the automated method can crack any password; however, strong passwords are much harder to crack than weak ones. This is also why length matters more than any single character class: every extra character multiplies the number of combinations a brute-force attack must try, so a longer password resists it better than a short one with a few random symbols, while a randomly generated password defeats dictionary and guessing attacks that a user-chosen one may not. A secure computer system has strong passwords for all user accounts. The main disadvantage of a strong password is that it is very hard to remember, and a password that has to be changed every six months is even harder, which tempts users to write it down, reuse it, or change it only trivially.

Q-7
Provide an explanation in support the authors claim that a combination of the stack guard defense and the non-executable stack defense serve to defeat many contemporary buffer overflow attacks, and that the proposed point guard defense will address most of the remaining contemporary buffer overflow attacks. Please note that you need to briefly explain (about two pages) the various types of buffer overflow attacks and their applicable defenses as discussed in the paper.

Ans: Buffer overflows have been the most common form of security vulnerability for the last ten years.
Moreover, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, the author surveys the various types of buffer overflow vulnerabilities and attacks, and surveys the various defensive measures that mitigate buffer overflow vulnerabilities, including the StackGuard method. The author then combines different techniques to eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.

The paper mainly discusses buffer overflow attack techniques and presents two projects, StackGuard and PointGuard, which both aim at protecting code pointers against buffer overflow attacks.

Attack techniques
The paper mentions three kinds of locations where the attack code (or the overflowed buffer) may be placed:
o stack
o heap
o static data area

And three common ways to transfer control to the code:
o Activation record: by modifying the saved return address (eip) in the stack frame.
o Function pointers: for example, a buffer overflow of a char array in a struct may be able to modify function pointers in the same struct, or in another struct.
o longjmp buffers: by modifying the target address saved in a longjmp buffer.

Defence
This paper presents StackGuard and PointGuard to counter buffer overflow.
StackGuard: The main idea of StackGuard is to add a canary (a check value) between the return address and the stack local variables. The canary can be a fixed value determined at compile time or a random number generated at run time; before the function returns, the canary is checked, and a corrupted canary means that the return address has been overwritten by an overflow.
PointGuard: StackGuard has one serious limitation: it can only protect the return address on the stack. Similar to StackGuard, PointGuard also uses canaries, but they are placed next to all code pointers (including function pointers and longjmp buffers) and their validity is checked whenever a code pointer is dereferenced.

Why the combination works: a non-executable stack stops the most common attack of the time, in which the injected code itself lives in a stack buffer, while StackGuard stops the most common way of reaching injected code, corrupting the saved return address. Together they defeat attacks that need either of these. What remains are attacks that corrupt function pointers or longjmp buffers, possibly with the code placed in the heap or static data area, and these are exactly the code pointers that PointGuard protects, which is why the author claims it addresses most of the remaining contemporary attacks.

Q-8 (4)
IN AN AUTONOMOUS SYSTEM EXTERIOR GATEWAYS PERIODICALLY REQUEST ROUTING INFORMATION FROM THE CORE GATEWAYS. THE ROUTING INFORMATION IS ONLY SENT IN A RESPONSE. IT IS DIFFICULT FOR AN INTRUDER TO INJECT FALSE ROUTE UPDATE. THEN HOW CAN THE INTRUDER LAUNCH ATTACKS TO INJECT FALSE ROUTING INFORMATION IN AN AUTONOMOUS SYSTEM?

One possible attack would be to impersonate a second exterior gateway for the same autonomous system. This may not succeed, as the core gateways could be equipped with a list of legitimate gateways to each autonomous system. Such checks are not currently done, however. Even if they were, they could authenticate only by source IP address, which can be forged.

A more powerful attack would be to claim reachability for some network where the real gateway is down. That is, if gateway G normally handles traffic for network N, and G is down, a gateway G' under the intruder's control could advertise a route to that network. This would allow password capture by assorted mechanisms. The main defense against this attack is topological (and quite restrictive): exterior gateways must be on the same network as the core; thus the intruder would need to subvert not just any host, but an existing gateway or a host that is directly on the main net.

A sequence number attack, similar to those used against TCP, might be attempted; the difficulty here is in predicting what numbers the core gateway is using. In TCP, one can establish arbitrary connections to probe for information; in EGP, only a few hosts may speak to the core. (More accurately, the core could only speak to a few particular hosts, though as noted such checks are not currently implemented.) It may thus be hard to get the raw data needed for such an attack.

Q-9 (4)
ENCRYPTING EACH PACKET AS IT LEAVES THE HOST COMPUTER AND DECRYPTING BEFORE IT ENTERS THE OTHER HOST SEEMS A VERY SECURE WAY OF COMMUNICATION. DO YOU THINK THERE ARE WEAKNESSES IN THIS TYPE OF ENCRYPTION?

Suitable encryption can defend against most of the attacks outlined above. But encryption devices are expensive, often slow, hard to administer, and uncommon in the civilian sector. There are different ways to apply encryption; each has its strengths and weaknesses.

Link-level encryption (encrypting each packet as it leaves the host computer) is an excellent method of guarding against disclosure of information, but it has some weaknesses. Broadcast packets are difficult to secure: in the absence of fast public-key cryptosystems, the ability to decode an encrypted broadcast implies the ability to send such a broadcast, impersonating any host on the network. Furthermore, link-level encryption, by definition, is not end-to-end; security of a conversation across gateways implies trust in the gateways and assurance that the full concatenated internet is similarly protected. If such constraints are not met, tactics such as source-routing attacks or RIP spoofing may be employed.

End-to-end encryption, above the TCP level, may be used to secure any conversation, regardless of the number of hops or the quality of the links. End-to-end encryption is, however, vulnerable to denial of service attacks, since fraudulently injected packets can pass the TCP checksum tests and make it to the application. A combination of end-to-end encryption and link-level encryption can be employed to guard against this. A routing attack can also be used to take over an existing connection: the intruder can effectively cut the connection at the subverted machine, send dangerous commands to the far end, and all the while translate sequence numbers on packets passed through so as to disguise the intrusion.

