Assignment - 1

This is an individual assignment.

This assignment worths 10% of the final marks of the course.

Submit your final report as a PDF and codes as a zip file in Canvas.

You should explain any details of how to run your code in report.

Final Report and Code: Due by Week 5, Sunday the 24th of March, 2024 11:59 PM

1 Safety and security (10 marks)

Safety Engineering and Security Engineering are related. Explain the similarities and differences between the two fields, and describe the aspects that absolutely refer to security engineering (provide a brief explanation and give one example scenario for each field).

2 Fundamental security design principles (10 marks)

Each of the following descriptions relates to one of the fundamental security design principles we discussed in class. In some cases, the situation illustrates the application of a fundamental security design principle; in others, it shows where a principle has been violated. For each scenario, name and briefly explain the corresponding fundamental security design principle. (2 marks for each)

i Kerckhoffs’s principle states that all details of a crypto system should be made public except for the key. By doing this, many can understand and even attempt to compromise the crypto system, identifying any associated vulnerabilities. Making system information public doesn’t weaken the crypto system. Every instance of the crypto system’s use will employ different secure keys, which an attacker can not guess or brute-force efficiently. ..........................................................................

ii Sam is building a secure network protocol for his company. The company has many different servers and computers with different operating systems and hardware capabilities. Sam’s protocol works like this. During the connection establishment phase the sender and the receiver exchange the encryption schemes and key sizes they support. If there are common schemes, the sender choses the highest commonly supported version the highest possible key size. If there are no common encryption schemes the protocol goes in the to the default mode of communication, which is the non-encrypted communication. ..........................................................................

iii Many modern enterprise networks use network segmentation for better security. Publicly accessible servers such as webservers and mail servers are placed in a Demilitarised Zone (DMZ) while the highly valued servers such as finance, payroll, and HR are in subnetworks that are not publicly accessible. ..........................................................................

iv As an IT manager in the University, Adam has realised that many employees are reluctant to update their operating systems to the latest version. The main reason they highlight is that after operating system updates, some of the software employees use stop working and they have to uninstall and reinstall them. And some of the software configurations are lost and the employees have to reconfigure them. As a result many of the employees spends hours and hours trying to make their computer work properly after updates, and therefore, generally don’t want to update their operating systems at all. ..........................................................................

v Mobile apps in operating systems such as Android and iOS run in sandboxes. They have privileges granted by the users, but nothing more than that. For example, they are not allowed to access any of the operating system files. ..........................................................................

3 Social Engineering (20 marks)

OmegaCorp recently won a bid to handle a significant project for a government agency. Ever since the announcement, there’s been heightened activity across all departments to prepare for the project kick-off. Amid this bustle, Lisa, a marketing executive, receives an unexpected call from a person identifying themselves as Sam from the project’s external audit team. Following this, she also receives an email apparently from the IT department.

Sam: “Hello Lisa, I’m Sam from the government’s external audit team for the project. As a routine procedure, we’re collecting preliminary data. Could you share the current marketing strategy documents for this project?"

Lisa: “I haven’t received any prior notification. Shouldn’t this come through our manager?"

Sam: “Understood, Lisa. However, due to the sensitivity and timeline of the project, we’re directly reaching out to key personnel. I’ve already spoken to Alex from your IT, and he’ll send an email confirming my identity."

Email:

Subject: Verification of External Audit Team Member

Dear Lisa,

This is to verify that Sam is a genuine member of the project’s external audit team. Please cooperate and provide the requested information.

Regards,

Alex Thompson - IT Department

Later that day, Lisa chats with her colleague, Rachel.

Lisa: “Rachel, I got a call from the external audit team and then an email from Alex verifying the caller. But something feels off. What do you think?" Rachel: “That’s strange. Did you verify the email’s authenticity? Maybe talk to Alex directly?"

i Identify and describe two cognitive biases the attacker is attempting to exploit. (6 marks)

ii What other red flags can you pinpoint in the scenario that Lisa could use to identify the possible attack? (4 marks)

iii As a security analyst, how would you design a system or protocol to prevent such multi-layered social engineering attempts? Provide two recommendations. (4 marks)

iv If Lisa shared the sensitive documents, list three steps OmegaCorp should take immediately. (6 marks)

4 Social Engineering in Practice (20 marks)

John is a database administrator at XYZ Corporation, he is responsible for managing MySQL databases and tables for employees. Apart from that, he is very active on social media platforms like Facebook, Twitter, and Instagram.

John’s social media profile links re listed below.

Facebook:

https://www.facebook.com/profile.php?id=100078240098613

Twitter:

https://twitter.com/JohnRiv68955090

Instagram:

https://www.instagram.com/johnrivera20296/

? Perform reconnaissance and find out information about John from his social media profiles, and based on the possible keywords, write a python program to generate a list of all possible common passwords John can have.

For example, if you find possible keywords to be “red”, “car”, the Python program should be able to generate a list like:

red

car

redred

redcar

carred

carcar

? Save the generated password list in a txt file and then use the given bruteforce.py to perform a brute force attack on the exposed database created by John and find the correct password (in this case it is in your Azure VM) .

Note: The bruteforce.py tool is for educational purposes only.

Here we simulate the database server inside our VM. So we use 127.0.0.0 as our IP address. That is you will need to run the command in the VM inside the path /home/ubuntu/tutorials/Assignment_1 after activating the virtual environment as you usually do during the tutorials.

python3 bruteforce.py -H 127.0.0.0 -u john -p passwords.txt – Use this to find the user John’s password

python3 bruteforce.py -H 127.0.0.0 -p passwords.txt – Use this to find the user root’s password (i.e., the admin user of the database)

Include the following in your submission.

i Code for generating the password list. (4 marks)

ii John’s password for the database. (4 marks)

iii root users’ password for the database. (4 marks)

iv Screenshot of the outputs of the bruteforce.py (for both john and root) as evidence that you actually found the password. (4 marks)

Figure 1: Access Tables

v Login to the database as the root user using the command mysql -u root -p -h 127.0.0.0 and include the output of show databases; command as a screenshot. (4 marks)

5 Access Control (20 marks)

a) Definitions

i Explain: is authentication a necessary ingredient for authorisation? Give an example that proves your argument. (2 marks)

ii It is conventional wisdom that passwords to encrypt a hard drive should be longer than passwords for online login to websites. Explain why. (2 marks)

iii Explain what a Security Policy Model is. 1-2 sentences are enough. (2 marks)

iv Access control is often categorised into two general forms (which we called two ends of a spectrum). What are they, and how are they different from each other? (2 marks)

v Modern CPUs have support for access control. Explain two key ideas of the common x86 architecture. (2 marks)

b) Security Policy Models

Figure 1 shows a mapping between users and clearances, and between required clearances and objects. Three files are protected, each holding a code needed to access, respectively, the fridge, the TV, and the playstation. Only these mappings are defined; no other rule sets exist.

Explain if the the following statements are right or wrong, and say why.

i “In a Bell LaPadula model, Homer can obtain the TV lock codes to watch TV.” (2 marks)

ii “In a Biba model, Homer can obtain the TV lock codes to watch TV.” (2 marks)

iii “In a Bell LaPadula model, Homer can enlist the help of Marge to obtain the TV lock codes.” (2 marks)

iv “In a Bell LaPadula model, Bart can change all codes as he wishes.” (2 marks)

v “In a Biba model, Marge can change all codes as she wishes.” (2 marks)

6 Linux Access Control (20 marks)

Below questions are associated with the provided Azure VM.

a) Basic Access Control

Below questions can be answers by Linux One liners. Provide the answer to each question and include the command you used. Make sure that you include the command as letters/characters (than screenshots/images), so that the markers can copy/paste command and check whether it is working.

i What is the User ID (UID) of the user gimly. (1 mark)

ii What is the Group ID (GID) of the group hobbits. (1 mark)

iii Find which group the user legolas belongs to. (1 mark)

iv Find all the users in the group humans. (1 mark)

v Does the user frodo have sudo access? There are multiple ways to do this. Answers requiring more than one command is also accepted. (1 mark)

b) File Permissions

For i-iii, use the linux find command with correct options and make sure that you command do not generate any permission denied messages or other error messages. Include the commands you used in your answer.

i Find all the files owned by user legolas. (1 mark)

ii Find all the files associated with the group elves. (1 mark)

iii Find all the files owned by user gimly. (1 mark)

iv In ii) you will find a file owned by legolas and having the group as elves. Is the next statement is true about the file. “arwen can write to the file”. Explain your answer. (2 marks)

v In iii) you will find a file owned by gimly and having the group as dwarves. Is the next statement is true about the file. “isildur can write to the file”. Explain your answer. (2 marks)

c) SUID Bit

i Find all the files own by root and having the group as humans. Similar to above your command must not generate any permission denied messages or other error messages. (2 marks)

ii The search in i) will return two files. Explain the difference in permission strings of these two files. (3 marks)

iii Explain and demonstrate how the permission setting in one of the files can create a security vulnerability. (Hint: You will have to run the files and use the whoami command.) (3 marks)