
INFO2403 Information Security

Vaibhavi Kalgutkar (3534950)

Problem 1. Consider DAC and RBAC models. Compare these models, making a list of their benefits/weaknesses. Solution:

Comparing DAC and RBAC

DAC answers "who can see my data?"; RBAC answers "what can this user do?" (based on the roles assigned to them).

DAC is resource-based (permissions are set per individual file/object, per user), whereas RBAC is group/role-based (permissions are attached to roles, and roles are attached to users).

DAC permissions are generally set by the owner of the data (file/resource); RBAC roles and their permissions are defined by the administrator.

DAC permissions are always attached to the files/resources themselves (e.g. an ACL or mode bits on the file); RBAC is defined in configuration or at code level (privileges are assigned to roles, and users are then assigned roles by administrators).

In DAC the permission set is not static: it can differ for each file/resource and changes whenever an owner edits it. In RBAC the permissions of a role are fixed centrally and apply uniformly to every user holding that role.

Benefits of DAC

DAC is simple to implement and the approach is granular (per object, per user).

The owner of the data decides who can access it (the owner can assign permissions to others without involving an administrator).

Weakness of DAC

DAC is not centrally manageable; permissions differ for each file, so the more files there are, the harder it becomes to keep them consistent or to audit who can access what.

If a new user is added to the system (or leaves it), many separate ACLs may need to be modified, depending on how many resources he/she should (no longer) have access to.

Benefits of RBAC

RBAC is easy to manage because it is centrally administered. An organisation has comparatively few roles, so no matter how many users there are, the management effort stays small: onboarding is one role assignment, offboarding is one role removal.

Because access for many users flows through the same role, it is far easier to verify that the security policy over the resources is actually enforced: you audit the roles, not every file.

It supports separation of duties.

Weakness of RBAC

Less granular than DAC, and the mechanism itself is more complex to implement.

In a large system, managing role membership, role hierarchies (inheritance between roles) and customised privileges for exceptions is potentially very complex and time-consuming.
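The contrast above can be made concrete in code. The following is an added example, not part of the original assignment: a minimal DAC model (an ACL carried by each file and edited only by its owner) next to a minimal RBAC model (permissions on roles, roles on users, with a separation-of-duties rule). The users, file names, roles and permissions are constructed for illustration; it shows why onboarding a user touches every resource under DAC but a single role assignment under RBAC.

```python
"""Added example (not part of the original assignment): discretionary (DAC)
and role-based (RBAC) access control side by side.  All users, files, roles
and permissions below are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class DacFile:
    """DAC: the permission set travels with the resource and is edited by its owner."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, granter: str, user: str, perm: str) -> None:
        if granter != self.owner:  # only the data owner may delegate access
            raise PermissionError(f"{granter} does not own this file")
        self.acl.setdefault(user, set()).add(perm)

    def check(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


class Rbac:
    """RBAC: permissions attach to roles; an admin assigns roles to users."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = {}
        self.user_roles: dict[str, set[str]] = {}
        self.exclusive: list[set[str]] = []  # role pairs that must not be co-held

    def add_permission(self, role: str, resource: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, perm))

    def separate_duties(self, role_a: str, role_b: str) -> None:
        self.exclusive.append({role_a, role_b})

    def assign(self, user: str, role: str) -> None:
        held = self.user_roles.setdefault(user, set())
        for pair in self.exclusive:  # separation of duties is checked centrally
            if role in pair and (pair - {role}) & held:
                raise PermissionError(f"{user}: {sorted(pair)} are mutually exclusive")
        held.add(role)

    def check(self, user: str, resource: str, perm: str) -> bool:
        return any((resource, perm) in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


REPORTS = ("q1.pdf", "q2.pdf", "q3.pdf")  # constructed resources


def onboard_dac(new_user: str) -> tuple[int, bool, bool]:
    """Owner 'alice' grants read on every report.
    Returns (ACLs edited, new user can read q2.pdf, non-owner grant refused)."""
    files = {name: DacFile(owner="alice") for name in REPORTS}
    for f in files.values():
        f.grant("alice", new_user, "read")  # one ACL edit per resource
    try:
        files["q1.pdf"].grant(new_user, "mallory", "read")  # new user is not the owner
        non_owner_blocked = False
    except PermissionError:
        non_owner_blocked = True
    return len(files), files["q2.pdf"].check(new_user, "read"), non_owner_blocked


def onboard_rbac(new_user: str) -> tuple[int, bool, bool]:
    """Admin assigns one role.
    Returns (assignments made, new user can read q2.pdf, SoD rule enforced)."""
    rbac = Rbac()
    for name in REPORTS:
        rbac.add_permission("analyst", name, "read")
        rbac.add_permission("approver", name, "approve")
    rbac.separate_duties("analyst", "approver")  # one person must not do both
    rbac.assign(new_user, "analyst")             # one assignment covers every report
    try:
        rbac.assign(new_user, "approver")
        sod_enforced = False
    except PermissionError:
        sod_enforced = True
    return 1, rbac.check(new_user, "q2.pdf", "read"), sod_enforced


if __name__ == "__main__":
    print("DAC :", onboard_dac("bob"))   # 3 ACL edits for 3 files
    print("RBAC:", onboard_rbac("bob"))  # 1 role assignment, SoD enforced
```

With three files the difference is small; with thousands of files and hundreds of users, the DAC loop becomes the "modify multiple ACLs" weakness listed above, while the RBAC assignment stays a single operation that the separation-of-duties rule can check in one place.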

Problem 2. Humans are the weakest link in any security system. Give an example for each of the following:

(a) A situation in which human failure could lead to a compromise of encrypted data.


Situation: The attacker finds out information about a senior executive at an organisation and then calls a lower-level subordinate, pretending to be that executive:

Attacker: Hello, Jeremy.
Jeremy: Hi, who is this?

Attacker: I am Paul, Marketing Team Lead. You sent me a few details last week, and I forgot my laptop. I am in a meeting and I am looking for the passcode for the encryption lock on the PDFs. Can you give it to me real quick on the phone? I am in a meeting and it's embarrassing that I have to call you like this. Make it quick.

Jeremy: Yeah, sure, it's 456JERE.
Attacker: Thanks, Jeremy. See you in the office, bye.

Now the attacker has the passcode. We assume he already has the PDFs, having broken into Paul's email or otherwise gained access to Paul's laptop. He can easily extract the desired information from those PDFs, and that information can in turn lead to a bigger attack on the organisation. Note that the encryption itself was never broken: the human holding the key handed it over, which is why a passcode should never be given out over the phone, however urgent the request sounds.

(b) A situation in which human failure could lead to a compromise of identification and authentication

Situation:

The attacker infects dozens of USB drives with malware and drops them around the organisation (parking lots, elevators, washrooms, etc.). Some of the employees who find them will plug them into their systems; as soon as they do, the malware launches, e.g. a simple keylogger. In no time the attacker receives a stream of information, including login IDs and passwords, from every user who plugged in a drive. The authentication mechanism itself is intact; the credentials were captured at the keyboard because a user trusted an unknown device.


(c) A situation in which human failure could lead to a compromise of access control

Situation:

Piggybacking (tailgating) is a good example. Say the attacker wants to enter a secured zone (protected with RFID badges or some other access-control mechanism). The attacker simply walks behind a person who has legitimate access. He may ask that person to hold the door, pretending to carry a heavy box or, say, a CPU cabinet, and as a courtesy the person holds the door and lets the attacker in. The person fails to ask for identification or a badge, and the access control on the secured area is bypassed without the badge reader ever being attacked.

Image source: http://www.violence-free.com/Portals/96946/images/Piggybacking%20Image.jpg

Problem 3

On June 7th, LinkedIn confirmed that it had experienced a data breach that likely compromised the e-mail addresses and passwords of 6.5 million of its users. This confirmation followed the posting of the password records for these users in a public forum. One criticism of LinkedIn is that they used unsalted password hashes. In this question we will explore this criticism. Assume that each stolen password record had two fields in it: [user_email,SHA1(password)] and that a user login would be verified by looking up the appropriate record based on user email, and then checking if the corresponding hashed password field matched the SHA1 hash of the password inputted by the user trying to log in. By contrast, if LinkedIn had used a salted scheme, then each record would have had three fields: [user_email,salt,SHA1(password+salt)] and login verification would similarly require looking up the salt and using it when matching hashes. Given this:


a. Suppose the attacker’s goal is to break John Smith’s password via a dictionary attack. Does the lack of salting in LinkedIn’s scheme make this goal substantially easier? Justify. Solution:

No. It does not make this goal substantially easier, because the work is roughly the same in both cases. The salt is stored in the record next to the hash, so the attacker knows exactly which salt was used for John Smith. For each dictionary word he computes one SHA1 (of the word alone, or of the word plus John's salt) and compares it with the stored hash; the number of hash computations is bounded by the dictionary size either way. The only thing salting takes away for a single target is a precomputed table of SHA1(word) values, which saves little compared with hashing the dictionary once.

b. Suppose the attacker's goal is to break at least half of the passwords via a dictionary attack. Does the lack of salting in this scheme make this goal substantially easier? Justify.

Solution:

Yes. This makes the goal substantially easier. Without salt, the attacker hashes the dictionary once and then looks up every one of the 6.5 million stolen hashes in that single table: the cost is one SHA1 per dictionary word, regardless of how many users there are, and two users with the same password have the same hash, so one hit cracks both. With per-user salts, each distinct salt requires the whole dictionary to be hashed again, so the cost is multiplied by the number of users being attacked (up to 6.5 million), and no shared precomputed table (or rainbow table) helps.
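To make the two cases measurable, here is an added example (not part of the original assignment, and not LinkedIn's code) that builds both record formats from the question, [user_email, SHA1(password)] and [user_email, salt, SHA1(password+salt)], runs a dictionary attack against them and counts SHA1 computations. The user list, passwords and dictionary are constructed; the salt is a random 16-byte value per user.

```python
"""Added example (not part of the original assignment): a dictionary attack
against unsalted SHA1(password) records versus salted SHA1(password+salt)
records, counting hash computations for cases (a) and (b).  Users, passwords
and the dictionary are constructed."""

import hashlib
import os

# Constructed dictionary and users (John's password is in it, Bob's is not).
DICTIONARY = ["123456", "password", "linkedin", "qwerty",
              "letmein", "monkey", "dragon", "abc123"]
USERS = {
    "john.smith@example.com": "letmein",
    "jane.doe@example.com": "password",
    "bob@example.com": "Tr0ub4dor&3",
    "alice@example.com": "123456",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_unsalted_db(users: dict) -> dict:
    """[user_email, SHA1(password)]: stored as email -> (None, hash)."""
    return {email: (None, sha1_hex(pw.encode())) for email, pw in users.items()}


def build_salted_db(users: dict, salt_len: int = 16) -> dict:
    """[user_email, salt, SHA1(password+salt)]: stored as email -> (salt, hash)."""
    db = {}
    for email, pw in users.items():
        salt = os.urandom(salt_len)  # stored in the clear next to the hash
        db[email] = (salt, sha1_hex(pw.encode() + salt))
    return db


def crack_one(record: tuple, dictionary: list) -> tuple:
    """Case (a): attack a single record.  Works for both schemes because the
    attacker reads the salt from the record.  Returns (word, hashes computed)."""
    salt, target = record
    for attempts, word in enumerate(dictionary, start=1):
        if sha1_hex(word.encode() + (salt or b"")) == target:
            return word, attempts
    return None, len(dictionary)


def crack_all_unsalted(db: dict, dictionary: list) -> tuple:
    """Case (b), unsalted: hash the dictionary ONCE, then look every record up.
    Cost is len(dictionary) no matter how many records there are."""
    table = {sha1_hex(w.encode()): w for w in dictionary}
    cracked = {email: table[h] for email, (_, h) in db.items() if h in table}
    return cracked, len(dictionary)


def crack_all_salted(db: dict, dictionary: list) -> tuple:
    """Case (b), salted: the dictionary must be re-hashed for every distinct
    salt, so the cost grows with the number of records."""
    cracked, work = {}, 0
    for email, record in db.items():
        word, attempts = crack_one(record, dictionary)
        work += attempts
        if word is not None:
            cracked[email] = word
    return cracked, work


if __name__ == "__main__":
    unsalted, salted = build_unsalted_db(USERS), build_salted_db(USERS)
    john = "john.smith@example.com"
    print("(a) John, unsalted:", crack_one(unsalted[john], DICTIONARY))
    print("(a) John, salted:  ", crack_one(salted[john], DICTIONARY))
    print("(b) all, unsalted: ", crack_all_unsalted(unsalted, DICTIONARY))
    print("(b) all, salted:   ", crack_all_salted(salted, DICTIONARY))
```

For John alone both runs cost the same five hashes (case (a)). For the whole set the unsalted attack costs eight hashes in total, one per dictionary word, while the salted attack costs the sum of the per-user searches; with 6.5 million records and a real dictionary that difference is the whole point of salting (case (b)).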

Problem 4.

Practical exercise: whois, nslookup, and netcraft are a few of tools commonly used in passive reconnaissance. Explore these tools. Run them on www.bloomberg.com. This should not be done in Kali as it requires access to the Internet. Include the screenshots of your results. Explain what this information means and how it can be further used in preparation for an attack.

Solution:


Information gathering is the crucial first step of any task, and attacks are no exception: before an attacker strikes, they sit down and do their homework. Various tools are available for this. Most of them are perfectly legal to use, and passive reconnaissance never touches the target's own systems; it only becomes a problem when a person with the wrong intentions starts using them.

In this assignment we focus on the tools WHOIS, NSLOOKUP and NETCRAFT.

1. WHOIS. The whois tool has been around for a long time. Domain registrars keep records of the domains they register; these records contain information such as the owner's email address, physical address, phone number, etc. This kind of data can be very useful for planning a social engineering attack.


In the image on the left you can see registrant information: the city he/she lives in, phone number, email IDs and the exact physical address of the person. All of this can be useful to the attacker when preparing the attack vector.

It also shows similar details for the administrative contact, as well as the registration expiry date, which can also become part of the attack vector and may prove useful during or while planning an attack. For example, the attacker could call someone pretending to be the registrant (or the registrant's assistant), or send a fake "your domain is about to expire" notice timed to the real expiry date, and try to gain information for future use.

2. NSLOOKUP. nslookup is used to query DNS for information such as IP addresses (A/AAAA records), name servers (NS), mail servers (MX), aliases (CNAME), etc.


In the image on the left you can see the system's DNS server, 131.202.240.3 in our case. The "#53" after it indicates that we are communicating with it on port 53, the standard port on which DNS servers accept queries. nslookup is a program used to query Internet domain name servers, and its options (in particular the record type) return different pieces of vital information.

Take this as an example: we set type=mx and see what we get.


This returns information about the mail servers. Their host names often reveal the mail provider or product in use, which is a good way to learn about the mail server and look for vulnerabilities in it. There are many other options we can use with nslookup; it can also do a reverse lookup on an IP address, which maps an IP back to a host name and often exposes the hosting provider.
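The whois and nslookup output shown in the (omitted) screenshots is plain text that an attacker normally feeds into the next phase by hand. The following is an added example, not part of the original assignment: a small parser that turns that output into a structured reconnaissance summary (contact emails, expiry date, name servers, the resolver and port, mail exchangers and web addresses). The two output samples are constructed for a fictitious domain, example-corp.com, and are not captured from www.bloomberg.com; only the line layout follows what the real tools print.

```python
"""Added example (not part of the original assignment): parse whois and
nslookup output into a reconnaissance summary.  Both samples below are
constructed for a fictitious domain; nothing here was captured from
www.bloomberg.com."""

import re

WHOIS_SAMPLE = """\
Domain Name: EXAMPLE-CORP.COM
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: Example Registrar, LLC
Registrant Organization: Example Corp
Registrant City: Springfield
Registrant Country: US
Registrant Phone: +1.5555550100
Registrant Email: hostmaster@example-corp.com
Admin Email: admin@example-corp.com
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
"""

NSLOOKUP_MX_SAMPLE = """\
Server:\t\t131.202.240.3
Address:\t131.202.240.3#53

Non-authoritative answer:
example-corp.com\tmail exchanger = 10 mx1.example-corp.com.
example-corp.com\tmail exchanger = 20 mx2.example-corp.com.
"""

NSLOOKUP_A_SAMPLE = """\
Server:\t\t131.202.240.3
Address:\t131.202.240.3#53

Non-authoritative answer:
Name:\twww.example-corp.com
Address: 203.0.113.10
Name:\twww.example-corp.com
Address: 203.0.113.11
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")
MX_RE = re.compile(r"mail exchanger = (\d+) (\S+?)\.?$")
RESOLVER_RE = re.compile(r"^Address:\s*(\S+)#(\d+)\s*$", re.M)


def parse_whois(text: str) -> dict:
    """Collect contacts, expiry and name servers from 'Key: value' whois lines."""
    info = {"name_servers": [], "emails": set(), "fields": {}}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Name Server":  # repeated key, keep all of them
            info["name_servers"].append(value.lower())
        else:
            info["fields"][key] = value
        info["emails"].update(e.lower() for e in EMAIL_RE.findall(value))
    return info


def parse_nslookup(text: str) -> dict:
    """Extract the resolver (host, port), MX hosts with preference, and A records."""
    resolver = RESOLVER_RE.search(text)  # the 'Address: x.x.x.x#53' header line
    out = {"resolver": (resolver.group(1), int(resolver.group(2))) if resolver else None,
           "mx": [], "addresses": []}
    answer = text.split("Non-authoritative answer:", 1)[-1]  # skip the resolver header
    for line in answer.splitlines():
        mx = MX_RE.search(line)
        if mx:
            out["mx"].append((int(mx.group(1)), mx.group(2).lower()))
        elif line.startswith("Address:"):
            out["addresses"].append(line.split(":", 1)[1].strip())
    out["mx"].sort()  # lowest preference value is tried first by sending servers
    return out


def recon_summary(whois_text: str, mx_text: str, a_text: str) -> dict:
    """Join the pieces an attacker would carry into the next phase."""
    w, mx, a = parse_whois(whois_text), parse_nslookup(mx_text), parse_nslookup(a_text)
    return {
        "social_engineering_targets": sorted(w["emails"]),
        "domain_expiry": w["fields"].get("Registry Expiry Date"),
        "name_servers": w["name_servers"],
        "resolver_used": mx["resolver"],
        "mail_servers": mx["mx"],
        "web_addresses": a["addresses"],
    }


if __name__ == "__main__":
    for key, value in recon_summary(WHOIS_SAMPLE, NSLOOKUP_MX_SAMPLE,
                                    NSLOOKUP_A_SAMPLE).items():
        print(f"{key:28} {value}")
```

The summary keys map directly onto the uses described in this section: the email addresses and expiry date feed a social engineering pretext, the MX hosts identify the mail infrastructure, and the A records are the addresses that later active scanning (outside the scope of passive reconnaissance) would target.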


3. NETCRAFT. Netcraft analyses many aspects of the Internet, including web servers, operating systems, hosting providers and SSL certificates. This information can be used to build the attack vector: the date the site was first seen (might be useful), the IP address (very important), the DNS servers, the registrant, the hosting history, and the reported OS; showing Linux as the OS helps the attacker narrow the focus to Linux.

It also shows that the server is running PHP, which is again a big piece of information to start exploiting. With all this information, the next step is to go to Exploit-DB and look for possible loopholes that match the identified products and versions, and prepare an attack. Note that without a version number this only narrows the search; it does not confirm that any particular exploit applies.


The screenshot above shows all the IP addresses the domain has had in past years and the current IP; it also shows which web server is being used, and it used to show OS information (Linux earlier), which is now reported as "Unknown".


The screenshot above shows the basic site details.


The screenshot above shows the technologies used server-side and client-side, which can be valuable information, as many technologies have their own exploits readily available on the Internet, and that can make the attacker's job easy.

PS: I will be attaching the complete screenshots of each command with the assignment as screenshot_problem4.tar. I am not adding them here as they are difficult to read and make my assignment really long for no reason. I hope that doesn't cause a deduction in marks.

Problem 5. Practical exercise: password cracking. You will be using hashcat utility (Kali/Password attacks/Offline attacks). You will need to calculate the timing of password guessing attacks for the following cases:

Solution:


I will be attaching all the screenshots with the assignment on D2L as Problem5.tar. It will have a folder for each password pattern, and each folder will contain a screenshot of the command prompt showing 100% and the hashes/salts result for that pattern, i.e. 6 times, plus the shadow file for each in its respective folder and similarly the cracked file for each of them in its respective folder.

Time for each case (approximate):

  Case                                         Time
  1. Password with size 3                      10 min
  2. Password with size 5                      27 hours
  3. Password with size 8                      3 hours 30 mins
  4. Password with size 10                     10 secs
  5. Password with 2 known words               3 sec
  6. Password with 1 known word + double digit 5 min

Now, you might wonder how it took me so little time. I would like to explain that, and I am not sure if this affects my grade. Okay, so when I ran the password with size 5 it took me almost 27 hours, so I decided to use very simple passwords and saw that hashcat does the job quickly, and hence did it that way. But I have understood the complete exercise and learned what it was meant for.

Discussion:

Now, commenting on the quality of the passwords and the speed of the process. For the password with size 5, I used an alphanumeric password, it took me 27 hours, and at the end of the process hashcat could not crack 2 of my 3 passwords. So I realised that if my passwords are not present in the dictionary it takes longer. In the other cases I used very simple passwords; for example, for size 10 I used the numeric password 1234567890 for all three users, and saw that once hashcat got the password for User1 it immediately got the hashes for User2 and User3, because the passwords were the same. Also, for the other password patterns I used very simple and common words, so it took very little time because the words were present in rockyou.txt (the dictionary). In short, if the password is present in the dictionary it is quick to find; if it is not, hashcat has to go through all the words, which makes it very time-consuming and eventually yields no result for you.
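The observation above (dictionary hits are fast, anything outside the dictionary costs the whole keyspace) can be turned into the timing calculation the problem asks for. The following is an added example, not part of the original assignment or of hashcat: it computes the candidate count for each of the six patterns and the worst-case time at an assumed hash rate. The rate of 5,000 hashes per second is an assumption standing in for a laptop CPU against the sha512crypt hashes found in a Linux shadow file, the rockyou.txt size of about 14.3 million lines is an approximation, and the brute-force cases assume the [a-z0-9] alphabet; all of these are parameters, not measurements from the assignment.

```python
"""Added example (not part of the original assignment): keyspace and
worst-case running time for the six password patterns, comparing brute
force over an alphabet with the dictionary attacks hashcat actually ran.
The hash rate and dictionary size are assumptions, not measurements."""

import string

CHARSETS = {  # the same four charsets hashcat masks use (?l ?u ?d ?s)
    "?d": string.digits,
    "?l": string.ascii_lowercase,
    "?u": string.ascii_uppercase,
    "?s": " " + string.punctuation,
}
CHARSETS["?a"] = "".join(CHARSETS[k] for k in ("?l", "?u", "?d", "?s"))  # 95 chars

ROCKYOU_WORDS = 14_344_391  # approximate line count of rockyou.txt (assumption)
ASSUMED_RATE = 5_000.0      # hashes/second, assumed for a slow hash on a laptop CPU


def keyspace(charset: str, length: int) -> int:
    """Number of candidates of exactly `length` characters drawn from `charset`."""
    return len(set(charset)) ** length


def seconds_to_exhaust(candidates: int, hashes_per_second: float) -> float:
    """Worst case: every candidate is tried.  Expected time is about half."""
    return candidates / hashes_per_second


def human(seconds: float) -> str:
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"


def attack_table(rate: float) -> list:
    """Rows (case, attack mode, candidates, worst-case seconds) for the six
    patterns in the table above.  Cases 5 and 6 mirror hashcat's combinator
    (-a 1) and hybrid dict+mask (-a 6) modes over the dictionary."""
    alnum = CHARSETS["?l"] + CHARSETS["?d"]
    cases = [(f"size {n}, brute force over [a-z0-9]", "mask", keyspace(alnum, n))
             for n in (3, 5, 8, 10)]
    cases += [
        ("2 known words", "combinator (dict x dict)", ROCKYOU_WORDS ** 2),
        ("1 known word + 2 digits", "hybrid (dict + ?d?d)",
         ROCKYOU_WORDS * keyspace(CHARSETS["?d"], 2)),
    ]
    return [(case, mode, n, seconds_to_exhaust(n, rate)) for case, mode, n in cases]


def dictionary_hit_cost(position: int, rate: float) -> float:
    """A word at `position` in the wordlist costs only that many hashes,
    which is why the simple passwords above fell in seconds."""
    return position / rate


if __name__ == "__main__":
    print(f"assumed rate: {ASSUMED_RATE:,.0f} H/s, rockyou ~{ROCKYOU_WORDS:,} words\n")
    for case, mode, n, secs in attack_table(ASSUMED_RATE):
        print(f"{case:40} {mode:26} {n:>22,}  {human(secs):>8}")
    print("\nstraight dictionary, whole rockyou:",
          human(seconds_to_exhaust(ROCKYOU_WORDS, ASSUMED_RATE)))
    print("word found at position 1000:", human(dictionary_hit_cost(1000, ASSUMED_RATE)))
```

Two things fall out of the numbers. First, the size-10 case only took seconds because 1234567890 is in the wordlist, not because ten characters are cheap: brute forcing 36^10 candidates at this rate runs to thousands of years. Second, the combinator attack for "2 known words" squares the dictionary size, so it is only fast when the exact phrase is itself a wordlist entry, which is what the 3-second result indicates.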