Computer Systems Security: Winter 2018 Assignment 3 - Revision history

Soma: /* Solutions */

2018-04-04T14:06:28Z

Solutions

← Older revision		Revision as of 14:06, 4 April 2018
Line 18:		Line 18:
	# Insider attacks are potentially more damaging because insiders have access and understand the systems. Thus, they know what steps to take in order to achieve their objectives. For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.		# Insider attacks are potentially more damaging because insiders have access and understand the systems. Thus, they know what steps to take in order to achieve their objectives. For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.
	# As long as it is an honest answer you should get full marks for this one!		# As long as it is an honest answer you should get full marks for this one!

			Intrusion detection systems

			2. General potential attacks

			3. Overflowing memory

			4. Why not have a business operating system that has a very restrictive environment

			5. Network hacking such as DNS servers and access points

			6. How certificate authorities are used in network security

			7. How signature work

			8. Mechanism of attack

			9. The concept of Anomaly based intrusion detection systems

			10.Malwares and low-level system security

			11.Threat modeling in general

			12.Encryption

			13.Firewall

			14.Web security

			15.How sandboxes on browsers work

			16.TCP wrappers

			17.TLS certificates

			18.Code injections / SQL injections

			19.Understanding the prevention techniques required to take to ensure the highest level of security

			20.UNIX permissions

			21.The description of the multi-dimensional array

			22.How modelling the behaviour of a process' system calls makes a good intrusion detection system

			23.The inner workings of the OSI model, how DNS works, how various network attacks can be mitigated, and where the future of networking is headed

			24.The biology portion

			25.Linux stuff

			26.The differences between sandboxing and containers

			27.How machine learning can be used for intrusion detection

			28.Public keys

			29.The difference between regular anti-malware systems and signature based intrusion detection systems

			30.The concept of Meltdown and Sceptre

			31.The passwd concept

			32.The backdoor

			33.The term BSD jails

			34.The parts about VPN/DNS/DNSSEC and understanding how traffic flows between these components

Soma at 16:50, 31 March 2018

2018-03-31T16:50:01Z

← Older revision		Revision as of 16:50, 31 March 2018
Line 15:		Line 15:
	# There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).		# There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).
	# Both intrusion detection systems and anti-malware systems can detect malware. IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior). Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code. They also can apply the signatures to behavior observed in sandboxed environments.		# Both intrusion detection systems and anti-malware systems can detect malware. IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior). Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code. They also can apply the signatures to behavior observed in sandboxed environments.
	#		# The key reasons for sticking with signature-based IDSs are 1) no training time (unlike anomaly detection) 2) minimal setup time (unlike specifcation-based systems) 3) can be tuned to work well in standardized benchmarks 4) clear business model (subscriptions for signature updates) 5) reputation for low false positives (although this is often not true in practice unless you tune the signature set).
			# Insider attacks are potentially more damaging because insiders have access and understand the systems. Thus, they know what steps to take in order to achieve their objectives. For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.
			# As long as it is an honest answer you should get full marks for this one!

Soma at 16:27, 31 March 2018

2018-03-31T16:27:43Z

← Older revision		Revision as of 16:27, 31 March 2018
Line 14:		Line 14:
	# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes. The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).		# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes. The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
	# There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).		# There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).
			# Both intrusion detection systems and anti-malware systems can detect malware. IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior). Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code. They also can apply the signatures to behavior observed in sandboxed environments.
			#

Soma at 15:58, 31 March 2018

2018-03-31T15:58:06Z

← Older revision		Revision as of 15:58, 31 March 2018
Line 13:		Line 13:

	# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes. The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).		# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes. The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
			# There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).

Soma at 01:12, 31 March 2018

2018-03-31T01:12:50Z

← Older revision		Revision as of 01:12, 31 March 2018
Line 1:		Line 1:
	Due: March 26, 2018 by the start of class.		Due: March 26, 2018 by the start of class.

			==Questions==

	# [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.		# [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.
Line 7:		Line 9:
	# [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.		# [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.
	# [1] What is a concept from this class that you find confusing or hard to understand? Please explain briefly the difficulty you are having.		# [1] What is a concept from this class that you find confusing or hard to understand? Please explain briefly the difficulty you are having.

			==Solutions==

			# Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [http://cdimage.ubuntu.com/ubuntu/releases/17.10.1/release/SHA256SUMS] for the Ubuntu server hashes. The [https://help.ubuntu.com/community/VerifyIsoHowto Ubuntu Verify ISO Howto] explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).

Soma at 14:18, 19 March 2018

2018-03-19T14:18:44Z

← Older revision		Revision as of 14:18, 19 March 2018
Line 1:		Line 1:
	~~'''This assignment is not yet finalized.'''~~

	Due: March 26, 2018 by the start of class.		Due: March 26, 2018 by the start of class.

Line 8:		Line 6:
	# [1] What is one significant reason that most currently used intrusion detection systems use signatures rather than other approaches?		# [1] What is one significant reason that most currently used intrusion detection systems use signatures rather than other approaches?
	# [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.		# [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.
			# [1] What is a concept from this class that you find confusing or hard to understand? Please explain briefly the difficulty you are having.

Soma at 17:27, 15 March 2018

2018-03-15T17:27:18Z

← Older revision		Revision as of 17:27, 15 March 2018
Line 1:		Line 1:
	'''This assignment is not yet finalized.'''		'''This assignment is not yet finalized.'''

			Due: March 26, 2018 by the start of class.

	# [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.		# [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.

Soma: Created page with "'''This assignment is not yet finalized.''' # [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must a..."

2018-03-12T13:06:52Z

Created page with "'''This assignment is not yet finalized.''' # [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must a..."

New page

'''This assignment is not yet finalized.'''

# [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.
# [2] Describe an attack (and associated context) that could be detected using an anomaly-based intrusion detection system but would normally be missed by both specification and signature-based intrusion detection systems.
# [2] How are intrusion detection system similar to anti-malware systems? How can they be different?
# [1] What is one significant reason that most currently used intrusion detection systems use signatures rather than other approaches?
# [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.