INFO2403 Information Security

Vaibhavi Kalgutkar (3534950)

Problem 1. Consider DAC and RBAC models. Compare these models, making a list of their
benefits/weaknesses.
Solution:
Comparing DAC and RBAC

DAC defines Who can See my Data and RBAC defines what can this user do (based
on roles assigned to him)
DAC is based on resource based (permission per individual file) permission where as
RBAC is based on group/role based permission
DAC is generally created by the owner of the Data (file/resource), RBAC is defined by
the Administrator.
DAC are always attached with the files/resources, RBAC is either defined in
configuration or at code level (privileges are assigned to roles and then users are
assigned roles by admins )
In DAC permission set is not static i.e. it can/might be different for each file/resource.
RBAC permission per roles are static.

Benefits of DAC

DAC is simple to implement and approach is granular

Owner of the Data has the right to decide who can access the data (basically he can
assign permission to others)

Weakness of DAC

DAC is not centrally manageable, its different for each file hence more no. of file more
difficult
If a new user is added to the system, you might need to modify multiple DAC
depending on how many resources he/she may have access to.

Benefits of RBAC

RBAC is easy to manage, it is centrally administer. We have very few roles in

organization so no matter how many users we have its still easy to manage
As it is centrally administered and access control of so many user is through same role,
builds a much more effective way to verify security policies over access of resources
It supports separation of duties.

Weakness of RBAC

Not granular, quite a complex mechanism to implement.

In a large system taking care of membership, roles, applying inheritance with roles and
customizing privileges is potentially very complex and time consuming.

Problem 2. Humans are the weakest link in any security system. Give an example for each of the
following:
(a) A situation in which human failure could lead to a compromise of encrypted data.
Situation: Attacker finds out information about a senior
executive at some organization and then makes a call to
a lower subordinate pretending as the senior executive
saying,
Attacker: Hello, Jeremy.
Jeremy: Hi, who is this?
Attacker: I am Paul, Marketing Team Lead. You sent me
few details last week and I forgot my laptop and I am in
a meeting and I am looking for the pass code for
encryption lock on PDFs. Can you give me them real
quick on the phone I am in a meeting and its
embarrassing that I have to call you like this. Make it
quick.
Jeremy: Ya sure, its 456JERE.
Attacker: Thanks Jeremy, See you in office bye.
Now attacker got the pass code, we assume he already
got hold of those PDF by hacking into Pauls email or
somehow managed to access Pauls laptop. He can easily get the desired information from
those PDFs, this information can also lead to a bigger attack on the organization.
(b) A situation in which human failure could lead to a compromise of identification and
Authentication
Situation:
For such a situation, Attacker might infect dozens of
USBs with a Malware and dispersed them around the
organization mostly parking lots, elevators, washrooms
etc. Many of the employee who might find this USBs
may plug them into their systems and as soon as they do this attacker might have a malware
launched which trigger say a simple application like KeyLogger. In no time attacker would
receive numerous information including login IDs and passwords for all the users that plugs in
the USB.

(c) A situation in which human failure could lead to a compromise of access control
Situation:

Piggybacking could be a good example for such a question.

Lets say Attacker wants to access a secured zone (secured with say RFID tags or some
access control mechanism). Here Attacker might simply walk behind a person who has
access to the secured area. Now the attacker might ask the person before to hold the door
pretending to carry heavy box or say a CPU cabinet, and as a courtesy the person might
hold the door and let the attacker in. The person might fail to ask for identification and
hence compromising the access to secured area.

Src http://www.violence-free.com/Portals/96946/images/Piggybacking%20Image.jpg

Problem 3
On June 7th, LinkedIn confirmed that it had experienced a data breach that likely compromised
the e-mail addresses and passwords of 6.5 million of its users. This
confirmation followed the posting of the password records for these
users in a public forum. One criticism of LinkedIn is that they used
unsalted password hashes. In this question we will explore this
criticism. Assume that each stolen password record had two fields in
it: [user_email,SHA1(password)] and that a user login would be
verified by looking up the appropriate record based on user email,
and then checking if the corresponding hashed password field
matched the SHA1 hash of the password inputted by the user trying
to log in. By contrast, if LinkedIn had used a salted scheme, then each record would have had three
fields: [user_email,salt,SHA1(password+salt)] and login verification would similarly require
looking up the salt and using it when matching hashes.
Given this:
a. Suppose the attackers goal is to break John Smiths password via a dictionary attack. Does
the lack of salting in LinkedIns scheme make this goal substantially easier? Justify.
Solution:
No it would not make the goal substantially easier as it is still going to take some
what same amount of time because if salt is present the attacker would surely know which salt
is used for each user. He can create hashes approximately same time in both the scenarios.
b. Suppose the attackers goal is to break at least half of the passwords via a dictionary attack.
Does the lack of salting in this scheme make this goal substantially easier? Justify
Solution:
Yes this will make the goal substantially easy, as without salt attacker requires only
one dictionary of hashes for searching the users.

Problem 4.
Practical exercise: whois, nslookup, and netcraft are a few of tools commonly used in passive
reconnaissance. Explore these tools. Run them on www.bloomberg.com. This should not be done
in Kali as it requires access to the Internet. Include the screenshots of your results. Explain what
this information means and how it can be further used in preparation for an attack.
Solution:
Information gathering, is very curial and most
important step for performing any tasks. Similarly
before a attacker makes their attack they sit and do
some homework of information gathering. We have
various tools available to do so. Most of them are
allowed to be used legally, and is no problem. But its
becomes a problem if person with wrong intentions
begin using them.
Here in this assignment question we will focus on tools
like WHOIS, NSLOOKUP and NETCRAFT.

1.

WHOIS
whois tool has been around since forever. Domain
Registrar all keep records of the domains they host. This records
contains information like the owners email, physical address,
phone no. etc.
Now this type of data can be very useful for planning
Social Engg. Attack.
Here, in the image on the left you can see
registrant information like city he/she live in,
phone no. email ids exact physical location of the
person. All such information can be very useful
for attacker to prepare the attack vector.
It also show similar details for Admin, it also
shows registrants registration expiration details
which can also be part of attack vector and might
prove useful during or for planning of an attack.
Ex. Here can be same as attacker calling someone
pretending to be the registrant or assistant to
registrant and try to gain information for future
use.

2. NSLOOKUP
NSLOOKUP, is used to get DNS information like ip addr, port no. , web server,
email server, etc..
Here you can see in the image to your
left we have information like
Systems DNS i.e. 131.202.240.3 in our
case. Later is shows "#53" indicates
that we are communicating with it on
port 53, which is the standard port
number DNS use to accept queries.
nslookup is a program used to query
Internet domain name servers for
information and has several option
which return several vital information.
Let us take this as example, we set type=mx and lets see what we get.
This return us information
about mail servers , might be
a good way to learn about
the server and exploit the
vulnerabilities.
There are many other option
we can use with nslookup.
It can also reverse lookup on
IP.

3. NETCRAFT
Netcraft analyzes many expect of the internet which inculeds
webservers, OS, hosting providers and SSl certificate. This information can
be used to build the attack vector. Information like date first seen - Might be
useful, Ip address very important, DNS server, registrant ,Shows address
of hosting history, show Linux as the OS helps attacker to narrow focus on Linux.

It also shows that server is running PHP, which is again a big piece of
information to start exploiting. With all such information all we need to do is go to
exploitsDB and look for possible loop holes and prepare an attack.

Screenshot above shows all the IP addresses the domain had in past years and the current
IP, also shows what web server is being used along with that it also use to have OS information
which was linux earlier but is Unknow now.

Screenshot above shows basic site details

Screenshot above shows technologies used server side and client which can be a big
information as many technology might have its own exploit readily available through internet and
this can make attackers job easy.
PS: I will be attaching complete Screen shots of each command with the assignment as
screenshot_problem4.tar. I am not adding them here as its difficult to read and makes my
assignment really long for no reason. I hope that doesnt cause me deduction in marks.

Problem 5. Practical exercise: password cracking. You will be using hashcat utility (Kali/Password
attacks/Offline attacks). You will need to calculate the timing of password guessing attacks for the
following cases:
Solution:

I will be attaching all the screenshots with the assignment on D2L as Problem5.tar.This will
have folder for each password pattern and folder will contain Screen shot of Command
prompt showing the 100% and hashes/salts result for each patter i.e. 6 times. Shadow files
for each in respective folders and similarly cracked files for each of them in respective folders
Time for each case:
1.
2.
3.
4.
5.
6.

Password with size 3

Password with size 5
Password with size 8
Password with size 10
Password with 2 know words
Password with 1 know and double digit

10 min (approx)
27 hours (approx)
3 hours 30 mins (approx)
10 Secs (approx)
3 sec
5 min (approx)

Now, you might feel how it took me so less time. I would like to explain you that and I am not
sure if this affects my grade. Okay so when I ran password with size 5 it took me almost 27 hours
so I decided to use very simple password and saw that the hashcat does the job quickly and hence
did it like ways. But I have understood the complete exercise and learned what it was meant for.
Discussion:
Now commenting on quality of password and speed of process.
For password with size 5, I used alphanumeric password and it took me 27 hours and at the end of
the process HASHCAT could not crack 2 of my 3 passwords. So I realize if my password are not
present in dictionary it takes longer time.
Now in other cases, I used very simple passwords like for size 10 I used numeric password
1234567890 for all three users, and saw that once it get the password for User1 it immediately get
the hashes for User2 and User3 when passwords are same.
Also for other password patterns I used very simple and common words so it took very less
time because words were present in the rockyou.txt (dictionary)
So I short, if the password is present in the dictionary it quick to find it, if it is not then the
hashcat has to go through all the words and this make its very time consuming and eventually has
no desired result for you.